GSM Architecture

GSM
Various subsystems
1. Network Subsystem includes the equipments
and functions related to end-to-end call.

2. Radio Subsystem includes the equipments and

functions related to the management of the
connections on the radio path.

3. Operations and Maintenance subsystem

includes the operation and maintenance of GSM
equipment for the radio and network interface.
 1 MSC=16 BSC Network Architecture
1 BSC=1024 TRU
OSS
HLR
(
B
PSTN
T
S ISDN

B
T MSC VLR
S BSC
BSC Data
Networks
A Interface
B A-bis interface
T
S

Air interface MSC VLR

BSC:BASE STATION CONTROLLER, BTS: BASE TRANSRECEIVER STATION, OSS: OPERATION AND SUPPORT
SUBSYSTEM.ss
GSMNetwork Structure
• GSM Service Area: Total area served by the
combination of all member countries where a
mobile can be served.
• PLMN Service Area:It is one N/W area.
• MSC Service Area:There can many MSC/VLR in
one PLMN area.It is one Mobile Exch. Area.
• GMSC: All I/C calls for PLMN N/W will be
routed through GMSC. In a GSM/PLMN N/W all
mobile terminated calls will be routed to a
Gateway MSC. Call connections between
PLMNs , or to fixed N/Ws must be routed to a
GMSC.The GMSC contains the Inter working
functions to make these connections.
• Location Area
• Cells
LOCATION AREA:There are several LA in a MSC/VLR
combination A LA is a part of the MSC/VLR service area in
which a MS may move freely without updating location
information to the MSC/VLR exchange that control the LA.
Within a LA a paging message is broadcast in order to find
the called mobile subs. LA can be identified by system using
the LAI.
CELL.A cell is an identity served by one BTS. The MS
distinguishes between cells using the BASE STATION
IDENTIFICATION CODE(BSIC) that the cell site broadcast
over the air.
GSM
PLMN Service Area

II II
MSC
MSC VLR

MSC VLR
V
MSC VLR

III IV
GSM
MSC Service Area

LA2
VLR LA3
LA1
MSC

LA4 LA6
LA5
GSM
Cells LA2

LA3
LA1
VLR
C3 LA6
LA4 C2
C1
MSC
C4
C5
LA5 C6
C=CELL
GSM
Relation between areas in GSM

CellArea
Location
Area served by a BTS
Location Area
MSC Service Area
PLMN Service Area
GSM Service Area
GSM
LA Coding
MCC MNC LAC

3 digit 3 digit 2 Octets

LAI
MCC:Mobile country code, MNC: Mobile N/W Code,
LAC: Location Area code
GSM
Functions of Mobile Station
• Voice and data transmission
• Frequency and time synchronization
• Monitoring of power and signal quality
of the surrounding cells
• Provision of location updates even
during inactive state
• Equalization of multi path distortions
GSM
Mobile Station

• Portable, vehicle mounted, hand held

• MS identified by unique IMEI(International Mobile Equipment
Identity)

• Shall display at least last ten received, dialled

and missed calls
• Minimum talk time of 1hr 30 min. and
standby time of 80 hrs
• 160 characters long SMS
GSM
Mobile Station - Power Levels
Power Max. Peak Tolerance (dB)
Class Power Normal Extreme
1 20W +/- 2 +/- 2.5
(43 dBm) Vehicle
2 8W +/- 2 +/- 2.5 mounted
(39 dBm)
3 5W +/- 2 +/- 2.5
(37 dBm)
4 2W +/- 2 +/- 2.5
(33 dBm)
5 0.8W +/- 2 +/- 2.5
(29 dBm)
Mobile station Power adjustable in 2 db steps.down to 13
db(20mw) , under remote control from BTS .
BTS measure received power from MS (minimum) .
This is to minimize Co-channel Interference. Adjustment
with 13 TDMA frame(60 ms).
The required power level is determined by BSC.
GSM
SIM Card
• SIM Module
• Unique Subscriber’s ID IMSI and ISDN
• PIN( Personal Identification Number)
• Key Ki( Identification Key) , Kc and A3,A5 and A8
algorithms
• SIM has CPU, ROM, RAM and EPROM
GSM
Mobile Identification Numbers
• IMEI
• MSISDN
• IMSI
• TMSI
• MSRN
GSM
MSISDN
• Mobile Subscriber’s ISDN Number
• The MSISDN is registered in the telephone directory and
used by the calling party for dialing.
• MSISDN shall not exceed 15 digits.
• NDS--National Significant Number---Give Routing
Information to reach HLR
• N(S)N--National Significant Number
1 to 3 digits Variable Variable
CC NDC SN
N(S)N
MSISDN : not more than 15 digits
GSM
IMSI
• International mobile subscriber’s
Identity
• The IMSI is an unique identity which is used
internationally and used within the network to
identify the mobile subscribers.
• The IMSI is stored on the subscriber identity
module (SIM), the HLR, VLR and AC
database.
 GSM
IMSI 3 digits
3 digits Not more than 9 digits

