Global System for Mobile Communications (GSM)

(1)

UPMC/PUF - M2 Networks - PTEL 1

Global System for Mobile

Communications (GSM)

Nguyen Thi Mai Trang

LIP6/PHARE

Thi-Mai-Trang.Nguyen@lip6.fr

Outline

Principles of cellular networks

GSM architecture

Security management

Location management

(2)

Mobile networks

First generation

In the late 1970s

Analog air interface

Ex: AMPS (Advanced Mobile Phone Service) in the US, Radiocom 2000 in France, NMT 900 in the Nordic countries, TACS in England, NETZ C in Germany

Second generation

In the early 1990s

Digital air interface

Ex: GSM in Europe and over the world, DCS (Digital Communication System) which is the GSM standard deployed in the 1800 MHz band, IS-136, IS-95, GSM PCS 1900 in the US

GPRS function

Third generation

In the early 2000s

Multimedia applications and Internet access

Ex: UMTS

3G+ and 4G

3G+: High speed data services

4G: Multi-homed terminal

Cell

Cell is a geographical area covered by an

(3)

Cell size

Depend on the frequencies and the power

level used

The more the frequency is high, the more the cell

is small

The more the power level is high, the more the

cell is big

Different cell sizes

(4)

Cellular networks

The network is organized in cells which are

partially overlapping to cover the area that the

operator want to provide services

cells

Handover

The change of cell of a mobile

The handover procedure ensures the

continuity of the ongoing communication

Handover zone

(5)

Frequency reuse

The reuse of the same frequency in disjoint cells allows a coverage in large scale

A k-cell reuse pattern is defined as the smallest group of cells containing a set of channels which are used only once

F2 F1 F3 F3 F2 F3 F2 F1 F2 F3 F3 F2 K = 3

Air interface

Terminals communicate with the central antenna via

the air interface

Use frequency bands specific to each country

In Europe: GSM 900 MHz – DCS 1800 MHz

In the US: DCS 1900 MHz

Air interface specification

Modulation techniques, encoding scheme and multiple

(6)

Multiple access procedures

Air interface is responsible for frequency bands

sharing between users

Multiple access procedure prevents the collisions

FDMA (Frequency Division Multiple Access) used in the

first generation

TDMA (Time Division Multiple Access) used in GSM

CDMA (Code Division Multiple Access) used in UMTS

FDMA

The frequency band f is divided into n

channels allowing n mobiles to transmit

simultaneously

frequency

time Channel

(7)

TDMA

The time is divided into time slots who are

affected to different mobiles

frequency

Totality of bandwidth

time

CDMA

The mobiles in a cell share the same radio channel by using a code

assigned by the system which determines the frequencies and the power levels used

Allow the reuse of the same frequencies in adjacent cells

frequency

(8)

GSM architecture (1)

BTS BSC BSC MSC MSC MSC HLR VLR VLR VLR

Base Transceiver Station

Base Station Controller

Mobile service Switching Center Visitor Location Register

Home Location Register

BTS BTS GMSC Gateway MSC RTC Um Abis A

Radio Sub-System Network Sub-System

AuC

Authentication Center

GSM architecture (2)

Radio Sub-System

BTS (Base Transceiver Station)

BSC (Base Station Controller)

Network Sub-System

MSC (Mobile service Switching Center) Two databases

HLR (Home Location Register) VLR (Visitor Location Register)

AuC (Authentication Center)

Mobile terminal

(9)

Radio sub-system

Air interface transmission and radio resource managmemnt Base station (BTS)

Responsible for radio transmission

Modulation, demodulation, equalization, error recovery

TDMA multiplexing, frequency hopping, encryption, radio

measurements

Base station controller (BSC) Radio resource management

Channel allocation

Analyze the measurements realized by the BTSs to control the power of

the mobiles or the BTSs

Handover decision

Network Sub-System (1)

Mobile switching center (MSC)

Switching matrix

Call establishment between a mobile and another MSC MSC level handover execution

Mobility management (VLR look-up for outgoing call, transfer of location information)

(10)

Network Sub-System (2)

Two databases for subscriber management Home Location Register (HLR)

