Documente Academic
Documente Profesional
Documente Cultură
GSM: Properties
cellular radio network (2nd Generation)
digital transmission, integrated data communication
roaming (mobility between different network operators)
good transmission quality (error detection and correction)
scalable (large number of participants possible)
security mechanisms (authentication, authorization,
encryption)
good resource use (frequency and time division
multiplex)
integration with fixed telephone network
standard (ETSI, European Telecommunications
Standards Institute)
GSM: Structure
Fixed network
Switching Subsystems
Radio Subsystems
OMC
Data
networks
VLR
HLR
AuC
(G)MSC
PSTN
AuC
BSS
BSC
BTS
EIR
HLR
EIR
MS
BSC
Call Management
Network Management BSS
Authentication Center
Base Station Subsystem
Base Station Controller
Base Transceiver Station
Equipment Identity Register
Home Location Register
MS
(G)SMC
OMC
PSTN
VLR
BTS
BTS
MS
MS
Mobile Station
(Gateway) Mobile Switching Center
Operation and Maintenance Center
Public Switched Telephone Network
Visitor Location Register
3
GSM: Structure
(8)
(9)
(12)
BSS
BSS
BSS
VLR
(8) (7)
(6)
(11) (10)
(8)
(9)
MSC
(4)
(3)
HLR
(4)
(5)
(2)
GMSC
(1)
PSTN/
ISDN
(12)
(8)
BSS
(8)
(9)
(12)
BSS
BSS
BSS
VLR
(8) (7)
(6)
(11) (10)
(8)
(9)
MSC
(4)
(3)
HLR
(4)
(5)
(2)
GMSC
(1)
PSTN/
ISDN
(12)
(8)
BSS
BSS
(4)
BSS
BSS
(1)
(1)
(2)
(3-4)
(5)
HLR
VLR
(2)
(3)
MSC
(5)
GMSC
Connection request
(via random access channel, possible collision handling)
Transfer by BSS
Authorization control
Switching of the call request to fixed network
7
Radio structure
1 TDMA-Slot, 144 Bit in 4,615 ms
890
935
downlink
uplink
915 MHz
960 MHz
Databases
Home Location Register (HLR), stores data of participants
which are registered in an HLR-area
Semi-permanent data:
Call number (Mobile Subscriber International ISDN Number) - MSISDN,
e.g. +49/171/333 4444 (country, network, number)
Identity (International Mobile Subscriber Identity) - IMSI: MCC = Mobile
Country Code (262 for .de) + MNC = Mobile Network Code (01-T-Mobile,
02-Vodafone, 03-eplus, 07-O2) + MSIN = Mobile Subscriber Identification
Number
Personal data (name, address, mode of payment)
Service profile (call transfer, roaming-limits etc.)
Temporary data:
Databases
Visitor Location Register (VLR)
local database of each MSC with following data:
IMSI, MSISDN
Service profile
Billing and accounting information
TMSI (Temporary Mobile Subscriber Identity) pseudonym for data security
MSRN
LAI (Location Area Identity)
MSC-address, HLR-address
11
HLR
MSC-area
VLR
Location
area
12
VLR 9
IMSI LA 2
HLR 1
32311 VLR 9 IMSI
LA 5
LA 2
LA 3
Data transmission
Each GSM-channel configurable as data channel
Kinds of channels:
non-transparent (repeat of faulty data frames; very low error
rate, but also very low throughput below 10 kbit/s)
transparent (only very simple forward error correction;
slightly higher data rate; error rate 10-3 up to 10-4)
in practice, only faster extensions like GPRS, UMTS and LTE
are used (explained later)
Speech channels have higher priority than data channels
Short-Message-Service (SMS)
connectionless transmission (up to 160 Byte) on signaling
channel
Cell Broadcast (CB)
connectionless transmission (up to 80 Byte) on signaling
channel to all participants in one cell or location area, e.g. for
location based services; further refinement: triangulationbased location check like in global positioning system (GPS)
14
BSC
MSC IWF
ISDN
BTS
Modem
TA
PSTN
Internet
Modem
Security aspects:
Subscriber Identity Module (SIM)
Chip-card (Smart Cart) to personalize a mobile subscriber
(MS):
IMSI (International Mobile Subscriber Identity)
symmetric key Ki of participant, stored also at AuC
algorithm A3 for Challenge-Response-Authentication
algorithm A8 for key generation of Kc for content data
algorithm A5 for encryption
PIN (Personal Identification Number) for access control
Temporary data:
TMSI (Temporary Mobile Subscriber Identity) pseudonym
LAI (Location Area Identification)
Encryption key Kc
