Description
The GBA User Security Settings (GUSS) is the per-subscriber security data structure of the 3GPP Generic Bootstrapping Architecture (GBA), which is part of the Generic Authentication Architecture (GAA) defined in TS 33.220. GBA provides mutual authentication and key agreement between a User Equipment (UE) and a Network Application Function (NAF) by reusing the existing security relationship between the UE (its UICC or another home-network credential) and its home network. The GUSS carries the subscriber-specific GBA configuration needed for that bootstrapping. It is stored in the Home Subscriber Server (HSS) as part of the subscriber profile and is delivered over the Zh reference point, together with the authentication vector for the current run, to the Bootstrapping Server Function (BSF), the GBA network element that performs the bootstrapping procedure with the UE.
The GUSS is a profile keyed on the user's private identity (for example the IMS Private User Identity, IMPI), and its contents are set by the home operator. Per TS 33.220 Annex A it has two parts. The first is BSF-specific information: the UICC type, which decides whether the run is GBA_ME or GBA_U (and therefore whether UICC-resident Ks_int_NAF keys can be derived), and optionally a key lifetime; if the GUSS carries no lifetime, the BSF applies its configured default. The second is a list of User Security Settings (USS), one per application type, each holding the user identifiers that application is allowed to see and the authentication and authorization flags for it (for example whether subscriber certificate enrolment is permitted). The GUSS does not contain the long-term subscriber key K. K stays in the HSS/AuC and on the UICC, and the BSF only ever receives per-run authentication vectors. The BSF uses the GUSS together with the authentication vector from the HSS to run the bootstrapping procedure and, later, to decide what it may release to a given NAF.
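The following is an added example, not code from this page or from any 3GPP product, showing how a BSF would read a GUSS received over Zh and apply it when a NAF later asks over Zn. The XML is constructed in the shape of the GUSS schema in TS 29.109 Annex A; the element names, the USS type codes (GSIDs), the NAF group name and the flag values are assumptions for illustration and must be checked against the TS 29.109 release you implement.

```python
"""Reading a GUSS on the BSF and deciding what a NAF may receive over Zn.

Added example, not code from the page or from any 3GPP product. The XML is
constructed in the shape of the GUSS schema in TS 29.109 Annex A; element
names, USS type codes (GSIDs) and flag values are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed GUSS for one subscriber, as the HSS would return it over Zh.
SAMPLE_GUSS = """<guss id="user@example.com">
  <bsfInfo>
    <uiccType>GBA_U</uiccType>
    <lifeTime>3600</lifeTime>
  </bsfInfo>
  <ussList>
    <uss id="1" type="1" nafGroup="pki">
      <uids><uid>user@example.com</uid></uids>
      <flags><flag>1</flag><flag>2</flag></flags>
    </uss>
    <uss id="2" type="2">
      <uids><uid>+15555550100</uid></uids>
      <flags><flag>1</flag></flags>
    </uss>
  </ussList>
</guss>
"""


@dataclass
class USS:
    uss_id: str
    gsid: str                 # application type (GSID) this USS belongs to
    naf_group: Optional[str]  # if set, only NAFs in this group may receive it
    uids: List[str]           # identities the application is allowed to see
    flags: Set[str]           # authentication / authorization flags (assumed codes)


@dataclass
class GUSS:
    impi: str
    uicc_type: str            # "GBA" (GBA_ME) or "GBA_U"
    lifetime_s: int           # 0 means "not set, BSF default applies"
    uss_list: List[USS]


def parse_guss(xml_text: str) -> GUSS:
    """Parse the GUSS document; the long-term key K is never part of it."""
    root = ET.fromstring(xml_text)
    if root.tag != "guss" or "id" not in root.attrib:
        raise ValueError("not a GUSS document")
    bsf = root.find("bsfInfo")
    uicc = bsf.findtext("uiccType", default="GBA") if bsf is not None else "GBA"
    lifetime = int(bsf.findtext("lifeTime", default="0")) if bsf is not None else 0
    uss_list = []
    for u in root.iterfind("ussList/uss"):
        uss_list.append(USS(
            uss_id=u.get("id"),
            gsid=u.get("type"),
            naf_group=u.get("nafGroup"),
            uids=[e.text for e in u.iterfind("uids/uid")],
            flags={e.text for e in u.iterfind("flags/flag")},
        ))
    return GUSS(root.get("id"), uicc, lifetime, uss_list)


def uss_for_naf(guss: GUSS, requested_gsids: List[str], naf_groups: List[str]) -> List[USS]:
    """Release only the USSs the NAF asked for by GSID and, where a USS is bound
    to a NAF group, only to a NAF in that group. Everything else stays in the BSF."""
    return [u for u in guss.uss_list
            if u.gsid in requested_gsids
            and (u.naf_group is None or u.naf_group in naf_groups)]


def zn_decision(guss, requested_gsids, naf_groups, bootstrap_time, now, default_lifetime=86400):
    """BSF-side answer to a Zn request: None if the bootstrapping has expired
    (the NAF must then send the UE back to Ub), otherwise the USSs to include,
    the remaining key lifetime and whether GBA_U keys (Ks_int/ext_NAF) apply."""
    lifetime = guss.lifetime_s if guss.lifetime_s > 0 else default_lifetime
    expires_at = bootstrap_time + lifetime
    if now >= expires_at:
        return None
    return {
        "uss": uss_for_naf(guss, requested_gsids, naf_groups),
        "expires_in": int(expires_at - now),
        "gba_u": guss.uicc_type == "GBA_U",
    }


if __name__ == "__main__":
    g = parse_guss(SAMPLE_GUSS)
    # A NAF outside the "pki" group asking for GSIDs 1 and 2 only gets USS 2.
    print(zn_decision(g, ["1", "2"], [], bootstrap_time=1000.0, now=2000.0))
```

The point to notice is that the USS filter and the lifetime check both run on the BSF: a NAF only ever sees the settings for the application types it requested and is grouped for, and an expired bootstrapping is refused rather than silently extended.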
During a bootstrapping run over the Ub reference point, the UE and the BSF authenticate each other with HTTP Digest AKA, using an authentication vector (RAND, AUTN, XRES, CK, IK) that the BSF fetched from the HSS; the GUSS itself is configuration, not an authentication credential. On success both sides hold Ks = CK || IK, and the BSF assigns a Bootstrapping Transaction Identifier (B-TID) and a key lifetime taken from the GUSS or, if absent there, from BSF configuration. When the UE contacts a NAF it presents the B-TID, and the UE and the BSF independently derive the NAF-specific key Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), where NAF_Id is the NAF's FQDN concatenated with the Ua security protocol identifier, so the same NAF host gets a different key per Ua protocol. Over the Zn reference point the BSF hands the NAF Ks_NAF, its lifetime and only those USSs the NAF is entitled to; the NAF never learns Ks or the long-term key K. In this way one network-level authentication is extended to many application servers, which is the basis for single sign-on-like behaviour in the 3GPP service layer.
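The derivation described above, as an added example that is not part of the original page or of any 3GPP implementation: it implements the generic KDF of TS 33.220 Annex B and the NAF_Id and B-TID constructions, and shows why a new Ua security protocol identifier changes the resulting Ks_NAF. The Ua identifier constant is the one TS 33.220 Annex H lists for HTTP Digest over Ua; all other inputs (RAND, CK, IK, IMPI, host names) are constructed test values.

```python
"""GBA key derivation after a successful Ub bootstrapping run (3GPP TS 33.220).

Added example, not code from the page or from any 3GPP product. Implements the
KDF of TS 33.220 Annex B and the NAF_Id / B-TID constructions; RAND, CK, IK,
IMPI and host names used below are constructed test data.
"""
import base64
import hashlib
import hmac

FC_GBA = b"\x01"  # FC byte selecting the GBA use of the generic 3GPP KDF

# Ua security protocol identifier for HTTP Digest authentication over Ua
# (TS 33.220 Annex H). Each Ua protocol has its own 5-byte identifier, so the
# TLS 1.3 identifier added in Rel-17 yields a different Ks_NAF for the same host.
UA_HTTP_DIGEST = bytes([0x01, 0x00, 0x00, 0x00, 0x02])


def kdf_3gpp(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || ... || Pn || Ln),
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytearray(fc)
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("KDF input parameter longer than 65535 bytes")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, bytes(s), hashlib.sha256).digest()


def naf_id(naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = FQDN of the NAF || Ua security protocol identifier."""
    if len(ua_protocol_id) != 5:
        raise ValueError("Ua security protocol identifier must be 5 bytes")
    return naf_fqdn.encode("utf-8") + ua_protocol_id


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Ks = CK || IK, held by UE and BSF only; never released to a NAF."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK are 128-bit values")
    return ck + ik


def derive_ks_naf(ks, rand, impi, naf_fqdn, ua_protocol_id, gba_u_internal=False):
    """Ks_NAF (GBA_ME) or Ks_ext_NAF / Ks_int_NAF (GBA_U):
    Ks_(ext_)NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id)
    Ks_int_NAF   = KDF(Ks, "gba-u",  RAND, IMPI, NAF_Id)   (GBA_U only)"""
    label = b"gba-u" if gba_u_internal else b"gba-me"
    return kdf_3gpp(ks, FC_GBA, label, rand, impi.encode("utf-8"),
                    naf_id(naf_fqdn, ua_protocol_id))


def btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND)@<BSF server domain name>; the UE presents it to the
    NAF, which uses it to fetch Ks_NAF from the BSF over Zn."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


def bootstrap_and_derive(rand, ck, ik, impi, bsf_domain, naf_fqdn, ua_id):
    """What UE and BSF can each compute after Ub for one NAF_Id."""
    ks = derive_ks(ck, ik)
    return {
        "btid": btid(rand, bsf_domain),
        "ks_naf": derive_ks_naf(ks, rand, impi, naf_fqdn, ua_id),
    }


if __name__ == "__main__":
    # Constructed test values; in a real run the AKA exchange supplies them.
    RAND, CK, IK = bytes(range(16)), b"\x11" * 16, b"\x22" * 16
    out = bootstrap_and_derive(RAND, CK, IK, "user@example.com",
                               "bsf.example.com", "naf.example.com", UA_HTTP_DIGEST)
    print(out["btid"])
    print(out["ks_naf"].hex())
```

Because NAF_Id is a KDF input, a NAF that serves both an HTTP Digest and a TLS Ua endpoint on one FQDN ends up with two unrelated Ks_NAF values, and a NAF cannot use a key meant for a different host or protocol.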
Purpose & Motivation
GUSS was created to solve the problem of fragmented and cumbersome authentication for value-added services in mobile networks. Before GBA and GUSS, application servers (like those for multimedia messaging, presence, or location-based services) often had to maintain their own separate user databases and authentication mechanisms. This required users to manage multiple credentials, increased operational complexity for operators, and created security vulnerabilities through credential proliferation. The industry needed a way to leverage the strong, SIM-based authentication of the mobile network for securing application-layer services.
The Generic Bootstrapping Architecture (GBA) was the answer, and GUSS is a foundational component of GBA. Its purpose is to centralize the management of the user-specific security parameters required for GBA within the home network's trust domain: the HSS holds them as part of the subscriber profile and the BSF applies them during bootstrapping. This design lets the home operator keep control over authentication policy, the GBA variant a subscriber may use, key lifetimes and which settings each application may see. It separates core authentication (handled by BSF and HSS using the GUSS) from service provision (handled by the NAFs).
By providing a standardized container for these settings, GUSS enables interoperability and consistent security enforcement across different GBA-compliant services and vendors. It is a key enabler for secure service access in IMS and other IP-based services, allowing operators to offer a seamless and secure user experience where network-level authentication transparently grants access to a suite of applications, significantly enhancing both security and usability.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (3 CRs across 1 release). This complements the general overview above with the evidence-based evolution of this function.
Studied in Rel-8, normative work from Rel-17.
In Release 17, the GUSS function was updated as part of broader security enhancements for algorithms and protocols within the Generic Authentication Architecture (GAA). Specifically, a new Ua security protocol identifier was introduced to support TLS 1.3 for securing the bootstrapped security association between the UE and the Network Application Function (NAF). These updates ensure that GUSS-authorized procedures, such as subscriber certificate enrolment and the verification of user security settings by a PKI portal, can utilize contemporary cryptographic protocols.
Defining Specifications
3GPP specifications that define or reference GUSS, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 29.109 vj00 | GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) | Rel-19 |
| TS 29.309 vj10 | Nbsp Service Based Interface for GBA BSF | Rel-19 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |
| TS 33.220 vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19 |
| TS 33.223 vj00 | GBA Push Function Specification | Rel-19 |
| TS 33.804 vc00 | Non-UICC SSO using SIP Digest credentials | Rel-12 |
| TR 33.924 vj00 | GBA-OpenID Interworking Specification | Rel-19 |
| TR 33.980 vj00 | GAA & Liberty Alliance Interworking Guidelines | Rel-19 |