ETSI TR 133 905-2016 Digital cellular telecommunications system (Phase 2+) Universal Mobile Telecommunications System (UMTS) LTE Recommendations for Trusted Open Platforms (V13 0 0.pdf

1、 ETSI TR 1Digital cellular telecoUniversal Mobile TelRecommendatio(3GPP TR 33.9TECHNICAL REPORT 133 905 V13.0.0 (2016communications system (Phaelecommunications System (LTE; tions for Trusted Open Platfor.905 version 13.0.0 Release 1316-01) hase 2+); (UMTS); forms 13) ETSI ETSI TR 133 905 V13.0.0 (2

2、016-01)13GPP TR 33.905 version 13.0.0 Release 13Reference RTR/TSGS-0333905vd00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregist

3、re la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present docume

4、nt shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within

5、 ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document,

6、 please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written

7、 permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM

8、and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI T

9、R 133 905 V13.0.0 (2016-01)23GPP TR 33.905 version 13.0.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-

10、members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Purs

11、uant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present doc

12、ument. Foreword This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the

13、 corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and

14、 “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 905 V13.0.0 (2016-01)33GPP TR 33.905 version 13.0.0

15、Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g33 Definitions, symbols and abbreviations . 5g33.1 Definitions 5g33.2 Abbreviations . 6g34 Recommendations for trusted open platforms in 3GPP Release 7

16、. 7g34.1 Recommendations from the Generic Bootstrapping Architecture 7g34.1.1 Study of GBA in open trusted platforms 7g34.1.2 Recommendation 10g34.2 Recommendations from I-WLAN 10g34.3 Generalized recommendations . 12g34.3.1 Study of credential security in open trusted platforms 12g34.3.2 Recommenda

17、tion 14g3Annex A: Change history 15g3History 16g3ETSI ETSI TR 133 905 V13.0.0 (2016-01)43GPP TR 33.905 version 13.0.0 Release 13Foreword This Technical Report has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within

18、 the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for

19、 information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have

20、been incorporated in the document. Introduction Securing the storage, processing, and input and output of sensitive data on an open platform are of critical importance. Also, isolation of applications that are managing (U)SIMs and (U)SIM readers, EAP-SIM and EAP-AKA protocols, and SAP applications f

21、rom untrusted applications is imperative. Protecting the interface between the trusted open platform and the UICC is also of critical importance. Therefore, it is very much desirable that the Open Platform must have secure authentication and authorization mechanisms to protect against eavesdropping,

22、 and malicious modification of sensitive data and operator applications residing on the Open Platform. Consequently, for the diverse 3GPP usage models of the Open Platform, such as the ones described in 3GPP TS 33.234, appropriate trust recommendations need to be outlined to counteract the threats.

23、This document describes trust recommendations for the usage models described in 3GPP. ETSI ETSI TR 133 905 V13.0.0 (2016-01)53GPP TR 33.905 version 13.0.0 Release 131 Scope This technical report investigates relevant trust standards and technologies, both existing as well as the ones that are work-i

24、n-progress. It develops the recommendations for trusted open platforms for delivery of new applications and services to open platforms. 2 References The following documents contain provisions, which, through reference in this text, constitute provisions of the present document. - References are eith

25、er specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document),

26、a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.220: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Generic Bootstra

27、pping Architecture“. 2 3GPP TS 33.234: “3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; 3G Security; Wireless Local Area Network (WLAN) interworking security“. 3 3GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 3 Definitions, symbols and abbreviatio

28、ns 3.1 Definitions For the purposes of the present document, the following terms and definitions given in TR 21.905 3 and the following apply. Application Specific Credentials: These are credentials e.g. keys, identifiers and related data, that are application specific and need to be protected again

29、st malicious access and only to be released to authorized applications acting as a Orpheus client. The application specific credentials might be stored or generated in the UICC or in the Persephone server. The application specific credentials can be generated from a master secret, randomly or be set

30、 by the user. Charon Fine Grained Access Control: The access control policy in the terminal controls which authorized applications in the terminal have access to certain application specific application credentials, i.e., only certain application in the terminal is allowed to application specific cr

31、edentials that can be used with certain applications. Coarse-grained access control policy: In GAA context, the access control policy in the terminal controls whether an application is authorized to have access to NAF specific GAA credentials. Therefore, the application has access to all possible NA

32、F specific GAA credentials. The coarse-grained access control policy may be stored in the UICC or in the ME. Credential Generator: The credential generator generates the application specific credentials and the master secret. It might also generate directly the application specific credentials witho

