Description
The General Authentication Architecture (GAA) is a comprehensive 3GPP security framework defined to provide generic authentication and key agreement procedures for applications and services that are not part of the traditional 3GPP network access authentication. Its primary objective is to allow service providers (which can be the mobile network operator, MNO, or a trusted third party) to authenticate a user or user equipment (UE) by leveraging the strong, existing security credentials stored in the UE's Universal Integrated Circuit Card (UICC), i.e., the SIM card. GAA creates a bootstrapping mechanism where the shared secret established during cellular network access (between the UE and the Home Subscriber Server, HSS) can be used to derive further application-specific keys for securing other services.
Architecturally, GAA is built around several key functional components. The Bootstrapping Server Function (BSF) is a central network element that interacts with the UE to perform the bootstrapping procedure, and with the Home Subscriber Server (HSS) to retrieve the subscriber's authentication vectors. The Network Application Function (NAF) is the entity providing the actual service (e.g., a multimedia portal, a banking app, or a device management server) that needs to authenticate the user. The UE contains the GAA client functionality. The core procedure is the GAA Bootstrapping Procedure, also known as the Ub interface procedure. In this process, the UE and the BSF mutually authenticate using the Authentication and Key Agreement (AKA) protocol (the same protocol used for network access). Upon successful authentication, they establish a shared, session-specific secret called the Bootstrapping Transaction Identifier (B-TID) and related key material, Ks. The Ks is then used to derive application-specific keys (Ks_NAF) for use between the UE and a specific NAF.
GAA defines two main usage variants: GAA-aware and GAA-unaware applications in the UE. For GAA-aware applications, the UE's GAA client manages the keys and provides them to the application. For GAA-unaware applications, a Generic Bootstrapping Architecture (GBA) User Security Settings (GUSS) and a reference identifier can be used. The framework also specifies the Zn interface between the BSF and NAF, where the NAF can request key material (Ks_NAF) for a given user identified by a B-TID. This architecture decouples the strong, SIM-based authentication from the service itself, allowing a wide variety of applications—from HTTP Digest authentication for web services to TLS client authentication and MBMS service protection—to reuse a single, robust authentication event. It forms the basis for the Generic Bootstrapping Architecture (GBA), which is the most common and standardized instantiation of GAA principles.
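The bootstrapping and Zn flow described above, as an added worked example that is not code from the page or from 3GPP: it implements the Ks = CK || IK, B-TID and Ks_NAF derivations of TS 33.220 (Annex B KDF, HMAC-SHA-256 with FC = 0x01) and a minimal BSF that answers a Zn request with Ks_NAF only. The subscriber values, domain names and the 5-byte Ua security protocol identifier are constructed placeholders.

```python
import base64
import hashlib
import hmac

FC_GBA = b"\x01"  # function code of the GBA KDF, TS 33.220 Annex B


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    # HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte length of Pi
    s = FC_GBA
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    # Ks = CK || IK, the outcome of a successful AKA run on the Ub interface
    return ck + ik


def make_btid(rand: bytes, bsf_domain: str) -> str:
    # B-TID = base64(RAND) "@" BSF domain: an opaque handle the UE presents to the NAF
    return base64.b64encode(rand).decode() + "@" + bsf_domain


def derive_ks_naf(ks, rand, impi, naf_fqdn, ua_proto_id, variant=b"gba-me"):
    # NAF_Id = NAF FQDN || 5-byte Ua security protocol identifier (Annex H);
    # variant b"gba-me" gives Ks_NAF / Ks_ext_NAF, b"gba-u" gives Ks_int_NAF
    naf_id = naf_fqdn.encode() + ua_proto_id
    return gba_kdf(ks, variant, rand, impi.encode(), naf_id)


class Bsf:
    """Minimal BSF: stores Ks per B-TID and answers Zn requests with Ks_NAF only."""

    def __init__(self, domain):
        self.domain, self.sessions = domain, {}

    def bootstrap(self, impi, rand, ck, ik):
        btid = make_btid(rand, self.domain)
        self.sessions[btid] = (impi, rand, derive_ks(ck, ik))
        return btid

    def zn_request(self, btid, naf_fqdn, ua_proto_id):
        impi, rand, ks = self.sessions[btid]  # Ks itself never leaves the BSF
        return derive_ks_naf(ks, rand, impi, naf_fqdn, ua_proto_id)


# Constructed sample values (not real subscriber data, not a real Ua identifier)
CK, IK = bytes(range(16)), bytes(range(16, 32))
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
IMPI = "user@operator.example"
UA_PROTO = bytes.fromhex("0100000000")  # placeholder 5-byte Ua protocol identifier
bsf = Bsf("bsf.operator.example")
BTID = bsf.bootstrap(IMPI, RAND, CK, IK)
# UE side derives the same Ks_NAF; on Ua it then uses B-TID / base64(Ks_NAF) as
# HTTP Digest username / password. NAF side obtains Ks_NAF over Zn by B-TID.
UE_KS_NAF = derive_ks_naf(derive_ks(CK, IK), RAND, IMPI, "naf.operator.example", UA_PROTO)
NAF_KS_NAF = bsf.zn_request(BTID, "naf.operator.example", UA_PROTO)
```

Because NAF_Id is bound into the derivation, a different NAF (or a different Ua protocol) obtains a different key from the same bootstrapping run, so one compromised service cannot impersonate the user towards another.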
Purpose & Motivation
GAA was created to solve the problem of fragmented and weak authentication for value-added services in mobile networks. Prior to GAA, services like mobile email, multimedia portals, or device management often used their own, separate username/password credentials, which were weak, cumbersome for users (multiple logins), and difficult to manage securely. The motivation was to leverage the strong, two-factor authentication already present in every mobile device—the SIM card and its shared secret with the operator's HSS—and extend its trust to other services. This provided a superior user experience (single sign-on), stronger security (cryptographic keys instead of passwords), and simplified service provisioning for operators and third-party providers.
Historically, the development of GAA (starting in 3GPP Release 6) was driven by the need for a standardized authentication framework for new IP-based services like IMS (Multimedia Subsystem), but its utility quickly expanded. It addressed the limitations of previous ad-hoc solutions by providing a generic, reusable architecture. This allowed any application, whether provided by the MNO or a trusted partner, to request cryptographic proof of the user's identity without needing direct access to the sensitive credentials on the SIM. GAA enabled new business models, such as secure mobile banking and authenticated content download, by providing a standardized, carrier-grade authentication method that was independent of the underlying service protocol. It became a cornerstone for secure service delivery in a converged IP environment.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (5 CRs across 3 releases). This complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-6, normative work from Rel-15.
In Release 15, the GAA function was updated with a clarification to the Zh Multimedia-Authentication-Request command. This refinement provided more precise operational details for this specific authentication procedure within the architecture. The change aligns with the broader All-IP Network (AIPN) principles of enabling secure, efficient authentication mechanisms.
- Clarification of Zh Multimedia-Authentication-Request command (TS 29.109, CR0107)
In Release 17, the GAA function was enhanced to support new authentication methods, including an update for HTTP Digest Access Authentication aligned with the HTTP/1.1 protocol and the introduction of a GBA-based shared secret for PSK authentication in TLS 1.3. Furthermore, the release expanded GAA's applicability by defining mechanisms for connectivity authentication in Non-Seamless WLAN Offload (NSWO) scenarios. These updates provided more versatile and secure authentication capabilities for services within the All-IP Network (AIPN) framework.
In Release 18, the General Authentication Architecture (GAA) was updated to include a clarification on the procedure for authentication when using an ePDG certificate. This provides more precise guidance for securing connections in scenarios involving WLAN access to the mobile core network. The enhancement ensures consistent implementation of certificate-based authentication mechanisms within the All-IP network framework.
- Clarification on authentication using ePDG certificate (TS 24.302, CR0777)
Defining Specifications
3GPP specifications that define or reference GAA, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 22.978 vj00 | Feasibility of All-IP Network (AIPN) in 3GPP | Rel-19 |
| TS 23.862 vc00 | Interworking Solutions for Mobile Operators & Data Apps | Rel-12 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 24.302 vj00 | Access to EPC via non-3GPP networks; Stage 3 | Rel-19 |
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |
| TS 31.213 vi30 | Test specification for (U)SIM | Rel-18 |
| TS 33.220 vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19 |
| TS 33.221 vj00 | Subscriber Certificate Distribution via GBA | Rel-19 |
| TS 33.223 vj00 | GBA Push Function Specification | Rel-19 |
| TS 33.804 vc00 | Non-UICC SSO using SIP Digest credentials | Rel-12 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |
| TR 33.919 vj00 | GAA Overview TR | Rel-19 |
| TR 33.924 vj00 | GBA-OpenID Interworking Specification | Rel-19 |
| TR 33.980 vj00 | GAA & Liberty Alliance Interworking Guidelines | Rel-19 |
| TS 34.229 vj21 | IMS SIP/SDP UE Conformance Testing for 5GS | Rel-19 |