CS Cellular and Mobile Network Security: CDMA/UMTS Air Interface

Full text

(1)

CS 8803 - Cellular and Mobile

Network Security:

CDMA/UMTS Air Interface

Hank Carter

Professor Patrick Traynor

10/4/2012

(2)

Georgia Tech Information Security Center (GTISC)

UMTS and CDMA

3G technology - major change from GSM (TDMA)

Based on techniques originally employed by Verizon

(IS-95)

Signal is encoded so that it can be recovered from

“noise” (other signals)

(3)

New Considerations

Technology differences

‣ Power control

‣ Frequency re-use & handoffs

‣ Number of users

‣ Modulation (Phase Shift Keying)

Traffic differences

(4)

Georgia Tech Information Security Center (GTISC)

Code Division Multiple Access

4

used in several wireless broadcast channels (cellular, satellite, etc) standards

unique “code” assigned to each user; i.e., code set partitioning

all users share same frequency, but each user has own

“chipping” sequence (i.e., code) to encode data

encoded signal = (original data) X (chipping sequence)

decoding: inner-product of encoded signal and chipping

sequence

allows multiple users to “coexist” and transmit simultaneously

with minimal interference (if codes are “orthogonal”)

(5)

CDMA Encode/Decode

slot 1 slot 0 Zi,m= di.cm d0 = 1 1 1 1 1 1 - -1 -1 -1 1 1 1 1 1 - -1 - 11 -1 -1 -1 1 1 -1 - -1 -1 slot 0 channel output slot 1 channel output

channel output Zi,m

sender code data bits slot 1 slot 0 d1 = -1 d0 = 1 slot 0 channel output slot 1 channel output receiver code received input Di = ΣZi,m.cm m=1 M M d1 = -1 1 1 1 1 1 - -1 -1 -1 1 1 1 1 1 -1 - -1 -1 1 1 1 1 1 - -1 -1 -1 1 1 1 1 1 - -1 -1 -1 1 1 1 1 1 - -1 - 11

(6)

-Georgia Tech Information Security Center (GTISC)

CDMA: two-sender interface

(7)

CDMA Benefits

Higher capacity

‣ interference limited = high efficiency

‣ uses voice activity detection to reduce transmission bandwidth

Improved quality

‣ soft handoff

‣ CDMA has frequency, spatial, and time diversity to adapt to errors

Ease of deployment

‣ no frequency planning; frequency reuse = 1

Increased talk time

‣ power control ensures that the UE transmits at optimum power,

(8)

Georgia Tech Information Security Center (GTISC)

CDMA Privacy

Given that all signals look like noise unless you have the

despreading sequence, what sort of privacy does CDMA

offer?

(9)

Universal Mobile Telecommunications System: UMTS

Specifications:

‣ Frequencies: 700, 850, 900, 1700, 1900, 2100 MHz (5 MHz

channels) worldwide; FDD

‣ Chipping codes: up to 512 bits

‣ Power control: up to1500x per second

‣ Time division: 10 ms frames, 1 frame = 15 time slots

Borrows extensively from GSM protocols

Major changes:

‣ CDMA Technology: Channel structure/handoffs/power

control

‣ Security -- increased use of cryptographic constructions

(10)

Georgia Tech Information Security Center (GTISC)

Entities: New names, old faces

10 BTS BSC BTS BTS MS

UE = User Equipment

Node-B

RNC = Radio Network Controller

UE

RNC

Node-B

(11)

Channels: Old & New

GSM

BCCH

PCH

AGCH

SDCCH

TCH

RACH

SCH

CCCH

UMTS

BCCH

PCH

AICH

DCCH

DTCH

RACH

SCH

CCCH

(12)

Georgia Tech Information Security Center (GTISC)

Channel Types

Logical: defines a logical task or use in the network

Transport: defines the way logical data is prepared

Physical: defines the actual channel (i.e. chipping code)

used to transmit data

(13)

Logical Channels

Broadcast Control Channel (BCCH): Provides common information about the cell to UEs.

