GAA

General Authentication Architecture

Security
Introduced in Rel-6
A 3GPP security framework for authenticating users and devices to access network services and applications beyond the core cellular network. It provides a standardized method for service providers to leverage the robust authentication mechanisms of mobile networks (like SIM-based auth) for third-party applications, enabling secure single sign-on and identity federation.

Description

The General Authentication Architecture (GAA) is a comprehensive 3GPP security framework defined to provide generic authentication and key agreement procedures for applications and services that are not part of the traditional 3GPP network access authentication. Its primary objective is to allow service providers (which can be the mobile network operator, MNO, or a trusted third party) to authenticate a user or user equipment (UE) by leveraging the strong, existing security credentials stored in the UE's Universal Integrated Circuit Card (UICC), i.e., the SIM card. GAA creates a bootstrapping mechanism where the shared secret established during cellular network access (between the UE and the Home Subscriber Server, HSS) can be used to derive further application-specific keys for securing other services.

Architecturally, GAA is built around several key functional components. The Bootstrapping Server Function (BSF) is a central network element that interacts with the UE to perform the bootstrapping procedure, and with the Home Subscriber Server (HSS) to retrieve the subscriber's authentication vectors. The Network Application Function (NAF) is the entity providing the actual service (e.g., a multimedia portal, a banking app, or a device management server) that needs to authenticate the user. The UE contains the GAA client functionality. The core procedure is the GAA Bootstrapping Procedure, also known as the Ub interface procedure. In this process, the UE and the BSF mutually authenticate using the Authentication and Key Agreement (AKA) protocol (the same protocol used for network access). Upon successful authentication, they establish a shared, session-specific secret called the Bootstrapping Transaction Identifier (B-TID) and related key material, Ks. Ks is then used to derive application-specific keys (Ks_NAF) for use between the UE and a specific NAF.

GAA defines two main usage variants: GAA-aware and GAA-unaware applications in the UE. For GAA-aware applications, the UE's GAA client manages the keys and provides them to the application. For GAA-unaware applications, a Generic Bootstrapping Architecture (GBA) User Security Settings (GUSS) and a reference identifier can be used. The framework also specifies the Zn interface between the BSF and NAF, where the NAF can request key material (Ks_NAF) for a given user identified by a B-TID. This architecture decouples the strong, SIM-based authentication from the service itself, allowing a wide variety of applications—from HTTP Digest authentication for web services to TLS client authentication and MBMS service protection—to reuse a single, robust authentication event. It forms the basis for the Generic Bootstrapping Architecture (GBA), which is the most common and standardized instantiation of GAA principles.
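The two paragraphs above describe the Ub bootstrapping, the per-NAF key derivation and the Zn lookup. The following simulation is an added example, not code from the page or from 3GPP: the three parties are collapsed into plain functions, CK/IK, RAND and IMPI are constructed sample values, the KDF layout is modelled on the HMAC-SHA-256 KDF of TS 33.220 Annex B, and the Ua protocol identifier is an assumed value. Over Zn the NAF is also authenticated by the BSF, which is omitted here.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (not real subscriber data): CK/IK as produced by AKA,
# RAND as the AKA challenge, IMPI as the subscriber's private identity.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
IMPI = "user@ims.operator.example"
BSF_DOMAIN = "bsf.operator.example"
UA_HTTP_DIGEST = bytes.fromhex("0100000002")  # assumed Ua security protocol identifier

def gba_kdf(ks: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF modelled on TS 33.220 Annex B: S = FC || P0 || L0 || P1 || L1 || ...,
    with FC = 0x01 for GBA and each Li the 2-byte big-endian length of Pi."""
    s = b"\x01"
    for p in (label,) + params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()

def bootstrap(ck: bytes, ik: bytes, rand: bytes, bsf_domain: str):
    """Outcome of a successful Ub run: Ks = CK || IK, and the B-TID naming this session
    (base64(RAND) @ BSF domain). The B-TID is a reference, the secret is Ks."""
    return ck + ik, base64.b64encode(rand).decode() + "@" + bsf_domain

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_fqdn: str, ua_proto: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with NAF_Id = FQDN || Ua protocol id,
    so the key is bound to one NAF and one Ua protocol and is useless towards any other NAF."""
    return gba_kdf(ks, b"gba-me", rand, impi.encode(), naf_fqdn.encode() + ua_proto)

def gaa_flow(naf_fqdn: str, lookup_fqdn: str) -> bool:
    """UE <-Ub-> BSF, UE <-Ua-> NAF, NAF <-Zn-> BSF. The NAF only ever sees the B-TID and
    Ks_NAF; Ks, CK/IK and the USIM stay with the UE and BSF. Returns True when the NAF can
    verify the UE's proof with the Ks_NAF the BSF derived for lookup_fqdn (the NAF_Id the
    BSF attributes to the requesting NAF over Zn)."""
    ks, btid = bootstrap(CK, IK, RAND, BSF_DOMAIN)           # Ub: both sides now hold Ks
    bsf_sessions = {btid: (ks, RAND, IMPI)}                    # BSF state, keyed by B-TID
    ue_ks_naf = derive_ks_naf(ks, RAND, IMPI, naf_fqdn, UA_HTTP_DIGEST)  # UE side
    nonce = b"naf-challenge-1"                                 # Ua: NAF challenge, UE answer
    ue_proof = hmac.new(ue_ks_naf, nonce, hashlib.sha256).digest()
    ks_b, rand_b, impi_b = bsf_sessions[btid]                  # Zn: NAF presents the B-TID
    naf_ks_naf = derive_ks_naf(ks_b, rand_b, impi_b, lookup_fqdn, UA_HTTP_DIGEST)
    expected = hmac.new(naf_ks_naf, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(ue_proof, expected)
```

`gaa_flow("naf.operator.example", "naf.operator.example")` succeeds, while a lookup under any other NAF_Id yields a different Ks_NAF and the proof fails, which is the property that lets one bootstrapping event serve many services without any of them learning the others' keys.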

Purpose & Motivation

GAA was created to solve the problem of fragmented and weak authentication for value-added services in mobile networks. Prior to GAA, services like mobile email, multimedia portals, or device management often used their own, separate username/password credentials, which were weak, cumbersome for users (multiple logins), and difficult to manage securely. The motivation was to leverage the strong, two-factor authentication already present in every mobile device—the SIM card and its shared secret with the operator's HSS—and extend its trust to other services. This provided a superior user experience (single sign-on), stronger security (cryptographic keys instead of passwords), and simplified service provisioning for operators and third-party providers.

Historically, the development of GAA (starting in 3GPP Release 6) was driven by the need for a standardized authentication framework for new IP-based services like IMS (IP Multimedia Subsystem), but its utility quickly expanded. It addressed the limitations of previous ad-hoc solutions by providing a generic, reusable architecture. This allowed any application, whether provided by the MNO or a trusted partner, to request cryptographic proof of the user's identity without needing direct access to the sensitive credentials on the SIM. GAA enabled new business models, such as secure mobile banking and authenticated content download, by providing a standardized, carrier-grade authentication method that was independent of the underlying service protocol. It became a cornerstone for secure service delivery in a converged IP environment.

Key Features

  • Bootstraps authentication for applications using the shared secret from 3GPP AKA
  • Central Bootstrapping Server Function (BSF) for key agreement with the UE
  • Supports Network Application Functions (NAFs) for service-specific key derivation (Ks_NAF)
  • Enables both GAA-aware and GAA-unaware client applications
  • Provides a foundation for the Generic Bootstrapping Architecture (GBA)
  • Facilitates secure single sign-on across multiple operator or third-party services

Evolution Across Releases

Rel-6 Initial

Initial introduction of the General Authentication Architecture (GAA) framework. Defined the core architecture with the Bootstrapping Server Function (BSF), Network Application Function (NAF), and the bootstrapping procedure over the Ub interface. Established the mechanism to derive application-specific keys (Ks_NAF) from the 3GPP AKA credentials, enabling secure authentication for services beyond network access authentication.

Defining Specifications

Specification    Title
TS 22.978        3GPP TS 22.978
TS 23.862        3GPP TS 23.862
TS 24.109        3GPP TS 24.109
TS 24.302        3GPP TS 24.302
TS 29.109        3GPP TS 29.109
TS 31.213        3GPP TR 31.213
TS 33.220        3GPP TR 33.220
TS 33.221        3GPP TR 33.221
TS 33.223        3GPP TR 33.223
TS 33.804        3GPP TR 33.804
TS 33.835        3GPP TR 33.835
TS 33.919        3GPP TR 33.919
TS 33.924        3GPP TR 33.924
TS 33.980        3GPP TR 33.980
TS 34.229        3GPP TR 34.229