1. Special Topic: Mobile Security Part I - Introduction of Cellular Communications -- Dr. Frank Li CSCI 555

2. Background
# wireless (mobile) phone subscribers now exceeds # wired phone subscribers (5 to1)!
# wireless Internet-connected devices equals # wireline Internet-connected devices
laptops, Internet-enabled phones promise anytime untethered Internet access
two important (but different) challenges
wireless: communication over wireless link
mobility: handling the mobile user who changes point of attachment to network

3. Characteristics of selected wireless links
200
802.11n 54
802.11a,g
802.11a,g point-to-point
5-11
802.11b
4G: LTWE WIMAX 4
3G: UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO
Data rate (Mbps) 1
802.15
.384
2.5G: UMTS/WCDMA, CDMA2000
.056
2G: IS-95, CDMA, GSM
Indoor
10-30m
Outdoor
50-200m
Mid-range
outdoor
200m – 4 Km
Long-range
outdoor
5Km – 20 Km

4. Cellular Network Basics
There are many types of cellular services; before delving into details, focus on basics (helps navigate the “acronym soup”)
Cellular network/telephony is a radio-based technology; radio waves are electromagnetic waves that antennas propagate
Most signals are in the 850 MHz, 900 MHz, 1800 MHz, and 1900 MHz frequency bands
Cell phones operate in this frequency range (note the logarithmic scale)

5. Frequency Bands for U.S. Carriers
NETWORK
3G BANDS
3G FREQUENCIES
4G LTE BANDS
4G LTE FREQUENCIES
AT&T
GSM/UMTS/HSPA+
2, 5
1900, 850
2, 4, 12, 17
1900, 1700 abcde, 700 bc
VERIZON
CDMA
0, 1
850, 1900
2, 4, 13
1900, 1700 f, 700 c
T-MOBILE
2, 4
1900, 1700/2100
2, 4, 12
1900, 1700 def, 700 a
SPRINT
10, 1
800, 1900
25, 26, 41
1900 g, 850, 2500
US CELLULAR
5, 12
850, 700 ab
While the 700 MHz range in various bands has been the backbone of the U.S. 4G LTE coverage, in Europe and China carriers use different spectrum and bands, so phones from the United States may not work there. In Europe, most carriers base their networks on bands 3 (1800 MHz), 7 (2600 MHz) and 20 (800 MHz).
9/17/2018

6. Cellular Network Generations
It is useful to think of cellular Network in terms of generations:
1G: Analog cellular telephony
2G: Digital cellular telephony
3G: High-speed digital cellular telephony (including video telephony)
4G: IP-based “anytime, anywhere” voice, data, and multimedia telephony at faster data rates than 3G (to be deployed in 2012–2015)

7. Evolution of Cellular Networks1G 2G
2.5G 3G 4G

8. The Multiple Access Problem
The base stations need to serve many mobile terminals at the same time (both downlink and uplink)
All mobiles in the cell need to transmit to the base station
Interference among different senders and receivers
So we need multiple access scheme

9. Multiple Access Schemes
Frequency Division Multiple Access (FDMA)
Time Division Multiple Access (TDMA)
Code Division Multiple Access (CDMA)

10. Frequency Division Multiple Access
Each mobile is assigned a separate frequency channel for the duration of the call
Sufficient guard band is required to prevent adjacent channel interference
Usually, mobile terminals will have one downlink frequency band and one uplink frequency band
Different cellular network protocols use different frequencies
Frequency is a precious and scare resource. We are running out of it

11. Time Division Multiple Access
Guard time – signal transmitted by mobile terminals at different locations do no arrive at the base station at the same time
Time is divided into slots and only one mobile terminal transmits during each slot
Like during the lecture, only one can talk, but others may take the floor in turn
Each user is given a specific slot.
No competition in cellular network
Unlike Carrier Sensing Multiple Access (CSMA) in WiFi

12. FDMA/TDMA
combined FDMA/TDMA: divide spectrum in frequency channels, divide each channel into time slots
frequency
bands
time slots

13. Code Division Multiple Access
Use of orthogonal codes to separate different transmissions
Each symbol of bit is transmitted as a larger number of bits using the user specific code – Spreading
Bandwidth occupied by the signal is much larger than the information transmission rate
But all users use the same frequency band together
Orthogonal among users

