1、 ETSI TS 1Universal Mobile TelBootstrand network appP(3GPP TS 24.1TECHNICAL SPECIFICATION124 109 V13.1.0 (2016elecommunications System (LTE; strapping interface (Ub) pplication function interface (Protocol details .109 version 13.1.0 Release 1316-04) (UMTS); e (Ua); 13) ETSI ETSI TS 124 109 V13.1.0
2、(2016-04)13GPP TS 24.109 version 13.1.0 Release 13Reference RTS/TSGC-0124109vd10 Keywords LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-
3、Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall no
4、t be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secre
5、tariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please sen
6、d your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission
7、 of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETS
8、I logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 124 109 V
9、13.1.0 (2016-04)23GPP TS 24.109 version 13.1.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, an
10、d can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the
11、 ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Fore
12、word This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the cor
13、responding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “ca
14、nnot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 124 109 V13.1.0 (2016-04)33GPP TS 24.109 version 13.1.0 Rele
15、ase 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 6g31 Scope 7g32 References 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 9g34 Generic Bootstrapping Architecture; Ub interface . 10g34.1 Introduction 10g34.2 Bootstrapp
16、ing procedure 11g34.3 User authentication failure . 12g34.4 Network authentication failure . 12g34.5 Synchronization failure 12g34A Generic Bootstrapping Achitecture Push; Upa . 12g34A.1 Introduction 12g34A.2 Bootstrapping procedure 13g34A.3 User authentication failure . 14g34A.4 Network authenticat
17、ion failure . 14g34A.5 Synchronization failure 14g35 Network application function; Ua interface . 14g35.1 Introduction 14g35.2 HTTP Digest authentication . 14g35.2.1 General 14g35.2.2 Authentication procedure 15g35.2.2.1 General 15g35.2.3 Authentication failures 16g35.2.4 Bootstrapping required indi
18、cation . 16g35.2.5 Bootstrapping renegotiation indication . 16g35.2.6 Integrity protection . 16g35.3 UE and NAF authentication using HTTPS . 16g35.3.1 General 16g35.3.2 Shared key-based UE authentication with certificate-based NAF authentication . 17g35.3.2.1 Authentication procedure 17g35.3.2.2 Aut
19、hentication failures 17g35.3.2.3 Bootstrapping required indication . 18g35.3.2.4 Bootstrapping renegotiation indication . 18g35.3.3 Shared key-based mutual authentication between UE and NAF 18g35.3.3.1 Authentication procedure 18g35.3.3.2 Authentication failures 19g35.3.3.3 Bootstrapping required in
20、dication . 19g35.3.3.4 Bootstrapping renegotiation indication . 19g35.3.4 Certificate based mutual authentication between UE and application server . 19g35.3.5 Integrity protection . 20g36 PKI portal, Ua interface 20g36.1 Introduction 20g36.2 Subscriber certificate enrolment . 20g36.2.1 Enrolment pr
21、ocedure. 20g36.2.2 WIM specific authentication code for key generation 22g36.2.3 WIM specific authentication code for proof of key origin 22g3ETSI ETSI TS 124 109 V13.1.0 (2016-04)43GPP TS 24.109 version 13.1.0 Release 136.2.4 Error situations 23g36.3 CA certificate delivery . 23g36.3.1 CA certifica
22、te delivery procedure . 24g36.3.2 Error situations 24g37 Authentication Proxy 25g37.1 Introduction 25g37.2 Authentication 26g37.3 Authorization 26g3Annex A (informative): Signalling flows of bootstrapping procedure . 27g3A.1 Scope of signalling flows . 27g3A.2 Introduction 27g3A.2.1 General . 27g3A.
23、2.2 Key required to interpret signalling flows 27g3A.3 Signalling flows demonstrating a successful bootstrapping procedure 27g3A.4 Signalling flows demonstrating a synchronization failure in the bootstrapping procedure . 31g3Annex A1 (informative): Signalling flows of GBA Push procedure. 34g3A1.1 Sc
24、ope of signalling flows . 34g3A1.2 Introduction 34g3A1.2.1 General . 34g3A1.2.2 Key required to interpret signalling flows 34g3A1.3 Signalling flows demonstrating a successful GBA Push procedure . 34g3Annex B (informative): Signalling flows for HTTP Digest Authentication with bootstrapped security a
25、ssociation 37g3B.1 Scope of signalling flows . 37g3B.2 Introduction 37g3B.2.1 General . 37g3B.2.2 Key required to interpret signalling flows 37g3B.3 Signalling flows demonstrating a successful authentication procedure . 37g3Annex C (normative): XML Schema Definition 42g3C.1 Introduction 42g3Annex D
26、(informative): Signalling flows for Authentication Proxy . 43g3D.1 Scope of signalling flows . 43g3D.2 Introduction 43g3D.2.1 Key required to interpret signalling flows 43g3D.3 Signalling flow demonstrating a successful authentication procedure . 43g3Annex E (informative): Signalling flows for PKI p
27、ortal . 49g3E.1 Scope of signalling flows . 49g3E.2 Introduction 49g3E.2.1 General . 49g3E.2.2 Key required to interpret signalling flows 49g3E.3 Signalling flows demonstrating a successful subscriber certificate enrolment 49g3E.3.1 Simple subscriber certificate enrolment . 49g3E.3.2 Subscriber cert
28、ificate enrolment with WIM authentication codes 53g3E.4 Signalling flows demonstrating a failure in subscriber certificate enrolment 60g3ETSI ETSI TS 124 109 V13.1.0 (2016-04)53GPP TS 24.109 version 13.1.0 Release 13E.5 Signalling flows demonstrating a successful CA certificate delivery 60g3E.6 Sign