Database containing information of the subscribers of an operator Subscriber information: subscriber identity (IMSI), telephone number

(NSISDN), service profile (supplementary services, international call authorization), the number of VLR where the mobile is registered

Visitor Location Register (VLR)

Database containing information of the users present in a geographical area managed by the VLR

User information: IMSI, MSISDN as in the HLR, and in addition the

TMSI

Authentication center (AuC) associated with the HLR Contain the secret key of each subscriber for the authentication and

the encryption of the communications

Mobile terminal

A smart card (SIM card) containing the subscriber identity Subscriber identity authentication is realized between the

SIM card and the authentication center (AuC)

SIM card IMSI

(International Mobile Subscriber Identity) Ex: 208 01 314159

Terminal IMEI

(International Mobile Equipment Identity) User MSISDN

(Mobile Station ISDN Number) Ex: 33 6 07 62 17 73

(11)

Addressing

IMSI

Permanent identity of the subscriber which is only used internally the network

TMSI

Temporary identity used to identify the mobile in the exchange over the air interface

MSISDN

The telephone number of the subscriber

MSRN

A number assigned for the call establishment with a fixed network

IMSI

Each subscriber has an international identity, the IMSI MCC (Mobile Country Code)

Home country code of the subscriber Ex: 208 for France

MNC (Mobile Network Code)

Home network code of the subscriber Ex: 01 for France Télécom, 10 for SFR

MSIN (Mobile Subscriber Identification Number)

Subscriber number inside the home network

(12)

TMSI

Temporary Mobile Subscriber Identity

Locally assigned to the mobile within the area managed by the current VLR

Only known at the MS-MSC/VLR levels, not by the HLR Used to identify the mobile during the call establishment For each change of VLR, a new TMSI must be assigned The structure of TMSI depends on the operator (encoded over

4 bytes)

The use of TMSI is optional (depends on the operator)

MSISDN

Mobile Station ISDN Number

Follow the international numbering plan E.164 CC (Country Code)

Indicate the country of the home network of the subscriber

Ex: 33 for France

NDC (National Destination Code)

Indicate a particular network within the country

SN (Subscriber Number) Free to assigned by the operator

(13)

Identity exchanges

IMEI

International Mobile Equipment Identity

<= 15 digits

Uniquely reference to a terminal equipment

TAC (Type Approval Code)

Provided by the constructor when the device type is approved

FAC (Final Assembly Code)

Identify the factory where the terminal is made

SNR (Serial Number)

Freely assigned by the constructor

Spare (SP)

(14)

Subscriber identity confidentiality

Limit the transmission of the IMSI over the air interface Use TMSI

The mapping TMSI - IMSI is managed at the VLR level TMSI is sent to the mobile in the encrypted mode

Radio interface Encryption procedure of save of release

Authentication and encryption (1)

Elements

Two keys: authentication key Ki, encryption key Kc

Three algorithms: A3, A5, A8

Random number RAND

Principles

Each subscriber has a key Ki stored in the SIM card together with the IMSI, and in the AuC of the network operator

For encryption

The encryption key Kc is generated by the A8 algorithm from the Ki key and the random number RAND

The A5 algorithm uses the Kc key for data encryption

For authentication

The A3 algorithm generates a number SRES from the Ki key and the random number RAND

(15)

29

Authentication and encryption (2)

HLR AuC Authentication Center Mobile Terminal SIM Card Ki Ki

Ki: Authentification key Kc: Encryption key Challenge (RAND) Response (RES’) A3 A8 RAND RES’ _Kc A3 A8 RAND RES _Kc RES = RES’ : ? Authenticated Oui Non X Encypted communication A5 Kc Encryption/ Decryption A5 Kc Encryption/ Decryption

Subscriber identity authentication

Allow the verification of the identity sent by the mobile (IMSI or TMSI)

For each location update, call establishment, service activation/deactivation

radio interface

(16)

Data confidentiality

Kc key establishment

Encryption/decryption algorithm is implemented in the BTS Encryption activation is realized on request of the MSC

radio interface

network

Triplet

The network using the triplets to authenticate and activate the encryption

don’t need to know the A3 and A8 algorithms

The triplets are calculated by the AuC and sent to the MSC/VLR Each operator can have their own A3 and A8 algorithms

