Mobile Communications Chapter 4: Wireless Telecommunication Systems

(1)

Mobile Communications

Chapter 4: Wireless

Telecommunication Systems



Market



GSM



Overview



Services



Sub-systems



Components



GPRS



DECT

Not a part if this course!



TETRA

Not a part if this course!

(2)

1946 – First commercial mobile radio-telephone service by Bell and AT&T

in Saint Louis, USA. Half duplex

1973 – First handheld cellular phone

– Motorola.

1978 – First cellular net in Bahrein

1979 – NMT at 450MHz (Scandinavian countries)

1992 – Start of GSM

It all started like this

(3)

Basic Definitions

•

Forward Link, Downlink, Downstream

•

The path from the network or base station to the mobile

•

GSM terminology uses “Downlink”

•

CDMA, AMPS and TDMA use “Forward Link”

•

Most wireline technologies use “Downstream”

•

Reverse Link, Uplink, Upstream

•

The path from the mobile to the network or base station

•

GSM terminology uses “Uplink”

•

CDMA, AMPS and TDMA use “Reverse Link”

(4)

Duplex Techniques

Frequency channels

time time

Forward Link

Reverse Link

Forward Link

FDD

TDD

Frequency Division Duplex (FDD), Time Division Duplex (TDD)

GSM

UMTS

(5)

GSM

1982 The GSM group was formed

1986 Field trials in France

1987 TDMA was chosen as access method

1988 Memorandum of understanding -18 countries

1991 Phase I specifications published

1990 GSM specifications ported to DCS 1800

1992 Official commercial launch of GSM in Europe

1995 GSM specifications ported to PCS 1900

2000 Responsibility for GSM Standard transferred to 3GPP (3rd

Generation Partnership Project)

(6)

GSM frequency bands

•

890-915 MHz Uplink

•

935-960 MHz Downlink

•

1710-1785 MHz Uplink

•

1850-1910 MHz Uplink

•

900 MHz

•

2*25 MHz Bands

•

45 MHz Duplex Spacing

•

125 carriers

•

1800 MHz

•

2*75 MHz Bands

•

375 carriers

•

1900 MHz

•

2*60 MHz Bands

•

300 carriers

North America

(7)

SYSTEM ARCHITECTURE

PSTN

GMSC

ISDN

PLMN

MSC

BSC

BTS

BSC

MSC

HLR

VLR

AUC

EIR

MS

AUC: AUthentication Center

OMC: Operation and Managing Center BTS: Base Tranciver Staition

BSC: Base Station Controller EIR: Equipment Identity Register GMSC: Gateway MSC

HLR: Home Location Register MS: Mobile Station

MSC: Mobile Switching Center VLR: Visiting Location Register

OMC

(8)

GSM: elements and interfaces

NSS MS MS BTS BSC GMSC IWF OMC BTS BSC MSC MSC Abis Um EIR HLR VLR VLR A PDN ISDN, PSTN RSS radio cell radio cell MS AUC OSS signaling O

The Radio Station Subsystem (RSS)

-The Wireless Part

Base Transceiver Station (BTS),

cell coverage, comprises radio specific

functions

Base Station Controller (BSC)

controls several BTSs, the switching

center for radio channels

Functions BTS BSC

Management of radio channels X Frequency hopping (FH) X X Management of terrestrial channels X Mapping of terrestrial onto radio channels X Channel coding and decoding X

Rate adaptation X

Encryption and decryption X X

Paging X X

Uplink signal measurements X

Traffic measurement X

Authentication X

(9)

GSM: elements and interfaces

NSS MS MS BTS BSC GMSC IWF OMC BTS BSC MSC MSC Abis Um EIR HLR VLR VLR A BSS PDN ISDN, PSTN RSS radio cell radio cell MS AUC OSS signaling O

Network Switching SubSystem

NSS is the main component of the public

mobile network GSM

switching, mobility management,

interconnection to other networks,

system control

(10)

GSM: elements and interfaces

The Network Switching Subsystem (NSS)

-The Mobile Switching Centre (

MSC

) manages a

large number of BSCs

Gateway Mobile Switching Centre (

GMSC

) is

the gateway to other networks

Various Registers (data bases)

Signalling messages and data base accesses

are transported by the Signalling System Nr. 7

(

SS7

) using the Mobile Application Part (MAP)

(11)

The MSC plays a central role in GSM

controls all connectionsvia a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC

•switching functions

•additional functions for mobility support •management of network resources

•interworking functions via Gateway MSC (GMSC) •integration of several databases

Functions of a MSC

•specific functions for paging and call forwarding •mobility specific signaling

• location registration and forwarding of location information •support of short message service (SMS)

•generation and forwarding of accounting and billing information

(12)

GSM: elements and interfaces

Home Location Register (HLR)

Central master database containing user data,

permanent and semi-permanent data of all

subscribers assigned to the HLR

* usually one HLR per provider

* primarilly a data base for subscriber data.

