Mobility Management, Call Routing &

Security

Mobility Management

Routing Calls to
Mobile Stations

Confidentiality and Security

Detailed Location
Registration Scenario

Objectives
At the end of this unit, you should be able to:
Explain why the mobile registration process is necessary
Describe how a call is automatically routed from PSTN to a mobile station
Explain why mobile authentication is necessary and how it works
Describe the various phases of mobile registration and the location
updating process

Unit 3 Section 1

Mobility Management

Where is the Mobile Station?

United
Kingdom
GSA

PSTN

Benelux
GSA
GPA 2
Belgium
GPA 1
UK

GPA 3
Netherlands

Location Areas and Cell Areas

GPA
Location Area 1

Location Area 3

Location Area 2
Cell
Area

Location Areas and Cell Areas

Cell Global Identification Number

MCC

MNC

LAC

CI

Location Area Identification

(LAI)
Acronyms
MCC - Mobile Country Code (Same as in the IMSI) 3 digits.
MNC - Mobile Network Code (same as in the IMSI 2 digits.
LAC
- Location Area Code used to identify a location area within a GSM PLMN 2 octets.
LAI
- Location Area Identification
CI
- Cell Identity 2 octets.

Location Areas and

Base Station Systems
PSTN

MSC
BSC 1

BSC 1

Location
Area 2

BTS
BTS

BTS
BTS

Location
Area 1

BTS

MSC Areas and Location Areas

GPA
MSC 1

To PSTN
MSC 2

MSC
Area 2

MSC
Area 1

Location
Area 3

Location
Area 1
Cell
Area

Location
Area 4

Cell
Area

Cell
Area

Cell
Area

Location
Area 2

Network Operation - Examples

Mobile Powers On/IMSI Attach
Location Updating
Mobile Powers Off/IMSI Detach
Idle Mode Measurements
BTS
Mobile Makes a Call
Mobile Receives a Call
BSC a Call
Measurements during
Handover
MSC

BTS

BSC

MS

Registration and IMSI Attach

HLR

MSC
VLR

BSC

Radio Criterion

C1 = (Received Level Average - p1) - (p2 - Maximum Power of Mobile)

C1 must be greater than 0 for a cell to be used

p1 and p2 are supplied by the BS
p1 specifies the minimum receive level
p2 specifies the maximum mobile transmit level
All quantities are measured in dB

Source: An Introduction to GSM

Redl, Weber and Oliphant

Registration Sequence

Types of Location Registration

GEOGRAPHIC Based

TIME Based
ON/OFF Based

Time-Based Registration
TIMER MANAGEMENT:
Timer is reset when mobile station activity has taken place.
Mobile Station initiates location updating when timer expires.
Mobile station timer value is kept in memory when turned off.

On/Off-Based Registration

IMSI Attach
- mobile power-up = attach
- mobile power-up causes a registration

IMSI Detach
- mobile power-down = detach
- mobile power-down causes a deregistration

Paging a Mobile Station

Location Area

BSS
BSS

Mobile Switching Centre

DN

PSTN

DN

- Location Area
- Mobile ID

Mobile Station
BSS
BSS
BSS

Location Area

Mobile Station Identification

International Mobile
Subscriber Identity (IMSI)
Mobile Station
ISDN Number
(MSISDN)

International
Mobile Equipment
Identity (IMEI)

Smart Card
(SIM)
Jane Doe

Temporary Mobile
Subscriber Identity (TMSI)

Smart Card
(SIM)
Mike = Jane Doe

Mobile Station Identification Numbers Used in GSM

International Mobile Equipment Identity (IMEI)

Uniquely identifies mobile station equipment

Burnt in by the equipment manufacturer

TAC
FAC
SNR
SP

Type Approval Code (6 digits)

Final Assembly Code (2 digits)
Serial Number (6 digits)
Spare (1 digit)

International Mobile Subscriber Identity (IMSI)

IMSI is assigned to a MS at subscription time

IMSI uniquely identifies a given MS

IMSI is transmitted over the radio path only when necessary

MCC
MNC
MSIN
NMSI

IMEI (15 digits)

TAC

FAC

SP

SNR

IMSI (15 digits)

MCC

Mobile Country Code [3 digits] (home country)

Mobile Network Code [2 digits] (home GSM PLMN)
Mobile Subscriber Identification Number (10 digits)
National Mobile Subscriber Identity

Temporary Mobile Subscriber Identity (TMSI)

TMSI is assigned to a MS by the VLR

TMSI uniquely identifies a MS within the area controlled by a given VLR

MNC

MSIN
NMSI

TMSI (32 bits max)

