Wireless networks Philippe Jacquet INRIA Ecole Polytechnique France


Post on 26-Dec-2015


Wireless networks

Philippe Jacquet

INRIA

Ecole Polytechnique

France

Mobile phones

GSM network

• « 1 km in the air, 1000 km in wires »

• BTS: Base station Transceiver System
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• VLR: Visitor Location Register
• HLR: Home Location Register

[Figure labels: mobile, BTS, BSC, MSC, VLR, HLR, fixed networks]

Wireless interface

• Uplink frequencies, downlink frequencies

• Each frequency divided in eight periodic slots (channels)

• One signalling channel + seven voice channels.

Wireless interface

• Frequency organisation

Midamble: training sequence

Burst = packet

Slot organisation

Urban coverage

Security in GSM

• Authentication: high level security
– Impossibility of account parameter hijacking is contractual
• Encryption: low level security
– Possibility of eavesdropping by government agencies

SIM chip: contains all security

• Subscriber Identity Module
– Subscriber identifier IMSI
– PIN code
– Key Ki for authentication
– last dialed numbers and areas

Security GSM Algorithms

• Algorithm A3 for authentication based on Ki key.
– Ki 128 bits deposited in SIM, is known by operator
• Algorithm A8 to create an encryption Kc key
• Algorithm A5 for voice encryption from Kc.

on mobile terminal

• On request, the network sends a 128-bit random number RAND.
• SRES=A3(RAND,Ki) 32 bits
– Ki impossible to get from SRES and RAND
• Kc=A8(RAND,Ki) 64 bits
– Ki impossible to get from Kc and RAND
• code=A5(Kc,info)
– Kc easy to get from clear 64 bits on air
– breakable in less than 2 minutes on regular PC.

Authentication

• Operator sends a number RAND
• Operator and mobile terminal separately compute SRES
– Mobile sends SRES to operator
• If both SRES are identical, then user is authenticated

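Authentication

[Figure: exchange between SIM and VLR. RAND is sent to the SIM; both sides hold Ki and compute SRES=A3(RAND,Ki); the SIM returns SRES; the VLR tests equality ("test =") and the result is "accepted".]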

Encryption

• Mobile and operator compute Kc.

• Encrypt and decipher infos with same algorithm A5.
– Add 114 pseudo-random bits to each 114-bit data block
– Pseudo-random bits computed with Kc and info block number (algorithm A5).
– Brute force attack costs $2^{40}$
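The authentication and encryption slides above, traced end to end as an added example (not code from the slides). The real A3, A8 and A5 are not given on the slides, so HMAC-SHA256 is used as a labelled stand-in that only reproduces the sizes (128-bit RAND, 32-bit SRES, 64-bit Kc, 114-bit blocks); all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumption): the slides do not give A3, A8 or A5, so HMAC-SHA256 is
# used only to reproduce the message sizes and the data flow, not the real ciphers.
def a3(rand: bytes, ki: bytes) -> bytes:
    """SRES = A3(RAND, Ki): 32-bit response to the 128-bit challenge."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand: bytes, ki: bytes) -> bytes:
    """Kc = A8(RAND, Ki): 64-bit session key from the same inputs."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, block_no: int) -> int:
    """114 pseudo-random bits computed from Kc and the block number."""
    digest = hmac.new(kc, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - 114)

def a5_crypt(kc: bytes, block_no: int, block: int) -> int:
    """Add (XOR) the keystream to a 114-bit block; the same call decrypts."""
    if not 0 <= block < 1 << 114:
        raise ValueError("block must fit in 114 bits")
    return block ^ a5_keystream(kc, block_no)

def authenticate(sim_ki: bytes, operator_ki: bytes, rand: bytes = None):
    """One challenge-response round; returns (accepted, kc_mobile, kc_network)."""
    rand = rand or secrets.token_bytes(16)          # operator picks 128-bit RAND
    sres_mobile = a3(rand, sim_ki)                  # computed inside the SIM
    kc_mobile = a8(rand, sim_ki)                    # never sent over the air
    accepted = hmac.compare_digest(sres_mobile, a3(rand, operator_ki))
    kc_network = a8(rand, operator_ki) if accepted else None
    return accepted, kc_mobile, kc_network

if __name__ == "__main__":
    ki = secrets.token_bytes(16)                    # constructed 128-bit Ki
    ok, kc_m, kc_n = authenticate(ki, ki)
    voice = secrets.randbits(114)                   # constructed 114-bit block
    sent = a5_crypt(kc_m, 42, voice)
    print(ok, kc_m == kc_n, a5_crypt(kc_n, 42, sent) == voice)
```

Only RAND and SRES cross the air interface; Ki and Kc are computed independently on each side, which is why a SIM with the wrong Ki is rejected and gets no usable Kc.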

Data in voice: GPRS

• General Packet Radio System
– Enable GSM modem for internet connection
– Use idle slots on frequencies to send and receive data
– Charged on per volume basis (voice charged per duration)
• Require a protocol stack and a security level and « IP ».

GPRS Protocols

Additional elements in GSM for GPRS

• SGSN (Serving GPRS Support node)
• GGSN (Gateway GPRS Support node)
• A tunnel protocol GTP
• Specific authentication procedures

[Figure labels: mobile, BTS, BSC, MSC, VLR, HLR, SGSN, GGSN, fixed network, internet]

Authentication

• First: GSM authentication
• Second: GPRS authentication
• Creation of a network identifier for IP

Encryption

• Regular wireless encryption
– Unreliable but needs radio vicinity to break
• Require IP encryption
– SSH (Secure Shell)

GPRS encryption

WAP protocol

IPsec protocol

IPsec Encapsulating Security Payload (ESP)

IPsec Authentication Header transport mode

IPsec ESP-tunnel mode

UMTS and CDMA

• UMTS is the next generation mobile phone
– 3G, (GSM=2G)
– Based on CDMA/TDMA

Frame=10ms
Frame=12 slots of 0.666 ms each

UMTS and CDMA

• Slots are periodic
– Many users can use the same slot
– Sharing via code division

[Figure labels: frequencies (GSM), codes (UMTS)]

Code Division Multiple Access

• Equivalent to digital Fourier transform

$y(t) = x \times c(t)$

– $x$: slow symbol, contains info
– $c(t)$: fast code, separates transmitters

Code Division Multiple Access

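$y(t) = x_1 c_1(t) + x_2 c_2(t) + \cdots$

• Basic hypothesis

$\int c_i(\theta)\, c_j(\theta)\, d\theta = \delta_{ij}$

$\int c_i(\theta)\, c_j(\theta + t)\, d\theta \approx \delta_{ij}(t)$

• Data extraction

$x_i = \int y(\theta)\, c_i(\theta)\, d\theta$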

Code Division Multiple Access

• Advantages
– Many codes can be given to a single user
– Flexibility of use
– More bandwidth occupation
• Drawback:
– Sensitive to near-far effect
– Must equalize power
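The data-extraction formula and the near-far drawback above, worked in discrete form as an added example (not from the slides). It assumes length-8 Walsh codes as the orthogonal codes $c_i$ and models the second transmitter arriving one chip late; the function names and the choice of codes 4 and 6 are constructed for illustration.

```python
def walsh(n):
    """Rows of the n x n Hadamard matrix (n a power of two): orthogonal +/-1 codes."""
    rows = [[1]]
    while len(rows) < n:
        rows = [r + r for r in rows] + [r + [-v for v in r] for r in rows]
    return rows

def transmit(users):
    """y(t) = sum_i g_i x_i c_i(t - s_i); users = [(x, code, gain, chip_shift), ...]."""
    n = len(users[0][1])
    return [sum(g * x * c[(t - s) % n] for x, c, g, s in users) for t in range(n)]

def extract(y, code):
    """x_i = (1/N) sum_t y(t) c_i(t): discrete form of the extraction integral."""
    return sum(a * b for a, b in zip(y, code)) / len(code)

def near_far(gain):
    """User A (code 6) decodes while user B (code 4) arrives one chip late with
    amplitude `gain`; returns A's correlator output for a transmitted +1."""
    w = walsh(8)
    y = transmit([(+1, w[6], 1.0, 0), (+1, w[4], gain, 1)])
    return extract(y, w[6])

if __name__ == "__main__":
    w = walsh(8)
    # Synchronised transmitters: orthogonality holds and every symbol is exact.
    y = transmit([(+1, w[1], 1.0, 0), (-1, w[2], 1.0, 0), (+1, w[3], 1.0, 0)])
    print([extract(y, w[i]) for i in (1, 2, 3)])
    # Unsynchronised interferer: equal power keeps the sign, a near one flips it.
    print(near_far(1.0), near_far(10.0))
```

With equal power the correlator output drops from 1 to 0.5 but keeps its sign; with a ten times stronger interferer it becomes -4 and the symbol is decoded wrongly, which is why power must be equalized.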

CDMA in Wifi

• User modulates data on a code
– No code division
– Allows to fight inter-symbol fading

$y(t) = \alpha(t) * x\,c(t)$

$x\,\alpha(t) \approx \int c(\theta + t)\, y(\theta)\, d\theta$

Wave propagation

• Signal attenuation with distance

– P0 nominal power

– Isotropic medium=2 in vacuum

r

x

$y = \alpha x + \beta$

$\alpha = P_0 F(r)$

F(r) =1

Wave propagation

• Antenna variation

$F(r) = G(u)$, with $u = \vec{r} / r$

• Distance fading
– Non isotropic medium: $F(r) = H(r)$
– Rayleigh fading: $\log H(r)$ is gaussian

Wave propagation

• Inter-symbol fading
– diffraction on obstacles creates delayed echoes

[Figure: emitted signal $x(t)$, echoes, received signal]

$y(t) = \alpha * x(t) + \beta(t)$

Wave propagation

• Inter-symbol fading
– Attenuation is now a convolution

$\alpha * x(t) = \int_0^T \alpha(\theta)\, x(t - \theta)\, d\theta$

• T: most delayed echo
• Average fading is distance fading:

$\alpha = \int_0^T \alpha(\theta)\, d\theta = P_0 F(r)$

Inter-symbol fading

• The typical echo delay T increases with distance
• Depends on medium
– $T = 0$ in vacuum
– $T \propto r c^{-1}$ in 1D homogeneous medium
– $T \propto r c^{-1}$ in 2D homogeneous medium
– $T \propto (r c^{-1})^h$ with ½<h<1 in « fractal » medium
• Effect of inter-symbol fading
– Does not affect significantly Shannon capacity limit
– But: complicates the decoding when T is comparable to inter-symbol time (1/W)

Inter-symbol fading

• Example of fractal medium: urban area

[Figure: urban map with labels Central park, Church, North boulevard, South boulevard]

Complexity of signal processing

• Signal processing
– First level signal decoding
– Mainly digital
• Equalization
– Reverse the convolution fading

$\alpha^{-1} * y(t) = \int \alpha^{-1}(-\theta)\, y(t + \theta)\, d\theta = x(t)$

– With noise

$\alpha^{-1} * y(t) = x(t) + \alpha^{-1} * \beta(t)$

Complexity of signal processing

• Equalization
– Emission of a known training sequence x(t), received y(t)
– Knowledge of both x(t) and y(t) gives $\alpha(t)$ and $\alpha^{-1}(t)$ in theory.

– Discretized sampling with frequency

=1/

Complexity of signal processing

• Resolution of a linear system

$x\left(\frac{j}{\nu}\right) = \sum_{i}^{k} \alpha^{-1}\left(-\frac{i}{\nu}\right) y\left(\frac{j - i}{\nu}\right)$

• Of dimension $k > \nu T > WT$
– Resolution takes $k^2 = O(T^2 W^2)$ operations
– Must be repeated every time fading changes:
• If $T \propto r^h$, then the processing computing power is $O(r^{2h} W^2) = O(r^{2h} I^2)$

Complexity of signal processing

• In general a wireless interface is calibrated for
– A minimal SNR and a fixed capacity I
– A maximal signal processing power
• Therefore for a limit range R
– There exists a minimal nominal power P0.

Complexity of signal processing

• Diagram Capacity-Range

[Figure: capacity in bit/s versus range in m for GSM, UMTS, UMTS micro-cell, UMTS pico-cell, Wifi B (IEEE 802.11), Hiperlan 1&2 (IEEE 802.11a-g) and Bluetooth]

Error suppression

• Error detection via check sum
– Message = binary polynomial $\sum_k \mathrm{bit}(k)\, z^k$
– Check sum is the remainder of the division of the message polynomial by a known polynomial of degree 32.
– The check sum is then 32 bits
– The receiver compares with transmitted check sum (failed error detection probability $2^{-32}$)

[Figure: message followed by check sum]

Error suppression

• Two kinds of error suppression
– Forward Error Correction (FEC)
– Automatic Repeat Query (ARQ)

Error suppression

• FEC: forward error correction
– Addition of extra bits to message to help correction of corrupted blocks. E.g. sum of all blocks.
– Detection of corrupted blocks via local check sums.
– Matrix n×(n+r) has all n×n sub-matrices invertible
– Encoding rate = n/(n+r)

[Figure: Message and matrix (1 on the diagonal, (0) elsewhere) = Encoded Message]

Error suppression

• Data interleaving to spread error bursts

Error suppression

• ARQ: Automatic Repeat Query
– The receiver acknowledges correctly received blocks
– Emitter repeats non-acked blocks

Sent: 1 2 3 4 5 6 7 8, ACK: 1,2,5,7

Sent: 3 4 6 8, ACK: 4,8

Sent: 3 6, ACK: 3,6
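The check-sum slide and the ARQ slide combined in one added example (not from the slides): each block carries the remainder of its polynomial division by a degree-32 generator, the receiver acknowledges only blocks that verify, and the emitter repeats the rest. The generator 0x104C11DB7 (the IEEE 802.3 polynomial), the function names and the error schedule are assumptions chosen to reproduce the ACK sequence shown above.

```python
G = 0x104C11DB7  # degree-32 generator polynomial (assumed; the slide names none)

def poly_mod(value, gen=G):
    """Remainder of the binary polynomial `value` divided by `gen` over GF(2)."""
    deg = gen.bit_length() - 1
    while value.bit_length() > deg:
        value ^= gen << (value.bit_length() - 1 - deg)
    return value

def add_checksum(block: bytes) -> bytes:
    """Append the 32-bit remainder of block(z) * z^32 divided by G."""
    rem = poly_mod(int.from_bytes(block, "big") << 32)
    return block + rem.to_bytes(4, "big")

def intact(frame: bytes) -> bool:
    """Receiver test: message followed by its check sum is divisible by G."""
    return poly_mod(int.from_bytes(frame, "big")) == 0

def flip(frame: bytes, bit: int) -> bytes:
    """Constructed channel error: invert one bit of the frame."""
    out = bytearray(frame)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def arq_send(blocks, corrupt_plan):
    """corrupt_plan[r] = block numbers hit by an error in round r (constructed).
    Returns the ACK list of every round and the blocks as delivered."""
    pending = {n: add_checksum(b) for n, b in enumerate(blocks, start=1)}
    delivered, acks_per_round, rnd = {}, [], 0
    while pending:
        hit = corrupt_plan[rnd] if rnd < len(corrupt_plan) else set()
        acks = []
        for n, frame in sorted(pending.items()):
            rx = flip(frame, 5) if n in hit else frame   # the channel
            if intact(rx):                               # check sum verifies
                delivered[n] = rx[:-4]
                acks.append(n)
        for n in acks:                                   # emitter drops acked blocks
            del pending[n]
        acks_per_round.append(acks)
        rnd += 1
    return acks_per_round, [delivered[n] for n in sorted(delivered)]

if __name__ == "__main__":
    data = [bytes([n]) * 4 for n in range(1, 9)]         # constructed blocks 1..8
    print(arq_send(data, [{3, 4, 6, 8}, {3, 6}])[0])
```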