02 gsm hscsd_gprs

33
GSM (Global System for Mobile Communications) and Extensions Mobile Communication and Mobile Computing Prof. Dr. Alexander Schill http://www.rn.inf.tu-dresden.de Department of Computer Science Institute for System Architecture, Chair for Computer Networks

Transcript of 02 gsm hscsd_gprs

Page 1: 02 gsm hscsd_gprs

GSM (Global System for Mobile Communications) and Extensions

Mobile Communication and Mobile Computing

Prof. Dr. Alexander Schill

http://www.rn.inf.tu-dresden.de

Department of Computer Science Institute for System Architecture, Chair for Computer Networks

Page 2: 02 gsm hscsd_gprs

GSM: Properties

• cellular radio network (2nd Generation)

• digital transmission, integrated data communication

• roaming (mobility between different network operators)

• good transmission quality (error detection and -correction)

• scalable (large number of participants possible)

• security mechanisms (authentication, authorization, encryption)

• good resource use (frequency and time division multiplex)

• integration with fixed telephone network

• standard (ETSI, European Telecommunications Standards Institute)

2

Page 3: 02 gsm hscsd_gprs

GSM: Structure

3

AuC Authentication Center BSS Base Station Subsystem BSC Base Station Controller BTS Base Transceiver Station

EIR Equipment Identity Register

HLR Home Location Register

Fixed network Switching Subsystems

VLR

Radio Subsystems

HLR AuC EIR

(G)MSC

OMC

BTS

BTS BSC

BSS

MS

MS

Network Management

Call Management

Data networks

PSTN

MS

MS Mobile Station (G)SMC (Gateway) Mobile Switching Center OMC Operation and Maintenance Center PSTN Public Switched Telephone Network VLR Visitor Location Register

Page 4: 02 gsm hscsd_gprs

GSM: Structure

• Operation and Maintenance Center (OMC)

• logical, central structure with HLR, AuC und EIR

• Authentication Center (AuC)

• authentication, storage of symmetrical keys, generation of encryption keys

• Equipment Identity Register (EIR)

• storage of device attributes of allowed, faulty and blocked devices (white, gray, black list)

• Mobile Switching Center (MSC)

• networking center, partially with gateways to other networks, assigned to one VLR each

• Base Station Subsystem (BSS): technical radio center

• Base Station Controller (BSC): control center

• Base Transceiver Station (BTS): radio tower / antenna

4

Page 5: 02 gsm hscsd_gprs

GSM: Protocols, incoming call

5

VLR

BSS

BSS MSC GMSC

HLR BSS

BSS

(4)

(2) (4)

(5)

(3)

(10)

(6)

(11)

(7) (8)

(8)

(9)

(12)

(8)

(1)

(12)

(9)

(8) PSTN/ ISDN

(1) Call from fixed network was switched via GMSC

(2) GMSC finds out HLR from phone number

(3) HLR checks whether participant is authorized for corresponding service and asks for MSRN at the responsible VLR

(4) MSRN will be returned to GMSC, can now contact responsible MSC

Page 6: 02 gsm hscsd_gprs

GSM: Protocols, incoming call

6

VLR

BSS

BSS MSC GMSC

HLR BSS

BSS

(4)

(2) (4)

(5)

(3)

(10)

(6)

(11)

(7) (8)

(12)

(1)

(12)

(9)

(8) PSTN/ ISDN

(5) GMSC transmits call to current MSC

(6) Ask for the state of the mobile station

(7) Information whether end terminal is active

(8) Call to all cells of the Location Area (LA)

(9) Answer from end terminal

(10 - 12) Security check and connection setup

(8)

(9)

(8)

Page 7: 02 gsm hscsd_gprs

GSM: Protocols, outgoing call

7

VLR

BS

S BSS MSC GMSC

HLR BSS

(5)

(3) (4)

(2) (1)

(1) Connection request

(via random access channel, possible collision handling)

