ETSI TS 124 109-2017 Universal Mobile Telecommunications System (UMTS) LTE Bootstrapping interface (Ub) and network application function interface (Ua) Protocol details (V14 0 0 3G.pdf

1、 ETSI TS 124 109 V14.0.0 (2017-05) Universal Mobile Telecommunications System (UMTS); LTE; Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details (3GPP TS 24.109 version 14.0.0 Release 14) TECHNICAL SPECIFICATION ETSI ETSI TS 124 109 V14.0.0 (2017-05)13GPP TS

2、24.109 version 14.0.0 Release 14Reference RTS/TSGC-0124109ve00 Keywords LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grass

3、e (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified with

4、out the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of t

5、he present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your c

6、omment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI

7、. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo a

8、re Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and the GSM logo are Trade Marks registered and owne

9、d by the GSM Association. ETSI ETSI TS 124 109 V14.0.0 (2017-05)23GPP TS 24.109 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicl

10、y available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI We

11、b server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may

12、 become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These shou

13、ld be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may

14、“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 124 109 V14.

15、0.0 (2017-05)33GPP TS 24.109 version 14.0.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 6g31 Scope 7g32 References 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 9g34 Generic Bootstrapping Architecture; Ub int

16、erface . 10g34.1 Introduction 10g34.2 Bootstrapping procedure 11g34.3 User authentication failure . 12g34.4 Network authentication failure . 12g34.5 Synchronization failure 12g34A Generic Bootstrapping Achitecture Push; Upa . 12g34A.1 Introduction 12g34A.2 Bootstrapping procedure 13g34A.3 User authe

17、ntication failure . 14g34A.4 Network authentication failure . 14g34A.5 Synchronization failure 14g35 Network application function; Ua interface . 14g35.1 Introduction 14g35.2 HTTP Digest authentication . 14g35.2.1 General 14g35.2.2 Authentication procedure 15g35.2.2.1 General 15g35.2.3 Authenticatio

18、n failures 16g35.2.4 Bootstrapping required indication . 16g35.2.5 Bootstrapping renegotiation indication . 16g35.2.6 Integrity protection . 16g35.3 UE and NAF authentication using HTTPS . 16g35.3.1 General 16g35.3.2 Shared key-based UE authentication with certificate-based NAF authentication . 17g3

19、5.3.2.1 Authentication procedure 17g35.3.2.2 Authentication failures 17g35.3.2.3 Bootstrapping required indication . 18g35.3.2.4 Bootstrapping renegotiation indication . 18g35.3.3 Shared key-based mutual authentication between UE and NAF 18g35.3.3.1 Authentication procedure 18g35.3.3.2 Authenticatio

20、n failures 19g35.3.3.3 Bootstrapping required indication . 19g35.3.3.4 Bootstrapping renegotiation indication . 19g35.3.4 Certificate based mutual authentication between UE and application server . 19g35.3.5 Integrity protection . 20g36 PKI portal, Ua interface 20g36.1 Introduction 20g36.2 Subscribe

21、r certificate enrolment . 20g36.2.1 Enrolment procedure. 20g36.2.2 WIM specific authentication code for key generation 22g36.2.3 WIM specific authentication code for proof of key origin 22g36.2.4 Error situations 23g3ETSI ETSI TS 124 109 V14.0.0 (2017-05)43GPP TS 24.109 version 14.0.0 Release 146.3

22、CA certificate delivery . 23g36.3.1 CA certificate delivery procedure . 24g36.3.2 Error situations 24g37 Authentication Proxy 25g37.1 Introduction 25g37.2 Authentication 26g37.3 Authorization 26g3Annex A (informative): Signalling flows of bootstrapping procedure . 27g3A.1 Scope of signalling flows .

23、 27g3A.2 Introduction 27g3A.2.1 General . 27g3A.2.2 Key required to interpret signalling flows 27g3A.3 Signalling flows demonstrating a successful bootstrapping procedure 27g3A.4 Signalling flows demonstrating a synchronization failure in the bootstrapping procedure . 31g3Annex A1 (informative): Sig

24、nalling flows of GBA Push procedure. 34g3A1.1 Scope of signalling flows . 34g3A1.2 Introduction 34g3A1.2.1 General . 34g3A1.2.2 Key required to interpret signalling flows 34g3A1.3 Signalling flows demonstrating a successful GBA Push procedure . 34g3Annex B (informative): Signalling flows for HTTP Di

25、gest Authentication with bootstrapped security association 37g3B.1 Scope of signalling flows . 37g3B.2 Introduction 37g3B.2.1 General . 37g3B.2.2 Key required to interpret signalling flows 37g3B.3 Signalling flows demonstrating a successful authentication procedure . 37g3Annex C (normative): XML Sch

26、ema Definition 42g3C.1 Introduction 42g3Annex D (informative): Signalling flows for Authentication Proxy . 43g3D.1 Scope of signalling flows . 43g3D.2 Introduction 43g3D.2.1 Key required to interpret signalling flows 43g3D.3 Signalling flow demonstrating a successful authentication procedure . 43g3A

27、nnex E (informative): Signalling flows for PKI portal . 49g3E.1 Scope of signalling flows . 49g3E.2 Introduction 49g3E.2.1 General . 49g3E.2.2 Key required to interpret signalling flows 49g3E.3 Signalling flows demonstrating a successful subscriber certificate enrolment 49g3E.3.1 Simple subscriber c

28、ertificate enrolment . 49g3E.3.2 Subscriber certificate enrolment with WIM authentication codes 53g3E.4 Signalling flows demonstrating a failure in subscriber certificate enrolment 60g3E.5 Signalling flows demonstrating a successful CA certificate delivery 60g3ETSI ETSI TS 124 109 V14.0.0 (2017-05)5