* Subscriber identifiers service profiles, etc.

* Localization information (current VLR, MSC)

* Is a platform for all kinds of services

Visitor Location Register (VLR)

local database for a subset of user data, including

data about all user currently in the domain of the

VLR

* usually one VLR per MSC

(13)

The OSS (Operation Subsystem) enables

centralized operation, management, and

maintenance of all GSM subsystems



Components

Authentication Center (AUC)

Equipment Identity Register (EIR)

Operation and Maintenance Center (OMC)

different control capabilities for the radio

subsystem and the network subsystem

(14)

Equipment Identification Register (EIR)

registers GSM mobile stations and user rights

stolen or malfunctioning mobile stations can be

locked and sometimes even localized

•stores serial numbers (IMEI) of MS equipment

(models, software versions, black list)

Authentication Centre (AUC)

generates user specific authentication parameters

on request of a VLR authentication parameters

used for authentication of mobile terminals and

encryption of user data on the air interface within

the GSM system

(15)

GSM: Mobile Services

GSM offers



several types of connections



voice connections, data connections, short message service



multi-service options (combination of basic services)

Three service domains



Bearer Services: to transfer data between access points



Telematic Services: mobile telephony, SMS, MMS



Supplementary Services: conferencing, suppression of number forwarding,

etc.

GSM-PLMN

transit

network

(PSTN, ISDN)

source/

destination

network

TE

bearer services

tele services

R, S

U

_m

(U, S, R)

MT

MS

(16)

Bearer Services



Bearer services to transfer data between access points



Specification of services up to the terminal interface (OSI layers 1-3)



Different data rates for voice and data (original standard)



data service (circuit switched)



synchronous: 2.4, 4.8 or 9.6 kbit/s



asynchronous: 300 - 1200 bit/s



data service (packet switched)



synchronous: 2.4, 4.8 or 9.6 kbit/s



asynchronous: 300 - 9600 bit/s

(17)

Tele Services I



Telecommunication services that enable voice communication

via mobile phones



All these basic services have to obey cellular functions, security

measurements etc.



Offered services



mobile telephony

primary goal of GSM was to enable mobile telephony offering the

traditional bandwidth of 3.1 kHz



Emergency number

common number throughout Europe (112); mandatory for all

service providers; free of charge; connection with the highest

priority (preemption of other connections possible)



Multinumbering

(18)

Tele Services II

Additional services



Non-Voice-Teleservices



group 3 fax



voice mailbox (implemented in the fixed network supporting the mobile

terminals)



electronic mail (MHS, Message Handling System, implemented in the fixed

network)



...



Short Message Service (SMS)

alphanumeric data transmission to/from the mobile terminal using the

signaling channel, thus allowing simultaneous use of basic services and

SMS

(19)

Supplementary services



Services in addition to the basic services, cannot be offered

stand-alone



Similar to ISDN services besides lower bandwidth due to the

radio link



May differ between different service providers, countries and

protocol versions



Important services



identification: forwarding of caller number



suppression of number forwarding



automatic call-back



conferencing with up to 7 participants



locking of the mobile terminal (incoming or outgoing calls)

(20)

GSM Mobile Communications

The GSM 900 MHz Frequency Band

860 870 880 890 900 910 920 930 940 950 960 970

25 MHz

10

4

P-GSM

E-GSM

R-GSM

*)

*) several other Systems:

-

Cordless Telephone CT1, CT1+, CT2

- Telemetry / Telecommand

- Terrestrial Trunked Radio (TETRA)

- Digital Satellite System Receiver (DSSR)

Uplink

Downlink

Duplex Distance 45 MHz

(21)

