Bootstrapping Server Function for Secure Authentication

Author

Reads 4.9K

Computer server in data center room
Credit: pexels.com, Computer server in data center room

Bootstrapping Server Function for Secure Authentication can be a complex process, but it's essential for any system that requires secure user authentication.

The first step is to create a secure connection between the client and server using Transport Layer Security (TLS). TLS ensures that data transmitted between the two is encrypted and can't be intercepted by unauthorized parties.

A secure connection is crucial for authentication because it prevents hackers from accessing sensitive information.

To implement TLS, you can use a library like OpenSSL, which provides a range of functions for encrypting and decrypting data.

The server function should also verify the client's identity to ensure that only authorized users can access the system. This can be done using a technique called mutual authentication.

Bootstrapping Process

The bootstrapping process is a critical step in establishing a secure connection between a User Equipment (UE) and a Base Station Function (BSF). This process is specified by the Generic Bootstrapping Architecture (GBA) from 3GPP TS 33.220.

A different take: Node B

Credit: youtube.com, What is Bootstrapping? - Computerphile

In the bootstrapping process, the UE initiates a new security association with the BSF, which is known as "bootstrapping". This process involves the UE contacting the BSF to create a new security association, and the BSF responding with the subscriber's GBA User Security Settings (GUSS), which defines the lifetime of the security association.

The UE must indicate the authentication mechanism to use in all requests to access the NAF through the addition of a product token to the User-Agent header. The possible product tokens are 3gpp-gba for GBA_ME authentication and 3gpp-gba-digest for GBA_Digest authentication.

Here are the possible authentication mechanisms and their corresponding product tokens:

The BSF server operation involves a typical bootstrapping transaction, where the UE initiates a new security association with the BSF. The BSF responds with the subscriber's GBA User Security Settings (GUSS), which defines the lifetime of the security association.

Bootstrap

Bootstrap is a one-time event that's emitted immediately after an express.js app has been created, before any middleware or CDS services are added to it. This event is a crucial part of the bootstrapping process, setting the stage for the rest of the app's functionality.

Close-up of a hand holding a telephone receiver in a server room emphasizing technology.
Credit: pexels.com, Close-up of a hand holding a telephone receiver in a server room emphasizing technology.

The bootstrap lifecycle function is a synchronous function that's called at every server start, found in ./src/index.js. It can be used to create an admin user, fill the database with necessary data, or declare custom conditions for the Role-Based Access Control (RBAC) feature.

A bootstrap process involves creating a new security association with the BSF, which is specified by the Generic Bootstrapping Architecture (GBA) from 3GPP TS 33.220. This process is known as "bootstrapping" and is essential for establishing trust between the UE and the BSF.

The bootstrap_info Cassandra table is used to store bootstrap information, including the user's private identity (IMPI) and shared secrets. This information is used to calculate Ks_NAF, the password, and is retrieved by the NAF filter to authenticate users.

Here are the different types of bootstrap events:

  • One-time event, emitted immediately after the express.js app has been created and before any middleware or CDS services are added to it.
  • One-time event, emitted when all services have been bootstrapped and added to the express.js app.
  • A synchronous function called at every server start, found in ./src/index.js.
  • A function that can be used to create an admin user, fill the database with necessary data, or declare custom conditions for the RBAC feature.

The BSF server operation involves walking through a typical bootstrapping transaction, similar to the NAF authentication filter operation. This process ensures that the BSF is properly configured and ready to handle user requests.

Key

Credit: youtube.com, What is Bootstrapping Anyway? - Computerphile

The key to a successful bootstrapping session is the naf-key tool, which generates a NAF-specific shared key for the session. This key is used as the password input for the NAF Digest tool.

You'll need this key to get started, and it's generated automatically by the naf-key tool. The naf-key tool is an essential part of the bootstrapping process.

Authentication

The Bootstrapping Server Function (BSF) plays a crucial role in the authentication process, allowing users to securely access network applications. The BSF supports two authentication schemes: Digest-AKAv1-MD5 and GBA_Digest.

