GSM Mobility Management
Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York
• GSM architecture overview
  – Network layout
  – Protocols
  – Addresses & identifiers
• Location management
  – Call delivery + location update
  – Security
• Handover management
GSM characteristics
• previous standards in cellular communication were restrictive
• GSM – global digital standard for cellular phones that offered roaming facility
• first named Groupe Special Mobile and used in Europe; then usage extended to other continents
• GSM operates in frequency bands: 900 MHz, 1800 MHz, 1900 MHz
• GSM provides voice and data services
GSM: The European TDMA Digital Cellular Standard
• Services Provided By GSM
1. Telephony - Basic Teleservice
2. Other Services
  - Emergency calling
  - Voice Messaging
3. Bearer Services
  - Low Speed data transfer (up to 9.6 Kbps)
  - Group 3 Fax and SMS
4. Supplementary Services
  - call offering, call forwarding, call restriction, call waiting, call hold
  - Multiparty teleconferencing, special schemes
Subscriber Identity Module (SIM) card
• SIM – a memory card (integrated circuit) holding identity information, phone book etc.
• GSM systems support SIM cards
• other systems, like CDMA, do not support SIM cards, but have something similar called Re-Usable Identification Module (RUIM)
International Mobile Equipment Identity (IMEI) key
• IMEI – a unique 15 digit number identifying each phone, is incorporated in the cellular phone by the manufacturer
• IMEI ex.: 994456245689001
• when a phone tries to access a network, the service provider verifies its IMEI with a database of stolen phone numbers; if it is found in the database, the service provider denies the connection
• the IMEI is located on a white sticker/label under the battery, but it can also be displayed by typing *#06# on the phone
International Mobile Subscriber Identity (IMSI) key
• IMSI – a 15-digit unique number provided by the service provider and incorporated in the SIM card which identifies the subscriber
• IMSI enables a service provider to link a phone number with a subscriber
• first 3 digits of the IMSI are the country code
Temporary Mobile Subscriber Identity (TMSI) key
• TMSI – a temporary number, shorter than the IMSI, assigned by the service provider to the phone on a temporary basis
• the TMSI key identifies the phone and its owner in the cell where it is located; when the phone moves to a different cell it gets a new TMSI key
• as TMSI keys are shorter than IMSI keys, they are more efficient to send
• TMSI keys are used for securing GSM networks
Architecture of the GSM system
• GSM is a PLMN (Public Land Mobile Network)
  – several providers set up mobile networks following the GSM standard within each country
  – components
    • MS (mobile station)
    • BS (base station)
    • MSC (mobile switching center)
    • LR (location register)
  – subsystems
    • RSS (radio subsystem): covers all radio aspects
    • NSS (network and switching subsystem): call forwarding, handover, switching
    • OSS (operation subsystem): management of the network
GSM: elements and interfaces
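[Figure: GSM elements and interfaces. Components shown: MS, BTS, BSC, MSC, GMSC, IWF, HLR, VLR, EIR, AUC and OMC, grouped into RSS (with BSS and radio cells), NSS and OSS; interfaces Um, Abis, A and O; signaling links; connections to ISDN, PSTN and PDN.]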
GSM network layout
[Figure: GSM network layout. Components shown: BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR and OMC; interfaces Um, Abis, A, B, C and E; connections to PSTN and ISDN.]
Radio Subsystem
• Base Station Subsystem (BSS)
• Base Transceiver Station (BTS)
• Base Station Controller (BSC)
• Mobile Station (MS): SIM, IMSI, IMEI, PIN, PUK, IMSI
Networking and switching subsystem
• NSS is the main component of the public mobile network GSM
  – switching, mobility management, interconnection to other networks, system control, accounting, roaming, handovers between different BSSs.
• Components
  – Mobile Services Switching Center (MSC): controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSCs can belong to an MSC
  – Databases (important: scalability, high capacity, low delay)
    • Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    • Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR
Operation Subsystem
• The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
• Components
  – Authentication Center (AUC)
    • generates user specific authentication parameters on request of a VLR
    • authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
  – Equipment Identity Register (EIR)
    • registers GSM mobile stations and user rights
    • stolen or malfunctioning mobile stations can be locked and sometimes even localized
  – Operation and Maintenance Center (OMC)
    • different control capabilities for the radio subsystem and the network subsystem. Functions are traffic monitoring, status reports, security management.
What is a location area (LA)?
• A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell
• One extreme is to page every cell in the network for each call - a waste of radio bandwidth
• Other extreme is to have a mobile send location updates at the cell level. Paging cut to 1 cell, but large number of location updating messages.
• Hence, in GSM, cells are grouped into Location Areas – updates sent only when LA is changed; paging message sent to all cells in last known LA
Addresses and Identifiers
• International Mobile Station Equipment Identity (IMEI)
  – It is similar to a serial number. It is allocated by equipment manufacturer, registered by network, and stored in EIR
• International Mobile Subscriber Identity (IMSI)
  Structure: MCC | MNC | MSIN
  MCC: Country Code
  MNC: Mobile Network Code
  MSIN: Mobile Subscriber Identification Number
  When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.
  The HLR can be identified by a VLR/MSC from the IMSI.
• Mobile Subscriber ISDN (MSISDN)
  – The “real telephone number”: assigned to the SIM
  – The SIM can have several MSISDN numbers for selection of different services like voice, data, fax
  Structure: CC | NDC | SN
  CC: Country Code; NDC: National Destination Code (NDC identifies operator); SN: Subscriber Number; digits following NDC identify the HLR
• Mobile Station Roaming Number (MSRN)
  – It is a temporary, location-dependent ISDN number
  – It is assigned by local VLR to each MS in its area.
  Structure: CC | NDC | SN
• Temporary Mobile Subscriber Identity (TMSI)
  – It is an alias of the IMSI and is used in its place for privacy.
  – It is used to avoid sending IMSI on the radio path.
  – It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR
  – TMSI is stored in MS SIM card and in VLR.
TMSI, IMSI, MSRN and MSISDN
• Unlike MSISDN, IMSI is not known to the GSM user. The CC of MSISDN translates to an MCC of IMSI as follows, e.g., Denmark CC: 45, MCC: 238
• TMSI is used instead of IMSI during location update to protect privacy. As user moves, TMSI is used to send location update. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
• MSRN is the routing number that identifies the current location of the called MS.
  – MSRN is a temporary network identity assigned to a mobile subscriber.
  – MSRN identifies the serving MSC/VLR.
  – MSRN is used for call delivery (calls incoming to an MS).
• MSISDN is the dialed number to reach a GSM user
Addresses and Identifiers
• Location Area ID (LAI)
  – CC: Country Code, MNC: Mobile Network Code, LAC: Location Area Code
  – LAI is broadcast regularly by Base Station on BCCH
  – Each cell is identified uniquely as belonging to an LA by its LAI
  Structure: CC | MNC | LAC
Location management
• Set of procedures to:
  – track a mobile user
  – find the mobile user to deliver calls to it
• Current location of MS maintained by 2-level hierarchical strategy with HLRs and VLRs.
Ways to obtain MSRN
1. Obtaining at location update – MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
2. Obtaining on a per call basis – This case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment
Routing information: case when MSRN is selected per call by VLR/MSC
• If an MSRN is allocated to each subscriber visiting at an MSC, then the number of MSRNs required is large. If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number. Hence MSRNs are typically allocated per call by VLR/MSC.
[Figure: routing information exchange between GMSC, HLR and MSC/VLR; labels on the arrows: MSISDN, IMSI, VLR number, MSRN.]
Call routing to a mobile station: case when HLR returns MSRN
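[Figure: call routing from the ISDN through GMSC and MSC to the MS, with HLR, VLR, AUC, EIR, BSCs and BTSs in LA 1 and LA 2. Numbered arrows and the identifier each carries: 1 MSISDN, 2 MSISDN, 3 MSRN, 4 MSRN, 5 MSRN, 6 TMSI, 7 TMSI, 8 TMSI.]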
Messages exchanged: call delivery
Participants: Originating Switch (PSTN), GMSC, HLR, VLR, Target MSC
1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM
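The six call-delivery messages above with a per-call MSRN pool, as an added Python sketch that is not part of the original slides. The class and function names and the `MSISDN-n`, `IMSI-n` and `MSRN-n` values are constructed; returning the serving VLR from the HLR and releasing the MSRN when the IAM arrives are simplifying assumptions of this sketch.

```python
class Vlr:
    """Toy MSC/VLR that assigns MSRNs from a small pool, one per call."""
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)       # unassigned roaming numbers
        self.in_use = {}                  # MSRN -> IMSI awaiting the call
        self.visitors = set()             # IMSIs registered in this VLR

    def provide_roaming_number(self, imsi):
        """Steps 3 and 4: MAP_PROVIDE_ROAMING_NUMBER and its ack."""
        if imsi not in self.visitors:
            raise LookupError("subscriber not registered in this VLR")
        if not self.free:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free.pop(0)
        self.in_use[msrn] = imsi
        return msrn

    def incoming_iam(self, msrn):
        """Step 6: the IAM arrives on the MSRN; resolve it and free it."""
        imsi = self.in_use.pop(msrn)
        self.free.append(msrn)
        return imsi

class Hlr:
    def __init__(self):
        self.subscribers = {}             # MSISDN -> (IMSI, serving Vlr)

    def send_routing_info(self, msisdn, trace):
        """Steps 2 to 5: ask the serving VLR for a per-call MSRN."""
        imsi, vlr = self.subscribers[msisdn]
        trace.append("MAP_PROVIDE_ROAMING_NUMBER")
        msrn = vlr.provide_roaming_number(imsi)
        trace.append("MAP_PROVIDE_ROAMING_NUMBER_ack")
        return msrn, vlr

def deliver_call(hlr, msisdn):
    """GMSC view of one incoming call; returns (IMSI reached, message trace)."""
    trace = ["ISUP IAM", "MAP_SEND_ROUTING_INFO"]
    msrn, vlr = hlr.send_routing_info(msisdn, trace)
    trace += ["MAP_SEND_ROUTING_INFO_ack", "ISUP IAM"]
    return vlr.incoming_iam(msrn), trace

def build_sample_network(visitors=5, pool=2):
    """Constructed data: `visitors` subscribers share `pool` MSRNs."""
    vlr, hlr = Vlr([f"MSRN-{n}" for n in range(pool)]), Hlr()
    for n in range(visitors):
        vlr.visitors.add(f"IMSI-{n}")
        hlr.subscribers[f"MSISDN-{n}"] = (f"IMSI-{n}", vlr)
    return hlr, vlr
```

Five visiting subscribers are served one after another from a pool of two MSRNs, which is the sizing argument made for per-call allocation.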
Mobile Terminated Call
[Figure: mobile terminated call, numbered steps 1 to 17 between the PSTN calling station, GMSC, HLR, VLR, MSC, BSS and MS.]
• 1: calling a GSM subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request MSRN from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to current MSC
• 8, 9: get current status of MS
• 10, 11: paging of MS
• 12, 13: MS answers
• 14, 15: security checks
• 16, 17: set up connection
Mobile Originated Call
• 1, 2: connection request
• 3, 4: security check
• 5-8: check resources (free circuit)
• 9-10: set up call
[Figure: mobile originated call, numbered steps 1 to 10 between MS, BSS, MSC, VLR and GMSC.]
Find operation in GSM
• ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. It therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network)
• GMSC requests the current routing address (MSRN) from the HLR using MAP
• By way of MSRN the call is forwarded to the local MSC
• Local MSC determines the TMSI of the MS (by querying VLR) and initiates the paging procedure in the relevant LA
• After MS responds to the page the connection can be switched through.
Security in GSM
• Security services
  – access control/authentication
    • user to SIM (Subscriber Identity Module): secret PIN (personal identification number)
    • SIM to network: challenge response method
  – confidentiality
    • voice and signaling encrypted on the wireless link (after successful authentication)
  – anonymity
    • temporary identity TMSI (Temporary Mobile Subscriber Identity)
    • newly assigned at each new location update (LUP)
    • encrypted transmission
• 3 algorithms specified in GSM
  – A3 for authentication (“secret”, open interface)
  – A5 for encryption (standardized)
  – A8 for key generation (“secret”, open interface)
“secret”:
• A3 and A8 available via the Internet
• network providers can (and do) use stronger mechanisms
GSM offers several security services using confidential information stored in the AuC and in the individual SIM. The security services offered by GSM are explained below:
• Access control and authentication
• Confidentiality
• Anonymity
Three algorithms have been specified to provide security services in GSM. Algorithm A3 is used for authentication, A5 for encryption and A8 for the generation of the cipher key.
Authentication
• Before a subscriber can use any service from the GSM network, he or she must be authenticated.
• Authentication is based on the SIM, which stores the individual authentication key Ki, the user identification IMSI and the algorithm used for authentication, A3.
GSM - authentication
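[Figure: GSM authentication. On the mobile network side the AC feeds RAND (128 bit) and Ki (128 bit) into A3 to obtain SRES* (32 bit); the SIM feeds the same RAND and its own Ki (128 bit) into A3 to obtain SRES (32 bit). RAND is sent to the SIM, SRES (32 bit) is returned, and the MSC checks SRES* =? SRES.]
Ki: individual subscriber authentication key; SRES: signed response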
Encryption
• To ensure privacy, all messages containing user-related information are encrypted in GSM over the air interface. After authentication, MS and BSS can start using encryption by applying the cipher key Kc.
• Kc is generated using the individual key Ki and a random value by applying the algorithm A8.
• The SIM in the MS and the network both calculate the same Kc based on the random value RAND.
• MS and BTS can now encrypt and decrypt data using the algorithm A5 and the cipher key Kc.
GSM - key generation and encryption
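[Figure: GSM key generation and encryption. On the mobile network side the AC feeds RAND (128 bit) and Ki (128 bit) into A8 to obtain the cipher key Kc (64 bit); the SIM feeds the RAND it receives and its own Ki (128 bit) into A8 to obtain the same Kc (64 bit). The BSS and the MS then apply A5 with Kc to the data, so that encrypted data crosses the air interface between the BTS and the MS.]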
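The challenge-response and key-generation steps above, as an added Python sketch that is not part of the original slides. A3 and A8 are chosen by the operator, so `a3_a8_standin` substitutes a truncated HMAC-SHA-256 only to produce values of the stated sizes (32-bit SRES, 64-bit Kc); the class and function names and the IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki, rand):
    """Stand-in for the operator's A3/A8 (not the real algorithms): (SRES, Kc)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must each be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]        # 32-bit SRES, 64-bit Kc

class Sim:
    """Holds IMSI and Ki; Ki is used internally and never returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_a8_standin(self._ki, rand)

class AuthenticationCentre:
    """Network-side store of Ki per IMSI; issues (RAND, SRES*, Kc)."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)     # fresh 128-bit challenge
        expected_sres, kc = a3_a8_standin(self._ki_by_imsi[imsi], rand)
        return rand, expected_sres, kc

def authenticate(auc, sim):
    """MSC/VLR role: send RAND, receive SRES, check SRES* =? SRES.

    Returns (accepted, network_kc, sim_kc); network_kc is None on failure.
    """
    rand, expected_sres, network_kc = auc.triplet(sim.imsi)
    sres, sim_kc = sim.respond(rand)       # only RAND and SRES cross the air
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, (network_kc if accepted else None), sim_kc

if __name__ == "__main__":
    ki = secrets.token_bytes(16)           # constructed subscriber key
    auc = AuthenticationCentre()
    auc.provision("001010123456789", ki)   # constructed IMSI
    print(authenticate(auc, Sim("001010123456789", ki))[0])         # genuine SIM
    print(authenticate(auc, Sim("001010123456789", bytes(16)))[0])  # wrong Ki
```

The exchange proves the SIM to the network only: nothing in RAND lets the SIM check who issued the challenge.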
Location registration
• MS has to register with the PLMN to get communication services
• Registration is required for a change of PLMN
• MS has to report to current PLMN with its IMSI and receive new TMSI by executing Location Registration process.
• The TMSI is stored in SIM, so that even after power on or off, there is only normal Location Update.
• If the MS recognizes by reading the LAI broadcast on BCCH that it is in new LA, it performs Location Update to update the HLR records.
• Location update procedure could also be performed periodically, independent of the MS movement.
• The difference in Location Registration and Location Update is that in location update the MS has already been assigned a TMSI.
[Figure: Location registration, message sequence between MS, BSS/MSC, VLR, HLR and AUC. The MS and the AUC each hold IMSI and Ki and run A3 & A8 on RAND to obtain SRES and Kc; the two SRES values are compared (=). Message labels shown: Loc.Upd.Req, Upd Loc.Area, Aut.Par.Req, Auth.Info.Req, Auth.Info, Aut. Info., Authenticate, Authentic. Req, Auth.Resp., Update Location, Generate TMSI. Parameter labels shown: (IMSI, LAI), (IMSI), (RAND), (IMSI, Kc, RAND, SRES), (SRES), (IMSI, MSRN).]
[Figure: Location registration (continued), message sequence between MS, BSS/MSC, VLR, HLR and AUC. Both ends apply A5 with Kc to a message M, written Kc(M). Message labels shown: Generate TMSI, Start Ciph. (Kc), Ciph.Mod.Com., Ciph.Mod., Ins.Subsc.Data (IMSI), Subs.Dat.Ins.Ack, Forw. New TMSI (TMSI), Loc.Upd.Accept, TMSI Realloc.Cmd., TMSI Realloc.Ack, TMSI.Ack.]
Loc.Upd.Accept can be combined
New TMSI is received by MS (TMSI Reallocation) in ciphering mode.
[Figure: Location update, message sequence between MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI, TMSI, Ki, Kc and LAI. Labels shown: Loc.Upd.Req (TMSI, LAI), Update Loc.Area (TMSI, LAI), Authentication, Start ciphering (Kc), Update Location (IMSI, MSRN), Generate TMSI, Insert Subscriber data, Subs. Data Insert Ack.]
[Figure: Location update (continued), message sequence between MS, BSS/MSC, VLR, HLR and AUC. Message labels shown: Auth. Para. Req, Auth.Info.Req, Auth.Info, Auth. Info., Start ciphering, Forward new TMSI, Loc. Upd. Accept, TMSI Realloc. Cmd., TMSI Ack, TMSI Reallocation Complete. Parameter labels shown: (IMSI), (IMSI, Kc, RAND, SRES), (TMSI).]
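The anonymity property of the location registration and location update procedures above, as an added Python sketch that is not part of the original slides. It assumes a single VLR serving every location area, a random 32-bit TMSI, and that each reallocated TMSI reaches the MS in ciphering mode, so an observer of the radio path sees only the identity sent in each Loc.Upd.Req; all names and the sample IMSI and LAI values are constructed.

```python
import secrets

class Vlr:
    """Toy VLR: TMSI -> IMSI alias table plus what the radio path shows in clear."""
    def __init__(self):
        self.imsi_by_tmsi = {}
        self.radio_log = []               # (identity sent in clear, LAI)

    def _new_tmsi(self, imsi):
        for old, owner in list(self.imsi_by_tmsi.items()):
            if owner == imsi:             # drop the previous alias
                del self.imsi_by_tmsi[old]
        tmsi = secrets.token_hex(4)
        while tmsi in self.imsi_by_tmsi:
            tmsi = secrets.token_hex(4)
        self.imsi_by_tmsi[tmsi] = imsi
        return tmsi                       # sent in ciphering mode, so not logged

    def location_registration(self, imsi, lai):
        """First contact: the MS has no TMSI yet and reports its IMSI."""
        self.radio_log.append((imsi, lai))
        return self._new_tmsi(imsi)

    def location_update(self, tmsi, lai):
        """LA change: the MS identifies itself by its current TMSI."""
        if tmsi not in self.imsi_by_tmsi:
            raise KeyError("unknown TMSI: location registration needed")
        self.radio_log.append((tmsi, lai))
        return self._new_tmsi(self.imsi_by_tmsi[tmsi])

def trackable_identities(radio_log):
    """Identities an observer of the radio path saw in more than one LA."""
    areas = {}
    for identity, lai in radio_log:
        areas.setdefault(identity, set()).add(lai)
    return {ident for ident, seen in areas.items() if len(seen) > 1}

def roam(vlr, imsi, lais, use_tmsi=True):
    """Move one MS through lais; with use_tmsi=False it sends IMSI every time."""
    tmsi = vlr.location_registration(imsi, lais[0])
    for lai in lais[1:]:
        if use_tmsi:
            tmsi = vlr.location_update(tmsi, lai)
        else:
            tmsi = vlr.location_registration(imsi, lai)
    return tmsi

SAMPLE_IMSI = "001010123456789"                    # constructed
SAMPLE_LAIS = ["LA-1", "LA-2", "LA-3", "LA-4"]     # constructed
```

Running `roam` over `SAMPLE_LAIS` and inspecting `radio_log` shows the IMSI once, at registration, followed by a different TMSI in each later location area.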
GSM: The European TDMA Digital Cellular Standard
• Handoff
Handoff is of 3 types
1. Intra BSC
2. Inter BSC
3. Inter MSC
[Figure: three BSCs, two MSCs and a GMSC.]
Handover procedures in GSM
[Figure: handover procedures across MSC-A, MSC-B and MSC-C with their BSCs and BTS 1, BTS 2 and BTS 3; the connection route is marked with numbered steps 1 to 9.]
4 types of handover
[Figure: the four handover types, numbered 1 to 4, drawn across the MSC, BSC, BTS and MS levels.]