final gsm1
DESCRIPTION
College Tech Ppt2TRANSCRIPT
www.awesomebackgrounds.com
p0101011
010101
01010110101011
GSM
Introduction to GSMIntroduction to GSM
• Problem:Problem: Beginning of 1980s - European countries were using many and different incompatible mobile phone systems. Increased needs for telecommunication services
• Action by CEPTAction by CEPT: founded a group to specify a common mobile system for WESTERN EUROPE
• Name of the Group and System: Name of the Group and System: GSM– “Groupe Speciale Mobile”– Global System for Mobile Communications
•Advantage of GSM:Advantage of GSM:
• Digital Radio Path = system tolerates more inter-cell interference, thus efficient use of RF
• Better Quality of speech• Data transmission is supported• New services offered due to ISDN
compatibility• International Roaming possible• Large market = increased competition and
lower investment for operators and rates for users.
Three Subsystems in GSM Three Subsystems in GSM NetworkNetwork• Network Switching Subsystem (NSS)• Base Station Subsystem (BSS)• Network Management System
Base Station Controller (BSC ) handles allocation of radio channels, receives measurements from the mobile phones, controls handovers from BTS to BTS . A key function of the BSC is to act as a concentrator where many different low capacity connections to BTSs (with relatively low utilisation) become reduced to a smaller number of connections towards the Mobile Switching Center (MSC)
The Base Transceiver Station, or BTS, contains the equipment for transmitting and receiving of radio signals (transceivers), antennas, and equipment for encrypting and decrypting communications with the Base Station Controller (BSC).
TRAU (Transcoder and Rate Adaptation Unit). The transcoding function converts the voice channel coding between the GSM . compress voice channels from the 64 kbit/s PCM standard to the 13 kbit/s rate used on the air interface.
Packet Control UnitIt performs some of the processing tasks of the BSC, but for packet data. The allocation of channels between voice and data is controlled by the base station, but once a channel is allocated to the PCU, the PCU takes full control over that channel.
• How does the network keep track How does the network keep track of the subscribers?of the subscribers?– Through LOCATION UPDATE– Through the help of various
DATABASES
+ =
MobileEquipment
SubscriberIdentityModule Mobile
Station
GSMNetwork
AirInterface
• The Subscriber Identity Module (SIM)– a small memory device mounted on a card that
contains user specific identification– The SIM is a detachable smart card containing the
user's subscription information and phonebook – the SIM + mobile equipment = mobile station (MS), a
device able to access services in a GSM network via the Air interface.
The First DatabaseThe First Database
• The Visitor Location Register (VLR)– database which temporarily keeps record of subscribers
currently located in the service area of the MSC– to inform the HLR that a subscriber has arrived in the
particular area covered by the VLR – to track where the subscriber is within the VLR area
(location area) when no call is ongoing – to allocate roaming numbers during the
processing of incoming calls
The Second The Second DatabaseDatabase
Mobile Switching Center
VisitorLocatio
nRegiste
r
• The Home Location Register (HLR)– The HLR is a database used for storage and
management of subscriptions. – stores permanent data about subscribers,
including a subscriber's service profile, location information, and activity status.
– When an individual buys a subscription he or she is registered in the HLR of that operator.
The Third DatabaseThe Third Database
Home LocationRegister
SECURITY AND AUTHENTICATION
SIM CARDS • SIM cards store network specific information used to
authenticate and identify subscribers on the Network. ICCID IMSI Authentication Key (Ki) Local Area Identity (LAI) Operator-Specific Emergency Number SMSC (Short Message Service Center) number Service Provider Name (SPN) Service Dialing Numbers (SDN) Value Added Service (VAS) applications
• IMSI International Mobile Subscriber Identity is a unique
number stored in the Subscriber Identity Module (SIM) inside the phone and is sent by the phone to the network.
IMSI: 284011234567890
MCC 284 Bulgaria
MNC 01 MobilTel
MSIN 1234567890
IMSI analysis is the process of examining a subscriber's IMSI to identify which network the IMSI belongs to and whether subscribers from that network are allowed to use a given network . If they are not local subscribers, this will
require a roaming agreement.
• AUTHENTICATION CENTER (AUC)— authentication and encryption parameters that verify the
user's identity• ensure the confidentiality of each call. • FUNCTION OF AUC: AUC generates data known as triplets for the MSC to
use during the procedure. The security of the process depends upon a shared secret between the AUC and the SIM called the Ki.
The AUC stores the following data for each IMSI:• the Ki
• Algorithm id (the standard algorithms are called A3 or A8, but
an operator may choose a proprietary one).
