8/22/2019 Global System for Mobile Communication (GSM)-II
Global System for Mobile Communication (GSM)
Muhammad Ali Raza Anjum
Part II
The Network Switching Subsystem
The NSS plays the central part in every mobile network.
While the BSS provides the radio access for the MS, the various network elements within the NSS assume responsibility for the complete set of control and database functions required to set up call connections using one or more of these features:
encryption,
authentication, and
roaming.
To satisfy those tasks, the NSS consists of the following:
MSC (mobile switching center);
HLR (home location register)/authentication center (AuC);
VLR (visitor location register);
EIR (equipment identity register).
The subsystems are interconnected directly or indirectly via the worldwide SS7 network.
The network topology of the NSS is more flexible than the hierarchical structure of the BSS.
Several MSCs may, for example, use one common VLR; the use of an EIR is optional, and the number of subscribers determines the required number of HLRs.
Figure 1 The NSS.
Figure 1 provides an overview of the interfaces between the different network elements in the NSS.
Note that most interfaces are virtual, that is, they are defined as reference points for signaling between the network elements.
Home Location Register and Authentication Center
Every PLMN requires access to at least one HLR as a permanent store of data.
The concept is illustrated in Figure 2.
The HLR can best be regarded as a large database with access times that must be kept as short as possible.
The faster the response from the database, the faster the call can be connected.
Such a database is capable of managing data for literally hundreds of thousands of subscribers.
Figure 2 Only the SIM and the HLR know the value of Ki.
Within the HLR, subscriber-specific parameters are maintained, such as the parameter Ki, which is part of security handling.
Ki is never transmitted on any interface and is known only to the HLR and the SIM, as shown in Figure 2.
Each subscriber is assigned to one specific HLR, which acts as a fixed reference point and where information on the current location of the user is stored.
To reduce the load on the HLR, the VLR was introduced to support the HLR by handling many of the subscriber-related queries (e.g., localization and approval of features).
Because of the central function of the HLR and the sensitivity of the stored data, it is essential that every effort is taken to prevent outages of the HLR or the loss of subscriber data.
The AuC is always implemented as an integral part of the HLR.
The reason for this is that although GSM mentions the interface between the AuC and the HLR and has even assigned it a name, the H-interface, it was never specified in sufficient detail to be a standalone entity.
The only major function assigned to the AuC is to calculate and provide the authentication triplets,
that is, the signed response (SRES), the random number (RAND), and Kc.
For each subscriber, up to five such triplets can be calculated at a time and sent to the HLR.
The HLR, in turn, forwards the triplets to the VLR, which uses them as input parameters for authentication and ciphering.
Here is the process:
Ciphering [GSM 03.20]: used in GSM to encrypt data on the Air-interface between the mobile station and the BTS.
Encryption applies only to the Air-interface.
Therefore, tapping of a call is still possible on the terrestrial part of the connection.
The precondition for ciphering is successful authentication.
The process of authentication and activation of ciphering is performed in the following steps:
o For each mobile station, the VLR stores up to five different authentication triplets. Such a triplet consists of SRES, RAND, and Kc, and was originally calculated and provided by the HLR/AuC.
o First, the MS sends a connection request to the network (e.g., LOC_UPD_REQ). Among other things, this request contains the ciphering key sequence number (CKSN) and the mobile station classmark, which indicates what ciphering algorithms (A5/X) are available in the mobile station.
o The NSS (more precisely, the VLR) examines the CKSN and decides whether authentication is necessary (see CKSN). Particularly to establish a second connection while another connection already exists (e.g., for a multiparty call), it is obvious that authentication is not required a second time during the same network access. A message is sent to the MS in case authentication is necessary. This DTAP message (AUTH_REQ) contains the random number, RAND, received from the HLR/AuC. The MS (more precisely, the SIM) uses the RAND and the value Ki as well as the algorithm A3 to calculate SRES (authentication procedure).
o The MS sends the result of this calculation, the SRES, to the VLR. The VLR compares the SRES that the MS has sent with the one that the HLR/AuC had sent earlier. The authentication is successful if both values are identical.
o Immediately after calculating SRES, the MS uses RAND and Ki to calculate the ciphering key Kc via the algorithm A8.
o To activate ciphering, the VLR sends the value Kc that the AuC has calculated and a reference to the chosen A5/X algorithm via the MSC and the BSC to the BTS.
Figure 3 Calculation of SRES from Ki and RAND by use of A3.
Figure 4 Calculation of Kc from Ki and RAND by use of A8.
o The BTS retrieves the cipher key Kc and the information about the required ciphering algorithm from the ENCR_CMD message and only forwards the information about the A5/X algorithm in a CIPH_MOD_CMD message to the MS. That message triggers the MS to enable ciphering of all outgoing data and deciphering of all incoming information. The MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message.
o The algorithm A5/X uses the current value of the frame number (FN) at the time tx together with the cipher key Kc as input parameters. The outputs of this operation are the so-called ciphering sequences, each 114 bits long, whereby one is needed for ciphering and the other one for deciphering.
o The first ciphering sequence and the 114 bits of useful data of a burst are XORed to provide the encrypted 114 bits that are actually sent over the Air-interface. Note that the ciphering sequences are altered with every frame number, which in turn changes the encryption with every frame number.
o Deciphering takes place exactly the same way but in the opposite direction.
Figure 5 Functionality of ciphering of data.
Figure 6 Functionality of deciphering of data.
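The authentication and ciphering steps above, as an added Python sketch that is not part of the original slides. HMAC-SHA256 and SHAKE-256 stand in for the operator-specific A3/A8 and for A5/X (assumptions, not the real algorithms), the class and function names are hypothetical, and using the first sequence for the downlink is also an assumption.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 / SHAKE-256 are stand-ins so the flow is runnable;
# they are NOT the real A3, A8 or A5/X algorithms.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]  # 32-bit SRES

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]  # 64-bit Kc

def a5(kc: bytes, fn: int) -> tuple[int, int]:
    """Two 114-bit ciphering sequences derived from Kc and frame number FN."""
    stream = hashlib.shake_256(kc + fn.to_bytes(3, "big")).digest(30)
    bits = int.from_bytes(stream, "big") >> (240 - 228)  # keep 228 bits
    return bits >> 114, bits & ((1 << 114) - 1)

def auc_triplets(ki: bytes, count: int = 5) -> list[tuple[bytes, bytes, bytes]]:
    """HLR/AuC side: up to five (RAND, SRES, Kc) triplets handed to the VLR."""
    out = []
    for _ in range(count):
        rand = secrets.token_bytes(16)  # 128-bit challenge
        out.append((rand, a3(ki, rand), a8(ki, rand)))
    return out

class Sim:
    """MS/SIM side: holds Ki, answers AUTH_REQ and derives Kc locally."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def auth_response(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)

def vlr_authenticate(triplet, sim: Sim):
    """VLR side: only RAND goes out and SRES comes back; Ki never moves."""
    rand, expected_sres, kc_network = triplet
    sres, kc_ms = sim.auth_response(rand)
    return hmac.compare_digest(sres, expected_sres), kc_network, kc_ms

def cipher_burst(kc: bytes, fn: int, data114: int, uplink: bool) -> int:
    """XOR 114 bits of burst data with this direction's sequence for FN."""
    down_seq, up_seq = a5(kc, fn)
    return data114 ^ (up_seq if uplink else down_seq)
```

Calling `cipher_burst` a second time with the same Kc, FN and direction deciphers the burst, which is the "same way but in the opposite direction" step.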
Visitor Location Register
The VLR, like the HLR, is a database, but its function differs from that of the HLR.
While the HLR is responsible for more static functions, the VLR provides dynamic subscriber data management.
Consider the example of a roaming subscriber.
As the subscriber moves from one location to another, data are passed from the VLR of the location the subscriber is leaving (old VLR) to the VLR of the location being entered (new VLR).
In this scenario, the old VLR hands over the related data to the new VLR.
There are times when the new VLR has to ask the subscriber's HLR for additional data.
This question then arises: Does the HLR in GSM assume responsibility for the management of those subscribers currently in its geographic area?
The answer is NO.
Even if the subscriber happens to be in the home area, the VLR of that area handles the dynamic data.
This illustrates another difference between the HLR and the VLR.
The VLR is assigned a limited geographical area, while the HLR deals with tasks that are independent of a subscriber's location.
The term "HLR area" has no significance in GSM, unless it refers to the whole PLMN.
Typically, but not necessarily, a VLR is linked with a single MSC.
The GSM standard allows, as Figure 7 illustrates, the association of one VLR with several MSCs.
The initial intentions were to specify the MSC and the VLR as independent network elements.
However, when the first GSM systems were put into service in 1991, numerous deficiencies in the protocol between the MSC and the VLR forced the manufacturers to implement proprietary solutions.
Figure 7 The NSS hierarchy.
That is the reason the interface between the MSC and the VLR, the B-interface, is not mentioned in the specifications of GSM Phase 2.
GSM Recommendation 09.02 now provides only some basic guidelines on how to use that interface.
The table on the next slide lists the most important data contained in the HLR and the VLR.
The Mobile-Services Switching Center
From a technical perspective, the MSC is just an ordinary Integrated Services Digital Network (ISDN) exchange with some modifications specifically required to handle the mobile application.
That allows suppliers of GSM systems to offer their switches, familiar in many public telephone networks, as MSCs.
SIEMENS with its EWSD technology and ALCATEL with the S12 and the E10 are well-known examples that benefit from such synergy.
The modifications of exchanges required for the provision of mobile service affect, in particular, the assignment of user channels toward the BSS, for which the MSC is responsible, and the functionality to perform and control inter-MSC handover.
That defines two of the main tasks of the MSC.
We have to add the interworking function (IWF), which is needed for speech and nonspeech connections to external networks.
The IWF is responsible for protocol conversion between CC and the ISDN user part (ISUP), as well as for rate adaptation for data services.
Gateway MSC
An MSC with an interface to other networks is called a gateway MSC.
Figure 8 shows a PLMN with gateway MSCs interfacing other networks.
Network operators may opt to equip all of their MSCs with gateway functionality or only a few.
Any MSC that does not possess gateway functionality has to route calls to external networks via a gateway MSC.
The gateway MSC has some additional tasks during the establishment of a mobile terminating call from an external network.
The call has to enter the PLMN via a gateway MSC, which queries the HLR and then forwards the call to the MSC where the called party is currently located.
Figure 8 The functionality of the gateway MSC.
The Relationship Between MSC and VLR
The sum of the MSC areas determines the geographic area of a PLMN.
Looking at it another way, the PLMN can be considered as the total area covered by the BSSs connected to the MSCs.
Since each MSC has its own VLR, a PLMN also could be described as the sum of all VLR areas.
Note that a VLR may serve several MSCs, but one MSC always uses only one VLR. Figure 9 illustrates this situation.
That relationship, particularly the geographic interdependency, allows for the integration of the VLR into the MSC.
All manufacturers of GSM systems selected that option, since the specification of the B-interface was not entirely available on time.
In GSM Phase 2, the B-interface is no longer an open interface (as outlined above).
It is expected that this trend will continue.
A network operator still has the freedom to operate additional MSCs with a remote VLR, but that is somewhat restrictive in that all the MSCs must be supplied by the same manufacturer.
Figure 9 Geographic relationship between the MSC and the VLR.
Equipment Identity Register
The separation of the subscriber identity from the identifier of the MS (described in earlier slides) also bears a potential pitfall for GSM subscribers.
Because it is possible to operate any GSM MS with any valid GSM SIM, an opportunity exists for a black market in stolen equipment.
To combat that, the EIR was introduced to identify, track, and bar such equipment from being used in the network.
Each GSM phone has a unique identifier, its IMEI, which cannot be altered without destroying the phone.
The IMEI contains a serial number and a type identifier.
Like the HLR or the VLR, the EIR basically consists of a database.
It maintains three lists:
the white list contains all the approved types of mobile stations;
the black list contains those IMEIs known to be stolen or to be barred for technical reasons; and
the gray list allows tracing of the related mobile stations.
The prices for mobile equipment have fallen dramatically due to the great success of GSM.
Consequently, the theft rate is low.
Figure 10 Contents of the EIR.
Several GSM operators have decided not to install the
EIR or, at least, to postpone such installation for a while.
If the EIR is installed, there is no specification on when
the EIR should be interrogated.
The EIR may be queried at any time during call setup or
location update.
That is ALL for today!!!
I value your patience & time
THANK YOU VERY MUCH