1、 ETSI TR 133 905 V14.0.0 (2017-04) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Recommendations for Trusted Open Platforms (3GPP TR 33.905 version 14.0.0 Release 14) TECHNICAL REPORT ETSI ETSI TR 133 905 V14.0.0 (2017-04)13GPP T
2、R 33.905 version 14.0.0 Release 14Reference RTR/TSGS-0333905ve00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prf
3、ecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not b
4、e modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretar
5、iat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, ple
6、ase send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written per
7、mission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand
8、the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and the GSM logo are Trade Marks regi
9、stered and owned by the GSM Association. ETSI ETSI TR 133 905 V14.0.0 (2017-04)23GPP TR 33.905 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if
10、any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available
11、 on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or
12、 may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. Th
13、ese should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“,
14、 “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 905 V14.0.0 (2017-04)3
15、3GPP TR 33.905 version 14.0.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Scope 5g32 References 5g33 Definitions, symbols and abbreviations . 5g33.1 Definitions 5g33.2 Abbreviations . 6g34 Recommendations for trusted ope
16、n platforms in 3GPP Release 7 . 7g34.1 Recommendations from the Generic Bootstrapping Architecture 7g34.1.1 Study of GBA in open trusted platforms 7g34.1.2 Recommendation 10g34.2 Recommendations from I-WLAN 10g34.3 Generalized recommendations . 12g34.3.1 Study of credential security in open trusted
17、platforms 12g34.3.2 Recommendation 14g3Annex A: Change history 15g3History 16g3ETSI ETSI TR 133 905 V14.0.0 (2017-04)43GPP TR 33.905 version 14.0.0 Release 14Foreword This Technical Report has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are sub
18、ject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first
19、 digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented whe
20、n editorial only changes have been incorporated in the document. Introduction Securing the storage, processing, and input and output of sensitive data on an open platform are of critical importance. Also, isolation of applications that are managing (U)SIMs and (U)SIM readers, EAP-SIM and EAP-AKA pro
21、tocols, and SAP applications from untrusted applications is imperative. Protecting the interface between the trusted open platform and the UICC is also of critical importance. Therefore, it is very much desirable that the Open Platform must have secure authentication and authorization mechanisms to
22、protect against eavesdropping, and malicious modification of sensitive data and operator applications residing on the Open Platform. Consequently, for the diverse 3GPP usage models of the Open Platform, such as the ones described in 3GPP TS 33.234, appropriate trust recommendations need to be outlin
23、ed to counteract the threats. This document describes trust recommendations for the usage models described in 3GPP. ETSI ETSI TR 133 905 V14.0.0 (2017-04)53GPP TR 33.905 version 14.0.0 Release 141 Scope This technical report investigates relevant trust standards and technologies, both existing as we
24、ll as the ones that are work-in-progress. It develops the recommendations for trusted open platforms for delivery of new applications and services to open platforms. 2 References The following documents contain provisions, which, through reference in this text, constitute provisions of the present d
25、ocument. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP documen
26、t (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.220: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Archit
27、ecture (GAA); Generic Bootstrapping Architecture“. 2 3GPP TS 33.234: “3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; 3G Security; Wireless Local Area Network (WLAN) interworking security“. 3 3GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 3 Defini
28、tions, symbols and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions given in TR 21.905 3 and the following apply. Application Specific Credentials: These are credentials e.g. keys, identifiers and related data, that are application specific
29、and need to be protected against malicious access and only to be released to authorized applications acting as a Orpheus client. The application specific credentials might be stored or generated in the UICC or in the Persephone server. The application specific credentials can be generated from a mas
30、ter secret, randomly or be set by the user. Charon Fine Grained Access Control: The access control policy in the terminal controls which authorized applications in the terminal have access to certain application specific application credentials, i.e., only certain application in the terminal is allo
31、wed to application specific credentials that can be used with certain applications. Coarse-grained access control policy: In GAA context, the access control policy in the terminal controls whether an application is authorized to have access to NAF specific GAA credentials. Therefore, the application
32、 has access to all possible NAF specific GAA credentials. The coarse-grained access control policy may be stored in the UICC or in the ME. Credential Generator: The credential generator generates the application specific credentials and the master secret. It might also generate directly the applicat
