Mobility Management, Call Routing &

Security

Mobility Management

Routing Calls toMobile Stations

Confidentiality and Security

Detailed LocationRegistration Scenario

Objectives

At the end of this unit, you should be able to:

• Explain why the mobile registration process is necessary

• Describe how a call is automatically routed from PSTN to a mobile station

• Explain why mobile authentication is necessary and how it works

• Describe the various phases of mobile registration and the location updating process

Unit 3 Section 1

Mobility Management

Where is the Mobile Station?

PSTN

BeneluxGSA

UnitedKingdom

GSA

GPA 1UK

GPA 2Belgium

GPA 3Netherlands

Location Areas and Cell Areas

Location Area 1

Location Area 3Location Area 2

GPA

CellArea

Location Areas and Cell Areas

Cell Global Identification Number

MCC MNC LAC CI

Location Area Identification (LAI)

AcronymsMCC - Mobile Country Code (Same as in the IMSI) –3 digits.MNC - Mobile Network Code (same as in the IMSI – 2 digits.LAC - Location Area Code used to identify a location area within a GSM PLMN – 2 octets.LAI - Location Area IdentificationCI - Cell Identity – 2 octets.

Location Areas and Base Station Systems

LocationArea 2

LocationArea 1

PSTN

BTS

BTS

BTS BTS

BTS

BSC 1

BSC 1

MSC

MSC Areas and Location Areas

LocationArea 2

LocationArea 1

LocationArea 4

LocationArea 3

MSC 2MSC 1

To PSTN

CellArea

CellArea

CellArea

CellArea

GPA

MSCArea 2

MSCArea 1

Network Operation - Examples

MSC

BSC

BTS

BTS

BSC

MS

Mobile Powers On/IMSI Attach

Location Updating

Mobile Powers Off/IMSI Detach

Idle Mode Measurements

Mobile Makes a Call

Mobile Receives a Call

Measurements during a Call

Handover

Registration and IMSI Attach

HLR

BSC

MSC

VLR

Radio Criterion

p1 and p2 are supplied by the BS

p1 specifies the minimum receive level

p2 specifies the maximum mobile transmit level

All quantities are measured in dB

C1 = (Received Level Average - p1) - (p2 - Maximum Power of Mobile)

C1 must be greater than 0 for a cell to be used

Registration Sequence

Sou

rce:

An

In

trod

uct

ion

to

GS

MR

edl,

Web

er a

nd

Oli

ph

ant

Types of Location Registration

• GEOGRAPHIC Based

• TIME Based

• ON/OFF Based

Time-Based Registration

TIMER MANAGEMENT:

• Timer is reset when mobile station activity has taken place.

• Mobile Station initiates location updating when timer expires.

• Mobile station timer value is kept in memory when turned off.

On/Off-Based Registration

• IMSI Attach- mobile power-up = attach- mobile power-up causes a registration

• IMSI Detach- mobile power-down = detach- mobile power-down causes a deregistration

Paging a Mobile Station

BSS

BSS

BSS

BSS

BSS

PSTN- Location Area- Mobile ID

DN

DN

Location Area

Location Area

Mobile Switching Centre

Mobile Station

Mobile Station Identification

Mike = Jane Doe

Temporary Mobile Subscriber Identity (TMSI)

InternationalMobile Equipment

Identity (IMEI)Smart Card

(SIM)

Jane Doe

International Mobile Subscriber Identity (IMSI)

Smart Card(SIM)

Mobile StationISDN Number

(MSISDN)

Mobile Station Identification Numbers Used in GSM

International Mobile Equipment Identity (IMEI)• Uniquely identifies mobile station equipment• Burnt in by the equipment manufacturer

TAC – Type Approval Code (6 digits)FAC – Final Assembly Code (2 digits)SNR – Serial Number (6 digits)SP – Spare (1 digit)

International Mobile Subscriber Identity (IMSI)• IMSI is assigned to a MS at subscription time• IMSI uniquely identifies a given MS• IMSI is transmitted over the radio path only when necessary

MCC – Mobile Country Code [3 digits] (home country)MNC – Mobile Network Code [2 digits] (home GSM PLMN)MSIN – Mobile Subscriber Identification Number (10 digits)NMSI – National Mobile Subscriber Identity

Temporary Mobile Subscriber Identity (TMSI)• TMSI is assigned to a MS by the VLR• TMSI uniquely identifies a MS within the area controlled by a given VLR

TMSI (32 bits max)

MCC MNC MSIN

IMSI (15 digits)

NMSI

TAC FAC SNR SP

IMEI (15 digits)