(2) Transfer by BSS

(3-4) Authorization control

(5) Switching of the call request to fixed network

Page 8: 02 gsm hscsd_gprs

Radio structure

8

1 TDMA-Slot, 144 Bit in 4,615 ms

8 TDMA-channels, together 271 kBit/s including error protection information

124 radio frequency channels (carrier), each 200 kHz

2 frequency bands, each 25 MHz, divided into radio cells

890

935

915 MHz

960 MHz

downlink

uplink

• One or several carrier frequencies per BSC

• Physical channels defined by number and position of time slots

Page 9: 02 gsm hscsd_gprs

GSM: channel structure

Traffic Channel

• Full-rate codec (13 kbit/s; differential encoding)

• Half-rate codec: more efficient speech encoding at 7 kbit/s (two phone calls per time slot can be encoded)

Paging Channel

• Signalize incoming calls (BSC to MS)

(Broadcast) Control Channel

• Allocation of identity, frequency order etc. (BSC to MS)

• Monitoring of BSCs for recognition of handover

Random Access Channel

• Control of channel entry with Aloha-procedure for collision handling between competing participants (MS to BSC)

9

Page 10: 02 gsm hscsd_gprs

Databases

Home Location Register (HLR), stores data of participants which are registered in an HLR-area

• Semi-permanent data: Call number (Mobile Subscriber International ISDN Number) - MSISDN,

e.g. +49/171/333 4444 (country, network, number)

Identity (International Mobile Subscriber Identity) - IMSI: MCC = Mobile Country Code (262 for .de) + MNC = Mobile Network Code (01-T-Mobile, 02-Vodafone, 03-eplus, 07-O2) + MSIN = Mobile Subscriber Identification Number

Personal data (name, address, mode of payment)

Service profile (call transfer, roaming-limits etc.)

• Temporary data: MSRN (Mobile Subscriber Roaming Number) (country, network, MSC)

VLR-address, MSC-address

Authentication Sets of AuC (RAND (128 Bit), SRES (128 Bit), KC (64Bit))

Billing data

10

Page 11: 02 gsm hscsd_gprs

Databases

Visitor Location Register (VLR)

local database of each MSC with following data:

• IMSI, MSISDN

• Service profile

• Billing and accounting information

• TMSI (Temporary Mobile Subscriber Identity) - pseudonym for data security

• MSRN

• LAI (Location Area Identity)

• MSC-address, HLR-address

11

Page 12: 02 gsm hscsd_gprs

Location Area: Concept

12

MSC-area

HLR

VLR

Location

area advantage of the architecture: Location Update in case of limited mobility only at VLR, rarely at (perhaps very remote) HLR

Page 13: 02 gsm hscsd_gprs

Localization with GSM

13

participant call number in HLR

country code

Network provider

Internal area

+49 (0)177-26 32311

LA 5

LA 3 LA 2

LA 3

0x62F220 01E5 e.g.

VLR 10 VLR 9 IMSI LA 2

HLR 1 32311 VLR 9 IMSI

Page 14: 02 gsm hscsd_gprs

Data transmission

• Each GSM-channel configurable as data channel • Kinds of channels:

non-transparent (repeat of faulty data frames; very low error rate, but also very low throughput below 10 kbit/s)

transparent (only very simple forward error correction; slightly higher data rate; error rate 10-3 up to 10-4)

in practice, only faster extensions like GPRS, UMTS and LTE are used (explained later)

Speech channels have higher priority than data channels

• Short-Message-Service (SMS) connectionless transmission (up to 160 Byte) on signaling

channel

• Cell Broadcast (CB) connectionless transmission (up to 80 Byte) on signaling

channel to all participants in one cell or location area, e.g. for location based services; further refinement: triangulation-based location check like in global positioning system (GPS)

14

Page 15: 02 gsm hscsd_gprs

Data transmission - structure

15

MSC BSC

BTS

IWF

Modem

PSTN

Internet

Modem TA

ISDN

IWF - Inter Working Function

TA - Terminal Adapter

Page 16: 02 gsm hscsd_gprs

Security aspects: Subscriber Identity Module (SIM)

• Chip-card (Smart Cart) to personalize a mobile subscriber (MS):

• IMSI (International Mobile Subscriber Identity)

• symmetric key Ki of participant, stored also at AuC

• algorithm “A3” for Challenge-Response-Authentication

• algorithm “A8” for key generation of Kc for content data

• algorithm “A5” for encryption

• PIN (Personal Identification Number) for access control

• Temporary data:

• TMSI (Temporary Mobile Subscriber Identity) - pseudonym

• LAI (Location Area Identification)

