Contents
1 Digital Transmission 3
1.1 PCM30: Transmission in GSM fixed network part 6
2 PCM30 9
3 Power Control in CDMA 15
3.1 Effect of No Power Control 16
3.2 The NEAR – FAR Problem 18
3.3 Classification of Power Control Techniques 20
3.4 Power Control Techniques for DS-CDMA 22
3.4.1 REVERSE LINK OPEN-LOOP POWER CONTROL 24
3.4.2 FORWARD LINK POWER CONTROL 26
3.4.3 REVERSE LINK POWER CONTROL 27
3.4.4 REVERSE LINK CLOSED-LOOP POWER CONTROL 28
3.5 RAKE Receiver 31
3.5.1 RAKE Receiver Structure 34
4 HANDOFF 37
4.1 SOFT HANDOVER 38
4.1.1 THE IMPORTANCE OF SOFT HANDOFF 38
4.2 Softer Handover 40
4.3 Implementation of SOFT HANDOVER 42
5 MULTIUSER DETECTION 45
6 CDMA Security Codes 48
7 Security in CDMA 55
7.1 Authentication 58
7.2 Voice Privacy 60
8 Security in GSM 67
8.1 Encryption for secrecy in GSM 68
8.2 TMSI allocation 70
8.3 IMEI Check 72
TM2106EU01EG_0001
1
Siemens
CDMA System Performance
Digital Transmission
As mentioned before, speech undergoes several processes in the network, such as:
• Analog to Digital conversion (A/D).
• Speech compression.
Voice is digitized so that it can be transmitted over long distances without distortion or
degradation, using PCM (Pulse Code Modulation); the amount of information is then reduced
by speech compression using CELP (Code Excited Linear Prediction).
Fig.1
Fig.2
1.1 PCM30: Transmission in GSM fixed network part
Fig.3
2 PCM30
PCM30 transmission systems use digital transmission lines or radio relay. A PCM30 frame
consists of 32 time multiplexed time slots.
The 32 time slots can contain pulse code modulated message information (speech, data) or
signaling information in the form of 8-bit words.
The total bit rate of a PCM30 line is 2048 kbit/s
• Time slot 0: alternately frame identification word and service word (alarms).
• Time slots 1-15 and 17-31: calls or data.
• Time slot 16: signaling channel.
The pulse frames are transmitted in a direct sequence.
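As an added illustration, not part of the Siemens text, the following Python builds one PCM30 frame from 30 channel bytes and one signaling byte and demultiplexes it again, checking that time slot 0 alternates between the frame alignment word and the service word. The frame alignment pattern (0011011 in bits 2 to 8) and the position of the remote alarm bit (bit 3 of the service word) are taken from ITU-T G.704 and are assumptions here; the page only names the two words.

```python
# Added example: PCM30 (E1) frame multiplexing and demultiplexing in pure Python.
# Assumptions (not stated on the page): FAS pattern bits 2-8 = 0011011 and the
# remote-alarm bit in bit 3 of the service word follow ITU-T G.704; bit 1 of
# time slot 0 is left at 0.

SLOTS = 32
BITS_PER_SLOT = 8
FRAMES_PER_SECOND = 8000      # one 8-bit PCM sample per channel every 125 us

FAS_PATTERN = 0x1B            # 0011011 in bits 2-8 of time slot 0 (even frames)
NFAS_FLAG = 0x40              # bit 2 = 1 marks the service word (odd frames)
REMOTE_ALARM = 0x20           # bit 3 of the service word


def line_bit_rate_kbit_s():
    """32 slots x 8 bits x 8000 frames/s = 2048 kbit/s."""
    return SLOTS * BITS_PER_SLOT * FRAMES_PER_SECOND // 1000


def build_frame(frame_no, channels, signaling, remote_alarm=False):
    """Assemble one 32-byte frame: TS0 = FAS or service word, TS16 = signaling,
    TS1-15 and TS17-31 = the 30 speech/data channels in order."""
    channels = bytes(channels)
    if len(channels) != 30:
        raise ValueError("PCM30 carries exactly 30 channels")
    if frame_no % 2 == 0:
        ts0 = FAS_PATTERN
    else:
        ts0 = NFAS_FLAG | (REMOTE_ALARM if remote_alarm else 0)
    return bytes([ts0]) + channels[:15] + bytes([signaling & 0xFF]) + channels[15:]


def demux_frame(frame):
    """Split a 32-byte frame back into its parts and classify time slot 0."""
    if len(frame) != SLOTS:
        raise ValueError("a PCM30 frame is 32 time slots")
    ts0 = frame[0]
    if (ts0 & 0x7F) == FAS_PATTERN:         # ignore bit 1 (Si)
        kind, alarm = "FAS", None
    elif ts0 & NFAS_FLAG:
        kind, alarm = "NFAS", bool(ts0 & REMOTE_ALARM)
    else:
        raise ValueError("loss of frame alignment: TS0 = 0x%02x" % ts0)
    return {
        "ts0": kind,
        "remote_alarm": alarm,
        "signaling": frame[16],
        "channels": frame[1:16] + frame[17:32],
    }


def demux_stream(stream):
    """Cut a byte stream into frames and check that TS0 alternates FAS/NFAS."""
    if len(stream) % SLOTS:
        raise ValueError("stream is not a whole number of frames")
    frames = [demux_frame(stream[i:i + SLOTS]) for i in range(0, len(stream), SLOTS)]
    for n, f in enumerate(frames):
        expected = "FAS" if n % 2 == 0 else "NFAS"
        if f["ts0"] != expected:
            raise ValueError("frame %d: expected %s in TS0" % (n, expected))
    return frames


if __name__ == "__main__":
    # Constructed sample: 30 channels carrying their own index, signaling byte 0xAB,
    # remote alarm raised in the fourth frame
    sample = [build_frame(n, range(30), 0xAB, remote_alarm=(n == 3)) for n in range(4)]
    for f in demux_stream(b"".join(sample)):
        print(f["ts0"], f["remote_alarm"], hex(f["signaling"]), f["channels"][:4].hex())
```

The alternation check is the practical point: a receiver that accepts any byte in time slot 0 cannot tell a slipped or corrupted stream from a valid one, so loss of frame alignment must be an explicit error.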
Fig.4
Fig.5
3 Power Control in CDMA
3.1 Effect of No Power Control
In recent years the cellular communications market has exploded. The main goal of cellular
communications systems is to enable communication services irrespective of time and
location.
Because of the dramatic increase in the number of users, and in order to meet the growing
demand of subscribers for different kinds of services (conferencing, multimedia, database
access, Internet, etc.), higher data rates of up to 2 Mbit/s and more stringent Quality of
Service (QoS) requirements are necessary.
Meeting these data rates and QoS requirements calls for new transmission technologies and
improved radio resource management, especially power control and handoff.
Power control is one of the most important system requirements. It has been analyzed for
cellular networks based on FDMA and TDMA and for DS-CDMA cellular networks; in most
modern systems both base stations and mobiles can adjust their transmit power in real time
(dynamically).
Fig.6
3.2 The NEAR – FAR Problem
For different UEs transmitting with identical power, the power received at the BTS from a UE
located near the BTS is higher than that from a more remote UE. This means that only the
information of the UE near the BTS can be interpreted, which must be prevented as far as
possible. In the ideal case the power received at the BTS is identical for all UEs served by
it (assuming identical transfer rates); this ideal situation also represents the maximum
capacity of the cell.
Genuine fast power control is necessary because of the mobility of the UE, which causes
rapid variation in the attenuation experienced by the UE's signal. Consider the example
shown:
If the mobiles are permitted to transmit the same power from two different distances, the
ratio of the received signals at the base station is given by equation (1).
Equation (1) implies that if d1 ≠ d2 the received signals of the two mobiles differ,
depending on the propagation environment (path-loss exponent γ) and the respective
distances. For example, if d2 = 4·d1 and γ = 4 (typical dense urban environment), P(UE1)
from mobile 1 is 4^4 = 256 times (24 dB) stronger than P(UE2) from mobile 2, and the base
station receiver is unable to recover the weaker signal P(UE2). Therefore the transmit power
of each mobile has to be controlled so that its received power at the cell site is held at a
predetermined level irrespective of distance: the objective of mobile power control is to
produce a nominal received power from all mobiles in a given cell or sector.
Well-defined power control is therefore essential for the proper functioning of a DS-CDMA
system. In the absence of power control the capacity of a DS-CDMA mobile system is very
low, even lower than that of mobile systems based on FDMA.
A further reason for using power control, both in FDMA/TDMA and in DS-CDMA networks, is to
prolong battery life by using the minimum transmit power that achieves the required
transmission quality.
Fig.7
3.3 Classification of Power Control Techniques
• Strength-based.
In strength-based schemes the strength of the signal arriving at the base station from a
mobile is measured to determine whether it is higher or lower than the desired strength,
and the command to lower or raise the transmit power is issued accordingly.
• SIR-based.
In SIR-based schemes the measured quantity is the SIR where interference consists of
channel noise and multi-user interference. Strength-based power control is easier to
implement but SIR-based power control reflects better system performance such as QoS
and capacity. A serious problem associated with SIR-based power control is the potential to
get positive feedback to endanger the stability of the system. Positive feedback arises in a
situation when one mobile under instructions from the base station has to raise its transmit
power in order to deliver a desirable SIR to the base station, but the increase in its power
also results in an increase in interference to other mobiles so that these other mobiles are
then forced to also increase their power, etc. In the case of N mobiles in the system, this
becomes a typical non-cooperative N-person game problem.
• BER-based.
In BER-based power control, BER is defined as an average number of erroneous bits
compared to the original sequence of bits. If the signal and interference powers are
constant, the BER will be a function of the SIR, and in this case the QoS is equivalent.
However, in reality the SIR is time-variant and thus the average SIR will not correspond to
the average BER. In this case the BER is a better quality measure. Since the channel
coding is implemented in every practical system, power control can be based on the
average number of erroneous frames as well.
According to update strategies, power control algorithms can be classified as follows: -
• Those where the transmit power step size is fixed (fixed step size algorithm)
• Those where the transmit power step size is made adaptive to the channel variation.
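The following Python is an added example, not from the Siemens text, that serves both the near-far discussion in 3.2 and the SIR-based scheme above: it reproduces the 24 dB figure for d2 = 4·d1, shows the SIR a far user gets when nobody controls power, and runs the distributed SIR-based loop (each mobile scales its power by target/measured SIR) once with a feasible load and once with a load where the loop turns into the positive feedback the text warns about. The distance-only path-loss model, the processing gain G = 64 and the 7 dB target are assumptions; none of them appear on the page.

```python
# Added example (not from the Siemens text): the near-far problem and SIR-based
# power control in a single DS-CDMA cell, pure Python.
# Assumptions: distance-only path loss P_rx = P_tx * d^-gamma (no fading), a
# processing gain G of 64 and a per-user SIR target of 7 dB; none of these values
# are given on the page.
import math

GAMMA = 4.0          # path-loss exponent, dense urban (as in the text)
G = 64               # processing gain (chips per bit), assumption
TARGET_DB = 7.0      # per-user SIR target after despreading, assumption


def db(x):
    return 10.0 * math.log10(x)


def from_db(x_db):
    return 10.0 ** (x_db / 10.0)


def near_far_ratio_db(d1, d2, gamma=GAMMA):
    """Received-power ratio of two mobiles transmitting equal power at d1 and d2.
    d2 = 4*d1 with gamma = 4 gives 4^4 = 256, about 24 dB, as in the text."""
    return db((d2 / d1) ** gamma)


def despread_sirs(tx_powers, gains, noise):
    """SIR of each user after despreading: G times own received power over the
    sum of all other users' received power plus noise."""
    rx = [p * g for p, g in zip(tx_powers, gains)]
    total = sum(rx)
    return [G * r / (total - r + noise) for r in rx]


def sir_balancing(gains, target, noise, iters=200, p_max=None):
    """Distributed SIR-based control: every slot each mobile scales its power by
    target/measured SIR. This converges only if the targets are jointly
    feasible (K < 1 + G/target); otherwise every mobile keeps raising power in
    response to the others (positive feedback) until it hits p_max, and some
    users never reach the target."""
    p = [1.0] * len(gains)
    for _ in range(iters):
        sirs = despread_sirs(p, gains, noise)
        p = [pi * target / s for pi, s in zip(p, sirs)]
        if p_max is not None:
            p = [min(pi, p_max) for pi in p]
    return p, despread_sirs(p, gains, noise)


def demo(k_users, noise=1e-4, p_max=1.0):
    """k_users mobiles spread evenly between 0.2 km and 2.0 km from the cell site."""
    dists = [0.2 + 1.8 * i / (k_users - 1) for i in range(k_users)]
    gains = [d ** (-GAMMA) for d in dists]
    target = from_db(TARGET_DB)
    # 1) no power control: everybody transmits 1.0 and the far user is swamped
    uncontrolled = despread_sirs([1.0] * k_users, gains, noise)
    # 2) SIR-based control
    powers, controlled = sir_balancing(gains, target, noise, p_max=p_max)
    return {
        "feasible": k_users < 1 + G / target,
        "far_user_sir_db_uncontrolled": db(uncontrolled[-1]),
        "near_user_sir_db_uncontrolled": db(uncontrolled[0]),
        "all_meet_target": all(abs(s - target) / target < 1e-3 for s in controlled),
        "min_sir_db_controlled": db(min(controlled)),
        "users_at_p_max": sum(1 for p in powers if p >= p_max),
    }


if __name__ == "__main__":
    print("near/far ratio for d2 = 4 d1:", round(near_far_ratio_db(1.0, 4.0), 2), "dB")
    for k in (10, 20):
        print(k, "users:", demo(k))
```

With 10 users the loop settles with every SIR on target; with 20 users the feasibility bound 1 + G/target (about 13.8 here) is exceeded, the far users sit at their maximum power and still miss the target, which is the capacity limit the text describes.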
Fig.8
3.4 Power Control Techniques for DS-CDMA
A specific example of the adaptive step size approach is the inverse update algorithm,
which increases or decreases the mobile's transmit power by the actual difference between
the received signal power and the desired received signal power.
The power control command in fixed step size algorithms is a simple 1-bit command. It has
been shown that the inverse algorithm is superior to the fixed step size algorithm. However,
the fixed step size algorithm is easier to implement, because the inverse algorithm needs
additional bandwidth on the return channel to carry the power control step size instead of
the 1-bit command of the fixed step size algorithm. A compromise is an adaptive
delta-modulation algorithm.
Power control for DS-CDMA reverse link is the single most important system requirement
because of the Near/ Far effect. In this case, it is necessary to have a dynamic range for
control on the order of 80dB . For the forward link, no power control is required in a single
cell system, since all signals are transmitted together and hence vary together. However in
multiple cell systems, interference from neighboring cell sites fades independently from the
given cell site and thereby degrades performance. Thus it is necessary to apply power
control in this case also, to reduce intercell interference.
3.4.1 REVERSE LINK OPEN-LOOP POWER CONTROL
Reverse link (mobile to base station) open loop power control is accomplished by adjusting
the mobile transmit power so that the received signal at the base station is constant
irrespective of the mobile distance; where each mobile computes the relative path loss and
compensates the loss by adjusting its transmitting power. The total received power at the
cell site is the sum of all powers, which determines the system capacity. As shown we can
say that the reverse link open loop power control is primarily a function of the mobile
stations. The base stations take an active role in the reverse link closed-loop power control
and the forward link power control.
Fig. 9
3.4.2 FORWARD LINK POWER CONTROL
Forward link (base station to mobile) power control is a one-step process. The base station
controls its transmit power so that a given mobile receives extra power to overcome fading,
interference, bit errors, etc. In this mechanism the cell site gradually reduces its transmit
power while the mobile computes the frame error rate (FER). Once the mobile detects 1% FER,
it sends a request to stop the power reduction. The adjustment process occurs once every
15 to 20 ms.
3.4.3 REVERSE LINK POWER CONTROL
Power control for the reverse link is a combined technique consisting of closed-loop and
open-loop power control. It is a fixed step size, strength-based, distributed algorithm. The
goal of open-loop power control is to estimate the path loss and the loss due to shadowing
between the base station and the mobile station; from this estimate the mobile sets its
initial transmit power.
However, multipath fading on the reverse and forward DS-CDMA links are independent
processes, since the frequency separation of the two links is 45 MHz, which greatly exceeds
the coherence bandwidth of the channel. The open-loop estimate therefore cannot track
reverse-link fading, and closed-loop power control is used in addition. Every cell site
demodulator measures the received signal-to-noise ratio (SNR) from each mobile station.
The measured SNR is compared with the desired SNR for that mobile station and a power
adjustment command is sent to the mobile station. This command is combined with the mobile
station's open-loop estimate to obtain the final value of the mobile station transmit
power. The command has a fixed step size of 0.5 dB and is transmitted once every 1.25 ms.
The base station measures the signal quality (BER) and from it determines the desired SNR
for the specific mobile station.
In the power control technique described so far, subscribers are power controlled by the
base station of their own cell. However, the interference caused by subscribers in other
cells varies not only with the attenuation on the path to the desired cell site, but also
inversely with the attenuation from the interfering user to his own cell site, which, through
power control by that cell site, may increase or decrease the interference seen at the
desired cell site. It has been shown that the maximum number of subscribers in a cell is
highest when there are no subscribers in the neighboring cells; as the number of subscribers
in the neighboring cells increases, the maximum number of subscribers in the cell decreases.
For example, when the neighboring cells are fully loaded the reverse link can support 108
users per cell with a bit error rate of 10^-3 or better 99 percent of the time; this number
becomes 132 users per cell if the neighboring cells are kept to half of this loading.
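As an added example (not from the Siemens text), the Python below runs the closed loop just described against a constructed path-loss profile and compares the two update strategies contrasted in 3.4: the 1-bit command with a fixed 0.5 dB step, and the inverse update that sends the measured error itself. The open-loop estimate is assumed to be 3 dB too high, the channel is assumed to add 1 dB of loss per 1.25 ms slot for 20 slots (a mobile moving behind an obstruction) and to be flat otherwise; the values are in dB relative to the target and are assumptions, not figures from the page.

```python
# Added example (not from the Siemens text): reverse-link closed-loop power control
# with the two update strategies the text contrasts, a fixed 0.5 dB step driven by a
# 1-bit up/down command and the inverse-update rule that sends the measured error.
# Assumptions: one command per 1.25 ms slot, an open-loop estimate that is 3 dB too
# high, and a constructed path-loss profile (flat, then a 1 dB/slot ramp for 20
# slots, then flat); all values in dB, pure Python.

STEP_DB = 0.5
TARGET_RX_DB = 0.0          # desired received level at the cell site (relative)
OPEN_LOOP_ERROR_DB = 3.0    # open-loop estimate error the closed loop must remove
SLOT_MS = 1.25


def path_loss_profile(slots=80, ramp_start=10, ramp_len=20, ramp_db_per_slot=1.0):
    """Constructed channel: loss rises 1 dB per slot during the ramp, otherwise
    constant (100 dB before the ramp, 120 dB after it)."""
    return [100.0 + ramp_db_per_slot * max(0, min(t - ramp_start + 1, ramp_len))
            for t in range(slots)]


def fixed_step_command(error_db):
    """1-bit command: received level above target -> 'down', otherwise 'up'.
    The mobile moves by exactly STEP_DB per slot and never holds."""
    return -STEP_DB if error_db > 0 else STEP_DB


def inverse_update_command(error_db):
    """Multi-bit command carrying the actual error; the mobile applies it directly."""
    return -error_db


def run_closed_loop(command_rule, loss_db):
    """Return the per-slot received-power error (dB) seen at the base station.
    In slot t the cell site measures P_tx(t) - L(t), compares it with the target
    and sends a command that the mobile applies from the next slot on."""
    p_tx = TARGET_RX_DB + loss_db[0] + OPEN_LOOP_ERROR_DB   # open-loop starting point
    errors = []
    for loss in loss_db:
        error = (p_tx - loss) - TARGET_RX_DB
        errors.append(error)
        p_tx += command_rule(error)
    return errors


def summarize(errors, settle=1):
    """Worst |error| after the first slot, and the number of slots outside +/-1 dB."""
    tail = errors[settle:]
    return {
        "max_abs_error_db": max(abs(e) for e in tail),
        "slots_outside_1db": sum(1 for e in tail if abs(e) > 1.0),
    }


def compare():
    loss = path_loss_profile()
    return {
        "fixed_step": summarize(run_closed_loop(fixed_step_command, loss)),
        "inverse_update": summarize(run_closed_loop(inverse_update_command, loss)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The fixed step can only slew 0.5 dB per slot (400 dB/s at 1.25 ms), so during the 1 dB/slot ramp the received level falls up to 10.5 dB below target and takes another 20 slots to recover, while the inverse update stays within 1 dB throughout. That slew-rate limit is the cost of the 1-bit command; the price of the inverse update is the extra return-channel bandwidth the text mentions.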
3.4.4 REVERSE LINK CLOSED-LOOP POWER CONTROL
Fig.10
3.5 RAKE Receiver
Fig.11
3.5.1 RAKE Receiver Structure
Fig.12
4 HANDOFF
4.1 SOFT HANDOVER
The act of transferring support of a mobile from one base station to another is termed
handoff. Handoff occurs when a call has to be handed off from one cell to another as the
user moves between cells. In a traditional "hard" handoff, the connection to the current cell
is broken, and then the connection to the new cell is made. This is known as a "break-
before-make" handoff.
In a CDMA system the same frequency band is shared between all the cells. Thus there is
well-defined efficient bandwidth utilization. Though there is frequency reuse , the orthogonal
nature of the waveforms serves to distinguish between the signals that occupy the same
frequency band.
In power controlled CDMA systems soft handoff is preferred over hard handoff strategies.
This is more pronounced when the IS-95 standard is considered wherein the transmitter
[the base station] power is adjusted dynamically during the operation. Here the power
control and soft handoff are used as means of interference-reduction, which is the primary
concern of such an advanced communication system. The previous and the new wideband
channels occupy the same frequency band in order to make an efficient use of bandwidth,
which makes the use of soft handoff very important. The primary aim is to maintain a
continuous link with the strongest signal base station otherwise a positive power control
feedback would result in system problems. Soft handoff ensures a continuous link to the
base station from which the strongest signal is issued. Soft handoff requires less power,
which reduces interference and increases capacity.
Fig.13
4.2 Softer Handover
Fig.14
4.3 Implementation of SOFT HANDOVER
Fig.15
5 MULTIUSER DETECTION
Current CDMA receivers are based on the RAKE receiver principle, which treats other users'
signals as interference. In an optimum receiver, however, all signals would be detected
jointly, or the interference from other signals would be removed by subtracting them from
the desired signal. This is possible because the correlation properties between the signals
are known (i.e., the interference is deterministic, not random).
The capacity of a direct sequence CDMA system using a RAKE receiver is interference limited.
In practice this means that when a new user, or interferer, enters the network, other users'
service quality drops below the acceptable level; the more interference the network can
tolerate, the more users can be served. The multiple access interference that disturbs a
base or mobile station is the sum of intra- and inter-cell interference. Multiuser detection
(MUD), also called joint detection or interference cancellation (IC), provides a means of
reducing the effect of multiple access interference and hence increases system capacity.
MUD is primarily considered for cancelling the intra-cell interference, so in a practical
system the capacity is limited by the efficiency of the algorithm and by the inter-cell
interference.
In addition to the capacity improvement, MUD alleviates the near/far problem typical of
DS-CDMA systems. A mobile station close to a base station may block the whole cell's traffic
by transmitting with too high a power; if this user is detected first and subtracted from
the input signal, the other users do not see its interference.
Since optimal multiuser detection is very complex and in practice impossible to implement
for any reasonable number of users, a number of suboptimum multiuser and interference
cancellation receivers have been developed. They fall into two main categories: linear
detectors and interference cancellation. Linear detectors apply a linear transform to the
outputs of the matched filters in order to remove the multiple access interference (i.e.,
the interference due to correlations between user codes); examples are the decorrelator and
the linear minimum mean square error (LMMSE) detector. In interference cancellation, the
multiple access interference is first estimated and then subtracted from the received
signal; parallel interference cancellation (PIC) and successive (serial) interference
cancellation (SIC) are examples.
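An added example, not from the Siemens text, of the near/far case just described: three synchronous users on a toy DS-CDMA uplink, one of them 20 dB stronger than the other two, detected once with the conventional matched filter (the single-user view a RAKE finger takes) and once with successive interference cancellation. The length-8 spreading codes, the amplitudes, the absence of multipath and the small noise level are assumptions chosen to make the effect visible; the page gives no such parameters.

```python
# Added example (not from the Siemens text): conventional matched-filter detection
# versus successive interference cancellation (SIC) on a toy synchronous DS-CDMA
# uplink with three users and a 20 dB near-far imbalance.
# Assumptions: hand-picked length-8 spreading codes, no multipath, known timing,
# known user ordering by power, small additive noise; pure Python, seeded.
import random

# Constructed +/-1 spreading codes. c1.c2 = 2, c1.c3 = 2, c2.c3 = 0 (out of 8),
# so users 2 and 3 each see 25 % cross-correlation with user 1.
CODES = [
    [+1, +1, +1, +1, +1, +1, +1, +1],
    [+1, +1, +1, +1, -1, -1, -1, +1],
    [+1, -1, +1, -1, +1, -1, +1, +1],
]
AMPLITUDES = [10.0, 1.0, 1.0]     # user 1 is 20 dB stronger: the near-far case
N_CHIPS = len(CODES[0])


def transmit(bits, rng, noise_sigma):
    """bits: list of K bit-lists (+/-1). Return the received chip sequence."""
    n = len(bits[0])
    rx = []
    for i in range(n):
        for chip in range(N_CHIPS):
            s = sum(a * b[i] * c[chip] for a, b, c in zip(AMPLITUDES, bits, CODES))
            rx.append(s + rng.gauss(0.0, noise_sigma))
    return rx


def matched_filter(rx_symbol, code):
    """Despread one symbol interval with one user's code (normalised correlation)."""
    return sum(r * c for r, c in zip(rx_symbol, code)) / N_CHIPS


def detect_mf(rx):
    """Conventional detector: each user is despread independently and the other
    users' signals are treated as noise."""
    n = len(rx) // N_CHIPS
    out = [[] for _ in CODES]
    for i in range(n):
        sym = rx[i * N_CHIPS:(i + 1) * N_CHIPS]
        for k, code in enumerate(CODES):
            out[k].append(1 if matched_filter(sym, code) >= 0 else -1)
    return out


def detect_sic(rx):
    """SIC: detect the strongest user first, rebuild its chip-level signal from the
    matched-filter output (amplitude times bit estimate) and subtract it, then
    detect the next user on the residual, and so on."""
    n = len(rx) // N_CHIPS
    order = sorted(range(len(CODES)), key=lambda k: -AMPLITUDES[k])
    out = [[] for _ in CODES]
    for i in range(n):
        residual = list(rx[i * N_CHIPS:(i + 1) * N_CHIPS])
        for k in order:
            y = matched_filter(residual, CODES[k])
            out[k].append(1 if y >= 0 else -1)
            residual = [r - y * c for r, c in zip(residual, CODES[k])]
    return out


def bit_errors(truth, decisions):
    return [sum(1 for a, b in zip(t, d) if a != b) for t, d in zip(truth, decisions)]


def run(n_bits=200, seed=1, noise_sigma=0.1):
    """Bit errors per user for both detectors on the same received signal."""
    rng = random.Random(seed)
    bits = [[rng.choice((-1, 1)) for _ in range(n_bits)] for _ in CODES]
    rx = transmit(bits, rng, noise_sigma)
    return {"mf": bit_errors(bits, detect_mf(rx)),
            "sic": bit_errors(bits, detect_sic(rx))}


if __name__ == "__main__":
    print(run())   # weak users fail under MF, all three recover under SIC
```

With the matched filter the strong user leaks 10 × 0.25 = 2.5 units into each weak user's decision variable against a wanted amplitude of 1, so every bit where the strong user's bit differs from the weak user's is decided wrongly. SIC takes the strong user out first and leaves the weak users with a margin of about 0.9, which is the "detect the near user first and subtract it" step the text describes.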
Fig.16
6 CDMA Security Codes
• A-Key
A 64-bit cryptographic key stored in the semi-permanent memory of the mobile station and
also known to the Authentication Center (AC or HLR/AC) of the wireless system. It is entered
when the mobile station is first put into service with a particular subscriber and usually
remains unchanged unless the operator determines that its value has been compromised. The
A-Key is used in the SSD generation procedure.
• SSD
The Shared Secret Data is a 128-bit pattern stored in the mobile station (in semi-permanent
memory) and readily available to the base station. SSD is partitioned into two distinct
subsets, each supporting a different process:
SSD_A is used to support the authentication procedures; and
SSD_B is used to support CDMA voice privacy and message confidentiality.
• SSD_A
A 64-bit binary quantity in the semi-permanent memory of the mobile station and also known
to the Authentication Center. It may be shared with the serving MSC. It is used in the
computation of the authentication response.
• SSD_B
A 64-bit binary quantity in the semi-permanent memory of the mobile station and also known
to the Authentication Center. It may be shared with the serving MSC. It is used in the
computation of the CMEA key, the VPM (Voice Privacy Mask) and the Data Key (for data
services).
• Random Challenge Memory (RAND)
A 32-bit value held in the mobile station. When operating in the analog mode, it is the
concatenation of the last RAND1_A and RAND1_B values received in the Random Challenge A
and Random Challenge B Global Action Messages appended to the overhead message train of
the Forward Analog Control Channel. Both RAND1_A and RAND1_B must be received on the same
control channel and in the same Overhead Message Train for a valid RAND to exist. When
operating in CDMA mode, it is equal to the RAND value received in the last Access
Parameters Message on the CDMA Paging Channel. RAND is used in conjunction with SSD_A and
other parameters, as appropriate, to authenticate mobile station originations,
terminations and registrations.
Fig.17
Fig.18
• ESN
The Electronic Serial Number (ESN) is a 32-bit binary number that uniquely identifies the
mobile station to any cellular system. It must be factory-set and not readily alterable in
the field. Modification of the ESN requires a special facility not normally available to
subscribers. The circuitry that provides the ESN must be isolated from fraudulent contact
and tampering; electronic storage devices mounted in sockets or connected with a cable are
deemed not to comply with this requirement, and attempts to change the ESN circuitry must
render the mobile station inoperative. At the time of issuance of initial type acceptance,
the manufacturer is assigned a Manufacturer's (MFR) Code in the eight most significant bits
(bit 31 through bit 24) of the 32-bit serial number. Bits 23 through 18 are reserved
(initially all zero), and bits 17 through 0 are uniquely assigned by each manufacturer.
When a manufacturer has used substantially all possible combinations of serial numbers
within bits 17 through 0, the manufacturer may submit notification to the FCC, which
allocates the next sequential binary number within the reserved block (bits 23 through 18).
• IMSI
Mobile stations are identified by the International Mobile Station Identity (IMSI). The IMSI
consists of up to 15 numerical characters (0-9). The first three digits of the IMSI are the
mobile country code (MCC), and the remaining digits are the national mobile station identity
(NMSI). The NMSI consists of the mobile network code (MNC) and the mobile station
identification number (MSIN).
An IMSI that is 15 digits in length is called a class 0 IMSI (the NMSI is 12 digits in length);
an IMSI that is less than 15 digits in length is called a class 1 IMSI (the NMSI is less than
12 digits in length). The IMSI_S is a 10-digit (34-bit) number derived from the IMSI. When
the IMSI has ten or more digits, IMSI_S is equal to the last ten digits. When the IMSI has
fewer than ten digits, the least significant digits of IMSI_S are equal to the IMSI and zeros
are added to the most significant side to obtain a total of ten digits. The 10-digit IMSI_S
consists of 3- and 7-digit parts, called IMSI_S2 and IMSI_S1, respectively; IMSI_S is
mapped into a 34-bit number.
• ORYX:
ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream
cipher based on three 32-bit LFSRs. It is distinct from CMEA, which is a block cipher used
to encrypt the cellular data control channel.
• CAVE:
CAVE expands to Cellular Authentication Voice and Encryption Algorithm.
• CMEA:
CMEA is the encryption algorithm developed by the Telecommunications Industry
Association to encrypt digital cellular phone data. It uses a 64-bit key and features a
variable block length. CMEA is used to encrypt the control channel of cellular phones. It is
distinct from ORYX, an also insecure stream cipher that is used to encrypt data transmitted
over digital cellular phones.
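The following Python is an added example, not from the Siemens text, that parses the two identifiers defined above. The ESN field boundaries and the IMSI to IMSI_S rule (last ten digits, zero-padded on the left) follow the text. The packing of IMSI_S into 34 bits is an assumption: it uses the AMPS MIN-style digit mapping that IS-95 inherited (a 0 digit counts as 10, three digits become value minus 111 in 10 bits, the single digit becomes 4 bits), which the page does not spell out. All identifier values are constructed.

```python
# Added example (not from the Siemens text): parsing the ESN and IMSI identifiers.
# ESN field boundaries follow the text (bits 31-24 MFR code, 23-18 reserved,
# 17-0 serial). IMSI -> IMSI_S follows the text (last ten digits, zero-padded on
# the left). The 34-bit packing of IMSI_S is an assumption (AMPS/IS-95 MIN-style
# digit mapping); the page only says "34-bit".


def parse_esn(esn):
    if not 0 <= esn < 2 ** 32:
        raise ValueError("ESN is a 32-bit number")
    return {
        "mfr_code": esn >> 24,
        "reserved": (esn >> 18) & 0x3F,
        "serial": esn & 0x3FFFF,
    }


def imsi_s_from_imsi(imsi):
    """Last ten digits, or the whole IMSI left-padded with zeros to ten digits."""
    return imsi[-10:] if len(imsi) >= 10 else imsi.zfill(10)


def parse_imsi(imsi):
    if not (imsi.isdigit() and 1 <= len(imsi) <= 15):
        raise ValueError("IMSI is 1 to 15 decimal digits")
    return {
        "class": 0 if len(imsi) == 15 else 1,   # class 0: 15 digits, NMSI 12 digits
        "mcc": imsi[:3],
        "nmsi": imsi[3:],
        "imsi_s": imsi_s_from_imsi(imsi),
    }


def split_imsi_s(imsi_s):
    """IMSI_S2 is the first three digits, IMSI_S1 the remaining seven."""
    if len(imsi_s) != 10 or not imsi_s.isdigit():
        raise ValueError("IMSI_S is ten digits")
    return imsi_s[:3], imsi_s[3:]


def _three_digits_to_10_bits(d):
    # assumption: MIN-style mapping, digit 0 is treated as 10, then subtract 111
    value = sum((10 if ch == "0" else int(ch)) * w for ch, w in zip(d, (100, 10, 1)))
    return value - 111                        # 0 .. 999, fits in 10 bits


def _one_digit_to_4_bits(ch):
    return 10 if ch == "0" else int(ch)       # assumption: BCD with 0 -> 1010


def imsi_s_to_34_bits(imsi_s):
    """Pack IMSI_S2 (10 bits) and IMSI_S1 (24 bits = 10 + 4 + 10) into 34 bits."""
    s2, s1 = split_imsi_s(imsi_s)
    s1_bits = ((_three_digits_to_10_bits(s1[:3]) << 14)
               | (_one_digit_to_4_bits(s1[3]) << 10)
               | _three_digits_to_10_bits(s1[4:]))
    return (_three_digits_to_10_bits(s2) << 24) | s1_bits


if __name__ == "__main__":
    print(parse_esn(0x8E000001))                  # constructed ESN
    info = parse_imsi("310150123456789")          # constructed IMSI
    print(info, bin(imsi_s_to_34_bits(info["imsi_s"])))
```

Both values travel over the air in the clear during access, which is why the text ties authentication to the A-Key and SSD rather than to the identifiers themselves: knowing a subscriber's ESN and IMSI_S is what a cloner can obtain, and it must not be enough.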
Fig.19
Fig.20
Fig.21
Fig.22
7 Security in CDMA
Since the birth of the cellular industry, security has been a major concern for both service
providers and subscribers. Service providers are primarily concerned with preventing
fraudulent operations such as cloning or subscription fraud, while subscribers are mainly
concerned with privacy.
The security protocols of CDMA networks are among the best in the industry. By design, CDMA
technology makes eavesdropping, whether intentional or accidental, very difficult.
Unique to CDMA systems is the PN (pseudo-random noise) sequence called the "Long Code",
generated by a 42-bit shift register, which is used to scramble voice and data.
CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the
Electronic Serial Number (ESN) of the mobile. A random binary number called RANDSSD,
generated in the HLR/AC, also plays a role in the authentication procedures.
The A-Key is programmed into the mobile and stored in the Authentication Center (AC) of the
network. In addition to authentication, the A-Key is used to generate the sub-keys for voice
privacy and message encryption.
CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption) algorithm to
generate a 128-bit sub-key called the "Shared Secret Data" (SSD). The A-Key, the ESN and the
network-supplied RANDSSD are the inputs to CAVE, which generates the SSD. The SSD has two
parts: SSD_A (64 bits) for creating authentication signatures and SSD_B (64 bits) for
generating the keys that encrypt voice and signaling messages. The SSD can be shared with
roaming service providers to allow local authentication, so the A-Key itself never has to
leave the home AC. A fresh SSD can be generated when a mobile returns to the home network
or roams to a different system.
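The scrambling claim above deserves one caveat a practitioner will want, and the Python below is an added example, not from the Siemens text, that makes it concrete: a keystream produced by a linear feedback shift register is completely determined by 2L consecutive output bits (L being the register length), which the Berlekamp-Massey algorithm recovers from a known-plaintext segment. A 31-stage register with feedback x^31 + x^3 + 1 stands in for the 42-stage long-code generator, whose polynomial is not on the page; the initial state ("mask") and the plaintext are constructed.

```python
# Added example (not from the Siemens text): why a long-code scrambler gives
# privacy only as long as its mask stays secret. Any LFSR keystream of length L
# is fixed by 2L consecutive output bits, which Berlekamp-Massey recovers from
# known plaintext. Assumptions: a 31-stage register with feedback x^31 + x^3 + 1
# stands in for the 42-stage IS-95 generator; state and data are constructed.
import random

L_STAGES = 31
FEEDBACK_TAPS = (3, 31)     # s[i] = s[i-3] XOR s[i-31]


def lfsr_sequence(initial_state, taps, n):
    """Extend an initial state (list of bits) by the linear recurrence to n bits."""
    if not any(initial_state):
        raise ValueError("all-zero state produces the all-zero sequence")
    s = list(initial_state)
    while len(s) < n:
        bit = 0
        for j in taps:
            bit ^= s[-j]
        s.append(bit)
    return s[:n]


def berlekamp_massey(bits):
    """Shortest LFSR (length, connection polynomial c) generating `bits` over
    GF(2): bits[i] = XOR over j = 1..length of c[j] & bits[i-j]."""
    n = len(bits)
    c = [1] + [0] * n
    b = [1] + [0] * n
    length, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, t
    return length, c[:length + 1]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def eavesdrop(n_total=2000, known_bits=100, seed=7):
    """Scramble constructed data with the LFSR, give the attacker `known_bits`
    of plaintext/ciphertext, and let it regenerate the rest of the keystream."""
    rng = random.Random(seed)
    mask = [rng.randint(0, 1) for _ in range(L_STAGES)]          # secret state
    if not any(mask):
        mask[0] = 1
    plaintext = [rng.randint(0, 1) for _ in range(n_total)]      # constructed data
    keystream = lfsr_sequence(mask, FEEDBACK_TAPS, n_total)
    ciphertext = xor_bits(plaintext, keystream)

    # attacker: known plaintext -> keystream prefix -> recurrence -> whole keystream
    prefix = xor_bits(ciphertext[:known_bits], plaintext[:known_bits])
    length, c = berlekamp_massey(prefix)
    taps = [j for j in range(1, length + 1) if c[j]]
    regenerated = lfsr_sequence(prefix[:length], taps, n_total)
    recovered = xor_bits(ciphertext, regenerated)
    return {
        "recovered_length": length,
        "keystream_recovered": regenerated == keystream,
        "plaintext_recovered": recovered == plaintext,
        "known_bits_needed": 2 * length,
    }


if __name__ == "__main__":
    print(eavesdrop())
    print(eavesdrop(known_bits=62))   # exactly 2L bits already suffice
```

The lesson for the scheme described above is that the long code by itself is not a cipher: the protection comes from keeping the mask derived from SSD_B (the Voice Privacy Mask) secret and from the non-linear steps of the algorithms that derive it, not from the length or apparent randomness of the sequence.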
7.1 Authentication
Authentication is the process by which information is exchanged between a MS and the BS
for the purpose of confirming the identity of the MS. The authentication process succeeds
only when it can be demonstrated that the MS and the BS possess identical sets of shared
secret data (SSD). For example, in a CDMA authentication protocol the MS and BS each hold
matching sealed authenticators (i.e. identical SSD), actually a short message digest of
symbols produced and distributed by the authentication algorithm.
The shared secret data (SSD) is a 128-bit pattern stored in the MS and readily available to
the BS. The SSD is partitioned into two distinct subsets, each supporting a different
process: SSD-A and SSD-B. The 64-bit SSD-A supports authentication and the 64-bit SSD-B
supports CDMA voice privacy and data confidentiality.
SSD is updated using the SSD generation procedure, initialized with the mobile station
specific information (ESN), random data (RANDSSD) and the mobile's A-Key. The 64-bit A-Key
is stored in the mobile station and in its associated Home Location Register /
Authentication Center (HLR/AC).
• When shall authentication be performed?
Authentication is performed when the mobile carries out any of the following procedures:
1. Registration: when the mobile performs autonomous registration.
2. Origination: when the mobile station originates a call.
3. Termination: when the mobile station responds to a page message.
4. Mobile station data: when it sends a Data Burst Message, e.g. SMS.
5. Base station challenge: during SSD update.
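The exchanges described in this section, modelled in Python as an added example that is not part of the Siemens text: an SSD update with the base station challenge, then the global challenge answered on registration or origination, and two things that must fail, a clone that knows the ESN and IMSI_S but not the A-Key, and a replay of a captured response against a fresh challenge. A keyed hash (HMAC-SHA256, truncated) stands in for CAVE, whose internals are not on the page; the A-Key, ESN, IMSI_S, RANDSSD and RAND values are constructed, and the digest lengths are illustrative, not the IS-95 field widths.

```python
# Added example (not from the Siemens text): SSD update, base-station challenge
# and global challenge/response. Assumption: HMAC-SHA256 stands in for CAVE,
# whose internals are not given on the page; all identifiers and random values
# are constructed constants, where a real AC would draw RANDSSD and RAND fresh.
import hmac
import hashlib


def cave_stand_in(key, *fields):
    """Keyed, one-way mixing of the inputs; NOT the CAVE algorithm."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def generate_ssd(a_key, esn, randssd):
    """128-bit SSD from A-Key, ESN and RANDSSD, split into SSD_A and SSD_B."""
    d = cave_stand_in(a_key, b"SSD", esn, randssd)
    return d[:8], d[8:16]


def auth_signature(ssd_a, rand, esn, imsi_s):
    """Short digest binding the challenge to the subscriber's identifiers."""
    return cave_stand_in(ssd_a, b"AUTH", rand, esn, imsi_s)[:4]


class MobileStation:
    def __init__(self, esn, imsi_s, a_key):
        self.esn, self.imsi_s, self.a_key = esn, imsi_s, a_key
        self.ssd_a = self.ssd_b = None

    def ssd_update(self, randssd):
        self.ssd_a, self.ssd_b = generate_ssd(self.a_key, self.esn, randssd)

    def expected_bs_response(self, randbs):
        """Base-station challenge: the network must prove it knows the new SSD_A."""
        return auth_signature(self.ssd_a, randbs, self.esn, b"BS")

    def respond(self, rand):
        """Answer a global challenge broadcast on the paging channel."""
        return self.esn, self.imsi_s, auth_signature(self.ssd_a, rand, self.esn, self.imsi_s)


class AuthCenter:
    def __init__(self):
        self.subs = {}   # esn -> {"a_key", "imsi_s", "ssd_a", "ssd_b"}

    def provision(self, esn, imsi_s, a_key):
        self.subs[esn] = {"a_key": a_key, "imsi_s": imsi_s, "ssd_a": None, "ssd_b": None}

    def ssd_update(self, esn, randssd):
        s = self.subs[esn]
        s["ssd_a"], s["ssd_b"] = generate_ssd(s["a_key"], esn, randssd)

    def answer_bs_challenge(self, esn, randbs):
        return auth_signature(self.subs[esn]["ssd_a"], randbs, esn, b"BS")

    def verify(self, rand, esn, imsi_s, authr):
        s = self.subs.get(esn)
        if s is None or s["imsi_s"] != imsi_s or s["ssd_a"] is None:
            return False
        return hmac.compare_digest(authr, auth_signature(s["ssd_a"], rand, esn, imsi_s))


def scenario():
    a_key = bytes.fromhex("0123456789abcdef")              # constructed 64-bit A-Key
    esn, imsi_s = bytes.fromhex("8e000001"), b"0123456789"  # constructed identifiers
    ac, ms = AuthCenter(), MobileStation(esn, imsi_s, a_key)
    ac.provision(esn, imsi_s, a_key)

    # SSD update: AC picks RANDSSD, both sides derive SSD; the MS challenges the BS
    randssd = bytes.fromhex("a1b2c3d4e5f607")
    ac.ssd_update(esn, randssd)
    ms.ssd_update(randssd)
    randbs = bytes.fromhex("11223344")
    bs_ok = ac.answer_bs_challenge(esn, randbs) == ms.expected_bs_response(randbs)

    # Global challenge on registration/origination
    rand1 = bytes.fromhex("1a2b3c4d")
    legit_ok = ac.verify(rand1, *ms.respond(rand1))

    # A clone knows ESN and IMSI_S (both sent over the air) but not the A-Key
    clone = MobileStation(esn, imsi_s, bytes(8))
    clone.ssd_update(randssd)                               # wrong A-Key -> wrong SSD
    clone_rejected = not ac.verify(rand1, *clone.respond(rand1))

    # Replaying the captured legitimate response against a fresh challenge fails
    captured = ms.respond(rand1)
    rand2 = bytes.fromhex("9e8f7061")
    replay_rejected = not ac.verify(rand2, *captured)
    return {"bs_challenge_ok": bs_ok, "legit_ok": legit_ok,
            "clone_rejected": clone_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(scenario())
```

Two details carry the security here: the base station challenge gives the mobile a proof that whoever ordered the SSD update holds the A-Key, so a rogue base station cannot install an SSD of its own choosing, and the response is bound to RAND, so a captured response is useless once the network moves on to a new challenge.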
Fig.23
7.2 Voice Privacy
Fig.24
Fig.25
Fig.26
Fig.27
Fig.28
8 Security in GSM
8.1 Encryption for secrecy in GSM
In GSM the picture is quite different, although conceptually similar. The challenge is
unique and is generated within the home system (the system where the phone is registered).
The algorithm and the master key (Ki, the GSM counterpart of the A-Key) are both stored on a
smart card called a SIM (Subscriber Identity Module). This allows the algorithm to vary
between service providers, and indeed this is the case for about 40% of phones.
The interface to which the algorithm adheres is called A3; it accepts a 128-bit challenge
(RAND) and produces a 32-bit response (SRES) based on the secret key in the SIM. At the same
time, an algorithm whose interface is called A8 calculates the corresponding 64-bit session
key (Kc) for privacy during the call. The "standard" algorithm performing both functions
together is called COMP128. This algorithm was held tightly secret by the GSM MoU
(Memorandum of Understanding group); only its interface was public. Because the algorithm
might not even be known at a visited system, the home system has to perform all of the
verification and key generation functions. As an optimization for network traffic, a number
of triplets are forwarded upon the first access.
These consist of:
1. A challenge to be sent to the mobile station
2. The expected response
3. The session key to be used after authentication succeeds.
Relying on the secrecy of the algorithm is rarely a good move, and indeed COMP128 was
disclosed in 1998. Furthermore, the algorithm is weak: the 1998 attack recovered the SIM's
Ki with on the order of 150,000 chosen challenges to the SIM card.
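The triplet mechanism just described, modelled in Python as an added example that is not part of the Siemens text: the home AuC holds Ki and the algorithm and hands out precomputed (RAND, SRES, Kc) triplets, the visited VLR consumes one per authentication and verifies by comparison only, without ever holding Ki or the algorithm. HMAC-SHA256 stands in for A3/A8 (COMP128 or an operator-specific algorithm), which is an assumption; the IMSI and Ki are constructed. The field widths follow GSM: RAND 128 bits, SRES 32 bits, Kc 64 bits.

```python
# Added example (not from the Siemens text): GSM authentication of a roaming
# subscriber with triplets from the home AuC. Assumption: HMAC-SHA256 stands in
# for A3/A8 (COMP128 or a proprietary algorithm); Ki and IMSI are constructed.
import hmac
import hashlib
import os


def a3_a8_stand_in(ki, rand):
    """Returns (SRES, Kc): 32-bit response and 64-bit session key. NOT COMP128."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3_a8_stand_in(self._ki, rand)


class HomeAuC:
    """Holds Ki and the algorithm; hands out precomputed triplets."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplets(self, imsi, n=5):
        out = []
        for _ in range(n):
            rand = os.urandom(16)                        # fresh 128-bit challenge
            sres, kc = a3_a8_stand_in(self._ki[imsi], rand)
            out.append((rand, sres, kc))
        return out


class VisitedVlr:
    """Stores triplets only; verification is a comparison, no key material needed."""
    def __init__(self, home):
        self.home = home
        self.unused = {}     # imsi -> list of (rand, sres, kc)
        self.pending = {}    # imsi -> (expected sres, kc)

    def challenge(self, imsi):
        if not self.unused.get(imsi):
            self.unused[imsi] = self.home.triplets(imsi)   # batch fetched on first access
        rand, sres, kc = self.unused[imsi].pop(0)          # each triplet is used once
        self.pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):
        """Kc is released to the radio side only when SRES matches."""
        expected, kc = self.pending.pop(imsi)
        return kc if hmac.compare_digest(sres, expected) else None


def roaming_scenario():
    imsi = "262011234567890"                                   # constructed IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed 128-bit Ki
    home = HomeAuC()
    home.provision(imsi, ki)
    vlr = VisitedVlr(home)
    sim = Sim(imsi, ki)

    rand = vlr.challenge(imsi)
    sres, kc_sim = sim.run_gsm_algorithm(rand)
    kc_net = vlr.verify(imsi, sres)

    # second authentication uses the next stored triplet, no home-network traffic
    rand2 = vlr.challenge(imsi)
    second_ok = vlr.verify(imsi, sim.run_gsm_algorithm(rand2)[0]) is not None

    bad_sim = Sim(imsi, bytes(16))                             # wrong Ki
    rand3 = vlr.challenge(imsi)
    bad_rejected = vlr.verify(imsi, bad_sim.run_gsm_algorithm(rand3)[0]) is None
    return {
        "first_ok": kc_net is not None and kc_net == kc_sim,
        "second_ok": second_ok,
        "wrong_ki_rejected": bad_rejected,
        "triplets_left": len(vlr.unused[imsi]),
        "vlr_holds_ki": hasattr(vlr, "_ki"),
    }


if __name__ == "__main__":
    print(roaming_scenario())
```

The design keeps Ki and the (possibly operator-specific) algorithm inside the SIM and the home AuC; what a visited network receives is a consumable list of challenges with their expected answers. That is also why a weak A3/A8 matters so much: the COMP128 attack on the SIM recovers Ki itself, after which every triplet the home network will ever issue can be computed by the attacker.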
Fig.29
8.2 TMSI allocation
Fig.30
8.3 IMEI Check
Fig.31
CALL PROCESSING
In getting to a traffic channel, a mobile station goes through several states:
• System initialization
• System idle state
• System access
• Traffic channel state.
In system initialization state the mobile acquires a pilot channel by searching all the PN Offsets possibilities
and selecting the strongest pilot signal. Once the pilot is acquired, the sync channel is acquired using the W32
Walsh function and the detected pilot channel.
Then the mobile obtains the system configuration and timing information.
Next the mobile enters the system idle state where it monitors the paging channel.
If a call is being placed or received, the mobile enters the system access state where the necessary
parameters are exchanged.
The mobile transmits its response on the access channel and the base station transmits its response on the
paging channel.
When the access attempt is successful the mobile enters the traffic state.
Fig.32
Fig.33
Fig.34
Fig.35
Fig.36
Fig.37
PROTOCOL LAYERING
The following figure shows a simplified logical view of the CDMA protocol structure for the Paging Channel,
Access Channel, Forward Traffic Channel and Reverse Traffic Channel. The protocol is divided into conceptual
layers. Layer 1 is the physical layer of the digital radio channel, including the functions associated with the
transmission of bits, such as modulation, coding, framing and channelization via radio waves.
Between Layer 1 and Layer 2 is a Multiplex Sublayer containing the multiplexing functions that allow the digital
radio channel to be shared by user data and signaling processes. For user data, protocol layering above the
Multiplex Sublayer is service option dependent and, where used, is described in the standards for the service
options.
For the signaling protocol described in this standard, two higher layers are defined. Signaling Layer 2 is the
protocol associated with the reliable delivery of signaling Layer 3 messages between the base station and the
mobile station, such as message retransmission and duplicate detection. Signaling Layer 3 is the protocol
associated with call processing, radio channel control and mobile station control, including call setup, handoff,
power control and mobile station lockout.
Fig.38