Ut-Proxy Subscriber Self Administration

• Enhanced security for users when accessing Supplementary Services
• Protection of the core network from possible attacks and fraudulent accesses
• Improves network operations and subscriber satisfaction
• Authentication for new services using temporary credentials
• Flexible options for routing to support different deployment scenarios saving time and money

The Ut-Proxy acts as a gateway between untrusted User Equipment (UEs) and the trusted core network that is hosting TAS, HSS, protecting the core network from being corrupted improving network operations and subscriber satisfaction.

In addition, the Ut-Proxy provides authentication for any new services, including 3rd party services, by deriving new temporary credentials from the GBA. Furthermore, the Ut-Proxy provides flexible routing options to support different deployment scenarios saving time and money.

The Titan.ium Ut-Proxy is a next-generation Subscriber Self Administration (SSA) solution that is part of the Titan and Titan.ium architectures. These enable the most flexible and intelligent Ut-Proxy solution, making it possible to combine with other products like HSS, HLR, DSC, SLF, STP, SFW (depending on the chosen platform), providing common functions and a uniform look and feel GUI and API for its administration.

To authenticate Ut messages, Ut-Proxy is deployed to take this authentication task for the AS, and the Generic Bootstrapping Authentication (GBA) is applied to avoid provisioning an additional shared secret between UE and network. As a result, the Ut messages can be authenticated in any access network with the existing shared secret between the UE and operator. This is also applicable for authentication of any HTTP-based traffic, e.g., in IoT deployments, as long as the IoT devices can support GBA-based authentication. For devices not supporting GBA based authentication, Titan.ium Ut-Proxy can also use native HTTP Digest defined in RFC2617 to authenticate the devices.

Titan.ium Ut-Proxy consists of the two functional blocks of the GBA solution: the Bootstrapping Server Function (BSF) and the Authentication Proxy (AP) acting as a combination of a Network Application Function (NAF) and reverse HTTP proxy. One or both functions can be simultaneously activated in the same Titan Edge/Titan.ium cluster. BSF is deployed in the home PLMN and utilizes the Home Subscriber Server (HSS) as a subscriber profile repository (HSS only) and authentication center (AuC). The AP is optimized for the routing of Ut/XCAP requests from the UE towards the IMS application servers and can be deployed in the home or visited PLMN.

Initiation of Bootstrapping

The Ut Authentication Proxy (AP) will request the UE to initiate bootstrapping with the Bootstrapping Server Function (BSF) if the UE indicates support of Generic Bootstrapping Architecture (GBA) in the HTTP request to the AP, and the request does not include any bootstrapping data or the included bootstrapping data is expired. GBA ME, GBA U, and GBA Digest modes can be used by the UE to get access to the IMS AS via AP.

Authentication

The authentication procedure applied to a bootstrapping request initiated by the UE and received by the BSF re-uses the Digest AKA and SIP Digest authentication procedures utilized by the IMS core. The Digest AKA procedure is applied to SIM- based UE, while the SIP Digest procedure is applied to SIMless UE. Transport Layer Security (TLS) is mandatory during the authentication procedure for the SIMless UE in order to generate the shared session key. For SIM-based UE, the session key is generated from the UMTS authentication vector.

Profile Download

During the bootstrapping procedure, the BSF downloads the GBA User Security Settings (GUSS) profile of the subscriber from the home HSS and deliver relevant information to AP so that they can be
forwarded to AS. Titan.ium’s Ut-Proxy also supports the use case where HSS doesn’t provide GUSS profile.