GSM: Overview Formerly: Groupe Spéciale Mobile (founded 1982) Now: Global System for Mobile Communication Pan-European standard (ETSI, European Telecommunications Standardisation Institute) 1

Architecture of the GSM system GSM is a PLMN (Public Land Mobile Network) several providers setup mobile networks following the GSM standard within each country Main Components MS (mobile station) BS (base station) MSC (mobile switching center) LR (location register) Subsystems RSS (Radio SubSystem): covers all radio aspects, consist of BSS (BSC + several BTSs)and MS. NSS (Network and Switching Subsystem): call forwarding, handover, switching, comprising an MSC and associated registers. OSS (Operation SubSystem): management of the network 2

GSM: Architecture Overview fixed network PSTN BSC MSC GMSC OMC, EIR, AUC VLR HLR NSS with OSS RSS VLR BTS MS BSS – Base Station Sub-system BSC – Base Station Controller HLR – Home Location Register BTS – Base Transceiver Station VLR – Visitor Location Register TRX – Transceiver AuC – Authentication Centre MS – Mobile Station MSC – Mobile Switching Center GMSC – Gateway MSC EIR – Equipment Identity Register OMC – Operations and Maintenance Centre PSTN – Public Switched Telephone Network 3

GSM: Architecture Overview 4 Core

GSM: elements and interfaces NSS MS BTS BSC GMSC IWF OMC BTS BSC MSC A bis UmUm EIR HLR VLR A BSS PDN ISDN, PSTN RSS radio cell MS AUC OSS signaling O Several interfaces are defined between different parts of the system: 'A' interface between MSC and BSC 'Abis' interface between BSC and BTS 'Um' air interface between the BTS (antenna) and the MS 5

UmUm A bis A BSS radio subsystem MS BTS BSC BTS BSC BTS network and switching subsystem MSC fixed partner networks IWF ISDN PSTN PSPDN CSPDN SS7 EIR HLR VLR ISDN PSTN GSM: system architecture BSC BTS 6

System architecture: radio subsystem Components MS (Mobile Station) BSS (Base Station Subsystem): consisting of BTS (Base Transceiver Station): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells BSC (Base Station Controller): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (U m ) onto terrestrial channels (A interface) Interfaces U m : radio interface A bis : standardized, open interface with 16 kbit/s user channels A: standardized, open interface with 64 kbit/s user channels UmUm A bis A BSS radio subsystem network and switching subsystem MS BTS BSC MSC BTS BSC BTS MSC 7

Tasks of a BSS are distributed over BSC and BTS  BTS comprises radio specific functions  BSC is the switching center for radio channels 8

BSS Network Topologies Base stations are linked to the parent BSC in one of several standard network topologies. The actual physical link may be microwave, optical fiber or cable. 9 Chain: cheap, easy to implement One link failure isolates several BTSs Ring: Redundancy gives some protection if a link fails More difficult to roll-out and extend - ring must be closed Star: most popular configuration for first GSM systems Expensive as each BTS has its own link One link failure always results in loss of BTS

The Mobile Station The mobile station consists of: mobile equipment (ME) subscriber identity module (SIM) The SIM stores permanent and temporary data about the mobile, the subscriber and the network, including: The International Mobile Subscribers Identity (IMSI) MS ISDN number of subscriber Authentication key (K i ) and algorithms for authentication check The mobile equipment has a unique International Mobile Equipment Identity (IMEI), which is used by the EIR. The IMEI may be used to block certain types of equipment from accessing the network if they are unsuitable and also to check for stolen equipment.  The two parts of the mobile station allow a distinction between the actual equipment and the subscriber who is using it. 10

System architecture: Network and Switching Subsystem Components oMSC (Mobile Switching Center) oIWF (Interworking Functions) oISDN (Integrated Services Digital Network) oPSTN (Public Switched Telephone Network) oPSPDN (Packet Switched Public Data Net.) oCSPDN (Circuit Switched Public Data Net.) Databases oHLR (Home Location Register) oVLR (Visitor Location Register) oEIR (Equipment Identity Register) network subsystem MSC fixed partner networks IWF ISDN PSTN PSPDN CSPDN SS7 EIR HLR VLR ISDN PSTN 11

Network and switching subsystem NSS is the main component of the public mobile network GSM switching, mobility management, interconnection to other networks, system control  Components Mobile Services Switching Center (MSC) and GMSC controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC Databases (important: scalability, high capacity, low delay) Home Location Register (HLR) central master database containing user data, permanent and semi- permanent data of all subscribers assigned to the HLR (one provider can have several HLRs) Visitor Location Register (VLR) local database for a subset of user data, including data about all user currently in the domain of the VLR 12