The BSF stores authentication vector values in the auth_vector Cassandra table, with an expiry time of 60 seconds by default. This allows any BSF node in the cluster to process the authentication vector details when a challenge response arrives.

During the authentication process, the BSF calculates the expected HTTP digest using XRES and compares it with the value received in the response directive. If the values match, the bootstrapping was successful, and the BSF creates a new security association containing the Bootstrapping Transaction Identifier (B-TID), IMPI, and a new shared key Ks.

Here are the authentication schemes supported by the BSF and NAF Authentication Filter:

The NAF Authentication Filter supports the MD5 and SHA256 digest algorithms, allowing for secure authentication and authorization of network applications.

Sentinel Authentication Gateway

Detailed view of server racks with glowing lights in a data center environment.
Credit: pexels.com, Detailed view of server racks with glowing lights in a data center environment.

The Sentinel Authentication Gateway is a crucial component in the authentication process. It provides 3GPP Generic Authentication Architecture (GAA) support for OpenCloud's Sentinel products.

This release allows IMS devices to authenticate with their home network and securely login to Sentinel's XCAP server. The Sentinel Authentication Gateway consists of two main components: the Bootstrapping Security Function (BSF) server and the NAF Authentication Filter.

The BSF server receives "bootstrap" authentication requests from UEs, which ask the BSF to initiate a bootstrap process between the UE and the HSS. This results in a secret key shared by the BSF and the UE.

This shared key can then be used to authenticate with a Network Application Function (NAF), such as the Sentinel XCAP server. The Sentinel XCAP server is an example of a NAF.

The NAF Authentication Filter is deployed with the Sentinel VoLTE XCAP servlet application. It implements the NAF authentication processes for the application, using the shared key generated by the bootstrapping process.

Together these components allow a UE to transparently authenticate with Sentinel VoLTE XCAP and securely perform configuration updates.

Authentication Schemes

Credit: youtube.com, An Exploration of Geographic Authentication Schemes

The BSF Server supports two authentication schemes: Digest-AKAv1-MD5 and GBA_Digest. These schemes are used to authenticate users and ensure secure communication between the UE and the BSF.

The NAF Authentication Filter, on the other hand, supports the MD5 and SHA256 digest algorithms. These algorithms are used to verify the authenticity of the user and ensure that the request is legitimate.

Additional variants may be supported in future Sentinel Authentication Gateway releases. This means that the authentication schemes and algorithms may be updated or expanded in the future to provide more secure and efficient authentication.

Here are the authentication schemes and algorithms supported by the BSF Server and the NAF Authentication Filter:

The use of these authentication schemes and algorithms ensures that the authentication process is secure and reliable, and that only authorized users can access the NAF.

Diameter Base Ra

The Diameter Base RA is a crucial component in the authentication process, allowing communication with the HSS using the Zh Diameter application. It's created by default with the name "diameterbase".

Credit: youtube.com, Diameter (protocol)

The configuration of the Diameter Base RA is primarily defined in XML strings stored in a SLEE profile, specifically in the "DiameterConfig/DiameterZhConfig" profile. This profile contains critical information that affects the BSF Server operation.

The "PeerTable" profile attribute describes the Diameter peers that the RA can connect to, typically the primary and secondary HSS hosts. The default value for this attribute is a complex XML string that includes placeholders for dynamic values.

The "RealmTable" profile attribute determines how different applications are routed to Diameter peers, and in the BSF's case, everything is routed to the HSS. The default value for this attribute is another XML string that references the HSS hostname and metric.

The dynamic values in the XML strings are obtained from the "config.properties" file of the deployment module. This file contains crucial information that is substituted into the XML strings after deployment in the SLEE.

To edit the profile values, you can manually update the XML strings in Rhino Element Manager or rhino-console, or update the "config.properties" file in your deployment module.

Filter and Validation

Hands of a Man Near a Glass Funnel with Paper Filter
Credit: pexels.com, Hands of a Man Near a Glass Funnel with Paper Filter

The Filter and Validation process is a crucial step in the bootstrapping process. The NAF filter validates the bootstrapped user information by calculating Ks_NAF, a new shared key, and using it as the password in its HTTP Digest calculation.