14. CDMA
9/17/2018

15. CDMA unique “code” assigned to each user; i.e., code set partitioning
all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data
allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)
encoded signal = (original data) X (chipping sequence)
decoding: inner-product of encoded signal and chipping sequence

16. Wireless Link Characteristics (1)
important differences from wired link ….
decreased signal strength: radio signal attenuates as it propagates through matter (path loss)
interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) shared by other devices (e.g., phone); devices (motors) interfere as well
multipath propagation: radio signal reflects off objects ground, arriving destination at slightly different times
…. make communication across wireless link much more “difficult”

17. Wireless Link Characteristics (2)
SNR: signal-to-noise ratio
larger SNR – easier to extract signal from noise (a “good thing”)
SNR vs. BER tradeoffs
given physical layer (i.e. given modulation scheme): increase power -> increase SNR->decrease BER
given SNR: choose physical layer that meets BER requirement, giving highest throughput
SNR may change with mobility: dynamically adapt physical layer (modulation technique, rate)
10-1
10-2
10-3
BER
10-4
10-5
What is dB (decibels) a logarithmic unit used to express the ratio of two values of a physical quantity, often power or intensity
BER bit error rate
10-6
10-7 10 20 30 40
SNR(dB)
QAM256 (8 Mbps)
QAM16 (4 Mbps)
BPSK (1 Mbps)

18. History of Mobile Communication - Old days
First telephone – Alexander Bell, 1880
The first car mounted radio
telephone – 1921

19. Going further
1946 – First commercial mobile radio-telephone service by Bell and AT&T in Saint Louis, USA. Half duplex (PTT)
1973 – First handheld cellular phone – Motorola.
First cellular net Bahrein 1978

20. What’s cellular network
MSC BS
PSTN
HLR, VLR, AC, EIR

21. Cellular principles Frequency reuse – same frequency in
many cell sites
Cellular expansion – easy to add new cells
Handover – moving between cells
Roaming - moving between networks

22. Cells in Cellular network
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Cells in Cellular network
segmentation of the area into cells
cell
possible radio coverage of the cell
idealized shape of the cell
In telecommunications, a carrier wave, carrier signal, or just carrier, is a waveform (usually sinusoidal) that is modulated (modified) with an input signal for the purpose of conveying information. This carrier wave is usually a much higher frequency than the input signal.
carrier frequencies is the center frequency or the frequency of a carrier wave
Use of several carrier frequencies (what is it?)
Not the same frequency in adjoining cells
Cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
Hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
If a mobile user changes cells, handover of the connection to the neighbor cell
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 22

23. Network of Cells
Networks are made up of sites serving areas called cells. This may be shown as a honeycomb pattern but in practice cell shapes are NOT regular.

24. Cell Area Depends on Geography and Calls
Antennas must be near users. The size of each cell is dependent on the number of calls, the physical terrain and the frequency of operation.

25. Cell & Frequency planning
In the practice, cells are not hexagonal as in the theoretical studies.
Computer methods are being used for optimized planning of base station location and cell frequencies.
Path loss and link budgets are computed from the terrain features and antenna data.
9/17/2018

26. Cells Served by Base Stations
Each base station consists of a mast or existing building to support the antennas and associated transmission and network equipment.

27. The Mobile Switching Centre Connects Calls
Base stations are connected to a mobile switching centre where a call is connected to another mobile or fixed phone or the Internet.

28. Handover Between Cells while Moving
As a mobile moves the call is passed between neighbouring cells, a process called handover. If there are gaps in the coverage the call could be dropped.

29. Network Changed in Response to User Needs
As the number of users grows the larger cells will be divided into smaller sizes. As the cell size decreases, so also does the transmit power.

30. Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Frequency planning 1
Frequency reuse only with a certain distance between the base stations
Standard model using 7 frequencies:
Fixed frequency assignment:
certain frequencies are assigned to a certain cell
problem: different traffic load in different cells
Dynamic frequency assignment:
base station chooses frequencies depending on the frequencies already used in neighbor cells
more capacity in cells with more traffic
assignment can also be based on interference measurements f4 f5 f1 f3 f2 f6 f7
9/17/2018
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 30

31. Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Frequency planning 2
K = 3 cell cluster
K= 7 cell cluster
The total bandwidth for the system is K times the bandwidth occupied by a single cell
9/17/2018
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 31

32. 9/17/2018

33. Sectoring
9/17/2018

34. Cell Splitting
9/17/2018

35. Frequency Reuse Partitioning
9/17/2018

36. Evolution of Cellular Networks1G 2G
2.5G 3G 4G

37. First Generation (1G) 1G: Analog [voice] All systems are incompatible
No international roaming
Little capacity – cannot accommodate masses of subscribers

38. Second Generation (2G) 2G – digital [voice encoding]
Increased capacity
More security
Compatibility
Can use TDMA or CDMA for increasing capacity

39. Beyond 2G GPRS(114Kbps) EGDE(368Kbps) 3G(3.1Mbps) HSDPA(14Mbps)
HSPA+(168Mbps)
4G/LTE(299.6Mbps)
9/17/2018

40. 2.5 G
2.5 G: packet-switching
Connection to the internet is paid by packets and not by connection time.
Connection to internet is cheaper and faster [up to 56KBps]
The service name is GPRS – General Packet Radio Services
Enhanced Data rates for GSM Evolution (EDGE): 2.75G

41. Third Generation (3G) Permanent web connection at 2Mbps
Internet, phone and media: 3 in 1
The standard based on GSM is called UMTS.
The EDGE standard is the development of GSM towards 3G.

42. Use of Wideband CDMA: 3G Most common deployment
High Speed Packet Access (HSPA) extends and improves the performance of existing 3G
The world's first commercial W-CDMA service, FOMA, was launched by NTT DoCoMo in Japan in 2001.
Most common deployment
HSPA: upgrades to the original W-CDMA standard and offers speeds of 14.4 Mbit/s (down) and 5.76 MBit/s up.
HSPA+: further upgrade of HSPA, can provide theoretical peak data rates up to 168 Mbit/s (downlink) and 22 Mbit/s (uplink)

43. Fourth Generation (4G)
4G system provides mobile ultra-broadband Internet access
Through USB wireless modems, to laptops or smartphones, etc.
4G applications include amended mobile web access, IP telephony, gaming services, HD mobile TV, video conferencing
Two 4G systems are commercially deployed:
Mobile WiMAX
Long Term Evolution (LTE)

44. GSM

45. GSM Overview GSM stand for Global System for Mobile Communication
The GSM makes use of narrowband Time Division Multiple Access(TDMA) technique for transmitting signals.
Ability to carry 64 kbps to 120 kbps of data rates.
Presently GSM supports more than one billion mobile subscribers in more than 210 countries throughout the world.
The GSM provides basic to advanced voice and data services including Roaming service. 

46. Why GSM? Improved spectrum efficiency. International roaming.
Low-cost mobile sets and base stations.
High-quality speech.
Compatibility with Integrated Services Digital Network (ISDN) and other telephone company services.
Support for new services.

47. Architecture of the GSM system
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM standard within each country
GSM subsystems
RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handover, switching
OSS (operation subsystem): management of the network
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 47

48. Interfaces in GSM Network
The interfaces defined sub-systems include:
’A’ interface between NSS and BSS
‘Abis’ interface between BSC and BTS (within the BSS)
‘Um’ air interface between the BSS and the MS
(in the next slide)

50. GSM Network Component Terminology
TRX – Transceiver
AuC – Authentication Center
MS – Mobile Station
EIR – Equipment Identity Register
OMC – Operations and Maintenance Center
PSTN – Public Switched Telephone Network
BSS – Base Station Sub-system
BSC – Base Station Controller
HLR – Home Location Register
BTS – Base Transceiver Station
MSC – Mobile Switching Center
VLR – Visitor Location Register

51. Ingredients 1: Mobile Phones, PDAs...
The visible but smallest part of the network!
Consists of
Mobile Equipment (ME)
Subscriber Identity Module (SIM)

52. Ingredients 2: Antennas

53. Ingredients 3: Infrastructure 1
Base Stations
Cabling
Microwave links

54. Base Station Subsystem (BSS)
BSS consist of
Base Transceiver Station (BTS):
- Encodes, encrypts, multiplexes, modulates and feeds the RF signals to the antenna.
- Communicates with Mobile station and BSC - Consists of Transceivers (TRX) units
Base Station Controller (BSC):
- Manages Radio resources for BTS
- Assigns Frequency and time slots for all MS’s in its area
- Handles call set up
- Handover for each MS
- It communicates with MSC and BTS

