04 Tm2106euo1_eg0001 CDMA System Performance

8/9/2019 04 Tm2106euo1_eg0001 CDMA System Performance

1/84

CDMA System Performance Siemens

TM2106EU01EG_0001 1

CDMA System Performance

Contents

11.1233.13.23.33.43.4.13.4.23.4.33.4.43.5

3.5.144.14.1.14.24.356

77.17.288.18.28.3

Digital TransmissionPCM30: Transmission in GSM fixed network partPCM30Power Control in CDMAEffect of No Power ControlThe NEAR FAR ProblemClassification of Power Control TechniquesPower Control Techniques for DS-CDMA

REVERSE LINK OPEN-LOOP POWER CONTROLFORWARD LINK POWER CONTROLREVERSE LINK POWER CONTROLREVERSE LINK CLOSED-LOOP POWER CONTROL

RAKE Receiver

RAKE Receiver StructureHANDOFFSOFT HANDOVER

THE IMPORTANCE OF SOFT HANDOFFSofter Handover Implementation of SOFT HANDOVERMULTIUSER DETECTIONCDMA Security Codes

Security in CDMAAuthenticationVoice PrivacySecurity in GSMEncryption for secrecy in GSMTMSI allocationIMEI Check

36915161820222426272831

3437383840424548

55586067687072


2/84

Siemens CDMA System Performance

TM2106EU01EG_0001

2


3/84


TM2106EU01EG_0001 3

Digital Transmission


4/84


TM2106EU01EG_0001

4

As mentioned befor, that voice speech undergoes several processes through the networklike: -

Analog to Digital conversion (A/D). Speech Compression.

The reason for voice digitizing is to enable it to be transmitted through distances withoutdistortion or degradiation by using PCM or Pulse Code Modulation, and the amount of information can be reduced by using Speech Compression by using CELP or Code ExcitedLinear Predictive.


5/84


TM2106EU01EG_0001 5

Fig.1

Fig.2


6/84


TM2106EU01EG_0001

6

1.1 PCM30: Transmission in GSM fixed network part

Information (conversations, data, signaling) is exclusively transmitted digitally via

PCM30 lines in the GSM-PLMNs fixed network part.

Pulse Code Modulation PCM Sampling values of a speech information are transmittedusing binary code words (digitally) in PCM.

Due to the digital structure of the message, the PCM signals are less susceptible tointerference than analogue signals. Regenerators reconstruct the original digital signal atthe receiving end. Analogue signals, on the other hand, can only be amplified (includingnoise peaks).

Amongst other things, during Pulse Code Modulation (PCM) an analogue oscillation isconverted into a digital signal. A PCM signal can be transmitted alone or be embedded in a

TDMA frame with other PCM signals (multiplexing). The conversion of an analoguetelephone signal into a digital signal is carried out in

Three steps:

1. Band limitation: A bandpass filter restricts the incoming signal to the audible frequencies,i.e. to 300 to 3400 Hz.

2. Sampling: Sampling values are taken at fixed intervals from the limited telephone signal.The sampling frequency must be greater than twice the highest frequency within theanalogue signal (Shannon Theorem). Internationally specified: 8000 Hz.

3. 8-bit coding: Every amplitude value of the sampled (Pulse Amplitude Modulated -

PAM) signal is transformed into an 8-bit word. The 8-bit word enables the analogue signalto be represented in 256 quantization intervals.

Since the transmission of an 8-bit word requires only a portion of the sampling interval (125micro seconds) of the analogue signal, the 8-bit information is temporally multiplexed(TDMA-procedure). 8 bits are transmitted in each time slot.

Using PCM30 transmission systems, a total of 30 digital user values can be transmitted inthe time frame of the sampling period of an analogue value, i.e. in 125 microseconds.


7/84


TM2106EU01EG_0001 7

Fig.3


8/84


TM2106EU01EG_0001

8


9/84


TM2106EU01EG_0001 9

2 PCM30


10/84


TM2106EU01EG_0001

10

PCM30 transmission systems use digital transmission lines or radio relay. A PCM30 frameconsists of 32 time multiplexed time slots.

The 32 time slots can contain pulse code modulated message information (speech, data) or signaling information in the form of 8-bit words.

The total bit rate of a PCM30 line is 2048 kbit/s Time slot 0: alternately frame identification word and service word (alarms). Time slots 1-15 and 17-31: calls or data. Time slot 16: signaling channel.

The pulse frames are transmitted in a direct sequence.


11/84


TM2106EU01EG_0001 11

Fig.4


12/84


TM2106EU01EG_0001

12

Code Excited Linear Predictive (CELP)

The key to reduce the bit rate is to send information about the speech instead of thespeech itself.

CELP samples the frequency componenets of the speech by using an algorithm, whichdescribes the speech in terms of different parameters.

These parameters are represented as the Linear Prediction of the speech.

This representation of parameters requires fewer bits to be represented and therefore thespeech is considered as compressed.

At the receiving end, these parameters are used to control a speech synthesizer, whichuses the inverse algorith to return the speech back.

The CELP conversion in CDMA is performed using Vocoding and Transcoding.

Vocoding converts the analog speech to compressed digital voice data (CELP).Transcoding transforms the PCM formatted data into compressed formatted data (CELP).


13/84


TM2106EU01EG_0001 13

Fig.5


14/84


TM2106EU01EG_0001

14


15/84


TM2106EU01EG_0001 15

3 POWER CONTROL in CDMA


16/84


TM2106EU01EG_0001

16

In recent years the cellular communications market has exploded. The main goal of cellular communications systems is to enable communication services irrespective of time andlocation.

