An Introduction to GSM


GSM introduction, architecture, security, etc.


  1. 1. SABU M. THAMPI
  2. 2. Top 15 Countries in Cellular Subscribers, Year-end 2005

         Rank  Country           Cellular Subscribers (#M)  Share %
         1     China             398                        19.3
         2     USA               202                        9.9
         3     Russia            115                        5.6
         4     Japan             95                         4.6
         5     Brazil            86                         4.1
         6     India             79                         3.8
         7     Germany           73                         3.5
         8     Italy             59                         2.9
         9     UK                58                         2.8
         10    France            47                         2.3
         11    Mexico            46                         2.2
         12    Turkey            40                         1.9
         13    Spain             39                         1.9
         14    South Korea       38                         1.8
         15    Indonesia         38                         1.8
               Top 15 Countries  1,414                      68.5
               Worldwide Total   2,065                      100
  3. 3. Today, it has come a long way and is now used by over a billion people, in over 200 countries, making it 70% of the world’s mobile phone market.
  4. 4. Map of the world showing GSM coverage
  5. 5.  GSM criteria –  Good subjective speech quality  Low terminal and service cost  Support for international roaming – one system for all of Europe  Ability to support handheld terminals  Support for range of new services and facilities  Enhanced Features  ISDN compatibility  Enhance privacy  Security against fraud
  6. 6.  Late 1980’s GSM work was transferred to the European Telecommunications Standards Institute (ETSI) and SMG (Special Mobile Group) was created  Document the functionality and interaction of every aspect of the GSM network  1987 ETSI oversees the creation of GSM MoU (Memorandum of Understanding) Association
  7. 7.  Formal objective of the GSM MoU Association is the promotion and evolution of the GSM systems and GSM platforms  Concepts of a published international standard and a constantly evolving common standard are unique to GSM  Work groups throughout the world specifically designed to allow interested parties to meet and work on finding solutions to systems enhancements that will fit into existing programs of GSM operators
  8. 8.  Phase I of GSM specifications was published in 1990  International demand was so great that the system name was changed from Groupe Special Mobile to Global System for Mobile Communications (still GSM)  Commercial service started in mid-1991  1992 first paying customers were signed up for service  By 1993 there were 36 GSM networks in 22 countries  Early 1994 there were 1.3 million subscribers worldwide  By 1996 there were more than 25 million subscribers worldwide  By October 1997 it had grown to more than 55 million subscribers worldwide
  9. 9. Transmission techniques  In frequency division multiple access (FDMA), we separate radio channels or calls by frequency, like the way broadcast radio stations are separated by frequency. One call per channel.  In time division multiple access (TDMA) we separate calls by time, one after another. Since calls are separated by time TDMA can put several calls on one channel.  In code division multiple access (CDMA) we separate calls by code, putting all the calls this time on a single channel.
  10. 10. Building Blocks  AMPS – Advanced Mobile Phone System  TACS – Total Access Communication System  NMT – Nordic Mobile Telephone System
  11. 11.  AMPS – Advanced Mobile Phone System  analog technology  used in North and South America and approximately 35 other countries  operates in the 800 MHz band using FDMA technology
  12. 12.  TACS – Total Access Communication System  variant of AMPS  deployed in a number of countries  primarily in the UK
  13. 13.  NMT – Nordic Mobile Telephone System  analog technology  deployed in Russia  operates in the 450 and 900 MHz band  first technology to offer international roaming – only within the Nordic countries
  14. 14. GSM System Architecture  Mobile Station (MS)  Mobile Equipment (ME)  Subscriber Identity Module (SIM)  Base Station Subsystem (BSS)  Base Transceiver Station (BTS)  Base Station Controller (BSC)  Network Subsystem  Mobile Switching Center (MSC)  Home Location Register (HLR)  Visitor Location Register (VLR)  Authentication Center (AUC)  Equipment Identity Register (EIR)
  15. 15.  A GSM network is divided into cells.  A group of cells is considered a location area.  A mobile phone in motion keeps the network informed about changes in the location area.  If the mobile moves from a cell in one location area to a cell in another location area, the mobile phone should perform a location area update to inform the network about the exact location of the mobile phone.
  16. 16. Cell  With cellular radio we use a simple hexagon to represent a complex object  the geographical area covered by cellular radio antennas are called cells.  Why a hexagon and not a circle to represent cells?  When showing a cellular system we want to depict an area totally covered by radio, without any gaps.  the circles leave gaps
  17. 17. The Mobile Station is made up of two entities: 1. Mobile Equipment (ME) 2. Subscriber Identity Module (SIM)
  18. 18. Mobile Equipment  Produced by many different manufacturers  Must obtain approval from the standardization body  Uniquely identified by an IMEI (International Mobile Equipment Identity)