The GSM 1800, DECT and UMTS Bands

1700 1750 1800 1850 1900 1950 200 2050 2100 2150 2200 2250

75 MHz

UMTS

GSM 1800

DECT

1: Time Division Duplex (

TDD

)

2: Frequency Division Duplex (

FDD

)

3: Mobile Satellite System (

MSS

)

Uplink

Downlink

Duplex Distance

95 MHz

75 MHz

(22)

R

cell radius

K

cluster size

D

repeating

distance

Spatial Frequency Re-use in Cell Clusters

1

2

3

1

2

3

1

2

3

1

2

3

5

4

6

7

1

2

3

5

4

6

7

1

2

3

5

4

6

7

1

2

3

5

4

6

7

1

2

3

K = 12

D

R

5

4

6

7

1

2

3

9

8

10

11

12

5

4

6

7

1

2

3

9

8

10

11

12

5

4

6

7

1

2

3

9

8

10

11

12

5

4

6

7

1

2

3

9

8

10

11

12

K = 7

K = 3

D



R

3

K

(23)

possible radio coverage of the cell

idealized shape of the cell

cell

segmentation of the area into cells

GSM: cellular network



use of several carrier frequencies



not the same frequency in adjacent cells



cell sizes vary from some 100 m up to 35 km depending on user

density, geography, transceiver power etc.



hexagonal shape of cells is idealized (cells overlap, shapes depend on

geography)



if a mobile user changes cells

(24)

MACRO, MICRO AND PICO CELLS

By using small macro

cells in combination with

Tighter Frequency Reuse

and a micro cellular

overlay, the capacity of a

standard 4/12 reuse

cellular network with 7.5

MHz available spectrum

can be increased

eight-fold. The micro cellular

network operates in a

segmented frequency and

from the nearby macro

cells and provides the

additional benefit of

coverage redundancy.

(25)

B = 200 kHz

B

Guard Band

···

f

_N

f

_k

f

₂

f

₁

Radio

Frequency

Channels

Guard Band

f

L

f

1

2

3

4

5

6

7

4.613 ms

156.25 bit/s

0.579 ms

•

A slot lasts for a duration of 156.25 bit times

•

The slot lasts 15/26 ms=579.9 micro s

(27)

f

₂

f

₁

0 1 2 ... 7 0 1

...

0 1 2 ... 7 0 1

GSM Radio Interface U

m

Bursts

156.25 Bits in 576.923 s

(3.6923



s/Bit)

useful part

Power p(t)

t

26 Training Bits

3 Tail Bits

Tail Bits:

Set to zero

Can be used to

Enhance the receiver

performance

(28)

m

Types of Burst

Structure of Normal Burst



2 x 3 Tail Bits (TB)



2 x 58 Encrypted Bits (Payload for Traffic and Control Channels)



2 x 1 Stealing Flag (Switch between Traffic / Control Payload)



2 x 57 Payload Bits



26 Bits Training Sequence (Midamble)



Fixed bit sequence used for channel estimation allowing optimum channel

equalization

Five Different Types of Burst



Normal Burst - Traffic and Control Payload



Frequency Correction Burst - All Zeroes Sequence



Synchronization Burst - Special Fixed Sequence



Access Burst - Extended Guard Period of 68.25 Bits (252



s)

(29)

m

Adaptive Frame Alignment

Thanks to the time shift of 3 time slots between the BTS TX and RX

TDMA frames, the MS is not required to receive and transmit

simultaneously. This simplifies the MS hardware.

The MS continuously aligns its TX frame start based on the Timing

Advance (TA) measurements received from the BTS

The extended guard period of the access burst (252



s) allows a

maximum range between MS and BTS of 35 km.

0 1 2 3 4 5 6 7

BTS

RX

TX

0

MS

0

TA = 2·



t

0 1 2 3 4 5 6 7 TX

0 1 2 3 4 5 6 7 RX



t = s / c

(30)

m

Logical Channels

Control

Channels

(CCH)

Traffic

Channels

(TCH)

Full Rate

(TCH/F)

Half Rate

(TCH/H)

Dedicated

Control

Channels

Stand Alone Dedicated Control Channel (SDCCH)

Fast Associated Control Channel (FACCH)

Slow Associated Control Channel (SACCH)

Common

Control

Channels

Paging Channel (PCH)

Random Access Channel (RACH)

Access Grant Channel (AGCH)

Notification Channel (PCH)

Broadcast

Channels

Synchronization Channel (SCH)

Frequency Control Channel (FCCH)

Broadcast Control Channel (BCCH)

Downlink (DL)

Uplink (UL)

(31)

m

Broadcast Channels

Broadcast Channels are used for

synchronisation purposes and

broadcasting of cell-specific

information in the downlink from

BTS to MS

Frequency Correction Channel (FCCH)

carries information for frequency correction of the MS

Synchronization Channel (SCH)

carries information for frame synchronization of the MS (e.g.

