Communication Systems 10th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2006 1 | 49

Communication Systems Last lecture – digital telephony networks Signaling in large scale digital networks Primary Rate Interface to connect large organizations PBX Global call setup and routing with signaling system #7 (which is loosely modelled after OSI stack) Several protocols to handle different services Special protocol QSIG for inter-connecting PBX (in private, corporate telephony networks) Interfaces in the telephony world are the standards equivalent to protocols in the TCP/IP world Major difference: TCP/IP is rather open to everyone and not restricted to an exclusive club of telephony equipment manufacturers and telcos 2 | 49

Communication Systems Last lecture – introduction to mobile telephony networks Introduction to mobile telephony networks from the analogous world to cell based infrastructure to second generation interoperable digital mobile phone networks Standardization process started middle of 80s First deployment in 1991, 92 Fast growth till then – more then 500 million subscribers by 2005 GSM – Global System for Mobile communication is a worldwide standard by now, available everywhere with few exceptions 3 | 49

Communication Systems Plan for this lecture GSM interfaces GSM network components Mobile switching center,visitor location register, home location register, authentication center, mobile stations, SIM, radio subsystem... Radio interface Um Control channels Network control, SS7 Call setup Authentication, Authorisation, Access security issues 4 | 49

Communication Systems Last lecture – first introduction to GSM structure GSM consists of radio, network and operation and maintenance subsystems Radio subsystem is comprised of Mobile Stations (MS, end user equipment), Base Transceiver Stations (BTS, covering a certain Location Area) BTS are handled by Base Station controllers (BSC), which are controlled by MSC: 5 | 49

Communication Systems GSM interfaces and components 6 | 49

Communication Systems GSM interfaces and components Like in the digital telephony network interfaces between the different components are defined Um is the radio interface (m for mobile) between the mobile stations and the base station transceiver, modelled after the user interface in the ISDN world (Uk0 , UG2) Abis is the interface between BTS and BSC A the interface of the BSC to the MSC The network subsystem defines the following interfaces B between MSC and visitor location register (VLR) C between MSC and home location register (HLR) 7 | 49

Communication Systems GSM interfaces and components The several MSC are interconnected via E interfaces, this is the interface to Gateway MSC too F defines the interface to the equipment identifier register (EIR) The different VLR talk to each other (needed when handovers between different MSC occur) via G interface Operation & Maintenance Subsystem (OSS) is the whole systems management layer Network measurement and control functions Monitored and initiated from the OMC (Operation and Maintenance Center) Network Administration 8 | 49

Communication Systems GSM interfaces and components OMC keeps track of configuration, operation, performance management, statistics collection and analysis, network maintenance Commercial operation & charging Accounting & billing Security Management, e.g. Equipment Identity Register (EIR) management 9 | 49

Communication Systems GSM network components Network and radio subsystem are supervised by OMC Many BSCs are controlled by Mobile Switching Center (MSC), which is part of Network subsystem Somewhere in between is the TRAU (Transcoding and Rate adaption Unit) 10 | 49

Communication Systems GSM components – network operation, MSC A provider network has in general many distributed MSCs Thus the MSC is a typical ISDN switching center with additional components for mobility management Many standards and interfaces discussed in last lecture apply here too Controls the access and authorization of mobile subscribers Gets the user data from HLR and copies it to the VLR of all MS in range 11 | 49

Communication Systems GSM components - MSC To convert 13kbit/s (from MS), 16kbit/s (from BSC because of some added inband information) to 64kbit/s ISDN data rate a TRAU is typically included in between MSC and BSC Performs all the switching and routing functions of a fixed network switching node and adds specific mobility-related functions, like Allocation and administration of radio resources Management of mobile users Registration, authentication Manages handover execution and control Does paging (search for MS within the BSCs) 12 | 49

Communication Systems GSM components – visitor location register (VLR) MSC looks up users and communication information in VLR VLR is a temporary database dynamically updated when subscribers enter or leave vicinity of the serving MSC one database per MSC (or per group of MSCs), typically joint MSC- VLR implementation Idea: Avoid heavy MSC-VRL signalling load on network links VLR entries contain the following information: Every user / MSISDN actually staying in the administrative area of the associated MSC Entry created when an MS enters the MSC area (registration) May store data for roaming users (subscribed to different operators) 13 | 49

Communication Systems GSM components – visitor location register (VLR) VLR entries contain the following information: Tracking and routing information Mobile Station Roaming Number (MSRN) Temporary Mobile Station Identity (TMSI) assigned by MSC Location Area Identity (LAI) where MS has registered needed for paging and call setup 14 | 49

