GIBA

GPRS-IMS-Bundled Authentication

Security
Introduced in Rel-8
GIBA is a 3GPP security mechanism that reuses the authentication performed for GPRS/UMTS packet access to subsequently authenticate the user to the IMS (IP Multimedia Subsystem). This eliminates the need for a separate IMS authentication procedure, streamlining network access and reducing signaling overhead for IMS services.

Description

GPRS-IMS-Bundled Authentication (GIBA) is a security architecture defined by 3GPP to enable a seamless and efficient authentication flow between the packet-switched domain (GPRS/UMTS) and the IP Multimedia Subsystem (IMS). The core principle of GIBA is the derivation of IMS authentication credentials from the successful authentication and key agreement procedure already completed for the underlying GPRS/UMTS access network. When a User Equipment (UE) attaches to the GPRS network, it undergoes an authentication and key agreement procedure (e.g., AKA in UMTS) with the network, resulting in a set of session keys (IK and CK) established between the UE and the Serving GPRS Support Node (SGSN). GIBA leverages this established security context.

The mechanism works by having the network, specifically the Proxy-Call Session Control Function (P-CSCF) in IMS, request authentication vectors from the Home Subscriber Server (HSS). However, instead of performing a full IMS AKA procedure, the HSS, which also participated in the GPRS authentication, can provide authentication data derived from the GPRS security context. The P-CSCF and the UE then use these derived parameters to mutually authenticate for IMS access. This process involves the P-CSCF obtaining an Authentication Vector (AV) from the HSS. This AV contains parameters like the Authentication Token (AUTN), which is calculated using the GPRS session keys, and the Expected Response (XRES). The P-CSCF sends a challenge to the UE within the IMS registration request.

The UE, which possesses the same GPRS session keys, can independently compute the expected authentication parameters. It verifies the AUTN to authenticate the network and computes a response (RES). The UE sends this RES back to the P-CSCF, which compares it to the XRES received from the HSS. A match confirms the UE's identity and its successful GPRS authentication, thereby granting IMS access. Architecturally, GIBA relies on the integration between the HSS (or the legacy Home Location Register, HLR) and the IMS core. The HSS must be aware of the GPRS attachment and the corresponding keys to generate the correct derived authentication vectors for IMS. This makes the HSS a central component, acting as the anchor point for both access and service layer security contexts.
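The challenge-response exchange described above, modelled end to end as an added example (not code from 3GPP or from this page's source). HMAC-SHA-256 over CK || IK is an assumed stand-in for the derivation functions, which the page does not specify; the function names, key values and outcome strings are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample keys standing in for the GPRS session keys (CK, IK).
CK = bytes(range(16))
IK = bytes(range(16, 32))

def _derive(ck: bytes, ik: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 keyed with CK || IK, truncated to 128 bits.
    return hmac.new(ck + ik, label + rand, hashlib.sha256).digest()[:16]

def hss_make_vector(ck: bytes, ik: bytes) -> dict:
    """HSS: build an authentication vector from the GPRS security context."""
    rand = os.urandom(16)
    return {"rand": rand,
            "autn": _derive(ck, ik, b"AUTN", rand),
            "xres": _derive(ck, ik, b"RES", rand)}

def ue_answer(ck: bytes, ik: bytes, rand: bytes, autn: bytes):
    """UE: verify AUTN to authenticate the network, then compute RES.
    Returns None when AUTN does not match, so no RES leaks to a bad challenge."""
    if not hmac.compare_digest(autn, _derive(ck, ik, b"AUTN", rand)):
        return None
    return _derive(ck, ik, b"RES", rand)

def pcscf_verify(av: dict, res) -> bool:
    """P-CSCF: constant-time comparison of the UE's RES with the HSS's XRES."""
    return res is not None and hmac.compare_digest(res, av["xres"])

def register(hss_keys, ue_keys, tamper_autn: bool = False) -> str:
    """Run one registration; hss_keys and ue_keys are (CK, IK) tuples."""
    av = hss_make_vector(*hss_keys)
    autn = av["autn"]
    if tamper_autn:  # simulate a challenge modified in transit
        autn = bytes([autn[0] ^ 0x01]) + autn[1:]
    res = ue_answer(*ue_keys, av["rand"], autn)
    if res is None:
        return "ue-rejected-network"
    return "registered" if pcscf_verify(av, res) else "rejected"

if __name__ == "__main__":
    print(register((CK, IK), (CK, IK)))                    # shared context
    print(register((CK, IK), (CK, IK), tamper_autn=True))  # altered AUTN
    print(register((CK, IK), (IK, CK)))                    # mismatched keys
```

A UE whose keys differ from the HSS's context fails at the AUTN check before any RES is sent, which is why the mismatched-key case ends at the UE rather than at the P-CSCF comparison.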

GIBA's role in the network is to optimize the service setup time for IMS applications like Voice over LTE (VoLTE) by avoiding a duplicate, full authentication cycle. It reduces signaling load on the core network and the UE's battery consumption associated with cryptographic computations. It represents a key convergence point between circuit-switched/packet-switched legacy networks and the all-IP IMS core, facilitating a smoother transition to unified communication services.

Purpose & Motivation

GIBA was created to address the inefficiency and user experience degradation caused by requiring separate, sequential authentication procedures when a user accesses IMS services over a 3GPP packet-switched network. Before GIBA, a UE would first authenticate to the GPRS/UMTS network (e.g., using UMTS AKA) to obtain IP connectivity. Then, when attempting to register for an IMS service like voice or video calling, it would need to perform a second, independent authentication procedure (IMS AKA) with the IMS core. This double authentication increased call setup times, consumed additional radio and core network signaling resources, and drained UE battery faster due to extra cryptographic processing.

The historical context is the introduction of IMS in 3GPP Release 5 as the service delivery platform for multimedia services. Initially, IMS was designed to be access-agnostic, which logically led to its own authentication framework. However, for 3GPP-defined accesses (GPRS, UMTS), this resulted in redundancy because the network operator already authenticated the user and established a secure channel at the access layer. GIBA was standardized to leverage this existing trust and security context. It solves the problem by creating a security association between the two layers, allowing the IMS to trust the authentication verdict of the underlying GPRS network.

This approach addressed limitations of the disjointed model, specifically the latency for service initiation and the unnecessary load on the authentication center (AuC) and HSS. By bundling the authentications, GIBA enables faster IMS registration, which is critical for real-time communication services. It also simplifies the overall security architecture for operators deploying IMS over their own 3GPP radio access, making the service launch more efficient and improving the perceived responsiveness for the end-user.

Key Features

  • Eliminates standalone IMS AKA procedure for 3GPP access
  • Derives IMS authentication credentials from established GPRS/UMTS security keys (IK, CK)
  • Reduces signaling overhead and latency during IMS registration
  • Leverages the HSS as a common security anchor for both access and service layers
  • Enhances user experience with faster service availability
  • Decreases UE power consumption by avoiding duplicate cryptographic computations

Evolution Across Releases

Rel-8 Initial

Introduced GIBA as a standardized mechanism for GPRS-IMS-Bundled Authentication. The initial architecture defined the process for the HSS to generate IMS authentication vectors (AVs) based on the GPRS security context and for the P-CSCF to use these vectors to authenticate the UE during IMS registration, thereby creating a secure link between the two network layers.

Defining Specifications

Specification    Title
TS 33.141        3GPP TR 33.141
TS 33.203        3GPP TR 33.203