All rights reserved
After completing this course, trainees should understand the
following content:
GSM security management
PLMNs need a higher level of protection than traditional
telecommunication networks. Therefore, to protect GSM systems, the
following security functions have been defined:
Subscriber authentication: By performing authentication, the
network ensures that no unauthorized users can access the network,
including those that are attempting to impersonate others.
Radio information ciphering: The information sent between the
network and an MS is ciphered. An MS can only decipher information
intended for itself.
Mobile equipment identification: Because the subscriber and the
equipment are separate in GSM, a separate identification process for
the MS equipment is needed. This ensures, for example, that a stolen
mobile terminal is not able to access the network.
Subscriber identity confidentiality: During communication with an
MS over a radio link, it is desirable that the real identity (IMSI)
of the MS is not always transmitted. Instead a temporary identity
(TMSI) can be used. This helps to avoid subscription fraud.
The AUC and EIR are involved in the first three of the above
features, while the last is handled by MSC/VLRs.
GSM Security Management
Authentication may be executed during setup, location updating and
supplementary services. Authentication is done by AUC.
The primary function of an AUC is to provide information which is
then used by an MSC/VLR to perform subscriber authentication and to
establish ciphering procedures on the radio link between the
network and MSs. The information provided is called a triplet and
consists of:
A non predictable RANDom number (RAND)
A signed RESponse (SRES)
A ciphering key (Kc)
HUAWEI TECHNOLOGIES CO., LTD.
At subscription time, each subscriber is assigned a subscriber
authentication Key (Ki). Ki is stored in the AUC along with the
subscriber’s IMSI. Both are used in the process of providing a
triplet. The same Ki and IMSI are also stored in the SIM. In an AUC
the following steps are carried out to produce one triplet:
1. A non-predictable random number, RAND, is generated.
2. RAND and Ki are used to calculate SRES and Kc, using two
different algorithms, A3 and A8 respectively.
3. RAND, SRES and Kc are delivered together to the HLR as a
triplet.
1. The MSC/VLR transmits the RAND to the MS.
2. The MS computes the signature SRES using RAND and the subscriber
authentication key (Ki) through the A3 algorithm.
3. The MS computes the Kc by using Ki and RAND through A8
algorithm. Kc will thereafter be used for ciphering and deciphering
in MS.
4. The signature SRES is sent back to the MSC/VLR, which performs
authentication by checking whether the SRES from the MS and the
SRES from the AUC match. If so, the subscriber is permitted to use
the network. If not, the subscriber is barred from network
access.
Figure: Authentication Procedure (performed at each registration).
1. MSC/VLR sends RAND to the MS.
2. MS calculates SRES using RAND + Ki (SIM card) through A3, and Kc
using RAND + Ki through A8.
3. MS returns SRES to the MSC/VLR.
4. MSC/VLR compares the SRES received from the MS with the SRES in
the triplet. If they are equal, access is granted.
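The triplet generation and challenge-response described above, as an added simulation that is not part of this course material. A3 and A8 are operator-specific and are replaced here by an assumed HMAC-SHA256 stand-in; the IMSI and Ki values are constructed. Note that Ki never leaves the AUC or the SIM, and that only the MS is authenticated, not the network.

```python
import hmac
import hashlib
import secrets

# Toy stand-ins for A3 and A8 (assumption: HMAC-SHA256 keyed with Ki, not the
# operator-specific GSM algorithms). Sizes match GSM: SRES is 32 bits, Kc is 64 bits.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AUC:
    """Stores Ki against IMSI and produces (RAND, SRES, Kc) triplets. Ki never leaves here."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)           # step 1: non-predictable 128-bit RAND
        return rand, a3(ki, rand), a8(ki, rand)  # step 2: SRES via A3, Kc via A8

class SIM:
    """Holds the subscriber's IMSI and Ki; only RAND goes in, only SRES and Kc come out."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

def authenticate(triplet, sim):
    """MSC/VLR side: send RAND (step 1), receive SRES and compare with the triplet (step 4).
    Returns (granted, Kc); Kc is released for ciphering only on a match."""
    rand, sres_auc, kc_auc = triplet
    sres_ms, _kc_ms = sim.run_gsm_algorithm(rand)  # steps 2-3 happen on the MS
    if hmac.compare_digest(sres_ms, sres_auc):
        return True, kc_auc
    return False, None

if __name__ == "__main__":
    auc = AUC()
    auc.provision("001010123456789", bytes(range(16)))  # constructed IMSI and Ki
    good_sim = SIM("001010123456789", bytes(range(16)))
    print(authenticate(auc.triplet("001010123456789"), good_sim)[0])
```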
Confidentiality means that user information and signaling exchanged
between BTS’s and MS’s is not disclosed to unauthorized
individuals, entities or processes.
A ciphering sequence is produced using Kc and the TDMA frame number
as inputs to the encryption algorithm A5. The purpose of this is to
ensure privacy of user information (speech and data) as well as
user-related signaling elements.
In order to test the ciphering procedure, a sample of information
must be used. For this purpose the actual ciphering mode command
(M) is used.
1. M and Kc are sent from the MSC/VLR to the BTS.
2. M is forwarded to the MS.
3. M is encrypted using Kc (calculated earlier with SRES in the
authentication procedure) and the TDMA frame number which are fed
through the encryption algorithm, A5.
4. The encrypted message is sent to the BTS.
5. Encrypted M is decrypted in the BTS using Kc, the TDMA frame
number and the decryption algorithm, A5.
6. If the decryption of M was successful, the ciphering mode
completed message is sent to the MSC. All information over the air
interface is ciphered from this point on.
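The six-step ciphering test above, as an added simulation that is not part of this course material. The real A5 algorithm is replaced by an assumed HMAC-SHA256 keystream stand-in; the example also shows why the TDMA frame number is an input, since it gives every frame a different keystream under the same Kc.

```python
import hmac
import hashlib

def a5_keystream(kc: bytes, frame_number: int, length: int) -> bytes:
    """Toy stand-in for A5 (assumption: HMAC-SHA256 in counter mode keyed with Kc,
    not the real A5/1 or A5/2). As in A5, the keystream depends on both Kc and the
    22-bit TDMA frame number."""
    if not 0 <= frame_number < 2 ** 22:
        raise ValueError("TDMA frame number is a 22-bit value")
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = frame_number.to_bytes(3, "big") + counter.to_bytes(4, "big")
        out += hmac.new(kc, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def a5_cipher(kc: bytes, frame_number: int, data: bytes) -> bytes:
    """Ciphering and deciphering are the same operation: XOR with the keystream."""
    keystream = a5_keystream(kc, frame_number, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))

def ciphering_mode_procedure(kc_at_bts: bytes, kc_at_ms: bytes, frame_number: int,
                             m: bytes = b"CIPHERING MODE COMMAND") -> str:
    """Steps 1-6 of the test. kc_at_bts is the Kc the MSC/VLR took from the triplet;
    kc_at_ms is the Kc the MS derived with A8 during authentication."""
    # 1-2: M and Kc reach the BTS; M is forwarded to the MS (ciphering not yet active)
    # 3-4: MS ciphers M with its Kc and the current frame number and returns it
    m_ciphered = a5_cipher(kc_at_ms, frame_number, m)
    # 5: BTS deciphers with the Kc it received from the MSC/VLR
    m_recovered = a5_cipher(kc_at_bts, frame_number, m_ciphered)
    # 6: only a successful decipher triggers Ciphering Mode Complete
    return "CIPHERING MODE COMPLETE" if m_recovered == m else "CIPHERING FAILED"

if __name__ == "__main__":
    kc = bytes.fromhex("0011223344556677")  # constructed 64-bit Kc
    print(ciphering_mode_procedure(kc, kc, frame_number=1234))
```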
Figure: Ciphering Procedure. Legend: M = Ciphering Mode Command;
M’ = Ciphering Mode Complete; Kc = Ciphering key; VLR = Visitor
Location Register.
Temporary Mobile Subscriber Identity (TMSI)
The Temporary Mobile Subscriber Identity (TMSI) is a temporary IMSI
number made known to an MS at registration. It is used to protect
the subscriber’s identity on the air interface. The TMSI has local
significance only (that is, within the MSC/VLR area) and is changed
at time intervals or when certain events occur such as location
updating. Every operator can choose its own TMSI structure, but it
should not consist of more than 8 digits.
The equipment identification procedure uses the identity of the
equipment itself (IMEI) to ensure that the MS terminal equipment is
valid.
1. The MSC/VLR requests the IMEI from the MS.
2. MS sends IMEI to MSC.
3. MSC/VLR sends IMEI to EIR.
4. On reception of IMEI, the EIR examines three lists:
A white list containing all number series of all equipment
identities that have been allocated in the different participating
GSM countries.
A black list containing all equipment identities that have been
barred.
A gray list (at operator level) containing faulty or non-approved
mobile equipment.
5. The result is sent to MSC/VLR, which then decides whether or not
to allow network access for the terminal equipment.
GSM Basic Call Sequence
The call flows for the calling MS and the called MS are two
independent flows. The calling party's flow begins with the channel
request and ends with the completion of TCH assignment. In general,
the calling side includes the following stages: access process,
authentication and ciphering process, and TCH assignment process.
The mobile-to-land sequence is taken as the example; in this
sequence we mainly focus on the calling party.
GSM Basic Call Sequence
For the called party, the flow begins when the MSC sends a paging
command to the called party and ends when the two parties start
talking. In general, this call flow includes the following stages:
access process, authentication and ciphering process, TCH
assignment process, talk process, and release process.
Figure: Land to Mobile Sequence (call setup). Labels: 5 Page /
Paging Request; Ringing stops at land phone; Subscriber picks up.
Normal Location Update
Reads the LAI broadcast on the BCCH.
Compares it with the last stored LAI and, if it is different, does a
location update.
IMSI Attach
Saves the network from paging an MS which is not active in the
system.
When the MS is turned off or the SIM is removed, the MS sends a
detach signal to the network and is marked as detached.
When the MS is powered on again, it reads the current LAI and, if
it is the same, does a location update of type IMSI attach.
Attach/detach flag is broadcast on the BCCH sys info.
Periodic Location Update
Many times the MS enters a non-coverage zone.
The network would then keep on paging the MS, wasting precious
resources.
To avoid this, the MS has to inform the MSC about its current LAI
within a set period of time.
This time ranges from 0 to 255 deci-hours.
Periodic location timer value is broadcast on BCCH sys info
messages.
Location Update
Intra-VLR Location Update Sequence
Inter-VLR Location Update Sequence
Figure: Intra-VLR Location Update Sequence (on SDCCH, using TMSI).
Note on the HLR leg: the update is only sent to the HLR if this is
the first time the MS has performed a location update in this VLR.
Figure: MO SMS Transfer and MT SMS Transfer. Entities: MS, Serving
MSC, VLR, HLR, Gateway MSC, SC.
3. Location Update Sequence