Signal Processing in GSM

Lecture 10

Channel Coding Interleaving Authentication & Ciphering GMSK Modulation Identifiers

Channel Coding

For channel coding 260 bits of data in a TRAU frame separated into 182 class-1 bits (very important) and 78 class-2 bits (less important) Channel coding protects the two classes with different priorities After channel coding original data packet of 260 bits (user data) or 184 bits (signalling data) extended to a data block of length 456 bits Data block then mapped on various bursts for the actual transmission

Channel Coding for User Data

Channel Coding for Signalling Data

Interleaving

Packets of 456 bits spread over a larger time period in separate TSs Spreading depends on application the bits represent Signalling & data traffic are spread more than voice traffic Goal - to minimize the impact of Air-interface peculiarities that account for rapid, short-term changes of the quality of the transmission channel A particular channel may be corrupted for a very short period of time and all the data sent during that time are lost That could lead to loss of complete data packets of n times 114 bits Interleaving does not prevent loss of bits If there is a loss, the same number of bits are lost However, in interleaving, the lost bits are part of several different packets bits These few bits can be recovered by error-correction mechanisms

Interleaving

Authentication

Problem- unauthorised access to telecom services via cloning of a valid user identifier GSM anticipated this and defined an authentication procedure A user is challenged to provide proof of the claimed identity User accesses network and provides the user identifier Network sends a random number (RAND) to the MS Which together with Ki provide a response (SRES)

Ciphering

MS sends a connection request to the network Among others, this request contains

Ciphering key sequence number (CKSN) Mobile station class mark

Which indicates the available ciphering algorithms (A5/X) in the mobile station

Ciphering

VLR examines the CKSN and decides whether authentication is necessary Authentication not required a second time during the same network access Multiparty call- an example of second connection while another connection already exists A message sent to the MS in case authentication is necessary Message contains the random number, RAND SIM uses the RAND, value Ki and algorithm A3 to calculate SRES MS sends SRES to the VLR VLR compares this SRES with the one earlier sent by HLR/AuC Auth successful if both values are identical Immed after SRES, the MS calculates ciphering key Kc using RAND, Ki and algorithm A8 To activate ciphering, the VLR sends

Value Kc that the AuC has calculated A reference to the chosen A5/X algorithm

Via the MSC and the BSC to the BTS

Calculation of SRES & Kc

Ciphering

BTS retrieves from the ENCR_CMD message

Kc Info about the required ciphering algorithm

BTS only forwards info about the A5/X algorithm in a CIPH_MOD_CMD message to the MS Which triggers MS to enable

Ciphering of all outgoing data and Deciphering of all incoming information

MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message A5/X uses the current value of the frame number (FN) at the time and Kc as input parameters Output of this operation are ciphering sequences, each 114 bits long, one is needed for ciphering and the other one for deciphering First ciphering sequence and the 114 bits of useful data of a burst are XORed

To provide encrypted 114 bits that are actually sent over the Air-interface

Ciphering sequences altered with every frame number Which in turn changes the encryption with every frame number Deciphering takes place exactly the same way but in the opposite direction

Ciphering

De-ciphering

Authentication
Global GSM Mobility Card
The Smart Card to use

MS

Radio Interface

BSS

NSS
RAND (128 bits)

(RAND, SRES, Kc)

AUC

GSM

(A3 and A8)

SIM card

Ki

Ki (128 bits)

Ki (128 bits) RAND

Ki

A3

A3

A3

A3

SRESm A8
A8

SRESm (32 bits)

=?
OK

SRES
A8

A8

CIPHER MODE
RAND = RANDom number SRES = Signed RESponse Kc = Ciphering Key Ki = Identification Key

Kc

Kc

Authentication
RAND

BSS

RAND
6 SRESm

4 BSC 7 BTS

SRESm CIPHER MODE

MSC
6

Ciphering 7 Command

Purpose: Avoid logging of lost, stolen or forgery SIM-Cards.

SRESm

HLR
1

RAND
4 7

VLR
SRESm = SRES ?