TDMA frame number FN) and for identification of the BTS (e.g

Base Station Identity Code BSIC)

Broadcast Control Channel (BCCH)

broadcasts general information on the BTS as well as

cell-specific information like control channel organisation, frequency

hopping sequences, cell identification, etc.

Control

Channels

(CCH)

Dedicated

Control

Channels

Common

Control

Channels

Broadcast

Channels

(32)

m

Common Control Channels

are point-to-multipoint

channels used mainly for

access control

Paging Channel (PCH) - downlink only

used by the BTS for paging and localizing the MS

Random Access Channel (RACH) - uplink only

used by any MS to request allocation of a signalling channel

(SDCCH). A slotted Aloha protocol is used, so collisions among

concurring MS are quite possible.

Access Grant Channel (AGCH) - downlink only

used to allocate a SDCCH or directly a TCH

Notification Channel (NCH) - downlink only

used to notify MS of voice group and voice broadcast calls (ASCI

feature)

Control

Channels

(CCH)

Dedicated

Control

Channels

Common

Control

Channels

Broadcast

Channels

(33)

m

Dedicated Control Channels

Dedicated Control Channels are

bidirectional point-to-point

channels, that allow authentication,

signalling, handover and the

exchange of measurement values.

Stand Alone Dedicated Control Channel (SDCCH)

used for call setup (authentication, signalling, assignment

of actual TCH), localisation updates and

SMS

Slow Associated Control Channel (SACCH)

is always coupled with a SDCCH or TCH and is used for the

exchange of measurement values and control parameters



Downlink : Control of MS Power Level and MS Timing Advance



Uplink : Measurement reports (MS reception levels) used

by the BTS for its handover-decisions

Fast Associated Control Channel (FACCH)

is activated in case of increased signalling demand e.g. during

Control

Channels

(CCH)

Dedicated

Control

Channels

Common

Control

Channels

Broadcast

Channels

(34)

m

Traffic Channels (TCH)

Full Rate Traffic Channel

(TCH / F)

Speech Codec



Speech @ 13 kbps

(TCH / FS)

Full Rate



Speech @ 12.2 kbps

(TCH / EFS)

Enhanced Full Rate



Data @ 14.4 kbps

(TCH / F14.4)



Data @ 9.6 kbps

(TCH / F9.6)



Data @ 4.8 kbps

(TCH / F4.8)



Data @



2.4 kbps

(TCH / F2.4)

Half Rate Traffic Channel

(TCH / H)

Speech Codec



Speech @ 6.5 kbps

(TCH / HS)

Half Rate



Data @ 4.8 kbps

(TCH / H4.8)



Data @



2.4 kbps

(TCH / H2.4)

Traffic Channels are used for

bidirectional transmission of

circuit switched voice or data.

Traffic

Channels

(TCH)

Full Rate

(TCH/F)

Half Rate

(TCH/H)

(35)

PCH

Paging Channel

RACH

Random Access Ch.

AGCH

Access Grant Ch.

SDCCH

Stand-alone

Dedicated Control

Channel

FACCH

Fast Associated

Control Channel

TCH

Traffic Channel

m

Call Setup (MS terminating)

MS

Paging Request

BTS

PCH

Paging Response

Call Confirmation

Assign Command

Setup

Authentication / Cipher Mode

SDCCH

Voice or Data

PCH

Channel Assignment

AGCH

Channel Request

RACH

Assign Completion

Connect Acknowledge

Alert

Connect

FACCH

(36)

m

Enhanced Full Rate Voice Channel Coding

every

20 ms

78

182

78

182

3 bit CRC

4 tail bits

78

189

160 Samples

260 bits

267 bits

456 bits

4 blocks

@ 114 Bits

RPE-LPC

Codec

Block

Coding

Convolutional

Coding

Inter-leaving

sensitive (class I)

insensitive (class II)

1

2

3

8

Encryption

456 bits spread

over 8 bursts

(37)

1

2

3

4

5

6

7

8

higher GSM frame structures

935-960 MHz 124 channels (200 kHz) downlink 890-915 MHz 124 channels (200 kHz) uplink time

GSM TDMA frame

GSM time-slot (normal burst)

4.615 ms

546.5 µs

tail user data S Training

guard

space S user data tail

guard space

3 bits

57 bits

1

...

