Communication Systems 11: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Communication
Systems
11th lecture
Chair of Communication Systems

Department of Applied Sciences
University of Freiburg
2008
1 | 49
Communication Systems
Last lecture digital telephony networks
Please be reminded: End of registration period for the exam in

Communication Systems is the 27th June both for Master and
Bachelor students
We will decide from the number of registrants on oral/written for

Master students
Signaling in large scale digital networks
Primary Rate Interface (PRI) to connect large organizations PBX
Global call setup and routing with signaling system #7 (which is

loosely modeled after OSI stack)
Several protocols to handle different services
Special protocol QSIG for inter-connecting PBX (in private,

corporate telephony networks)
2 | 49
Last lecture introduction to mobile telephony networks
Interfaces in the telephony world are the standards equivalent to

protocols in the TCP/IP world
Major difference: TCP/IP is rather open to everyone and not

restricted to an exclusive club of telephony equipment manufacturers
and telcos (which has major implications for security issues)
Introduction to mobile telephony networks from the analogous

world to cell based infrastructure to second generation
interoperable digital mobile phone networks
Standardization process started middle of 80s
First deployment in 1991, 92
Fast growth till then more then 500 million subscribers by 2005
GSM Global System for Mobile communication is a worldwide

standard by now, available everywhere with few exceptions
3 | 49
Last lecture first introduction to GSM structure
GSM consists of radio, network and operation and maintenance

subsystems
Radio subsystem is comprised of Mobile Stations (MS, end user
equipment), Base Transceiver Stations (BTS, covering a certain
Location Area)
BTS are handled by Base Station controllers (BSC), which are
controlled by MSC:
4 | 49
Plan for this lecture
Extension of GSM overview
GSM interfaces
GSM network components
Mobile switching center,visitor location register, home location

register, authentication center, mobile stations, SIM, radio
subsystem...
Radio interface Um
Control channels
Network control, SS7
Call setup
Authentication, Authorization, Access
Security issues
5 | 49
GSM interfaces and components
6 | 49
Like in the digital telephony network interfaces between the

different components are defined
Um is the radio interface (m for mobile) between the mobile stations

and the base station transceiver, modeled after the user interface in
the ISDN world (Uk0 , UG2)
Abis is the interface between BTS and BSC
A the interface of the BSC to the MSC
The network subsystem defines the following interfaces
B between MSC and visitor location register (VLR)
C between MSC and home location register (HLR)
7 | 49
The several MSC are interconnected via
E interfaces, this is the interface to Gateway MSC too
F defines the interface to the equipment identifier register (EIR)
The different VLR talk to each other (needed when hand-overs

between different MSC occur) via G interface
Operation & Maintenance Subsystem (OSS) is the whole systems

management layer
Network measurement and control functions
Monitored and initiated from the OMC (Operation and Maintenance

Center)
Network Administration
8 | 49
OMC keeps track of configuration, operation, performance

management, statistics
Collection and analysis, network maintenance
Commercial operation & charging
Accounting & billing
Security Management, e.g. Equipment Identity Register (EIR)

management
9 | 49
GSM network components
Network and radio

subsystem are
supervised by OMC
Many BSCs are
controlled by Mobile
Switching Center
(MSC), which is part of
Network subsystem
Somewhere in
between is the TRAU
(Transcoding and Rate
adaption Unit)
10 | 49
GSM components network operation, MSC
A provider network has in general many distributed MSCs

Thus the MSC is a typical ISDN switching center with additional
components for mobility management
Many standards and interfaces discussed in last lecture apply here

too
Controls the access and authorization of mobile subscribers
Gets the user data from HLR and copies it to the VLR of all MS in
range
11 | 49
GSM components - MSC
To convert 13kbit/s (from MS), 16kbit/s (from BSC because of some

added in-band information) to 64kbit/s ISDN data rate a TRAU is
typically included in between MSC and BSC
Performs all the switching and routing functions of a fixed network

switching node and adds specific mobility-related functions, like
Allocation and administration of radio resources
Management of mobile users
Registration, authentication
Manages handover execution and control
Does paging (search for MS within the BSCs)
12 | 49
GSM components visitor location register (VLR)
MSC looks up users and communication information in VLR
VLR is a temporary database dynamically updated when subscribers