• AUTHENTICATION PROCESS:
• Ki is a 128-bit value securely burned into the SIM during manufacture and is also securely replicated onto the AUC.
• This Ki is never transmitted between the AUC and SIM
• Each SIM holds a unique Ki assigned to it by the operator during the personalization process.
• When the MSC asks the AUC for a new set of triplets for a particular IMSI, the AUC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:
The Ki and RAND are fed into the A3 algorithm and a number known as Signed RESponse or SRES is calculated.
The Ki and RAND are fed into the A8 algorithm and a session key called Kc is calculated.
• TRIPLET NUMBER:• The triplets are RAND,SRES,KC. they are stored in the
AUC. They are sent to the mobile switching centre.
• MSC sends the RAND part of the triplet to the SIM. The SIM then feeds this number and the Ki (which is burned onto the SIM) into the A3 algorithm as appropriate and an SRES is calculated and sent back to the MSC .
• If this SRES matches with the SRES in the triplet generated from the authentication center.
• The SIM card is made valid and authenticated.
GSM Security Management AC VLR BTS Air Interface ME SIM
A3
A8A8 A5 A5
A3Authentication
EIR MEIMEI Checking
Ciphering
COMPARING
RAND
KiKiSRES SRES
A3A3
A8Kc Kc
Traffic Traffic
A8A5 A5
Request of IMEI
Provide IMEI
Encrypted DataEncrypted Data
• International Mobile Equipment Identity : The International Mobile Equipment Identity
or IMEI is a number unique to every GSM and UMTS mobile phone
• The IMEI number is used by the GSM network to identify valid devices .
• The IMEI (14 digits plus check digit) or IMEISV (16 digits) includes information on the origin, model, and serial
number of the device
Reporting Body Identifier, indicating the GSMA-approved group that allocated the model TAC
The remainder of the TAC
Serial sequence of the model
Luhn check digit of the entire number (or zero)
Software Version Number (SVN).
AA BBBBBB CCCCCC D EE
• The model and origin comprise the initial 8-digit portion of the IMEI/SV, known as the Type Allocation Code (TAC)
• The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end (which is never transmitted).
• The IMEISV drops the Luhn check digit in favour of an additional 2 digits for the Software Version Number (SVN) in the format AA-BBBBBB-CCCCCC-EE
• For example • IMEI code 35-209900-176148-1 IMEISV code 35-209900-176148-23 tells us the following:
TAC: 352099 so it was issued by the BABT and has the allocation number 2099FAC: 00 so it was numbered during the transition phase from the old format to the new format (described below)SNR: 176148 - uniquely identifying a unit of this modelCD: 1 so it is a GSM Phase 2 or higherSVN: 23 - The 'software version number' identifying the revision of the software installed on the phone.
• Retrieving IMEI information from a GSM device• On many devices the IMEI number can be retrieved by
entering *#06#.
• The IMEI can frequently be displayed through phone menus, under a section titled 'System Information', 'Device', 'Phone Info' or similar. Many phones also have the IMEI listed on a label in the battery compartment.
• Retrieving IMEI Information from a Sony or Sony Ericsson handset can be done by entering these keys: Right * Left Left * Left * (Other service menu items will be presented with this key combination).
• The IMEI information can be retrieved from most Nokia mobile phones by pressing *#92702689# (*#WAR0ANTY#), this opens the warranty menu in which the first item is the serial number (the IMEI). The warranty menu also shows other information such as the date the phone was made and the life timer of the phone.
• Blacklisted or Barred Handsets If your phone is lost , report it to your service provider (your network) immediately.
• Add your phones serial number onto a national blacklist database CENTRAL EQUIPMENT IDENTITY REGISTER(CEIR).
• At this point the IMEI number of your handset is cross referenced with the Central Equipment Identity Register. If the IMEI number of your handset
• 1) Refuse to send a signal to your phone (No signal strength at all)
2) OR WILL supply a signal but will not allow any outgoing or incoming calls
• Changing the IMEI number is illegal.
Location UpdateLocation Update• Location Registration (power
on) - IMSI Attach.
