Description
The Bootstrapping Transaction Identifier (B-TID) is a fundamental component of the Generic Bootstrapping Architecture (GAA) specified in 3GPP standards. It is generated by the Bootstrapping Server Function (BSF) during the initial authentication and key agreement procedure between a User Equipment (UE) and the network. The B-TID is constructed using a specific format: it begins with a fixed prefix (typically the realm of the BSF), followed by a base64-encoded representation of the RAND value (a random challenge used in authentication) and the BSF server's name. This structured format ensures global uniqueness and allows any network entity to identify the specific bootstrapping transaction.
During the GBA procedure, after successful mutual authentication between the UE and the BSF using the Authentication and Key Agreement (AKA) protocol, the BSF generates the B-TID and associates it with the established session keys (specifically, the Bootstrapping Key Agreement (Ks) and derived keys). The BSF then returns the B-TID to the UE along with the key lifetime information. The UE stores this B-TID locally along with the corresponding keys. Subsequently, when the UE needs to access an application service (like a Multimedia Telephony Service or other Network Application Functions), it presents this B-TID to the service provider instead of re-authenticating from scratch.
The B-TID serves as a secure reference pointer that enables the Network Application Function (NAF) to retrieve the appropriate authentication context from the BSF. When a NAF receives a service request containing a B-TID from a UE, it contacts the BSF (using the Zn interface) and provides the B-TID. The BSF validates the B-TID, confirms the session is still active within its lifetime, and then provides the NAF with the relevant keying material (specifically, the Ks_NAF derived key) needed to establish a secure channel with the UE. This mechanism separates the heavy authentication process from application access, improving efficiency.
From an architectural perspective, the B-TID operates within the three-tier GBA model: UE, BSF, and NAF. Its primary role is to maintain the linkage between these entities without exposing sensitive key material over the air or to application servers. The B-TID itself is not secret but must be transmitted securely to prevent hijacking attacks. In network deployments, B-TIDs are managed by the BSF with proper lifetime controls and revocation mechanisms to maintain security. The identifier's design allows for scalability across multiple BSFs and supports both GBA and GBA-U (GBA with Ubiquity) variants.
Purpose & Motivation
The B-TID was created to address the fundamental problem of repeated authentication in mobile networks where users access multiple services from different providers. Before GBA and the B-TID mechanism, each application service might require its own authentication procedure, leading to redundant signaling, increased latency, and poor user experience. The traditional approach also meant that users had to manage multiple credentials for different services, creating security vulnerabilities and usability challenges.
The introduction of B-TID in Release 6 as part of GAA provided a standardized way to leverage the strong authentication already performed by the mobile network (via USIM cards and AKA protocol) for application-layer security. By creating a transaction identifier that references the established security context, the system enables single sign-on capabilities across diverse services. This solves the problem of authentication silos while maintaining the security level of the underlying mobile network authentication.
Historically, the development of B-TID was motivated by the growing need for secure mobile services beyond basic voice and SMS. As operators introduced services like Multimedia Messaging, Push-to-Talk, and later IMS-based applications, they needed a way to extend cellular authentication to these value-added services efficiently. The B-TID mechanism allowed service providers to outsource authentication to the mobile network operator while maintaining control over their application security. This created new business models and enabled secure third-party services without requiring users to create separate accounts.
Key Features
- Unique identifier format combining BSF realm and encoded RAND value
- References established GBA security context between UE and BSF
- Enables key derivation for multiple Network Application Functions
- Supports lifetime management with explicit expiration controls
- Facilitates single sign-on across diverse mobile services
- Allows secure context retrieval via standardized Zn interface
Evolution Across Releases
Introduced B-TID as part of the initial Generic Bootstrapping Architecture specification. Defined the basic format and usage for referencing bootstrapping transactions between UE, BSF, and NAF. Established the fundamental mechanism where B-TID enables NAFs to retrieve keying material from BSF without direct UE authentication.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.109 | 3GPP TS 24.109 |
| TS 29.109 | 3GPP TS 29.109 |
| TS 31.102 | 3GPP TR 31.102 |
| TS 31.103 | 3GPP TR 31.103 |
| TS 31.213 | 3GPP TR 31.213 |
| TS 33.107 | 3GPP TR 33.107 |
| TS 33.110 | 3GPP TR 33.110 |
| TS 33.220 | 3GPP TR 33.220 |
| TS 33.221 | 3GPP TR 33.221 |
| TS 33.222 | 3GPP TR 33.222 |
| TS 33.223 | 3GPP TR 33.223 |
| TS 33.246 | 3GPP TR 33.246 |
| TS 33.259 | 3GPP TR 33.259 |
| TS 33.823 | 3GPP TR 33.823 |
| TS 33.843 | 3GPP TR 33.843 |
| TS 33.980 | 3GPP TR 33.980 |