Due to the dramatic increase in number of users and In order to meet the growing demandsof subscribers for different kinds of services, such as conferencing, multimedia, data baseaccess, Internet, etc., it is necessary to have higher data rates up to 2Mb/s and morestringent Quality of Service (QoS) requirements.

Since it is necessary to have higher data rates and more stringent QoS requirements, newtransmission technologies and improved radio resource management, especially power control, and handoff, are required for cellular communication systems.

Power control is one of the most important system requirement, and it is analyzed for cellular networks based on FDMA and TDMA, and for DS-CDMA cellular networks, In mostmodern systems, both base stations and mobiles have the capability of real-time (dynamic)adjustment of their transmit powers.

3.1 Effect of NO Power Control:

In case of no power control, if a mobile station signal is received at the base station with atoo low level of received power [MS is far from the cell site, or in an unusual highattenuation channel], High level of interference is experienced by this mobile and itsperformance (BER) will be degraded.

On the other hand, if the received power level is too high, the performance of this mobile isacceptable, but increases interference to all other mobile stations that using the same

channel.The necessity for power control in FDMA/TDMA-based cellular networks stems from therequirement for co-channel interference management. This type of interference is causedby frequency reuse due to limited available frequency spectrum. By a proper power adjustment, the harmful effects of co-channel interference can be reduced. This allows amore "dense" reuse of resources and thus higher capacity.

Fast power control is essential in CDMA systems. Since many subscribers transmit in thesame frequency band and as the same frequency can be used in principle in each cell(re-use = 1), each user can cause interference for the others.

The power control is used to limit interferences. The capacity of the CDMA systems ismainly limited by the level of the (inter-and intra-cell) interferences.

As a result, an optimized power control greatly optimizes the system capacity.

The power control is also used to solve the called NEAR-FAR problem.


17/84


TM2106EU01EG_0001 17

Fig.6


18/84


TM2106EU01EG_0001

18

3.2 The NEAR FAR Problem

For different UE with identical transmission power, the power received at the BTS of UElocated near the BTS is more powerful than the power of the more remote UE. This meanthat only the information of the UE near to the BTS can be interpreted . This must beprevented as much as possible. In ideal cases , the power received at the BTS is identicalfor all UE served by the BTS (assuming the transfer rates are identical) . This ideal situationalso represents the maximum capacity of the cell .

Genuine fast power control is necessary because of the mobility of the UE. This mobilitycauses rapid variation in the attenuation of the power of the UE. Let us consider the shownexample:

If the mobiles are permitted to transmit the same power from two different distances, theratio of the received signals at the base station will be as in equation (1).

Equation (1) implies that if d1 d2 the received signal will be different for different mobilesdepending on the propagation environment and the respective distances. For example, if d2 = 4d1 and = 4 (typical dense urban environment), P (UE1) from mobile1 will be 256times (24dB) stronger than P (UE2) from mobile2, and the base station receiver will beunable to recover P (UE1). Therefore, the transmitting power of each mobile has to becontrolled so that its received power at the cell site is constant to a predetermined level,irrespective of the distance. Therefore, the objective of the mobile power control is toproduce a nominal received power from all mobiles in a given cell or a sector.

Because of that, well-defined power control is essential for proper functioning of the DS-CDMA system. In the absence of power control the capacity of the DS-CDMA mobilesystem is very low, even lower than that of mobile systems based on FDMA.

One of the reasons for the use of power control both in FDMA/TDMA and in DS-CDMAnetworks is to prolong battery life by using a minimum of transmitter power to achieve therequired transmission quality.

According to the above-mentioned facts, for proper operation of a modern high-capacitycellular radio system, power control is an essential feature.


19/84


TM2106EU01EG_0001 19

Fig.7

P (UE1)/ P (UE2) = (d2 /d1) (1)

Where

P(UE1) = received signal power from mobile 1.

P(UE2) = received signal power from mobile 2.

d1 & d2 = distances between mobil1 and mobile2 and the BTS respectively

= path-loss slope (propagation environment).


20/84


TM2106EU01EG_0001

20

3.3 Classification of Power Control TechniquesAccording to what is measured to determine power control command, power controltechniques can be classified into three categories:

Strength-based. SIR-based. BER-based.

Strength-based.

In strength-based schemes the strength of a signal arriving at the base station from amobile is measured to determine whether it is higher or lower than the desired strength.The command to lower or rais the transmit power is made accordingly.

SIR-based.

In SIR-based schemes the measured quantity is the SIR where interference consists of channel noise and multi-user interference. Strength-based power control is easier toimplement but SIR-based power control reflects better system performance such as QoSand capacity. A serious problem associated with SIR-based power control is the potential toget positive feedback to endanger the stability of the system. Positive feedback arises in asituation when one mobile under instructions from the base station has to raise its transmitpower in order to deliver a desirable SIR to the base station, but the increase in its power also results in an increase in interference to other mobiles so that these other mobiles arethen forced to also increase their power, etc. In the case of N mobiles in the system, thisbecomes a typical non-cooperative N-person game problem.

BER-based.

In BER-based power control, BER is defined as an average number of erroneous bitscompared to the original sequence of bits. If the signal and interference powers areconstant, the BER will be a function of the SIR, and in this case the QoS is equivalent.However, in reality the SIR is time-variant and thus the average SIR will not correspond tothe average BER. In this case the BER is a better quality measure. Since the channelcoding is implemented in every practical system, power control can be based on theaverage number of erroneous frames as well.

According to update strategies, power control algorithms can be classified as follows: - Those where the transmit power step size is fixed (fixed step size algorithm) Those where the transmit power step size is made adaptive to the channel variation.


21/84


TM2106EU01EG_0001 21

Fig.8


22/84


TM2106EU01EG_0001

22

A specific example of the adaptive step size approach is the inverse update algorithm,which increases or decreases the mobile users' transmit power by the actual differencebetween the received signal power and the desired received signal power.

