Wireless Communication: GSM lec02 By Engr. Muhammad Ashraf Bhutta


Post on 03-Jan-2016


TRANSCRIPT

Page 1: Wireless Communication :GSM lec02 By

Wireless Communication: GSM lec02

By Engr. Muhammad Ashraf Bhutta

Page 2: Wireless Communication :GSM lec02 By

Contents

• Recap of last lecture

• GSM interfaces

• Hand off

• Security In GSM

Page 3: Wireless Communication :GSM lec02 By

Logical Channel List

Traffic channels (TCH), two-way:

• TCH/F: Full-rate Traffic Channel

• TCH/H: Half-rate Traffic Channel

Signaling channels:

• BCH (broadcast channels, base-to-mobile): FCCH: Frequency correction; SCH: Synchronization; BCCH: Broadcast control

• CCCH (common control channels): PCH: Paging; AGCH: Access grant; RACH: Random access

• DCCH (dedicated control channels, two-way): SDCCH: Stand-alone dedicated control; SACCH: Slow associated control; FACCH: Fast associated control

Page 4: Wireless Communication :GSM lec02 By

Burst

• The information contained in one time slot is a burst

• Five types of burst

– Normal Burst (NB): to carry information on traffic and control channels

– Frequency Correction Burst (FB): to synchronize the frequency of the mobile

– Synchronization Burst (SB): to synchronize the frames of the mobile

– Access Burst (AB): for random and handover access

– Dummy Burst: for padding the frame

Page 5: Wireless Communication :GSM lec02 By

Bursts and Frames

(Figure: TDMA frame hierarchy: timeslots 0-7 within one frame, 26-frame and 51-frame multiframes, superframes of 51 or 26 multiframes, and the hyperframe of superframes 0-2047.)

1 hyperframe = 2048 superframes = 2,715,648 TDMA frames (3 hours 28 minutes 53 seconds 760 microseconds)

1 superframe = 1326 TDMA frames (6.12 seconds) = 51 (26-frame) multiframes or 26 (51-frame) multiframes

1 TDMA frame = 8 timeslots (120/26 ≈ 4.615 ms)

1 (26-frame) multiframe = 26 TDMA frames (120 ms)

1 (51-frame) multiframe = 51 TDMA frames (120 ms)

Page 6: Wireless Communication :GSM lec02 By

GSM System Architecture

(Figure: GSM system architecture. Mobile station (handset with SIM card) <-Um-> BTS <-A-bis-> BSC <-A-> MSC with HLR/VLR, connected onwards to the PSTN and to data terminals. The radio sub-system (MS, BTS, BSC) and the network sub-system (MSC, HLR/VLR) are drawn separately; the OMC (Operation & Maintenance Center) with its operation terminal is attached via X.25, and SS7 carries the signaling in the network sub-system.)

Page 7: Wireless Communication :GSM lec02 By

Location Information --GSM Service Area Hierarchy

• The area in which a subscriber can access the network.

Hierarchy (smallest to largest): cell < Location Area < MSC/VLR Service Area < PLMN Service Area (one per operator) < GSM Service Area

Page 8: Wireless Communication :GSM lec02 By

Call Delivery

(Figure: call-delivery sequence, steps 1-9, between the PSTN, the GMSC, the HLR, the serving MSC/VLR, the BSC and three BTSs. The dialled MSISDN is resolved to the IMSI and to the serving MSC/VLR service area (MSISDN --> IMSI --> MSC/VLR Service Area), and the IMSI is mapped to a roaming number for routing the call (IMSI <--> MSRN).)

Page 9: Wireless Communication :GSM lec02 By

GSM Interfaces (just some of them!)

Page 10: Wireless Communication :GSM lec02 By

Protocols

• Rules for exchanging data between different entities

Protocol layers

• Concept of dividing (usually complex) protocols into separate functions

• Higher protocol layers build on the functions (“services”) of lower layers

• Each protocol layer can be designed and analyzed separately, if the “services” provided to higher protocol layers are unchanged

• Each protocol layer uses separate overhead information (e.g., header fields)

• Protocol “entities” in each layer communicate with their “peer entities” in the same layer

Page 11: Wireless Communication :GSM lec02 By

Numbers in parentheses indicate the relevant ETSI-GSM recommendations.

Page 12: Wireless Communication :GSM lec02 By

GSM Layers

• Layer 1: Physical layer

– physical transmission

– channel quality measurements

– GSM Rec. 04.04; PCM 30 or ISDN links are used (GSM Rec. 08.54 on the Abis interface and 08.04 on the A to F interfaces)

• Layer 2: Data link layer

– Multiplexing of layer 2 connections on control/signaling channels

Page 13: Wireless Communication :GSM lec02 By

– Error detection (based on HDLC)

– Flow control

– Transmission quality assurance

– Routing

• Layer 3: Network layer

– Connection management (air interface)

– Management of location data

– Subscriber identification

– Management of added services (SMS, call forwarding, conference calls, etc.)

Page 14: Wireless Communication :GSM lec02 By

• Layer 1 (GSM Rec. 04.04): Um interface

• Layer 2 (GSM Rec. 04.05/06): LAP-Dm protocol (similar to ISDN LAP-D):

– connectionless transfer of point-to-point and point-to-multipoint signaling channels

– setup and tear-down of layer 2 connections of point-to-point signaling channels

– connection-oriented transfer with in-order delivery, error detection and error correction

• Layer 3 (GSM Rec. 04.07/08) with sublayers for control signaling channel functions (BCH, CCCH and DCCH):

Page 15: Wireless Communication :GSM lec02 By

• Radio resource management (RR): establishes and releases a stable connection between mobile stations (MS) and an MSC for the duration of a call, and maintains the connection despite user movements. Functions of the MSC:

– cell selection

– handover

– allocation and tear-down of point-to-point channels

– monitoring and forwarding of radio connections

– enabling encryption

– change of transmission mode

Page 16: Wireless Communication :GSM lec02 By

• Mobility management (MM) handles the control functions required for mobility:

– authentication

– assignment of TMSI

– management of subscriber location

• Connection management (CM): sets up, maintains and tears down call connections:

– Call control (CC): manages call connections

– Supplementary service support (SS): handles special services

– Short message service support (SMS): transfers brief text messages

Page 17: Wireless Communication :GSM lec02 By

Neither the BTS nor the BSC interprets CM and MM messages; these messages are exchanged between the MSC and the MS using the direct transfer application part (DTAP) protocol on the A interface.

Radio Resource Management (RR) messages are mapped to or from the base station system application part (BSSAP) for exchange with the MSC:

• Transmission mode (change) management

• Cipher mode management

• Discontinuous transmission mode management

• Handover execution

• Call re-establishment

• RR-session release

• Load management

Page 18: Wireless Communication :GSM lec02 By

Abis interface

Dividing line between the BSC function and the BTS.

BSC and BTS can be connected using leased lines, radio links, metropolitan area networks (MANs), LANs, …

Two channel types exist between the BSC and BTS:

• Traffic channels (TCH): configured in 8, 16 and 64 kbps formats, for transporting user data

Page 19: Wireless Communication :GSM lec02 By

• Signaling channels: configured in 16, 32, 56 and 64 kbps formats, for signaling purposes between the BTS and BSC

Each transceiver (transmitter + receiver) generally requires a signaling channel on the Abis interface. Data is sent as Transcoder Rate Adapter Unit (TRAU) frames (for a 16 kbps traffic channel (TCH), 13.6 kbps are used for user data and 2.4 kbps for inband signaling, timing, and synchronization).

Page 20: Wireless Communication :GSM lec02 By

Personal Communication System (PCS)

Wireless channels are limited

Item | Europe (MHz) | US (MHz) | Japan (MHz)

Mobile phones | NMT: 453-457, 463-467; GSM: 890-915, 935-960, 1710-1785, 1805-1880 | AMPS, TDMA, CDMA: 824-849, 869-894; GSM, TDMA, CDMA: 1850-1910, 1930-1990 | PDC: 810-826, 940-956, 1429-1465, 1477-1513

Cordless phones | CT1+: 885-887, 930-932; CT2: 864-868; DECT: 1880-1900 | PACS: 1850-1910, 1930-1990; PACS-UB: 1910-1930 | PHS: 1895-1918; JCT: 254-380

NMT: Nordic Mobile Telephone; PDC: Pacific Digital Cellular; PACS: Personal Access Communications System; PHS: Personal Handy phone System; PACS-UB: PACS Unlicensed Band; JCT: Japanese Cordless Telephone

(Taken from Mobile Communications by Jochen Schiller)

Page 21: Wireless Communication :GSM lec02 By

Mobile cells

The entire coverage area is a group of a number of cells.

The size of a cell depends upon the power of the base stations.

(Figure: cells connected through the MSC to the PSTN.)

Page 22: Wireless Communication :GSM lec02 By

Problems with cellular structure

How to maintain continuous communication between two parties in the presence of mobility?

Solution: Handoff

How to maintain continuous communication between two parties in the presence of mobility?

Solution: Roaming

How to locate a mobile unit in the entire coverage area?

Solution: Location management

Page 23: Wireless Communication :GSM lec02 By

Handoff

A process which allows users to remain in touch, even while breaking the connection with one BS and establishing a connection with another BS.

(Figure: three stages of a handoff between the Old BS and the New BS under the MSC.)

Page 24: Wireless Communication :GSM lec02 By

Handoff

To keep the conversation going, the handoff procedure should be completed while the MS (the bus) is in the overlap region.

(Figure: Old BS, New BS and the cell overlap region between them.)

Page 25: Wireless Communication :GSM lec02 By

Handoff issues

Handoff detection

Channel assignment

Radio link transfer

Page 26: Wireless Communication :GSM lec02 By

Handoff detection strategies

Mobile-Controlled handoff (MCHO)

Network-Controlled handoff (NCHO)

Mobile-Assisted handoff (MAHO)

Page 27: Wireless Communication :GSM lec02 By

Mobile-Controlled Handoff (MCHO)

In this strategy, the MS continuously monitors the radio signal strength and quality of the surrounding BSs. When predefined criteria are met, the MS checks for the best candidate BS for an available traffic channel and requests the handoff to occur. MCHO is used in DECT and PACS.

Page 28: Wireless Communication :GSM lec02 By

Network-Controlled Handoff (NCHO)

In this strategy, the surrounding BSs, the MSC or both monitor the radio signal. When the signal’s strength and quality deteriorate below a predefined threshold, the network arranges for a handoff to another channel. NCHO is used in CT-2 Plus and AMPS.

Page 29: Wireless Communication :GSM lec02 By

Mobile-Assisted Handoff (MAHO)

It is a variant of the NCHO strategy. In this strategy, the network directs the MS to measure the signal from the surrounding BSs and to report those measurements back to the network. The network then uses these measurements to determine where a handoff is required and to which channel. MAHO is used in GSM and IS-95 CDMA.
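The network-side decision in MAHO, as an added worked example (not from the slides): the MS reports received levels for the serving and surrounding BSs, and the network decides whether a handoff is required and to which BS and channel. The threshold and hysteresis margin are assumptions standing in for the slide's "predefined criteria", and all measurement values are constructed.

```python
"""Network-side MAHO decision: the MS reports the received level of the
serving and surrounding BSs; the network decides whether a handoff is
required and to which BS/channel. Threshold and hysteresis are assumptions
(the slides only say "predefined criteria"); the report values are
constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MeasurementReport:
    """What the MS reports back to the network (levels in dBm)."""
    serving_bs: str
    serving_dbm: float
    neighbours: dict = field(default_factory=dict)  # BS id -> level in dBm


HANDOFF_THRESHOLD_DBM = -95.0  # assumed: evaluate a handoff below this level
HYSTERESIS_DB = 3.0            # assumed: candidate must beat serving by this


def decide_handoff(report, free_channels):
    """Return (target_bs, channel) when a handoff is required, else None.

    free_channels maps BS id -> list of idle traffic channels on that BS.
    Candidates are ranked by reported level; a candidate that is not clearly
    better than the serving BS (hysteresis) is skipped so the MS does not
    ping-pong between two cells of similar strength."""
    if report.serving_dbm >= HANDOFF_THRESHOLD_DBM:
        return None  # serving link still acceptable: no handoff
    ranked = sorted(report.neighbours.items(), key=lambda kv: kv[1], reverse=True)
    for bs, level in ranked:
        if level - report.serving_dbm < HYSTERESIS_DB:
            break  # this and all remaining candidates are not clearly better
        if free_channels.get(bs):
            return bs, free_channels[bs][0]  # channel assignment
    # Either no clearly better neighbour, or none with an idle channel:
    # keep the current link and re-evaluate on the next measurement report.
    return None


if __name__ == "__main__":
    # Constructed report: the serving cell fades while crossing the overlap region
    report = MeasurementReport("BS-A", -98.0, {"BS-B": -90.0, "BS-C": -94.0})
    print(decide_handoff(report, {"BS-B": ["tch-7"], "BS-C": ["tch-2"]}))  # ('BS-B', 'tch-7')
    print(decide_handoff(report, {"BS-B": [], "BS-C": ["tch-2"]}))         # ('BS-C', 'tch-2')
```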

Page 30: Wireless Communication :GSM lec02 By

Handoff types with reference to the network

Intra-system handoff or Inter-BS handoff

The new and the old BSs are connected to the same MSC.

(Figure: Old BS and New BS under one MSC.)

Page 31: Wireless Communication :GSM lec02 By

Handoff types with reference to the network

Intersystem handoff or Inter-MSC handoff

The new and the old BSs are connected to different MSCs.

(Figure: Old BS and New BS under two different MSCs.)

Page 32: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Hard handoff

The MS connects with only one BS at a time, and there is usually some interruption in the conversation during the link transition.

Soft handoff

The two BSs are briefly simultaneously connected to the MU while crossing the cell boundary. As soon as the mobile's link with the new BS is acceptable, the initial BS disengages from the MU.

Page 33: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Hard handoff

1. MU temporarily suspends the voice conversation by sending a link suspend message to the old BS.

2. MU sends a handoff request message through an idle time slot of the new BS to the network.

3. The new BS sends a handoff ack message and marks the slot busy.

4. The MU returns to the old assigned channel by sending a link resume message to the old BS.

Page 34: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Hard handoff

5. MU continues voice communication while the network prepares for the handoff.

6. Upon receipt of a handoff request message, the new BS sends a handoff ack message and reconfigures itself to effect the handoff.

7. The MSC inserts a bridge into the conversation path and bridges the new BS.

8. Finally, the network informs the MU to execute the handoff via both the new and old BSs by sending the handoff execute message.

Page 35: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Hard handoff

9. MU releases the old channel by sending an access release message to the old BS.

10. Once the MU has made the transfer to the new BS, it sends the network a handoff complete message through the new channel, and resumes the voice communication. The network removes the bridge from the path and frees up the resources associated with the old channel.

Page 36: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Soft handoff

1. MU sends a pilot strength measurement message to the old BS, indicating the new BS to be added.

2. The old BS sends a handoff request message to the MSC. If the MSC accepts the handoff request, it sends a handoff request message to the new BS.

3. The BS sends a null traffic message to the MU to prepare the establishment of the communication link.

Page 37: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Soft handoff

4. The new BS sends a join request message to the MSC. The MSC bridges the connection for the two BSs, so that the handoff can be processed without breaking the connection.

5. The new BS sends a handoff ack message to the old BS via the MSC. The old BS instructs the MU to add a link to the new BS by exchanging the handoff command and handoff complete messages.

Page 38: Wireless Communication :GSM lec02 By

Handoff types with reference to link transfer

Soft handoff

6. The old BS and the MSC conclude this procedure by exchanging the required handoff information. The quality of the new link is guaranteed by the exchange of the pilot measurement request and the pilot strength measurement message pair between the MU and the new BS.

Page 39: Wireless Communication :GSM lec02 By

Roaming

Roaming is a facility which allows a subscriber to enjoy uninterrupted communication from anywhere in the entire coverage space.

A mobile network coverage space may be managed by a number of different service providers. They must cooperate with each other to provide the roaming facility.

Roaming can be provided only if some administrative and technical constraints are met.

Page 40: Wireless Communication :GSM lec02 By

Roaming

Administrative constraints

Billing.

Subscription agreement.

Call transfer charges.

User profile and database sharing.

Any other policy constraints.

Page 41: Wireless Communication :GSM lec02 By

Roaming

Technical constraints

Bandwidth mismatch. For example, the European 900 MHz band may not be available in other parts of the world. This may preclude some mobile equipment from roaming.

Service providers must be able to communicate with each other. This needs some standard.

Mobile station constraints.

Page 42: Wireless Communication :GSM lec02 By

Roaming

Technical constraints

Integration of a new service provider into the network. A roaming subscriber must be able to detect this new provider.

Service providers must be able to communicate with each other. This needs some standard.

Quick MU response to a service provider’s availability.

Limited battery life.

Page 43: Wireless Communication :GSM lec02 By

Location Management

Two-Tier Scheme

HLR: Home Location Register

An HLR stores the user profile and the geographical location.

VLR: Visitor Location Register

A VLR stores the user profile and the current location of a user who is a visitor to a cell other than its home cell.

Page 44: Wireless Communication :GSM lec02 By

Location Management

Two-Tier Scheme steps. MU1 wants to talk to MU2.

(Figure: MU1 in Cell 1, MU2 in Cell 2.)

Page 45: Wireless Communication :GSM lec02 By

Location Management

Two-Tier Scheme steps. MU1 wants to talk to MU2.

1. VLR of cell 2 is searched for MU2’s profile.

2. If it is not found, then HLR is searched.

3. Once the location of MU2 is found, the information is sent to the base station of cell 1.

4. Cell 1 establishes the communication.

Page 46: Wireless Communication :GSM lec02 By

Location Management

Two-Tier Scheme steps location update

1. MU2 moves from cell 1 to cell 2.

2. MU2’s location is changed so new location must be recorded.

3. HLR is updated with the new location address.

4. MU2’s entry is deleted from the VLR of cell 1 and a new entry is made in cell 2’s VLR.
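The two-tier scheme of the last three slides and the MSISDN --> IMSI --> MSC/VLR --> MSRN resolution of the call-delivery slide, as an added worked example (not from the slides): a location update moves MU2's entry between VLRs, and a later lookup searches the VLR first and then the HLR. Class names, the MSRN format and all identifiers are constructed for the example.

```python
"""Model of the two-tier HLR/VLR scheme: location update (steps 1-4 above),
the VLR-then-HLR lookup when MU1 calls MU2, and MSISDN -> IMSI -> MSC/VLR
-> MSRN resolution from the call-delivery slide. All identifiers and the
MSRN format are constructed for this example."""


class VLR:
    """Visitor Location Register of one MSC/VLR service area."""

    def __init__(self, area):
        self.area = area
        self.visitors = {}    # IMSI -> copy of the subscriber profile
        self._msrn_seq = 0

    def allocate_msrn(self, imsi):
        """Mobile Station Roaming Number: temporary number the HLR hands
        back so the call can be routed to this MSC (IMSI <-> MSRN)."""
        self._msrn_seq += 1
        return f"{self.area}-MSRN-{self._msrn_seq}"


class HLR:
    """Home Location Register: permanent profiles plus the VLR currently
    serving each IMSI."""

    def __init__(self):
        self.profiles = {}        # IMSI -> profile
        self.msisdn_to_imsi = {}  # dialled number -> IMSI
        self.location = {}        # IMSI -> serving VLR

    def register(self, msisdn, imsi, profile):
        self.msisdn_to_imsi[msisdn] = imsi
        self.profiles[imsi] = profile

    def location_update(self, imsi, new_vlr):
        """Location update: record the new area in the HLR (step 3), delete
        the entry in the old VLR and create one in the new VLR (step 4)."""
        old_vlr = self.location.get(imsi)
        if old_vlr is new_vlr:
            return
        if old_vlr is not None:
            old_vlr.visitors.pop(imsi, None)
        new_vlr.visitors[imsi] = dict(self.profiles[imsi])
        self.location[imsi] = new_vlr

    def route(self, msisdn):
        """Call delivery: MSISDN -> IMSI -> serving MSC/VLR -> MSRN.
        Returns None when the subscriber is not registered anywhere."""
        imsi = self.msisdn_to_imsi.get(msisdn)
        vlr = self.location.get(imsi)
        return None if vlr is None else vlr.allocate_msrn(imsi)


def find_callee(caller_vlr, hlr, callee_msisdn):
    """Two-tier lookup: search the local VLR for the callee's profile first;
    only if it is not there, ask the HLR where the callee currently is."""
    imsi = hlr.msisdn_to_imsi.get(callee_msisdn)
    if imsi in caller_vlr.visitors:
        return "local", caller_vlr.area
    msrn = hlr.route(callee_msisdn)
    return ("hlr", msrn) if msrn else ("unknown", None)
```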

Page 47: Wireless Communication :GSM lec02 By

Security Algorithms in GSM

Page 48: Wireless Communication :GSM lec02 By

The various services and functions concerned with security in a GSM PLMN are categorized in the following way

Subscriber identity confidentiality

Subscriber identity authentication

Signaling information element confidentiality

Data confidentiality for physical connection

Page 49: Wireless Communication :GSM lec02 By

Random access in GSM

1. MS sends a short access burst over the Random Access CHannel (RACH) in uplink using Slotted Aloha (in case of collision => retransmission after random time)

2. After detecting the access burst, the network (BSC) returns an ”immediate assignment” message which includes the following information:

- allocated physical channel (frequency, time slot) in which the assigned signalling channel is located

- timing advance (for correct time slot alignment)

3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.

Page 50: Wireless Communication :GSM lec02 By

Four security measures in GSM

1) PIN code (authentication of user using terminal => local security measure, network is not involved)

2) SIM authentication (performed by network)

3) Ciphering of information sent over air interface

4) Usage of TMSI (instead of IMSI ) over air interface

IMSI = International Mobile Subscriber Identity (globally unique identity)

TMSI = Temporary Mobile Subscriber Identity (local and temporary identity)

Page 51: Wireless Communication :GSM lec02 By

Basic principle of user authentication

(Figure: challenge-response between the SIM (in the terminal) and the network over the air interface. The network sends a random number (RAND) as the challenge. Both the SIM and the network run the authentication algorithm on RAND with the authentication key Ki and obtain a response (SRES). The SIM returns its SRES and the network compares the two values. The same? If yes, authentication is successful.)

Page 52: Wireless Communication :GSM lec02 By

Ciphering in GSM

(Figure: the MS and the BTS each run the ciphering algorithm with the ciphering key Kc and time info; the MS enciphers its data, sends it over the air as ciphered data, and the BTS deciphers it. The network starts the procedure with a cipher command (carrying the ”time info” ...).)

For each call, a new ciphering key (Kc) is generated during authentication both in the MS and in the MSC (in the same way as the authentication “response”).

Page 53: Wireless Communication :GSM lec02 By

Three security algorithms in GSM

(Figure, mobile station side: A3 takes Ki and RAND (from network) and produces SRES (to network); A8 takes Ki and RAND and produces Kc; A5 takes Kc, time info (from network) and the data and produces the ciphered data.)

Page 54: Wireless Communication :GSM lec02 By

Three security algorithms in GSMat the network side ...

(Figure, network side: the Authentication Center (AuC) holds Ki, generates RAND and runs A3 and A8 to obtain SRES and Kc; the authentication vector (RAND, SRES, Kc) is passed to the radio network. The radio network sends RAND to the MS, compares the SRES returned by the MS with the SRES from the vector (the same?), and uses Kc for A5 ciphering in the BTS.)

Page 55: Wireless Communication :GSM lec02 By

Algorithm considerations

Using the output and one or more inputs, it is in practice not possible to calculate “backwards” the other input(s); only a “brute force approach” (“extensive search”) remains.

Key length in bits (N) is important (in case of a brute force approach, 2^N calculation attempts may be needed).

Strength of algorithm is that it is secret => bad idea! (“security through obscurity”)

Better: an open algorithm can be tested by the engineering community (security through a strong algorithm).

Page 56: Wireless Communication :GSM lec02 By

Usage of TMSI in GSM

(Figure: message sequence between the MS and the network: random access, authentication, start ciphering, new TMSI allocated by the network, new TMSI stored in the SIM; the subsequent CM or MM transactions and the IMSI detach use the TMSI.)

IMSI is never sent over the air interface if not absolutely necessary!
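The procedures of the authentication, ciphering and TMSI slides above, as one added worked example (not from the slides): the AuC builds the (RAND, SRES, Kc) vector, the SIM answers the RAND challenge, the MSC/VLR compares SRES and, once ciphering is on, allocates a fresh TMSI that the next transaction uses in place of the IMSI. A3 and A8 are operator-specific and are not on the slides, so a keyed hash (HMAC-SHA256, truncated to the GSM field sizes) stands in for them here; all keys and identities are constructed.

```python
"""Model of GSM authentication, Kc derivation and TMSI reallocation: the AuC
builds an authentication vector (RAND, SRES, Kc), the SIM answers the RAND
challenge, the MSC/VLR compares SRES, and a fresh TMSI is allocated after
ciphering starts. A3/A8 are operator-specific, so HMAC-SHA256 stands in for
them here, truncated to GSM's sizes (SRES 32 bits, Kc 64 bits). All keys
and identities are constructed for this example."""
import hashlib
import hmac
import secrets


def a3(ki, rand):
    """Stand-in for A3: SRES = A3(Ki, RAND), 32 bits."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for A8: Kc = A8(Ki, RAND), 64 bits."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki   # Ki never leaves the SIM
        self.tmsi, self.kc = None, None

    def run_gsm_algorithm(self, rand):
        """Compute SRES (returned to the network) and Kc (kept for A5)."""
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)


class AuC:
    """Authentication Center: the only network node that holds Ki."""
    def __init__(self, ki_by_imsi):
        self._ki = ki_by_imsi

    def authentication_vector(self, imsi):
        """Triplet (RAND, SRES, Kc) handed to the MSC/VLR; Ki is never sent."""
        rand = secrets.token_bytes(16)
        return rand, a3(self._ki[imsi], rand), a8(self._ki[imsi], rand)


class MSC_VLR:
    def __init__(self, auc):
        self.auc = auc
        self.tmsi_to_imsi = {}   # TMSI is a local, temporary identity

    def authenticate(self, sim, identity):
        """Challenge the SIM; on success start ciphering and allocate a new
        TMSI. Returns the Kc now shared by both sides, or None on failure.
        Only the SIM is authenticated: GSM does not authenticate the network."""
        imsi = self.tmsi_to_imsi.get(identity, identity)  # TMSI -> IMSI
        rand, expected_sres, kc = self.auc.authentication_vector(imsi)
        sres = sim.run_gsm_algorithm(rand)  # RAND over the air, SRES back
        if not hmac.compare_digest(sres, expected_sres):
            return None
        # A5 ciphering with Kc starts here, so the new TMSI below travels
        # enciphered and the IMSI is not exposed on the air interface.
        self.tmsi_to_imsi.pop(sim.tmsi, None)
        sim.tmsi = secrets.token_hex(4)  # 32-bit TMSI
        self.tmsi_to_imsi[sim.tmsi] = imsi
        return kc
```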

Page 57: Wireless Communication :GSM lec02 By

What Is LNP?

LNP is a circuit-switched network capability which allows an end-user to change Service Provider (SP), location, and/or service type without having to change their telephone number. The three types of LNP are:

1. Service Provider Portability - allows an end-user to change SP while retaining his/her telephone number. Service provider portability is made technically feasible by the Location Routing Number (LRN).

Page 58: Wireless Communication :GSM lec02 By

2. Location (Geographic) Portability - allows an end-user to change from one geographic area to another (the current Location Routing Number (LRN) model does allow limited location portability within the rate boundaries) while retaining his/her telephone number.

3. Service Portability - allows an end-user to change service (e.g., CENTREX to POTS, etc.) while retaining his/her telephone number with the same Service Provider.

Page 59: Wireless Communication :GSM lec02 By

Typical LRN Call Flow

(Figure: Originating Switch -> LNP Processing -> Direct to Recipient Switch.)

Page 60: Wireless Communication :GSM lec02 By

What Components Are Required in an LNP Capable Network?

The components for an LNP capable network include:

Service Switching Point (SSP)

Signal Transfer Point (STP)

Service Control Point (SCP)

Local Service Management System (LSMS)/Service Order Administration (SOA)

Page 61: Wireless Communication :GSM lec02 By