enter or leave vicinity of the serving MSC
one database per MSC (or per group of MSCs), typically joint MSCVLR implementation
Idea: Avoid heavy MSC-VRL signaling load on network links
VLR entries contain the following information:
Every user / MSISDN actually staying in the administrative area

of the associated MSC
Entry created when an MS enters the MSC area (registration)
May store data for roaming users (subscribed to different
operators)
13 | 49
GSM components visitor location register (VLR)
VLR entries contain the following information:
Tracking and routing information
Mobile Station Roaming Number (MSRN)
Temporary Mobile Station Identity (TMSI) assigned by MSC
Location Area Identity (LAI) where MS has registered needed

for paging and call setup
14 | 49
GSM components home location register (HLR)
While VLR keeps user data only temporarily, the permanent

storage of data takes place in HLR
Each mobile provider keeps such a database to store its subscribers

information
Subscriber and subscription data
IMSI, MSISDN
Parameters (authorization) for additional services
info about user equipment (IMEI)
Authentication data
Service setup for call deflection, mobile phone box, ...
15 | 49
GSM components authentication center (AUC)
Typically seen as part of OMC
Associated to HLR (home location register)
Might be integrated with HLR
Search key: IMSI
Responsible of storing security-relevant subscriber data
Subscribers secret key Ki (for authentication)
Shared encryption key on the radio channel (Kc)
Algorithms to compute temporary keys used during authentication

process
16 | 49
GSM components mobile stations (MS)
GSM separates user mobility from equipment mobility by defining

two distinct components
Mobile Equipment (ME)
Or Mobile Terminal (MT) it is the cellular telephone itself (mobile

phone hardware)
It has its own address / identifier: IMEI (International Mobile

Equipment Identity)
Composed of the technical components for user interaction:

keypad, display, speaker and microphone, may contain
Interfaces for additional services like fax or data (peripheral

connections as Bluetooth, IrDA or serial connections might be
available too)
17 | 49
GSM components mobile stations (MS)
Five transmit power classes defined for MS in 900MHz band
20, 8, 5, 2, 0.8 Watt normally used are 8W for vehicular and 0.8W
for portable devices
Only two classes for 1800MHz band: 1 and 0.25W
Implementations
Early devices were single band for GSM900 or DCS1800 or

PCS1900
Today mostly so called multi-band phones are sold (allow

communication in two or all three GSM bands)
Newest devices are multi-mode which could handle both GSM and
UMTS (and several data standards like GPRS)
18 | 49
GSM components mobile stations (SIM)
Second component is the Subscriber Identity Module (SIM)
SIM keeps the following addresses / identifiers:
IMSI (International Mobile Subscriber Identity) 15-digit composed

of Mobile Country Code, Mobile Network Code, Mobile Subscriber
Identification Number
Is sent (for security reasons only) when entering network or doing

location update
MSISDN (Mobile Subscriber ISDN number) of 15 digits is the

telephone number users call, composed of Country Code (Germany
49, US 1), National Destination Code (Provider prefix without the 0),
Subscriber Number
19 | 49
The MSISDN is used for routing in traditional telephony networks

(but not for routing in mobile)
TMSI is temporarily stored on SIM
Translated in MSC to TMSI, unique within a certain Location Area

(LA), kept in the VLR
Not fixed, regularily changed to avoid outside user tracking
Same applies for MSRN (Mobile Station Roaming Number, GSM

internally):
VCC = contry code of visited mobile network
VNDC = location code (place where the user actually is)
VMSN = ID of the visited MSC
VSN = subscriber ID, assigned by VLR

20 | 49
MSRN is similarily composed to

MSISDN, but location dependent
SIM itself is piece of hardware, a plug-inmodule, a so-called smartcard (or fixed
chip within the phone only on special
devices)
Usually provided in the ID-000 format,

which is about 0,76mm thick plastic with
cast-in chip
It contains: a CPU, internal bus system

connecting RAM and EEPROM and an
electrical interface (contact pads on the
upper side)
21 | 49
GSM components - radio subsystem (BTS)
Radio interface functions (MS <-> BTS)
GMSK modulation-demodulation
channel coding, encryption/decryption
burst formatting, interleaving
signal strength measurements
interference measurements
22 | 49
GSM components - radio subsystem (BSC)
Functions of a BSC
One BSC may control up to 40

