Description
The GBA User Security Settings (GUSS) is a critical security data structure within the 3GPP Generic Bootstrapping Architecture (GAA). GAA/GBA provides a mechanism for mutual authentication and key agreement between a User Equipment (UE) and a Network Application Function (NAF), leveraging the existing security relationship between the UE and its home network. The GUSS is the repository for the user-specific security material and configuration needed for this bootstrapping process. It is securely stored in the Bootstrapping Server Function (BSF), which is the central GBA network element responsible for performing bootstrapping procedures with the UE.
The GUSS is essentially a profile associated with a user's private identity (e.g., the IMS Private User Identity, IMPI). Its contents are defined by the home network operator and can include several key components. Primarily, it contains the shared secret key (K) associated with the user's Universal Integrated Circuit Card (UICC) or soft credential, which is the root of trust. Beyond the key, it holds GBA-specific user security settings, such as the list of supported GBA versions (e.g., GBA_ME, GBA_U, GBA_Digest), key lifetimes, and potentially service-specific indications. The BSF uses the information in the GUSS, together with the authentication vectors it receives from the Home Subscriber Server (HSS), to execute the bootstrapping procedure with the UE.
During a GBA bootstrapping run, the UE and BSF authenticate each other using the credentials derived from the GUSS data, typically via the HTTP Digest AKA protocol. Upon successful authentication, they derive shared, session-specific key material (Ks). A key part of this derived material is the NAF-specific key (Ks_NAF), which the BSF provides to the requesting NAF (e.g., a multimedia service server). The UE independently calculates the same Ks_NAF. This allows the UE and the NAF to establish a secure channel without the NAF ever learning the user's long-term secret (K). The GUSS thus lets authentication performed in the core network (HSS/BSF) be extended securely to multiple application servers, forming the basis for single-sign-on-like experiences in the 3GPP service layer.
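The key hand-over described above, worked through as an added example (this is not code from the page, from 3GPP, or from any GBA implementation). The KDF follows TS 33.220 Annex B as the editor recalls it: Ks is the concatenation CK || IK from the AKA run, and Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id). The AKA run itself is not reproduced, so CK, IK, RAND, the IMPI, the host names and the 5-octet Ua security protocol identifier are all constructed sample values; the `Bsf` class, `zn_fetch_key` and `demo()` are illustration-only names, not a real API. The point it makes visible is that the NAF side receives only Ks_NAF and its lifetime (the lifetime being the GUSS setting), never K, and that a key handed out for one NAF is useless at another.

```python
# Added example, not part of the page. Derives Ks_NAF as in TS 33.220 Annex B
# and shows the Zn-style hand-over of Ks_NAF (plus the GUSS key lifetime) to a
# NAF. CK/IK, RAND, IMPI and all names are constructed sample data; the AKA run
# that produces CK/IK is not reproduced.
import base64
import hashlib
import hmac
import struct


def gba_kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256(Key, S) with
    S = FC || P0 || L0 || ... || Pn || Ln; FC is one octet, each Li is the
    two-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str,
                  naf_fqdn: str, ua_protocol_id: bytes,
                  variant: str = "gba-me") -> bytes:
    """Ks_NAF = KDF(Ks, variant, RAND, IMPI, NAF_Id), Ks = CK || IK,
    NAF_Id = UTF-8(FQDN) || Ua security protocol identifier (Annex B.3).
    The long-term key K never appears here, only the Ks derived from it."""
    if variant not in ("gba-me", "gba-u"):
        raise ValueError("variant must be 'gba-me' or 'gba-u'")
    if len(rand) != 16:
        raise ValueError("AKA RAND is 16 octets")
    ks = ck + ik
    naf_id = naf_fqdn.encode("utf-8") + ua_protocol_id
    return gba_kdf(ks, 0x01, variant.encode("utf-8"), rand,
                   impi.encode("utf-8"), naf_id)


def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND)@BSF_servers_domain_name (TS 33.220 clause 4.5.2)."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


class Bsf:
    """Toy BSF (illustration only). After the HTTP Digest AKA run, which is
    not shown, it keeps CK/IK per B-TID with the key lifetime from the GUSS."""

    def __init__(self, domain: str):
        self.domain = domain
        self.sessions = {}  # B-TID -> (IMPI, CK, IK, RAND, expiry)

    def complete_bootstrapping(self, impi, ck, ik, rand, guss_lifetime_s, now):
        btid = make_btid(rand, self.domain)
        expiry = now + guss_lifetime_s
        self.sessions[btid] = (impi, ck, ik, rand, expiry)
        return btid, expiry  # sent to the UE in the final Ub response

    def zn_fetch_key(self, btid, naf_fqdn, ua_protocol_id, now):
        """Zn request from a NAF: Ks_NAF and its lifetime, or None when the
        B-TID is unknown or the bootstrapped key has expired."""
        sess = self.sessions.get(btid)
        if sess is None:
            return None
        impi, ck, ik, rand, expiry = sess
        if now >= expiry:
            return None
        return derive_ks_naf(ck, ik, rand, impi, naf_fqdn, ua_protocol_id), expiry


def demo():
    """Returns (ue_and_naf_keys_match, keys_differ_per_naf, expired_key_refused)."""
    impi = "user@example.net"                                  # constructed
    ck = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # constructed
    rand = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed
    naf_fqdn = "naf.example.net"
    ua_proto = bytes.fromhex("0100000001")  # placeholder 5-octet Ua protocol id
    now = 1_700_000_000

    bsf = Bsf("bsf.example.net")
    btid, _ = bsf.complete_bootstrapping(impi, ck, ik, rand, 86400, now)

    # UE side: computes Ks_NAF locally from the same Ks material.
    ue_key = derive_ks_naf(ck, ik, rand, impi, naf_fqdn, ua_proto)
    # NAF side: presents the B-TID over Zn and receives Ks_NAF from the BSF.
    naf_key, _ = bsf.zn_fetch_key(btid, naf_fqdn, ua_proto, now)
    other_key, _ = bsf.zn_fetch_key(btid, "other.example.net", ua_proto, now)
    # A NAF asking after the GUSS lifetime has elapsed gets nothing.
    stale = bsf.zn_fetch_key(btid, naf_fqdn, ua_proto, now + 86400)
    return ue_key == naf_key, naf_key != other_key, stale is None


if __name__ == "__main__":
    print(demo())
```

Binding the NAF_Id into the derivation is what keeps one application server from reusing a key at another; the lifetime check in `zn_fetch_key` is where the GUSS key-lifetime setting is actually enforced on the network side.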
Purpose & Motivation
GUSS was created to solve the problem of fragmented and cumbersome authentication for value-added services in mobile networks. Before GBA and GUSS, application servers (like those for multimedia messaging, presence, or location-based services) often had to maintain their own separate user databases and authentication mechanisms. This required users to manage multiple credentials, increased operational complexity for operators, and created security vulnerabilities through credential proliferation. The industry needed a way to leverage the strong, SIM-based authentication of the mobile network for securing application-layer services.
The Generic Bootstrapping Architecture (GBA) was the answer, and GUSS is a foundational component of GBA. Its purpose is to centralize the management of the user-specific security parameters required for GBA within the network's trust domain (the BSF). This design allows the home operator to maintain control over authentication policies, key strengths, and credential lifetimes. It separates the concerns of core authentication (handled by BSF/HSS using GUSS) from service provision (handled by the NAFs).
By providing a standardized container for these settings, GUSS enables interoperability and consistent security enforcement across different GBA-compliant services and vendors. It is a key enabler for secure service access in IMS and other IP-based services, allowing operators to offer a seamless and secure user experience where network-level authentication transparently grants access to a suite of applications, significantly enhancing both security and usability.
Key Features
- Stores user-specific long-term secret key (K) and GBA security parameters in the Bootstrapping Server Function (BSF)
- Essential for the GBA bootstrapping procedure between UE and BSF
- Contains configuration for supported GBA variants (GBA_ME, GBA_U) and key lifetimes
- Enables derivation of NAF-specific session keys (Ks_NAF) for secure application-layer access
- Centralizes security management for the operator, preventing credential proliferation
- Foundational for providing single sign-on capabilities across diverse 3GPP application services
Evolution Across Releases
Introduced GUSS as a core component of the Generic Bootstrapping Architecture (GBA). Defined its role in storing user-specific security settings in the BSF, including the shared secret and GBA capabilities, to enable bootstrapping of application security from the 3GPP subscription authentication.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.109 | 3GPP TS 24.109 |
| TS 29.109 | 3GPP TS 29.109 |
| TS 29.309 | 3GPP TS 29.309 |
| TS 32.808 | 3GPP TR 32.808 |
| TS 33.220 | 3GPP TR 33.220 |
| TS 33.223 | 3GPP TR 33.223 |
| TS 33.804 | 3GPP TR 33.804 |
| TS 33.924 | 3GPP TR 33.924 |
| TS 33.980 | 3GPP TR 33.980 |