Paging Control Channel (PCCH): Provides information about incoming calls and how to listen for them.

Dedicated Control Channel (DCCH): A two-way assigned channel that carries control information to and from a single UE.

Common Control Channel (CCCH): A two-way shared channel that carries control information.

Dedicated Traffic Channel (DTCH): A two-way assigned channel that carries traffic to and from a single UE.

(14)

Georgia Tech Information Security Center (GTISC)

Transport Channels

Dedicated Transport Channel (DCH): carries data to and from a specific UE

Broadcast Channel (BCH): Broadcasts network and cell information

Forward Access Channel (FACH): Carries control information to UEs for shared channels.

Random Access Channel (RACH): Carries channel requests to the network from the UE.

Paging Channel (PCH): Carries incoming call alerts.

Uplink Common Packet Channel (CPCH): Carries packet data to the network.

Downlink Shared Channel (DSCH): Carries packet data to the UE.

(15)

Physical Channels: Signaling

Forward (to UE):

‣ Primary Common Control Physical Channel (PCCPCH): Carries the BCH

‣ Secondary Common Control Physical Channel (SCCPCH): Carries the

FACH and the PCH

‣ Synchronization Channel (SCH): Synchronizes time with the network

‣ Common Pilot Channel (CPICH): Informs the user of the Primary

Scrambling Code (PSC)

‣ Acquisition Indicator Channel (AICH): Used to carry dedicated channel

assignments to UEs

‣ Paging Indication Channel (PICH): Provides the UE with information about

how pages are sent. This informs the UE how often to wake up and listen for pages.

Reverse (to Node-B):

(16)

Georgia Tech Information Security Center (GTISC)

Physical Channels: Traffic

Bi-Directional:

‣ Dedicated Physical Data Channel (DPDCH): Carries a DCH

‣ Dedicated Physical Control Channel (DPCCH): Carries control

information (e.g., identifiers, power control)

Forward (to UE):

‣ Physical Downlink Shared Channel (PDSCH): carries packet data to a UE.

‣ CPCH Status Indication Channel (CSICH): Indicates the status of the

CPCH

‣ Collision Detection/Channel Assignment Indication Channel

(CD/CA-ICH): Indicates if data sent over the CPCH has been successfully received or if a collision occurred.

Reverse (to Node-B):

‣ Physical Common Packet Channel (PCPCH): Carries the CPCH

(17)

How a connection is made

Synchronize Time (SCH)

Acquire cell information (PCCPCH) Acquire PSC (CPICH)

(18)

Georgia Tech Information Security Center (GTISC)

How a call is sent/received

18

Node-B

UE

Page sent over PCH (SCCPCH) Page response over RACH (PRACH) Chipping & scrambling code assigned (AICH) Authentication over DCCH (DPDCH + DPCCH)

(19)

Mappings

(20)

http://www.authorstream.com/Presentation/3627946-387767-wcdma-air-interface-fundamentals-science-Georgia Tech Information Security Center (GTISC)

Spreading Codes

Orthogonal Variable Spreading Factor (OVSF) vs

scrambling codes

‣ OVSF codes are typical chipping/spreading codes

‣ Scrambling codes can be multiplied into OSVF codes to

provide more user channels

Long vs. short codes

‣ Uplink: code lengths up to 256 (+ 16.8 M scrambling codes)

‣ Downlink: code lengths up to 512

‣ Why are these numbers different?

(21)

Power Control

CDMA provides optimal performance when all signals

are received at approximately the same strength.

When a DTCH is assigned, the Node-B sends reports of

the RSS (received signal strength) to the UE, alerting it

at what power to transmit.

Power control commands sent up to 1500 times per

(22)

Georgia Tech Information Security Center (GTISC)

Handoffs

4 types: hard, soft, softer, network (2G 3G)

Soft handoff overview:

‣ Frequency reuse = 1

‣ UE will receive signal from multiple

Node-Bs.

‣ Extract signals of old and new tower

simultaneously using different chipping codes.

‣ Remain connected to old Node-B until re-registered with

new Node-B

Figure

Updating...

Related subjects :