GSM: Overview Formerly: Groupe Spéciale Mobile (founded 1982) Now: Global System for Mobile Communication Pan-European standard (ETSI, European Telecommunications Standardisation Institute) 1 Architecture of the GSM system GSM is a PLMN (Public Land Mobile Network) several providers setup mobile networks following the GSM standard within each country Main Components MS (mobile station) BS (base station) MSC (mobile switching center) LR (location register) Subsystems RSS (Radio SubSystem): covers all radio aspects, consist of BSS (BSC + several BTSs)and MS. NSS (Network and Switching Subsystem): call forwarding, handover, switching, comprising an MSC and associated registers. OSS (Operation SubSystem): management of the network 2 GSM: Architecture Overview OMC, EIR, AUC HLR VLR fixed network PSTN GMSC NSS with OSS MSC VLR MSC BSC BSC BTS RSS BTS BTS MS BTS BSS – Base Station Sub-system BSC – Base Station Controller HLR – Home Location Register BTS – Base Transceiver Station VLR – Visitor Location Register TRX – Transceiver AuC – Authentication Centre MS – Mobile Station MSC – Mobile Switching Center GMSC – Gateway MSC EIR – Equipment Identity Register OMC – Operations and Maintenance Centre PSTN – Public Switched Telephone Network BTS 3 GSM: Architecture Overview Core 4 GSM: elements and interfaces radio cell MS Several interfaces are defined between different parts of the system: •'A' interface between MSC and BSC •'Abis' interface between BSC and BTS •'Um' air interface between the BTS (antenna) and the MS BSS MS Um radio cell MS BTS RSS BTS Abis BSC BSC A MSC NSS MSC VLR signaling VLR GMSC HLR IWF ISDN, PSTN PDN O OSS EIR AUC OMC 5 GSM: system architecture radio subsystem network and switching subsystem BTS ISDN PSTN MS BSC MSC Um BTS Abis BSC EIR SS7 BTS BSC BSS HLR VLR BTS BTS fixed partner networks A MSC IWF ISDN PSTN PSPDN CSPDN 6 System architecture: radio subsystem radio subsystem MS network and switching subsystem Components MS (Mobile Station) BSS (Base Station Subsystem): MS consisting of Um BTS Abis BTS BSC MSC BTS (Base Transceiver Station): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells BSC (Base Station Controller): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface) Interfaces Um : radio interface Abis : standardized, open interface with A BTS BTS BSC MSC 16 kbit/s user channels A: standardized, open interface with 64 kbit/s user channels BSS 7 Tasks of a BSS are distributed over BSC and BTS BTS comprises radio specific functions BSC is the switching center for radio channels Functions Management of radio channels Frequency hopping (FH) Management of terrestrial channels Mapping of terrestrial onto radio channels Channel coding and decoding Rate adaptation Encryption and decryption Paging Uplink signal measurements Traffic measurement Authentication Location registry, location update Handover management BTS X X X X X X BSC X X X X X X X X X X 8 BSS Network Topologies Base stations are linked to the parent BSC in one of several standard network topologies. The actual physical link may be microwave, optical fiber or cable. Star: most popular configuration for first GSM systems • Expensive as each BTS has its own link • One link failure always results in loss of BTS Ring: Redundancy gives some protection if a link fails • More difficult to roll-out and extend - ring must be closed Chain: cheap, easy to implement • One link failure isolates several BTSs 9 The Mobile Station The mobile station consists of: mobile equipment (ME) subscriber identity module (SIM) The SIM stores permanent and temporary data about the mobile, the subscriber and the network, including: The International Mobile Subscribers Identity (IMSI) MS ISDN number of subscriber Authentication key (Ki) and algorithms for authentication check The mobile equipment has a unique International Mobile Equipment Identity (IMEI), which is used by the EIR. The IMEI may be used to block certain types of equipment from accessing the network if they are unsuitable and also to check for stolen equipment. The two parts of the mobile station allow a distinction between the actual equipment and the subscriber who is using it. 10 System architecture: Network and Switching Subsystem network subsystem fixed partner networks ISDN PSTN MSC • Components MSC (Mobile Switching Center) IWF (Interworking Functions) ISDN (Integrated Services Digital Network) PSTN (Public Switched Telephone