NAF (Network Application Function)

Introduced in Rel-6. Also in: Services.

NAF is a service provider application server in the Generic Authentication Architecture that uses GAA mechanisms to securely authenticate users and establish secure channels for network services.

Category: Security. Introduced: Rel-6. Also touches: 1 segment. Specifications: 29 specs.

Description

The Network Application Function (NAF) operates within the framework defined by the Generic Authentication Architecture (GAA). It is an application-specific server that requires authentication of its users (User Equipments - UEs) and the establishment of shared session keys for securing subsequent communications. The NAF does not perform the authentication itself; instead, it leverages the Bootstrapping Server Function (BSF) and the Home Subscriber Server (HSS) for this purpose. When a UE attempts to access a service provided by the NAF, the NAF redirects the UE to the BSF for authentication bootstrapping.

During the bootstrapping procedure, the UE and the BSF mutually authenticate each other using credentials stored in the HSS (typically based on the Authentication and Key Agreement (AKA) protocol). Upon successful authentication, the BSF and the UE derive a shared session key (Ks), and the BSF associates it with a Bootstrapping Transaction Identifier (B-TID). The BSF provides the B-TID to the UE. The UE then contacts the NAF again, presenting this B-TID.

The NAF, upon receiving the B-TID, queries the BSF (over the Zn interface) to obtain the corresponding keying material (a NAF-specific key, Ks_NAF, derived from Ks). This allows the NAF to authenticate the UE (indirectly via the BSF) and, because the UE derives the same Ks_NAF on its side, to hold a key shared with the UE, enabling them to establish a secure channel. The NAF's role is thus to act as a relying party, trusting the authentication performed by the BSF and using the derived keys for application-layer security. Architecturally, the NAF is separate from the core network authentication infrastructure, allowing service providers to implement secure services independently.
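The flow described above, as an added illustration that is not part of the original page: a minimal UE/BSF/NAF simulation in Python. The key-derivation details (an HMAC-SHA-256 KDF with FC 0x01 and the "gba-me" label, B-TID = base64(RAND)@BSF domain, NAF_Id = NAF FQDN plus a Ua security protocol identifier) are taken from TS 33.220 rather than from this page, and all identities, RAND and CK/IK values are constructed. It shows the property the text relies on: over Zn the BSF releases only the NAF-bound Ks_NAF, never Ks, so a key fetched by one NAF is of no use to another.

```python
import base64, hashlib, hmac, os

# Assumption, not stated on this page: TS 33.220 Annex B derives
# Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with KDF = HMAC-SHA-256 over
# FC || P0 || L0 || ... || Pn || Ln (FC = 0x01, Li = 2-octet length of Pi), and
# NAF_Id = NAF FQDN || Ua security protocol identifier (Annex H).
FC_GBA = b"\x01"

def gba_kdf(key: bytes, *params: bytes) -> bytes:
    s = FC_GBA
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_ks_naf(ks: bytes, rand: bytes, impi: bytes, naf_id: bytes) -> bytes:
    return gba_kdf(ks, b"gba-me", rand, impi, naf_id)

class BSF:
    """Keeps Ks per bootstrapping session; over Zn it releases only NAF-bound keys."""
    def __init__(self, domain: str):
        self.domain, self.sessions = domain, {}

    def bootstrap(self, impi: bytes, ck: bytes, ik: bytes, rand: bytes) -> str:
        # Ub: after a successful AKA run both sides hold Ks = CK || IK;
        # the BSF labels the session with B-TID = base64(RAND)@<BSF domain>.
        btid = base64.b64encode(rand).decode() + "@" + self.domain
        self.sessions[btid] = (ck + ik, rand, impi)
        return btid

    def zn_key_request(self, btid: str, naf_id: bytes) -> bytes:
        ks, rand, impi = self.sessions[btid]   # Ks itself never leaves the BSF
        return derive_ks_naf(ks, rand, impi, naf_id)

def run_gba_flow(naf_a_id: bytes, naf_b_id: bytes) -> dict:
    """One bootstrapping, then two NAFs fetch keys over Zn for the same B-TID."""
    bsf = BSF("bsf.operator.example")                       # constructed values
    impi, rand = b"user@operator.example", os.urandom(16)   # RAND from the AKA challenge
    ck, ik = os.urandom(16), os.urandom(16)                 # stand-ins for AKA CK, IK
    btid = bsf.bootstrap(impi, ck, ik, rand)
    # Ua: the UE presents B-TID to NAF A and derives Ks_NAF for NAF A locally.
    ue_key = derive_ks_naf(ck + ik, rand, impi, naf_a_id)
    return {
        "btid": btid,
        "ue_key": ue_key,
        "naf_a_key": bsf.zn_key_request(btid, naf_a_id),    # must equal ue_key
        "naf_b_key": bsf.zn_key_request(btid, naf_b_id),    # bound to a different NAF_Id
    }

# Constructed 5-octet Ua protocol identifier placeholder (real values: TS 33.220 Annex H).
UA_PROTO = b"\x01\x00\x00\x00\x00"
NAF_A_ID = b"naf-a.service.example" + UA_PROTO
NAF_B_ID = b"naf-b.service.example" + UA_PROTO
```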

Key components of the NAF's operation include its interfaces: the Zn interface with the BSF for key retrieval, and the application-specific interface (often over HTTP/HTTPS or other protocols) with the UE. The NAF is defined to support various service scenarios, making it a versatile security enabler in 3GPP networks. Its design allows for the reuse of the robust 3GPP AKA infrastructure across a wide array of services, promoting security consistency and reducing implementation complexity for application providers.

Purpose & Motivation

The NAF was introduced to solve the problem of providing standardized, robust authentication and key agreement for value-added services and applications beyond basic network access. Before GAA and the NAF concept, each application or service (like MBMS, location-based services, or device management) would need to implement its own authentication mechanism, leading to security fragmentation, increased complexity for UE manufacturers, and potential vulnerabilities from non-standardized approaches.

The creation of the NAF was motivated by the need for a generic security framework that could be leveraged by any network application. The Generic Authentication Architecture (GAA), introduced in 3GPP Release 6, established this framework. The NAF serves as the application-side endpoint within GAA, allowing service providers to outsource the complex authentication process to the mobile network operator's proven infrastructure (BSF/HSS). This separation of concerns enables innovation in services while maintaining a high, consistent level of security derived from the mobile subscription.

Historically, this addressed limitations where application security was either weak (e.g., simple username/password) or required complex, service-specific integration with the carrier's network. The NAF model provides a scalable, standardized way to achieve strong, two-factor authentication (something you have - the SIM/USIM, and something you know - the PIN) for a multitude of services, fostering a secure ecosystem for mobile applications.

Detected Changes Across Releases (from 3GPP Change Requests)

Specific changes extracted from the "Change history" tables of 3GPP specifications (1 CR across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-6, normative work from Rel-18.

Rel-18 (1 change)

In Release 18, the specification updated architectural diagrams by removing the DC Application Server and adding a clarifying note. This change refines the presentation of the architecture for interworking between mobile operators and data application providers, where the NAF is a key function for authentication. The update aligns the figures with the described scenarios and procedures involving third-party application platforms.

  • Remove DC Application Server in Figure N.3.4-1 and add a NOTE (TS 33.328, CR0075)


Defining Specifications

3GPP specifications that define or reference NAF, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Version | Title | Release
TS 23.862 | vc00 | Interworking Solutions for Mobile Operators & Data Apps | Rel-12
TS 24.109 | vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19
TS 24.259 | vj00 | Personal Network Management (PNM) Protocol Details | Rel-19
TS 24.423 | v850 | PSTN/ISDN Simulation Services XCAP Protocol | Rel-8
TS 24.623 | vj00 | XCAP Protocol for Supplementary Services | Rel-19
TS 29.309 | vj10 | Nbsp Service Based Interface for GBA BSF | Rel-19
TS 31.213 | vi30 | Test specification for (U)SIM | Rel-18
TR 31.822 | vi10 | Technical Report on GBA_U based APIs | Rel-18
TS 32.808 | v1800 | Common User Profile Storage Framework | Rel-8
TS 33.107 | vj00 | Lawful Interception Architecture & Functions | Rel-19
TS 33.110 | vj00 | UICC-Terminal Key Establishment | Rel-19
TS 33.141 | vj00 | Security for Presence Service (Ut reference point) | Rel-19
TS 33.185 | vj00 | V2X Security in LTE | Rel-19
TS 33.220 | vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19
TS 33.221 | vj00 | Subscriber Certificate Distribution via GBA | Rel-19
TS 33.222 | vj00 | Secure HTTP Access in GAA | Rel-19
TS 33.223 | vj00 | GBA Push Function Specification | Rel-19
TS 33.224 | vj00 | Generic Push Layer (GPL) Specification | Rel-19
TS 33.246 | vj00 | MBMS Security Specification | Rel-19
TS 33.259 | vj00 | Key Establishment between UICC Hosting & Remote Device | Rel-19
TS 33.303 | vj00 | ProSe Security Specification for EPS | Rel-19
TS 33.328 | vj10 | IMS Media Plane Security Specification | Rel-19
TS 33.804 | vc00 | Non-UICC SSO using SIP Digest credentials | Rel-12
TS 33.822 | v1800 | Security Architecture for Inter-Access Mobility | Rel-8
TS 33.823 | vc20 | GBA Web Browser Integration Study | Rel-12
TS 33.835 | vg10 | Study on authentication and key management for apps | Rel-16
TR 33.919 | vj00 | GAA Overview TR | Rel-19
TR 33.924 | vj00 | GBA-OpenID Interworking Specification | Rel-19
TR 33.980 | vj00 | GAA & Liberty Alliance Interworking Guidelines | Rel-19