K.3 Shared key-based mutual authentication between UE and AF
3GPP TS 24.109: Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details (Release 17)
K.3.1 General
The TLS profile for GBA in clause 5.3.3.1 is modified with the AKMA AF taking the role of the NAF from GBA (see 3GPP TS 33.220 [1]) to support AKMA keys as follows:
– The profile for TLS and TLS Extensions to be used together with PSK TLS is defined in annex E of 3GPP TS 33.310 [25].
K.3.2 TLS 1.2
The PSK TLS handshake shall be used with bootstrapped security association as follows:
a) the ClientHello message shall contain one or more PSK-based ciphersuites;
b) the ClientHello message shall contain the server_name TLS extension and it shall contain the hostname of the AF;
c) the ServerHello message shall contain a PSK-based ciphersuite selected by the AF;
d) the ServerKeyExchange shall be sent by the server and it shall contain the psk_identity_hint field and it shall contain the static string "3GPP-AKMA";
e) the ClientKeyExchange shall contain the psk_identity field and it shall contain a prefix "3GPP-AKMA" and the A-KID. If the UE has a choice between GBA_Digest (see 3GPP TS 33.220 [1]) and AKMA keying, then the AF shall select AKMA over GBA_Digest; and
NOTE 1: The choice between AKMA and AKA-based GBA at the UE and the AF, if both are supported, is application dependent.
f) the UE and AF shall derive the TLS premaster secret from KAF (AKMA Application Key).
The authentication failures are supported as described in clause 5.3.3.2.
Clauses 5.3.3.3 and 5.3.3.4 are not supported as AKMA does not support deriving a fresh key in the same way as GBA.
NOTE 2: How a fresh key is derived for AKMA is up to Ua* protocol implementation.
K.3.3 TLS 1.3
The PSK TLS handshake shall be used with bootstrapped security association as follows:
1) The UE shall include in the ClientHello message:
a) an indication that it supports the TLS with PSK authentication using the "psk_key_exchange_modes" extension;
b) the hostname of the AF using the "server_name" TLS extension;
c) authentication methods other than PSK which the UE supports; and
d) PSK identities within the psk_identities field. The psk_identity parameters within the psk_identities field shall contain a prefix indicating the PSK identity name space, i.e. "3GPP-AKMA", a separator character ";" and the A-KID. The psk_identity parameters within the psk_identities field are separated by a comma character (",");
The UE shall derive the TLS external PSK from the AF specific key KAF.
2) If the AF is willing to establish a TLS tunnel using PSK authentication with AKMA keys, the AF shall reply with the ServerHello message and indicate the index of the AKMA psk_identity parameter. The AF concludes the TLS handshake by sending Finished message to the UE.
NOTE 1: The choice between AKMA and AKA-based GBA at the UE and the AF, if both are supported, is application dependent.
The AF shall derive the TLS external PSK from the AF specific key KAF.
3) The UE concludes the TLS handshake by sending Finished message to the AF.
Once the UE and the AF have established a TLS tunnel using AKMA-based shared secret, they may start to use the application level communication through this tunnel.
The authentication failures are supported as described in clause 5.3.3.2.
Clauses 5.3.3.3 and 5.3.3.4 are not supported as AKMA does not support deriving a fresh key in the same way as GBA.
NOTE 2: How a fresh key is derived for AKMA is up to Ua* protocol implementation.
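An added example (not part of the specification): AF-side parsing of the psk_identities value described in step 1 d) and selection of the index indicated in step 2. It assumes the identities are available as the comma-separated string the clause describes, that the index is 0-based, and that `known_a_kids` (a hypothetical name) holds the A-KIDs for which the AF already has KAF; all sample values are constructed.

```python
"""AF-side handling of the psk_identities value described in K.3.3 step 1 d)."""
from typing import NamedTuple, Optional

AKMA_NAMESPACE = "3GPP-AKMA"   # name space prefix given in the clause
NS_SEPARATOR = ";"             # between the prefix and the A-KID
ID_SEPARATOR = ","             # between psk_identity parameters


class AkmaChoice(NamedTuple):
    index: int   # position to indicate in ServerHello (assumed 0-based)
    a_kid: str   # key identifier the AF uses to find KAF


def parse_psk_identity(item: str) -> Optional[tuple]:
    """Split one psk_identity into (name space, identifier); None if malformed."""
    prefix, sep, ident = item.partition(NS_SEPARATOR)
    # Require the separator, non-empty parts on both sides, and no padding.
    if not sep or not prefix or not ident or item != item.strip():
        return None
    return prefix, ident


def select_akma_identity(psk_identities: str, known_a_kids) -> Optional[AkmaChoice]:
    """Return the first well-formed AKMA identity whose A-KID the AF knows.

    known_a_kids is a hypothetical container of A-KIDs for which the AF
    already holds KAF; how the AF obtains KAF is outside this example.
    """
    for index, item in enumerate(psk_identities.split(ID_SEPARATOR)):
        parsed = parse_psk_identity(item)
        if parsed is None:
            continue  # a malformed entry still occupies its index
        namespace, a_kid = parsed
        # Exact, case-sensitive match: "3GPP-AKMA-" or "3gpp-akma" is not AKMA.
        if namespace == AKMA_NAMESPACE and a_kid in known_a_kids:
            return AkmaChoice(index, a_kid)
    return None  # no usable AKMA identity: do not select an AKMA PSK


# Constructed sample input (not taken from the specification).
SAMPLE = ("EXAMPLE-NS;other-id,"
          "3GPP-AKMA-;spoofed@example.invalid,"
          "3GPP-AKMA;constructed-akid@example.invalid")
KNOWN = {"constructed-akid@example.invalid"}

if __name__ == "__main__":
    print(select_akma_identity(SAMPLE, KNOWN))
```

Matching the name space exactly and skipping entries without counting them out of the index keeps a look-alike prefix from being treated as an AKMA identity and keeps the indicated index aligned with the UE's list.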
Annex L (informative):
Change history
| Date | TSG # | TSG Doc. | CR | Rev | Subject/Comment | Old | New |
|---|---|---|---|---|---|---|---|
| 2004-09 | CN-25 | NP-040423 | | | The draft was approved, and 3GPP TS 24.109 was then to be issued in Rel-6 under formal change control. | 2.1.2 | 6.0.0 |
| 2004-12 | CN-25 | NP-040511 | 001 | 1 | Corrections and clarifications to clause 4 and example flows | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 002 | 1 | Corrections and clarifications to clause 5 and example flows in annex F | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 003 | 1 | Update of Authentication Proxy Procedures | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 005 | | Clarification of Ua usage | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 006 | 1 | Correction of User Agent Header | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 007 | 1 | B-TID transfer | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 008 | 1 | AP signalling flow example | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 010 | 1 | Editorials | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040512 | 009 | 1 | Authorization flag transfer between AP and AS | 6.0.0 | 6.1.0 |
| 2005-03 | CN-27 | NP-050082 | 011 | 1 | Editorial corrections | 6.1.0 | 6.2.0 |
| 2005-03 | CN-27 | NP-050130 | 012 | 2 | PSK TLS updates | 6.1.0 | 6.2.0 |
| 2005-06 | CP-28 | CP-050066 | 13 | 1 | Format of lifetime values | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 15 | 1 | User identify reference | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 16 | | Key material – Ks only | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 17 | 1 | Usage of Ks_int_NAF | 6.2.0 | 6.3.0 |
| 2005-09 | CP-29 | CP-050364 | 018 | 2 | NAF specific key derivation | 6.3.0 | 6.4.0 |
| 2005-09 | CP-29 | CP-050364 | 019 | | Missing separator character | 6.3.0 | 6.4.0 |
| 2005-09 | CP-29 | CP-050369 | 20 | 1 | Ks_int_NAF usage | 6.4.0 | 7.0.0 |
| 2005-12 | CP-30 | CP-050539 | 22 | | Reference correction | 7.0.0 | 7.1.0 |
| 2005-12 | CP-30 | CP-050551 | 23 | 1 | 2GGBA | 7.0.0 | 7.1.0 |
| 2006-03 | CP-31 | CP-060116 | 025 | | Extension of the XML schema | 7.1.0 | 7.2.0 |
| 2006-03 | CP-31 | CP-060116 | 027 | | Update of Reference PSK TLS | 7.1.0 | 7.2.0 |
| 2006-06 | CP-32 | CP-060279 | 028 | | Correction of message recipient in table caption | 7.2.0 | 7.3.0 |
| 2006-09 | CP-33 | CP-060454 | 0032 | 1 | Realm parameter on Ub interface | 7.3.0 | 7.4.0 |
| 2006-09 | CP-33 | CP-060454 | 0030 | 1 | Corrections of BSF examples | 7.3.0 | 7.4.0 |
| 2006-11 | CP-34 | CP-060657 | 0034 | – | Registration of content-type "application/vnd.3gpp.bsf+xml" | 7.4.0 | 7.5.0 |
| 2007-12 | CP-38 | CP-070787 | 0036 | | Interoperability problems for request on Ub reference point | 7.5.0 | 7.6.0 |
| 2008-12 | CP-42 | | | | Upgrade to Rel-8 | 7.6.0 | 8.0.0 |
| 2009-03 | CP-43 | CP-090160 | 0037 | 2 | Introduction of GBA Push within TS 24.109 – Upa Interface | 8.0.0 | 8.1.0 |
| 2009-06 | CP-44 | CP-090425 | 0038 | | Correction of key material on Upa Interface | 8.1.0 | 8.2.0 |
| 2009-06 | CP-44 | CP-090424 | 0039 | | Invalid XML schema bug fix | 8.1.0 | 8.2.0 |
| 2009-12 | CP-46 | | | | Upgrade to Rel-9 | 8.2.0 | 9.0.0 |
| 2010-06 | CP-18 | CP-100351 | 0041 | | Privacy for Private User Identity on Ub | 9.0.0 | 9.1.0 |
| 2011-03 | CP-51 | | | | Upgrade to Rel-10 | 9.1.0 | 10.0.0 |
| 2011-09 | CP-53 | CP-110650 | 0046 | | Updating of references to 24.228 | 10.0.0 | 10.1.0 |
| 2012-06 | CP-56 | CP-120321 | 0047 | 1 | GBA_Digest procedures for 24.109 | 10.1.0 | 11.0.0 |
| 2012-06 | CP-56 | CP-120307 | 0048 | 1 | Correct TLS version | 10.1.0 | 11.0.0 |
| 2012-09 | CP-57 | CP-120598 | 0049 | | Qop for GBA_Digest | 11.0.0 | 11.1.0 |
| 2012-09 | CP-57 | CP-120598 | 0050 | 1 | GBA_Digest procedures for Ua interface | 11.0.0 | 11.1.0 |
| 2012-09 | CP-57 | CP-120583 | 0051 | 1 | Update references for TLS Extensions and PSK cyphersuites | 11.0.0 | 11.1.0 |
| 2012-12 | CP-58 | CP-120794 | 0052 | 2 | Realization of GBA Push delivery | 11.1.0 | 11.2.0 |
| 2013-03 | CP-59 | CP-130130 | 0053 | 1 | Correction of header field names in flows | 11.2.0 | 12.0.0 |
| 2013-06 | CP-60 | CP-130265 | 0054 | 1 | Shared key-based UE authentication with certificate-based NAF authentication – compliance | 12.0.0 | 12.1.0 |
| 2013-06 | CP-60 | CP-130265 | 0055 | | Consistent usage of terminology and correction of flows | 12.0.0 | 12.1.0 |
| 2013-06 | CP-60 | CP-130265 | 0056 | | Corrections of references | 12.0.0 | 12.1.0 |
| 2013-12 | CP-62 | CP-130725 | 0062 | 2 | GBA mode selection in NAF | 12.1.0 | 12.2.0 |
| 2014-03 | CP-63 | CP-140132 | 0064 | 1 | Base64 encoding of NAF specific key material | 12.2.0 | 12.3.0 |
| 2015-03 | CP-67 | CP-150082 | 0065 | 2 | Determination of UTC time | 12.3.0 | 13.0.0 |
| 2016-03 | CP-71 | CP-160084 | 0067 | | Adding ability to signal BSF address in psk_identity_hint field for ProSe | 13.0.0 | 13.1.0 |

| Date | Meeting | TDoc | CR | Rev | Cat | Subject/Comment | New version |
|---|---|---|---|---|---|---|---|
| 2016-12 | CP-74 | CP-160752 | 0068 | | F | opaque parameter | 14.0.0 |
| 2018-06 | SA-80 | | | | | Automatic upgrade (MCC) | 15.0.0 |
| 2020-07 | SA-88e | – | – | – | | Update to Rel-16 version (MCC) | 16.0.0 |
| 2021-12 | CT#94e | CP-213031 | 0069 | | B | Update of HTTP Digest Access Authentication and reference update for HTTP/1.1 protocol | 17.0.0 |
| 2022-03 | CT#95e | CP-220284 | 0070 | 2 | B | Adding profiles of TLS to use AKMA keys | 17.1.0 |
| 2022-03 | CT#95e | CP-220273 | 0071 | 1 | B | GBA-based shared secret with PSK authentication in TLS 1.3 | 17.1.0 |
| 2022-06 | CT#96e | CP-221243 | 0072 | 1 | B | Adding AKMA based profile for TLS 1.3 | 17.2.0 |
| 2022-06 | CT#96e | CP-221243 | 0073 | 1 | F | Choosing between AKMA and AKA-based GBA at both UE and AF sides | 17.2.0 |
| 2022-06 | CT#96e | CP-221243 | 0074 | – | F | Fresh key derivation for AKMA | 17.2.0 |