The filter checks if the calculated value matches the value sent by the UE in the challenge response. If everything is correct, the filter can pass the request to the XCAP servlet.

The filter also determines which IMS public identities (IMPUs) are associated with the request by using the ussList element from the user's GUSS and the filter's settings for service ID, service type, and NAF group.

Here are the key components involved in the filter and validation process:

  • HA1 - a hashed value derived from the username and password
  • Realm - the authentication realm for the user

The filter must also verify that the request has been successfully authenticated before passing it to the XCAP servlet. This is done by comparing the calculated digest value with the value sent by the UE in the challenge response.

Filter Passes to XCAP Servlet

Modern data server room with network racks and cables.
Credit: pexels.com, Modern data server room with network racks and cables.

After the NAF filter has validated the bootstrapped user information, it passes the request and credentials to the XCAP servlet. This is a crucial step in the authentication process.

The filter adds the X-3GPP-Asserted-Identity header to the request, which includes the public identities associated with the request. This information is determined by the ussList element from the user's GUSS and the filter's settings for service ID, service type, and NAF group.

The XCAP servlet is responsible for handling the request, and it knows that the request should be routed to it based on the URL path prefix. This is a key part of the authentication process.

The request header seen by the XCAP servlet includes the public identities, which are used to authenticate the user. The user may also use a TMPI (temporary private identity) instead of their actual private identity.

Here are the key components of the request header:

  • Username: The Bootstrapping Transaction Identifier (B-TID)
  • Password: The NAF-specific shared key, or Ks_NAF
  • Realm: The authentication realm for the user

The filter's job is now done, and the XCAP servlet takes over to handle the request.

10 Success Responses

Credit: youtube.com, Filter Integrity Testing: Best Practices

In a successful authentication process, the BSF sends a response to the UE.

The BSF sends an HTTP 200 OK response to the UE, containing the bootstrapped security association info in XML form, as per 3GPP TS 24.109 Annex C.

This response is the final step in the bootstrap authentication process, after the UE has successfully authenticated.

The UE now has enough information to authenticate with a NAF, using the bootstrapped security association info received in the response.

Maximum Body Size

Maximum Body Size is a crucial aspect of Filter and Validation. The default maximum request body size is 100kb, as this is the default of the Express built-in body parsers.

To restrict the maximum request body size globally, you can use the configuration cds.server.body_parser.limit. This setting applies to all services and protocols.

If you need to limit the maximum request body size for an individual service, you can use the service specific annotation @cds.server.body_parser.limit. This is useful when the expected request body sizes might vary for services within the application.

The service specific annotation takes precedence over the global configuration for the respective service. This means that if both are set, the service specific annotation will be used.

For another approach, see: Next Js Use Server

Post-Installation Tasks

Credit: youtube.com, Mastering the Bootstrapping Process in Chef Tool: Your Guide to Efficient Deployment | NS3EDU

After installing the BSF server and NAF filter, you'll need to update the XCAP server. This is a crucial step to ensure seamless communication between the BSF and other components.

The rhino-instance-id value is a key identifier that equates to the Rhino instance where your BSF is deployed. For example, if you have Rhino and REM on the same host, the value would be "Local".

You'll also need to configure HTTP port mapping, which is essential for directing incoming HTTP requests to the correct ports.

Creating init.d scripts is an optional but recommended step to ensure the BSF server starts automatically during system boot.

Here's a quick rundown of the post-installation tasks:

Configuration and Settings

To configure the BSF Service, you'll need to set up the BSF SLEE profile attributes and the resource adaptors it uses. This includes the HTTP, Cassandra-CQL, and Diameter Base resource adaptors.

The BSF Server tracing is a bit more complex, but fortunately, you don't need to enter the entire service or SBB IDs when setting tracer levels. You can use the settracerlevel command in rhino-console, which supports tab-completion and can match simple patterns.

Credit: youtube.com, What is Bootstrapping | Part-1 | Chef

To customize the behavior of the built-in server.js, you'll need to explore the options documented in the configuration sections. This will help you tailor the BSF Server to your specific needs.