55. Ingredients 3: Infrastructure 2
Not visible, but comprise the major part of the network (also from an investment point of view…)
Management
Data bases
Switching units
Monitoring

56. Network Switching Subsystem(NSS)
NSS consist Of
- Mobile Switching Center (MSC):
Heart of the network which manages communication between GSM and other networks
- Home Location Register (HLR):
Stores information about each subscriber and update the information in HLR as soon as the subscriber leaves its current local area.
- Visitor Location Register (VLR):
Controls mobiles roaming by updating VLR Database.
- Authentication Center (AUC)
Contains the algorithms for authentication and prevent fraud operation.
- Equipment Identity Register (EIR) Stores all devices identifications registered for this network

57. Call from Mobile Phone to PSTN
The MSC/VLR receives the message of a call request.
The MSC/VLR checks if the mobile station is authorized to access the network. If so, the mobile station is activated. If the mobile station is not authorized, service will be denied.
MSC/VLR analyzes the number and initiates a call setup with the PSTN.
MSC/VLR asks the corresponding BSC to allocate a traffic channel (a radio channel and a time slot).
The BSC allocates the traffic channel and passes the information to the mobile station.
The called party answers the call and the conversation takes place.
The mobile station keeps on taking measurements of the radio channels in the present cell and neighboring cells and passes the information to the BSC. The BSC decides if handover is required, if so, a new traffic channel is allocated to the mobile station and the handover is performed. If handover is not required, the mobile station continues to transmit in the same frequency.

58. GSM Architecture OMC, EIR, AUC fixed network HLR GMSC NSS with OSS VLR
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
GSM Architecture
OMC, EIR, AUC
fixed network
HLR
GMSC
NSS
with OSS
VLR
MSC
VLR
MSC
BSC
BSC
RSS
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 58

59. Call from PSTN to Mobile Phone
The Gateway MSC receives the call and queries the HLR for the information needed to route the call to the serving MSC/VLR.
The GMSC routes the call to the MSC/VLR.
The MSC checks the VLR for the location area of the MS.
The MSC contacts the MS via the BSC through a broadcast message, that is, through a paging request.
The MS responds to the page request.
The BSC allocates a traffic channel and sends a message to the MS to tune to the channel. The MS generates a ringing signal and, after the subscriber answers, the speech connection is established.
Handover, if required, takes place, as discussed in the earlier case.

60. GSM frequency bands
GSM comes in three flavors(frequency bands): 900, 1800, 1900 MHz.
Voice is digitized using Full-Rate coding.
20 ms sample => 260 bits . 13 Kbps bitrate

61. GSM frequency bands (examples)
Type
Channels
Uplink [MHz]
Downlink [MHz]
GSM 850
GSM 900
classical
Extended
0-124,
124 channels
+49 channels
GSM 1800
GSM 1900
GSM-R
exclusive
, 0-124
69 channels
Additionally: GSM 400 (also named GSM 450 or GSM 480 at / or / MHz)
Please note: frequency ranges may vary depending on the country!
Channels at the lower/upper edge of a frequency band are typically not used

62. GSM - TDMA/FDMA higher GSM frame structures GSM TDMA frame 1 2 3 4 5 6
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
GSM - TDMA/FDMA
MHz
124 channels (200 kHz)
downlink
frequency
MHz
124 channels (200 kHz)
uplink
higher GSM frame structures
time
GSM TDMA frame 1 2 3 4 5 6 7 8
4.615 ms
GSM time-slot (normal burst)
guard
space
guard
space
tail
user data S
Training S
user data
tail
3 bits
57 bits 1
26 bits 1
57 bits 3
546.5 µs
577 µs
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 62

63. Sharing GSM uses TDMA and FDMA.
FDMA: e.g. 25MHz freq. is divided into 124 carrier frequencies. Each base station gets few of those.
TDMA: e.g. each carrier frequency is divided into bursts [0.577 ms]. 8 bursts are a frame.

64. Channels The physical channel in GSM is the timeslot.
The logical channel is the information which goes through the physical channel
Both user data and signaling are logical channels.

