Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 33.222  Word version:  18.0.0

Top   Top   Up   Prev   None
0…   4…
4 Overview of the Security Architecture5 Authentication schemes6 Use of Authentication ProxyA Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPSB Guidance on Certificate-based mutual authentication between UE and application serverC Considerations for GBA security using a web browser and JavascriptD Security measures for usage of GBA with a web browser$ Change history

 

4  Overview of the Security Architecturep. 8

5  Authentication schemesp. 9

5.1  Reference modelp. 9

5.2  General requirements and principlesp. 9

5.2.1  Requirements on the UEp. 9

5.2.2  Requirements on the NAFp. 9

5.3  Shared key-based UE authentication with certificate-based NAF authenticationp. 10

5.3.0  Procedures |R11|p. 10

5.3.1  TLS profilep. 11

5.3.1.0  General |R11|p. 11

5.3.1.1  Protection mechanismsp. 12

5.3.1.2Void

5.3.1.3  Authentication of the AP/ASp. 12

5.3.1.4  Authentication Failuresp. 12

5.3.1.5  Set-up of Security parametersp. 12

5.3.1.6  Error casesp. 12

5.4  Shared key-based mutual authentication between UE and NAFp. 13

5.4.0  Procedures |R11|p. 13

5.4.0.0  General |R17|p. 13

5.4.0.1  TLS 1.2 |R17|p. 13

5.4.0.2  TLS 1.3 |R17|p. 14

5.4.1  TLS Profilep. 15

5.4.1.0  General |R11|p. 15

5.4.1.1  Protection mechanismsp. 16

5.4.1.2  Authentication of the AP/ASp. 16

5.4.1.3  Authentication Failuresp. 16

5.4.1.4  Set-up of Security parametersp. 16

5.5  Certificate based mutual authentication between UE and application serverp. 16

5.5.1  General |R7|p. 16

5.5.2  TLS Profile |R7|p. 16

5.5.2.1  Generalp. 16

5.5.2.2  Protection mechanismsp. 17

5.5.2.3Void

6  Use of Authentication Proxyp. 18

6.1  Architectural viewp. 18

6.2  Requirements and principlesp. 19

6.4  Reference pointsp. 20

6.4.1  Ua reference pointp. 20

6.4.2  AP-AS reference pointp. 20

6.5  Management of UE identityp. 20

6.5.1  Granularity of Authentication and Access Control by APp. 20

6.5.1.1  Authorised Participant of GBAp. 20

6.5.1.2  Authorised User of Applicationp. 21

6.5.2  Transfer of Asserted Identity from AP to ASp. 21

6.5.2.1  Authorised Participant of GBAp. 21

6.5.2.2  Authorised User of Application Anonymous to ASp. 21

6.5.2.3  Authorised User of Application with Transferred Identity asserted to ASp. 21

6.5.2.4  Authorised User of Application with Transferred Identity asserted to AS and Check of User Inserted Identityp. 22

A  Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPSp. 23

B  Guidance on Certificate-based mutual authentication between UE and application serverp. 24

C  Considerations for GBA security using a web browser and Javascript |R12|p. 25

C.1  Usage Scenariop. 25

C.2  Threatsp. 25

C.3  Control of GBA Credentials and GBA Module in the UEp. 26

C.3.1  Generalp. 26

C.3.2  Control Mechanism 1- Same Origin Authentication Tokensp. 26

C.3.3  Control Mechanism 2 - Server Authenticated TLSp. 26

C.3.4  Control Mechanism 3 - Channel Bindingp. 26

C.3.5  Control Mechanism 4 - Key Usagep. 26

C.4  Security Considerationsp. 27

C.4.1  General Scripting Security Considerationsp. 27

C.4.2  GBA key controlp. 27

C.4.3  User grantsp. 27

C.4.4  Root CAs in Browserp. 27

D (Normative)  Security measures for usage of GBA with a web browser |R12|p. 29

D.1  Extension of Protocol Mechanism used on Ua Reference Pointp. 29

D.1.1  Generalp. 29

D.1.2  Key derivationp. 29

D.1.3  Channel bindingp. 29

D.1.3.1  Backgroundp. 29

D.1.3.2  Channel binding using RFC 5705 and RFC 5929p. 30

D.2  Sequence flowp. 30

D.2.1  Sequence flow with channel bindingp. 30

D.3  Javascript GBA API descriptionp. 34

D.3.1  GBA API Descriptionp. 34

D.3.2  API usagep. 35

$  Change historyp. 36

Up   Top