16
Ki
A3
128 Bit
Authentication Request
RAND (128 Bit)
Random number
generator
Ki
A3
SRES
Authentication Response
SRES (Signed Response; 32 Bit)
Location Registration
Location Update with VLR-change
Call setup (in both directions)
SMS (Short Message Service)
17
Ki
A8
Kc
Authentication Request
RAND (128 Bit)
Random number
generator
64 Bit or 128
Bit
Ki
A8
Kc
18
Kc
TDMA-framenumber
Net
Ciphering Mode Command TDMA-framenumber
A5
Key block
+
Plain text block
Kc
A5
Ciphering Mode Complete
Encrypted Text
+
Plain text block
114 Bit
GSM-Security: assessment
low key length Ki with max. 128 Bit (could be hacked by
using Brute Force Attack in 8-12 hours)
key generation and -administration not controlled by the
participants (symmetric: network operator knows all
keys)
cryptographic methods secret, so they were not well
examined (but A5/3 and other enhancements open now)
no mutual authentication; attacker can pretend a GSMNet
no end-to-end encryption or end-to-end authentication
20
21
HSCSD: structure
BSC
MSC IWF
ISDN
BTS
Modem
TA
PSTN
Internet
Modem
22
HSCSD: changes
n time slots of
each TDMA frame
(theoretically max. 8)
BTS
Um
BSC
Abis
MSC
A
MS RECEIVE
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
MS TRANSMIT
5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4
MS
MONITOR
Required time for signal strength measure and setting to
receiving mode
Assessment of HSCSD
+ existing network structure and accounting model
maintained; only small changes were necessary
+ HSCSD is still circuit switched
+ has defined QoS-settings (data rate, delay)
one logical channel will be established on all interfaces
for the time of the connection (inefficient)
badly suited for burst-like traffic (Internet) or Flat Rate
billing (Logistics)
Only limited international acceptance (Roaming!)
also uses more resources on the radio interface
problems with handover into a new cell
25
GPRS: Structure
GPRS Nets
other
operators
GSM
BSC
MSC
HLR
Internet
BTS
Border
Gateway
SGSN
GGSN
other packet
switching
networks
GPRS Backbone
Frame Relay / ATM
GGSN
SGSN - Serving GPRS Support Node
GGSN - Gateway GPRS Support Node
signalization data
user data
27
GPRS: Changes
GMSC
BTS
MSC MAP
HLR/AuC
GPRS register
Gs
BSC
PCU
Um
public
fixed networks
Gb
Packet switched
traffic
SGSN
Gn
GGSN
MAP
Gi
other packet
switched
networks
BSS
PCU
Client
Client
MAP
Signalization
(GGSN)
MAP
Signalization
(SGSN)
Internet
Intranet
SGSN
BSS
PCU
BSS
PCU
HLR
GGSN
SGSN
SGSN, GGSN:
- Routing and Signalization
- Mapping to PDP (Packet Data Protocol)
- Address conversion (IP to GSM)
- Resource management
Server
29
Quality of Service
QoS profile agrees service parameters inside the whole
network for the duration of PDP (Packet Data Protocol)
context (session):
temporary address (IP) for mobile station
tunneling information, among others GGSN, which is used for
access to corresponding packet switched network
type of the connection
QoS profile
30
Mean Delay
Mean Delay
95% Delay
1 (predicitive)
< 0,5 s
< 1,5 s
<2s
<7s
2 (predicitive)
<5s
< 25 s
< 15 s
< 75 s
3 (predicitive)
< 50 s
< 250 s
< 75 s
< 375 s
4 (best effort)
Error
classes
GPRS
data
rates
95% Delay
Best effort
Probability for
Class
Lost packet
Duplicated p.
Out of Sequence p.
Corrupted p.
10-9
10-9
10-9
10-9
10-4
10-5
10-5
10-6
10-2
10-5
10-5
10-2
Coding
Scheme
CS-1
CS-2
CS-3
CS-4
# of timeslots
1
2
9,05
13,4
15,6
18,1
26,8
31,2
27,15
40,2
46,8
36,2
53,6
62,4
45,25
67
78
54,3
80,4
93,6
63,35
93,8
109,2
72,4
107,2
124,8
21,4
42,8
64,2
85,6
107
128,4
149,8
171,2
31
Assessment of GPRS
+ An up to four times higher data rate in comparison to
ordinary GSM data services
+ better resource management through packet switched
service
+ always on data service (email, etc.)
+ GPRS is a more suitable carrier for the mobile Internet
- IP-derivate, no true service guarantees (QoS)
- GPRS does not provide the data rates that advertising
has sometimes promised, therefore most operators
migrated to UMTS and LTE where possible, e.g. in urban
areas
32
33