Signal Processing in GSM
Lecture 10
Channel Coding
Interleaving
Authentication & Ciphering
GMSK Modulation
Identifiers
Channel Coding
For channel coding, the 260 bits of data in a TRAU frame are separated into
182 class-1 bits (very important) and
78 class-2 bits (less important)
Channel coding protects the two classes with different priorities
After channel coding, the original data packet of 260 bits (user data) or 184 bits (signaling data) is extended to a data block of length 456 bits
The data block is then mapped onto various bursts for the actual transmission
[Figure: Channel Coding for User Data]
[Figure: Channel Coding for Signalling Data]
Interleaving
Packets of 456 bits are spread over a larger time period in separate TSs
Spreading depends on the application the bits represent
Signalling & data traffic are spread more than voice traffic
Goal: to minimize the impact of Air-interface peculiarities that account for rapid, short-term changes in the quality of the transmission channel
A particular channel may be corrupted for a very short period of time, and all the data sent during that time are lost
That could lead to the loss of complete data packets of n times 114 bits
Interleaving does not prevent loss of bits
If there is a loss, the same number of bits are lost
However, with interleaving, the lost bits belong to several different packets
These few bits can be recovered by error-correction mechanisms
[Figure: Interleaving]
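An added example (not part of the original lecture) of the point above: the same 114 bits are lost with or without interleaving, but interleaving turns one long gap into isolated single-bit errors in two blocks. It assumes a simplified diagonal interleaver in which bit k of a 456-bit block goes to sub-block k mod 8 and each burst carries one sub-block from each of two consecutive blocks; the function names are hypothetical and the real bit permutation inside a burst is omitted.

```python
BLOCK_BITS = 456   # coded block size from the page
BURST_BITS = 114   # useful bits per burst from the page

def interleaved(n_blocks):
    """Simplified diagonal interleaver: each burst slot holds (block, bit)."""
    bursts = [[None] * BURST_BITS for _ in range(4 * (n_blocks + 1))]
    for n in range(n_blocks):
        for k in range(BLOCK_BITS):
            sub = k % 8                        # 8 sub-blocks of 57 bits each
            slot = 2 * (k // 8) + sub // 4     # sub-blocks 0-3 even slots, 4-7 odd
            bursts[4 * n + sub][slot] = (n, k)  # 4-7 ride with the next block
    return bursts

def sequential(n_blocks):
    """No interleaving: a block fills four consecutive bursts in order."""
    bursts = [[None] * BURST_BITS for _ in range(4 * n_blocks)]
    for n in range(n_blocks):
        for k in range(BLOCK_BITS):
            bursts[4 * n + k // BURST_BITS][k % BURST_BITS] = (n, k)
    return bursts

def damage(bursts, lost_burst):
    """Per block: (bits lost, longest run of adjacent lost bits) for one lost burst."""
    lost = {}
    for slot in bursts[lost_burst]:
        if slot is not None:
            lost.setdefault(slot[0], []).append(slot[1])
    report = {}
    for block, bits in lost.items():
        bits.sort()
        longest = run = 1
        for prev, cur in zip(bits, bits[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        report[block] = (len(bits), longest)
    return report

if __name__ == "__main__":
    print("interleaved:", damage(interleaved(3), 5))
    print("sequential: ", damage(sequential(3), 5))
```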
Authentication
Problem: unauthorised access to telecom services via cloning of a valid user identifier
GSM anticipated this and defined an authentication procedure
A user is challenged to provide proof of the claimed identity
User accesses the network and provides the user identifier
Network sends a random number (RAND) to the MS
RAND together with Ki is used to produce a response (SRES)
Ciphering
MS sends a connection request to the network
Among others, this request contains
Ciphering key sequence number (CKSN)
Mobile station class mark, which indicates the available ciphering algorithms (A5/X) in the mobile station
Ciphering
VLR examines the CKSN and decides whether authentication is necessary
Authentication is not required a second time during the same network access
A multiparty call is an example of a second connection while another connection already exists
A message is sent to the MS in case authentication is necessary
Message contains the random number, RAND
SIM uses the RAND, the value Ki and algorithm A3 to calculate SRES
MS sends SRES to the VLR
VLR compares this SRES with the one sent earlier by the HLR/AuC
Authentication is successful if both values are identical
Immediately after SRES, the MS calculates the ciphering key Kc using RAND, Ki and algorithm A8
To activate ciphering, the VLR sends
the value Kc that the AuC has calculated and
a reference to the chosen A5/X algorithm
via the MSC and the BSC to the BTS
[Figure: Calculation of SRES & Kc]
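The challenge-response and CKSN check described above, as an added example that is not part of the original lecture. A3 and A8 are operator-specific, so a3_a8() is a labelled stand-in built on HMAC-SHA-256; the class and method names are hypothetical, the VLR and AuC are merged into one object, and CKSN value 7 is used for "no key available".

```python
import hashlib
import hmac
import os

NO_KEY = 7  # CKSN is 3 bits; the value 7 signals "no key available"

def a3_a8(ki, rand):
    """Stand-in for A3/A8 (NOT the real algorithms): SRES (32 bits), Kc (64 bits)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class MS:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki          # Ki stays on the SIM
        self.cksn, self.kc = NO_KEY, None

    def challenge(self, rand, cksn):
        sres, self.kc = a3_a8(self.ki, rand)   # A3 gives SRES, A8 gives Kc
        self.cksn = cksn
        return sres                            # only SRES is sent back

class VLR:
    def __init__(self, auc_keys):
        self.auc_keys = auc_keys               # models the HLR/AuC copy of each Ki
        self.ctx = {}                          # IMSI -> (CKSN, Kc)

    def triplet(self, imsi):
        rand = os.urandom(16)                  # RAND is 128 bits
        sres, kc = a3_a8(self.auc_keys[imsi], rand)
        return rand, sres, kc

    def access(self, ms, force_auth=False):
        """Connection request: returns 'reuse', 'authenticated' or 'reject'."""
        cksn, _ = self.ctx.get(ms.imsi, (NO_KEY, None))
        if not force_auth and ms.cksn != NO_KEY and ms.cksn == cksn:
            return "reuse"                     # stored Kc is still valid
        rand, sres, kc = self.triplet(ms.imsi)
        new_cksn = 0 if cksn == NO_KEY else (cksn + 1) % 7
        if not hmac.compare_digest(ms.challenge(rand, new_cksn), sres):
            return "reject"                    # SRESm != SRES: wrong Ki
        self.ctx[ms.imsi] = (new_cksn, kc)
        return "authenticated"
```

A device that presents a valid IMSI but holds a different Ki is rejected, because neither Ki nor Kc ever crosses the Air-interface.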
Ciphering
BTS retrieves from the ENCR_CMD message
Kc
Info about the required ciphering algorithm
BTS forwards only the info about the A5/X algorithm in a CIPH_MOD_CMD message to the MS
This triggers the MS to enable
Ciphering of all outgoing data and
Deciphering of all incoming information
MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message
A5/X uses the current value of the frame number (FN) and Kc as input parameters
The output of this operation is two ciphering sequences, each 114 bits long; one is needed for ciphering and the other one for deciphering
The first ciphering sequence and the 114 bits of useful data of a burst are XORed to produce the encrypted 114 bits that are actually sent over the Air-interface
Ciphering sequences are altered with every frame number, which in turn changes the encryption with every frame number
Deciphering takes place exactly the same way but in the opposite direction
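The per-frame XOR ciphering described above, as an added example that is not part of the original lecture. a5_standin() is a labelled stand-in for A5/X built on SHA-256, not a real A5 algorithm; the names are hypothetical, and the assignment of the first sequence to the downlink and the second to the uplink is an assumption of this sketch.

```python
import hashlib

MASK114 = (1 << 114) - 1

def a5_standin(kc, fn):
    """Stand-in for A5/X (NOT a real A5 algorithm): Kc + FN -> two 114-bit sequences."""
    if len(kc) != 8 or not 0 <= fn < 1 << 22:
        raise ValueError("Kc must be 64 bits and FN must fit in 22 bits")
    digest = hashlib.sha256(kc + fn.to_bytes(3, "big")).digest()
    bits = int.from_bytes(digest, "big") >> (256 - 228)   # keep 228 bits
    return bits >> 114, bits & MASK114                    # (downlink, uplink)

class Endpoint:
    """One side of the Air-interface; is_ms selects which sequence ciphers."""
    def __init__(self, kc, is_ms):
        self.kc, self.is_ms = kc, is_ms

    def cipher(self, fn, block):
        down, up = a5_standin(self.kc, fn)
        return block ^ (up if self.is_ms else down)

    def decipher(self, fn, burst):
        down, up = a5_standin(self.kc, fn)
        return burst ^ (down if self.is_ms else up)

def send_bursts(sender, receiver, first_fn, blocks):
    """Cipher each 114-bit block under its own frame number, then decipher it."""
    result = []
    for i, block in enumerate(blocks):
        fn = (first_fn + i) % (1 << 22)
        burst = sender.cipher(fn, block)
        result.append((burst, receiver.decipher(fn, burst)))
    return result

if __name__ == "__main__":
    kc = bytes.fromhex("0123456789abcdef")                # constructed sample key
    data = int.from_bytes(b"constructed!!", "big")        # constructed 104-bit payload
    for burst, plain in send_bursts(Endpoint(kc, False), Endpoint(kc, True), 10, [data] * 3):
        print(f"{burst:029x} -> {plain == data}")
```

Sending the same block in three consecutive frames yields three different bursts, which is the effect of feeding the frame number into the keystream generator.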
[Figure: Ciphering / De-ciphering]
[Figure: Authentication. Entities shown: MS with SIM card, BSS (BTS, BSC), NSS with MSC, VLR, HLR and AUC (A3 and A8). Labels: triplets (RAND, SRES, Kc); RAND; SRESm; check "SRESm = SRES ?"; OK; CIPHER MODE; radio interface]
RAND = RANDom number (128 bits)
SRES = Signed RESponse (32 bits)
Kc = Ciphering Key (64 bits)
Ki = Identification Key (128 bits)
Purpose: avoid logging of lost, stolen or forged SIM cards.
[Figure: Ciphering. MS and BTS each feed Kc (64 bits) and the Frame Number (22 bits) into A5; "+" denotes exclusive-or with each 114-bit block of data to transmit or received data; ciphered data crosses the radio interface. Messages shown: SET CIPHER MODE (Kc), CIPHER MODE COMMAND, CIPHER MODE COMPLETE]
Purpose: prevent communication from being tapped.
IMEI
Mobile station equipment identity
Not mandatory for the network operator to query the IMEI
Purpose of the IMEI is passive theft protection
EIR maintains information on stolen mobile equipment in a black list, which makes stolen mobile equipment useless
IMEI
IMEI comprises the following:
A 24-bit-long type approval code (TAC)
Before any mobile equipment is brought into service, it undergoes a test to show that it complies with safety regulations and functionality requirements
This process is called type approval, and the requirements are specified by GSM
An 8-bit-long final assembly code (FAC), which identifies the manufacturing facility
A 24-bit-long serial number
A spare field, currently not used
[Figure: IMEI layout: TAC (Type Approval Code) | FAC (Final Assembly Code) | SNR (Serial number) | SP (SPare)]
IMEISV
IMEI plus a software version number (SVN), which can be modified by the manufacturer in case of a software update
IMSI
International mobile subscriber identity
An identifier for a GSM subscriber
Part of the subscriber data stored on the SIM card
Uniquely identifies one subscription worldwide
Structure similar to the ISDN number, defined in ITU-T Recommendation E.164
IMSI
A 15-digit number composed of:
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification number (MSIN)
MSIN of the IMSI is not used as the subscriber's telephone number
To make tracking more difficult, the IMSI is used as an identifier only when the temporary mobile subscriber identity (TMSI) is not available, e.g., for initial system connections
MCC & MNC
Mobile country code
A three-digit identifier
Uniquely identifies a country (not a PLMN)
Mobile network code
A two-digit identifier
Used (like the 3-bit-long NCC) to uniquely identify a PLMN
IMSI Attach/Detach
BTS permanently broadcasts parameter ATT in the BCCH message
Which indicates whether the IMSI attach/detach procedure is required
IMSI detach informs network that
An MS will go into an inactive state
And is no longer available for incoming calls
For example, due to power down or because the SIM is removed
MS sends an IMSI_DET_IND message to the network each time it is powered down
VLR keeps track of this state
This approach saves radio resources and processing time
Call processing can switch to secondary call treatment without first sending a PAGING message and then waiting for expiration of the respective timers
Secondary call treatment means initiating
Call forwarding
Voice mail, or
Telling the caller that the subscriber is currently not reachable
Complementary to IMSI detach is IMSI attach
It indicates to network that a mobile station is active again
IMSI attach is related to periodic location updating
The location updating procedure is utilized to perform IMSI attach
[Figure: IMSI Attach. Entities shown: BTS, BSC (BSS), MSC, VLR. Messages shown: CHANNEL REQUEST; IMMEDIATE ASSIGNMENT; LOCATION UPDATING REQUEST (IMSI Attach); Authentication Procedure; LOCATION UPDATING ACCEPT (LAC, TMSI)]
[Figure: IMSI Detach. Entities shown: BTS, BSC (BSS), MSC, VLR. Messages shown: CHANNEL REQUEST; IMMEDIATE ASSIGNMENT; IMSI DETach INDication; CHANNEL RELEASE]
TMSI
Temporary mobile subscriber identity
Identifies a mobile subscriber, like the IMSI
4 bytes long
Unlike the IMSI, the TMSI has only temporary significance
VLR assigns a TMSI upon location registration for confidentiality, so the IMSI does not have to be transferred over the Air-interface frequently
Assignment and use of the TMSI are only possible with active ciphering
TMSI can take any value except FF FF FF FFhex
This value is reserved in case the SIM does not contain a valid IMSI
MSISDN
Mobile subscriber ISDN
Directory number of a mobile subscriber
Example: 49 171 5205787 is the directory number of a subscriber to the D1 network in Germany
Country code (CC) identifies a country or region (e.g., 49 for Germany, 1 for the United States)
National destination code (NDC) identifies the PLMN (e.g., 171 for the operator D1)
Subscriber number (SN) is a unique identifier within the PLMN
MSRN
Mobile station roaming number
A temporary identifier used for mobile terminating calls
Used to route a call from the gateway MSC to the serving MSC/VLR
VLR assigns the MSRN when a request for routing information is received from the HLR
MSRN is released after the call has been set up
MSRN is used solely to route an incoming call and contains no information to identify the caller or the called party
Contains the following codes:
Country code (CC) is the prefix of a country
National destination code (NDC) identifies the PLMN (e.g., 172 is the D2 operator of Germany)
Temporary subscriber number (temp. SN) assigned by the serving MSC/VLR of the called subscriber
NDC
National destination code
Part of an ISDN number as defined by ITU-T in Recommendation E.164
Typically, the NDC addresses an area
May also be used to address a service, just as the NDC 800 addresses free phone service in the United States
In Germany, the NDCs 171 and 172 are used to address the two GSM 900 operators
CKSN
Ciphering key sequence number
A 3-bit-long value
Refers to a ciphering key, Kc
When a particular Kc is stored in the MS and the MSC/VLR, a CKSN is assigned as well
Allows the MS and the network to negotiate the Kc without compromising security by transmitting the value of Kc over the air
Particularly when an MS tries to establish an additional or subsequent operation with the network
In such a case, when the MS requests a connection, it sends its last valid CKSN to the VLR
VLR then decides, based on the CKSN, if ciphering can start immediately or if another authentication is required
VLR may decide to request another authentication, even if the CKSN matches the VLR's entry
LMSI
Local mobile subscriber identity
A 4-byte-long parameter
VLR assigns it to a subscriber on a temporary basis
Purpose is to expedite queries in the VLR
When the LMSI is assigned, both sides use not only the IMSI but also the LMSI
Although the HLR has no use for the LMSI, it still must be stored in the HLR
HLR is required to send the LMSI whenever data is exchanged between the two databases
CI
Cell identity
A 2-byte-long hexadecimal identifier
CI together with the location area (LAI) uniquely identifies a cell within a PLMN
Location area (LA)
LA comprises at least one but typically several BTSs
Defined for the following purposes:
An MS that changes the serving cell within the same location area does not need to perform a location update
When the network tries to establish a connection to an MS for a mobile terminating call, a PAGING message is sent only to those BTSs that belong to the current location area of the MS
LA therefore serves mainly one purpose:
Reduction of signalling load
Every BTS broadcasts the LA via the parameter location area identity (LAI)
Location area
Even during an active call, the LA is communicated to the MS (particularly important in a handover)
Shaded, one-digit field is a filler (1111bin)
Extends the three-digit MCC to 2 bytes
Actual location area code (LAC) is four digits long
LAC is an identifier that can be assigned by the network operator
All values except 0000hex and FFFEhex are allowed
Those two values are reserved for cases when the LAI on a SIM has been deleted
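A parser for the IMSI, TMSI and LAI rules given in the identifier sections above, as an added example that is not part of the original lecture. The function names are hypothetical; the LAI byte layout (BCD digits, low nibble first, in a 5-byte field) and the rule that a TMSI is only usable together with a valid stored LAI are assumptions of this sketch, and the sample values in the usage are constructed.

```python
TMSI_RESERVED = bytes.fromhex("FFFFFFFF")   # page: FF FF FF FF is reserved
LAC_RESERVED = {0x0000, 0xFFFE}             # page: LAI on the SIM was deleted

def parse_imsi(imsi):
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 digits) and MSIN."""
    if len(imsi) != 15 or not (imsi.isascii() and imsi.isdigit()):
        raise ValueError("IMSI must be 15 decimal digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:]}

def parse_lai(raw):
    """Decode a 5-byte LAI: BCD MCC + 1111 filler, BCD MNC, 2-byte LAC."""
    if len(raw) != 5:
        raise ValueError("LAI must be 5 bytes")
    nibbles = [n for b in raw[:3] for n in (b & 0x0F, b >> 4)]  # low nibble first
    mcc, filler, mnc = nibbles[:3], nibbles[3], nibbles[4:]
    if filler != 0xF or any(d > 9 for d in mcc + mnc):
        raise ValueError("bad BCD digit or missing 1111 filler")
    lac = int.from_bytes(raw[3:], "big")
    return {"mcc": "".join(map(str, mcc)), "mnc": "".join(map(str, mnc)),
            "lac": lac, "lac_valid": lac not in LAC_RESERVED}

def identity_to_present(imsi, tmsi, lai):
    """Return ('TMSI', hex) if the SIM holds a usable TMSI/LAI pair, else ('IMSI', imsi)."""
    parse_imsi(imsi)
    if tmsi is not None and len(tmsi) == 4 and tmsi != TMSI_RESERVED:
        if lai is not None and parse_lai(lai)["lac_valid"]:
            return "TMSI", tmsi.hex()
    return "IMSI", imsi   # fallback: the permanent identity goes over the air

if __name__ == "__main__":
    imsi = "001010123456789"                 # constructed test IMSI
    lai = bytes.fromhex("00F1101234")        # constructed: MCC 001, MNC 01, LAC 1234hex
    print(parse_imsi(imsi), parse_lai(lai))
    print(identity_to_present(imsi, bytes.fromhex("C0FFEE01"), lai))
    print(identity_to_present(imsi, TMSI_RESERVED, lai))
```

The fallback branch is the case the IMSI slide describes: without a usable TMSI, the permanent identity is what the MS presents.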
Registration: The Very First Location Update
1. Channel allocation (Connection request procedure):
MS sends (on RACH) a CHANNEL REQUEST message
Network responds with IMMEDIATE ASSIGNMENT (on dedicated channel)
2. MS sends to BSS a LOCATION UPDATING REQUEST message with IMSI
3. VLR triggers and monitors the Authentication procedure and can also activate the Ciphering procedure
4. VLR stores the LA of the MS and informs the HLR, which:
stores the VLR identity
downloads the subscriber profile, if the MS is allowed to roam
5. VLR may assign a TMSI and sends it to the MS in the LOCATION UPDATING ACCEPT message
6. MSC releases the connection
[Figure: Registration: the Very First Location Update. Entities shown: BTS, BSC (BSS), MSC, VLR, HLR. Labels: IMSI, TMSI, LAI, VLR id, Release]
BSIC
Base station identity code
An identifier for a BTS
Does not uniquely identify a single BTS, since it is reused several times per PLMN
Purpose of the BSIC is to allow the MS to identify and distinguish among neighbor cells, even when neighbor cells use the same BCCH frequency
Since the BSIC is broadcast within the SCH of a BTS, the MS does not even have to establish a connection to a BTS to retrieve the BSIC
BSIC
Consists of the
Network color code (NCC), which identifies the PLMN
Base station color code (BCC)
NCC
Network color code
3-bit-long code
Identifies the PLMN
Is part of the BSIC and
Is broadcast in the synchronization channel
BCC
Base station color code
3-bit-long parameter
Part of the BSIC
Used to distinguish among the eight different training sequence codes (TSCs)
BTS may use these TSCs on the CCCHs to distinguish between neighbor BTSs without the need for the MS to register on any other BTS
PIN
Personal identification number
A four- to eight-digit number
Provides limited protection against unauthorized use
Can be changed by the user and is stored on the SIM
Optional and can be disabled
When enabled, the PIN needs to be entered at power up
When the wrong PIN is entered three consecutive times, the SIM is blocked and only the PIN unblocking key (PUK) can release the PIN
PUK
PIN unblocking key
A 10-digit code stored on the SIM
Cannot be altered by the user
Unblocks a SIM that was blocked due to wrong PIN entry three consecutive times