MCC MNC MSIN

NMSI

IMSI : Not more than 15 digits

MCC--Mobile Country Code, MNC--Mobile N/W Code, MSIN--Mobile

Station Identification Number
NMSI--National Mobile Station Identity,assigned by Individual
Administration.
Mobile station Identification Number. It identifies the subs. In a PLMN.
First 3 digit identifies the Logical HLR-id of Mobile subs.
 GSM, TMSI
• Temporary Mobile subscriber’s Identity
• The TMSI is an identity which guarantees the integrity
of the mobile subscribers on the radio interface and
protect the Subs. from being identified by those
attempting to monitor the Radio CHL.
• The VLR assigns a TMSI to each mobile subscribers
entering the VLR area.
• Assigned only after successful authentication.
• TMSI has only local significance i.e. within VLR & area
controlled by the VLR
• TMSI changes on location updation
• TMSI is less than 8 digit
 GSM
MSRN
Mobile Station Roaming Number
• The MSRN is used in the GMSC to set up a
connection to the visited MSC/VLR.
• MSRN--is a temporary identity which is
assigned during the establishment of a call to a
roaming subs.
CC NDS SN

CC--Country Code, NDC--National Destination Code, SN-- Subs. No.

GSM
IMEI
• International Mobile Equipment
Identity
• The IMEI is an unique code allocated to each
mobile equipment. It is checked in the EIR.
• IMEI check
 White List

 Grey List

 Black List
 RADIO SUB SYSTEM (RSS)

MSC/VLR

BSC BSC

BSC
RSS

n BTS n BTS
GSM
FUNCTION OF BTS -I
• Encodes, encrypts, multiplexes, modulates
and feeds the RF signals to the antenna

• Transcoding and rate adaption Functionality

• Time and frequency synchronisation signals

transmission.

• 11 power classes from .01 watts to 320

watts
GSM
FUNCTION OF BTS -II

• Frequency hopping

• Random access detection

• Uplink radio channel measurements

• BTS mainly consists of a set of transceivers

(TRX).
 FREQUENCY HOPPING
The Mobile Radio Channel is a Frequency selective Fading
channel, slow hopping freq. Of a CHL.changes with every
TDMA Frame. RATE--216.7 Hops/sec. It reduces the S/N
ratio.
Base Band Hoping: It involves hopping between freq. On
different transreceivers in a cell.
Synthesizer Hoping: Hopping from freq. To freq. On the
same transreceiver in a cell.
 TIMING ADVANCE

ItItIiisIta solution to time alignment. It works by instructing the

mis aligned MS to transmit its burst earlier or later than it
normally would.
Transmission would occur earlier or later related to previous
position ,to reach its timeslot at the BTS in right time .
Max. bit times= 63. For 35 KM.
With extended range distances up 70 Km or even 121 Km can
be handled, using 2 T/S.
GSM
FUNCTIONS OF BSC-I

• It is connected to BTS and offloads

MSC
• Radio resource management
• Inter-cell handover
• Reallocation of frequencies
• Power control
GSM
FUNCTIONS OF BSC-II

• Time delay measurement of the received

signals from MS with respect to BTS clock.