• Encryption key Kc

16

Page 17: 02 gsm hscsd_gprs

Security aspects: Authentication

17

MSC, VLR, AuC MS

Authentication Request

RAND (128 Bit)

Random number generator

A3

SRES

SRES (Signed Response; 32 Bit)

A3

Authentication Response =

• Location Registration

• Location Update with VLR-change

• Call setup (in both directions)

• SMS (Short Message Service)

128 Bit

iK

iK

Page 18: 02 gsm hscsd_gprs

Security aspects: Session Key

18

Network

MS

Authentication Request

RAND (128 Bit)

A8

A8

64 Bit or 128 Bit

cK• Key generation: Algorithm A8

– Stored on SIM and in AuC

– one way function parameterized with Ki

– no global standard, can differ between countries

– can be determined by network operator

– Interfaces are standardized

iK

Random number generator

cK

iK

Page 19: 02 gsm hscsd_gprs

Security aspects: Encryption

19

Net MS

Ciphering Mode Command

A5 A5

• Data encryption with algorithm A5:

– stored in the Mobile Station

– standardized in Europe and world wide

– enhancement: A5/3 with improved security and 128 Bit key length

cKTDMA-frame- number

TDMA-frame- number

Key block

+ Plain text block

+

Plain text block

Ciphering Mode Complete

Encrypted Text

114 Bit

cK

Page 20: 02 gsm hscsd_gprs

GSM-Security: assessment

• low key length Ki with max. 128 Bit (could be hacked by using Brute Force Attack in less than an hour using a regular computers as documented recently again)

• key generation and -administration not controlled by the participants (symmetric: network operator knows all keys)

• cryptographic methods secret, so they were not „well examined“ (but A5/3 and other enhancements open now)

• no mutual authentication; attacker can pretend a GSM-Net

• no end-to-end encryption or end-to-end authentication

20

Page 21: 02 gsm hscsd_gprs

HSCSD: High Speed Circuit Switched Data

• GSM extension for higher data rates

• parallel usage of several time slots (TS) of one frequency on Um (air interface)

• channel bundling with asymmetric transmission

(1 TS Uplink / 3 TS or 4 TS Downlink)

• Data rates up to 4 * 14,4 kbit/s = 57,6 kbit/s

(theoretically 8 time slots, but limited bundling in practice)

21

Page 22: 02 gsm hscsd_gprs

HSCSD: structure

22

BTS

IWF - Inter Working Function

TA - Terminal Adapter

n time slots of each TDMA frame

(theoretically max. 8)

MSC BSC IWF

Modem

PSTN

Internet

Modem TA

ISDN

Page 23: 02 gsm hscsd_gprs

HSCSD: changes

23

Um Abis A

MSC BSC BTS

n time slots of each TDMA frame

(theoretically max. 8)

certain changes are necessary at the component

several changes of the software/firmware

minimal changes of the software/firmware

multiplex of the time slots on each 64 kBit/s

channel

Page 24: 02 gsm hscsd_gprs

HSCSD radio interface

• parallel usage of several time slots limited to one frequency, in half-duplex mode due to technical limitations of the end devices

• Cost factor limits number of used TS to (2+2) or (1+3, uplink, downlink); (1+4) with improved timing

24

Required time for setting to receiving mode

7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0

4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5

Required time for setting to transmission mode

Required time for signal strength measure and setting to receiving mode

MS RECEIVE

MS TRANSMIT

MS MONITOR

Page 25: 02 gsm hscsd_gprs

Assessment of HSCSD

+ existing network structure and accounting model maintained; only small changes were necessary

+ HSCSD is still circuit switched

+ has defined QoS-settings (data rate, delay)

one logical channel will be established on all interfaces for the time of the connection (inefficient)

badly suited for burst-like traffic (Internet) or Flat Rate billing (Logistics)

Only limited international acceptance (Roaming!)