Power control command in fixed step size algorithms is a simple 1-bit command. It hasbeen shown that the inverse algorithm is superior to the fixed step size algorithm. However,the fixed step size algorithm is easier to implement because the inverse algorithm needsadditional bandwidth on the return channel to carry the power control step size instead of the1-bit control command as in fixed step size algorithm. A compromise would be to use anadaptive delta-modulation algorithm.


23/84


TM2106EU01EG_0001 23

3.4 Power Control Techniques for DS-CDMA

One of the possible classifications is: Power control for reverse link (from mobiles to base stations). Power control for forward link (from base stations to mobiles).

Power control for DS-CDMA reverse link is the single most important system requirementbecause of the Near/ Far effect. In this case, it is necessary to have a dynamic range for control on the order of 80dB . For the forward link, no power control is required in a singlecell system, since all signals are transmitted together and hence vary together. However inmultiple cell systems, interference from neighboring cell sites fades independently from thegiven cell site and thereby degrades performance. Thus it is necessary to apply power control in this case also, to reduce intercell interference.

Also, power control techniques can be classified as follows: Closed-loop power control. Open-loop power control.

A combined technique consisting of closed-loop and open-loop power control

Closed-loop power control is feasible in a terrestrial cellular environment. However, inmobile communications systems using multiple low earth orbital satellites, the fades occur too rapidly for the closed-loop power control to track, due to the large round trip propagationdelay. In this case, the solution is open-loop power control.

In open-loop power control, the mobile user estimates the channel state on the forward link,and this estimate is used as a measure of the channel state on the reverse link. Thesetechniques can compensate for path loss and large-scale variations such as shadowing,but it is not possible to compensate multipath fading because reverse and forward links arenot correlated. It has been shown that capacity degrades by 5 percent for a 1dB open-looppower control error, by 25 percent for a 2dB power control error, and by 44 percent for a3dB power control error.Power controls for DS-CDMA according to the IS-95 standard consists of reverse link open-loop power control, reverse link closed-loop power control, and forward link power control.


24/84


TM2106EU01EG_0001

24

3.4.1 Reverse link open-loop power control

Reverse link (mobile to base station) open loop power control is accomplished by adjusting

the mobile transmit power so that the received signal at the base station is constantirrespective of the mobile distance; where each mobile computes the relative path loss andcompensates the loss by adjusting its transmitting power. The total received power atcell site is the sum of all powers, which determines the system capacity. As shown we cansay that the reverse link open loop p

the

ower control is primarily a function of the mobiletations. The base stations take an active role in the reverse link closed-loop power controls

and the forward link power control.


25/84


TM2106EU01EG_0001 25

Fig. 9


26/84


TM2106EU01EG_0001

26

3.4.2 Forward link power control:

Forward link (base station to mobile) power control is a one step process .The base stationcontrols its transmitting power so that a given mobile receives extra power to overcomefading, interference, BER, etc. In this mechanism, the cell site reduces its transmittingpower while the mobile computes the frame error rate (FER). Once the mobile detects 1%FER, it sends a request to stop the power reduction .The adjustment process occurs onceevery 15 to 20 ms.


27/84


28/84


TM2106EU01EG_0001

28

3.4.4 Reverse link closed-loop power control:

Reverse link closed-loop power control is accomplished by mans of power up or power down command originating from the cell site. A single power control bit (1for power downby 0.5 dB and 0 for power up by 0.5 dB) is inserted into the forward encoded data stream ,every 1.25 ms. Upon receiving this command from the base station , the mobile respondsby adjusting the power by an amount (0.5dB).In order to lower processing delay and to save bandwidth in the forward link, command bits

for power control from the base to the mobile station are not coded and they aresusceptible to errors. It has been shown that every 1dB power control error standarddeviation increase roughly translates into a loss in capacity of 10 users.

The rate of power control adjustment command transmission must be high enough topermit tracking of Raleigh fading in the reverse link. It is important that the latency indetermining the power control signal and the transmission process be kept small so that thechannel conditions will not change significantly before the control bit can be received andacted upon. It has been shown that in a multi-cell system under flat fading conditions,increasing the update rate from 800Hz to 2KHz, results in a capacity improvement on theorder of 50 percent. In the case of multipath fading, the capacity improvement is only 10percent, and it can be concluded that increasing the update rate results in diminishingcapacity improvements, as the channel becomes more and more frequency-selective.


29/84


TM2106EU01EG_0001 29

Fig.10


30/84


TM2106EU01EG_0001

30


31/84


TM2106EU01EG_0001 31

3.5 RAKE Receiver


32/84


TM2106EU01EG_0001

32

A spread-spectrum signal waveform is well matched to the multipath channel. In amultipath channel, the original transmitted signal reflects from obstacles such as buildings,and mountains, and the receiver receives several copies of the signal with different delays.If the signals arrive more than one chip apart from each other, the receiver can resolvethem. Actually, from each multipath signals point of view, other multipath signals can beregarded as interference and they are suppressed by the processing gain. However, afurther benefit is obtained if the resolved multipath signals are combined using RAKEreceiver. Thus, the signal waveform of CDMA signals facilitates utilization of multipathdiversity. Expressing the same phenomenon in the frequency domain means that thebandwidth of the transmitted signal is larger than the coherence bandwidth of the channeland the channel is frequency selective (i.e., only part of the signal is affected by the fading).


33/84


TM2106EU01EG_0001 33

Fig.11


34/84


TM2106EU01EG_0001

34

3.5.1 RAKE Receiver Structure

RAKE receiver consists of correlators, each receiving a multipath signal. After despreadingby correlators, the signals are combined using, for example, maximal ratio combining.

