WPKI

Wireless Public Key Infrastructure

Security
Introduced in Rel-6
A Public Key Infrastructure (PKI) framework adapted for the constraints of wireless networks and mobile devices. It enables secure management of digital certificates, keys, and trust relationships for applications like mobile commerce, device authentication, and secure messaging in 3GPP systems.

Description

Wireless Public Key Infrastructure (WPKI) is a set of standards and protocols that extend traditional PKI to the mobile environment, working around limited device processing power, memory, bandwidth, and intermittent connectivity. It covers issuing, managing, distributing, using, storing, and revoking digital certificates for mobile subscribers and network entities. The core components are a Certification Authority (CA) that issues certificates, a Registration Authority (RA) that verifies subscriber identity before issuance (in the 3GPP profile the PKI portal plays this role), a repository for certificates and Certificate Revocation Lists (CRLs), and end entities, the subscribers' UEs, which keep the private key either in a tamper-resistant module on the UICC (or a WAP Identity Module, WIM) or in device software.

Enrollment uses protocols trimmed for the mobile link. The UE generates a key pair, either in device software or, for stronger protection, inside the tamper-resistant UICC, and sends a PKCS#10 certificate request over an authenticated channel to the PKI portal, which performs the RA function. The portal ties the request to the subscriber identity already authenticated by the network: in the 3GPP profile this is done through GBA, so the portal sees a bootstrapping transaction identifier (B-TID) and a key derived from the USIM's AKA credentials rather than the IMSI itself. The portal must also check proof of possession (the signature on the PKCS#10 request) and that the requested subject is the identity it authenticated; otherwise one subscriber could obtain a certificate in another subscriber's name. On approval the CA issues the certificate, which is delivered to the UE and stored alongside the key; before relying on it the UE should confirm that it chains to the CA it trusts and contains its own public key. For validation, WPKI deployments favour compact certificate formats (such as the WAP Forum's WTLS certificates) and Online Certificate Status Protocol (OCSP) responders over downloading full CRLs over the air.
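The enrollment exchange described above, as an added example that is not part of this page or of any 3GPP deliverable: Go, standard library only. A self-signed test CA stands in for the operator CA, the identities and the convention of carrying the authenticated subscriber identity in the subject CommonName are assumptions, and the GBA-protected transport is represented only by the authenticatedID argument the portal already trusts. The second call in main shows the check that matters: a request for someone else's identity is refused even though its proof of possession is valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSerial draws a random 63-bit serial (error ignored: rand.Int only fails if the OS RNG does).
func newSerial() *big.Int {
	s, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	return s
}

// newCA creates a self-signed root standing in for the operator CA (test-only stand-in).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: "Operator WPKI CA (example)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// deviceCSR is the UE side: the key pair is generated on the device (in a real
// deployment inside the UICC) and a PKCS#10 request is signed with it.
// Subject CommonName = subscriber identity is an assumed convention.
func deviceCSR(subscriber string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: subscriber}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// portalIssue is the RA/CA side. authenticatedID is the identity the portal
// already established over the GBA-protected channel; the request may only
// ask for a certificate naming that identity.
func portalIssue(csrDER []byte, authenticatedID string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the request must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != authenticatedID {
		return nil, errors.New("requested subject does not match authenticated subscriber")
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour), // short-lived: less reliance on CRL/OCSP
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// deviceAccept is the UE checking the delivered certificate before storing it:
// it must chain to the operator CA and must carry the key the UE generated.
func deviceAccept(certDER []byte, ca *x509.Certificate, key *ecdsa.PrivateKey) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("certificate does not contain our public key")
	}
	return nil
}

// Enroll runs the whole exchange: the UE asks for `requested` while the
// network authenticated `authenticated`. Returns nil only when both agree.
func Enroll(requested, authenticated string) error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	key, csr, err := deviceCSR(requested)
	if err != nil {
		return err
	}
	certDER, err := portalIssue(csr, authenticated, ca, caKey)
	if err != nil {
		return err
	}
	return deviceAccept(certDER, ca, key)
}

func main() {
	fmt.Println("honest enrollment:", Enroll("user@operator.example", "user@operator.example"))
	fmt.Println("identity mismatch:", Enroll("victim@operator.example", "attacker@operator.example"))
}
```

The two checks in portalIssue are the ones a real PKI portal cannot skip: CheckSignature proves the requester holds the private key, and the subject comparison binds the certificate to the identity the network authenticated, not to whatever name the request claims.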

Its role in the network is to enable trusted services that require non-repudiation, integrity, and confidentiality: mobile banking, legally recognised electronic signatures, corporate VPN access, and authentication to application servers beyond native 3GPP AKA. WPKI integrates with the Generic Bootstrapping Architecture (GBA) so that the shared secret on the UICC protects the initial enrollment: the PKI portal is a GBA Network Application Function (NAF), and the UE authenticates to it with HTTP Digest using the B-TID as username and the NAF-specific key Ks_NAF as password (TS 24.109). Architecturally it interfaces with the Home Environment and network application servers and gives service providers a standardized trust anchor for verifying a mobile user's identity reliably and, where the law recognises the signature, in a legally binding way, bridging telecom authentication and broader internet security services.
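The HTTP Digest step of that GBA integration, as an added example that is not from this page or from 3GPP: Go, standard library only. Ks_NAF and the B-TID are constructed values (a real Ks_NAF comes from the TS 33.220 key derivation and a real B-TID is base64(RAND)@BSF domain), the realm follows the 3GPP-bootstrapping@<NAF FQDN> convention, the request path is assumed, and the Zn query to the BSF is a map. MD5 appears because that is the RFC 2617 Digest algorithm, not as a recommendation.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the NAF-specific key Ks_NAF; the bytes are arbitrary.
var ksNAF = []byte("0123456789abcdef0123456789abcdef")

const (
	btid   = "bm9uY2UtMTIzNA==@bsf.operator.example"             // constructed B-TID
	realm  = "3GPP-bootstrapping@pki-portal.operator.example"    // 3GPP-bootstrapping@<NAF FQDN>
	method = "POST"
	uri    = "/pkiportal/certreq" // assumed path of the certificate request resource
	nc     = "00000001"
)

func h(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// digestResponse is the RFC 2617 response value for qop=auth.
func digestResponse(user, password, nonce, cnonce string) string {
	ha1 := h(user + ":" + realm + ":" + password)
	ha2 := h(method + ":" + uri)
	return h(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
}

// ueResponse is the UE side: username is the B-TID, password is base64(Ks_NAF).
func ueResponse(nonce, cnonce string) string {
	return digestResponse(btid, base64.StdEncoding.EncodeToString(ksNAF), nonce, cnonce)
}

// authorizationHeader shows where the values land in the request the UE sends to the portal.
func authorizationHeader(nonce, cnonce string) string {
	return fmt.Sprintf(`Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"`,
		btid, realm, nonce, uri, nc, cnonce, ueResponse(nonce, cnonce))
}

// bsfLookup stands in for the Zn query the NAF makes to the BSF to fetch Ks_NAF for a B-TID.
var bsfLookup = map[string][]byte{btid: ksNAF}

// nafVerify is the PKI portal side: re-derive the expected response from the key
// the BSF returned and compare in constant time. An unknown B-TID, a response
// computed under a different server nonce (replay) or a wrong key all fail.
func nafVerify(user, nonce, cnonce, response string) bool {
	key, ok := bsfLookup[user]
	if !ok {
		return false
	}
	want := digestResponse(user, base64.StdEncoding.EncodeToString(key), nonce, cnonce)
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}

func main() {
	fmt.Println(authorizationHeader("c0ffee", "1a2b3c"))
	fmt.Println("accepted:", nafVerify(btid, "c0ffee", "1a2b3c", ueResponse("c0ffee", "1a2b3c")))
	fmt.Println("replayed under new nonce:", nafVerify(btid, "deadbeef", "1a2b3c", ueResponse("c0ffee", "1a2b3c")))
}
```

The portal never sees the IMSI or the long-term key: it receives only the B-TID and, from the BSF, the NAF-specific Ks_NAF, so a compromised portal cannot impersonate the subscriber towards a different NAF.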

Purpose & Motivation

WPKI was created to enable advanced security services in mobile networks that require the legal and technical guarantees provided by digital certificates, which were not supported by the native SIM-based authentication alone. Traditional PKI was designed for wired internet with powerful PCs and stable connections, making it unsuitable for early mobile devices with limited capabilities. The problem WPKI solves is how to bring strong authentication, digital signatures, and encryption key management to the mass mobile market.

The motivation stemmed from the growth of mobile data services and the vision of mobile e-commerce, m-government, and secure enterprise access. Operators and service providers needed a way to uniquely and securely identify users for transactions beyond network access. The limitations of previous approaches included the high overhead of X.509 certificates on slow wireless links and the lack of a standardized way to manage certificate lifecycles on constrained devices. WPKI standardized these processes, defining optimized certificate formats and lightweight protocols.

Historically introduced in 3GPP Release 6, WPKI responded to market demands for standardized mobile security frameworks. It addressed the gap between the closed, operator-centric security of the SIM card and the open, certificate-based security required for internet applications. By adapting PKI to the wireless world, it allowed mobile networks to become a trusted platform for a wide range of secure services, facilitating new business models and meeting regulatory requirements for electronic signatures in many jurisdictions.

Key Features

  • Optimized certificate formats (e.g., WTLS, compact X.509) for bandwidth efficiency
  • Integration with UICC/USIM for secure key storage and generation
  • Defined certificate enrollment and management procedures for mobile devices
  • Support for Online Certificate Status Protocol (OCSP) for efficient revocation checking
  • Alignment with 3GPP Generic Bootstrapping Architecture (GBA) for secure bootstrap
  • Enables mobile digital signatures and non-repudiation for applications

Evolution Across Releases

Rel-6 Initial

Initial introduction of the WPKI framework. Defined the architecture, certificate profiles, and management procedures for mobile environments, specified the UICC integration points for key generation and storage, and outlined the WAP Forum's WTLS certificate format as a lightweight alternative to full X.509v3.

Defining Specifications

Specification    Title
3GPP TS 24.109   Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details