CS Cellular and Mobile Network Security: GSM - In Detail

Academic year: 2021


(1)

CS 8803 - Cellular and Mobile Network Security: GSM - In Detail

(2)

Cellular Telecommunications

Architecture

Background

Air Interfaces

Network Protocols

Application: Messaging

Research

(3)

GSM

The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications with well over 5 billion users.

‣ As a comparison, there are approximately 1.5 billion Internet users.

The architectures of other networks are similar, so knowing how to “speak GSM” will get you a long way in this space.

(4)

Wireless Signaling and Control in GSM

Common Control Channel

‣ Structure

‣ Broadcast Channels

‣ Channel Access from Mobile

‣ Procedures and Messages for Call Control

Traffic Channel

(5)

GSM Control Functions

Read System Parameters

Register

Receive and Originate Calls

(6)

GSM Structure

Common Control Channel (CCCH)

‣ Used for control information: registration, paging, call origination/termination.

Traffic Channel (TCH)

‣ Information transfer

‣ in-call control (fast/slow associated control channels)

Figure: one Common Control Channel (CCCH) shared by all mobiles in the cell; one Traffic Channel per user in a call.

(7)

GSM TDMA Frames

TDMA Frame: eight time slots (Slot 0, Slot 1, ..., Slot 7); frame duration 4.615 msec

(8)

From Frames to Channels

Figure: slots 0-7 of one TDMA frame (4.615 ms); 26 consecutive frames form a 26 Multiframe (120.00 ms).

(9)

GSM CCCH

‣ Random Access Control Channel (RACH): reverse (MS → BS)

‣ Paging and Access Grant Channel (PAGCH): forward (BS → MS); made up of the PCH and the AGCH

‣ Broadcast Control Channel (BCCH): forward (BS → MS)

‣ Synchronization Channel (SCH): forward (BS → MS)

‣ Frequency Correction Channel (FCCH): forward (BS → MS)

(10)

GSM CCCH Structure

TDMA Frame: Slot 0, Slot 1, ..., Slot 7; 4.615 msec per frame

‣ CCCH/RACH always uses Slot 0 of each frame; other seven slots for TCH

‣ TCH: 26 multi-frame repeats every 120 msec (13th and 16th frames are used by the Slow Associated Control Channel (SACCH) or are idle)

51 Multiframe (Frame 0, Frame 1, Frame 2, ..., Frame 50): 235.365 msec

Downlink, Slot 0, channel name (frame #):

FCCH (0), SCH (1), BCCH (2-5), PAGCH (6-9), FCCH (10), SCH (11), PAGCH (12-19), FCCH (20), SCH (21), PAGCH (22-29), FCCH (30), SCH (31), PAGCH (32-39), FCCH (40), SCH (41), PAGCH (42-49), Idle (50)

Uplink, Slot 0: RACH (0) ... RACH (50)
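The timing and channel layout above, as an added worked example (this code is not from the slides): it reproduces the 26- and 51-multiframe durations from the 4.615 ms frame time and maps each frame number of the 51-multiframe to the logical channel carried in Slot 0, using exactly the frame assignments the slide lists. The uplink rule (Slot 0 is RACH, the other slots TCH) is the one stated on the slide.

```python
from typing import List, Tuple

FRAME_MS = 4.615          # TDMA frame duration as given on the slides (exactly 120/26 ms)
SLOTS_PER_FRAME = 8       # Slot 0 .. Slot 7


def multiframe_ms(frames: int) -> float:
    """Duration of a multiframe of `frames` TDMA frames, in ms (rounded to microseconds)."""
    return round(FRAME_MS * frames, 3)


def ccch_channel(frame_no: int) -> str:
    """Logical channel in Slot 0 (downlink) of frame `frame_no` of the 51-multiframe.

    Layout from the slide: FCCH at 0,10,20,30,40; SCH at 1,11,21,31,41; BCCH at 2-5;
    PAGCH (PCH/AGCH blocks) in the remaining frames; frame 50 idle.
    """
    if not 0 <= frame_no < 51:
        raise ValueError("51-multiframe frame numbers run 0..50")
    if frame_no == 50:
        return "IDLE"
    if frame_no % 10 == 0:
        return "FCCH"
    if frame_no % 10 == 1:
        return "SCH"
    if 2 <= frame_no <= 5:
        return "BCCH"
    return "PAGCH"


def uplink_channel(slot: int) -> str:
    """Slot 0 of every uplink frame is the shared RACH; the other seven slots carry TCH."""
    if not 0 <= slot < SLOTS_PER_FRAME:
        raise ValueError("slots run 0..7")
    return "RACH" if slot == 0 else "TCH"


def channel_map() -> List[str]:
    """Channel name for each of the 51 downlink Slot-0 bursts."""
    return [ccch_channel(i) for i in range(51)]


def block_layout() -> List[Tuple[str, int, int]]:
    """Collapse the per-frame map into (channel, first_frame, last_frame) blocks.

    This reproduces the 'FCCH (0) SCH (1) BCCH (2-5) PAGCH (6-9) ...' line of the slide.
    """
    blocks: List[Tuple[str, int, int]] = []
    for frame_no, name in enumerate(channel_map()):
        if blocks and blocks[-1][0] == name and blocks[-1][2] == frame_no - 1:
            blocks[-1] = (name, blocks[-1][1], frame_no)
        else:
            blocks.append((name, frame_no, frame_no))
    return blocks


if __name__ == "__main__":
    print(f"26-multiframe: {multiframe_ms(26)} ms, 51-multiframe: {multiframe_ms(51)} ms")
    print(" ".join(f"{n} ({a})" if a == b else f"{n} ({a}-{b})" for n, a, b in block_layout()))
```

Because 4.615 ms is itself a rounded value, 26 frames come out as 119.99 ms rather than the 120.00 ms the slide shows; the 51-multiframe figure of 235.365 ms matches exactly.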

(11)

GSM: BCCH

Broadcast to all users on the CCCH

No addressing

Used to acquire system parameters, so mobile may operate with the system.

Key parameters (contained in RR SYSTEM INFORMATION MESSAGES):

‣ RACH control parameters

‣ cell channel descriptions (frequencies)

‣ neighbor cells (frequencies)

‣ cell id

‣ Location Area ID (LAI)

(12)

GSM: FCCH and SCH

Keeps system synchronization

‣ What do you mean, synchronization?

Broadcasts Basestation ID

(13)

GSM: Mobile Channel Access Procedures (RACH)

MS Communicates with BS over RACH

‣ Only initially and must compete for this shared resource.

Feedback provided with AGCH

‣ Points the user to a dedicated channel for real exchanges.

Functions:

‣ Responses to paging messages

‣ Location update (registration)

‣ Call Origination

(14)

GSM: Paging Channel (PCH)

Used to send pages to mobile devices.

‣ Notifications of incoming services (e.g., voice, data, SMS)

Done at regular intervals

‣ Mobiles belong to a paging class

‣ Allows the device to sleep, conserve power

(15)

GSM: RACH and Slotted ALOHA (Layer 2)

Assumptions

• all frames same size

• time is divided into equal size slots (time to transmit 1 frame)

• nodes start to transmit frames only at beginning of slots

• clocks are synchronized

• if 2 or more nodes transmit in slot, all nodes detect collision

Operation

• when node obtains fresh frame, it transmits in next slot

• no collision: node successfully transmitted the frame

• if collision: node retransmits frame in each subsequent slot with prob. p until success

(16)

GSM: More Slotted ALOHA

Pros

• single active node can continuously transmit at full rate of channel

• highly decentralized: only slots in nodes need to be in sync

• simple

Cons

• collisions, wasting slots

• idle slots

• nodes may be able to detect collision in less than time to transmit packet

(17)

GSM: Slotted ALOHA Efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p

• prob that node 1 has success in a slot = p(1-p)^(N-1)

• prob that any node has a success = Np(1-p)^(N-1)

• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)

• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel has maximum throughput of 1/e ≈ 37% of slots
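The efficiency derivation above, carried through in code as an added example (not from the slides): it evaluates Np(1-p)^(N-1), confirms numerically that the maximizing p* is 1/N, shows the limit approaching 1/e, and checks the closed form against a Monte Carlo run of the contention process the RACH relies on. Parameter names are mine.

```python
import math
import random


def success_prob_any(n: int, p: float) -> float:
    """P(exactly one of N backlogged nodes transmits in a slot) = N p (1-p)^(N-1)."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need N >= 1 and 0 <= p <= 1")
    return n * p * (1 - p) ** (n - 1)


def optimal_p(n: int) -> float:
    """d/dp [N p (1-p)^(N-1)] = N (1-p)^(N-2) (1 - N p); setting it to zero gives p* = 1/N."""
    return 1.0 / n


def max_efficiency(n: int) -> float:
    """Best long-run fraction of successful slots with N backlogged nodes."""
    return success_prob_any(n, optimal_p(n))


def argmax_p_numeric(n: int, steps: int = 10000) -> float:
    """Brute-force check of the calculus result on a grid of p values."""
    best_p, best = 0.0, -1.0
    for k in range(1, steps):
        p = k / steps
        e = success_prob_any(n, p)
        if e > best:
            best_p, best = p, e
    return best_p


def simulate(n: int, p: float, slots: int, seed: int = 0) -> float:
    """Monte Carlo: fraction of slots in which exactly one node transmits (a success).

    Each of the N nodes is assumed backlogged and transmits in every slot with
    probability p, which is the retransmission rule from the previous slide.
    """
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        successes += transmitters == 1
    return successes / slots


if __name__ == "__main__":
    for n in (1, 2, 10, 100, 1000):
        print(f"N={n:5d}  p*={optimal_p(n):.4f}  efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    print(f"simulated N=10, p=0.1: {simulate(10, 0.1, 20000):.3f}")
```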

(18)

GSM: RACH Procedures (Layer 2)

Mobile

‣ sends assignment request with information

Basestation

‣ sends back assignment with information echoed

Creates Radio Resource (RR) connection

‣ “Standalone Dedicated Control Channel”

‣ May be a physical channel

‣ May be a traffic channel in signaling-only mode

‣ May eventually be bandwidth stolen from TCH (associated control channels)

(19)

Basic Flow on Air Interface

Three steps: alert phone of incoming activity (paging) → request dedicated signaling channel → signal over that channel

(20)

GSM Signaling

Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).

‣ Technically layer 3, but debatable from OSI perspective as application-esque things happen here.

Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and

(21)

Time Out: Privacy?

With all of this signaling going over well-known channels, isn’t there a risk of user tracking/profiling?

(22)

GSM Registration

Types

‣ Power up and down

‣ Location Area changes (mobility)

‣ Periodic

User Privacy

‣ Mobile device may transmit real address: International Mobile Subscriber Identity (IMSI)

‣ Get back temporary id (TMSI)

• Unique to a local area

(23)

GSM: Registration, High Level

Get SDCCH → RR connection established → Authenticate → Cipher → Update Location → Release RR connection

(24)

GSM Registration: Gory Details

Get SDCCH; RR connection established

Mobile → Network: LOC UPD RQST

Network → Mobile: Authentication Request (RAND)

Mobile → Network: Authentication Response (SRES)

Network → Mobile: Cipher Mode Command

Mobile → Network: Cipher Mode Complete

Network → Mobile: LOC UPD ACC (TMSI Assigned)

Mobile → Network: TMSI RE-ALLOC Complete

Release RR connection
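The registration exchange above, together with the privacy question raised two slides earlier, as an added simulation (not code from the slides): both sides run the flow message by message, and the transcript records which identity appears in each message and whether the message was sent before or after ciphering was switched on. A3/A8 are operator-specific, so an HMAC-SHA256 stand-in (hypothetical, labelled in the code) derives SRES and Kc; the IMSI, Ki and LAI values are constructed. The `cleartext_identities` helper shows the point of the TMSI: the IMSI goes over the air unciphered only when the mobile has no TMSI for the current location area, and each successful update replaces the TMSI under cipher.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (NOT the real algorithms): HMAC-SHA256 split
    into a 32-bit SRES and a 64-bit Kc so both sides of the simulation agree."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass
class AirMessage:
    direction: str      # "MS->BS" or "BS->MS"
    name: str
    fields: Dict[str, str]
    ciphered: bool      # True once Cipher Mode Command has taken effect


@dataclass
class Mobile:
    imsi: str
    ki: bytes
    tmsi: Optional[str] = None
    lai: Optional[str] = None   # location area the TMSI is valid in


@dataclass
class Network:
    lai: str
    hlr: Dict[str, bytes]                                   # IMSI -> Ki (AuC's copy)
    vlr: Dict[str, str] = field(default_factory=dict)       # TMSI -> IMSI, this LA only
    counter: int = 0

    def resolve(self, ident: Dict[str, str]) -> Optional[str]:
        return self.vlr.get(ident["tmsi"]) if "tmsi" in ident else ident["imsi"]


def location_update(ms: Mobile, net: Network) -> Tuple[List[AirMessage], bool]:
    """Run the registration flow from the slides; return (transcript, accepted)."""
    log: List[AirMessage] = []
    cipher_on = False
    # The mobile uses its TMSI only if it was issued for this location area;
    # otherwise the IMSI has to be sent, and at this point nothing is ciphered yet.
    if ms.tmsi is not None and ms.lai == net.lai:
        ident = {"tmsi": ms.tmsi}
    else:
        ident = {"imsi": ms.imsi}
    log.append(AirMessage("MS->BS", "LOC UPD RQST", ident, cipher_on))
    imsi = net.resolve(ident)
    if imsi is None:
        raise ValueError("unknown TMSI (IDENTITY REQUEST procedure not modelled here)")
    rand = os.urandom(16)
    log.append(AirMessage("BS->MS", "AUTHENTICATION REQUEST", {"rand": rand.hex()}, cipher_on))
    sres_ms, kc_ms = a3_a8(ms.ki, rand)
    log.append(AirMessage("MS->BS", "AUTHENTICATION RESPONSE", {"sres": sres_ms.hex()}, cipher_on))
    sres_net, kc_net = a3_a8(net.hlr[imsi], rand)
    if not hmac.compare_digest(sres_ms, sres_net):
        log.append(AirMessage("BS->MS", "LOC UPD REJ", {}, cipher_on))
        return log, False
    log.append(AirMessage("BS->MS", "CIPHER MODE COMMAND", {}, cipher_on))
    cipher_on = True    # both sides now hold the same Kc; everything below is ciphered
    log.append(AirMessage("MS->BS", "CIPHER MODE COMPLETE", {}, cipher_on))
    net.counter += 1
    new_tmsi = f"TMSI-{net.counter:08x}"       # constructed TMSI format
    if ms.tmsi in net.vlr:
        del net.vlr[ms.tmsi]
    net.vlr[new_tmsi] = imsi
    log.append(AirMessage("BS->MS", "LOC UPD ACC", {"tmsi": new_tmsi, "lai": net.lai}, cipher_on))
    ms.tmsi, ms.lai = new_tmsi, net.lai
    log.append(AirMessage("MS->BS", "TMSI REALLOC COMPLETE", {}, cipher_on))
    return log, True


def cleartext_identities(log: List[AirMessage]) -> List[Tuple[str, str]]:
    """Identities carried in unciphered messages, i.e. readable by anyone on the channel."""
    return [(k, m.fields[k]) for m in log if not m.ciphered
            for k in ("imsi", "tmsi") if k in m.fields]


if __name__ == "__main__":
    hlr = {"IMSI-001": b"k" * 16}                          # constructed subscriber record
    net = Network(lai="LAI-1", hlr=hlr)
    ms = Mobile(imsi="IMSI-001", ki=b"k" * 16)
    for attempt in range(2):
        log, ok = location_update(ms, net)
        print(f"attempt {attempt}: accepted={ok}, in clear: {cleartext_identities(log)}")
```

Run twice, the first update exposes `("imsi", "IMSI-001")` and the second only the previously issued TMSI; a mobile that moves to a `Network` with a different `lai` falls back to sending the IMSI, which is the exposure the “Unique to a local area” bullet implies.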

(25)

GSM: Call Termination (Receive a Call)

Network → Mobile: Page Request (TMSI)

Mobile → Network: Channel Request

Network → Mobile: Channel Assignment (Get SDCCH; RR connection established)

Mobile → Network: SABM (Page Response); Network → Mobile: UA (Page Response)

Authentication and Ciphering

Network → Mobile: SETUP

Mobile → Network: Call Confirmed

Network → Mobile: Assignment Command; Mobile → Network: Assignment Complete

Mobile → Network: Alert

Mobile → Network: Connect

(26)

GSM: Call Origination

Mobile → Network: Channel Request

Network → Mobile: Channel Assignment (Get SDCCH; RR connection established)

Mobile → Network: SABM (CM Service Request - Call Orig); Network → Mobile: UA (CM Service Request - Call Orig)

Authentication and Ciphering

Mobile → Network: SETUP

Network → Mobile: Call Proceeding

Network → Mobile: Assignment Command; Mobile → Network: Assignment Complete

Network → Mobile: Alert

Network → Mobile: Connect; Mobile → Network: Connect ACK

RR connection release

(27)

GSM: Mobile Assisted Handoff (MAHO)

Participants: Mobile, Old BS, New BS, MSC. Sequence: Measurement Report (repeated from the mobile to the old BS) → Handoff Order → Handoff Access → Handoff Complete

(28)

Measuring Mobility-Generated Load

How do we estimate the traffic load caused by handoffs?

Simplest mobility model (fluid flow): assume conservation of flow and random movements at constant velocity.

Rate of boundary crossings = ρ v L / π

‣ ρ = density of users, v = velocity and L is perimeter (the 1/π comes from averaging over uniformly random directions of travel)

(29)

Practice

Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.

Assume:

‣ L = 80 miles

‣ ρ = 150 users/mi²

‣ v = 45 miles/hour

(30)

Example

Boundary crossing rate: ρ v L / π = (150 users/mi² × 45 miles/hour × 80 miles / π) × (1 hour / 3600 secs) ≈ 48 crossings/sec

Load on VLR from mobility is 144 operations/sec:

‣ 3 updates per crossing (Update LA, Reg Cancel, Auth Info): 3 × 48 = 144

(31)

Example, cont

Assume 3 calls/user/hour (1.5 in, 1.5 out on average)

‣ for each incoming call there is one database query (MSRN)

ρ = 150 users/mi², L = 80 miles

‣ each area (a square of side 80/4 = 20 miles) contains 150 × (80/4)² = 60,000 users

‣ 60,000 users × 1.5 incoming calls/hour ÷ 3600 secs = 25 calls/second

Total Load

‣ 25 queries/second (call related)

‣ 144 updates/second (mobility related)
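The VLR load calculation of the last three slides, as an added worked example (not code from the slides): the fluid-flow crossing rate ρvL/π, the three registration operations per crossing, and the MSRN query rate from incoming calls, evaluated for the slide's numbers. Function and parameter names are mine; the slide rounds the crossing rate to 48 before multiplying by 3, so its 144 operations/sec is 143.2 when carried through unrounded.

```python
import math


def boundary_crossing_rate(density_per_sq_mile: float, speed_mph: float,
                           perimeter_miles: float) -> float:
    """Fluid-flow model: crossings per second out of a region of perimeter L,
    R = rho * v * L / pi (users/mi^2 * miles/hour * miles gives crossings/hour)."""
    per_hour = density_per_sq_mile * speed_mph * perimeter_miles / math.pi
    return per_hour / 3600.0


def mobility_load(density_per_sq_mile: float, speed_mph: float, perimeter_miles: float,
                  updates_per_crossing: int = 3) -> float:
    """VLR operations/second from mobility: Update LA, Reg Cancel and Auth Info per crossing."""
    return boundary_crossing_rate(density_per_sq_mile, speed_mph,
                                  perimeter_miles) * updates_per_crossing


def subscribers_in_square_area(density_per_sq_mile: float, perimeter_miles: float) -> float:
    """Users in a square location area of the given perimeter (side = L/4)."""
    side = perimeter_miles / 4.0
    return density_per_sq_mile * side ** 2


def call_query_load(density_per_sq_mile: float, perimeter_miles: float,
                    calls_per_user_per_hour: float, incoming_fraction: float = 0.5) -> float:
    """MSRN queries/second: one query per incoming call."""
    users = subscribers_in_square_area(density_per_sq_mile, perimeter_miles)
    return users * calls_per_user_per_hour * incoming_fraction / 3600.0


def vlr_load(density_per_sq_mile: float, speed_mph: float, perimeter_miles: float,
             calls_per_user_per_hour: float) -> dict:
    """Combine the mobility-related and call-related components of VLR load."""
    crossings = boundary_crossing_rate(density_per_sq_mile, speed_mph, perimeter_miles)
    mobility = mobility_load(density_per_sq_mile, speed_mph, perimeter_miles)
    calls = call_query_load(density_per_sq_mile, perimeter_miles, calls_per_user_per_hour)
    return {
        "crossings_per_s": crossings,
        "mobility_ops_per_s": mobility,
        "call_queries_per_s": calls,
        "total_per_s": mobility + calls,
    }


if __name__ == "__main__":
    # Slide's figures: 150 users/mi^2, 45 mph, 80-mile perimeter, 3 calls/user/hour
    for key, value in vlr_load(150, 45, 80, 3).items():
        print(f"{key:>20}: {value:8.2f}")
```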

(32)

GSM: Short Messaging Service

Bi-directional

Acknowledged Service

Store-and-Forward Service

140 octets/160 characters (concatenation possible)

Uses SDCCH signaling channel

Two services - cell broadcast and point to point

‣ Cell broadcast exists in the standards only at this time.


(34)

GSM: SMS Examples - Mobile Termination

Network → Mobile: Page; Mobile → Network: Page Response

Network → Mobile: CP-DATA (RP-DATA (SMS Delivery)); Mobile → Network: CP-ACK

Mobile → Network: CP-DATA (RP-ACK); Network → Mobile: CP-ACK
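The “140 octets / 160 characters” figure from the SMS slide comes from the GSM 7-bit default alphabet: septets are packed LSB-first into the octets of the user data that RP-DATA carries. As an added example (not code from the slides), this packs and unpacks user data that way, handles only the characters whose septet value equals their ASCII code (an assumption stated in the code; @, $, _ and the extension table are out of scope), and enforces the 160-septet limit. The `hellohello` vector is the widely quoted reference encoding for this packing.

```python
import math
from typing import List, Tuple

# GSM 03.38 default alphabet, restricted here to the characters whose septet value
# equals their ASCII code (letters, digits, space and these punctuation marks).
SAME_AS_ASCII = set(
    " !\"#%&'()*+,-./0123456789:;<=>?"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)
MAX_SEPTETS = 160      # 160 septets * 7 bits = 1120 bits = 140 octets


def to_septets(text: str) -> List[int]:
    """Map text to 7-bit default-alphabet values (subset only, see SAME_AS_ASCII)."""
    septets = []
    for ch in text:
        if ch not in SAME_AS_ASCII:
            raise ValueError(f"character {ch!r} not in the ASCII-compatible subset")
        septets.append(ord(ch))
    return septets


def pack_7bit(septets: List[int]) -> bytes:
    """Pack septets into octets: septet i occupies bits 7i..7i+6 of a little-endian bit stream,
    so the spare bit of octet 0 holds the low bit of septet 1, and so on."""
    if len(septets) > MAX_SEPTETS:
        raise ValueError("SMS user data holds at most 160 septets (140 octets)")
    stream = 0
    for i, s in enumerate(septets):
        stream |= (s & 0x7F) << (7 * i)
    n_octets = math.ceil(7 * len(septets) / 8)
    return stream.to_bytes(n_octets, "little")


def unpack_7bit(octets: bytes, n_septets: int) -> List[int]:
    """Inverse of pack_7bit. The septet count is needed because 7 septets fill 49 of 56 bits
    and the 7 padding bits would otherwise decode as a spurious eighth septet."""
    stream = int.from_bytes(octets, "little")
    return [(stream >> (7 * i)) & 0x7F for i in range(n_septets)]


def encode_user_data(text: str) -> Tuple[int, bytes]:
    """Return (septet count, packed octets), the two things a 7-bit user data field carries."""
    septets = to_septets(text)
    return len(septets), pack_7bit(septets)


def decode_user_data(n_septets: int, octets: bytes) -> str:
    return "".join(chr(s) for s in unpack_7bit(octets, n_septets))


if __name__ == "__main__":
    udl, ud = encode_user_data("hellohello")
    print(udl, ud.hex().upper())          # 10 E8329BFD4697D9EC37
    full = encode_user_data("A" * 160)
    print(f"160 characters -> {len(full[1])} octets")
```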

(35)

Other Air Interfaces

IS-54/IS-136/D-AMPS

‣ digital, TDMA

IS-95

‣ digital, CDMA

CDMA2000

‣ “3G”

UMTS

‣ W-CDMA

‣ “3G”

(36)

IS-54/IS-136

First North American standards

Converted traffic channels (IS-54) and control channels (IS-136) to digital.

‣ Phones could gracefully degrade to AMPS if neither of these networks were available.

IS-54 was the first to consider security.

‣ Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.

(37)

IS-95

Code Division Multiple Access (CDMA) Transmission

Similar call processing to GSM and IS-136

1.23 MHz carriers, each with 65 sub-code channels

(38)

Network Architecture: IS-95/CDMA2000

RNC/PCF

‣ Performs frame-selection/power control

‣ Terminates Radio Link Protocol w/ mobiles

‣ Performs packet and burst control functions

PDSN

‣ terminates PPP with clients

‣ provides FA support for MIP-enabled Clients

AAA

Provides Authentication, Authorization and

Accounting for Data users

Figure: network elements BS, BSC, MSC, VLR, HLR, AAA, RNC/PCF, PDSN and HA, connected to the PSTN (voice) and the Internet (data).

BSC

‣ Coordinates handoff for voice users

‣ Performs frame-selection/power control

MSC

‣ call control and mobility management

‣ interfaces to the PSTN for voice users

AAA

provides location management and AAA functions for