24

25

superframe

0

1

...

24

25

0

1

2

...

48

49

50

0

1

...

6

7

multiframe

frame

burst

slot

577 µs

4.615 ms

120 ms

235.4 ms

12 frames

one frame for

”slow signalling”

for all the 8 slots

SACCH

12 frames

1 empty frame

(39)

GSM hierarchy of frames

0

1

2

...

2045 2046 2047

hyperframe

0

1

2

...

48

49

50

0

1

...

24

25

superframe

0

1

...

24

25

0

1

2

...

48

49

50

0

1

...

6

7

multiframe

frame

burst

slot

577 µs

4.615 ms

120 ms

235.4 ms

6.12 s

3 h 28 min 53.76 s

Larger frames

for encryption

(40)

GSM protocol layers for signaling

CM MM RR

MM

LAPD_m radio LAPD_m radio LAPD PCM RR’ BTSM CM LAPD PCM RR’ BTSM

16/64 kbit/s

U

_m

A

_bis

A

SS7

PCM

SS7

PCM

64 kbit/s /

2.048 Mbit/s

MS

BTS

BSC

MSC

BSSAP

(41)

Protocol Architecture of GSM

with signalling protocol intefaces

CM MM RR

MM

U

_m

A

_bis

A

SS7

PCM

SS7

PCM

MS

BTS

BSC

MSC

BSSAP

Interfaces:

is here of main interests

are intefaces from the fixed network

U

_m

A

_bis

A

U

_m

A

_bis

A

Layer 3

Layer 2

Layer 1

(42)

Layer 1 (physical) : radio

Handles all radio specific functions

• creation of bursts – 5 different formats

• multiplexing of bursts into TDMA frames

• synchronisation with the BTS (see next slide)

• detection of idle channels

• measurements of channel quality at downlink

• the physical layer at Um uses GMSK modulation

• performs enchryption/decryption of data

CM MM

RR

LAPD_m LAPD_m LAPD

RR’ BTSM

U

_m

A

_bis

(43)

Layer 1: Synchronization:

The distance between the MS and the BTS

An MS 35 km from the BTS has a round trip time (RTT) of 0.23 ms!!!

The BTS sends the current RTT to the MS, which then adjusts its access time!!!

Adjusting the access is controlled by the variable timing advance, where a burst

can be shifted up to 63 bit times ealier => 0.23 ms. (each bit is 3.69 micro

seconds long).

Max 35 km between a BTS and a MS!!

0

1

2

3

4

5

6

7

0

1

2

3

4

5

6

7

BTS

RX

TX

MS

0

1

2

3

4

5

6

7

TX

0

1

2

3

4

5

6

7

RX



t = s / c

(44)

Layer 1 (physical) : radio

Handles all radio specific functions

CM MM

RR

LAPD_m LAPD_m LAPD

RR’ BTSM

U

_m

MS

BTS

Channel coding and error detection/correction!

78

182

78

182

3 bit CRC

4 tail bits

78

189

sensitive (class I)

insensitive (class II)

The physical layer tries to correct errors, but it does

not deliver erroneous data to the higher layers.

(45)

Layer 2 (data link) -

LAPDm

It is said to be a lightweight LAPD protocol as it does not

handle error correction/detection.

It handles:

•

segmentation and reassembly of data and

acknowledges/unacknowledged data transfer

•

re-sequencing of data frames and flow control!

CM MM RR LAPD_m radio LAPD_m radio LAPD PCM RR’ BTSM

U

_m

MS

BTS

Layer 3

Layer 2

Layer 1

(46)

CM MM RR

MM

U

_m

A

_bis

A

SS7

PCM

SS7

PCM

MS

BTS

BSC

MSC

BSSAP

The network layer in GSM comprises several sublayers!