Here's a summary of the HTTP RA configuration properties:

To view the current BSF configuration, simply use the listprofileattributes command in rhino-console.

Settings

Settings are a crucial part of configuring the BSF Server. You can customize the behavior of the built-in server.js through the options documented in the configuration sections.

To configure the HTTP port mapping, you'll need to use the operating system's port translation features to redirect traffic on port 80 to a different port where the HTTP RA is listening. This is because running processes as the super user (root) is not recommended on Unix systems.

The HTTP RA is used to receive HTTP requests from UEs and to send HTTP responses. The name of the HTTP RA entity created by default is bsf-http-ra.

Credit: youtube.com, App Configuration, where does it go? Config files, env vars, external service?

Here are the HTTP RA configuration properties that are relevant to the BSF Server:

Viewing the Current

You can view the current configuration by using a specific command in the rhino-console.

To do this, navigate to the rhino-console and use the listprofileattributes command.

This command will show you the current configuration.

Cds

Cds is a shortcut getter to require('@sap/cds/server'), loading and returning the built-in server.js implementation.

You'd mainly use this in custom server.js to delegate to the default implementation, as shown in the server() method example.

The express.js app constructed by the server implementation is a key part of cds.

This implementation is essentially a shortcut to require('@sap/cds/server'), making it a convenient option for developers.

By using cds, you can quickly and easily set up a server implementation in your custom server.js file.

The cds shortcut loads the built-in server.js implementation, which is a significant time-saver for developers.

Data Storage and Schema

The Sentinel Authentication Gateway uses a Cassandra database for sharing bootstrapped security association details between the BSF and XCAP servers.

Credit: youtube.com, Why Is Physical Data Storage Hidden In Relational Models? - Server Logic Simplified

For data storage, Cassandra is the chosen database, which is a distributed NoSQL database designed for handling large amounts of data across many commodity servers.

Cassandra's database configuration is detailed, including performance recommendations and schema, which are crucial for ensuring the database runs smoothly and efficiently.

The database schema is also specified, providing a clear outline of how the data is structured and organized.

Readers also liked: Charging Data Record

Cassandra-CQL RA

The Cassandra-CQL RA is a crucial component for performing queries against the Cassandra database. It's created by default with the name cassandra-cql-ra.

One of the key configuration properties of the Cassandra-CQL RA is the keyspace, which determines the Cassandra keyspace used for all queries. The default keyspace is opencloud_gaa_bootstrap_info.

A Cassandra-CQL RA also needs to know the hostname or IP addresses of the Cassandra nodes to discover the cluster topology. The default value for this is localhost.

The protocol port used to connect to a Cassandra node is also a crucial property, and the default value is 9042.

Here are the relevant Cassandra-CQL RA configuration properties in a table:

Cassandra Storage

Credit: youtube.com, Cassandra in 100 Seconds

Cassandra Storage can be used for sharing bootstrapped security association details between the BSF and XCAP servers.

The Sentinel Authentication Gateway uses a Cassandra database for this purpose, which requires specific configuration details.

A Cassandra database is suitable for handling large amounts of data and providing high availability, making it a good choice for sharing security association details.

The database configuration should be set up to optimize performance, as recommended by performance guidelines.

Optimizing performance is crucial for a Cassandra database, especially when handling large amounts of data and high traffic.

The schema for the Cassandra database should be designed to accommodate the specific needs of the Sentinel Authentication Gateway and its users.

Data Schema

A data schema is essentially a blueprint or a map that outlines the structure of your data, including the relationships between different data elements. This structure is crucial for organizing and storing data in a way that's easy to manage and query.

Credit: youtube.com, Database Schema

The data schema defines the format and organization of the data, including the types of data, such as text, numbers, or dates, and how they are related to each other. For example, in a customer database, the schema might define the relationships between a customer's name, address, and order history.

A well-designed data schema helps prevent data inconsistencies and errors, making it easier to maintain and update the data over time. By defining the relationships between data elements, you can avoid data duplication and ensure that data is accurate and consistent.

Data schema is often created using a data modeling tool, such as Entity-Relationship Diagrams (ERDs) or data modeling software like MySQL Workbench. These tools help you visualize and define the relationships between different data elements, making it easier to create a clear and logical schema.