Ki 5

RAND 1 A3 3

Triplets

SRESm

(RAND, SRES, Kc) 2 AUC (A3 and A8)

Ciphering MS
Frame Number (22 bits)

BTS
Frame Number (22 bits)

Radio interface

A5
Kc (64 bits)

A5
Kc (64 bits)

Block Block (114 bits) (114 bits)

Block Block (114 bits) (114 bits)

Data to transmit Received data

+ +

Ciphered data

+ +

Received data Data to transmit

+ : exclusive-or

CIPHERING
CIPHER MODE COMMAND

BSS
Kc BSC Kc BTS 2

CIPHER MODE COMPLETE

+
A5
Kc TDMA#

Ciphered 5 data

CIPHER MODE 6 COMPLETE

MSC

Purpose: avoid communication to be tapped. `dwbxh vce i vce tpfug

SET CIPHER MODE (Kc)

(Rand, SRES, Kc) Ki Rand A8 Kc

VLR

IMEI

Mobile station equipment identity Not mandatory for the network operator to query the IMEI Purpose of the IMEI is to prevent passive theft protection EIR maintains information on stolen mobile equipment in a black list, which makes stolen mobile equipment useless

IMEI
IMEI comprises following: A 24-bit-long type approval code (TAC)

Before any mobile equipment is brought into service, it undergoes a test to show that it complies with safety regulations and functionality requirements Process called type approval, and the requirements are specified by GSM

An 8-bit-long final assembly code (FAC) identifies the manufacturing facility A 24-bit-long serial number A spare field, currently not used

MOBILE IDENTIFICATION

E D YP VE T O R PP A

TAC
Type Approval Code

FAC

SNR
Serial number

SP
(SPare)

Final Assembly Code

IMEISV

IMEI plus a software version number (SVN) Which can be modified by the manufacturer in case of a software update

IMSI
International mobile subscriber identity An identifier for a GSM subscriber Part of the subscriber data stored on (SIM) card Uniquely identifies one subscription worldwide Structure similar to the ISDN number, defined in ITU-T Recommendation E.164

IMSI

15-digit number composed of

and

is

Mobile country code (MCC) Mobile network code (MNC) Mobile subscriber identification number (MSIN)

MSIN of the IMSI not used as the subscribers telephone number To make tracking more difficult, IMSI used only as an identifier when the temporary mobile subscriber identity (TMSI) not available, e.g., for initial system connections

MCC & MNC

Mobile country code A three-digit identifier Uniquely identifies a country (not a PLMN) Mobile network code A two-digit identifier Used (like the 3-bit-long NCC) to uniquely identify a PLMN

IMSI Attach/Detach

BTS permanently broadcasts parameter ATT in the BCCH message Which indicates whether the IMSI attach/detach procedure is required IMSI detach informs network that

An MS will go into an inactive state And is no longer available for incoming calls For example, due to power down or because the SIM is removed

MS sends an IMSI_DET_IND message to the network each time it is powered down VLR keeps track of this state This approach saves radio resources and processing time Call processing can switch to secondary call treatment

without first sending a PAGING message and then waiting for expiration of respective timers Call forwarding Voice mail, or Telling caller that the subscriber currently not reachable

Secondary call treatment means initiating

Complementary to IMSI detach is IMSI attach It indicates to network that a mobile station is active again IMSI attach is related to periodic location updating The location updating procedure is utilized to perform IMSI attach

IMSI Attach
1
CHANNEL REQUEST IMMEDIATE ASSIGNMENT

BSS
2 BSC BTS 3 4

3LOCATION UPDATING

REQUEST (IMSI Attach) Authentication 4 Procedure

MSC

LOCATION UPDATING 5 ACCEPT (LAC, TMSI)

5
4

VLR
6

IMSI Detach
1
CHANNEL REQUEST IMMEDIATE ASSIGNMENT

BSS
2 BSC BTS 4

IMSI DETach INDication CHANNEL RELEASE

IMSI DETach INDication

MSC

VLR

TMSI

Temporary mobile subscriber identity Identifies a mobile subscriber, like the IMSI 4-byte-long Unlike the IMSI, TMSI has only temporary significance VLR assigns a TMSI upon location registration for confidentiality So not required to transfer the IMSI over the Air-interface frequently Assignment and use of the TMSI only possible with active ciphering TMSI can take any value, except FF FF FF FFhex This value reserved in case SIM does not contain a valid IMSI

MSISDN
Mobile subscriber ISDN Dir No of a mobile subscriber Example: 49 171 5205787 is the directory number of a subscriber to the D1 network in Germany Country code (CC) identifies a country or region (e.g., 49 for Germany, 1 for the United States); National destination code (NDC) identifies the PLMN (e.g., 171 for the operator D1) Subscriber number (SN) is a unique identifier within the PLMN

MSRN

Mobile station roaming number A temporary identifier used terminating calls

for

mobile

To route a call from the gateway MSC to the serving MSC/VLR

VLR assigns MSRN when a request for routing information is received from the HLR MSRN released after the call has been set up MSRN used solely to route an incoming call and contains no information to identify the caller or the called party Contains following codes: Country code (CC) is the prefix of a country National destination code (NDC) identifies the PLMN (e.g., 172 is the D2 operator of Germany); Temporary subscriber number (temp. SN) assigned by the serving MSC/VLR of the called subscriber

NDC
National destination code Part of an ISDN number as defined by ITU-T in Recommendation E.164 Typically, the NDC addresses an area May also be used to address a service, just as the NDC 800 addresses free phone service in the United States In Germany, the NDCs 171 and 172 used to address the two GSM 900 operators

CKSN

Ciphering key sequence number A 3-bit-long value References to a ciphering key, Kc When a particular Kc is stored in the MS and the MSC/VLR, a CKSN is assigned as well Allows MS and network a negotiation of the Kc without compromising security by transmitting the value of Kc over the air Particularly when an MS tries to establish an additional or subsequent operation with the network In such a case, when the MS requests a connection, it sends its last valid CKSN to the VLR VLR then decides, based on the CKSN, if ciphering can start immediately or if another authentication is required VLR may decide to request another authentication, even if the CKSN matches the VLRs entry

LMSI

Local mobile subscriber identity A 4-byte-long parameter VLR assigns it to a subscriber on a temporary basis Purpose is to expedite queries in the VLR When the LMSI is assigned, both sides do not only use the IMSI but also the LMSI Although no use for the LMSI in the HLR, but it still must be stored in the HLR HLR required to send the LMSI whenever data between the two databases exchanged

CI

Cell identity A 2-byte-long hexadecimal identifier CI together with the location area (LAI) uniquely identifies a cell within a PLMN

Location area (LA)

LA comprises at least one but typically several BTSs Defined for the following purpose:

An MS that changes the serving cell in the same location area does not need to perform a location update When network tries to establish a connection to an MS for a mobile terminating call, PAGING message is sent to only those BTSs that belong to the current location area of the MS Reduction of signalling load

LA therefore, serves mainly one purpose

Every BTS broadcasts the LA via the parameter location area identity (LAI)

Location area

Even during an active call, LA communicated to the MS (particularly important in a handover) Shaded, one-digit field is a filler (1111bin) Extends three-digit MCC to 2 bytes Actual location area code (LAC) is four digits long LAC is an identifier that can be assigned by the network operator All values, except 0000hex and FFFE hex allowed Those two values reserved for cases when the LAI on a SIM has been deleted

Registration: The Very First Location Updat

1. Channel allocation (Connection request procedure):

MS sends (on RACH) a CHANNEL REQUEST message Network responds with IMMEDIATE ASSIGNMENT dedicated channel)

(on

2. MS sends to BSS a LOCATION UPDATING REQUEST message with IMSI 3. VLR triggers and monitors the Authentication procedure and can also activate Ciphering procedure 4. VLR stores the LA of the MS and informs the HLR which:

stores VLR identity downloads the subscriber profile, if the MS is allowed to roam

5. VLR may assign a TMSI and sends it to the MS in the LOCATION UPDATING ACCEPT message 6. MSC releases the connection

Registration: the Very First Location Update

1 2 IMSI 3 TMSI Release 6 5 BTS BSC 1

BSS

2 3 TMSI 6

MSC
5 2 3 TMSI 5

LAI

HLR
IMSI VLR id 4

VLR
IMSI TMSI LAI

BSIC

Base station identity code An identifier for a BTS Does not uniquely identify a single BTS, since it is reused several times per PLMN Purpose of the BSIC is to allow the MS to identify and distinguish among neighbor cells, even when neighbor cells use the same BCCH frequency Since BSIC is broadcast within SCH of a BTS, MS need not even have to establish a connection to a BTS to retrieve the BSIC

BSIC

Consists of the

Network color code (NCC), which identifies the PLMN Base station color code (BCC)

NCC

Network color code 3-bit-long code Identifies the PLMN Is part of the BSIC and Is broadcast in the synchronization channel

BCC

Base station color code 3-bit-long parameter Part of the BSIC Used to distinguish among the eight different training sequence codes (TSCs) BTS may use these TSCc on the CCCHs to distinguish between neighbor BTSs without the need for the MS to register on any other BTS

PIN

Personal identification number A four- to eight-digit number Provides limited protection against unauthorized use. Can be changed by the user and is stored on the SIM. Optional and can be disabled When enabled, the PIN needs to be entered at power up When the wrong PIN entered three consecutive times, the SIM is blocked and Only the PIN unblocking key (PUK) can release the Pin

PUK

PIN unblocking key A 10-digit code stored on the SIM Cannot be altered by the user Unblocks a SIM that was blocked due to wrong PIN entry three consecutive times