Post on 24-Mar-2018
Aim: Study of GSM Model
Theory:
GSM (Global System for Mobile communications) is an open, digital cellular technology used
for transmitting mobile voice and data services. GSM supports voice calls and data transfer
speeds of up to 9.6 kbps, together with the transmission of SMS (Short Message Service). GSM
operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the
US. GSM services are also transmitted via 850MHz spectrum in Australia, Canada and many
Latin American countries. The use of harmonised spectrum across most of the globe, combined
with GSM’s international roaming capability, allows travellers to access the same mobile
services at home and abroad. GSM enables individuals to be reached via the same mobile
number in up to 219 countries. Terrestrial GSM networks now cover more than 90% of the
world’s population. GSM satellite roaming has also extended service access to areas where
terrestrial coverage is not available.
GSM Architecture
The GSM network can be divided into three main parts:
The Base Station Subsystem (BSS)
The Network and Switching Subsystem (NSS)
The Operation and Support Subsystem (OSS)
Radio Station Subsystem (RSS)
The RSS provides the interface between the ME and the NSS. It is in charge of transmission
and reception. It may be divided into two parts:
Base Station Controller (BSC): It controls a group of BTSs and manages their radio
resources. A BSC is principally in charge of handoffs, frequency hopping, exchange
functions and power control over each managed BTS.
Base Transceiver Station (BTS) or Base Station: It maps to the transceivers and antennas
used in each cell of the network. It is usually placed in the center of a cell. Its transmitting
power defines the size of a cell. Each BTS has between 1 and 16 transceivers depending on
the density of users in the cell.
Mobile Station
A Mobile Station consists of two main elements:
o The Subscriber Identity Module (SIM): It is protected by a four-digit Personal
Identification Number (PIN). In order to identify the subscriber to the system, the
SIM card contains, amongst other data, a unique International Mobile Subscriber
Identity (IMSI). User mobility is provided by mapping the subscriber to the
SIM card rather than to the terminal, as was done in earlier cellular systems.
o Mobile equipment/terminal (ME): The actual device used for communication.
Fig: GSM Architecture
The Network and Switching Subsystem (NSS)
Its main role is to manage the communications between the mobile users and other users, such as
mobile users, ISDN users, fixed telephony users, etc. It also includes the databases needed in order
to store information about the subscribers and to manage their mobility. The different
components of the NSS are described below.
MSC: The central component of the NSS. The MSC performs the switching functions of
the network. It also provides connection to other networks.
GMSC: A gateway that interconnects two networks: the cellular network and the PSTN.
It is in charge of routing calls from the fixed network towards a GSM user. The GMSC is
often implemented in the same machines as the MSC.
HLR: The HLR stores information about the subscribers belonging to the coverage area of an
MSC; it also stores the current location of these subscribers and the services to which
they have access. The location of the subscriber maps to the SS7 address of the Visitor
Location Register (VLR) associated with the MS.
VLR: Contains the information from a subscriber's HLR necessary to provide the subscribed
services to visiting users. When a subscriber enters the coverage area of a new MSC, the
VLR associated with this MSC will request information about the new subscriber from its
corresponding HLR. The VLR will then have enough data to assure the subscribed
services without needing to ask the HLR each time a communication is established. The
VLR is always implemented together with an MSC; thus, the area under control of the
MSC is also the area under control of the VLR.
GSM Interworking Unit (GIWU): The GIWU provides an interface to various
networks for data communications. During these communications, the transmission of
speech and data can be alternated.
Operation and Support Subsystem (OSS)
It is connected to components of the NSS and the BSC in order to control and monitor the GSM
system. It is also in charge of controlling the traffic load of the BSS. It must be noted that as the
number of base stations increases with the scaling of the subscriber population, some of the maintenance
tasks are transferred to the BTS, allowing savings in the cost of ownership of the system.
Authentication Center (AuC): It serves security purposes; it provides the parameters
needed for the authentication and encryption functions. These parameters allow verification
of the subscriber's identity.
Equipment Identity Register (EIR): The EIR stores security-sensitive information about the
mobile equipment. It maintains a list of all valid terminals as identified by their
International Mobile Equipment Identity (IMEI). The EIR thus allows the network to bar calls
from stolen or unauthorized terminals (e.g., a terminal which does not respect the
specifications concerning the output RF power).
GSM Protocol stack
Fig: Protocol Architecture for signaling
Above figure shows the architecture of protocols used within the GSM system, with signaling
protocols, interfaces as well as the entities.
Again the main area of focus is the Um interface, because the other interfaces occur
between entities in a fixed network. The physical layer, Layer 1, handles all the radio-specific
functions. This layer includes the creation of bursts according to the five different formats, the
multiplexing of bursts into TDMA frames, synchronization with the BTS, detection of idle
channels and the measurement of the channel quality on the downlink. At Um, the physical layer
uses GMSK (Gaussian Minimum Shift Keying) for the digital modulation and performs
encryption/decryption of data. This means that encryption is not performed end-to-end, but only
between MS and BTS over the air interface.
The synchronization also includes the correction of the individual path delay between the MS
and the BTS: all MSs within a cell use the same BTS and hence must be synchronized to the
BTS. This is due to the fact that the BTS generates the time structure of the frames and slots.
This can be problematic since the MSs in a cell have different RTTs (Round Trip Times).
Therefore the BTS sends the current RTT to the MS, which then adjusts its access time so that all
bursts reach the BTS within their limits.
The physical layer has several main tasks that comprise channel coding and error
detection/correction; this is directly combined with the coding mechanisms. FEC (Forward Error
Correction) is used extensively in channel coding. FEC adds redundancy to the user data,
thus allowing for the detection and correction of selected errors. The power of the FEC scheme
depends on the amount of redundancy, the coding algorithm, and any further interleaving of data to
minimize the effects of burst errors. What's more, the FEC is the reason that error
detection/correction occurs in the physical layer. This differs from the ISO/OSI reference model,
where it occurs in layer two. The GSM physical layer tries to correct errors; however, it does not
deliver erroneous data to the higher layers.
GSM logical channels use different coding schemes with different correction capabilities; for
example, speech channels need additional coding of the voice data after analogue-to-digital
conversion. This is in order to reach a data rate of 22.8 kbit/s (using the 13 kbit/s from the voice
codec plus redundancy, CRC bits, and interleaving). When GSM was envisaged it was assumed
that voice would be the main service, so the physical layer also contains special functions, for instance
VAD (Voice Activity Detection), which transmits voice data only when there is a voice signal.
In the gaps between voice activity, the physical layer generates comfort noise to fake a
connection; however, no actual transmission takes place.
Signaling between the entities within the GSM network requires the use of the higher layers. For
this, the LAPDm (Link Access Procedure for the D-Channel) protocol has been defined at the
Um interface for layer two. LAPDm is a lightweight version of LAPD, in that it does not require
synchronization flags or checksumming for error detection; these are not needed as these
functions are already performed in the physical layer of the GSM network. LAPDm, however,
offers reliable data transfer over connections, re-sequencing of data frames and flow control. Due
to the fact that there is no buffering between layer one and two, LAPDm has to obey the
frame structures, recurrence patterns etc. defined for the reassembly of data and
acknowledged/unacknowledged data transfer.
Layer three in the GSM network is made up of several sublayers; the lowest sublayer is the RR
(Radio Resource Management). Only part of this layer, the RR', is implemented in the BTS; the
remainder of the RR is situated in the BSC. The BSC, via the BTSM (Base Transceiver Station
Management), is responsible for the functions of the RR'. The RR' has the function of setting up,
maintaining and releasing the radio channels. The RR' also has direct access to the physical
layer for radio information and offers a reliable connection to the next higher layer.
Radio Resource Management (RR) is a protocol to create, maintain and delete radio link
channels. RR' defines a subset of RR. This protocol is also responsible for channel
quality measurement, radio field strength and synchronization control, handover
and data ciphering. An RR message contains a protocol discriminator for protocol
identification, a transaction ID, and a message type. The data itself is carried in
Information Elements (IE) of fixed or variable length (for the latter, an additional Length Indicator
(LI) is necessary).
Mobility Management (MM) is a protocol for supporting Terminal Equipment (TE)
mobility. MM procedures need a pre-established RR connection consisting of a logical
channel and a LAPDm connection. Signaling is carried out between the MS and the
MSC, thus it is transparent to the BSS. There are three MM procedure categories:
o Common procedures like TMSI reallocation, authentication, identity requests, and
IMSI detachments can always be carried out independently of each other.
o Specific procedures are mutually exclusive. A specific procedure like a location
update and an IMSI attachment cannot be executed as long as another one is being
executed. Specific procedures are also mutually exclusive to MM-connections.
o Mobility management procedures create, maintain and tear down MM
connections. MM connections are created upon requests from the higher Call
Management (CM) sublayer. Each CM instance is assigned its own MM
connection.
Call Management (CM) is a protocol containing three subprotocols:
o Call Control (CC) creates, maintains and deletes calls. Several parallel calls can
be established. Thus for each call, one CC instance is created in the MS, and
another one in the MSC. CC instances communicate with each other via dedicated
MM instances they own.
o The Short Message Service (SMS) is divided into the SMS Control Layer (SMS-
CL) and the SMS Relay Layer (SMS-RL). These layers need previously
established MM, RR and LAPDm connections.
o Supplementary Services (SS) provide an entry point to access the GSM
supplementary services. Applications from upper layers may enter the CM via the
Service Access Points (SAP) MNCC-SAP, MNSS-SAP and MNSMS-SAP or
bypass the CM by directly entering the MMREG-SAP of MM.
Signaling Connection Control Part (SCCP) is a SS7 protocol for establishing and
maintaining identifiable control connections. At the A-interface, SCCP offers connection
oriented and connectionless transport services.
Base Station System Application Part (BSSAP) is a signaling protocol at the A interface.
BSSAP uses services offered by the SCCP and is further divided into three sub-parts:
o The Direct Transfer Application Part (DTAP) offers services for signaling
between the MS and the MSC (CM, MM). DTAP signals only use connection
oriented SCCP services.
o The Base Station System Management Application Part (BSSMAP) transports
signals concerning a single MS, physical channels of the radio link as well as
global commands for the BSC resource management between an MSC and an
BSC. BSSMAP procedures use connection oriented and connectionless SCCP
services.
o The Base Station System Operation and Maintenance Application Part
(BSSOMAP) transports network management messages from the OMC over the
MSC to a BSC.
Mobile Application Part (MAP) is the GSM specific enhancement of SS7 for
1. management of roaming functions like location registration/updating, IMSI
attach/detach and handover
2. subscriber management
3. IMEI management
4. authentication and identification
5. SMS.
MAP has special interfaces to other GSM network nodes.
Localization and calling
One of the main features of the GSM system is the automatic, worldwide localization of its users.
The GSM system always knows where a user is currently located, and the same phone number is
valid worldwide. To have this ability the GSM system performs periodic location updates, even
if the user does not use the MS, provided that the MS is still logged on to the GSM network and
is not completely switched off. The HLR contains information about the current location, and the
VLR that is currently responsible for the MS informs the HLR about the location of the MS
when it changes. Changing VLRs with uninterrupted availability of all services is also called
roaming. Roaming can take place within the network of one GSM service provider, between
two providers in one country (which does not normally happen), or between different
service providers in different countries, known as international roaming.
To locate an MS and to address the MS, several numbers are needed:
MSISDN (Mobile Station International ISDN Number): The only important number
for the user of GSM is the phone number, due to the fact that the phone number is only
associated with the SIM, rather than a certain MS. The MSISDN follows the E.164, this
standard is also used in fixed ISDN networks.
IMSI (International Mobile Subscriber Identity): GSM uses the IMSI for internal
unique identification of a subscriber.
TMSI (Temporary Mobile Subscriber Identity): To disguise the IMSI that would give
the exact identity of the user which is signaling over the radio air interface, GSM uses the
4 byte TMSI for local subscriber identification. The TMSI is selected by the VLR and
only has temporary validity within the location area of the VLR. In addition to that the
VLR will change the TMSI periodically.
MSRN (Mobile Station [Subscriber] Roaming Number): This is another temporary
address that disguises the identity and location of the subscriber. The VLR generates this
address upon request from the MSC and the address is also stored in the HLR. The
MSRN is comprised of the current VCC (Visitor Country Code), the VNDC (Visitor
National Destination Code) and the identification of the current MSC together with the
subscriber number; hence the MSRN is essential to help the HLR find a subscriber for
an incoming call.
All the numbers described above are needed to find a user within the GSM system and to
maintain the connection with a mobile station. The scenarios below show an MTC
(Mobile Terminated Call) and an MOC (Mobile Originated Call).
MTC (Mobile Terminated Call)
1. The PSTN subscriber dials the MS’s telephone number (MSISDN), the MSISDN is
analyzed in the PSTN, which identifies that this is a call to a mobile network subscriber.
A connection is established to the MS’s home GMSC. The PSTN sends an Initial
Address message (IAM) to the GMSC.
2. The GMSC analyzes the MSISDN to find out which HLR, the MS is registered in, and
queries the HLR for information about how to route the call to the serving MSC/VLR.
The HLR looks up the MSISDN and determines the IMSI and the SS7 address for the
MSC/VLR that is servicing the MS. The HLR also checks if the service, “call forwarding
to C-number” is activated, if so, the call is rerouted by the GMSC to that number.
3. The HLR then contacts the servicing MSC/VLR and asks it to assign a MSRN to the call.
[MSRN - Mobile Station Routing Number].
4. The MSC/VLR returns an MSRN via HLR to the GMSC.
Fig: MTC (Mobile Terminated Call)
5. The GMSC sends an Initial Addressing message (IAM) to the servicing MSC/VLR and
uses the MSRN to route the call to the MSC/VLR. Once the servicing MSC/VLR
receives the call, the MSRN can be released and may be made available for reassignment.
6. The MSC/VLR then orders all of its BSCs and BTSs to page the MS. Since the
MSC/VLR does not know exactly which BSC and BTS the MS is monitoring, the page
will be sent out across the entire Location Area (LA).
7. The MSC/VLR sends the paging message to the BTSs in the desired LA. The BTSs
transmit the message over the air interface using the PCH. To page the MS, the network uses
an IMSI or a TMSI valid only in the current MSC/VLR service area.
8. When the MS detects the paging message, it sends a request on RACH for a SDCCH.
9. The BSC provides a SDCCH, using AGCH.
10. SDCCH is used for the call set-up procedures. Over SDCCH all signaling preceding a
call takes place. This includes: Marking the MS as “active” in the VLR. Authentication
procedure (Start ciphering, Equipment identification).
11. The MSC/VLR instructs the BSC/TRC to allocate an idle TCH. The BTS and MS are
told to tune to the TCH. The mobile phone rings. If the subscriber answers, the
connection is established.
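The routing part of the MTC procedure (steps 1 to 7: IAM at the GMSC, HLR lookup with the call-forwarding check, MSRN allocation by the serving MSC/VLR, release of the MSRN on arrival, and paging by TMSI inside the LA) as an added simulation; it is not code from the original page. The HLR, VLR and GMSC classes, the MSRN layout built from VCC + VNDC + MSC id + subscriber number, and all numbers are constructed for this example.

```python
import itertools


class MscVlr:
    """Serving MSC/VLR: allocates MSRNs on HLR request and pages the MS in its LA."""

    def __init__(self, vcc, vndc, msc_id):
        self.vcc, self.vndc, self.msc_id = vcc, vndc, msc_id
        self.attached = {}            # IMSI -> (LAI, TMSI) for MSs logged on here
        self.msrn_pool = {}           # MSRN currently assigned -> IMSI
        self._seq = itertools.count(1)

    def attach(self, imsi, lai, tmsi):
        self.attached[imsi] = (lai, tmsi)

    def allocate_msrn(self, imsi):
        # MSRN = VCC + VNDC + MSC identification + temporary subscriber number
        msrn = f"{self.vcc}{self.vndc}{self.msc_id}{next(self._seq):04d}"
        self.msrn_pool[msrn] = imsi
        return msrn

    def receive_iam(self, msrn):
        imsi = self.msrn_pool.pop(msrn)   # step 5: MSRN released once the call arrives
        lai, tmsi = self.attached[imsi]
        # steps 6-7: page across the whole LA using the TMSI rather than the IMSI
        return {"paged_lai": lai, "paged_tmsi": tmsi, "imsi": imsi}


class Hlr:
    """HLR: maps MSISDN to IMSI and to the serving VLR (its SS7 address in a real network)."""

    def __init__(self):
        self.subs = {}                # MSISDN -> record

    def register(self, msisdn, imsi, vlr, forward_to=None):
        self.subs[msisdn] = {"imsi": imsi, "vlr": vlr, "forward": forward_to}

    def location_update(self, msisdn, new_vlr):
        self.subs[msisdn]["vlr"] = new_vlr

    def routing_info(self, msisdn):
        rec = self.subs[msisdn]       # KeyError for an unknown MSISDN
        if rec["forward"]:            # step 2: "call forwarding to C-number" is active
            return "forward", rec["forward"]
        return "msrn", rec["vlr"].allocate_msrn(rec["imsi"])   # steps 3-4


class Gmsc:
    """GMSC: receives the IAM from the PSTN and routes it using HLR information."""

    def __init__(self, hlr, vlrs):
        self.hlr = hlr
        self.vlrs = list(vlrs)

    def handle_iam(self, msisdn):
        kind, number = self.hlr.routing_info(msisdn)
        if kind == "forward":
            return {"rerouted_to": number}
        # The MSRN prefix identifies the serving MSC/VLR, so the IAM is routed there.
        vlr = next(v for v in self.vlrs if number.startswith(v.vcc + v.vndc + v.msc_id))
        result = vlr.receive_iam(number)
        result["msrn"] = number
        return result


def demo():
    # Constructed topology: a home MSC/VLR and a visited one in another country.
    vlr_home, vlr_visited = MscVlr("1", "555", "01"), MscVlr("44", "770", "07")
    hlr = Hlr()
    hlr.register("+15550100", "001010000000001", vlr_home)
    hlr.register("+15550101", "001010000000002", vlr_home, forward_to="+15559999")
    vlr_visited.attach("001010000000001", lai="44-770-0007-1", tmsi="a1b2c3d4")
    hlr.location_update("+15550100", vlr_visited)     # subscriber roamed abroad
    gmsc = Gmsc(hlr, [vlr_home, vlr_visited])
    return gmsc.handle_iam("+15550100"), gmsc.handle_iam("+15550101"), vlr_visited


if __name__ == "__main__":
    call, forwarded, _ = demo()
    print(call, forwarded)
```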
MOC (Mobile Originated Call)
Fig: MOC (Mobile Originated Call)
It is much simpler to perform a mobile originated call (MOC) compared to an MTC. The MS
transmits a request for a new connection (1), and the BSS forwards this request to the MSC (2). The MSC
then checks if this user is allowed to set up a call with the requested service (3 and 4) and checks
the availability of resources through the GSM network and into the PSTN. If all resources are
available, the MSC sets up a connection between the MS and the fixed network.
In addition to the steps mentioned above, other messages are exchanged between MS and BTS as
shown in following figure.
Fig: Other messages are exchanged between MS and BTS
GSM Handover
Handover is the procedure that transfers an ongoing call from one cell to another as the user
moves through the coverage area of the cellular system. The purpose of the handover procedure is to
preserve ongoing calls when the mobile station moves from one cell to another. In GSM the
handover decision is made by the serving BSC, which has no direct knowledge of the radio
quality and therefore relies on measurement reports. These measurement reports contain the radio
signal quality of the downlink from the BTS to the MS of the call and of up to five neighboring
cells. The serving BTS measures the uplink radio signal quality (from the MS to the BTS) of the
call and forwards it in the measurement reports. From the information in the measurement reports
the BSC is able to decide whether a handover to another cell is needed. These measurement
reports are periodically transmitted from the MS to the BSC on the SACCH channel assigned to
every connection. Handover initiation is the process of deciding when to request a handover.
Handover is based on the received signal strength (RSS) from the current base station and the
neighboring base stations.
There are different categories of GSM handover, involving different parts of the GSM
network. Changing cells within the same BTS is not as complicated as changing to a cell
belonging to a different MSC. There are mainly two reasons for this kind of handover. First, the
mobile station moves out of the range of the base station or the antenna of the BTS. Secondly, the
wired infrastructure (the MSC or the BSC) may decide that the traffic in one cell is too high and
move some of it to other cells with lower load. These are the main reasons that initiate the
different kinds of handover. Following are the different kinds of handover and their details.
Fig: Handovers in GSM
1. Intra-cell / Intra-BTS Handover:
The terms intra-cell and intra-BTS handover are both used for a frequency change. There is
a slight difference between them, but usually they are considered the same. The intra-cell
handover is not a real handover, as it only deals with a frequency change of an ongoing call. The
frequency change occurs when the quality of the communication link is degrading and the
measurements of the neighboring cells are better than those of the current cell. In this situation
the BSC which controls the BTS serving the MS orders the MS and BTS to switch to
another frequency which offers a better communication link for the call. The
communication link degradation is caused by interference, as the neighboring cell is
using the same frequencies, and it is better to try another channel. In the intra-BTS
handover the cells involved are synchronized.
2. Intra-BSC Handover:
The intra-BSC handover is performed when the MS changes BTS but not BSC.
The intra-BSC handover is entirely carried out by the BSC, but the MSC is notified
when the handover has taken place. If the target cell is in a different location area, then
the MSC needs to perform the location update procedure after the call. In the intra-BSC
handover both synchronized and non-synchronized handovers are possible.
3. Intra-MSC Handover:
In the intra-MSC handover the BSC decides that a handover is required, but the
target cell is controlled by a different BSC, so it needs assistance from the connected
MSC. In comparison to the previous handovers discussed, the MSC is mandatory for this
kind of handover. The responsibilities of the MSC do not include processing the
measurements of the BTS or MS, but only concluding the handover. This kind of handover
can be either intra-MSC or inter-MSC. In the intra-MSC handover the target cell is
located in a different BSC connected to the same MSC. The MSC contacts the target
BSC for allocation of the required resources and informs the serving BSC when they are ready.
After the successful resource allocation the MS is instructed to access the new channel
and the call is transferred to the new BSC.
4. Inter-MSC Handover:
The inter-MSC handover is performed between two cells belonging to different MSCs in
the same system. In the inter-MSC handover the target cell is connected to a
different MSC than the one currently serving the call.
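The BSC-side handover initiation and the four handover categories above, as an added example that is not code from the original page: a measurement report (serving-cell downlink and uplink RSS plus at most five neighbours, as the text describes) drives the decision, and the target cell's BTS/BSC/MSC membership decides which kind of handover results and whether a location update is needed. The cell topology, the RSS threshold and the hysteresis margin are constructed values, not standard parameters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    cell_id: str
    bts: str
    bsc: str
    msc: str
    lai: str          # location area the cell belongs to


@dataclass
class MeasurementReport:
    """Sent by the MS to the BSC on the SACCH: downlink RSS of the serving cell and of
    up to five neighbours; the serving BTS adds the uplink RSS before forwarding."""
    serving: str
    downlink_rss: int          # dBm, measured by the MS
    uplink_rss: int            # dBm, measured by the serving BTS
    neighbours: dict           # cell_id -> downlink RSS in dBm (at most five)

    def __post_init__(self):
        if len(self.neighbours) > 5:
            raise ValueError("a measurement report carries at most five neighbour cells")


def classify(serving: Cell, target: Cell) -> str:
    """Which network elements are involved, following the four handover kinds above."""
    if target.cell_id == serving.cell_id:
        return "intra-cell"          # frequency change only, handled by the serving BTS
    if target.bsc == serving.bsc:
        return "intra-BSC"           # BSC performs it alone, MSC is only notified
    if target.msc == serving.msc:
        return "intra-MSC"           # MSC coordinates the two BSCs
    return "inter-MSC"


def decide(report, cells, threshold=-95, margin=6):
    """BSC-side handover initiation (constructed thresholds): act when either link drops
    below `threshold`; go to the best neighbour if it beats the serving downlink by
    `margin` dB, otherwise just change frequency within the same cell (interference case)."""
    serving = cells[report.serving]
    if min(report.downlink_rss, report.uplink_rss) >= threshold:
        return None                                  # link still good, nothing to do
    best_id = max(report.neighbours, key=report.neighbours.get, default=None)
    if best_id is None or report.neighbours[best_id] < report.downlink_rss + margin:
        target = serving                             # no better cell: try another channel
    else:
        target = cells[best_id]
    kind = classify(serving, target)
    return {
        "target": target.cell_id,
        "kind": kind,
        "msc_involved": kind in ("intra-MSC", "inter-MSC"),
        "location_update_needed": target.lai != serving.lai,
    }


# Constructed sample topology: two BSCs under msc1, a third BSC under msc2.
CELLS = {c.cell_id: c for c in [
    Cell("A", "bts1", "bsc1", "msc1", "LA1"),
    Cell("B", "bts2", "bsc1", "msc1", "LA1"),
    Cell("C", "bts3", "bsc2", "msc1", "LA2"),
    Cell("D", "bts4", "bsc3", "msc2", "LA3"),
]}

if __name__ == "__main__":
    print(decide(MeasurementReport("A", -100, -98, {"B": -80, "C": -90}), CELLS))
```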
GSM Security
The security methods standardized for the GSM System make it the most secure cellular
telecommunications standard currently available. Although the confidentiality of a call and the
anonymity of the GSM subscriber are only guaranteed on the radio channel, this is a major step in
achieving end-to-end security.
The subscriber's anonymity is ensured through the use of temporary identification numbers. The
confidentiality of the communication itself on the radio link is performed by the application of
encryption algorithms and frequency hopping which could only be realized using digital systems
and signaling.
Mobile Station Authentication:
The GSM network authenticates the identity of the subscriber through the use of a
challenge-response mechanism. A 128-bit random number (RAND) is sent to the MS.
The MS computes the 32-bit signed response (SRES) based on the encryption of the
random number (RAND) with the authentication algorithm (A3) using the individual
subscriber authentication key (Ki). Upon receiving the signed response (SRES) from the
subscriber, the GSM network repeats the calculation to verify the identity of the
subscriber.
The calculation of the signed response is processed within the SIM. This provides
enhanced security, because the confidential subscriber information such as the IMSI or
the individual subscriber authentication key (Ki) is never released from the SIM during
the authentication process.
Signaling and Data Confidentiality:
The SIM contains the ciphering key generating algorithm (A8) which is used to produce
the 64-bit ciphering key (Kc). The ciphering key is computed by applying the same
random number (RAND) used in the authentication process to the ciphering key
generating algorithm (A8) with the individual subscriber authentication key (Ki). As will
be shown in later sections, the ciphering key (Kc) is used to encrypt and decrypt the data
between the MS and BS.
An additional level of security is provided by having the means to change the ciphering
key, making the system more resistant to eavesdropping. The ciphering key may be
changed at regular intervals as required by network design and security considerations. In
a similar manner to the authentication process, the computation of the ciphering key (Kc)
takes place internally within the SIM. Therefore sensitive information such as the
individual subscriber authentication key (Ki) is never revealed by the SIM.
Encrypted voice and data communications between the MS and the network is
accomplished through use of the ciphering algorithm A5. Encrypted communication is
initiated by a ciphering mode request command from the GSM network. Upon receipt of
this command, the mobile station begins encryption and decryption of data using the
ciphering algorithm (A5) and the ciphering key (Kc).
Subscriber Identity Confidentiality:
To ensure subscriber identity confidentiality, the Temporary Mobile Subscriber Identity
(TMSI) is used. The TMSI is sent to the mobile station after the authentication and
encryption procedures have taken place. The mobile station responds by confirming
reception of the TMSI. The TMSI is valid in the location area in which it was issued. For
communications outside the location area, the Location Area Identification (LAI) is
necessary in addition to the TMSI.
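The authentication, ciphering-key derivation and TMSI allocation described in the three subsections above, as an added simulation that is not code from the original page. A3 and A8 are operator-specific and not given here, so a keyed hash (HMAC-SHA256) stands in for both: its first 4 bytes play the 32-bit SRES and the next 8 bytes the 64-bit Kc. Only RAND and SRES cross the simulated air interface, Ki never leaves the SIM object, and the VLR keys its TMSI table by (LAI, TMSI) so a TMSI is only meaningful in the location area that issued it. Ki, IMSI and LAI values are constructed.

```python
import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Stand-in for A3 (SRES) and A8 (Kc); a placeholder, not the real GSM algorithms."""
    if len(rand) != 16:                      # RAND is a 128-bit random number
        raise ValueError("RAND must be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # 32-bit SRES, 64-bit Kc


class Sim:
    """SIM side. Ki stays inside the SIM; only SRES and Kc are handed to the ME."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self.__ki = ki                       # never returned by any method
        self.kc = None                       # current ciphering key used by the ME for A5

    def run_gsm_algorithm(self, rand):
        sres, self.kc = a3_a8(self.__ki, rand)
        return sres                          # only SRES crosses the air interface


class AuC:
    """Authentication Centre: holds Ki per IMSI and produces (RAND, SRES, Kc) triplets."""

    def __init__(self, ki_by_imsi):
        self._ki_by_imsi = ki_by_imsi

    def triplet(self, imsi):
        rand = os.urandom(16)
        sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class MscVlr:
    """MSC/VLR: challenges the MS, checks SRES, then allocates a TMSI bound to its LAI."""

    def __init__(self, lai, auc):
        self.lai = lai
        self.auc = auc
        self.kc_by_imsi = {}                 # network-side Kc per subscriber
        self.imsi_by_tmsi = {}               # (LAI, TMSI) -> IMSI

    def authenticate(self, sim):
        rand, expected_sres, kc = self.auc.triplet(sim.imsi)
        sres = sim.run_gsm_algorithm(rand)   # RAND sent to the MS, SRES returned
        if not hmac.compare_digest(sres, expected_sres):
            return None                      # authentication failed: no Kc stored, no TMSI
        self.kc_by_imsi[sim.imsi] = kc       # both sides now hold Kc without sending it
        tmsi = os.urandom(4)                 # 4-byte TMSI issued after authentication
        self.imsi_by_tmsi[(self.lai, tmsi)] = sim.imsi
        return tmsi

    def resolve(self, lai, tmsi):
        """Map a TMSI back to an IMSI; outside the issuing LAI it does not resolve."""
        return self.imsi_by_tmsi.get((lai, tmsi))


# Constructed sample subscriber (not real values).
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")
IMSI = "001010123456789"


def demo():
    auc = AuC({IMSI: KI})
    vlr = MscVlr(lai="001-01-0042", auc=auc)
    genuine = Sim(IMSI, KI)
    tmsi = vlr.authenticate(genuine)
    cloned = Sim(IMSI, bytes(16))            # same IMSI, wrong Ki: SRES will not match
    return {
        "tmsi": tmsi,
        "kc_shared": genuine.kc == vlr.kc_by_imsi[IMSI],
        "resolved": vlr.resolve(vlr.lai, tmsi),
        "other_lai": vlr.resolve("001-01-0099", tmsi),
        "wrong_ki": vlr.authenticate(cloned),
    }


if __name__ == "__main__":
    print(demo())
```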
Conclusion: Hence we studied the GSM model, its architecture, protocol stack, calling and
localization, and security.