Nokia Wireless

7/29/2019 Nokia Wireless

1/42

1 NOKIA FILENAMs.PPT/ DATE / NN

Mobile Technology Overview

Ed Gibbs

Technologist

ISSA - September 20, 2001

Sacramento, California


2/42


Ed Gibbs Biography

Prior: Digital Equipment Corporation, Lockheed-Martin, Dow

Jones & Company, and a few start-ups that dont existanymore!

Focus on Firewalls, VPN, internetworking, 802.11, Mobile Dataincluding WAP, and carrier infrastructure

Recently completed chapter for Eoghan Caseys new bookHandbook of Computer Crime to be published in

October/Nov. Collecting digital evidence within a cellular and 802.11

network

Contact Information: Nokia, 313 Fairchild Drive, Mountain View, CA 94043 Mobile: +1 650-868-9091 E-mail: [email protected]


3/42


Introduction

Why is understanding Cellular networking important?

As voice and data merge over cellular networks, you maybe tasked securing both

Wireless data handsets are inescapable

Carrier infrastructures are very complex to what degreeshould one become acquainted?

Just the basicsthats what well cover here today As security experts, theres significant value in obtaining this

knowledge to prepare you for the future

Carriers have enjoyed closed networks, opening them up tothe Internet is a major challenge


4/42


Types of Cellular Networks


5/425 NOKIA FILENAMs.PPT/ DATE / NN

Analog Mobile Phone Service

What is AMPS:

Commercially available in 1970 by Bell TelephoneLaboratories Geographic areas are subdivided into smaller areas which

are commonly known as cells Each cell has its own antenna that is set to operate at

distinct transmission frequencies

Communications occur at a set frequency in each direction

AMPS is still widely used today

7-cell pattern, each with

different frequencies to avoidinterference

824Mhz to 894Mhz with30Khz of bandwidthseparation per assignedchannel for Transmit/Receive



Digital Advanced Mobile Phone Service

D-AMPS is far more complex than AMPS and supports two

modes of operations Voice traffic is digital AMPS used for channel setup and signaling IS-54 Uses Time-Division Multiple Access (TDMA) to

divide the radio channels used by AMPS IS-136 (D-AMPS 1900) supports dual-mode, dual-band:

Dual-Mode: Analog or Digital

800Mhz cellular frequency used by AMPS

1900Mhz frequency spectrum Personal Communications

Service (PCS)

Allows for pages and short message services (SMS) of up to239 characters



Time Division Multiple Access

TDMA separates users by assigned time slots, which

minimizes interference from other simultaneous transmissions Disadvantage: When changing cells (handoff), the assigned

time-slot in the new cell may already be occupied howeverthis is a capacity problem

Transmission (uplink/downlink or send/receive) is allocated two

slots: One used at a defined frequency for uplink Second used at a particular frequency for downlink

Extends battery life-time of handset by only transmitting aportion of time instead of a continuous transmission

AT&T, Cingular (Eastern/Central US) uses TDMA Cingular formally PacificBell uses a technology called GSM

which is not compatible with TDMA



Code Division Multiple Access

CDMA (IS-95) offers 6-10x the capacity of TDMA and uses

codes to separate users as opposed to TDMA, which usesassigned time slots

Uses broadband spread-spectrum developed in the 1940s formilitary purposes and uses a direct sequence technique, withthe spreading sequence based on a pseudorandom binary

sequence Also uses the 800Mhz and 1900Mhz frequency bands.

When using 800Mhz AMPS mode, more AMPS channelsneeded to obtain frequency for CDMA (operator must clear1.23Mhz/30khz or 41 channels) to accommodate

When in 1900Mhz mode, CDMA uses PCS

Directly supports IP packet data protocols

Sprint, SBC uses CDMA



Global System for MobileCommunications

GSM developed in Europe in 1980s and became aninternational standard 13 years later

There are two standards: European: 900Mhz (International Standard) North American 800Mhz (900Mhz used by Government)

and 1900Mhz GSM PCS North American GSM and European GSM are not compatible due to their

frequency Tri-mode phones are available that operate at 800Mhz, 900Mhz, and1900Mhz

Uses TDMA framework but not compatible Subdivides each radio channel into eight time slots; D-AMPS subdivides into six time slots

Over 250 GSM Networks are presently operating in 110countries

Data rates: 9.6Kbps to 14.4Kbps

Carriers: Pacific Bell (now Cingular), VoiceStream, and nowAT&T Wireless


10/42


GSM

GSM uses the Subscriber Information Module (SIM card)

which comes in two forms credit card sized format and thumbtip size Embedded in the card is a microprocesor, ROM and RAM

Also contains data such as: The subscribers phone number which is referred to as the