Since the received multipath signals are fading independently, diversity order and thusperformance are improved. Fig. Illustrates the principle of RAKE receiver. After spreadingand modulation the signal is transmitted and it passes through a multipath channel, whichcan be modeled by a tapped delay line (i.e., the reflected signals are delayed andattenuated in the channel). In Fig. We have three multipath components with differentdelays (t1, t2, and t3) and attenuation factors (a1, a2, and a3), each corresponding to adifferent propagation path. The RAKE receiver has a receiver finger for each multipathcomponent. In each finger, the received signal is correlated by a spreading code, which istime-aligned with the delay of the multipath signal. After despreading, the signals areweighted and combined. In Fig., maximal ratio combining is used, that is, each signal isweighted by the path gain (attenuation factor). Due to the mobile movement the scatteringenvironment will change, and thus, the delays and attenuation factors will change as well.Therefore, it is necessary to measure the tapped delay line profile and to reallocate RAKEfingers whenever there is need. Small-scale changes, less than one chip, are taken care of by a code-tracking loop, which tracks the time delay of each multipath signal.


35/84


TM2106EU01EG_0001 35

Fig.12


36/84


TM2106EU01EG_0001

36


37/84


TM2106EU01EG_0001 37

4 HANDOFF


38/84


TM2106EU01EG_0001

38

The act of transferring support of a mobile from one base station to another is termedhandoff. Handoff occurs when a call has to be handed off from one cell to another as theuser moves between cells. In a traditional "hard" handoff, the connection to the current cell

is broken, and then the connection to the new cell is made. This is known as a "break-before-make" handoff.

In a CDMA system the same frequency band is shared between all the cells. Thus there iswell-defined efficient bandwidth utilization. Though there is frequency reuse , the orthogonalnature of the waveforms serves to distinguish between the signals that occupy the samefrequency band.

4.1 SOFT HANDOVER

In soft handover a mobile station is connected to more than one base stationsimultaneously. Soft handover is used in CDMA to reduce the interference into other cellsand to improve performance through macro diversity.

4.1.1 The Importance Of Soft Handoff

In power controlled CDMA systems soft handoff is preferred over hard handoff strategies.This is more pronounced when the IS-95 standard is considered wherein the transmitter [the base station] power is adjusted dynamically during the operation. Here the power control and soft handoff are used as means of interference-reduction, which is the primaryconcern of such an advanced communication system. The previous and the new widebandchannels occupy the same frequency band in order to make an efficient use of bandwidth,which makes the use of soft handoff very important. The primary aim is to maintain acontinuous link with the strongest signal base station otherwise a positive power controlfeedback would result in system problems. Soft handoff ensures a continuous link to thebase station from which the strongest signal is issued. Soft handoff requires less power,which reduces interference and increases capacity.


39/84


TM2106EU01EG_0001 39

Fig.13


40/84


TM2106EU01EG_0001

40

4.2 Softer Handover

Is a soft handover between two sectors of a cell. As known that, in a cellular system there

is spatial separation between cells using the same frequencies). This is called thefrequency reuse concept.

Because of the processing gain, such spatial separation is not needed in CDMA, andfrequency reuse factor of one can be used. Usually, a mobile station performs a handover when the signal strength of a neighboring cell exceeds the signal strength of the current cellwith a given threshold. Since in a CDMA system the neighboring cell frequencies are thesame as in the given cell, this type of approach would cause excessive interference into theneighboring cells and thus a capacity degradation. In order to avoid this interference, aninstantaneous handover from the current cell to the new cell would be required when thesignal strength of the new cell exceeds the signal strength of the current cell. This is not,

however, feasible in practice. The handover mechanism should always allow the mobilestation to connect into a cell, which it receives with the highest power (i.e., with the lowestpathloss).


41/84


TM2106EU01EG_0001 41

Fig.14


42/84


TM2106EU01EG_0001

42

4.3 Implementation of SOFT HANDOVER

Fortunately, the signal structure of CDMA is well suited for the implementation of softhandover. This is because in the uplink, two or more base stations can receive the samesignal because of the reuse factor of one; and in the downlink the mobile station cancoherently combine the signals from different base stations since it sees them as justadditional multipath components. This provides an additional benefit called macro diversity(i.e., the diversity gain provided by the reception of one or more additional signals).

A separate channel called pilot is usually used for the signal strength measurements for handover purposes.

In the downlink, however, soft handover creates more interference to the system since the

new base station now transmits an additional signal for the mobile station. It is possible thatthe mobile station cannot catch all the energy that the base station transmits due to alimited number of RAKE fingers. Thus, the gain of soft handover in the downlink dependson the gain of macro diversity and the loss of performance due to increased interference.

In the uplink the mobile station signal is received by the two base stations, which, after demodulation and combining, pass the signal forward to the combining point, typically tothe base station controller (BSC). In the downlink the same information is transmitted viaboth base stations, and the mobile station receives the information from two base stationsas separate multipath signals and can therefore combine them.


43/84


TM2106EU01EG_0001 43

Fig.15


44/84


TM2106EU01EG_0001

44


45/84


TM2106EU01EG_0001 45

5 MULTIUSER DETECTION


46/84


TM2106EU01EG_0001

46

The current CDMA receivers are based on the RAKE receiver principle, which considersother users signals as interference. However, in an optimum receiver all signals would bedetected jointly or interference from other signals would be removed by subtracting them

from the desired signal. This is possible because the correlation properties between signalsare known (i.e., the interference is deterministic not random).