Country Codes Used in Mobile Identities

Partial List of Codes

Country

United Kingdom

Spain

France

Finland

Sweden

Italy

Ireland

United States

Australia

Japan

Kuwait

Country Codes (CC) used in land network

44

34

33

358

46

39

354

1

61

81

965

Mobile Country Codes (MCC) used in GSM network

234, 235

214

208

244

240

222

272

310 – 316

505

440, 441

419

Mobile Station

Mobile Station = Mobile Equipment + Subscriber Identity Module (SIM)

SIM Card

Mobile Equipment

Plug-InType SIM

IC Card Type SIM

Subscriber Identity Module (SIM) - Continued

Contains:

• International Mobile Subscriber Identity (IMSI)

• Authentication key (Ki)

• Personal Identification Number (PIN)

• Subscriber information

• Access control class

• Cipher key (Kc)*

• Temporary Mobile Station Identification (TMSI)*

• Additional GSM services*

• Location Area Identity (LAI)*

• Forbidden Public Land Mobile Numbers (PLMNs)*

*Updateable by network

GSM Test SIM 2To

92316 005

Subscriber Identity Module (SIM)Hardware Spec

GSM Test SIM 2To

92316 005

Highly Secure Processor

Contact Type - Smart Card

Communication via serial IO

Data Rate 1MHz

Contains ROM, RAM and EPROM

SIM Security Functions

• Pin Code to unlock the mobile station.

• 3 wrong attempts at PIN and SIM is blocked.

• SIM may be unblocked with PIN Unblock Code (PUK).

• 10 attempts at PUK and SIM is permanently disabled.

• Second PIN and second PUK available in Phase 2 to support Closed User Groups and Fixed Dial Numbers.

SIM and Phase 2+

• SIM Application Toolkit allows user applications (e.g. electronic banking) to be run on the SIM

Routing Calls Automatically

To Mobile Stations

MSC Directory Number Allocation

PSTN

MSC

MSC

LocalExchange

MSISDN

MSRN

Directory Number Spectrum in MSC

Trunks

Trunks

Used to reference home subscribers

Used to reference visiting subscribers

Home Location Register (HLR)

Keys:• International Mobile Subscriber Identity (IMSI)• Mobile Subscriber ISDN Number (MSISDN)

Contains:• International Mobile Subscriber Identity (IMSI)• Mobile Subscriber ISDN Number (MSISDN)• Permanent copy of subscriber data• Mobile Station Roaming

- MSISDN

- IMSI

- MSRN

- Subscriber DataIMSI

X

X

MSISDN

X

Visitor Location Register (VLR)

- MSISDN

- IMSI

- MSRN

- LAC

- TMSI

- Subscriber Data

X

TMSIX

IMSIX

MSRNX

Keys:• International Mobile Subscriber Identity (IMSI)• Temporary Mobile Subscriber Identity (TMSI)• Mobile Station Roaming Number (MSRN)

Contains:• Mobile Station ISDN number (MSISDN)• International Mobile Subscriber Identity (IMSI)• Temporary Mobile Subscriber Identity (TMSI)• Mobile Station Roaming Number (MSRN)• Location Area Code (LAC) of Mobile Station• Copy of subscriber data from HLR

Located Area, VLR, and HLR Relationship

 VLR  VLR VLR

 HomeHLR

SS7 Network

MSCArea

MSCArea

MSCArea

MSCArea

LA 1 LA 2 LA1LA1 LA2 LA 3

System 1 System 2 System 3

Land to Mobile Call Routing

Mobile Located in Non-Home MSC Area

BSS 1

BSS 2

HomeMSC

BSS 1

BSS 2

VisitedMSC

 HLR

 VLR

PSTN

TMSI & LACMSRN

TMSIMSRN

MSRN

MSISDNMSISDN

MSISDN MSRN

TMSI

Signalling

Voice Path

1 2

5

3 4

6

7 8

9 10

Land to Mobile Call Routing

Mobile in Home MSC Area

PSTN

 VLR

 HLR

Home

MSC

TMSI & LACMSRN

MSISDN MSRN

MSISDNBSS 1

BSS 2

TMSI

TMSI

MSISDN

Land to Mobile Call Routing

Intelligent PSTN Routing

PSTN

 VLR

 HLR

TMSI & LACMSRN

MSISDN

MSRN

MSISDN BSS 3

BSS 4

VisitedMSC

MSISDN

TMSI

TMSI

BSS 1

BSS 2

HomeMSC

Land to Mobile Call Routing

Routing Via a Gateway MSC

PSTN

 VLR

 HLR

TMSI & LACMSRN

MSISDN

MSRN

MSISDNBSS 1

BSS 2

VisitedMSC

MSISDN

TMSI

TMSI

BSS 1

BSS 2

HomeMSC

GatewayMSC

MSRN

Signalling

Voice Path

Dynamic Allocation of MSRN

 VLR  HLRHomeMSC

PSTN

Mobile Registers Update Location.No MSRN, use

LMSI

Subscriber Data

Need MSRNFor LMSI

MSRN

Need MSRNFor LMSI

MSRNMSRN

Get Route

MSRN

Get Route

Incoming Call

Incoming Call

Home GSM systemVisited GSM system Landline network

GSM Confidentiality and

Security Mechanisms

• Use of a temporary mobile station identity (TMSI)

The temporary mobile station identity that is sent is not the mobile station's true identity. Instead, an alias is used by the network so no calling pattern can be seen by an observer.

