GSM Protocol Stack

GSM architecture is a layered model designed for allowing communications between two
different systems. Lower layers will assure services of the upper-layer protocols. Each layer will
pass appropriate notifications to make sure that the transmitted data is formatted, transmitted and
received accurately.
GMS protocol stacks diagram is shown below:

MS Protocols

Based on the interface, GSM signaling protocol will be assembled into three general layers:
 Layer 1: Physical layer. It makes use of the channel structures over the air interface.
 Layer 2: Data-link layer. Across the Um interface, data-link layer is a tailored version of
Link access protocol for D channel (LAP-D) protocol used in ISDN, called Link access
protocol on the Dm channel (LAP-Dm). Across the A interface, the Message Transfer Part
(MTP), Layer 2 of SS7 is used.
 Layer 3 : GSM signaling protocol’s third layer can be divided into three sub layers:
o Radio Resource Management (RR),
o Mobility Management (MM), and
o Connection Management (CM).

1. MS to BTS Protocols

RR layer is the lower layer which manages a link, both radio and fixed, between MS and MSC.
Main components involved for this formation are MS, BSS, and MSC. Job of RR layer is to
manage the RR-session, the time when a mobile is in a committed mode and the radio channels
which include the allocation of dedicated channels.

MM layer is stacked above the RR layer. It will handle the functions that arise from the mobility
of the subscriber and also the authentication and security aspects. Location management is
concerned with the procedures which enable the system to identify the current location of a
powered-on MS to compete the incoming call routing.

CM layer is the topmost layer of the GSM protocol stack and this layer is responsible for Call
Control, Supplementary Service Management, and Short Message Service Management. Each of
these services will be treated as individual layer within the CM layer. Other functions of the CC
sublayer include call establishment, selection of the type of service (including alternating
between services during a call), and call release.

BSC Protocols

BSC makes use of a different set of protocols after receiving the data from BTS. Abis interface is
used between BTS and BSC. At this level, radio resources at the lower portion of Layer 3 will be
changed from RR to Base Transceiver Station Management (BTSM). BTS management layer is
a relay function at BTS to BSC.

RR protocols will be responsible for the allocation and reallocation of traffic channels between
MS and BTS. These services contain controlling the initial access to the system, paging for MT
calls, hand-over of calls between cell sites, power control, and call termination. BSC still has
some radio resource management in place for the frequency coordination, frequency allocation
and management of the overall network layer for the Layer 2 interfaces.

To transit from BSC to MSC, BSS mobile application part or the direct application part will be
used and SS7 protocols will be applied by the relay. Therefore the MTP 1-3 can be used as the
main architecture.
MSC Protocols
At MSC, starting from BSC, information will be mapped across A interface to the MTP Layers 1
through 3. Here, Base Station System Management Application Part (BSS MAP) will be the
equal set of radio resources. Relay process is finished by the layers that are stacked on top of
Layer 3 protocols, they are BSS MAP/DTAP, MM, and CM. This will complete the relay
process. To find and connect to the users across the network, MSCs will interact using the
control-signalling network. Location registers will be included in the MSC databases to help in
the role of determining how and whether connections should be made to roaming users.

Every GSM MS user will be given a HLR which in turn consists of the user’s location and
subscribed services. VLR is a separate register used for tracking the location of a user. When the
user moves out of the HLR covered area, VLR will be notified by the MS to discover the
location of the user. VLR in turn, with the help of the control network, signals HLR of the MS’s
new location. With the help of location information contained in the user’s HLR, MT calls will
be routed to the user.

GSM Security and Encryption

GSM is the most secured cellular telecommunications system available today and all of its
security methods are standardized. GSM maintains end-to-end security by maintaining the
privacy of calls and secrecy of the GSM subscriber.

Temporary identification numbers will be assigned to the subscriber’s number so as to maintain

privacy of the user. Communication privacy can be maintained by applying encryption
algorithms and frequency hopping which is enabled using digital systems and signaling.

This chapter will give you an outline of the security measures implemented for GSM subscribers.

1. Mobile Station Authentication

The GSM network will authenticate the identity of the subscriber by using a challenge-response
mechanism. A 128-bit Random Number (RAND) will be sent to MS. MS will compute the 32-bit
Signed Response (SRES) based on the encryption of RAND with the authentication algorithm
(A3), using the individual subscriber authentication key (Ki). After receiving SRES from the
subscriber, GSM network will repeat the calculation for verifying the identity of the subscriber.

The individual subscriber authentication key (Ki) will never be transmitted over the radio
channel, as it is present in the subscriber's SIM, AUC, HLR and VLR databases. If the received
SRES agrees with the calculated value, it means that MS is successfully authenticated and you
can continue. If the values do not match, connection will be terminated and an authentication
failure will be indicated to MS.

Calculation of the signed response will be processed within the SIM. It offers improved security,
as confidential subscriber information like IMSI or the individual subscriber authentication key
(Ki) will never be released from the SIM during the authentication process.

2. Signaling and Data Confidentiality

SIM consists of the ciphering key generating algorithm (A8) which is used for producing the 64-
bit ciphering key (Kc). This key will be computed by applying the same random number
(RAND) that is used in the authentication process to ciphering key generating algorithm (A8)
with the individual subscriber authentication key (Ki).

GSM offers an additional level of security to change the ciphering key, make the system more
resistant to eavesdropping. Ciphering key can be changed periodically as and when required.
Similar to the authentication process, computation of the ciphering key (Kc) will take place
internally within the SIM. So, sensitive information like individual subscriber authentication key
(Ki) will never be revealed by the SIM.

Encrypted voice and data communications between MS and the network can be achieved with
the help of ciphering algorithm A5. Encrypted communication will be initiated by a ciphering
mode request command from the GSM network. After receiving this command, mobile station
will start encryption and decryption of data by using the ciphering algorithm (A5) and the
ciphering key (Kc).
Subscriber Identity Confidentiality

To guarantee subscriber identity confidentiality, Temporary Mobile Subscriber Identity (TMSI)

will be used. After the authentication and encryption procedures are done, TMSI will be sent to
the mobile station and after receiving, mobile station will respond. TMSI is valid in the location
area in which it was issued. For communications outside the location area, Location Area
Identification (LAI) is needed in addition to the TMSI.