Signal Processing in GSM

Lecture 10
 Channel Coding
 Interleaving
 Authentication & Ciphering
 GMSK Modulation
 Identifiers

Channel Coding
 For channel coding 260 bits of data in a TRAU frame separated
into
 182 class-1 bits (very important) and
 78 class-2 bits (less important)
 Channel coding protects the two classes with different priorities
 After channel coding original data packet of 260 bits (user data)
or 184 bits (signaling data) extended to a data block of length
456 bits
 Data block then mapped on various bursts for the actual
transmission
[Figure: Channel Coding for User Data]
[Figure: Channel Coding for Signalling Data]
Interleaving

 Packets of 456 bits spread over a larger time period in separate
TSs
 Spreading depends on application the bits represent
 Signalling & data traffic are spread more than voice traffic
 Goal - to minimize the impact of Air-interface peculiarities that
account for rapid, short-term changes of the quality of the
transmission channel
 A particular channel may be corrupted for a very short period of
time and all the data sent during that time are lost
 That could lead to loss of complete data packets of n times 114
bits
 Interleaving does not prevent loss of bits
 If there is a loss, the same number of bits are lost
 However, with interleaving, the lost bits belong to several
different packets
 These few bits can be recovered by error-correction
mechanisms
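The effect described above, as an added example that is not part of the original lecture: it counts how many bits each 456-bit packet loses when one 114-bit burst is wiped out, with and without interleaving. The round-robin bit order, the four packets and the correction limit of 30 bits are constructed assumptions, not the GSM interleaving scheme itself.

```python
PACKET_BITS = 456   # coded block size given in the lecture
BURST_BITS = 114    # useful bits carried by one burst

def sequential(n_packets):
    """Transmission order without interleaving: packet 0 whole, then packet 1, ..."""
    return [(p, b) for p in range(n_packets) for b in range(PACKET_BITS)]

def interleaved(n_packets):
    """Constructed round-robin order: bit b of every packet before bit b+1 of any."""
    return [(p, b) for b in range(PACKET_BITS) for p in range(n_packets)]

def losses_per_packet(order, n_packets, lost_burst):
    """Count the bits each packet loses when one 114-bit burst is corrupted."""
    start = lost_burst * BURST_BITS
    lost = [0] * n_packets
    for packet, _bit in order[start:start + BURST_BITS]:
        lost[packet] += 1
    return lost

def recoverable(lost, correctable_bits):
    """A packet survives if its loss is within what error correction can repair."""
    return [n <= correctable_bits for n in lost]

if __name__ == "__main__":
    n = 4                      # constructed: four packets sent back to back
    limit = 30                 # constructed: bits the channel code can repair
    for name, order in (("sequential", sequential(n)), ("interleaved", interleaved(n))):
        lost = losses_per_packet(order, n, lost_burst=5)
        print(name, lost, recoverable(lost, limit))
```

The same 114 bits are lost in both cases; only their distribution over the packets changes.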
[Figure: Interleaving]

Authentication
 Problem- unauthorised access to telecom services via
cloning of a valid user identifier
 GSM anticipated this and defined an authentication
procedure
 A user is challenged to provide proof of the claimed
identity
 User accesses network and provides the user
identifier
 Network sends a random number (RAND) to the MS
 Which together with Ki provide a response (SRES)

Ciphering
 MS sends a connection request to the
network
 Among others, this request contains
 Ciphering key sequence number (CKSN)
 Mobile station class mark
 Which indicates the available ciphering
algorithms (A5/X) in the mobile station
Ciphering
 VLR examines the CKSN and decides whether authentication is necessary
 Authentication not required a second time during the same network access
 Multiparty call- an example of second connection while another connection
already exists
 A message sent to the MS in case authentication is necessary
 Message contains the random number, RAND
 SIM uses the RAND, value Ki and algorithm A3 to calculate SRES
 MS sends SRES to the VLR
 VLR compares this SRES with the one earlier sent by HLR/AuC
 Auth successful if both values are identical
 Immediately after SRES, the MS calculates ciphering key Kc using RAND, Ki and
algorithm A8
 To activate ciphering, the VLR sends
 Value Kc that the AuC has calculated
 A reference to the chosen A5/X algorithm
 Via the MSC and the BSC to the BTS
[Figure: Calculation of SRES & Kc]
Ciphering
 BTS retrieves from the ENCR_CMD message
 Kc
 Info about the required ciphering algorithm
 BTS only forwards info about the A5/X algorithm in a CIPH_MOD_CMD message to the MS
 Which triggers MS to enable
 Ciphering of all outgoing data and
 Deciphering of all incoming information
 MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message
 A5/X uses the current value of the frame number (FN) at the time and Kc as input
parameters
 Output of this operation are ciphering sequences, each 114 bits long, one is needed for
ciphering and the other one for deciphering
 First ciphering sequence and the 114 bits of “useful data” of a burst are XORed
 To provide encrypted 114 bits that are actually sent over the Air-interface
 Ciphering sequences altered with every frame number
 Which in turn changes the encryption with every frame number
 Deciphering takes place exactly the same way but in the opposite direction
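The challenge-response and per-frame ciphering described above, as an added example that is not part of the original lecture. The lecture does not specify A3, A8 or A5/X, so HMAC-SHA256 is used here as a stand-in for all three; the Ki values, the sample burst and the choice of which sequence the MS ciphers with are constructed assumptions. Only the field sizes (RAND 128, SRES 32, Kc 64, FN 22, block 114 bits) come from the lecture.

```python
import hashlib
import hmac
import secrets

def _prf(key, label, data, nbytes):
    # Stand-in keyed function (HMAC-SHA256); NOT the real A3/A8/A5 algorithms.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]

def a3(ki, rand):
    return _prf(ki, b"A3", rand, 4)              # SRES: 32 bits

def a8(ki, rand):
    return _prf(ki, b"A8", rand, 8)              # Kc: 64 bits

def auc_triplet(ki, rand=None):
    """AuC side: build the (RAND, SRES, Kc) triplet handed to the VLR."""
    rand = rand or secrets.token_bytes(16)       # RAND: 128 bits
    return rand, a3(ki, rand), a8(ki, rand)

def sim_respond(ki, rand):
    """SIM side: answer the challenge with SRESm and derive Kc locally."""
    return a3(ki, rand), a8(ki, rand)

def vlr_check(sres, sres_m):
    return hmac.compare_digest(sres, sres_m)     # SRESm = SRES ?

def a5(kc, fn):
    """Return two 114-bit ciphering sequences for a 22-bit frame number."""
    if not 0 <= fn < 1 << 22:
        raise ValueError("frame number must fit in 22 bits")
    raw = int.from_bytes(_prf(kc, b"A5", fn.to_bytes(3, "big"), 29), "big") >> 4
    return raw >> 114, raw & ((1 << 114) - 1)    # (sequence 1, sequence 2)

def cipher_burst(block, seq):
    return block ^ seq                           # the same XOR ciphers and deciphers

def demo():
    ki = bytes(range(16))                        # constructed 128-bit Ki
    rand, sres, kc_net = auc_triplet(ki)
    sres_m, kc_ms = sim_respond(ki, rand)        # Kc itself never crosses the air
    clone_sres, _ = sim_respond(bytes(16), rand) # cloned identifier, wrong Ki
    block = int.from_bytes(b"constructed burst", "big") & ((1 << 114) - 1)
    sent = cipher_burst(block, a5(kc_ms, 1234)[1])       # MS side (assumed seq 2)
    received = cipher_burst(sent, a5(kc_net, 1234)[1])   # BTS side, same FN
    return vlr_check(sres, sres_m), vlr_check(sres, clone_sres), received == block

if __name__ == "__main__":
    print(demo())
```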
[Figure: Authentication. The AuC (A3 and A8) supplies triplets (RAND, SRES, Kc) via the HLR to the VLR. The SIM card computes SRESm with A3 and Kc with A8 from RAND (128 bits) and Ki (128 bits), and the VLR checks SRESm = SRES ? (32 bits). Legend: RAND = RANDom number, SRES = Signed RESponse, Kc = Ciphering Key, Ki = Identification Key. Purpose: avoid logging of lost, stolen or forged SIM cards.]
[Figure: Ciphering and de-ciphering. On both the MS and the BTS, A5 takes the Frame Number (22 bits) and Kc (64 bits) and produces a Block (114 bits) that is combined by exclusive-or (+) with the data to transmit and with the received data; ciphered data crosses the radio interface.]
[Figure: Ciphering procedure between VLR, MSC, BSS (BSC, BTS) and MS. Messages shown: SET CIPHER MODE (Kc), CIPHER MODE COMMAND, CIPHER MODE COMPLETE. Purpose: avoid communication to be tapped.]
IMEI
 Mobile station equipment identity
 Not mandatory for the network operator to
query the IMEI
 Purpose of the IMEI is to provide passive
theft protection
 EIR maintains information on stolen mobile
equipment in a “black list,” which makes
stolen mobile equipment useless

IMEI
IMEI comprises following:
 A 24-bit-long type approval
code (TAC)
 Before any mobile equipment is
brought into service, it
undergoes a test to show that it
complies with safety regulations
and functionality requirements
 Process called type approval,
and the requirements are
specified by GSM
 An 8-bit-long final assembly
code (FAC) identifies the
manufacturing facility
 A 24-bit-long serial number
 A spare field, currently not used
[Figure: IMEI structure: TAC (Type Approval Code) | FAC (Final Assembly Code) | SNR (Serial number) | SP (SPare)]
MOBILE IDENTIFICATION
IMEISV
 IMEI plus a software
version number
(SVN)
 Which can be
modified by the
manufacturer in
case of a software
update
IMSI
International mobile subscriber identity
 An identifier for a GSM subscriber
 Part of the subscriber data stored on (SIM)
card
 Uniquely identifies one subscription
worldwide
 Structure similar to the ISDN number, defined
in ITU-T Recommendation E.164
IMSI
 15-digit number and is
composed of :
 Mobile country code (MCC),
 Mobile network code (MNC)
 Mobile subscriber
identification number (MSIN)
 MSIN of the IMSI not used as
the subscriber’s telephone
number
 To make tracking more
difficult, IMSI used only as an
identifier when the temporary
mobile subscriber identity
(TMSI) not available, e.g., for
initial system connections
MCC & MNC
Mobile country code
 A three-digit identifier
 Uniquely identifies a country (not a
PLMN)
Mobile network code
 A two-digit identifier
 Used (like the 3-bit-long NCC) to
uniquely identify a PLMN
IMSI Attach/Detach
 BTS permanently broadcasts parameter ATT in the BCCH message
 Which indicates whether the IMSI attach/detach procedure is required
 IMSI detach informs network that
 An MS will go into an inactive state
 And is no longer available for incoming calls
 For example, due to power down or because the SIM is removed
 MS sends an IMSI_DET_IND message to the network each time it is powered down
 VLR keeps track of this state
 This approach saves radio resources and processing time
 Call processing can switch to secondary call treatment
 without first sending a PAGING message and then waiting for expiration of respective timers
 Secondary call treatment means initiating
 Call forwarding
 Voice mail, or
 Telling caller that the subscriber currently not reachable
 Complementary to IMSI detach is IMSI attach
 It indicates to network that a mobile station is active again
 IMSI attach is related to periodic location updating
 The location updating procedure is utilized to perform IMSI attach
[Figure: IMSI Attach. Entities shown: BTS, BSC (BSS), MSC, VLR. Messages shown: CHANNEL REQUEST, IMMEDIATE ASSIGNMENT, LOCATION UPDATING REQUEST (IMSI Attach), Authentication Procedure, LOCATION UPDATING ACCEPT (LAC, TMSI).]
[Figure: IMSI Detach. Entities shown: BTS, BSC (BSS), MSC, VLR. Messages shown: CHANNEL REQUEST, IMMEDIATE ASSIGNMENT, IMSI DETach INDication, CHANNEL RELEASE.]
TMSI
 Temporary mobile subscriber identity
 Identifies a mobile subscriber, like the IMSI
 4-byte-long
 Unlike the IMSI, TMSI has only temporary significance
 VLR assigns a TMSI upon location registration for confidentiality
 So not required to transfer the IMSI over the Air-interface
frequently
 Assignment and use of the TMSI only possible with active
ciphering
 TMSI can take any value, except FF FF FF FFhex
 This value reserved in case SIM does not contain a valid IMSI
MSISDN
Mobile subscriber ISDN
 Directory number of a mobile subscriber
 Example: 49 171 5205787 is
the directory number of a
subscriber to the D1 network
in Germany
 Country code (CC) identifies a
country or region (e.g., 49 for
Germany, 1 for the United
States);
 National destination code
(NDC) identifies the PLMN
(e.g., 171 for the operator
D1)
 Subscriber number (SN) is a
unique identifier within the
PLMN
MSRN
 Mobile station roaming number
 A temporary identifier used for mobile
terminating calls
 To route a call from the gateway MSC to the
serving MSC/VLR
 VLR assigns MSRN when a request for
routing information is received from the HLR
 MSRN released after the call has been set up
 MSRN used solely to route an incoming call
and contains no information to identify the
caller or the called party
 Contains following codes:
 Country code (CC) is the prefix of a country
 National destination code (NDC) identifies the
PLMN (e.g., 172 is the D2 operator of
Germany);
 Temporary subscriber number (temp. SN)
assigned by the serving MSC/VLR of the
called subscriber
NDC
National destination code
 Part of an ISDN number as defined by ITU-T
in Recommendation E.164
 Typically, the NDC addresses an area
 May also be used to address a service, just as
the NDC 800 addresses free phone service in
the United States
 In Germany, the NDCs 171 and 172 used to
address the two GSM 900 operators
CKSN
 Ciphering key sequence number
 A 3-bit-long value
 References a ciphering key, Kc
 When a particular Kc is stored in the MS and the MSC/VLR, a CKSN is
assigned as well
 Allows MS and network a negotiation of the Kc without compromising
security by transmitting the value of Kc over the air
 Particularly when an MS tries to establish an additional or subsequent
operation with the network
 In such a case, when the MS requests a connection, it sends its last
valid CKSN to the VLR
 VLR then decides, based on the CKSN, if ciphering can start
immediately or if another authentication is required
 VLR may decide to request another authentication, even if the CKSN
matches the VLR’s entry

LMSI
 Local mobile subscriber identity
 A 4-byte-long parameter
 VLR assigns it to a subscriber on a temporary basis
 Purpose is to expedite queries in the VLR
 When the LMSI is assigned, both sides use not only
the IMSI but also the LMSI
 Although the HLR has no use for the LMSI, it still
must be stored in the HLR
 HLR required to send the LMSI whenever data
between the two databases exchanged
CI
 Cell identity
 A 2-byte-long hexadecimal identifier
 CI together with the location area (LAI)
uniquely identifies a cell within a PLMN
Location area (LA)
 LA comprises at least one but typically several BTSs
 Defined for the following purpose:
 An MS that changes the serving cell in the same location
area does not need to perform a location update
 When network tries to establish a connection to an MS for a
mobile terminating call, PAGING message is sent to only
those BTSs that belong to the current location area of the
MS
 LA therefore, serves mainly one purpose
 Reduction of signalling load
 Every BTS broadcasts the LA via the parameter
location area identity (LAI)
Location area
 Even during an active call, LA
communicated to the MS
(particularly important in a
handover)
 Shaded, one-digit field is a filler
(1111bin)
 Extends three-digit MCC to 2 bytes
 Actual location area code (LAC) is
four digits long
 LAC is an identifier that can be
assigned by the network operator
 All values, except 0000hex and FFFEhex, allowed
 Those two values reserved for cases
when the LAI on a SIM has been
deleted
Registration: The Very First
Location Update
 1. Channel allocation (Connection request procedure):
 MS sends (on RACH) a CHANNEL REQUEST message
 Network responds with IMMEDIATE ASSIGNMENT (on
dedicated channel)
 2. MS sends to BSS a LOCATION UPDATING REQUEST
message with IMSI
 3. VLR triggers and monitors the Authentication procedure and
can also activate Ciphering procedure
 4. VLR stores the LA of the MS and informs the HLR which:
 stores VLR identity
 downloads the subscriber profile, if the MS is allowed to roam
 5. VLR may assign a TMSI and sends it to the MS in the
LOCATION UPDATING ACCEPT message
 6. MSC releases the connection

[Figure: Registration: the Very First Location Update. Entities shown: BTS, BSC (BSS), MSC, VLR, HLR. Data shown: IMSI, TMSI, LAI, VLR id, Release. Step numbers 1 to 6 refer to the list above.]
BSIC
 Base station identity code
 An identifier for a BTS
 Does not uniquely identify a single BTS, since it is
reused several times per PLMN
 Purpose of the BSIC is to allow the MS to identify and
distinguish among neighbor cells, even when
neighbor cells use the same BCCH frequency
 Since BSIC is broadcast within SCH of a BTS, MS
need not even have to establish a connection to a
BTS to retrieve the BSIC
BSIC
 Consists of the
 Network color code
(NCC), which
identifies the PLMN
 Base station color
code (BCC)

NCC
 Network color code
 3-bit-long code
 Identifies the PLMN
 Is part of the BSIC and
 Is broadcast in the synchronization
channel
BCC
 Base station color code
 3-bit-long parameter
 Part of the BSIC
 Used to distinguish among the eight different
training sequence codes (TSCs)
 BTS may use these TSCs on the CCCHs to
distinguish between neighbor BTSs without
the need for the MS to register on any other
BTS
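The identifier layouts and reserved values from the IMEI, IMSI, TMSI, location area and BSIC slides, gathered into one validator as an added example that is not part of the original lecture. The function names, the sample values, the 15-digit IMEI with one spare digit (4 bits per digit) and the NCC-in-the-upper-bits order are assumptions; field widths and reserved values are the lecture's.

```python
TMSI_RESERVED = bytes.fromhex("FFFFFFFF")    # SIM does not contain a valid IMSI
LAC_RESERVED = {0x0000, 0xFFFE}              # LAI on the SIM has been deleted

def _digits(value, length, name):
    if len(value) != length or not (value.isascii() and value.isdigit()):
        raise ValueError(f"{name} must be exactly {length} decimal digits")
    return value

def split_imsi(imsi):
    """IMSI = MCC (3 digits) + MNC (2 digits, as in the lecture) + MSIN."""
    imsi = _digits(imsi, 15, "IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:]}

def split_imei(imei):
    """IMEI = TAC (24 bits) + FAC (8 bits) + SNR (24 bits) + spare digit."""
    imei = _digits(imei, 15, "IMEI")
    return {"tac": imei[:6], "fac": imei[6:8], "snr": imei[8:14], "spare": imei[14]}

def tmsi_usable(tmsi):
    return len(tmsi) == 4 and tmsi != TMSI_RESERVED

def lac_usable(lac):
    return 0 <= lac <= 0xFFFF and lac not in LAC_RESERVED

def split_bsic(bsic):
    """BSIC = NCC (upper 3 bits, assumed order) + BCC (lower 3 bits)."""
    if not 0 <= bsic < 64:
        raise ValueError("BSIC is a 6-bit value")
    return {"ncc": bsic >> 3, "bcc": bsic & 0b111}

def identity_on_air(imsi, tmsi):
    """Expose the TMSI when a usable one exists; fall back to the IMSI otherwise."""
    split_imsi(imsi)                          # reject a malformed IMSI early
    if tmsi is not None and tmsi_usable(tmsi):
        return ("TMSI", tmsi.hex())
    return ("IMSI", imsi)

if __name__ == "__main__":
    imsi = "262011234567890"                  # constructed sample value
    print(split_imsi(imsi), split_bsic(0b101011), lac_usable(0xFFFE))
    print(identity_on_air(imsi, bytes.fromhex("0A1B2C3D")))
    print(identity_on_air(imsi, TMSI_RESERVED))
```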
PIN
 Personal identification number
 A four- to eight-digit number
 Provides limited protection against unauthorized use.
 Can be changed by the user and is stored on the
SIM.
 Optional and can be disabled
 When enabled, the PIN needs to be entered at power
up
 When the wrong PIN entered three consecutive
times, the SIM is blocked and
 Only the PIN unblocking key (PUK) can release the
PIN
PUK
 PIN unblocking key
 A 10-digit code stored on the SIM
 Cannot be altered by the user
 Unblocks a SIM that was blocked due to
wrong PIN entry three consecutive
times