65. Traffic Channel
User data is carried on the traffic channel (TCH) , which is defined as 26 TDMA frames.
There are lots of control channels for signaling, base station to mobile, mobile to base station (“aloha” to request network access)

66. SS7 Signaling protocol for networks Packet switching [like IP]
For communication between HLR and VLR (allowing roaming) and other advanced capabilities.
GSM’s protocol which sits on top of SS7 is MAP – mobile application part

67. Localizing and Calling
To locate an MS and to address it, several numbers are needed:
Mobile station international ISDN number (MSISDN)
International mobile subscriber identity (IMSI)
Temporary mobile subscriber identity (TMSI)
Mobile station roaming number (MSRN)

68. Mobile station international ISDN number
Mobile Subscriber Integrated Services Digital Network-Number
MSISDN is a number uniquely identifying a subscription in a GSM or a UMTS mobile network.
It is the telephone number to the SIM card in a mobile/cellular phone.
For a GSM user, Phone number is not associated with a certain device but with the SIM, which is personalized for a user
MSISDN number (e.g., ) consists of
country code (CC): 49 for Germany
national destination code (NDC): network provider 179
subscriber number (SN):

69. International Mobile Subscriber Identity (IMSI)
GSM uses the IMSI for internal unique identification of a subscriber. IMSI consists of a
Mobile country Code (MCC) (e.g., 240 for Sweden)
Mobile Network Code (MNC)
Mobile Subscriber Identification Number (MSIN).

70. Temporary Mobile Subscriber Identity (TMSI)
To hide IMSI (which gives away the exact identity), GSM uses 4-byte TMSI for local subscriber identification.
TMSI is selected by the current VLR and is only valid temporarily and within the location area of the VLR
TMSI and LAI are sufficient to identify a user for an ongoing communication; the IMSI is not needed).
A VLR may change the TMSI periodically.

71. Mobile Station Roaming Number (MSRN)
Another temporary address that hides the identity and location of a subscriber is MSRN.
The VLR generates this address on request from the MSC, and the address is also stored in the HLR.
MSRN contains the current visitor country code (VCC), the visitor national destination code (VNDC), the identification of the current MSC together with the subscriber number.
The MSRN helps the HLR to find a subscriber for an incoming call.

72. Mobile Terminated Call
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Mobile Terminated Call
1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible MSC to GMSC
7: forward call to current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection 4
HLR
VLR 5 8 9 3 6 14 15
PSTN 7
calling
station
GMSC
MSC 1 2 10 13 10 10 16
BSS
BSS
BSS 11 11 11 11 12 17 MS
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 72

73. Mobile Originated Call
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Mobile Originated Call
1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
VLR 3 4
PSTN 6 5
GMSC
MSC 7 8 2 9 1 MS
BSS 10
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 73

74. 4 types of handover Intra-cell Inter-cell, intra-BSC
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
4 types of handover 1 2 3 4 MS MS MS MS
BTS
BTS
BTS
BTS
BSC
BSC
BSC
MSC
MSC
Intra-cell
Inter-cell, intra-BSC
Inter-BSC, Intra-MSC
Inter-MSC
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 74

75. Handover decision receive level BTSold receive level BTSnew HO_MARGIN
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Handover decision
receive level
BTSold
receive level
BTSnew
HO_MARGIN MS MS
BTSold
BTSnew
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 75

76. Components of cellular network architecture
recall
correspondent
wired public telephone
network
MSC
MSC
MSC
MSC
MSC
different cellular networks,
operated by different providers

77. Handling mobility in cellular networks
home network: network of cellular provider you subscribe to (e.g., Sprint PCS, Verizon)
home location register (HLR): database in home network containing permanent cell phone #, profile information (services, preferences, billing), information about current location (could be in another network)
visited network: network in which mobile currently resides
visitor location register (VLR): database with entry for each user currently in network
could be home network

78. GSM: indirect routing to mobile
HLR
home
network
correspondent 2
home MSC consults HLR,
gets roaming number of
mobile in visited network
home
Mobile
Switching
Center 1
call routed
to home network 3
home MSC sets up 2nd leg of call
to MSC in visited network
Public switched
telephone
network
VLR
Mobile
Switching
Center 4
MSC in visited network completes
call through base station to mobile
mobile
user
visited
network

