JWS

JSON Web Signature

Security
Introduced in Rel-14
JSON Web Signature (JWS) is an IETF standard (RFC 7515) for digitally signing JSON data so that its integrity and origin can be verified. In 3GPP networks it is used to sign messages and tokens, letting a recipient confirm that content has not been altered and was produced by a trusted source, which is essential for service-based API communication and authentication.

Description

JSON Web Signature (JWS) is a mechanism for protecting content, in practice usually JSON, with a digital signature or a MAC, providing integrity and origin authentication. Non-repudiation is only obtained with an asymmetric algorithm, since any party holding a shared HMAC key can produce a valid MAC. Within 3GPP specifications, JWS is employed to sign payloads such as JSON Web Tokens (JWTs) or API messages so that recipients can detect tampering and identify the signer. A JWS object consists of three parts: a protected header, a payload, and a signature. The header is a JSON object whose "alg" parameter names the algorithm (e.g., RS256 for RSASSA-PKCS1-v1_5 with SHA-256, ES256 for ECDSA on P-256 with SHA-256, HS256 for HMAC with SHA-256) and which may carry further parameters such as a key identifier ("kid"). The payload is the octet sequence being protected; it is usually JSON, but JWS places no constraint on its format. Both header and payload are base64url-encoded without padding, and the signing input is the ASCII string formed by joining the two encoded parts with a period. The signer applies the algorithm named in the header to that signing input using its private key (or, for HMAC, the shared secret), and the base64url-encoded result becomes the third part. On receipt, the verifier rebuilds the signing input from the received header and payload and checks the signature with the corresponding public key or shared secret, confirming that the data was not modified and that it was signed by the holder of that key. One caveat matters in practice: the verifier must decide which algorithms and keys it accepts from its own policy and trusted key material, and reject a token whose header names anything else (including the unsecured "none" algorithm), rather than executing whatever "alg" the sender chose.

In 3GPP architectures, JWS is a building block for securing service-based interfaces (SBIs) and authentication frameworks. In the 5G Core, for example, the JWTs used as access tokens or identity assertions are signed as JWS so that they cannot be forged. The signer constructs the JWS by base64url-encoding the header and payload, computing the signature over them, and emitting either the compact serialization (the three parts joined by periods, which fits in an HTTP header field) or the JSON serialization (a JSON object with "protected", "payload" and "signature" members, which can additionally carry unprotected headers or multiple signatures). The compact form is the one carried in SBI messages over HTTP/2. Verification parses the JWS, reads the header to find the key identifier, obtains the signer's public key from a trusted source (a certificate chain, a key server, or provisioned configuration, never material embedded in the token itself), checks that the algorithm is one the verifier's policy permits, and validates the signature over the received header and payload. This lets network functions, for example the Authentication Server Function (AUSF) and Unified Data Management (UDM), confirm that the tokens and messages they receive are authentic and were not modified in transit.
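The signing and verification steps described in the two paragraphs above, as an added example that is not code from any 3GPP specification or implementation. It uses HS256 because that needs only the Python standard library; for RS256 or ES256 the structure is identical, with the HMAC calls replaced by signature generation and verification under the private/public key pair. The shared secret, the key identifier "nrf-key-1", the claim values and the helper names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Trusted key set, constructed for this example only (not from any 3GPP spec).
DEMO_KEYS = {"nrf-key-1": b"demo-shared-secret-for-hs256-example-0123456789"}


def b64url_encode(data: bytes) -> str:
    # RFC 7515 section 2: base64url with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_signing_input(enc_header: str, enc_payload: str) -> bytes:
    # The data actually signed is the ASCII string "<header>.<payload>".
    return f"{enc_header}.{enc_payload}".encode("ascii")


def jws_sign_hs256(payload: dict, kid: str, keys: dict) -> str:
    """Return the compact serialization header.payload.signature using HS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = jws_signing_input(enc_header, enc_payload)
    mac = hmac.new(keys[kid], signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(mac)}"


def jws_verify_hs256(token: str, keys: dict, expected_alg: str = "HS256") -> dict:
    """Verify a compact JWS and return its payload; raise ValueError otherwise.

    The algorithm is pinned by the verifier and the key is chosen from a trusted
    key set by 'kid'; the header is never allowed to pick the algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three parts")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    if header.get("alg") != expected_alg:
        raise ValueError(f"rejected alg {header.get('alg')!r}, expected {expected_alg!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, jws_signing_input(enc_header, enc_payload), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(enc_payload))


def jws_is_valid(token: str, keys: dict) -> bool:
    try:
        jws_verify_hs256(token, keys)
        return True
    except ValueError:
        return False


def to_flattened_json(token: str) -> dict:
    # The same signature in the JSON serialization (RFC 7515 section 7.2.2).
    enc_header, enc_payload, enc_sig = token.split(".")
    return {"protected": enc_header, "payload": enc_payload, "signature": enc_sig}


def tamper_payload(token: str, new_payload: dict) -> str:
    # An attacker swaps the payload but can only reuse the original signature.
    enc_header, _, enc_sig = token.split(".")
    enc_payload = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{enc_header}.{enc_payload}.{enc_sig}"


def forge_alg_none(payload: dict, kid: str) -> str:
    # Unsecured JWS (alg "none", empty signature); a pinned verifier rejects it.
    header = {"alg": "none", "kid": kid}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{enc_header}.{enc_payload}."


if __name__ == "__main__":
    claims = {"iss": "nrf.example", "sub": "nf-consumer-1", "scope": "nudm-uecm"}
    token = jws_sign_hs256(claims, "nrf-key-1", DEMO_KEYS)
    print(token)
    print(to_flattened_json(token))
    print(jws_verify_hs256(token, DEMO_KEYS))
    print(jws_is_valid(tamper_payload(token, {**claims, "scope": "nudm-sdm"}), DEMO_KEYS))
    print(jws_is_valid(forge_alg_none(claims, "nrf-key-1"), DEMO_KEYS))
```

The verifier trusts the header only for key selection, and even then only as a lookup into a key set it already trusts; the accepted algorithm comes from the caller. That is what makes the tampered token and the "alg":"none" token fail, and the same discipline applies unchanged when the key set holds public keys for RS256 or ES256.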

The integration of JWS in 3GPP extends to several specifications, including those for security exposure, edge computing, and network automation. It supports algorithms suited to different security requirements and performance constraints, such as HMAC with SHA-256 where the parties share a symmetric key, and elliptic-curve signatures (ES256) where compact asymmetric signatures are needed. JWS is often combined with JWE: a payload is first signed with JWS for integrity and origin authentication, and the resulting JWS is then encrypted with JWE for confidentiality (the nested JWT pattern), so the recipient decrypts first and verifies the signature second. This combination is particularly important in network API exposure, where third-party applications interact with the 5G network and data must be both trusted and private. By standardizing on JWS, 3GPP obtains interoperability across vendors and systems and alignment with web standards, which simplifies the deployment of secure, scalable telecommunications services.

Purpose & Motivation

JWS was adopted in 3GPP to provide data integrity and source authentication for JSON-based communications, which became prevalent with the move to service-oriented architectures in 4G and 5G. Before its introduction, 3GPP systems primarily relied on message authentication codes (MACs) or digital signatures in binary formats, which were less convenient for RESTful APIs and required custom parsing. These methods lacked a standardized way to protect JSON payloads, leading to interoperability problems and added complexity when implementing secure exchanges between network functions and external entities. JWS solves this by providing a standardized, JSON-native way to sign data, so that recipients can verify the origin and integrity of messages without proprietary extensions.

The adoption of JWS in 3GPP was motivated by the expansion of network exposure and the need for secure authentication in evolving use cases such as IoT and edge computing. As networks opened up to third-party applications via APIs, the risk of message manipulation or spoofing grew, with service disruption or security breaches as possible consequences. JWS enables the signing of tokens and API requests, allowing network functions to trust data from authenticated sources, for example in OAuth 2.0 flows for access delegation or in securing service-based interfaces within the 5G Core. By incorporating JWS into specifications such as 33.117 and 33.938, 3GPP reused an IETF standard (RFC 7515) to strengthen security while reducing development overhead, so that telecommunications networks can securely support new services and comply with regulatory requirements for data protection.

Key Features

  • Digital signing of JSON data for integrity and authenticity
  • Support for multiple signature algorithms (e.g., RS256, ES256, HS256)
  • Compact and JSON serialization formats for flexibility
  • Non-repudiation when an asymmetric algorithm is used (HMAC-based signatures provide integrity and authentication only)
  • Compatibility with JWT and JWE for combined security
  • Standardized header parameters ("alg", "kid", "typ") for algorithm and key identification, with the accepted algorithm set decided by the verifier rather than the header

Evolution Across Releases

Rel-14 Initial

Introduced JWS into 3GPP security specifications, initially in specifications such as TS 29.573 and TS 33.117. It provided the foundation for signing JSON payloads in network APIs, supporting algorithms such as RS256 for securing authentication tokens and API messages, and enabling integrity protection in service-based interactions and third-party exposure.

Defining Specifications

Specification    Title
TS 29.573        3GPP TS 29.573
TS 33.117        3GPP TS 33.117
TS 33.180        3GPP TS 33.180
TS 33.517        3GPP TS 33.517
TR 33.876        3GPP TR 33.876
TR 33.880        3GPP TR 33.880
TR 33.938        3GPP TR 33.938