• Encryption for information on the radio path

Encryption involves changing bits in a manner known only to the network and the mobile station. Encryption occurs only on the radio link portion of the call.

• Mobile station authentication procedure

Used to grant access to an MS via VLR. Same authentication keys stored in AUC and the MS is used.

• Mobile station equipment validationEquipment validation is a process where the network can require the mobile station to transmit its equipment serial number so the network can check the equipment against the Valid list, Suspect list or Fraudulent list contained in the Equipment Identity Register (EIR).

Authentication Concept

Random Number Generator

AuthenticationAlgorithm

AuthenticationAlgorithm

Secret Data Secret Data

Random Number

AuthenticationResponse

Yes

No

AuthenticationResponse

=

Mobile StationServing Network

Grant Access

Deny Access

GSM Authentication Example

 VLR

MSC

BSS

 HLRAUC

SRES

RAND

RANDSRES

RANDSRES

RAND, SRESRAND, SRES

23

1

Ki

Ki

Mobile Station (MS)

Visited System Home System

1. RAND, SRES sent to visited system’s VLR2. RAND transmitted to mobile3. SRES transmitted from mobile in response

Generating the Signed Response (SRES) and Cipher Key (KC)

Ki - Individual subscriber authentication key (128 bits)Kc - Cipher Key (64 bits)RAND - Random number (128 bits)

Kc SRES

A8A3

KcSRES

KiKi

RANDRAND

Home System’s AUC

A3A8KiKi

RANDRAND

Mobile Station

128 bits

IMSI/TMSI

Random Number (RAND)

SRES - Signed response (32 bits)A3 - Authentication algorithmA8 - Cipher Key generating algorithm

Authentication Process Network View

BSS

SRES

RAND

MS

RAND, SRES Kc

RAND, SRES Kc

RAND, SRES Kc

RAND, SRES Kc

RAND, SRES Kc

VLR

RAND, Kc

SRES

AUC

Ki

RANDA3 & A8

HLR

RAND Kc SRESIMSIVisited System

Home System

Equipment Validation Process

 

MSC

Request IMEI 1

IMEI2

CHECK IMEI

3

EIR

IMEI CHECK

Response

4

MS

Detailed Location

Registration Scenario

Location Updating

VLRHLR

MSC 2

VLR

BSCBSCBSC

MSC 1

Phases of a Location Update

• 1) Request for Service

• 2) Authentication*

• 3) Update Location Registers

• 4) Ciphering*

• 5) TMSI Reallocation

*Phase might not occur

Mobile Location Update: Request for Service

NewVLR

BMSCBSSMS

AUm

1

2

3

4

5

6

7

8

9

Channel Request (on RACH)

Dedicated Signalling ChannelAssignment (on AGCH)

Location Update RequestTMSI, LAI (on SDCCH)

Location Update Request

Location Update Request

Request IMSI

Request IMSI

IMSI Acknowledge

IMSI Acknowledge

Mobile Location Update : Authentication

10

11

12

13

14

15

16

17

HLRD

NewVLR

MSCMSB

Get AuthenticationParameters IMSI

Get AuthenticationParameters IMSI

AuthenticationParameters

AuthenticationParameters

Authenticate MobileStation

Authenticate ResponseSRES

AUC

RAND, SRES, Kc

RANDAuthenticate Mobile

Station RAND

Authenticate ResponseSRES

RAND, SRES, Kc

Mobile Location Update: Update Location

18

19

20

21

OldVLR

HLRNewVLR

D

Update LocationMSRN

Location UpdatedCustomer Profile

De-registerMobile Station

Mobile StationDe-registered

D

Mobile Location Update: Ciphering

NewVLR

BMSCBSSMS

AUm

22

23

24

25

26

Set Ciphering Kc

Encipher Command Kc

Cipher Mode Command

Cipher Mode Complete

Encipher Complete

Mobile Location Update: TMSI Reallocation

NewVLR

BMSCBSSMS

AUm

27

28

29

30

31

Location Update Acceptnew TMSI

Location Update Complete

Clear SignallingConnection

Release RadioSignalling Channel

32Clear Complete

Location Update Acceptnew TMSI