• Generic - every time MS detects a change in Location
Area• Periodic - location updates at
regular intervals set by the operator. (default 7 hours)
BTS1BSC
1
MSC
VLR1
MSC
VLR2
LAI 1
MSB
First time Location Update (1)
Loc Up
HLR
IMSI RequestIMSI
Loc Up + TMSI
Authen
VLR DBIMSI MSRN LAI DATA310+02+1234567890 1
HLR DBMSISDN IMSI VLR Address Sub. Data63+918+9499247 310+02+1234567890 vlr 2 services
BTS1BSC
1
MSC
VLR1
MSC
VLR2
LAI 1
MSB
Generic Location Update
TMSI + LAIHLR
Loc Up + new TMSI
TMSI
IMSISecurity Info
Subscriber Info
UpdateDel olddata
Authentication
VLR 1DBIMSI MSRN LAI
310+02+1234567890 x
HLR DBMSISDN IMSI VLR Address Sub. Data63+918+9499247 310+02+1234567890 vlr1 services
VLR2 DBIMSI MSRN LAI DATA310+02+1234567890 1 services
HLR DBMSISDN IMSI VLR Address Sub. Data63+918+9499247 310+02+1234567890 vlr 2 services
Call Establishment (PSTNO-MT)
PSTNBTS
1BSC1MSC 1
VLR1
MSC 2VLR2
HLRHLR Enquiry
HLR DBMSISDN IMSI VLR Address Sub. Data63+918+9499247 310+02+1234567890 vlr2 services
VLR DBIMSI MSRN LAI DATA310+02+1234567890 1services
LAI 1
MSRNPOOL
MSB
IMSI
A
B
MSISDN
MSISDN (B)CC+ NDC + SN 63 918 9499247
IMSI = MCC+MNC+MSIN
MSRN = CC+NDC+SN
MSISDN
Paging Paging • What the network does to locate the
called subscriber.• Service Area of VLR is divided into
smaller areas called Location Areas (LA)• LAI - Location Area Identity
– LAI = MCC + MNC +LAC
• VLR knows the LA of the subscriber• VLR2 DB• IMSI MSRN LAI DATA• 310+02+1234567890 1 services
• All the BTSs within that LA is paged for the subscriber.
PSTNBTS
1BSC 1
MSC
VLR1
MSC
VLR2
LAI 1
MS
A
B
Call Establishment (MO-PSTNT)
MSISDN
MSISDN (A)CC+ NDC + SN 63 2 5113580HLR
VLR DBIMSI MSRN LAI Services 2 Speech
BTS1
BTS2BSC
2
BSC 1
MSC
VLR1
MSC
VLR2
HLR
HLR Enquiry
LAI 1
LAI2
MSRN
MS
MSB
IMSIB
C
Call Establishment (MO-MT)
MSISDN
MSISDN (C)CC+ NDC + SN 63 918 9499247
IMSI = MCC+MNC+MSIN
MSRN = CC+NDC+SN
MSISDN
HLR DBMSISDN IMSI VLR Address Sub. Data63+918+9499247 310+02+1234567890 vlr1 services
HandoverHandover• The process by which an ongoing call
handled by one cell is transferred to another cell.
• Two reasons for Handover:– Handover due to Measurements– Handover due to Traffic Reasons
• Four Types of Handover:– Intra cell - Intra BSC Handover– Inter cell - Intra BSC Handover– Inter cell - Inter BSC Handover– Inter MSC Handover
Handover (1)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
A
BMeasurement Report
Handover (2)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
I am OK
Handover (3)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
Measurement Report
Handover (4)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
I am OK
Handover (5)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
Measurement Report
Handover (6)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
I am OK
Handover (7)
MSC/VLR 1 MSC/VLR 2
BSC1 BSC2 BSC3
BTS4BTS3BTS2BTS1
PSTN
HLR
B
A
TransmissionTransmission
AIR INTERFACEFrequency Allocation
Radio Channel
DOWNLINK935 - 960 MHz1805-1880 MHz
UPLINK890-915 MHz1710-1785 MHz
Air Interface
Cell SiteMobile
TerminologiesTerminologies• Uplink - signal flow from MS to BTS• Downlink - signal flow from BTS to MS• Transceivers (TRX) - devices in the BTS
that transmit and receive radio signals in each of the GSM channels.
• Implementation of Digital Radio Transmission in GSM:– FDMA (Frequency Division Multiple Access)– TDMA (Time Division Multiple Access)
LOGICAL CHANNELS
• Common Channels - used for broadcasting different info to MS and setting up of signaling channels between MSC/VLR and the MS
• Dedicated Channels - used to facilitate the discussions between the MS and the BTS, BSC and MSC/VLR.
