Professional Documents
Culture Documents
Chapter 5 GSM
GSM Timeline
What is GSM ?
Global System for Mobile (GSM) is a second generation cellular standard developed to cater voice services and data delivery using digital modulation.
Frequency Assignment
Available spectrum is limited Need to support large number of users The challenge is to assign the available frequencies across the network while minimising the cochannel reuse distances The example shows a repeat pattern of 7 cells
196 channels spread across cells gives 28 channels per cell 29-56 1-28 57-84 1-28 29-56 57-84
Brown gets channels 1-28 and these can be re-used 2 cells away, and so on
cell
Cell A cell is the basic unit of a cellular system and is defined as the radio coverage given by one BTS.
GSM Architecture
GSM Architecture
Cells are formed by the radio areas covered by a BTS (Base Transceiver Station) Several BTSs are controlled by one BSC Traffic from the MS (Mobile Station) is routed through MSC Calls originating from or terminating in a fixed network or other mobile networks is handled by the GMSC (Gateway MSC)
Entities in GSM
The Mobile Station (MS) - This includes the Mobile Equipment (ME) and the Subscriber Identity Module (SIM). The Base Station Subsystem (BSS) - This includes the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The Network and Switching Subsystem (NSS) - This includes Mobile Switching Center (MSC), Home Location Register (HLR), Visitor Location Register (VLR), Equipment Identity Register (EIR), and the Authentication Center (AUC). The Operation and Support Subsystem (OSS) - This includes the Operation and Maintenance Center (OMC).
Mobile Station
Mobile Station (MS) consists of two main elements: mobile equipment or mobile device (that is the phone without the SIM card) and Subscriber Identity Module (SIM) Terminals distinguished principally by their power and application SIM is installed in every GSM phone and identifies the terminal SIM cards used in GSM phones are smart processor cards with a processor and a small memory SIM card contains the International Mobile Subscriber Identity (IMSI) used to identify the subscriber to the system, a secret key for authentication, and other security information
Mobile Station
=
SIM Card Handset
Global GSM Mobility Card
The Smart Card to use
battery
+
f153454
2W kgdjipj
GSM
jmhfod This can be summed-up with the basic GSM architectural equation, MS = ME + SIM.
Permanent data:
- Unique mobile subscriber identity through IMSI number, - Authentication parameter Ki, - Authentication algorithm A3, - Generating encryption key Kc algorithm A8.
GSM
Microchip with stored user information
Removable data:
- Temporary Mobile Subscriber Number, - Location Area Identification.
BSS Connectivity
Assigns and releases frequencies and time slots for all the MSs in its area Reallocation of frequencies among cells Hand off protocol is executed here
Time and frequency synchronization signals to BTSs Time Delay Measurement and notification of an MS to BTS Power Management of BTS and MS
Mobility of subscribers
Location registration of subscriber
Usually one per PLMN Request routing information from the HLR and routes the connection to the local MSC
Subscriber Identity
GSM identifiers
International mobile subscriber identity (IMSI):
unique 15 digits assigned by service provider = home country code + home GSM network code + mobile subscriber ID + national mobile subscriber ID
LAI
Location Area Identifier of an LA of a PLMN Based on international ISDN numbering plan
Country Code (CC): 3 decimal digits Mobile Network Code (MNC): 2 decimal digits Location Area Code (LAC) : maximum 5 decimal digits
TDMA
Modulation used
Gaussian Minimum Shift Keying (GMSK)
AuC/EIR/OSS
AuC: Authentication Center
is accessed by HLR to authenticate a user for service Contains authentication and encryption keys for subscribers
EIR (cont)
Each GSM phone has a unique identifier IMEI which can not be altered. Like HLR and VLR, the EIR is also a data base which maintain three lists. White list : IMEI, assigned to valid ME.
Black list : IMEI reported stolen Gray list : IMEI having problems like faulty software, wrong make of equipment etc.
Call Routing
The directory number dialed to reach a mobile subscriber is called the Mobile Subscriber ISDN (MSISDN) which is defined by the E.164 numbering plan and includes a country code and a National Destination Code, which identifies the subscribers operator. The first few digits of the remaining subscriber number may identify the subscribers HLR within the home PLMN For example, the MSISDN number of a subscriber in Bangalore associated with Airtel network is +919845XYYYYY which is a unique number and understood from anywhere in the world. Here, + means prefix for international dialing, 91 is the country code for India and 45 is the network operators code (Airtel in this case). X is the level number managed by the network operator ranging from 0 to 9 while YYYYY is the subscriber code which , too, is managed by the operator.