Country Codes Used

in Mobile Identities
Partial List of Codes
Country

Country Codes (CC)

used in land network

Mobile Country Codes (MCC)

used in GSM network

United Kingdom

44

234, 235

Spain

34

214

France

33

208

Finland

358

244

Sweden

46

240

Italy

39

222

Ireland

354

272

United States

310 316

Australia

61

505

Japan

81

440, 441

Kuwait

965

419

Mobile Station

Mobile Equipment

SIM Card

Plug-In
Type SIM

IC Card Type SIM

Mobile Station = Mobile Equipment + Subscriber Identity Module (SIM)

Subscriber Identity Module (SIM) - Continued

92316

005

GSM Test SIM 2To

Contains:
International Mobile Subscriber Identity (IMSI)
Authentication key (Ki)
Personal Identification Number (PIN)
Subscriber information
Access control class
Cipher key (Kc)*
Temporary Mobile Station Identification (TMSI)*
Additional GSM services*
Location Area Identity (LAI)*
Forbidden Public Land Mobile Numbers (PLMNs)*
*Updateable by network

Subscriber Identity Module (SIM)

Hardware Spec

92316

005

GSM Test SIM 2To

Highly Secure Processor

Contact Type - Smart Card
Communication via serial IO
Data Rate 1MHz
Contains ROM, RAM and EPROM

SIM Security Functions

Pin Code to unlock the mobile station.
3 wrong attempts at PIN and SIM is blocked.
SIM may be unblocked with PIN Unblock Code (PUK).
10 attempts at PUK and SIM is permanently disabled.
Second PIN and second PUK available in Phase 2 to support Closed User Groups and Fixed Dial Numbers.
SIM and Phase 2+
SIM Application Toolkit allows user applications (e.g. electronic banking) to be run on the SIM

Routing Calls Automatically

To Mobile Stations

MSC Directory Number Allocation

Trunks

Local
Exchange

MSC

Trunks

PSTN
MSC

Directory Number Spectrum in MSC

MSISDN

Used to reference home subscribers

MSRN

Used to reference visiting subscribers

Home Location Register (HLR)

Keys:
International Mobile Subscriber Identity (IMSI)
Mobile Subscriber ISDN Number (MSISDN)
Contains:
International Mobile Subscriber Identity (IMSI)
Mobile Subscriber ISDN Number (MSISDN)
Permanent copy of subscriber data
Mobile Station Roaming

MSISDN
X

X
IMSI
X

- MSISDN
- IMSI
- MSRN
- Subscriber Data

Visitor Location Register (VLR)

Keys:
International Mobile Subscriber Identity (IMSI)
Temporary Mobile Subscriber Identity (TMSI)
Mobile Station Roaming Number (MSRN)
Contains:
Mobile Station ISDN number (MSISDN)
International Mobile Subscriber Identity (IMSI)
Temporary Mobile Subscriber Identity (TMSI)
Mobile Station Roaming Number (MSRN)
Location Area Code (LAC) of Mobile Station
Copy of subscriber data from HLR

MSRN
X

IMSI
X

TMSI
X

- MSISDN
- IMSI
- MSRN
- LAC
- TMSI
- Subscriber Data

Located Area, VLR,

and HLR Relationship
Home
HLR

SS7 Network

VLR

VLR

MSC
Area

MSC
Area

MSC
Area

MSC
Area

LA1 LA2 LA 3

LA 1

LA 2

LA1

System 1

VLR

System 2

System 3

Land to Mobile Call Routing

Mobile Located in Non-Home MSC Area
HLR
MSISDN

MSRN

Home
MSC

MSISDN
2

MSISDN
1

BSS 1

BSS 2

PSTN

MSRN

MSRN

TMSI

10

Visited
MSC

BSS 1

MSRN

TMSI & LAC

Signalling
Voice Path

TMSI

VLR

BSS 2

Land to Mobile Call Routing

Mobile in Home MSC Area

HLR
MSISDN

MSRN

MSISDN
TMSI

PSTN

MSISDN

Home
MSC

BSS 1

BSS 2
MSRN

TMSI & LAC

VLR

TMSI

Land to Mobile Call Routing

Intelligent PSTN Routing
BSS 1
Home
MSC

BSS 2

MSISDN

MSISDN

PSTN

HLR

MSRN
TMSI

MSISDN

Visited
MSC
MSRN

TMSI & LAC

VLR

BSS 3
BSS 4

TMSI

Land to Mobile Call Routing

Routing Via a Gateway MSC

BSS 1
Home
MSC

BSS 2

MSISDN
MSISDN

Gateway
MSC

PSTN

HLR
MSRN
TMSI

MSISDN

BSS 1
TMSI

MSRN

Signalling

Visited
MSC
MSRN

TMSI & LAC

Voice Path

VLR

BSS 2

Dynamic Allocation of MSRN

Home GSM system

Visited GSM system

VLR

Landline network

Home
MSC

HLR

PSTN
Mobile Registers

Update Location.
No MSRN, use
LMSI
Subscriber Data
Incoming Call
Need MSRN
For LMSI
MSRN

Need MSRN
For LMSI
MSRN

Get Route
MSRN

Get Route
MSRN

Incoming Call

GSM Confidentiality and

Security Mechanisms

Use of a temporary mobile station identity (TMSI)

The temporary mobile station identity that is sent is not the mobile station's true identity.
Instead, an alias is used by the network so no calling pattern can be seen by an observer.

