UPMC/PUF - M2 Networks - PTEL 1
Global System for Mobile
Communications (GSM)
Nguyen Thi Mai Trang
LIP6/PHARE
Thi-Mai-Trang.Nguyen@lip6.fr
Outline
Principles of cellular networks
GSM architecture
Security management
Location management
Mobile networks
First generation
In the late 1970s
Analog air interface
Ex: AMPS (Advanced Mobile Phone Service) in the US, Radiocom 2000 in France, NMT 900 in the Nordic countries, TACS in England, NETZ C in Germany
Second generation
In the early 1990s
Digital air interface
Ex: GSM in Europe and over the world, DCS (Digital Communication System) which is the GSM standard deployed in the 1800 MHz band, IS-136, IS-95, GSM PCS 1900 in the US
GPRS function
Third generation
In the early 2000s
Multimedia applications and Internet access
Ex: UMTS
3G+ and 4G
3G+: High speed data services
4G: Multi-homed terminal
Cell
Cell is a geographical area covered by an
Cell size
Depends on the frequencies and the power level used
The higher the frequency, the smaller the cell
The higher the power level, the bigger the cell
Different cell sizes
Cellular networks
The network is organized in partially overlapping cells that cover the area where the operator wants to provide services
Handover
The change of cell of a mobile
The handover procedure ensures the
continuity of the ongoing communication
Handover zone
Frequency reuse
The reuse of the same frequency in disjoint cells allows large-scale coverage
A k-cell reuse pattern is defined as the smallest group of cells containing a set of channels which are used only once
[Figure: reuse pattern with the frequencies F1, F2 and F3 repeated over the cells; K = 3]
Air interface
Terminals communicate with the central antenna via
the air interface
Use frequency bands specific to each country
In Europe: GSM 900 MHz – DCS 1800 MHz
In the US: DCS 1900 MHz
Air interface specification
Modulation techniques, encoding scheme and multiple
Multiple access procedures
The air interface is responsible for sharing the frequency bands between users
The multiple access procedure prevents collisions
FDMA (Frequency Division Multiple Access) used in the
first generation
TDMA (Time Division Multiple Access) used in GSM
CDMA (Code Division Multiple Access) used in UMTS
FDMA
The frequency band f is divided into n
channels allowing n mobiles to transmit
simultaneously
[Figure: FDMA channels; axes: frequency, time]
TDMA
Time is divided into time slots which are assigned to different mobiles
[Figure: TDMA; axes: frequency, time; label: totality of bandwidth]
CDMA
The mobiles in a cell share the same radio channel by using a code
assigned by the system which determines the frequencies and the power levels used
Allows the reuse of the same frequencies in adjacent cells
GSM architecture (1)
[Figure: GSM architecture. Radio Sub-System: BTS, BSC. Network Sub-System: MSC, GMSC, HLR, VLR, AuC. Interfaces: Um, Abis, A. The GMSC connects to the RTC (public switched telephone network)]
BTS: Base Transceiver Station
BSC: Base Station Controller
MSC: Mobile service Switching Center
GMSC: Gateway MSC
VLR: Visitor Location Register
HLR: Home Location Register
AuC: Authentication Center
GSM architecture (2)
Radio Sub-System
BTS (Base Transceiver Station)
BSC (Base Station Controller)
Network Sub-System
MSC (Mobile service Switching Center)
Two databases
HLR (Home Location Register)
VLR (Visitor Location Register)
AuC (Authentication Center)
Mobile terminal
Radio sub-system
Air interface transmission and radio resource management
Base station (BTS)
Responsible for radio transmission
Modulation, demodulation, equalization, error recovery
TDMA multiplexing, frequency hopping, encryption, radio measurements
Base station controller (BSC)
Radio resource management
Channel allocation
Analyzes the measurements made by the BTSs to control the power of the mobiles or the BTSs
Handover decision
Network Sub-System (1)
Mobile switching center (MSC)
Switching matrix
Call establishment between a mobile and another MSC
MSC level handover execution
Mobility management (VLR look-up for outgoing call, transfer of location information)
Network Sub-System (2)
Two databases for subscriber management
Home Location Register (HLR)
Database containing information about the subscribers of an operator
Subscriber information: subscriber identity (IMSI), telephone number (MSISDN), service profile (supplementary services, international call authorization), the number of the VLR where the mobile is registered
Visitor Location Register (VLR)
Database containing information about the users present in a geographical area managed by the VLR
User information: IMSI, MSISDN as in the HLR, and in addition the TMSI
Authentication center (AuC) associated with the HLR
Contains the secret key of each subscriber for the authentication and the encryption of the communications
Mobile terminal
A smart card (SIM card) containing the subscriber identity
Subscriber identity authentication is realized between the SIM card and the authentication center (AuC)
SIM card: IMSI (International Mobile Subscriber Identity), Ex: 208 01 314159
Terminal: IMEI (International Mobile Equipment Identity)
User: MSISDN (Mobile Station ISDN Number), Ex: 33 6 07 62 17 73
Addressing
IMSI
Permanent identity of the subscriber, which is only used inside the network
TMSI
Temporary identity used to identify the mobile in the exchange over the air interface
MSISDN
The telephone number of the subscriber
MSRN
A number assigned for the call establishment with a fixed network
IMSI
Each subscriber has an international identity, the IMSI
MCC (Mobile Country Code)
Home country code of the subscriber
Ex: 208 for France
MNC (Mobile Network Code)
Home network code of the subscriber
Ex: 01 for France Télécom, 10 for SFR
MSIN (Mobile Subscriber Identification Number)
Subscriber number inside the home network
TMSI
Temporary Mobile Subscriber Identity
Locally assigned to the mobile within the area managed by the current VLR
Only known at the MS-MSC/VLR levels, not by the HLR
Used to identify the mobile during the call establishment
For each change of VLR, a new TMSI must be assigned
The structure of the TMSI depends on the operator (encoded over 4 bytes)
The use of the TMSI is optional (depends on the operator)
MSISDN
Mobile Station ISDN Number
Follows the international numbering plan E.164
CC (Country Code)
Indicates the country of the home network of the subscriber
Ex: 33 for France
NDC (National Destination Code)
Indicates a particular network within the country
SN (Subscriber Number)
Freely assigned by the operator
Identity exchanges
IMEI
International Mobile Equipment Identity
<= 15 digits
Uniquely references a terminal equipment
TAC (Type Approval Code)
Provided by the manufacturer when the device type is approved
FAC (Final Assembly Code)
Identifies the factory where the terminal is made
SNR (Serial Number)
Freely assigned by the manufacturer
Spare (SP)
Subscriber identity confidentiality
Limit the transmission of the IMSI over the air interface
Use the TMSI
The TMSI - IMSI mapping is managed at the VLR level
The TMSI is sent to the mobile in encrypted mode
[Figure: exchange over the radio interface; label: encryption procedure]
Authentication and encryption (1)
Elements
Two keys: authentication key Ki, encryption key Kc
Three algorithms: A3, A5, A8
Random number RAND
Principles
Each subscriber has a key Ki stored in the SIM card together with the IMSI, and in the AuC of the network operator
For encryption
The encryption key Kc is generated by the A8 algorithm from the Ki key and the random number RAND
The A5 algorithm uses the Kc key for data encryption
For authentication
The A3 algorithm generates a number SRES from the Ki key and the random number RAND
Authentication and encryption (2)
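[Figure: authentication and encryption between the HLR/AuC (Authentication Center) and the mobile terminal (SIM card), which both hold Ki. Ki: authentication key. Kc: encryption key.
The network sends the challenge (RAND). Each side runs A3 and A8 on RAND with Ki: the network obtains RES and Kc, the SIM card obtains RES' and Kc. The mobile returns the response (RES').
RES = RES'? Yes: authenticated. No: rejected.
Encrypted communication: A5 with Kc performs encryption/decryption on both sides]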
Subscriber identity authentication
Allows the verification of the identity sent by the mobile (IMSI or TMSI)
For each location update, call establishment, service activation/deactivation
Data confidentiality
Kc key establishment
The encryption/decryption algorithm is implemented in the BTS
Encryption is activated on request of the MSC
Triplet
A network that uses the triplets to authenticate and to activate the encryption does not need to know the A3 and A8 algorithms
The triplets are calculated by the AuC and sent to the MSC/VLR
Each operator can have its own A3 and A8 algorithms
The subscriber is always authenticated by the algorithms of their home network
Generate from 1 to n
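The triplet mechanism described above, as an added Python example that is not part of the original slides. It assumes the standard GSM triplet (RAND, SRES, Kc) with a 128-bit RAND, 32-bit SRES and 64-bit Kc; HMAC-SHA256 is only a stand-in for the operator-specific A3/A8, and the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 (HMAC-SHA256, NOT a real GSM
    algorithm). Returns (SRES, Kc) with the GSM sizes: 32 and 64 bits."""
    mac = hmac.new(ki, rand, hashlib.sha256).digest()
    return mac[:4], mac[4:12]

class AuC:
    """Home network: the only network element that knows Ki and A3/A8."""
    def __init__(self):
        self._ki = {}                                  # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki

    def triplets(self, imsi: str, n: int):
        """Compute n triplets (RAND, SRES, Kc) for the MSC/VLR."""
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)             # 128-bit challenge
            sres, kc = a3_a8(self._ki[imsi], rand)
            out.append((rand, sres, kc))
        return out

class SIM:
    """Subscriber side: Ki stays on the card, only SRES is sent back."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def challenge(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

class VLR:
    """Visited network: only compares triplet values, never sees Ki or A3/A8."""
    def __init__(self, auc: AuC):
        self._auc, self._store = auc, {}

    def authenticate(self, sim: SIM):
        """Return Kc (to be used by A5 in the BTS) or None on failure."""
        pending = self._store.setdefault(sim.imsi, [])
        if not pending:                                # fetch a fresh batch
            pending.extend(self._auc.triplets(sim.imsi, 3))
        rand, sres, kc = pending.pop(0)                # this example uses each triplet once
        if hmac.compare_digest(sim.challenge(rand), sres):
            return kc
        return None

    def remaining(self, imsi: str) -> int:
        return len(self._store.get(imsi, []))
```

A SIM holding the right Ki ends up with the same Kc as the VLR without Kc or Ki ever crossing the radio interface; a card with a different Ki fails the SRES comparison.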
Global view of security
Location management
The system has to know at any time the location of each mobile in order to be able to reach it
The mobile must stay active (i.e. standby mode), even if there is no communication, in order to signal its movements to the system
Location Area Identification
Location area is a group of cells
Each location area is identified by a LAI (Location Area Identification)
address
MCC: country code (as in IMSI)
MNC: network code (as in IMSI)
LAC (Location Area Code) (<= 2 bytes): assigned by the operator
[Figure: cells grouped into location areas; label: location area boundary]
Location management (1)
A VLR can manage several location areas
A location area cannot include cells belonging to different VLRs
Only the VLR knows the current location area of the managed mobiles
The HLR knows the identity of the current VLR of each subscriber but does not know its location area
The location update is initiated by the mobiles upon a change of location area
A periodic location update is also possible, with the period controlled by the network
Location management (2)
IMSI Attach/Detach procedure
To avoid useless searches for turned-off mobiles, a parameter in the MSC/VLR indicates whether the mobile is reachable
When a mobile is turned on, the IMSI Attach procedure re-attaches this mobile to its location area
If the VLR contains the information of the mobile, no message is sent to the HLR (equivalent to an update without change of VLR)
When the mobile is switched off, or when the VLR is not in contact with a mobile during a certain period, the network can
Paging procedure
To search for a subscriber for an incoming call, the MSC broadcasts a paging message containing the TMSI (or the IMSI in the absence of TMSI) of the callee in the cells belonging to its location area
The mobile responds to the paging message, then performs the authentication and encryption
The call establishment duration is about 8 seconds
Air interface
Frequency bands
Uplink: 890 – 915 MHz
Downlink: 935 – 960 MHz
Frequency bands are divided into channels of 200 kHz
In a channel, the signals are modulated and transmitted
around a carrier frequency at the center of the channel
In GSM 900
124 carriers available for each downlink or uplink frequency band
TDMA in GSM
Each carrier is divided into time slots
$T_{slot} = (75/130) \times 10^{-3}\ \text{s} = 0{,}5769\ \text{ms}$
In the same carrier, 8 slots are grouped to form a TDMA frame
$T_{TDMA} = 8 \times T_{slot} = 4{,}6152\ \text{ms}$
Each user uses one time slot per TDMA frame
A physical channel consists of the periodic repetition of a time slot in successive TDMA frames
TDMA frame
[Figure: TDMA frame (4,6152 ms) made of slots 0 to 7; slot duration ~577 µs]
Duplexing
A duplex physical channel corresponds to two
simplex physical channels
$f_u(i) = f_d(i) - \Delta W_{duplex}$
$f_d(i)$: downlink frequency
$f_u(i)$: uplink frequency
$\Delta W_{duplex}$ is the duplex interval (45 MHz in GSM)
The downlink frequencies in GSM 900
$f_d = 935 + (0{,}2 \times n)$, $1 \le n \le 124$
A mobile sends and receives at different moments, separated by an interval of three slots
Duplex physical channel
[Figure: duplex physical channel; axes: frequency, time; downlink slots 0 to 7 at $f_d$ and uplink slots 0 to 7 at $f_u$, separated by the duplex interval]
Voice transmission (1)
Voice transmission (2)
[Figure: voice transmission chain; labels: analog voice frame, speech coding, unprotected voice, channel coding, interleaving]
Speech coding
Full-rate
13 kbps
Voice is sampled at 8 kHz to form 20 ms frames
The RPE-LTP codec (Regular Pulse Excitation – Long Term Prediction) transforms the 20 ms voice segments into 260-bit blocks
Half-rate
5,6 kbps
Channel coding (1)
The 260 bits of voice do not all have the same importance
Class I.a – 50 bits very sensitive to errors
Class I.b – 132 bits sensitive to errors
Class II – 78 bits less sensitive to errors
Channel coding (2)
[Figure: channel coding. The 50 class I.a bits receive a 3-bit CRC (53 bits); together with the 132 class I.b bits and 4 tail bits this gives 189 bits, which the convolutional code turns into 378 bits]
Interleaving (1)
Interleaving is used to randomize the error positions, since errors in wireless networks are usually bursty
The encoded symbols are permuted before their transmission to make the error correction at the receiver easier
Interleaving consists in
Mixing the bits of a block
Distributing the symbols over a set of bursts
Interleaving (2)
[Figure: the bits b0 to b455 are written row by row, 8 per row (b0 ... b7, b8 ... b15, ..., b448 ... b455, rows 1 to 57), and read column by column to form the 8 half-blocks A0 to A7]
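The write-by-row, read-by-column step of the figure above, as an added Python example that is not part of the original slides. It only covers the mixing of one 456-bit block into 8 half-blocks (not the distribution over bursts); the function names and the test pattern are constructed for the illustration.

```python
ROWS, COLS = 57, 8          # 57 rows of 8 bits = 456 coded bits per voice block

def interleave(block):
    """Write row by row, read column by column:
    half-block j holds the bits j, j+8, j+16, ..."""
    if len(block) != ROWS * COLS:
        raise ValueError("expected a 456-bit block")
    return [block[j::COLS] for j in range(COLS)]

def deinterleave(half_blocks):
    """Inverse operation at the receiver."""
    block = [0] * (ROWS * COLS)
    for j, half in enumerate(half_blocks):
        block[j::COLS] = half
    return block

def longest_error_run(sent, received):
    """Length of the longest run of consecutive bit errors."""
    best = run = 0
    for s, r in zip(sent, received):
        run = run + 1 if s != r else 0
        best = max(best, run)
    return best

def burst_demo(burst_len=20, half_block=3, start=10):
    """Flip burst_len consecutive bits of one transmitted half-block (a
    constructed burst error) and return the longest error run as transmitted
    and after deinterleaving."""
    sent = [(i * 7 + 3) % 2 for i in range(ROWS * COLS)]   # constructed pattern
    tx = interleave(sent)
    rx = [list(half) for half in tx]
    for i in range(start, start + burst_len):
        rx[half_block][i] ^= 1
    on_air = longest_error_run(sum(tx, []), sum(rx, []))
    after = longest_error_run(sent, deinterleave(rx))
    return on_air, after
```

A burst of 20 consecutive errors on the air comes back as isolated single-bit errors spaced 8 positions apart, which is what the convolutional decoder handles best.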
Interleaving (3)
[Figure: the half-blocks of successive blocks (A0 ... A7, B0 ... B7, C0 ... C7) are combined into bursts; example burst: odd bits from A0, even bits from B4]
Burst fields: 3 bits, 58 bits, 26 bits, 58 bits, 3 bits, 8,25 bits
Burst structure
[Figure: burst carried in one slot of a TDMA frame (slots 0 to 7)]
Logical channels (1)
Over physical channels, logical channels are
defined for different purposes
User data transmission
Control functions
The mobile can use the best base station
Establish a communication
Monitor a communication
Realize the handovers
Multiframe
A multiframe is a succession of a given slot
The time interval between two slots of a multiframe is 4,615 ms
[Figure: TDMA frames and multiframe]
Multiframe, superframe and hyperframe (1)
Two structures of multiframe have been defined
Multiframe of 26 frames
Duration of 120 ms
Multiframe of 51 frames
Duration of 235,8 ms
Superframe
To have a common structure for the two types of multiframe
Composed of [26 multiframes of 51 frames] or [51 multiframes of 26 frames]
Hyperframe
Multiframe, superframe and hyperframe (2)
[Figure: multiframes grouped into a superframe, superframes grouped into a hyperframe]
TCH-SACCH multiplexing (1)
TCH-SACCH multiplexing (2)
1 voice block lasts 20 ms
260 bits to send in 8 half-bursts (4 bursts)
1 burst of voice every 5 ms is required
A 26-frame multiframe lasts 120 ms
6 voice blocks (24 bursts) to send
The mobile has 26 slots
2 slots are available
1 slot for the SACCH channel
1 slot of pause (the mobile listens to and analyzes the beacons of the neighbor cells)
SACCH
Slow Associated Control Channel
Control physical parameters of the link
Measure the round trip delay
Control the power level of the terminal
Control the link quality
Analyze the measurements made over the
FACCH
Fast Associated Control Channel
The low data rate of the SACCH channel (380 bps) is not sufficient for handover execution
The TCH channel is temporarily stolen for signaling
[Figure: normal burst; labels: data bits (TCH or FACCH), even data bits, odd data bits, sequence]
Beacon channel (1)
Each base station has a beacon channel
Allows the mobiles to be in permanent contact
with the best base station
Plays an important role to realize roaming and
Beacon channel (2)
Corresponds to a particular frequency, one of
the frequencies allocated to the base station
A neighbor mobile periodically measures the
signal level over this channel
Allows a mobile to determine whether it is in
the coverage of a base station, near or far
from the base station
Beacon channel (3)
Information
Specific form of signal
Allows the mobiles to detect the presence of a base station and synchronize in terms of time and frequency
System information
Network identity and access characteristics
Mobile terminal
Turned on
Seeking the beacon channel of the best BTS
Standby
RACH – AGCH – PCH
Random Access CHannel
When the mobile wants to perform a control operation with the network (location update, call request, etc.), it must inform the network by sending a request over the RACH channel
Access Grant CHannel
When the network receives a request, it allocates a dedicated signalling channel by sending an allocation message over the AGCH channel containing the carrier number and the slot number
Paging CHannel
When the network wants to communicate with a mobile (for a call, an authentication, etc.), it broadcasts the identity of the mobile over a set of cells using the PCH channel
Network planning
Blocking probability
Erlang-B table
N: the number of servers
Example (1)
Consider an area with a population of 10 000 subscribers, each generating a traffic of 25 mE. 24 frequencies are available and allocated to cells following a reuse pattern with K=12. The acceptable blocking ratio is fixed to 2%.
Determine the number of cells needed to cover the area
Example (2)
Example (3)
The number of TCH per cell
(2 * 8) – 2 = 14
Each cell can support at most 14 simultaneous
communications
With the blocking ratio of 2%, the traffic that
can go through a cell is 8,2 Erlang
Example (4)
Each cell can serve
8,2 / 0,025 = 328 subscribers
The number of cells necessary for the
considered area is
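The dimensioning steps of this example, as an added Python example that is not part of the original slides. It replaces the Erlang-B table look-up by the Erlang-B recurrence and a bisection; the function names are hypothetical, and the two slots subtracted per cell are taken from the slide's (2 * 8) – 2 as slots not available for traffic.

```python
import math

def erlang_b(traffic: float, servers: int) -> float:
    """Blocking probability for `traffic` Erlang offered to `servers` channels
    (numerically stable recurrence, no factorials)."""
    b = 1.0
    for n in range(1, servers + 1):
        b = traffic * b / (n + traffic * b)
    return b

def max_traffic(servers: int, blocking: float) -> float:
    """Largest offered traffic whose blocking stays <= `blocking` (bisection);
    this is the value one reads from an Erlang-B table."""
    lo, hi = 0.0, float(servers)
    while erlang_b(hi, servers) < blocking:    # widen the bracket if needed
        hi *= 2
    for _ in range(60):
        mid = (lo + hi) / 2
        if erlang_b(mid, servers) <= blocking:
            lo = mid
        else:
            hi = mid
    return lo

def plan(subscribers, traffic_per_sub, frequencies, k, blocking,
         slots_per_carrier=8, control_slots=2):
    """Dimension an area the way the slides do. control_slots is the '- 2' of
    (2 * 8) - 2, assumed here to be slots not available for traffic."""
    carriers_per_cell = frequencies // k
    tch = carriers_per_cell * slots_per_carrier - control_slots
    capacity = max_traffic(tch, blocking)
    subs_per_cell = int(capacity / traffic_per_sub)
    cells = math.ceil(subscribers / subs_per_cell)
    return {"tch": tch, "erlang": round(capacity, 1),
            "subs_per_cell": subs_per_cell, "cells": cells}

# The slide's figures: 10 000 subscribers, 25 mE each, 24 frequencies, K=12, 2%
EXAMPLE = plan(10_000, 0.025, 24, 12, 0.02)
```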
References