Global System For Mobile Communications (GSM) : Asad Ali
GSM architecture
GSM Frequencies
GSM-900
Uplink: 890-915 MHz (25 MHz)
Downlink: 935-960 MHz (25 MHz)
Uplink-downlink distance: 45 MHz
FDMA: channels are 200 kHz wide; 124 pairs of channels are used
TDMA: 8 timeslots (connections) on each channel
Theoretical 124 * 8 = 992 channels to use
Radio Interface
The available frequency band is divided into two sub-bands: uplink and downlink.
Radio Interface
FDM is used to separate both the uplink and downlink as shown below.
Radio Interface
This gives 124 channel pairs, i.e. 248 channels. Each of the 248 channels is additionally separated in time via a GSM TDMA frame, i.e. each 200 kHz carrier is subdivided into frames that are repeated continuously. The duration of a frame is 4.615 ms. A TDMA frame is in turn divided into 8 GSM timeslots, where each slot represents a physical TDM channel and lasts for 577 microseconds. Each TDM channel occupies the 200 kHz carrier for 577 microseconds every 4.615 ms.
Radio Interface
Data is transmitted in small portions called bursts. The figure in the next slide shows the so-called normal burst as used for data transmission inside a time slot. In the diagram, the burst is only 546.5 microseconds long and contains 148 bits. The remaining 30.5 microseconds are used as guard space to avoid overlapping with other bursts. Filling the whole slot with data would allow the transmission of 156.25 bits within 577 microseconds.
Radio Interface
Radio Interface
The tail bits (T) are a group of 3 bits set to zero and placed at the beginning and the end of a burst. They cover the periods of ramping up and down of the mobile's power. The user data bits correspond to two groups, of 57 bits each, containing signaling or user data. The stealing flags (S) indicate to the receiver whether the data bits are data or signaling traffic. The training sequence has a length of 26 bits. It synchronizes the receiver, thus masking out multi-path propagation effects. The guard period (GP), with a length of 8.25 bits, is used to avoid a possible overlap of two mobiles during the ramping time.
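The normal burst layout described above, as an added example that is not part of the original slides: it assembles and parses a 148-bit burst and reproduces the 546.5 and 30.5 microsecond figures from the field widths. The training pattern is a constructed placeholder and the function names are hypothetical.

```python
# Field widths of the normal burst, in bits, as listed above.
TAIL, DATA, FLAG, TRAIN, GUARD = 3, 57, 1, 26, 8.25
BURST_BITS = 2 * TAIL + 2 * DATA + 2 * FLAG + TRAIN   # 148
SLOT_BITS = BURST_BITS + GUARD                        # 156.25
SLOT_US = 577.0                                       # slot duration from the text

# Constructed 26-bit pattern for illustration; not a real GSM training sequence.
TRAINING = "01" * 13

def duration_us(bits: float) -> float:
    """Time on air for a number of bit periods at the slot's bit rate."""
    return bits * SLOT_US / SLOT_BITS

def build_burst(payload: str, signaling: bool = False) -> str:
    """Assemble T | data | S | training | S | data | T from 114 payload bits."""
    if len(payload) != 2 * DATA or set(payload) - {"0", "1"}:
        raise ValueError("payload must be exactly 114 bits")
    s = "1" if signaling else "0"
    return ("0" * TAIL + payload[:DATA] + s + TRAINING + s
            + payload[DATA:] + "0" * TAIL)

def parse_burst(bits: str):
    """Split a received burst into (payload, stealing flags), rejecting bad framing."""
    if len(bits) != BURST_BITS:
        raise ValueError("normal burst must be 148 bits")
    if bits[:TAIL] != "000" or bits[-TAIL:] != "000":
        raise ValueError("tail bits must be zero")
    mid = TAIL + DATA                      # index of the first stealing flag
    if bits[mid + 1: mid + 1 + TRAIN] != TRAINING:
        raise ValueError("training sequence mismatch")
    first, second = bits[TAIL:mid], bits[mid + 2 + TRAIN: -TAIL]
    flags = (bits[mid] == "1", bits[mid + 1 + TRAIN] == "1")
    return first + second, flags
```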
Types of CCCHs
RACH (request signaling channel)
AGCH (assign signaling channel)
SDCCH (request call setup)
SDCCH message exchanges for call setup
[Figure: message exchange between MS and BSS]
Localization
The HLR always contains information about the current location, and the VLR currently responsible for the MS informs the HLR about location changes. As soon as the MS moves into a location area of a new VLR, the HLR sends all user data to the new VLR. Changing VLRs with uninterrupted availability of all services is also called roaming. Roaming can take place within the network of one provider, between two providers in one country, but also between different providers in different countries (international roaming). Typically people associate the word roaming with international roaming, as it is this type of roaming that makes GSM very attractive: one device over 190 countries!
Localization
To locate an MS and to address the MS, several numbers are needed:
MSISDN: The only important number for a GSM user is the phone number. The phone number is not associated with a certain device but with the SIM, which is personalized for a user. The MSISDN follows the ITU-T standard E.164 for addresses as it is also used for fixed networks. This number consists of the country code, national destination code (NDC) (i.e. address of the network provider), and the subscriber number (SN).
Localization
IMSI: GSM uses the IMSI for internal unique identification of the user. IMSI consists of a mobile country code (MCC), the mobile network code (MNC), and finally the mobile subscriber identification number (MSIN).
TMSI: To hide the IMSI, which would give away the exact identity of the user over the air interface, GSM uses the 4 bit TMSI for local user identification. TMSI is selected by the current VLR and is only valid temporarily and within the location area of the VLR.
Localization
MSRN: Another temporary address that hides the identity and location of the user is the MSRN. The VLR generates this address on request from the MSC and the address is also stored in the HLR. MSRN contains the Visitor Country Code (VCC), the visitor national destination code (VNDC), the identification of the current MSC together with the user number. All these numbers are needed to find a subscriber and maintain a connection with the MS.
Illustration of MOC
Handover Scenarios
There are two basic reasons for a handover:
The MS moves out of the range of the BTS or a certain antenna of a BTS respectively. The received signal strength decreases continuously until it falls below the minimal requirements for communication.
The wired infrastructure (BSC, MSC) may decide that the traffic in one cell is too high and shift some MS to other cells with a lower load (if possible). Handover may be due to load balancing.
Handover Scenarios
There are four possible handover scenarios in GSM:
Intra-cell handover: Within a cell, interference could make transmission at a certain frequency band impossible. The BSC could then decide to change the carrier frequency.
Inter-cell, intra-BSC handover: This is a typical handover scenario. The MS moves from one cell to another, but stays within the control of the same BSC. The BSC then performs a handover, assigns a new radio channel in the new cell and releases the old one.
Handover Scenarios
Inter-BSC, intra-MSC handover: As a BSC only controls a limited number of cells, GSM also has to perform handovers between cells controlled by different BSCs. This then has to be controlled by the MSC.
Inter-MSC handover: A handover could be required between two cells belonging to different MSCs. Now both MSCs perform the handover together.
Security in GSM
GSM security is addressed in two aspects: authentication and encryption. Authentication prevents fraudulent access and encryption prevents unauthorized listening.
Authentication
Authentication is achieved by using a secret key, Ki. This value is stored in the SIM as well as the AuC and is unknown to the subscriber. Authentication is based on the SIM, which stores the individual key, the user identification IMSI and the A3 algorithm. It uses a challenge-response method. The home system of the MS generates the 128 bit random number (RAND). This number is sent to the MS. The SIM within the MS responds with a signed response (SRES).
Authentication
The SRES generated by the MS is sent back to the home system and compared with the SRES generated by the AuC. If they are not identical, the access request is rejected. If the SRES and RAND generated by the AuC are sent from the HLR to the visited VLR in advance, then the SRES comparison is done at the VLR. The AuC generates the numbers for each IMSI and forwards this information to the HLR.
Authentication
For authentication, the VLR sends this RAND value to the SIM. Both sides perform the same function with the RAND and Ki, called the A3 algorithm. The MS sends back the SRES generated by the SIM. The visited VLR compares both values. If they are the same, the MS is accepted, otherwise it is rejected. The process of authentication is illustrated in the next slide.
Authentication
Encryption
To ensure privacy, all messages containing user-related information are encrypted over the air interface. After the authentication process is complete, the MS and BSS can start encrypting by applying the encryption key, Kc. The encryption key is generated from Ki and a random value by applying the A8 algorithm. The SIM in the MS and the network both calculate the same Kc based on the random value. MS and BTS can now encrypt and decrypt data using the A5 algorithm and Kc.
Encryption
Like the A3 algorithm, A8 is specific to the home system. After the home system has generated Kc, it is sent to the visited system. A5 is then used to encrypt and decrypt the data between the MS and the visited system. The process of encryption is illustrated in the following slide.
Encryption
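The challenge-response and key derivation described in the Authentication and Encryption slides, as an added example that is not part of the original slides. A3 and A8 are specific to the home operator, so HMAC-SHA256 is used here purely as a stand-in; the class names and the test IMSI are constructed, and the 32-bit SRES and 64-bit Kc lengths are the standard GSM sizes rather than values stated on the slides.

```python
import hashlib
import hmac
import secrets

def _prf(ki: bytes, rand: bytes, label: bytes, nbytes: int) -> bytes:
    # Stand-in only: real A3/A8 are chosen by the home operator, not HMAC-SHA256.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]

def a3(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A3", 4)    # SRES is 32 bits

def a8(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A8", 8)    # Kc is 64 bits

class AuC:
    """Home system: holds Ki per IMSI and produces (RAND, SRES, Kc) triplets."""
    def __init__(self):
        self._ki = {}
    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)   # 128-bit Ki
        return self._ki[imsi]                      # written into the SIM once
    def triplet(self, imsi: str):
        ki, rand = self._ki[imsi], secrets.token_bytes(16)   # 128-bit RAND
        return rand, a3(ki, rand), a8(ki, rand)

class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def challenge(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)    # stays on the MS side, later used by A5
        return a3(self._ki, rand)       # only SRES is sent back over the air

class VLR:
    """Visited system: never sees Ki, only triplets forwarded via the HLR."""
    def __init__(self, auc: AuC):
        self.auc = auc
    def authenticate(self, sim: SIM):
        rand, expected, kc = self.auc.triplet(sim.imsi)
        sres = sim.challenge(rand)
        return kc if hmac.compare_digest(sres, expected) else None

def demo():
    imsi = "001010123456789"            # constructed test IMSI
    auc = AuC()
    genuine = SIM(imsi, auc.provision(imsi))
    forged = SIM(imsi, secrets.token_bytes(16))   # right IMSI, wrong Ki
    vlr = VLR(auc)
    return vlr.authenticate(genuine) == genuine.kc, vlr.authenticate(forged)
```

Ki never crosses the air interface or reaches the visited network: only RAND travels to the MS and only SRES travels back, while Kc is delivered to the visited system by the home system.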