
UNIT 5 : GSM

INTRODUCTION
But what’s cellular?

[Figure: cellular network with base stations (BS), MSC, PSTN and the databases HLR, VLR, AC, EIR]

What is GSM?

• Global System for Mobile (GSM) is a second generation cellular standard developed to cater for voice services and data delivery using digital modulation

GSM: Overview

• GSM
  - formerly: Groupe Spéciale Mobile (founded 1982)
  - now: Global System for Mobile Communication
  - Pan-European standard (ETSI, European Telecommunications Standardisation Institute)
  - simultaneous introduction of essential digital cellular services in three phases (1991, 1994, 1996) by the European telecommunication administrations, seamless roaming within Europe possible
  - today many providers all over the world use GSM (more than 130 countries in Asia, Africa, Europe, Australia, America)
  - more than 100 million subscribers

Performance characteristics of GSM

• Communication
  - mobile, wireless digital communication; support for voice and data services
• Total mobility
  - international access, chip-card enables use of access points of different providers
• Worldwide connectivity
  - one number, the network handles localization
• High capacity
  - better frequency efficiency, smaller cells, more customers per cell
• High transmission quality
  - high audio quality
  - uninterrupted phone calls at higher speeds (e.g., from cars, trains) - better handoffs and
• Security functions
  - access control, authentication via chip-card and PIN

Disadvantages of GSM

• There is no perfect system!!
  - no end-to-end encryption of user data
  - no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel
• abuse of private data possible
  - roaming profiles accessible
• high complexity of the system
• several incompatibilities within the GSM standards

GSM SERVICES
GSM: Mobile Services

• GSM offers
  - several types of connections
    - voice connections, data connections, short message service
  - multi-service options (combination of basic services)
• Three service domains
  - Bearer Services: interface to the physical medium (transparent for example in the case of voice or non transparent for data services)
  - Telematic Services: services provided by the system to the end user (e.g., voice, SMS, fax, etc.)
  - Supplementary Services: associated with the tele services: call forwarding, redirection, etc.

[Figure: scope of bearer services and tele services. Path: TE - (R, S) - MT - (Um) - GSM-PLMN - transit network (PSTN, ISDN) - source/destination network - (U, S, R) - TE; TE and MT together form the MS]

ARCHITECTURE
Architecture of the GSM system

• GSM is a PLMN (Public Land Mobile Network)
  - several providers set up mobile networks following the GSM standard within each country
  - components
    - MS (mobile station)
    - BS (base station)
    - MSC (mobile switching center)
    - LR (location register)
  - subsystems
    - RSS (radio subsystem): covers all radio aspects
    - NSS (network and switching subsystem): call forwarding, handover, switching
    - OSS (operation subsystem): management of the network

GSM: overview

[Figure: GSM overview. NSS with OSS: OMC, EIR, AUC, HLR, GMSC (towards the fixed network), MSCs with VLRs. RSS: BSCs]

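GSM: elements and interfaces

[Figure: GSM elements and interfaces. RSS: MSs in radio cells, connected via Um to BTSs and via Abis to BSCs (BSS). NSS: MSCs reached via A, with VLRs, HLR, GMSC and IWF, plus signaling links to ISDN, PSTN and PDN. OSS: EIR, AUC, OMC, attached via O]
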
GSM System Architecture
GSM: system architecture

[Figure: GSM system architecture. Radio subsystem: MS, Um, BTS, Abis, BSC, BSS. Network and switching subsystem: A, MSC, IWF, EIR, HLR, VLR, SS7. Fixed partner networks: ISDN, PSTN, PSPDN, CSPDN]

System architecture: radio subsystem

• Components
  - MS (Mobile Station)
  - BSS (Base Station Subsystem), consisting of
    - BTS (Base Transceiver Station): sender and receiver
    - BSC (Base Station Controller): controlling several transceivers
• Interfaces
  - Um: radio interface
  - Abis: standardized, open interface with 16 kbit/s user channels
  - A: standardized, open interface with 64 kbit/s user channels

[Figure: radio subsystem next to the network and switching subsystem. MS - Um - BTS - Abis - BSC - A - MSC; BTSs and BSCs form the BSS]

System architecture: network and switching subsystem

• Components
  - MSC (Mobile Services Switching Center)
  - IWF (Interworking Functions)
  - ISDN (Integrated Services Digital Network)
  - PSTN (Public Switched Telephone Network)
  - PSPDN (Packet Switched Public Data Net.)
  - CSPDN (Circuit Switched Public Data Net.)
• Databases
  - HLR (Home Location Register)
  - VLR (Visitor Location Register)
  - EIR (Equipment Identity Register)

[Figure: network subsystem (MSC, IWF, EIR, HLR, VLR, SS7) and fixed partner networks (ISDN, PSTN, PSPDN, CSPDN)]

Radio subsystem

• The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers
• Components
  - Base Station Subsystem (BSS):
    - Base Transceiver Station (BTS): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells
    - Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface)
    - BSS = BSC + sum(BTS) + interconnection
  - Mobile Stations (MS)


Mobile Station (MS)

• MS consists of the following two components
  - Mobile Equipment (ME)
  - Mobile Subscriber Identity Module (SIM)
    - Removable plastic card
    - Stores Network Specific Data such as list of carrier frequencies and current Location Area ID (LAI).
    - Stores International Mobile Subscriber Identity (IMSI) + ISDN
    - Stores Personal Identification Number (PIN) & Authentication Keys.
    - Also stores short messages, charging information, telephone book etc.
• Allows separation of user mobility from equipment mobility

Prof. Anirudha Sahoo 3.20


Mobile station

• Terminal for the use of GSM services
• A mobile station (MS) comprises several functional groups
  - MT (Mobile Terminal):
    - offers common functions used by all services the MS offers
    - corresponds to the network termination (NT) of an ISDN access
    - end-point of the radio interface (Um)
  - TA (Terminal Adapter):
    - terminal adaptation, hides radio specific characteristics (TE connects via modem, Bluetooth, IrDA etc. to MT)
  - TE (Terminal Equipment):
    - peripheral device of the MS, offers services to a user
    - Can be a headset, microphone, etc.
    - does not contain GSM specific functions
  - SIM (Subscriber Identity Module):
    - personalization of the mobile terminal, stores user parameters

[Figure: TE - (R) - TA - (S) - MT - (Um)]

GSM: cellular network

[Figure: segmentation of the area into cells, showing the possible radio coverage of a cell and the idealized shape of a cell]

• use of several carrier frequencies
• not the same frequency in adjoining cells
• cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
• hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
• if a mobile user changes cells
  - handover of the connection to the neighbor cell

Base Transceiver Station and Base Station Controller

• Tasks of a BSS are distributed over BSC and BTS
• BTS comprises radio specific functions
• BSC is the switching center for radio channels

Functions BTS BSC


Management of radio channels X
Frequency hopping (FH) X X
Management of terrestrial channels X
Mapping of terrestrial onto radio channels X
Channel coding and decoding X
Rate adaptation X
Encryption and decryption X X
Paging X X
Uplink signal measurements X
Traffic measurement X
Authentication X
Location registry, location update X
Handover management X

Network and switching subsystem

• NSS is the main component of the public mobile network GSM
  - switching, mobility management, interconnection to other networks, system control
• Components
  - Mobile Services Switching Center (MSC)
    - controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC
  - Databases (important: scalability, high capacity, low delay)
    - Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    - Visitor Location Register (VLR): local database for a subset of user data - data about all users currently visiting in the domain of the VLR

HLR/VLR

• HLR - Home Location Register
  - Contains semi-permanent subscriber information
  - For all users registered with the network, HLR keeps user profile
  - MSCs exchange information with HLR
  - When MS registers with a new GMSC, the HLR sends the user profile to the new MSC
• VLR - Visitor Location Register
  - Contains temporary info about mobile subscribers that are currently located in the MSC service area but whose HLR are elsewhere
  - Copies relevant information for new users (of this HLR or of foreign HLR) from the HLR
  - VLR is responsible for a group of location areas, typically associated with an MSC

Mobile Services Switching Center

• The MSC (mobile switching center) plays a central role in GSM
  - switching functions
  - additional functions for mobility support
  - management of network resources
  - interworking functions via Gateway MSC (GMSC)
  - integration of several databases
• Functions of a MSC
  - specific functions for paging and call forwarding
  - termination of SS7 (signaling system no. 7)
  - mobility specific signaling
  - location registration and forwarding of location information
  - provision of new services (fax, data calls)
  - support of short message service (SMS)
  - generation and forwarding of accounting and billing information

Operation subsystem

• The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
• Components
  - Authentication Center (AUC)
    - generates user specific authentication parameters on request of a VLR
    - authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
  - Equipment Identity Register (EIR)
    - registers GSM mobile stations and user rights
    - stolen or malfunctioning mobile stations can be locked and sometimes even localized
  - Operation and Maintenance Center (OMC)
    - different control capabilities for the radio subsystem and the network subsystem

GSM: Sub-Systems

• Radio Sub System (RSS)
  - RSS = MS + BSS
  - BSS = BTS + BSC
• Network Sub System (NSS)
  - NSS = MSC + HLR + VLR + GMSC
• Operation Sub System
  - OSS = EIR + AuC

GSM IDENTIFIERS
GSM identifiers

• International mobile subscriber identity (IMSI):
  - unique 15 digits assigned by service provider = home country code + home GSM network code + mobile subscriber ID + national mobile subscriber ID
• International mobile station equipment identity (IMEI):
  - unique 15 digits assigned by equipment manufacturer = type approval code + final assembly code + serial number + spare digit
• Temporary mobile subscriber identity (TMSI):
  - 32-bit number assigned by VLR to uniquely identify a mobile station within a VLR’s area

LAI

• Location Area Identifier of an LA of a PLMN
• Based on international ISDN numbering plan
  - Country Code (CC): 3 decimal digits
  - Mobile Network Code (MNC): 2 decimal digits
  - Location Area Code (LAC): maximum 5 decimal digits
• Is broadcast regularly by the BTS on broadcast channel

Cell Identifier (CI)

• Within LA, individual cells are uniquely identified with Cell Identifier (CI).
• LAI + CI = Global Cell Identity

GSM: Identification

• Identification of Mobile Subscriber
  - International Mobile Subscriber Identity (IMSI)
  - Temporary IMSI (TMSI)
  - Mobile Subscriber ISDN number (MSISDN)
• Identification of Mobile Equipment
  - International Mobile Station Equipment Identification (IMEI)
  - Mobile Station Roaming Number (MSRN)

IMSI

• International Mobile Subscriber Identity
• Stored in SIM, not more than 15 digits
  - 3 digits for Mobile Country Code (MCC)
  - 3 digits for Mobile Network Code (MNC)
    - It uniquely identifies the home GSM PLMN of the mobile subscriber.
  - Not more than 10 digits for National Mobile Station Identity (MSIN)
    - The first 3 digits identify the logical HLR-ID of the mobile subscriber
• MNC+MSIN makes National Mobile Station Identity (NMSI)

TMSI and LMSI

• Temporary Mobile Subscriber Identity
  - Has only local and temporal significance
  - Is assigned by VLR and stored there only
  - Is used in place of IMSI for security reasons
• Local Mobile Subscriber Identity
  - Is an additional searching key given by VLR
  - It is also sent to HLR
• Both are assigned in an operator specific way

MSISDN

• “real telephone number” of a MS
• It is stored centrally in the HLR
• MS can have several MSISDNs depending on SIM
• It follows international ISDN numbering plan
  - Country Code (CC): up to 3 decimal places
  - National Destination Code (NDC): 2-3 decimal places
  - Subscriber Number (SN): maximal 10 decimal places
• MSISDN = CC + NDC + SN

GSM roaming

• VLR registers users roaming in its area
  - Recognizes mobile station is from another PLMN
  - If roaming is allowed, VLR finds the mobile’s HLR in its home PLMN
  - VLR constructs a global title from IMSI to allow signaling from VLR to mobile’s HLR via public telephone network
  - VLR generates a mobile subscriber roaming number (MSRN) used to route incoming calls to mobile station
  - MSRN is sent to mobile’s HLR
• VLR contains
  - MSRN
  - TMSI
  - Location area where mobile station has registered
  - Info for supplementary services (if any)
  - IMSI
  - HLR or global title
  - Local identity for mobile station (if any)

GSM Radio Interface - TDMA/FDMA

[Figure: GSM TDMA/FDMA, frequency over time, with the higher GSM frame structures]

• downlink: 935-960 MHz, 124 channels (200 kHz)
• uplink: 890-915 MHz, 124 channels (200 kHz)
• GSM TDMA frame: time slots 1 ... 8, 4.615 ms
• GSM time-slot (normal burst): 577 µs, of which 546.5 µs carry the burst
  - guard space | tail (3 bits) | user data (57 bits) | S (1 bit) | Training (26 bits) | S (1 bit) | user data (57 bits) | tail (3 bits) | guard space

GSM hierarchy of frames

• hyperframe: superframes 0 ... 2047, 3 h 28 min 53.76 s
• superframe: multiframes 0 ... 50 or 0 ... 25, 6.12 s
• multiframe: frames 0 ... 25, 120 ms; or frames 0 ... 50, 235.4 ms
• frame: slots 0 ... 7, 4.615 ms
• slot (burst): 577 µs

Mobile Terminated Call

• 1: calling a GSM subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request MSRN from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to current MSC
• 8, 9: get current status of MS
• 10, 11: paging of MS
• 12, 13: MS answers
• 14, 15: security checks
• 16, 17: set up connection

[Figure: numbered message flow 1-17 between calling station, PSTN, GMSC, HLR, VLR, MSC, BSSs and MS]

Mobile Originated Call

• 1, 2: connection request
• 3, 4: security check
• 5-8: check resources (free circuit)
• 9-10: set up call

[Figure: numbered message flow 1-10 between MS, BSS, MSC, VLR, GMSC and PSTN]


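GSM Operation

[Figure: processing chain from speech to the radio interface; sending stage / receiving stage, with the bit rate after each sending stage]

• Speech / Speech
• Speech coding / Speech decoding: 13 Kbps
• Channel coding / Channel decoding: 22.8 Kbps
• Interleaving / De-interleaving: 22.8 Kbps
• Burst formatting / Burst formatting: 33.6 Kbps
• Ciphering / De-ciphering: 33.6 Kbps
• Modulation / Demodulation: 270.83 Kbps on the radio interface
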
MTC/MOC

[Figure: message sequences between MS and BTS for a mobile terminated call (MTC) and a mobile originated call (MOC)]

MTC                        MOC
paging request             -
channel request            channel request
immediate assignment       immediate assignment
paging response            service request
authentication request     authentication request
authentication response    authentication response
ciphering command          ciphering command
ciphering complete         ciphering complete
setup                      setup
call confirmed             call confirmed
assignment command         assignment command
assignment complete        assignment complete
alerting                   alerting
connect                    connect
connect acknowledge        connect acknowledge
data/speech exchange       data/speech exchange

Delivery of a call to a GSM mobile station

[Figure: message sequence between Mobile Station and Base Station]

• Initial Procedure
• RACH: “Channel request”
• AGCH: “Immediate assignment”
• SDCCH: “Paging response” (“I am here.” MSC gets MS’s location)
• SDCCH message exchange
• SDCCH: “Assignment ACK”
• FACCH: “Connect ACK”
• Conversation

HANDOFFS IN GSM
Handoffs

• GSM uses mobile assisted hand-off (MAHO). Signal strength measurements are sent to the BS from the mobile.
• The MSC decides when to do a handoff and it informs the new BS and the mobile.
• When a mobile switches to a new BS it sends a series of shortened bursts to adjust its timing (giving the BS time to calculate it and send it) and allow the new BS to synchronize its receiver to the arrival time of the messages

4 types of handover

[Figure: handover types 1-4 shown on a hierarchy of MSs, BTSs, BSCs and MSCs]

GSM handoffs

• Intra-BSS: if old and new BTSs are attached to same base station
  - MSC is not involved
• Intra-MSC: if old and new BTSs are attached to different base stations but within same MSC
• Inter-MSC: if MSCs are changed


GSM Intra-MSC handoff

1. Mobile station monitors signal quality and determines handoff is required, sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC with ranked list of qualified target BSSs
3. MSC determines that best candidate BSS is under its control
4. MSC reserves a trunk to target BSS
5. Target BSS selects and reserves radio channels for new connection, sends Ack to MSC
6. MSC notifies serving BSS to begin handoff, including new radio channel assignment
7. Serving BSS forwards new radio channel assignment to mobile station
8. Mobile station retunes to new radio channel, notifies target BSS on new channel
9. Target BSS notifies MSC that handoff is detected
10. Target BSS and mobile station exchange messages to synchronize transmission in proper timeslot
11. MSC switches voice connection to target BSS, which responds when handoff is complete
12. MSC notifies serving BSS to release old radio traffic channel

GSM Inter-MSC handoff

1. MS sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC
3. Serving MSC determines that best candidate BSS is under control of a target MSC and calls target MSC
4. Target MSC notifies its VLR to assign a TMSI
5. Target VLR returns TMSI
6. Target MSC reserves a trunk to target BSS
7. Target BSS selects and reserves radio channels for new connection, sends Ack to target MSC
8. Target MSC notifies serving MSC that it is ready for handoff
9. Serving MSC notifies serving BSS to begin handoff, including new radio channel assignment
10. Serving BSS forwards new radio channel assignment to mobile station
11. Mobile station retunes to new radio channel, notifies target BSS on new channel
12. Target BSS notifies target MSC that handoff is detected
13. Target BSS and mobile station synchronize timeslot
14. Voice connection is switched to target BSS, which responds when handoff is complete
15. Target MSC notifies serving MSC
16. Old network resources are released

Handover decision

[Figure: receive level curves as the MS moves from BTSold to BTSnew, with the handover threshold HO_MARGIN]

Handover procedure

[Figure: message sequence between MS, BTSold, BSCold, MSC, BSCnew and BTSnew]

• measurement report, measurement result
• HO decision
• HO required, HO request
• resource allocation
• ch. activation, ch. activation ack
• HO request ack
• HO command (forwarded hop by hop to the MS)
• HO access
• Link establishment
• HO complete (forwarded to the MSC)
• clear command, clear complete

GSM Security
Security in GSM

• Security services
  - access control/authentication
    - user ↔ SIM (Subscriber Identity Module): secret PIN (personal identification number)
    - SIM ↔ network: challenge response method
  - confidentiality
    - voice and signaling encrypted on the wireless link (after successful authentication)
  - anonymity
    - temporary identity TMSI (Temporary Mobile Subscriber Identity)
    - newly assigned at each new location update (LUP)
    - encrypted transmission
• 3 algorithms specified in GSM
  - A3 for authentication (“secret”, open interface)
  - A5 for encryption (standardized)
  - A8 for key generation (“secret”, open interface)

“secret”:
• A3 and A8 available via the Internet
• network providers can use stronger mechanisms

GSM Security

• Access Control and Authentication
  - User should not be able to use the GSM resources without being authenticated
• Confidentiality
  - Messages containing user related information should not be accessible to others
• Anonymity
  - User identifier is not used over the air

GSM Security

• Access Control and authentication
  - GSM handsets must be presented with a subscriber identity module (SIM)
  - SIM must be validated with personal identification number (PIN)
  - SIM also stores subscriber authentication key, authentication algorithm, cipher key generation algorithm, encryption algorithm

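GSM - authentication

[Figure: challenge-response authentication between mobile network and SIM]

• mobile network: the AC holds Ki (128 bit) and RAND (128 bit); A3 computes SRES* (32 bit) from them
• RAND (128 bit) is sent to the SIM
• SIM: A3 computes SRES (32 bit) from RAND (128 bit) and Ki (128 bit)
• SRES (32 bit) is sent back to the MSC, which checks SRES* =? SRES

Ki: individual subscriber authentication key
SRES: signed response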


GSM Security

• During registration (when roaming), mobile station receives “challenge” and uses authentication key and authentication algorithm to generate “challenge response” to verify user’s identity
• Confidentiality (Privacy from eavesdropping)
  - Temporary encryption key is used for privacy of data, signaling, and voice
  - Info is encrypted before transmission

GSM Security

• Anonymity of users
  - Supported by temporary mobile subscriber ID (TMSI)
  - When registered, mobile station sends globally-unique international mobile subscriber ID (IMSI) to network
  - Network assigns TMSI for use during call - IMSI is not sent over radio link
  - Only network and mobile station know true identity
  - New TMSI is assigned when roaming into a new area

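
The TMSI handling described above, together with the VLR's roaming check from the GSM roaming slides, as an added Python example (not part of the original slides). The names parse_imsi, Vlr and air_log, the sample IMSIs and the location area labels are assumptions made for illustration.

```python
import secrets


def parse_imsi(imsi: str, mnc_digits: int = 3) -> dict:
    """Split an IMSI into the fields listed on this page.

    mnc_digits defaults to the 3 digits the page gives; deployed PLMNs use
    2- or 3-digit MNCs, so pass the value that matches the network.
    """
    if not (imsi.isascii() and imsi.isdigit()) or len(imsi) > 15:
        raise ValueError("IMSI must be at most 15 decimal digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits]
    msin = imsi[3 + mnc_digits:]
    if len(mnc) != mnc_digits or not 1 <= len(msin) <= 10:
        raise ValueError("IMSI too short or MSIN longer than 10 digits")
    return {"mcc": mcc, "mnc": mnc, "msin": msin, "hlr_id": msin[:3]}


class Vlr:
    """Toy VLR: maps 32-bit TMSIs to subscriber records held only locally."""

    def __init__(self, plmn: str, mnc_digits: int = 3):
        self.plmn = plmn              # MCC+MNC of the network this VLR serves
        self.mnc_digits = mnc_digits
        self._by_tmsi = {}            # TMSI -> record, never leaves the VLR
        self.air_log = []             # identity type seen on the radio link

    def _fresh_tmsi(self) -> int:
        # Unpredictable 32-bit value that is not currently assigned.
        while True:
            tmsi = secrets.randbits(32)
            if tmsi not in self._by_tmsi:
                return tmsi

    def register(self, imsi: str, lai: str) -> int:
        """First registration: the MS presents its IMSI and receives a TMSI."""
        fields = parse_imsi(imsi, self.mnc_digits)
        self.air_log.append("IMSI")
        tmsi = self._fresh_tmsi()
        self._by_tmsi[tmsi] = {
            "imsi": imsi,
            "lai": lai,
            "roaming": fields["mcc"] + fields["mnc"] != self.plmn,
            "hlr_id": fields["hlr_id"],
        }
        return tmsi

    def location_update(self, tmsi: int, new_lai: str) -> int:
        """Later contact: the MS presents only its TMSI and gets a new one."""
        if tmsi not in self._by_tmsi:
            raise KeyError("unknown TMSI; the MS has to register with its IMSI")
        self.air_log.append("TMSI")
        new_tmsi = self._fresh_tmsi()      # old TMSI is still reserved here
        record = self._by_tmsi.pop(tmsi)
        record["lai"] = new_lai
        self._by_tmsi[new_tmsi] = record
        return new_tmsi

    def lookup(self, tmsi: int) -> dict:
        return self._by_tmsi[tmsi]


def demo():
    # Constructed identifiers: test PLMN 001/001 and a made-up foreign PLMN.
    vlr = Vlr(plmn="001001")
    home = vlr.register("001001123456789", lai="LA-17")
    visitor = vlr.register("999002555000111", lai="LA-17")
    moved = vlr.location_update(home, new_lai="LA-18")
    return vlr, home, visitor, moved


if __name__ == "__main__":
    vlr, home, visitor, moved = demo()
    print("identities seen on the air interface:", vlr.air_log)
    print("visitor flagged as roaming:", vlr.lookup(visitor)["roaming"])
```

The IMSI appears in air_log once per subscriber; every later contact is identified by a TMSI that is replaced at each location update.
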
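GSM - key generation and encryption

[Figure: key generation and encryption between mobile network (BTS) and MS with SIM]

• mobile network: the AC feeds Ki (128 bit) and RAND (128 bit) into A8, which gives the cipher key Kc (64 bit)
• RAND (128 bit) is sent to the MS
• SIM: A8 computes Kc (64 bit) from RAND (128 bit) and Ki (128 bit)
• BTS and MS each run A5 with Kc; data between BTS and MS is transmitted encrypted
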
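
The challenge-response exchange from the authentication figure and the Kc derivation and encryption above, as an added Python example that is not part of the original slides. A3, A8 and A5 are replaced by labelled stand-ins (HMAC-SHA-256 and SHAKE-128); the class and function names, the frame counter and the sample IMSI are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# A3/A8/A5 stand-ins: the real algorithms are operator- or standard-defined
# and are NOT reproduced here; HMAC-SHA-256 and SHAKE-128 are substitutes.


def a3_stub(ki: bytes, rand: bytes) -> bytes:
    """(Ki, RAND) -> 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_stub(ki: bytes, rand: bytes) -> bytes:
    """(Ki, RAND) -> 64-bit cipher key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_stub(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """XOR data with a keystream derived from Kc and a frame counter
    (the counter is an assumption of this sketch); same call decrypts."""
    seed = kc + frame_no.to_bytes(4, "big")
    stream = hashlib.shake_128(seed).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


class AuthCenter:
    """Network side: keeps Ki per IMSI and issues (RAND, SRES*, Kc)."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)   # 128-bit Ki
        return self._ki[imsi]                      # goes into the SIM only

    def triplet(self, imsi: str):
        ki, rand = self._ki[imsi], secrets.token_bytes(16)  # 128-bit RAND
        return rand, a3_stub(ki, rand), a8_stub(ki, rand)


class Sim:
    """SIM side: Ki stays inside; only SRES and Kc come out."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes):
        return a3_stub(self._ki, rand), a8_stub(self._ki, rand)


def authenticate(triplet, sim: Sim) -> Optional[bytes]:
    """MSC check SRES* =? SRES. Returns Kc for the BTS on success."""
    rand, sres_expected, kc = triplet
    sres, _kc_on_sim = sim.respond(rand)   # RAND down, SRES up; Ki never sent
    if hmac.compare_digest(sres, sres_expected):
        return kc
    return None


def demo():
    ac = AuthCenter()
    imsi = "001001123456789"                  # constructed test IMSI
    sim = Sim(ac.provision(imsi))
    wrong_sim = Sim(secrets.token_bytes(16))  # card without the right Ki
    first = ac.triplet(imsi)
    kc_net = authenticate(first, sim)
    _, kc_ms = sim.respond(first[0])
    burst = a5_stub(kc_ms, 42, b"hello")      # MS encrypts, BTS decrypts
    return {
        "genuine": kc_net is not None and kc_net == kc_ms,
        "plaintext_at_bts": a5_stub(kc_net, 42, burst),
        "wrong_ki": authenticate(first, wrong_sim),
        "fresh_rand": ac.triplet(imsi)[0] != first[0],
    }
```

Both sides arrive at the same Kc without it crossing the radio link, and a card that lacks the subscriber's Ki fails the SRES comparison.
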

Channels

• The physical channel in GSM is the timeslot.
• The logical channel is the information which goes through the physical channel.
• Both user data and signaling are logical channels.
• User data is carried on the traffic channel (TCH), which is defined as 26 TDMA frames.
• There are lots of control channels for signaling, base station to mobile, mobile to base station (“aloha” to request network access)
• Signaling protocol for networks
  - Packet-switching [like IP]
  - GSM uses SS7 for communication between HLR and VLR (allowing roaming) and other advanced capabilities.
  - GSM’s protocol which sits on top of SS7 is MAP (mobile application part)

Frequency bands

• Frequency band: Uplink: 890-915 MHz, Downlink: 935-960 MHz
• Frequency range: 50 MHz (25 MHz Up, 25 MHz Down)
• Carrier spacing: 200 KHz (but time shared between 8 subscribers)
• Duplex distance: 45 MHz (FDD)
• Number of carriers: 25 MHz/200 KHz = 124
• Users/carrier: 8
• The reverse channel is retarded by 3 time slots relative to the forward
• One or more carrier frequencies are assigned to each BS
• Eight time slots are grouped into a TDMA frame (120/26 ms, or approx. 4.62 ms; 120 frames in a multiframe that is 26ms in duration)
• Time slot = 4.62/8 ms (or approx. 0.577 ms)
• One physical channel is one time slot per TDMA frame.

Spectrum efficiency

• Assume N = 3 (depends on environment)
  - Country side: N = 2 or 3;
  - Metropolitan areas: N > 3 or higher
• Carriers: 124; each carrier has 8 channels:
  - No. of physical channels = 124*8 = 992
  - Total frequency band: 25 (uplink) + 25 (downlink) = 50 MHz
  - Efficiency = 992/(3*50 MHz) = 6.61 conversations/cell/MHz

Traffic frames & control frames

Initial procedure in delivery of a call to a GSM mobile station

[Figure: message sequence between Mobile Station and Base Station]

• SCH: “Sync Channel Information”
• BCCH: “System Information”
• PCH: “Paging Request”
• RACH: “Channel request”

PCH: Paging Channel. Purpose: To notify terminals of arriving calls.

SDCCH message exchange in delivery of a call to a GSM mobile station

SDCCH: Standalone dedicated control channel

[Figure: message sequence between Mobile Station and Base Station]

• Authentication request
• Authentication response
• CIPHERING MODE
• Ciphering Mode ACK
• setup
• Call Confirmed
• ALERTING
• CONNECT
• Assignment Command

Termination of the call (by MS)

How is the call terminated at MS?

[Figure: message sequence between Mobile Station and Base Station]

• Conversation
• FACCH: “Disconnect”
• FACCH: “Release”
• FACCH: “Release complete”
• FACCH: “Channel release”