The capacity of a direct sequence CDMA system using RAKE receiver is interferencelimited. In practice this means that when a new user, or interferer, enters the network, other users service quality will go below the acceptable level. The more the network can resistinterference the more users can be served. Multiple access interference that disturbs abase or mobile station is a sum of both intra- and inter-cell interference. Multiuser detection(MUD), also called joint detection and interference cancellation (IC), provides a means of reducing the effect of multiple access interference, and hence increases the systemcapacity. In the first place MUD is considered to cancel only the intra-cell interference,meaning that in a practical system the capacity will be limited by the efficiency of thealgorithm and the inter-cell interference. In addition to capacity improvement, MUDalleviates the near/far problem typical to DS-CDMA systems. A mobile station close to abase station may block the whole cell traffic by using too high a transmission power. If thisuser is detected first and subtracted from the input signal, the other users do not see theinterference. Since optimal multiuser detection is very complex and in practice impossibleto implement for any reasonable number of users, a number of suboptimum multiuser andinterference cancellation receivers have been developed. The suboptimum receivers canbe divided into two main categories: linear detectors and interference cancellation. Linear detectors apply a linear transform into the outputs of the matched filters that are trying toremove the multiple access interference using too high a transmission power. If this user isdetected first and subtracted from the input signal, the other users do not see theinterference. Since optimal multiuser detection is very complex and in practice impossibleto implement for any reasonable number of users, a number of suboptimum multiuser andinterference cancellation receivers have been developed. The suboptimum receivers canbe divided into two main categories: linear detectors and interference cancellation. Linear detectors apply a linear transform into the outputs of the matched filters that are trying toremove the multiple access interference (i.e., the interference due to correlations betweenuser codes). Examples of linear detectors are decorrelator and linear minimum meansquare error (LMMSE) detectors. In interference cancellation multiple access interference isfirst estimated and then subtracted from the received signal. Parallel interferencecancellation (PIC) and successive (serial) interference cancellation (SIC) are examples of interference cancellation.


47/84


TM2106EU01EG_0001 47

Fig.16


48/84


TM2106EU01EG_0001

48


49/84


TM2106EU01EG_0001 49

6 CDMA Security Codes


50/84


TM2106EU01EG_0001

50

A Key

A 64-bit cryptographic key variable stored in the semi-permanent memory of the mobilestation and also known to the Authentication Center (AC or HLR/AC) of the wirelesssystem. It is entered when the mobile station is first put into service with a particular subscriber, and usually will remain unchanged unless the operator determines that its valuehas been compromised. The A-key is used in the SSD generation procedure.

SSD

SSD is a 128-bit pattern stored in the mobile station (in semi-permanent memory) andreadily available to the base station,

SSD is partitioned into two distinct subsets. Each subset is used to support a differentprocess.

SSD_A is used to support the authentication procedures; and

SSD_B is used to support CDMA voice privacy, and message confidentiality for CDMA SSD_A :

The SSD_A is a 64-bit binary quantity in the semi-permanent memory of the mobile stationand also known to the Authentication Center. It may be shared with the serving MSC.

SSD_B

The SSD_B is used in the computation of the authentication response. A 64-bit binaryquantity in the semi permanent memory of the mobile station and also known to the

authentication Center. It may be shared with the serving MSC. It is used in the computationof the CMEA key, VPM (Voice Privacy Mask) and Data Key (for data services).

Random Challenge Memory (RAND)

A 32-bit value held in the mobile station. When operating in the analog mode, it is theconcatenation of the last RAND1_A and RAND1_B values received in Random ChallengeA and Random Challenge B Global Action Messages appended to the overhead messagetrain of the Forward Analog Control Channel. Both RAND1_A and RAND1_B must bereceived on the same control channel and in the same Overhead Message Train in order for a valid RAND to exist. When operating in the CDMA Mode, it is equal to the RANDvalue received in the last Access Parameters Message of the CDMA Paging Channel.RANDs is used in conjunction with SSD_A and other parameters, as appropriate, toauthenticate mobile station originations, terminations and registrations.


51/84


52/84


TM2106EU01EG_0001

52

ESN :

The Electronic Serial Number ESN is a 32-bit binary number that uniquely identifies themobile station to any cellular system. It must be factory-set and not readily alterable in thefield. Modification of the ESN will require a special facility not normally available tosubscribers. The circuitry that provides the ESN must be isolated from fraudulent contactand tampering. Electronic storage devices mounted in sockets or connected with a cableare deemed not to comply with this requirement. Attempts to change the ESN circuitry mustrender the mobile station inoperative. At the time of issuance of initial type acceptance, themanufacturer shall be assigned a Manufacturers (MFR) Code within the eight most-significant bits (bit 31 through bit 24) of the 32-bit serial number. Bits 23 through 18 shall bereserved (initially all zero), and bits17 through 0 shall be uniquely assigned by eachmanufacturer. When a manufacturer has used substantially all possible combinations of

serial numbers within bits 17 through 0, the manufacturer may submit notification to theFCC. The FCC will allocate the next sequential binary number within the reserve block (bits23 through 18).

IMSI

Mobile stations are identified by the International Mobile Station Identity (IMSI). The IMSIconsists of up to 15 numerical characters (0-9). The first three digits of the IMSI are themobile country code (MCC), and the remaining digits are the national mobile station identity(NMSI). The NMSI consists of the mobile network code (MNC) and the mobile stationidentification number (MSIN).

An IMSI that is 15 digits in length is called a class 0 IMSI (the NMSI is 12 digits in length);an IMSI that is less than 15 digits in length is called a class 1 IMSI (the NMSI is less than12 digits in length). The IMSI_S is a 10-digit (34-bit) number derived from the IMSI. Whenthe IMSI has ten or more digits, IMSI_S is equal to the last ten digits. When the IMSI hasfewer than ten digits, the least significant digits of IMSI_S are equal to the IMSI and zerosare added to the most significant side to obtain a total of ten digits. The 10-digit IMSI_Sconsists of 3- and 7-digit parts, called IMSI_S2 and IMSI_S1, respectively; IMSI_S ismapped into a 34-bit number.