79. GSM: handover with common MSC
handover goal: route call via new base station (without interruption)
reasons for handover:
stronger signal to/from new BSS (continuing connectivity, less battery drain)
load balance: free up channel in current BSS
GSM does not mandate why to perform handoff (policy), only how (mechanism)
handover initiated by old BSS
VLR
Mobile
Switching
Center
old
routing
new
routing
old BSS
new BSS

80. GSM: handover with common MSC
1. old BSS informs MSC of impending handoff, provides list of 1+ new BSSs
2. MSC sets up path (allocates resources) to new BSS
3. new BSS allocates radio channel for use by mobile
4. new BSS signals MSC, old BSS: ready
5. old BSS tells mobile: perform handoff to new BSS
6. mobile, new BSS signal to activate new channel
7. mobile signals via new BSS to MSC: handoff complete. MSC reroutes call
8 MSC-old-BSS resources released
VLR
Mobile
Switching
Center 2 4 1 7 8 3
old BSS 5 6
new BSS

81. GSM: handover between MSCs
anchor MSC: first MSC visited during call
call remains routed through anchor MSC
new MSCs add on to end of MSC chain as mobile moves to new MSC
optional path minimization step to shorten multi-MSC chain
home network
Home MSC
correspondent
anchor MSC
PSTN
MSC
MSC
MSC
(a) before handover

82. GSM: handover between MSCs
anchor MSC: first MSC visited during call
call remains routed through anchor MSC
new MSCs add on to end of MSC chain as mobile moves to new MSC
optional path minimization step to shorten multi-MSC chain
home network
Home MSC
correspondent
anchor MSC
PSTN
MSC
MSC
MSC
(b) after handover
Wireless, Mobile Networks

83. Handover procedure MS BTSold HO access BSCold MSC BSCnew BTSnew
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Handover procedure MS
BTSold
BSCold
MSC
BSCnew
BTSnew
measurement
report
measurement
result
HO decision
HO required
HO request
resource allocation
ch. activation
ch. activation ack
HO request ack
HO command
HO command
HO command
HO access
Link establishment
HO complete
HO complete
clear command
clear command
clear complete
clear complete
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 83

84. Roaming
When a MS enters another operators network, it can be allowed to use the services of this operator
Operator to operator agreements and contracts
Higher billing
The MS is identified by the information in the SIM card and the identification request is forwarded to the home operator
The home HLR is updated to reflect the MS’s current location

85. Security in GSM Security services Three algorithms specified in GSM
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
Security in GSM
Security services
access control/authentication
user - SIM (Subscriber Identity Module): secret PIN (personal identification number)
SIM-network: challenge response method
confidentiality
voice and signaling encrypted on the wireless link (after successful authentication)
anonymity
temporary identity TMSI
newly assigned at each new location update (LUP)
encrypted transmission
Three algorithms specified in GSM
A3 for authentication (“secret”, open interface)
A5 for encryption (standardized)
A8 for key generation (“secret”, open interface)
“secret”:
A3 and A8 available via the Internet
network providers can use stronger mechanisms
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 85

86. GSM - authentication SIM mobile network RAND Ki RAND RAND Ki 128 bit
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
GSM - authentication
SIM
mobile network
RAND Ki
RAND
RAND Ki
128 bit
128 bit
128 bit
128 bit AC A3 A3
SIM
SRES* 32 bit
SRES bit
SRES* =? SRES
SRES
MSC
SRES
32 bit
Ki: individual subscriber authentication key SRES: signed response
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 86

87. GSM - key generation and encryption
Universität Karlsruhe
Institut für Telematik
Mobilkommunikation
SS 1998
GSM - key generation and encryption
mobile network (BTS)
MS with SIM
RAND Ki
RAND
RAND Ki AC
SIM
128 bit
128 bit
128 bit
128 bit A8 A8
cipher
key Kc
64 bit Kc
64 bit
data
encrypted data
SRES
data
BSS MS A5 A5
Prof. Dr. Dr. h.c. G. Krüger
E. Dorner / Dr. J. Schiller 87

88. GPRS GPRS attempts to reuse the existing GSM network elements
Also try to build a packet-based mobile cellular network
Deployment of GPRS requires the installation of new core network elements
Serving GPRS support node (SGSN)
Gateway GPRS support node (GGSN)