Call Routing
Call Routing
The call first goes to the local PSTN exchange where PSTN exchange looks at the routing table and determines that it is a call to a mobile network. PSTN forwards the call to the Gateway MSC (GMSC) of the mobile network. MSC enquires the HLR to determine the status of the subscriber. It will decide whether the call is to be routed or not. If MSC finds that the call can be processed, it will find out the address of the VLR where the mobile is expected to be present.
Call Routing
If VLR is that of a different PLMN, it will forward the call to the foreign PLMN through the Gateway MSC. If the VLR is in the home network, it will determine the Location Area (LA). Within the LA, it will page and locate the phone and connect the call.
GMSC
LA 1
4 MSRN 2
ISDN
1
BSC BTS
7 TMSI
3 MSRN
MSISDN
MSC
MSC
7 TMSI 5 MSRN
HLR
LA 2
BSC
BTS
8 TMSI 7 TMSI
EIR
VLR
BTS
6 TMSI
AUC
61
MS
PLMN Interfaces
Basic configuration of a GSM network contains a central HLR and a central VLR where HLR contains all security, provisioning and subscriber related information and VLR stores the location information and other transient data. MSC needs subscriber parameter for successful call setup. Any data related to user call (connection, teardown etc.) are processed with SS7 protocol for signaling using ISUP (ISDN User Part) stack between network nodes. For mobile specific signaling, a protocol stack called MAP (Mobile Application Part) is used over the SS7 network which does all database transactions and handover/roaming transactions between the MSC.
PLMN Interfaces
In any telecommunication system, signaling is required to coordinate the necessarily distributed functional entities of the network. The transfer of signaling information in GSM follows the layered OSI model
Layer 1: Physical Layer Radio Transmission Layer 2: Data Link Layer (DLL) provides error-free transmission between adjacent entities, based on the ISDNs LAPD protocol for the Um and Abis interfaces, and on SS7s Message Transfer Protocol (MTP) for the other Layer interfaces Layer 3: Networking or Messaging Layer Responsible for the communication of network resources, mobility, code format and call-related management messages between various network entities
66
Um
Radio interface between MS and BTS each physical channel supports a number of logical channels
Abis
between BTS and BSC primary functions: traffic channel transmission, and radio channel management
between BSC and MSC primary functions: message transfer between different BSCs to the MSC
Entity Functionality
BSSAP (is also used in channel switching) is used to map RR messages in BSC. BTSM is used to transfer all information to BTS. MTP and SCCP are used to support transfer of signaling messages between MSC and BSS. SCCP is used to provide a referencing mechanism to identify a particular transaction relation to a particular call. SCCP is also for messages routing, operation and maintenance information. MTP provides a reliable transfer of signaling messages.
Supplementary Services
Call Transfer and Call Forwarding
unconditional on busy on no reply (CFU) (CFB) (CFNRy)
1 2
Supplementary Services
Waiting / Hold and Multi Party
WAIT HOLD 1 2 1 2
Waiting / Hold:
Multi Party:
Max = 5 persons
2 2
Physical Layer
Two types of channels are there: (1)Traffic Channel intended to carry encoded voice or data (2) Control Channel intended to carry signaling and synchronization data between BTS and MS.
Handover
The procedure of change of resources is called handover when the user is mobile while the call is in progress. There are four different types of handover in the GSM system, which involve transferring a call between: 1. Channels (time slots) in the same cell (Intra-cell handover) 2. Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC) (Inter-cell, intra-BSC handover) 3. Cells under the control of different BSCs but belonging to the same Mobile Switching Center (MSC) (Inter-BSC, IntraMSC handover) 4. Cells under the control of different MSCs (Inter-MSC handover)
Handover
Handover
First two types of handover, called internal handovers, involve only one Base Station Controller (BSC). To save signaling bandwidth, they are managed by the BSC without involving the Mobile services Switching Center (MSC), except to notify it at the completion of the handover. Last two types of handover, called external handovers, are handled by the MSC.
Handover Procedure
Mobility Management
Mobility Management (MM) function handles the procedures that arise from the mobility of the subscriber and is in charge of all the aspects related to the mobility of the user, especially the roaming, the location management, and the security/authentication of the subscriber. First location update procedure is called the IMSI attach procedure where the MS indicates its IMSI to the network whereas when a mobile station is powered off, it performs an IMSI detach procedure in order to tell the network that it is no longer connected.
