1 2. Conventional networks 2.3 Cellular networks Prof. JP Hubaux • Overview • Network capacity • Security: the Lin-Harn protocol • Billing


1

2. Conventional networks
2.3 Cellular networks

Prof. JP Hubaux

• Overview
• Network capacity
• Security: the Lin-Harn protocol
• Billing

2

The Public Switched Telephone Network (reminder)

[Figure: local switches connected through transit switches across the long distance network; labels: outgoing call, incoming call]

- Transfer mode: circuit switching
- all the network (except part of the access network) is digital
- each voice channel is usually 64kb/s

3

Trunk Dimensioning in the Telephone Network (reminder)

[Figure: virtually infinite sources offering traffic to a trunk with N channels]

Trunk with N channels; each channel carries a traffic of

A: offered traffic

B: blocking probability (*)

(*): the blocking probability is defined as the probability of an incoming call to be rejected, because all N channels are already occupied.

Assumptions:
• Loss system: calls are dropped if they cannot be immediately accepted
• The sources are independent from each other
• The time between call arrivals is drawn from an exponential distribution

Erlang formula:

$$B = \frac{A^N / N!}{\sum_{i=0}^{N} A^i / i!}$$

Output utilization:

$$\frac{(1 - B)\,A}{N}$$

Offered traffic: $A = (\text{call arrival rate}) \times E[X]$, in calls/s * seconds/call (Erlang), where $X$ represents the duration of calls.
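The Erlang formula above evaluated numerically, as an added example that is not part of the original slides. It uses the standard recurrence instead of the factorials, and `channels_needed` and `output_utilization` are hypothetical helper names.

```python
def erlang_b(offered_traffic: float, channels: int) -> float:
    """Blocking probability B for offered traffic A (Erlang) on N channels.

    Uses B(A, 0) = 1 and B(A, n) = A*B(A, n-1) / (n + A*B(A, n-1)), which is
    algebraically equal to the Erlang formula but never forms A**N or N!.
    """
    if offered_traffic < 0 or channels < 0:
        raise ValueError("traffic and channel count must be non-negative")
    b = 1.0
    for n in range(1, channels + 1):
        b = offered_traffic * b / (n + offered_traffic * b)
    return b


def channels_needed(offered_traffic: float, target_blocking: float,
                    max_channels: int = 100_000) -> int:
    """Smallest N whose blocking probability does not exceed the target."""
    if not 0 < target_blocking <= 1:
        raise ValueError("target blocking must be in (0, 1]")
    b, n = 1.0, 0
    while b > target_blocking:
        n += 1
        if n > max_channels:
            raise ValueError("target not reachable within max_channels")
        b = offered_traffic * b / (n + offered_traffic * b)
    return n


def output_utilization(offered_traffic: float, channels: int) -> float:
    """(1 - B) * A / N: carried traffic per channel."""
    if channels <= 0:
        raise ValueError("need at least one channel")
    return (1.0 - erlang_b(offered_traffic, channels)) * offered_traffic / channels


if __name__ == "__main__":
    # Constructed sample load: 10 Erlang offered, 1% blocking target.
    n = channels_needed(10.0, 0.01)
    print(n, erlang_b(10.0, n), output_utilization(10.0, n))
```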

4

Principle of the basic call (reminder)

[Figure: message sequence chart between the calling terminal, the network and the called terminal. Labels: Off-hook; Resource allocation; Dial tone; Dialing; Translation + routing; Ring indication; Alert signal; Off hook; Remove ring indication; Bi-directional channel; Conversation; On hook; On hook signal; Billing]

5

Basic architecture of a cellular network

[Figure: cellular network made of mobile station, base station, mobile switching center and server (e.g., Home Location Register), connected to an external network]

6

Registration

Tuning on the strongest signal

Term. Nr: 079/4154678

7

Service Request

[Figure: service request carrying the numbers 079/4154678 and 079/8132627]

8

Paging broadcast

[Figure: the page "079/8132627?" is broadcast in several cells]

Note: paging makes sense only over a small area

9

Response

079/8132627


10

Channel Assignment

[Figure: one side of the call is assigned Channel 47, the other Channel 68]

11

Conversation

12

Handover (or Handoff)

13

Message Sequence Chart

[Figure: message sequence chart between Caller, Base Station, Switch, Base Station and Callee. Labels: Periodic registration (both sides); Service request; Page request; Paging broadcast; Paging response; Assign Ch. 47 / Tune to Ch. 47; Assign Ch. 68 / Tune to Ch. 68; Ring indication; Alert tone; User response; Stop ring indication]

14

Peculiarities of Personal Communication Systems (PCS)

Mobility
• User location ==> periodic registration and/or paging
• Moving from a cell to another ==> handoff procedures
• Moving from one network to another ==> roaming

Ether
• Multiple users per cell ==> access technology (FDMA, TDMA, CDMA)
• Channel impairments ==> coding, error detection, retransmission, forward error correction
• Bandwidth ==> channel reuse, signal compression, efficient modulation and coding
• Privacy and security ==> encryption

Energy
• Limited autonomy ==> power control, discontinuous transmission

15

Services offered by current PCS

• Telephony services (including voice mail, call transfer,…)
• Short message services
• Voiceband data and fax
• Packet switched data (e.g., GSM/GPRS, CDPD)
• Closed user groups
• Telemetry

16

Relevant service features (user perspective)

• Terminal characteristics (weight, size, robustness, price)
• Battery life / autonomy
• Modes of operation of the terminal (as a cellular phone, a cordless phone, with a satellite,…)
• Service price
• Range of services
• Coverage area (of the home network + roaming agreements)
• User environment while roaming
• User interface: ease of use, programmability
• Call blocking (service denial)
• Call dropping
• Setup time
• Transmission quality (error rate, signal to distortion ratio, delay)
• Maximum speed of the terminal
• Authentication technique
• Privacy
• Confidentiality
• Secure billing
• Radiated power

17

Operator perspective

• Spectrum efficiency: $E = \frac{\text{conversations}}{\text{cells} \times \text{MHz}}$
• Cell radius
• Infrastructure cost
• Deployment timing and adaptability
• Roaming agreements
• Resistance to fraud
• Non repudiability of bills
• …

18

Air interface

[Figure: protocol stacks of the Terminal and of the Base Station, each with the layers Messages, Logical channels and Radio link]

• Messages (unit exchanged: messages): structure, content
• Logical channels (unit exchanged: packets): packet structure, error detection/retransmission. Topology: one to one; one to many (e.g., synch signals); many to one (e.g., service request)
• Radio link (unit exchanged: bits): multiple access (e.g., CDMA, TDMA, FDMA); duplex (e.g., Frequency Division Duplex - FDD); modulation, source coding, channel coding, interleaving, diversity reception, channel equalization

19

User Tracking: Geographic-based Strategy

[Figure: Location area 1 (ID = 1) and Location area 2 (ID = 2)]

• All base stations within the same LA periodically broadcast the ID of the LA
• Each user compares its last LA ID with the current ID, and transmits a registration message whenever the ID is different
• When there is an incoming call directed to a user, all the cells within its current LA are paged

1. Change LA
2. Receive the ID of the LA
3. Compare with stored ID
4. If different, update and ask for registration
5. Inform the HLR of the new LA ID of the end user

20

Cellular networks

• The area to be covered is tessellated in a (usually large) number of cells
• There is usually one antenna per cell
• A mobile communicates with one (or sometimes two) antennas
• Antennas are controlled by Mobile Switching Centers (MSC)
• Cells are usually represented by hexagons, although the real shape can be quite variable
• In all systems, cells interfere with each other
• To increase the capacity of the network, the usual technique consists in increasing the number of cells

21

Frequency reuse

[Figure: hexagonal cells labelled F1 to F7, the same 7-cell pattern repeated over the coverage area]

• Cells with the same name use the same set of frequencies
• In this example, the cluster size N = 7
• In order to tessellate, the geometry of hexagons is such that N can only have values which satisfy: $N = i^2 + ij + j^2$ with i = 1, 2,… and j = 1, 2,…
• Channel assignment strategies:
  – fixed: each cell is allocated a predetermined set of voice channels
  – dynamic: each time a call request is made, the serving base station requests a channel from the MSC

22

Handover: principle

[Figure: received signal level over time for a mobile moving between BS1 and BS2 through points A and B; marked levels: the level at point B, and the level at which handover is made (call properly transferred to BS2)]

23

Decibels (reminder)

The decibel is used to express a power ratio:

$$B = 10 \log_{10} \frac{P}{P_0}$$

where $P_0$ is the reference power level and $P$ is the power level at the considered point of the system.

Example: if the transmission power $P_0$ is 10W and the received power $P$ is 0.1W, the loss is $10 \log_{10}(1/100) = -20$ dB.

A decibel (dB) expresses a ratio. An absolute value can be expressed in decibels relative to 1 Watt (dBW) or (more frequently) in decibels relative to 1 mW (dBm).

The latter is expressed by: $10 \log_{10} \frac{P}{1\ \text{mW}}$

24

Handover strategies

• The handover power level must be carefully chosen:
  – If too small: risk of superfluous handovers
  – If too high: risk of losing the call due to weak signal conditions
• Dwell time: time during which a call is maintained in the same cell (hence without handover)
• Mobile Assisted Handover (MAHO): every mobile measures the power from surrounding base stations and reports these measurements to the serving base station. A handover is initiated if the power of the signal received from another station exceeds that of the serving one by a certain threshold for a certain amount of time.
• Inter-system handover: when changing network
• Prioritising handovers over new calls; 2 methods:
  – Guard channels (spare channels in each cell)
  – Queuing of handover requests
• Coping with stations moving at very different speeds (e.g., cars vs pedestrians): umbrella cells
• Typical values for GSM handover: threshold between 0 and 6 dB, execution time of around 1 to 2 seconds
• Soft handover: in the case of CDMA

25

Interference and system capacity

• Possible sources of interference:
  – Another mobile in the same cell
  – A call in progress in a neighboring cell
  – Other base stations operating in the same frequency band
  – Any noncellular system which inadvertently leaks energy into the frequency band
• Consequences of interferences:
  – On data channel: crosstalk (voice), erroneous data (data transmission)
  – On control channel: missed calls, dropped calls
• 2 major types of system-generated interference:
  – Co-channel interference (same frequency), see hereafter
  – Adjacent channel interference (adjacent frequency)

26

Co-channel interference (1/4)

Co-channel reuse ratio:

$$Q = \frac{D}{R} = \sqrt{3N}$$

Signal-to-interference ratio (SIR):

$$\frac{S}{I} = \frac{S}{\sum_{i=1}^{i_0} I_i}$$

where $S$ is the desired signal power from the desired base station, $I_i$ is the interference power caused by the ith interfering co-channel base station and $i_0$ is the number of co-channel interfering cells.

Average received power at a distance d from the transmitting antenna:

$$P_r = P_0 \left(\frac{d}{d_0}\right)^{-n}$$

or

$$P_r(\text{dBm}) = P_0(\text{dBm}) - 10\,n \log\left(\frac{d}{d_0}\right)$$

where $P_0$ is the power received at a small distance $d_0$ from the transmitting antenna, and $n$ is the path loss exponent.

27

Co-channel interference (2/4)

If the transmit power of each base station is equal and $n$ is the same throughout the coverage area:

$$\frac{S}{I} = \frac{R^{-n}}{\sum_{i=1}^{i_0} D_i^{-n}}$$

Considering only the first layer of interfering cells (and assuming their centers are all at distance D of the considered base station):

$$\frac{S}{I} = \frac{(D/R)^n}{i_0} = \frac{(\sqrt{3N})^n}{i_0}$$

28

Co-channel interference (3/4)

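[Figure: first tier of co-channel cells for a cluster size of N=7, seen from point A at the edge of a cell of radius R; the six interferers are at the marked distances D-R, D-R, D, D, D+R and D+R]

Note: the marked distances are approximations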

29

Co-channel interference (4/4)

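Approximation of the signal-to-interference ratio at point A:

$$\frac{S}{I} \approx \frac{R^{-n}}{2(D-R)^{-n} + 2D^{-n} + 2(D+R)^{-n}}$$

Thus:

$$\frac{S}{I} \approx \frac{1}{2(Q-1)^{-n} + 2Q^{-n} + 2(Q+1)^{-n}}$$

Numerical example:

If $N = 7$ and $n = 4$, then $Q = 4.6$ and $S/I = 49.56$ (17.8 dB)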

30

Capacity of cellular networks (1/2)

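We consider the downlink channel interference.

Assume the mobile to be located at the edge of the cell, and consider only the interference of the 6 closest cells.

We want C/I to be greater than a given minimum $(C/I)_{min}$.

Then we need:

$$\frac{S}{I} = \frac{R^{-n}}{\sum_{i=1}^{i_0} D_i^{-n}} \approx \frac{1}{6} \left(\frac{D}{R}\right)^{n} \ge \left(\frac{C}{I}\right)_{min}$$

As $Q = D/R$, we get:

$$Q \ge \left(6 \left(\frac{C}{I}\right)_{min}\right)^{1/n}$$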

31

Capacity of cellular networks (2/2)

Radio capacity of a cellular network:

$$m = \frac{B_t}{B_c\,N} \quad \text{radio channels/cell}$$

where $B_t$ is the total allocated spectrum for the system and $B_c$ is the channel bandwidth.

As $Q = \sqrt{3N}$, we get:

$$m = \frac{B_t}{B_c\,\frac{Q^2}{3}} = \frac{B_t}{B_c \left(\frac{6}{3^{n/2}} \left(\frac{C}{I}\right)_{min}\right)^{2/n}}$$

Techniques to improve capacity:
• Cell splitting
• Sectoring

32

Capacity of cellular CDMA

The capacity of CDMA is interference limited, while it is bandwidth limited in TDMA and FDMA.

Techniques to reduce interference:
• Multisectorized antennas
• Discontinuous transmission mode (takes advantage of the intermittent nature of speech); duty factor typically between 3/8 and ½.
• Power control: for a single cell, all uplink signals should be received approximately with the same power at the base station

33

Capacity of cellular CDMA: single cell case (1/2)

N: number of users

S: power of the signal received at the base station from a single user

$$SNR = \frac{S}{(N-1)\,S} = \frac{1}{N-1}$$

Energy-to-noise ratio:

$$\frac{E_b}{N_0} = \frac{S/R}{(N-1)(S/W)} = \frac{W/R}{N-1}$$

where R is the bitrate and W is the available bandwidth.

Taking the thermal noise $\eta$ into account:

$$\frac{E_b}{N_0} = \frac{W/R}{(N-1) + (\eta/S)}$$

Thus the number of users that can access the system is:

$$N = 1 + \frac{W/R}{E_b/N_0} - \frac{\eta}{S}$$

34

Capacity of cellular CDMA: single cell case (2/2)

With antenna sectorization, $N_0$ becomes $N_0'$, with $N_0' < N_0$.

For example, with 3 antennas covering 120° each:

$$N_0' = \frac{1}{3} N_0$$

$\alpha$: duty cycle of voice

$N_s$: number of users per sector

$$\frac{E_b}{N_0'} = \frac{W/R}{(N_s - 1)\,\alpha + (\eta/S)}$$

If the number of users is large and noise is neglected:

$$N_s = 1 + \frac{1}{\alpha}\,\frac{W/R}{E_b/N_0'}$$

35

Capacity of cellular CDMA: multiple cells case (1/3)

[Figure: base station $B_0$ surrounded by the adjacent base stations $B_1$ to $B_6$]

$B_0$ controls the transmit power of each of its own in-cell users, but not the power of users in neighboring cells.

Frequency reuse factor on the uplink:

$$f = \frac{N_0}{N_0 + \sum_i U_i N_{ai}}$$

where $N_0$ is the total interference power received from the N-1 in-cell users, $U_i$ is the number of users in the ith adjacent cell, and $N_{ai}$ is the average interference power for a user located in the ith adjacent cell.

Average received power from users in an adjacent cell:

$$N_{ai} = \sum_j N_{ij} / U_i$$

where $N_{ij}$ is the power received at the base station of interest from the jth user in the ith cell.

36

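Capacity of cellular CDMA: multiple cells case (2/3)

Concentric circular geometry

[Figure: considered cell of radius R surrounded by the first surrounding layer, which extends to 3R and is divided into wedge-shaped adjacent cells; marked distances $d_0$, $2R - d_0$, $2R + d_0$ and $2d_0$]

• $M_1$: number of wedge-shaped cells of the first surrounding layer of cells
• $A_1$: area of the first surrounding layer
• $A_1 = M_1 A$
• To let all cells have the same size A, we must have: $M_1 = 8$, $\theta_1 = 45°$
• By recursion, for the ith layer: $A_i = i\,8A$, $\theta_i = \pi / 4i$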

37

Capacity of cellular CDMA: multiple cells case (3/3)

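[Figure: geometry of an adjacent cell split into an inner sublayer and an outer sublayer; marked distances $d_0$, R, $2R - d_0$, $2R + d_0$, 3R, d and d']

For the inner sublayer:

$$d' = \sqrt{d^2 \sin^2\theta + (2Ri - d_0 - d\cos\theta)^2} \quad \text{for } (2i-1)R \le d \le 2iR - d_0$$

For the outer sublayer:

$$d' = \sqrt{d^2 \sin^2\theta + (d\cos\theta - 2Ri - d_0)^2} \quad \text{for } 2iR - d_0 \le d \le (2i+1)R$$

Interference power at $B_0$ from the jth subscriber of the ith cell:

$$P_{0,i,j}(r, \theta, d_0) = P_0 \left(\frac{d'}{d_0}\right)^{n} \left(\frac{d_0}{d}\right)^{n}$$

In practice, the frequency reuse efficiency $f$ for CDMA is in the order of 0.3 to 0.7 (as a comparison, in the case of FDMA with cluster size = 7, $f$ = 1/7).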

38

Roaming: principle

[Figure: home network and visited network, each with a subscriber database (IDs, keys, bills,…), linked by a roaming agreement; the user is shown with the visited network]

39

Roaming: architecture

[Figure: the home network (service logic, Home Location Register, base station) and the visited network (service logic, Visiting Location Register, base station) are interconnected through the PSTN + data network]

40

Security of cellular networks

[Figure: mobile station, base station, home network and foreign network, annotated with the groups of threats below]

• Eavesdropping, traffic analysis
• Masquerade as:
  - Mobile station (e.g. for fraudulent usage)
  - Base station
• Denial of service

• Misuse of a stolen terminal
• Tamper with the crypto information (e.g., cloning)
• Repudiation of service usage

• Unveiling crypto information of the user
• Unveiling identity/location of the user

• Unauthorized access to data
• Threats to integrity
• Denial of service
• Repudiation
• Unauthorized access to services

41

The Lin Harn protocol

• Purpose: provide security in case of roaming mobile users
• Protect the mobile user, the visited network and the home network
• In particular:
  – Protect the identity of the mobile user
  – Avoid unveiling cryptographic material to the visited network, which it could use (or an attacker could use) against the will of the mobile user.

42

The Lin Harn protocol: requirements

Security requirements
• Caller ID confidentiality: the identity of the user should be hidden, including to the visited network
• Non-repudiation of service (e.g., the mobile user should not be able to deny the usage of service)
• Shared secret key between the mobile and the visited network, renewed for each session

Implementation requirements
• Limited computing power of the mobile station: time-consuming public key cryptographic techniques should be avoided
• Validation delay: the number of interactions between the mobile station, the visited network and the home network should be limited

43

The Lin Harn protocol: mobile station registration

Participants: Mobile M, Base station B (visited network), Home Network H

Initial shared key: $K_{MH}$

• B → M: $N_B$
• M → B: $E_{PK_H}(M, E_{K_{MH}}(N_B), N_M),\ N_B,\ H$
• B → H: $E_{PK_H}(M, E_{K_{MH}}(N_B), N_M),\ N_B,\ H$
• H → B: $k_0,\ N_M,\ c_1, \dots, c_m$
• Allocate a temporary identity $M_t$ to M
• B → M: $E_{k_0}(M_t, N_M, PK_B)$

Computation:

$$k_0 = h2(K_{MH},\ h1(E_{K_{MH}}(N_B), N_M))$$

and, for $i = 1, \dots, m$:

$$r_i = h1(K_{MH}, k_{i-1})$$
$$k_i = h2(k_{i-1}, r_i)$$
$$c_i = h3(r_i)$$

44

Computation of the parameters

[Figure: hash chain. $K_{MH}$, $E_{K_{MH}}(N_B)$ and $N_M$ pass through h1 and h2 to give $k_0$; then, for each i up to m, h1 gives $r_i$, h2 gives $k_i$, and h3 applied to $r_i$ gives $c_i$]

• h1, h2: one-way keyed hash function
• h3: one-way hash function
• $c_i$: session key of the ith session

45

The Lin Harn Protocol: Mobile Station Origination Protocol

Participants: Mobile M, Base station B (visited network)

• Compute $r_i = h1(K_{MH}, k_{i-1})$
• M → B: $E_{PK_B}(M_t, r_i)$
• Check that $h3(r_i) = c_i$
• Set the session key to $c_i$
• Compute $k_i = h2(k_{i-1}, r_i)$
• B → M: $E_{k_i}(r_i)$

This protocol is activated for each call request made by the mobile

46

The Lin Harn Protocol: analysis

Security
• The subscriber can prove itself by presenting the $r_i$'s to the visited network; knowing the checking values $c_i$'s, the visited network can verify the legitimacy of the subscriber
• The identity of the mobile user is protected
• Security parameters of the mobile user (stored at the visited network) are protected
• Non-repudiation: by demonstrating the possession of the $r_i$'s, the visited network can prove that the service has been used

Performance
• Small number of exchanged messages
• The computational effort on the mobile side can be limited; e.g., encryption with the public keys $PK_H$ and $PK_B$ can be based on RSA with the low public exponent 3.
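The parameter chain of the registration and origination slides, as an added example that is not part of the original slides. HMAC-SHA256 and SHA-256 stand in for h1, h2 and h3, the public-key and symmetric encryption of the messages is left out, the ciphertext $E_{K_{MH}}(N_B)$ is a constructed byte string, and all class and function names are hypothetical.

```python
import hashlib
import hmac

# Assumption: the slides only say h1/h2 are one-way keyed hashes and h3 a one-way hash.
def h1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, b"h1|" + msg, hashlib.sha256).digest()

def h2(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, b"h2|" + msg, hashlib.sha256).digest()

def h3(msg: bytes) -> bytes:
    return hashlib.sha256(b"h3|" + msg).digest()

def derive_k0(k_mh: bytes, enc_nb: bytes, n_m: bytes) -> bytes:
    """k0 = h2(K_MH, h1(E_KMH(N_B), N_M)); enc_nb is the ciphertext E_KMH(N_B)."""
    return h2(k_mh, h1(enc_nb, n_m))

def home_registration(k_mh, enc_nb, n_m, m):
    """Home network H: return (k0, [c_1..c_m]), the values handed to B."""
    k0 = derive_k0(k_mh, enc_nb, n_m)
    k, checks = k0, []
    for _ in range(m):
        r = h1(k_mh, k)          # r_i = h1(K_MH, k_{i-1}): requires K_MH
        k = h2(k, r)             # k_i = h2(k_{i-1}, r_i)
        checks.append(h3(r))     # c_i = h3(r_i)
    return k0, checks

class Mobile:
    def __init__(self, k_mh, k0):
        self.k_mh, self.k = k_mh, k0

    def originate(self) -> bytes:
        """Call request i: reveal r_i and advance the chain to k_i."""
        r = h1(self.k_mh, self.k)
        self.k = h2(self.k, r)
        return r

class VisitedNetwork:
    def __init__(self, k0, checks):
        self.k, self.checks, self.i = k0, checks, 0
        self.proofs = []         # revealed r_i values, kept as evidence of usage

    def accept_call(self, r: bytes):
        """Return session key c_i if h3(r) == c_i, else None (state unchanged)."""
        if self.i >= len(self.checks):
            return None          # all m values used: a new registration is needed
        c_i = self.checks[self.i]
        if not hmac.compare_digest(h3(r), c_i):
            return None
        self.k = h2(self.k, r)
        self.i += 1
        self.proofs.append(r)
        return c_i

def run_demo() -> dict:
    # Constructed sample values; real nonces are random and K_MH is provisioned.
    k_mh = bytes(range(32))
    n_b, n_m = b"nonce-from-B", b"nonce-from-M"
    enc_nb = hmac.new(k_mh, b"E|" + n_b, hashlib.sha256).digest()  # stand-in for E_KMH(N_B)
    k0, checks = home_registration(k_mh, enc_nb, n_m, m=3)
    mobile = Mobile(k_mh, derive_k0(k_mh, enc_nb, n_m))
    visited = VisitedNetwork(k0, checks)
    r1 = mobile.originate()
    out = {"first_ok": visited.accept_call(r1) == checks[0]}
    out["replay"] = visited.accept_call(r1)            # r_1 does not match c_2
    out["forged"] = visited.accept_call(h1(k0, k0))    # built from B's data only
    out["rest_ok"] = [visited.accept_call(mobile.originate()) for _ in range(2)] == checks[1:]
    out["in_sync"] = mobile.k == visited.k
    out["exhausted"] = visited.accept_call(mobile.originate())
    out["proofs"] = len(visited.proofs)
    return out
```

The visited network holds only $k_0$ and the $c_i$, so it can verify each $r_i$ but cannot compute the next one, which is what the non-repudiation argument above relies on.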

47

Billing in mobile networks

Example Scenario

1. Technical view:

[Figure: a user reaching an information server across the backbone network]

2. Business view:

[Figure: User, Access Network Operator, Backbone Network Operator and Information Service Provider, linked by relations of service provision, payment and trust]

48

Business model

[Figure: > 1 B potential users and 1 M+ connectivity and information service providers]

• Privacy?
• Authentication?
• Payment and billing?
• User customization?
• National regulations?
• Disputes (bankrupts, order or usage repudiations,…)?

49

The customer care

[Figure: User; Customer care agency; Cellular network operators, Long distance network operators, Satellite network operators, Information service providers]

50

Requirements

[Figure: Customer care agency, User and Service provider, annotated with the requirements below]

R1: Free choice of the customer care agency

R2: Protection of user’s privacy (anonymity)

R3: Agreement on tariff at session setup

R4: Very small amounts supported

R5: Continuous information about cost

R6: Accurate and non repudiable bill

R7: Future-proof mechanism

51

Facts and problems

Facts
• growing number of mobile users (> 1 billion in the near future)
• growing number of service providers (~ millions in the near future)
  – basic communication services (connectivity)
  – value-added services (information services)

Problems
• lack of trust
  – service providers do not trust users: illegitimate service usage (fraud); denial of service usage
  – users do not trust service providers: leaking of information related to service usage (monitoring of users’ activity); incorrect charging
• scalability
  – on-line cross-domain authentication

52

Customer Care Agency Vs Service Provider

- selects / recommends service providers for its users
- handles payments on behalf of its users
- protects user privacy
- prevents / resolves conflicts
- provides personal customization
- etc.

- control
- business agreements

- specialization
- control
- reputation
- separation of concern

53

Operating principle

[Figure: User, Customer care agency and Service provider; the interactions are marked off-line or on-line]

1. request
2. generate ticket
3. ticket
4. ticks
5. service
6. ticks
7. payment

54

Initial situation

[Figure: Customer care agency (A), User (U) and Service provider (S). Labels: long-term key $K_{UA}$; knows $PK_S$; knows $PK_A$; business agreement]

55

Ticket acquisition

[Figure: Customer care agency, User and Service provider; the Ticket consists of a Header and n Ticks]

• Request: $(id_U, rnd_0)$
• $c_n = g^{(n)}(c_0)$
• $T = Sig_{PK_A^{-1}}(sn, c_n, \alpha^{a_U} \bmod p, PK_U)$
• $E_{K_{UA}}(T, c_0, a_U, PK_U^{-1}, rnd_0)$

Notation:
• $c_0$: freshly generated random seed
• $rnd$: freshly generated random number
• $g$: one-way function
• $sn$: serial number of the ticket
• $\alpha$ and $p$: publicly known
• $a_U$: secret D-H parameter
• $PK_A^{-1}$: private key of the agency
• $PK_U^{-1}$: private key of the user

56

Ticket usage (setup)

[Figure: Customer care agency, User and Service provider; the Ticket consists of a Header and n Ticks]

• $\alpha^{a_S} \bmod p$
• Service request: $rnd_1,\ T = Sig_{PK_A^{-1}}(sn, c_n, \alpha^{a_U} \bmod p, PK_U)$
• Tariff proposal: $rnd_2,\ tf,\ h(tf, k, rnd_1)$
• Commitment to tariff: $Sig_{PK_U^{-1}}(sn, tf, rnd_2)$
• $k = (\alpha^{a_S})^{a_U} \bmod p$
• $k = (\alpha^{a_U})^{a_S} \bmod p$

Notation:
• $tf$: tariff
• $k$: session key
• $h$: one-way hash function

57

Ticket Usage (service provision)

[Figure: Customer care agency, User and Service provider; the Ticket consists of a Header and the ticks, of which d ticks are handed over]

• d ticks: $c_{n-d}$, with $c_{n-d} = g^{(n-d)}(c_0)$
• Check: $g^{(d)}(c_{n-d}) = c_n$ ?
• $E_k(\text{service})$

d: price of the first piece of service (expressed in ticks)

58

Clearance and billing

[Figure: Customer care agency, User and Service provider]

• $Sig_{PK_S^{-1}}(Sig_{PK_U^{-1}}(sn, tf, rnd_2), c_l)$
• Check consistency with Ticket T
• Bill (after aggregation)
• Payment (after aggregation)
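The tick chain used in ticket acquisition, service provision and clearance, as an added example that is not part of the original slides. SHA-256 stands in for the one-way function g, the signatures on the ticket and on the tariff commitment are left out, and the class and function names are hypothetical.

```python
import hashlib
import hmac

def g(x: bytes) -> bytes:
    """One-way function g; SHA-256 is an assumption, the slides do not name one."""
    return hashlib.sha256(x).digest()

def iterate(x: bytes, times: int) -> bytes:
    """g applied `times` times, written g^(times)(x) on the slides."""
    for _ in range(times):
        x = g(x)
    return x

class UserWallet:
    """Holds the seed c_0 and releases c_{n-d}, c_{n-d-d'}, ... as payment."""
    def __init__(self, c0: bytes, n: int):
        self.c0, self.n, self.spent = c0, n, 0

    def pay(self, d: int) -> bytes:
        if d <= 0 or self.spent + d > self.n:
            raise ValueError("not enough ticks left on this ticket")
        self.spent += d
        return iterate(self.c0, self.n - self.spent)

class ProviderMeter:
    """Service provider: starts from c_n, taken from the signed ticket T."""
    def __init__(self, c_n: bytes):
        self.last, self.received = c_n, 0

    def accept(self, tick: bytes, d: int) -> bool:
        """Credit d ticks only if g^(d)(tick) equals the last accepted value."""
        if d <= 0 or not hmac.compare_digest(iterate(tick, d), self.last):
            return False
        self.last, self.received = tick, self.received + d
        return True

def clearance(c_n: bytes, n: int, c_l: bytes):
    """Agency: ticks proven by c_l, i.e. j with g^(j)(c_l) == c_n, else None."""
    x = c_l
    for j in range(n + 1):
        if hmac.compare_digest(x, c_n):
            return j
        x = g(x)
    return None

def run_demo() -> dict:
    # Constructed sample values: seed c_0 and a ticket worth n = 10 ticks.
    c0, n = b"constructed-seed-c0", 10
    c_n = iterate(c0, n)
    wallet, meter = UserWallet(c0, n), ProviderMeter(c_n)
    t1 = wallet.pay(3)                       # c_7
    out = {"pay3": meter.accept(t1, 3)}
    t2 = wallet.pay(2)                       # c_5
    out["overclaim"] = meter.accept(t2, 4)   # provider-side check of a wrong count
    out["pay2"] = meter.accept(t2, 2)
    out["replay"] = meter.accept(t1, 3)      # old tick no longer chains to `last`
    out["billed"] = clearance(c_n, n, meter.last)
    out["bogus"] = clearance(c_n, n, b"\x00" * 32)
    out["received"] = meter.received
    return out
```

The provider can only present values the user released, so the count returned by `clearance` is bounded by what was actually paid; this is the loss bound the deck later calls ticket slicing.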

59

Trust and scalability

Trust
• access to services is based on anonymous tickets
• the customer care agency can link tickets to real identities
• the service provider is always authenticated
• potential loss due to incorrect charging or to denial of payment is very low (ticket slicing)

Scalability
• no on-line cross-domain authentication
• interaction with the customer care agency is removed from the critical path (off-line)

60

Further advantages

Separation of roles
• the customer care role is factored out from service providers

Gradual deployment
• at the beginning, the customer care role can be played by service providers
• later, other organizations (e.g., credit card organizations) are expected to play the customer care role

Efficiency
• expensive operations are off-line
• mobile users have a stationary agent in the fixed network

Flexibility
• very short term relationships between users and service providers

61

Some (unavoidable?) disadvantages

Centralized solution
• the customer care agency can be a bottleneck and single point of failure; it is therefore an ideal target to attack

Complex (cryptographic) protocols

Infrastructure
• customer care agencies

Commonly deployed mechanisms
• standardized protocols for tickets

62

Conclusion on billing

Problem: lack of trust, scalability problems in future mobile networks

Solution:
• new business role: customer care agency
• ticket based access to services

Features:
• solves the trust and scalability problems
• clear separation of roles
• gradual deployment
• efficiency and flexibility
• requires complex, standardized protocols and infrastructure
• centralized solution

63

General conclusion on cellular networks

• Huge technical problem
• Physical layer barely considered in this course
• We have addressed network capacity, security and billing
• System aspects not covered in this chapter:
  – MAC layer
  – traffic analysis
  – network dimensioning

64

References

About cellular networks in general:
• S. Tabbane: Handbook of mobile radio networks. Artech House, 2000

About the capacity of cellular networks:
• T. Rappaport: Wireless Communications, 2nd edition, Prentice Hall, 2001

About security in cellular networks:
• H. Lin, L. Harn: Authentication protocols for personal communication systems. SIGCOMM’95

About billing:
• L. Buttyan and JP Hubaux: Accountable Anonymous Service Usage in Mobile Communication Systems. Workshop for Electronic Commerce (WELCOM), Oct. 1999 (available at lcawww.epfl.ch)
• M. Peirce and D. O’Mahony: Flexible Real-Time Payment Methods for Mobile Communications. IEEE Personal Communications, Dec. 1999