K.3 Shared key-based mutual authentication between UE and AF

3GPP TS 24.109: Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details (Release 17)

K.3.1 General

The TLS profile for GBA in clause 5.3.3.1 is modified with the AKMA AF taking the role of the NAF from GBA (see 3GPP TS 33.220 [1]) to support AKMA keys as follows:

– The profile for TLS and TLS Extensions to be used together with PSK TLS is defined in annex E of 3GPP TS 33.310 [25].

K.3.2 TLS 1.2

The PSK TLS handshake shall be used with bootstrapped security association as follows:

a) the ClientHello message shall contain one or more PSK-based ciphersuites;

b) the ClientHello message shall contain the server_name TLS extension and it shall contain the hostname of the AF;

c) the ServerHello message shall contain a PSK-based ciphersuite selected by the AF;

d) the ServerKeyExchange shall be sent by the server and it shall contain the psk_identity_hint field and it shall contain the static string "3GPP-AKMA";

e) the ClientKeyExchange shall contain the psk_identity field and it shall contain a prefix "3GPP-AKMA" and the A-KID. If the UE has a choice between GBA_Digest (see 3GPP TS 33.220 [1]) and AKMA keying, then the AF shall select AKMA over GBA_Digest; and

NOTE 1: The choice between AKMA and AKA-based GBA at the UE and the AF, if both are supported, is application dependent.

f) the UE and AF shall derive the TLS premaster secret from KAF (AKMA Application Key).

The authentication failures are supported as described in clause 5.3.3.2.

Clauses 5.3.3.3 and 5.3.3.4 are not supported as AKMA does not support deriving a fresh key in the same way as GBA.

NOTE 2: How a fresh key is derived for AKMA is up to Ua* protocol implementation.

K.3.3 TLS 1.3

The PSK TLS handshake shall be used with bootstrapped security association as follows:

1) The UE shall include in the ClientHello message:

a) an indication that it supports TLS with PSK authentication using the "psk_key_exchange_modes" extension;

b) the hostname of the AF using the "server_name" TLS extension;

c) authentication methods other than PSK which the UE supports; and

d) PSK identities within the psk_identities field. The psk_identity parameters within the psk_identities field shall contain a prefix indicating the PSK identity name space, i.e. "3GPP-AKMA", a separator character ";" and the A-KID. The psk_identity parameters within the psk_identities field are separated by a comma character (",");

The UE shall derive the TLS external PSK from the AF specific key KAF.

2) If the AF is willing to establish a TLS tunnel using PSK authentication with AKMA keys, the AF shall reply with the ServerHello message and indicate the index of the AKMA psk_identity parameter. The AF concludes the TLS handshake by sending the Finished message to the UE.

NOTE 1: The choice between AKMA and AKA-based GBA at the UE and the AF, if both are supported, is application dependent.

The AF shall derive the TLS external PSK from the AF specific key KAF.

3) The UE concludes the TLS handshake by sending the Finished message to the AF.

Once the UE and the AF have established a TLS tunnel using the AKMA-based shared secret, they may start to use application-level communication through this tunnel.

The authentication failures are supported as described in clause 5.3.3.2.

Clauses 5.3.3.3 and 5.3.3.4 are not supported as AKMA does not support deriving a fresh key in the same way as GBA.

NOTE 2: How a fresh key is derived for AKMA is up to Ua* protocol implementation.
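The psk_identity format of K.3.3 step 1) d) and the index selection of step 2), as an added example that is not part of the specification. The function names, the constructed A-KID value, the treatment of the A-KID as an opaque string without commas, and the choice to reject a malformed AKMA entry are assumptions of this example.

```python
"""PSK identity handling for the AKMA TLS 1.3 profile (added example)."""

AKMA_NAMESPACE = "3GPP-AKMA"    # name space prefix given in K.3.3 1) d)
SEPARATOR = ";"                 # between the prefix and the A-KID
LIST_SEPARATOR = ","            # between psk_identity parameters
MAX_IDENTITY_LEN = 2**16 - 1    # upper bound of a TLS 1.3 PskIdentity (RFC 8446)

# Constructed sample value; the A-KID is treated as an opaque string here.
SAMPLE_A_KID = "constructed-a-kid@example.invalid"


class PskIdentityError(ValueError):
    """An identity in the AKMA name space is malformed."""


def build_psk_identity(a_kid: str) -> str:
    """UE side: prefix, separator and A-KID, as in K.3.3 1) d)."""
    # Assumption of this example: an A-KID never contains the list separator.
    if not a_kid or LIST_SEPARATOR in a_kid:
        raise PskIdentityError("A-KID is empty or contains ','")
    identity = f"{AKMA_NAMESPACE}{SEPARATOR}{a_kid}"
    if len(identity.encode("utf-8")) > MAX_IDENTITY_LEN:
        raise PskIdentityError("psk_identity too long")
    return identity


def select_akma_identity(psk_identities: str):
    """AF side: return (index, a_kid) of the first AKMA identity, or None.

    The index is what the AF indicates in ServerHello (K.3.3 step 2).
    """
    for index, item in enumerate(psk_identities.split(LIST_SEPARATOR)):
        namespace, sep, a_kid = item.partition(SEPARATOR)
        # Compare the whole prefix: a startswith() test would also accept
        # look-alike name spaces such as "3GPP-AKMA-x".
        if namespace != AKMA_NAMESPACE:
            continue
        if not sep or not a_kid:
            # Policy chosen for this example: reject instead of skipping.
            raise PskIdentityError(f"malformed AKMA identity at index {index}")
        return index, a_kid
    return None


if __name__ == "__main__":
    offered = "EXAMPLE-OTHER;abc" + LIST_SEPARATOR + build_psk_identity(SAMPLE_A_KID)
    print(select_akma_identity(offered))
```

A `None` result means no identity in the AKMA name space was offered, so the AF has nothing to index in ServerHello.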

Annex L (informative):
Change history

Change history

| Date | TSG # | TSG Doc. | CR | Rev | Subject/Comment | Old | New |
|---|---|---|---|---|---|---|---|
| 2004-09 | CN-25 | NP-040423 | | | The draft was approved, and 3GPP TS 24.109 was then to be issued in Rel-6 under formal change control. | 2.1.2 | 6.0.0 |
| 2004-12 | CN-25 | NP-040511 | 001 | 1 | Corrections and clarifications to clause 4 and example flows | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 002 | 1 | Corrections and clarifications to clause 5 and example flows in annex F | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 003 | 1 | Update of Authentication Proxy Procedures | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 005 | | Clarification of Ua usage | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 006 | 1 | Correction of User Agent Header | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 007 | 1 | B-TID transfer | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 008 | 1 | AP signalling flow example | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040511 | 010 | 1 | Editorials | 6.0.0 | 6.1.0 |
| 2004-12 | CN-25 | NP-040512 | 009 | 1 | Authorization flag transfer between AP and AS | 6.0.0 | 6.1.0 |
| 2005-03 | CN-27 | NP-050082 | 011 | 1 | Editorial corrections | 6.1.0 | 6.2.0 |
| 2005-03 | CN-27 | NP-050130 | 012 | 2 | PSK TLS updates | 6.1.0 | 6.2.0 |
| 2005-06 | CP-28 | CP-050066 | 13 | 1 | Format of lifetime values | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 15 | 1 | User identify reference | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 16 | | Key material – Ks only | 6.2.0 | 6.3.0 |
| 2005-06 | CP-28 | CP-050066 | 17 | 1 | Usage of Ks_int_NAF | 6.2.0 | 6.3.0 |
| 2005-09 | CP-29 | CP-050364 | 018 | 2 | NAF specific key derivation | 6.3.0 | 6.4.0 |
| 2005-09 | CP-29 | CP-050364 | 019 | | Missing separator character | 6.3.0 | 6.4.0 |
| 2005-09 | CP-29 | CP-050369 | 20 | 1 | Ks_int_NAF usage | 6.4.0 | 7.0.0 |
| 2005-12 | CP-30 | CP-050539 | 22 | | Reference correction | 7.0.0 | 7.1.0 |
| 2005-12 | CP-30 | CP-050551 | 23 | 1 | 2GGBA | 7.0.0 | 7.1.0 |
| 2006-03 | CP-31 | CP-060116 | 025 | | Extension of the XML schema | 7.1.0 | 7.2.0 |
| 2006-03 | CP-31 | CP-060116 | 027 | | Update of Reference PSK TLS | 7.1.0 | 7.2.0 |
| 2006-06 | CP-32 | CP-060279 | 028 | | Correction of message recipient in table caption | 7.2.0 | 7.3.0 |
| 2006-09 | CP-33 | CP-060454 | 0032 | 1 | Realm parameter on Ub interface | 7.3.0 | 7.4.0 |
| 2006-09 | CP-33 | CP-060454 | 0030 | 1 | Corrections of BSF examples | 7.3.0 | 7.4.0 |
| 2006-11 | CP-34 | CP-060657 | 0034 | | Registration of content-type "application/vnd.3gpp.bsf+xml" | 7.4.0 | 7.5.0 |
| 2007-12 | CP-38 | CP-070787 | 0036 | | Interoperability problems for request on Ub reference point | 7.5.0 | 7.6.0 |
| 2008-12 | CP-42 | | | | Upgrade to Rel-8 | 7.6.0 | 8.0.0 |
| 2009-03 | CP-43 | CP-090160 | 0037 | 2 | Introduction of GBA Push within TS 24.109 – Upa Interface | 8.0.0 | 8.1.0 |
| 2009-06 | CP-44 | CP-090425 | 0038 | | Correction of key material on Upa Interface | 8.1.0 | 8.2.0 |
| 2009-06 | CP-44 | CP-090424 | 0039 | | Invalid XML schema bug fix | 8.1.0 | 8.2.0 |
| 2009-12 | CP-46 | | | | Upgrade to Rel-9 | 8.2.0 | 9.0.0 |
| 2010-06 | CP-18 | CP-100351 | 0041 | | Privacy for Private User Identity on Ub | 9.0.0 | 9.1.0 |
| 2011-03 | CP-51 | | | | Upgrade to Rel-10 | 9.1.0 | 10.0.0 |
| 2011-09 | CP-53 | CP-110650 | 0046 | | Updating of references to 24.228 | 10.0.0 | 10.1.0 |
| 2012-06 | CP-56 | CP-120321 | 0047 | 1 | GBA_Digest procedures for 24.109 | 10.1.0 | 11.0.0 |
| 2012-06 | CP-56 | CP-120307 | 0048 | 1 | Correct TLS version | 10.1.0 | 11.0.0 |
| 2012-09 | CP-57 | CP-120598 | 0049 | | Qop for GBA_Digest | 11.0.0 | 11.1.0 |
| 2012-09 | CP-57 | CP-120598 | 0050 | 1 | GBA_Digest procedures for Ua interface | 11.0.0 | 11.1.0 |
| 2012-09 | CP-57 | CP-120583 | 0051 | 1 | Update references for TLS Extensions and PSK cyphersuites | 11.0.0 | 11.1.0 |
| 2012-12 | CP-58 | CP-120794 | 0052 | 2 | Realization of GBA Push delivery | 11.1.0 | 11.2.0 |
| 2013-03 | CP-59 | CP-130130 | 0053 | 1 | Correction of header field names in flows | 11.2.0 | 12.0.0 |
| 2013-06 | CP-60 | CP-130265 | 0054 | 1 | Shared key-based UE authentication with certificate-based NAF authentication – compliance | 12.0.0 | 12.1.0 |
| 2013-06 | CP-60 | CP-130265 | 0055 | | Consistent usage of terminology and correction of flows | 12.0.0 | 12.1.0 |
| 2013-06 | CP-60 | CP-130265 | 0056 | | Corrections of references | 12.0.0 | 12.1.0 |
| 2013-12 | CP-62 | CP-130725 | 0062 | 2 | GBA mode selection in NAF | 12.1.0 | 12.2.0 |
| 2014-03 | CP-63 | CP-140132 | 0064 | 1 | Base64 encoding of NAF specific key material | 12.2.0 | 12.3.0 |
| 2015-03 | CP-67 | CP-150082 | 0065 | 2 | Determination of UTC time | 12.3.0 | 13.0.0 |
| 2016-03 | CP-71 | CP-160084 | 0067 | | Adding ability to signal BSF address in psk_identity_hint field for ProSe | 13.0.0 | 13.1.0 |

Change history

| Date | Meeting | TDoc | CR | Rev | Cat | Subject/Comment | New version |
|---|---|---|---|---|---|---|---|
| 2016-12 | CP-74 | CP-160752 | 0068 | | F | opaque parameter | 14.0.0 |
| 2018-06 | SA-80 | | | | | Automatic upgrade (MCC) | 15.0.0 |
| 2020-07 | SA-88e | | | | | Update to Rel-16 version (MCC) | 16.0.0 |
| 2021-12 | CT#94e | CP-213031 | 0069 | | B | Update of HTTP Digest Access Authentication and reference update for HTTP/1.1 protocol | 17.0.0 |
| 2022-03 | CT#95e | CP-220284 | 0070 | 2 | B | Adding profiles of TLS to use AKMA keys | 17.1.0 |
| 2022-03 | CT#95e | CP-220273 | 0071 | 1 | B | GBA-based shared secret with PSK authentication in TLS 1.3 | 17.1.0 |
| 2022-06 | CT#96e | CP-221243 | 0072 | 1 | B | Adding AKMA based profile for TLS 1.3 | 17.2.0 |
| 2022-06 | CT#96e | CP-221243 | 0073 | 1 | F | Choosing between AKMA and AKA-based GBA at both UE and AF sides | 17.2.0 |
| 2022-06 | CT#96e | CP-221243 | 0074 | | F | Fresh key derivation for AKMA | 17.2.0 |