MSISDN (Mobile Subscriber ISDN Number) The IMSI (International Mobile Subscriber Identity). The

IMSI is globally unique to a particular subscriber The subscribers PIN which is used to prevent unauthorized

use of the mobile device

Authentication Keys


11/42


Carrier Infrastructure


12/42


Simple Architecture

Radio Access Network

Base Station

Core Network

SwitchSubscriber

Information

Billing

Records

Network Operations

and Maintenance

To otherNetworks

Mobile Dev ice

Radio Link


13/42


Detailed Architecture

BSC

BT S

BT S

BT S

Mobile Phone

BSC

BT S

BT S

BT S

MSC

VLR HLR

Charging

Gateway

SMSc

LIG

To other networks

(e.g. PSTN)

OMC

Connected to all elements in

the core networkConnected

to all BSCs

Radio Access Network

Core Netw ork


14/42


Network Operation Parameters

The adjunct processor handling operational issues may handle records thatdrill down deep into the network operation details. These records can cover

such items as:

A subscribers phone call attempt

Whether the attempt was successful

Whether the call was ended normally or was dropped

Date and time of the call Signal strength of the subscribers mobile device as seen by the BTS

In what cell site was the call set up

In what cell site sector was the call set up

Handover information

What channel was used

What frequency/time slot/PN number was used


15/42


Surveillance & Tracking


16/42


Methods of Tracking

AOA: By knowing the direction from which a wireless signal is received (viathe use of special antennas at the cell site), Angle of Arrival techniques

calculate the location of a mobile device. This technology is deployed at the cell sites of the network operator.

TDOA: Time Difference of Arrival technology uses the difference in time thatit takes for a wireless signal to arrive at multiple cell sites to calculate thelocation of the mobile device.

This technology is deployed at the cell sites of the network operator. E-OTD: Enhanced Observed Time Difference involves a mobile device

receiving the signals from at least three base stations, while a specialreceiver in the network (at a known position) also receives these signals.

The mobile device location is calculated by comparing the time

differences of arrival of the signals from the base stations at both themobile device and the special receiver.

This technology is deployed at cell sites and in the mobile device itself.


17/42


Methods of Tracking

Triangulation is a process by which the location of a radio

transmitter can be determined by measuring either the radialdistance, or the direction of the received signal from two orthree different points

Time delay response can be used in conjunction withtriangulation to determine how far away the signal is between

multiple points When a cell phone is turned onits communicating!

Call or standby mode

Tracking is often difficult if not impossible in some situations Signal reflection, distortion, weak signal, etc.


18/42


Triangulation & Timed Response

BaseX

Base

Z

BaseY

Cell Phone

Measured Response

Time + Direction


19/42


Lawful Interception

MSC/VLR

EIRHLR

Gi

Gs

Gf

Gr

GSM & UMTS

SGSN

GGSN

Gn

3GGPRS backbone

PDN

Gp


20/42


Functional Roles

LawEnforcement

Authority (LEA)

AuthorisationAuthority (AA)

Network Operator

EquipmentManufacturer

User

Host/Terminal

Target User1 2

2

4

4

3

4

5


21/42


Authorizing interceptions

Authorizing Agency (AA)

Authorizes session using the web interface at theLIC


22/42


Enabling interceptions

Law Enforcement Agency (LEA)

Starts interception at the LIC


23/42


E911 Update

August 2000: FCC adopted an Order to implement the

Wireless Communications and Public Safety Act of 1999 (911Act), enacted on October 26,1999.

Implemented in two phases: First Phase Reveals cell phone number and base-station

caller is using

Second Phase Pinpoints location accurate within 50-100meters

October 1, 2001 Deadline will not be met

All major carriers will file an extension with the FCC Location based service and tracking software not in place

Only %10 of law enforcement is equipped to handle E911

Official Web-site http://www.fcc.gov/e911/
http://www.fcc.gov/e911/http://www.fcc.gov/e911/


24/42


Steps to 3rd Generation within the US

Basic GSM data at 9.6 kbit/s & Smart messaging1997

Landline-like circuit services (HSCSD) & Interactive messaging (USSD)

2000

Internet-like IP packet services for mass market (GPRS) 144Kbps

2001-2002Enhanced speed and capacity (EDGE)

2002

Evolution

New multimedia servicesMass market cost of service (WCDMA)2Mbps

2003-2005

Introduction of 3rd generation radio

GPRS A hit t


25/42


GPRS Architecture

VPN VPN

Firewall

Firewall


26/42


WAP

Wi l A li ti P t l (WAP)


27/42


Wireless Application Protocol (WAP)

De-facto world standard for wireless information andtelephony services on digital mobile phones and otherwireless terminals

"Internet in Every Pocket"

Objectives: General environment for wireless applications Internet or Intranet-like services and content to mobile terminals Network, bearer and manufacturer independent

WAP Forum Started 1997 by Nokia, Ericsson, Motorola and Unwired Planet Now close to 500 member companies

WAP 1.1 (June 99) The first release for commercial products

WAP 1.2 (December 99)

WAP S t A hit t


28/42


Web Server

Content

CGI

Scripts

etc.