Mobility Management
A location update message is sent to the new MSC/VLR which records the location area information and then sends the location information to the subscribers HLR. If the mobile station is authenticated and authorized in the new MSC/VLR, the subscribers HLR cancels the registration of the mobile station with the old MSC/VLR. Location update is also performed periodically and if after the updating time period, the mobile station has not registered, it is then deregistered.
Mobility Management
When there is an incoming call for a subscriber, the mobile phone needs to be located and a channel needs to be allocated and the call connected. A powered-on mobile is informed of an incoming call by a paging message sent over the paging channel of the cells within the current location area while location updating procedures and subsequent call routing use MSC, HLR and VLR. If the subscriber is entitled to service, HLR sends a subset of the subscriber information needed for call control to the new MSC/VLR and sends a message to the old MSC/VLR to cancel the old registration.
Mobility Management
An incoming mobile terminating call is directed to the Gateway MSC (GMSC) function which, as a switch, interrogates the subscribers HLR to obtain routing information and thus contains a table linking MSISDNs to their corresponding HLRs. The routing information that is returned to the GMSC is the Mobile Station Roaming Number (MSRN). MSRNs are related to the geographical numbering plan and not visible to subscribers.
Mobility Management
Generally, GMSC queries the called subscribers HLR for an MSRN. HLR stores only the SS7 address of the subscribers current VLR while VLR temporarily allocates an MSRN from its pool for the call. MSRN is returned to the HLR and back to the GMSC, which can then route the call to the new MSC. At new MSC, IMSI corresponding to the MSRN is looked up and the mobile station is paged in its current location area. HLR is referred for incoming call whereas VLR is referred for outgoing call.
Paging
Paging is a process of broadcasting a message which alerts a specific mobile to take some action, for example if there is an incoming call to be received. If the system does not know the precise cell in which a mobile is located it must perform paging in a number of cells. An extreme approach would be to undertake paging throughout the entire coverage area of a cellular system whenever a mobile is to be alerted; however, in anything but the smallest system this would be wasteful of valuable signalling capacity, particularly over the air interface. The problem is addressed by the use of location areas and location updating.
Location Update
The MS detects that it has entered a new location area by comparing the last known LA (stored on the SIM) with the information broadcast by the local cell. The MS gains access to a radio channel and requests a location update.
If the serving MSC/VLR is unchanged the network can immediately authenticate the MS and note the change of LA.
If the MS has moved MSC/VLR, the MSC/VLR addresses a message to the HLR. The HLR notes the new location (VLR) and downloads security parameters to allow the network to authenticate the mobile, it also passes on subscription details of the user to the new VLR and informs the old VLR to delete its records.
A3 Algorithm
During authentication, MSC challenges the MS with a random number (RAND). SIM card uses this RAND received from the MSC and a secret key Kj stored within the SIM as input. Both the RAND and the Kj secret are 128 bits long. Using the A3 algorithm with RAND and Kj as input a 32-bit output called signature response (SRES) is generated in the MS and then sent back to MSC. Using the same set of algorithms, the AUC also generates a SRES. The SRES from MS and the SRES generated by the AUC are compared. If they are the same, the MS is authenticated.
A3 Algorithm
The idea is that no keys will be transacted over the air. However, if the SRES values calculated independently by the SIM and the AUC are the same, then Kj has to be same and if Kj is same, SIM card is genuine.
A8 Algorithm
A8 algorithm is the key generation algorithm. A8 generates a session key, Kc, from the random challenge RAND (received from the MSC) and from the secret key Kj. Keys are generated at both the MS and the network end. The session key, Kc, is used for ciphering till the MSC decides to authenticate the MS once again.
A5 Algorithm
A5 is the stream cipher algorithm used to encrypt over-the-air transmissions. The stream cipher is initialized all over again for every frame sent with the session key, Kc, and the number of the frame being encrypted or decrypted. Same Kc is used throughout the call but the 22-bit frame number changes during the call, thus, generating a unique key stream for every frame.
Disadvantages of GSM
There is no perfect system!! no end-to-end encryption of user data no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel reduced concentration while driving electromagnetic radiation abuse of private data possible roaming profiles accessible high complexity of the system several incompatibilities within the GSM standards