ORYX :

ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a streamcipher based on three 32-bit LFSRs. It is distinct from CMEA, which is a block cipher usedto encrypt the cellular data control channel.

CAVE :

CAVE expands to Cellular Authentication Voice and Encryption Algorithm. CMEA :

CMEA is the encryption algorithm developed by the Telecommunications IndustryAssociation to encrypt digital cellular phone data. It uses a 64-bit key and features avariable block length. CMEA is used to encrypt the control channel of cellular phones. It isdistinct from ORYX, an also insecure stream cipher that is used to encrypt data transmittedover digital cellular phones.


53/84


TM2106EU01EG_0001 53

Fig.19

Fig.20

Fig.21

Fig.22


54/84


TM2106EU01EG_0001

54


55/84


TM2106EU01EG_0001 55

7 Security in CDMA


56/84


TM2106EU01EG_0001

56

Since the birth of the cellular industry, security has been a major concern for both serviceproviders and subscribers. Service providers are primarily concerned with security to

prevent fraudulent operations such as cloning or subscription fraud, while subscribers aremainly concerned with privacy issues.

The security protocols with CDMA networks are among the best in the industry.

By design, CDMA technology makes eavesdropping very difficult, whether intentional or accidental.

Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence calledLong Code to scramble voice and data.

CDMA network security protocols rely on a 64-bit authentication key (A-Key) and theElectronic Serial Number (ESN) of the mobile. A random binary number called RANDSSD,

which is generated in the HLR/AC, also plays a role in the authentication procedures.The A-Key is programmed into the mobile and is stored in the Authentication Center (AC) of the network. In addition to authentication, the A-Key is used to generate the sub-keys for voice privacy and message encryption.

CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption)algorithm to generate a 128-bit sub-key called the Shared Secret Data (SSD). The A-Key,the ESN and the network-supplied RANDSSD are the inputs to the CAVE that generatesSSD. The SSD has two parts: SSD_A (64 bit), for creating authentication signatures andSSD_B (64 bit), for generating keys to encrypt voice and signaling messages. The SSD canbe shared with roaming service providers to allow local authentication. A fresh SSD can begenerated when a mobile returns to the home network or roams to a different system.


57/84


TM2106EU01EG_0001 57


58/84


59/84


TM2106EU01EG_0001 59

Fig.23


60/84


TM2106EU01EG_0001

60

7.2 Voice privacy

Most of the voice privacy mask is ignored, but the last 42 bits are used as an offset for the

ta privacy

ort messages (paging), and DTMF tones are put into data

output of a linear feedback shift register. Cryptographically this is also not very strong, butthis output is used as a spreading code for the spread spectrum transmission. This meansthat, without knowing the code in advance, it is difficult to even sort out the signal from thebackground noise.

Signaling da

Data such as numbers dialed, shpackets and are encrypted using CMEA (Cellular Message Encryption Algorithm). This is avariable length block cipher, which works by a table walk using a key-derived somewhatrandom table, a self-inverse folding and the inverse of the first step. This makes thealgorithm itself self-inverse, which isnt such a hot idea in retrospect.


61/84


TM2106EU01EG_0001 61

Fig.24

Fig.25

Fig.2

6


62/84


TM2106EU01EG_0001

62

Signaling Message Encryption

In an effort to enhance the authentication process and to protect sensitive subscriber raffic

is controlled for each call individually. The initial encryption

the CAVE algorithm to generate a Private Long Code

e

CMEA key with the Enhanced CMEA

re

ymity

port the assignment of a Temporary Mobile Station Identifier (TMSI) to

kes it more difficult to correlate a mobile users transmission to a mobile

information (such as PINS), a method is available to encrypt certain fields of selected tchannel signaling messages.

Signaling message encryptionmode for the call is established by the value of the signaling encryption field in theencryption message at the channel assignment. Every reverse traffic channel messagecontains an encryption field, which identifies the message encryption mode active at thetime the message was created.

The mobile uses the SSD_B andMask (derived from an intermediate value called Voice Privacy Mask, which was used inlegacy TDMA systems), a Cellular Message Encryption Algorithm (CMEA) key (64 bits),and a Data Key (32 bits). The Private Long Code Mask is utilized in both the mobile and thnetwork to change the characteristics of a Long code. This modified Long code is used for voice scrambling, which adds an extra level of privacy over the CDMA air interface. ThePrivate Long Code Mask doesnt encrypt information, it simply replaces the well-knownvalue used in the encoding of a CDMA signal with a private value known only to both themobile and the network. It is therefore extremely difficult to eavesdrop on conversationswithout knowing the Private Long Code Mask.

Additionally, the mobile and the network use the(ECMEA) algorithm to encrypt signaling messages sent over the air and to decrypt theinformation received. A separate data key , and an encryption algorithm called ORYX, aused by the mobile and the network to encrypt and decrypt data traffic on the CDMAchannels.

Anon

CDMA systems supa mobile to represent communications to and from a certain mobile in over the air transmissions.

This feature mauser.


63/84


TM2106EU01EG_0001 63

Fig.27


64/84


TM2106EU01EG_0001

64

SSD update procedure

e process by which the base station confirms the identity of the

update message, the mobile station sets the input parameters

ure

SSD-generation

station then elects a 32-bit random number (RANDBS), and sends it to the base

, ESN,

-SIGNATURE.

the mobile station in a base

l.