• Performs traffic concentration to reduce the

number of lines from BSC to MSC.
GSM
MSC-BSS Configurations
Multi - cell site (sector Cells
Configuration -5 BTS
A
A
BSS
Single - cell site
Configuration -1

A BTS Many single

MSC BSS A-bis BTS BTS
cell sites

BSC BTS BTS

A-bis

BTS Multi - cell site =

MCC: Mobile Switching Centre Configuration -6
multi--BTS site
BSS: Base Station System
BSC: Base Station Controller
BTS: Base Transceiver Station
 Network and Switching
Subsystem (NSS)
SS7 Signalling
Traffic Path VLR D

C HLR AUC
F
E
Other
EIR A
MSC MSC

(PSTN)

(BSS)
GSM
MSC ( MOBILE SWITCHING CENTRE)
• Manages communication between GSM &
other network
• Call setup functions, basic switching are done
• MSC takes into account the RR allocation in
addition to normal exchange functions
• MSC does gateway function while its customers
roams to other network by using HLR /VLR
GSM
MSC Functions - I
• Paging, specifically call handling
• Location updation
• Handover management
• Billing for all subscribers based in its area
• Reallocation of frequencies to BTSs in its area
to meet heavy demands
GSM
MSC Functions - II
• Echo canceller operation control

• Signaling interface to databases like HLR, VLR.

• Gateway to SMS between SMS centers and

subscribers

• Handle interworking function while working as

GMSC
 INTERWORKING FUNCTION
-It provide the Interfacing Capability to Data N/Ws.
-IMF. A part of MSC, provides the subscriber with
access to data rate and protocol conversion facilities so
that data can be transmitted between GSM Data
Terminal Equipment ( DTE ) and a land line DTE.
GSM
VISITOR LOCATION REGISTER (VLR)-I

• It controls those mobiles roaming in its area.

• VLR reduces the number of queries to HLR

• One VLR may be incharge of one or more LA.

• VLR is updated by HLR on entry of MS its area.

• VLR assigns TMSI which keeps on changing.

• IMSI detach and attach operation

GSM
Data in VLR
• IMSI & TMSI
• MSISDN
• MSRN.
• Location Area
• Supplementary service parameters
• MS category
• Authentication Key
Home Location Register(HLR)

• Reference store for subscriber’s parameters,

numbers, authentication & Encryption values.

• Current subscriber status and associated VLR.

• Both VLR and HLR can be implemented in the

same equipment in an MSC.

• one PLMN may contain one or several HLR.

Home Location Register(HLR)….
• Permanent data in HLR
• Data stored is changed only by man-machine.

• IMSI, MS-ISDN number.

• Category of MS ( whether pay phone or not )

• Roaming restriction ( allowed or not ).

• Supplementary services like call forwarding

 Home Location Register(HLR)….

• Temporary data in HLR

• The data changes from call to call & is dynamic

• MSRN

• RAND /SRES and Kc

• VLR address , MSC address.

• Messages waiting data used for SMS

AUTHENTICATION CENTRE (AUC )-I

• AUC is a separate entity and physically

included in HLR

• Protect against intruders in air interface

• Authentication (Ki) and ciphering (Kc)

key are stored in this data base.

• Keys change randomly with each call

• Keys are never transmitted to MS on air

Only calculated response are sent.
AUTHENTICATION & ENCRIPTION

• AUC
Database SRES RAND
Kc
IMSI1 ki1 HLR
Algorithm for
IMSI2 ki2 Ciphering
A8 Kc
IMSI3 ki3
64 bits
Algorithm for
Generation Authentication SRES
of Random A3
Number 32 bits
RAND
RAND
GSM
EQUIPMENT IDENTITY REGISTER ( EIR )

• This data base stores IMEI for all registered

mobile equipments and is unique to every ME.

• Only one EIR per PLMN.

• White list : IMEI, assigned to valid ME.

