Department of Computer Science Institute for System Architecture, Chair for Computer Networks

GSM (Global System for Mobile Communications) and Extensions

Mobile Communication and Mobile Computing Prof. Dr. Alexander Schill http://www.rn.inf.tu-dresden.de

GSM: Properties
cellular radio network (2nd Generation) digital transmission, integrated data communication roaming (mobility between different network operators)
good transmission quality (error detection and correction) scalable (large number of participants possible) security mechanisms (authentication, authorization, encryption) good resource use (frequency and time division multiplex) integration with fixed telephone network standard (ETSI, European Telecommunications Standards Institute)

GSM: Structure
Fixed network Switching Subsystems OMC VLR HLR AuC EIR BSC BTS MS MS Radio Subsystems

Data networks

MS

(G)MSC

PSTN

Call Management Network Management BSS

BTS

AuC BSS BSC BTS EIR HLR

Authentication Center Base Station Subsystem Base Station Controller Base Transceiver Station Equipment Identity Register Home Location Register

MS (G)SMC OMC PSTN VLR

Mobile Station (Gateway) Mobile Switching Center Operation and Maintenance Center Public Switched Telephone Network Visitor Location Register
3

GSM: Structure

Operation and Maintenance Center (OMC) logical, central structure with HLR, AuC und EIR Authentication Center (AuC) authentication, storage of symmetrical keys, generation of encryption keys Equipment Identity Register (EIR) storage of device attributes of allowed, faulty and blocked devices (white, gray, black list) Mobile Switching Center (MSC) networking center, partially with gateways to other networks, assigned to one VLR each Base Station Subsystem (BSS): technical radio center Base Station Controller (BSC): control center Base Transceiver Station (BTS): radio tower / antenna
4

GSM: Protocols, incoming call

BSS VLR (8) (7) (6) (11) (10) (8) (9) MSC (12) (8) BSS (4) (3) HLR

(4)
(5)

(2) (1) PSTN/ ISDN

BSS

(8) (9) (12)

BSS

GMSC

(1) Call from fixed network was switched via GMSC (2) GMSC finds out HLR from phone number (3) HLR checks whether participant is authorized for corresponding service and asks for MSRN at the responsible VLR (4) MSRN will be returned to GMSC, can now contact responsible MSC 5

GSM: Protocols, incoming call

BSS VLR (8) (7) (6) (11) (10) (8) (9) MSC (12) (8) BSS (4) (3) HLR

(4)
(5)

(2) (1) PSTN/ ISDN

BSS

(8) (9) (12)

BSS

GMSC

(5) GMSC transmits call to current MSC (6) Ask for the state of the mobile station (7) Information whether end terminal is active (8) Call to all cells of the Location Area (LA) (9) Answer from end terminal (10 - 12) Security check and connection setup

GSM: Protocols, outgoing call

BSS

VLR (4) (3) (5)

HLR

(1)

(1) (2) (3-4) (5)

Connection request (via random access channel, possible collision handling) Transfer by BSS Authorization control Switching of the call request to fixed network
7

BSS

BSS

(2)

MSC

GMSC

Radio structure
1 TDMA-Slot, 144 Bit in 4,615 ms

8 TDMA-channels, together 271 kBit/s including error protection information 124 radio frequency channels (carrier), each 200 kHz

890

downlink

915 MHz
960 MHz

935

uplink

2 frequency bands, each 25 MHz, divided into radio cells

One or several carrier frequencies per BSC Physical channels defined by number and position of time slots
8

GSM: channel structure

Traffic Channel Full-rate codec (13 kbit/s; differential encoding) Half-rate codec: more efficient speech encoding at 7 kbit/s (two phone calls per time slot can be encoded) Paging Channel Signalize incoming calls (BSC to MS) (Broadcast) Control Channel Allocation of identity, frequency order etc. (BSC to MS) Monitoring of BSCs for recognition of handover Random Access Channel Control of channel entry with Aloha-procedure for collision handling between competing participants (MS to BSC)

Databases
Home Location Register (HLR), stores data of participants which are registered in an HLR-area Semi-permanent data:
Call number (Mobile Subscriber International ISDN Number) - MSISDN, e.g. +49/171/333 4444 (country, network, number) Identity (International Mobile Subscriber Identity) - IMSI: MCC = Mobile Country Code (262 for .de) + MNC = Mobile Network Code (01-T-Mobile, 02-Vodafone, 03-eplus, 07-O2) + MSIN = Mobile Subscriber Identification Number Personal data (name, address, mode of payment) Service profile (call transfer, roaming-limits etc.)

Temporary data:
MSRN (Mobile Subscriber Roaming Number) (country, network, MSC) VLR-address, MSC-address Authentication Sets of AuC (RAND (128 Bit), SRES (128 Bit), KC (64Bit)) Billing data
10

Databases
Visitor Location Register (VLR) local database of each MSC with following data: IMSI, MSISDN Service profile Billing and accounting information TMSI (Temporary Mobile Subscriber Identity) pseudonym for data security MSRN LAI (Location Area Identity) MSC-address, HLR-address

11

Location Area: Concept

HLR
MSC-area

VLR
Location area

advantage of the architecture: Location Update in case of limited mobility only at VLR, rarely at (perhaps very remote) HLR

12

Localization with GSM

VLR 10 VLR 9 IMSI LA 2 HLR 1 32311 VLR 9 IMSI

e.g. 0x62F220 01E5

LA 3 LA 2

+49 (0)177-26 32311 participant call number in HLR Internal area Network provider country code
13

LA 5

LA 3

Data transmission
Each GSM-channel configurable as data channel Kinds of channels: non-transparent (repeat of faulty data frames; very low error rate, but also very low throughput below 10 kbit/s) transparent (only very simple forward error correction; slightly higher data rate; error rate 10-3 up to 10-4) in practice, only faster extensions like GPRS, UMTS and LTE are used (explained later) Speech channels have higher priority than data channels
Short-Message-Service (SMS) connectionless transmission (up to 160 Byte) on signaling channel Cell Broadcast (CB) connectionless transmission (up to 80 Byte) on signaling channel to all participants in one cell or location area, e.g. for location based services; further refinement: triangulationbased location check like in global positioning system (GPS)
14

Data transmission - structure

BSC

MSC IWF ISDN

BTS

Modem PSTN

TA

Internet
Modem

IWF - Inter Working Function TA - Terminal Adapter

15

Security aspects: Subscriber Identity Module (SIM)

Chip-card (Smart Cart) to personalize a mobile subscriber (MS): IMSI (International Mobile Subscriber Identity) symmetric key Ki of participant, stored also at AuC algorithm A3 for Challenge-Response-Authentication algorithm A8 for key generation of Kc for content data algorithm A5 for encryption PIN (Personal Identification Number) for access control Temporary data: TMSI (Temporary Mobile Subscriber Identity) pseudonym LAI (Location Area Identification) Encryption key Kc
16

Security aspects: Authentication

MS MSC, VLR, AuC

Ki
A3

128 Bit Authentication Request RAND (128 Bit) Random number generator

Ki
A3 SRES Authentication Response SRES (Signed Response; 32 Bit) =

Location Registration Location Update with VLR-change Call setup (in both directions) SMS (Short Message Service)

17

Security aspects: Session Key

MS

Ki
A8 Authentication Request RAND (128 Bit) 64 Bit or 128 Bit

Network

Random number generator

Kc

Ki
A8

Key generation: Algorithm A8 Stored on SIM and in AuC one way function parameterized with Ki no global standard, can differ between countries can be determined by network operator Interfaces are standardized

Kc

18

Security aspects: Encryption

MS Net Ciphering Mode Command TDMA-framenumber A5 Ciphering Mode Complete Encrypted Text + Plain text block

Kc

TDMA-framenumber A5

Kc

Key block

+ Plain text block 114 Bit

Data encryption with algorithm A5:

stored in the Mobile Station standardized in Europe and world wide enhancement: A5/3 with improved security and 128 Bit key length
19

GSM-Security: assessment
low key length Ki with max. 128 Bit (could be hacked by using Brute Force Attack in less than an hour using a regular computers as documented recently again)
key generation and -administration not controlled by the participants (symmetric: network operator knows all keys) cryptographic methods secret, so they were not well examined (but A5/3 and other enhancements open now) no mutual authentication; attacker can pretend a GSMNet

no end-to-end encryption or end-to-end authentication

20

HSCSD: High Speed Circuit Switched Data

GSM extension for higher data rates
parallel usage of several time slots (TS) of one frequency on Um (air interface) channel bundling with asymmetric transmission (1 TS Uplink / 3 TS or 4 TS Downlink) Data rates up to 4 * 14,4 kbit/s = 57,6 kbit/s (theoretically 8 time slots, but limited bundling in practice)

21

HSCSD: structure
MSC IWF ISDN
BTS

BSC

Modem PSTN

TA

n time slots of each TDMA frame (theoretically max. 8)

Internet
Modem

IWF - Inter Working Function TA - Terminal Adapter

22

HSCSD: changes
n time slots of each TDMA frame (theoretically max. 8)

BTS

BSC

MSC

Um

Abis

multiplex of the time slots on each 64 kBit/s channel

certain changes are necessary at the component several changes of the software/firmware minimal changes of the software/firmware
23

HSCSD radio interface

Required time for setting to transmission mode Required time for setting to receiving mode