BTS (kept in database)
switch calls from MSC to

correct BTS and conversely
Protocol and coding

conversion for traffic (voice) &
signaling (GSM-specific to
ISDN-specific)
Manage mobility of MS
(handover between different
BTS)
Enforce power control
23 | 49
GSM the radio interface Um
Lets start with the physical layer of the beloved OSI model
Um defines the communication of MS with the GSM infrastructure
The bandwidth is 270,833kbit/s (bit rate not integer because

derived from time slots as explained later)
Because of the limited frequency band multiplex access is used
24 | 49
GSM Um: FDM & TDM
Frequency Division Multiplexing two 25MHz bands
Uplink (MS to BTS)
= 890 915MHz.
Downlink (BTS to MS) =
Each defined channel has a 200kHz bandwidth
Duplex spacing: 45MHz
Thus 124 bearer frequency pairs possible, suggested to use only

122 to keep additional guard top and bottom
In practice, due to power control and shadowing, adjacent channels

cannot be used within the same cell
935 960MHz
Additionally in each frequency channel Time Division Multiplexing

(TDM) is applied
25 | 49
GSM Um: FDM & TDM
8 periodic time slots - 0,577ms each
TDM frame composed of 8 time slots equals to 4,615ms
Every time slot a so called burst - succession of 148bit is

transmitted
Between the bursts a security buffer of 8,25bit/burst is put in

between
26 | 49
GSM Um: FDM & TDM
Through FDM/TDM
hybrid in GSM 992
channels available
In DCS1800 more
channels: 75MHz
band split into
200kHz channels
allows a total of 374
carriers
Thus 2992 physical
channels available in
E-GSM
27 | 49
GSM Um: burst types / dummy burst
Five different burst types defined
Normal Burst
Access Burst
Frequency Correction Burst
Synchronization Burst
Dummy Burst to fill in inactive bursts in Broadcast Control Channel

(BCCH, direction from BTS to MS) to have most power on this
channel (helpful, when MS needs to find BCCH)
28 | 49
GSM Um: fequency hopping
Not all channels in a given cell are of equal quality and multi path
reception / adjacent channels may disrupt communication
Thus frequency hopping is introduced
avoid frequency-selective fading, co-channel interference
29 | 49
GSM Um: GMSK modulation
Split single bits into odd

and even
Double the time period of
each bit
Four cases
Bg=Bu=0 use f2 inverted
Bg=1,Bu=0 use f1 inv.
Bg=0,Bu=1 use f1
Bg=1, Bu=1 use f2
30 | 49
GSM the Um logical layer
The logical layer could be seen as the equivalent of OSI data link
layer
Here are the logical channels mapped into the physical ones
Two distinctions: traffic channels and control channels
The traffic channels carry the user data (voice, SMS, fax, ...)
Full rate channel: Bm 22,8kbit/s (TCH/F)
Half rate channel: Lm 13,4kbit/s (TCH/H)
31 | 49
GSM control channels
Beside the traffic channels are a group of control channels

defined
They handle system information, connection setup and
connection control
Broadcast Control Channel (BCCH) group handles beacon
signaling, synchronization of MS with the serving BTS, timing
advance adjustment, it comprises of
BCCH Broadcast Control Channel
FCCH Frequency Control Channel
SCH Synchronization Channel
32 | 49
GSM control channels: FCCH, SCH
FCCH is responsible for first part of MS tuning (synchronisation of

mobile device to BTS signal)
MS listens on strongest beacon for a pure sine wave (FCCH), first

coarse bit synchronization used for fine tuning of oscillator
Immediately after follows a SCH burst
SCH: Fine tuning of synchronization (64 bits training sequence)
Read burst content for synchronization data
25 bits (+ 10 parity + 4 tail + convolutional coding = 78bits)
6 bits: BSIC, 19 bits: Frame Number (reduced)
Finally MS is able to read BCCH information
33 | 49
GSM control channels: BCCH
BCCH is responsible for
Sending out of beacon on one frequency per cell (by BTS)
Contains 16bit Location Area (LA) code
MUST BE on Time Slot #0, following time slots might used by TCH
BCCH provides:
Details of the control channel configuration
Parameters to be used in the cell
Random access backoff values
Maximum power an MS may access (MS_TXPWR_MAX_CCCH)
34 | 49
GSM control channels: BCCH
BCCH provides:
Minimum received power at MS (RXLEV_ACCESS_MIN)
Is cell allowed? (CELL_BAR_ACCESS)
List of carriers used in the cell
Needed if frequency hopping is applied
List of BCCH carriers and BSIC of neighboring cells
35 | 49
GSM control channels
Next group Common Control Channel (CCCH) it consists of
Random Acces Channel (RACH)
Access Grant Channel (AGCH)
Paging Channel (PCH)
Third group is the Dedicated/Associated Control Channel

