  1. 1. Mobility Management, Call Routing & Security
  2. 2. • Mobility Management • Routing Calls to Mobile Stations • Confidentiality and Security • Detailed Location Registration Scenario
  3. 3. Objectives At the end of this unit, you should be able to: • Explain why the mobile registration process is necessary • Describe how a call is automatically routed from PSTN to a mobile station • Explain why mobile authentication is necessary and how it works • Describe the various phases of mobile registration and the location updating process
  4. 4. Unit 3 Section 1 Mobility Management
  5. 5. Where is the Mobile Station? United Kingdom GSA PSTN Benelux GSA GPA 2 Belgium GPA 1 UK GPA 3 Netherlands
  6. 6. Location Areas and Cell Areas GPA Location Area 1 Location Area 3 Location Area 2 Cell Area
  7. 7. Location Areas and Cell Areas
      Cell Global Identification Number: MCC | MNC | LAC | CI
      Location Area Identification (LAI): MCC | MNC | LAC
      Acronyms
      • MCC - Mobile Country Code (same as in the IMSI) – 3 digits.
      • MNC - Mobile Network Code (same as in the IMSI) – 2 digits.
      • LAC - Location Area Code, used to identify a location area within a GSM PLMN – 2 octets.
      • LAI - Location Area Identification
      • CI - Cell Identity – 2 octets.
  8. 8. Location Areas and Base Station Systems PSTN MSC BSC 1 BSC 1 BTS Location BTS BTS Area 2 BTS BTS Location Area 1
  9. 9. MSC Areas and Location Areas GPA To PSTN MSC 1 MSC 2 MSC MSC Area 1 Area 2 Location Location Area 3 Area 1 Cell Cell Area Area Location Location Area 4 Cell Cell Area 2 Area Area
  10. 10. Network Operation - Examples Mobile Powers On/IMSI Attach Location Updating Mobile Powers Off/IMSI Detach Idle Mode Measurements BTS Mobile Makes a Call BTS Mobile Receives a Call BSC Measurements during a Call Handover MSC BSC MS
  11. 11. Registration and IMSI Attach HLR MSC VLR BSC
  12. 12. Radio Criterion
      C1 = (Received Level Average - p1) - (p2 - Maximum Power of Mobile)
      • C1 must be greater than 0 for a cell to be used
      • p1 and p2 are supplied by the BS
      • p1 specifies the minimum receive level
      • p2 specifies the maximum mobile transmit level
      • All quantities are measured in dB
  13. 13. Registration Sequence. Source: An Introduction to GSM, Redl, Weber and Oliphant
  14. 14. Types of Location Registration • GEOGRAPHIC Based • TIME Based • ON/OFF Based
  15. 15. Time-Based Registration TIMER MANAGEMENT: • Timer is reset when mobile station activity has taken place. • Mobile Station initiates location updating when timer expires. • Mobile station timer value is kept in memory when turned off.
  16. 16. On/Off-Based Registration • IMSI Attach - mobile power-up = attach - mobile power-up causes a registration • IMSI Detach - mobile power-down = detach - mobile power-down causes a deregistration
  17. 17. Paging a Mobile Station Location Area BSS BSS Mobile Switching Centre DN DN - Location Area Mobile Station PSTN - Mobile ID BSS BSS BSS Location Area
  18. 18. Mobile Station Identification [Diagram labels: International Mobile Subscriber Identity (IMSI); Mobile Station ISDN Number (MSISDN); Smart Card (SIM); International Mobile Equipment Identity (IMEI); Temporary Mobile Subscriber Identity (TMSI); "Jane Doe"; "Mike = Jane Doe"]
  19. 19. Mobile Station Identification Numbers Used in GSM
      International Mobile Equipment Identity (IMEI)
      • Uniquely identifies mobile station equipment
      • Burnt in by the equipment manufacturer
      IMEI (15 digits): TAC | FAC | SNR | SP
      • TAC – Type Approval Code (6 digits)
      • FAC – Final Assembly Code (2 digits)
      • SNR – Serial Number (6 digits)
      • SP – Spare (1 digit)
      International Mobile Subscriber Identity (IMSI)
      • IMSI is assigned to a MS at subscription time
      • IMSI uniquely identifies a given MS
      • IMSI is transmitted over the radio path only when necessary
      IMSI (15 digits): MCC | MNC | MSIN (the NMSI spans MNC and MSIN)
      • MCC – Mobile Country Code [3 digits] (home country)
      • MNC – Mobile Network Code [2 digits] (home GSM PLMN)
      • MSIN – Mobile Subscriber Identification Number (10 digits)
      • NMSI – National Mobile Subscriber Identity
      Temporary Mobile Subscriber Identity (TMSI)
      TMSI (32 bits max)
      • TMSI is assigned to a MS by the VLR
      • TMSI uniquely identifies a MS within the area controlled by a given VLR
  20. 20. Country Codes Used in Mobile Identities (Partial List of Codes)
      Country          Country Code (CC),       Mobile Country Code (MCC),
                       used in land network     used in GSM network
      United Kingdom   44                       234, 235
      Spain            34                       214
      France           33                       208
      Finland          358                      244
      Sweden           46                       240
      Italy            39                       222
      Ireland          354                      272
      United States    1                        310 – 316
      Australia        61                       505
      Japan            81                       440, 441
      Kuwait           965                      419
  21. 21. Mobile Station Mobile Equipment Plug-In SIM Card Type SIM IC Card Type SIM Mobile Station = Mobile Equipment + Subscriber Identity Module (SIM)
  22. 22. Subscriber Identity Module (SIM) - Continued Contains: • International Mobile Subscriber Identity (IMSI) • Authentication key (Ki) • Personal Identification Number (PIN) • Subscriber information • Access control class • Cipher key (Kc)* • Temporary Mobile Station Identification (TMSI)* • Additional GSM services* • Location Area Identity (LAI)* • Forbidden Public Land Mobile Numbers (PLMNs)* *Updateable by network
  23. 23. Subscriber Identity Module (SIM) Hardware Spec • Highly Secure Processor • Contact Type - Smart Card • Communication via serial IO • Data Rate 1MHz • Contains ROM, RAM and EPROM
  24. 24. SIM Security Functions • PIN code to unlock the mobile station. • After 3 wrong attempts at the PIN, the SIM is blocked. • The SIM may be unblocked with the PIN Unblock Code (PUK). • After 10 attempts at the PUK, the SIM is permanently disabled. • A second PIN and second PUK are available in Phase 2 to support Closed User Groups and Fixed Dial Numbers. SIM and Phase 2+ • SIM Application Toolkit allows user applications (e.g. electronic banking) to be run on the SIM
  25. 25. Routing Calls Automatically To Mobile Stations
  26. 26. MSC Directory Number Allocation Trunks MSC Trunks Local Exchange PSTN MSC Directory Number Spectrum in MSC MSISDN Used to reference home subscribers MSRN Used to reference visiting subscribers
  27. 27. Home Location Register (HLR) Keys: • International Mobile Subscriber Identity (IMSI) • Mobile Subscriber ISDN Number (MSISDN) Contains: • International Mobile Subscriber Identity (IMSI) • Mobile Subscriber ISDN Number (MSISDN) • Permanent copy of subscriber data MSISDN • Mobile Station Roaming X - MSISDN - IMSI X - MSRN IMSI - Subscriber Data X
  28. 28. Visitor Location Register (VLR) Keys: • International Mobile Subscriber Identity (IMSI) • Temporary Mobile Subscriber Identity (TMSI) • Mobile Station Roaming Number (MSRN) Contains: • Mobile Station ISDN number (MSISDN) • International Mobile Subscriber Identity (IMSI) MSRN • Temporary Mobile Subscriber Identity (TMSI) X • Mobile Station Roaming Number (MSRN) • Location Area Code (LAC) of Mobile Station • Copy of subscriber data from HLR - MSISDN - IMSI IMSI - MSRN X X - LAC - TMSI - Subscriber Data TMSI X
  29. 29. Located Area, VLR, and HLR Relationship Home HLR SS7 Network VLR VLR VLR MSC MSC MSC MSC Area Area Area Area LA1 LA2 LA 3 LA 1 LA 2 LA1 System 1 System 2 System 3
  30. 30. Land to Mobile Call Routing Mobile Located in Non-Home MSC Area HLR MSISDN MSRN 3 4 BSS 1 Home MSISDN MSISDN MSC 1 2 BSS 2 PSTN MSRN TMSI TMSI 5 9 10 Visited BSS 1 MSRN MSC 6 7 8 BSS 2 MSRN TMSI & LAC Signalling VLR Voice Path
  31. 31. Land to Mobile Call Routing Mobile in Home MSC Area HLR MSISDN MSRN MSISDN TMSI BSS 1 TMSI MSISDN PSTN Home MSC BSS 2 MSRN TMSI & LAC VLR
  32. 32. Land to Mobile Call Routing Intelligent PSTN Routing BSS 1 Home MSC BSS 2 MSISDN MSISDN HLR PSTN MSRN MSISDN TMSI BSS 3 TMSI Visited MSC BSS 4 MSRN TMSI & LAC VLR
  33. 33. Land to Mobile Call Routing Routing Via a Gateway MSC BSS 1 Home MSC BSS 2 MSISDN MSISDN HLR PSTN Gateway MSRN MSC TMSI BSS 1 MSISDN TMSI MSRN Visited MSC BSS 2 MSRN TMSI & LAC Signalling Voice Path VLR
  34. 34. Dynamic Allocation of MSRN Visited GSM system Home GSM system Landline network Home VLR HLR MSC PSTN Mobile Registers Update Location. No MSRN, use LMSI Subscriber Data Incoming Call Need MSRN Get Route For LMSI MSRN MSRN Incoming Call Need MSRN Get Route For LMSI MSRN MSRN
  35. 35. GSM Confidentiality and Security Mechanisms
  36. 36.
      • Use of a temporary mobile station identity (TMSI): The temporary mobile station identity that is sent is not the mobile station's true identity. Instead, an alias is used by the network so no calling pattern can be seen by an observer.
      • Encryption for information on the radio path: Encryption involves changing bits in a manner known only to the network and the mobile station. Encryption occurs only on the radio link portion of the call.
      • Mobile station authentication procedure: Used to grant access to an MS via the VLR. The same authentication key, stored in both the AUC and the MS, is used.
      • Mobile station equipment validation: Equipment validation is a process where the network can require the mobile station to transmit its equipment serial number so the network can check the equipment against the Valid list, Suspect list or Fraudulent list contained in the Equipment Identity Register (EIR).
  37. 37. Authentication Concept [Diagram: the Serving Network's Random Number Generator sends a Random Number to the Mobile Station; each side feeds the Random Number and its Secret Data into the Authentication Algorithm to produce an Authentication Response; the network compares the two responses (=?): Yes → Grant Access, No → Deny Access]
  38. 38. GSM Authentication Example [Diagram: Home System (AUC holding Ki, HLR); Visited System (VLR, MSC, BSS); Mobile Station (MS) holding Ki]
      1. RAND, SRES sent to visited system’s VLR
      2. RAND transmitted to mobile
      3. SRES transmitted from mobile in response
  39. 39. Generating the Signed Response (SRES) and Cipher Key (Kc) [Diagram: in both the Home System's AUC and the Mobile Station, RAND and Ki are fed into A3 to produce SRES and into A8 to produce Kc; other labels: IMSI/TMSI, Random Number (RAND), 128 bits]
      • Ki - Individual subscriber authentication key (128 bits)
      • RAND - Random number (128 bits)
      • SRES - Signed response (32 bits)
      • Kc - Cipher Key (64 bits)
      • A3 - Authentication algorithm
      • A8 - Cipher Key generating algorithm
  40. 40. Authentication Process Network View AUC Home System Ki A3 & A8 RAND HLR Visited System RAND IMSI RAND Kc SRES SRES MS RAND, SRES Kc RAND, Kc RAND, SRES Kc VLR RAND, SRES Kc BSS RAND, SRES Kc SRES RAND, SRES Kc
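The challenge-response exchange from the authentication slides above, as an added example that is not part of the original deck. It assumes HMAC-SHA256 as a stand-in for the operator's A3/A8 algorithms; the class names and the IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    # Stand-in for the operator's A3/A8 (assumption: HMAC-SHA256, not a GSM algorithm).
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # SRES (32 bits), Kc (64 bits)

class AuC:
    """Home system: the only network element that stores Ki."""
    def __init__(self):
        self._ki = {}                        # IMSI -> Ki
    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)   # Ki, 128 bits
        return self._ki[imsi]                # copy written to the SIM
    def triplet(self, imsi):
        rand = secrets.token_bytes(16)       # fresh RAND, 128 bits
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc

class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)    # Kc stays on the mobile side
        return sres                          # only SRES is sent back

class Vlr:
    """Visited system: works from (RAND, SRES, Kc) and never sees Ki."""
    def __init__(self, auc):
        self.auc = auc
    def authenticate(self, sim):
        rand, expected, kc = self.auc.triplet(sim.imsi)
        sres = sim.respond(rand)
        # Grant access (and return Kc for ciphering) only if the responses match.
        return kc if hmac.compare_digest(sres, expected) else None

def demo():
    auc, imsi = AuC(), "234150000000001"     # constructed IMSI
    genuine = Sim(imsi, auc.provision(imsi))
    wrong_key = Sim(imsi, secrets.token_bytes(16))   # same IMSI, different Ki
    vlr = Vlr(auc)
    return vlr.authenticate(genuine), genuine.kc, vlr.authenticate(wrong_key)

if __name__ == "__main__":
    print(demo())
```

Because the visited system holds only triplets, a SIM presenting the right IMSI without the matching Ki is denied, and Ki itself never crosses the radio path or leaves the home system.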
  41. 41. Equipment Validation Process [Diagram: MS, MSC, EIR (IMEI check)] (1) Request IMEI (2) IMEI (3) CHECK IMEI (4) Response
  42. 42. Detailed Location Registration Scenario
  43. 43. Location Updating
  44. 44. Phases of a Location Update • 1) Request for Service • 2) Authentication* • 3) Update Location Registers • 4) Ciphering* • 5) TMSI Reallocation *Phase might not occur
  45. 45. Mobile Location Update: Request for Service
      Entities: MS, BSS, MSC, New VLR (interfaces: Um, A, B)
      (1) Channel Request (on RACH)
      (2) Dedicated Signalling Channel Assignment (on AGCH)
      (3) Location Update Request: TMSI, LAI (on SDCCH)
      (4) Location Update Request
      (5) Location Update Request
      (6) Request IMSI
      (7) Request IMSI
      (8) IMSI Acknowledge
      (9) IMSI Acknowledge
  46. 46. Mobile Location Update: Authentication
      Entities: MS, MSC, New VLR, HLR, AUC (interfaces: B, D)
      (10) Get Authentication Parameters: IMSI
      (11) Get Authentication Parameters: IMSI
      (12) Authentication Parameters: RAND, SRES, Kc
      (13) Authentication Parameters: RAND, SRES, Kc
      (14) Authenticate Mobile Station: RAND
      (15) Authenticate Mobile Station: RAND
      (16) Authenticate Response: SRES
      (17) Authenticate Response: SRES
  47. 47. Mobile Location Update: Update Location
      Entities: New VLR, HLR, Old VLR (interfaces: D, D)
      (18) Update Location: MSRN
      (19) Location Updated: Customer Profile
      (20) De-register Mobile Station
      (21) Mobile Station De-registered
  48. 48. Mobile Location Update: Ciphering
      Entities: MS, BSS, MSC, New VLR (interfaces: Um, A, B)
      (22) Set Ciphering: Kc
      (23) Encipher Command: Kc
      (24) Cipher Mode Command
      (25) Cipher Mode Complete
      (26) Encipher Complete
  49. 49. Mobile Location Update: TMSI Reallocation
      Entities: MS, BSS, MSC, New VLR (interfaces: Um, A, B)
      (27) Location Update Accept: new TMSI
      (28) Location Update Accept: new TMSI
      (29) Location Update Complete
      (30) Clear Signalling Connection
      (31) Release Radio Signalling Channel
      (32) Clear Complete