89. GSM Network Architecture For 2.5G
SGSN: Service GPRS Support Node
GGSN: Gateway GPRS Support Node

90. Enhanced Data rates in GSM Environment (EDGE)
EDGE is enhancement of GPRS
Improved data transmission rate as a backward compatible extension to GSM
Also considered as pre-3G technology
EDGE delivers higher bit-rate per radio channel resulting increased capacity and performance than GPRS
Pick bit-rates up to 1Mbps
Typical bit-rates 400 kbps
Use high-order PSK or 8-phase shift keying

91. 3G Third Generation Mobile Communications Technology (IMT-2000)
IMT-2000 standard developed by Third-Generation Partnership Project (3GPP).
In Europe, 3G is called UMTS (Universal Mobile Telecommunications System)

92. Evolution from 2G IS-95 GSM- EDGE GPRS HSCSD IS-95B Cdma2000-1xRTT
IS-136 & PDC
GSM-
EDGE
GPRS
HSCSD
IS-95B
Cdma2000-1xRTT
Cdma2000-1xEV,DV,DO
Cdma2000-3xRTT
W-CDMA
TD-SCDMA 2G 3G
2.5G
3GPP
3GPP2

93. Why 3G?
In EDGE, Packet transfer air interface behaves like a circuit switch call. Thus, Packet connection efficiency was lost.
Same Network Standard for world wide.
Need a Faster Mobile Technology
3G increased bandwidth, up to
384 Kbps when a device is moving,
128 Kbps in a car &
2 Mbps in fixed applications

94. History of 3G
Oct 2001: NTT DoCoMo in Japan branded FOMA, based on W-CDMA
January 2002, SK Telecom in South Korea on the CDMA2000 1xEV-DO based on CDMA
March 2003, Europe(UK & Italy) based on W-CDMA
In USA, 1st 3G network was by Monet Mobile Networks & 2nd was Oct 2003 Verizon Wireless both on CDMA2000 1x EV-DO

95. 3G Features Wireless voice call and SMS Video calls Video-conferencing
Enhanced audio and video streaming
Location-based services (GPS)
Mobile TV
HSPA(High Speed Packet Access)data transmission
14.4 Mbps on the downlink
5.8 Mbps on the uplink

96. Technologies of 3G W-CDMA :Wideband Code Division Multiple Access.
CDMA 2000: Code Division Multiple Access.
TD-SCDMA: Time-division Synchronous CDMA
3.5G/3.5G+ is enhancement to 3G.
 High-Speed Packet Access(HSPA)
Evolved High-Speed Packet Access (HSPA+)

97. Comparison Technology/ Features 2.5 G/2.5G+ 3G/3.5G Start 1985 1992
Deployment
1999/2003
2001/2008
Data Bandwidth
40-500kbps
2Mbps/14.4 Mbps
Bandwidth per Carrier
200kHz
5MHz
Standard
GPRS/EDGE
WCDMA/CDMA2000 1xEVDO
Technology
Digital Cellular Technology
Board Bandwidth CDMA, IP Technology
Service
Higher Capacity packet data
Integrated high quality audio, video and data
Multiplexing
TDMA/CDMA
CDMA
Switching
Circuit for Network and air interface ; Packet for Core Network
Circuit for air Interface;
Packet for all others.
Core Network
PSTN and Packet Network
Packet Network
Handoff
Horizontal
Security
A5/1
KASUMI

98. 4G 4G is also referred to as LTE (Long Term Evolution)
Not a single technology or standard, rather a collection of technologies and protocols
aimed at creating fully packet-switched networks
4G networks are projected to provide speeds of 100 Mbps while moving and 1 Gbps while stationary.

99. Evolution towards 4G

100. Evolution in Network Structure
1G/2G: Circuit switching only
2.5G/3G: Both circuit switching and packet switching
4G: Circuit switching eliminated; packet switch only (All-IP)
Source: LTE Network Evolution and Technology Overview, White Paper by Tektronix Communications, USA

101. Evolution in Data Rate
1 Peak data rate for GSM/GPRS; 2 Peak data rate for HSPA+; 3 Peak data rate for LTE Advanced

102. LTE Architecture No circuit switching element Two networks:
Evolved UTRAN (E-UTRAN)
Evolved Packet Core (EPC)
No circuit switching element
Source: LTE Network Evolution and Technology Overview, White Paper by Tektronix Communications, USA

103. Advantages of LTE