Wireless Communication: GSM lec02
By Engr. Muhammad Ashraf Bhutta
(Transcript of a PowerPoint presentation)
Contents
• Recap of last lecture
• GSM interfaces
• Hand off
• Security In GSM
Logical Channel List
Traffic channels (TCH), two-way:
  TCH/F: Full-rate Traffic Channel
  TCH/H: Half-rate Traffic Channel
Signaling channels:
  BCH (broadcast channels), base-to-mobile:
    FCCH: Frequency correction
    SCH: Synchronization
    BCCH: Broadcast control
  CCCH (common control channels):
    PCH: Paging (base-to-mobile)
    AGCH: Access grant (base-to-mobile)
    RACH: Random access (mobile-to-base)
  DCCH (dedicated control channels), two-way:
    SDCCH: Stand-alone dedicated control
    SACCH: Slow associated control
    FACCH: Fast associated control
Burst
• The information contained in one time slot is a burst
• Five types of burst:
  – Normal Burst (NB): to carry information on traffic and control channels
  – Frequency Correction Burst (FB): to synchronize the frequency of the mobile
  – Synchronization Burst (SB): to synchronize the frames of the mobile
  – Access Burst (AB): for random and handover access
  – Dummy Burst: for padding the frame
Bursts and Frames
(Figure: the frame hierarchy, from the hyperframe of 2048 superframes down to the TDMA frame of timeslots 0..7, with the 26-frame and 51-frame multiframes in between.)
1 hyperframe = 2048 superframes = 2,715,648 TDMA frames (3 hours 28 minutes 53 seconds 760 milliseconds)
1 superframe = 1326 TDMA frames (6.12 seconds) = 51 (26-frame) multiframes or 26 (51-frame) multiframes
1 TDMA frame = 8 timeslots (120/26 ≈ 4.615 ms)
1 (26-frame) multiframe = 26 TDMA frames (120 ms), used for traffic channels
1 (51-frame) multiframe = 51 TDMA frames (≈ 235.4 ms), used for control channels
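The frame arithmetic behind those figures, as an added example that is not part of the lecture. It checks the hierarchy durations, splits a frame number into the T1/T2/T3 counters the mobile reads from the SCH, and packs them into the 22-bit COUNT that the ciphering algorithm later receives as "time info" (the packing order T1, T3, T2 is the one used by 3GPP TS 43.020 and by libosmocore; the function names are chosen here). Standard-library Python 3.

```python
# Added example (not from the lecture): GSM TDMA frame-number arithmetic.
# Checks the frame hierarchy quoted above and derives the T1/T2/T3
# counters the mobile recovers from the SCH. Written for Python 3.

FRAME_MS = 120 / 26              # one TDMA frame: 8 timeslots, ~4.615 ms
MF26 = 26                        # 26-frame multiframe (traffic channels)
MF51 = 51                        # 51-frame multiframe (control channels)
SUPERFRAME = MF26 * MF51         # 1326 frames: 51 x 26-frame or 26 x 51-frame
HYPERFRAME = 2048 * SUPERFRAME   # 2,715,648 frames; the frame number wraps here


def hierarchy_ms():
    """Duration in milliseconds of each level of the frame hierarchy."""
    return {
        "tdma_frame": FRAME_MS,
        "multiframe_26": MF26 * FRAME_MS,
        "multiframe_51": MF51 * FRAME_MS,
        "superframe": SUPERFRAME * FRAME_MS,
        "hyperframe": HYPERFRAME * FRAME_MS,
    }


def hyperframe_hms():
    """Hyperframe duration as (hours, minutes, seconds, milliseconds)."""
    total_ms = round(HYPERFRAME * FRAME_MS)
    h, rem = divmod(total_ms, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, ms = divmod(rem, 1_000)
    return h, m, s, ms


def decompose(fn):
    """Split a frame number into the counters broadcast on the SCH:
    T1 = superframe index, T2 = position in the 26-frame multiframe,
    T3 = position in the 51-frame multiframe."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside hyperframe")
    return fn // SUPERFRAME, fn % MF26, fn % MF51


def compose(t1, t2, t3):
    """Inverse of decompose(): 26 and 51 are coprime, so (T2, T3) fixes the
    position inside the superframe uniquely (Chinese remainder theorem)."""
    x = t3                       # smallest x with x % 51 == t3 and x % 26 == t2
    while x % MF26 != t2:
        x += MF51
    return t1 * SUPERFRAME + x


def a5_count(fn):
    """22-bit COUNT fed to A5 as the 'time info':
    (T1 << 11) | (T3 << 5) | T2, the packing of 3GPP TS 43.020 / libosmocore."""
    t1, t2, t3 = decompose(fn)
    return (t1 << 11) | (t3 << 5) | t2


if __name__ == "__main__":
    print(hierarchy_ms())
    print(hyperframe_hms())                     # (3, 28, 53, 760)
    fn = 1_234_567
    print(decompose(fn), compose(*decompose(fn)) == fn)
    print(hex(a5_count(fn)))
```

Note that COUNT, and with it the A5 keystream for a given Kc, repeats after one hyperframe; the per-call Kc described later in the lecture is what keeps that wrap-around harmless.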
GSM System Architecture
(Figure) Mobile station (handset with SIM card, optionally a data terminal) --Um--> BTS --Abis--> BSC --A (SS7)--> MSC, with the HLR/VLR, the OMC (Operation & Maintenance Center, reached over X.25 from an operation terminal) and the PSTN. BTS and BSC form the radio sub-system; MSC, HLR/VLR and OMC form the network sub-system.
Location Information -- GSM Service Area Hierarchy
• The area in which a subscriber can access the network.
(Figure) Hierarchy, largest to smallest: GSM Service Area > PLMN Service Area (one per operator) > MSC/VLR Service Area > Location Area > cell. Elements shown: GMSC, MSC/VLR, HLR, BSC, BTSs.
Identifiers used in call delivery:
  MSISDN --> IMSI --> MSC/VLR Service Area (resolved in the HLR)
  IMSI <--> MSRN (roaming number assigned by the serving MSC/VLR)
(Figure: Call Delivery from the PSTN through the GMSC, HLR and serving MSC/VLR; only the step numbers 1-9 survive in the transcript.)
GSM Interfaces (just some of them!)
Protocols: rules for exchanging data between different entities.
Protocol layers:
– Concept of dividing (usually complex) protocols into separate functions
– Higher protocol layers build on the functions ("services") of lower layers
– Each protocol layer can be designed and analyzed separately, as long as the "services" provided to higher protocol layers are unchanged
– Each protocol layer uses separate overhead information (e.g., header fields)
– Protocol "entities" in each layer communicate with their "peer entities" in the same layer
Numbers in parentheses indicate the relevant ETSI-GSM recommendations.
GSM Layers
• Layer 1: Physical layer
  – physical transmission
  – channel quality measurements
  – GSM Rec. 04.04 on the Um interface; PCM 30 or ISDN links are used on the fixed interfaces (GSM Rec. 08.54 on the Abis interface and 08.04 on the A to F interfaces)
• Layer 2: Data link layer
  – Multiplexing of layer 2 connections on control/signaling channels
  – Error detection (based on HDLC)
  – Flow control
  – Transmission quality assurance
  – Routing
• Layer 3: Network layer
  – Connection management (air interface)
  – Management of location data
  – Subscriber identification
  – Management of added services (SMS, call forwarding, conference calls, etc.)
Layer 1 (GSM Rec. 04.04): Um interface
• Layer 2 (GSM Rec. 04.05/06): LAP-Dm protocol (similar to ISDN LAP-D):
  – connectionless transfer on point-to-point and point-to-multipoint signaling channels
  – setup and tear-down of layer 2 connections on point-to-point signaling channels
  – connection-oriented transfer with in-order delivery, error detection and error correction
• Layer 3 (GSM Rec. 04.07/08) with sublayers for the control signaling channel functions (BCH, CCCH and DCCH):
  – Radio resource management (RR): establishes and releases a stable connection between the mobile station (MS) and the MSC for the duration of a call and maintains it despite user movement. RR functions:
    – cell selection
    – handover
    – allocation and tear-down of point-to-point channels
    – monitoring and forwarding of radio connections
    – enabling encryption
    – change of transmission mode
  – Mobility management (MM) handles the control functions required for mobility:
    – authentication
    – assignment of TMSI
    – management of subscriber location
  – Connection management (CM): sets up, maintains and tears down call connections:
    – Call control (CC): manages call connections
    – Supplementary service support (SS): handles special services
    – Short message service support (SMS): transfers brief text messages
Neither the BTS nor the BSC interprets CM and MM messages; these messages are exchanged between the MSC and the MS using the direct transfer application part (DTAP) protocol on the A interface.
Radio Resource Management (RR) messages are mapped to or from the base station system application part (BSSAP) for exchange with the MSC:
• Transmission mode (change) management
• Cipher mode management
• Discontinuous transmission mode management
• Handover execution
• Call re-establishment
• RR-session release
• Load management
Abis interface
Dividing line between the BSC function and the BTS.
BSC and BTS can be connected using leased lines, radio links, metropolitan area networks (MANs), LANs, ...
Two channel types exist between the BSC and BTS:
• Traffic channels (TCH): configured in 8, 16 and 64 kbps formats, for transporting user data
• Signaling channels: configured in 16, 32, 56 and 64 kbps formats, for signaling purposes between the BTS and BSC
Each transceiver (transmitter + receiver) generally requires a signaling channel on the Abis interface. User data is sent as Transcoder Rate Adapter Unit (TRAU) frames (for a 16 kbps traffic channel (TCH), 13.6 kbps are used for user data and 2.4 kbps for inband signaling, timing, and synchronization).
Personal Communication System (PCS)
Wireless channels are limited.
Item: Mobile phones
  Europe (MHz): NMT: 453-457, 463-467; GSM: 890-915, 935-960, 1710-1785, 1805-1880
  US (MHz): AMPS, TDMA, CDMA: 824-849, 869-894; GSM, TDMA, CDMA: 1850-1910, 1930-1990
  Japan (MHz): PDC: 810-826, 940-956, 1429-1465, 1477-1513
Item: Cordless phones
  Europe (MHz): CT1+: 885-887, 930-932; CT2: 864-868; DECT: 1880-1900
  US (MHz): PACS: 1850-1910, 1930-1990; PACS-UB: 1910-1930
  Japan (MHz): PHS: 1895-1918; JCT: 254-380
NMT: Nordic Mobile Telephone
PDC: Personal Digital Cellular
PACS: Personal Access Communications System
PHS: Personal Handy phone System
PACS-UB: PACS Unlicensed Band
JCT: Japanese Cordless Telephone
(Taken from Mobile Communications by Jochen Schiller)
Mobile cells
The entire coverage area is a group of a number of cells.
The size of a cell depends upon the power of the base station.
(Figure: cells served by base stations, connected to an MSC, which connects to the PSTN.)
Problems with cellular structure
How to maintain continuous communication between two parties in the presence of mobility (moving between cells)?
Solution: Handoff
How to maintain continuous communication between two parties in the presence of mobility (moving across the coverage areas of different service providers)?
Solution: Roaming
How to locate a mobile unit in the entire coverage area?
Solution: Location management
Handoff
A process which allows users to remain in touch even while breaking the connection with one BS and establishing a connection with another BS.
(Figure: an MS moving from the old BS to the new BS, both connected to the MSC.)
Handoff: to keep the conversation going, the handoff procedure should be completed while the MS (the bus in the figure) is in the cell overlap region.
(Figure: old BS and new BS with their cell overlap region.)
Handoff issues
• Handoff detection
• Channel assignment
• Radio link transfer
Handoff detection strategies
• Mobile-Controlled handoff (MCHO)
• Network-Controlled handoff (NCHO)
• Mobile-Assisted handoff (MAHO)
Mobile-Controlled Handoff (MCHO)
In this strategy, the MS continuously monitors the radio signal strength and quality of the surrounding BSs. When predefined criteria are met, the MS checks the best candidate BS for an available traffic channel and requests the handoff to occur. MCHO is used in DECT and PACS.
Network-Controlled Handoff (NCHO)
In this strategy, the surrounding BSs, the MSC or both monitor the radio signal. When the signal's strength and quality deteriorate below a predefined threshold, the network arranges for a handoff to another channel. NCHO is used in CT-2 Plus and AMPS.
Mobile-Assisted Handoff (MAHO)
It is a variant of the NCHO strategy. In this strategy, the network directs the MS to measure the signal from the surrounding BSs and to report those measurements back to the network. The network then uses these measurements to determine whether a handoff is required and to which channel. MAHO is used in GSM and IS-95 CDMA.
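What "predefined criteria" can look like on the network side of MAHO, as an added example that is not from the lecture: the MS reports received levels of its serving cell and neighbours, and the network orders a handoff only when a neighbour beats the serving cell by a hysteresis margin for several consecutive reports, so a mobile sitting in the overlap region does not ping-pong between cells. The thresholds, the report format and the trace are constructed for the example, not GSM parameters. Python 3, standard library only.

```python
# Added example (not from the lecture): a network-side MAHO decision loop.
# Thresholds, report format and the trace below are assumptions for the
# example, not GSM parameters.

from collections import deque
from dataclasses import dataclass, field


@dataclass
class HandoffPolicy:
    hysteresis_db: float = 3.0   # neighbour must beat the serving cell by this
    min_reports: int = 3         # ... for this many consecutive reports
    floor_dbm: float = -100.0    # below this the serving link is failing


@dataclass
class MahoController:
    serving: str
    policy: HandoffPolicy = field(default_factory=HandoffPolicy)
    history: deque = field(default_factory=deque)   # streak of agreeing reports
    handoffs: list = field(default_factory=list)    # (old cell, new cell) log

    def report(self, measurements):
        """Process one measurement report {cell_id: rx_level_dBm}.
        Returns the target cell if a handoff is ordered, else None."""
        serving_lvl = measurements[self.serving]
        best, best_lvl = max(
            ((c, l) for c, l in measurements.items() if c != self.serving),
            key=lambda cl: cl[1], default=(None, float("-inf")))
        if best is None:
            return None
        better = best_lvl - serving_lvl >= self.policy.hysteresis_db
        # The streak survives only while reports keep naming the same candidate.
        if better and (not self.history or self.history[-1] == best):
            self.history.append(best)
        else:
            self.history.clear()
        # A failing serving link is handed off at once, hysteresis or not.
        urgent = serving_lvl < self.policy.floor_dbm and best_lvl > serving_lvl
        if urgent or len(self.history) >= self.policy.min_reports:
            self.handoffs.append((self.serving, best))
            self.serving = best
            self.history.clear()
            return best
        return None


def run_trace(reports, start="A", policy=None):
    """Feed a sequence of reports through one controller; return its handoff log."""
    ctl = MahoController(serving=start, policy=policy or HandoffPolicy())
    for r in reports:
        ctl.report(r)
    return ctl.handoffs


# Constructed trace: the MS walks from cell A through the A/B overlap into B.
TRACE = [
    {"A": -70, "B": -90},
    {"A": -78, "B": -80},   # B close, but not 3 dB better
    {"A": -84, "B": -80},   # 1st report with B better by >= 3 dB
    {"A": -82, "B": -84},   # fading breaks the streak: no ping-pong
    {"A": -86, "B": -80},   # 1st
    {"A": -88, "B": -79},   # 2nd
    {"A": -89, "B": -78},   # 3rd -> handoff A -> B
    {"A": -95, "B": -75},   # B now serving; A is a weak neighbour
]

if __name__ == "__main__":
    print(run_trace(TRACE))                                     # [('A', 'B')]
    print(run_trace(TRACE, policy=HandoffPolicy(0.0, 1)))       # ping-pongs
```

With hysteresis and the report count set to zero and one, the same trace produces three handoffs (A to B, back to A, and to B again) from the single fading dip in report 4; that is the failure mode the margin exists to prevent.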
Handoff types with reference to the network
• Intra-system handoff or Inter-BS handoff: the new and the old BSs are connected to the same MSC.
• Intersystem handoff or Inter-MSC handoff: the new and the old BSs are connected to different MSCs.
(Figures: old BS and new BS under one MSC; old BS and new BS under two different MSCs.)
Handoff types with reference to link transfer
• Hard handoff: the MS connects with only one BS at a time, and there is usually some interruption in the conversation during the link transition.
• Soft handoff: the two BSs are briefly simultaneously connected to the MU while it crosses the cell boundary. As soon as the mobile's link with the new BS is acceptable, the initial BS disengages from the MU.
Hard handoff: message sequence
1. The MU temporarily suspends the voice conversation by sending a link suspend message to the old BS.
2. The MU sends a handoff request message through an idle time slot of the new BS to the network.
3. The new BS sends a handoff ack message and marks the slot busy.
4. The MU returns to the old assigned channel by sending a link resume message to the old BS.
5. The MU continues voice communication while the network prepares for the handoff.
6. Upon receipt of the handoff request message, the new BS sends a handoff ack message and reconfigures itself to effect the handoff.
7. The MSC inserts a bridge into the conversation path and bridges the new BS.
8. Finally, the network informs the MU to execute the handoff via both the new and old BSs by sending the handoff execute message.
9. The MU releases the old channel by sending an access release message to the old BS.
10. Once the MU has made the transfer to the new BS, it sends the network a handoff complete message through the new channel and resumes the voice communication. The network removes the bridge from the path and frees up the resources associated with the old channel.
Soft handoff: message sequence
1. The MU sends a pilot strength measurement message to the old BS, indicating the new BS to be added.
2. The old BS sends a handoff request message to the MSC. If the MSC accepts the handoff request, it sends a handoff request message to the new BS.
3. The new BS sends a null traffic message to the MU to prepare the establishment of the communication link.
4. The new BS sends a join request message to the MSC. The MSC bridges the connection for the two BSs, so that the handoff can be processed without breaking the connection.
5. The new BS sends a handoff ack message to the old BS via the MSC. The old BS instructs the MU to add a link to the new BS by exchanging the handoff command and handoff complete messages.
6. The old BS and the MSC conclude this procedure by exchanging the required handoff information. The quality of the new link is guaranteed by the exchange of the pilot measurement request and pilot strength measurement message pair between the MU and the new BS.
Roaming
Roaming is a facility which allows a subscriber to enjoy uninterrupted communication from anywhere in the entire coverage space.
A mobile network coverage space may be managed by a number of different service providers. They must cooperate with each other to provide the roaming facility.
Roaming can be provided only if some administrative and technical constraints are met.
Administrative constraints
• Billing
• Subscription agreement
• Call transfer charges
• User profile and database sharing
• Any other policy constraints
Technical constraints
• Bandwidth mismatch. For example, the European 900 MHz band may not be available in other parts of the world. This may preclude some mobile equipment from roaming.
• Service providers must be able to communicate with each other. Needs some standard.
• Mobile station constraints.
• Integration of a new service provider into the network. A roaming subscriber must be able to detect this new provider.
• Quick MU response to a service provider's availability.
• Limited battery life.
Location Management
Two-Tier Scheme
HLR: Home Location Register. An HLR stores the user profile and the geographical location.
VLR: Visitor Location Register. A VLR stores the user profile and the current location of a user who is visiting a cell other than its home cell.
Two-Tier Scheme steps. MU1 wants to talk to MU2.
(Figure: MU1 in Cell 1, MU2 in Cell 2.)
1. The VLR of cell 2 is searched for MU2's profile.
2. If it is not found, then the HLR is searched.
3. Once the location of MU2 is found, the information is sent to the base station of cell 1.
4. Cell 1 establishes the communication.
Two-Tier Scheme steps: location update
1. MU2 moves from cell 1 to cell 2.
2. MU2's location has changed, so the new location must be recorded.
3. The HLR is updated with the new location address.
4. MU2's entry is deleted from the VLR of cell 1 and a new entry is made in cell 2's VLR.
Security Algorithms in GSM
The various services and functions concerned with security in a GSM PLMN are categorized in the following way:
• Subscriber identity confidentiality
• Subscriber identity authentication
• Signaling information element confidentiality
• Data confidentiality for physical connections
Random access in GSM
1. The MS sends a short access burst over the Random Access CHannel (RACH) in the uplink using Slotted Aloha (in case of collision => retransmission after a random time).
2. After detecting the access burst, the network (BSC) returns an "immediate assignment" message which includes the following information:
   – the allocated physical channel (frequency, time slot) in which the assigned signalling channel is located
   – the timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.
Four security measures in GSM
1) PIN code (authentication of the user by the terminal => local security measure, the network is not involved)
2) SIM authentication (performed by the network)
3) Ciphering of information sent over the air interface
4) Usage of TMSI (instead of IMSI) over the air interface
IMSI = International Mobile Subscriber Identity (globally unique identity)
TMSI = Temporary Mobile Subscriber Identity (local and temporary identity)
Basic principle of user authentication
(Figure) The SIM (in the terminal) and the network both hold the authentication key Ki. The network sends a random number RAND as the challenge over the air interface; the SIM runs the authentication algorithm on (Ki, RAND) and returns the response SRES; the network runs the same algorithm on its own copy of Ki and compares the two results. The same? If yes, authentication is successful.
Ciphering in GSM
(Figure) MS and BTS each feed the ciphering key Kc and the time info into the ciphering algorithm and apply its output to the data, giving ciphered data on the air interface. The network starts ciphering with a cipher command (which carries the "time info" ...).
For each call, a new ciphering key (Kc) is generated during authentication, both in the MS and in the network (in the same way as the authentication "response").
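The "A5" box in the figure, as an added example that is not part of the lecture: a Python implementation of the A5/1 stream cipher built from the register description in the 1999 reference code by Briceno, Goldberg and Wagner (three LFSRs of 19, 22 and 23 bits, majority-rule clocking, 100 warm-up clocks). Its inputs are the 64-bit Kc and the 22-bit COUNT that the network derives from the TDMA frame number (the "time info" above); its output is 114 keystream bits per direction, XORed onto the payload bits of one burst. The key and payload values are constructed for the example, and `cipher_burst` is a helper name chosen here.

```python
# Added example (not from the lecture): A5/1 keystream generation and burst
# ciphering. Register sizes, taps, clocking and output bits follow the
# published Briceno/Goldberg/Wagner description. Python 3, no dependencies.

R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10          # clocking bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22          # output bits


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one LFSR left, feeding the parity of its tapped bits into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc, count):
        if len(kc) != 8 or not 0 <= count < (1 << 22):
            raise ValueError("Kc must be 8 bytes, COUNT a 22-bit value")
        self.r1 = self.r2 = self.r3 = 0
        # Key, then frame number, are mixed in while all three registers clock.
        for i in range(64):
            self._clock_all()
            bit = (kc[i >> 3] >> (i & 7)) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for i in range(22):
            self._clock_all()
            bit = (count >> i) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for _ in range(100):          # warm-up under majority control, output dropped
            self._clock()

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Majority rule: a register steps only if its clocking bit agrees
        with the majority of the three clocking bits."""
        b1, b2, b3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj: self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj: self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj: self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _bit(self):
        return _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)

    def keystream(self):
        """228 bits: the first 114 for the downlink (BTS -> MS), the next 114
        for the uplink (MS -> BTS)."""
        bits = []
        for _ in range(228):
            self._clock()
            bits.append(self._bit())
        return bits[:114], bits[114:]


def cipher_burst(kc, count, payload_bits, uplink=False):
    """XOR the 114 payload bits of one normal burst with the A5/1 keystream
    for this frame. The same call decrypts, since XOR is its own inverse."""
    if len(payload_bits) != 114:
        raise ValueError("a normal burst carries 114 payload bits")
    down, up = A51(kc, count).keystream()
    ks = up if uplink else down
    return [p ^ k for p, k in zip(payload_bits, ks)]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789ABCDEF")        # constructed key
    plain = [(i * 7) & 1 for i in range(114)]     # constructed payload bits
    ct = cipher_burst(kc, 0x134, plain)
    print(cipher_burst(kc, 0x134, ct) == plain)   # True: roundtrip
    print(sum(a != b for a, b in zip(plain, ct)), "bits flipped by the keystream")
```

Because the keystream depends on nothing but Kc and COUNT, two bursts ciphered under the same Kc at the same frame position get the same keystream, and XOR of the two ciphertexts cancels it; this is why the figure shows "time info" as a second input and why the lecture stresses that Kc is generated afresh for each call.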
Three security algorithms in GSM
(Figure, mobile station side) The SIM holds Ki. A3 takes Ki and RAND (from the network) and produces SRES (to the network); A8 takes Ki and RAND and produces Kc; A5 takes Kc and the time info (from the network) and turns data into ciphered data.
Three security algorithms in GSM, at the network side ...
(Figure, network side) The Authentication Center (AuC) holds Ki and generates RAND; it runs A3 and A8 to produce SRES and Kc and hands the authentication vector (RAND, SRES, Kc) to the radio network. The radio network sends RAND to the MS, compares the SRES received from the MS with the SRES in the vector (the same?), and passes Kc to the BTS for ciphering with A5.
Algorithm considerations
• Using the output and one or more of the inputs, it must in practice be impossible to calculate "backwards" the other input(s); the attacker is left with a "brute force approach" (exhaustive search).
• Key length in bits (N) is important: with a brute force approach, up to 2^N calculation attempts may be needed.
• "The strength of the algorithm is that it is secret" => bad idea! ("security through obscurity")
• Better: an open algorithm can be tested by the engineering community (security through a strong algorithm).
Usage of TMSI in GSM
(Figure) Sequence between MS and network: random access; authentication; start ciphering; new TMSI allocated by the network and stored in the SIM; subsequent CM or MM transactions identified by the TMSI; IMSI detach.
The IMSI is never sent over the air interface if not absolutely necessary!
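The authentication, ciphering and TMSI slides as one offline exchange, added here as an example that is not from the lecture. A3 and A8 are operator-specific, so they are stood in for by HMAC-SHA256 truncated to a 32-bit SRES and a 64-bit Kc (an assumption for the example, not any operator's algorithm); ciphering itself is only represented by the cipher mode command in the message trace, since the point is identity handling: the IMSI crosses the air interface once, and every later access uses a TMSI allocated after ciphering has started. The message names, the `T` prefix for TMSIs and the subscriber data are constructed.

```python
# Added example (not from the lecture): challenge-response authentication,
# authentication vectors and TMSI reallocation as one offline exchange.
# a3_a8() is an HMAC placeholder for the operator's A3/A8, not a real one.

import hmac
import hashlib
import os


def a3_a8(ki, rand):
    """Placeholder for A3 (SRES) and A8 (Kc); both derive from Ki and RAND."""
    mac = hmac.new(ki, rand, hashlib.sha256).digest()
    return mac[:4], mac[4:12]          # SRES (32 bit), Kc (64 bit)


class AuC:
    """Authentication Center: the only network element that holds Ki."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)   # IMSI -> Ki

    def vector(self, imsi):
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc          # the authentication vector (triplet)


class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.tmsi = imsi, ki, None

    def respond(self, rand):
        return a3_a8(self._ki, rand)   # SRES goes to the network, Kc stays


class VLR:
    """Serving MSC/VLR: maps TMSI <-> IMSI and keeps Kc per subscriber."""
    def __init__(self, auc):
        self.auc, self.by_tmsi, self.kc = auc, {}, {}

    def resolve(self, identity):
        # Constructed convention: TMSIs start with "T", IMSIs are all digits.
        return self.by_tmsi.get(identity) if identity.startswith("T") else identity

    def new_tmsi(self, imsi):
        """Invalidate any old TMSI of this IMSI and allocate a fresh random one."""
        self.by_tmsi = {t: i for t, i in self.by_tmsi.items() if i != imsi}
        tmsi = "T" + os.urandom(4).hex()
        self.by_tmsi[tmsi] = imsi
        return tmsi


def access(sim, vlr, trace):
    """One access: identity, authentication, cipher start, TMSI reallocation.
    Appends each air-interface message to `trace`; returns True if the
    network accepted the authentication response."""
    identity = sim.tmsi or sim.imsi
    trace.append(("MS->NET", "CM service request", identity))
    imsi = vlr.resolve(identity)
    if imsi is None:                    # TMSI unknown here (e.g. VLR restart)
        trace.append(("NET->MS", "identity request", None))
        trace.append(("MS->NET", "identity response", sim.imsi))
        imsi = sim.imsi
    rand, sres, kc = vlr.auc.vector(imsi)
    trace.append(("NET->MS", "authentication request", rand.hex()))
    ms_sres, ms_kc = sim.respond(rand)
    trace.append(("MS->NET", "authentication response", ms_sres.hex()))
    if not hmac.compare_digest(ms_sres, sres):
        trace.append(("NET->MS", "authentication reject", None))
        return False
    assert ms_kc == kc                  # both sides now share Kc without sending it
    vlr.kc[imsi] = kc
    trace.append(("NET->MS", "cipher mode command", "A5 with Kc"))
    sim.tmsi = vlr.new_tmsi(imsi)       # delivered inside the ciphered channel
    trace.append(("NET->MS", "TMSI reallocation (ciphered)", sim.tmsi))
    return True


def imsi_exposures(trace, imsi):
    """Number of air-interface messages whose payload is the bare IMSI."""
    return sum(1 for _, _, payload in trace if payload == imsi)


def demo():
    ki = os.urandom(16)                 # constructed subscriber
    auc = AuC({"262010123456789": ki})
    vlr = VLR(auc)
    good = SIM("262010123456789", ki)
    trace = []
    ok = [access(good, vlr, trace) for _ in range(3)]
    # Same IMSI, wrong Ki: the clone never gets past the SRES comparison.
    clone = SIM("262010123456789", os.urandom(16))
    bad = access(clone, vlr, trace)
    return ok, bad, imsi_exposures(trace, good.imsi)


if __name__ == "__main__":
    print(demo())   # ([True, True, True], False, 2)
```

Two things the trace makes visible: Ki and Kc never appear in it, only RAND and SRES do; and the exchange is one-sided, since nothing in it lets the SIM check that the network it answered actually holds Ki.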
What Is LNP?
LNP is a circuit-switched network capability which allows an end-user to change Service Provider (SP), location, and/or service type without having to change their telephone number. The three types of LNP are:
1. Service Provider Portability: allows an end-user to change SP while retaining his/her telephone number. Service provider portability is made technically feasible by the Location Routing Number (LRN).
2. Location (Geographic) Portability: allows an end-user to change from one geographic area to another while retaining his/her telephone number (the current Location Routing Number (LRN) model does allow limited location portability within the rate boundaries).
3. Service Portability: allows an end-user to change service (e.g., CENTREX to POTS, etc.) while retaining his/her telephone number with the same Service Provider.
Typical LRN Call Flow
(Figure: originating switch, LNP processing, direct routing to the recipient switch.)
What Components Are Required in an LNP Capable Network?
The components for an LNP capable network include:
• Service Switching Point (SSP)
• Signal Transfer Point (STP)
• Service Control Point (SCP)
• Local Service Management System (LSMS) / Service Order Administration (SOA)