Encryption for information on the radio path

Encryption involves changing bits in a manner known only to the network and the mobile station.
Encryption occurs only on the radio link portion of the call.

Mobile station authentication procedure

Used to grant access to an MS via VLR. Same authentication keys stored in AUC and the MS is
used.

Mobile station equipment validation

Equipment validation is a process where the network can require the mobile station to transmit its
equipment serial number so the network can check the equipment against the Valid list, Suspect
list or Fraudulent list contained in the Equipment Identity Register (EIR).

Authentication Concept

Serving Network

Random Number
Generator

Mobile Station

Random Number

Secret Data Authentication

Algorithm

Authentication
Response

No

Secret Data

Authentication
Response

=
Yes

Deny
Access

Authentication
Algorithm

Grant
Access

GSM Authentication Example

Visited System

Home System
1

VLR

HLR

RAND, SRES

RAND, SRES
SRES

AUC
Ki

RAND

MSC

SRES

1. RAND, SRES sent to visited systems VLR

2. RAND transmitted to mobile
3. SRES transmitted from mobile in response

RAND
RAND
BSS

Mobile Station (MS)

SRES
Ki

Generating the Signed Response (SRES) and Cipher

Key (KC)
Home Systems
AUC

Mobile Station
IMSI/TMSI
Random Number (RAND)

RAND
Ki

RAND

A8

A3

RAND

Ki

Ki

RAND

A3

A8

SRES

Kc

Ki

128 bits
Kc

SRES

Ki
- Individual subscriber authentication key (128 bits)
Kc
- Cipher Key (64 bits)
RAND - Random number (128 bits)

SRES
A3
A8

- Signed response (32 bits)

- Authentication algorithm
- Cipher Key generating algorithm

Authentication Process Network View

AUC
Ki

Home System
A3 & A8

RAND
HLR

Visited System
IMSI

RAND

Kc

RAND

SRES
SRES

VLR

RAND, SRES Kc
RAND, SRES Kc
RAND, SRES Kc
RAND, SRES Kc
RAND, SRES Kc

RAND, Kc
BSS
SRES

MS

Equipment Validation Process

EIR

IMEI CHECK
Response

CHECK IMEI

Request IMEI

MSC
2

IMEI

MS

Detailed Location
Registration Scenario

Location Updating

MSC 1

MSC 2

VLR
HLR
VLR

BSC

BSC

BSC

Phases of a Location Update

1) Request for Service

2) Authentication*
3) Update Location Registers
4) Ciphering*
5) TMSI Reallocation
*Phase might not occur

Mobile Location Update: Request for Service

Um
MS

1
2
3

A
BSS

MSC

Channel Request (on RACH)

Dedicated Signalling Channel
Assignment (on AGCH)
Location Update Request
TMSI, LAI (on SDCCH)

Location Update Request

Location Update Request

Request IMSI

6
Request IMSI

7
8
9

IMSI Acknowledge

IMSI Acknowledge

New
VLR

Mobile Location Update : Authentication

B
MS

MSC

New
VLR

D
HLR

Get Authentication
Parameters IMSI

10

Get Authentication
Parameters IMSI

11

Authentication
Parameters

12
Authentication
Parameters
RAND, SRES, Kc

13
Authenticate Mobile
Station

14
15
16
17

AUC

Authenticate Mobile
Station RAND

RAND

Authenticate Response
SRES
Authenticate Response
SRES

RAND, SRES, Kc

Mobile Location Update: Update Location

New
VLR

18

19

20

21

D
HLR

Update Location
MSRN

Location Updated
Customer Profile

De-register
Mobile Station

Mobile Station
De-registered

Old
VLR

Mobile Location Update: Ciphering

Um
MS

A
BSS

MSC

Set Ciphering Kc

22

Encipher Command Kc

23

24

Cipher Mode Command

Cipher Mode Complete

25

26

Encipher Complete

New
VLR

Mobile Location Update: TMSI Reallocation

Um
MS

A
BSS

MSC
Location Update Accept
new TMSI

27
Location Update Accept
new TMSI

28

29

Location Update Complete

Clear Signalling
Connection

30

31

32

Release Radio
Signalling Channel

Clear Complete

New
VLR