GSM Communication Flow
www.huawei.com
TMSI Reallocation
Equipment Identification
HUAWEI TECHNOLOGIES CO., LTD.
Authentication
Authentication may be executed during setup, location updating
Provision of Triplets
At subscription time, each subscriber is assigned a subscriber authentication key (Ki). Ki is stored in the AUC along with the subscriber's IMSI. Both are used in the process of providing a triplet. The same Ki and IMSI are also stored in the SIM. In an AUC the following steps are carried out to produce one triplet:
1. A non-predictable random number, RAND, is generated.
2. RAND and Ki are used to calculate SRES and Kc, using two different algorithms, A3 and A8 respectively.
3. RAND, SRES and Kc are delivered together to the HLR as a triplet.
Authentication Procedure
1.
2.
3.
4.
[Figure: authentication exchange between the MSC/VLR and the MS. 1. RAND. 2. MS calculates SRES using RAND + Ki (SIM card) through A3, and Kc using RAND + Ki through A8. 3. SRES.]
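The triplet provisioning and the RAND/SRES exchange described above, as an added example that is not part of the original slides. A3 and A8 are replaced by an HMAC-SHA256 stand-in (an assumption, chosen only so the code runs), the keys are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki: bytes, rand: bytes):
    """Stand-in for A3 and A8 (assumption: HMAC-SHA256, not the real algorithms).

    Returns (SRES, Kc): a 32-bit signed response and a 64-bit cipher key,
    derived with separate labels to mirror "two different algorithms".
    """
    sres = hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]
    return sres, kc

def auc_make_triplet(ki: bytes):
    """AUC steps 1-3: generate RAND, derive SRES and Kc, return the triplet."""
    rand = secrets.token_bytes(16)  # 128-bit non-predictable challenge
    sres, kc = a3_a8_standin(ki, rand)
    return rand, sres, kc

def sim_respond(ki: bytes, rand: bytes):
    """MS side: the SIM derives SRES and Kc from the received RAND and its Ki."""
    return a3_a8_standin(ki, rand)

def vlr_authenticate(triplet, sres_from_ms: bytes) -> bool:
    """MSC/VLR side: accept only if the returned SRES equals the triplet's."""
    _rand, expected_sres, _kc = triplet
    return hmac.compare_digest(expected_sres, sres_from_ms)

def run_authentication(ki_in_auc: bytes, ki_in_sim: bytes) -> dict:
    """One exchange: RAND goes to the MS, SRES comes back, Ki never moves."""
    triplet = auc_make_triplet(ki_in_auc)
    rand, _sres, kc_network = triplet
    sres_ms, kc_ms = sim_respond(ki_in_sim, rand)
    return {
        "authenticated": vlr_authenticate(triplet, sres_ms),
        "kc_match": hmac.compare_digest(kc_network, kc_ms),
    }

# Constructed sample keys (not from the original slides).
KI_SUBSCRIBER = bytes.fromhex("00112233445566778899aabbccddeeff")
KI_WRONG = bytes.fromhex("ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    print(run_authentication(KI_SUBSCRIBER, KI_SUBSCRIBER))
    print(run_authentication(KI_SUBSCRIBER, KI_WRONG))
```

A SIM holding a different Ki fails the SRES comparison and also ends up with a different Kc, so it could not follow the ciphered channel even if the comparison were skipped.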
Ciphering Procedure
Confidentiality means that user information and signaling exchanged between BTSs and MSs is not disclosed to unauthorized individuals, entities or processes.
A ciphering sequence is produced using Kc and the TDMA frame number as inputs to the encryption algorithm A5. The purpose of this is to ensure privacy of user information (speech and data) as well as user-related signaling elements.
In order to test the ciphering procedure, a sample of information must be used. For this purpose the actual ciphering mode command (M) is used.
1. M and Kc are sent from the MSC/VLR to the BTS.
2. M is forwarded to the MS.
3. M is encrypted using Kc (calculated earlier with SRES in the authentication procedure) and the TDMA frame number, which are fed through the encryption algorithm, A5.
4. The encrypted message is sent to the BTS.
5. Encrypted M is decrypted in the BTS using Kc, the TDMA frame number and the decryption algorithm, A5.
6. If the decryption of M was successful, the ciphering mode completed message is sent to the MSC. All information over the air interface is ciphered from this point on.
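Steps 3 to 6 of the ciphering test, as an added example that is not part of the original slides. A5 is replaced by an HMAC-SHA256 keystream stand-in (an assumption, not a real A5 variant); M, the Kc values and the function names are constructed for illustration.

```python
import hashlib
import hmac

BURST_BITS = 114  # A5 yields one 114-bit keystream block per direction per frame

def a5_standin_keystream(kc: bytes, frame_no: int) -> int:
    """Stand-in for A5 (assumption: HMAC-SHA256, not a real A5 variant)."""
    fn = frame_no.to_bytes(3, "big")  # TDMA frame number, encoded in 3 bytes
    block = hmac.new(kc, b"A5" + fn, hashlib.sha256).digest()
    return int.from_bytes(block, "big") >> (256 - BURST_BITS)

def cipher(bits: int, kc: bytes, frame_no: int) -> int:
    """XOR with the keystream; the same operation encrypts and decrypts."""
    return bits ^ a5_standin_keystream(kc, frame_no)

def ciphering_mode_check(m: int, kc_ms: bytes, kc_bts: bytes,
                         frame_ms: int, frame_bts: int) -> bool:
    """Steps 3-6: the MS encrypts M, the BTS decrypts and compares with M."""
    encrypted_m = cipher(m, kc_ms, frame_ms)              # step 3, in the MS
    decrypted_m = cipher(encrypted_m, kc_bts, frame_bts)  # step 5, in the BTS
    return decrypted_m == m                               # step 6 proceeds only if True

# Constructed sample values (not from the original slides).
M = int.from_bytes(b"CIPHER MODE", "big")  # stands in for the command M
KC = bytes.fromhex("0123456789abcdef")     # 64-bit Kc from authentication
KC_OTHER = bytes.fromhex("fedcba9876543210")

if __name__ == "__main__":
    print(ciphering_mode_check(M, KC, KC, 1000, 1000))        # matching Kc and frame
    print(ciphering_mode_check(M, KC, KC_OTHER, 1000, 1000))  # Kc mismatch
    print(ciphering_mode_check(M, KC, KC, 1000, 1001))        # frame number mismatch
```

The check fails when either input differs between the two ends, which is why the BTS needs both the Kc delivered in step 1 and frame synchronisation with the MS.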
[Figure: Ciphering Procedure. Entities named: MSC/VLR, MS. Labels: 1. M+Kc; 2. M; 3. Encrypt M (encryption process using A5, inputs Kc and TDMA frame no.); 4. Encrypted M (Mc); 5. Decryption of M successful? (decryption process using A5, inputs Kc and TDMA frame no.); 6. If yes, Ciphering mode complete.]
[Figure: authentication and ciphering sequence. Entities named: BSS, MSC, VLR, HLR. Labels in order: RAND; RAND; (SRES); 4 Start Ciphering; 5 Cipher Mode Command; Cipher Mode Complete. Channel shown: <SDCCH>.]
TMSI Reallocation
The Temporary Mobile Subscriber Identity (TMSI) is a temporary IMSI number made known to an MS at registration. It is used to protect the subscriber's identity on the air interface. The TMSI has local significance only (that is, within the MSC/VLR area) and is changed at time intervals or when certain events occur, such as location updating. Every operator can choose the TMSI structure, but it should not consist of more than 8 digits.
[Figure: TMSI reallocation between MS and VLR. Label: (TMSI).]
EIR Function
Equipment Identification Procedure
The equipment identification procedure uses the identity of the equipment itself (IMEI) to ensure that the MS terminal equipment is valid.
1. The MSC/VLR requests the IMEI from the MS.
2. The MS sends the IMEI to the MSC.
3. The MSC/VLR sends the IMEI to the EIR.
4. On reception of the IMEI, the EIR examines three lists:
   A white list containing all number series of all equipment identities that have been allocated in the different participating GSM countries.
   A black list containing all equipment identities that have been barred.
   A gray list (on operator level) containing faulty or non-approved mobile equipment.
5. The result is sent to the MSC/VLR, which then decides whether or not to allow network access for the terminal equipment.
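Steps 4 and 5 of the equipment identification procedure, as an added example that is not part of the original slides. The list contents are constructed, and three things are assumptions made here: a white-list "number series" is modelled as an 8-digit IMEI prefix, black takes precedence over gray and gray over white, and the MSC/VLR policy shown is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Eir:
    """Toy EIR with the three lists from step 4 (contents are constructed)."""
    white_series: set = field(default_factory=set)  # allocated number series, as 8-digit prefixes
    black: set = field(default_factory=set)         # barred equipment identities
    gray: set = field(default_factory=set)          # faulty or non-approved equipment

    def check_imei(self, imei: str) -> str:
        """Step 4: classify an IMEI; black wins over gray, gray over white (assumed order)."""
        if not (imei.isascii() and imei.isdigit() and len(imei) == 15):
            return "invalid"
        if imei in self.black:
            return "black"
        if imei in self.gray:
            return "gray"
        if imei[:8] in self.white_series:
            return "white"
        return "unknown"

def msc_vlr_decide(status: str) -> str:
    """Step 5: the MSC/VLR turns the EIR result into an access decision.

    Hypothetical operator policy: white is allowed, gray is allowed but
    logged for follow-up, everything else is barred.
    """
    return {"white": "allow", "gray": "allow-and-log"}.get(status, "bar")

# Constructed sample data (not real equipment identities).
EIR = Eir(
    white_series={"12345678"},
    black={"123456780000011"},
    gray={"123456780000029"},
)

if __name__ == "__main__":
    for imei in ("123456780000037", "123456780000011",
                 "123456780000029", "999999990000001", "12345678"):
        status = EIR.check_imei(imei)
        print(imei, status, msc_vlr_decide(status))
```

The second sample IMEI belongs to a white-listed series but is individually barred, which is the case the precedence order exists for.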
[Figure: equipment identification. Entities named: MSC/VLR, EIR. Labels: 1. IMEI Request; 2. IMEI; 3. Check IMEI; 4. Access/Barring info.]
Equipment Identification
[Figure: equipment identification sequence. Entities named: MS, BSS, MSC. Labels in order: 1 Equipment ID Request; 2 ID Response (IMEI); 3 Check IMEI; Check IMEI Response. Channel shown: <SDCCH>.]
[Figure: call setup sequence. Entities named: BSS, MSC, VLR, HLR, PSTN. Labels in order: 1 CHANNEL REQUEST; DCCH ASSIGN; SIGNALING LINK ESTABLISHED; 2 REQ. FOR SERVICE; CR; CC; 3 AUTHENTICATION; SET Cipher MODE; 4 SET-UP; SFOC; Call Info; 5 EQUIP. ID REQ.; 6 COMPLETE CALL; CALL PROCEEDING; circuit; MS hears ring tone from land phone; 9 Answer (ANS), Connect; Ring tone stops; 10 Connect Acknowledge; BILLING STARTS; HELLO! Channels shown: <RACH>, <AGCH>, <SDCCH>, <FACCH>, <TCH>.]
[Figure: call sequence involving the GMSC and PSTN. Entities named: BSS, MSC, VLR, HLR, GMSC, PSTN. Labels in order: (MSISDN); (MSISDN); (MSRN); (MSRN); (MSRN); 4 Send Info For I/C Call Setup (MSRN); 5 Page; Paging Request (TMSI); DCCH Assign; Signaling Link Established; Page Response; CR (TMSI); *Authentication; (TMSI & Status); (Status); 7 Complete Call Setup <TMSI>; 8 Call Confirmation; Ring Tone at the land phone; (channel); (circuit); Alert; Address Complete; 10 Connect; Ringing stops at land phone; Subscriber picks up; Connect ACK; ANS; Billing starts; Hello... Channels shown: <PCH>, <RACH>, <AGCH>, <SDCCH>, <FACCH>, <TCH>.]
a location update.
Location Update
IMSI Attach
Saves the network from paging an MS which is not active in the system.
When MS is turned off or SIM is removed the MS sends a detach signal to the
period of time.
This time ranges from 0 to 255 deci-hours.
Periodic location timer value is broadcast on BCCH sys info messages.
Intra-VLR Location Update Sequence
Inter-VLR Location Update Sequence
[Figure: intra-VLR location update sequence. Entities named: BSS, MSC, VLR, HLR. Channels shown: <RACH>, <AGCH>, <SDCCH>; <TMSI> appears twice. Note on the figure: Only sent to HLR if this is the first time the MS has Location Updated in this VLR.]
[Figure: inter-VLR location update sequence using the IMSI. Entities named: BSS, MSC, VLRn, HLR, VLRo. Labels in order: 1 Channel Request; DCCH Assign; 2 Location Update Request (LAI & IMSI); 3 Authentication Para. Req; Authentication & Ciphering; 7 Clear Command; Clear Complete. Channels shown: <RACH>, <AGCH>, <SDCCH>.]
[Figure: inter-VLR location update sequence using the TMSI. Entities named: BSS, MSC, VLRn, HLR, VLRo. Labels in order: 1 Channel Request; DCCH Assign; 2 Location Update Request (LAI & TMSI); TMSI&LAIO; 3 Provide Identification; Provide Identification Ack (TMSI, IMSI, KC, R, S); 5 Cancellocation; Cancellocation Ack; 6 Forward New TMSI; Location Update Accept; TMSI Reallocate Complete; TMSI ACK; 7 Clear Command; Clear Complete. Channels shown: <RACH>, <AGCH>, <SDCCH>.]
MO SMS Transfer
[Figure: MO SMS transfer sequence. Entities named: MS, BSS, MSC, VLR, Interworking MSC, SC. Labels in order: 1 CHANNEL REQUEST; DCCH ASSIGN; SIGNALING LINK ESTABLISHED; 2 REQ. FOR SERVICE; CR; CC; 3 AUTHENTICATION; SET Cipher MODE; 4 RP_MO_DATA; SIF_MO_SMS; SIF_MO_SMS-Ack; 5 MO_Forward_SM (SC_No.); Short_Message; Short_Message_Ack; MO_Forward_SM_Ack; 6 RP_ACK; "Send Successfully" is displayed on the mobile. Channels shown: <RACH>, <AGCH>, <SDCCH>.]
MT SMS Transfer
For Forwarding a Short Message
[Figure: MT SMS transfer sequence, single message. Entities named: SC, Gateway MSC, HLR, Servicing MSC, VLR. Labels in order: 1 Short Message; SRI_For_SM; SRI_For_SM_Ack; MT_Forward_SM; 2 SIF_MT_SMS; Page; Page Request; 3 Paging Response; Authentication and Ciphering; 4 Short_Message; Short_Message_Ack; MT_Forward_SM_Ack; Short_Message_Ack.]
[Figure: MT SMS transfer sequence, more messages to send. Entities named: SC, Gateway MSC, HLR, Servicing MSC, VLR. Labels in order: 1 Short Message; SRI_For_SM; SRI_For_SM_Ack; MT_Forward_SM; MT_Forward_SM (The More message To Send Flag is True); 2 SIF_MT_SMS; Page; Paging Request; 3 Paging Response; Authentication and Ciphering; 4 Short_Message; Short_Message_Ack; MT_Forward_SM_Ack; Short_Message_Ack; 5 Short_Message; MT_Forward_SM; MT_Forward_SM (The More message To Send Flag is False); Short_Message; Short_Message_Ack; MT_Forward_SM_Ack; Short_Message_Ack.]
Handover Sequence
Inter-BSS handover sequence
Inter-MSC handover sequence
[Figure: inter-BSS handover sequence. Entities named: MS, nBSS, MSC. Labels in order: 1 Periodic Measurement reports; 2 Handover required; 3 Handover Request; HO Ref. No.; 7 Handover Complete; 8 Clear Command; 9 Periodic Meas. reports. Channels shown: <SACCH>, <FACCH>.]
Inter-MSC handover
[Figure: inter-MSC handover. Entities named: MSCA, MSCB, VLRB. Labels in order: 1 PrepareHandover; 2 Allocate HandoverNo.; 3 Send Handover Report; 4 PrepareHandover_Ack; 5 Send HO Report_Ack; 6 Initial Address Message; Address Completed; Answer.]
[Figure: inter-MSC handover, continued. Entities named: MSC/VLRA, MSC/VLRB, HLRA. Labels in order: 9 SendAuth. Info; Auth Info; Update Location; InsertSubs.Data; InsertSubs.Data_Ack; UpdateLocation_Ack; Cancellocation; Cancellocation_Ack.]
[Figure: handover sequence with PrepareSubsequentHOV. Entities named: HLRA, MSC/VLRB, MSC/VLRC. Labels in order: 1 PrepareSubsequentHOV; PrepareHandover; PrepareHandover; PrepareSubsequentHOV; 2 Initial and Final Address Message; Address Complete; Answer; 3 RLS; RLC; 4 ForwardAccessSignal; ProcessAccessSignal; 5 RLS; RLC; 6 SendEndSignal; SendEndSignal_Ack; 7 Location Update.]
Summary
1. GSM Security Management
2. GSM Basic Call Sequence
3. Location Update Sequence
4. SMS Sequence
5. Handover Sequence