• Black list : IMEI reported stolen
• Gray list : IMEI having problems like faulty
software, wrong make of equipment etc.
Operations and Maintenance Centre
OMC
The centralized operation of the various units in
the system and functions needed to maintain the
subsystems.

Dynamic monitoring and controlling of the

network
Functions Of OMC

-O&M data function

-Configuration management

--Fault report and alarm handling

-Performance supervision/management

-Storage of system software and data

GSM
Security Management
• Four basic security services provided
by GSM

• Anonymity : TMSI Assignment

• Authentication
• Encryption:
• PIN
 ENCRIPTION/CIPHERING

To encode the burst so that it can not be

interpreted by any other device than the
receiver. The ciphering algorithm in GSM is
called A5 algorithm. It does not bits to burst,
meaning that the I/P and O/P to the ciphering
process is the same as the I/P: 456 bits per sec.
 GSM
Encryption Process
Plain Text

KEY Encryption
Process

Cipher-text
GSM
Generic Authentication
Process
RAND
Ki RAND Ki

Radio Path
IMSI
A3 A3 IMSI

SRES
Response Compare
SRES
Yes/No
 Authentication

• Authentication is used to check the validity of a

mobile subscriber.

At MS At N/W

Ki Ki
RAND( 128 bits )

A3 A3

SRES SRES
=? ( 32 bits )

AUTHENTICATION
• Ki ( 128 bits) : Identification Key
- Purpose : Ki is used to calculate SRES and Kc.
- Ki is stored in SIM and HLR.
- Ki is never transmitted over signaling
network.
• RAND ( 128 bits ):Random Number
- Purpose : RAND is used to calculate SRES and Kc.

• Kc ( 64 bits ) : Ciphering Key

- Purpose : Kc is used to encrypt data over radio
interface.

• SRES ( 32 bits) :Signed Response

 Ciphering

• Ciphering is used to encrypt data on radio interface.

RAND Ki
Kc generation is done at the
time of Authentication.
A8
Frame
No. (22
bits ) Kc ( 64 bits)

A5

Ciphering Stream
Ciphered Bits
XOR
Information Bits ( 114 bits )

CIPHERING
 Authentication Procedure-I
• Authentication procedure is always initiated and
controlled by the n/w.
The purpose of authentication procedure is two fold
:
1. To check identity provided by the MS.
2. To supply n/w parameters to MS to calculate Kc.

Authentication Request
TIME

Authentication Response

Authentication Reject

MS AUTHENTICATION PROCEDURE N/W

Authentication done on each location update and for each new service.but not always,decided by
 Authentication Procedure -II
-When to start Authentication ?
-N/W decides to initiate authentication in the following
scenarios:
A. If CKCN( Ciphering Key Seq. No.) in any initial message
from MS does not match with that stored at self end.
B. After some predetermined number of accesses to the N/W
 Authentication Procedure-III
1. N/W initiates authentication by sending Authentication
Request message to the MS
2. Authentication Response by the MS
--MS calculates SRES and Kc after getting RAND from
AUTHENTICATION REQUEST MESSAGE .
-It stores Kc and CKSN (from message) into SIM.
-It sends SRES to the N/W.
3.Authentication Response Processing at N/W
- N/W compares SRES received from MS and that stored at self
end.
 Authentication Procedure
- If mismatch occures, N/W sends Authentication Reject
message to MS and cleans up all MM( Mobility & Management
) connections.
-If it matches then N/W proceeds for further activities.
4.Authentication Reject message at MS
- Ms sets update status in MS to ROAMING NOT
ALLOWED.
-deletes TMSI, LAI and CKSN from SIM.
-considers SIM as invalid until MS switched off or SIM
removed.
 Authentication Procedure-V
Authentication Triplets :

- At n/w side, authentication procedure requires

authentication triplets.
- Authentication triplets contains
-RAND ( 128 bits ).
- SRES ( 32 bits ).
- Kc ( 64 bits ).
- The network can have more than one triplets.
- The operator can allow reuse of triplets.
- The index of currently used triplet is called CKSN
( Ciphering Key Sequence Number ).