33、ion specific credentials without a master secret. The Credential Generator might be part of an application or co-hosted together with an application. ETSI ETSI TR 133 905 V14.0.0 (2017-04)63GPP TR 33.905 version 14.0.0 Release 14Fine-grained access control policy: In GAA context, the access control
34、policy in the terminal controls which authorized applications in the terminal have access to certain NAF specific GAA credentials, i.e., only certain application in the terminal is allowed to GAA credentials that can be used with certain NAFs. The fine-grained access control policy may be stored in
35、the UICC or in the ME. GAA Client: A software component in the terminal that communicates with a NAF in the network. The GAA client uses GAA credentials to authenticate and possibly otherwise secure the communication with the NAF in the network. GAA client uses the API provided by the GAA Server to
36、gain access to the GAA credentials. GAA Credentials: Consists of a bootstrapping transaction identifier (B-TID), one or two NAF specific keys, and a lifetime of those keys. If the terminal is equipped with GBA_U unaware UICC, then there is only one key (the GBA_ME NAF specific key) that derived by t
37、he GAA Server from the GAA master secret and given to the GAA client for further usage with the NAF. If the terminal is equipped with GBA_U aware UICC, then there are two keys that are derived from the GAA master secret in the UICC: one key (Ks_int_NAF) that stays and is used in the UICC, and one th
38、at is given to the ME and is used in the ME (Ks_ext_NAF similar to the GBA_U unaware key). GAA Master Secret: GAA master secret Ks 1 is established during the bootstrapping session between the terminal (i.e., GAA Server for GBA_ME and UICC for GBA_U) and the BSF. The GAA master secret is used as a k
39、ey to derive further NAF specific keys that can be used between the GAA clients and the NAFs. If the terminal is equipped with GBA_U unaware UICC, then the GAA Master secret is stored in the GAA server and GBA_ME is used. If the terminal is equipped with GBA_U aware UICC and GBA_U is used, then the
40、GAA Master Secret is stored in the UICC. GAA Master Secret stored in the GAA server corresponds to GAA Master Secret established with a terminal equipped with GBA_U unaware UICC (GBA_ME procedure used). GAA Server: The software component in the terminal responsible for communicating with the SIM/USI
41、M/ISIM application in the UICC, and with the BSF during bootstrapping procedure. The GAA server also functions as a public API towards the GAA clients in the terminal. Master Secret: The Master Secret is a master secret that servers as a basis for later key derivations. The Master Secret is establis
42、hed between the terminal (i.e., Persephone Server) and the network. The master secret is used as a key to derive further application specific credentials that can be used between the Orpheus clients and the application. Not every application derives its credentials from a master secret. Orpheus Clie
43、nt: A software component in the terminal that communicates with an application in the network. The Orpheus client application specific credentials to perform security functionalities. Orpheus Client uses the API provided by the Persephone Server to gain access to the Application Specific Credentials
44、. Persephone Server: The software component in the terminal responsible for communicating with the SIM/USIM/ISIM application in the UICC, and with external entities for possible key generation processes. The Persephone server also functions as a public API towards the Orpheus Clients in the terminal
45、. Styx Coarse Grained Access Control: The access control policy in the terminal controls whether an application is authorized to have access to application specific application credentials. Therefore, the application has access to all possible application specific credentials. NOTE: The Greek Mythol
46、ogy was used in this Technical Report to minimize conflicts with other existing security specifications. 3.2 Abbreviations The abbrevitations of TR 21.905 3 apply, for the Generic Authentication Architecture (GAA) specific abbreviations we refer to 1 and for the I-WLAN specific abbreviations see 2.
47、In case of conflict, 1 and 2 take precedence. ETSI ETSI TR 133 905 V14.0.0 (2017-04)73GPP TR 33.905 version 14.0.0 Release 144 Recommendations for trusted open platforms in 3GPP Release 7 4.1 Recommendations from the Generic Bootstrapping Architecture 4.1.1 Study of GBA in open trusted platforms Fig
48、ure 4-1 depicts the GAA related functionalities in the terminal. In relation to the GAA architecture, the GAA server communicates with the BSF server over Ub reference point, and with the UICC through the relevant device drivers, for example. The GAA client communicates over the network with a NAF s
49、erver and the GAA server to obtain the NAF specific GAA credentials. When a NAF server requests a GAA client to authenticate itself with GAA credentials, the client communicates with the GAA server for GAA credentials specific to that NAF. Terminal GAA server Device drivers GAA client UICC BSF NAF Ub Zn Ua Figure 4-1 GAA related modules in terminal The inherent feature of open platforms is that new applications can be installed to the terminal. In relation to GAA, this poses a security threat when a malicious application is installed in a type of terminal
