
GSM Traffic Management

Services
Mobility Concepts
Call Set Up
Security

Acknowledgements to:
1. Mr. Max Stepanov for some of the lecture slides on GSM security
2. SWEEP for lecture slides on GSM

Maria Leonora Guico
Tcom 126 2nd Sem Lecture 3
Services
• Subscriber's action which uses the facilities of the GSM network
• Classification of services:
1. Teleservices
2. Bearer services
3. Supplementary services
Teleservices
• Provide the subscriber with the necessary capabilities, including terminal equipment functions, to communicate with other subscribers
• Examples:
– Speech (Telephony)
– Short Message Service
– Facsimile
Bearer Services
• Offer the basic technical capability for transmission of binary data between end-to-end terminals
• Bearer services are pure transport services
• Examples: circuit-switched or packet-switched service
Supplementary Services
• Supplementary services cannot be assigned to a user without a basic service
• Modify or enhance a basic service and offer the subscriber additional control functions for this basic service.
• Examples of supplementary services that can be used in association with the basic service "Telephony" are:
– call forwarding
– call charge display
– call hold
Traffic Management
• Where is the subscriber?
• Who is the subscriber?
• What does the subscriber want?
Call Flow
Figure: MS (Mobile Station) → Cellsite / Base Station Antenna → Base Station Controller → Mobile Switching Center (MSC or MTSO) → called party; the switch consults HLR, VLR, AuC and EIR.
Callouts recovered from the figure:
• MS makes a call; a nearby cellsite picks up the call from the mobile.
• The call is routed through the base station's transceiver; several base stations may be controlled by one BSC.
• At all times, the Operations and Maintenance Center monitors the network.
• The mobile switch queries several databases (HLR, VLR, AuC and EIR) before permitting the call.
• The Mobile Switching Center gets the call and routes it to the called party.
GSM Operation
Figure: transmit and receive chain with the bit rate after each stage.
Transmit side: Speech → Speech coding (13 Kbps) → Channel coding (22.8 Kbps) → Interleaving (22.8 Kbps) → Burst formatting (33.6 Kbps) → Ciphering (33.6 Kbps) → Modulation (270.83 Kbps) → Radio interface
Receive side: Radio interface → Demodulation → De-ciphering → Burst formatting → De-interleaving → Channel decoding → Speech decoding → Speech
Burst Formatting
Info contained in one time slot on the TDMA frame is called a burst.

There are five different types of bursts:

• Normal Burst (NB): used to carry information on traffic and control channels.

• Frequency Correction Burst (FB): used for frequency synchronization of the mobile.

• Synchronization Burst (SB): used for frame synchronization of the mobile.

• Access Burst (AB): used for random access and handover access.

• Dummy Burst: used when no other type of burst is to be sent.


Forward and Reverse Channels
Call Stages (Mobile-originated call) 1 of 3
Mobile unit initialization: The mobile unit scans and selects the strongest setup control channel used for this system (Figure a). Then a handshake takes place between the mobile unit and the MTSO controlling this cell, through the BS in this cell, to identify the user and register its location.
Mobile-originated call: The mobile unit originates a call by sending the number of the called unit on the preselected setup channel (Figure b).
Call Stages (Mobile-originated call) 2 of 3
Paging: The MTSO attempts to complete the connection to the called unit, sending a paging message to certain BSs depending on the called mobile number (Figure c).
Call accepted: The called mobile unit recognizes its number on the setup channel being monitored and responds to that BS, which sends the response to the MTSO. The MTSO sets up a circuit between the calling and called BSs, selects an available traffic channel within each BS's cell and notifies each BS, which in turn notifies its mobile unit (Figure d).
Call Stages (Mobile-originated call) 3 of 3
Ongoing call: While the connection is maintained, the mobile units exchange voice or data signals through their respective BSs and the MTSO (Figure e).
Handoff: If a mobile unit moves out of range of one cell and into the range of another during a connection, the traffic channel has to change to one assigned to the BS in the new cell (Figure f).
Other Functions
• call blocking
– if all traffic channels are busy
• call termination
– when the user hangs up; traffic channels are released
• call drop
– when the BTS cannot maintain the required signal strength for a certain period of time
• calls to/from fixed and remote mobile subscribers
– MTSO (MSC) connects mobile user and fixed line via PSTN
– MTSO (MSC) connects to remote MTSO via PSTN or dedicated lines
Roaming
• Users subscribe to roaming service to use service outside their home region
• Signaling network used for message exchange between home and visited network
• Roamer uses setup channels to register in new area
• MSC in visited area requests authorization from user's Home Location Register
• Visitor Location Register informed of new user
• User can now receive and place calls
Mobility Concepts
• Location update – always initiated by the mobile station
• Paging
• Handover
Location Update
First time Location Update
• International Mobile Subscriber Identification (IMSI) is sent
IMSI = MCC + MNC + MSIN (fixed 15 digits)
where: Mobile Country Code = 515
Mobile Network Code
Mobile Subscriber Identification Number
Generic Location Update
• The Mobile Station continues to monitor the broadcast information
• If the Location Area Identity (LAI) being broadcast by the network is other than the one stored in the SIM, the mobile station starts the location update procedure
LAI = MCC + MNC + LAC
where: Mobile Country Code = 515
Mobile Network Code
Location Area Code
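The IMSI and LAI structures and the location-update trigger above, as an added worked example that is not part of the lecture slides. It assumes a 2-digit MNC (the slides show "03") and renders the 16-bit LAC as four hex digits; all identifiers in the test are constructed.

```python
# Added example (not from the lecture slides): decoding the IMSI and LAI
# structures shown above and applying the generic location-update rule.
# The identifiers used are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code, 3 digits (515 on the slides)
    mnc: str   # Mobile Network Code
    msin: str  # Mobile Subscriber Identification Number


@dataclass(frozen=True)
class LAI:
    mcc: str
    mnc: str
    lac: str   # Location Area Code, a 16-bit value shown here as 4 hex digits


def parse_imsi(digits: str, mnc_len: int = 2) -> IMSI:
    """Split a fixed 15-digit IMSI into MCC + MNC + MSIN.
    The MNC is 2 or 3 digits depending on the country; the slides show "03",
    so 2 is the default assumed here."""
    if len(digits) != 15 or not digits.isdigit():
        raise ValueError("IMSI is exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return IMSI(mcc=digits[:3], mnc=digits[3:3 + mnc_len], msin=digits[3 + mnc_len:])


def make_lai(mcc: str, mnc: str, lac: int) -> LAI:
    """Compose LAI = MCC + MNC + LAC (LAC must fit in 16 bits)."""
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC must fit in 16 bits")
    return LAI(mcc=mcc, mnc=mnc, lac=f"{lac:04X}")


def location_update_needed(stored: Optional[LAI], broadcast: LAI) -> bool:
    """Rule from the slide: start the procedure when the broadcast LAI is other
    than the one stored in the SIM. A SIM with no stored LAI also triggers it."""
    return stored is None or stored != broadcast


def track_location(stored: Optional[LAI], broadcasts: List[LAI]) -> List[LAI]:
    """Walk the LAIs heard on the broadcast channel and return those for which
    the MS started a location update; the SIM stores each new LAI afterwards,
    so repeated broadcasts of the same LAI cause no further updates."""
    updates = []
    for lai in broadcasts:
        if location_update_needed(stored, lai):
            updates.append(lai)
            stored = lai
    return updates


def same_plmn(imsi: IMSI, lai: LAI) -> bool:
    """MCC + MNC of the IMSI name the home network; comparing them with the
    LAI's MCC + MNC tells a home-network cell from a visited (roaming) one."""
    return (imsi.mcc, imsi.mnc) == (lai.mcc, lai.mnc)
```

The comparison in `location_update_needed` is the whole MS-side decision: the network never asks for an update, the mobile detects the LAI change itself, which is why the slides say location update is always initiated by the mobile station.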
Generic Location Update Procedure
Elements involved in Location Update
Location Management
Location Area
• Divide coverage into non-overlapping groups of cells
• Assign each LA a unique ID; the ID is periodically broadcast by each cell site
Two level database hierarchy HLR/VLR
• HLR points to the VLR where the mobile is located
• VLR entry points to the LA where the mobile was last located
Other Types of Location Update
Power On
• also known as "IMSI attach" and location registration
• done every time the mobile is switched on
Periodic Location Update
• performed after a preset timer expires, measured since the last transaction with the network
• timer value is dependent on the network operator (defined in the BSC)
Paging
• Since the MSC only knows the location area of the last location update, the current cell must be determined first.
• Therefore, the MSC causes all BSCs serving this particular location area to issue a search (paging) message in all the cells of this location area.
Paging (2)
• Paging can cross BSC boundaries. LA design is arbitrary; the idea is to have a small paging area that can accommodate the largest number of subscribers.
• The MS in the current cell provides a "paging response" which is relayed via the BSC to the MSC.
Handoff
• Base station monitors signal levels from its mobiles
• If the signal level drops below a threshold, the MSC is notified and the mobile is instructed to transmit on the setup channel
• Base stations in the vicinity of the mobile are instructed to monitor the signal from the mobile on the setup channel
• Results are forwarded to the MSC, which selects the new cell
• Current BSS and mobile are instructed to prepare for handoff
• MSC releases the connection to the first BSS and sets up a connection to the new BSS (hard handover)
• Mobile changes to the new channels in the new cell
• Brief interruption in the connection (except for CDMA)
Handovers
Figure: four BTSs numbered 1 to 4 under different BSCs and MSCs.
• Between 1 and 2 – Inter BTS / Intra BSC
• Between 1 and 3 – Inter BSC / Intra MSC
• Between 1 and 4 – Inter MSC
Handoff Types:
– Intra-cell handover
– Intra-BSC handover
– Intra-MSC hand-over
– Inter-MSC hand-over
Call Routing
• Call originating from MS
• Call termination to MS
Call Set Up: Terminology
MSISDN (mobile subscriber international ISDN number)
MSISDN = CC + NDC + SN
where:
Country Code = 63 (Philippines)
National Destination Code = e.g. 919 (Smart), 917 (Globe), 922 (Sun)
Subscriber Number = 2205071 (example)
MSRN (mobile subscriber roaming number)
MSRN = CC + NDC + SN
Note: MSRN has the same structure as MSISDN
International Mobile Subscriber Identification (IMSI)
IMSI = MCC + MNC + MSIN (fixed 15 digits)
where: Mobile Country Code = 515
Mobile Network Code = 03
Mobile Subscriber Identification Number = 0123456789
Call Set Up (Mobile originated call to landline)
Figure: outgoing call from the MS to a landline subscriber via BSS, MSC and GMSC.
1. MS sends the dialled number to the BSS
2. BSS sends the dialled number to the MSC
3, 4. MSC checks with the VLR whether the MS is allowed the requested service. If so, the MSC asks the BSS to allocate resources for the call.
5. MSC routes the call to the GMSC
6. GMSC routes the call to the local exchange of the called user
7, 8, 9, 10. Answer back (ring back) tone is routed from the called user to the MS via GMSC, MSC, BSS
Call Set Up (PSTN originated call)
Figure: incoming call from a landline subscriber to a GSM subscriber. HLR inquiry / request routing info: the HLR looks up its database for the IMSI and obtains routing info for the target MSC/VLR.
1. Calling a GSM subscriber
2. Forwarding the call to the GMSC
3. Signal setup to the HLR
4, 5. Request MSRN from the VLR
6. Forward the responsible MSC to the GMSC
7. Forward the call to the current MSC
8, 9. Get current status of the MS
10, 11. Paging of the MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection
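The PSTN-originated set-up above (GMSC asks the HLR, the HLR obtains an MSRN from the serving VLR, the call is forwarded to the current MSC, which checks the MS status and pages it) as an added message-passing model; this is illustrative code, not from the slides or any switch vendor. The MSRN prefix, MSISDN and IMSI are constructed, and the MSRN is modelled as single-use, which is an assumption about how a VLR would administer it.

```python
# Added example (not from the lecture slides): steps 1 to 11 of the
# PSTN-originated call set-up modelled as messages between GMSC, HLR, VLR
# and MSC. All numbers are constructed; the MSRN range is an assumption.
from itertools import count
from typing import Dict, List, Optional, Tuple


class VLR:
    """Visitor Location Register of one MSC: knows each visiting MS's LA and status."""

    def __init__(self, msc_name: str, msrn_prefix: str) -> None:
        self.msc_name = msc_name
        self.msrn_prefix = msrn_prefix          # CC + NDC of the MSRN range (MSRN = CC + NDC + SN)
        self.visitors: Dict[str, dict] = {}     # IMSI -> {"lai": str, "attached": bool}
        self.msrn_in_use: Dict[str, str] = {}   # MSRN -> IMSI, valid for one call set-up
        self._sn = count(1000000)               # constructed subscriber-number counter

    def register(self, imsi: str, lai: str, attached: bool = True) -> None:
        self.visitors[imsi] = {"lai": lai, "attached": attached}

    def provide_roaming_number(self, imsi: str) -> str:
        msrn = self.msrn_prefix + str(next(self._sn))
        self.msrn_in_use[msrn] = imsi
        return msrn

    def release_roaming_number(self, msrn: str) -> str:
        # Single use: once the call reaches the MSC the MSRN is consumed,
        # so a stale or replayed MSRN resolves to nothing.
        return self.msrn_in_use.pop(msrn)


class HLR:
    """Home Location Register: MSISDN -> IMSI and the VLR currently serving it."""

    def __init__(self) -> None:
        self._subs: Dict[str, Tuple[str, VLR]] = {}

    def provision(self, msisdn: str, imsi: str, vlr: VLR) -> None:
        self._subs[msisdn] = (imsi, vlr)

    def send_routing_info(self, msisdn: str, trace: List[str]) -> Tuple[str, VLR]:
        imsi, vlr = self._subs[msisdn]                  # KeyError if unknown
        trace.append(f"HLR: {msisdn} is IMSI {imsi}, served by {vlr.msc_name}")
        msrn = vlr.provide_roaming_number(imsi)         # steps 4, 5
        trace.append(f"{vlr.msc_name}/VLR: MSRN {msrn} allocated")
        return msrn, vlr                                # step 6


def terminate_call(hlr: HLR, dialled_msisdn: str) -> Tuple[List[str], Optional[str]]:
    """Run the set-up; return the message trace and the LA to page in
    (None when the call cannot be delivered)."""
    trace = [f"GMSC: call for {dialled_msisdn} received from PSTN"]      # steps 1, 2
    try:
        msrn, vlr = hlr.send_routing_info(dialled_msisdn, trace)           # step 3
    except KeyError:
        trace.append("HLR: unknown MSISDN, call rejected")
        return trace, None
    trace.append(f"GMSC: routing call on MSRN {msrn} to {vlr.msc_name}")  # step 7
    imsi = vlr.release_roaming_number(msrn)
    status = vlr.visitors.get(imsi)                                        # steps 8, 9
    if status is None or not status["attached"]:
        trace.append(f"{vlr.msc_name}: MS detached, call cannot be delivered")
        return trace, None
    trace.append(f"{vlr.msc_name}: paging MS in LA {status['lai']}")      # steps 10, 11
    return trace, status["lai"]
```

Note that the IMSI never appears outside the HLR/VLR exchange: the PSTN side only ever sees the MSISDN, and the transit network only sees the MSRN, which is why the slides give the MSRN the same CC + NDC + SN shape as an ordinary number.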
GSM Security Goals
• Confidentiality and anonymity on the radio path
• Strong client authentication to protect the operator against billing fraud
• Prevention of operators from compromising each other's security
GSM Security Features
• Key management is independent of equipment
– Subscribers can change handsets without compromising security
• Subscriber identity protection
– not easy to identify the user of the system by intercepting user data
• Detection of compromised equipment
– Detection mechanism for whether a mobile device was compromised or not
• Subscriber authentication
– The operator knows for billing purposes who is using the system
• Signaling and user data protection
– Signaling and data channels are protected over the radio path
Security Implementation
• Authentication
– verification of the subscriber
– Each subscriber has an authentication key, Ki, stored in the Authentication Center and on the SIM card
– Performed by the VLR before call establishment and location update
• IMEI (international mobile equipment identity) checking
– Verification of the mobile equipment by checking the validity of the IMEI
• Ciphering (encryption)
– Encryption of the user speech on the air interface
• User confidentiality
– Avoidance of broadcasting the user's IMSI on the air interface
Key Management Scheme
• Ki – Subscriber Authentication Key
– Shared 128-bit key used for authentication of the subscriber by the operator
• Key Storage
– Subscriber's SIM (owned by the operator, i.e. trusted)
– Operator's Home Location Register (HLR) of the subscriber's home network
• SIM can be used with different equipment
Mobile Station (1)
1. Mobile Equipment (ME)
• Physical mobile device
• Identifiers
– IMEI – International Mobile Equipment Identity
IMEI = TAC(6) + FAC(2) + SNR(6) + SP(1)
where:
TAC – type approval code
FAC – final assembly code
SNR – serial number
SP – spare (future use)
Mobile Station (2)
2. Subscriber Identity Module (SIM)
• Smart card containing keys, identifiers and algorithms
• Identifiers
– Ki – Subscriber Authentication Key
– IMSI – International Mobile Subscriber Identity
– TMSI – Temporary Mobile Subscriber Identity
• IMSI is the confidential identity of the subscriber
• After a successful first time location update, the mobile subscriber is allocated a TMSI (temporary mobile subscriber identity)
• Subscriber is identified by the TMSI for succeeding transactions
– MSISDN – Mobile Station International ISDN Number
– PIN – Personal Identity Number protecting a SIM
– LAI – location area identity
SIM Anatomy
• Subscriber Identification Module (SIM)
– Smart card – a single-chip computer containing OS, file system, applications
– Protected by PIN
– Owned by the operator (i.e. trusted)
– SIM applications can be written with the SIM Toolkit
Authentication
• Authentication Goals
– Subscriber (SIM holder) authentication
– Protection of the network against unauthorized use
– Create a session key
• Authentication Scheme
– Subscriber identification: IMSI or TMSI
– Challenge-response authentication of the subscriber by the operator
Subscriber Identity Protection
• TMSI – Temporary Mobile Subscriber Identity
• Goals
– TMSI is used instead of IMSI as a temporary subscriber identifier
– TMSI prevents an eavesdropper from identifying the subscriber
• Usage
– TMSI is assigned when the IMSI is transmitted to the AuC on the first phone switch-on
– Every time a location update (new MSC) occurs the network assigns a new TMSI
– TMSI is used by the MS to report to the network or during call initialization
– Network uses the TMSI to communicate with the MS
– On MS switch-off the TMSI is stored on the SIM card to be reused next time
– The VLR performs assignment, administration and update of the TMSI
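The TMSI lifecycle described above (IMSI sent once, a fresh TMSI at every location update, the TMSI kept on the SIM across switch-off, the VLR administering the mapping) as an added simulation; it is illustrative code, not from the slides or any network element. It assumes a 32-bit TMSI drawn at random with the all-ones value reserved, and the `air_log` list is a constructed stand-in for what an observer of the radio path would see as the identity in each transaction.

```python
# Added example (not from the lecture slides): VLR-side TMSI assignment,
# administration and update, with a record of which identity appeared on
# the air interface. The random source and the all-ones reserved TMSI are
# assumptions for the sake of the example.
import secrets
from typing import Callable, Dict, List, Optional, Tuple


class TMSIRegistry:
    """The VLR's TMSI table: TMSI <-> IMSI for the MSs it currently serves."""

    NO_TMSI = 0xFFFFFFFF   # reserved value meaning "no valid TMSI" (assumption)

    def __init__(self, rng: Callable[[int], int] = secrets.randbits) -> None:
        self._rng = rng
        self.tmsi_to_imsi: Dict[int, str] = {}
        self.imsi_to_tmsi: Dict[str, int] = {}
        self.air_log: List[Tuple[str, object]] = []   # (identity type, value) sent over the air

    def _fresh_tmsi(self) -> int:
        while True:
            tmsi = self._rng(32)
            if tmsi != self.NO_TMSI and tmsi not in self.tmsi_to_imsi:
                return tmsi

    def _reallocate(self, imsi: str) -> int:
        """Retire the subscriber's old TMSI (if any) and hand out a new one."""
        old = self.imsi_to_tmsi.pop(imsi, None)
        if old is not None:
            del self.tmsi_to_imsi[old]
        new = self._fresh_tmsi()
        self.tmsi_to_imsi[new] = imsi
        self.imsi_to_tmsi[imsi] = new
        return new

    def location_update_with_imsi(self, imsi: str) -> int:
        """First switch-on: the MS has no TMSI, so the IMSI crosses the air once."""
        self.air_log.append(("IMSI", imsi))
        return self._reallocate(imsi)

    def location_update_with_tmsi(self, tmsi: int) -> int:
        """Later updates: the MS reports with its TMSI and receives a new one."""
        self.air_log.append(("TMSI", tmsi))
        imsi = self.tmsi_to_imsi.get(tmsi)
        if imsi is None:
            raise KeyError("TMSI unknown to this VLR; the network must ask for the IMSI")
        return self._reallocate(imsi)

    def resolve(self, tmsi: int) -> str:
        """Used by the network to address the MS without knowing more than the TMSI."""
        return self.tmsi_to_imsi[tmsi]


class MobileStation:
    def __init__(self, imsi: str) -> None:
        self.imsi = imsi
        self.sim_tmsi: Optional[int] = None   # persisted on the SIM across switch-off

    def switch_on_and_update(self, vlr: TMSIRegistry) -> int:
        if self.sim_tmsi is None:
            self.sim_tmsi = vlr.location_update_with_imsi(self.imsi)
        else:
            self.sim_tmsi = vlr.location_update_with_tmsi(self.sim_tmsi)
        return self.sim_tmsi


def run_updates(ms: MobileStation, vlr: TMSIRegistry, n: int) -> List[int]:
    """Perform n location updates and return the TMSI issued at each one."""
    return [ms.switch_on_and_update(vlr) for _ in range(n)]
```

The point a defender cares about is visible in `air_log`: across any number of updates the IMSI is transmitted exactly once, and every TMSI value is short-lived, so correlating transactions requires the VLR's table rather than the radio path alone.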
Detection of Compromised Equipment
• International Mobile Equipment Identifier (IMEI)
– Identifier allowing mobiles to be identified
– IMEI is independent of the SIM
– Used to identify stolen or compromised equipment
• Equipment Identity Register (EIR)
– Black list – stolen or non-type-approved mobiles
– White list – valid mobiles
– Gray list – locally tracked mobiles
• Central Equipment Identity Register (CEIR)
– Approved mobile types (type approval authorities)
– Consolidated black list (posted by operators)
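The IMEI structure from Mobile Station (1) (TAC(6) + FAC(2) + SNR(6) + SP(1)) and the EIR list decision above, as one added worked example that is not from the slides. It assumes that type approval is recorded per TAC (the white list) while stolen and tracked devices are recorded per full IMEI, and that the CEIR black list is imported as a set of IMEIs; all IMEIs and TACs in the test are constructed.

```python
# Added example (not from the lecture slides): IMEI decoding plus the
# EIR black / white / gray list check. The split between per-TAC approval
# and per-IMEI listing is an assumption of this example; IMEIs are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Set


@dataclass(frozen=True)
class IMEI:
    tac: str   # type approval code, 6 digits
    fac: str   # final assembly code, 2 digits
    snr: str   # serial number, 6 digits
    sp: str    # spare (future use), 1 digit


def parse_imei(digits: str) -> IMEI:
    if len(digits) != 15 or not digits.isdigit():
        raise ValueError("IMEI = TAC(6) + FAC(2) + SNR(6) + SP(1), 15 digits")
    return IMEI(digits[:6], digits[6:8], digits[8:14], digits[14])


class Verdict(Enum):
    WHITE = "valid mobile, service granted"
    GRAY = "service granted, equipment tracked locally"
    BLACK = "stolen or non-type-approved, service refused"


class EIR:
    """Equipment Identity Register holding the three lists from the slide."""

    def __init__(self) -> None:
        self.approved_tacs: Set[str] = set()   # white list, per model
        self.black_imeis: Set[str] = set()     # stolen devices, per IMEI
        self.gray_imeis: Set[str] = set()      # devices under local tracking

    def approve_type(self, tac: str) -> None:
        self.approved_tacs.add(tac)

    def report_stolen(self, imei: str) -> None:
        self.black_imeis.add(imei)
        self.gray_imeis.discard(imei)

    def track(self, imei: str) -> None:
        self.gray_imeis.add(imei)

    def import_ceir_blacklist(self, imeis: Iterable[str]) -> None:
        """Consolidated black list posted by other operators via the CEIR."""
        self.black_imeis.update(imeis)

    def check(self, digits: str) -> Verdict:
        """IMEI check performed by the MSC/VLR against the EIR."""
        imei = parse_imei(digits)
        if digits in self.black_imeis:
            return Verdict.BLACK          # reported stolen (locally or via CEIR)
        if imei.tac not in self.approved_tacs:
            return Verdict.BLACK          # model never type-approved
        if digits in self.gray_imeis:
            return Verdict.GRAY           # allowed, but logged for local tracking
        return Verdict.WHITE
```

Because the IMEI is independent of the SIM, this check catches a stolen handset even when it is used with a freshly issued, fully authenticated SIM; subscriber authentication (Ki) and equipment checking (IMEI) answer different questions.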
Security in GSM
• On the air interface, GSM uses encryption and the TMSI instead of the IMSI.
• SIM: a 4-8 digit PIN is provided to validate ownership of the SIM
• 3 algorithms are specified:
– A3 algorithm for authentication
– A5 algorithm for encryption
– A8 algorithm for key generation
Location of Security Algorithm
Data stored in SIM:
• A3 and A8 algorithms
• IMSI
• Ki
GSM System Identifiers
Terms Defined
Ki – 128-bit Individual Subscriber Authentication Secret key shared between the Mobile Station (MS) and the Home Location Register (HLR) of the subscriber's home network.
RAND – 128-bit random challenge generated by the HLR
SRES – 32-bit Signed Response generated by the MS and the MSC.
Kc – 64-bit ciphering key used as a session key for encryption of the over-the-air channel. Kc is generated by the Mobile Station from the random challenge presented by the GSM network and the Ki from the SIM utilizing the A8 algorithm.
A3 – MS Authentication Algorithm
• Goal
– Generation of the SRES response to the MSC's random challenge RAND
Figure: RAND (128 bit) and Ki (128 bit) → A3 → SRES (32 bit)
Authentication
• AuC – Authentication Center
– Provides parameters for authentication and encryption functions (RAND, SRES, Kc)
• HLR – Home Location Register
– Provides the MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)
– Handles MS location
• VLR – Visitor Location Register
– Stores triples generated by the HLR when a subscriber is not in his home network
• One operator doesn't have access to the subscriber keys of another operator.
Authentication in GSM
A8 – Voice Privacy Key Generation Algorithm
• Goal
– Generation of the session key Kc
• A8 specification was never made public
Figure: RAND (128 bit) and Ki (128 bit) → A8 → Kc (64 bit)
Logical Implementation of A3 and A8
• Both A3 and A8 algorithms are implemented on the SIM
• Operator can decide which algorithm to use.
• Algorithm implementation is independent of hardware manufacturers and network operators.
Logical Implementation of A3 and A8
• COMP128 is used for both A3 and A8 in most GSM networks.
• COMP128 is a keyed hash function
Figure: RAND (128 bit) and Ki (128 bit) → COMP128 → 128 bit output → SRES (32 bit) and Kc (64 bit)
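The challenge-response scheme of the A3 and A8 slides, the AuC/HLR triples (RAND, SRES, Kc) handed to the serving MSC/VLR, and the single keyed-hash output split into SRES and Kc shown just above, carried through as one added example that is not from the slides. COMP128 itself is not reproduced: `keyed_hash_a3a8` is an HMAC-SHA256 stand-in (an assumption of this example) that only mimics the interface, taking a 128-bit Ki and 128-bit RAND and yielding 128 bits of which the first 32 are SRES and the next 64 are Kc. The IMSI and Ki values in the test are constructed.

```python
# Added example (not from the lecture slides): GSM challenge-response
# authentication and session-key derivation modelled end to end.
# ASSUMPTION: keyed_hash_a3a8 stands in for the operator's A3/A8 (COMP128);
# it keeps the interface (Ki, RAND -> SRES, Kc) but is not the real algorithm.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def keyed_hash_a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """128-bit Ki and 128-bit RAND in, one 128-bit keyed-hash output out,
    split as on the slide: first 32 bits -> SRES, next 64 bits -> Kc."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are both 128 bits")
    out = hmac.new(ki, rand, hashlib.sha256).digest()[:16]
    return out[:4], out[4:12]


class AuC:
    """Authentication Center: together with the HLR, the only place Ki is stored."""

    def __init__(self) -> None:
        self._ki: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def make_triple(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """One (RAND, SRES, Kc) triple for the HLR to pass on; Ki never leaves."""
        rand = secrets.token_bytes(16)
        sres, kc = keyed_hash_a3a8(self._ki[imsi], rand)
        return rand, sres, kc


class SIM:
    """Subscriber side: Ki stays on the SIM and is only ever used inside it."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return keyed_hash_a3a8(self._ki, rand)


class ServingMSC:
    """MSC/VLR: receives triples via the HLR and compares the SRES the MS returns."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc

    def authenticate(self, sim: SIM) -> Tuple[bool, Optional[bytes]]:
        rand, sres_expected, kc = self._auc.make_triple(sim.imsi)  # HLR -> VLR, not over the air
        sres_ms, kc_ms = sim.run_gsm_algorithm(rand)                # RAND goes to the MS over the air
        # Only RAND and SRES cross the radio path; Kc is derived independently
        # on both sides and is never transmitted.
        if not hmac.compare_digest(sres_ms, sres_expected):
            return False, None
        assert kc_ms == kc   # both ends now hold the same A5 session key
        return True, kc
```

A visited network only ever receives triples, never Ki, which is how the slide's last goal (operators cannot compromise each other's security) is met: a foreign VLR can authenticate and cipher for a roamer, but cannot mint its own challenges for that subscriber once its stored triples are used up.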
A5 – Encryption Algorithm
• A5 is a stream cipher
– Implemented very efficiently in hardware
– Design was never made public
• Variants
– A5/1 – the strong version
– A5/2 – the weak version
– A5/3
· GSM Association Security Group and 3GPP design
· Based on the Kasumi algorithm used in 3G mobile systems
Logical A5 Implementation
Figure: the Mobile Station and the BTS each run A5 with Fn (22 bit) and Kc (64 bit) as inputs, producing a 114 bit keystream. Mobile Station: Data (114 bit) XOR keystream → Ciphertext (114 bit); BTS: Ciphertext (114 bit) XOR keystream → Data (114 bit).
Real A5 output is 228 bit for both directions
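The logical A5 scheme above (Kc and the 22-bit frame number in, 228 keystream bits out, 114 per direction, ciphertext = data XOR keystream at one end and the same XOR at the other) as an added worked example that is not from the slides. A5/1 itself is not implemented: `keystream_228` is a SHA-256 based stand-in (an assumption of this example) that only reproduces the input and output sizes, and the Kc and data words in the test are constructed.

```python
# Added example (not from the lecture slides): the A5 framing modelled as a
# generic stream cipher. ASSUMPTION: keystream_228 is a hash-based stand-in
# for A5 that keeps only the interface (64-bit Kc + 22-bit Fn -> 228 bits).
import hashlib
from typing import List, Tuple

FRAME_BITS = 22          # Fn is a 22-bit TDMA frame number
BURST_BITS = 114         # payload bits per burst in one direction
KEYSTREAM_BITS = 228     # both directions together


def keystream_228(kc: bytes, fn: int) -> int:
    """Derive the 228 keystream bits for frame fn under session key Kc.
    Changing Fn changes the whole keystream, which is what allows one Kc to
    be reused burst after burst without repeating keystream."""
    if len(kc) != 8:
        raise ValueError("Kc is 64 bits")
    if not 0 <= fn < (1 << FRAME_BITS):
        raise ValueError("Fn is a 22-bit frame number")
    seed = kc + fn.to_bytes(3, "big")
    digest = hashlib.sha256(seed).digest() + hashlib.sha256(b"\x01" + seed).digest()
    return int.from_bytes(digest, "big") >> (512 - KEYSTREAM_BITS)   # keep exactly 228 bits


def split_directions(ks228: int) -> Tuple[int, int]:
    """First 114 bits: BTS -> MS (downlink); last 114 bits: MS -> BTS (uplink)."""
    downlink = ks228 >> BURST_BITS
    uplink = ks228 & ((1 << BURST_BITS) - 1)
    return downlink, uplink


def xor_burst(data114: int, ks114: int) -> int:
    """Ciphertext = data XOR keystream; applying it again recovers the data."""
    if not 0 <= data114 < (1 << BURST_BITS):
        raise ValueError("a burst carries 114 bits")
    return data114 ^ ks114


def uplink_session(kc: bytes, start_fn: int, plaintexts: List[int]) -> Tuple[List[int], List[int]]:
    """MS encrypts successive bursts with Fn, Fn+1, ... (wrapping at 2^22);
    the BTS decrypts with the same Kc and frame numbers.
    Returns (ciphertexts on the air, bursts recovered by the BTS)."""
    ciphertexts, recovered = [], []
    for i, data in enumerate(plaintexts):
        fn = (start_fn + i) % (1 << FRAME_BITS)
        _, up = split_directions(keystream_228(kc, fn))
        ct = xor_burst(data, up)            # MS side
        ciphertexts.append(ct)
        recovered.append(xor_burst(ct, up)) # BTS side, same Kc and Fn
    return ciphertexts, recovered
```

The frame number is the only thing that varies between bursts within a call, so the two ends must stay frame-synchronised (the Synchronization Burst from the burst-type slide) or the BTS will apply the wrong keystream and recover garbage rather than data.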


A5 Encryption
Figure: GSM architecture. Mobile Stations; Base Station Subsystem (BTS, BTS, BTS, BSC); Network Management (OMC); Exchange System (MSC); Subscriber and terminal equipment databases (VLR, HLR, AUC, EIR).
Key generation and Encryption
