Description
The Network Application Function (NAF) operates within the framework defined by the Generic Authentication Architecture (GAA). It is an application-specific server that needs to authenticate its users (User Equipments, UEs) and to establish shared session keys for securing the subsequent communication. The NAF does not run the authentication itself; it relies on the Bootstrapping Server Function (BSF) and the Home Subscriber Server (HSS). When a UE requests a service from the NAF without valid bootstrapped keys, the NAF replies with a bootstrapping initiation message (on an HTTP-based Ua interface this is a 401 response whose Digest realm begins with "3GPP-bootstrapping@", as specified in TS 24.109), and the UE then runs the bootstrapping procedure with the BSF over the Ub interface.
During bootstrapping, the UE and the BSF authenticate each other with the Authentication and Key Agreement (AKA) protocol: the BSF fetches an authentication vector for the subscriber from the HSS over the Zh interface, and the UE answers the challenge with its USIM or ISIM. On success both sides hold the same key Ks, the concatenation of the AKA keys CK and IK. The BSF then sends the UE a Bootstrapping Transaction Identifier (B-TID), formed from the base64-encoded RAND and the BSF's domain name, together with the key lifetime. The B-TID identifies this bootstrapping run and is not itself a secret. The UE then contacts the NAF again, presenting the B-TID.
On receiving the B-TID, the NAF queries the BSF over the Zn interface and obtains the NAF-specific key Ks_NAF, derived from Ks, together with its remaining lifetime. The UE derives the same Ks_NAF locally, so the key never crosses the Ua interface; because the derivation binds the key to the NAF's FQDN and to the Ua security protocol in use (together called the NAF_Id), a key obtained by one NAF is useless at another. The NAF then verifies that the UE possesses Ks_NAF (for example by using it as the password in HTTP Digest) and uses it to protect the application session. The NAF's role is thus that of a relying party: it trusts the authentication performed by the BSF and consumes the derived key for application-layer security. Two practical checks follow from this. The Zn interface must itself be authenticated and protected (TS 33.220 requires TLS or NDS/IP), since anyone able to query it can obtain Ks_NAF for any B-TID, and the BSF should release keys only for FQDNs the requesting NAF is authorised to use. The NAF must also honour the key lifetime returned by the BSF and, when a presented B-TID is unknown or expired, ask the UE to bootstrap again rather than accept stale keys. Architecturally, the NAF is separate from the core network authentication infrastructure, allowing service providers to implement secure services independently.
The NAF's operation is defined by its reference points: Zn towards the BSF, used to retrieve Ks_NAF for a presented B-TID, and Ua towards the UE, which carries the application protocol (commonly HTTP or HTTPS, although other Ua protocols are specified) and is where Ks_NAF is used. The NAF is defined to support various service scenarios, making it a versatile security enabler in 3GPP networks. Its design allows the 3GPP AKA infrastructure to be reused across a wide array of services, promoting security consistency and reducing implementation complexity for application providers.
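The bootstrapping and key-agreement steps above, carried through in code as an added example (not code from 3GPP, from any BSF or NAF implementation, or from this page): the KDF of TS 33.220 Annex B, the B-TID format, the NAF_Id binding, a minimal BSF answering Zn requests with a lifetime check, and one HTTP Digest round on Ua in which the UE uses the B-TID as username and base64(Ks_NAF) as password. The CK/IK/RAND values, the IMPI, the host names, the nonces and the five Ua protocol identifier bytes are constructed; the identifier in particular is an assumed placeholder, not the value assigned in the standard.

```python
"""GBA bootstrapping and NAF key agreement, end to end.

Added illustration; not code from 3GPP, from any BSF/NAF product or from
this page. Key derivation follows TS 33.220 Annex B; the Ua exchange uses
HTTP Digest with B-TID / base64(Ks_NAF) as in TS 24.109. CK, IK, RAND, IMPI,
host names, nonces and the Ua protocol identifier are constructed test data.
"""
import base64
import hashlib
import hmac

FC = b"\x01"                               # KDF function code (TS 33.220 Annex B)
UA_PROTO_ID = b"\x01\x00\x00\x00\x03"      # ASSUMED 5-octet Ua security protocol id
NAF_FQDN = "naf.example.com"               # constructed NAF host name
REALM = "3GPP-bootstrapping@" + NAF_FQDN   # realm form used on Ua by TS 24.109

def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...); each Li is 2 octets."""
    s = FC
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def make_naf_id(fqdn: str, ua_proto_id: bytes) -> bytes:
    """NAF_Id = FQDN || Ua protocol id: binds the key to host AND protocol."""
    if len(ua_proto_id) != 5:
        raise ValueError("Ua security protocol identifier must be 5 octets")
    return fqdn.encode("utf-8") + ua_proto_id

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes,
                  flavour: bytes = b"gba-me") -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); b"gba-u" gives Ks_int_NAF."""
    return gba_kdf(ks, flavour, rand, impi.encode("utf-8"), naf_id)

def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND) "@" BSF domain: a public handle, not a secret."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain

def digest_response(user: str, pw: str, realm: str, method: str, uri: str,
                    nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """RFC 2617 Digest (qop=auth) as used on Ua: user = B-TID, pw = base64(Ks_NAF)."""
    h = lambda s: hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1, ha2 = h(f"{user}:{realm}:{pw}"), h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class BSF:
    """Keeps one record per B-TID and answers NAF key requests over Zn."""
    def __init__(self, domain: str):
        self.domain = domain
        self.sessions = {}                     # B-TID -> (Ks, RAND, IMPI, expiry)

    def bootstrap(self, impi: str, ck: bytes, ik: bytes, rand: bytes,
                  now: int, lifetime: int) -> tuple:
        """Ub outcome after a successful AKA run: Ks = CK || IK on both sides."""
        btid = make_btid(rand, self.domain)
        self.sessions[btid] = (ck + ik, rand, impi, now + lifetime)
        return btid, now + lifetime            # sent to the UE; Ks never leaves the BSF

    def zn_key_request(self, btid: str, naf_id: bytes, now: int):
        """Zn: NAF presents B-TID and its NAF_Id, gets (Ks_NAF, expiry) or None.
        A real BSF also authenticates the NAF (TLS or NDS/IP on Zn) and checks
        that the FQDN inside naf_id is one this NAF is authorised to use."""
        entry = self.sessions.get(btid)
        if entry is None or now >= entry[3]:
            return None                        # unknown or expired: UE must re-bootstrap
        ks, rand, impi, expiry = entry
        return derive_ks_naf(ks, rand, impi, naf_id), expiry

def naf_verify(bsf: BSF, authz: dict, method: str, uri: str, now: int):
    """NAF side of Ua: fetch Ks_NAF over Zn for the presented B-TID, recompute
    the Digest response and compare it in constant time."""
    res = bsf.zn_key_request(authz["username"], make_naf_id(NAF_FQDN, UA_PROTO_ID), now)
    if res is None:
        return False, None
    ks_naf, _expiry = res
    pw = base64.b64encode(ks_naf).decode("ascii")
    expected = digest_response(authz["username"], pw, REALM, method, uri,
                               authz["nonce"], authz["cnonce"])
    return hmac.compare_digest(expected, authz["response"]), ks_naf

def run_example(ue_naf_fqdn: str = NAF_FQDN, verify_delay: int = 0) -> dict:
    """Whole flow. ue_naf_fqdn != NAF_FQDN models a UE that derived its key for
    another NAF; verify_delay beyond the lifetime models an expired B-TID."""
    now = 1_700_000_000                        # fixed clock for reproducibility
    bsf = BSF("bsf.operator.example")
    impi = "user@operator.example"             # constructed IMPI
    ck, ik = bytes(range(16)), bytes(range(16, 32))             # constructed CK, IK
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed RAND
    btid, _expiry = bsf.bootstrap(impi, ck, ik, rand, now, lifetime=3600)
    # UE side: Ks_NAF is derived locally and never sent over Ua
    ue_ks_naf = derive_ks_naf(ck + ik, rand, impi, make_naf_id(ue_naf_fqdn, UA_PROTO_ID))
    nonce, cnonce = "dcd98b7102dd2f0e", "0a4f113b"               # constructed nonces
    authz = {"username": btid, "nonce": nonce, "cnonce": cnonce,
             "response": digest_response(btid, base64.b64encode(ue_ks_naf).decode("ascii"),
                                         REALM, "GET", "/service", nonce, cnonce)}
    ok, naf_ks_naf = naf_verify(bsf, authz, "GET", "/service", now + verify_delay)
    return {"btid": btid, "ue_ks_naf": ue_ks_naf, "naf_ks_naf": naf_ks_naf,
            "authenticated": ok}
```

Calling run_example() returns both sides' Ks_NAF and the NAF's verdict; the two failure modes a NAF has to handle are modelled by run_example(ue_naf_fqdn="other.example.net") (the UE derived its key for a different NAF_Id, so the Digest response does not verify even though the B-TID is valid) and run_example(verify_delay=4000) (the B-TID is past its lifetime, so the BSF returns nothing and the NAF must send the UE back to bootstrapping).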
Purpose & Motivation
The NAF was introduced to solve the problem of providing standardized, robust authentication and key agreement for value-added services and applications beyond basic network access. Before GAA and the NAF concept, each application or service (like MBMS, location-based services, or device management) would need to implement its own authentication mechanism, leading to security fragmentation, increased complexity for UE manufacturers, and potential vulnerabilities from non-standardized approaches.
The creation of the NAF was motivated by the need for a generic security framework that could be leveraged by any network application. The Generic Authentication Architecture (GAA), introduced in 3GPP Release 6, established this framework. The NAF serves as the application-side endpoint within GAA, allowing service providers to outsource the complex authentication process to the mobile network operator's proven infrastructure (BSF/HSS). This separation of concerns enables innovation in services while maintaining a high, consistent level of security derived from the mobile subscription.
Historically, this addressed limitations where application security was either weak (e.g., simple username/password) or required complex, service-specific integration with the carrier's network. The NAF model provides a scalable, standardized way to obtain authentication rooted in the subscriber's (U)SIM or ISIM credential for a multitude of services. Note that the PIN protecting the UICC is checked locally by the device, not by the network, so what the NAF obtains is proof of possession of the subscription rather than a network-verified second factor.
Key Features
- Acts as a relying party within the Generic Authentication Architecture (GAA)
- Utilizes bootstrapped keying material (Ks_NAF) from the BSF for application-layer security
- Interfaces with the Bootstrapping Server Function (BSF) via the standardized Zn reference point
- Supports mutual authentication between the user equipment (UE) and the application server
- Enables secure service access for diverse applications such as MBMS security (TS 33.246), HTTPS-based services (TS 33.222), presence (TS 33.141) and network-initiated GBA Push (TS 33.223)
- Decouples application security from core network access authentication, allowing independent service deployment
Evolution Across Releases
The NAF was introduced in 3GPP Release 6 as part of the Generic Authentication Architecture (GAA), defined as the application function that uses the bootstrapping service provided by the BSF. The initial architecture established the Zn reference point between NAF and BSF and the Ua reference point between UE and NAF, enabling basic GBA (Generic Bootstrapping Architecture) operation. Later work listed in the specifications below extends the same NAF role to network-initiated bootstrapping (GBA Push, TS 33.223 and TS 33.224), where the NAF triggers the procedure instead of waiting for the UE.
Defining Specifications
| Specification | Document |
|---|---|
| TR 23.862 | 3GPP TR 23.862 |
| TS 24.109 | 3GPP TS 24.109 |
| TS 24.259 | 3GPP TS 24.259 |
| TS 24.423 | 3GPP TS 24.423 |
| TS 24.623 | 3GPP TS 24.623 |
| TS 29.309 | 3GPP TS 29.309 |
| TS 31.213 | 3GPP TS 31.213 |
| TR 31.822 | 3GPP TR 31.822 |
| TR 32.808 | 3GPP TR 32.808 |
| TS 33.107 | 3GPP TS 33.107 |
| TS 33.110 | 3GPP TS 33.110 |
| TS 33.141 | 3GPP TS 33.141 |
| TS 33.185 | 3GPP TS 33.185 |
| TS 33.220 | 3GPP TS 33.220 |
| TS 33.221 | 3GPP TS 33.221 |
| TS 33.222 | 3GPP TS 33.222 |
| TS 33.223 | 3GPP TS 33.223 |
| TS 33.224 | 3GPP TS 33.224 |
| TS 33.246 | 3GPP TS 33.246 |
| TS 33.259 | 3GPP TS 33.259 |
| TS 33.303 | 3GPP TS 33.303 |
| TS 33.328 | 3GPP TS 33.328 |
| TR 33.804 | 3GPP TR 33.804 |
| TR 33.822 | 3GPP TR 33.822 |
| TR 33.823 | 3GPP TR 33.823 |
| TR 33.835 | 3GPP TR 33.835 |
| TR 33.919 | 3GPP TR 33.919 |
| TR 33.924 | 3GPP TR 33.924 |
| TR 33.980 | 3GPP TR 33.980 |