Mobile Switching Center The MSC (mobile switching center) plays a central role in GSM switching functions additional functions for mobility support management of network resources interworking functions via Gateway MSC (GMSC) integration of several databases  Functions of a MSC specific functions for paging and call forwarding termination of SS7 (signaling system no. 7) mobility specific signaling location registration and forwarding of location information provision of new services (fax, data calls) support of short message service (SMS) generation and forwarding of accounting and billing information MSC VLR 13

Gateway MSC A Gateway Mobile Switching Centre (GMSC) is a device which routes traffic entering or exiting a mobile network to the correct destination The GMSC accesses the network’s HLR to find the location of the required mobile subscriber A particular MSC can be assigned to act as a GMSC The operator may decide to assign more than one GMSC 14 fixed network MSC GMSC VLR HLR VLR

Visitor Location Register Each MSC has a VLR VLR stores data temporarily for mobiles served by the MSC  Information stored includes: IMSI Mobile Station ISDN Number Mobile Station Roaming Number Temporary Mobile Station Identity Local Mobile Station Identity The location area where the mobile station has been registered Supplementary service parameters 15 MSC VLR

Home Location Register Stores details of all subscribers in the network, such as: Subscription information Location information: mobile station roaming number, VLR, MSC International Mobile Subscriber Identity (IMSI) MS ISDN number Tele-service and bearer service subscription information Service restrictions Supplementary services Together with the AuC, the HLR checks the validity and service profile of subscribers  Notice that the VLR stores the current Location Area of the subscriber, while the HLR stores the MSC/VLR they are currently under. This information is used to page the subscriber when they have an incoming call. 16 HLR AuC

Operation subsystem The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems  Components Authentication Center (AUC) generates user specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system Equipment Identity Register (EIR) registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes even localized. The EIR controls access to the network by returning the status of a mobile in response to an IMEI query Operation and Maintenance Center (OMC) different control capabilities for the radio subsystem and the network subsystem 17

Activities and Operations Main activities which the network must carry out are: Switching mobile on (IMSI attach) Switching mobile off (IMSI detach) Location updating Making a call (mobile originated) Receiving a call (mobile terminated) Cell measurements and handover 18 Base Station (BS) Mobile Station (MS) Mobility management

IMSI Attach (Switch on) Mobile camps on to best serving BTS Mobile sends IMSI to MSC MSC/VLR is updated in HLR Subscriber data including current location area is added to local VLR MSC and HLR carry out authentication check - challenge and response using K i Optionally EIR checks for status of mobile (white/grey/black) 19 MSC VLR BSC HLR AuC EIR

IMSI Detach (Switch off) Mobile informs MSC it is switching off HLR stores last location area for mobile VLR records that mobile is no longer available on network Mobile powers down 20 MSC VLR BSC HLR AuC

Location Updates Automatic Location Update –when mobile moves to new location area Periodic Location Update – checks that mobile is still attached to network Updates location area in VLR If move is to a new MSC/ VLR then HLR is informed 21 MSC VLR BSC HLR AuC BSC MSC VLR BSC

Mobile Terminated Call PSTN calling station GMSC HLR VLR BSS MSC MS : calling a GSM subscriber 2: forwarding call to GMSC 3: signal call setup to HLR 4, 5: request (Mobile station roaming number)MSRN from VLR 6: forward responsible MSC to GMSC 7: forward call to current MSC 8, 9: get current status of MS 10, 11: paging of MS 12, 13: MS answers 14, 15: security checks 16, 17: set up connection 22

Mobile Originated Call PSTN GMSC VLR BSS MSC MS , 2: connection request 3, 4: security check 5-8: check resources (free circuit) 9-10: set up call 23

MTC/MOC BTSMS paging request channel request immediate assignment paging response authentication request authentication response ciphering command ciphering complete setup call confirmed assignment command assignment complete alerting connect connect acknowledge data/speech exchange BTSMS channel request immediate assignment service request authentication request authentication response ciphering command ciphering complete setup call confirmed assignment command assignment complete alerting connect connect acknowledge data/speech exchange MTCMOC 24

Network Area 25 With the mobility of a subscriber handover occurs. As mobile moves around it monitors signal strength and quality from neighbor cells BSS determines when handover should occur, based on cell measurements and traffic loading on neighbor cells. A subscriber outside of their PLMN service area may access their normal service with a roaming agreement.