Network) PSPDN (Packet Switched Public Data Net.) CSPDN (Circuit Switched Public Data Net.) EIR SS7 • HLR Databases HLR (Home Location Register) VLR (Visitor Location Register) EIR (Equipment Identity Register) VLR MSC IWF ISDN PSTN PSPDN CSPDN 11 Network and switching subsystem NSS is the main component of the public mobile network GSM switching, mobility management, interconnection to other networks, system control Components Mobile Services Switching Center (MSC) and GMSC controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC Databases (important: scalability, high capacity, low delay) Home Location Register (HLR) central master database containing user data, permanent and semipermanent data of all subscribers assigned to the HLR (one provider can have several HLRs) Visitor Location Register (VLR) local database for a subset of user data, including data about all user currently in the domain of the VLR 12 Mobile Switching Center The MSC (mobile switching center) plays a central role in GSM switching functions additional functions for mobility support management of network resources VLR interworking functions via Gateway MSC (GMSC) integration of several databases MSC Functions of a MSC specific functions for paging and call forwarding termination of SS7 (signaling system no. 7) mobility specific signaling location registration and forwarding of location information provision of new services (fax, data calls) support of short message service (SMS) generation and forwarding of accounting and billing information 13 Gateway MSC A Gateway Mobile Switching Centre (GMSC) is a device which routes traffic entering or exiting a mobile network to the correct destination The GMSC accesses the network’s HLR to find the location of the required mobile subscriber A particular MSC can be assigned to act as a GMSC The operator may decide to assign more than one GMSC HLR VLR MSC GMSC VLR fixed network MSC 14 Visitor Location Register Each MSC has a VLR VLR stores data temporarily for mobiles served by the MSC Information stored includes: VLR IMSI Mobile Station ISDN Number MSC Mobile Station Roaming Number Temporary Mobile Station Identity Local Mobile Station Identity The location area where the mobile station has been registered Supplementary service parameters 15 Home Location Register Stores details of all subscribers in the network , such as: Subscription information Location information: mobile station roaming number, VLR, MSC International Mobile Subscriber Identity (IMSI) MS ISDN number AuC Tele-service and bearer service subscription information Service restrictions HLR Supplementary services Together with the AuC, the HLR checks the validity and service profile of subscribers Notice that the VLR stores the current Location Area of the subscriber, while the HLR stores the MSC/VLR they are currently under. This information is used to page the subscriber when they have an incoming call. 16 Operation subsystem The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems Components Authentication Center (AUC) generates user specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system Equipment Identity Register (EIR) registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes even localized. The EIR controls access to the network by returning the status of a mobile in response to an IMEI query Operation and Maintenance Center (OMC) different control capabilities for the radio subsystem and the network subsystem 17 Activities and Operations Main activities which the network must carry out are: Switching mobile on (IMSI attach) Mobility management Switching mobile off (IMSI detach) Location updating Making a call (mobile originated) Receiving a call (mobile terminated) Cell measurements and handover Mobile Station (MS) Base Station (BS) 18 IMSI Attach (Switch on) Mobile camps on to best serving BTS Mobile sends IMSI to MSC MSC/VLR is updated in HLR Subscriber data including current location area is added to local VLR MSC and HLR carry out authentication check - challenge and response using Ki Optionally EIR checks for status of mobile (white/grey/black) BSC VLR MSC AuC HLR EIR 19 IMSI Detach (Switch off) Mobile informs MSC it is switching off HLR stores last location area for mobile VLR records that mobile is no longer available on network Mobile powers down BSC VLR MSC AuC HLR 20 Location Updates Automatic Location Update –when mobile moves to new location area BSC