CIS 6930 - Cellular and Mobile Network Security: CDMA/UMTS Air Interface

Florida Institute for Cybersecurity (FICS) Research
Professor Patrick Traynor
10/11/2018


UMTS and CDMA

• 3G technology - major change from GSM (TDMA)
• Based on techniques originally employed by Verizon (IS-95)
• Signal is encoded so that it can be recovered from “noise” (other signals)


New Considerations

• Technology differences
  • Power control
  • Frequency re-use & handoffs
  • Number of users
  • Modulation (Phase Shift Keying)
• Traffic differences
  • What is the primary difference between 2G and 3G?


Code Division Multiple Access

• used in several wireless broadcast channels (cellular, satellite, etc.) standards
• unique “code” assigned to each user; i.e., code set partitioning
• all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data
• encoded signal = (original data) X (chipping sequence)
• decoding: inner-product of encoded signal and chipping sequence
• allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)
• What does it mean for two vectors to be orthogonal?


CDMA Encode/Decode

[Figure: CDMA encode/decode for one sender over two slots. Sender: data bits $d_0 = 1$ (slot 0) and $d_1 = -1$ (slot 1) are multiplied by the code to give the channel output $Z_{i,m} = d_i \cdot c_m$. Receiver: the received input for each slot is multiplied by the same code and averaged, $D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$.]


CDMA: two-sender interface
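
The encode and decode rules above, worked for two senders on one channel. This is an added example, not part of the lecture: the 8-chip codes, data bits and the `gain` parameter (received strength of a sender) are constructed for illustration.

```python
# Constructed 8-chip codes (not taken from the slides). A and B are orthogonal;
# C is deliberately NOT orthogonal to A.
CODE_A = [1, 1, 1, 1, -1, -1, -1, -1]
CODE_B = [1, -1, 1, -1, 1, -1, 1, -1]
CODE_C = [1, 1, 1, -1, 1, -1, -1, -1]

def dot(u, v):
    """Inner product; 0 means the two codes are orthogonal."""
    return sum(a * b for a, b in zip(u, v))

def spread(bits, code, gain=1):
    """Z_{i,m} = d_i * c_m: each +1/-1 data bit becomes M chips.
    `gain` models how strongly this sender arrives at the receiver."""
    return [gain * d * c for d in bits for c in code]

def channel(*signals):
    """All senders share the frequency, so their chips simply add."""
    return [sum(chips) for chips in zip(*signals)]

def despread(received, code):
    """D_i = (1/M) * sum_m Z_{i,m} * c_m for every M-chip slot."""
    m = len(code)
    return [dot(received[i:i + m], code) / m
            for i in range(0, len(received), m)]

def decide(correlations):
    """Hard decision: the sign of each correlation is the decoded bit."""
    return [1 if d > 0 else -1 for d in correlations]

bits_a, bits_b = [1, -1], [-1, -1]        # constructed data bits

# Orthogonal codes: each receiver recovers its own bits exactly.
rx = channel(spread(bits_a, CODE_A), spread(bits_b, CODE_B))
print(despread(rx, CODE_A), despread(rx, CODE_B))

# Non-orthogonal code at equal power: cross-talk, but the signs survive.
rx = channel(spread(bits_a, CODE_A), spread(bits_b, CODE_C))
print(despread(rx, CODE_A))

# Same code, interferer received 3x stronger: first bit of A decodes wrongly.
rx = channel(spread(bits_a, CODE_A), spread(bits_b, CODE_C, gain=3))
print(despread(rx, CODE_A), decide(despread(rx, CODE_A)))
```

The last case shows why received signal strengths matter once codes are not perfectly orthogonal at the receiver.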


CDMA Benefits

• Higher capacity
  • interference limited = high efficiency
  • uses voice activity detection to reduce transmission bandwidth
• Improved quality
  • soft handoff
  • CDMA has frequency, spatial, and time diversity to adapt to errors
• Ease of deployment
  • no frequency planning; frequency reuse = 1
• Increased talk time
  • power control ensures that the UE transmits at optimum power, resulting in longer battery life.


CDMA Privacy

• Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA offer?
• Ideally, you should get a 2^N search space...
• Zhang et al. show that the IS-95 long code of 42 bits can be cracked by capturing 42 frames and solving 42 linear equations
• Break takes approximately 840 ms.
• What is the security implication?
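
Why a linearly generated code falls short of a 2^N search space, as an added illustration (not from the lecture or from Zhang et al.). It assumes a generator in which each output bit is the XOR of the register bits selected by a secret mask; the 16-bit register, taps, seed and mask are constructed toy values, not IS-95 parameters.

```python
# Toy model with constructed values (NOT IS-95 parameters): a 16-bit LFSR whose
# state sequence is public, and a secret mask that selects which state bits are
# XORed together to form each output bit.
N = 16
TAPS = (0, 2, 3, 5)      # constructed taps, maximal-length for 16 bits

def lfsr_states(seed, count):
    """Return `count` successive N-bit register states starting at `seed`."""
    states, state = [], seed
    for _ in range(count):
        states.append(state)
        feedback = 0
        for t in TAPS:
            feedback ^= (state >> t) & 1
        state = (state >> 1) | (feedback << (N - 1))
    return states

def output_bits(mask, states):
    """Bit k is the GF(2) inner product <mask, state_k>: linear in the mask."""
    return [bin(mask & s).count("1") & 1 for s in states]

def recover_mask(states, bits):
    """Solve <mask, state_k> = bit_k over GF(2) by Gauss-Jordan elimination.
    Returns the mask, or None when the observations leave it undetermined."""
    rows = [(s << 1) | b for s, b in zip(states, bits)]   # coefficients | rhs
    for col in range(N):
        bit = 1 << (col + 1)
        pivot = next((i for i in range(col, len(rows)) if rows[i] & bit), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i] & bit:
                rows[i] ^= rows[col]
    return sum((rows[col] & 1) << col for col in range(N))

SECRET_MASK = 0xBEEF                      # constructed secret
states = lfsr_states(0xACE1, N)           # constructed, publicly known seed
observed = output_bits(SECRET_MASK, states)
recovered = recover_mask(states, observed)
print(f"{N} observed bits -> mask {recovered:#06x}; "
      f"brute force would need up to {2**N} guesses")
```

N observed bits give N linear equations in N unknowns, so the work grows polynomially in N rather than as 2^N; spreading with a linear code is therefore not a substitute for encryption.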


Universal Mobile Telecommunications System: UMTS

• Specifications:
  • Frequencies: 700, 850, 900, 1700, 1900, 2100 MHz (5 MHz channels) worldwide; FDD
  • Chipping codes: up to 512 bits
  • Power control: up to 1500x per second
  • Time division: 10 ms frames, 1 frame = 15 time slots
• Borrows extensively from GSM protocols
• Major changes:
  • CDMA Technology: Channel structure/handoffs/power control
  • Security -- increased use of cryptographic constructions
  • Data infrastructure


Entities: New names, old faces

• UE = User Equipment
• Node-B
• RNC = Radio Network Controller

[Figure: GSM elements (MS, BTS, BSC) alongside UMTS elements (UE, Node-B, RNC)]


Channels: Old & New

[Figure: channel names compared]
GSM: BCCH, PCH, AGCH, SDCCH, TCH, RACH, SCH, CCCH
UMTS: BCCH, PCH, AICH, DCCH, DTCH, RACH, SCH, CCCH


Channel Types

• Logical: defines a logical task or use in the network
• Transport: defines the way logical data is prepared
• Physical: defines the actual channel (i.e. chipping code) used to transmit data


Logical Channels

• Broadcast Control Channel (BCCH): Provides common information about the cell to UEs.
• Paging Control Channel (PCCH): Provides information about incoming calls and how to listen for them.
• Dedicated Control Channel (DCCH): A two-way assigned channel that carries control information to and from a single UE.
• Common Control Channel (CCCH): A two-way shared channel that carries control information.
• Dedicated Traffic Channel (DTCH): A two-way assigned channel that carries traffic to and from a single UE.


Transport Channels

• Dedicated Transport Channel (DCH): Carries data to and from a specific UE
• Broadcast Channel (BCH): Broadcasts network and cell information
• Forward Access Channel (FACH): Carries control information to UEs for shared channels.
• Random Access Channel (RACH): Carries channel requests to the network from the UE.
• Paging Channel (PCH): Carries incoming call alerts.
• Uplink Common Packet Channel (CPCH): Carries packet data to the network.
• Downlink Shared Channel (DSCH): Carries packet data to the UE.


Physical Channels: Signaling

• Forward (to UE):
  • Primary Common Control Physical Channel (PCCPCH): Carries the BCH
  • Secondary Common Control Physical Channel (SCCPCH): Carries the FACH and the PCH
  • Synchronization Channel (SCH): Synchronizes time with the network
  • Common Pilot Channel (CPICH): Informs the user of the Primary Scrambling Code (PSC)
  • Acquisition Indicator Channel (AICH): Used to carry dedicated channel assignments to UEs
  • Paging Indication Channel (PICH): Provides the UE with information about how pages are sent. This informs the UE how often to wake up and listen for pages.
• Reverse (to Node-B):
  • Physical Random Access Channel (PRACH): Carries the RACH


Physical Channels: Traffic

• Bi-Directional:
  • Dedicated Physical Data Channel (DPDCH): Carries a DCH
  • Dedicated Physical Control Channel (DPCCH): Carries control information (e.g., identifiers, power control)
• Forward (to UE):
  • Physical Downlink Shared Channel (PDSCH): Carries packet data to a UE.
  • CPCH Status Indication Channel (CSICH): Indicates the status of the CPCH
  • Collision Detection/Channel Assignment Indication Channel (CD/CA-ICH): Indicates if data sent over the CPCH has been successfully received or if a collision occurred.
• Reverse (to Node-B):
  • Physical Common Packet Channel (PCPCH): Carries the CPCH


How a connection is made

• SCH
• CPICH
• PCCPCH

[Figure: message sequence between Node-B and UE: Synchronize Time (SCH); Acquire PSC (CPICH); Acquire cell information (PCCPCH)]


How a call is sent/received

• DPDCH (DCCH & DTCH) + DPCCH

[Figure: message sequence between Node-B and UE: Page sent over PCH (SCCPCH); Page response over RACH (PRACH); Chipping & scrambling code assigned (AICH); Authentication over DCCH (DPDCH + DPCCH); Call connect over DTCH (DPDCH + DPCCH)]


Mappings

• Source: http://www.authorstream.com/Presentation/3627946-387767-wcdma-air-interface-fundamentals-science-technology-ppt-powerpoint/


Spreading Codes

• Orthogonal Variable Spreading Factor (OVSF) vs scrambling codes
  • OVSF codes are typical chipping/spreading codes
  • Scrambling codes can be multiplied into OVSF codes to provide more user channels
• Long vs. short codes
  • Uplink: code lengths up to 256 (+ 16.8 M scrambling codes)
  • Downlink: code lengths up to 512
  • Why are these numbers different?


Power Control

• CDMA provides optimal performance when all signals are received at approximately the same strength.
• When a DTCH is assigned, the Node-B sends reports of the RSS (received signal strength) to the UE, alerting it at what power to transmit.
• Power control commands sent up to 1500 times per second


Handoffs

• 4 types: hard, soft, softer, network (2G 3G)
• Soft handoff overview:
  • Frequency reuse = 1
  • UE will receive signal from multiple Node-Bs.
  • Extract signals of old and new tower simultaneously using different chipping codes.
  • Remain connected to old Node-B until re-registered with new Node-B
