Description
The BootstrappingInfo-Request (BIR) message is a critical Diameter command within the 3GPP Generic Authentication Architecture (GAA) framework, specifically defined in the Zh interface specification (TS 29.109). It serves as the initial request from a Network Application Function (NAF) to the Bootstrapping Server Function (BSF) to obtain the necessary authentication vectors and shared keys required for securing communication with a User Equipment (UE). The message operates within a client-server model where the NAF acts as the Diameter client and the BSF as the server, using the Diameter base protocol with 3GPP-specific Attribute-Value Pairs (AVPs) to carry authentication-related information.
When a UE attempts to access a service provided by a NAF (such as a Multimedia Broadcast/Multicast Service or a secure application server), the NAF may not have a direct security association with the UE. Instead of implementing its own authentication mechanism, the NAF sends a BIR message to the BSF. This message contains identifiers for both the UE (typically the IMPI or IMPU) and the requesting NAF. The BSF, which maintains a trust relationship with the Home Subscriber Server (HSS) and has previously performed a bootstrapping procedure with the UE using the AKA protocol, processes this request to verify whether a valid security context exists for that UE.
On receiving the BIR message, the BSF locates the relevant bootstrapping session for the UE. If a valid session exists, the BSF generates a specific key, Ks_NAF, derived from the master session key (Ks) shared between the UE and BSF and from the NAF's identifier. This key is unique to the UE-NAF pair. The BSF then responds with a BootstrappingInfo-Answer (BIA) message containing the Ks_NAF (or a reference to it) and the associated key lifetime. The NAF uses this key material to establish a secure channel with the UE, often using protocols like HTTP Digest AKA or TLS-PSK. This architecture centralizes authentication management at the BSF, allowing multiple, diverse NAFs to leverage the 3GPP subscription credentials without each needing direct access to the HSS or implementing complex AKA logic.
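The per-NAF key separation described above can be seen in a short derivation. This is an added example, not code from the page or from 3GPP; it follows the generic HMAC-SHA-256 key derivation function of TS 33.220 Annex B (a specification this page does not quote), and the Ks, RAND, IMPI, NAF host names and the 5-octet Ua protocol identifier are constructed placeholder values.

```python
import hashlib
import hmac

FC = b"\x01"  # FC octet for GBA key derivation (TS 33.220 Annex B)

def _p(value: bytes) -> bytes:
    """Encode one KDF input Pi followed by its 2-octet big-endian length Li."""
    if len(value) > 0xFFFF:
        raise ValueError("KDF parameter too long")
    return value + len(value).to_bytes(2, "big")

def build_naf_id(fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF FQDN || 5-octet Ua security protocol identifier."""
    if len(ua_protocol_id) != 5:
        raise ValueError("Ua security protocol identifier must be 5 octets")
    return fqdn.encode("utf-8") + ua_protocol_id

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF = HMAC-SHA-256(Ks, FC || "gba-me" || RAND || IMPI || NAF_Id),
    with each input followed by its length."""
    if len(ks) != 32:
        raise ValueError("Ks must be 32 octets (CK || IK)")
    if len(rand) != 16:
        raise ValueError("RAND must be 16 octets")
    s = FC + _p(b"gba-me") + _p(rand) + _p(impi.encode("utf-8")) + _p(naf_id)
    return hmac.new(ks, s, hashlib.sha256).digest()

# Constructed sample values, not taken from any real subscriber or network.
SAMPLE_KS = bytes(range(32))
SAMPLE_RAND = bytes(range(16, 32))
SAMPLE_IMPI = "user@ims.example.org"
SAMPLE_UA_ID = bytes.fromhex("0100000002")  # placeholder 5-octet protocol id

def sample_keys() -> dict:
    """Derive Ks_NAF for two hypothetical NAFs from one bootstrapping session."""
    return {
        fqdn: derive_ks_naf(SAMPLE_KS, SAMPLE_RAND, SAMPLE_IMPI,
                            build_naf_id(fqdn, SAMPLE_UA_ID))
        for fqdn in ("naf1.example.org", "naf2.example.org")
    }

if __name__ == "__main__":
    for fqdn, key in sample_keys().items():
        print(fqdn, key.hex())
```

Because the NAF identifier is an input to the HMAC, a NAF that leaks its Ks_NAF exposes neither Ks nor the key of any other NAF bound to the same bootstrapping session.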
The BIR message's structure includes mandatory AVPs such as Session-Id, Origin-Host, Origin-Realm, Destination-Host, Destination-Realm, and Auth-Application-Id. Crucially, it carries the User-Name AVP containing the user's private identity (IMPI) and the NAF-Id AVP identifying the requesting application function. Optional AVPs can request specific key types or indicate supported security protocols. This design enables flexible integration with various service architectures while maintaining strong security derived from the core network's authentication infrastructure. The BIR/BIA exchange is fundamental to enabling single sign-on-like capabilities across different services in 3GPP networks.
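A receiving-side check for the AVP set listed above, as an added example that is not code from the page or from any Diameter stack. It parses only the AVP section (the 20-octet Diameter header is assumed already stripped); the base AVP codes are from RFC 6733, NAF-Id as code 402 under the 3GPP vendor id is an assumption to confirm against TS 29.109, and all sample values are constructed.

```python
import struct

VENDOR_3GPP = 10415
# (AVP code, vendor id) -> name. Base codes are from RFC 6733; NAF-Id = 402
# under the 3GPP vendor id is an assumption to confirm against TS 29.109.
REQUIRED = {
    (263, 0): "Session-Id", (264, 0): "Origin-Host", (296, 0): "Origin-Realm",
    (293, 0): "Destination-Host", (283, 0): "Destination-Realm",
    (258, 0): "Auth-Application-Id", (1, 0): "User-Name",
    (402, VENDOR_3GPP): "NAF-Id",
}

def encode_avp(code: int, data: bytes, vendor: int = 0) -> bytes:
    flags = 0x40 | (0x80 if vendor else 0)  # M bit, plus V bit for vendor AVPs
    length = (12 if vendor else 8) + len(data)  # length excludes padding
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    head += struct.pack("!I", vendor) if vendor else b""
    return head + data + b"\x00" * (-len(data) % 4)

def parse_avps(buf: bytes) -> dict:
    """Walk the AVP section of a message, rejecting truncated or bad lengths."""
    avps, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        head = 12 if flags & 0x80 else 8
        if length < head or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else 0
        avps[(code, vendor)] = buf[off + head:off + length]
        off += length + (-length % 4)  # skip padding to the 4-octet boundary
    return avps

def missing_avps(buf: bytes) -> list:
    """Names of the listed AVPs that are absent or empty in the request."""
    present = parse_avps(buf)
    return sorted(n for k, n in REQUIRED.items() if not present.get(k))

def sample_bir_avps(include_naf_id: bool = True) -> bytes:
    # Constructed AVP section; hosts, realms and identities are made up.
    avps = [(263, b"naf.example.org;1;1"), (264, b"naf.example.org"),
            (296, b"example.org"), (293, b"bsf.example.org"),
            (283, b"example.org"), (258, struct.pack("!I", 0)),  # placeholder id
            (1, b"user@ims.example.org")]
    out = b"".join(encode_avp(c, d) for c, d in avps)
    naf = encode_avp(402, b"naf.example.org" + bytes(5), VENDOR_3GPP)
    return out + (naf if include_naf_id else b"")
```

Rejecting a request with a missing identity or a malformed length before any session lookup keeps the BSF from releasing key material on an incomplete or ambiguous request.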
Purpose & Motivation
The BIR message and the broader GAA framework were created to solve the problem of secure service authentication for applications outside the traditional 3GPP circuit-switched and packet-switched domains. Before GAA, each new application service (like streaming, gaming, or enterprise access) requiring authentication had to either implement its own credential management system or find a way to interface directly with the complex HSS, which was impractical and insecure. This resulted in fragmented security, poor user experience with multiple passwords, and increased operational costs for service providers.
The primary motivation was to leverage the strong, SIM-based authentication of 3GPP networks (UMTS AKA) to secure a wide range of IP-based services. The BIR message provides the standardized mechanism for these external services (NAFs) to request and obtain cryptographic keys derived from the core network authentication, without ever exposing the master keys or requiring the NAF to understand the AKA protocol. This addresses key limitations: it prevents credential proliferation, utilizes the robust security of the SIM card, and enables seamless user experience where network authentication can be reused for service access.
Historically introduced in 3GPP Release 6 and refined in subsequent releases, the BIR message enabled new business models for mobile operators and service providers. It allowed them to offer value-added services with built-in, carrier-grade security, competing with internet service providers. The architecture solved the technical challenge of securely distributing session keys from a central authentication authority (BSF) to potentially untrusted or external application servers, a fundamental requirement for the mobile internet era. It forms the basis for authentication in MBMS, IMS application access, and other secured services defined in later releases.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (1 CR across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-8, normative work from Rel-15.
In Release 15, the specification for the BootstrappingInfo-Request (BIR) function was clarified, specifically regarding its use over the Zh interface where it is implemented by re-using the Diameter Multimedia-Auth-Request message. This clarification detailed the message content and procedures, such as indicating the use of SIP Digest credentials in the request and handling authentication vectors and GUSS from the HSS.
- Clarification of Zh Multimedia-Authentication-Request command (TS 29.109, CR0107)
Defining Specifications
3GPP specifications that define or reference BIR, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |