GSM Air

CS 8803 - Cellular and Mobile Network Security: GSM - In Detail
Professor Patrick Traynor
9/27/12
Georgia Tech Information Security Center (GTISC)
Wednesday, September 26, 12
Cellular Telecommunications
• Architecture
• Background
• Air Interfaces
• Network Protocols
• Application: Messaging
• Research
GSM
• The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications with well over 5 billion users.
  ‣ As a comparison, there are approximately 1.5 billion Internet users.
• The architectures of other networks are similar, so knowing how to “speak GSM” will get you a long way in this space.
Wireless Signaling and Control in GSM
• Common Control Channel
  ‣ Structure
  ‣ Broadcast Channels
  ‣ Channel Access from Mobile
  ‣ Procedures and Messages for Call Control
• Traffic Channel
  ‣ Structure
  ‣ Handoffs
GSM Control Functions
• Read System Parameters
• Register
• Receive and Originate Calls
• Manage Handoffs
GSM Structure
[Figure: Common Control Channel (CCCH) and Traffic Channel (TCH, 13 KBps, per user in a call)]
• Common Control Channel (CCCH)
  ‣ Used for control information: registration, paging, call origination/termination.
• Traffic Channel (TCH)
  ‣ Information transfer
  ‣ In-call control (fast/slow associated control channels)
GSM TDMA Frames
• TDMA Frame: 8 slots (Slot 0, Slot 1, ..., Slot 7) per frame; frames are numbered Frame 0, Frame 1, Frame 2, ..., Frame 50
  ‣ Frame: 4.615 msec
  ‣ 51 Multiframe: 235.365 msec
From Frames to Channels
[Figure: a 26 Multiframe (120.00 ms) built from frames of 8 slots (0-7); Frame: 4.615 ms]
GSM CCCH
Reverse (MS to BS): Random Access Control Channel (RACH)
Forward (BS to MS): Paging and Access Grant Channel (PAGCH), made up of PCH and AGCH
Forward (BS to MS): Broadcast Control Channel (BCCH)
Forward (BS to MS): Synchronization Channel (SCH)
Forward (BS to MS): Frequency Correction Channel (FCCH)
GSM CCCH Structure
• TDMA Frame: 8 slots (Slot 0, ..., Slot 7); Frame 0, Frame 1, Frame 2, ..., Frame 50; Frame: 4.615 msec; 51 Multiframe: 235.365 msec
• Channel Name (Frame #) within the 51 multiframe:
  ‣ Downlink: FCCH (0) SCH (1) BCCH (2-5) PAGCH (6-9) FCCH (10) SCH (11) PAGCH (12-19) FCCH (20) SCH (21) PAGCH (22-29) FCCH (30) SCH (31) PAGCH (32-39) FCCH (40) SCH (41) PAGCH (42-49) I (50)
  ‣ Uplink: RACH (0) ... RACH (50)
  ‣ CCCH/RACH always uses Slot 0 of each frame; the other seven slots are for TCH
  ‣ TCH: the 26 multi-frame repeats every 120 msec (the 13th and 16th frames are used by the Slow Associated Control Channel (SACCH) or are idle)
GSM: BCCH
• Broadcast to all users on the CCCH
• No addressing
• Used to acquire system parameters, so mobile may operate with the system.
• Key parameters (contained in RR SYSTEM INFORMATION MESSAGES):
  ‣ RACH control parameters
  ‣ cell channel descriptions (frequencies)
  ‣ neighbor cells (frequencies)
  ‣ cell id
  ‣ Location Area ID (LAI)
  ‣ Control Channel description
GSM: FCCH and SCH
• Keeps system synchronization
  ‣ What do you mean, synchronization?
• Broadcasts Basestation ID
  ‣ Why is this useful information?
GSM: Mobile Channel Access Procedures (RACH)
• MS communicates with BS over RACH
  ‣ Only initially, and must compete for this shared resource.
• Feedback provided with AGCH
  ‣ Points the user to a dedicated channel for real exchanges.
• Functions:
  ‣ Responses to paging messages
  ‣ Location update (registration)
  ‣ Call Origination
GSM: Paging Channel (PCH)
• Used to send pages to mobile devices.
  ‣ Notifications of incoming services (e.g., voice, data, SMS)
• Done at regular intervals
  ‣ Mobiles belong to a paging class
  ‣ Allows the device to sleep, conserve power
• More than 1 mobile paged at a time.
GSM: RACH and Slotted ALOHA (Layer 2)
Assumptions
• all frames same size
• time is divided into equal size slots, time to transmit 1 frame
• nodes start to transmit frames only at beginning of slots
• clocks are synchronized
• if 2 or more nodes transmit in slot, all nodes detect collision
Operation
• when node obtains fresh frame, it transmits in next slot
• no collision, node successfully transmitted the frame
• if collision, node retransmits frame in each subsequent slot with prob. p until success
GSM: More Slotted ALOHA
Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons
• collisions, wasting slots
• idle slots
• nodes may be able to detect collision in less than time to transmit packet
• clock synchronization
GSM: Slotted ALOHA Efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
• Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that any node has a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
At best: channel has maximum throughput of 37%!
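The maximization and limit on this slide carried through numerically, as an added example that is not from the lecture slides: slot_success_prob is the slide's Np(1-p)^(N-1), optimal_p locates p* by grid search (the analytic answer is 1/N), and a seeded Monte Carlo run of the backlogged-node model checks the formula. All function names are my own.

```python
import math
import random


def slot_success_prob(n_nodes: int, p: float) -> float:
    """Probability that exactly one of N always-backlogged nodes transmits
    in a slot: the slide's N p (1-p)^(N-1)."""
    return n_nodes * p * (1.0 - p) ** (n_nodes - 1)


def optimal_p(n_nodes: int, steps: int = 100_000) -> float:
    """Find p* by brute-force grid search over (0, 1).
    Setting d/dp of N p (1-p)^(N-1) to zero gives p* = 1/N, which the
    search reproduces to within the grid spacing."""
    best_p, best_val = 0.0, -1.0
    for i in range(1, steps):
        p = i / steps
        val = slot_success_prob(n_nodes, p)
        if val > best_val:
            best_p, best_val = p, val
    return best_p


def max_efficiency(n_nodes: int) -> float:
    """Efficiency at p* = 1/N, i.e. (1 - 1/N)^(N-1); tends to 1/e as N grows."""
    return slot_success_prob(n_nodes, 1.0 / n_nodes)


def simulate(n_nodes: int, p: float, n_slots: int, seed: int = 1) -> float:
    """Monte Carlo check of the model: every node is always backlogged and
    transmits in each slot with probability p. Returns the fraction of
    slots carrying exactly one frame (the only slots that are useful)."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    successes = 0
    for _ in range(n_slots):
        transmitters = sum(1 for _ in range(n_nodes) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / n_slots


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(f"N={n:5d}  p*={optimal_p(n):.4f}  efficiency={max_efficiency(n):.4f}")
    print(f"1/e = {1 / math.e:.4f}")
    print(f"simulated N=20, p=0.05: {simulate(20, 0.05, 20000):.3f}")
```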
GSM: RACH Procedures (Layer 2)
• Mobile
  ‣ sends assignment request with information
• Basestation
  ‣ sends back assignment with information echoed
• Creates Radio Resource (RR) connection
  ‣ “Standalone Dedicated Control Channel”
  ‣ May be a physical channel
  ‣ May be a traffic channel in signaling-only mode
  ‣ May eventually be bandwidth stolen from TCH (associated control channel).
Basic Flow on Air Interface
Alert phone of incoming activity
Request dedicated signaling channel
Signal
Release signaling channel
GSM Signaling
• Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).
  ‣ Technically layer 3, but debatable from OSI perspective as application-esque things happen here.
• Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS).
Time Out: Privacy?
• With all of this signaling going over well-known channels, isn’t there a risk of user tracking/profiling?
  ‣ Think about the PCH... what is transmitted here?
GSM Registration
• Types
  ‣ Power up and down
  ‣ Location Area changes (mobility)
  ‣ Periodic
• User Privacy
  ‣ Mobile device may transmit real address: International Mobile Subscriber Identity (IMSI)
  ‣ Get back temporary id (TMSI)
  ‣ Unique to a local area
• Subsequent registrations use TMSI
GSM: Registration, High Level
Get SDCCH
RR connection established
Authenticate
Cipher
UpdateLocation
Release RR connection
GSM Registration: Gory Details
Get SDCCH
RR connection established
LOC UPD RQST
Authentication Request (RAND)
Authentication Response (SRES)
Cipher Mode
Cipher Mode Complete
LOC UPD ACC (TMSI Assigned)
TMSI RE-ALLOC Complete
Release RR connection
• More details on this “authentication” procedure soon...
GSM: Call Termination (Receive a Call)
Page Request (TMSI)
Get SDCCH:
  Channel Request
  Channel Assignment
  RR connection established
SABM (Page Response)
UA (Page Response)
Authentication and Ciphering
SETUP
Call Confirmed
Alert
Assignment Command
Assignment Complete
Connect
Connect ACK
GSM: Call Origination
Get SDCCH:
  Channel Request
  Channel Assignment
  RR connection established
SABM (CM Service Request - Call Orig)
UA (CM Service Request - Call Orig)
Authentication and Ciphering
SETUP
Call Proceeding
Alert
Assignment Command
Assignment Complete
Connect
Connect ACK
RR connection release
GSM: Mobile Assisted Handoff (MAHO)
[Figure: message sequence between the mobile, Old BS, New BS and MSC]
Measurement Report (repeated from the mobile via the Old BS)
Handoff Order
Handoff Access (to the New BS, reported on to the MSC)
Handoff Complete
Measuring Mobility-Generated Load
• How do we estimate the traffic load caused by handoffs?
• Simplest mobility model - assume conservation of flow and random movements at constant velocity.
• Rate of boundary crossings = ρvL/π
  ‣ ρ = density of users, v = velocity and L is perimeter
Practice
• Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.
• Assume:
  ‣ L = 80 miles
  ‣ ρ = 150 users/mi²
  ‣ v = 45 miles/hour
Example
• Boundary crossing rate: (150 × 45 × 80) / π per hour, divided by 3600 secs per hour, = 48 crossings/sec
• Load on VLR from mobility is 144 operations/sec:
  ‣ updates (3): Update LA, Reg Cancel, Auth Info
Example, cont
• Assume 3 calls/user/hour (1.5 in, 1.5 out on average)
  ‣ for each incoming call there is one database query (MSRN)
• ρ = 150 users/mi², L = 80 miles
  ‣ each area contains 150 x (80/4)² = 60,000 users
  ‣ 60,000 users × 1.5 incoming calls/hour ÷ 3600 = 25 calls/second
• Total Load
  ‣ 25 queries/second (call related)
  ‣ 144 updates/second (mobility related)
• Conclusion
  ‣ mobility substantially dominates the database load
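The VLR load calculation from the two example slides, as an added example that is not part of the lecture: it assumes the boundary-crossing rate ρvL/π (the conservation-of-flow result for uniformly random directions; the 1/π factor is what yields the slide's 48 crossings/sec), a square location area of perimeter L, and the slide's 3 VLR operations per crossing and 1.5 incoming calls per user per hour. Function names are mine.

```python
import math

# Slide parameters: user density rho (users/mi^2), velocity v (miles/hour)
# and location-area perimeter L (miles).
RHO, V, L = 150.0, 45.0, 80.0
SECONDS_PER_HOUR = 3600.0


def crossings_per_second(rho: float, v: float, perimeter: float) -> float:
    """Boundary crossings per second: rho*v*L/pi per hour, converted to
    seconds. The 1/pi is assumed (random directions, conservation of flow)."""
    return rho * v * perimeter / math.pi / SECONDS_PER_HOUR


def vlr_mobility_ops_per_second(rho: float, v: float, perimeter: float,
                                ops_per_crossing: int = 3) -> float:
    """Each crossing costs ops_per_crossing VLR operations
    (Update LA, Reg Cancel, Auth Info on the slide)."""
    return crossings_per_second(rho, v, perimeter) * ops_per_crossing


def users_in_square_area(rho: float, perimeter: float) -> float:
    """A square area with perimeter L has side L/4 and area (L/4)^2."""
    return rho * (perimeter / 4.0) ** 2


def incoming_call_queries_per_second(rho: float, perimeter: float,
                                     incoming_per_user_hour: float = 1.5) -> float:
    """One MSRN database query per incoming call."""
    users = users_in_square_area(rho, perimeter)
    return users * incoming_per_user_hour / SECONDS_PER_HOUR


def load_breakdown(rho: float, v: float, perimeter: float) -> dict:
    """Both components of the database load, plus the share due to mobility."""
    mobility = vlr_mobility_ops_per_second(rho, v, perimeter)
    calls = incoming_call_queries_per_second(rho, perimeter)
    return {"mobility_ops_per_s": mobility,
            "call_queries_per_s": calls,
            "mobility_share": mobility / (mobility + calls)}


if __name__ == "__main__":
    print(f"crossings/sec: {crossings_per_second(RHO, V, L):.1f}")
    for k, val in load_breakdown(RHO, V, L).items():
        print(f"{k}: {val:.2f}")
```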
GSM: Short Messaging Service
• Bi-directional
• Acknowledged Service
• Store-and-Forward Service
• 140 octets/160 characters (concatenation possible)
• Uses SDCCH signaling channel
• Two services - cell broadcast and point to point
  ‣ Cell broadcast exists in the standards only at this time.
• Three types - user specific, ME-specific, SIM-specific
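Why 160 characters fit in 140 octets: an added example, not from the lecture, of the 7-bit septet packing used for the SMS user-data field. It is restricted to characters whose GSM 7-bit default-alphabet code equals their ASCII code (letters, digits, space and the listed punctuation); the function names are mine and the "hello" hex vector was worked out by hand.

```python
# Characters whose GSM 7-bit default-alphabet code equals their ASCII code.
# Anything else (e.g. '@', '$', '[') differs between the alphabets and is rejected.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            " !\"#%&'()*+,-./:;<=>?")
MAX_SEPTETS = 160   # characters per single (unconcatenated) message
MAX_OCTETS = 140    # 160 * 7 bits = 1120 bits = 140 octets


def text_to_septets(text):
    if any(ch not in _SAFE for ch in text):
        raise ValueError("character outside the ASCII/GSM-7 overlap")
    return [ord(ch) for ch in text]


def pack_7bit(septets):
    """Pack 7-bit values LSB-first into octets: each octet takes the next
    8 bits of the septet bit stream, so 8 septets fill 7 octets."""
    out, acc, nbits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                    # leftover bits of the last septet
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_7bit(data, n_septets):
    """Inverse of pack_7bit; n_septets (the user-data length) is needed
    because a trailing partial octet could otherwise yield a bogus septet."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < n_septets:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def encode_sms(text):
    septets = text_to_septets(text)
    if len(septets) > MAX_SEPTETS:
        raise ValueError("more than 160 septets: concatenation required")
    return pack_7bit(septets)


def decode_sms(data, n_septets):
    return "".join(chr(s) for s in unpack_7bit(data, n_septets))
```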
GSM: SMS Examples - Mobile Termination
Page
Page Response
SMS Delivery
GSM: SMS Examples - Mobile Termination
Page
Page Response
CP-Data (RP-Data (SMS Delivery))
CP-ACK
CP-Data (RP-ACK)
CP-ACK
Other Air Interfaces
• IS-54/IS-136/D-AMPS
  ‣ digital, TDMA
• IS-95
  ‣ digital, CDMA
• CDMA2000
  ‣ “3G”
• UMTS
  ‣ W-CDMA
  ‣ “3G”
IS-54/IS-136
• First North American standards
• Converted traffic channels (IS-54) and control channels (IS-136) to digital.
  ‣ Phones could gracefully degrade to AMPS if neither of these networks were available.
• IS-54 was the first to consider security.
  ‣ Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.
  ‣ Both algorithms later shown to be weak.
IS-95
• Code Division Multiple Access (CDMA) Transmission
• Similar call processing to GSM and IS-136
• 1.23 MHz carriers, each with 65 sub-code channels
• Operates in similar bands as AMPS/IS-136
Network Architecture: IS-95/CDMA2000
[Figure: BS, BSC, RNC/PCF, MSC, VLR, HLR, AAA, PDSN, HA, PSTN, Internet]
• RNC/PCF
  ‣ Performs frame-selection/power control
  ‣ Terminates Radio Link Protocol w/ mobiles
  ‣ Performs packet and burst control functions
• PDSN
  ‣ terminates PPP with clients
  ‣ provides FA support for MIP-enabled Clients
• AAA
  ‣ Provides Authentication, Authorization and Accounting for Data users
• BSC
  ‣ Coordinates handoff for voice users
  ‣ performs frame-selection/power control
• MSC
  ‣ call control and mobility management
  ‣ interfaces to the PSTN for voice users
• HLR
  ‣ provides location management and AAA functions for voice users.