
CS 8803 - Cellular and Mobile Network Security:
GSM - In Detail

Professor Patrick Traynor
9/27/12
Georgia Tech Information Security Center (GTISC)
Wednesday, September 26, 12
Cellular Telecommunications

Architecture

Background

Air Interfaces

Network Protocols

Application: Messaging

Research

GSM

The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications, with well over 5 billion users.
As a comparison, there are approximately 1.5 billion Internet users.

The architectures of other networks are similar, so knowing how to speak GSM will get you a long way in this space.
Wireless Signaling and Control in GSM

Common Control Channel
  Structure
  Broadcast Channels
  Channel Access from Mobile
  Procedures and Messages for Call Control

Traffic Channel
  Structure
  Handoffs
GSM Control Functions

Read System Parameters

Register

Receive and Originate Calls

Manage Handoffs

GSM Structure

[Figure: one Common Control Channel (CCCH) shared by all mobiles, plus a Traffic Channel (TCH, 13 KBps) per user in a call]

Common Control Channel (CCCH)
  Used for control information: registration, paging, call origination/termination.

Traffic Channel (TCH)
  Information transfer
  In-call control (fast/slow associated control channels)
GSM TDMA Frames

TDMA Frame: Slot 0 | Slot 1 | Slot 2 | Slot 3 | Slot 4 | Slot 5 | Slot 6 | Slot 7 (one frame = 4.615 msec)

51 Multiframe: Frame 0 | Frame 1 | Frame 2 | ... | Frame 50 (235.365 msec)
From Frames to Channels

[Figure: a 26 Multiframe (120.00 ms) built from 26 TDMA frames of 4.615 ms each; every frame carries slots 0 through 7]
GSM CCCH

Channel | Direction
Random Access Control Channel (RACH) | Reverse (MS -> BS)
Paging and Access Grant Channel (PAGCH), made up of the PCH and the AGCH | Forward (BS -> MS)
Broadcast Control Channel (BCCH) | Forward (BS -> MS)
Synchronization Channel (SCH) | Forward (BS -> MS)
Frequency Correction Channel (FCCH) | Forward (BS -> MS)
GSM CCCH Structure

TDMA Frame: Slot 0 | Slot 1 | ... | Slot 7 (one frame = 4.615 msec)
51 Multiframe: Frame 0 | Frame 1 | Frame 2 | ... | Frame 50 (235.365 msec)

Uplink: Channel Name (Frame #)
  RACH (0) ... RACH (50)

Downlink: Channel Name (Frame #)
  FCCH (0)  SCH (1)  BCCH (2-5)  PAGCH (6-9)
  FCCH (10) SCH (11) PAGCH (12-19)
  FCCH (20) SCH (21) PAGCH (22-29)
  FCCH (30) SCH (31) PAGCH (32-39)
  FCCH (40) SCH (41) PAGCH (42-49) I (50) (idle)

CCCH/RACH always uses Slot 0 of each frame; the other seven slots are for TCH.
TCH: the 26 multiframe repeats every 120 msec (the 13th and 16th frames are used by the Slow Associated Control Channel (SACCH) or are idle).
GSM: BCCH

Broadcast to all users on the CCCH

No addressing

Used to acquire system parameters, so the mobile may operate with the system.

Key parameters (contained in RR SYSTEM INFORMATION MESSAGES):
  RACH control parameters
  cell channel descriptions (frequencies)
  neighbor cells (frequencies)
  cell id
  Location Area ID (LAI)
  Control Channel description
GSM: FCCH and SCH

Keeps system synchronization
  What do you mean, synchronization?

Broadcasts Basestation ID
  Why is this useful information?
GSM: Mobile Channel Access Procedures (RACH)

MS communicates with BS over RACH
  Only initially, and it must compete for this shared resource.

Feedback provided with AGCH
  Points the user to a dedicated channel for real exchanges.

Functions:
  Responses to paging messages
  Location update (registration)
  Call origination
GSM: Paging Channel (PCH)

Used to send pages to mobile devices.
  Notifications of incoming services (e.g., voice, data, SMS)

Done at regular intervals
  Mobiles belong to a paging class
  Allows the device to sleep and conserve power

More than one mobile may be paged at a time.
GSM: RACH and Slotted ALOHA (Layer 2)

Assumptions
  all frames same size
  time is divided into equal size slots, each the time to transmit 1 frame
  nodes start to transmit frames only at the beginning of slots
  clocks are synchronized
  if 2 or more nodes transmit in a slot, all nodes detect the collision

Operation
  when a node obtains a fresh frame, it transmits in the next slot
  no collision: node successfully transmitted the frame
  collision: node retransmits the frame in each subsequent slot with prob. p until success
GSM: More Slotted ALOHA

Pros
  single active node can continuously transmit at full rate of channel
  highly decentralized: only slots in nodes need to be in sync
  simple

Cons
  collisions, wasting slots
  idle slots
  nodes may be able to detect collision in less than time to transmit packet
  clock synchronization
GSM: Slotted ALOHA Efficiency

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

Suppose N nodes with many frames to send, each transmits in a slot with probability p.
  prob that node 1 has success in a slot $= p(1-p)^{N-1}$
  prob that any node has a success $= Np(1-p)^{N-1}$

For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$.
For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, which gives $1/e = .37$.

At best: the channel has a maximum throughput of 37%!
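The efficiency argument above, carried through in code as an added example (not part of the lecture slides): the analytic success probability $Np(1-p)^{N-1}$, its maximizer $p^* = 1/N$, the $1/e$ limit, and a Monte Carlo run of the slotted ALOHA model (N always-backlogged nodes, as the slide assumes) to check the formula. Function names and the default parameters are my own choices.

```python
import math
import random


def success_prob(n, p):
    """P(exactly one of N backlogged nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def optimal_p(n):
    """Setting d/dp [N p (1-p)^(N-1)] = 0 gives p* = 1/N."""
    return 1.0 / n


def max_efficiency(n):
    """Best-case fraction of successful slots for N nodes: N p* (1-p*)^(N-1)."""
    return success_prob(n, optimal_p(n))


def efficiency_limit():
    """lim N->inf of N p* (1-p*)^(N-1) = lim (1 - 1/N)^(N-1) = 1/e."""
    return 1.0 / math.e


def simulate(n, p, slots, seed=1):
    """Monte Carlo check of the formula: N always-backlogged nodes (each has
    many frames to send), each transmitting with probability p in every slot.
    A slot is a success only when exactly one node transmits; two or more
    transmitters collide and zero transmitters leave the slot idle.
    Returns the observed fraction of successful slots."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(f"N={n:5d}  p*={optimal_p(n):.4f}  max efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {efficiency_limit():.4f}")
    print(f"analytic N=10, p=0.1: {success_prob(10, 0.1):.4f}")
    print(f"simulated N=10, p=0.1: {simulate(10, 0.1, 20000):.4f}")
```

Running it shows the best-case efficiency falling from 50% at N=2 toward 36.8% as N grows, which is the 37% ceiling the slide states.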
GSM: RACH Procedures (Layer 2)

Mobile
  sends assignment request with information

Basestation
  sends back assignment with information echoed

Creates Radio Resource (RR) connection
  Standalone Dedicated Control Channel
  May be a physical channel
  May be a traffic channel in signaling-only mode
  May eventually be bandwidth stolen from TCH (associated control channel).
Basic Flow on Air Interface

Alert phone of incoming activity
Request dedicated signaling channel
Signal
Release signaling channel
GSM Signaling

Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).
  Technically layer 3, but debatable from an OSI perspective, as application-esque things happen here.

Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS).
Time Out: Privacy?

With all of this signaling going over well-known channels, isn't there a risk of user tracking/profiling?
Think about the PCH... what is transmitted here?
GSM Registration

Types
  Power up and down
  Location Area changes (mobility)
  Periodic

User Privacy
  Mobile device may transmit real address: International Mobile Subscriber Identity (IMSI)
  Gets back a temporary id (TMSI)
    Unique to a local area
  Subsequent registrations use TMSI
GSM: Registration, High Level

Get SDCCH
RR connection established

Authenticate

Cipher

UpdateLocation

Release RR connection

GSM Registration: Gory Details

Get SDCCH
RR connection established
LOC UPD RQST
Authentication Request (RAND)
Authentication Response (SRES)
Cipher Mode
Cipher Mode Complete
LOC UPD ACC (TMSI Assigned)
TMSI RE-ALLOC Complete
Release RR connection

More details on this authentication procedure soon...
GSM: Call Termination (Receive a Call)

Page Request (TMSI)
Get SDCCH
  Channel Request
  Channel Assignment
  RR connection established
SABM (Page Response)
UA (Page Response)
Authentication and Ciphering
SETUP
Call Confirmed
Alert
Assignment Command
Assignment Complete
Connect
Connect ACK
GSM: Call Origination

Get SDCCH
  Channel Request
  Channel Assignment
  RR connection established
SABM (CM Service Req - Call Orig)
UA (CM Service Request - Call Orig)
Authentication and Ciphering
SETUP
Call Proceeding
Alert
Assignment Command
Assignment Complete
  (RR connection release)
Connect
Connect ACK
GSM: Mobile Assisted Handoff (MAHO)

[Figure: message sequence between the MSC, the Old BS and the New BS]
Measurement Report
Measurement Report
Measurement Report
Measurement Report
Handoff Order
Handoff Access
Handoff Access
Handoff Complete
Measuring Mobility-Generated Load

How do we estimate the traffic load caused by handoffs?

Simplest mobility model - assume conservation of flow and random movements at constant velocity.

Rate of boundary crossings $= \rho v L / \pi$
  $\rho$ = density of users, $v$ = velocity and $L$ is the perimeter
Practice

VLR

Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.
Assume:
  $L$ = 80 miles
  $\rho$ = 150 users/mi^2
  $v$ = 45 miles/hour
Example

Boundary crossing rate:
  $\frac{150 \times 45 \times 80}{\pi} \times \frac{1\ \text{hour}}{3600\ \text{secs}} = 48$ crossings/sec

Load on VLR from mobility is 144 operations/sec:
  updates (3): Update LA, Reg Cancel, Auth Info
Example, cont.

Assume 3 calls/user/hour (1.5 in, 1.5 out on average)
For each incoming call there is one database query (MSRN)

$\rho$ = 150 users/mi^2, $L$ = 80 miles
  each area contains 150 x (80/4)^2 = 60,000 users
  = 25 calls/second

Total Load
  25 queries/second (call related)
  144 updates/second (mobility related)

Conclusion
  mobility substantially dominates the database load
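The VLR load estimate from the practice problem and the two example slides, carried through as an added example (my code, not the lecture's): boundary crossings from the fluid-flow model, the three mobility updates per crossing, the user count of a square location area, and the MSRN query rate from incoming calls. The division by pi in the crossing rate is an assumption taken from the standard fluid-flow result; it is the factor that reproduces the slide's 48 crossings/sec from 150 users/mi^2, 45 mph and an 80-mile perimeter.

```python
import math


def boundary_crossing_rate(density, velocity, perimeter):
    """Crossings per second of a boundary of length `perimeter` (miles) by
    users of `density` (users/mi^2) moving randomly at `velocity` (miles/hour).
    Assumption: rate = rho * v * L / pi (fluid-flow model); the slide only
    shows rho * v * L and the result 48/sec, which needs the 1/pi factor."""
    per_hour = density * velocity * perimeter / math.pi
    return per_hour / 3600.0


def vlr_mobility_load(crossings_per_sec, updates_per_crossing=3):
    """Each crossing triggers Update LA, Reg Cancel and Auth Info (3 updates)."""
    return crossings_per_sec * updates_per_crossing


def users_in_area(density, perimeter):
    """A square location area with perimeter L has side L/4, so area (L/4)^2."""
    side = perimeter / 4.0
    return density * side * side


def call_query_load(users, incoming_calls_per_user_per_hour):
    """One MSRN database query per incoming call, converted to per second."""
    return users * incoming_calls_per_user_per_hour / 3600.0


def vlr_load_summary(density=150, velocity=45, perimeter=80,
                     incoming_calls_per_hour=1.5):
    """Reproduces the slides' numbers with their defaults; any other
    deployment parameters can be passed in to see which load dominates."""
    crossings = round(boundary_crossing_rate(density, velocity, perimeter))
    mobility = vlr_mobility_load(crossings)
    calls = call_query_load(users_in_area(density, perimeter),
                            incoming_calls_per_hour)
    return {
        "crossings_per_sec": crossings,          # 48
        "mobility_updates_per_sec": mobility,    # 144
        "call_queries_per_sec": calls,           # 25.0
        "mobility_share": mobility / (mobility + calls),
    }


if __name__ == "__main__":
    for key, value in vlr_load_summary().items():
        print(f"{key}: {value}")
```

The summary shows mobility accounting for roughly 85% of the VLR operations, which is the slide's conclusion that mobility dominates the database load.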
GSM: Short Messaging Service

Bi-directional

Acknowledged Service

Store-and-Forward Service

140 octets/160 characters (concatenation possible)

Uses SDCCH signaling channel

Two services - cell broadcast and point to point
  Cell broadcast exists in the standards only at this time.

Three types - user specific, ME-specific, SIM-specific
GSM: SMS Examples - Mobile Termination

Page

Page Response

SMS Delivery

GSM: SMS Examples - Mobile Termination

Page

Page Response

CP-Data (RP-Data (SMS Delivery))


CP-ACK

CP-Data (RP-ACK)

CP-ACK

Other Air Interfaces

IS-54/IS-136/D-AMPS
digital, TDMA

IS-95
digital, CDMA

CDMA2000
3G

UMTS
W-CDMA
3G

IS-54/IS-136

First North American standards

Converted traffic channels (IS-54) and control channels (IS-136) to digital.
  Phones could gracefully degrade to AMPS if neither of these networks were available.

IS-54 was the first to consider security.
  Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.
  Both algorithms were later shown to be weak.
IS-95

Code Division Multiple Access (CDMA) Transmission

Similar call processing to GSM and IS-136

1.23 MHz carriers, each with 65 sub-code channels

Operates in similar bands as AMPS/IS-136

Network Architecture: IS-95/CDMA2000

[Figure: voice path BS -> BSC -> MSC (with VLR and HLR) -> PSTN; data path BS -> RNC/PCF -> PDSN (with AAA and HA) -> Internet]

RNC/PCF
  Terminates Radio Link Protocol w/ mobiles, performs frame-selection/power control
  Performs packet and burst control functions

BSC
  Coordinates handoff for voice users
  Performs frame-selection/power control

MSC
  call control and mobility management
  interfaces to the PSTN for voice users
  provides location management and AAA functions for voice users

PDSN
  terminates PPP with clients
  provides FA support for MIP-enabled Clients

AAA
  Provides Authentication, Authorization and Accounting for Data users