LOGICAL CHANNELS
11 Logical Channels in the GSM system:
2 are used for Traffic
9 are used for Control Signaling
LOGICAL CHANNELSTRAFFIC CHANNELS (TCH)
Full Rate ChannelHalf Rate Channel
CONTROL CHANNELS Broadcast Channels (BCH)
Frequency Correction Channel (FCCH)Synchronization Channel (SCH)Broadcast Control Channel (BCCH)
Common Control Channels (CCCH)Paging Channel (PCH)Random Access Channel (RACH)Access Grant Channel (AGCH)
Dedicated Control Channels (DCCH)Stand alone Dedicated Control Channel (SDCCH)Slow Associated Control Channel (SACCH)Fast Associated Control Channel (FACCH)
FCCH = FREQUENCY CORRECTION CHANNEL=> To tell the Mobile that this is the BCCH carrier => To able the Mobile to synchronize to the frequency (Downlink only)
SCH = SYNCHRONISATION CHANNEL=> Used for sending BSIC (Base station Identity Code)=> Give TDMA frame number to the Mobile. (Downlink only)
BCCH = BROADCAST CONTROL CHANNEL=> Used for sending information to the mobile like CGI (Cell Global identity), LAI (Location Area Identity), BCCH carriers of the neighboring cells, maximum output power allowed in the cell. (Downlink only)
BROADCAST CHANNELS
Hey! Don’t shoutat me, lower your
power...
BROADCAST CHANNELSall downlink!
FCCH
SCH TDMA…BSIC...
BCCH
Hey. I’m aGSM emitter!
GSM?
GSM!!!
LA…neighbors…cell info…max power...
Ok…ok
PCH = PAGING CHANNEL=> Used for paging the Mobile. (Downlink only) Reason could be an incoming call or an incoming Short Message. RACH = RANDOM ACCESS CHANNEL=> Used for responding to the paging (terminating), Location updating or to make call access (originating) by asking for a signaling channel. (Uplink only)
AGCH = ACCESS GRANT CHANNEL=> Used to allocate SDCCH to the mobile. (Downlink only)
COMMON CONTROL CHANNELS
COMMON CONTROL CHANNELS
PCH downlink only
Hello! You have a call.
RACH uplink only
Hello! I have to setup a call.
I need SDCCH.
AGCH downlink only
Ok. Use SDCCH.
SDCCH = STAND ALONE DEDICATED CONTROL CHANNEL=> Used for allocating voice channel (TCH) to the mobile (call setup) and Location updating.=> Send Short Text message to Idle Mobile (Uplink & Downlink)
SACCH = SLOW ASSOCIATED CONTROL CHANNEL=> Used for sending information to the mobile like CGI (Cell Global identity), LAI (Location Area Identity), BCCH of all the neighbors cells.=> Send Short Text message to Busy Mobile (Downlink)=> Used for sending signal strength & bit error rate measurement of the serving cell and signal strength of the BCCHs of the neighboring cells. (Uplink)
FACCH = FAST ASSOCIATED CONTROL CHANNEL => Used for handover. (Uplink & Downlink)
DEDICATED CONTROL CHANNELS
DEDICATED CONTROL CHANNELSuplink and downlink
SDCCH
handover
FACCH
On SDCCH:-call set up signaling-location updating-periodic registration-SMSetc…..
On SACCH-used to send signal strength & bit error rate measurement of the serving cell
SACCH
=> SMS messages are short TEXT messages up to 160 characters in length that you can send or receive. The messages are not sent straight to the other mobile but is sent to message centre operated by the Network provider.=> If the mobile was switched off or is at outside of the coverage area, the message is stored in the Message Service Center. The message will be offered to the subscriber when the mobile is switched on again or has reentered the coverage area again.=> If the mobile is in the Idle mode the short message will be send through the SDCCH. If the mobile is Busy the short message will send through the SACCH.
CBCH = CELL BROADCAST CHANNEL=> Used for sending short messages to all the mobiles within a geographic area. Up to 93 characters can be sent. => If the mobile is in the Idle mode then the short message will be send through the CBCH. If the mobile is Busy, it will not be sent.
SMS(SHORT MESSAGE SERVICE)
FUTURE OF GSM
• UMTS Universal Mobile Telecommunications System (UMTS) is one of
the third-generation (3G) cell phone technologies It uses WCDMA access method It is also called as 3GSM
1GB SIM CARD The new 1 GB S-SIM card utilizes System-in-Package
(SiP) technology that enables it to carry the high-capacity NAND flash memory module without increasing the size of the standard SIM card.
CONCLUSION
• What is GSM?• Advantages of GSM• Security and authentication • Location updates• Handover• Channels• Future of GSM
• Google.com• Wikipedia.org• Howstuffworks.com
REFERENCES
www.awesomebackgrounds.com
p0101011
010101
01010110101011
Queries?