Description
The WebRTC Authentication Function (WAF) is a critical security component defined by 3GPP to integrate Web Real-Time Communication (WebRTC) clients into the IP Multimedia Subsystem (IMS) network. It operates as a specialized Authentication, Authorization, and Accounting (AAA) proxy that facilitates the GBA-aware authentication procedure for WebRTC clients, which lack a traditional USIM card. The WAF's primary role is to act as a trusted intermediary between the WebRTC client (e.g., a browser) and the 3GPP Bootstrapping Server Function (BSF).

The authentication flow begins when the WebRTC client, seeking access to IMS services such as voice or video over LTE (VoLTE/ViLTE), contacts the WAF. The WAF initiates a Generic Bootstrapping Architecture (GBA) bootstrapping procedure with the BSF on behalf of the client. It uses the user's long-term credentials (managed by the BSF and HSS) to establish a shared secret. The WAF then generates a short-lived authentication token (the so-called 'WebRTC Token') and a corresponding key, which it securely delivers to the client, typically over a TLS-protected connection. The client uses this token and key to authenticate itself directly with the IMS core, specifically the Proxy-Call Session Control Function (P-CSCF), using the IMS Authentication and Key Agreement (AKA) protocol adapted for token-based access.

The WAF is specified across several technical specifications (TS): 24.371 defines the overall architecture and procedures, 29.228/29.229 detail the Diameter-based interfaces (Mw and Mx) between the WAF, BSF, and HSS, and the 33.1xx series specifications cover the security mechanisms and threat analyses. This architecture allows a web application to leverage the user's mobile network identity for strong authentication without exposing the core network credentials to the browser environment.
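The token flow described above, as an added example that is not part of this page or of any 3GPP specification: a simplified Python model in which the WAF derives a bootstrapped secret, issues a short-lived MACed WebRTC Token plus a session key, and the P-CSCF checks token integrity, expiry and the client's proof of key possession. HMAC-SHA256 stands in for the real GBA/AKA key derivation, the in-memory `issued_keys` table stands in for WAF-to-IMS key delivery, and `LONG_TERM_KEY`, `WAF_IMS_KEY` and the identities are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (assumptions): the subscriber's long-term credential held by
# BSF/HSS, and a key the WAF shares with the IMS core so the P-CSCF can check tokens.
LONG_TERM_KEY = bytes.fromhex("0f" * 32)  # never sent to the browser
WAF_IMS_KEY = bytes.fromhex("a5" * 32)
TOKEN_TTL = 300  # seconds; WebRTC Tokens are short-lived by design
issued_keys: dict[str, bytes] = {}  # token id -> session key (models WAF->IMS key delivery)

def bootstrap_ks(nonce: bytes) -> bytes:
    """GBA bootstrapping (WAF <-> BSF): derive Ks; HMAC stands in for AKA (assumption)."""
    return hmac.new(LONG_TERM_KEY, b"gba-bootstrap|" + nonce, hashlib.sha256).digest()

def issue_webrtc_token(ks: bytes, impi: str, impu: str, now: int) -> tuple[str, bytes]:
    """WAF: derive a per-session key from Ks and bind identity + expiry into a MACed token."""
    token_id = secrets.token_hex(8)
    session_key = hmac.new(ks, f"webrtc-session|{token_id}".encode(), hashlib.sha256).digest()
    payload = {"tid": token_id, "impi": impi, "impu": impu, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(WAF_IMS_KEY, body.encode(), hashlib.sha256).hexdigest()
    issued_keys[token_id] = session_key
    return f"{body}.{mac}", session_key  # both delivered to the client over TLS

def client_response(session_key: bytes, challenge: bytes) -> str:
    """Browser: prove possession of the session key; it never sees LONG_TERM_KEY or Ks."""
    return hmac.new(session_key, challenge, hashlib.sha256).hexdigest()

def pcscf_verify(token: str, challenge: bytes, response: str, now: int) -> tuple[bool, str]:
    """P-CSCF: check token integrity and expiry, then the client's proof of key possession."""
    try:
        body, mac = token.split(".", 1)
        expected = hmac.new(WAF_IMS_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad token MAC"
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False, "malformed token"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    session_key = issued_keys.get(claims.get("tid"))
    if session_key is None:
        return False, "unknown token"
    if not hmac.compare_digest(response, client_response(session_key, challenge)):
        return False, "bad challenge response"
    return True, claims.get("impu", "")
```

The point to notice is the separation of trust: the browser only ever holds the token and the derived session key, while the long-term credential stays on the network side and the token carries its own expiry.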
Purpose & Motivation
The WAF was created to solve the fundamental security and integration challenge of allowing WebRTC applications in standard web browsers to access secure, carrier-grade IMS services. Before its introduction, IMS services were exclusively accessible to native UE clients embedded with a USIM, which could perform the standard IMS AKA authentication. The rise of WebRTC presented an opportunity for operators to offer communication services directly from a web page, but the browser's sandboxed environment cannot access the USIM's cryptographic functions. The WAF bridges this gap by providing a secure, standardized method to map a user's 3GPP subscription credentials to a credential usable within a WebRTC session. It addresses the problem of strong user authentication for web-originated traffic, ensuring the same level of trust and charging capabilities as for native IMS clients. The motivation was driven by operator desires to expand service reach to any internet-connected device with a browser, compete with Over-The-Top (OTT) communication apps, and enable innovative converged communication services. It also provides a migration path for services like VoLTE to be accessible from non-cellular devices (e.g., laptops, tablets) while maintaining the security and regulatory (e.g., lawful intercept) frameworks of the IMS core.
Key Features
- Acts as an authentication proxy for WebRTC clients to perform GBA bootstrapping with the 3GPP BSF
- Generates and distributes short-lived, secure authentication tokens (WebRTC Tokens) and associated keys to clients
- Provides Diameter-based interfaces (Mw, Mx) for communication with the BSF and HSS within the 3GPP core network
- Enables WebRTC clients to authenticate to the IMS P-CSCF using a token-based variant of IMS AKA
- Supports the mapping of a user's 3GPP subscription identity (IMPI/IMPU) to a WebRTC service session
- Facilitates secure key establishment for media encryption (SRTP) between the WebRTC client and the IMS network
Evolution Across Releases
Introduced the WAF as a new functional entity to support WebRTC access to IMS. Defined the initial architecture, procedures for token-based GBA authentication, and the required Diameter interfaces (Mw, Mx). This release established the foundational security model for integrating browser-based clients into the IMS ecosystem.
Introduced enhancements for IMS Centralized Services (ICS) and support for multiple devices per user. Refined the token management procedures and improved the integration with the Service Centralization and Continuity (SCC) AS to ensure service consistency between WebRTC and native IMS clients.
Focused on alignment with evolving WebRTC standards from the IETF/W3C and support for 5G readiness. Enhanced security provisions, including stronger cryptographic algorithms and improved privacy protections for user identifiers during the authentication process.
Further evolution integrated WAF-based authentication with the 5G Core (5GC) and its unified authentication framework. Work included exploring convergence with 5G network access security and enabling seamless authentication for WebRTC clients accessing services anchored in both the IMS and 5GC service-based architecture.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.371 | 3GPP TS 24.371 |
| TS 29.228 | 3GPP TS 29.228 |
| TS 29.229 | 3GPP TS 29.229 |
| TS 33.107 | 3GPP TR 33.107 |
| TS 33.108 | 3GPP TR 33.108 |
| TS 33.127 | 3GPP TR 33.127 |
| TS 33.871 | 3GPP TR 33.871 |