
17.1 Cellular Telephony Frequency Reuse Principle Transmitting Receiving Handoff Roaming First Generation Second Generation Third Generation Cellular telephony


17.1 Cellular Telephony

Frequency Reuse Principle

Transmitting

Receiving

Handoff

Roaming

First Generation

Second Generation

Third Generation

Cellular telephony


Figure 17.1 Cellular system

Radius typically 1 to 12 miles

Depends on population density


Figure 17.2 Frequency reuse patterns


Global System for mobile communication

GSM


GSM

• More than 800 million end users in 190 countries and representing over 70% of today's digital wireless market.

• Better security. GSM authentication is discussed at the end of this discussion.

GSM is a digital cellular phone system using TDMA and FDMA.


Figure 17.7 GSM bands


Figure 17.8 GSM


GSM Standardization and Service Aspects

• The GSM standard was developed by the Groupe Spécial Mobile.

• Work was started in 1982, and the first specifications became available in 1990.

• Services:

– telephony

– emergency calling

– voice messaging

– call offering services: call forwarding

– call restriction services: call barring

– call waiting service

– call hold service

– multi party service: tele conferencing

– calling line presentation restriction services

– advice of charge service

– closed user group service


GSM Network Architecture


A different View


Introduction to the architecture

• The subsystems are:

1. Base Station Subsystem (BSS)

2. Network & Switching Subsystem (NSS)

3. Operation & Support Subsystem (OSS)


Mobile Station

• Mobile station communicates across Um interface (air interface) with base station transceiver in same cell as mobile unit

• Power level: 0.8 - 8.0 Watt.

• At the time of manufacture an international mobile equipment identity (IMEI) is programmed into the terminal.

• Mobile equipment (ME) – physical terminal, such as a telephone or PCS

– ME includes radio transceiver, digital signal processors and subscriber identity module (SIM)

• SIM (Subscriber Identity Module)

i. GSM subscriber units are generic until SIM is inserted

ii. SIM may be contained in the MS or it can be inserted in the MS.

iii. SIMs roam, not necessarily the subscriber devices

iv. The SIM provides personal mobility, so that the user can have access to subscribed services irrespective of a specific terminal. By inserting the SIM card into a GSM terminal, the user is able to receive and make calls at that terminal, and receive other subscribed services. Without the SIM, the terminal will not work.

v. The mobile equipment is uniquely identified by the International Mobile Equipment Identity (IMEI).

vi. The SIM card contains the International Mobile Subscriber Identity (IMSI) used to identify the subscriber to the system, a secret key for authentication, and other information.

vii. The IMEI and the IMSI are independent, thereby allowing personal mobility.

viii. The SIM card may be protected against unauthorized use by a password or personal identity number (PIN).


Base Station Subsystem (BSS)

• BSS consists of base station controller and one or more base transceiver stations (BTS)

• Each BTS defines a single cell

– Includes radio antenna, radio transceiver and a link to a base station controller (BSC)

The range of functions performed by the BSS therefore includes the following:

• Radio resource control

– configuration of radio channels

– selection, allocation, and deallocation of radio channels

– monitoring of radio channel busy/idle status

– encryption of radio interface

• Frequency hopping and power control

– assignment of frequency-hop sequence and start time

– assignment of effective radiated power (ERP) values to mobile stations

• Handoff management

– collect signal quality data from adjacent BSSs

– analyze signal quality data and determine handoff need

– keep MSC informed regarding handoff activity

• Digital signal processing

– transcoding and rate adaption

– channel coding and decoding


Base Transceiver Station

• The BTS corresponds to the transceivers and antennas used in each cell of the network.

• It handles the radio-link protocols with the Mobile Station.

• A BTS may be placed in the center of a cell (omni-directional) or shooting in one or more specific directions (sectorized). Its transmitting power defines the size of a cell.

• Each BTS has typically between one and sixteen transceivers depending on the density of users in the cell.

• In a large urban area, there will potentially be a large number of BTSs deployed, thus the requirements for a BTS are ruggedness, reliability, portability, and minimum cost.


Base Station Controller

• The BSC controls a group of BTSs and manages their radio resources.

• It handles radio-channel setup, handover, frequency hopping and the radio frequency power levels of the BTSs.

• The BSC is the connection between the mobile station and the Mobile service Switching Center (MSC).

• Before transmitting speech or data to the MSC, the information is transformed and coded in a transcoder.


Mobile services and Switching Centre (MSC)

• The MSC is a very central component of the GSM network. The MSC performs the switching functions of the network and also provides connection to other networks.

• It additionally provides all the functionality needed to handle a mobile subscriber, such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber.

• Signaling between functional entities in the Network Subsystem uses Signaling System Number 7 (SS7) protocol.


Mobile Switching Center (MSC) Databases

• Home location register (HLR) database – stores information about each subscriber that belongs to it

• Visitor location register (VLR) database – maintains information about subscribers currently physically in the region

• Authentication center database (AuC) – used for authentication activities, holds encryption keys

• Equipment identity register database (EIR) – keeps track of the type of equipment that exists at the mobile station


Functions of Mobile Switching Center

• Call setup, supervision and release

• Digit collection and translation

• Call routing

• Billing information collection

• Mobility management

1. Registration

2. Location updating

3. Inter-BSS and inter-MSC call handoffs

• Paging and alerting

• Management of radio resources during a call

• Management of connections to BSS, other MSCs and PSTN/ISDN

• Interrogation of appropriate registers (VLR/HLR)


Home Location Register

• The HLR is a network database that contains all the administrative information of each subscriber registered in the GSM network, along with the current location of the mobile.

• Subscription data states the logical identity of each subscriber (MS) and which services are accessible or barred for the respective subscriber.

• The location of the mobile is typically in the form of the address of the Visitor Location Register (VLR) associated with the mobile station. This information is used to route calls and SMS to the MSC/VLR where the mobile station is currently located.

• The HLR also contains a number of functions for managing these data, controlling services and enabling subscribers to access and receive their services when roaming within and outside their home GSM network.

• The HLR is kept updated with the current locations of all its mobile subscribers, including those who may have roamed to another network operator within or outside the country.


HLR maintains the following subscriber data on a permanent basis

• International mobile subscriber identity (IMSI)

• Service subscription information

• service restrictions

• supplementary services (subscribed to)

• mobile terminal characteristics

• billing/accounting information


Visitor Location Register (VLR)

• The VLR is always implemented together with an MSC, so the area under control of the MSC is also the area under control of the VLR.

• The VLR contains selected information from a subscriber's HLR necessary for call control and provisioning of the subscribed services to the visiting user.

• The VLR represents a temporary data store, and generally there is one VLR per MSC.

• This register contains information about the mobile subscribers who are currently in the service area covered by the MSC/VLR.

• The VLR also contains information about locally activated features such as call forward on busy.

• The temporary subscriber information resident in a VLR includes:

– features currently activated

– temporary mobile station identity (TMSI)

– current location information about the MS (e.g., location area and cell identities)


Authentication Center (AC)

• The AUC generates authentication and ciphering data.

• The purpose of the authentication security feature is to protect the network against unauthorized use. It also protects subscribers by denying the possibility for intruders to impersonate authorized users.

• The ciphering data is used to ensure that confidentiality and integrity are kept on the physical radio channels. Ciphering prevents user information and signalling from being available or disclosed to unauthorized individuals.

• In case of GSM, the AC maintains the authentication keys and algorithms, and provides the security triplets (RAND, SRES, and Kc) to the VLR so that the user authentication and radio channel encryption procedures may be carried out within the visited network.

• The authentication center for GSM contains the security modules for the authentication keys (Ki) and the authentication and cipher key generation algorithms A3 and A8, respectively.


Equipment Identity Register (EIR)

• The EIR maintains information to authenticate terminal equipment so that fraudulent, stolen, or non-type-approved terminals can be identified and denied service.

• The information is in the form of white, gray, and black lists that may be consulted by the network when it wishes to confirm the authenticity of the terminal requesting service.


Standards of Mobile Communications

• In Bangladesh - Operators

1. GSM (GP, AKtel, BanglaLink, Warid, TeleTalk, Rangstel)

2. CDMA 2000 1xRTT (Citycell)

Vendor: Ericsson, Nokia Siemens, Huawei


GEOGRAPHICAL NETWORK STRUCTURE

[Figure: cell, location area (LA), MSC/VLR service area, PLMN service area (one per operator), GSM service area]


GSM Reference Architecture and Function Partitioning

• Number of logical channels (number of time slots in TDMA frame): 8

• Maximum cell radius (R): 35 km

• Frequency: region around 900 MHz

• Maximum vehicle speed (Vm): 250 km/hr

• Bandwidth: Not to exceed 200 kHz (25 MHz per channel)


GSM Authentication

Vulnerabilities of wireless networks

• The channel can be listened to: By placing an antenna at an appropriate location, an attacker can overhear the information that the victim transmits or receives. Eavesdropping is often used to carry out attacks, notably passive attacks.

• The data can be altered: an attacker can try to modify the content of the message exchanged between (wireless) parties. These attacks are called active attacks.

• The radio channel can be overused: The radio spectrum being a shared resource, there is a risk that a wireless operator or a user makes an excessive use of it.


GSM Security


• Ki is the 128-bit Individual Subscriber Authentication Key utilized as a secret key shared between the Mobile Station and the Home Location Register of the subscriber's home network.

• RAND is a 128-bit random challenge generated by the Home Location Register.

• SRES is the 32-bit Signed Response generated by the Mobile Station and the Mobile Services Switching Center.

• Ck/Kc is the 64-bit ciphering key used as a Session Key for encryption of the over-the-air channel. Kc is generated by the Mobile Station from the random challenge presented by the GSM network and the Ki from the SIM utilizing the A8 algorithm.

• A8 ciphering key generating algorithm

• A3 authentication algorithm

• A5 ciphering algorithm


Location Updating


• The location updating feature is invoked when an active MS moves from one location area to another or when the MS tries to access the network and it is not already registered in the serving VLR for its present location. Location areas generally consist of multiple, contiguous cells and are identified by location area identities (LAI).

1. The MS sends a Location Update request to the VLR (new) via the BSS and MSC.

2. The VLR sends a Location Update message to the HLR serving the MS which includes the address of the VLR (new) and the IMSI of the MS. This updating of the HLR is not required if the new LA is served by the same VLR as the old LA.

3. The service and security related data for the MS is downloaded to the new VLR.

4. The MS is sent an acknowledgment of successful location update.

5. The HLR requests the old VLR to delete data relating to the relocated MS.


Mobile Call Origination


• Initially when the user enters the called number and presses the send key, the MS establishes a signaling connection to the BSS on a radio channel. This may involve authentication and ciphering.

• Once this has been established, the call setup procedures will take place:

1. The MS sends the dialed number indicating service requested to the MSC (via BSS).

2. The MSC checks from the VLR if the MS is allowed the requested service. If so, MSC asks the BSS to allocate necessary resources for the call.

3. If the call is allowed, the MSC routes the call to GMSC.

4. The GMSC routes the call to the Local Exchange of called user.

5. The LE alerts (applies ringing) the called terminal.

6. Answer back (ring back tone) from the called terminal to LE.

7. Answer back signal is routed back to the MS through the serving MSC which also completes the speech path to the MS.


PSTN Call origination


• The sequence relates to a call originating in the PSTN and terminating at an MS in a GSM network.

1. The PSTN user dials the MSISDN of the called user in GSM.

2. The LE routes the call to the GMSC of the called GSM user.

3. The GMSC uses the dialed MSISDN to determine the serving HLR for the GSM user and interrogates it to obtain the required routing number.

4. The HLR requests the current serving VLR for the called MS for an MSRN (MS Roaming Number) so that the call can be routed to the correct MSC.

5. The VLR passes the MSRN to the HLR.

6. The HLR passes the MSRN to the GMSC.

7. Using the MSRN, the GMSC routes the call to the serving MSC.

8. The MSC interrogates the VLR for the current Location Area Identity (LAI) for the MS.

9. The VLR provides the current location (LAI) for the MS.

10. The MSC pages the MS via the appropriate BSS. The MS responds to the page and sets up the necessary signaling links.

11. When the BSS has established the necessary radio links, the MSC is informed and the call is delivered to the MS.

12. When the MS answers the call, the connection is completed to the calling PSTN user.


Authentication and Encryption


• The authentication and ciphering functions in GSM are closely linked and are performed as a single procedure between the MS and the network.

• The security procedure in GSM is based on the so-called private key (or symmetric key) mechanism, which requires that a secret key (called Ki) be allocated and programmed into each mobile station.

• An authentication algorithm (A3), a cipher key generation algorithm (A8), and an encryption algorithm (A5) are also programmed into the MS at the time of service provisioning. The relevant call flows are:

1. At terminal location update, VLR sends IMSI to the HLR.

2. HLR returns security triplets (RAND, SRES, Kc) to the VLR.

3. For authentication and ciphering the VLR sends RAND to the MS.

4. Using stored A3 algorithm and secret key Ki stored in the SIM, and RAND provided by the VLR, the MS calculates the SRES and returns it to the VLR. Using the A8 algorithm and Ki, the MS also calculates the cipher key Kc.

5. If the SRES returned by the MS matches the stored SRES in the VLR, the VLR sends the cipher key Kc to the BTS which uses Kc for ciphering the radio path (downlink). The MS uses its Kc to cipher the radio path (uplink) using encryption algorithm A5.
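
The triplet exchange in steps 1 to 5 above, together with the AuC role described earlier, as an added Python example that is not part of the original slides. A3 and A8 are replaced by HMAC-SHA256 stand-ins truncated to the sizes given in the slides (32-bit SRES, 64-bit Kc); the class names, the IMSI and the Ki are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Stand-ins (assumption): the real A3/A8 are chosen by the operator and live
# only in the SIM and the AuC. HMAC-SHA256 is used here purely as a keyed
# one-way function, truncated to the sizes the slides give.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication algorithm stand-in: 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Cipher key generation stand-in: 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

@dataclass
class AuC:
    """Home network: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""
    keys: dict
    def triplet(self, imsi: str):
        ki = self.keys[imsi]
        rand = secrets.token_bytes(16)          # 128-bit random challenge
        return rand, a3(ki, rand), a8(ki, rand)

@dataclass
class SIM:
    """Subscriber side: Ki never leaves the card, only SRES is returned."""
    imsi: str
    ki: bytes
    def respond(self, rand: bytes):
        return a3(self.ki, rand), a8(self.ki, rand)

@dataclass
class VLR:
    """Visited network: sees triplets, never Ki."""
    auc: AuC
    pending: dict = field(default_factory=dict)
    def challenge(self, imsi: str) -> bytes:
        # Steps 1-3: fetch a triplet for this IMSI, send only RAND to the MS.
        self.pending[imsi] = self.auc.triplet(imsi)
        return self.pending[imsi][0]
    def verify(self, imsi: str, sres: bytes):
        # Step 5: compare SRES; the triplet is consumed so it cannot be reused.
        triplet = self.pending.pop(imsi, None)
        if triplet is None:
            return None
        _, expected, kc = triplet
        # Constant-time comparison; on success Kc is released to the BTS.
        return kc if hmac.compare_digest(sres, expected) else None

def authenticate(vlr: VLR, sim: SIM):
    """Run one exchange; return (Kc handed to the BTS or None, Kc in the MS)."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)             # step 4, inside the SIM
    return vlr.verify(sim.imsi, sres), kc_ms

# Constructed sample data: test IMSI and Ki, not real subscriber values.
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    vlr = VLR(AuC({IMSI: KI}))
    kc_bts, kc_ms = authenticate(vlr, SIM(IMSI, KI))
    print("genuine SIM accepted:", kc_bts is not None, "keys match:", kc_bts == kc_ms)
    kc_bts, _ = authenticate(vlr, SIM(IMSI, bytes(16)))
    print("SIM with wrong Ki accepted:", kc_bts is not None)
```

Only RAND and SRES cross the radio path; Ki stays in the SIM and the AuC, and the visited network works from the triplet alone.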


Inter-MSC Handoff


Handoff of calls already in progress from one channel to another may be invoked for one of the following reasons:

• to avoid dropped calls when a subscriber (with call in progress) crosses the boundary of one cell and moves into a neighboring cell

• to improve the global interference level

• to improve load balancing between adjacent cells

The main criterion for call handoff to avoid dropped calls is the quality of transmission for the ongoing connection, both uplink and downlink.

The handoffs may be intra-BSC, inter-BSC, or inter-MSC.


Call flow for inter-MSC call handoff


MS moves from cell A to cell B

1. BSC A informs MSC A that MS needs handover from BTS A to BTS B.

2. MSC A informs MSC B that a handover from BTS A to BTS B is underway.

3. MSC A commands BSC A/BTS A to proceed with handover to BTS B.

4. BTS A commands MS to change to a specified channel on BTS B.

5. MS informs BTS B that it is on specified channel on BTS B.

6. BTS B informs BSC A/MSC A that handover is complete.

7. MSC B informs MSC A that handover to BTS B is complete.

Note: MSC A continues to maintain control of call routing and connection