WAF

WebRTC Authorisation Function (3GPP spelling; often written "WebRTC Authentication Function")


WAF is a functional entity of the IMS WebRTC access architecture that issues authorisation tokens, so that a browser-based WebRTC IMS client authenticated with web credentials (rather than with a USIM/ISIM) can register an IMS identity through an enhanced P-CSCF.

Category
Security
Introduced
Rel-12
Where
Core Network › IP Multimedia Subsystem (IMS)
Specifications
7 specs

Description

The WebRTC Authorisation Function (WAF) is one of the functional entities 3GPP defines for WebRTC access to the IP Multimedia Subsystem: the architecture is in TS 23.228 Annex U, the stage 3 procedures in TS 24.371, and the security procedures in TS 33.203 Annex X. In that architecture the WebRTC IMS Client (WIC) is a browser application downloaded from the WebRTC Web Server Function (WWSF); it signals to an enhanced P-CSCF (eP-CSCF) over a secure WebSocket and exchanges media with an enhanced IMS access gateway (eIMS-AGW). The reference points are W1 (WIC to WWSF), W2 (WIC to eP-CSCF), W3 (WIC to eIMS-AGW), W4 (WWSF to WAF) and W5 (WAF to eP-CSCF); the WAF may be co-located with the WWSF.

The WAF's role is to issue authorisation tokens. A browser has no access to USIM or ISIM credentials, so when the user has been authenticated by the WWSF with web credentials, the WWSF obtains from the WAF a short-lived token that binds that web identity to an IMS public user identity. The WIC presents the token in its SIP REGISTER request over W2. The eP-CSCF validates the token, either locally or by consulting the WAF, and, if it is valid, registers the identity in the IMS core on the client's behalf using Trusted Node Authentication, so the S-CSCF treats the registration as already authenticated. 3GPP does not mandate a token format; an OAuth 2.0 bearer token is the commonly described choice. The result is that a web application can register a subscriber's IMS identity without the subscriber's long-term IMS credentials ever reaching the browser.

A WIC that does hold IMS credentials can instead register with IMS AKA or SIP Digest through the eP-CSCF; those registrations are authenticated by the S-CSCF and HSS over the Cx interface (TS 29.228 and TS 29.229) and do not involve the WAF, which is why changes to those Diameter specifications appear in the change history below. The lawful interception specifications (TS 33.107, TS 33.108 and TS 33.127) cover interception of sessions set up through WebRTC access. The feasibility study that preceded the normative work is TR 33.871.

Purpose & Motivation

The WAF was created to solve the integration challenge of allowing WebRTC applications in standard web browsers to access carrier-grade IMS services. IMS registration had been designed around clients that hold IMS credentials, above all a USIM/ISIM performing IMS AKA. A browser page cannot reach the USIM's cryptographic functions, and storing long-term IMS credentials in a web application would expose them. WebRTC nevertheless gave operators a way to offer communication services directly from a web page. The WAF bridges this gap with a standardised method for mapping an identity the operator's web server has already authenticated onto an IMS public user identity, carried as a token the IMS core can verify, so that web-originated registrations fit the existing IMS trust, charging and regulatory (for example lawful interception) frameworks. The motivation was operators' desire to reach any internet-connected device with a browser, to compete with Over-The-Top (OTT) communication applications, and to enable converged services. It also provides a path for services such as VoLTE to be used from non-cellular devices (laptops, tablets) while the IMS core keeps control of identity and authorisation.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (4 CRs across 2 releases). Complements the general overview above with the evidence-based evolution of this function.

Studied in TR 33.871 and specified normatively from Rel-12; the change requests found in the change-history tables date from Rel-17 and Rel-18.

Rel-17 (3 changes)

In Release 17, the Cx interface specifications (TS 29.228 and TS 29.229, between S-CSCF and HSS) were updated for SIP Digest Access Authentication and for IMS authentication with the AKAv2-SHA-256 Digest AKA algorithm, a SHA-256-based variant of Digest AKA. These changes concern WebRTC IMS clients that register with IMS credentials (SIP Digest or Digest AKA) through the eP-CSCF, which is the path that does not use a WAF-issued token.

  • Update of SIP Digest Access Authentication, TS 29.228 CR0696
  • Update of SIP Digest Access Authentication, TS 29.229 CR0297
  • IMS authentication using AKAv2-SHA-256 digest AKA algorithm, TS 29.229 CR0303
Rel-18 (1 change)

In Release 18, the specification clarified identity handling for the WebRTC Authorisation Function (WAF) and the WebRTC Web Server Function (WWSF), stating explicitly how the two functions work together to control access and to issue authorisation tokens to WebRTC IMS Clients. The change gives a clearer delineation of their roles within the WebRTC access architecture.

Defining Specifications

3GPP specifications that define or reference WAF, with the latest known release. Sourced from the 3GPP document catalog.

Specification       Version   Title                                                Release
TS 24.371           vj00      WebRTC IMS Client Access Specification               Rel-19
TS 29.228           vj20      Cx and Dx Interface Signaling Flows                  Rel-19
TS 29.229           vj10      Diameter Protocol for Cx/Dx Interfaces               Rel-19
TS 33.107           vj00      Lawful Interception Architecture & Functions         Rel-19
TS 33.108           vj00      LI Handover Interface Specification                  Rel-19
TS 33.127           vj50      Lawful Interception Architecture and Functions       Rel-19
TR 33.871 (study)   vc00      Security for WebRTC IMS Client Access                Rel-12