SD-Update procedure to

, the mobile station discards SSD-A-NEW and SSD-B-New. The

e station and its associated HLR/AC , not in

Authentication refers to thmobile station. The successful authentication can be achieved only when the base stationpossesses identical sets of shared secret data (SSD) with the mobile station.

The base station sends an SSD update message order on either the paging channel or theforward traffic channel.

Upon receipt of the SSD(RANDSSD, ESN, A-Key) to the SSD-generation algorithm.

The mobile station then executes the SSD-generation proced

SSD-A NEW and SSD-B NEW are generated as the outputs of theprocedure

The mobilestation in a base station challenge order on the access channel or reverse channel

Both the mobile station and the base station then set the input parameters (RANDBSMIN 1, SSD-A-NEW) of the Auth-Signature procedure (including DM algorithm) andexecute the Auth-Signature procedure

AUTHBS is set to the 18-bit result AUTH

The base station sends its computed value of AUTHBS to

station challenge confirmation order on the paging channel or the forward traffic channeUpon receipt of the base station challenge confirmation order, the mobile station comparesthe received value of AUTHBS to its internally generated value.

If the comparison is successful, the mobile station executes the Sset SSD-A and SSD-B to SSD-A-New and SSD-B-NEW, respectively. The mobile stationthen sends an SSD update confirmation order to the base station, indicating successfulcompletion of the SSD update. The base station sets SSD-A and SSD-B to the valuescomputed by the HLR/AC

If the comparison has failedmobile station then sends an SSD update reject order to the base station, indicatingunsuccessful completion of the SSD update

SSD updates are carried out only in the mobilthe serving system. The serving system obtains a copy of the SSD computed by theHLR/AC via the intersystem communication with the mobile station's HLR/AL.


65/84


TM2106EU01EG_0001 65

Fig.28


66/84


TM2106EU01EG_0001

66


67/84


TM2106EU01EG_0001 67

8 Security in GSM


68/84


TM2106EU01EG_0001

68

GSM, the picture is quite different, although conceptually similar. The challenge is

r SIM

t

e

e sent to the mobile station

ed after authentication succeeds.

and indeed COMP128 was

of A5/1, in which the stepping is controlled by a fourthlled

Inunique, and is generated within the home system (the system where the phone is

egistered). The algorithm and the master key are both stored on a smart card called a(Subscriber Identity Module). This allows for the possibility that the algorithm may actuallyvary with different service providers, and indeed this is the case for about 40% of phones.The interface to which the algorithm adheres is called A3, and it accepts a 64 bit challengeand produces a 64 bit response, based on the secret key in the SIM. At the same time, analgorithm whose interface is called A8 calculates the corresponding session key for privacyduring the call. The standard algorithm performing these functions together is calledCOMP128. This algorithm is held tightly secret by the GSM MoU (Memorandum of Understanding Group); only the interface to it is public. Because the algorithm might noeven be known at a visited system, the home system has to perform all of the verificationand key generation functions. As an optimization for network traffic, a number of triplets ar forwarded upon the first access.These consist of:

1. A challenge to b

2. The expected response

3. The session key to be us

Relying on the secrecy of the algorithm is rarely a good move,disclosed in 1998. Furthermore, the algorithm is weak, allowing disclosure of the A-Key witha few million interactions with the SIM card.

8.1 Encryption for secrecy in GSM

In GSM the situation for secrecy of voice, signaling data and user data is simple. Once thesession has been authenticated, encryption is turned on and everything is protected by thesame algorithm, a stream cipher notionally known as A5. Actually, there are three differentalgorithms, which are negotiated between the phone and the network. A5/1 is based onthree shift registers with complicated stepping control; the exact algorithm was reverseengineered early in 1999.

A5/2 is a weakened versionindependent shift register. There is also the option of no encryption, colloquially caA5/0. The first two of these algorithms are also tightly controlled by the GSM MoU. Unlikethe A3/A8 algorithm(s), though, these ones are built into the phone itself, because the SIMdoesnt have enough CPU power to calculate the outputs in real time.


69/84


TM2106EU01EG_0001 69

Fig.29


70/84


TM2106EU01EG_0001

70

8.2 TMSI allocationhe identity of the mobile subscriber with whom it is in contact. Thus, during

the initial phase of communication setup, when the identity of the mobile subscriber is still unknown, the

y Mobile Subscriber Identity TMSI.

ociated to the VMSC.

been allocated by thehe MS, to deliver the

Since the network is aware of t

transmitted signaling information cannot be ciphered. During this phase a third party may identify a subscriber and the desired service.In order to protect the identity of the subscriber in this phase, a temporary identification of the subscriber isdistributed: the Temporar The TMSI is used instead of the real user identity, the International Mobile Subscriber Identity IMSI. This TMSI is allocated by the VLR, which is assThe MS usually identifies itself with the TMSI in the initial access phase to the VLR.The VLR uses this TMSI to re-identify the IMSI. This is only possible if the TMSI hassame VLR. If not, the VLR has to request the VLR, which has allocated the TMSI to tIMSI. Therefore, the TMSI is in most cases transmitted together with the old LAI, which identifies uniquely aVLR. The request VLR - VLR is only possible, if both VLR belong to the same PLMN.Therefore, the IMSI has to be transmitted via Um at the first registration in a new PLMN and obviously at thevery first usage of the SIM card (i.e. in the case of Location Registrations).A new TMSI (TMSI re-allocation) can optionally be allocated to the MS after every authentication & cipher start (and the optional IMEI check).


