mobile communications chapter 4: wireless telecommunication...
Post on 29-Aug-2020
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.1
Mobile Communications
Chapter 4: Wireless Telecommunication Systems
• Market
• GSM
  • Overview
  • Services
  • Sub-systems
  • Components
• GPRS
• DECT: Not a part of this course!
• TETRA: Not a part of this course!
• W-CDMA (rel 99), IMT2000

The GSM family

It all started like this
The first car mounted radio telephone – 1921
1946 – First commercial mobile radio-telephone service by Bell and AT&T in Saint Louis, USA. Half duplex.
1973 – First handheld cellular phone – Motorola.
1978 – First cellular net in Bahrain
1979 – NMT at 450 MHz (Scandinavian countries)
1992 – Start of GSM

But what’s cellular?
[Figure: cellular network elements BS, MSC, PSTN and HLR, VLR, AC, EIR]

Basic Definitions
• Forward Link, Downlink, Downstream
  • The path from the network or base station to the mobile
  • GSM terminology uses “Downlink”
  • CDMA, AMPS and TDMA use “Forward Link”
  • Most wireline technologies use “Downstream”
• Reverse Link, Uplink, Upstream
  • The path from the mobile to the network or base station
  • GSM terminology uses “Uplink”
  • CDMA, AMPS and TDMA use “Reverse Link”
  • Most wireline technologies use “Upstream”

Duplex Techniques
[Figure: forward and reverse links over frequency channels and time, for FDD and TDD; labelled systems: GSM, UMTS]
Frequency Division Duplex (FDD), Time Division Duplex (TDD)

GSM
Group Special Mobile
Global System for Mobile Communications
• 1982 The GSM group was formed
• 1986 Field trials in France
• 1987 TDMA was chosen as access method
• 1988 Memorandum of understanding - 18 countries
• 1991 Phase I specifications published
• 1990 GSM specifications ported to DCS 1800
• 1992 Official commercial launch of GSM in Europe
• 1995 GSM specifications ported to PCS 1900
• 2000 Responsibility for GSM Standard transferred to 3GPP (3rd Generation Partnership Project)

GSM frequency bands
• 900 MHz
  • 890-915 MHz Uplink
  • 935-960 MHz Downlink
  • 2*25 MHz Bands
  • 45 MHz Duplex Spacing
  • 125 carriers
• 1800 MHz
  • 1710-1785 MHz Uplink
  • 1805-1880 MHz Downlink
  • 2*75 MHz Bands
  • 95 MHz Duplex Spacing
  • 375 carriers
• 1900 MHz (North America)
  • 1850-1910 MHz Uplink
  • 1930-1990 MHz Downlink
  • 2*60 MHz Bands
  • 80 MHz Duplex Spacing
  • 300 carriers

SYSTEM ARCHITECTURE
[Figure: GSM system architecture with MS, BTS, BSC, MSC, GMSC, HLR, VLR, AUC, EIR and OMC, and the PSTN, ISDN and PLMN]
• AUC: AUthentication Center
• OMC: Operation and Managing Center
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• EIR: Equipment Identity Register
• GMSC: Gateway MSC
• HLR: Home Location Register
• MS: Mobile Station
• MSC: Mobile Switching Center
• VLR: Visiting Location Register
GSM is a PLMN (Public Land Mobile Network)

GSM Mobile Communications
[Figure: network elements MS (with SIM), BTS, BSC, MSC (VLR optional), GMSC, HLR, VLR, EIR, AUC and PSTN/ISDN, with the interfaces Um, Abis, Asub, A and SS7]

GSM: elements and interfaces
[Figure: GSM elements grouped into RSS (radio cells with MS, BTS and BSC forming the BSS), NSS (MSC, GMSC, IWF, HLR, VLR) and OSS (EIR, AUC, OMC); interfaces Um, Abis, A and O; signaling links; connections to ISDN, PSTN and PDN]

GSM Mobile Communications
[Figure: GSM 900 spectrum on an 860 to 970 MHz axis, with uplink and downlink bands for P-GSM (25 MHz each), E-GSM (10 MHz more) and R-GSM (4 MHz more)]
*) several other systems:
• Cordless Telephone CT1, CT1+, CT2
• Telemetry / Telecommand
• Terrestrial Trunked Radio (TETRA)
• Digital Satellite System Receiver (DSSR)
Uplink / Downlink duplex distance: 45 MHz

GSM Mobile Communications
[Figure: spectrum on a 1700 to 2250 MHz axis showing the GSM 1800 uplink and downlink bands (75 MHz each), DECT, and UMTS bands numbered 1 to 3]
1: Time Division Duplex (TDD)
2: Frequency Division Duplex (FDD)
3: Mobile Satellite System (MSS)
Uplink / Downlink duplex distance: 95 MHz

GSM Mobile Communications
[Figure: cell clusters for K = 3, K = 7 and K = 12, with cell radius R and repeating distance D marked]
R: cell radius
K: cluster size
D: repeating distance

GSM: cellular network
[Figure: segmentation of the area into cells, showing the possible radio coverage of a cell and the idealized shape of the cell]
• use of several carrier frequencies
• not the same frequency in adjacent cells
• cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
• hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
• if a mobile user changes cells: handover of the connection to the neighbor cell

MACRO, MICRO AND PICO CELLS
By using small macro cells in combination with Tighter Frequency Reuse and a micro cellular overlay, the capacity of a standard 4/12 reuse cellular network with 7.5 MHz available spectrum can be increased eight-fold. The micro cellular network operates in a segmented frequency and from the nearby macro cells and provides the additional benefit of coverage redundancy.
GSM Mobile Communications
[Figure: frequency band between fL and fU with guard bands, divided into radio frequency channels f1, f2, ..., fk, ..., fN of bandwidth B = 200 kHz; each channel is divided in time into frames of 8 time slots (0 to 7), slot length T ≈ 577 µs]

TDMA: FRAME
[Figure: TDMA frame of 8 time slots (0 to 7) carrying traffic channels; frame length 4.613 ms, slot length 0.579 ms]
• A slot lasts for a duration of 156.25 bit times
• The slot lasts 15/26 ms=579.9 micro s
• so a frame takes 4.613 ms
GSM Radio Interface Um
[Figure: power p(t) over time t for one burst in a time slot (slots 0 to 7 on carriers f1, f2)]
• 156.25 Bits in 576.923 µs (3.6923 µs/Bit)
• Useful part: 3 Tail Bits, 2 x 58 Encrypted Bits, 26 Training Bits, 3 Tail Bits
• 8.25 Bits Guard Period
• Tail Bits: set to zero; can be used to enhance the receiver performance

GSM Radio Interface Um
Structure of Normal Burst
• 2 x 3 Tail Bits (TB)
• 2 x 58 Encrypted Bits (Payload for Traffic and Control Channels)
  • 2 x 1 Stealing Flag (Switch between Traffic / Control Payload)
  • 2 x 57 Payload Bits
• 26 Bits Training Sequence (Midamble)
  • Fixed bit sequence used for channel estimation allowing optimum channel equalization
Five Different Types of Burst
• Normal Burst - Traffic and Control Payload
• Frequency Correction Burst - All Zeroes Sequence
• Synchronization Burst - Special Fixed Sequence
• Access Burst - Extended Guard Period of 68.25 Bits (252 µs)
• Dummy Burst

GSM Radio Interface Um
Thanks to the time shift of 3 time slots between the BTS TX and RX TDMA frames, the MS is not required to receive and transmit simultaneously. This simplifies the MS hardware.
The MS continuously aligns its TX frame start based on the Timing Advance (TA) measurements received from the BTS
The extended guard period of the access burst (252 µs) allows a maximum range between MS and BTS of 35 km.
[Figure: TX and RX TDMA frames (slots 0 to 7) at the BTS and at the MS, showing the propagation delay Δt = s / c and the timing advance TA = 2·Δt]

GSM Radio Interface Um
• Control Channels (CCH)
  • Broadcast Channels
    • Synchronization Channel (SCH)
    • Frequency Control Channel (FCCH)
    • Broadcast Control Channel (BCCH)
  • Common Control Channels
    • Paging Channel (PCH)
    • Random Access Channel (RACH)
    • Access Grant Channel (AGCH)
    • Notification Channel (NCH)
  • Dedicated Control Channels
    • Stand Alone Dedicated Control Channel (SDCCH)
    • Fast Associated Control Channel (FACCH)
    • Slow Associated Control Channel (SACCH)
• Traffic Channels (TCH)
  • Full Rate (TCH/F)
  • Half Rate (TCH/H)
Legend: Downlink (DL), Uplink (UL)

GSM Radio Interface Um
Broadcast Channels are used for synchronisation purposes and broadcasting of cell-specific information in the downlink from BTS to MS
• Frequency Correction Channel (FCCH): carries information for frequency correction of the MS
• Synchronization Channel (SCH): carries information for frame synchronization of the MS (e.g. TDMA frame number FN) and for identification of the BTS (e.g. Base Station Identity Code BSIC)
• Broadcast Control Channel (BCCH): broadcasts general information on the BTS as well as cell-specific information like control channel organisation, frequency hopping sequences, cell identification, etc.

GSM Radio Interface Um
Common Control Channels are point-to-multipoint channels used mainly for access control
• Paging Channel (PCH) - downlink only: used by the BTS for paging and localizing the MS
• Random Access Channel (RACH) - uplink only: used by any MS to request allocation of a signalling channel (SDCCH). A slotted Aloha protocol is used, so collisions among competing MS are quite possible.
• Access Grant Channel (AGCH) - downlink only: used to allocate an SDCCH or directly a TCH
• Notification Channel (NCH) - downlink only: used to notify MS of voice group and voice broadcast calls (ASCI feature)

GSM Radio Interface Um
Dedicated Control Channels are bidirectional point-to-point channels that allow authentication, signalling, handover and the exchange of measurement values.
• Stand Alone Dedicated Control Channel (SDCCH): used for call setup (authentication, signalling, assignment of actual TCH), localisation updates and SMS
• Slow Associated Control Channel (SACCH): is always coupled with an SDCCH or TCH and is used for the exchange of measurement values and control parameters
  • Downlink: Control of MS Power Level and MS Timing Advance
  • Uplink: Measurement reports (MS reception levels) used by the BTS for its handover decisions
• Fast Associated Control Channel (FACCH): is activated in case of increased signalling demand, e.g. during handover. Bandwidth is stolen from the associated TCH.

GSM Radio Interface Um
Traffic Channels are used for bidirectional transmission of circuit switched voice or data.
Full Rate Traffic Channel (TCH / F)
• Speech @ 13 kbps (TCH / FS), Full Rate Speech Codec
• Speech @ 12.2 kbps (TCH / EFS), Enhanced Full Rate Speech Codec
• Data @ 14.4 kbps (TCH / F14.4)
• Data @ 9.6 kbps (TCH / F9.6)
• Data @ 4.8 kbps (TCH / F4.8)
• Data @ ≤ 2.4 kbps (TCH / F2.4)
Half Rate Traffic Channel (TCH / H)
• Speech @ 6.5 kbps (TCH / HS), Half Rate Speech Codec
• Data @ 4.8 kbps (TCH / H4.8)
• Data @ ≤ 2.4 kbps (TCH / H2.4)

GSM Radio Interface Um
[Figure: call setup message sequence between MS and BTS. Messages: Paging Request, Channel Request, Channel Assignment, Paging Response, Authentication / Cipher Mode, Setup, Call Confirmation, Assign Command, Assign Completion, Alert, Connect, Connect Acknowledge, Voice or Data. Channels: PCH, RACH, AGCH, SDCCH, FACCH, TCH]
• PCH: Paging Channel
• RACH: Random Access Channel
• AGCH: Access Grant Channel
• SDCCH: Stand-alone Dedicated Control Channel
• FACCH: Fast Associated Control Channel
• TCH: Traffic Channel

GSM Radio Interface Um
[Figure: speech processing chain, run every 20 ms: 160 samples, RPE-LPC codec, 260 bits (182 sensitive class I, 78 insensitive class II), block coding (3 bit CRC, 4 tail bits), 267 bits, convolutional coding (189 + 189 + 78), 456 bits, interleaving (4 blocks @ 114 bits, 456 bits spread over 8 bursts), encryption]

GSM - TDMA/FDMA
[Figure: frequency over time grid and the higher GSM frame structures]
• 935-960 MHz: 124 channels (200 kHz), downlink
• 890-915 MHz: 124 channels (200 kHz), uplink
• GSM TDMA frame: 8 time slots (1 to 8), 4.615 ms
• GSM time-slot (normal burst): 577 µs, of which 546.5 µs burst
• Burst fields: guard space | tail 3 bits | user data 57 bits | S 1 | training 26 bits | S 1 | user data 57 bits | tail 3 bits | guard space

GSM hierarchy of frames
[Figure: hierarchy of frames]
• hyperframe: superframes 0 ... 2047
• superframe: multiframes 0 ... 50 or multiframes 0 ... 25
• multiframe: frames 0 ... 25 (120 ms) or frames 0 ... 50 (235.4 ms)
• frame: slots 0 ... 7 (4.615 ms)
• slot: one burst (577 µs)
• 120 ms multiframe layout: 12 frames, one frame for “slow signalling” for all the 8 slots (SACCH), 12 frames, 1 empty frame

GSM hierarchy of frames
[Figure: hierarchy of frames]
• hyperframe: superframes 0 ... 2047 (3 h 28 min 53.76 s)
• superframe: multiframes 0 ... 50 or multiframes 0 ... 25 (6.12 s)
• multiframe: frames 0 ... 25 (120 ms) or frames 0 ... 50 (235.4 ms)
• frame: slots 0 ... 7 (4.615 ms)
• slot: one burst (577 µs)
• Larger frames for encryption

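The durations on the two frame hierarchy slides can be derived from a single fact they state, that 26 TDMA frames last 120 ms. The following is an added example, not part of the original slides; the function names are made up for the illustration, and the frame roles follow the slide's "12 frames, SACCH, 12 frames, 1 empty frame" layout.

```python
from fractions import Fraction

FRAME_MS = Fraction(120, 26)            # 26 TDMA frames fill one 120 ms multiframe
SLOTS, TRAFFIC_MF, CONTROL_MF = 8, 26, 51
SUPERFRAME = TRAFFIC_MF * CONTROL_MF    # 1326 frames (51 x 26 or 26 x 51)
HYPERFRAME = 2048 * SUPERFRAME          # 2 715 648 frames


def durations_ms():
    """Exact duration of every level of the hierarchy, in milliseconds."""
    return {
        "slot": FRAME_MS / SLOTS,
        "frame": FRAME_MS,
        "traffic multiframe": TRAFFIC_MF * FRAME_MS,
        "control multiframe": CONTROL_MF * FRAME_MS,
        "superframe": SUPERFRAME * FRAME_MS,
        "hyperframe": HYPERFRAME * FRAME_MS,
    }


def as_hms(ms):
    """Convert milliseconds to (hours, minutes, seconds)."""
    seconds = Fraction(ms) / 1000
    hours, rest = divmod(seconds, 3600)
    minutes, secs = divmod(rest, 60)
    return int(hours), int(minutes), float(secs)


def locate(fn):
    """Place an absolute TDMA frame number (FN) inside each level."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number wraps at the hyperframe boundary")
    return {
        "superframe": fn // SUPERFRAME,
        "frame in 26-multiframe": fn % TRAFFIC_MF,
        "frame in 51-multiframe": fn % CONTROL_MF,
    }


def traffic_frame_role(fn):
    """Role of a frame in the 26-frame multiframe, per the slide's layout."""
    pos = fn % TRAFFIC_MF
    if pos == 12:
        return "SACCH"      # one frame for slow signalling
    if pos == 25:
        return "idle"       # the empty frame
    return "TCH"


if __name__ == "__main__":
    for name, value in durations_ms().items():
        print(f"{name:20s} {float(value):16.3f} ms")
    print("hyperframe:", as_hms(durations_ms()["hyperframe"]))
    print(locate(HYPERFRAME - 1), traffic_frame_role(12))
```
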
GSM protocol layers for signaling
[Figure: protocol stacks at MS, BTS, BSC and MSC across the Um, Abis and A interfaces. Layers shown: CM, MM, RR, RR’, BTSM, BSSAP, LAPDm, LAPD, SS7, radio, PCM. Link rates: 16/64 kbit/s and 64 kbit/s / 2.048 Mbit/s]
CM: Call management, MM: Mobility management, RR: Radio Resource management
Protocol Architecture of GSM
[Figure: GSM protocol stacks at MS, BTS, BSC and MSC, annotated with Layer 1, Layer 2 and Layer 3]
Interfaces: Um, Abis, A
• Um is here of main interest
• Abis and A are interfaces from the fixed network
Layer 1 (physical) : radio
Handles all radio specific functions
• creation of bursts – 5 different formats
• multiplexing of bursts into TDMA frames
• synchronisation with the BTS (see next slide)
• detection of idle channels
• measurements of channel quality at downlink
• the physical layer at Um uses GMSK modulation
• performs encryption/decryption of data
[Figure: MS and BTS protocol stacks at the Um and Abis interfaces]
Layer 1: Synchronization: The distance between the MS and the BTS
An MS 35 km from the BTS has a round trip time (RTT) of 0.23 ms!!!
The BTS sends the current RTT to the MS, which then adjusts its access time!!!
Adjusting the access time is controlled by the variable timing advance, where a burst can be shifted up to 63 bit times earlier => 0.23 ms (each bit is 3.69 microseconds long).
Max 35 km between a BTS and an MS!!
[Figure: TX and RX TDMA frames (slots 0 to 7) at the BTS and at the MS, showing the propagation delay Δt = s / c and the timing advance TA = 2·Δt]
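The timing advance figures from this slide and from the earlier Um slide (63 bit times, 3.69 µs per bit, 35 km, 252 µs access burst guard period) follow from TA = 2·Δt and Δt = s / c. The code below is an added example, not part of the original slides; the function names are made up, and rounding to the nearest whole bit period is an assumption.

```python
C_M_PER_S = 299_792_458.0   # speed of light
BIT_US = 48 / 13            # 3.6923 µs: 156.25 bits share one 15/26 ms slot
TA_MAX = 63                 # largest timing advance, in bit periods
ACCESS_GUARD_BITS = 68.25   # extended guard period of the access burst


def metres_per_ta_step():
    """One bit period of round-trip delay, expressed as one-way distance."""
    return BIT_US * 1e-6 * C_M_PER_S / 2


def timing_advance(distance_m):
    """TA = 2·Δt with Δt = s / c, in whole bit periods (rounding assumed)."""
    if distance_m < 0:
        raise ValueError("distance must not be negative")
    round_trip_us = 2 * distance_m / C_M_PER_S * 1e6
    ta = round(round_trip_us / BIT_US)
    if ta > TA_MAX:
        raise ValueError("MS is beyond the range the timing advance can cover")
    return ta


def distance_band_m(ta):
    """One-way distances that map to a given TA value: a ring around the BTS."""
    if not 0 <= ta <= TA_MAX:
        raise ValueError("TA is limited to 0..63")
    step = metres_per_ta_step()
    return max(0.0, (ta - 0.5) * step), (ta + 0.5) * step


def max_range_m():
    """Distance at which the largest TA value is reached."""
    return TA_MAX * metres_per_ta_step()


def access_guard_us():
    """Duration of the access burst guard period in microseconds."""
    return ACCESS_GUARD_BITS * BIT_US


if __name__ == "__main__":
    print(f"one TA step   : {metres_per_ta_step():.1f} m")
    print(f"TA at 35 km   : {timing_advance(35_000)}")
    print(f"max RTT       : {TA_MAX * BIT_US:.1f} µs")
    print(f"max range     : {max_range_m() / 1000:.2f} km")
    print(f"guard period  : {access_guard_us():.1f} µs")
```
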
Layer 1 (physical) : radio
Handles all radio specific functions
[Figure: MS and BTS protocol stacks at the Um interface]
Channel coding and error detection/correction!
[Figure: bits split into 182 sensitive (class I) and 78 insensitive (class II); 3 bit CRC and 4 tail bits; blocks of 78, 189 and 189 bits]
The physical layer tries to correct errors, but it does not deliver erroneous data to the higher layers.
The error correction introduces a delay of about 60 ms!
Layer 2 (data link) - LAPDm
It is said to be a lightweight LAPD protocol as it does not handle error correction/detection.
It handles:
• segmentation and reassembly of data and acknowledged/unacknowledged data transfer
• re-sequencing of data frames and flow control!
[Figure: MS and BTS protocol stacks at the Um interface]
[Figure: GSM protocol stacks at MS, BTS, BSC and MSC, annotated with Layer 1, Layer 2 and Layer 3]
The network layer in GSM comprises several sublayers!
The lowest sublayer is the Radio Resource Management (RR)!
Just a part of it is implemented in the BTS, the remainder in the BSC!
• Setup, maintenance and release of radio channels
[Figure: GSM protocol stacks at MS, BTS, BSC and MSC]
The network layer in GSM comprises several sublayers!
Mobility Management (MM) contains functions for
• registration
• authentication
• location update
It also provides a temporary mobile subscriber identity (TMSI) that replaces the international mobile subscriber identity (IMSI) and so hides the real identity of an MS user over the air interface.
[Figure: GSM protocol stacks at MS, BTS, BSC and MSC]
The network layer in GSM comprises several sublayers!
Call Management (CM) contains functions for:
• call control (CC): point-to-point connection between two terminals, call establishment, call clearing, etc.
• short message service (SMS): using control channels SDCCH and SACCH
• supplementary services (SS): user identification, forwarding, etc.
Numbers to locate and address an MS
• Mobile station international ISDN number (MSISDN)
  • The MSISDN follows the ITU-T standard E.164 for addresses, as in ISDN networks. This number consists of the country code (CC), the national destination code (NDC), i.e. the address of the national network provider and HLR, and the subscriber number (SN).
• International mobile subscriber identity (IMSI)
  • GSM uses the IMSI for internationally unique identification of a subscriber. The IMSI consists of a mobile country code (MCC), the mobile network code (MNC) (i.e. the code of the HLR), and finally the mobile subscriber identification number (MSIN).
• Temporary mobile subscriber identity (TMSI)
  • used to hide the IMSI, which would give away the exact identity of the user
• Mobile station roaming number (MSRN)
  • another temporary address that hides the identity and location of a subscriber

GSM Mobile Communications
International Mobile Equipment Identifier (IMEI)
• Unique serial number assigned by equipment manufacturer
International Mobile Subscriber Identifier (IMSI)
• Unique subscriber identification number, stored on SIM-card
Mobile Subscriber ISDN Number (MSISDN)
• Actual phone number structured according to ITU-T E.164
  • Country Code (CC) up to 3 digits
  • National Destination Code (NDC) 2 to 3 digits
  • Subscriber Number (SN) with a maximum of 10 digits
• Strict separation of subscriber identification (IMSI) and phone number (MSISDN)
• Several MSISDN numbers can be assigned to a single IMSI (used for service selection)
• The mapping between MSISDN and IMSI is not public
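
The field structure of the two subscriber identifiers described on the last two slides can be checked mechanically. The parser below is an added example, not part of the original slides. The MSISDN limits come from the slide; the IMSI lengths (MCC 3 digits, MNC 2 or 3 digits, at most 15 digits in total) are assumptions taken from the numbering standard rather than from this page, and all names and sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Imsi:
    mcc: str    # mobile country code
    mnc: str    # mobile network code
    msin: str   # mobile subscriber identification number


@dataclass(frozen=True)
class Msisdn:
    cc: str     # country code
    ndc: str    # national destination code
    sn: str     # subscriber number


def _digits(value, what):
    cleaned = value.strip().replace(" ", "")
    if cleaned.startswith("+"):
        cleaned = cleaned[1:]
    if not (cleaned.isascii() and cleaned.isdigit()):
        raise ValueError(f"{what} must contain decimal digits only")
    return cleaned


def parse_imsi(value, mnc_len=2):
    """Assumed lengths (not on the slides): MCC 3 digits, MNC 2 or 3,
    whole IMSI at most 15 digits. The caller supplies the MNC length."""
    digits = _digits(value, "IMSI")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    if not 3 + mnc_len < len(digits) <= 15:
        raise ValueError("IMSI length out of range")
    return Imsi(digits[:3], digits[3:3 + mnc_len], digits[3 + mnc_len:])


def parse_msisdn(value, cc_len, ndc_len):
    """Limits from the slide: CC up to 3 digits, NDC 2 to 3, SN at most 10."""
    digits = _digits(value, "MSISDN")
    if not 1 <= cc_len <= 3 or ndc_len not in (2, 3):
        raise ValueError("CC is 1 to 3 digits, NDC 2 or 3")
    sn = digits[cc_len + ndc_len:]
    if not 1 <= len(sn) <= 10:
        raise ValueError("SN must be 1 to 10 digits")
    return Msisdn(digits[:cc_len], digits[cc_len:cc_len + ndc_len], sn)


def mask_imsi(imsi):
    """Log-safe form: keep MCC and MNC (the network), hide the MSIN."""
    return imsi.mcc + imsi.mnc + "*" * len(imsi.msin)


# Constructed sample values, not real subscriber data.
SAMPLE_IMSI = "262011234567890"
SAMPLE_MSISDN = "+49 171 1234567"

if __name__ == "__main__":
    imsi = parse_imsi(SAMPLE_IMSI, mnc_len=2)
    print(imsi, mask_imsi(imsi))
    print(parse_msisdn(SAMPLE_MSISDN, cc_len=2, ndc_len=3))
```
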
HSCSD: High Speed Circuit Switched Data
Chapter: 4.1.8.1
Read yourselves!
Mobile Terminated Call
[Figure: numbered signalling steps 1 to 17 between calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]
• 1: calling a GSM subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request MSRN (Mobile Station Roaming Number) from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to current MSC
• 8, 9: get current status of MS
• 10, 11: paging of MS
• 12, 13: MS answers
• 14, 15: security checks
• 16, 17: set up connection

Mobile Originated Call
[Figure: numbered signalling steps 1 to 10 between MS, BSS, MSC, VLR, GMSC and PSTN]
• 1, 2: connection request
• 3, 4: security check
• 5-8: check resources (free circuit)
• 9-10: set up call

4 types of handover
[Figure: four handover scenarios, numbered 1 to 4, across MS, BTS, BSC and MSC]

Handover decision
[Figure: receive level curves for an MS moving between BTSold and BTSnew, with HO_MARGIN marked]

Handover procedure
[Figure: message sequence between MS, BTSold, BSCold, MSC, BSCnew and BTSnew. Messages: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete]

Security in GSM
Security services
• access control/authentication
  • user and SIM (Subscriber Identity Module): secret PIN (personal identification number)
  • SIM and network: challenge response method
• confidentiality
  • voice and signaling encrypted on the wireless link (after successful authentication)
• anonymity
  • temporary identity TMSI (Temporary Mobile Subscriber Identity)
  • newly assigned at each new location update (LUP)
  • encrypted transmission
3 algorithms specified in GSM
• A3 for authentication (“secret”, open interface)
• A5 for encryption (standardized)
• A8 for key generation (“secret”, open interface)
“secret”:
• A3 and A8 available via the Internet
• network providers can use stronger mechanisms

GSM - authentication
[Figure: challenge-response authentication between the mobile network (AC, MSC) and the SIM. Both sides compute A3 over RAND (128 bit) and Ki (128 bit). The network sends RAND; the SIM returns SRES (32 bit); the MSC checks SRES* =? SRES]
Ki: individual subscriber authentication key
SRES: signed response

GSM - key generation and encryption
[Figure: key generation and encryption between the mobile network (AC, BSS/BTS) and the MS with SIM. Both sides compute A8 over RAND (128 bit) and Ki (128 bit) to obtain the cipher key Kc (64 bit). A5 in the BSS and in the MS uses Kc to turn data into encrypted data and back]
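
The exchange on the authentication and key generation slides can be run end to end with both sides modelled. This is an added example, not part of the original slides: the real A3 and A8 are operator-specific, so a truncated HMAC-SHA-256 stands in for both (an assumption), and the class names, IMSI and Ki are constructed.

```python
import hashlib
import hmac
import secrets

# Sizes from the slides: RAND and Ki are 128 bit, SRES 32 bit, Kc 64 bit.
RAND_LEN, KI_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def _stand_in(ki, rand, label, out_len):
    """Assumption: truncated HMAC-SHA-256 replaces the operator's A3/A8."""
    if len(ki) != KI_LEN or len(rand) != RAND_LEN:
        raise ValueError("Ki and RAND must both be 128 bit")
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:out_len]


def a3(ki, rand):
    return _stand_in(ki, rand, b"A3", SRES_LEN)  # 32 bit signed response


def a8(ki, rand):
    return _stand_in(ki, rand, b"A8", KC_LEN)    # 64 bit cipher key


class Sim:
    """Subscriber side: Ki stays on the card, only SRES and Kc leave it."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class AuthCentre:
    """Network side (AC): holds Ki per IMSI and issues fresh challenges."""

    def __init__(self, subscribers):
        self._ki_by_imsi = dict(subscribers)

    def challenge(self, imsi):
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(RAND_LEN)     # new RAND for every run
        return rand, a3(ki, rand), a8(ki, rand)  # RAND, SRES*, Kc


def authenticate(ac, sim, recorded_sres=None):
    """One exchange as the MSC sees it; returns (ok, kc_network, kc_sim).

    Only RAND (downlink) and SRES (uplink) cross the air interface.
    recorded_sres models a response captured from an earlier challenge.
    """
    rand, sres_expected, kc_network = ac.challenge(sim.imsi)
    sres, kc_sim = sim.respond(rand)
    if recorded_sres is not None:
        sres = recorded_sres
    ok = hmac.compare_digest(sres_expected, sres)  # SRES* =? SRES
    return ok, (kc_network if ok else None), kc_sim


# Constructed sample values, not real subscriber data.
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
AC = AuthCentre({IMSI: KI})
GENUINE_SIM = Sim(IMSI, KI)
WRONG_KI_SIM = Sim(IMSI, bytes(KI_LEN))          # same IMSI, different Ki

if __name__ == "__main__":
    print("genuine SIM :", authenticate(AC, GENUINE_SIM)[0])
    print("wrong Ki    :", authenticate(AC, WRONG_KI_SIM)[0])
```

Both sides end up with the same Kc without it ever being transmitted, and a response recorded for an earlier RAND fails because the AC draws a new challenge each time.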
End