29、alling flows demonstrating a failure in CA certificate delivery 64g3Annex F (informative): Signalling flows for PSK TLS with bootstrapped security association . 65g3F.1 Scope of signalling flows . 65g3F.2 Introduction 65g3F.2.1 General . 65g3F.2.2 Key required to interpret signalling flows 65g3F.3 S
30、ignalling flow demonstrating a successful PSK TLS authentication procedure 66g3Annex G (normative): 3GPP specific extension-headers for HTTP entity-header fields 69g3G.1 General . 69g3G.2 X-3GPP-Intended-Identity extension-header . 69g3G.3 X-3GPP-Asserted-Identity extension-header . 69g3G.4 X-3GPP-A
31、uthorization-Flags extension-header . 69g3Annex H (normative): 2G GBA . 71g3H.1 Introduction 71g3H.2 2G GBA bootstrapping procedure 71g3H.3 User authentication failure . 72g3H.4 Network authentication failure . 72g3Annex I (normative): GBA_Digest 73g3I.1 Introduction 73g3I.2 GBA_Digest bootstrapping
32、 procedure . 73g3I.3 User authentication failure . 74g3I.4 Network authentication failure . 74g3Annex J (Normative): Realization of GBA Push delivery 75g3J.1 Introduction 75g3J.2 GPI delivery using WAP Push . 75g3J.2.1 General . 75g3J.2.2 Push-NAF procedures 75g3J.2.3 UE procedures 76g3J.2.3.1 Recep
33、tion of GPI in push message . 76g3J.3 PDUs and parameters specific to the present document 77g3J.3.1 GPI envelope 77g3J.3.1.1 General 77g3J.3.1.2 Structure 77g3J.3.1.3 GPI envelope short code values 77g3J.3.1.4 IANA registration template. 77g3Annex K (informative): Change history . 79g3History 81g3E
34、TSI ETSI TS 124 109 V13.1.0 (2016-04)63GPP TS 24.109 version 13.1.0 Release 13Foreword This Technical Specification has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TS
35、G approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approv
36、al; 3 or greater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETS
37、I TS 124 109 V13.1.0 (2016-04)73GPP TS 24.109 version 13.1.0 Release 131 Scope The present document defines stage 3 for the HTTP Digest AKA 6 based implementation of Ub interface (UE-BSF), the Disposable-Ks model based implementation of Upa interface (NAF-UE) and the HTTP Digest 9 and the PSK TLS ba
38、sed implementation of bootstrapped security association usage over Ua interface (UE-NAF) in Generic Authentication Architecture (GAA) as specified in 3GPP TS 33.220 1. The purpose of the Ub interface is to create a security association between UE and BSF for further usage in GAA applications. The pu
39、rpose of the Upa interface is to provide a push mechanism to created a bootstrapped security association between the UE and NAF for secure communication of pushed messages. The purpose of the Ua interface is to use the so created bootstrapped security association between UE and NAF for secure commun
40、ication. The present document also defines stage 3 for the Authentication Proxy usage as specified in 3GPP TS 33.222 5. The present document also defines stage 3 for the subscriber certificate enrolment as specified in 3GPP TS 33.221 4 which is one realization of the Ua interface. The subscriber cer
41、tificate enrolment uses the HTTP Digest based implementation of bootstrapped security association usage to enrol a subscriber certificate and the delivery of a CA certificate. 2 References The following documents contain provisions, which, through reference in this text, constitute provisions of the
42、 present document. References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP doc
43、ument (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document. 1 3GPP TS 33.220: “Generic Authentication Architecture (GAA); Generic bootstrapping architecture“. 2 3GPP TR 33.919: “Generic Authenticatio
44、n Architecture (GAA); System description“. 3 3GPP TS 29.109: “Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Protocol details“. 4 3GPP TS 33.221: “Generic Authentication Architecture (GAA); Support for Subscriber Certificates“. 5 3GPP TS 33.222: “Gene
45、ric Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)“. 6 IETF RFC 3310: “Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)“. 7 3GPP TS 23.003: “Number
46、ing, addressing and identification“. 8 IETF RFC 3023: “XML Media Types“. 9 IETF RFC 2617: “HTTP Authentication: Basic and Digest Access Authentication“. 10 IETF RFC 3548: “The Base16, Base32, and Base64 Data Encodings“. 11 Void. 12 IETF RFC 2818: “HTTP over TLS“. ETSI ETSI TS 124 109 V13.1.0 (2016-0
47、4)83GPP TS 24.109 version 13.1.0 Release 1313 3GPP TS 24.228 Release 5: “Signalling flows for the IP multimedia call control based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3“. 14 IETF RFC 2616: “Hypertext Transfer Protocol - HTTP/1.1“. 15 Void. 16 PKCS#10 v1
48、.7: “Certification Request Syntax Standard“. NOTE: ftp:/ 17 WAP Forum: “WPKI: Wireless Application Protocol; Public Key Infrastructure Definition“ NOTE: http:/www1.wapforum.org/tech/documents/WAP-217-WPKI-20010424-a.pdf. 18 Void. 19 Open Mobile Alliance: “ECMAScript Crypto Object“ NOTE: http:/www.op
49、enmobilealliance.org. 20 Open Mobile Alliance: “WPKI“ NOTE: http:/member.openmobilealliance.org/ftp/public_documents/SEC/Permanent_documents/. 21 3GPP TS 33.203: “3G security; Access security for IP-based services“. 22 IETF RFC 2234: “Augmented BNF for Syntax Specifications: ABNF“. 23 Void. 24 3GPP TS 33.223: “Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function“. 25 3GPP TS 33.310: “Network Domain Security (ND
