3GPP has defined an architecture called GBA (Generic Bootstrapping Architecture), the aim of which is to allow a mobile terminal to be authenticated so as to create a security association between the mobile terminal and an application (termed a NAF, Network Application Function, in 3GPP).
This architecture comprises a Bootstrapping Server Function, BSF, and relies on the AKA (Authentication and Key Agreement) protocol to establish the keys.
In the course of the authentication procedure, the terminal, furnished with a SIM card, uses a connection based on the HTTP protocol (HTTP Digest AKA, on the interface that 3GPP names Ub) to authenticate itself to the bootstrapping server function BSF. The general principle is as follows:
The result of the authentication is a security key (termed Ks) that is valid for a duration determined by the server. The server also supplies the terminal with a session identifier (termed B-TID, Bootstrapping Transaction Identifier) associated with the security key, together with the duration of validity of the key.
When the terminal subsequently opens an IP connection with an application, it indicates to this application that it wishes to be authenticated according to the GBA technique by supplying it with the session identifier.
The application contacts the BSF server and supplies it with the session identifier. The BSF server responds by supplying it with a new key (termed Ks_NAF) derived from the security key and from the identifier of the application (built from the application's fully qualified domain name). The terminal performs the same derivation locally. Thus the terminal and the application hold one and the same key, which they can use to authenticate each other and to secure the IP connection between them; because the derivation is bound to the application's identifier, the key handed to one application is of no use to another, and the BSF must refuse to release a key for a session identifier whose validity period has elapsed.
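The exchange described in the preceding steps, as an added example that is not part of the original text or of any 3GPP reference implementation: a toy BSF, terminal (UE) and two applications (NAFs) run the bootstrap, both sides derive the application key from Ks and the application identifier, and the BSF refuses a lookup once the lifetime has elapsed. The AKA run itself is not modelled; fixed CK, IK and RAND values stand in for its result. The key-derivation layout (FC byte, "gba-me" label, 16-bit length fields, HMAC-SHA-256) follows my reading of 3GPP TS 33.220 Annex B and should be treated as an assumption, as should the identity and host names.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values standing in for the output of a real AKA run (assumption).
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
IMPI = "user@example.com"  # assumed private identity of the subscriber


def gba_kdf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF derivation in the style of TS 33.220 Annex B (assumed layout):
    S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3, Ks_NAF = HMAC-SHA-256(Ks, S)."""
    s = b"\x01"  # FC octet distinguishing the GBA instance of the KDF
    for part in (b"gba-me", rand, impi.encode("utf-8"), naf_id):
        s += part + len(part).to_bytes(2, "big")  # 16-bit big-endian length fields
    return hmac.new(ks, s, hashlib.sha256).digest()


@dataclass
class Bootstrap:
    ks: bytes
    rand: bytes
    impi: str
    expires_at: float


class BSF:
    """Bootstrapping Server Function: issues B-TID and lifetime after AKA, and
    later hands application-specific keys to NAFs that present a valid B-TID."""

    def __init__(self, lifetime_s: float = 3600.0):
        self.lifetime_s = lifetime_s
        self.sessions: Dict[str, Bootstrap] = {}

    def bootstrap(self, impi: str, ck: bytes, ik: bytes, rand: bytes, now: float):
        ks = ck + ik  # Ks is the concatenation CK || IK
        btid = os.urandom(8).hex() + "@bsf.example.com"  # assumed B-TID format
        self.sessions[btid] = Bootstrap(ks, rand, impi, now + self.lifetime_s)
        return btid, self.lifetime_s

    def key_for_naf(self, btid: str, naf_id: bytes, now: float) -> Optional[bytes]:
        """Answer a NAF's request; unknown or expired B-TIDs get no key."""
        b = self.sessions.get(btid)
        if b is None or now >= b.expires_at:
            return None
        return gba_kdf(b.ks, b.rand, b.impi, naf_id)


class UE:
    """Terminal side: keeps Ks, RAND and B-TID and derives Ks_NAF itself."""

    def __init__(self, bsf: BSF, now: float):
        self.ks, self.rand, self.impi = CK + IK, RAND, IMPI
        self.btid, self.lifetime = bsf.bootstrap(IMPI, CK, IK, RAND, now)

    def key_for_naf(self, naf_id: bytes) -> bytes:
        return gba_kdf(self.ks, self.rand, self.impi, naf_id)


def naf_id(fqdn: str, ua_protocol_id: bytes = b"\x01\x00\x00\x00\x00") -> bytes:
    """NAF_Id = FQDN || Ua security protocol identifier (value assumed)."""
    return fqdn.encode("utf-8") + ua_protocol_id


def demo() -> dict:
    bsf = BSF(lifetime_s=3600.0)
    t0 = 1_000_000.0
    ue = UE(bsf, now=t0)
    app_a, app_b = naf_id("app-a.example.com"), naf_id("app-b.example.com")
    # The UE presents its B-TID to app A; app A asks the BSF for Ks_NAF.
    naf_key = bsf.key_for_naf(ue.btid, app_a, now=t0 + 10)
    return {
        "ue_key": ue.key_for_naf(app_a),          # UE's own derivation for app A
        "naf_key": naf_key,                       # what app A got from the BSF
        "other_naf_key": bsf.key_for_naf(ue.btid, app_b, now=t0 + 10),
        "expired": bsf.key_for_naf(ue.btid, app_a, now=t0 + 3600),  # lifetime over
        "unknown": bsf.key_for_naf("deadbeef@bsf.example.com", app_a, now=t0),
    }


if __name__ == "__main__":
    r = demo()
    print("UE and NAF agree:", r["ue_key"] == r["naf_key"])
    print("app B gets a different key:", r["other_naf_key"] != r["naf_key"])
    print("expired B-TID refused:", r["expired"] is None)
```

The two checks worth carrying into a real deployment are visible in `demo()`: the key released to app B differs from the one released to app A even though the same Ks and B-TID are behind both, and the BSF answers nothing for a B-TID whose lifetime has passed, so the terminal must re-bootstrap rather than reuse stale material.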
This procedure implies that the terminal must first carry out an HTTP exchange with the BSF (through its browser or HTTP stack) before it can open an IP connection with the application, that second connection not necessarily being based on the HTTP protocol.
Moreover, the mobile terminal has previously authenticated itself to a network access server upon its attachment to the network. There is therefore a dual authentication of the mobile terminal: once upon its attachment to the network, and a second time to create a security association with an application.