(DCCH)/ (ACCH)
Stand-alone Dedicated Control Channel SDCCH
Fast/Slow Associated Control Channel SACCH/FACCH
FACCH used when several signalling information needs to be

transmitted
Call setup, Handover
36 | 49
GSM the Um logical layer
Channels are grouped into
26-multiframe - payload / voice summarizes the bursts of TCHs

and associated SACCHs and FACCHs
51-multiframe signaling data puts together all bursts of traffic

channels without SACCHs and FACCHs
GSM uses certain predefined pattern of channel combinations:

CC1: TCH/F + FACCH/F + SACCH/TF
CC2: TCH/H (0,1) + FACCH/H(0,1) + SACCH/TH(0,1)
CC3: TCH/H(0) + FACCH/H(0) + SACCH/TH(0)+TCH/H(1)
CC4: FCCH + SCH + BCCH + CCCH
CC5: FCCH + SCH + BCCH + CCCH + SDCCH/4(0,1,2,3) + SACCH/C4
(0,1,2,3)
CC6: BCCH + CCCH
CC7: SDCCH/8 + SA
37 | 49
GSM frames, multiframes, superframes
Why 26, 51:An active call transmits/receive in 25 frames, except

the last one
In this last frame, it can monitor the BCCH of this (and neighbor) cell
This particular numbering allows to scan all BCCH slots during a

superframe
Important slots while call is active: frequency correction FCCH and

sync SCH - needed for handover
Why multiframes - determine how BCCH is constructed, e.g.

which specific information transmitted on BCCH during a given
multiframe
Superframes are composed of multiframes
Used as input parameter by encryption algorithm
38 | 49
GSM network control, SS7
Backend of mobile networks is the

same digital telephony network as
for ISDN (Intelligent Network IN)
Thus Signaling System 7 is used for
the network generic and GSM
specific tasks
MAP (Mobile Application Part)
Located in presentation layer (OSI
layer 6)
communication between different
MSCs or MSC and HLR
39 | 49
GSM network control, SS7
DTAP the Direct Transfer Application Part is located on the

presentation layer too
Used to send messages from the MS to MSC directly
BSSMAP (Base Station Subsystem MAP

Found on session layer (OSI layer 5)
Handles communication between MSC and radio subsystem
Additionally SCCP (Signaling Connection and Control Part) on

transport layer similar to TCP or UDP, instead of port numbers
SubSystemNumbers (SSN) are used
TCAP (Transaction Capability Application Part) - session layer
known from last lecture
40 | 49
GSM call setup
After defining the lower layers we

could deal with the important part
for the subscribers receive a call
in a mobile phone network
The called device/user has to be
looked up in a given location area
(paging)
To be able to answer the MS has
to request a channel
It gets assigned a control channel
by the BSC immediately if cell is
not congested
41 | 49
GSM call setup network originated call

The MS sends out an acknowledgement (subscriber is present)
Next steps check the authorization of the subscriber
If check was passed the system changes into encryption mode
The MS signals which kind of service it wishes to use (voice,
data, ...)
Depending on the preferred service a traffic channel is assigned
A call signal is produced for the calling party and a ring is
generated on the MS
42 | 49
GSM call setup network originated call

The subscriber accepts the call, ack is sent and connection is
established
A full rate traffic channel (for voice) is used
During call setup and operation several control channels are used:
PCH, RACH, AGCH, SDCCH, ...
Mobile originated calls are mostly similar
No paging is needed because the MS activily requests a

channel
A signaling channel is assigned by BSC
43 | 49
GSM call setup mobile originated call
Service request a SDCCH is

required
Same authorization and

encryption procedure has to
be done
Signaling of desired service

and assignment of proper
payload channel
Signaling of call signal to the

subscriber at the MS
Call setup if called party

answers
44 | 49
GSM Authentication, Authorization, Access

In a public network like GSM the triple-A of authentication,
authorisation, access plays a major role
The subscribers ID has to be kept confidential
The network access has to be granted or denied to the subscriber
The integrity and confidentiality of data has to be ensured by the
network
This is achieved by a more or less sophisticated asymmetric and

symmetric encryption and authentication process
Temporary and confidential identities and keys are used
45 | 49
46 | 49