33、ut a master secret. The Credential Generator might be part of an application or co-hosted together with an application. ETSI ETSI TR 133 905 V13.0.0 (2016-01)63GPP TR 33.905 version 13.0.0 Release 13Fine-grained access control policy: In GAA context, the access control policy in the terminal control

34、s which authorized applications in the terminal have access to certain NAF specific GAA credentials, i.e., only certain application in the terminal is allowed to GAA credentials that can be used with certain NAFs. The fine-grained access control policy may be stored in the UICC or in the ME. GAA Cli

35、ent: A software component in the terminal that communicates with a NAF in the network. The GAA client uses GAA credentials to authenticate and possibly otherwise secure the communication with the NAF in the network. GAA client uses the API provided by the GAA Server to gain access to the GAA credent

36、ials. GAA Credentials: Consists of a bootstrapping transaction identifier (B-TID), one or two NAF specific keys, and a lifetime of those keys. If the terminal is equipped with GBA_U unaware UICC, then there is only one key (the GBA_ME NAF specific key) that derived by the GAA Server from the GAA mas

37、ter secret and given to the GAA client for further usage with the NAF. If the terminal is equipped with GBA_U aware UICC, then there are two keys that are derived from the GAA master secret in the UICC: one key (Ks_int_NAF) that stays and is used in the UICC, and one that is given to the ME and is u

38、sed in the ME (Ks_ext_NAF similar to the GBA_U unaware key). GAA Master Secret: GAA master secret Ks 1 is established during the bootstrapping session between the terminal (i.e., GAA Server for GBA_ME and UICC for GBA_U) and the BSF. The GAA master secret is used as a key to derive further NAF speci

39、fic keys that can be used between the GAA clients and the NAFs. If the terminal is equipped with GBA_U unaware UICC, then the GAA Master secret is stored in the GAA server and GBA_ME is used. If the terminal is equipped with GBA_U aware UICC and GBA_U is used, then the GAA Master Secret is stored in

40、 the UICC. GAA Master Secret stored in the GAA server corresponds to GAA Master Secret established with a terminal equipped with GBA_U unaware UICC (GBA_ME procedure used). GAA Server: The software component in the terminal responsible for communicating with the SIM/USIM/ISIM application in the UICC

41、, and with the BSF during bootstrapping procedure. The GAA server also functions as a public API towards the GAA clients in the terminal. Master Secret: The Master Secret is a master secret that servers as a basis for later key derivations. The Master Secret is established between the terminal (i.e.

42、, Persephone Server) and the network. The master secret is used as a key to derive further application specific credentials that can be used between the Orpheus clients and the application. Not every application derives its credentials from a master secret. Orpheus Client: A software component in th

43、e terminal that communicates with an application in the network. The Orpheus client application specific credentials to perform security functionalities. Orpheus Client uses the API provided by the Persephone Server to gain access to the Application Specific Credentials. Persephone Server: The softw

44、are component in the terminal responsible for communicating with the SIM/USIM/ISIM application in the UICC, and with external entities for possible key generation processes. The Persephone server also functions as a public API towards the Orpheus Clients in the terminal. Styx Coarse Grained Access C

45、ontrol: The access control policy in the terminal controls whether an application is authorized to have access to application specific application credentials. Therefore, the application has access to all possible application specific credentials. NOTE: The Greek Mythology was used in this Technical

46、 Report to minimize conflicts with other existing security specifications. 3.2 Abbreviations The abbrevitations of TR 21.905 3 apply, for the Generic Authentication Architecture (GAA) specific abbreviations we refer to 1 and for the I-WLAN specific abbreviations see 2. In case of conflict, 1 and 2 t

47、ake precedence. ETSI ETSI TR 133 905 V13.0.0 (2016-01)73GPP TR 33.905 version 13.0.0 Release 134 Recommendations for trusted open platforms in 3GPP Release 7 4.1 Recommendations from the Generic Bootstrapping Architecture 4.1.1 Study of GBA in open trusted platforms Figure 4-1 depicts the GAA relate

48、d functionalities in the terminal. In relation to the GAA architecture, the GAA server communicates with the BSF server over Ub reference point, and with the UICC through the relevant device drivers, for example. The GAA client communicates over the network with a NAF server and the GAA server to ob

49、tain the NAF specific GAA credentials. When a NAF server requests a GAA client to authenticate itself with GAA credentials, the client communicates with the GAA server for GAA credentials specific to that NAF. Terminal GAA server Device drivers GAA client UICC BSF NAF Ub Zn Ua Figure 4-1 GAA related modules in terminal The inherent feature of open platforms is that new applications can be installed to the terminal. In relation to GAA, this poses a security threat when a malicious application is installed in a type of terminal that does not protect GAA rel