- From: Harry Halpin <hhalpin@w3.org>
- Date: Tue, 13 Nov 2012 19:11:25 +0100
- To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
- Message-ID: <50A28D4D.103@w3.org>
Translated out of their .DOC file they sent to us in a .ZIP :)
cheers,
harry
----
3GPP TSG-SA WG3 (Security) Meeting #69 S3-121203
Edinburgh, Scotland, 5. - 9. November 2012
Title: Integration of Web GBA with Crypto API
Release: Rel-12
Work Item: SEC12
Source: 3GPP SA3
To: W3C - Web Crypto Working Group
Cc: SA
Contact Persons:
Names: Silke Holtmanns, Mireille Pauliac
E-mail Address: Silke dot Holtmanns at Nokia dot com
Mireille dot Pauliac at Gemalto dot com
Attachments: S3-121202
1. Overall Description:
3GPP SA3 (security group) standardized "Generic Bootstrapping
Architecture" (GBA) in 3GPP TS 33.220. GBA is a generic mechanism
enabling the establishment of shared keys between the User Equipment
(UE) and any Application Server (a NAF in GBA description) thanks to the
3GPP user authentication (AKA authentication). Those cellular based
shared keys, named "NAF-keys" or "Ks_(ext/int)_NAF" keys, have
a corresponding key identifier (named B-TID) and key lifetime.
In order to simplify the usage of GBA in web browsers, 3GPP SA3 is
currently working to enable access to GBA in HTML forms layer, namely
using Javascript. The current work is described in 3GPP draft Technical
Report TR 33.823 which studies the "Security for Usage of GBA with a UE
browser".
The objectives for the usage of GBA in web browsers are:
- to have cryptographic separation between different applications
  using GBA,
- to have authentication token for the usage of GBA web browsers
  protected from man-in-the-middle attacks,
- to have GBA-based authentication token bound to the existing GBA
  web session between the browser and the webserver,
- to have restricted access to NAF authentication tokens.
In order to address those objectives and counteract identified threats,
the usage of NAF specific authentication token (Ks_js_NAF), derived from
NAF keys, is defined. The draft Technical Report TR 33.823 proposes in
section 8.2 the description of a Javascript based GBA API providing the
needed cryptographic information.
We believed that it would be beneficial to have your feedback on the way
that the Javascript based GBA API is defined.
SA3 would also like to ask, if W3C - Web Crypto Working Group could
study the possibility to integrate the 3GPP Web GBA API into their
specification work.
2. Actions:
To W3C Web Crypto Working Group:
ACTION:
SA3 would like to kindly ask for review and feedback on the Javascript
based GBA API description described in the draft TR 33.823 section 8.2.
SA3 would also like to ask, if W3C - Web Crypto Working Group could
study the possibility to integrate the 3GPP Web GBA API into their
specification work.
3. Date of Next TSG-RAN WG2 Meetings:
TSG SA WG3 Meeting #70 21-25 January 2013 Sophia Antipolis, France
TSG SA WG3 Meeting #71 8-12 April 2013 Valencia, Spain
Received on Tuesday, 13 November 2012 18:11:55 UTC