1、 ETSI TR 133 905 V15.0.0 (2018-07) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Recommendations for Trusted Open Platforms (3GPP TR 33.905 version 15.0.0 Release 15) TECHNICAL REPORT ETSI ETSI TR 133 905 V15.0.0 (2018-07)13GPP T
2、R 33.905 version 15.0.0 Release 15Reference RTR/TSGS-0333905vf00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prf
3、ecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not b
4、e modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretar
5、iat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, ple
6、ase send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written per
7、mission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI regist
8、ered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and owned by the GSM Association. ETSI
9、 ETSI TR 133 905 V15.0.0 (2018-07)23GPP TR 33.905 version 15.0.0 Release 15Intellectual Property Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly availabl
10、e for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (
11、https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, e
12、ssential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduc
13、e any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership Project (
14、3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be
15、found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provi
16、sions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 905 V15.0.0 (2018-07)33GPP TR 33.905 version 15.0.0 Release 15Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 4g3Introduction 4g31 Sco
17、pe 5g32 References 5g33 Definitions, symbols and abbreviations . 5g33.1 Definitions 5g33.2 Abbreviations . 6g34 Recommendations for trusted open platforms in 3GPP Release 7 . 7g34.1 Recommendations from the Generic Bootstrapping Architecture 7g34.1.1 Study of GBA in open trusted platforms 7g34.1.2 R
18、ecommendation 10g34.2 Recommendations from I-WLAN 10g34.3 Generalized recommendations . 12g34.3.1 Study of credential security in open trusted platforms 12g34.3.2 Recommendation 14g3Annex A: Change history 15g3History 16g3ETSI ETSI TR 133 905 V15.0.0 (2018-07)43GPP TR 33.905 version 15.0.0 Release 1
19、5Foreword This Technical Report has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be r
20、e-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. y the second
21、digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. Introduction Securing the storage, processing, and input and output of sensitive data on an
22、open platform are of critical importance. Also, isolation of applications that are managing (U)SIMs and (U)SIM readers, EAP-SIM and EAP-AKA protocols, and SAP applications from untrusted applications is imperative. Protecting the interface between the trusted open platform and the UICC is also of cr
23、itical importance. Therefore, it is very much desirable that the Open Platform must have secure authentication and authorization mechanisms to protect against eavesdropping, and malicious modification of sensitive data and operator applications residing on the Open Platform. Consequently, for the di
24、verse 3GPP usage models of the Open Platform, such as the ones described in 3GPP TS 33.234, appropriate trust recommendations need to be outlined to counteract the threats. This document describes trust recommendations for the usage models described in 3GPP. ETSI ETSI TR 133 905 V15.0.0 (2018-07)53G
25、PP TR 33.905 version 15.0.0 Release 151 Scope This technical report investigates relevant trust standards and technologies, both existing as well as the ones that are work-in-progress. It develops the recommendations for trusted open platforms for delivery of new applications and services to open pl
26、atforms. 2 References The following documents contain provisions, which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. - For a specific referen
27、ce, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
28、1 3GPP TS 33.220: “3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture“. 2 3GPP TS 33.234: “3rd Generation Partnership Project; Technical Specification Group Service and System As
29、pects; 3G Security; Wireless Local Area Network (WLAN) interworking security“. 3 3GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 3 Definitions, symbols and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions given in TR 21.905 3 and the f
30、ollowing apply. Application Specific Credentials: These are credentials e.g. keys, identifiers and related data, that are application specific and need to be protected against malicious access and only to be released to authorized applications acting as a Orpheus client. The application specific cre
31、dentials might be stored or generated in the UICC or in the Persephone server. The application specific credentials can be generated from a master secret, randomly or be set by the user. Charon Fine Grained Access Control: The access control policy in the terminal controls which authorized applicati
32、ons in the terminal have access to certain application specific application credentials, i.e., only certain application in the terminal is allowed to application specific credentials that can be used with certain applications. Coarse-grained access control policy: In GAA context, the access control