A good data schema should be flexible and scalable, allowing you to easily add or modify data elements as your data storage needs change. This might involve adding new fields to a table or creating new relationships between data elements.

Adding New Data Dependencies

Credit: youtube.com, How Can You Model Data In A Schema-less NoSQL Database? - Server Logic Simplified

Adding new data dependencies is a straightforward process, thanks to the provided add_new_device.sh script. This script can be used to add new devices by passing their serial number, which will create a new entry under the data/ directory.

The script will automatically populate the new entry with sample templates for each data file and link them with an actively-running server.

If you're adding new devices while the server is running, you must use the add_new_device.sh script to create new dependencies, as restarting the server isn't an option in this case. This is because bazel run copies symlinks into a temporary bazel-bin folder during execution.

You can manually add new subdirectories under data/ without using the script if you're willing to restart the server for each new device.

Trusted Data Phase

The trusted data phase is a crucial step in the sZTP process. It occurs immediately after the untrusted phase, with the switch redirecting back to the sZTP server address provided in the earlier response.

Credit: youtube.com, What is a database schema?

The goal of the trusted data phase is for the server to provide the switch with a URL pointing to an OS image to install. This is essential for the switch to configure itself with the correct bootstrap configuration.

The switch receives a URL from the server, which it uses to download the OS image. This image is then installed on the switch, allowing it to boot up and start functioning correctly.

Customization and Overrides

You can override certain options by providing your own bootstrapping function, allowing you to access and process command line options before delegating to the built-in server.js.

This also gives you the flexibility to construct your own express.js app and fix the models to be loaded.

To access and customize configuration settings, you can use the BSF SLEE profile, which is used for most of its configuration. The profile ID is bsf-config/default.

The available profile attributes and their descriptions are as follows:

These attributes can be updated using Rhino Element Manager or rhino-console commands.

Slee Profile

Computer server in data center room
Credit: pexels.com, Computer server in data center room

The SLEE profile is a crucial part of the BSF Server's configuration, and it's used for most of its settings. You can update it using Rhino Element Manager or rhino-console commands.

The profile ID is bsf-config/default, and it has several attributes that can be modified. Here are a few key ones to know about:

The HSSDestinationRealm attribute sets the Diameter Destination-Realm value in Zh requests to the HSS, and its default value is zh-realm.

The HSSDestinationHost attribute sets the Diameter Destination-Host value in Zh requests to the HSS, and its default value is zh-server.

The CassandraQueryTimeoutMS attribute sets the Cassandra query timeout in ms, and its default value is 5000.

Some of the CQL statements in the profile are used for retrieving and updating user data in Cassandra. For example, the GUSSLookupCQL attribute sets the CQL statement for retrieving a user's GBA User Security Settings (GUSS) from Cassandra, and its default value is SELECT guss_data FROM guss_by_impi WHERE impi = ?.

Closeup of switch in server with connectors and adapters connected to plastic device in dark room on blurred background inside
Credit: pexels.com, Closeup of switch in server with connectors and adapters connected to plastic device in dark room on blurred background inside

Here's a list of some of the other CQL statements in the profile:

Custom.js

You can create a custom server.js file to take control of the bootstrapping process. This allows you to override certain options before delegating to the built-in server.js.

The CLI command cds serve optionally bootstraps from project-local ./server.js or ./srv/server.js, giving you flexibility in how you set up your server.

Lifecycle and Events

During the server bootstrapping process, lifecycle events are emitted via the cds facade object. These events can be registered using cds.on().

You can register event handlers in the order you want them to execute, but keep in mind that event handlers execute synchronously.

Some lifecycle events are exceptions to this rule, such as served and shutdown events, which are handled differently.

Check this out: Server-sent Events

Security and Enrollment

The bootstrapping server function has a robust security feature that allows for TPM enrollment and attestation. This feature is supported through extra HTTP endpoints.

Credit: youtube.com, Spring Boot : User Login and Registration Tutorial [ In 30 Mins ] - Spring boot Series

The TPM enrollment process involves issuing an AIK certificate, which is a cryptographic key used for authentication and encryption. The request for this process is sent in JSON-encoded Protocol Buffers, specifically in the body of the /tpm-enrollment:issue-aik-cert request.

The server responds with a JSON-encoded IssueAikCertResponse proto, which contains the issued AIK certificate. This certificate is a crucial component of the bootstrapping process, ensuring the secure initialization of the system.

The server also supports verifying attestation credentials, which is an essential step in ensuring the authenticity and integrity of the system. The request for this process is sent in JSON-encoded Protocol Buffers, specifically in the body of the /tpm-enrollment:verify-attestation-credential request.

The server responds with a JSON-encoded VerifyAttestationCredentialResponse proto, which contains the verification result. This verification process helps to ensure that the system is properly configured and secure.

Hss

The HSS plays a crucial role in the security and enrollment process. It's a key component in the Diameter protocol, which is used for authentication and authorization.

Credit: youtube.com, Security in LTE - Authentication, Integrity and Encryption Keys HSS MME UE eNodeb

The HSS sends a Zh request to the BSF using the Diameter protocol. This request is used to authenticate the user and generate an authentication vector.

The authentication vector contains a 128-bit random number and secrets derived from the shared key K. This is a critical piece of information that only the UE should be able to calculate.

The HSS also returns a SIP-Digest AV, which is made up of several values including the nonce, realm, response, and algorithm. This information is used to authenticate the user and authorize access to the network.

The returned SIP-Digest AV is used by the UE to authenticate the user and authorize access to the network. This is a critical step in the security and enrollment process.

Consider reading: Access Point Name

TPM Enrollment and Attestation

The server supports TPM enrollment and attestation, which are extra HTTP endpoints beyond the standard sZTP operations. These operations are not defined as part of sZTP, but they're available for use.

Credit: youtube.com, More TPM attestation and diving into MDM hardening

To request a TPM enrollment, you'll need to send a JSON-encoded Protocol Buffers body to the /tpm-enrollment:issue-aik-cert endpoint. The request body is an IssueAikCertRequest proto, defined in proto/tpm_enrollment.proto.

The server responds with an IssueAikCertResponse proto, which is also JSON-encoded and defined in proto/tpm_enrollment.proto. This response body contains the results of the TPM enrollment operation.

To verify an attestation credential, you'll send a request to the /tpm-enrollment:verify-attestation-credential endpoint, again with a JSON-encoded Protocol Buffers body. The request body is not explicitly defined in the article section, but it's implied to be a proto related to attestation.

The server responds with a VerifyAttestationCredentialResponse proto, which is also JSON-encoded and defined in proto/tpm_enrollment.proto. This response body contains the results of the attestation verification operation.

Register

The register lifecycle function is an asynchronous function that runs before the application is initialized. It's a crucial step that sets the stage for the rest of the application.

This function is found in ./src/index.js (or in ./src/index.ts), and it can be used to extend plugins, which are essential for adding new features to your Strapi application. Extending plugins allows you to add custom functionality without modifying the core code.

You might enjoy: SIM Application Toolkit

Credit: youtube.com, Spring Security - User Registration, Authentication and Authorization using MySQL and Thymeleaf

You can also use the register function to extend content-types programmatically, which is a powerful tool for creating custom content structures. For example, you can create a custom field that would be used only by the current Strapi application.

The register function is the very first thing that happens when a Strapi application is starting, making it an ideal place to load some environment variables. This allows you to configure your application with the necessary settings.

Here are some of the things you can do within the register function:

  • Extend plugins
  • Extend content-types programmatically
  • Load some environment variables
  • Register a custom field that would be used only by the current Strapi application
  • Register a custom provider for the Users & Permissions plugin

The key thing to remember is that the register function runs before any setup process, which means you don't have access to database, routes, policies, or any other backend server elements within this function.

Walter Brekke

Lead Writer

Walter Brekke is a seasoned writer with a passion for creating informative and engaging content. With a strong background in technology, Walter has established himself as a go-to expert in the field of cloud storage and collaboration. His articles have been widely read and respected, providing valuable insights and solutions to readers.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.