7 Use of namespaces
This clause lists the namespaces that have been created either in this 3GPP specification or in 3GPP TS 29.229 [3], and the values assigned to existing namespaces managed by IANA.
7.1 AVP codes
This specification reserves the 3GPP vendor specific values 10415:400-499 and assigns values 10415:400-418 for the GAA from the 3GPP AVP Code namespace for 3GPP Diameter applications ([8]). The 3GPP vendor specific AVP code space is managed by 3GPP CT4. See section 6 for the assignment of the namespace in this specification.
Besides the Diameter base protocol AVPs specified in IETF RFC 6733 [33], this specification reuses the following AVPs from 3GPP TS 29.229 [3]:
Authentication-Session-State, User-Name, Public-User-Identity and SIP-Auth-Data-Item.
7.2 Experimental-Result-Code AVP values
This specification reserves Experimental-Result-Code AVP values 10415:2401-2409 and 10415:5401-5409. See section 6.2.
7.3 Command Code values
Only Command-Codes 310 and 303 from 3GPP TS 29.229 [3] are used in this specification.
This specification reuses only the Command-Code value, not the content of the original specification. The AVPs that are defined as required in 3GPP TS 29.229 [3] but are not needed in the Zh, Zn or Zpn interfaces are removed and are therefore not required in Zh, Zn or Zpn interface messages. All new AVPs for GAA are defined as optional, although they may be mandatory from the GAA viewpoint.
This specification does not assign new command codes to the 3GPP TS 29.229 [3].
Annex A (normative):
GBA-UserSecSettings XML definition
This annex contains the XML schema definition for an XML document carrying the GBA User Security Settings inside the GBA-UserSecSettings AVP in the Zh, Zn and Zpn interfaces.
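<?xml version="1.0" encoding="UTF-8"?>
<!-- XML schema for the GBA User Security Settings (GUSS) document carried inside the
     GBA-UserSecSettings AVP. Root element "guss" is used on Zh, "ussList" on Zn. -->
<xs:schema targetNamespace="urn:3gpp:gba:GBAGUSSSchema-R9:2010-02"
           xmlns:tns="urn:3gpp:gba:GBAGUSSSchema-R9:2010-02"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <!-- This import brings in the XML language attribute xml:lang.
       The schemaLocation is a hint only: a validator should resolve xml.xsd from a
       local copy rather than fetch it from the network while validating. -->
  <xs:import namespace="http://www.w3.org/XML/1998/namespace"
             schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <!-- Root element to be used in Zh reference point -->
  <xs:element name="guss" type="tns:gussType"/>
  <!-- Root element to be used in Zn reference point -->
  <xs:element name="ussList" type="tns:ussListType"/>
  <!-- Generic extension container: any elements, validated laxly (only where a
       declaration is known); reserved for compatible standard extensions -->
  <xs:complexType name="ExtensionType">
    <xs:sequence>
      <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- Extension of the guss element: optional GUSS timestamp, expressed in UTC with
       the "Z" designator, of the same type as the GUSS-Timestamp AVP -->
  <xs:complexType name="GUSSExtensionType">
    <xs:sequence>
      <xs:element name="timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <!-- Extension of the uss element: keyChoice is "ME-based-key", "UICC-based-key" or
       "ME-UICC-based-keys"; when absent, "ME-based-key" applies unless otherwise agreed -->
  <xs:complexType name="USSExtensionType">
    <xs:sequence>
      <xs:element name="keyChoice" type="xs:string" minOccurs="0" />
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <!-- The whole user's GBA specific data set; the "id" attribute is the user's IMPI,
       as carried in the User-Name AVP -->
  <xs:complexType name="gussType">
    <xs:sequence>
      <xs:element name="bsfInfo" type="tns:bsfInfoType" minOccurs="0"/>
      <xs:element name="ussList" type="tns:ussListType"/>
      <xs:element name="Extension" type="tns:GUSSExtensionType" minOccurs="0"/>
      <!-- namespace="##other": private extensions from any namespace except this schema's -->
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="id" type="xs:string"/>
  </xs:complexType>
  <!-- BSF specific information element:
       uiccType         "GBA" (default) or "GBA_U" (Ks_int_NAF also generated in the BSF)
       lifeTime         user-specific key lifetime in seconds (BSF default if absent)
       securityFeatures ";"-separated list of UE security features, e.g. "GPL_U" -->
  <xs:complexType name="bsfInfoType">
    <xs:sequence>
      <xs:element name="uiccType" type="xs:string" minOccurs="0" />
      <xs:element name="lifeTime" type="xs:integer" minOccurs="0" />
      <xs:element name="securityFeatures" type="xs:string" minOccurs="0" />
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- List of all the user's individual User Security Settings; the whole
       uss/Extension/any group may repeat, or be absent entirely -->
  <xs:complexType name="ussListType">
    <xs:sequence minOccurs="0" maxOccurs="unbounded">
      <xs:element name="uss" type="tns:ussType"/>
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- User Security Setting data:
       id       GAA service identifier (GSID), as in the GAA-Service-Identifier AVP
       type     GAA service type code (Annex B)
       nafGroup operator-internal NAF group the USS is valid for; if absent, only
                "id" is used to select this element -->
  <xs:complexType name="ussType">
    <xs:sequence>
      <xs:element name="uids" type="tns:uidsType"/>
      <xs:element name="flags" type="tns:flagsType"/>
      <xs:element name="Extension" type="tns:USSExtensionType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="id" use="required" type="xs:string"/>
    <xs:attribute name="type" use="required" type="xs:int"/>
    <xs:attribute name="nafGroup" use="optional" type="xs:string"/>
  </xs:complexType>
  <!-- User Public Identities for authentication; at least one uid is required
       (the sequence has minOccurs="1") -->
  <xs:complexType name="uidsType">
    <xs:sequence minOccurs="1" maxOccurs="unbounded">
      <xs:element name="uid" type="xs:string"/>
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- GAA Application type specific Authorization flag codes (Annex C); a flag that is
       present authorizes the corresponding service, a missing flag does not -->
  <xs:complexType name="flagsType">
    <xs:sequence minOccurs="0" maxOccurs="unbounded">
      <xs:element name="flag" type="xs:int"/>
      <xs:element name="Extension" type="tns:ExtensionType" minOccurs="0"/>
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>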
NOTE 1: The <xs:any> elements within the complex type ExtensionType allow for compatible standard extensions in future releases. The <xs:any namespace="##other"> elements within the other complex types allow for compatible private extensions.
The values are:
– The value of the attribute "id" in the element "guss" is the same as user’s IM Private Identity (IMPI) used in User-Name AVP.
– The value of the element "timestamp" in the element "guss" is the same type as GUSS-Timstamp used in GUSS-Timestamp AVP and indicates the timestamp of the GUSS. Timestamp value shall be expressed in UTC form, indicated by a time zone designator "Z" immediately following the time portion of the value.
– The value of the attribute "id" in the element "uss" is the same as service identifier (GSID) used in GAA-Service-Identifier AVP.
NOTE 2: In the case of the currently standardized 3GPP applications (cf. Annex B), the service identifier (GSID) is the same as the GAA Service Type Code, i.e. the "id" and the "type" attributes would have the same value. For example, in inter-operator GAA where the requesting BM-SC (i.e. NAF) is in a different operator network than the answering BSF, the BM-SC (NAF) can request a particular user's MBMS USS by using "4" for the GSID in the "id" attribute of the USS. If the BSF operator wishes to have different MBMS USSs for different BM-SCs (NAFs), it can use the nafGroup attribute to separate NAFs into specific groups, and each group would get a particular USS: <uss id="4" type="4" nafGroup="A"> would be given to NAFs in group A, and <uss id="4" type="4" nafGroup="B"> would be given to NAFs in group B when they request it. NAF groups are operator specific, i.e., the operator decides which USS is given to which NAF.
– The value of the element "uiccType" in the element "bsfInfo" is:
GBA to indicate the basic case, or
GBA_U to indicate that generation of Ks_int_NAF is also required in the BSF.
The default value is GBA.
– The value of the element "lifeTime" in the element "bsfInfo" indicates a user specific key lifetime (duration in seconds). If the lifeTime element is missing the default value in the BSF is used.
– The value of the optional element "securityFeatures" in the element "bsfInfo" indicates a user specific security feature list that the UE supports. If the securityFeatures element is missing, then the security features are not defined. If there is a list of several values, they are separated by ";". Defined values are:
– "GPL_U": The UICC supports Generic Push Layer on the UICC as specified in 3GPP TS 33.224 [30].
– The value of attribute "type" in the element "uss" is GAA service type code defined in annex B.
– The value of attribute "nafGroup" in the element "uss" is an operator internal group designator for a NAF group the USS is valid for. If this attribute is missing then only the attribute "id" is used for selection of this element.
– Values of the element "uid" are user’s public authentication identities from the HSS.
– Values of element "flag" are user’s authorization flag codes from the HSS for GAA service type indicated in the type attribute in the parent uss element. If an authorization flag exist the NAF have permission to give the corresponding service, otherwise not
– The value of the element "keyChoice" in the "Extension" element inside the "uss" element is "ME-based-key", i.e., Ks_ NAF or Ks_ext_NAF shall be used, or "UICC-based-key", i.e., Ks_int_NAF shall be used or "ME-UICC-based-keys", i.e., Ks_ext_NAF or Ks_int_NAF can be used. The value of this element indicates to the NAF, which key shall be used. If the keyChoice element is missing, then as a default the "ME-based-key" shall be used by the NAF unless a prior agreement exists that mandates to use "UICC-based-key" or "ME-UICC-based-keys".
In the following illustrative examples the values are italicised and underlined. The content of one User Security Setting tag is boxed.
<!-- Illustrative GUSS document (Zh root element "guss"). The "id" attribute is the
     user's IMPI as carried in the User-Name AVP; lines shown as "…" stand for further
     uid / flag / uss entries omitted from the example. -->
<guss id="358500004836551@ims.mnc050.mcc358.3gppnetwork.org">
  <bsfInfo>
    <!-- user-specific key lifetime, in seconds; uiccType is absent, so "GBA" applies -->
    <lifeTime>86400</lifeTime>
  </bsfInfo>
  <ussList>
    <!-- id: GSID; type: GAA service type code 1 = PKI-Portal (Annex B);
         nafGroup: operator-defined NAF group this USS is valid for -->
    <uss id="1" type="1" nafGroup="A">
      <uids>
        <uid>tel:358504836551</uid>
        <uid>lauri.laitinen@example.com</uid>
        …
      </uids>
      <flags>
        <!-- PKI-Portal flag 1 = authentication allowed (Annex C); flag 2 (non-repudiation) absent -->
        <flag>1</flag>
        …
      </flags>
      <Extension>
        <!-- Ks_NAF / Ks_ext_NAF is to be used by the NAF -->
        <keyChoice>ME-based-key</keyChoice>
      </Extension>
    </uss>
    …
  </ussList>
</guss>
The above GAA User Security Settings example for user "358500004836551@ ims.mnc050.mcc358.3gppnetwork.org" defines that for PKI-Portal (GAA service type code is 1) services are allowed for user identities "tel:358504836551" and "lauri.laitinen@example.com" and authentication is allowed (flag 1 exists) but non-repudiation is not allowed (flag 2 is missing) to NAFs that provide the GAA service identified by "1" GAA Service Identifier. This particular USS for PKI-Portal is intended to be used only with a NAF group that is labeled as "A" (NAF groupings and NAFs that belong to these groups are specified by the MNO). Additionally, the key choice for the PKI-Portal should use only ME based key (as key keyChoice is set to "ME-based-key"). The BSF shall not generate UICC-Ks, because uiccType is missing. A special key lifetime defines that the duration after which the key expires is 86400 seconds.
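<![CDATA[<?xml version='1.0'?>
<!-- Inner ussList document: skipped by the parser of the outer message and parsed
     by the receiving application itself (see NOTE 3); that parser should treat it
     as untrusted input (no DTD / external entity resolution). -->
<ussList>
  <uss id="1" type="1">
    <uids>
      <uid>tel:358504836551</uid>
      <uid>lauri.laitinen@example.com</uid>
    </uids>
    <flags>
      <flag>1</flag>
    </flags>
    <Extension>
      <keyChoice>ME-based-key</keyChoice>
    </Extension>
  </uss>
</ussList>
]]>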
The above is an example of how the value of "GAA-UserSecSettings" in the Diameter based Zn reference point and "ussList" in the Web Services based Zn reference point is populated.
NOTE 3: The BSF has removed the "nafGroup" attribute from "uss" element. Also, the XML document has been surrounded by "<![CDATA[" and "]]>" tags, so that the XML parser handling the outer message (i.e., in Web Services case) will not parse the ussList. The ussList will be parsed by the application itself handling the incoming message.
Below is an example illustrating the usage of the flag for service authorization. The content of one User Security Setting tag is boxed.
<!-- Illustrative GUSS document showing authorization flag usage. The "id" attribute is
     the user's IMPI as carried in the User-Name AVP; lines shown as "…" stand for
     further uid / flag / extension / uss entries omitted from the example. -->
<guss id="358501234567@ims.mnc050.mcc358.3gppnetwork.org">
  <bsfInfo>
    <!-- user-specific key lifetime, in seconds -->
    <lifeTime>86400</lifeTime>
  </bsfInfo>
  <ussList>
    <!-- id: GSID; type: GAA service type code 8 = ANDSF (Annex B);
         nafGroup: operator-defined NAF group this USS is valid for -->
    <uss id="8" type="8" nafGroup="A">
      <uids>
        <uid>tel:358501234567</uid>
        <uid>pekka.mustermann@example.com</uid>
        …
      </uids>
      <flags>
        <!-- ANDSF flag 1 = authorized according to the policy stored in the ANDSF server (Annex C) -->
        <flag>1</flag>
        …
      </flags>
      <Extension>
        <!-- Ks_NAF / Ks_ext_NAF is to be used by the NAF -->
        <keyChoice>ME-based-key</keyChoice>
        …
      </Extension>
    </uss>
    …
  </ussList>
</guss>
The above GAA User Security Settings example for user "358501234567@ ims.mnc050.mcc358.3gppnetwork.org" defines that for ANDSF (GAA service type code is 8) services are allowed for user identities "tel:358501234567" and "pekka.mustermann@example.com" and authentication is allowed (flag 1 exists) i.e. the user is authorized to use the ANDSF service according to the policy stored in the ANDSF server. If the flag contains a 0 or is missing, the stated user identities would not be authorized to use the GAA service identified by "8" GAA Service Identifier. Additionally, the key choice for the ANDSF should use only ME based key (as key keyChoice is set to "ME-based-key").
Analogously, the authorization flag is used for OpenID GBA Interworking (GAA Service Type Code 11): authentication is allowed (flag 1 exists), i.e. the user is authorized to use the OpenID-GBA Interworking service. If the flag contains a 0 or is missing, the stated user identities would not be authorized to use the GAA service identified by GAA Service Identifier "11". Additionally, the OpenID/GBA Interworking should use only the ME-based key if the keyChoice extension is set to "ME-based-key".
Annex B (normative): GAA Service Type Codes
The GAA Service Type Code values are used in GAA to indicate interpretation, coding and usage of GAA service type specific data.
For example, each GAA service type may have its own set of authorization flags. The meaning and coding of these flags are defined in Annex C. There may also be proprietary GAA service types with their own definitions in the future.
Code values 0 – 999999 are reserved for standardized GAA service types.
The following values are defined for standardized GAA service types with 3GPP specification:
0 Unspecific service
1 PKI-Portal
2 Authentication Proxy
3 Presence
4 MBMS
5 Liberty Alliance Project (see [15])
6 UICC – Terminal Key Establishment (see [17])
7 Terminal – Remote Device Key Establishment (see [18])
8 ANDSF (see [24])
9 GBA Push (see [25])
10 IMS based PSS MBMS (see [26])
11 OpenID GBA Interworking (see [29])
12 Generic Push Layer (see [30])
The default value is 0. An unspecific service may or may not have user security settings, which may or may not contain a list of public identities. An unspecific service cannot have specified authorization flags or other service type specific data.
Annex C (normative): GAA Authorization flag codes
For GAA services which have a defined set of special authorization flag codes the following rule holds: the service specified by a GAA authorization flag code is allowed for a user only if the user's user security setting contains that flag.
The following standardised GAA service types listed in Annex B have the following special authorization flag codes:
PKI-Portal (1)
1 Authentication allowed
2 Non-repudiation allowed
ANDSF (8)
0 Not authorized
1 Authorized according to policy stored in ANDSF server
OpenID Interworking (13)
0 Not authorized
1 Authorized
Annex D (normative):
Web Services Definition for Zn interface
This annex contains the Web Services Definition Language (WSDL) [14] for the Zn interface:
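<?xml version="1.0" encoding="UTF-8"?>
<!-- WSDL for the Web Services based Zn interface: a NAF requests bootstrapping
     information (key material and user security settings) from the BSF. -->
<wsdl:definitions name="GBAService"
                  targetNamespace="urn:3gpp:gba:GBAService:2010-02"
                  xmlns:typens="urn:3gpp:gba:GBAService:2010-02"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <wsdl:types>
    <xsd:schema targetNamespace="urn:3gpp:gba:GBAService:2010-02">
      <!-- Extension element definition: any elements, validated laxly -->
      <xsd:complexType name="tExtension">
        <xsd:sequence>
          <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
      </xsd:complexType>
      <!-- Request Bootstrapping info request parameter definitions -->
      <xsd:element name="requestBootstrappingInfoRequest">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="btid" type="xsd:string"/>
            <xsd:element name="nafid" type="xsd:base64Binary"/>
            <!-- zero or more GAA service identifiers whose USS is requested -->
            <xsd:element name="gsid" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
            <xsd:element name="gbaUAware" type="xsd:boolean" minOccurs="0"/>
            <xsd:element name="extension" type="typens:tExtension" minOccurs="0"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
      <!-- Request Bootstrapping info response parameter definitions -->
      <xsd:element name="requestBootstrappingInfoResponse">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="impi" type="xsd:string" minOccurs="0"/>
            <xsd:element name="meKeyMaterial" type="xsd:base64Binary"/>
            <xsd:element name="uiccKeyMaterial" type="xsd:base64Binary" minOccurs="0"/>
            <xsd:element name="keyExpiryTime" type="xsd:dateTime"/>
            <xsd:element name="bootstrappingInfoCreationTime" type="xsd:dateTime"/>
            <xsd:element name="gbaType" type="xsd:string" minOccurs="0"/>
            <!-- ussList carries a complete ussList XML document (Annex A) as a string,
                 wrapped in CDATA by the sender so the SOAP layer does not parse it; the
                 receiving application parses it itself and should treat it as untrusted
                 input (no DTD / external entity resolution, bounded size and depth). -->
            <xsd:element name="ussList" type="xsd:string" minOccurs="0"/>
            <xsd:element name="extension" type="typens:tExtension" minOccurs="0"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
      <!-- Request Bootstrapping info fault parameter definitions -->
      <xsd:element name="requestBootstrappingInfoFault">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="errorCode" type="xsd:integer"/>
            <xsd:element name="errorText" type="xsd:string" minOccurs="0"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="requestBootstrappingInfoRequestMessage">
    <wsdl:part name="body" element="typens:requestBootstrappingInfoRequest"/>
  </wsdl:message>
  <wsdl:message name="requestBootstrappingInfoResponseMessage">
    <wsdl:part name="body" element="typens:requestBootstrappingInfoResponse"/>
  </wsdl:message>
  <wsdl:message name="requestBootstrappingInfoFaultMessage">
    <wsdl:part name="body" element="typens:requestBootstrappingInfoFault"/>
  </wsdl:message>
  <wsdl:portType name="GBAServicePortType">
    <wsdl:operation name="requestBootstrappingInfo">
      <wsdl:input message="typens:requestBootstrappingInfoRequestMessage"/>
      <wsdl:output message="typens:requestBootstrappingInfoResponseMessage"/>
      <wsdl:fault name="FaultName" message="typens:requestBootstrappingInfoFaultMessage"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="GBAServiceBinding" type="typens:GBAServicePortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="requestBootstrappingInfo">
      <!-- NOTE(review): the soapAction keeps a 2007-05 version segment while the target
           namespace is 2010-02; confirm this is intentional before aligning them -->
      <soap:operation soapAction="urn:3gpp:gba:GBAServiceAction:2007-05"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
      <wsdl:fault name="FaultName">
        <soap:fault name="FaultName" use="literal"/>
      </wsdl:fault>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="GBAService">
    <wsdl:port name="GBAServicePort" binding="typens:GBAServiceBinding">
      <!-- add SOAP address location URI below (placeholder value, deployment specific) -->
      <soap:address location="http://add.here.uri.to/GBAService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>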
Annex E (informative):
Liberty authentication context definitions for GBA