4 types of handover 1: within a cell (from a channel to another) 2: within the same location area (from a cell to another under the control of the same BSC) 3: within the same MSC/VLR service area (under the same MSC control) 4: within the PLMN service area(from one MSC to another) From PLMN service area to another PLMN (operator): Roaming MSC BSC BTS MS

Handover decision I Many handover strategies prioritize handover requests over call initiation requests when allocating unused channel in a cell site. Since having a call abruptly terminated while in a middle of a conversation is more annoying than being blocked occasionally on a new call attempt. Guard channel concept :a fraction of the total available channels is reserved exclusively for handover requests from ongoing calls which may be handed off onto the cell. Handover must be performed successfully and as infrequently as possible, and be imperceptible to the users. Def: Dwell time is the time over which a call may be maintained within a cell, without handover. Depends on (signal propagation, interference, distance between MS and BS, speed, etc.) 27 receive level BTS old receive level BTS new MS HO_MARGIN BTS old BTS new Actual measured power Average of measured power

Handover decision II 28

Umbrella Cell High speed MS pass through the coverage area of a cell within a matter of seconds, whereas pedestrian MS may never need a handoff during a call. Umbrella cell: provide large coverage area to high speed MS while providing small coverage area to MS travelling at low speed. 29 Large Umbrella cell (Macrocell) for high speed traffic Small microcells for slow speed traffic

Handover procedure in GSM HO access BTS old BSC new measurement result BSC old Link establishment MSC MS measurement report HO decision HO required BTS new HO request resource allocation ch. activation ch. activation ack HO request ack HO command HO complete clear command clear complete 30

Roaming Allows subscriber to travel to different network areas, different operator’s networks, different countries - keeping the services and features they use at home. Billing is done through home network operator, who pays any other serving operator involved. Requires agreements between operators on charge rates, methods of payments etc. Clearing house companies carry out data validation on roamer data records, billing of home network operators and allocation of payments. 31

Security issues Authentication: Procedure of verifying the authenticity of an entity (user, terminal, network, network element). In other words, is the entity the one it claims to be? Data integrity: The property that data has not been altered in an unauthorised manner. Confidentiality: The property that information is not made available to unauthorised individuals, entities or processes. Anonymity: Preventing unencrypted transmission of user ID information such as IMSI number over the air interface. 32

Security in GSM Security services access control/authentication user  SIM (Subscriber Identity Module): secret PIN (personal identification number) SIM  network: challenge response method confidentiality voice and signaling encrypted on the wireless link (after successful authentication) anonymity temporary identity TMSI (Temporary Mobile Subscriber Identity) is given to the user after switching on which use IMSI. newly assigned at each new location update (LUP) encrypted transmission 3 algorithms specified in GSM A3 for authentication (“secret”, open interface) A5 for encryption (standardized) A8 for key generation (“secret”, open interface) “secret”: A3 and A8 available via the Internet network providers can use stronger mechanisms 33

GSM - authentication A3 RANDKiKi 128 bit SRES* 32 bit A3 RANDKiKi 128 bit SRES 32 bit SRES* =? SRES SRES RAND SRES 32 bit mobile network SIM AuC MSC SIM K i : individual subscriber authentication keySRES: signed response 34

GSM - key generation and encryption A8 RANDKiKi 128 bit K c 64 bit A8 RANDKiKi 128 bit SRES RAND encrypted data mobile network (BTS) MS with SIM AC BTS SIM A5 K c 64 bit A5 MS data cipher key 35

GSM: Mobile Services GSM offers several types of connections voice connections, data connections, short message service multi-service options (combination of basic services) Three service domains offered to the end user: Telematic Services: service completely defined including terminal equipment functions - telephony and various data services. Bearer Services: basic data transmission capabilities - protocols and functions not defined Supplementary Services. 36

Tele Services I  Telecommunication services that enable voice communication via mobile phones  All these basic services have to obey cellular functions, security measurements etc.  Offered services mobile telephony primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 kHz Emergency number - mandatory for all service providers -free of charge -connection with the highest priority (preemption of other connections possible) -Emergency calls can override any locked state the phone may be in -May be initiated from a mobile without a SIM - common number throughout Europe (112) -If the national emergency code is used the SIM must be present Multinumbering several ISDN phone numbers per user possible 37

Tele Services II Additional services Non-Voice-Teleservices group 3 fax voice mailbox (implemented in the fixed network supporting the mobile terminals) electronic mail (MHS, Message Handling System, implemented in the fixed network) Short Message Service (SMS) alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS DTMF - Dual Tone Multi-Frequency - used for control purposes – remote control of answering machine, selection of options. Cell Broadcast - short text messages sent by the operator to all users in an area, e.g. to warn of road traffic problems, accidents 38

Bearer Services  Telecommunication services to transfer data between access points  Specification of services up to the terminal interface (OSI layers 1-3)  Different data rates for voice and data (original standard) data service (circuit switched) synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: bit/s data service (packet switched) synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: bit/s 39

Supplementary services  Services in addition to the basic services, cannot be offered stand-alone  Similar to ISDN services besides lower bandwidth due to the radio link  May differ between different service providers, countries and protocol versions  Important services identification: forwarding of caller number suppression of number forwarding automatic call-back conferencing with up to 7 participants locking of the mobile terminal (incoming or outgoing calls)... 40