Services
Mobility Concepts
Call Set Up
Security
Maria Leonora Guico
Tcom 126 2nd Sem Lecture 3
Acknowledgements to:
1. Mr. Max Stepanov for some of the lecture slides on GSM security
2. SWEEP for lecture slides on GSM
Services
Subscriber’s action which uses the facilities
of the GSM network
Classification of services:
1. Teleservices
2. Bearer services
3. Supplementary services
Teleservices
Provide subscriber with necessary
capabilities including terminal equipment
functions to communicate with other
subscribers
Examples:
Speech (Telephony)
Short Message Service
Facsimile
Bearer Services
Offer the basic technical capability for
transmission of binary data between end to
end terminals
Bearer services are pure transport services
Examples: Circuit- or packet-switched
service
Supplementary Services
Supplementary services cannot be
assigned to a user without a basic service
Modify or enhance a basic service and offer
the subscriber additional control functions
for this basic service.
Examples of supplementary services that
can be used in association with the basic
service “Telephony” are:
call forwarding
call charge display
call hold
Traffic Management
[Figure: transmit / receive processing chain, with the bit rate between stages]
13 Kbps
Channel Coding / Channel Decoding
22.8 Kbps
Interleaving / De-interleaving
22.8 Kbps
Ciphering / De-ciphering
33.6 Kbps
Radio Interface
Modulation / Demodulation
270.83 Kbps
Burst Formatting
Info contained in one time slot on the TDMA frame is called a burst.
• Normal Burst (NB): used to carry information on traffic and control channels.
• Frequency Correction Burst (FB): used for frequency synchronization of the mobile.
• Access Burst (AB): used for random access and handover access.
Handoff Types:
– Intra-cell handover
– Intra-BSC handover
– Intra-MSC hand-over
– Inter-MSC hand-over
Call Routing
Call Originating from MS
Call termination to MS
Call Set Up: Terminology
MSISDN (mobile subscriber international ISDN number)
MSISDN = CC + NDC + SN
where:
Country code = 63 (Philippines)
National Destination Code = e.g. 919 (Smart), 917 (Globe), 922 (Sun)
Subscriber Number = 2205071 (example)
Incoming Call from Landline Subscriber
HLR inquiry / Request routing info
HLR looks up database for IMSI; takes routing info to target MSC/VLR
1. Calling a GSM subscriber
2. Forwarding call to GMSC
3. Signal Setup to HLR
4, 5. Request MSRN from VLR
6. Forward responsible MSC to GMSC
7. Forward Call to current MSC
8, 9. Get current status of MS
10, 11. Paging of MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection
GSM Security Goals
Confidentiality and Anonymity on the radio
path
Strong client authentication to protect the
operator against the billing fraud
Prevention of operators from compromising
each other's security
GSM Security Features
Key management is independent of equipment
Subscribers can change handsets without compromising
security
Subscriber identity protection
It is not easy to identify the user of the system by intercepting
user data
Detection of compromised equipment
Mechanism to detect whether a mobile device has been
compromised
Subscriber authentication
The operator knows for billing purposes who is using the
system
Signaling and user data protection
Signaling and data channels are protected over the radio path
Security Implementation
Authentication
verification of the subscriber
Each subscriber has an authentication key, Ki, stored in the
Authentication Center and on the SIM card
Performed by the VLR before call establishment and
location update
IMEI (international mobile equipment identity) Checking
Verification of mobile equipment by checking the
validity of IMEI
Ciphering (Encryption)
Encryption of the user speech in the air interface
User confidentiality
Avoidance of broadcasting user’s IMSI in the air
interface
Key Management Scheme
Ki – Subscriber Authentication Key
Shared 128 bit key used for authentication of
subscriber by the operator
Key Storage
Subscriber’s SIM (owned by operator, i.e.
trusted)
Operator’s Home Location Register (HLR) of
the subscriber’s home network
SIM can be used with different equipment
Mobile Station (1)
1. Mobile Equipment (ME)
Physical mobile device
Identifiers
IMEI – International Mobile Equipment Identity
IMEI = TAC(6) + FAC(2) + SNR(6) + SP(1)
where:
TAC – type approval code
FAC – final assembly code
SNR – serial number
SP – spare (future use)
Mobile Station (2)
2. Subscriber Identity Module (SIM)
Smart Card containing keys, identifiers and algorithms
Identifiers
Ki – Subscriber Authentication Key
IMSI – International Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity
IMSI is confidential identity of subscriber
After successful first time location update, mobile subscriber is
allocated TMSI (temporary mobile subscriber identity)
Subscriber is identified by TMSI for succeeding transactions
MSISDN – Mobile Subscriber International ISDN Number
PIN – Personal Identity Number protecting a SIM
LAI – location area identity
SIM Anatomy
Subscriber Identification Module (SIM)
Smart Card – a single chip computer containing
OS, File System, Applications
Protected by PIN
Owned by operator (i.e. trusted)
SIM applications can be written with SIM Toolkit
Authentication
Authentication Goals
Subscriber (SIM holder) authentication
Protection of the network against
unauthorized use
Create a session key
Authentication Scheme
Subscriber identification: IMSI or TMSI
Challenge-Response authentication of the
subscriber by the operator
Subscriber Identity Protection
TMSI – Temporary Mobile Subscriber Identity
Goals
TMSI is used instead of IMSI as a temporary subscriber identifier
TMSI prevents an eavesdropper from identifying subscriber
Usage
TMSI is assigned when IMSI is transmitted to AuC on the first phone
switch on
Every time a location update (new MSC) occurs, the network assigns
a new TMSI
TMSI is used by the MS to report to the network or during a call
initialization
Network uses TMSI to communicate with MS
On MS switch off TMSI is stored on SIM card to be reused next time
The VLR performs assignment, administration and update of the TMSI
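The TMSI life cycle listed above, as an added example that is not part of the original slides: it models a single VLR (an assumption; a change of MSC/VLR is not modelled) and records which identity the mobile sends in clear on each location update. The class names and the IMSI are constructed; the 32-bit TMSI size is the GSM value.

```python
import secrets

class VLR:
    """Assigns and updates TMSIs; single-VLR model (assumption)."""
    def __init__(self):
        self._by_tmsi = {}                      # current TMSI -> IMSI

    def location_update(self, identity):
        """identity is ("IMSI", str) on first contact, ("TMSI", int) afterwards.
        Returns the newly assigned TMSI, or None for an unknown TMSI."""
        kind, value = identity
        imsi = value if kind == "IMSI" else self._by_tmsi.get(value)
        if imsi is None:
            return None                         # network would have to request the IMSI
        new = secrets.randbits(32)              # TMSI is a 32-bit value
        while new in self._by_tmsi:             # never reuse a live TMSI
            new = secrets.randbits(32)
        stale = [t for t, i in self._by_tmsi.items() if i == imsi]
        for t in stale:
            del self._by_tmsi[t]                # old TMSI no longer maps to anyone
        self._by_tmsi[new] = imsi
        return new

class MobileStation:
    def __init__(self, imsi):
        self.imsi = imsi
        self.tmsi = None                        # kept on the SIM across switch-off

    def identity(self):
        return ("IMSI", self.imsi) if self.tmsi is None else ("TMSI", self.tmsi)

def simulate(updates, imsi="515020000000001"):  # constructed IMSI
    """Return the identities sent in clear over the radio path, in order."""
    vlr, ms, on_air = VLR(), MobileStation(imsi), []
    for _ in range(updates):
        ident = ms.identity()
        on_air.append(ident)
        ms.tmsi = vlr.location_update(ident)
    return on_air
```

Only the first entry of the returned list carries the IMSI; every later entry is a TMSI that differs from the one before it.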
Detection of Compromised
Equipment
International Mobile Equipment Identifier (IMEI)
Identifier that allows mobiles to be identified
IMEI is independent of SIM
Used to identify stolen or compromised equipment
Equipment Identity Register (EIR)
Black list – stolen or non-type mobiles
White list - valid mobiles
Gray list – local tracking mobiles
Central Equipment Identity Register (CEIR)
Approved mobile type (type approval authorities)
Consolidated black list (posted by operators)
Security in GSM
On air interface, GSM uses encryption and
TMSI instead of IMSI.
SIM: protected by a 4-8 digit PIN that validates
ownership of the SIM
3 algorithms are specified :
- A3 algorithm for authentication
- A5 algorithm for encryption
- A8 algorithm for key generation
Location of Security Algorithm
Ki (128 bit) A3
Ki (128 bit) A8
KC (64 bit)
Logical Implementation of A3 and A8
Both A3 and A8 algorithms are
implemented on the SIM
Operator can decide which algorithm
to use.
Algorithm implementation is
independent of hardware
manufacturers and network operators.
Logical Implementation of A3 and A8
COMP128 is used for both A3 and A8 in most GSM
networks.
COMP128 is a keyed hash function
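The challenge-response flow behind A3 and A8, as an added example that is not from the original slides: HMAC-SHA256 stands in for COMP128 (an assumption made so the block is self-contained), and the class names, IMSI and Ki are constructed. RAND is 128 bits and SRES 32 bits, as in GSM; Ki and Kc use the sizes given above.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

def a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8 (HMAC-SHA256, not COMP128): returns (SRES, Kc)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128 bits each")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]      # 32-bit SRES, 64-bit Kc

class AuC:
    """Operator side: Ki is stored per IMSI and never leaves this class."""
    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys

    def triplet(self, imsi: str):
        ki = self._keys.get(imsi)
        if ki is None:
            return None                  # unknown subscriber
        rand = secrets.token_bytes(16)   # fresh challenge per authentication
        return (rand, *a3a8(ki, rand))   # (RAND, SRES, Kc) handed to the VLR

class SIM:
    """Subscriber side: same Ki, same algorithms, only SRES is sent back."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8(self._ki, rand)   # Kc stays local, used by A5
        return sres

def vlr_authenticate(auc: AuC, sim: SIM):
    """Run by the VLR before call establishment or location update.
    Returns the session key Kc on success, None on failure."""
    triplet = auc.triplet(sim.imsi)
    if triplet is None:
        return None
    rand, expected_sres, kc = triplet
    sres = sim.respond(rand)             # only RAND and SRES cross the air
    return kc if hmac.compare_digest(sres, expected_sres) else None

# Constructed sample values, not real subscriber data.
IMSI = "515020000000001"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
```

A SIM holding the right Ki ends up with the same Kc as the network without Ki or Kc ever being transmitted; a SIM with a different Ki fails the SRES comparison.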
[Figure: network diagram with A5 marked twice; labelled elements: OMC, BTS, BSC, MSC, Exchange System, VLR, HLR, AUC, EIR]
A5 Encryption
Key generation and Encryption