71/84


TM2106EU01EG_0001 71

0Fig.3


72/84


TM2106EU01EG_0001

72

8.3 IMEI Checkcurity mechanism authentication, ciphering and TMSI allocation, the check of the

IR

mit the IMEI during

In contrast to the other seInternational Mobile Equipment Identity IMEI is optional. It depends on the operators decision whether an Eis implemented and IMEI checks are done.IMEI check serves to identify stolen, expired or faulty mobile equipment. An IMEI clearly identifies a particular mobile device and contains information about the place of manufacture, type approval code and the serialnumber of the equipment.The IMEI consists of: Type Approval Code TAC, Final Assembly Code FAC, and SerialNumber SNR and a Software Version Number SVN.

Station MS will be requested to subIf an IMEI check in the PLMN is intended, the Mobilecall setup after authentication and cipher command. The MS sends back its IMEI. The IMEI is routed to theEIR of the PLMN.A check occurs here to find out whether the IMEI is registered on the black or gray list, i.e. whether the MS isblocked from further use of the PLMN, or whether it has to be observed.


73/84


74/84


TM2106EU01EG_0001

74

CALL PROCESSINGl, a mobile station goes through several states:

tate.

bile acquires a pilot channel by searching all the PN Offsets possibilities

hannel.

e the necessary

on the

successful the mobile enters the traffic state.

In getting to a traffic channe System initialization System idle state System access Traffic channel s

nI

asystem initialization state the mo

nd selecting the strongest pilot signal. Once the pilot is acquired, the sync channel is acquired using the W32Walsh function and the detected pilot channel.Then the mobile obtains the system configuration and timing information.

Next the mobile enters the system idle state where it monitors the paging c If a call is being placed or received, the mobile enters the system access state wher parameters are exchanged.The mobile transmits its response on the access channel and the base station transmits its responsepaging channel.

When the access attempt is


75/84


TM2106EU01EG_0001 75

Fig.32


76/84


TM2106EU01EG_0001

76

Mobile Station Initialization State

The Mobile Station Initialization State consists of the following substates:

CDMA system.

ion for a CDMA system.

e mobile station shall update all active registration timers

System Determination Substate:In this substate, the mobile station selects which system to use.

Pilot Channel Acquisition Substate:In this substate, the mobile station acquires the Pilot Channel of a

Sync Channel Acquisition Substate:

this substate, the mobile station obtains system configuration and timing informatIn Timing Change Substate:

n this substate, the mobile station synchronizes its timing to that of a CDMA system. While in the MobileIStation Initialization State, th


77/84


78/84


TM2106EU01EG_0001

78

Mobile Termination Call

e BTS uses the paging channel to send a page message to the

sponse message to the BTS via the access

sets up forward and reverse traffic channel to be used during the call.

ver

e channel assignment message, the MS sets up the traffiction.

ll

age over the forward traffic channel to alert

wering, the MS sends a Connect message and the call is established

sage over the forward traffic

lso responds by sending a Release message over the reverse traffic

1. To receive a call, thMS, which notifies it that, it has a call.

2. The MS responds by sending a page rechannel.

3. The BTS

4. The BTS also, begins time synchronization with the MS, by sending Null Data othe forward traffic channel, then sending a channel assignment message over thepaging channel.

5. After receiving thchannel and receive the Null Data sequence to identify the start of a connec

6. After being in synchronization, the BTS sends a Base Station Acknowledgemessage via the forward traffic channel, and the MS responds by sending NuData over the reverse traffic channel.

7. Then the BTS transmits alerting messthe user.

8. When ansnow until one of the users ends it by hanging up.

9. The BTS detects that and sends a Release meschannel.

10. The MS achannel, after that the two traffic channels are seted free.


79/84


TM2106EU01EG_0001 79

Fig.34

Fig.35


80/84


TM2106EU01EG_0001

80

Mobile Originating Call

alled number, the MS sends origination message on the Access

responds by setting up traffic channel, and transmitting Null data over the

a channel Assignment message to the MS over a Paging

ormation.

the

ng Null data over the reverse traffic channel.

S are idle-

e conversation continues until one of the users hangs up, assuming that the MS

then sends a release message via the forward traffic channel, which frees

1. After dialing the cchannel.

2. The BTSforward traffic channel.

3. After that the BTS sendschannel telling the MS which traffic channels to use during the call.

4. The MS sets up the traffic channel and begins sending preamble inf

5. The BTS sends a Base Station Acknowledgment message to the MS throughforward traffic channel,

6. The MS starts transmitti

7. Now, the forward and the reverse channels between the MS and the BTestablished and the caller will hear a ring back tone if the called subscriber is.

8. Thuser ends the call, the MS sends a release message over the reverse trafficchannel.

9. The BTSup both the forward and reverse traffic channels.


81/84


TM2106EU01EG_0001 81

Fig.36

Fig.37


82/84


TM2106EU01EG_0001

82

PROTOCOL LAYERING

The following Figure shows a simplified logical view of the CDMA protocol structure for the Paging Channel,Access Channel, Forward Traffic Channel and Reverse Traffic Channel. This protocol is divided intoconceptual layers. Layer 1 is the physical layer of the digital radio channel, including those functionsassociated with the transmission of bits, such as modulation, coding, framing, and canalization via radiowaves.

Between Layer 1 and Layer 2 is a Multiplex Sublayer containing the multiplexing functions that allow sharingof the digital radio channel for user data and signaling processes. For user data, protocol layering above theMultiplex Sublayer is service option dependent and, where used, will be described in standards for the serviceoptions.

For the signaling protocol described in this standard, two higher layers are defined.

Signaling protocol Layer 2 is the protocol associated with the reliable delivery of signaling

Layer 3 messages between the base station and the mobile station, such as message retransmission andduplicate detection. Signaling Layer 3 is the protocol associated with call processing, radio channel control,and mobile station control, including call setup, handoff, power control, and mobile station lockout.


83/84


84/84


Documents

04 Tm2106euo1_eg0001 CDMA System Performance