• also uses more resources on the radio interface

problems with handover into a new cell

25

Page 26: 02 gsm hscsd_gprs

GPRS: General Packet Radio Service

• GSM extension based on packet switching service

(end-to-end) and channel bundling based on multiple time slots

• Data rates up to 171,2 kbit/s (theoretical) – in practice however similar to HSCSD

• Effective and flexible administration of the radio interface; adaptive channel encoding

• Internetworking with IP networks standardized

• Dynamic sharing of resources with „classical“ GSM speech services

• Advantage: Billing and Accounting according to data volume

26

Page 27: 02 gsm hscsd_gprs

GPRS: Structure

27

MSC BSC

BTS Internet

HLR

GSM

GPRS Backbone Frame Relay / ATM

GGSN

GGSN SGSN

Border Gateway

GPRS Nets other

operators

other packet switching networks

SGSN - Serving GPRS Support Node

GGSN - Gateway GPRS Support Node

signalization data

user data

Page 28: 02 gsm hscsd_gprs

GPRS: Changes

28

GMSC

Circuit switched traffic

HLR/AuC GPRS register

MAP

MAP A

GGSN

Abis

Gb

Gn Gi

other packet switched networks

public fixed networks

Packet switched traffic

Gs

Um

n time slots (TS) per

TDMA frame (theoretically max. 8)

per packet!

modified network components

new components or extensively modified components

Existing components

PCU - Packet Control Unit

SGSN

MSC

BSC BTS

PCU

Page 29: 02 gsm hscsd_gprs

MAP Signalization (SGSN)

MAP Signalization

(GGSN)

Tasks: SGSN, GGSN

29

SGSN: - packet delivery - mobility management - session management - QoS - Security - Billing

External Data Domain

Intranet

SGSN

HLR

Internet

BSS PCU

BSS PCU

BSS PCU

Client

GGSN

Client

Server

SGSN, GGSN: - Routing and Signalization - Mapping to PDP (Packet Data Protocol) - Address conversion (IP to GSM) - Resource management

SGSN

Page 30: 02 gsm hscsd_gprs

Quality of Service

• QoS profile agrees service parameters inside the whole network for the duration of PDP (Packet Data Protocol) context (session):

temporary address (IP) for mobile station

tunneling information, among others GGSN, which is used for access to corresponding packet switched network

type of the connection

QoS profile

• QoS profile commits:

precedence class, priority against other services (high, normal, low)

packet delay class, times valid for traffic inside the GPRS network

reliability class

peak throughput class

mean throughput class 30

Page 31: 02 gsm hscsd_gprs

Quality of Service: Examples

31

Packet delay classes

Error classes

GPRS data rates

(only CS-1 and CS-2 comprise reasonable error correction and are relevant in practice)

Coding # of timeslots

Scheme 1 2 3 4 5 6 7 8

CS-1 9,05 18,1 27,15 36,2 45,25 54,3 63,35 72,4

CS-2 13,4 26,8 40,2 53,6 67 80,4 93,8 107,2

CS-3 15,6 31,2 46,8 62,4 78 93,6 109,2 124,8

CS-4 21,4 42,8 64,2 85,6 107 128,4 149,8 171,2

Probability for

Class Lost packet Duplicated p. Out of Sequence p. Corrupted p.

1 10-9 10-9 10-9 10-9

2 10-4 10-5 10-5 10-6

3 10-2 10-5 10-5 10-2

Size: 128 octets Size: 1024 octets

Class Mean Delay 95% Delay Mean Delay 95% Delay

1 (predicitive) < 0,5 s < 1,5 s < 2 s < 7 s

2 (predicitive) < 5 s < 25 s < 15 s < 75 s

3 (predicitive) < 50 s < 250 s < 75 s < 375 s

4 (best effort) Best effort

Page 32: 02 gsm hscsd_gprs

Assessment of GPRS

+ An up to four times higher data rate in comparison to ordinary GSM data services

+ better resource management through packet switched service

+ „always on” data service (email, etc.)

+ GPRS is a more suitable carrier for the mobile Internet

- IP-derivate, no true service guarantees (QoS)

- GPRS does not provide the data rates that advertising has sometimes promised, therefore most operators migrated to UMTS and LTE where possible, e.g. in urban areas

32

Page 33: 02 gsm hscsd_gprs

Some further readings

• ETSI standards (GSM etc.) in general:

www.etsi.org

• GSM, HSCSD, GPRS: good overviews on www.wikipedia.org

• GPRS tutorial:

www.telecomspace.com/datatech-gprs.html

• SMS tutorial:

www.developershome.com/sms/

33