Subscriber is always authenticated by the algorithms of their home

network

Generate de 1 to n

(17)

Global view of security

Location management

The system has to know at any time the

location of each mobile in order to be able to

join it

The mobile must stay active (i.e. standby

mode), even if there is not communication, in

order to signal the system about its movement

(18)

Location Area Identification

Location area is a group of cells

Each location area is identified by a LAI (Location Area Identification)

address

MCC: country code (as in IMSI)

MNC: network code (as in IMSI)

LAC (Location Area Code) (<= 2 bytes): assigned by the operator

cell

Location area boundary

Location management (1)

A VLR can manage several location areas

A location area cannot include cells belonging to different VLRs

Only the VLR knows the current location area of the managed mobiles

The HLR knows the identity of the current VLR of each subscriber and don’t know its location area

The location update is initiated by the mobiles upon a change of location area

It’s possible to have a periodical location update with the period controlled by the network

(19)

Location management (2)

search by

IMSI Attach/Detach procedure

To avoid un-useful search of turned off mobiles, a parameter in the MSC/VLR indicates that whether the mobile is

reachable

When a mobile is turned on, the IMSI Attach procedure re-attach this mobile to its location area

If the VLR contains the information of the mobile, no message is sent to the HLR equivalent to an update without change of VLR

When the mobile is switching off, or when the VLR is not in contact with a mobile during a certain period, the network can

(20)

Paging procedure

To search a subscriber for an incoming call, the

MSC broadcasts a paging message containing the

TMSI (or the IMSI in the absence of TMSI) of the

callee in the cells belonging to its location area

The mobile responds to the paging message, realizes

the authentication and encryption

The call establishment duration is about 8 seconds

Air interface

Frequency bands

Uplink: 890 – 915 MHz Downlink: 935 – 960 MHz

Frequency bands are divided into channels of 200

KHz

In a channel, the signals are modulated and transmitted

around a carrier frequency at the center of the channel

In GSM 900

124 carriers available for each downlink or uplink frequency band

(21)

TDMA in GSM

Each carrier is divided into time slots

T_slot= (75/130)10-3(s) = 0,5769 ms

In the same carrier, 8 slots are grouped to form a

TDMA frame

T_TDMA= 8 * T_slot= 4,6152 ms

Each user uses one time slot per TDMA frame

A physical channel is constituted by the periodical

repartition of a time slot in TDMA frames

TDMA frame

0 1 2 3 4 5 6 7 TDMA frame (4,6152 ms) Slot (~577 µs)

(22)

Duplexing

A duplex physical channel corresponds to two

simplex physical channels

fu(i) = fd(i) - ∆Wduplex

fd(i): downlink frequency

f_u(i): uplink frequency

∆Wduplexis the duplex interval (45 MHz in GSM) The downlink frequencies in GSM 900

f_d= 935 + (0,2 * n) , 1≤ n ≤ 124

A mobile sends and receives at different moments with

the interval of three slots

Duplex physical channel

0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 frequency time Downlink Uplink D u p le x in te rv al f_d fu

(23)

Voice transmission (1)

Voice transmission (2)

Speech coding Channel coding Interleaving

Analog voice frame

Unprotected voice

(24)

Speech coding

Full-rate

13 Kbps

Voice is sampled at 8 kHz to form 20 ms frames The codec RPE-LTP (Regular Pulse Excitation – Long

Term Prediction) transforms the 20 ms voice segments into 260 bits blocks

Half-rate

5,6 Kbps

(25)

Channel coding (1)

The 260 bits of voice don’t have the same

importance

Class I.a – 50 bits very sensible to errors

Class I.b – 132 bits sensible to errors

Class II – 78 bits less sensible to errors

Channel coding (2)

class I.a bits CRC 50 3 bits tail bits Class I.b 53 bits 132 4 Convolutional code 189 bits 378 bits

(26)

Interleaving (1)

