Lecture 4
Global System for Mobile Communications
(GSM)
Asad Ali
GSM system overview
GSM is a digital wireless network
It provides a common set of compatible services and capabilities
to all mobile users worldwide
The basic requirements of GSM have been described in five
aspects:
Services:
The system will provide service portability, that is, mobile
phones can be used in all participating countries. The system
will offer services that exist in fixed line networks as well as services
specific to mobile communications
Quality of service and Security:
The quality of voice telephony of GSM will be at least as good
as the previous analog systems over the operating range. The
system will be capable of offering information encryption without
significantly affecting costs to users who do not require such
facility.
GSM system overview
Radio frequency utilization:
The system will permit high level of spectrum efficiency and
state-of-the-art user facilities. The system will be capable of
operating in the entire allocated frequency band and co-exist
with the earlier systems using the same frequency.
Network:
The identification and numbering plans will be based on relevant
ITU recommendations.
Cost:
System parameters will be chosen with a view to limiting the
cost of the complete system in particular the Mobile Stations.
The figure in the next slide illustrates the GSM architecture.
GSM architecture
(Figure: GSM architecture, not reproduced)
GSM architecture (2)
MS Mobile Station
Base Station Subsystem (BSS)
BTS: Base Transceiver station
BSC: Base Station Controller
Network and Switching Subsystem (NSS)
MSC: Mobile Switching center
Registers: HLR (Home Location Register), VLR (Visitor
Location Register), AuC (Authentication center), EIR
(Equipment Identity Register)
GMSC: Gateway Services Switching Center
GSM Frequencies
GSM-900
Uplink: 890 – 915 MHz (25 MHz)
Downlink: 935 – 960 MHz (25 MHz)
Uplink - Downlink distance: 45 MHz
FDMA
Channels are 200 kHz wide
Use 124 pairs of channels
TDMA
8 timeslots (connections) on each channel
Theoretical 124*8 = 992 channels to use
Mobile Station (MS)
The MS consists of two parts:
Subscriber Identity Module (SIM) and the Mobile
Equipment (ME)
The SIM is protected by the Personal Identity Number
(PIN) which is usually 4 digits in length
To use the MS, the user is asked to enter the PIN
If the number is not correctly entered in 3 attempts, the
SIM is blocked and the MS cannot be used
To unblock the SIM, the user is asked to enter the eight
digit PIN unblocking key (PUK)
Mobile Station (MS)
A SIM card is a small memory device which contains user
specific information
It can be taken out from one mobile and inserted into
another
In a GSM network, the SIM card identifies the user – just
like a traveler uses a passport to identify himself
It also provides storage for messages and for phone
numbers
A home operator issues a SIM card when the user joins
the network by making a service subscription
It also contains tools for authentication purposes.
The Base Station Subsystem (BSS)
The BSS connects the MS and the Network and Switching
Subsystem (NSS)
It consists of two parts:
Base Transceiver Station (BTS)
Base Station Controller (BSC)
The BTS contains transmitter, receiver and signaling
equipment related to the air interface in order to contact
the MS
The BSC is responsible for switching functions in the BSS
and is in turn connected to a Mobile Switching Center
(MSC) in the NSS
The BSS also supports channel allocation/ release and
handover management.
Network and Switching Subsystem (NSS)
The NSS contains the MSC, HLR, VLR, AuC and EIR.
It supports switching functions, user profiles and mobility
management.
Basic switching functions in the NSS are performed by the
MSC
User information relevant to the provisioning of services is
kept in the HLR
When an MS moves from its current location to a visited
location, its location is registered at the VLR of that
system. The VLR then informs the HLR of its current
location
The Authentication Center (AuC) is used in security data
management for the authentication of users. The AuC
may be co-located with the HLR.
Network and Switching Subsystem (NSS)
The Equipment Identity Register (EIR) is a database
which stores all device identifications registered for a
network
As MSs are mobile, they can easily be stolen. With a
valid SIM, anyone could use the stolen MS
The EIR has a blacklist of stolen devices.
The MSC is involved in the interworking functions to
communicate with other networks such as the PSTN
through the GMSC.
Mobile Switching Center (MSC)
Responsible for controlling calls within the network
An MSC acting as a bridge between a mobile network and other
fixed networks is known as Gateway MSC (GMSC)
The MSC is responsible for several important tasks
Call control: The MSC identifies the type of the call, its origin
and destination. It also sets up, supervises and clears
connections.
Initiation of Paging: Paging is the process of locating a mobile in
case of a mobile terminated call (MTC) (a call to a mobile
station).
Charging: Collects charging information about the call, such as
the numbers of the calling and called subscribers, the time and
type of transaction etc., and transfers it to the Billing Center.
Home Location Register (HLR)
The HLR is the most important database in a GSM network.
It stores all user relevant information
This comprises the International Mobile Subscriber Identity
(IMSI), the Mobile Subscriber ISDN number (MSISDN) and user data
(e.g. supplementary services).
It also stores dynamic information such as the current location
area (LA) of the MS, the Mobile Subscriber Roaming Number
(MSRN), current VLR and MSC
As soon as the MS leaves its current LA, the information in the
HLR is updated. This information is necessary to localize a user
in the worldwide GSM network.
HLRs can manage data for several million users and contain
highly specialized databases.
What are IMSI, TMSI, MSISDN, MSRN, IMEI etc.?
IMSI: International Mobile Subscriber Identity
GSM uses the IMSI for internal unique identification of a
subscriber
IMSI consists of a mobile country code (MCC), the mobile
network code (MNC), i.e. the code of the network provider and
finally the mobile subscriber identification number (MSIN)
TMSI: Temporary mobile subscriber identity
The TMSI is assigned to an MS by the VLR. The TMSI uniquely
identifies an MS within an area controlled by the given VLR.
MSRN: Mobile Station Roaming Number
Another temporary address that hides the identity and location
of a subscriber is the MSRN.
The VLR generates this address on the request of the MSC and
it is also stored in the HLR.
The MSRN contains the current visitor country code (VCC), the
visitor national destination code (VNDC) and the identification of the
current MSC, together with the subscriber number.
The MSRN helps the HLR to find a subscriber for an incoming
call.
MSISDN: Mobile subscriber ISDN number
The mobile number that a user is allocated.
IMEI: International Mobile Equipment Identity
The IMEI uniquely identifies the MS equipment. It is assigned by
the equipment manufacturer. The IMEI contains 15 digits and
carries
Type Approval code (TAC): 6 digits
Final Assembly Code (FAC): 2 digits
Serial Number (SN): 6 digits
A Spare (SP): 1 digit
Visitor Location Register (VLR)
A VLR is integrated with an MSC
It’s a dynamic database which contains information about
subscribers currently being in the service area of an
MSC/VLR, such as:
Identification numbers of subscribers
Security information for authentication of the SIM card
Services that the subscriber can use
The VLR carries out location registration and updates. It
means that when a mobile station comes to a new
MSC/VLR serving area, it must register itself with the VLR,
in other words, perform a location update.
It’s a temporary database and holds the information as long
as the MS is in its serving area.
Authentication Center (AuC)
Provides security information to the network so that we
can verify the SIM card (authentication between the MS
and the VLR)
Supports the VLR work
Equipment Identity Register (EIR)
The EIR is also used for security reasons.
It is responsible for the IMEI checking (checking the
validity of the mobile equipment)
The EIR contains three lists:
A mobile equipment in the white list is allowed to operate
normally
If we suspect that the mobile equipment is faulty, we can
monitor the use of it. It is then placed in the grey list
If the mobile equipment is reported stolen, or it is
otherwise not allowed to operate in the network, it is
placed in the black list.
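The identifier layouts above (IMSI as MCC/MNC/MSIN, IMEI as TAC/FAC/SN/spare) and the three EIR lists lend themselves to a small parser and lookup. The following is an added example, not code from the lecture; sample identities are constructed, and it assumes two things the slides do not state: an IMSI has a 3-digit MCC and at most 15 digits, and the IMEI's spare digit serves as a Luhn check digit (which is how it is used in practice). The white list is modelled as approved equipment types (TACs) and the grey and black lists as individual IMEIs, also an assumption.

```python
# Added example, not from the lecture slides: parsing IMSI / IMEI layouts and
# applying the EIR white / grey / black lists. Sample identities are constructed.
# Assumptions beyond the slides: 3-digit MCC, IMSI of at most 15 digits, and
# the IMEI spare digit used as a Luhn check digit.
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class IMSI:
    mcc: str   # mobile country code
    mnc: str   # mobile network code (network provider)
    msin: str  # mobile subscriber identification number


def parse_imsi(digits: str, mnc_length: int = 2) -> IMSI:
    """Split an IMSI into MCC/MNC/MSIN. The MNC is 2 or 3 digits depending on
    the country, so the caller states which applies."""
    if not digits.isdigit() or not 6 <= len(digits) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return IMSI(digits[:3], digits[3:3 + mnc_length], digits[3 + mnc_length:])


@dataclass(frozen=True)
class IMEI:
    tac: str   # Type Approval Code, 6 digits
    fac: str   # Final Assembly Code, 2 digits
    sn: str    # serial number, 6 digits
    sp: str    # spare digit (assumed to be the Luhn check digit)


def luhn_check_digit(body: str) -> str:
    """Luhn check digit over the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(digits: str) -> IMEI:
    """Validate and split a 15-digit IMEI into the 6/2/6/1 layout from the
    slides. A wrong check digit is rejected before any EIR lookup, so mistyped
    or malformed reports never reach the lists."""
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMEI must be exactly 15 decimal digits")
    if luhn_check_digit(digits[:14]) != digits[14]:
        raise ValueError("IMEI check digit mismatch")
    return IMEI(digits[:6], digits[6:8], digits[8:14], digits[14])


class EirResult(Enum):
    WHITE = "allowed"
    GREY = "allowed, usage monitored"
    BLACK = "barred"
    UNKNOWN = "not type-approved"


class EIR:
    """Equipment Identity Register holding the three lists from the slides."""

    def __init__(self, white_tacs, grey_imeis=(), black_imeis=()):
        self.white_tacs = set(white_tacs)     # approved equipment types
        self.grey_imeis = set(grey_imeis)     # suspect equipment, monitored
        self.black_imeis = set(black_imeis)   # stolen / barred equipment

    def check(self, imei_digits: str) -> EirResult:
        imei = parse_imei(imei_digits)        # malformed IMEI raises here
        if imei_digits in self.black_imeis:   # the black list wins over the others
            return EirResult.BLACK
        if imei_digits in self.grey_imeis:
            return EirResult.GREY
        if imei.tac in self.white_tacs:
            return EirResult.WHITE
        return EirResult.UNKNOWN

    def report_stolen(self, imei_digits: str) -> None:
        parse_imei(imei_digits)               # validate before listing
        self.grey_imeis.discard(imei_digits)
        self.black_imeis.add(imei_digits)
```

The IMEI `490154203237518` used in the checks is a sample value whose check digit is valid; changing its last digit makes `parse_imei` raise, which is the behaviour the EIR relies on so that only well-formed identities are ever compared against the lists.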
Radio Interface
The available frequency band is divided into two sub-bands:
UPLINK and DOWNLINK
Radio Interface
FDM is used to separate both the uplink and downlink as
shown below.
Radio Interface
This gives 124 pairs, i.e. 248 channels.
Each of the 248 channels is additionally separated in
time via a GSM TDMA frame, i.e. each 200 kHz carrier
is subdivided into frames that are repeated
continuously.
The duration of the frame is 4.615 ms
A TDMA frame is again divided into 8 GSM timeslots
where each slot represents a physical TDM channel
and lasts for 577 microseconds
Each TDM channel occupies the 200 kHz for 577
microseconds every 4.615 ms.
Radio Interface
Data is transmitted in small portions called bursts
The figure in the next slide shows the so-called
normal burst as used in data transmission inside a
time slot.
In the diagram, the burst is only 546.5 microseconds
long and contains 148 bits
The remaining 30.5 microseconds are used as guard
space to avoid overlapping with other bursts
Filling the whole slot with data allows for the
transmission of 156.25 bits within 577 microseconds
Radio Interface
(Figure: the GSM normal burst, not reproduced)
Radio Interface
The tail bits (T) are a group of 3 bits set to zero and placed
at the beginning and the end of a burst. They cover the
periods of ramping up and down of the mobile's power.
The user data bits correspond to two groups of 57 bits
each, containing signaling or user data.
The stealing flags (S) indicate, to the receiver, whether the
data bits are data or signaling traffic.
The training sequence has a length of 26 bits. It
synchronizes the receiver, thus masking out multi-path
propagation effects.
The guard period (GP), with a length of 8.25 bits, is used to
avoid a possible overlap of two mobiles during the ramping
time
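The carrier, frame and burst figures quoted across these Radio Interface slides (200 kHz carriers, 124 pairs, 45 MHz duplex distance, 8 slots per 4.615 ms frame, 156.25 bits per slot, 148-bit normal burst plus 8.25-bit guard period) can be checked against each other in code. The block below is an added example, not code from the lecture. It assumes the standard GSM-900 ARFCN numbering (ARFCN n, 1 to 124, at 890 + 0.2 n MHz on the uplink), which the slides do not state; everything else follows the numbers above. It also goes slightly beyond the slides by validating bursts, which is what a receiver or a protocol test tool has to do.

```python
# Added example, not from the lecture slides: GSM-900 carrier arithmetic and the
# normal-burst layout, checked against the figures the slides quote.
# Assumption beyond the slides: ARFCN n (1..124) sits at 890 + 0.2*n MHz uplink.
UPLINK_BASE_MHZ = 890.0       # uplink band starts at 890 MHz
CHANNEL_SPACING_MHZ = 0.2     # 200 kHz carriers
DUPLEX_SPACING_MHZ = 45.0     # uplink / downlink distance
NUM_CARRIERS = 124            # 124 channel pairs
SLOTS_PER_FRAME = 8
FRAME_MS = 4.615              # TDMA frame duration
BITS_PER_SLOT = 156.25        # bit periods in one 577 us slot


def arfcn_to_frequencies(arfcn: int) -> tuple:
    """(uplink MHz, downlink MHz) for a GSM-900 ARFCN; out-of-band numbers are rejected."""
    if not 1 <= arfcn <= NUM_CARRIERS:
        raise ValueError(f"GSM-900 ARFCN must be 1..{NUM_CARRIERS}, got {arfcn}")
    uplink = UPLINK_BASE_MHZ + CHANNEL_SPACING_MHZ * arfcn
    return round(uplink, 1), round(uplink + DUPLEX_SPACING_MHZ, 1)


def physical_channel_count() -> int:
    """Carriers times time slots: the theoretical 992 physical channels."""
    return NUM_CARRIERS * SLOTS_PER_FRAME


def slot_timing_us() -> tuple:
    """Slot duration and bit period implied by the frame duration."""
    slot_us = FRAME_MS * 1000.0 / SLOTS_PER_FRAME   # ~576.9 us; the slides round to 577
    return slot_us, slot_us / BITS_PER_SLOT          # ~3.69 us per bit


# Normal burst fields in transmission order with their widths in bits.
NORMAL_BURST_FIELDS = (("tail1", 3), ("data1", 57), ("steal1", 1),
                       ("training", 26), ("steal2", 1), ("data2", 57), ("tail2", 3))
GUARD_BITS = 8.25


def burst_bits() -> float:
    """Burst bits plus guard period; must equal the 156.25 bits per slot."""
    return sum(width for _, width in NORMAL_BURST_FIELDS) + GUARD_BITS


def build_normal_burst(data1: str, data2: str, training: str,
                       stolen: bool = False) -> str:
    """Assemble the 148-bit burst from bit strings. Tail bits are forced to zero;
    the stealing flags are set when the FACCH takes the slot from the TCH."""
    flag = "1" if stolen else "0"
    pieces = {"tail1": "000", "data1": data1, "steal1": flag, "training": training,
              "steal2": flag, "data2": data2, "tail2": "000"}
    out = []
    for name, width in NORMAL_BURST_FIELDS:
        bits = pieces[name]
        if len(bits) != width or set(bits) - {"0", "1"}:
            raise ValueError(f"{name} must be {width} bits of 0/1")
        out.append(bits)
    return "".join(out)


def parse_normal_burst(burst: str) -> dict:
    """Split a received burst back into its fields, rejecting malformed input."""
    if len(burst) != 148 or set(burst) - {"0", "1"}:
        raise ValueError("a normal burst is exactly 148 bits of 0/1")
    fields, pos = {}, 0
    for name, width in NORMAL_BURST_FIELDS:
        fields[name] = burst[pos:pos + width]
        pos += width
    if fields["tail1"] != "000" or fields["tail2"] != "000":
        raise ValueError("tail bits must be zero")
    return fields
```

The field widths sum to 148 bits, and adding the 8.25-bit guard period gives the 156.25 bit periods per slot, which is the consistency check the slides invite; the derived bit period of about 3.69 µs is what makes the 148 data bits fit in roughly 546.5 µs.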
Logical Channels and Frame Hierarchy
The air interface has two sorts of channels, i.e. physical
channels and logical channels
One channel is the highway that carries the signal traffic
The other is the traffic that flows along the highway
Which is the physical and logical channel in the next
figure.
Physical channel?
Logical channel?
Logical Channels and Frame Hierarchy
(Figure: physical channel versus logical channel, not reproduced)
Logical Channels and Frame Hierarchy
Physical channel is the medium along which the
information is carried
For terrestrial interfaces, this is usually cable
For the air interface, these are radio waves
Logical channels comprise the information that is
carried along the physical channel, that is, the traffic
itself
Logical Channels and Frame Hierarchy
A single GSM Absolute Radio Frequency Channel
Number (ARFCN) can support up to 8 mobile users at the
same time
Logical Channels and Frame Hierarchy
Each of the 8 consecutive physical channels (time slots) occupies the
ARFCN for exactly one eighth of the time
The 8 time slot sequence is called a TDMA frame
Signals are carried in bursts from the MS to the BTS using
one time slot per TDMA frame (shown in the next slide)
Subsequent data bursts occupy the same time slots
across successive TDMA frames
Each time slot is a physical channel carrying a varying
number of logical channels from the MS to the BTS
Each user occupies the same physical channel until it
terminates the call or is handed over to another cell.
Logical Channels and Frame Hierarchy
(Figure: TDMA frame and time slots, not reproduced)
Logical Channels and Frame Hierarchy
Now we look into more detail on GSM logical channels
GSM logical channels consist of Traffic Channels (TCH)
and Control Channels (CCH)
GSM uses TCH to transmit user data
Two basic categories of TCHs have been defined, i.e. full-rate TCH (TCH/F) and half-rate TCH (TCH/H)
TCH/F is 22.8 kbps
TCH/H is 11.4 kbps
For data transmission, rates of 9.6, 4.8 and 2.4 kbps can
be used.
GSM Logical Channels
There are two types of CCH associated with the TCH
Slow Associated Control Channel (SACCH)
Fast Associated Control Channel (FACCH)
SACCH: A GSM control channel used by the MS for reporting
signal strengths and quality measurements
FACCH: Carries control information as shall be seen later
Control channels in GSM are used to control medium access,
allocation of traffic channels or mobility management and fall
into three categories
Broadcast Control Channels (BCCH)
Common Control Channels (CCCH)
Dedicated Control Channels (DCCH)
GSM Control Channels
Broadcast Control Channels (BCCH)
A BTS uses this channel to signal information to all MSs within a
cell
Information transmitted in this channel is, for example,
frequencies available inside the cell and in neighboring cells.
The BTS sends information regarding frequency via the
frequency control channels (FCCH) and information about time
synchronization via the synchronization channel (SCH) where
both channels are sub-channels of the BCCH
Downlink only
Carries information about the network, mobile’s present call and
the surrounding cells
The synchronizing channels carry frame synchronization
information
The Frequency control channels (FCCH) carries information
regarding frequency synchronization
Broadcast Control Channels (BCCH)
Common Control Channels (CCCH)
Bi-directional
All information regarding the connection setup between the MS
and the BTS is exchanged via the CCCH
For a call towards an MS, the BTS uses the paging channel (PCH) to
page the appropriate MS (downlink)
If an MS wants to set up a call, it uses the RACH to send data to the
BTS (uplink), i.e. to gain access to the system
The BTS uses access grant channel (AGCH) to signal an MS
that it can use a TCH or SDCCH for further connection setup
(downlink)
PCH and AGCH are downlink but are never used at the same
time
Cell broadcast channel is used to transmit information such as
traffic information to all MSs
Types of CCCHs
(Figure: types of CCCHs, not reproduced)
Dedicated Control Channels (DCCHs)
Supported in GSM for dedicated use by a specific MS
It consists of
Standalone dedicated control channel (SDCCH)
Slow associated control channel (SACCH)
Fast associated control channel (FACCH)
SDCCH: As long as an MS has not established a TCH with the
BTS, it uses the SDCCH for signaling
SACCH: Each TCH and SDCCH has a SACCH associated with
it which is used to exchange system information, such as the
channel quality and signal power level.
FACCH: If more signaling information is needed to be
transmitted and a TCH already exists, GSM uses the FACCH.
The FACCH uses timeslots which are otherwise used by the
TCH. This is necessary in case of handovers, where the BTS and
MS have to exchange data.
Types of Control Channels
(Figure: types of control channels, not reproduced)
GSM call origination (radio aspect)
(Figure: message sequence between the MS and the BSS, not reproduced; the messages in order are:)
RACH (request signaling channel)
AGCH (assign signaling channel)
SDCCH (request call setup)
SDCCH message exchanges for call setup
SDCCH (assign TCH)
FACCH (complete assignment)
GSM call origination (radio aspect)
To initiate a call setup, the MS sends a signaling channel
request to the network through RACH
The BSC informs the MS of the allocated signaling
channel (SDCCH) through AGCH
The MS then sends the call origination request via
SDCCH
The MSC instructs the BSC to allocate a TCH for this call
Then the MS acknowledges the traffic channel assignment
through FACCH
Finally, both the MS and the BTS tune to the TCH
Location Tracking and Call Setup
The current location of an MS is maintained by a two-level
hierarchical strategy with the HLR and the VLRs
When an MS visits a new location, it must register in the
VLR of the visited location
The HLR must also be updated about this registration.
To access the MS, the HLR is queried to find the current
VLR of the MS
The registration process of the MS moving from one VLR
to another VLR is described in the following steps.
The MS registration process
(Figure: MS registration message flow, not reproduced)
Step 1: The MS periodically listens to the BCCH broadcast
from the BSS. If the MS detects that it has entered a new
location area, it sends a registration message to the new
VLR by using the SDCCH channel
Step 2: The new VLR communicates with the old VLR to
get information about the MS. The new VLR then
performs the authentication process to be described later
Step 3: After the MS is authenticated, the new VLR sends
a registration message to the HLR. If the registration
request is accepted, the HLR provides the new VLR with
all relevant user information for call handling.
The MS registration process
Step 4: The new VLR informs the MS of the successful
registration
Step 5: After step 3, the HLR sends a deregistration
(cancellation) message to the old VLR. The old VLR
cancels the record for the MS and sends an
acknowledgement to the HLR for the cancellation.
Localization
The HLR always contains information about the current location
and the VLR currently responsible for the MS informs the HLR
about location changes
As soon as the MS moves into a location area of a new VLR,
the HLR sends all user data to the new VLR
Changing VLRs with uninterrupted availability of all services is
also called roaming.
Roaming can take place within the network of one provider,
between two providers in one country, but also between
different providers in different countries (international roaming).
Typically people associate the word ‘roaming’ with international
roaming as it is this type of roaming that makes GSM very
attractive: one device over 190 countries!
Localization
To locate an MS and to address the MS, several numbers
are needed:
MSISDN: The only important number for a GSM user is
the phone number. The phone number is not associated
with a certain device but with the SIM, which is
personalized for a user. The MSISDN follows the ITU-T
standard E.164 for addresses as it is also used for fixed
networks. This number consists of the country code,
national destination code (NDC) (i.e. address of the
network provider), and the subscriber number (SN).
Localization
IMSI: GSM uses the IMSI for internal unique identification
of the user. IMSI consists of a mobile country code (MCC),
the mobile network code (MNC), and finally the mobile
subscriber identification number (MSIN).
TMSI: To hide the IMSI, which would give away the exact
identity of the user over the air interface, GSM uses the 4
bit TMSI for local user identification. TMSI is selected by
the current VLR and is only valid temporarily and within
the location area of the VLR.
Localization
MSRN: Another temporary address that hides the identity
and location of the user is the MSRN. The VLR generates
this address on request from the MSC and the address is
also stored in the HLR. MSRN contains the Visitor Country
Code (VCC), the visitor national destination code (VNDC),
the identification of the current MSC together with the user
number.
All these numbers are needed to find a subscriber and
maintain a connection with the MS.
Mobile Originated Call (MOC)
Step 1: The MS transmits a request for a new connection
Step 2: The BSS forwards this request to the MSC
Step 3 and 4: The MSC then checks if this user is allowed
to setup a call with the requested service and checks the
availability of resources through the GSM network and into
the PSTN
If all resources are available, the MSC sets up a
connection between the MS and the fixed network.
This is illustrated in the next slide.
Illustration of MOC
(Figure: mobile originated call, not reproduced)
Mobile Terminated Call (MTC)
Step 1: The user dials the phone number of a GSM
subscriber
Step 2: The fixed network (PSTN) notices (looking at the
dialed number) that the number belongs to a user in the
GSM network and forwards the call to the GMSC
Step 3: The GMSC signals the call setup to the HLR
Step 4: The HLR now checks whether the number exists
and whether the user has subscribed to the requested
service and requests an MSRN from the current VLR
Step 5: The HLR receives an MSRN
Step 6: The HLR can determine the MSC responsible for
the MS and forwards this information to the GMSC
Mobile Terminated Call (MTC)
Step 7: The GMSC now forwards the call setup request to the
MSC indicated.
From this point onwards, the MSC is responsible for all further
steps.
Step 8: The MSC requests the current status of the MS from the VLR
Step 9 and 10: If the MS is available, the MSC initiates paging in
all cells it is responsible for (i.e. location area)
Step 11: The BTSs of all the BSSs transmit this paging signal to
the MS
Step 12, 13 and 14: If the MS answers, the VLR has to perform
security checks
Step 15 to 17: The VLR then signals to the MSC to setup a
connection to the MS
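The five registration steps above and the MSRN lookup in steps 3 to 6 of the mobile terminated call both rest on the same two-level HLR/VLR hierarchy, so one model serves both. The following is an added example, not code from the lecture: a toy HLR and two MSC/VLR areas in which a subscriber registers, moves, and is then looked up for an incoming call. All identities, the MSRN format (VCC + VNDC + MSC id + a sequence number, following the description of the MSRN above) and the 32-bit TMSI are constructed, and the authentication step is a stand-in that only checks the IMSI is known to the home network; the real RAND/SRES exchange is covered in the Security slides.

```python
# Added example, not from the lecture slides: toy HLR/VLR model covering the
# five registration steps and the MSRN lookup of a mobile-terminated call.
# Identities, MSRN format and TMSI size are constructed; authentication is a
# stand-in that only checks the IMSI is known to the home network.
import secrets
from typing import Callable, Optional


class HLR:
    """Home Location Register: permanent subscriber profiles plus the VLR
    currently responsible for each subscriber."""

    def __init__(self, subscribers: dict):
        self.subscribers = {imsi: dict(p) for imsi, p in subscribers.items()}
        self.location: dict = {}                       # IMSI -> current VLR

    def register(self, imsi: str, new_vlr: "VLR") -> Optional[dict]:
        """Step 3: a VLR reports a registration; the profile is returned if the
        request is accepted. Step 5: the previous VLR is told to cancel."""
        if imsi not in self.subscribers:
            return None
        old_vlr = self.location.get(imsi)
        self.location[imsi] = new_vlr
        if old_vlr is not None and old_vlr is not new_vlr:
            old_vlr.cancel(imsi)                       # old VLR acknowledges
        return dict(self.subscribers[imsi])

    def route_mtc(self, msisdn: str) -> Optional[tuple]:
        """MTC steps 3 to 6: the GMSC asks where the dialled MSISDN is; the HLR
        obtains an MSRN from the current VLR and returns (MSRN, serving MSC)."""
        imsi = next((i for i, p in self.subscribers.items()
                     if p["msisdn"] == msisdn), None)
        if imsi is None or imsi not in self.location:
            return None                                # unknown or not attached
        vlr = self.location[imsi]
        return vlr.allocate_msrn(imsi), vlr.msc_name


class VLR:
    """Visitor Location Register integrated with one MSC."""

    def __init__(self, msc_name: str, hlr: HLR, vcc: str, vndc: str,
                 authenticate: Callable[[str], bool]):
        self.msc_name, self.hlr = msc_name, hlr
        self.vcc, self.vndc = vcc, vndc                # MSRN prefix parts
        self.authenticate = authenticate               # stands in for RAND/SRES
        self.records: dict = {}                        # IMSI -> {tmsi, profile, ...}
        self.msrns: dict = {}                          # MSRN -> IMSI
        self._msrn_seq = 0

    def location_update(self, imsi: str, old_vlr: Optional["VLR"]) -> Optional[str]:
        """Steps 1 to 4 as seen by the new VLR; returns the TMSI handed to the
        MS, or None if the registration is refused."""
        # Step 2: fetch what the old VLR knows, then authenticate the MS.
        previous = old_vlr.records.get(imsi) if old_vlr is not None else None
        if not self.authenticate(imsi):
            return None
        # Step 3: register with the HLR, which returns the user profile.
        profile = self.hlr.register(imsi, self)
        if profile is None:
            return None
        # Step 4: assign a fresh local temporary identity (32 bits here) so the
        # IMSI need not be sent over the air again, and confirm to the MS.
        tmsi = secrets.token_hex(4)
        self.records[imsi] = {"tmsi": tmsi, "profile": profile,
                              "previous_tmsi": previous["tmsi"] if previous else None}
        return tmsi

    def cancel(self, imsi: str) -> bool:
        """Step 5: deregistration ordered by the HLR; True acknowledges it."""
        self.records.pop(imsi, None)
        return True

    def allocate_msrn(self, imsi: str) -> str:
        """Temporary routing number: VCC + VNDC + MSC id + a per-VLR sequence."""
        if imsi not in self.records:
            raise KeyError(f"{imsi} is not registered at MSC {self.msc_name}")
        self._msrn_seq += 1
        msrn = f"{self.vcc}{self.vndc}{self.msc_name}{self._msrn_seq:04d}"
        self.msrns[msrn] = imsi
        return msrn


def build_sample_network() -> tuple:
    """Constructed sample: one home network, two MSC/VLR areas, one subscriber."""
    hlr = HLR({"262011234567890": {"msisdn": "491701234567", "services": ["speech"]}})

    def known_to_home_network(imsi: str) -> bool:     # stand-in authentication
        return imsi in hlr.subscribers

    vlr_a = VLR("01", hlr, "49", "170", known_to_home_network)
    vlr_b = VLR("02", hlr, "49", "170", known_to_home_network)
    return hlr, vlr_a, vlr_b
```

Moving the subscriber from `vlr_a` to `vlr_b` leaves exactly one VLR record and updates the HLR pointer, so a later `route_mtc` call obtains its MSRN from the new MSC; an IMSI the home network does not know is refused at step 2 and never reaches the HLR.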
Illustration of Mobile Terminated Call (MTC)
(Figure: mobile terminated call, steps 1 to 17, not reproduced)
Handover Scenarios
There are two basic reasons for a handover:
The MS moves out of the range of the BTS, or of a certain
antenna of a BTS respectively. The received signal
strength decreases continuously until it falls below the
minimal requirements for communication.
The wired infrastructure (BSC, MSC) may decide that the
traffic in one cell is too high and move some MSs to other cells
with a lower load (if possible). A handover may thus be due to
load balancing.
Handover Scenarios
There are four possible handover scenarios in GSM
Intra-cell handover: Within a cell, interference could make
transmission at a certain frequency band impossible. The
BSC could then decide to change the carrier frequency
Inter-cell, intra-BSC handover: This is a typical handover
scenario. The MS moves from one cell to another, but
stays within the control of the same BSC. The BSC then
performs a handover, assigns a new radio channel in the
new cell and releases the old one
Handover Scenarios
Inter-BSC, intra-MSC handover: As a BSC only controls a
limited number of cells, GSM also has to perform
handovers between cells controlled by different BSCs.
This has to be then controlled by the MSC.
Inter-MSC handover: A handover could be required
between two cells belonging to different MSCs. Now both
MSCs perform the handover together.
Security in GSM
GSM security is addressed in two aspects:
Authentication and
Encryption
Authentication avoids fraudulent access and
Encryption avoids unauthorized listening
Authentication
Authentication is achieved by using a secret key, Ki
This value is stored in the SIM as well as the AuC and is
unknown to the subscriber
Authentication is based on the SIM which stores the
individual key, user identification IMSI and the A3
algorithm.
It uses a challenge-response method
The home system of the MS generates the 128 bit random
number (RAND). This number is sent to the MS
The SIM within the MS responds with a signed response
(SRES)
Authentication
The SRES generated by the MS is sent back to the home
system and compared with the SRES generated by the
AuC.
If they are not identical, access request is rejected.
If the SRES and RAND generated by the AuC are sent
from the HLR to the visited VLR in advance, then SRES
comparison is done at the VLR.
The AuC generates the numbers for each IMSI and
forwards this information to the HLR
Authentication
For authentication, the VLR sends this RAND value to the
SIM
Both sides perform the same function with the RAND and
Ki, called the A3 algorithm
The MS sends back the SRES generated by the SIM
Visited VLR compares both values
If they are the same, the MS is accepted otherwise
rejected.
The process of Authentication is illustrated in the next
slide.
Authentication
(Figure: GSM authentication, not reproduced)
Encryption
To ensure privacy, all messages containing user-related
information are encrypted over the air interface
After the authentication process is complete, the MS and
BSS can start encrypting by applying the encryption key,
Kc
The encryption key is generated using the Ki and a
random value by applying the A8 algorithm.
SIM in the MS and the network both calculate the same Kc
based on the random value
MS and BTS can now encrypt and decrypt data using the
A5 algorithm and Kc
Encryption
Like the A3 algorithm, A8 is specific to the home system.
After the home system has generated Kc, this is sent to
the visited system
A5 is then used to encrypt and decrypt the data between
the MS and the visited system.
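The authentication flow (AuC triplets forwarded to the visited VLR, RAND sent to the SIM, SRES compared at the VLR) and the Kc derivation and A5 encryption described above fit in one model. The block below is an added example, not code from the lecture. A3, A8 and A5 are operator-specific or proprietary and are not implemented here: HMAC-SHA256 stands in for A3 and A8, and a keyed per-frame keystream stands in for A5. Only the message flow and the field widths (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) follow GSM; keys and identities are constructed sample values. The frame-number input to the keystream reflects the fact that A5 is keyed by Kc and the TDMA frame number, which the slides do not mention.

```python
# Added example, not from the lecture slides: GSM challenge-response
# authentication and Kc derivation with stand-in algorithms. HMAC-SHA256 stands
# in for A3/A8 and a keyed keystream for A5; only the flow and field widths
# (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) follow GSM. Sample values are
# constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Signed response: 32 bits derived from Ki and the challenge."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Cipher key Kc: 64 bits derived from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes


class AuC:
    """Authentication Centre: holds Ki per IMSI and produces (RAND, SRES, Kc)
    triplets that the HLR forwards to a visited VLR in advance."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)                      # IMSI -> Ki, never leaves the AuC

    def triplet(self, imsi: str) -> Triplet:
        ki = self._keys[imsi]
        rand = secrets.token_bytes(16)               # fresh 128-bit challenge
        return Triplet(rand, a3_stand_in(ki, rand), a8_stand_in(ki, rand))


class SIM:
    """The SIM keeps Ki private and only ever returns SRES and Kc."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        return a3_stand_in(self._ki, rand), a8_stand_in(self._ki, rand)


class VisitedVLR:
    """Compares the SIM's SRES with the one precomputed by the home AuC."""

    def __init__(self):
        self._triplets: dict = {}                    # IMSI -> unused triplets

    def store(self, imsi: str, triplet: Triplet) -> None:
        self._triplets.setdefault(imsi, []).append(triplet)

    def authenticate(self, sim: SIM) -> Optional[bytes]:
        """Returns Kc on success, None on rejection. Each RAND is used once."""
        pending = self._triplets.get(sim.imsi)
        if not pending:
            return None                              # no challenge available
        t = pending.pop(0)
        sres, _kc_on_sim = sim.run_gsm_algorithm(t.rand)
        if not hmac.compare_digest(sres, t.sres):    # constant-time comparison
            return None
        return t.kc                                  # network-side Kc


def a5_stand_in(kc: bytes, frame_number: int, length: int) -> bytes:
    """Per-frame keystream from Kc and the TDMA frame number. Stand-in only;
    real A5 is a dedicated stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = frame_number.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def a5_xor(kc: bytes, frame_number: int, data: bytes) -> bytes:
    """Encrypt or decrypt (the same XOR) one frame's worth of data."""
    keystream = a5_stand_in(kc, frame_number, len(data))
    return bytes(x ^ k for x, k in zip(data, keystream))
```

Two points of the design are worth noting. Ki is held only by the `SIM` and the `AuC`, so the visited VLR authenticates with precomputed triplets and never sees the long-term key, exactly as the slides describe; and the comparison at the VLR uses `hmac.compare_digest` so that response checking does not leak timing. The code models only the direction the slides describe: the network challenges the SIM, and nothing in the exchange lets the MS verify the network.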
The process of Encryption is illustrated in the following
slide.
Encryption
(Figure: GSM encryption, not reproduced)