The lowest sublayer is the

Radio Resource Management (RR)!

Just a part of it is implemented in the BTS, the remainder in the BSC!

Setup,

maintenence

and

release

(47)

CM MM RR

MM

U

_m

A

_bis

A

SS7

PCM

SS7

PCM

MS

BTS

BSC

MSC

BSSAP

Mobility Management (MM)

contains functions for

registration

authentification

location update

It also provides a

temporary mobile subscriber identity (TMSI)

that replaces the international mobile subscriber identity (IMSI)

which hides the real identity of an MS user over the air interface.

(48)

CM MM RR

MM

U

_m

A

_bis

A

SS7

PCM

SS7

PCM

MS

BTS

BSC

MSC

BSSAP

Call Management (CM)

contains functions for:

call control (CC): point-to point connection between two terminals

call establishment, call clearing, etc.

short message service (SMS): using control channels SDCCH and SACCH

supplementary services (SS): user identification, forwarding, etc.

(49)

Numbers and Identifiers I

International Mobile Equipment Identifier (IMEI)



Unique serial number assigned by equipment manufacturer

International Mobile Subscriber Identifier (IMSI)



Unique subscriber identification number, stored on SIM-card

Mobile Subscriber ISDN Number (MSISDN)



Actual phone number structured according to ITU-T E.164



Country Code (CC) up to 3 digits



National Destination Code (NDC) 2 to 3 digits



Subscriber Number (SN) with a maximum of 10 digits



Strict separation of subscriber identification (IMSI)

and phone number (MSISDN)



Several MSISDN numbers can be assigned to a single IMSI

(used for service selection)

(50)

HSCSD: High Speed Circuit Switched Data

Chapter: 4.1.8.1

(51)

Mobile Terminated Call

PSTN calling station GMSC HLR VLR BSS BSS BSS MSC MS

1

2

3

4

5

6

7

8

9

10

11 12

13

16

10

11

14 15

17

1: calling a GSM subscriber

2: forwarding call to GMSC

3: signal call setup to HLR

4, 5: request MSRN (Mobile Station

Roaming Number) from VLR

6: forward responsible

MSC to GMSC

7: forward call to

current MSC

8, 9: get current status of MS

10, 11: paging of MS

12, 13: MS answers

14, 15: security checks

16, 17: set up connection

(52)

Mobile Originated Call

PSTN GMSC VLR BSS MSC MS

1

2

6

5

3

4

9

10

7

8

1, 2: connection request

3, 4: security check

5-8: check resources (free circuit)

9-10: set up call

(53)

4 types of handover

MSC

BSC

BTS

MS

1

2

3

4

(54)

Handover decision

receive level

BTS

_old

receive level

BTS

_old

MS

HO_MARGIN

BTS

_old

BTS

_new

(55)

Handover procedure

HO access

BTS_old BSC_new measurement result BSC_old Link establishment MSC MS measurement report HO decision HO required BTS_new HO request resource allocation ch. activation ch. activation ack HO request ack HO command HO command HO command HO complete HO complete clear command clear command

(56)

Security in GSM

Security services



access control/authentication



user



SIM (Subscriber Identity Module): secret PIN (personal

identification number)



SIM



network: challenge response method



confidentiality



voice and signaling encrypted on the wireless link (after successful

authentication)



anonymity



temporary identity TMSI

(Temporary Mobile Subscriber Identity)



newly assigned at each new location update (LUP)



encrypted transmission

3 algorithms specified in GSM



A3 for authentication (“secret”, open interface)



A5 for encryption (standardized)



A8 for key generation (“secret”, open interface)

“secret”: • A3 and A8 available via the Internet

• network providers can use stronger mechanisms

(57)

GSM - authentication

A3

RAND

K

_i

128 bit

SRES* 32 bit

A3

RAND

K

_i

128 bit

SRES 32 bit

SRES* =? SRES

SRES

RAND

SRES

32 bit

mobile network

SIM

AC

MSC

SIM

(58)

GSM - key generation and encryption

A8

RAND

K

_i

128 bit

K

_c

64 bit

A8

RAND

K

_i

128 bit

SRES

RAND

encrypted

data

mobile network (BTS)

MS with SIM

AC

BSS

SIM

A5

K

_c

64 bit

A5

MS

data

cipher

key

(59)