
Global System for Mobile Communications (GSM)
Anindita Kundu
Overview
• The 2nd Generation Mobile Phones

• Primary Goal: provide a mobile phone system that allows
users to roam throughout Europe and provide voice
services compatible with ISDN and PSTN systems.

• Digital Mobile Radio Network

• Powerful message signaling capabilities that facilitate and
enhance roaming

• Automatic Network Location Detection and Registration

• Provides terminal mobility along with personal mobility
through SIM.
Versions
• GSM 900
– Initial deployment in Europe
– 890-915MHz for uplink and,
– 935-960MHz for downlink.

• GSM 1800
– also called Digital Cellular System – DCS 1800
– 1710-1785MHz for uplink and
– 1805-1880MHz for downlink.

• GSM 1900
– Also called Personal Communications Service – PCS 1900
– Mainly used in US
– 1850-1910 MHz for uplink
– 1930-1990MHz for downlink
System Architecture
[Figure: GSM system architecture. RSS: MS, radio cells, BTS, BSC. NSS: MSC, GMSC, HLR, VLR. OSS: OMC, AuC, EIR. Interfaces: Um, Abis, A, O. External networks: ISDN / PSTN, PDN.]
System Architecture
• Mobile Station (MS)
– Subscriber Identity Module (SIM)
• Static information
– Card Type
– Serial No.
– List of Subscribed Services
– Personal Identity No. (PIN)
– PIN Unblocking Key (PUK)
– Authentication Key (Ki)
– International Mobile Subscriber Identity (IMSI)
• Dynamic and Location Specific Information
– Cipher key (Kc)
– Temporary Mobile Subscriber Identity (TMSI)
– Location Area Identification (LAI)
– International Mobile Equipment Identity (IMEI)
• Device Specific
• Theft Protection and Tracking
System Architecture
• Base Station Subsystem (BSS)
– Maintains radio connection with the MS
– Performs Coding / Decoding of voice
– Rate adaptation to and from the wireless network.
– Controlled by a Base Station Controller (BSC)
– Comprises multiple Base Transceiver Stations (BTS)

• Base Station Controller (BSC)
– Manages BTS
– Reserves Radio frequency
– Handles intra BTS handover
– Performs Paging of MS
– Multiplexes radio channels onto the fixed network connections at the A
interface.

• Base Transceiver Station (BTS)
– Comprises all radio equipment
– Forms radio cells
– Consists of 16 or 64Kbps connection at the Abis interface.
– Depending upon its transmission power a GSM cell may range from
100m to 35km.
Function BTS BSC
Radio Channel Management
Frequency Hopping
Mapping Terrestrial onto radio channels
Terrestrial Channel Management
Channel Coding and Decoding
Rate Adaptation
Encryption and Decryption
Paging
Uplink Signal Management
Traffic Measurement
Authentication
Location registry and update
Handoff Management
System Architecture
• Network Switching Subsystem (NSS) is
the main component of the public
mobile network GSM
– Switching,
– Mobility management,
– Interconnection to other networks,
– System control
• Components
– Mobile Services Switching Center (MSC)
– Gateway MSC (GMSC)
– Databases
System Architecture
• The OSS (Operation Subsystem)
enables
– centralized operation,
– management, and
– maintenance of all GSM subsystems
• Components
– Operation and Maintenance Centre (OMC)
– Authentication Centre (AuC)
– Equipment Identity Register (EIR)
NSS Components
• Mobile Services Switching Center (MSC)
– High performance digital ISDN switch
– Connects to other MSCs and BSCs via the A interface
– Forms the fixed backbone network of the GSM system
– Controls several BSCs in a geographical region
– Controls all signaling required for connection setup, connection release
and handover of connections to other MSCs using SS7.

• Gateway MSC (GMSC)
– Connects to other fixed networks like PSTN and ISDN
– Connects to Public Data Networks like X.25 using Interworking
functions (IWF).

• Databases (important: scalability, high capacity, low delay)
– Home Location Register (HLR):
• Central master database containing user data (permanent and
semi-permanent) of all subscribers assigned to the HLR
– Visitor Location Register (VLR):
• Local database for a subset of user data, including data about all users
currently in the domain of the VLR
OSS Components
• Components
– Authentication Center (AUC)
• Protects user Identity and data transmission
• Contains algorithms for authentication
• Keys for encryption of data
• Generates values needed for user authentication in the HLR
– Equipment Identity Register (EIR)
• Database for all IMEI
• Maintains list of white, grey and blacklisted devices.
• Stolen or malfunctioning mobile stations can be locked and
sometimes even localized
– Operation and Maintenance Center (OMC)
• Monitors and Controls all network entities (using SS7 and X.25)
• Traffic Monitoring
• Security Management
• Accounting and Billing
GSM Radio Channels
[Figure: uplink band 890MHz to 915MHz and downlink band 935MHz to 960MHz, each with channels numbered 0 to 124; label "Guard Band of 25MHz". Inset: channels k1 to k6 plotted over code (c), frequency (f) and time (t).]

• GSM combines FDM and TDM:
bandwidth is subdivided into
channels of 200 kHz, shared by up to
eight stations, assigning slots for
transmission on demand.
• Advantages:
– Better protection against tapping
– Protection against frequency selective interference
– Higher data rates compared to code multiplex
• But: precise coordination required
GSM TDMA Frame Slots and Bursts
• 935-960MHz: 124 Channels (200KHz) downlink
• 890-915MHz: 124 Channels (200KHz) uplink
• GSM TDMA Frame: time slots 1 2 3 4 5 6 7 8, frame time 4.615ms
• GSM Time Slot (Normal Burst):
Guard Space | Trail (3 bits) | User Data (57 bits) | S (1) | Training (26 bits) | S (1) | User Data (57 bits) | Trail (3) | Guard Space
– 0.5465ms for the burst without guard space
– 0.577ms for the whole time slot
LOGICAL CHANNELS
• TRAFFIC
– FULL RATE: Bm 22.8 Kb/S
– HALF RATE: Lm 11.4 Kb/S
• SIGNALLING
– BROADCAST (DOWN LINK ONLY): FCCH, SCH, BCCH
– COMMON CONTROL: RACH (UPLINK ONLY), PCH and AGCH (DOWN LINK ONLY)
– DEDICATED CONTROL (BOTH UP & DOWNLINKS): SDCCH, SACCH, FACCH

FCCH -- FREQUENCY CORRECTION CHANNEL
SCH -- SYNCHRONISATION CHANNEL
BCCH -- BROADCAST CONTROL CHANNEL
PCH -- PAGING CHANNEL
RACH -- RANDOM ACCESS CHANNEL
AGCH -- ACCESS GRANTED CHANNEL
SDCCH -- STAND ALONE DEDICATED CONTROL CHANNEL
SACCH -- SLOW ASSOCIATED CONTROL CHANNEL
FACCH -- FAST ASSOCIATED CONTROL CHANNEL
Broadcast Channels (BCH)
• Broadcast control channel (BCCH) is a base to mobile
channel which provides general information about the
network, the cell in which the mobile is currently
located and the adjacent cells

• Frequency correction channel (FCCH) is a base to
mobile channel which provides information for carrier
synchronization

• Synchronization channel (SCH) is a base to mobile
channel which carries information for frame
synchronization and identification of the base station
transceiver
Common Control Channel (CCH)
• Paging channel (PCH) is a base to mobile
channel used to alert a mobile to a call
originating from the network

• Random access channel (RACH) is a mobile to
base channel used to request dedicated
resources

• Access grant channel (AGCH) is a base to
mobile channel which is used to assign dedicated
resources (SDCCH or TCH)
Dedicated Control Channel (DCCH)
• Stand-alone dedicated control channel (SDCCH) is a
bi-directional channel allocated to a specific mobile for
exchange of location update information and call set up
information

• Slow associated control channel (SACCH) is a bi-directional
channel used for exchanging control information between base
and a mobile during the progress of a call set up procedure. The
SACCH is associated with a particular traffic channel or
stand-alone dedicated control channel

• Fast associated control channel (FACCH) is a bi-directional
channel which is used for exchange of time critical information
between mobile and base station during the progress of a call.
The FACCH transmits control information by stealing capacity
from the associated TCH
• If TCH/F is used for data
transmission it has 1 SACCH for slow
signaling

• If fast signaling is required, FACCH
uses the time slots for TCH/F.

• Typical usage is:
TTTTTTTTTTTTSTTTTTTTTTTTTX
T => user traffic in TCH/F
S => signaling in SACCH

• 1 GSM burst carries 114 bits of user data;
one burst is sent per 4.615ms frame.

• 24 slots carry 2.736 kbit

• The time taken is counted over 26 slots
= 0.1199s

• Data Rate = 22.8Kbps

• SACCH:
– 114bits -> 0.1199s
– 950bits per sec.
TDMA Format Time Slot Fields
• Trail bits – allow synchronization of
transmissions from mobile units located at
different distances from the base station

• Encrypted bits – data is encrypted in blocks, by
conventional encryption of 114 plaintext bits
into 114 ciphertext bits. The encrypted bits are
then placed in two 57-bit fields in the time
slot

• Stealing bit – indicates whether the block contains
data or is "stolen" for urgent control signaling

• Training sequence – used to adapt the
parameters of the receiver to the current path
propagation characteristics and to select the
strongest signal in case of multipath
propagation. The training sequence is a known
bit pattern that differs between
adjacent cells.

• Guard bits – used to avoid overlapping with
other bursts due to different path delays
Frame, Multi-frame, Super-frame, Hyper-frame
• A frame consists of 8 time slots of 4.615ms
duration.
• A multi-frame is a block of 26 frames used
to transfer information having a total
duration of 120ms.
• A super-frame consists of 26x51 TDMA
frames with duration of approx. 6.12sec.
– Since 26 is not a factor of 51, these frames slide
across each other so that at the end of 26x51
period, each of the 26 frames has aligned once
with each of the 51 control frames.
Frame, Multi-frame, Super-frame, Hyper-frame
• Frame structure
– division of defined length of digital information into different
fields (information parts).
– GSM frame is 4.615 ms
– composed of 8 time slots (numbered 0 through 7).
– During voice communication, one user is typically assigned to
each time slot within a frame.
– The GSM system also combines frames to form Multi frames.

• Multi frames
– frames that are grouped or linked together to perform specific
functions.
– Multi frames on the GSM system use established schedules for
specific purposes, such as coordinating with frequency hopping
patterns.
– Multi frames used in the GSM system include the 26 traffic
multi frame, 51 control multi frame, super frame, and hyper
frame.
Frame, Multi-frame, Super-frame, Hyper-frame
• Traffic Multi frame Structures
– The 26 traffic multi frame structure is used to
• send information on the traffic channel.
• combine user data (traffic), slow control signaling (SACCH), and idle
time period.
– The idle time period allows a mobile device to perform other necessary
operations such as monitoring the radio signal strength level of a
beacon channel from other cells.
– The time interval of a 26 frame traffic multi frame is 6 blocks of speech
coder data (120 ms).

• Control Multi frame Structures
– The 51 control multi frame structure is used to send information on the
control channel.
– It is sub divided into logical channels that include the frequency
correction burst, the synchronization burst, the broadcast channel
(BCCH), the paging and access grant channel (PAGCH), and the stand-
alone dedicated control channel (SDCCH).
– The PAGCH is logically sub divided into PCH and AGCH.
Frame, Multi-frame, Super-frame, Hyper-frame
• Super frame
– A super frame is a multi frame sequence that combines the
period of a 51 multi frame with 26 multi frames (6.12
seconds).
– The use of the super frame time period allows all mobile
devices to scan all the different time frame types at least once.

• Hyper frame
– A hyper frame is a multi frame sequence that is composed of
2048 super frames,
– It is the largest time interval in the GSM system (3 hours, 28
minutes, 53 seconds).
– Every time slot during a hyper frame has a sequential number
(represented by an 11 bit counter) that is composed of a frame
number and a time slot number.
– This counter allows the hyper frame to synchronize the frequency
hopping sequence and the encryption processes for voice privacy of
subscribers' conversations.
• 8 slot TDMA frames are typically organized into a
26-frame multi frame. One of the frames in the multi frame is
used for control signaling and another is currently
unused, leaving 24 frames for data traffic.
• So each traffic channel receives one slot/frame and 24
frames/120ms multi frame, then the resulting data
rate is:

• The GSM specification also allows half rate traffic
channels, with two traffic channels occupying one time
slot in 12 of the 26 frames. With the use of half rate
speech coders, this effectively doubles the capacity of
the system.
• There is also a 51-frame multi frame used for control traffic.
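
The frame hierarchy and channel rates described above can be checked with a short Python sketch. This is an added example, not part of the original slides; the function names are made up for illustration, and the 26-frame pattern, the 114-bit burst payload and the 120 ms multi frame duration are taken from the slides.

```python
from fractions import Fraction

# 26-frame traffic multi frame from the slides: T = traffic, S = SACCH, X = unused
TRAFFIC_PATTERN = "T" * 12 + "S" + "T" * 12 + "X"
MULTIFRAME_MS = Fraction(120)        # duration of one 26-frame multi frame
FRAME_MS = MULTIFRAME_MS / 26        # about 4.615 ms per TDMA frame
BURST_PAYLOAD_BITS = 114             # two 57-bit data fields per normal burst
SUPERFRAME = 26 * 51                 # frames per super frame
HYPERFRAME = 2048 * SUPERFRAME       # frames per hyper frame


def locate(fn: int):
    """Split a frame number into (super frame, position in 26-mf, position in 51-mf)."""
    fn %= HYPERFRAME
    return fn // SUPERFRAME, fn % 26, fn % 51


def role(fn: int) -> str:
    """Role of this frame on a full rate traffic channel (T, S or X)."""
    return TRAFFIC_PATTERN[fn % 26]


def rate_bps(kind: str) -> Fraction:
    """Bit rate carried by the frames of one role, one burst per frame."""
    frames = TRAFFIC_PATTERN.count(kind)
    return frames * BURST_PAYLOAD_BITS / (MULTIFRAME_MS / 1000)


def alignments_in_superframe() -> int:
    """Distinct (26-mf position, 51-mf position) pairs met during one super frame."""
    return len({(fn % 26, fn % 51) for fn in range(SUPERFRAME)})


def hms(frames: int):
    """Duration of a number of frames as (hours, minutes, seconds), truncated."""
    seconds = int(frames * FRAME_MS / 1000)
    return seconds // 3600, seconds % 3600 // 60, seconds % 60
```

Because 26 and 51 share no common factor, every one of the 26 x 51 position pairs occurs exactly once per super frame, which is the sliding alignment the slides describe.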
GSM Protocol and Signaling
• Structured into 3 layers:
– Layer 1-Physical:
• Uses the channel structures
• Performs radio transmission
– Layer 2- Data Link Layer
• Link Access Protocol Dm (LAPDm) across the
Um interface.
• Link Access Protocol D channel (LAPD) across the Abis
interface.
• Message Transfer Part (MTP) of SS7 used across the
A interface
– Layer 3
• MM
• RM
• CM
RRM
• Channel assignment, change and release
• Ciphering (encryption) command and
response for data security
• Signal quality measurements (RSS, BER)
which enable handover whenever
required.
• Interference Reduction
– Adaptive Power control
– Discontinuous transmission reception
– Slow frequency hopping
MM
• Supports user mobility
• Location management, authentication
procedure and handover management
• LM:
– Geographic location change (LA change)
– on/ off based (IMSI Attach / Detach)
– Time based (periodic registration)
– Paging
• Authentication
• Identification by IMSI response
• Handover management
Location Update Procedure
• Procedure that keeps track of a mobile user in the roaming
state

• Purpose is to route an incoming call by sending a paging
message over the PCH channel.

• If the network sends the paging message to all the cells (blanket
paging), radio bandwidth is wasted

• If every cell generates a location update message during
movement of the MS, a large number of location update
messages are required.

• Considering the tradeoff between the two, the concept of
Location Area comes up.
Location Area
• Group of cells to which a paging
message is to be sent.

• MSC, HLR and VLR participate in the
location area update process.

• Procedure associated with location
update is IMSI attach / detach
IMSI Attach/Detach
• When an MS is switched on, the IMSI attach procedure is
executed.

• This procedure is required for the MSC and VLR to register
the MS in the network. If the MS has changed LA while it
was powered off, the IMSI attach procedure will lead to
a LU.

• When the MS is switched on, it searches for a mobile
network to connect to. Once the MS identifies its desired
network, it sends a message to the network to indicate that
it has entered into an idle state.

• The VLR checks its database to determine whether there is
an existing record of the particular subscriber.

• If no record is found, the VLR communicates with the
subscriber's HLR and obtains a copy of the subscription
information. The obtained information is stored in the
database of the VLR. Then an acknowledgement message is sent
to the MS.
IMSI Attach/Detach
• Steps for IMSI attach procedure are as
follows:
– MS sends a Channel Request message to the
BSS on the RACH.

– BSS responds on the AGCH with an Immediate
Assignment message and assigns an SDCCH to
the MS.

– The MS immediately switches to the assigned
SDCCH and sends a LU Request to the BSS.
The MS sends either IMSI or TMSI to the BSS.

– The BSS acknowledges the message. This ack
tells the MS that the BTS has received the
message; it does not indicate that the LU has
been processed.
IMSI Attach/Detach
– The BSS forwards the LU Request to the MSC/VLR.

– The MSC/VLR forwards the IMSI to the HLR and requests
verification of the IMSI as well as Authentication
Triplets.

– The HLR will forward the IMSI to the AuC and request
authentication triplets.

– The AuC generates the triplets and sends them along
with the IMSI, back to the HLR.

– The HLR validates the IMSI by ensuring it is allowed on
the network and is allowed subscriber services. It then
forwards the IMSI and Triplets to the MSC/VLR.

– The MSC/VLR stores the SRES and the Kc and forwards
the RAND to the BSS and orders the BSS to authenticate
the MS.
IMSI Attach/Detach
– BSS sends the Authentication Request
message to the MS. The only parameter sent
in the message is the RAND.

– The MS uses the RAND to calculate the SRES
and sends the SRES back to the BSS on the
SDCCH in an Authentication Response. The
BSS forwards the SRES up to the MSC/VLR.

– The MSC/VLR compares the SRES generated
by the AuC with the SRES generated by the
MS. If they match, then authentication is
completed successfully.
IMSI Attach/Detach
– The MSC/VLR forwards the Kc for the MS to
the BSS. The Kc is NOT sent across the Air
Interface to the MS. The BSS stores the Kc and
forwards the Set Cipher Mode command to the
MS. The CIPH_MOD_CMD only tells the MS
which encryption to use (A5/X); no other
information is included.

– The MS immediately switches to cipher mode
using the A5 encryption algorithm. All
transmissions are now enciphered. It sends a
Ciphering Mode Complete message to the BSS.
Security in GSM-networks
SIM
• Challenge-Response-method (cryptographic algorithm: A3)
Pseudonyms of participants at the Radio interface
• Temporary Mobile Subscriber Identity (TMSI)
Connection encoding on the Radio interface
• Key generation: A8
• Encryption: A5
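Security aspects: Authentication
[Figure: challenge-response authentication between the MS and the network (MSC, VLR, AuC). The network's random number generator produces RAND (128 Bit), which is sent to the MS in the Authentication Request. Each side feeds Ki (max. 128 Bit) and RAND into A3 to obtain SRES; the MS returns SRES (32 Bit) in the Authentication Response and the network checks the two values for equality (=).]
• Location Registration
• Location Update with VLR-change
• Call setup (in both directions)
• SMS (Short Message Service)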
Security aspects: Session Key
[Figure: session key generation between the MS and the network. The network's random number generator produces RAND (128 Bit), which is sent to the MS in the Authentication Request. Each side feeds Ki and RAND into A8 to obtain Kc (64 Bit).]
• Key generation: Algorithm A8
– Stored on SIM and in AuC
– one-way function parameterized by Ki
– no (Europe, world wide) standard
– can be determined by net operator
– Interfaces are standardized
– combination A3/A8 known as COMP128
Security aspects: encryption at the Radio interface
[Figure: encryption between MS and Net. After the Ciphering Mode Command and Ciphering Mode Complete exchange, each side feeds Kc and the TDMA-frame-number into A5 to produce a key block. The key block is added (+) to the plain text block to give the encrypted text, and added again at the receiver to recover the plain text block. Block size: 114 Bit.]

• Data encryption through algorithm A5:
– stored in the Mobile Station
– standardized in Europe and world wide
– weaker algorithm A5* or A5/2 for specific
countries
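
The authentication, session key and radio interface encryption steps above, traced end to end in Python. This is an added example, not part of the original slides: HMAC-SHA256 and SHAKE-256 are stand-ins for the operator-chosen A3/A8 and for A5, used only to reproduce the 128-bit RAND, 32-bit SRES, 64-bit Kc and 114-bit key block sizes, and the class names, IMSI and Ki are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: A3/A8 are operator-chosen and A5 is a dedicated stream cipher.
# HMAC-SHA256 and SHAKE-256 stand in for them here, only to reproduce the
# input/output sizes from the slides. This is neither COMP128 nor A5.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc

def a5_key_block(kc: bytes, frame_number: int) -> int:
    """114-bit key block for one burst, from Kc and the TDMA frame number."""
    stream = hashlib.shake_256(kc + frame_number.to_bytes(4, "big")).digest(15)
    return int.from_bytes(stream, "big") >> 6      # 120 bits -> 114 bits

def cipher_burst(kc: bytes, frame_number: int, block: int) -> int:
    """Add (XOR) the key block; the same call encrypts and decrypts."""
    return block ^ a5_key_block(kc, frame_number)

class AuC:
    """Knows Ki per IMSI and generates (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers: dict):
        self._ki = subscribers

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)             # 128-bit challenge
        return rand, a3_sres(self._ki[imsi], rand), a8_kc(self._ki[imsi], rand)

class Sim:
    """Holds Ki on the card; Ki and Kc never leave the MS side."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def authenticate(self, rand: bytes) -> bytes:
        self.kc = a8_kc(self._ki, rand)            # kept locally for A5
        return a3_sres(self._ki, rand)

def attach(auc: AuC, sim: Sim):
    """MSC/VLR view: returns (authenticated, air-interface messages, Kc for BSS)."""
    rand, expected, kc = auc.triplet(sim.imsi)     # triplet obtained via the HLR
    air = [("Authentication Request", rand)]       # RAND is the only parameter
    sres = sim.authenticate(rand)
    air.append(("Authentication Response", sres))
    ok = hmac.compare_digest(sres, expected)
    if ok:
        air.append(("Ciphering Mode Command", b"A5/X"))  # algorithm choice only
    return ok, air, (kc if ok else None)

# Constructed sample subscriber: IMSI and Ki are made-up values.
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def demo() -> dict:
    auc, sim = AuC({IMSI: KI}), Sim(IMSI, KI)
    ok, air, kc = attach(auc, sim)
    clone_ok, _, _ = attach(auc, Sim(IMSI, bytes(16)))   # right IMSI, wrong Ki
    plain = (1 << 113) | 0x2A                            # constructed 114-bit block
    sent = cipher_burst(kc, 42, plain)
    return {
        "authenticated": ok,
        "clone_authenticated": clone_ok,
        "kc_matches_sim": sim.kc == kc,
        "kc_seen_on_air": any(kc in payload for _, payload in air),
        "same_frame_decrypts": cipher_burst(kc, 42, sent) == plain,
        "other_frame_decrypts": cipher_burst(kc, 43, sent) == plain,
    }
```

The result of `demo()` shows the properties the slides rely on: only RAND, SRES and the algorithm choice cross the air interface, a SIM without the right Ki fails the SRES comparison, and a burst only decrypts with the key block of its own TDMA frame number.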
IMSI Attach/Detach
– The MSC/VLR sends a Location Updating
Accept message to the BSS.
– It also generates a new TMSI for the MS.
– TMSI assignment is a function of the VLR.
– The BSS will either send the TMSI in the
LOC_UPD_ACC message or it will send a
separate TMSI Reallocation Command
message.
– In both cases, since the Air Interface is now in
cipher mode, the TMSI is not compromised.
IMSI Attach/Detach
– The MS sends a TMSI Reallocation Complete
message up to the MSC/VLR.

– The BSS instructs the MS to go into idle mode
by sending it a Channel Release message. The
BSS then releases the SDCCH.

– The MSC/VLR sends an Update Location
message to the HLR. The HLR records which
MSC/VLR the MS is currently in, so it knows
which MSC to point to when it is queried for
the location of the MS.
GSM Procedures
• MS Power Off
– Sends detach message to inform the
network that it is no longer available
• MS Power On
– Sends attach message to inform the
network about its presence
– Idle Mode (Active)
– Service Mode (Call Processing)
GSM Procedures
• Idle mode:
– Gets network identity, frequency, timing and
frame number information on BCH
– IMSI Attach Process
– Authentication when channel requested for
location update.
– Listens to PCH for Paging (Incoming call alert)
GSM Procedures
• Idle mode:

[Figure: message sequence between MS, BSS, MSC, VLR and HLR, in the order shown:]
– Channel Request
– Channel Assigned
– Location Update Request
– Authentication Request
– Authentication Response
– Authentication Verification
– TMSI / LAI Assigned
– Acknowledge
– Update
– Channel Release
GSM Procedures
• Service mode:
– Mobile Originated Call (Outgoing)
• Call Establishment Procedure
– Mobile Terminated Call (Incoming)
– Handover
Mobile Originated Call

[Figure: message exchange between MS and BSS, in the order shown:]
– Channel Request on RACH
– Assign SDCCH on AGCH
– Call Establishment Request, Authentication, Encryption, Dialing, Routing &
TCH Request on SDCCH
– TCH & Call Established on FACCH
Mobile Originated Call
[Figure: message sequence between MS, BSS, MSC, VLR and PSTN, in the order shown:]
– Setup (Dialed Digits + Encryption)
– Send info for Outgoing call (Call Restriction Query)
– Complete Call
– Call Proceed (on SDCCH)
– Trunk Assignment
– Assignment of TCH (SDCCH)
– Assignment Complete
– Assignment Complete
– Initial Address Message (IAM)
– (voice path from MS to MSC)
– Answer Complete Message (ACM)
– Alerting (Ring heard)
– Answer
– Connect
– Connect Acknowledgement
Mobile Terminated Call

[Figure: message exchange between MS and BSS, in the order shown:]
– Paging request on PCH using TMSI
– Channel Request on RACH
– Assign SDCCH on AGCH
– Paging Response, other signaling and TCH assignment
Mobile Terminated Call
[Figure: message sequence between MS, BSS, MSC, VLR, HLR and PSTN, in the order shown:]
– Initial Address Message (IAM)
– Send Routing Information
– Routing Information
– Send Info for Incoming Call
– Page LA and appropriate BSCs
– Page message to TMSI
– Page request TMSI
– Channel Request on RACH
– Assign SDCCH on AGCH
– Page Response on SDCCH
– Page Response
– Access Request
– Setup
– Complete Call
– Call Confirmed
– Alert
– Setup Complete
– Connect
– Connect Acknowledge
– Answer
– End of MSC – VLR Dialogue
Call Release
• MS sends disconnect message to
MSC
• MSC sends release message to PSTN
• PSTN sends release complete
message to MSC
• MSC through BSS asks MS to release
resources
• MS informs release completion
Handover
[Figure: message sequence between MS, Serving BSS, Target BSS and MSC, in the order shown:]
– Measurement Report
– HO Required
– HO Request
– HO Request Ack
– HO Command
– HO Command
– HO Complete
– Handover
– HO Complete
– Release Command
– Release Complete
SS7 Signaling

• SSP: Signal Switching Point
• STP: Signal Transfer Point
• SCP: Signal Control Point
• SS7 is used in PSTN as well as in Mobile Networks
SS7 Protocol Stack
• MTP 1,2,3:
– Physical, flow control/error
control/security and message
id/Routing/ NW Management
– Common Transport Layer for
secure and reliable routing of
messages, with higher layers
providing the content
– Interpret directions from higher
layers and uses the
64Kbps/565Kbps signaling links
to route messages to destination
• TUP/ISUP/BISUP:
– Circuit Related Call Control
Protocols to establish/release
voice calls and data sessions
– Specific messages such as
IAM/SAM by originating SSP,
ACM for acknowledgement by
receiving SSP, Clear/Release
messages etc transmitted.
SS7 Protocol Stack
• SCCP
– Provides other functions such as
Connection oriented or
connectionless data transfer.
• TCAP:
– For query and retrieval of data
from database
– Initiates queries and receives
responses
– Unbundles received messages into
components and sends them to the
appropriate higher layers
• ASP
– MAP, IS 41 etc use TCAP to process
their operations and SCCP to
transport data to destination
– Mobile core network interfaces are
based on SS7 and MAP defines
them
GSM and SS7
• Signaling between the fixed
components of the network like HLR
and VLR is accomplished through
Message Application Part (MAP). MAP
is built on TCAP.