33、policy in the terminal controls whether an application is authorized to have access to NAF specific GAA credentials. Therefore, the application has access to all possible NAF specific GAA credentials. The coarse-grained access control policy may be stored in the UICC or in the ME. Credential Generat
34、or: The credential generator generates the application specific credentials and the master secret. It might also generate directly the application specific credentials without a master secret. The Credential Generator might be part of an application or co-hosted together with an application. Fine-gr
35、ained access control policy: In GAA context, the access control policy in the terminal controls which authorized applications in the terminal have access to certain NAF specific GAA credentials, i.e., only certain ETSI ETSI TR 133 905 V15.0.0 (2018-07)63GPP TR 33.905 version 15.0.0 Release 15applica
36、tion in the terminal is allowed to GAA credentials that can be used with certain NAFs. The fine-grained access control policy may be stored in the UICC or in the ME. GAA Client: A software component in the terminal that communicates with a NAF in the network. The GAA client uses GAA credentials to a
37、uthenticate and possibly otherwise secure the communication with the NAF in the network. GAA client uses the API provided by the GAA Server to gain access to the GAA credentials. GAA Credentials: Consists of a bootstrapping transaction identifier (B-TID), one or two NAF specific keys, and a lifetime
38、 of those keys. If the terminal is equipped with GBA_U unaware UICC, then there is only one key (the GBA_ME NAF specific key) that derived by the GAA Server from the GAA master secret and given to the GAA client for further usage with the NAF. If the terminal is equipped with GBA_U aware UICC, then
39、there are two keys that are derived from the GAA master secret in the UICC: one key (Ks_int_NAF) that stays and is used in the UICC, and one that is given to the ME and is used in the ME (Ks_ext_NAF similar to the GBA_U unaware key). GAA Master Secret: GAA master secret Ks 1 is established during th
40、e bootstrapping session between the terminal (i.e., GAA Server for GBA_ME and UICC for GBA_U) and the BSF. The GAA master secret is used as a key to derive further NAF specific keys that can be used between the GAA clients and the NAFs. If the terminal is equipped with GBA_U unaware UICC, then the G
41、AA Master secret is stored in the GAA server and GBA_ME is used. If the terminal is equipped with GBA_U aware UICC and GBA_U is used, then the GAA Master Secret is stored in the UICC. GAA Master Secret stored in the GAA server corresponds to GAA Master Secret established with a terminal equipped wit
42、h GBA_U unaware UICC (GBA_ME procedure used). GAA Server: The software component in the terminal responsible for communicating with the SIM/USIM/ISIM application in the UICC, and with the BSF during bootstrapping procedure. The GAA server also functions as a public API towards the GAA clients in the
43、 terminal. Master Secret: The Master Secret is a master secret that servers as a basis for later key derivations. The Master Secret is established between the terminal (i.e., Persephone Server) and the network. The master secret is used as a key to derive further application specific credentials tha
44、t can be used between the Orpheus clients and the application. Not every application derives its credentials from a master secret. Orpheus Client: A software component in the terminal that communicates with an application in the network. The Orpheus client application specific credentials to perform
45、 security functionalities. Orpheus Client uses the API provided by the Persephone Server to gain access to the Application Specific Credentials. Persephone Server: The software component in the terminal responsible for communicating with the SIM/USIM/ISIM application in the UICC, and with external e
46、ntities for possible key generation processes. The Persephone server also functions as a public API towards the Orpheus Clients in the terminal. Styx Coarse Grained Access Control: The access control policy in the terminal controls whether an application is authorized to have access to application s
47、pecific application credentials. Therefore, the application has access to all possible application specific credentials. NOTE: The Greek Mythology was used in this Technical Report to minimize conflicts with other existing security specifications. 3.2 Abbreviations The abbrevitations of TR 21.905 3
48、apply, for the Generic Authentication Architecture (GAA) specific abbreviations we refer to 1 and for the I-WLAN specific abbreviations see 2. In case of conflict, 1 and 2 take precedence. ETSI ETSI TR 133 905 V15.0.0 (2018-07)73GPP TR 33.905 version 15.0.0 Release 154 Recommendations for trusted op
49、en platforms in 3GPP Release 7 4.1 Recommendations from the Generic Bootstrapping Architecture 4.1.1 Study of GBA in open trusted platforms Figure 4-1 depicts the GAA related functionalities in the terminal. In relation to the GAA architecture, the GAA server communicates with the BSF server over Ub reference point, and with the UICC through the relevant device drivers, for example. The GAA client communicates over the network with a NAF server and the GAA server to obtain the NAF specific GAA credentials. When a NAF server requests a GAA client to authent
