GSM
Partially adapted with permission from Mobile Communication: Wireless Telecommunication Systems - Jochen Schiller http://www.jochenschiller.de
Overview
formerly: Groupe Spéciale Mobile (founded 1982)
now: Global System for Mobile Communication
- Pan-European standard (ETSI, European Telecommunications Standardisation Institute)
- simultaneous introduction of essential services in three phases by the European telecommunication administrations
- seamless roaming within Europe possible
- today many providers all over the world use GSM (more than 180 countries in Asia, Africa, Europe, Australia, America)
- more than 900 million subscribers
- more than 70% of all digital mobile phones use GSM
Total mobility
Worldwide connectivity
High capacity
high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
Security functions
Mobile Services
GSM services
basic services
additional services
supplementary services
- identification: forwarding of caller number
- suppression of number forwarding
- automatic call-back
- conferencing with up to 7 participants
- ...
Basic Services
full rate: 22.8 kbit/s (gross bit rate, unprotected transmission)
half rate: 11.4 kbit/s (gross bit rate, unprotected transmission)
full rate: 13 / 12.2 kbit/s (original coder / enhanced full rate coder)
half rate: 5.6 kbit/s (enhanced half rate coder)
full rate: 9.6 / 4.8 / 2.4 kbit/s
half rate: 4.8 / 2.4 kbit/s
n x 14.4 / n x 9.6 / n x 4.8 kbit/s (n=1, 2, 3, 4)
various rates (typically up to 53.6 kbit/s)
[Figure labels: BTS, BSC, MSC, NSS, VLR, HLR, OSS, EIR, AuC, OMC]
MS (Mobile Station): mobile terminal equipment
BSC: management of several BTS and MS
BTS: transmitter, receiver and antennas
MSC (Mobile Switching Centre): management of all connections
HLR (Home Location Register): associated to each PLMN
VLR (Visitor Location Register): associated to each MSC
GMSC: MSC providing interconnection to other networks
[Figure labels: HLR, GMSC, fixed network, VLR, MSC, BSC]
OMC (Operation and Management Centre): control of the radio and network subsystems
AuC (Authentication Centre): security functions
EIR (Equipment Identity Register): mobile station registration
[Figure labels: OMC, AuC, EIR, Network Element, HLR, MSC]
Interfaces
Um: radio interface
Abis: standardized, open interface with 16/64 kbit/s user channels
A: standardized, open interface with 64 kbit/s user channels
[Figure labels: HLR, VLR, BTS, BSC, BSS, GMSC, IWF, ISDN, PSTN, PDN]
BTS - 13 kbit/s air-interface (original coder)
MSC - 64 kbit/s ISDN type switching (PCM, A-law)
[Figure labels: BTS, TRAU, BSC, MSC; link rates 16 kbit/s and 64 kbit/s]
Mobile addresses
local number allocated by VLR, may be changed periodically
- hides the IMSI over the air interface - transmitted instead of IMSI
helps HLR to determine current location area
- hides the IMSI inside the network
MT (Mobile Termination)
- offers common functions used by all services the MS offers
- end-point of the radio interface (Um) - equivalent to NT of an ISDN access
- hides GSM radio specific characteristics
TE (Terminal Equipment)
TA (Terminal Adapter)
[Figure labels: TE1 - MT - Um; TE2 - TA - MT - Um]
IMSI - International Mobile Subscriber Identity
TMSI - Temporary Mobile Subscriber Identity
LAI - Location Area Identification
PIN - Personal Identity Number
PUK - PIN Unblocking Key
Ki - subscriber secret authentication key
A3 - authentication algorithm
A8 - cipher key generation algorithm
BTS comprises radio specific functions
BSC is the switching center for radio channels
Functions
- Management of radio channels
- Frequency hopping (FH)
- Management of terrestrial channels
- Mapping of terrestrial onto radio channels
- Channel coding and decoding
- Rate adaptation
- Encryption and decryption
- Paging
- Uplink signal measurements
- Traffic measurement
- Authentication
- Location registry, location update
- Handover management
- switching functions
- additional functions for mobility support
- management of network resources
- interworking functions via Gateway MSC (GMSC)
- integration of several databases
- switching of 64 kbit/s channels
- paging and call forwarding
- termination of SS7 (signaling system no. 7)
- mobility specific signaling
- location registration and forwarding of location information
- support of short message service (SMS)
- generation and forwarding of accounting and billing information
Location registers
Database requirements
data from every user that has subscribed to the operator
- one database per operator
- may be replicated
subscriber data
- IMSI - International Mobile Subscriber Identity
- list of subscribed services with parameters and restrictions
location data
Location registers
Visitor Location Register (VLR)
local database
- data about all users currently in the domain of the VLR
- includes roamers and non-roamers
- associated to each MSC
subscriber identity
temporary location
temporary addresses
- MSRN - Mobile Station Roaming Number
- TMSI - Temporary Mobile Subscriber Identity
Authentication Centre (AuC)
associated to HLR
search key: IMSI
supports authentication and encryption mechanisms
- Ki - subscriber secret authentication key
- A3 - authentication algorithm
- A8 - cipher key generation algorithm
Equipment Identity Register (EIR)
stores mobile stations IMEI (International Mobile Equipment Identity)
- white list - mobile stations allowed to connect without restrictions
- black list - mobile stations locked (stolen or not type approved)
- gray list - mobile stations under observation for possible problems
GSM - TDMA/FDMA
935-960 MHz: 124 channels (200 kHz), downlink
890-915 MHz: 124 channels (200 kHz), uplink
[Figure: FDMA channels along the frequency axis]
Burst structures
Training Sequence - allows estimation of propagation characteristics (including multipath), in order to set up the equaliser parameters
Stealing flags - indicate that a burst normally assigned to traffic is stolen for signalling
Burst structures
Synchronisation Sequence - long training sequence
Coded Data - data used to align the mobile to the base station's time-slot structure
Frame hierarchy
time-slot: 15/26 ms = 0.577 ms (time-slots 0-7 per frame)
frame: 8 x 15/26 ms = 60/13 ms = 4.615 ms
traffic multiframe: 26 x 60/13 = 120 ms (frames 0-25)
control multiframe: 51 x 60/13 = 235.38 ms (frames 0-50)
superframe (*): 6.12 s (51 traffic multiframes or 26 control multiframes)
hyperframe (**): 3.5 hours (2048 superframes)
(*) - aligns traffic and control multiframes
(**) - allows cycle for frame number
Logical channels
TCH Traffic Channels
CCH Control Channels
CCCH Common Control Channels
DCCH Dedicated Control Channels
ACCH Associated Control Channels
Full-rate
Half-rate
Uplink channel: MS transmits
Downlink channel: BTS transmits
Bi-directional channel: both transmit
Logical channels
Channel: application; allocation
TCH Traffic Channels (TCH/H, TCH/F): user data; allocated by network on demand by MS
BCH Broadcast Channels
- FCCH: carrier synchronization; permanent
- SCH: frame synchronisation; permanent
- BCCH: general network information, cell information (present and adjacent); permanent
RACH: request SDCCH for signalling, request TCH for handover; multiple access with slotted Aloha contention between MS
AGCH: confirmation of SDCCH or TCH request; permanent
PCH: alert MS to a call originated in the network; permanent
SDCCH: registration / location updating, call control procedures; allocated by network on demand
SACCH: control information between MS and BTS during the progress of a call or call set up; associated to a specific TCH or SDCCH
FACCH: exchange of time critical control information during the progress of a call; allocated by network or MS (*)
(*) Fast allocation by setting S bit; bits are stolen from TCH
Logical channels
Channel
TCH Traffic Channels TCH/H TCH/F FCCH BCH Broadcast Channels SCH BCCH RACH AGCH PCH SDCCH DCCH Dedicated Control Channels SACCH FACCH Normal (114 data bits)
Burst type
Normal (114 data bits) Frequency correction Synchronisation Normal (114 data bits) Random access Normal (114 data bits)
Time-slot
Any
Multiframe
26 frames (120 ms)
Bursts / Multiframe
24 12 5
Capacity
24 x 114 / 120 = 22.8 kbit/s 12 x 114 / 120 = 11.4 kbit/s
12 minimum
TS0 - base channel (*) TS0/TS2/TS4/TS6 (**) Same TS as SDCCH Same TS as TCH Same TS as TCH (bits stolen from TCH)
4 x 114 / 120 = 3.8 kbit/s 2 x 114 / 120 = 1.9 kbit/s 1 x 114 / 120 = 0.95 kbit/s Same as TCH
to simplify hardware design, transmitter and receiver never operate at the same time
transmission is half-duplex
the numbering scheme is staggered by 3 time-slots
[Figure: downlink (receive) and uplink (transmit) time-slot numbering 0-7]
Principle of operation
- correct timing of uplink bursts at the BTS is required to avoid overlapping
- different path delays (MS-BTS distances) must be compensated
- transmission from the MS is advanced 0-63 bits under BTS control
- maximum time advance of 63 bits allows 0.233 ms round trip delay
- maximum cell radius is approximately 35 km
Initial ranging
- Access Burst is transmitted without time advance
- Guard Period of 68.25 bits allows for a path delay due to 37 km distance
- BTS measures path delay and sends required time advance on SACCH
- MS introduces time advance on all bursts
Adaptive control
- BTS monitors burst and measures delays with specified time advance
- if path delay varies more than 1 bit period, the new value is signalled on SACCH
Frequency hopping
optional, but usually implemented
channels with no frequency hopping: BCH and CCCH
Hopping sequence
in a given time-slot, successive TDMA frames are transmitted on different carriers
main hopping parameters
Transmission power
GSM 1800
36 dBm 30 dBm 24 dBm vehicular portable portable usual classes
silent frames are sent to synthesise comfort noise at the receiver
several advantages
Transmission power
Power control
implemented on both links
objective: lowest power level which provides desired quality (BER)
procedure
- MS measures power received and BER and sends result on SACCH
- BTS sends new power level on SACCH, if and when necessary
control range
- GSM 900: 5 - 39 dBm
- GSM 1800: 0 - 36 dBm
Comments
- effective maxima depend on cell size and MS capability
- control steps of 2 dB
channels with no power control - use maximum power for the cell
Security in GSM
Security services
access control/authentication
- between user and SIM (Subscriber Identity Module): secret PIN (Personal Identification Number)
- between SIM and network: challenge - response method
confidentiality
- voice and signaling encrypted on the wireless link (after successful authentication)
secret:
- A3 and A8 available via the Internet
- network providers can use stronger mechanisms
anonymity
- TMSI - Temporary Mobile Subscriber Identity
- newly assigned at each new location update
- encrypted transmission
A3 for authentication (secret, open interface)
A5 for encryption (standardized)
A8 for encryption key generation (secret, open interface)
GSM - authentication
[Figure: mobile network side: AuC with Ki (128 bit) and RAND (128 bit) into A3, giving SRES* (32 bit); RAND (128 bit) sent out; MSC compares SRES* =? SRES (SRES 32 bit)]
[Figure: mobile network side: AuC with Ki (128 bit) and RAND (128 bit) into A8, giving cipher key Kc (64 bit); at the BTS, A5 turns data into encrypted data]
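The challenge-response check (SRES* =? SRES) and the cipher key derivation described above, as an added example that is not part of the original slides. A3 and A8 are operator-specific, so HMAC-SHA256 truncated to the slides' output sizes stands in for them here (it is not COMP128 or any real operator algorithm); the IMSI, keys, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-ins for A3/A8 (assumption: HMAC-SHA256, truncated to the slide sizes).
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication: Ki (128 bit), RAND (128 bit) -> SRES (32 bit)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation: Ki (128 bit), RAND (128 bit) -> Kc (64 bit)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuC:
    """Network side: keeps Ki per IMSI, issues (RAND, SRES*, Kc)."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        ki = self._ki[imsi]
        rand = secrets.token_bytes(16)      # fresh 128-bit challenge per attempt
        return rand, a3(ki, rand), a8(ki, rand)

class SIM:
    """Subscriber side: Ki stays on the card, only SRES is sent back."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)   # (SRES, Kc)

def msc_authenticate(auc: AuC, imsi: str, sim: SIM):
    """MSC check 'SRES* =? SRES'; returns the network's Kc, or None on failure."""
    rand, sres_expected, kc = auc.triplet(imsi)
    sres, _kc_on_sim = sim.respond(rand)    # only RAND and SRES cross the air
    # Constant-time comparison so the check does not leak matching prefix bytes.
    return kc if hmac.compare_digest(sres, sres_expected) else None

# Constructed sample subscriber (not real data).
IMSI = "001010123456789"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
auc = AuC({IMSI: KI})
genuine = SIM(KI)
clone_wrong_key = SIM(bytes(16))            # card that does not hold the right Ki
```

With the same RAND, a card holding the right Ki derives the same Kc as the network without Kc ever being transmitted, which is what lets A5 encryption start after a successful check.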
[Figure labels: interfaces Um, A; nodes MS, MSC; layers CM, MM, RR, LAPDm, radio, BTSM, LAPD, PCM, BSSAP, SS7; 16/64 kbit/s]
CM (Connection Management)
MM (Mobility Management)
setup, maintenance and release of radio channels
control of radio transmission quality
7: route call to current MSC
8, 9: get current status of MS (LAI + TMSI)
10, 11: paging of MS in location area
12, 13: MS answers paging and authentication request
14, 15: security checks
16, 17: set up connection
[Figure labels: HLR, VLR, GMSC, MSC, BSS, MS, with numbered steps]
MS
idle updated announced TMSI matches stored value
PCH
successful access
MS
switch signaling to FACCH using assigned TCH generate ringing sound
FACCH Disconnect
Release FACCH
1, 2: connection and authentication request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
[Figure labels: PSTN, GMSC, HLR, MSC, MS, BSS, with numbered steps]
MS
switch signaling to FACCH using assigned TCH ringing tone
TCH
data flow
Disconnect FACCH mobile on-hook
FACCH Release
Release complete FACCH
idle updated
4 types of handover
1 - between different sectors of the same cell
2 - between different cells within the same BSC domain
3 - between different BSC domains within the same MSC domain
4 - between different MSC domains
[Figure labels: MS (cases 1-4), BTS, BSC]
Handover decision
handover margin
BTS
measurement result
HO decision HO required HO request resource allocation ch. activation HO command HO command HO access link establishment clear command clear complete clear command clear complete HO complete HO complete HO request ack ch. activation ack
HO command
Location update
MS is aware of location
BTS broadcasts Location Area Identification (LAI) on BCCH
SIM stores current LAI and TMSI
MS is switched on and current LAI equals stored LAI
a timer set by the network expires and MS reports position
MS is switched on and current LAI differs from stored LAI
MS enters a new location area
Location update
NEW MSC
location update request (old LAI/TMSI sent)
MS
send IMSI update location request cancel location request update confirmed update location
update confirmed
update confirmed
cancellation confirmed
Location update
MS
idle updated
successful access
idle updated