Description
The Generic Bootstrapping Architecture (GBA) is the key-bootstrapping part of the Generic Authentication Architecture (GAA), a security framework standardized by 3GPP (TS 33.220). It gives a piece of user equipment (UE) and a Network Application Function (NAF, i.e. an application server) a way to derive a shared session key without any application-specific credentials. It reuses the Authentication and Key Agreement (AKA) procedure already run between the (U)SIM in the UE and the operator's Home Subscriber Server (HSS). The core idea is to 'bootstrap' application-layer security from this proven network-layer authentication: the AKA session keys seed a key hierarchy that every participating application server can draw on, so users do not have to manage additional usernames and passwords.
The architecture involves four functional entities: the Bootstrapping Server Function (BSF), the Network Application Function (NAF), the HSS and the UE. The process begins with a bootstrapping procedure over the Ub interface between the UE and the BSF, carried as HTTP Digest AKA. The BSF fetches an authentication vector for the subscriber from the HSS over the Zh interface and challenges the UE with RAND and AUTN; the USIM verifies AUTN (authenticating the network) and returns RES, which the BSF checks against XRES (authenticating the subscriber). Both sides now hold the AKA cipher and integrity keys, and each forms the master key Ks = CK || IK. Ks itself is never transmitted. Instead the BSF assigns a Bootstrapping Transaction Identifier (B-TID), formed as base64(RAND)@<BSF server domain name>, together with a key lifetime, and returns both to the UE. The B-TID is not a key; it is a public handle by which a NAF can later refer to this bootstrapping session.
Subsequently, when the UE needs to access a service provided by a NAF (e.g. a streaming server or a corporate portal), it presents the B-TID to the NAF over the Ua interface. The NAF forwards the B-TID to the BSF over the Zn interface (Diameter or a web-service binding, TS 29.109). The BSF checks that the B-TID exists and has not expired, and that the requesting NAF is authorized to use the hostname it claims, then derives a NAF-specific key from the master key: Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), where NAF_Id is the NAF's FQDN concatenated with an identifier of the Ua security protocol in use, and KDF is the HMAC-SHA-256 construction of TS 33.220 Annex B. The BSF returns Ks_NAF, its lifetime and optionally user security settings (USS) to the NAF over the protected Zn link. The UE derives the same Ks_NAF independently from its own copy of Ks, so both ends now share a secret that no other NAF can obtain: binding the FQDN into the derivation means a compromised NAF learns only its own key. They can use it to secure their communication, for instance as the pre-shared key in TLS-PSK with the B-TID as the PSK identity (TS 33.222), or as input to application-layer encryption and integrity keys. In the GBA_U variant the derivation is split on the UICC into Ks_ext_NAF, released to the terminal, and Ks_int_NAF, which never leaves the card. Because one bootstrapping run serves every NAF until the key lifetime expires, the user gets a single-sign-on-like experience across services hosted by different NAFs, all rooted in the SIM credentials.
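The exchange above, as an added example that is not 3GPP code or any vendor's implementation: it models a GBA_ME bootstrapping run and the Zn key fetch end to end. The AKA run (RAND, CK, IK from USIM and HSS) is replaced by constructed random values, the IMPI and hostnames are made up, and the Ua security protocol identifier is a placeholder rather than a value from TS 33.220 Annex H; the KDF input layout (FC || P0 || L0 || P1 || L1 ...) and the B-TID format follow the specification text quoted above.

```python
"""GBA_ME bootstrapping and Ks_NAF derivation modelled on TS 33.220.

Added example, not 3GPP code. AKA outputs are stand-in random bytes; the
Ua security protocol identifier is an ASSUMED placeholder (real values: Annex H).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import time

FC = b"\x01"                            # function code opening the Annex B KDF input string S
UA_PROTO_ID = b"\x01\x00\x00\x00\x01"   # ASSUMED placeholder Ua security protocol identifier
KEY_LIFETIME_S = 3600                   # constructed key lifetime handed out by the BSF


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """TS 33.220 Annex B: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...),
    each Li being the 2-octet big-endian length of Pi (so fields cannot be shifted)."""
    s = FC + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Ks is the concatenation CK || IK of the AKA session keys (GBA_ME)."""
    return ck + ik


def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND)@BSF_servers_domain_name: a session reference, not a key."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


def naf_id(fqdn: str, ua_proto_id: bytes = UA_PROTO_ID) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier."""
    return fqdn.encode("utf-8") + ua_proto_id


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id)."""
    return gba_kdf(ks, b"gba-me", rand, impi.encode("utf-8"), naf)


class BSF:
    """Minimal BSF: keeps bootstrapping state per B-TID and answers Zn requests."""

    def __init__(self, domain: str, authorized_nafs: set[str]):
        self.domain = domain
        self.authorized_nafs = authorized_nafs   # hostnames a NAF may request keys for
        self.sessions: dict[str, tuple] = {}     # B-TID -> (Ks, RAND, IMPI, expiry)

    def bootstrap(self, impi: str, rand: bytes, ck: bytes, ik: bytes, now: float):
        """Ub: after a successful AKA, store Ks and hand the UE a B-TID plus lifetime."""
        btid = make_btid(rand, self.domain)
        self.sessions[btid] = (derive_ks(ck, ik), rand, impi, now + KEY_LIFETIME_S)
        return btid, KEY_LIFETIME_S

    def zn_request(self, btid: str, naf_fqdn: str, now: float):
        """Zn: Ks_NAF for an authorized NAF; None for an unauthorized hostname,
        an unknown B-TID, or a session whose key lifetime has elapsed."""
        if naf_fqdn not in self.authorized_nafs:
            return None
        entry = self.sessions.get(btid)
        if entry is None or now >= entry[3]:
            return None
        ks, rand, impi, _ = entry
        return derive_ks_naf(ks, rand, impi, naf_id(naf_fqdn))


def run_exchange(now: float | None = None) -> dict:
    """Whole flow with constructed AKA outputs; UE and NAF must agree on Ks_NAF."""
    now = time.time() if now is None else now
    impi = "user@ims.example.net"                                 # constructed IMPI
    rand, ck, ik = os.urandom(16), os.urandom(16), os.urandom(16)  # stand-in for AKA
    bsf = BSF("bsf.example.net", {"video.example.net", "portal.example.net"})

    btid, lifetime = bsf.bootstrap(impi, rand, ck, ik, now)       # Ub
    ue_ks = derive_ks(ck, ik)                                     # UE keeps Ks locally

    # Ua: UE presents the B-TID (e.g. as TLS-PSK identity) and derives Ks_NAF itself
    ue_ks_naf = derive_ks_naf(ue_ks, rand, impi, naf_id("video.example.net"))
    naf_ks_naf = bsf.zn_request(btid, "video.example.net", now)   # Zn, same NAF
    other_naf = bsf.zn_request(btid, "portal.example.net", now)   # different NAF_Id
    rogue = bsf.zn_request(btid, "evil.example.org", now)         # not authorized on Zn
    expired = bsf.zn_request(btid, "video.example.net", now + lifetime)

    return {"btid": btid, "ue_ks_naf": ue_ks_naf, "naf_ks_naf": naf_ks_naf,
            "other_naf_ks_naf": other_naf, "rogue": rogue, "expired": expired}


if __name__ == "__main__":
    r = run_exchange()
    print("B-TID:", r["btid"])
    print("UE and NAF agree on Ks_NAF:", r["ue_ks_naf"] == r["naf_ks_naf"])
```

The two checks in `zn_request` are the ones a BSF operator should care about: the hostname authorization stops a NAF from asking for another server's Ks_NAF, and the lifetime check forces the UE to re-bootstrap rather than letting one AKA run serve keys indefinitely.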
Purpose & Motivation
GBA was created to address the growing need for secure authentication to internet-based application services (like video streaming, email, or banking) accessed from mobile devices, without forcing users to remember and enter separate credentials for each service. Before GBA, application servers either relied on weak username/password combinations, required complex public key infrastructure (PKI) deployment on UEs, or had no integrated security with the mobile operator's trust domain. This led to poor user experience, security vulnerabilities, and fragmented identity management.
The primary motivation was to leverage the strong, SIM-based authentication already present in mobile networks. The 3GPP AKA protocol provides mutual authentication and strong key establishment between the UE and the network core. GBA repurposes this infrastructure to create a generic key distribution service for the application layer. This solves the problem of credential proliferation and allows mobile operators to offer value-added services with built-in, high-grade security derived from the SIM.
Furthermore, GBA enables new business models by allowing third-party application providers (the NAFs) to rely on the mobile operator's authentication infrastructure. A content provider can offer a service securely to a subscriber without needing to operate its own authentication system; it simply integrates with the operator's BSF. This created a trusted ecosystem, facilitated the deployment of IP Multimedia Subsystem (IMS) services, and provided a foundation for secure machine-to-machine (M2M) communication, addressing the limitations of previous ad-hoc and less secure application authentication methods.
Key Features
- Leverages existing 3GPP AKA and SIM/USIM for strong authentication
- Bootstraps application-layer security from network-layer credentials
- Enables single sign-on across multiple application servers (NAFs)
- Defines clear functional entities (BSF, NAF, HSS, UE) and the reference points between them (Ub, Ua, Zh, Zn)
- Supports key derivation for specific application servers (Ks_NAF)
- Facilitates secure service access for both HTTP-based and non-HTTP services
Evolution Across Releases
Release 6: Introduced the core Generic Bootstrapping Architecture framework. Defined the initial bootstrapping procedure between UE and BSF, the role of the NAF, and the key derivation mechanisms. Primarily focused on supporting HTTP-based services and laid the foundation for securing IMS applications and other value-added services.
Defining Specifications
| Specification | Title |
|---|---|
| TR 22.978 | All-IP network (AIPN) feasibility study |
| TS 23.501 | System architecture for the 5G System (5GS) |
| TR 23.862 | 3GPP TR 23.862 |
| TS 24.109 | Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details |
| TS 24.229 | IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3 |
| TS 24.259 | Personal Network Management (PNM); Stage 3 |
| TS 24.302 | Access to the 3GPP Evolved Packet Core (EPC) via non-3GPP access networks; Stage 3 |
| TS 24.554 | Proximity-services (ProSe) in 5G System (5GS) protocol aspects; Stage 3 |
| TS 26.517 | 5G Multicast-Broadcast User Service; Protocols and Formats |
| TR 26.946 | Multimedia Broadcast/Multicast Service (MBMS) user service guidelines |
| TS 29.109 | Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3 |
| TS 29.309 | 3GPP TS 29.309 |
| TS 31.213 | Test specification for (U)SIM Application Programming Interface (API) for Java Card |
| TR 31.822 | 3GPP TR 31.822 |
| TR 32.808 | 3GPP TR 32.808 |
| TS 33.107 | Lawful interception architecture and functions |
| TS 33.110 | Key establishment between a Universal Integrated Circuit Card (UICC) and a terminal |
| TS 33.141 | Presence service; Security |
| TS 33.179 | Security of Mission Critical Push To Talk (MCPTT) over LTE |
| TS 33.180 | Security of the Mission Critical (MC) service |
| TS 33.185 | Security aspect for LTE support of Vehicle-to-Everything (V2X) services |
| TS 33.220 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) |
| TS 33.221 | Generic Authentication Architecture (GAA); Support for subscriber certificates |
| TS 33.222 | Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) |
| TS 33.223 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function |
| TS 33.224 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) push layer |
| TS 33.246 | Security of Multimedia Broadcast/Multicast Service (MBMS) |
| TS 33.259 | Key establishment between a UICC hosting device and a remote device |
| TS 33.303 | Proximity-based Services (ProSe); Security aspects |
| TS 33.310 | Network Domain Security (NDS); Authentication Framework (AF) |
| TS 33.503 | Security aspects of Proximity based Services (ProSe) in the 5G System (5GS) |
| TS 33.533 | Security aspects of ranging based services and sidelink positioning |
| TR 33.739 | Study on security enhancement of support for edge computing; Phase 2 |
| TR 33.804 | Single Sign On (SSO) application security for Common IMS, based on SIP Digest |
| TR 33.822 | Security aspects for inter-access mobility between non-3GPP and 3GPP access networks |
| TR 33.823 | Security for usage of Generic Bootstrapping Architecture (GBA) with a User Equipment (UE) browser |
| TR 33.835 | Study on authentication and key management for applications based on 3GPP credential in 5G |
| TR 33.863 | Study on battery efficient security for very low throughput Machine Type Communication (MTC) devices |
| TR 33.919 | Generic Authentication Architecture (GAA); System description |
| TR 33.924 | Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture (GAA) interworking |
| TR 33.980 | Liberty Alliance and 3GPP security interworking; Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Services Framework (ID-WSF) and Generic Authentication Architecture (GAA) |
| TS 34.229 | IP multimedia call control protocol based on SIP and SDP; User Equipment (UE) conformance specification |