Periodic Location Update – checks that mobile is still attached to network Updates location area in VLR BSC If move is to a new MSC/ VLR then HLR is informed BSC VLR MSC VLR MSC AuC HLR 21 Mobile Terminated Call HLR 1: calling a GSM subscriber 2: forwarding call to GMSC calling 3: signal call setup to HLR station 1 4, 5: request (Mobile station roaming number)MSRN from VLR 6: forward responsible MSC to GMSC 7: forward call to current MSC 8, 9: get current status of MS 10, 11: paging of MS 12, 13: MS answers 14, 15: security checks 16, 17: set up connection 4 5 3 6 PSTN 2 GMSC 10 7 VLR 8 9 14 15 MSC 10 13 16 10 BSS BSS BSS 11 11 11 11 12 17 MS 22 Mobile Originated Call 1, 2: connection request 3, 4: security check 5-8: check resources (free circuit) 9-10: set up call VLR 3 4 6 PSTN 5 GMSC 7 MSC 8 2 9 MS 1 10 BSS 23 MTC/MOC MS MTC BTS MS MOC BTS paging request channel request channel request immediate assignment immediate assignment paging response service request authentication request authentication request authentication response authentication response ciphering command ciphering command ciphering complete ciphering complete setup setup call confirmed call confirmed assignment command assignment command assignment complete assignment complete alerting alerting connect connect connect acknowledge connect acknowledge data/speech exchange data/speech exchange 24 Network Area • • • • With the mobility of a subscriber handover occurs. As mobile moves around it monitors signal strength and quality from neighbor cells BSS determines when handover should occur, based on cell measurements and traffic loading on neighbor cells. A subscriber outside of their PLMN service area may access their normal service with a roaming agreement. 25 4 types of handover 1: within a cell (from a channel to another) 2: within the same location area (from a cell to another under the control of the same BSC) 3: within the same MSC/VLR service area (under the same MSC control) 4: within the PLMN service area(from one MSC to another) From PLMN service area to another PLMN (operator): Roaming 1 2 3 4 MS MS MS MS BTS BTS BTS BTS BSC BSC BSC MSC MSC 26 Handover decision I Many handover strategies prioritize handover requests over call initiation receive level receive level requests when allocating unused channel BTSold BTSnew in a cell site. Since having a call abruptly terminated while in a middle of a Actual measured power conversation is more annoying than being blocked occasionally on a new call Average of measured power attempt. Guard channel concept :a fraction of the total available channels is reserved exclusively for handover requests from ongoing calls which may be handed off HO_MARGIN onto the cell. Handover must be performed successfully and as infrequently as possible, and be MS MS imperceptible to the users. Def: Dwell time is the time over which a BTSold BTSnew call may be maintained within a cell, without handover. Depends on (signal propagation, interference, distance between MS and BS, speed, etc.) 27 Handover decision II MAHO: Mobile assisted handover. ∆ = 𝑃𝑟 ℎ𝑎𝑛𝑑𝑜𝑓𝑓 − 𝑃𝑟 min 𝑎𝑐𝑒𝑝𝑡𝑎𝑏𝑙𝑒 ∆ too large, unnecessary handover. ∆ too small, there may be insufficient time (depends on the speed of MS)to complete a handover before a call is lost due to weak signal condition. ∆ 28 Umbrella Cell High speed MS pass through the coverage area of a cell within a matter of seconds, whereas pedestrian MS may never need a handoff during a call. Umbrella cell: provide large coverage area to high speed MS while providing small coverage area to MS travelling at low speed. Large Umbrella cell (Macrocell) for high speed traffic Small microcells for slow speed traffic 29 Handover procedure in GSM MS BTSold BSCold measurement measurement report result MSC HO decision HO required BSCnew BTSnew HO request resource allocation ch. activation HO command HO command HO command HO request ack ch. activation ack HO access Link establishment clear command clear command clear complete HO complete HO complete clear complete 30 Roaming Allows subscriber to travel to different network areas, different operator’s networks, different countries - keeping the services and features they use at home. Billing is done through home network operator, who pays any other serving operator involved. Requires agreements between operators on charge rates, methods of payments etc. Clearing house companies carry out data validation on roamer data records, billing of home network operators and allocation of payments. 