WMLDecks

withWML-ScriptWAP Gateway

WML Encoder

WMLScript

Compiler

Protocol Adapters

Client

WML

WML-

Script

WTAI

Etc.

HTTPWSP/WTP

WAP System Architecture

Common WAP Deployment Scenarios


29/42


Common WAP Deployment Scenarios

Mobile

Customer

Dial-inServer

WAPServer/Gateway

Content & ApplicationsServer (s)

Total Corporate Solution

Closed WAP

Portal e.g.Operator / ISP

Business ModelTechnical Architecture

Typical WAP Enabled

'Web Destination Site'

Open WAP Portal +

Content providers

and Merchants

Key

Enterpr. hosted

xSP hosted

Wireless Transport Layer Security


30/42


Wireless Transport Layer Security

WTLS provides encryption from the mobile handset to theWAP Gateway

WTLS to SSL conversion on WAP gateway must decryptWTLS and re-encrypt to SSL

Vulnerability: Clear-text

Four classes:

Class 0: No Security Class 1: Server Authentication (dh_anon)

Available today

Class 2: Signed Server Certificate Available today

Class 3: Signed Client Servificate Coming Soon

WTLS


31/42


WTLS

Wireless Identity Module (WIM)


32/42


Wireless Identity Module (WIM)

Terminal HW(terminal SW)

Additionalchip,

"Dual chip"

Integratedreader I.e."dual slot"

Externalreader

Wireless PKI Capability

WIM has five implementation possibilities

WIM insideSIM = SWIM

WAP Modes


33/42


WAP Modes

The four modes for WAP communications are:

Mode UDP Port WTLS Security Connectionless 9200 No Connection 9201 No Connectionless 9202 Yes Connection 9203 Yes

Security in WAP


34/42


Terminal

WAP Gateway Origin Server

Wireless Network

Internet

Companyintranet

FIREWALL

Leasedmodem pool

Security in WAP

FIR

EWALL

WAP can securecommunication betweenterminal and WAP gateway.

For communications betweengateway and origin server,other means e.g. SSL arerequired.

GSM Security

Internet Security

Future Example


35/42


1. Choosing the movie

2. Choosing the payment method

3. Entering the PIN-code

4. Downloading tickets to the chip

5. Confirming the downloading and loyalty points

Future Example

EMPS: Many ways to use it


36/42


In the Cinema:

Printing the tickets from terminal with bluetooth

EMPS: Many ways to use it


37/42


Corporate Impact

Cellular Phones Outnumber PCs


38/42


Currently there are 350 million mobile phone subscribers. By 2003 there willbe more than 1 billion! Of these, around 600m are likely to be using WAPcompatible products to access the web, compared to a PC installed base of

around 400m

Cellular Phones Outnumber PCs

0

200

400

600

800

1000

1200

1997 1998 1999 2000 2001 2002 2003

Cellular Subscribers.Source: EMC 1999

PC installed base.Source: Dataquest 1999

Mobile Phone will be a new online


39/42


Mobile phones are becoming media phones

WAP (Wireless Application Protocol) brings standard way to connect mobile

customers to content services Now near 300 million mobile phone users, by 2003 there will be more than 1

billion!

50 Milj.

Users

RadioTV

WWW

Internet

GSM

35 Years155

Today there are more than 150 million GSM subscribersworld wide

WAP

Channel

Is youre organization ready?


40/42


Is you re organization ready?

Mobile data is here today

Accessibility Modems

Internal External

Internet Portal

Encryption WTLS SSL VPN

Device

Applications

Terms


41/42


Terms

2G Second Generation Phone Service What we have today!

2.5G - GPRS

3G Third Generation Packet Switched Radio

BTS Base Transceiver Station

BSC Base Station Controller

GGSN GPRS Gateway Server Node

HLR Home Location Registry

LIG Lawful Interception Gateway

MSC Mobile Switching Center

SMSc Small Message Service Center

PSTN Public Switched Telephone Network SGSN Serving GPRS Support Node

VLR Visitor Location Registry

Q ti ?


42/42


Questions?

Thank You for listening

Danke fr Ihre Aufmerksamkeit

Kiitos huomiostanne

Muchas gracias por atencinMerci pour votre attention

[email protected]

Documents

Nokia Wireless