Mobile Communication and Mobile Computing
Mobile Radio Networks: Overview

Development of Mobile Radio
General technological development in mobile telephony
[Figure: timeline from before 1970 to 2010 (marks at 1970, 1980, 1990, 2000, 2005, 2010) showing: analog networks (150 MHz), analog cellular networks (450 MHz), analog cellular networks (900 MHz), digital cellular networks (900 MHz), digital cellular networks (1800 MHz), GSM Phase II+, UMTS, satellite systems (LEO), 4G]

Corresponding data rates
[Figure: data rate (axis marks at 10 kbit/s, 100 kbit/s, 1 Mbit/s, 10 Mbit/s) over time (1995, 2000, 2005, 2010) for GSM, HSCSD/GPRS, EDGE, DECT, DAB, UMTS (macro cell), UMTS (pico cell) and satellites (GEO)]

Frequency Assignment
[Figure: frequency chart (axis in MHz, marks at 500 MHz and 1 GHz) with rows for Circuit Switched Radio, Mobile Phones, Cordless Phones and Wireless LANs. Systems shown: TETRA, NMT, CT2, CT1+, GSM900, TFTS (Pager, aircraft phones), GSM1800, DECT, UMTS, WLAN IEEE 802.11b, Bluetooth, HomeRF (approx. 2400), IEEE 802.11a, HIPERLAN1, HIPERLAN2, HIPER-Link]
Band values on the chart, in extraction order (MHz): 380-400, 453-457, 450-470, 864-868, 885-887, 890-915, 930-932, 935-960, 410-430, 463-467 (nationally different), 1670-1675, 1710-1785, 1800-1805, 1805-1880, 1880-1900, (1885-2025, 2110-2200), 2400-2483, 2402-2480, 2412-2472, 5176-5270, (ca. 5200, 5600), (ca. 17000)
IEEE 802.11a: 5,15-5,25; 5,25-5,35; 5,725-5,825
TFTS - Terrestrial Flight Telephone System
Notes:
- 2,4 GHz license free, nationally different
- values written in (): prognoses
- today speech over license free frequencies up to 61 GHz -> interesting for high data rates
GSM: Global System for Mobile Communications

GSM: Properties
• cellular radio network (2nd Generation)
• digital transmission, data communication up to 9600 Bit/s
• Roaming (mobility between different network operators, international)
• good transmission quality (error detection and -correction)
• scalable (large number of participants possible)
• Security mechanisms (authentication, authorization, encryption)
• good resource use (frequency and time division multiplexing)
• integration within ISDN and fixed network
• standard (ETSI, European Telecommunications Standards Institute)

GSM: structure
[Figure: network structure with the blocks Fixed network (PSTN/ISDN, data networks), Switching Subsystems ((G)MSC, VLR, HLR, AuC, EIR, OMC; Call Management, Network Management) and Radio Subsystems (BSS with BSC and BTS, serving several MS)]
AuC - Authentication Centre
BSS - Base Station Subsystem
BSC - Base Station Controller
BTS - Base Transceiver Station
EIR - Equipment Identity Register
HLR - Home Location Register
MS - Mobile Station
(G)MSC - (Gateway) Mobile Switching Centre
OMC - Operation and Maintenance Centre
PSTN - Public Switched Telephone Network
VLR - Visitor Location Register
ISDN - Integrated Services Digital Network

GSM: Structure
Operation and Maintenance Centre (OMC)
• logical, central structure with HLR, AuC and EIR
Authentication Centre (AuC)
• authentication, storage of symmetrical keys, generation of encryption keys
Equipment Identity Register (EIR)
• storage of device attributes of allowed, faulty and blocked devices (white, grey, black list)
Mobile Switching Centre (MSC)
• networking centre, partially with gateways to other networks, assigned to one VLR each
Base Station Subsystem (BSS): technical radio centre
• Base Station Controller (BSC): control centre
• Base Transceiver Station (BTS): radio tower / antenna

GSM: protocols, incoming call
[Figure: message flow (1)-(12) between PSTN/ISDN, GMSC, HLR, VLR, MSC and BSS]
(1) Call from fixed network was switched via GMSC
(2) GMSC finds out HLR from phone number
(3) HLR checks whether participant is authorized for corresponding service and asks for MSRN at the responsible VLR
(4) MSRN will be returned to GMSC, can now contact responsible MSC

GSM: protocols, incoming call
(5) GMSC transmits call to current MSC
(6) ask for the state of the mobile station
(7) Information whether end terminal is active
(8) Call to all cells of the Location Area (LA)
(9) Answer from end terminal
(10 - 12) security check and connection setup

GSM: protocols, outgoing call
[Figure: message flow (1)-(5) between BSS, MSC, VLR, HLR and GMSC]
(1) Connection request
(2) Transfer by BSS
(3-4) Authorization control
(5) Switching of the call request to fixed network

Radio structure
[Figure: hierarchy from frequency bands to carriers to TDMA frames]
• 2 frequency bands, 25 MHz each, divided into radio cells: 890-915 MHz (uplink) and 935-960 MHz (downlink)
• 124 radio frequency channels (carrier), each 200 kHz
• 8 TDMA-channels, together 271 kBit/s including error protection information
• 1 TDMA-Frame, 144 Bit in 4,615 ms
• One or several carrier frequencies per BSC
• Physical channels defined by number and position of time slots

GSM: channel structure
Traffic Channel
• speech- / data channel (13 kbit/s gross; differential encoding)
• Half-rate traffic channel: for more efficient speech encoding with 7 kbit/s
Control Channel
• Signal information
• Monitoring of the BSCs for recognition of handover
Broadcast Control Channel
• BSC to MS (identity, frequency order etc.)
Random Access Channel
• Control of channel entry with Aloha-procedure
Paging Channel
• signals incoming calls

Databases
Home Location Register (HLR), stores data of participants which are registered in an HLR-area
– Semi-permanent data:
  • Call number (Mobile Subscriber International ISDN Number) - MSISDN, e.g. +49/171/333 4444 (country, network, number)
  • identity (International Mobile Subscriber Identity) - IMSI: MCC = Mobile Country Code (262 for .de) + MNC = Mobile Network Code (01 - D1, 02 - Vodafone-D2, 03 - eplus, 07 - O2) + MSIN = Mobile Subscriber Identification Number
  • Personal data (name, address, mode of payment)
  • Service profile (call transfer, Roaming-limits etc.)
– Temporary data:
  • MSRN (Mobile Subscriber Roaming Number) (country, net, MSC)
  • VLR-address, MSC-address
  • Authentication Sets of AuC (RAND (128 Bit), SRES (128 Bit), Kc (64 Bit))
  • billing data

Databases
Visitor Location Register (VLR)
• local database of each MSC with following data:
  – IMSI, MSISDN
  – service profile
  – accounting information
  – TMSI (Temporary Mobile Subscriber Identity) - pseudonym for data security
  – MSRN
  – LAI (Location Area Identity)
  – MSC-address, HLR-address

GSM: Location areas
[Figure: an MSC-area (= VLR-area) containing Location Areas (LA), each made up of radio cells with BTS; handover between cells]
• LA = smallest addressable unit

Cooperation of HLR, VLR
[Figure: HLR, MSC-area with VLR, location area]
• advantage of the architecture: Location Update in case of limited mobility only at VLR, rarely at (perhaps very remote) HLR

Localization at GSM
[Figure: localization example. Labels: participant call number in HLR (+49 0177-26 32311); HLR entry with 26 32311, VLR 9, IMSI; VLR 9 with IMSI, LA 2; VLR 10; location areas LA 2, LA 3, LA 5; e.g. 0x62F220 01E5; internal area, network provider, country code]

Data transmission
• each GSM-channel configurable as a data channel; similar structure like ISDN-B and -D-channels
• data rates up to 9600 bit/s
• delay approximately 200 ms
• speech channels have higher priority than data channels
• kinds of channels:
  – transparent (without error correction; however FEC; fixed data rate; error rate 10^-3 up to 10^-4)
  – non-transparent (repeat of faulty data frames; very low error rate, but also less throughput)
• Short-Message-Service (SMS)
  – connectionless transmission (up to 160 Byte) on signaling channel
• Cell Broadcast (CB)
  – connectionless transmission (up to 80 Byte) on signaling channel to all participants, e.g. for location based services

Data transmission - structure
[Figure: data path with the elements TA, Modem, BTS, BSC, MSC with IWF, UDI, ISDN, Modem, PSTN, Internet]
IWF - Inter Working Function
UDI - Unspecified Digital
TA - Terminal Adapter

Security aspects: Subscriber Identity Module (SIM)
Chip-card (Smart Card) to personalize a mobile subscriber (MS):
• IMSI (International Mobile Subscriber Identity)
• symmetric key Ki of participant, stored also at AuC
• algorithm “A3” for Challenge-Response-Authentication
• algorithm “A8” for key generation of Kc for content data
• algorithm “A5” for encryption
• PIN (Personal Identification Number) for access control
Temporary data:
• TMSI (Temporary Mobile Subscriber Identity) - pseudonym
• LAI (Location Area Identification)
• Encryption key Kc
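
Security aspects: Authentication
[Figure: the network (MSC, VLR, AuC) draws RAND (128 Bit) from a random number generator and sends it to the MS in an Authentication Request; MS and network each compute SRES with A3 from Ki (max. 128 Bit) and RAND; the MS returns SRES (32 Bit) in an Authentication Response, and the two values are compared (=)]
• Location Registration
• Location Update with VLR-change
• Call setup (in both directions)
• SMS (Short Message Service)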

Security aspects: Session Key
[Figure: the network's random number generator produces RAND (128 Bit), sent to the MS in the Authentication Request; MS and network each compute Kc (64 Bit) with A8 from Ki and RAND]
• Key generation: Algorithm A8
  – Stored on SIM and in AuC
  – one way function parameterized with Ki
  – no (Europe, world wide) standard
  – can be determined by network operator
  – Interfaces are standardized

Security aspects: encryption at the Radio interface
[Figure: after Ciphering Mode Command and Ciphering Mode Complete, MS and net each feed Kc and the TDMA frame number into A5 to obtain a 114 Bit key block, which is combined (+) with the plain text block; encrypted text crosses the radio interface]
• Data encryption through algorithm A5:
  – stored in the Mobile Station
  – standardized in Europe and world wide
  – weaker algorithm A5* or A5/2 for specific countries

GSM-Security: assessment
• cryptographic methods secret, so they are not "well examined"
• symmetric procedure
  – consequence: storage of secret user keys with network operators required
• low key length Ki with max. 128 Bit (could be hacked by using Brute Force Attack in 8-12 hours)
• no mutual authentication
  – consequence: attacker can pretend to be a GSM network
• no end-to-end encryption
• no end-to-end authentication
• Key generation and -administration not controlled by the participants
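
The authentication, session key and radio-interface encryption slides describe one exchange; the following added example (not part of the original slides) runs it end to end and shows why the assessment lists "no mutual authentication": the SIM side has nothing to check the request against. A3, A8 and A5 are replaced by HMAC-SHA256/SHA-256 stand-ins that only keep the slides' bit lengths, and all class and function names and the IMSI are constructed for illustration.

```python
import hashlib, hmac, secrets

# Stand-ins (assumption): real A3/A8 are operator-chosen and A5 is a dedicated
# stream cipher. HMAC-SHA256 / SHA-256 only model their inputs and output sizes.
def a3(ki, rand):                       # Ki, RAND (128 bit) -> SRES (32 bit)
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki, rand):                       # Ki, RAND (128 bit) -> Kc (64 bit)
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_key_block(kc, frame_no):         # Kc, TDMA frame number -> 114-bit key block
    digest = hashlib.sha256(kc + frame_no.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - 114)

class Sim:
    """Holds IMSI and Ki; Ki never leaves the card."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def answer(self, rand):
        # The SIM answers any RAND: nothing in the request proves who sent it.
        return a3(self._ki, rand), a8(self._ki, rand)

class AuC:
    """Network side: stores Ki per IMSI and produces (RAND, SRES, Kc) sets."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def auth_set(self, imsi, rand=None):
        rand = rand or secrets.token_bytes(16)
        return rand, a3(self._ki[imsi], rand), a8(self._ki[imsi], rand)

def authenticate(sim, auc, rand=None):
    """One run: returns (accepted, Kc on the MS, Kc in the network)."""
    rand, sres_expected, kc_net = auc.auth_set(sim.imsi, rand)  # AuC -> VLR/MSC
    sres, kc_ms = sim.answer(rand)          # Authentication Request / Response
    return hmac.compare_digest(sres, sres_expected), kc_ms, kc_net

def a5_crypt(kc, frame_no, block):
    """XOR a 114-bit block with the key block; the same call decrypts."""
    return block ^ a5_key_block(kc, frame_no)

if __name__ == "__main__":
    ki = secrets.token_bytes(16)
    sim, auc = Sim("262019999999999", ki), AuC()   # constructed IMSI
    auc.provision(sim.imsi, ki)
    ok, kc_ms, kc_net = authenticate(sim, auc)
    print(ok, kc_ms == kc_net, hex(a5_crypt(kc_ms, 42, 0x1234)))
```

Only the network compares SRES values; Kc is never transmitted, both sides derive it from the same RAND.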