31 Security issues Authentication: Procedure of verifying the authenticity of an entity (user, terminal, network, network element). In other words, is the entity the one it claims to be? Data integrity: The property that data has not been altered in an unauthorised manner. Confidentiality: The property that information is not made available to unauthorised individuals, entities or processes. Anonymity: Preventing unencrypted transmission of user ID information such as IMSI number over the air interface. 32 Security in GSM Security services access control/authentication user SIM (Subscriber Identity Module): secret PIN (personal identification number) SIM network: challenge response method confidentiality voice and signaling encrypted on the wireless link (after successful authentication) anonymity temporary identity TMSI “secret”: (Temporary Mobile Subscriber Identity) is given to the user • A3 and A8 available after switching on which use IMSI. via the Internet newly assigned at each new location update (LUP) • network providers encrypted transmission can use stronger mechanisms 3 algorithms specified in GSM A3 for authentication (“secret”, open interface) A5 for encryption (standardized) A8 for key generation (“secret”, open interface) 33 GSM - authentication SIM mobile network Ki AuC RAND 128 bit RAND 128 bit RAND Ki 128 bit A3 128 bit A3 SIM SRES* 32 bit MSC SRES* =? SRES SRES SRES 32 bit Ki: individual subscriber authentication key 32 bit SRES SRES: signed response 34 GSM - key generation and encryption MS with SIM mobile network (BTS) Ki AC RAND 128 bit RAND 128 bit RAND 128 bit A8 cipher key BTS Ki 128 bit SIM A8 Kc 64 bit Kc 64 bit data A5 encrypted data SRES data MS A5 35 GSM: Mobile Services GSM offers several types of connections voice connections, data connections, short message service multi-service options (combination of basic services) Three service domains offered to the end user: Telematic Services: service completely defined including terminal equipment functions - telephony and various data services. Bearer Services: basic data transmission capabilities protocols and functions not defined Supplementary Services. 36 Tele Services I Telecommunication services that enable voice communication via mobile phones All these basic services have to obey cellular functions, security measurements etc. Offered services mobile telephony primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 kHz Emergency number - mandatory for all service providers -free of charge -connection with the highest priority (preemption of other connections possible) -Emergency calls can override any locked state the phone may be in -May be initiated from a mobile without a SIM - common number throughout Europe (112) -If the national emergency code is used the SIM must be present Multinumbering several ISDN phone numbers per user possible 37 Tele Services II Additional services Non-Voice-Teleservices group 3 fax voice mailbox (implemented in the fixed network supporting the mobile terminals) electronic mail (MHS, Message Handling System, implemented in the fixed network) Short Message Service (SMS) alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS DTMF - Dual Tone Multi-Frequency - used for control purposes – remote control of answering machine, selection of options. Cell Broadcast - short text messages sent by the operator to all users in an area, e.g. to warn of road traffic problems, accidents 38 Bearer Services Telecommunication services to transfer data between access points Specification of services up to the terminal interface (OSI layers 1-3) Different data rates for voice and data (original standard) data service (circuit switched) synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: 300 - 1200 bit/s data service (packet switched) synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: 300 - 9600 bit/s 39 Supplementary services Services in addition to the basic services, cannot be offered stand-alone Similar to ISDN services besides lower bandwidth due to the radio link May differ between different service providers, countries and protocol versions Important services identification: forwarding of caller number suppression of number forwarding automatic call-back conferencing with up to 7 participants locking of the mobile terminal (incoming or outgoing calls) ... 40