Communication Systems GSM components – home location register (HLR) While VLR keeps user data only temporarily, the permanent storage of data takes place in HLR Each mobile provider keeps such a database to store its subscribers information Subscriber and subscription data IMSI, MSISDN Parameters (authorization) for additional services info about user equipment (IMEI) Authentication data Service setup for call deflection, mobile phone box, ... 15 | 49

Communication Systems GSM components – authentication center (AUC) Typically seen as part of OMC Associated to HLR (home location register) Might be integrated with HLR Search key: IMSI Responsible of storing security-relevant subscriber data Subscriber’s secret key Ki (for authentication) Shared encryption key on the radio channel (Kc) Algorithms to compute temporary keys used during authentication process 16 | 49

Communication Systems GSM components – mobile stations (MS) GSM separates user mobility from equipment mobility by defining two distinct components Mobile Equipment (ME) or Mobile Terminal (MT) – it is the cellular telephone itself (mobile phone hardware) It has its own address / identifier: IMEI (International Mobile Equipment Identity) Composed of the technical components for user interaction: keypad, display, speaker and microphon, may contain Interfaces for additional services like fax or data (peripheral connections as Bluetooth, IrDA or serial connections might be available too) 17 | 49

Communication Systems GSM components – mobile stations (MS) Five transmit power classes defined for MS in 900MHz band 20, 8, 5, 2, 0.8 Watt – normally used are 8W for vehicular and 0.8W for portable devices Only two classes for 1800MHz band: 1 and 0.25W Implementations Early devices were single band for GSM900 or DCS1800 or PCS1900 Today mostly so called multiband phones are sold (allow communication in two or all three GSM bands) Newest devices are multimode which could handle both GSM and UMTS (and several data standards like GPRS) 18 | 49

Communication Systems GSM components – mobile stations (SIM) Second component is the Subscriber Identity Module (SIM) SIM keeps the following addresses / identifiers: IMSI (International Mobile Subscriber Identity) – 15-digit composed of Mobile Country Code, Mobile Network Code, Mobile Subscriber Identification Number Is sent (for security reasons only) when entering network or doing location update MSISDN (Mobile Subscriber ISDN number) of 15 digits is the telephone number users call, composed of Country Code (Germany 49, US 1), National Destination Code (Provider prefix without the 0), Subscriber Number 19 | 49

Communication Systems GSM components – mobile stations (SIM) The MSISDN is used for routing in traditional telephony networks (but not for routing in mobile) Translated in MSC to TMSI, unique within a certain Location Area (LA), kept in the VLR TMSI is temporarily stored on SIM Not fixed, regularily changed to avoid outside user tracking Same applies for MSRN (Mobile Station Roaming Number, GSM internally): VCC = contry code of visited mobile network VNDC = location code (place where the user actually is) VMSN = ID of the visited MSC VSN = subscriber ID, assigned by VLR 20 | 49

Communication Systems GSM components – mobile stations (SIM) MSRN is similarily composed to MSISDN, but location dependent SIM itself is piece of hardware, a plug- in-module, a so-called smartcard (or fixed chip within the phone – only on special devices) Usually provided in the ID-000 format, which is about 0,76mm thick plastic with cast-in chip It contains: a CPU, internal bus system connecting RAM and EEPROM and an electrical interface (contact pads on the upper side) 21 | 49

Communication Systems GSM components - radio subsystem (BTS) Radio interface functions (MS <-> BTS) GMSK modulation-demodulation channel coding, encryption/decryption burst formatting, interleaving signal strength measurements interference measurements 22 | 49

Communication Systems GSM components - radio subsystem (BSC) Functions of a BSC One BSC may control up to 40 BTS (kept in database) switch calls from MSC to correct BTS and conversely Protocol and coding conversion for traffic (voice) & signaling (GSM-specific to ISDN-specific) Manage mobility of MS (handover between different BTS) Enforce power control 23 | 49

Communication Systems GSM – the radio interface Um Lets start with the physical layer of the beloved OSI model Um defines the communication of MS with the GSM infrastructure The bandwidth is 270,833kbit/s (bit rate not integer because derived from time slots as explained later) Because of the limited frequency band multiplex access is used 24 | 49

Communication Systems GSM – Um: FDM & TDM Frequency Division Multiplexing two 25MHz bands Uplink (MS to BTS) = 890 – 915MHz. Downlink (BTS to MS) = 935 – 960MHz Each defined channel has a 200kHz bandwidth Duplex spacing: 45MHz Thus 124 bearer frequency pairs possible, suggested to use only 122 to keep additional guard top and bottom In practice, due to power control and shadowing, adjacent channels cannot be used within the same cell… Additionally in each frequency channel Time Division Multiplexing (TDM) is applied 25 | 49

Communication Systems GSM – Um: FDM & TDM 8 periodic time slots - 0,577ms each TDM frame composed of 8 timeslots equals to 4,615ms Every time slot a so called “burst” - succession of 148bit is transmitted Between the bursts a “security buffer” of 8,25bit/burst is put in between 26 | 49

Communication Systems GSM – Um: FDM & TDM Through FDM/TDM hybrid in GSM 992 channels available In DCS1800 more channels: 75MHz band split into 200kHz channels allows a total of 374 carriers Thus 2992 physical channels available in E-GSM 27 | 49

Communication Systems GSM – Um: burst types / dummy burst Five different burst types defined Normal Burst Access Burst Frequency Correction Burst Synchronization Burst Dummy Burst to fill in inactive bursts in Broadcast Control Channel (BCCH, direction from BTS to MS) to have most power on this channel (helpful, when MS needs to find BCCH) 28 | 49

Communication Systems GSM – Um: fequency hopping Not all channels in a given cell are of equal quality and multi path reception / adjacent channels may disrupt communication Thus frequency hopping is introduced avoid frequency-selective fading, co-channel interference 29 | 49

Communication Systems GSM – Um: GMSK modulation Split single bits into odd and even Double the time period of each bit Four cases Bg=Bu=0 use f2 inverted Bg=1,Bu=0 use f1 inv. Bg=0,Bu=1 use f1 Bg=1, Bu=1 use f2 30 | 49

Communication Systems GSM – the Um logical layer The logical layer could be seen as the equivalent of OSI data link layer Here are the logical channels mapped into the physical ones Two distinctions: traffic channels and control channels The traffic channels carry the user data (voice, SMS, fax, ...) Full rate channel: Bm 22,8kbit/s (TCH/F) Half rate channel: Lm 13,4kbit/s (TCH/H) 31 | 49

Communication Systems GSM – control channels Beside the traffic channels are a group of control channels defined They handle system information, connection setup and connection control Broadcast Control Channel (BCCH) group handles beacon signaling, synchronization of MS with the serving BTS, timing advance adjustment, it comprises of BCCH – Broadcast Control Channel FCCH – Frequency Control Channel SCH – Synchronization Channel 32 | 49

Communication Systems GSM – control channels: FCCH, SCH FCCH is responsible for first part of MS tuning (synchronisation of mobile device to BTS signal) MS listens on strongest beacon for a pure sine wave (FCCH), first coarse bit synchronization used for fine tuning of oscillator Immediately after follows a SCH burst SCH: Fine tuning of synchronization (64 bits training sequence) Read burst content for synchronization data 25 bits (+ 10 parity + 4 tail + ½ convolutional coding = 78bits) 6 bits: BSIC, 19 bits: Frame Number (reduced) Finally MS is able to read BCCH information 33 | 49

Communication Systems GSM – control channels: BCCH BCCH is responsible for Sending out of beacon on one frequency per cell (by BTS) Contains 16bit Location Area (LA) code MUST BE on Time Slot #0, following time slots might used by TCH BCCH provides: Details of the control channel configuration Parameters to be used in the cell Random access backoff values Maximum power an MS may access (MS_TXPWR_MAX_CCCH) 34 | 49

Communication Systems GSM – control channels: BCCH BCCH provides: Minimum received power at MS (RXLEV_ACCESS_MIN) Is cell allowed? (CELL_BAR_ACCESS) List of carriers used in the cell Needed if frequency hopping is applied List of BCCH carriers and BSIC of neighboring cells 35 | 49

Communication Systems GSM – control channels Next group Common Control Channel (CCCH) it consists of Random Acces Channel (RACH) Access Grant Channel (AGCH) Paging Channel (PCH) Third group is the Dedicated/Associated Control Channel (DCCH)/ (ACCH) Stand-alone Dedicated Control Channel SDCCH Fast/Slow Associated Control Channel SACCH/FACCH FACCH used when several signalling information needs to be transmitted Call setup, Handover 36 | 49

Communication Systems GSM – the Um logical layer Channels are grouped into 26-multiframe - payload / voice – summarizes the bursts of TCHs and associated SACCHs and FACCHs 51-multiframe – signaling data – puts together all bursts of traffic channels without SACCHs and FACCHs GSM uses certain predefined pattern of channel combinations: CC1: TCH/F + FACCH/F + SACCH/TF CC2: TCH/H (0,1) + FACCH/H(0,1) + SACCH/TH(0,1) CC3: TCH/H(0) + FACCH/H(0) + SACCH/TH(0)+TCH/H(1) CC4: FCCH + SCH + BCCH + CCCH CC5: FCCH + SCH + BCCH + CCCH + SDCCH/4(0,1,2,3) + SACCH/C4 (0,1,2,3) CC6: BCCH + CCCH CC7: SDCCH/8 + SA 37 | 49

Communication Systems GSM – frames, multiframes, superframes Why 26, 51:An active call transmits/receive in 25 frames, except the last one In this last frame, it can monitor the BCCH of this (and neighbor) cell This particular numbering allows to scan all BCCH slots during a superframe Important slots while call is active: frequency correction FCCH and sync SCH - needed for handover Why multiframes - determine how BCCH is constructed, e.g. which specific information transmitted on BCCH during a given multiframe Superframes are composed of multiframes Used as input parameter by encryption algorithm 38 | 49

Communication Systems GSM – network control, SS7 Backend of mobile networks is the same digital telephony network as for ISDN (Intelligent Network – IN) Thus Signaling System 7 is used for the network generic and GSM specific tasks MAP (Mobile Application Part) Located in presentation layer (OSI layer 6) communication between different MSCs or MSC and HLR 39 | 49

Communication Systems GSM – network control, SS7 DTAP the Direct Transfer Application Part is located on the presentation layer too Used to send messages from the MS to MSC directly BSSMAP (Base Station Subsystem MAP Found on session layer (OSI layer 5) Handles communication between MSC and radio subsystem Additionally SCCP (Signaling Connection and Control Part) on transport layer similar to TCP or UDP, instead of port numbers SubSystemNumbers (SSN) are used TCAP (Transaction Capability Application Part) - session layer known from last lecture 40 | 49

Communication Systems GSM – call setup After defining the lower layers we could deal with the important part for the subscribers – receive a call in a mobile phone network The called device/user has to be looked up in a given location area (paging) To be able to answer the MS has to request a channel It gets assigned a control channel by the BSC immediately if cell is not congested 41 | 49

Communication Systems GSM – call setup – network originated call The MS sends out an acknowledgement (subscriber is present) Next steps check the authorization of the subscriber If check was passed the system changes into encryption mode The MS signals which kind of service it wishes to use (voice, data, ...) Depending on the preferred service a traffic channel is assigned A “call signal” is produced for the calling party and a ring is generated on the MS 42 | 49

Communication Systems GSM – call setup – network originated call The subscriber accepts the call, ack is sent and connection is established A full rate traffic channel (for voice) is used During call setup and operation several control channels are used: PCH, RACH, AGCH, SDCCH, ... Mobile originated calls are mostly similar No paging is needed because the MS activily requests a channel A signaling channel is assigned by BSC 43 | 49

Communication Systems GSM – call setup – mobile originated call Service request a SDCCH is required Same authorization and encryption procedure has to be done Signaling of desired service and assignment of proper payload channel Signaling of “call signal” to the subscriber at the MS Call setup if called party answers 44 | 49

Communication Systems GSM – Authentication, Authorisation, Access In a public network like GSM the triple-A of authentication, authorisation, access plays a major role The subscribers ID has to be kept confidential The network access has to be granted or denied to the subscriber The integrity and confidentiality of data has to be ensured by the network This is achieved by a more or less sophisticated asymmetric and symmetric encryption and authentication process Temporary and confidential identities and keys are used 45 | 49

Communication Systems GSM – Authentication, Authorisation, Access 46 | 49

Communication Systems GSM – Authentication, Authorisation, Access Sequence of authorization and generation of shared keys for encryption 1. The network sends an authentication request message to MS, conveying a 128-bit random number (RAND). 2. MS uses the RAND, the secret key Ki (stored at SIM), and the encryption algorithm A3, to compute a 32-bit number as a signed response (SRES). 3. MS computes the 64-bit ciphering key Kc using encryption algorithm A8, which will be later used in the ciphering procedure. 4. MS responses with an authentication response message containing SRES. 5. The netwotk uses same parameters and algorithm to computer another SRES. 6. MS SRES and the network SRES are compared with each other. If mactch, the network accepts the user as an authorized subscriber. Otherwise, authentication is rejected. 7. After authentication has been successful, the network transmits a ciphering mode message to MS indicating whether encryption is to be applied. 8. In case ciphering is to be performed, the secret key Kc and encryption algorithm A5 are used for ciphering. 47 | 49

Communication Systems GSM – stream encryption 48 | 49

Communication Systems GSM literature Some of the pictures are taken from text books or online sources German text books: Jochen Schiller, Mobilkommunikation Bernhard Walke, Mobilfunknetze und ihre Protokolle, Grundlagen GSM, UMTS, ... http://www.ks.uni-freiburg.de/download/papers/telsemWS05/G2- GSM/HA_GSM2_Mohry_1.pdf http://www.ks.uni-freiburg.de/download/papers/telsemWS05/GSM- UMTS/ausarbeitungCarkciQiang.pdf 49 | 49