Description
The Generic Bootstrapping Architecture (GBA), also referred to as Generic Authentication Architecture (GAA), is a standardized security framework defined by 3GPP that provides a method for user equipment (UE) and Network Application Functions (NAFs) to derive shared session keys. It reuses the authentication and key agreement (AKA) procedure already established between the UE and the mobile network's Home Subscriber Server (HSS). The core idea is to 'bootstrap' application-layer security from this proven network-layer authentication, creating a trusted security association for services without requiring users to manage additional usernames and passwords.
The architecture involves several key functional entities: the Bootstrapping Server Function (BSF), the Network Application Function (NAF), the Home Subscriber Server (HSS), and the User Equipment (UE). The process begins with a bootstrapping procedure between the UE and the BSF. The UE and BSF perform mutual authentication using the 3GPP AKA protocol, with the HSS supplying the authentication vectors. Upon successful authentication, both the UE and the BSF derive shared, session-specific key material, Ks, together with a Bootstrapping Transaction Identifier (B-TID). The B-TID serves as a reference to this shared secret.
Subsequently, when the UE needs to access a service provided by a NAF (e.g., a streaming server or a corporate portal), it presents the B-TID to the NAF. The NAF, in turn, contacts the BSF over the Zn interface, providing the B-TID. The BSF verifies the B-TID and, if valid, derives a NAF-specific key, Ks_NAF, from the master key Ks and the NAF's identifier. The BSF then sends this Ks_NAF securely to the NAF. Now both the UE (which independently derives the same Ks_NAF) and the NAF possess a shared secret key. They can use this key to secure their communication, for instance within TLS-PSK (Pre-Shared Key) or to generate keys for encryption and integrity protection at the application layer. This entire process allows for a single sign-on-like experience across services hosted by different NAFs, all secured by the credentials on the user's SIM card.
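As an added worked example (not code from the page or from 3GPP), the Python below models the derivation described in the three paragraphs above on both sides of the protocol: Ks = CK || IK from the AKA run, the B-TID in its NAI form base64(RAND)@BSF-domain, and Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) using the HMAC-SHA-256 key derivation function of TS 33.220 Annex B. The RAND/CK/IK/IMPI values, the BSF and NAF names, the `Bsf` class and the 5-octet Ua security protocol identifier are constructed or placeholder values and not specification test vectors.

```python
import base64
import hashlib
import hmac

# Generic 3GPP key derivation function (TS 33.220 Annex B):
#   S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln
#   derived key = HMAC-SHA-256(Key, S)
# where each Li is the 2-octet big-endian length of parameter Pi.
def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

FC_GBA = 0x01  # FC value used for GBA NAF-key derivation (TS 33.220 Annex B.3)

# Placeholder for the 5-octet Ua security protocol identifier appended to the NAF FQDN.
# Real values are listed in TS 33.220 Annex H; this one is only a constructed stand-in.
UA_PROTO_ID_PLACEHOLDER = b"\x01\x00\x01\x00\x00"

def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Ks = CK || IK: the master key both UE and BSF hold after a successful AKA run."""
    return ck + ik

def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID in NAI form, base64(RAND)@<BSF domain>. It is a reference, not a key."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain

def naf_id(fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (5 octets)."""
    if len(ua_protocol_id) != 5:
        raise ValueError("Ua security protocol identifier must be 5 octets")
    return fqdn.encode("utf-8") + ua_protocol_id

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_identifier: bytes,
                  gba_u: bool = False) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); GBA_U derives Ks_int_NAF with "gba-u"."""
    label = b"gba-u" if gba_u else b"gba-me"
    return kdf_3gpp(ks, FC_GBA, label, rand, impi.encode("utf-8"), naf_identifier)

class Bsf:
    """Constructed BSF model: stores bootstrapping contexts and answers Zn key requests."""

    def __init__(self, domain: str):
        self.domain = domain
        self.contexts = {}  # B-TID -> (Ks, RAND, IMPI)

    def complete_bootstrapping(self, rand: bytes, ck: bytes, ik: bytes, impi: str) -> str:
        # Called once the AKA exchange over Ub has succeeded; returns the B-TID given to the UE.
        btid = make_btid(rand, self.domain)
        self.contexts[btid] = (derive_ks(ck, ik), rand, impi)
        return btid

    def zn_key_request(self, btid: str, naf_identifier: bytes):
        # Zn: the NAF presents the B-TID it received from the UE together with its own NAF_Id.
        ctx = self.contexts.get(btid)
        if ctx is None:
            return None  # unknown or expired B-TID: no key material is released
        ks, rand, impi = ctx
        # Only the NAF-specific key leaves the BSF; Ks itself never does.
        return derive_ks_naf(ks, rand, impi, naf_identifier)

def ue_derive_ks_naf(rand: bytes, ck: bytes, ik: bytes, impi: str, naf_identifier: bytes) -> bytes:
    """UE side: the same derivation from the AKA outputs the UE already holds."""
    return derive_ks_naf(derive_ks(ck, ik), rand, impi, naf_identifier)

def demo() -> dict:
    # Constructed sample values standing in for AKA outputs; these are not spec test vectors.
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")
    ck = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    impi = "user@ims.mnc001.mcc001.3gppnetwork.org"    # constructed IMPI
    bsf = Bsf("bsf.mnc001.mcc001.pub.3gppnetwork.org")  # constructed BSF domain

    btid = bsf.complete_bootstrapping(rand, ck, ik, impi)  # Ub: UE receives the B-TID

    # Ua: the UE presents the same B-TID to two different NAFs.
    streaming = naf_id("streaming.example.com", UA_PROTO_ID_PLACEHOLDER)
    portal = naf_id("portal.example.com", UA_PROTO_ID_PLACEHOLDER)
    ue_key_streaming = ue_derive_ks_naf(rand, ck, ik, impi, streaming)

    # Zn: each NAF obtains only its own Ks_NAF; a B-TID the BSF never issued yields nothing.
    naf_key_streaming = bsf.zn_key_request(btid, streaming)
    naf_key_portal = bsf.zn_key_request(btid, portal)
    unknown = bsf.zn_key_request("AAAAAAAAAAAAAAAAAAAAAA==@" + bsf.domain, streaming)

    return {"btid": btid, "ue_key_streaming": ue_key_streaming,
            "naf_key_streaming": naf_key_streaming, "naf_key_portal": naf_key_portal,
            "unknown": unknown}

if __name__ == "__main__":
    r = demo()
    print("B-TID:", r["btid"])
    print("UE and NAF agree on Ks_NAF:", r["ue_key_streaming"] == r["naf_key_streaming"])
    print("Different NAFs get different keys:", r["naf_key_streaming"] != r["naf_key_portal"])
```

Two properties of the design show up directly in `demo()`: the BSF releases only a key bound to the requesting NAF's NAF_Id, so a NAF holding Ks_NAF for one service cannot derive the key of another service or recover Ks, and a B-TID the BSF has no context for produces no key at all, which is why the B-TID can be sent to the NAF in the clear as a mere reference.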
Purpose & Motivation
GBA was created to address the growing need for secure authentication to internet-based application services (like video streaming, email, or banking) accessed from mobile devices, without forcing users to remember and enter separate credentials for each service. Before GBA, application servers either relied on weak username/password combinations, required complex public key infrastructure (PKI) deployment on UEs, or had no integrated security with the mobile operator's trust domain. This led to poor user experience, security vulnerabilities, and fragmented identity management.
The primary motivation was to leverage the strong, SIM-based authentication already present in mobile networks. The 3GPP AKA protocol provides mutual authentication and strong key establishment between the UE and the network core. GBA repurposes this infrastructure to create a generic key distribution service for the application layer. This solves the problem of credential proliferation and allows mobile operators to offer value-added services with built-in, high-grade security derived from the SIM.
Furthermore, GBA enables new business models by allowing third-party application providers (the NAFs) to rely on the mobile operator's authentication infrastructure. A content provider can offer a service securely to a subscriber without needing to operate its own authentication system; it simply integrates with the operator's BSF. This created a trusted ecosystem, facilitated the deployment of IP Multimedia Subsystem (IMS) services, and provided a foundation for secure machine-to-machine (M2M) communication, addressing the limitations of previous ad-hoc and less secure application authentication methods.
Classification
Studied in Rel-6, normative work from Rel-15.
Detected Changes Across Releases from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (65 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the GBA function was updated by introducing the Charging Function into the overall architecture to support the enhanced charging and policy control needed for multi-access systems. Furthermore, a non-roaming reference architecture correction was made, and editor's notes regarding the application ID for ANDSF GBA Push were resolved to ensure clarity and proper functionality. These changes were part of broader architectural updates that also included clarifications to roaming architectures and the NRF roaming architecture.
- Adding of the abbreviations and Network Function Architecture for Cell site Information reporting plus Handover details TS 33.107 CR0276
- Non-roaming Architecture for Network Exposure Function in reference point representation TS 23.501 CR0073
- Update Roaming reference architectures TS 23.501 CR0166
- Clarification to the NRF Roaming architecture TS 23.501 CR0325
- Introduce Charging Function in overall architecture TS 23.501 CR0793
- Non-roaming reference architecture correction TS 23.501 CR0915
+ 1 more change
In Release 16, the GBA function was enhanced to support new architectural use cases, specifically for Personal Area Networks (PANs) where multiple devices share a single USIM for authentication to the AIPN. This enabled a user's non-USIM devices to access network services by bootstrapping through a USIM-equipped device on the PAN, requiring reliable billing association with the correct USIM. Furthermore, the architecture was updated to support Time Sensitive Communication and the integration of 5G LAN-type services within the ETSUN framework.
- ETSUN - Architecture conclusion TS 23.501 CR0732
- Architecture and reference points for Wireline AN TS 23.501 CR0863
- TSC Architecture TS 23.501 CR0871
- ETSUN Architecture Update TS 23.501 CR1170
- Misleading RACS architecture pictures TS 23.501 CR1828
- Introduction of the Inter PLMN UP functionality in the architecture TS 23.501 CR1848
+ 4 more changes
In Release 17, the key enhancements for GBA included the introduction of GBA-based shared secret with PSK authentication in TLS 1.3 and the capability for GBA key re-negotiation with TLS 1.3. Furthermore, the release deprecated the use of SHA-1 in GBA for improved security and introduced the GBA Push Info (GPI) for use in the 5G ProSe direct link security mode control procedure. The architecture also added explicit support for choosing between AKMA and AKA-based GBA at both the UE and AF sides.
- Introduction of AKMA into the reference architecture TS 23.501 CR2457
- 5G system architecture updates to support Dynamically Changing Policies in the 5GC TS 23.501 CR2560
- Introduction of the architectures for Time Sensing Communication other than TSN TS 23.501 CR2573
- 5G Architecture reference model for ProSe TS 23.501 CR2637
- 5MBS architecture TS 23.501 CR2689
- Introduction of architecture for AF requested support of Time Sensitive Communication and Time Synchronization TS 23.501 CR2833
+ 14 more changes
In Release 18, the GBA function was enhanced by specifying new security protocols for the GBA Ua interface, including DTLS and IETF OSCORE, as documented in new annexes to TS 33.220. The release also included updates to test cases related to the GBAUCipher class for UICC/USIM. Furthermore, architectural clarifications were made regarding authentication for Non-Seamless WLAN Offload (NSWO) using a Certificate Holder (CH) with an AAA Server via the 5G Core.
- Multiple NSACF architecture enhancement TS 23.501 CR3785
- Hierarchical NSAC architecture enhancement TS 23.501 CR3959
- Informative Annex on PIN Architecture TS 23.501 CR4028
- PIN definition and architecture TS 23.501 CR4092
- Event exposure enhancement for enhanced NSAC architecture TS 23.501 CR4156
- Hierarchical NSAC Architecture for EPS counting TS 23.501 CR4442
+ 11 more changes
In Release 19, the updates to the Generic Bootstrapping Architecture (GBA) primarily focused on enhancing security and authentication mechanisms for Personal Area Networks (PANs) where multiple devices share a single USIM. The specifications clarified how devices without a USIM can be authorized to access the network using a USIM from another device within the PAN, ensuring correct billing association. Furthermore, the architecture was refined to support efficient end-to-end protection and simplified trust establishment for service provisioning in heterogeneous network environments.
- Introduction of new network function for energy related information, its definition and corresponding Architecture Reference Model TS 23.501 CR5636
- PDU Set Information Identification for end-to-end encrypted traffic using connect-UDP - architecture part TS 23.501 CR5728
- NR Femto architecture definition TS 23.501 CR5807
- NR Femto architecture introduction TS 23.501 CR5694
- KI#1 Architecture for Local Offloading Management TS 23.501 CR5752
- Automatic Certificate Management Environment (ACME) for the Service Based Architecture (SBA) TS 33.310 CR0215
+ 4 more changes
In Release 20, the Generic Bootstrapping Architecture (GBA) was updated to support policy control for network energy saving, as indicated by the Change Request. This involved an update to the architecture and the EIF function to integrate this new capability, aligning with the release's broader focus on operational efficiency within evolving network environments.
- Update on architecture and EIF function to support policy control for network energy saving TS 23.501 CR6521
Defining Specifications
3GPP specifications that define or reference GBA, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 22.978 vj00 | Feasibility of All-IP Network (AIPN) in 3GPP | Rel-19 |
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TS 23.862 vc00 | Interworking Solutions for Mobile Operators & Data Apps | Rel-12 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 24.229 vj50 | IMS call control protocol based on SIP and SDP | Rel-19 |
| TS 24.259 vj00 | Personal Network Management (PNM) Protocol Details | Rel-19 |
| TS 24.302 vj00 | Access to EPC via non-3GPP networks; Stage 3 | Rel-19 |
| TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19 |
| TS 26.517 vj10 | 5G MBS User Service Protocols and Formats | Rel-19 |
| TR 26.946 vj00 | MBMS User Services Overview | Rel-19 |
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |
| TS 29.309 vj10 | Nbsp Service Based Interface for GBA BSF | Rel-19 |
| TS 31.213 vi30 | Test specification for (U)SIM | Rel-18 |
| TR 31.822 vi10 | Technical Report on GBA_U based APIs | Rel-18 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |
| TS 33.107 vj00 | Lawful Interception Architecture & Functions | Rel-19 |
| TS 33.110 vj00 | UICC-Terminal Key Establishment | Rel-19 |
| TS 33.141 vj00 | Security for Presence Service (Ut reference point) | Rel-19 |
| TS 33.179 vdc0 | MCPTT Security Architecture and Procedures | Rel-13 |
| TS 33.180 vk00 | Security of Mission Critical (MC) Service | Rel-20 |
| TS 33.185 vj00 | V2X Security in LTE | Rel-19 |
| TS 33.220 vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19 |
| TS 33.221 vj00 | Subscriber Certificate Distribution via GBA | Rel-19 |
| TS 33.222 vj00 | Secure HTTP Access in GAA | Rel-19 |
| TS 33.223 vj00 | GBA Push Function Specification | Rel-19 |
| TS 33.224 vj00 | Generic Push Layer (GPL) Specification | Rel-19 |
| TS 33.246 vj00 | MBMS Security Specification | Rel-19 |
| TS 33.259 vj00 | Key Establishment between UICC Hosting & Remote Device | Rel-19 |
| TS 33.303 vj00 | ProSe Security Specification for EPS | Rel-19 |
| TS 33.310 vj50 | 3GPP Authentication Framework for Network Nodes | Rel-19 |
| TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19 |
| TS 33.533 vj00 | Security for 5G Ranging & Sidelink Positioning | Rel-19 |
| TR 33.739 vi10 | Study on security enhancement of support for | Rel-18 |
| TS 33.804 vc00 | Non-UICC SSO using SIP Digest credentials | Rel-12 |
| TS 33.822 v1800 | Security Architecture for Inter-Access Mobility | Rel-8 |
| TS 33.823 vc20 | GBA Web Browser Integration Study | Rel-12 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |
| TS 33.863 ve20 | Security for Battery-Efficient IoT Device to Enterprise | Rel-14 |
| TR 33.919 vj00 | GAA Overview TR | Rel-19 |
| TR 33.924 vj00 | GBA-OpenID Interworking Specification | Rel-19 |
| TR 33.980 vj00 | GAA & Liberty Alliance Interworking Guidelines | Rel-19 |
| TS 34.229 vj21 | IMS SIP/SDP UE Conformance Testing for 5GS | Rel-19 |