N.2 GAA/GBA SBA Services

3GPP TS 33.220: Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)

N.2.1 HSS Services

N.2.1.1 General

An SBI capable HSS supports providing the authentication vectors and the subscription profile, i.e. GUSS, to an SBI capable BSF via service-based interfaces.

The following table shows the GBA services exposed by an SBI capable HSS.

Table N.2.1.1-1: GBA Services provided by an SBI capable HSS

Service                                         | Service Operations | Operation Semantics | Example Consumer(s)
Nhss_GbaSubscriberDataManagement (Nhss_GbaSDM)  | Get                | Request/Response    | BSF
                                                | Subscribe          | Subscribe/Notify    | BSF
                                                | Unsubscribe        | Subscribe/Notify    | BSF
                                                | Notification       | Subscribe/Notify    | BSF
Nhss_GbaUEAuthentication                        | Get                | Request/Response    | BSF

N.2.1.2 Nhss_GbaSubscriberDataManagement (GbaSDM) service

N.2.1.2.1 General

The GBA Subscriber data types (e.g. GUSS) used in the Nhss_GbaSDM service are defined in Table N.2.1.2.1-1 below.

Table N.2.1.2.1-1: GBA Subscriber data types

GBA Subscriber data | Description
GUSS                | This includes the GBA User Security Settings. GUSS is consumed by the BSF.

Each GBA Subscriber Data Type requires at least one mandatory data key to identify the corresponding data, as defined in Table N.2.1.2.1-2 below.

Table N.2.1.2.1-2: GBA Subscriber data types keys

GBA Subscriber Data Types | Data Key      | Data Sub Key
GUSS                      | User Identity |

NOTE: User Identity shall be one of IMSI, MSISDN, IMPI, IMPU.

N.2.1.2.2 Nhss_GbaSDM_Get service operation

Service operation name: Nhss_GbaSDM_Get

Description: This service operation enables the NF consumer to fetch the GBA User Security Settings (GUSS) for the end user.

The HSS shall check that the requesting NF consumer is authorized to fetch the requested data.

Inputs, Required: NF Type, GBA Subscriber data type(s), Key for GBA Subscriber data type(s).

Inputs, Optional: None.

Outputs, Required: Result indication.

Outputs, Optional: Requested Data.

N.2.1.2.3 Nhss_GbaSDM_Subscribe service operation

Service operation name: Nhss_GbaSDM_Subscribe

Description: The NF consumer subscribes for updates to the requested data. The HSS shall check that the requesting NF consumer is authorized to subscribe to the requested updates.

Inputs, Required: NF Type, GBA Subscriber data type(s), Key for GBA Subscriber data type(s).

Inputs, Optional: None.

Outputs, Required: Result indication.

Outputs, Optional: Subscription Data.

N.2.1.2.4 Nhss_GbaSDM_Unsubscribe service operation

Service operation name: Nhss_GbaSDM_Unsubscribe

Description: The NF consumer unsubscribes for updates to Requested data.

Inputs, Required: GBA Subscriber data type(s), Key for GBA Subscriber data type(s).

Inputs, Optional: None.

Outputs, Required: Result indication.

Outputs, Optional: None.

N.2.1.2.5 Nhss_GbaSDM_Notification service operation

Service operation name: Nhss_GbaSDM_Notification

Description: This service operation enables the HSS to notify an NF consumer of any changes to the data the NF consumer subscribed to.

Inputs, Required: GBA Subscriber data type(s), Key for each GBA Subscriber data type.

Inputs, Optional: None.

Outputs, Required: Result indication.

Outputs, Optional: None.

N.2.1.3 Nhss_GbaUEAuthentication service

N.2.1.3.1 Nhss_GbaUEAuthentication_Get service operation

Service operation name: Nhss_GbaUEAuthentication_Get

Description: This service operation is used between the BSF and the HSS to request the authentication data of the end user.

Inputs, Required: User Identity(-ies), Authentication Data (Authentication Scheme).

User Identity shall be one of IMSI, MSISDN, IMPI, IMPU. At least one User Identity shall be present.

Inputs, Optional: None.

Outputs, Required: Result Indication.

Outputs, Optional: User Identity, Authentication Data (e.g. AV).

If only an MSISDN or IMPU is present in the request, the HSS returns the corresponding IMSI or IMPI in the response.

N.2.2 UDM Services

N.2.2.1 General

A UDM supports providing the GBA-AKA authentication vectors via the Nudm_UEAuthentication_GetGbaAv service operation.

The following table shows the services exposed by UDM supporting GBA.

Table N.2.2.1-1: GBA Services provided by UDM

Service

Service Operations

Operation Semantics

Example Consumer(s)

Nudm_UEAuthentication

GetGbaAv

Request/Response

BSF

N.2.2.2 Nudm_UEAuthentication Service

N.2.2.2.1 Nudm_UEAuthentication_GetGbaAv service operation

Service operation name: Nudm_UEAuthentication_GetGbaAv

Description: This service operation is used by the BSF to fetch the authentication data for the UE.

Inputs, Required: SUPI.

Inputs, Optional: None.

Outputs, Required: GBA authentication vector.

Outputs, Optional: None.

The BSF needs to convert an IMSI-based IMPI to a SUPI before invoking the Nudm_UEAuthentication_GetGbaAv service operation.
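The IMPI-to-SUPI conversion above is the one place where the BSF re-interprets a Zh-style identity for a 5GC service, so it is worth doing defensively. The following is an added example (not 3GPP text or any vendor's BSF code) of that conversion. It assumes the IMSI-derived IMPI form of TS 23.003 (<IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org, with the MNC zero-padded to three digits in the realm) and the "imsi-<IMSI>" SUPI string form used on 5GC service-based interfaces (TS 29.571); the sample identities are constructed.

```python
"""IMSI-based IMPI -> SUPI conversion before calling Nudm_UEAuthentication_GetGbaAv.

Added example, not 3GPP or vendor code. Assumes the TS 23.003 IMSI-derived IMPI
form and the TS 29.571 "imsi-<IMSI>" SUPI form. Sample identities are constructed.
"""
import re
from typing import Optional

# <IMSI>@ims.mncXXX.mccYYY.3gppnetwork.org ; IMSI = MCC + MNC + MSIN, 6..15 digits
IMSI_IMPI_RE = re.compile(
    r"(?P<imsi>\d{6,15})@ims\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org"
)


def impi_to_supi(impi: str) -> str:
    """Return the SUPI for an IMSI-based IMPI, or raise ValueError.

    Besides parsing, the function checks that the IMSI really starts with the
    PLMN encoded in the realm, so an IMPI whose user part and realm disagree is
    not silently turned into a SUPI that the UDM would resolve to a different
    subscriber or PLMN.
    """
    m = IMSI_IMPI_RE.fullmatch(impi.strip().lower())
    if m is None:
        raise ValueError(f"not an IMSI-based IMPI: {impi!r}")
    imsi, mcc, mnc3 = m["imsi"], m["mcc"], m["mnc"]
    # The realm always carries three MNC digits; a two-digit MNC is written
    # with a leading zero, so both spellings are acceptable IMSI prefixes.
    # Without a PLMN table this cannot resolve a genuine 2-vs-3-digit MNC
    # ambiguity; it only rejects clear mismatches.
    mnc_forms = {mnc3}
    if mnc3.startswith("0"):
        mnc_forms.add(mnc3[1:])
    if not any(imsi.startswith(mcc + mnc) for mnc in mnc_forms):
        raise ValueError(f"IMSI {imsi} does not match PLMN mcc{mcc}/mnc{mnc3} in the realm")
    return f"imsi-{imsi}"


def impi_to_supi_or_none(impi: str) -> Optional[str]:
    """Variant for callers that treat a non-IMSI IMPI as 'no UDM path available'."""
    try:
        return impi_to_supi(impi)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample identities (not real subscribers).
    for sample in (
        "234150999999999@ims.mnc015.mcc234.3gppnetwork.org",  # 2-digit MNC 15
        "310410123456789@ims.mnc410.mcc310.3gppnetwork.org",  # 3-digit MNC 410
        "234150999999999@ims.mnc999.mcc234.3gppnetwork.org",  # realm/IMSI mismatch
        "alice@example.com",                                  # not IMSI-based
    ):
        print(sample, "->", impi_to_supi_or_none(sample))
```

A non-IMSI IMPI (for example a private identity provisioned for a non-3GPP subscriber) has no SUPI to offer the UDM, so the BSF should fail the conversion explicitly rather than guess; in this example that surfaces as a ValueError or a None return.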

N.2.3 BSF Services

N.2.3.1 General

The following table shows the services exposed by an SBI capable BSF.

Table N.2.3.1-1: GBA Services provided by an SBI capable BSF

Service  | Service Operations | Operation Semantics | Example Consumer(s)
Nbsp_Gba | BootstrapInfo      | Request/Response    | NAF

N.2.3.2 Nbsp_Gba service

N.2.3.2.1 General

This clause describes the SBA interfaces exposed by the BSF for the purpose of providing the bootstrap information to the NAF for the derivation of the application key material (e.g. Ks_(ext/int)_NAF).

N.2.3.2.2 Nbsp_Gba_BootstrapInfo service operation

Service operation name: Nbsp_Gba_BootstrapInfo

Description: This service operation is used between the BSF and the NAF to request the key material agreed between the UE and the BSF during bootstrapping. It is also used to fetch application-specific user security settings from the BSF, if requested by the NAF.

Inputs, Required: B-TID, NAF-Id.

Inputs, Optional: Flag to indicate that the NAF is GBA_U aware, identifier of the application-specific USS.

Outputs, Required: Key material, bootstrapping time, key lifetime. The key material consists of Ks_NAF in case of GBA_ME and Ks_ext_NAF in case of GBA_U. The key lifetime is the lifetime associated to the key material.

Outputs, Optional: Key material, Application-specific USS, Private Identity.

NOTE 1: Depending on the value of the GBA_U aware flag, more key material (i.e. Ks_int_NAF) may be returned as optional output.
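To make the inputs and outputs of Nbsp_Gba_BootstrapInfo concrete, the following is an added example (not 3GPP text or any vendor's BSF implementation) of the BSF-side handling: look up the bootstrapping context by B-TID, refuse an expired context, derive the NAF-specific key material bound to the NAF-Id, and return Ks_int_NAF only when the context is GBA_U and the NAF declared itself GBA_U aware. The key derivation follows the GBA KDF of TS 33.220 Annex B (HMAC-SHA-256 keyed with Ks = CK || IK over FC || P0 || L0 || RAND || L1 || IMPI || L2 || NAF_Id || L3, with FC = 0x01, P0 = "gba-me" for Ks_NAF and Ks_ext_NAF, "gba-u" for Ks_int_NAF, and NAF_Id = FQDN || Ua security protocol identifier). The context store, dataclasses, B-TID, Ua security protocol identifier value, key bytes and USS contents are all constructed for the example.

```python
"""BSF-side handling of Nbsp_Gba_BootstrapInfo with NAF key derivation.

Added example, not 3GPP or vendor code. KDF per TS 33.220 Annex B; all sample
data (B-TID, RAND, Ks, Ua protocol identifier, USS) is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

FC_GBA = b"\x01"  # FC value of the generic KDF for GBA (TS 33.220 Annex B)


def gba_kdf(ks: bytes, p0: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Generic KDF of TS 33.220 B.2 with the GBA parameter set of B.3 (32-octet output)."""
    s = FC_GBA
    for p in (p0, rand, impi.encode("utf-8"), naf_id):
        s += p + len(p).to_bytes(2, "big")  # each Pi is followed by its 2-octet length Li
    return hmac.new(ks, s, hashlib.sha256).digest()


@dataclass
class BootstrapContext:
    """State the BSF kept after the Ub run, looked up by B-TID (constructed layout)."""
    impi: str
    rand: bytes             # 16-octet RAND of the AKA challenge
    ks: bytes               # Ks = CK || IK (32 octets)
    boot_time: int          # bootstrapping time, epoch seconds
    key_lifetime: int       # key lifetime in seconds, as sent to the UE
    gba_u: bool             # True if bootstrapping ran in GBA_U mode
    uss: Dict[str, dict]    # application-specific USS by USS identifier


class BootstrapInfoError(Exception):
    """Error result of the Request/Response operation."""


def context_expired(ctx: BootstrapContext, now: int) -> bool:
    return now >= ctx.boot_time + ctx.key_lifetime


def bootstrap_info(store: Dict[str, BootstrapContext], btid: str, naf_fqdn: str,
                   ua_proto_id: bytes, now: int, gba_u_aware: bool = False,
                   uss_id: Optional[str] = None) -> dict:
    """Required inputs: B-TID, NAF-Id (FQDN + Ua protocol id). Optional: GBA_U flag, USS id.

    Required outputs: key material, bootstrapping time, key lifetime.
    Optional outputs: Ks_int_NAF (GBA_U context and GBA_U aware NAF only),
    the requested USS, and the private identity (IMPI).
    """
    ctx = store.get(btid)
    if ctx is None:
        raise BootstrapInfoError("unknown B-TID")
    if context_expired(ctx, now):
        # An expired Ks must not yield fresh NAF keys; the NAF has to make the UE re-bootstrap.
        raise BootstrapInfoError("bootstrapping context expired")
    if len(ua_proto_id) != 5:
        raise BootstrapInfoError("Ua security protocol identifier must be 5 octets")
    naf_id = naf_fqdn.encode("utf-8") + ua_proto_id  # binds the key to this NAF and Ua protocol

    resp = {
        # Ks_NAF (GBA_ME) or Ks_ext_NAF (GBA_U): identical derivation with P0 = "gba-me"
        "key_material": gba_kdf(ctx.ks, b"gba-me", ctx.rand, ctx.impi, naf_id),
        "bootstrapping_time": ctx.boot_time,
        "key_lifetime": ctx.key_lifetime,
        "private_identity": ctx.impi,
    }
    if ctx.gba_u and gba_u_aware:
        resp["ks_int_naf"] = gba_kdf(ctx.ks, b"gba-u", ctx.rand, ctx.impi, naf_id)
    if uss_id is not None and uss_id in ctx.uss:
        resp["uss"] = ctx.uss[uss_id]
    return resp


# Constructed sample data (not real subscriber material).
SAMPLE_BTID = "AAECAwQFBgcICQoLDA0ODw==@bsf.example.org"   # base64(RAND)@BSF domain
SAMPLE_BOOT_TIME = 1_700_000_000
UA_PROTO_ID = bytes([0x01, 0x00, 0x00, 0x00, 0x01])         # constructed 5-octet value


def make_sample_store() -> Dict[str, BootstrapContext]:
    return {
        SAMPLE_BTID: BootstrapContext(
            impi="234150999999999@ims.mnc015.mcc234.3gppnetwork.org",
            rand=bytes(range(16)),
            ks=bytes(range(32)),
            boot_time=SAMPLE_BOOT_TIME,
            key_lifetime=3600,
            gba_u=True,
            uss={"mbms": {"authorization": "allowed"}},
        )
    }


if __name__ == "__main__":
    store = make_sample_store()
    r = bootstrap_info(store, SAMPLE_BTID, "naf.example.org", UA_PROTO_ID,
                       now=SAMPLE_BOOT_TIME + 10, gba_u_aware=True, uss_id="mbms")
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in r.items()})
```

Because NAF_Id enters the KDF, a NAF that asks for a B-TID using a different FQDN receives a different key, which is why the response carries key material and not Ks itself; the same property means a GBA_U unaware NAF never sees Ks_int_NAF unless it sets the flag, matching NOTE 1.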

N.2.4 Mapping of Zh, Zn operations and terminology to SBI services

N.2.4.1 General

This clause gives mappings from Zh, Zn operations to SBI services and service operations.

N.2.4.2 Mapping of Zh messages to HSS SBI services

The following table defines the mapping between Zh messages and HSS SBI services and service operations:

Table N.2.4.2-1: Zh messages to HSS SBI services and service operations mapping

Zh message                                          | Source | Destination | HSS SBI service operation name
Zh interface: BSF retrieves AV and user profile     | BSF    | HSS         | Nhss_GbaUEAuthentication_Get
                                                    |        |             | Nhss_GbaSDM_Get (see NOTE 1)
                                                    |        |             | Nhss_GbaSDM_Subscribe (see NOTE 1)
                                                    |        |             | Nhss_GbaSDM_Unsubscribe (see NOTE 1)
                                                    | HSS    | BSF         | Nhss_GbaSDM_Notification (see NOTE 1)

NOTE 1: Corresponds to the GUSS retrieval during execution of the authentication of the end user.

N.2.4.3 Mapping of Zn messages to BSF SBI services

The following table defines the mapping between Zn messages and BSF SBI services and service operations:

Table N.2.4.3-1: Zn messages to BSF SBI services and service operations mapping

Zn message                                                            | Source | Destination | BSF SBI service operation name
Zn interface: NAF requests the bootstrapping information from the BSF | NAF    | BSF         | Nbsp_Gba_BootstrapInfo

N.2.4.4 Mapping of Zh messages to UDM SBI services

The following table defines the mapping between Zh messages and UDM SBI services and service operations:

Table N.2.4.4-1: Zh messages to UDM SBI services and service operations mapping

Zh message                                        | Source | Destination | UDM SBI service operation name
Zh interface: BSF retrieves GBA authentication vector | BSF | UDM         | Nudm_UEAuthentication_GetGbaAv