Sequence of authorization and generation of shared keys for encryption
1. The network sends an authentication request message to MS, conveying a 128-bit
random number (RAND).
2. MS uses the RAND, the secret key Ki (stored at SIM), and the encryption algorithm
A3, to compute a 32-bit number as a signed response (SRES).
3. MS computes the 64-bit ciphering key Kc using encryption algorithm A8, which will
be later used in the ciphering procedure.
4. MS responses with an authentication response message containing SRES.
5. The netwotk uses same parameters and algorithm to computer another SRES.
6. MS SRES and the network SRES are compared with each other. If mactch, the
network accepts the user as an authorized subscriber. Otherwise, authentication is
rejected.
7. After authentication has been successful, the network transmits a ciphering mode
message to MS indicating whether encryption is to be applied.
8. In case ciphering is to be performed, the secret key Kc and encryption algorithm
A5 are used for ciphering.
47 | 49
GSM stream encryption
48 | 49
GSM literature, next exercise, lectures
Some of the pictures are taken from text books or online sources
German text books:
Jochen Schiller, Mobilkommunikation
Bernhard Walke, Mobilfunknetze und ihre Protokolle, Grundlagen

GSM, UMTS, ...
Generally you might want to check the seminar papers of the

telephony seminar held in the beginning of 2006:
http://www.ks.uni-freiburg.de/php_veranstaltungsdetail.php?id=9
summary of GSM and UMTS telephony networks and other topics

dealt with in this lecture
Next lecture: Friday, 27th July (next practical course on Tuesday,

24th)
49 | 49

Communication Systems 11: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Communication Systems 11: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Uploaded by

Copyright:

Available Formats

Communication

Chair of Communication Systems

Last lecture digital telephony networks

Please be reminded: End of registration period for the exam in

We will decide from the number of registrants on oral/written for

Signaling in large scale digital networks

Primary Rate Interface (PRI) to connect large organizations PBX

Global call setup and routing with signaling system #7 (which is

Several protocols to handle different services

Special protocol QSIG for inter-connecting PBX (in private,

Last lecture introduction to mobile telephony networks

Interfaces in the telephony world are the standards equivalent to

Major difference: TCP/IP is rather open to everyone and not

Introduction to mobile telephony networks from the analogous

Standardization process started middle of 80s

First deployment in 1991, 92

GSM Global System for Mobile communication is a worldwide

Last lecture first introduction to GSM structure

GSM consists of radio, network and operation and maintenance

Extension of GSM overview

GSM network components

Mobile switching center,visitor location register, home location

Network control, SS7

Authentication, Authorization, Access

GSM interfaces and components

GSM interfaces and components

Like in the digital telephony network interfaces between the

Um is the radio interface (m for mobile) between the mobile stations

Abis is the interface between BTS and BSC

A the interface of the BSC to the MSC

The network subsystem defines the following interfaces

B between MSC and visitor location register (VLR)

C between MSC and home location register (HLR)

GSM interfaces and components

The several MSC are interconnected via

E interfaces, this is the interface to Gateway MSC too

F defines the interface to the equipment identifier register (EIR)

The different VLR talk to each other (needed when hand-overs

Operation & Maintenance Subsystem (OSS) is the whole systems

Network measurement and control functions

Monitored and initiated from the OMC (Operation and Maintenance

GSM interfaces and components

OMC keeps track of configuration, operation, performance

Collection and analysis, network maintenance

Commercial operation & charging

Accounting & billing

Security Management, e.g. Equipment Identity Register (EIR)

Network and radio

GSM components network operation, MSC

A provider network has in general many distributed MSCs

Many standards and interfaces discussed in last lecture apply here

Controls the access and authorization of mobile subscribers

To convert 13kbit/s (from MS), 16kbit/s (from BSC because of some

Performs all the switching and routing functions of a fixed network

Allocation and administration of radio resources

Management of mobile users

Manages handover execution and control

Does paging (search for MS within the BSCs)

GSM components visitor location register (VLR)

MSC looks up users and communication information in VLR

VLR is a temporary database dynamically updated when subscribers

Idea: Avoid heavy MSC-VRL signaling load on network links

VLR entries contain the following information: