
Communication Systems
10th lecture

Chair of Communication Systems


Department of Applied Sciences
University of Freiburg
2006

Last lecture – digital telephony networks


Signaling in large scale digital networks
– Primary Rate Interface to connect the PBX of large organizations
– Global call setup and routing with signaling system #7 (which
is loosely modelled after OSI stack)
– Several protocols to handle different services
– Special protocol QSIG for inter-connecting PBX (in private,
corporate telephony networks)

Interfaces in the telephony world are the standards
equivalent to protocols in the TCP/IP world
– Major difference: TCP/IP is rather open to everyone and not
restricted to an exclusive club of telephony equipment
manufacturers and telcos

Last lecture – introduction to mobile telephony networks


Introduction to mobile telephony networks: from the
analog world via cell-based infrastructure to second
generation interoperable digital mobile phone networks
– Standardization process started in the middle of the 80s
– First deployment in 1991, 92
– Fast growth since then – more than 500 million subscribers by
2005

GSM – Global System for Mobile communication is a
worldwide standard by now, available everywhere with few
exceptions

Plan for this lecture


GSM interfaces

GSM network components
– Mobile switching center, visitor location register, home location
register, authentication center, mobile stations, SIM, radio
subsystem...

Radio interface Um

Control channels

Network control, SS7

Call setup

Authentication, Authorisation, Access

security issues

Last lecture – first introduction to GSM structure


GSM consists of radio, network and operation and
maintenance subsystems

Radio subsystem is comprised of Mobile Stations (MS, end
user equipment), Base Transceiver Stations (BTS, covering
a certain Location Area)

BTS are handled by Base Station controllers (BSC), which
are controlled by MSC:

GSM interfaces and components



Like in the digital telephony network, interfaces between the
different components are defined
– Um is the radio interface (m for mobile) between the mobile
stations and the base station transceiver, modelled after the
user interface in the ISDN world (Uk0 , UG2)
– Abis is the interface between BTS and BSC
– A is the interface of the BSC to the MSC

The network subsystem defines the following interfaces
– B between MSC and visitor location register (VLR)
– C between MSC and home location register (HLR)

GSM interfaces and components


The several MSC are interconnected via
– E interfaces, this is the interface to Gateway MSC too
– F defines the interface to the equipment identifier register
(EIR)
– The different VLR talk to each other (needed when handovers
between different MSC occur) via G interface

Operation & Maintenance Subsystem (OSS) is the whole
systems management layer
– Network measurement and control functions
– Monitored and initiated from the OMC (Operation and
Maintenance Center)
– Network Administration
GSM interfaces and components


OMC keeps track of configuration, operation, performance
management, statistics collection and analysis, network maintenance
– Commercial operation & charging
– Accounting & billing
– Security Management, e.g. Equipment Identity Register (EIR)
management

GSM network components


Network and radio subsystem are supervised by OMC

Many BSCs are controlled by Mobile Switching Center (MSC), which is part
of Network subsystem

Somewhere in between is the TRAU (Transcoding and Rate Adaptation Unit)

GSM components – network operation, MSC


A provider network has in general many distributed
MSCs

Thus the MSC is a typical ISDN switching center with
additional components for mobility management
– Many standards and interfaces discussed in last lecture apply
here too
– Controls the access and authorization of mobile subscribers
– Gets the user data from HLR and copies it to the VLR of all
MS in range

GSM components - MSC

– To convert 13kbit/s (from MS), 16kbit/s (from BSC because of
some added inband information) to 64kbit/s ISDN data rate a
TRAU is typically included in between MSC and BSC
– Performs all the switching and routing functions of a fixed
network switching node and adds specific mobility-related
functions, like

Allocation and administration of radio resources

Management of mobile users

Registration, authentication

Manages handover execution and control

Does paging (search for MS within the BSCs)

GSM components – visitor location register (VLR)

MSC looks up users and communication information in VLR
– VLR is a temporary database dynamically updated when
subscribers enter or leave vicinity of the serving MSC
– one database per MSC (or per group of MSCs), typically joint MSC-VLR
implementation
– Idea: Avoid heavy MSC-VLR signalling load on network links
– VLR entries contain the following information:

Every user / MSISDN actually staying in the administrative area
of the associated MSC

Entry created when an MS enters the MSC area (registration)

May store data for roaming users (subscribed to different
operators)

GSM components – visitor location register (VLR)

– VLR entries contain the following information:



Tracking and routing information

Mobile Station Roaming Number (MSRN)

Temporary Mobile Station Identity (TMSI) assigned by
MSC

Location Area Identity (LAI) where MS has registered
needed for paging and call setup

GSM components – home location register (HLR)


While VLR keeps user data only temporarily, the permanent
storage of data takes place in HLR
– Each mobile provider keeps such a database to store its
subscribers' information
– Subscriber and subscription data

IMSI, MSISDN

Parameters (authorization) for additional services

info about user equipment (IMEI)

Authentication data
– Service setup for call deflection, mobile phone box, ...

GSM components – authentication center (AUC)


Typically seen as part of OMC

Associated to HLR (home location register)
– Might be integrated with HLR
– Search key: IMSI
– Responsible for storing security-relevant subscriber data
– Subscriber’s secret key Ki (for authentication)
– Shared encryption key on the radio channel (Kc)
– Algorithms to compute temporary keys used during
authentication process

GSM components – mobile stations (MS)


GSM separates user mobility from equipment mobility by
defining two distinct components

Mobile Equipment (ME)
– or Mobile Terminal (MT) – it is the cellular telephone itself
(mobile phone hardware)
– It has its own address / identifier: IMEI (International Mobile
Equipment Identity)

Composed of the technical components for user interaction:
keypad, display, speaker and microphone; may contain
– Interfaces for additional services like fax or data (peripheral
connections such as Bluetooth, IrDA or serial connections might be
available too)

GSM components – mobile stations (MS)


Five transmit power classes defined for MS in 900MHz band
– 20, 8, 5, 2, 0.8 Watt – normally used are 8W for vehicular and
0.8W for portable devices
– Only two classes for 1800MHz band: 1 and 0.25W

Implementations
– Early devices were single band for GSM900 or DCS1800 or
PCS1900
– Today mostly so called multiband phones are sold (allow
communication in two or all three GSM bands)
– Newest devices are multimode which could handle both GSM
and UMTS (and several data standards like GPRS)

GSM components – mobile stations (SIM)


Second component is the Subscriber Identity Module (SIM)

SIM keeps the following addresses / identifiers:
– IMSI (International Mobile Subscriber Identity) – 15-digit
composed of Mobile Country Code, Mobile Network Code,
Mobile Subscriber Identification Number
– Is sent (for security reasons only) when entering network or
doing location update
– MSISDN (Mobile Subscriber ISDN number) of 15 digits is the
telephone number users call, composed of Country Code
(Germany 49, US 1), National Destination Code (Provider
prefix without the 0), Subscriber Number

GSM components – mobile stations (SIM)


The MSISDN is used for routing in traditional telephony networks
(but not for routing in mobile)
– Translated in MSC to TMSI, unique within a certain Location
Area (LA), kept in the VLR

TMSI is temporarily stored on SIM
– Not fixed, regularly changed to avoid outside user tracking

Same applies for MSRN (Mobile Station Roaming Number,
GSM internally):
– VCC = country code of visited mobile network
– VNDC = location code (place where the user actually is)
– VMSN = ID of the visited MSC
– VSN = subscriber ID, assigned by VLR
GSM components – mobile stations (SIM)


MSRN is composed similarly to MSISDN, but location dependent

SIM itself is a piece of hardware, a plug-in module, a so-called smartcard
(or fixed chip within the phone – only on special devices)
– Usually provided in the ID-000 format, which is about 0,76mm thick
plastic with cast-in chip
– It contains: a CPU, internal bus system connecting RAM and EEPROM
and an electrical interface (contact pads on the upper side)

GSM components - radio subsystem (BTS)


Radio interface functions (MS <-> BTS)
– GMSK modulation-demodulation
– channel coding, encryption/decryption
– burst formatting, interleaving
– signal strength measurements
– interference measurements

GSM components - radio subsystem (BSC)


Functions of a BSC
– One BSC may control up to 40 BTS (kept in database)
– switch calls from MSC to correct BTS and conversely
– Protocol and coding conversion for traffic (voice) & signaling
(GSM-specific to ISDN-specific)
– Manage mobility of MS (handover between different BTS)
– Enforce power control
GSM – the radio interface Um


Let's start with the physical layer of the beloved OSI model

Um defines the communication of MS with the GSM
infrastructure

The bandwidth is 270,833kbit/s (bit rate not integer because
derived from time slots as explained later)

Because of the limited frequency band multiplex access is
used

GSM – Um: FDM & TDM


Frequency Division Multiplexing: two 25MHz bands
– Uplink (MS to BTS) = 890 – 915MHz
– Downlink (BTS to MS) = 935 – 960MHz
– Each defined channel has a 200kHz bandwidth
– Duplex spacing: 45MHz
– Thus 124 bearer frequency pairs possible, suggested to use
only 122 to keep additional guard top and bottom
– In practice, due to power control and shadowing, adjacent
channels cannot be used within the same cell…

Additionally in each frequency channel Time Division
Multiplexing (TDM) is applied

GSM – Um: FDM & TDM
– 8 periodic time slots - 0,577ms each
– TDM frame composed of 8 timeslots equals 4,615ms
– In every time slot a so-called “burst”, a succession of 148 bits, is
transmitted
– Between the bursts a “security buffer” of 8,25bit/burst is inserted

GSM – Um: FDM & TDM


Through the FDM/TDM hybrid, 992 channels are available in GSM

In DCS1800 more channels: 75MHz band split into 200kHz channels
allows a total of 374 carriers

Thus 2992 physical channels available in E-GSM

GSM – Um: burst types / dummy burst


Five different burst types defined
– Normal Burst
– Access Burst
– Frequency Correction Burst
– Synchronization Burst
– Dummy Burst to fill in inactive bursts in Broadcast Control
Channel (BCCH, direction from BTS to MS) to have most
power on this channel (helpful, when MS needs to find BCCH)

GSM – Um: frequency hopping


Not all channels in a given cell are of equal quality and multi
path reception / adjacent channels may disrupt
communication

Thus frequency hopping is introduced
– avoid frequency-selective fading, co-channel interference

GSM – Um: GMSK modulation


Split single bits into odd and even

Double the time period of each bit

Four cases
– Bg=0, Bu=0: use f2 inverted
– Bg=1, Bu=0: use f1 inverted
– Bg=0, Bu=1: use f1
– Bg=1, Bu=1: use f2

GSM – the Um logical layer

The logical layer could be seen as the equivalent of OSI
data link layer
– Here the logical channels are mapped onto the physical ones
– Two distinctions: traffic channels and control channels

The traffic channels carry the user data (voice, SMS, fax, ...)
– Full rate channel: Bm 22,8kbit/s (TCH/F)
– Half rate channel: Lm 13,4kbit/s (TCH/H)

GSM – control channels


Besides the traffic channels, a group of control channels is
defined

They handle system information, connection setup and
connection control

Broadcast Control Channel (BCCH) group handles beacon
signaling, synchronization of MS with the serving BTS,
timing advance adjustment; it comprises
– BCCH – Broadcast Control Channel
– FCCH – Frequency Control Channel
– SCH – Synchronization Channel

GSM – control channels: FCCH, SCH


FCCH is responsible for first part of MS tuning
(synchronisation of mobile device to BTS signal)
– MS listens on strongest beacon for a pure sine wave (FCCH),
first coarse bit synchronization used for fine tuning of oscillator

Immediately after follows a SCH burst

SCH: Fine tuning of synchronization (64 bits training
sequence)
– Read burst content for synchronization data
– 25 bits (+ 10 parity + 4 tail + ½ convolutional coding = 78bits)
– 6 bits: BSIC, 19 bits: Frame Number (reduced)

Finally MS is able to read BCCH information

GSM – control channels: BCCH


BCCH is responsible for
– Sending out of beacon on one frequency per cell (by BTS)
– Contains 16bit Location Area (LA) code
– MUST BE on Time Slot #0, following time slots might be used by
TCH

BCCH provides:
– Details of the control channel configuration
– Parameters to be used in the cell
– Random access backoff values
– Maximum power an MS may access
(MS_TXPWR_MAX_CCCH)

GSM – control channels: BCCH


BCCH provides:
– Minimum received power at MS (RXLEV_ACCESS_MIN)
– Is cell allowed? (CELL_BAR_ACCESS)
– List of carriers used in the cell
– Needed if frequency hopping is applied
– List of BCCH carriers and BSIC of neighboring cells

GSM – control channels


The next group is the Common Control Channel (CCCH); it consists of
– Random Access Channel (RACH)
– Access Grant Channel (AGCH)
– Paging Channel (PCH)

Third group is the Dedicated/Associated Control Channel
(DCCH)/(ACCH)
– Stand-alone Dedicated Control Channel SDCCH
– Fast/Slow Associated Control Channel FACCH/SACCH

FACCH is used when several pieces of signalling information need to
be transmitted
– Call setup, Handover

GSM – the Um logical layer


Channels are grouped into
– 26-multiframe - payload / voice – summarizes the bursts of
TCHs and associated SACCHs and FACCHs
– 51-multiframe – signaling data – puts together all bursts of
traffic channels without SACCHs and FACCHs

GSM uses certain predefined pattern of channel
combinations:
CC1: TCH/F + FACCH/F + SACCH/TF
CC2: TCH/H (0,1) + FACCH/H(0,1) + SACCH/TH(0,1)
CC3: TCH/H(0) + FACCH/H(0) + SACCH/TH(0)+TCH/H(1)
CC4: FCCH + SCH + BCCH + CCCH
CC5: FCCH + SCH + BCCH + CCCH + SDCCH/4(0,1,2,3) + SACCH/C4(0,1,2,3)
CC6: BCCH + CCCH 
CC7: SDCCH/8 + SA
GSM – frames, multiframes, superframes


Why 26, 51: An active call transmits/receives in 25 frames,
except the last one
– In this last frame, it can monitor the BCCH of this (and
neighbor) cell
– This particular numbering allows to scan all BCCH slots during
a superframe
– Important slots while call is active: frequency correction FCCH
and sync SCH - needed for handover

Why multiframes - they determine how BCCH is constructed, e.g.
which specific information is transmitted on BCCH during a given
multiframe

Superframes are composed of multiframes
– Used as input parameter by encryption algorithm
GSM – network control, SS7

• Backend of mobile networks is the same digital telephony
network as for ISDN (Intelligent Network – IN)
• Thus Signaling System 7 is used
for the network generic and GSM
specific tasks
• MAP (Mobile Application Part)
– Located in presentation layer
(OSI layer 6)
– communication between
different MSCs or MSC and
HLR
GSM – network control, SS7

• DTAP, the Direct Transfer Application Part, is located on the
presentation layer too
– Used to send messages from the MS to MSC directly
• BSSMAP (Base Station Subsystem MAP)
– Found on session layer (OSI layer 5)
– Handles communication between MSC and radio
subsystem
• Additionally SCCP (Signaling Connection and Control Part) on
transport layer, similar to TCP or UDP; instead of port
numbers, SubSystemNumbers (SSN) are used
• TCAP (Transaction Capability Application Part) - session
layer known from last lecture
GSM – call setup

• After defining the lower layers we can deal with the important
part for the subscribers – receiving a call in a mobile phone network
– The called device/user has to be looked up in a given
location area (paging)
– To be able to answer the MS has to request a channel
– It gets assigned a control channel by the BSC immediately if
cell is not congested
GSM – call setup – network originated call

• The MS sends out an acknowledgement (subscriber is present)
• Next steps check the authorization of the subscriber
• If check was passed the system changes into encryption
mode
• The MS signals which kind of service it wishes to use (voice,
data, ...)
• Depending on the preferred service a traffic channel is
assigned
• A “call signal” is produced for the calling party and a ring is
generated on the MS

GSM – call setup – network originated call

• The subscriber accepts the call, ack is sent and connection is
established
• A full rate traffic channel (for voice) is used
• During call setup and operation several control channels are
used: PCH, RACH, AGCH, SDCCH, ...
• Mobile originated calls are mostly similar
– No paging is needed because the MS actively requests a
channel
– A signaling channel is assigned by BSC

GSM – call setup – mobile originated call

– Service request: an SDCCH is required
– Same authorization and encryption procedure has to be done
– Signaling of desired service and assignment of proper
payload channel
– Signaling of “call signal” to the subscriber at the MS
– Call setup if called party answers

GSM – Authentication, Authorisation, Access

• In a public network like GSM the triple-A of authentication,
authorisation, access plays a major role
– The subscriber's ID has to be kept confidential
– The network access has to be granted or denied to the
subscriber
– The integrity and confidentiality of data has to be ensured by
the network
• This is achieved by a more or less sophisticated asymmetric
and symmetric encryption and authentication process
– Temporary and confidential identities and keys are used

GSM – Authentication, Authorisation, Access

• Sequence of authorization and generation of shared keys for
encryption
1. The network sends an authentication request message to MS, conveying a 128-bit random number (RAND).
2. MS uses the RAND, the secret key Ki (stored at SIM), and the encryption algorithm A3, to compute a 32-bit number as a signed response (SRES).
3. MS computes the 64-bit ciphering key Kc using encryption algorithm A8, which will be later used in the ciphering procedure.
4. MS responds with an authentication response message containing SRES.
5. The network uses the same parameters and algorithm to compute another SRES.
6. MS SRES and the network SRES are compared with each other. If they match, the network accepts the user as an authorized subscriber. Otherwise, authentication is rejected.
7. After authentication has been successful, the network transmits a ciphering mode message to MS indicating whether encryption is to be applied.
8. In case ciphering is to be performed, the secret key Kc and encryption algorithm A5 are used for ciphering.
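
The challenge-response sequence above (steps 1 to 6), sketched as an added example that is not part of the original lecture slides. The slides do not define A3 and A8, so HMAC-SHA256 truncated to 32 and 64 bits stands in for them as an assumption; the class names, the IMSI and the Ki value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _prf(ki: bytes, rand: bytes, label: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 is a stand-in; the slides do not define A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()

def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Step 2: 32-bit signed response from RAND and Ki."""
    return _prf(ki, rand, b"A3")[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Step 3: 64-bit ciphering key from RAND and Ki."""
    return _prf(ki, rand, b"A8")[:8]

class Sim:
    """Mobile side: Ki stays on the card, only SRES is returned."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def authenticate(self, rand: bytes) -> bytes:
        if len(rand) != 16:
            raise ValueError("RAND must be 128 bits")
        self.kc = a8_kc(self._ki, rand)
        return a3_sres(self._ki, rand)

class Network:
    """Network side (AUC and MSC roles merged): looks up Ki by IMSI."""
    def __init__(self, ki_by_imsi: dict):
        self._ki_by_imsi = dict(ki_by_imsi)
        self._pending = {}  # IMSI -> (expected SRES, Kc) for the open challenge

    def challenge(self, imsi: str) -> bytes:
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)  # step 1: fresh 128-bit RAND
        self._pending[imsi] = (a3_sres(ki, rand), a8_kc(ki, rand))  # step 5
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Step 6: returns Kc on match, None on mismatch or no open challenge."""
        expected, kc = self._pending.pop(imsi, (None, None))  # one try per RAND
        if expected is not None and hmac.compare_digest(expected, sres):
            return kc
        return None

def run_authentication(network: Network, sim: Sim) -> bool:
    rand = network.challenge(sim.imsi)       # network -> MS: RAND
    sres = sim.authenticate(rand)            # MS -> network: SRES (step 4)
    kc = network.verify(sim.imsi, sres)
    return kc is not None and kc == sim.kc   # both ends now hold the same Kc

if __name__ == "__main__":
    IMSI, KI = "001010123456789", bytes(range(16))  # constructed sample values
    net = Network({IMSI: KI})
    print("correct Ki:", run_authentication(net, Sim(IMSI, KI)))
    print("wrong Ki:  ", run_authentication(net, Sim(IMSI, bytes(16))))
```

Only RAND and SRES cross the radio interface in this exchange; Ki and Kc are derived independently on each side.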
GSM – stream encryption

GSM literature


Some of the pictures are taken from text books or online sources


German text books:
– Jochen Schiller, Mobilkommunikation
– Bernhard Walke, Mobilfunknetze und ihre Protokolle,
Grundlagen GSM, UMTS, ...


http://www.ks.uni-freiburg.de/download/papers/telsemWS05/G2-GSM/HA_GSM2_Mohry_1.pdf

http://www.ks.uni-freiburg.de/download/papers/telsemWS05/GSM-UMTS/ausarbeitungCarkciQiang.pdf
