The evolution of mobile telephone systems

Cellular is one of the fastest growing and most demanding telecommunications applications. Today, it represents a continuously increasing percentage of all new telephone subscriptions around the world. Currently there are more than 45 million cellular subscribers worldwide, and nearly 50 percent of those subscribers are located in the United States. It is forecasted that cellular systems using a digital technology will become the universal method of telecommunications. By the year 2005, forecasters predict that there will be more than 100 million cellular subscribers worldwide. It has even been estimated that some countries may have more mobile phones than fixed phones by the year 2000.

The concept of cellular service is the use of low-power transmitters so that frequencies can be reused within a geographic area. The idea of cell-based mobile radio service was formulated in the United States at Bell Labs in the early 1970s. However, the Nordic countries were the first to introduce cellular services for commercial use, with the introduction of the Nordic Mobile Telephone (NMT) system in 1981. Cellular systems began in the United States with the release of the Advanced Mobile Phone Service (AMPS) system in 1983. The AMPS standard was adopted in Asia, Latin America and Oceania, creating the largest potential market in the world for cellular. In the early 1980s, most mobile telephone systems were analog rather than digital, unlike today's newer systems. One challenge facing analog systems was the inability to handle the growing capacity needs in a cost-efficient manner. As a result, digital technology was welcomed. The advantages of digital systems over analog systems include ease of signaling, lower levels of interference, integration of transmission and switching, and increased ability to meet capacity demands. Table 1 charts the worldwide development of mobile telephone systems.

Throughout the evolution of cellular telecommunications, various systems have been developed without the benefit of standardized specifications. This presented many problems directly related to compatibility, especially with the development of digital radio technology. The GSM standard is intended to address these problems. Key facts about GSM:
• formerly: Groupe Spécial Mobile (founded 1982); now: Global System for Mobile Communication
• Pan-European standard (ETSI, European Telecommunications Standards Institute)
• simultaneous introduction of essential services in three phases (1991, 1994, 1996) by the European telecommunication administrations (Germany: D1 and D2)
• seamless roaming within Europe possible
• today many providers all over the world use GSM (more than 200 countries in Asia, Africa, Europe, Australia, America)
• more than 1.2 billion subscribers in more than 630 networks
• more than 75% of all digital mobile phones use GSM (74% total)
• over 200 million SMS per month in Germany, > 550 billion/year worldwide (> 10% of the revenues for many operators)

GSM: Mobile Services
The GSM services are grouped into three categories:
1. Teleservices (TS)
2. Bearer services (BS)
3. Supplementary services (SS)

Regular telephony, emergency calls, and voice messaging are within TS. Telephony, the classic bidirectional speech call, is certainly the most popular of all services. An emergency call is a feature that allows the mobile subscriber to contact a nearby emergency service, such as the police, by dialing a unique number. Voice messaging permits a message to be stored in the voice mailbox of the called party, either because the called party is not reachable or because the calling party chooses to do so.

Additional services (non-voice teleservices):
• group 3 fax
• voice mailbox (implemented in the fixed network supporting the mobile terminals)
• electronic mail (MHS, Message Handling System, implemented in the fixed network)
• Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal (160 characters) using the signalling channel, thus allowing simultaneous use of basic services and SMS

Bearer Services
Data services, short message service (SMS), cell broadcast, and local features are within BS. Rates up to 9.6 kbit/s are supported. With a suitable data terminal or computer connected directly to the mobile apparatus, data may be sent through circuit-switched or packet-switched networks. Short messages containing as many as 160 alphanumeric characters can be transmitted to or from a mobile phone; in this case, a message centre is necessary. The broadcast mode (to all subscribers) in a given geographic area may also be used for short messages of up to 93 alphanumeric characters. Some local features of the mobile terminal may also be used, for example abbreviated dialling, editing of short messages, repetition of failed calls, and others.
• data service (circuit switched): synchronous 2.4, 4.8 or 9.6 kbit/s; asynchronous 300 - 1200 bit/s
• data service (packet switched): synchronous 2.4, 4.8 or 9.6 kbit/s; asynchronous 300 - 9600 bit/s

Supplementary Services
Some of the SS are as follows:
1. Advice of charge - This SS details the cost of a call in progress.
2. Barring of all outgoing calls - This SS blocks outgoing calls.
3. Barring of international calls - This SS blocks incoming or outgoing international calls as a whole or only those associated with a specific basic service, as desired.
4. Barring of roaming calls - This SS blocks all incoming roaming calls or only those associated with a specific service.
5. Call forwarding - This SS forwards all incoming calls, or only those associated with a specific basic service, to another directory number. The forwarding may be unconditional or may be performed when the mobile subscriber is busy, when there is no reply, when the mobile subscriber is not reachable, or when there is radio congestion.
6. Call hold - This SS allows interruption of a communication on an existing call. Subsequent re-establishment of the call is permitted.
7. Call waiting - This SS permits the notification of an incoming call when the mobile subscriber is busy.
8. Call transfer - This SS permits the transfer of an established incoming or outgoing call to a third party.
9. Completion of calls to busy subscribers - This SS allows notification when a busy called subscriber becomes free. At this time, if desired, the call is re-initiated.
10. Closed user group - This SS allows a group of subscribers to communicate only among themselves.
11. Calling number identification presentation/restriction - This SS permits or restricts the presentation of the calling party's identification number (or additional address information).
12. Connected number identification presentation - This SS indicates the phone number that has been reached.
13. Freephone service - This SS allocates a number to a mobile subscriber, and all calls to that number are free of charge for the calling party.
14. Malicious call identification - This SS permits the registration of malicious, nuisance, and obscene incoming calls.
15. Three-party service - This SS permits the establishment of conference calls.

GSM slot structure and multiple access scheme
GSM uses a combination of both TDMA and FDMA techniques. The FDMA element involves the division by frequency of the (maximum) 25 MHz bandwidth into 124 carrier frequencies spaced 200 kHz apart as already described.

The carriers are then divided in time, using a TDMA scheme. This enables the different users of a single radio frequency channel to be allocated different time slots; they are then able to use the same RF channel without mutual interference. The slot is the time that is allocated to a particular user, and the GSM burst is the transmission that is made in this time. Each GSM slot, and hence each GSM burst, lasts 0.577 ms (15/26 ms). Eight of these burst periods are grouped into what is known as a TDMA frame. This lasts approximately 4.615 ms (i.e. 120/26 ms) and forms the basic unit for the definition of logical channels. One physical channel is one burst period allocated in each TDMA frame. There are different types of frame that are transmitted to carry different data, and the frames are also organised into what are termed multiframes and superframes to provide overall synchronisation.

GSM slot structure
The GSM slot is the smallest individual time period that is available to each mobile. It has a defined format because a variety of different types of data are required to be transmitted. Although there are shortened transmission bursts, the slot is normally used for transmitting 148 bits of information. This data can be used for carrying voice data, control and synchronisation data. It can be seen from the GSM slot structure that the timing of the slots in the uplink and the downlink is not simultaneous: the uplink frame is delayed by three burst periods relative to the downlink. This offset in the GSM slot timing is deliberate, and it means that a mobile which is allocated the same slot number in both directions does not transmit and receive at the same time. This considerably reduces the need for expensive duplex filters to isolate the transmitter from the receiver. It also provides a space saving.

GSM burst

The GSM burst, or transmission, can fulfil a variety of functions. Some GSM bursts are used for carrying data while others are used for control information. As a result, a number of different types of GSM burst are defined:
• Normal burst (uplink and downlink)
• Synchronisation burst (downlink)
• Frequency correction burst (downlink)
• Random access burst, a shortened burst (uplink)

GSM normal burst
This GSM burst is used for the standard communications between the base station and the mobile, and typically transfers the digitised voice data. The structure of the normal GSM burst is exactly defined and follows a common format. It contains fields that provide a number of different functions:
1. 3 tail bits: these tail bits at the start of the GSM burst give time for the transmitter to ramp up its power.
2. 57 data bits: this block of data is used to carry information, and most often contains the digitised voice data, although on occasion it is replaced by signalling information in the form of the Fast Associated Control Channel (FACCH). The type of data is indicated by the flag that follows the data field.
3. 1 bit flag (stealing flag): this bit within the GSM burst indicates the type of data in the previous field.
4. 26 bits training sequence: this training sequence is used as a timing reference and for equalisation. There is a total of eight different bit sequences that may be used, each 26 bits long. The same sequence is used in each GSM slot, but nearby base stations using the same radio frequency channels will use different ones, and this enables the mobile to differentiate between the various cells using the same frequency.
5. 1 bit flag (stealing flag): again, this flag indicates the type of data in the data field that follows.
6. 57 data bits: again, this block of data within the GSM burst is used for carrying data.
7. 3 tail bits: these final bits within the GSM burst are used to enable the transmitter power to ramp down. They are often called final tail bits, or just tail bits.
8. 8.25 bits guard time: at the end of the GSM burst there is a guard period. It is introduced to prevent transmitted bursts from different mobiles overlapping as a result of their differing distances from the base station.

GSM Normal Burst

GSM synchronisation burst
The purpose of this form of GSM burst is to provide synchronisation for the mobiles on the network. The two 39-bit information fields together carry the 78 coded bits of the base station identity code (BSIC) and the reduced TDMA frame number.
1. 3 tail bits: again, these tail bits at the start of the GSM burst give time for the transmitter to ramp up its power.
2. 39 bits of information.
3. 64 bits of a long training sequence.
4. 39 bits of information.
5. 3 tail bits: again, these are to enable the transmitter power to ramp down.
6. 8.25 bits guard time: to act as a guard interval.

GSM Synchronization Burst

GSM frequency correction burst
With the information bits in the burst all set to zero, the burst consists essentially of a constant-frequency carrier with no phase alteration (after GMSK modulation it is a pure tone offset from the carrier, which the mobile uses to find and lock to the beacon frequency).
1. 3 tail bits: again, these tail bits at the start of the GSM burst give time for the transmitter to ramp up its power.
2. 142 bits all set to zero.
3. 3 tail bits: again, these are to enable the transmitter power to ramp down.
4. 8.25 bits guard time: to act as a guard interval.

GSM Frequency Correction Burst

GSM random access burst
This form of GSM burst is used when accessing the network; it is shortened in terms of the data carried and has a much longer guard period. This structure ensures that the burst fits in the time slot regardless of the timing uncertainty that exists before the network has measured the round-trip delay and told the mobile which timing advance to apply. Once the mobile has accessed the network and its timing has been aligned, there is no requirement for the long guard period.
1. 8 tail bits: the increased number of tail bits provides additional margin when accessing the network.
2. 41-bit synchronisation (training) sequence.
3. 36 data bits.
4. 3 tail bits: again, these are to enable the transmitter power to ramp down.
5. 68.25 bits guard time: the additional guard time, filling the remaining time of the slot, provides for large timing differences.

GSM Random Access Burst
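To make the four layouts above concrete, here is an added example (not code from the original page) that packs and unpacks each burst type by the field widths listed, checks that every layout fills exactly one 156.25-bit-period slot, and converts a guard period into the distance a not-yet-aligned mobile may be from the base station. The access burst is taken with 8 tail bits and a 68.25-bit guard period as in GSM 05.02, and the bit period of 48/13 µs is the GSM value. The training sequences and payload bits in the demo are constructed for illustration and are not the training sequence codes of the specification.

```python
from typing import Dict, List, Optional, Tuple

# One timeslot is 156.25 bit periods (15/26 ms). The guard period is a
# fraction of a bit, so it is tracked separately from the modulated bits.
SLOT_BIT_PERIODS = 156.25
BIT_PERIOD_US = 48 / 13            # about 3.69 us, i.e. 270.833 kbit/s
SPEED_OF_LIGHT_M_PER_S = 299_792_458

# Field widths in transmission order, guard period excluded. The access
# burst has 8 tail bits and a 68.25-bit guard period (GSM 05.02).
BURST_LAYOUTS: Dict[str, List[Tuple[str, int]]] = {
    "normal": [("tail", 3), ("data1", 57), ("flag1", 1), ("training", 26),
               ("flag2", 1), ("data2", 57), ("tail2", 3)],
    "sync":   [("tail", 3), ("data1", 39), ("training", 64),
               ("data2", 39), ("tail2", 3)],
    "fcch":   [("tail", 3), ("fixed", 142), ("tail2", 3)],
    "access": [("tail", 8), ("training", 41), ("data", 36), ("tail2", 3)],
}
GUARD_BITS = {"normal": 8.25, "sync": 8.25, "fcch": 8.25, "access": 68.25}


def transmitted_bits(kind: str) -> int:
    """Bits actually modulated in a burst of this kind: 148, or 88 for access."""
    return sum(width for _, width in BURST_LAYOUTS[kind])


def slot_budget(kind: str) -> float:
    """Modulated bits plus guard period; every kind must fill exactly one slot."""
    return transmitted_bits(kind) + GUARD_BITS[kind]


def build_burst(kind: str, fields: Dict[str, List[int]]) -> List[int]:
    """Concatenate fields in transmission order. Unset fields are all-zero,
    which is right for tail bits and for the body of an FCCH burst."""
    bits: List[int] = []
    for name, width in BURST_LAYOUTS[kind]:
        value = fields.get(name, [0] * width)
        if len(value) != width or any(b not in (0, 1) for b in value):
            raise ValueError(f"{kind}.{name}: need exactly {width} bits of 0/1")
        bits.extend(value)
    return bits


def parse_burst(kind: str, bits: List[int]) -> Dict[str, List[int]]:
    """Slice a received burst back into its named fields."""
    if len(bits) != transmitted_bits(kind):
        raise ValueError(f"{kind} burst must be {transmitted_bits(kind)} bits")
    fields: Dict[str, List[int]] = {}
    pos = 0
    for name, width in BURST_LAYOUTS[kind]:
        fields[name] = bits[pos:pos + width]
        pos += width
    return fields


def is_facch_stolen(fields: Dict[str, List[int]]) -> bool:
    """Normal burst: a set stealing flag marks the adjacent 57-bit half as
    FACCH signalling instead of speech; a full FACCH steals both halves."""
    return fields["flag1"] == [1] and fields["flag2"] == [1]


def is_frequency_correction(bits: List[int]) -> bool:
    """An FCCH burst is all zeros, which GMSK turns into a pure tone."""
    return len(bits) == transmitted_bits("fcch") and not any(bits)


def identify_training_sequence(fields: Dict[str, List[int]],
                               candidates: List[List[int]]) -> Optional[int]:
    """Index of the training sequence code found in the burst, or None.
    Neighbouring cells on the same carrier are given different codes,
    which is how a mobile tells co-channel cells apart."""
    for tsc, sequence in enumerate(candidates):
        if fields["training"] == sequence:
            return tsc
    return None


def max_unaligned_distance_km(kind: str) -> float:
    """Distance at which an unaligned burst's round-trip delay would exceed
    the guard period. The access burst tolerates about 38 km; a normal
    burst's 8.25 bits only about 4.6 km, hence timing advance afterwards."""
    guard_us = GUARD_BITS[kind] * BIT_PERIOD_US
    return SPEED_OF_LIGHT_M_PER_S * guard_us * 1e-6 / 2 / 1000


def demo_training_sequences() -> List[List[int]]:
    """Eight distinct 26-bit sequences, constructed for this demo only; they
    are not the training sequence codes from the GSM specification."""
    return [[((0x2ABCDE ^ (tsc * 0x1F3F3F)) >> i) & 1 for i in range(26)]
            for tsc in range(8)]


if __name__ == "__main__":
    tscs = demo_training_sequences()
    # constructed payload: both halves stolen for FACCH, cell uses TSC 5
    burst = build_burst("normal", {"data1": [1] * 57, "flag1": [1],
                                   "training": tscs[5], "flag2": [1],
                                   "data2": [0] * 57})
    fields = parse_burst("normal", burst)
    print("FACCH stolen:", is_facch_stolen(fields),
          "TSC:", identify_training_sequence(fields, tscs))
    for kind in BURST_LAYOUTS:
        print(f"{kind:7s} bits={transmitted_bits(kind):3d} slot={slot_budget(kind)} "
              f"reach={max_unaligned_distance_km(kind):.1f} km")
```

The distance figures are why the access burst needs its long guard: before the first access the base station has not yet measured the mobile's round-trip delay, and 68.25 bit periods cover roughly the 35 km maximum cell radius mentioned later on this page, whereas the 8.25-bit guard of a normal burst only absorbs the residual error left after timing advance has been applied.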

GSM discontinuous transmission (DTx)
A further power-saving and interference-reducing facility is the discontinuous transmission (DTX) capability that is incorporated within the specification. It is particularly useful because there are long pauses in speech, for example when the person using the mobile is listening, and during these periods there is no need to transmit a signal. In fact it is found that a person speaks for less than 40% of the time during a normal telephone conversation. The most important element of DTX is the Voice Activity Detector (VAD). It must correctly distinguish between voice and noise inputs, a task that is not trivial. If a voice signal is misinterpreted as noise, the transmitter is turned off and an effect known as clipping results, which is particularly annoying to the person listening to the speech. However, if noise is misinterpreted as a voice signal too often, the efficiency of DTX is dramatically decreased. It is also necessary for the system to add background or comfort noise when the transmitter is turned off, because complete silence can be very disconcerting for the listener. Accordingly this is added as appropriate; its level is controlled by SID (silence descriptor) frames sent periodically while the transmitter is otherwise off.

The basic element in the GSM frame structure is the frame itself. This comprises the eight slots, each used for different users within the TDMA system. As mentioned earlier, the slots for transmission and reception for a given mobile are offset in time so that the mobile does not transmit and receive at the same time.

GSM frame consisting of eight slots

The basic GSM frame defines the structure upon which all the timing and structure of the GSM messaging and signalling is based. As described above, the burst period of 15/26 ms (about 0.577 ms) is the fundamental unit of time, and eight of them form a TDMA frame of 120/26 ms (about 4.615 ms), the basic unit for the definition of logical channels; one physical channel is one burst period allocated in each TDMA frame. In simplified terms the base station transmits two types of channel, namely traffic and control. Accordingly the channel structure is organised into two different types of frame, one for the traffic on the main traffic carrier frequency, and the other for the control on the beacon frequency.

GSM frame hierarchy

GSM multiframe
The GSM frames are grouped together to form multiframes; in this way it is possible to establish a time schedule for their operation so that the network can be synchronised. There are several GSM multiframe structures:

Traffic multiframe: the traffic channel frames are organised into multiframes consisting of 26 frames and taking 120 ms. In a traffic multiframe, 24 frames are used for traffic. These are numbered 0 to 11 and 13 to 24. Of the remaining two, one carries the SACCH and the other is idle: for a full-rate channel frame 12 carries the SACCH and frame 25 is idle, while for half-rate channels the two subchannels use frames 12 and 25 respectively.

Control multiframe: the control channel multiframe comprises 51 frames and occupies about 235.4 ms. It always occurs on the beacon frequency in time slot zero, and it may also occur within slots 2, 4 and 6 of the beacon frequency. This multiframe is subdivided into time-scheduled logical channels, which include the following:
• Frequency correction burst (FCCH)
• Synchronisation burst (SCH)
• Broadcast Control Channel (BCCH)
• Paging and Access Grant Channels (PCH, AGCH)
• Stand-alone Dedicated Control Channel (SDCCH)

GSM Superframe

Multiframes are then combined into superframes taking 6.12 seconds. A superframe consists of 51 traffic multiframes or 26 control multiframes: as the traffic multiframe is 26 frames long and the control multiframe 51 frames long, the different numbers of multiframes bring the two structures back into line, both taking exactly the same interval of 1326 frames.

GSM Hyperframe
Above this, 2048 superframes (i.e. 2 to the power 11) are grouped to form one hyperframe, which repeats every 3 hours 28 minutes 53.76 seconds. It is the largest time interval within the GSM frame structure. Within the GSM hyperframe there is a counter, and every time slot has a unique sequential number comprising the frame number and the time slot number. This is used to maintain synchronisation of the different scheduled operations within the GSM frame structure. These include functions such as:

Frequency hopping: frequency hopping is an optional feature within the GSM system. It can help reduce interference and fading, but for it to work the transmitter and receiver must be synchronised so that they hop to the same frequencies at the same time.

Encryption: the encryption process is synchronised to the frame number, which repeats with each hyperframe; the A5 keystream for a burst is derived from the session key and the 22-bit frame counter only, so with an unchanged key the keystream repeats after one hyperframe. Since a call rarely lasts more than 3 hours, this repetition within a call is unlikely to compromise security. The practical concern is rather a session key that is reused across calls, i.e. without fresh authentication, because the same key and frame number then produce the same keystream regardless of call length.
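The frame hierarchy above is easiest to check in code. The following added example (not code from the original page) uses the page's constants (26-frame traffic multiframe, 51-frame control multiframe, 1326-frame superframe, 2048 superframes per hyperframe) to recover the hyperframe period, splits a frame number into the T1/T2/T3 form that the synchronisation burst carries, and builds the 22-bit COUNT that is fed to the A5 cipher together with the session key. The T1/T2/T3 encoding and COUNT bit layout follow GSM 05.02 and the A5 interface; the three-slot uplink offset is from GSM 05.10. The sample frame numbers are constructed.

```python
from fractions import Fraction
from typing import Tuple

BURST_PERIOD_MS = Fraction(15, 26)            # one timeslot, about 0.577 ms
FRAME_MS = 8 * BURST_PERIOD_MS                # 120/26 ms, about 4.615 ms
TRAFFIC_MULTIFRAME = 26                       # 120 ms
CONTROL_MULTIFRAME = 51                       # about 235.4 ms
SUPERFRAME = TRAFFIC_MULTIFRAME * CONTROL_MULTIFRAME   # 1326 frames, 6.12 s
HYPERFRAME = 2048 * SUPERFRAME                         # 2 715 648 frames
UPLINK_SLOT_OFFSET = 3   # MS transmits 3 burst periods after the matching downlink slot


def duration_ms(frames: int) -> Fraction:
    """Exact duration of a number of TDMA frames in milliseconds."""
    return frames * FRAME_MS


def hyperframe_period() -> Tuple[int, int, float]:
    """Hyperframe length as (hours, minutes, seconds): 3 h 28 min 53.76 s."""
    seconds = duration_ms(HYPERFRAME) / 1000
    hours = int(seconds // 3600)
    minutes = int((seconds - hours * 3600) // 60)
    rest = seconds - hours * 3600 - minutes * 60
    return hours, minutes, float(rest)


def reduced_frame_number(fn: int) -> Tuple[int, int, int]:
    """Split a frame number into T1 (superframe index), T2 (position in the
    26-frame traffic multiframe) and T3 (position in the 51-frame control
    multiframe). This is what the SCH carries, in compressed form."""
    fn %= HYPERFRAME
    return fn // SUPERFRAME, fn % TRAFFIC_MULTIFRAME, fn % CONTROL_MULTIFRAME


def frame_number(t1: int, t2: int, t3: int) -> int:
    """Inverse of reduced_frame_number (GSM 05.02)."""
    return SUPERFRAME * t1 + CONTROL_MULTIFRAME * ((t3 - t2) % TRAFFIC_MULTIFRAME) + t3


def frame_number_from_sch(t1: int, t2: int, t3_prime: int) -> int:
    """The SCH sends T3' = (T3 - 1) // 10 instead of T3, because the SCH only
    occurs in frames 1, 11, 21, 31 and 41 of the control multiframe."""
    return frame_number(t1, t2, 10 * t3_prime + 1)


def a5_count(fn: int) -> int:
    """22-bit COUNT fed to A5 together with the session key Kc:
    T1 in bits 21..11, T3 in bits 10..5, T2 in bits 4..0."""
    t1, t2, t3 = reduced_frame_number(fn)
    return (t1 << 11) | (t3 << 5) | t2


def traffic_frame_role(fn: int) -> str:
    """Role of a frame in the 26-frame TCH/F multiframe: 24 speech frames,
    frame 12 carries the SACCH and frame 25 is idle."""
    position = fn % TRAFFIC_MULTIFRAME
    if position == 12:
        return "SACCH"
    if position == 25:
        return "idle"
    return "TCH"


def uplink_delay_ms() -> Fraction:
    """Offset between a mobile's receive slot and its transmit slot."""
    return UPLINK_SLOT_OFFSET * BURST_PERIOD_MS


if __name__ == "__main__":
    fn = 1_234_567   # constructed sample frame number
    print("T1/T2/T3:", reduced_frame_number(fn), "COUNT:", hex(a5_count(fn)))
    print("hyperframe period:", hyperframe_period())
    # keystream depends only on Kc and COUNT, so with the same Kc it recurs
    # exactly one hyperframe later
    print("COUNT repeats after a hyperframe:", a5_count(fn) == a5_count(fn + HYPERFRAME))
```

Because `a5_count(fn)` is all the per-burst state the cipher sees, the function also makes the key-reuse point above checkable: two calls encrypted under the same Kc share keystream wherever their frame numbers coincide, which is why fresh authentication (a new Kc) per call matters more than the three-and-a-half-hour hyperframe length.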

GSM logical channels
GSM uses a variety of channels in which the data is carried. In GSM, these channels are separated into physical channels and logical channels. The Physical channels are determined by the timeslot, whereas the logical channels are determined by the information carried within the physical channel. It can be further summarised by saying that several recurring timeslots on a carrier constitute a physical channel. These are then used by different logical channels to transfer information. These channels may either be used for user data (payload) or signalling to enable the system to operate correctly.

Common and dedicated channels
The channels may also be divided into common and dedicated channels. The forward common channels are used for paging to inform a mobile of an incoming call, responding to channel requests, and broadcasting bulletin board information. The return common channel is a random access channel used by the mobile to request channel resources before timing information is conveyed by the BSS. The dedicated channels are of two main types: those used for signalling, and those used for traffic. The signalling channels are used for maintenance of the call and for enabling call set-up, providing facilities such as handover when the call is in progress, and finally terminating the call. The traffic channels handle the actual payload. The following logical channels are defined in GSM:
• TCH/F - Full rate traffic channel.
• TCH/H - Half rate traffic channel.
• BCCH - Broadcast network information, e.g. describing the current control channel structure. The BCCH is a point-to-multipoint channel (BSS-to-MS).
• SCH - Synchronisation of the MSs.
• FCCH - MS frequency correction.
• AGCH - Acknowledge channel requests from the MS and allocate an SDCCH.
• PCH - MS terminating call announcement (paging).
• RACH - MS access requests, response to call announcement, location update, etc.
• FACCH/T - For time-critical signalling over the TCH (e.g. handover signalling). A traffic burst is stolen for a full signalling burst.
• SACCH/T - TCH in-band signalling, e.g. for link monitoring.
• SDCCH - For signalling exchanges, e.g. during call set-up, registration / location updates.
• FACCH/S - FACCH for the SDCCH. The SDCCH burst is stolen for a full signalling burst. Its function is not clear in the present version of GSM (it could be used e.g. for handover of an eighth-rate channel, i.e. using an "SDCCH-like" channel for purposes other than signalling).
• SACCH/S - SDCCH in-band signalling, e.g. for link monitoring.

A cellular network is a radio network made up of a number of cells, each served by at least one fixed-location transceiver known as a cell site or base station. When joined together these cells provide radio coverage over a wide geographic area. This enables a large number of portable transceivers (mobile phones, pagers, etc) to communicate with each other and with fixed transceivers and telephones anywhere in the network, via base stations, even if some of the transceivers are moving through more than one cell during transmission. GSM is a cellular network, which means that mobile phones connect to it by searching for cells in the immediate vicinity. There are five different cell sizes in a GSM network —macro, micro, pico, femto and umbrella cells. The coverage area of each cell varies according to the implementation environment. Macro cells can be regarded as cells where the base station antenna is installed on a mast or a building above average roof top level. Micro cells are cells whose antenna height is under average roof top level; they are typically used in urban areas. Picocells are small cells whose coverage diameter is a few dozen metres; they are mainly used indoors. Femtocells are cells designed for use in residential or small business environments and connect to the service provider’s network via a broadband internet connection. Umbrella cells are used to cover shadowed regions of smaller cells and fill in gaps in coverage between those cells.

The features of cellular networks are as follows:
• segmentation of the area into cells
• use of several carrier frequencies
• not the same frequency in adjoining cells
• cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
• hexagonal shape of cells is idealised (cells overlap)
• if a mobile user changes cells: handover of the connection to the neighbour cell
• signal propagation ranges: frequency reuse only with a certain distance between the base stations

Figure: hexagonal cells and frequency reuse

GSM network architecture

A GSM network is a public land mobile network (PLMN). Other types of PLMN are the time division multiple access (TDMA) network or the code division multiple access (CDMA) network. GSM uses the following sub-division of the PLMN:

Home PLMN (HPLMN) - the HPLMN is the GSM network that a GSM user is a subscriber of. This implies that the GSM user's subscription data resides in the HLR in that PLMN. The HLR may transfer the subscription data to a VLR (during registration in a PLMN) or to a GMSC (during mobile terminating call handling). The HPLMN may also contain various service nodes, such as a short message service centre (SMSC), service control point (SCP), etc.

Visited PLMN (VPLMN) - the VPLMN is the GSM network where a subscriber is currently registered. The subscriber may be registered in her HPLMN or in another PLMN. In the latter case, the subscriber is outbound roaming (from the HPLMN's perspective) and inbound roaming (from the VPLMN's perspective). When the subscriber is currently registered in her HPLMN, the HPLMN is at the same time the VPLMN.

Interrogating PLMN (IPLMN) - the IPLMN is the PLMN containing the GMSC that handles mobile terminating (MT) calls. MT calls are always handled by a GMSC in the PLMN, regardless of the origin of the call. For most operators, MT call handling is done by a GMSC in the HPLMN; in that case, the HPLMN is at the same time the IPLMN. This implies that calls destined for a GSM subscriber are always routed to the HPLMN of that GSM subscriber. Once the call has arrived in the HPLMN, the HPLMN acts as IPLMN. MT call handling will be described in more detail in subsequent sections. When basic optimal routing (BOR) is applied, the IPLMN is not the same PLMN as the HPLMN.

The GSM system itself is divided into three subsystems:
• RSS (radio subsystem): covers all radio aspects
• NSS (network and switching subsystem): call forwarding, handover, switching
• OSS (operation subsystem): management of the network

Radio subsystem (RSS)
The Base Station System (BSS): all radio-related functions are performed in the BSS, which consists of base station controllers (BSCs) and base transceiver stations (BTSs).

Base station controller (BSC) - The BSC provides all the control functions and physical links between the MSC and the BTS. It is a high-capacity switch that provides functions such as handover, cell configuration data, and control of radio frequency (RF) power levels in base transceiver stations. A number of BSCs are served by an MSC.

Base transceiver station (BTS) - The BTS handles the radio interface to the mobile station. The BTS is the radio equipment (transceivers and antennas) needed to serve each cell in the network. A group of BTSs is controlled by a BSC.

Mobile station (MS)
The mobile station (MS) comprises all user equipment and software needed for communication with a mobile network. In GSM, the mobile station consists of four main components:
• Mobile Termination (MT) - offers the common functions of a mobile terminal, such as radio transmission and handover, speech encoding and decoding, error detection and correction, signalling and access to the SIM. The IMEI is attached to the MT. It is equivalent to the network termination of an ISDN access.
• Terminal Equipment (TE) - any device connected to the MS offering services to the user. It does not contain any functions specific to GSM.
• Terminal Adapter (TA) - provides access to the MT as if it were an ISDN network termination with extended capabilities. Communication between the TE and MT over the TA takes place using AT commands.
• Subscriber Identity Module (SIM) - a removable subscriber identification token storing the IMSI, a unique key (Ki) shared with the mobile network operator, and other data.

Network Switching Subsystem (NSS)
The network switching subsystem (NSS), or GSM core network, is the component of a GSM system that carries out call switching and mobility management functions for mobile phones roaming on the network of base stations. It is owned and deployed by mobile phone operators and allows mobile devices to communicate with each other and with telephones in the wider Public Switched Telephone Network (PSTN). The architecture contains specific features and functions which are needed because the phones are not fixed in one location. The NSS originally consisted of the circuit-switched core network, used for traditional GSM services such as voice calls, SMS, and circuit-switched data calls. It was extended with an overlay architecture to provide packet-switched data services, known as the GPRS core network. This allows mobile phones to have access to services such as WAP, MMS, and Internet access.

Home location register (HLR) - The HLR is a database used for storage and management of subscriptions. The HLR is considered the most important database, as it stores permanent data about subscribers, including a subscriber's service profile, location information, and activity status. When an individual buys a subscription from one of the PCS operators, he or she is registered in the HLR of that operator.

Mobile services switching centre (MSC) - The MSC performs the telephony switching functions of the system. It controls calls to and from other telephone and data systems. It also performs such functions as toll ticketing, network interfacing, common channel signalling, and others.

Visitor location register (VLR) - The VLR is a database that contains temporary information about subscribers that is needed by the MSC in order to serve visiting subscribers. The VLR is always integrated with the MSC. When a mobile station roams into a new MSC area, the VLR connected to that MSC will request data about the mobile station from the HLR. Later, if the mobile station makes a call, the VLR will have the information needed for call set-up without having to interrogate the HLR each time.

Gateway MSC (GMSC) - The GMSC is the switching entity that controls mobile terminating calls. When a call is established towards a GSM subscriber, a GMSC contacts the HLR of that subscriber to obtain the address of the MSC where that subscriber is currently registered. That MSC address is used to route the call to the subscriber.

Operation and Support System (OSS)
The OSS is the functional entity from which the network operator monitors and controls the system. The purpose of OSS is to offer the customer cost-effective support for centralized, regional, and local operational and maintenance activities that are required for a GSM network. An important function of OSS is to provide a network overview and support the maintenance activities of different operation and maintenance organizations.

Authentication centre (AUC) - A unit called the AUC provides the authentication and encryption parameters (the RAND, SRES and Kc values derived from the subscriber key Ki) that verify the user's identity and ensure the confidentiality of each call. The AUC protects network operators from different types of fraud found in today's cellular world.

Equipment identity register (EIR) - The EIR is a database that contains information about the identity of mobile equipment (IMEIs) and prevents calls from stolen, unauthorized, or defective mobile stations. The AUC and EIR are implemented as stand-alone nodes or as a combined AUC/EIR node.

Operations and maintenance centre (OMC) - The OMC is connected to all equipment in the switching system and to the BSCs. The implementation of the OMC is called the operation and support system (OSS). Here are some of the OMC functions:
• Administration and commercial operation (subscription, end terminals, charging and statistics)
• Security management
• Network configuration, operation and performance management
• Maintenance tasks

Following is the figure which shows how OMC system covers all the GSM elements.


Before looking at the GSM specifications, it is important to understand the following basic terms:
• bandwidth - the range of a channel's limits; the broader the bandwidth, the faster data can be sent
• bit - a single on-off pulse of data; eight bits are equivalent to one byte; bits per second (bps) measures the data rate
• frequency - the number of cycles per unit of time; frequency is measured in hertz (Hz)
• kilo (k) - the designation for 1,000; the abbreviation kbps represents 1,000 bits per second
• megahertz (MHz) - 1,000,000 hertz (cycles per second)
• milliseconds (ms) - one-thousandth of a second
• watt (W) - a measure of the power of a transmitter

Listed below is a description of the specifications and characteristics for GSM.
• frequency band - The frequency range given here is that of PCS 1900: 1,850 to 1,910 MHz for the uplink (mobile station to base station) and 1,930 to 1,990 MHz for the downlink. The original GSM 900 band uses 890 to 915 MHz uplink and 935 to 960 MHz downlink, which is the 25 MHz, 124-carrier allocation referred to in the slot structure section.
• duplex distance - The duplex distance is 80 MHz (45 MHz in GSM 900). The duplex distance is the separation between the uplink and downlink frequencies: a channel has two frequencies, 80 MHz apart.
• channel separation - The separation between adjacent carrier frequencies. In GSM, this is 200 kHz.
• modulation - Modulation is the process of sending a signal by changing the characteristics of a carrier frequency. This is done in GSM via Gaussian minimum shift keying (GMSK).
• transmission rate - GSM is a digital system with an over-the-air bit rate of about 270 kbps (270.833 kbit/s).
• access method - GSM utilizes the time division multiple access (TDMA) concept. TDMA is a technique in which several different calls may share the same carrier. Each call is assigned a particular time slot.
• speech coder - GSM uses linear predictive coding (LPC). The purpose of LPC is to reduce the bit rate. The LPC provides parameters for a filter that mimics the vocal tract. The signal passes through this filter, leaving behind a residual signal. Speech is encoded at 13 kbps.
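The two band statements on this page (25 MHz with 124 carriers in the slot structure section, 1,850 to 1,990 MHz with an 80 MHz duplex distance here) describe GSM 900 and PCS 1900 respectively. The following added example, which is not code from the original page, turns the band plans of 3GPP TS 45.005 into an ARFCN-to-frequency lookup in kHz so the arithmetic stays exact; the DCS 1800 plan is included to show that an absolute radio frequency channel number alone does not identify a carrier, which matters when tuning a receiver to a beacon.

```python
from typing import Dict, List, Tuple

CHANNEL_SPACING_KHZ = 200   # carrier separation in every GSM band

# Uplink (MS to BS) frequency of the lowest ARFCN, duplex distance and the
# ARFCN range per band, from 3GPP TS 45.005. All values in kHz.
BANDS: Dict[str, Dict[str, int]] = {
    "GSM900":  {"first_arfcn": 1,   "last_arfcn": 124, "uplink_khz": 890_200,   "duplex_khz": 45_000},
    "DCS1800": {"first_arfcn": 512, "last_arfcn": 885, "uplink_khz": 1_710_200, "duplex_khz": 95_000},
    "PCS1900": {"first_arfcn": 512, "last_arfcn": 810, "uplink_khz": 1_850_200, "duplex_khz": 80_000},
}


def carrier_khz(band: str, arfcn: int) -> Tuple[int, int]:
    """(uplink, downlink) centre frequency in kHz for an ARFCN of the band."""
    plan = BANDS[band]
    if not plan["first_arfcn"] <= arfcn <= plan["last_arfcn"]:
        raise ValueError(f"ARFCN {arfcn} is not defined in {band}")
    uplink = plan["uplink_khz"] + CHANNEL_SPACING_KHZ * (arfcn - plan["first_arfcn"])
    return uplink, uplink + plan["duplex_khz"]


def arfcn_for_downlink(band: str, downlink_khz: int) -> int:
    """Inverse lookup, e.g. for a beacon frequency seen on a spectrum display."""
    plan = BANDS[band]
    offset = downlink_khz - plan["duplex_khz"] - plan["uplink_khz"]
    if offset % CHANNEL_SPACING_KHZ:
        raise ValueError(f"{downlink_khz} kHz is not on the 200 kHz channel grid")
    arfcn = plan["first_arfcn"] + offset // CHANNEL_SPACING_KHZ
    carrier_khz(band, arfcn)   # raises if outside the band's ARFCN range
    return arfcn


def carrier_span_mhz(band: str) -> float:
    """Spectrum covered by the band's carriers in one direction, without the
    guard band at the edges: 24.8 MHz of the 25 MHz GSM 900 allocation."""
    plan = BANDS[band]
    carriers = plan["last_arfcn"] - plan["first_arfcn"] + 1
    return carriers * CHANNEL_SPACING_KHZ / 1000


def bands_for_arfcn(arfcn: int) -> List[str]:
    """ARFCN numbers are reused between DCS 1800 and PCS 1900, so a channel
    number without its band is ambiguous."""
    return sorted(name for name, plan in BANDS.items()
                  if plan["first_arfcn"] <= arfcn <= plan["last_arfcn"])


if __name__ == "__main__":
    for band, arfcn in (("GSM900", 1), ("GSM900", 124), ("PCS1900", 512), ("DCS1800", 512)):
        up, down = carrier_khz(band, arfcn)
        print(f"{band} ARFCN {arfcn}: uplink {up/1000:.1f} MHz, downlink {down/1000:.1f} MHz")
    print("ARFCN 600 belongs to:", bands_for_arfcn(600))
```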

GSM - Addresses and Identifiers
GSM distinguishes explicitly between user and equipment and deals with them separately. Besides phone numbers and subscriber and equipment identifiers, several other identifiers have been defined; they are needed for the management of subscriber mobility and for addressing all the remaining network elements. The most important addresses and identifiers are presented in the following.

International Mobile Station Equipment Identity (IMEI): The IMEI uniquely identifies a mobile station internationally. It is a kind of serial number. The IMEI is allocated by the equipment manufacturer and registered by the network operator, who stores it in the EIR. By means of the IMEI one recognizes obsolete, stolen or nonfunctional equipment. An IMEI consists of the following parts:

• Type Approval Code (TAC): 6 decimal places, centrally assigned.
• Final Assembly Code (FAC): 2 decimal places, assigned by the manufacturer.
• Serial Number (SNR): 6 decimal places, assigned by the manufacturer.
• Spare (SP): 1 decimal place.

Thus, IMEI = TAC + FAC + SNR + SP. It uniquely characterizes a mobile station and gives clues about the manufacturer and the date of manufacturing.

International Mobile Subscriber Identity (IMSI): The IMSI is embedded on the SIM card and is used to identify a subscriber. The IMSI is also contained in the subscription data in the HLR. The IMSI is used for identifying a subscriber for various processes in the GSM network. Some of these are:

• location update – when attaching to a network, the MS reports the IMSI to the MSC, which uses the IMSI to derive the global title (GT) of the HLR associated with the subscriber;
• terminating call – when the GSM network handles a call to a GSM subscriber, the HLR uses the IMSI to identify the subscriber in the MSC/VLR, to start a process for delivering the call to that subscriber in that MSC/VLR;
• roaming charging – a VPLMN uses the IMSI to send billing records to the HPLMN of a subscriber.

An IMSI consists of the following parts:

• Mobile Country Code (MCC): 3 decimal places, internationally standardized.
• Mobile Network Code (MNC): 2 decimal places, for unique identification of the mobile network within the country.
• Mobile Subscriber Identification Number (MSIN): maximum 10 decimal places, identification number of the subscriber in the home mobile network.

Mobile Subscriber ISDN Number (MSISDN): The real telephone number of a mobile station is the mobile subscriber ISDN number (MSISDN). It is assigned to the subscriber (his or her SIM, respectively), such that a mobile station set can have several MSISDNs depending on the SIM. The MSISDN categories follow the international ISDN number plan and therefore have the following structure:

• country code (CC) – the CC identifies the country or group of countries of the subscriber;
• national destination code (NDC) – each PLMN in a country has one or more NDCs allocated to it; the NDC may be used to route a call to the appropriate network;
• subscriber number (SN) – the SN identifies the subscriber within the number plan of a PLMN.

Mobile Station Roaming Number (MSRN): The MSRN is a temporary, location-dependent ISDN number. It is assigned by the locally responsible VLR to each mobile station in its area. Calls are also routed to the MS by using the MSRN. The MSRN has the same structure as the MSISDN:

• Country Code (CC): of the visited network.
• National Destination Code (NDC): of the visited network.
• Subscriber Number (SN): in the current mobile network.

Location Area Identity (LAI): Each LA of a PLMN has its own identifier. The Location Area Identifier (LAI) is also structured hierarchically and is internationally unique, as follows:

• Country Code (CC): 3 decimal places.
• Mobile Network Code (MNC): 2 decimal places.
• Location Area Code (LAC): maximum 5 decimal places or, at most, twice 8 bits coded in hexadecimal (LAC < FFFF).

Temporary Mobile Subscriber Identity (TMSI): The VLR, which is responsible for the current location of a subscriber, can assign a temporary mobile subscriber identity (TMSI) which has only local significance in the area handled by the VLR. It is stored on the network side only in the VLR and is not passed to the HLR. Together with the current location area, the TMSI allows a subscriber to be identified uniquely; it can consist of up to 4 x 8 bits.

Local Mobile Subscriber Identity (LMSI): The VLR can assign an additional search key to each mobile station within its area to accelerate database access. This unique key is called the Local Mobile Subscriber Identity (LMSI). The LMSI is assigned when the mobile station registers with the VLR and is also sent to the HLR. An LMSI consists of four octets (4 x 8 bits).

Cell Identifier (CI): Within an LA, the individual cells are uniquely identified with a cell identifier (CI) of at most 2 x 8 bits. Combined into the global cell identity (LAI + CI), cells are thus also defined uniquely on an international basis.
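The identifier layouts given above for the IMEI, the IMSI and the LAI/CI can be captured in a few small parsers. The following is an added example and not code from the original page; the field widths follow the text, while treating the IMEI's spare digit as a Luhn check digit is an assumption beyond the page (later 3GPP versions define it that way), and every sample value in it is constructed. The roaming check shows the HPLMN/VPLMN distinction the IMSI section relies on for billing.

```python
"""Parsers for the GSM identifiers described above: IMEI, IMSI, LAI and the
global cell identity (LAI + CI).

Added example; it is not code from the original page. Field widths follow the
text: IMEI = TAC(6) + FAC(2) + SNR(6) + SP(1), IMSI = MCC(3) + MNC(2) +
MSIN(<= 10), LAI = CC(3) + MNC(2) + LAC(<= 0xFFFF), CI <= 0xFFFF. Treating the
IMEI's last digit as a Luhn check digit is an assumption beyond the page (later
3GPP versions define it that way); all sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IMEI:
    tac: str  # Type Approval Code, centrally assigned
    fac: str  # Final Assembly Code, assigned by the manufacturer
    snr: str  # Serial Number, assigned by the manufacturer
    sp: str   # Spare digit


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code
    mnc: str   # Mobile Network Code
    msin: str  # Mobile Subscriber Identification Number


@dataclass(frozen=True)
class LAI:
    cc: str    # country code, 3 digits
    mnc: str   # network code, 2 digits
    lac: int   # Location Area Code, 16-bit


def parse_imei(digits: str) -> IMEI:
    """Split a 15-digit IMEI into TAC + FAC + SNR + SP."""
    if len(digits) != 15 or not digits.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    return IMEI(digits[0:6], digits[6:8], digits[8:14], digits[14])


def luhn_valid(digits: str) -> bool:
    """Luhn check over all digits (assumption: the SP digit is a check digit)."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_imsi(digits: str) -> IMSI:
    """Split an IMSI into MCC(3) + MNC(2) + MSIN(at most 10 digits)."""
    if not digits.isdigit() or not 6 <= len(digits) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    return IMSI(digits[0:3], digits[3:5], digits[5:])


def parse_lai(cc: str, mnc: str, lac_hex: str) -> LAI:
    """Build a LAI; the LAC is given in hexadecimal and must not exceed FFFF."""
    lac = int(lac_hex, 16)
    if not (len(cc) == 3 and len(mnc) == 2 and 0 <= lac <= 0xFFFF):
        raise ValueError("bad LAI component")
    return LAI(cc, mnc, lac)


def global_cell_id(lai: LAI, ci: int) -> str:
    """LAI + CI names a cell uniquely worldwide; CI is at most 2 x 8 bits."""
    if not 0 <= ci <= 0xFFFF:
        raise ValueError("CI must fit in 16 bits")
    return f"{lai.cc}-{lai.mnc}-{lai.lac:04X}-{ci:04X}"


def is_roaming(imsi: IMSI, lai: LAI) -> bool:
    """True when the serving PLMN (CC+MNC of the LAI) is not the home PLMN
    encoded in the IMSI (MCC+MNC), i.e. the subscriber is in a VPLMN."""
    return (imsi.mcc, imsi.mnc) != (lai.cc, lai.mnc)


if __name__ == "__main__":
    imei = parse_imei("490154203237518")   # constructed sample
    print(imei, "luhn ok:", luhn_valid("490154203237518"))
    imsi = parse_imsi("310150123456789")   # constructed sample
    lai = parse_lai("262", "01", "1F2A")   # constructed sample
    print(global_cell_id(lai, 0xC3), "roaming:", is_roaming(imsi, lai))
```

The parsers are strict about digit counts because downstream systems (the EIR for IMEI, the HLR for IMSI) key their records on these fields; a malformed identifier should be rejected at parse time rather than stored.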

GSM - Operations
The operation of the GSM system can be understood by studying the sequence of events that takes place when a call is initiated from the Mobile Station.

Call from Mobile Phone to PSTN (MOT)
When a mobile subscriber makes a call to a PSTN telephone subscriber, the following sequence of events takes place:

1. The MSC/VLR receives the message of a call request.
2. The MSC/VLR checks if the mobile station is authorized to access the network. If so, the mobile station is activated. If the mobile station is not authorized, service will be denied.
3. The MSC/VLR analyzes the number and initiates a call setup with the PSTN.
4. The MSC/VLR asks the corresponding BSC to allocate a traffic channel (a radio channel and a time slot).
5. The BSC allocates the traffic channel and passes the information to the mobile station.
6. The called party answers the call and the conversation takes place.
7. The mobile station keeps on taking measurements of the radio channels in the present cell and neighboring cells and passes the information to the BSC. The BSC decides if handover is required; if so, a new traffic channel is allocated to the mobile station and the handover is performed. If handover is not required, the mobile station continues to transmit on the same frequency.

Call from PSTN to Mobile Phone (MTC)
When a PSTN subscriber calls a mobile station, the sequence of events is as follows:

1. The Gateway MSC receives the call and queries the HLR for the information needed to route the call to the serving MSC/VLR.
2. The GMSC routes the call to the MSC/VLR.
3. The MSC checks the VLR for the location area of the MS.
4. The MSC contacts the MS via the BSC through a broadcast message, that is, through a paging request.
5. The MS responds to the page request.
6. The BSC allocates a traffic channel and sends a message to the MS to tune to the channel. The MS generates a ringing signal and, after the subscriber answers, the speech connection is established.
7. Handover, if required, takes place, as discussed in the earlier case.

GSM - Protocol Stack
The layered model of the GSM architecture integrates and links the peer-to-peer communications between two different systems. The underlying layers satisfy the services of the upper-layer protocols. Notifications are passed from layer to layer to ensure that the information has been properly formatted, transmitted, and received. The GSM protocol stack diagram that follows in the original is not reproduced here.

MS Protocols
The signaling protocol in GSM is structured into three general layers, depending on the interface.

• Layer 1: The physical layer, which uses the channel structures over the air interface.
• Layer 2: The data-link layer. Across the Um interface, the data-link layer is a modified version of the Link Access Protocol for the D channel (LAP-D) used in ISDN, called Link Access Protocol on the Dm channel (LAP-Dm). Across the A interface, the Message Transfer Part (MTP), Layer 2 of SS7, is used.
• Layer 3: The third layer of the GSM signaling protocol is divided into three sublayers:
  o Radio Resource management (RR)
  o Mobility Management (MM) and
  o Connection Management (CM).

The MS to BTS Protocols
The RR layer oversees the establishment of a link, both radio and fixed, between the MS and the MSC. The main functional components involved are the MS, the BSS, and the MSC. The RR layer is concerned with the management of an RR-session, which is the time that a mobile is in dedicated mode, as well as the configuration of radio channels, including the allocation of dedicated channels. The MM layer is built on top of the RR layer and handles the functions that arise from the mobility of the subscriber, as well as the authentication and security aspects. Location management is concerned with the procedures that enable the system to know the current location of a powered-on MS so that incoming call routing can be completed. The CM layer is responsible for CC, supplementary service management, and Short Message Service (SMS) management. Each of these may be considered as a separate sublayer within the CM layer. Other functions of the CC sublayer include call establishment, selection of the type of service (including alternating between services during a call), and call release.

BSC Protocols
After the information is passed from the BTS to the BSC, a different set of interfaces is used. The Abis interface is used between the BTS and BSC. At this level, the radio resources at the lower portion of Layer 3 are changed from the RR to the Base Transceiver Station Management (BTSM). The BTS management layer is a relay function at the BTS to the BSC. The RR protocols are responsible for the allocation and reallocation of traffic channels between the MS and the BTS. These services include controlling the initial access to the system, paging for MT calls, the handover of calls between cell sites, power control, and call termination. The RR protocols provide the procedures for the use, allocation, reallocation, and release of the GSM channels. The BSC still has some radio resource management in place for the frequency coordination, frequency allocation, and the management of the overall network layer for the Layer 2 interfaces. From the BSC, the relay uses SS7 protocols, so MTP 1-3 is used as the underlying architecture, and the BSS mobile application part (BSSMAP) or the direct transfer application part (DTAP) is used to communicate from the BSC to the MSC.

MSC Protocols
At the MSC, the information is mapped across the A interface to the MTP Layers 1 through 3 from the BSC. Here the equivalent set of radio resources is called the BSS MAP. The BSS MAP/DTAP and the MM and CM are at the upper layers of the Layer 3 protocols. This completes the relay process. Through the control-signaling network, the MSCs interact to locate and connect to users throughout the network. Location registers are included in the MSC databases to assist in the role of determining how and whether connections are to be made to roaming users. Each user of a GSM MS is assigned an HLR that is used to contain the user's location and subscribed services. A separate register, the VLR, is used to track the location of a user. As the user roams out of the area covered by the HLR, the MS notifies a new VLR of its whereabouts. The VLR in turn uses the control network (which happens to be based on SS7) to signal the HLR of the MS's new location. Through this information, MT calls can be routed to the user by the location information contained in the user's HLR.

GSM handover or handoff
One of the key elements of a mobile phone or cellular telecommunications system is that the system is split into many small cells to provide good frequency re-use and coverage. However, as the mobile moves out of one cell into another it must be possible to retain the connection. The process by which this occurs is known as handover or handoff. The term handover is more widely used within Europe, whereas handoff tends to be used more in North America. Either way, handover and handoff are the same process.

Requirements for GSM handover
The process of handover or handoff within any cellular system is of great importance. It is a critical process and if performed incorrectly handover can result in the loss of the call. Dropped calls are particularly annoying to users and if the number of dropped calls rises, customer dissatisfaction increases and they are likely to change to another network. Accordingly GSM handover was an area to which particular attention was paid when developing the standard.

(Figure: Handover decisions; not reproduced here.)

Types of GSM handover
Within the GSM system there are four types of handover that can be performed for GSM-only systems:

• Intra-BTS handover: This form of GSM handover occurs if it is required to change the frequency or slot being used by a mobile because of interference, or for other reasons. In this form of GSM handover, the mobile remains attached to the same base station transceiver, but changes the channel or slot.
• Inter-BTS Intra-BSC handover: This form of GSM handover or GSM handoff occurs when the mobile moves out of the coverage area of one BTS but into another controlled by the same BSC. In this instance the BSC is able to perform the handover and it assigns a new channel and slot to the mobile, before releasing the old BTS from communicating with the mobile.
• Inter-BSC handover: When the mobile moves out of the range of cells controlled by one BSC, a more involved form of handover has to be performed, handing over not only from one BTS to another but from one BSC to another. For this the handover is controlled by the MSC.
• Inter-MSC handover: This form of handover occurs when changing between networks. The two MSCs involved negotiate to control the handover.

(Figure: Types of handover; not reproduced here.)

GSM handover process
Although there are several forms of GSM handover as detailed above, as far as the mobile is concerned they are effectively seen as very similar. There are a number of stages involved in undertaking a GSM handover from one cell or base station to another.

In GSM, which uses TDMA techniques, the transmitter only transmits for one slot in eight, and similarly the receiver only receives for one slot in eight. As a result the RF section of the mobile could be idle for 6 slots out of the total eight. This is not the case, because during the slots in which it is not communicating with the BTS, it scans the other radio channels looking for beacon frequencies that may be stronger or more suitable. In addition to this, when the mobile communicates with a particular BTS, one of the responses it makes is to send out a list of the radio channels of the beacon frequencies of neighbouring BTSs via the Broadcast Channel (BCCH). The mobile scans these and reports back the quality of the link to the BTS. In this way the mobile assists in the handover decision and as a result this form of GSM handover is known as Mobile Assisted Hand Over (MAHO).

The network knows the quality of the link between the mobile and the BTS as well as the strength of local BTSs as reported back by the mobile. It also knows the availability of channels in the nearby cells. As a result it has all the information it needs to be able to make a decision about whether it needs to hand the mobile over from one BTS to another. If the network decides that it is necessary for the mobile to hand over, it assigns a new channel and time slot to the mobile. It informs the BTS and the mobile of the change. The mobile then retunes during the period it is not transmitting or receiving, i.e. in an idle period.

A key element of the GSM handover is timing and synchronization. There are a number of possible scenarios that may occur dependent upon the level of synchronization.

Old and new BTSs synchronised: In this case the mobile is given details of the new physical channel in the neighbouring cell and handed directly over. The mobile may optionally transmit four access bursts. These are shorter than the standard bursts and thereby any effects of poor synchronisation do not cause overlap with other bursts. However in this instance where synchronisation is already good, these bursts are only used to provide a fine adjustment.

Time offset between synchronised old and new BTS: In some instances there may be a time offset between the old and new BTS. In this case, the time offset is provided so that the mobile can make the adjustment. The GSM handover then takes place as a standard synchronised handover.

Non-synchronised handover: When a non-synchronised cell handover takes place, the mobile transmits 64 access bursts on the new channel. This enables the base station to determine and adjust the timing for the mobile so that it can suitably access the new BTS. This enables the mobile to re-establish the connection through the new BTS with the correct timing.
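The network-side decision described in the MAHO passage, the four handover types listed earlier and the synchronised versus non-synchronised access-burst behaviour just described can be modelled together. The following is an added example and not code from the original page: it takes the mobile's measurement report and the network's own channel-availability knowledge, selects a target, classifies the handover by topology and picks the access-burst count (4 when old and new BTS are synchronised, 64 otherwise, as stated above). The 6 dB hysteresis margin, the RXQUAL threshold and all cell and measurement values are constructed assumptions, not values from the page or the GSM specification.

```python
"""Network-side Mobile Assisted Hand Over (MAHO) decision, as described above.

Added example; not code from the original page. The network combines the
mobile's measurement report (serving-cell level and quality plus the levels it
measured on neighbouring beacon frequencies during its idle slots) with its own
knowledge of channel availability, picks a target, classifies the handover by
topology (intra-BTS, inter-BTS intra-BSC, inter-BSC, inter-MSC) and chooses the
access-burst count from the synchronisation state (4 bursts synchronised, 64
non-synchronised). The 6 dB hysteresis margin, the RXQUAL threshold and every
cell and measurement value are constructed assumptions, not page values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Cell:
    cell_id: str
    bts: str
    bsc: str
    msc: str
    # cells whose BTS shares a timebase with this one (constructed assumption)
    synchronised_with: frozenset = field(default_factory=frozenset)


@dataclass
class MeasurementReport:
    serving: str
    serving_rxlev: int          # dBm on the current channel
    serving_rxqual: int         # 0 (best) .. 7 (worst)
    neighbours: Dict[str, int]  # cell_id -> level measured on its beacon


HYSTERESIS_DB = 6  # assumption: a neighbour must beat the serving cell by this much
RXQUAL_BAD = 5     # assumption: quality at or above this justifies a handover


def handover_type(src: Cell, dst: Cell) -> str:
    """Classify by the first element of the topology that differs."""
    if src.bts == dst.bts:
        return "intra-BTS"
    if src.bsc == dst.bsc:
        return "inter-BTS intra-BSC"
    if src.msc == dst.msc:
        return "inter-BSC"
    return "inter-MSC"


def access_bursts(src: Cell, dst: Cell) -> int:
    """4 short access bursts when old and new BTS are synchronised, else 64."""
    synced = src.bts == dst.bts or dst.cell_id in src.synchronised_with
    return 4 if synced else 64


def decide_handover(report: MeasurementReport, cells: Dict[str, Cell],
                    free_channels: Dict[str, int]) -> Optional[dict]:
    """Return the handover command (target, type, bursts) or None to stay put."""
    src = cells[report.serving]
    quality_poor = report.serving_rxqual >= RXQUAL_BAD
    # strongest neighbour first; cells with no free traffic channel are skipped
    ranked = sorted(((lvl, cid) for cid, lvl in report.neighbours.items()
                     if free_channels.get(cid, 0) > 0), reverse=True)
    for lvl, cid in ranked:
        stronger = lvl >= report.serving_rxlev + HYSTERESIS_DB
        if stronger or (quality_poor and lvl >= report.serving_rxlev):
            dst = cells[cid]
            return {"target": cid, "type": handover_type(src, dst),
                    "access_bursts": access_bursts(src, dst)}
    if quality_poor and free_channels.get(src.cell_id, 0) > 0:
        # interference on the current channel/slot: change it on the same BTS
        return {"target": src.cell_id, "type": "intra-BTS", "access_bursts": 4}
    return None


# constructed topology: A and B under one BSC (synchronised), C under another
# BSC of the same MSC, D under a different MSC
CELLS = {
    "A": Cell("A", "bts1", "bsc1", "msc1", frozenset({"B"})),
    "B": Cell("B", "bts2", "bsc1", "msc1", frozenset({"A"})),
    "C": Cell("C", "bts3", "bsc2", "msc1"),
    "D": Cell("D", "bts4", "bsc3", "msc2"),
}

if __name__ == "__main__":
    rep = MeasurementReport("A", -90, 2, {"B": -80, "C": -75})
    print(decide_handover(rep, CELLS, {"B": 1, "C": 0}))
```

The hysteresis margin is what keeps a mobile sitting on a cell boundary from bouncing between two BTSs on every report; the channel-availability filter reflects the text's point that the network, not the mobile, holds that information and therefore makes the final decision.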

(Figure: Handover procedure; not reproduced here.)

Inter-system handover
With the evolution of standards and the migration from GSM to other technologies, including 3G UMTS / WCDMA as well as HSPA and then LTE, there is a need to hand over from one technology to another. Often the 2G GSM coverage will be better than the others, and GSM is often used as the fallback. When handovers of this nature are required, they are considerably more complicated than a straightforward GSM-only handover because they require two technically very different systems to handle the handover. These handovers may be called intersystem handovers or inter-RAT handovers, as the handover occurs between different radio access technologies. The most common form of intersystem handover is between GSM and UMTS / WCDMA. Here there are two different types:

• UMTS / WCDMA to GSM handover: There are two further divisions of this category of handover:
  o Blind handover: This form of handover occurs when the base station hands off the mobile by passing it the details of the new cell without linking to it and setting the timing, etc. of the mobile for the new cell. In this mode, the network selects what it believes to be the optimum GSM base station. The mobile first locates the broadcast channel of the new cell, gains timing synchronisation and then carries out a non-synchronised intercell handover.
  o Compressed mode handover: Using this form of handover the mobile uses the gaps in transmission that occur to analyse the reception of local GSM base stations, using the neighbour list to select suitable candidate base stations. Having selected a suitable base station the handover takes place, again without any time synchronisation having occurred.
• Handover from GSM to UMTS / WCDMA: This form of handover is supported within GSM and a "neighbour list" was established to enable it to occur easily. As the GSM / 2G network is normally more extensive than the 3G network, this type of handover does not normally occur when the mobile leaves a coverage area and must quickly find a new base station to maintain contact. The handover from GSM to UMTS occurs to provide an improvement in performance and can normally take place only when the conditions are right. The neighbour list will inform the mobile when this may happen.

GSM - Security and Encryption
The security methods standardized for the GSM system make it the most secure cellular telecommunications standard currently available. Although the confidentiality of a call and the anonymity of the GSM subscriber are only guaranteed on the radio channel, this is a major step in achieving end-to-end security. The subscriber's anonymity is ensured through the use of temporary identification numbers. The confidentiality of the communication itself on the radio link is achieved by the application of encryption algorithms and frequency hopping, which could only be realized using digital systems and signaling. This chapter gives an outline of the security measures implemented for GSM subscribers.

Mobile Station Authentication:
The GSM network authenticates the identity of the subscriber through the use of a challenge-response mechanism. A 128-bit random number (RAND) is sent to the MS. The MS computes the 32-bit signed response (SRES) based on the encryption of the random number (RAND) with the authentication algorithm (A3) using the individual subscriber authentication key (Ki). Upon receiving the signed response (SRES) from the subscriber, the GSM network repeats the calculation to verify the identity of the subscriber.

Note that the individual subscriber authentication key (Ki) is never transmitted over the radio channel. It is present in the subscriber's SIM, as well as in the AUC, HLR, and VLR databases as previously described. If the received SRES agrees with the calculated value, the MS has been successfully authenticated and may continue. If the values do not match, the connection is terminated and an authentication failure is indicated to the MS. The calculation of the signed response is processed within the SIM. This provides enhanced security, because confidential subscriber information such as the IMSI or the individual subscriber authentication key (Ki) is never released from the SIM during the authentication process.

(Figure: Authentication in GSM; not reproduced here.)

Key generation and encryption
The SIM contains the ciphering key generating algorithm (A8), which is used to produce the 64-bit ciphering key (Kc). The ciphering key is computed by applying the same random number (RAND) used in the authentication process to the ciphering key generating algorithm (A8) with the individual subscriber authentication key (Ki). As will be shown in later sections, the ciphering key (Kc) is used to encrypt and decrypt the data between the MS and BS. An additional level of security is provided by having the means to change the ciphering key, making the system more resistant to eavesdropping. The ciphering key may be changed at regular intervals as required by network design and security considerations. In a similar manner to the authentication process, the computation of the ciphering key (Kc) takes place internally within the SIM. Therefore sensitive information such as the individual subscriber authentication key (Ki) is never revealed by the SIM.

Encrypted communication is initiated by a ciphering mode request command from the GSM network. Upon receipt of this command, the mobile station begins encryption and decryption of data. Each frame in the over-the-air traffic is encrypted with a different key-stream. The A5 algorithm used to encrypt the data is initialized with the Kc and the number of the frame to be encrypted, thus generating a different key stream for every frame. The same Kc is used as long as the MSC does not authenticate the MS again, in which case a new Kc is generated. In practice, the same Kc may be in use for days. MS authentication is an optional procedure at the beginning of a call, but it is usually not performed, so it is very common that the Kc does not change between calls. When it is switched off, the mobile station stores the TMSI on the SIM card to make sure it is available when it is switched on again. The A5 algorithm is implemented in the hardware of the mobile phone, as it has to encrypt and decrypt data on the fly.
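The challenge-response exchange and the key-generation steps described in the two sections above can be walked through end to end. The following is an added example and not code from the original page: A3 and A8 are not published by the operators, so HMAC-SHA256 truncated to the stated widths (32-bit SRES, 64-bit Kc) stands in for both, and a keyed hash of Kc and the frame number stands in for A5's per-frame keystream. The `weakened` option reproduces the 54-bit Kc (low 10 bits zero) that the page reports later under the COMP128 history, so the reduced key space can be seen directly. Ki, the IMSI and the frame payload are constructed.

```python
"""GSM challenge-response authentication and ciphering-key handling as described
in the two sections above.

Added example; not code from the original page. A3 and A8 are not published
by the operators, so HMAC-SHA256 truncated to the stated widths (32-bit SRES,
64-bit Kc) stands in for both, and a keyed hash of Kc and the frame number
stands in for A5's per-frame keystream. Ki, the IMSI and the frame payload
are constructed; RAND is a fresh 128-bit random value as in the text.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from Ki and the 128-bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes, weakened: bool = False) -> bytes:
    """Stand-in for A8: 64-bit Kc from the same Ki and RAND.

    With weakened=True the low 10 bits are zeroed, mirroring the 54-bit Kc the
    page reports from deployed COMP128 implementations.
    """
    kc = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]
    if weakened:
        kc = (int.from_bytes(kc, "big") & ~0x3FF).to_bytes(8, "big")
    return kc


class SIM:
    """Holds Ki and never releases it; only SRES and Kc leave the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuC:
    """Authentication centre: the network-side copy of every subscriber's Ki."""
    def __init__(self, keys: Dict[str, bytes]):
        self._keys = keys

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)  # 128-bit challenge, fresh per authentication
        ki = self._keys[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


def authenticate(auc: AuC, sim: SIM) -> Tuple[bool, Optional[bytes]]:
    """Network side: send RAND, compare the returned SRES, keep Kc on success."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)
    sres, _kc_ms = sim.run_gsm_algorithm(rand)  # the MS keeps its own Kc copy
    if not hmac.compare_digest(sres, expected_sres):
        return False, None  # authentication failure: connection is terminated
    return True, kc


def a5_keystream(kc: bytes, frame_number: int, nbytes: int = 15) -> bytes:
    """Stand-in for A5: keystream for one frame (15 bytes covers 114 bits),
    re-derived from Kc and the frame number so no two frames share a stream."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(kc, frame_number.to_bytes(4, "big") + bytes([counter]),
                        hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def cipher_frame(kc: bytes, frame_number: int, payload: bytes) -> bytes:
    """XOR the payload with the frame's keystream; the same call decrypts."""
    ks = a5_keystream(kc, frame_number, len(payload))
    return bytes(p ^ k for p, k in zip(payload, ks))


if __name__ == "__main__":
    ki = bytes(range(16))  # constructed 128-bit Ki
    sim = SIM("262011234567890", ki)
    auc = AuC({sim.imsi: ki})
    ok, kc = authenticate(auc, sim)
    ct = cipher_frame(kc, 42, b"constructed speech frame")
    print(ok, kc.hex(), cipher_frame(kc, 42, ct))
```

Two properties worth checking in the code: Ki never crosses the `SIM` boundary (only SRES and Kc are returned), and the keystream depends on the frame number, so reusing one Kc for days, as the text says happens in practice, still does not reuse a keystream within a connection; the exposure from a long-lived Kc is that a single key recovery decrypts every call made under it.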

Subscriber Identity Confidentiality
To ensure subscriber identity confidentiality, the Temporary Mobile Subscriber Identity (TMSI) is used. The TMSI is sent to the mobile station after the authentication and encryption procedures have taken place. The mobile station responds by confirming reception of the TMSI. The TMSI is valid in the location area in which it was issued. For communications outside the location area, the Location Area Identification (LAI) is necessary in addition to the TMSI.

The limitation and problems with GSM security
Problems with GSM security:

• Security by obscurity - which means that the algorithms used are not available to the public. Most security analysts believe any system that is not subject to the scrutiny of the world's best minds can't be as secure.
• Only provides access security. All communication between the Mobile Station and the Base Transceiver Station is encrypted, but all communications and signalling are generally transmitted in plain text in the fixed network.
• Difficult to upgrade the cryptographic mechanisms.
• Lack of user visibility (e.g. the user doesn't know whether the call is encrypted or not).
• Flaws in the algorithms.

Some possible methods of attack
History

In April 1998, the Smartcard Developer Association (SDA) together with two U.C. Berkeley researchers claimed to have cracked the COMP128 algorithm stored on the SIM. By sending a large number of challenges to the authorization module, they were able to deduce the Ki within several hours. They also discovered that Kc uses only 54 bits of the 64 bits. The remaining 10 bits are replaced by zeros, which makes the cipher key purposefully weaker.

In August 1999, an American group of researchers claimed to have cracked the weaker A5/2 algorithm commonly used in Asia, using a single PC, within seconds.

In December 1999, two leading Israeli cryptographers claimed to have cracked the strong A5/1 algorithm responsible for encrypting conversations. They admit the version they cracked may not be the exact version used in GSM handsets, as GSM operators are allowed to make small modifications to the GSM algorithms. The researchers used a digital scanner and a high-end PC to crack the code. Within two minutes of intercepting a call with a digital scanner, the researchers were able to listen to the conversation.

The most dangerous attack is retrieving the key from the SIM. The Smartcard Developer Association and the ISAAC security research group discovered a flaw in the COMP128 algorithm that effectively enabled them to retrieve the secret key, Ki, from a SIM. The attack was performed on a SIM they had physical access to, but the same attack is applicable when launched over the air as well. The attack is a chosen-challenge attack that works because the COMP128 algorithm is broken in such a way that it reveals information about the Ki when the appropriate RANDs are given as arguments to the A8 algorithm. The SIM was accessed through a smartcard reader connected to a PC. The PC made about 150,000 challenges to the SIM and the SIM generated the SRES and the session key, Kc, based on the challenge and the secret key. The secret key could be deduced from the SRES responses through differential cryptanalysis. The smartcard reader used in implementing the attack could make 6.25 queries per second to the SIM card, so the attack required about eight hours to conduct.

In May 2002, the IBM Research team discovered a new way to quickly extract the COMP128 keys in SIM cards using side channels, in spite of existing protections. The COMP128 algorithm requires the lookup of large tables, which can only be achieved in a complicated way on simple devices such as SIM cards, leaking a lot of sensitive information into the side channels. The attack can be accomplished by making the card perform the algorithm just seven times with the unknown key. A hacker who has possession of a SIM card for a minute can easily extract the full 128-bit key.

Possible improvements

Security could be improved in some areas with relatively simple measures. One solution is to use another cryptographically secure algorithm for A3. This would require issuing new SIM cards to all subscribers and updating HLR software. This would effectively prevent the attacker from cloning SIM cards, the most dangerous attack, which is discussed above. This solution is easy to implement because the network operators can make the changes themselves and do not need the support of hardware or software manufacturers or the GSM Consortium. A new algorithm, COMP128-2, is now available.

The operator can employ a new A5 implementation with strong encryption too. A new A5/3 algorithm has also been agreed upon to replace the aging A5/2 algorithm [7]. This improvement would require the co-operation of the hardware and software manufacturers, because they will have to release new versions of their software and hardware that comply with the new algorithm.

A third solution would be to encrypt the traffic on the operator's backbone network between the network components. This would prevent the attacker from wiretapping the backbone network. This solution could probably also be implemented without the blessing of the GSM Consortium, but the co-operation of the hardware manufacturers would still be required.

What is Next?
To enhance the current data capabilities of GSM, operators and infrastructure providers have specified new extensions to GSM Phase II. These extensions are:

High Speed Circuit Switched Data (HSCSD): by using several circuit channels.

General Packet Radio Service (GPRS) to provide packet radio access to external packet data networks (such as X.25 or Internet)

Enhanced Data rate for GSM Evolution (EDGE): using a new modulation scheme to provide up to three times higher throughput (for HSCSD and GPRS)

Universal Mobile Telecommunication System (UMTS): a new wireless technology using new infrastructure deployment.


Global System for Mobile communications (GSM: originally from Group Special Mobile) is the most popular standard for mobile phones in the world. Its promoter, the GSM Association, estimates that 82% of the global mobile market uses the standard. GSM is used by over 2 billion people across more than 212 countries and territories. Its ubiquity makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world. GSM differs from its predecessors in that both signaling and speech channels are digital, and so it is considered a second generation (2G) mobile phone system. This has also meant that data communication was built into the system, standardized through the 3rd Generation Partnership Project (3GPP). The GSM logo is used to identify compatible handsets and equipment. The key advantage of GSM systems to consumers has been better voice quality and low-cost alternatives to making calls, such as the Short Message Service (SMS, also called "text messaging"). The advantage for network operators has been the ease of deploying equipment from any vendor that implements the standard. Like other cellular standards, GSM allows network operators to offer roaming services so that subscribers can use their phones on GSM networks all over the world. Newer versions of the standard were backward-compatible with the original GSM phones. For example, Release '97 of the standard added packet data capabilities, by means of General Packet Radio Service (GPRS). Release '99 introduced higher speed data transmission using Enhanced Data Rates for GSM Evolution (EDGE).