Interleaving is used to make the error positions

random especially when the errors in wireless

networks are usually bursty

The encoded symbols are permuted before their

transmission to make the error correction at the

receiver easier

Interleaving consist in

Mixing the bits of a bloc

Distributing the symbols over a set of bursts

Interleaving (2)

b0 b1 b2 b3 b4 b5 b6 b7 b₈ b₉ b₁₀ b₁₁ b₁₂ b₁₃ b₁₄ b₁₅ b₄₄₀ b₄₄₁ b₄₄₂ b₄₄₃ b₄₄₄ b₄₄₅ b₄₄₆ b₄₄₇ b448 b449 b450 b451 b452 b453 b454 b455 ….. A0 A1 A2 A3 A4 A5 A6 A7 8 half-blocs Writing 1 2 57 Reading

(27)

Interleaving (3)

B0 B1 B2 B3 B4 B5 B6 B7

A0 A1 A2 A3 A4 A5 A6 A7

C0 C1 C2 C3 C4 C5 C6 C7

3 bits 58 bits 26 bits 58 bits 3 bits8,25 bits Burst (odd bit : A0 – even bits: B4)

Burst structure

0 1 2 3 4 5 6 7 TDMA frame

(28)

Logical channels (1)

Over physical channels, logical channels are

defined for different purposes

User data transmission

Control functions

The mobile can use the best base station Establish a communication

Monitor a communication Realize the handovers

(29)

Multiframe

A multiframe is a succession of a given slot

The time interval between two slots of a multiframe

is of 4,615 ms

TDMA frame

multiframe

Multiframe, superframe and hyperframe (1)

Two structures of multiframe have been defined Multiframe of 26 frames

Duration of 120 ms

Multiframe of 51 frames Duration of 235,8 ms

Superframe

To have a commun structure for the two types of multiframe Composed of [26 multiframes at 51] or [51 multiframes at 26]

Hyperframe

(30)

Multiframe, superframe and hyperframe (2)

multiframe multiframe

superframe

hyperframe

TCH-SACCH multiplexing (1)

(31)

TCH-SACCH multiplexing (2)

1 voice bloc is of 20 ms

260 bits to send in 8 demi-bursts (4 bursts) 1 burst of voice every 5 ms is required

A multiframe at 26 lasts 120 ms

6 voice blocs (24 bursts) to send The mobile has 26 slots

2 slots are availables

1 slot for the SACCH channel

1 slot of pause (the mobile listens and analyzes the beacons of the neighbor cells)

SACCH

Slow Associated Control Channel

Control physical parameters of the link

Measure the round trip delay

Control the power level of the terminal

Control the link quality

Analyze the measurements made over the

(32)

FACCH

Fast Associated Control Channel

The low data rate of the SACCH (380 bps) channel

is not sufficient to handover execution

The TCH channel is temporarily stolen for signaling

Normal burst Data bits (TCH or FACCH)

Even data bits Even data bits

Data bits (TCH or FACCH)

Odd data bits Odd data bits Sequence

Beacon channel (1)

Each base station has a beacon channel

Allow the mobiles to be in permanent contact

with the best base station

Play an important role to realize roaming and

(33)

Beacon channel (2)

Corresponds to a particular frequency, one of

the frequencies allocated to the base station

A neighbor mobile periodically measures the

signal level over this channel

Allow a mobile to determine whether it is in

the coverage of a base station, near or far

from the base station

Beacon channel (3)

Information

Specific form of signal

Allow the mobiles to detect the presence of a base station and

synchronize in terms of time and frequency

System information

Network identity and access characteristics

Mobile terminal Turned on

Seeking the beacon channel of the best BTS

Standby

(34)

RACH – AGCH – PCH

Random Access CHannel

When the mobile want to make an control operation with the network (location update, call request, etc.), it must inform the network by sending a request over the RACH channel

Access Grant CHannel

When the network receive a request, it allocate a dedicated signalling channel by sending an allocation message over the AGCH channel containing the carrier number and the slot number

Paging CHannel

When the network wants to communicate with a mobile (for a call, an authentication, etc.), it broadcasts the identity of the mobile over a set of cells using the PCH channel