MS RECEIVE MS TRANSMIT MS MONITOR

0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4
Required time for signal strength measure and setting to receiving mode

parallel usage of several time slots limited to one frequency, in half-duplex mode due to technical limitations of the end devices Cost factor limits number of used TS to (2+2) or (1+3, uplink, downlink); (1+4) with improved timing
24

Assessment of HSCSD
+ existing network structure and accounting model maintained; only small changes were necessary + HSCSD is still circuit switched + has defined QoS-settings (data rate, delay) one logical channel will be established on all interfaces for the time of the connection (inefficient) badly suited for burst-like traffic (Internet) or Flat Rate billing (Logistics) Only limited international acceptance (Roaming!) also uses more resources on the radio interface problems with handover into a new cell

25

GPRS: General Packet Radio Service

GSM extension based on packet switching service (end-to-end) and channel bundling based on multiple time slots
Data rates up to 171,2 kbit/s (theoretical) in practice however similar to HSCSD Effective and flexible administration of the radio interface; adaptive channel encoding

Internetworking with IP networks standardized

Dynamic sharing of resources with classical GSM speech services

Advantage: Billing and Accounting according to data volume

26

GPRS: Structure
GSM

GPRS Nets other operators

MSC HLR

BSC

BTS
Border Gateway SGSN GGSN

Internet

GGSN

other packet switching networks

GPRS Backbone Frame Relay / ATM

SGSN - Serving GPRS Support Node GGSN - Gateway GPRS Support Node signalization data user data

27

GPRS: Changes
GMSC
public fixed networks

n time slots (TS) per TDMA frame (theoretically max. 8) per packet!

Circuit switched traffic A Abis MSC MAP Gs Gb SGSN Gn MAP

other packet switched networks

BTS

BSC
PCU

HLR/AuC GPRS register

Um

Packet switched traffic

GGSN

Gi

modified network components Existing components

PCU - Packet Control Unit

new components or extensively modified components

28

Tasks: SGSN, GGSN

SGSN: - packet delivery - mobility management - session management
- QoS - Security - Billing

HLR
MAP Signalization (GGSN) MAP Signalization (SGSN)

External Data Domain

BSS PCU BSS PCU BSS PCU

Intranet SGSN GGSN

Internet

Client

SGSN
SGSN, GGSN: - Routing and Signalization - Mapping to PDP (Packet Data Protocol) - Address conversion (IP to GSM) - Resource management

Client

Server

29

Quality of Service
QoS profile agrees service parameters inside the whole network for the duration of PDP (Packet Data Protocol) context (session):
temporary address (IP) for mobile station tunneling information, among others GGSN, which is used for access to corresponding packet switched network type of the connection QoS profile

QoS profile commits:

precedence class, priority against other services (high, normal, low) packet delay class, times valid for traffic inside the GPRS network reliability class peak throughput class mean throughput class

30

Quality of Service: Examples

Packet delay classes
Size: 128 octets Class 1 (predicitive) 2 (predicitive) 3 (predicitive) 4 (best effort) Mean Delay
< 0,5 s <5s < 50 s

Size: 1024 octets Mean Delay

<2s < 15 s < 75 s Best effort

95% Delay
< 1,5 s < 25 s < 250 s

95% Delay
<7s < 75 s < 375 s

Error classes

Probability for Class 1 2 3 Lost packet

10-9 10-4 10-2

Duplicated p.
10-9 10-5 10-5

Out of Sequence p.
10-9 10-5 10-5

Corrupted p.
10-9 10-6 10-2

GPRS data rates

Coding Scheme CS-1 CS-2 CS-3 CS-4

# of timeslots 1 2
9,05 13,4 15,6 21,4 18,1 26,8 31,2 42,8

3
27,15 40,2 46,8 64,2

4
36,2 53,6 62,4 85,6

5
45,25 67 78 107

6
54,3 80,4 93,6 128,4

7
63,35 93,8 109,2 149,8

8
72,4 107,2 124,8 171,2
31

(only CS-1 and CS-2 comprise reasonable error correction and are relevant in practice)

Assessment of GPRS
+ An up to four times higher data rate in comparison to ordinary GSM data services + better resource management through packet switched service + always on data service (email, etc.) + GPRS is a more suitable carrier for the mobile Internet
- IP-derivate, no true service guarantees (QoS) - GPRS does not provide the data rates that advertising has sometimes promised, therefore most operators migrated to UMTS and LTE where possible, e.g. in urban areas

32

Some further readings

ETSI standards (GSM etc.) in general: www.etsi.org GSM, HSCSD, GPRS: good overviews on www.wikipedia.org GPRS tutorial: www.telecomspace.com/datatech-gprs.html SMS tutorial: www.developershome.com/sms/

33