islam-barakat
438 Lecture 5
Mobility Management, Call Routing & Security
Mobility Management
Routing Calls to Mobile Stations
Confidentiality and Security
Detailed Location Registration Scenario
Objectives
At the end of this unit, you should be able to:
• Explain why the mobile registration process is necessary
• Describe how a call is automatically routed from PSTN to a mobile station
• Explain why mobile authentication is necessary and how it works
• Describe the various phases of mobile registration and the location updating process
Unit 3 Section 1
Mobility Management
Where is the Mobile Station?
[Figure: PSTN; Benelux GSA and United Kingdom GSA; GPA 1 (UK), GPA 2 (Belgium), GPA 3 (Netherlands)]
Location Areas and Cell Areas
[Figure: a GPA containing Location Area 1, Location Area 2 and Location Area 3; cell areas]
Location Areas and Cell Areas
Cell Global Identification Number: MCC + MNC + LAC + CI
Location Area Identification (LAI): MCC + MNC + LAC
Acronyms
• MCC - Mobile Country Code (same as in the IMSI) – 3 digits.
• MNC - Mobile Network Code (same as in the IMSI) – 2 digits.
• LAC - Location Area Code used to identify a location area within a GSM PLMN – 2 octets.
• LAI - Location Area Identification
• CI - Cell Identity – 2 octets.
Location Areas and Base Station Systems
[Figure: PSTN, MSC, BSCs and BTSs covering Location Area 1 and Location Area 2]
MSC Areas and Location Areas
[Figure: a GPA with MSC 1 and MSC 2 connected to the PSTN; MSC Area 1 and MSC Area 2; Location Areas 1 to 4; cell areas]
Network Operation - Examples
[Figure: MS, BTSs, BSCs and MSC]
Mobile Powers On/IMSI Attach
Location Updating
Mobile Powers Off/IMSI Detach
Idle Mode Measurements
Mobile Makes a Call
Mobile Receives a Call
Measurements during a Call
Handover
Registration and IMSI Attach
[Figure: BSC, MSC, VLR and HLR]
Radio Criterion
p1 and p2 are supplied by the BS
p1 specifies the minimum receive level
p2 specifies the maximum mobile transmit level
All quantities are measured in dB
C1 = (Received Level Average - p1) - (p2 - Maximum Power of Mobile)
C1 must be greater than 0 for a cell to be used
Registration Sequence
Source: An Introduction to GSM, Redl, Weber and Oliphant
Types of Location Registration
• GEOGRAPHIC Based
• TIME Based
• ON/OFF Based
Time-Based Registration
TIMER MANAGEMENT:
• Timer is reset when mobile station activity has taken place.
• Mobile Station initiates location updating when timer expires.
• Mobile station timer value is kept in memory when turned off.
On/Off-Based Registration
• IMSI Attach
  - mobile power-up = attach
  - mobile power-up causes a registration
• IMSI Detach
  - mobile power-down = detach
  - mobile power-down causes a deregistration
Paging a Mobile Station
[Figure: PSTN, Mobile Switching Centre, BSSs in two location areas and the mobile station; the DN is mapped to a location area and a mobile ID]
Mobile Station Identification
[Figure: identities of a mobile station: Temporary Mobile Subscriber Identity (TMSI); International Mobile Equipment Identity (IMEI); International Mobile Subscriber Identity (IMSI) on the smart card (SIM); Mobile Station ISDN Number (MSISDN)]
Mobile Station Identification Numbers Used in GSM
International Mobile Equipment Identity (IMEI)
• Uniquely identifies mobile station equipment
• Burnt in by the equipment manufacturer
• IMEI (15 digits): TAC FAC SNR SP
  - TAC – Type Approval Code (6 digits)
  - FAC – Final Assembly Code (2 digits)
  - SNR – Serial Number (6 digits)
  - SP – Spare (1 digit)
International Mobile Subscriber Identity (IMSI)
• IMSI is assigned to an MS at subscription time
• IMSI uniquely identifies a given MS
• IMSI is transmitted over the radio path only when necessary
• IMSI (15 digits): MCC MNC MSIN
  - MCC – Mobile Country Code [3 digits] (home country)
  - MNC – Mobile Network Code [2 digits] (home GSM PLMN)
  - MSIN – Mobile Subscriber Identification Number (10 digits)
  - NMSI – National Mobile Subscriber Identity
Temporary Mobile Subscriber Identity (TMSI)
• TMSI is assigned to an MS by the VLR
• TMSI uniquely identifies an MS within the area controlled by a given VLR
• TMSI (32 bits max)
Country Codes Used in Mobile Identities
Partial List of Codes
Country        | Country Codes (CC) used in land network | Mobile Country Codes (MCC) used in GSM network
United Kingdom | 44  | 234, 235
Spain          | 34  | 214
France         | 33  | 208
Finland        | 358 | 244
Sweden         | 46  | 240
Italy          | 39  | 222
Ireland        | 354 | 272
United States  | 1   | 310 – 316
Australia      | 61  | 505
Japan          | 81  | 440, 441
Kuwait         | 965 | 419
Mobile Station
Mobile Station = Mobile Equipment + Subscriber Identity Module (SIM)
[Figure: mobile equipment and SIM card; plug-in type SIM and IC card type SIM]
Subscriber Identity Module (SIM) - Continued
Contains:
• International Mobile Subscriber Identity (IMSI)
• Authentication key (Ki)
• Personal Identification Number (PIN)
• Subscriber information
• Access control class
• Cipher key (Kc)*
• Temporary Mobile Subscriber Identity (TMSI)*
• Additional GSM services*
• Location Area Identity (LAI)*
• Forbidden Public Land Mobile Networks (PLMNs)*
*Updateable by network
Subscriber Identity Module (SIM) Hardware Spec
Highly Secure Processor
Contact Type - Smart Card
Communication via serial IO
Data Rate 1MHz
Contains ROM, RAM and EPROM
SIM Security Functions
• PIN code to unlock the mobile station.
• 3 wrong attempts at PIN and SIM is blocked.
• SIM may be unblocked with PIN Unblock Code (PUK).
• 10 attempts at PUK and SIM is permanently disabled.
• Second PIN and second PUK available in Phase 2 to support Closed User Groups and Fixed Dial Numbers.
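The retry limits listed above behave as a small state machine. The sketch below is an added example, not code from the lecture or from any SIM specification; the class name, the state names, the counter reset on a correct PIN and the new PIN set on unblock are assumptions.

```python
import hmac

class SimPinGuard:
    """Retry counters for PIN and PUK as listed above (hypothetical class)."""
    PIN_TRIES, PUK_TRIES = 3, 10          # limits stated in the bullets above

    def __init__(self, pin: str, puk: str):
        self._pin, self._puk = pin, puk
        self.pin_left, self.puk_left = self.PIN_TRIES, self.PUK_TRIES
        self.unlocked = False

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "DISABLED"             # permanent, no way back
        if self.pin_left == 0:
            return "BLOCKED"              # only the PUK is accepted now
        return "UNLOCKED" if self.unlocked else "LOCKED"

    @staticmethod
    def _same(a: str, b: str) -> bool:
        return hmac.compare_digest(a.encode(), b.encode())

    def verify_pin(self, attempt: str) -> bool:
        if self.state in ("BLOCKED", "DISABLED"):
            return False                  # a correct PIN no longer helps
        if self._same(attempt, self._pin):
            self.pin_left = self.PIN_TRIES    # assumption: success resets the counter
            self.unlocked = True
            return True
        self.pin_left -= 1
        self.unlocked = False
        return False

    def unblock(self, puk_attempt: str, new_pin: str) -> bool:
        if self.state != "BLOCKED":
            return False
        if self._same(puk_attempt, self._puk):
            # assumption: unblocking sets a new PIN and restores both counters
            self._pin, self.pin_left, self.puk_left = new_pin, self.PIN_TRIES, self.PUK_TRIES
            return True
        self.puk_left -= 1
        return False

def trace(card, pins):
    """Feed PIN attempts to the card and return the state after each one."""
    states = []
    for p in pins:
        card.verify_pin(p)
        states.append(card.state)
    return states
```

Because the counters live on the card, the limit holds even when the SIM is moved to different mobile equipment.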
SIM and Phase 2+
• SIM Application Toolkit allows user applications (e.g. electronic banking) to be run on the SIM
Routing Calls Automatically to Mobile Stations
MSC Directory Number Allocation
[Figure: PSTN and local exchange connected by trunks to two MSCs. Directory number spectrum in the MSC: MSISDN, used to reference home subscribers; MSRN, used to reference visiting subscribers]
Home Location Register (HLR)
Keys:
• International Mobile Subscriber Identity (IMSI)
• Mobile Subscriber ISDN Number (MSISDN)
Contains:
• International Mobile Subscriber Identity (IMSI)
• Mobile Subscriber ISDN Number (MSISDN)
• Permanent copy of subscriber data
• Mobile Station Roaming
[Figure: HLR record holding MSISDN, IMSI, MSRN and subscriber data, looked up by IMSI or MSISDN]
Visitor Location Register (VLR)
Keys:
• International Mobile Subscriber Identity (IMSI)
• Temporary Mobile Subscriber Identity (TMSI)
• Mobile Station Roaming Number (MSRN)
Contains:
• Mobile Station ISDN number (MSISDN)
• International Mobile Subscriber Identity (IMSI)
• Temporary Mobile Subscriber Identity (TMSI)
• Mobile Station Roaming Number (MSRN)
• Location Area Code (LAC) of Mobile Station
• Copy of subscriber data from HLR
[Figure: VLR record holding MSISDN, IMSI, MSRN, LAC, TMSI and subscriber data, looked up by TMSI, IMSI or MSRN]
Location Area, VLR, and HLR Relationship
[Figure: Systems 1, 2 and 3, each with a VLR, MSC areas and location areas (LA 1, LA 2, LA 3), connected over the SS7 network to the home HLR]
Land to Mobile Call Routing
Mobile Located in Non-Home MSC Area
[Figure: PSTN, home MSC and visited MSC (each with BSS 1 and BSS 2), HLR and VLR. Signalling and voice path, steps 1 to 10, labelled with MSISDN, MSRN, TMSI and LAC]
Land to Mobile Call Routing
Mobile in Home MSC Area
[Figure: PSTN, home MSC (BSS 1, BSS 2), HLR and VLR. Paths labelled with MSISDN, MSRN, TMSI and LAC]
Land to Mobile Call Routing
Intelligent PSTN Routing
[Figure: PSTN, home MSC (BSS 1, BSS 2), visited MSC (BSS 3, BSS 4), HLR and VLR. Paths labelled with MSISDN, MSRN, TMSI and LAC]
Land to Mobile Call Routing
Routing Via a Gateway MSC
[Figure: PSTN, gateway MSC, home MSC (BSS 1, BSS 2), visited MSC (BSS 1, BSS 2), HLR and VLR. Signalling and voice path labelled with MSISDN, MSRN, TMSI and LAC]
Dynamic Allocation of MSRN
[Figure: message sequence between the visited GSM system (VLR), the home GSM system (HLR, home MSC) and the landline network (PSTN). Messages: Mobile Registers; Update Location (no MSRN, use LMSI); Subscriber Data; Incoming Call; Get Route; Need MSRN for LMSI; MSRN]
GSM Confidentiality and Security Mechanisms
• Use of a temporary mobile station identity (TMSI)
The temporary mobile station identity that is sent is not the mobile station's true identity. Instead, an alias is used by the network so no calling pattern can be seen by an observer.
• Encryption for information on the radio path
Encryption involves changing bits in a manner known only to the network and the mobile station. Encryption occurs only on the radio link portion of the call.
• Mobile station authentication procedure
Used to grant an MS access via the VLR. The same authentication key is stored in the AUC and in the MS.
• Mobile station equipment validation
Equipment validation is a process where the network can require the mobile station to transmit its equipment serial number so the network can check the equipment against the Valid list, Suspect list or Fraudulent list contained in the Equipment Identity Register (EIR).
Authentication Concept
[Figure: the serving network's random number generator sends a random number to the mobile station. Both sides run the authentication algorithm over the random number and their secret data. The network compares the two authentication responses: if they are equal, grant access; if not, deny access]
GSM Authentication Example
[Figure: home system (HLR, AUC holding Ki) and visited system (VLR, MSC, BSS) with the mobile station (MS) holding Ki; RAND and SRES exchanged in steps 1 to 3]
1. RAND, SRES sent to visited system's VLR
2. RAND transmitted to mobile
3. SRES transmitted from mobile in response
Generating the Signed Response (SRES) and Cipher Key (KC)
• Ki - Individual subscriber authentication key (128 bits)
• Kc - Cipher Key (64 bits)
• RAND - Random number (128 bits)
• SRES - Signed response (32 bits)
• A3 - Authentication algorithm
• A8 - Cipher Key generating algorithm
[Figure: in the home system's AUC and in the mobile station, A3 takes Ki and RAND and produces SRES, and A8 takes Ki and RAND and produces Kc. The random number (RAND) is 128 bits; the subscriber is identified by IMSI/TMSI]
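The challenge-response exchange described in the authentication slides above can be run end to end. This is an added example, not code from the lecture: HMAC-SHA256 stands in for the operator-chosen A3 and A8 algorithms (an assumption; only the 128/32/64-bit sizes follow the page), and the class names, the batch size of three triplets, the IMSI and the Ki values are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for the operator-chosen A3 and A8
# algorithms; only the input and output sizes follow the page.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # SRES, 32 bits

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # Kc, 64 bits

class AuC:
    """Home system: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""
    def __init__(self, ki_by_imsi):
        self._ki = dict(ki_by_imsi)

    def triplets(self, imsi, count=3):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]      # RAND, 128 bits
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]

class Sim:
    """Mobile station side: Ki stays on the card, only SRES leaves it."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

class Vlr:
    """Visited system: works from triplets only and never learns Ki."""
    def __init__(self, auc):
        self._auc, self._pool = auc, {}

    def authenticate(self, sim):
        pool = self._pool.setdefault(sim.imsi, [])
        if not pool:                                   # fetch a batch from the home system
            pool.extend(self._auc.triplets(sim.imsi))
        rand, expected_sres, kc = pool.pop(0)          # each challenge is used once
        sres, _ = sim.respond(rand)                    # RAND down, SRES back
        return kc if hmac.compare_digest(sres, expected_sres) else None

if __name__ == "__main__":
    ki = secrets.token_bytes(16)                       # constructed 128-bit Ki
    vlr = Vlr(AuC({"001010123456789": ki}))            # constructed test IMSI
    print("genuine SIM:", vlr.authenticate(Sim("001010123456789", ki)) is not None)
    print("wrong Ki:   ", vlr.authenticate(Sim("001010123456789", bytes(16))) is not None)
```

Only RAND and SRES cross the radio path; Kc is derived independently on both sides and Ki never leaves the AUC or the SIM.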
Authentication Process Network View
[Figure: home system: the AUC runs A3 and A8 over Ki and RAND, and the HLR holds RAND, Kc and SRES per IMSI. Visited system: the VLR holds several sets of RAND, SRES, Kc; RAND is sent through the BSS to the MS, and the MS returns SRES]
Equipment Validation Process
[Figure: MS, MSC and EIR]
1. Request IMEI (MSC to MS)
2. IMEI (MS to MSC)
3. Check IMEI (MSC to EIR)
4. IMEI check response (EIR to MSC)
Detailed Location Registration Scenario
Location Updating
[Figure: MSC 1 and MSC 2, each with a VLR, the HLR, and three BSCs]
Phases of a Location Update
• 1) Request for Service
• 2) Authentication*
• 3) Update Location Registers
• 4) Ciphering*
• 5) TMSI Reallocation
*Phase might not occur
Mobile Location Update: Request for Service
[Figure: message sequence between MS, BSS, MSC and new VLR over the Um, A and B interfaces, steps 1 to 9]
• Channel Request (on RACH)
• Dedicated Signalling Channel Assignment (on AGCH)
• Location Update Request: TMSI, LAI (on SDCCH)
• Location Update Request
• Location Update Request
• Request IMSI
• Request IMSI
• IMSI Acknowledge
• IMSI Acknowledge
Mobile Location Update: Authentication
[Figure: message sequence between MS, MSC, new VLR, HLR and AUC over the B and D interfaces, steps 10 to 17]
• Get Authentication Parameters: IMSI (shown twice)
• Authentication Parameters: RAND, SRES, Kc (shown twice)
• Authenticate Mobile Station: RAND (shown twice)
• Authenticate Response: SRES (shown twice)
Mobile Location Update: Update Location
[Figure: message sequence between new VLR, HLR and old VLR over the D interface, steps 18 to 21]
• Update Location: MSRN
• Location Updated: Customer Profile
• De-register Mobile Station
• Mobile Station De-registered
Mobile Location Update: Ciphering
[Figure: message sequence between MS, BSS, MSC and new VLR over the Um, A and B interfaces, steps 22 to 26]
• Set Ciphering: Kc
• Encipher Command: Kc
• Cipher Mode Command
• Cipher Mode Complete
• Encipher Complete
Mobile Location Update: TMSI Reallocation
[Figure: message sequence between MS, BSS, MSC and new VLR over the Um, A and B interfaces, steps 27 to 32]
• Location Update Accept: new TMSI (shown twice)
• Location Update Complete
• Clear Signalling Connection
• Release Radio Signalling Channel
• Clear Complete