29、3GPP TS 24.109 version 14.0.0 Release 14E.6 Signalling flows demonstrating a failure in CA certificate delivery 64g3Annex F (informative): Signalling flows for PSK TLS with bootstrapped security association . 65g3F.1 Scope of signalling flows . 65g3F.2 Introduction 65g3F.2.1 General . 65g3F.2.2 Key

30、required to interpret signalling flows 65g3F.3 Signalling flow demonstrating a successful PSK TLS authentication procedure 66g3Annex G (normative): 3GPP specific extension-headers for HTTP entity-header fields 69g3G.1 General . 69g3G.2 X-3GPP-Intended-Identity extension-header . 69g3G.3 X-3GPP-Asser

31、ted-Identity extension-header . 69g3G.4 X-3GPP-Authorization-Flags extension-header . 69g3Annex H (normative): 2G GBA . 71g3H.1 Introduction 71g3H.2 2G GBA bootstrapping procedure 71g3H.3 User authentication failure . 72g3H.4 Network authentication failure . 72g3Annex I (normative): GBA_Digest 73g3I

32、.1 Introduction 73g3I.2 GBA_Digest bootstrapping procedure . 73g3I.3 User authentication failure . 74g3I.4 Network authentication failure . 74g3Annex J (Normative): Realization of GBA Push delivery 75g3J.1 Introduction 75g3J.2 GPI delivery using WAP Push . 75g3J.2.1 General . 75g3J.2.2 Push-NAF proc

33、edures 75g3J.2.3 UE procedures 76g3J.2.3.1 Reception of GPI in push message . 76g3J.3 PDUs and parameters specific to the present document 77g3J.3.1 GPI envelope 77g3J.3.1.1 General 77g3J.3.1.2 Structure 77g3J.3.1.3 GPI envelope short code values 77g3J.3.1.4 IANA registration template. 77g3Annex K (

34、informative): Change history . 79g3History 81g3ETSI ETSI TS 124 109 V14.0.0 (2017-05)63GPP TS 24.109 version 14.0.0 Release 14Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work w

35、ithin the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TS

36、G for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes

37、have been incorporated in the document. ETSI ETSI TS 124 109 V14.0.0 (2017-05)73GPP TS 24.109 version 14.0.0 Release 141 Scope The present document defines stage 3 for the HTTP Digest AKA 6 based implementation of Ub interface (UE-BSF), the Disposable-Ks model based implementation of Upa interface (

38、NAF-UE) and the HTTP Digest 9 and the PSK TLS based implementation of bootstrapped security association usage over Ua interface (UE-NAF) in Generic Authentication Architecture (GAA) as specified in 3GPP TS 33.220 1. The purpose of the Ub interface is to create a security association between UE and B

39、SF for further usage in GAA applications. The purpose of the Upa interface is to provide a push mechanism to created a bootstrapped security association between the UE and NAF for secure communication of pushed messages. The purpose of the Ua interface is to use the so created bootstrapped security

40、association between UE and NAF for secure communication. The present document also defines stage 3 for the Authentication Proxy usage as specified in 3GPP TS 33.222 5. The present document also defines stage 3 for the subscriber certificate enrolment as specified in 3GPP TS 33.221 4 which is one rea

41、lization of the Ua interface. The subscriber certificate enrolment uses the HTTP Digest based implementation of bootstrapped security association usage to enrol a subscriber certificate and the delivery of a CA certificate. 2 References The following documents contain provisions, which, through refe

42、rence in this text, constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version a

43、pplies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.220: “Generic Authentication Architecture (GAA); Generic bootstrapping archite

44、cture“. 2 3GPP TR 33.919: “Generic Authentication Architecture (GAA); System description“. 3 3GPP TS 29.109: “Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Protocol details“. 4 3GPP TS 33.221: “Generic Authentication Architecture (GAA); Support for S

45、ubscriber Certificates“. 5 3GPP TS 33.222: “Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)“. 6 IETF RFC 3310: “Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and

46、 Key Agreement (AKA)“. 7 3GPP TS 23.003: “Numbering, addressing and identification“. 8 IETF RFC 3023: “XML Media Types“. 9 IETF RFC 2617: “HTTP Authentication: Basic and Digest Access Authentication“. 10 IETF RFC 3548: “The Base16, Base32, and Base64 Data Encodings“. 11 Void. 12 IETF RFC 2818: “HTTP

47、 over TLS“. 13 3GPP TS 24.228 Release 5: “Signalling flows for the IP multimedia call control based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3“. ETSI ETSI TS 124 109 V14.0.0 (2017-05)83GPP TS 24.109 version 14.0.0 Release 1414 IETF RFC 2616: “Hypertext Trans

48、fer Protocol - HTTP/1.1“. 15 Void. 16 PKCS#10 v1.7: “Certification Request Syntax Standard“. NOTE: ftp:/ 17 WAP Forum: “WPKI: Wireless Application Protocol; Public Key Infrastructure Definition“ NOTE: http:/www1.wapforum.org/tech/documents/WAP-217-WPKI-20010424-a.pdf. 18 Void. 19 Open Mobile Allianc

49、e: “ECMAScript Crypto Object“ NOTE: http:/www.openmobilealliance.org. 20 Open Mobile Alliance: “WPKI“ NOTE: http:/member.openmobilealliance.org/ftp/public_documents/SEC/Permanent_documents/. 21 3GPP TS 33.203: “3G security; Access security for IP-based services“. 22 IETF RFC 2234: “Augmented BNF for Syntax Specifications: ABNF“. 23 Void. 24 3GPP TS 33.223: “Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function“.