  19. 19. Subscriber Identity Module (SIM)  Smart card containing the International Mobile Subscriber Identity (IMSI)  Allows user to send and receive calls and receive other subscribed services  Encoded network identification details  Protected by a password or PIN  Authentication key Ki  IMSI  PUK – Pin Unlocking Key  Can be moved from phone to phone – contains key information to activate the phone
  20. 20. Base Station Subsystem is composed of two parts that communicate across the standardized Abis interface allowing operation between components made by different suppliers 1. Base Transceiver Station (BTS) 2. Base Station Controller (BSC)  Functions of BSS  Radio resource control  Configuration of radio channels,  selection, allocation, deallocation of channels  Monitoring of radio channel busy/idle status  Encryption of radio interface
  21. 21. Base Transceiver Station (BTS)  Houses the radio transceivers that define a cell  Comprises all radio equipment (i.e. antennas, signal processing, amplifiers) necessary for radio transmission  Speech and data transmissions from the MS are recoded  Requirements for BTS: ruggedness, reliability, portability, minimum costs
  22. 22. Base Station Controller (BSC)  Manages Resources for one or more BTSs  Handles call set up  Location update  Handover for each MS  Paging of the MS
  23. 23. Mobile Switching Center (MSC)  Switch speech and data connections between: Base Station Controllers Mobile Switching Centers GSM-networks Other external networks  Heart of the network  The main jobs: 1. connects calls from sender to receiver 2. collects details of the calls made and received 3. supervises operation of the rest of the network component 4. Echo cancellation 5. Interrogation of appropriate registers 6. Manage connections to BSS, other MSCs and PSTN/ISDN
  24. 24.  Home Location Registers (HLR) - The HLR contains information relevant to mobile subscribers - Two types of information are stored in the HLR:  Subscription information  The identity code  Directory number allocated to the subscriber  The type of service(s) provided  Any related restrictions.  Location information  the address of the VLR in the area where the subscriber's MS is currently located  the address of the associated MSC.  The location information enables incoming calls to be routed to the MS.  When an MS moves from one VLR area to another, the location information in the HLR is updated with the new VLR and MSC addresses.  The VLR then creates a new entry for the MS, using subscription data copied from the HLR.
  25. 25.  Visitor Location Registers (VLR) - contains selected administrative information from the HLR - authenticates the user - tracks which customers have the phone on and ready to receive a call - periodically updates the database on which phones are turned on and ready to receive calls
  26. 26.  Authentication Center (AUC) - mainly used for security - data storage location and functional part of the network - Ki is the primary element  Equipment Identity Register (EIR) - Database that is used to track handsets using the IMEI (International Mobile Equipment Identity) - Made up of three sub-classes: The White List, The Black List and the Gray List - Optional database
  27. 27. Basic Features Provided by GSM  Call Waiting  - Notification of an incoming call while on the handset  Call Hold  - Put a caller on hold to take another call  Call Barring  - All calls, outgoing calls, or incoming calls  Call Forwarding  - Calls can be sent to various numbers defined by the user  Multi Party Call Conferencing  - Link multiple calls together
  28. 28. Full duplex communication example.  since the mobile unit and the base station both need circuitry to transmit on one frequency while receiving on another.  The two frequencies are paired and constitute a voice channel. Paths indicate direction of flow.
  29. 29. Advanced Features Provided by GSM  Calling Line ID  - incoming telephone number displayed  Alternate Line Service  - one for personal calls  - one for business calls  Closed User Group  - call by dialing last four numbers  Advice of Charge  - tally of actual costs of phone calls  Fax & Data  - Virtual Office / Professional Office  Roaming  - services and features can follow customer from market to market
  30. 30. Advantages of GSM  Crisper, cleaner quieter calls  Security against fraud and eavesdropping  International roaming capability in over 100 countries  Improved battery life  Efficient network design for less expensive system expansion  Efficient use of spectrum  Advanced features such as short messaging and caller ID  A wide variety of handsets and accessories  High stability mobile fax and data at up to 9600 baud  Ease of use with over the air activation, and all account information is held in a smart card which can be moved from handset to handset
  31. 31. SMS - also known as text messaging  Short Message Service (SMS) messages are 160 character text messages  sent using a SDCCH (slow speed data channel).  SMS delivery is a store-and-forward system  the message is sent to a Short Message Service Centre (SMSC), which then forwards them on to the destination mobile.  There is no provision in the GSM specification for diverting SMS messages
  32. 32. IMEI: *#06#
  33. 33. Logical and physical channels  GSM distinguishes between physical channels (the timeslot) and logical channels (the information carried by the physical channels).
  34. 34. GSM Radio Aspects  The uplink frequency band: 890-915 MHz  Downlink band: 935-960 MHz  Available 25MHz spectrum is partitioned into 24 carriers (Carrier spacing: 200KHz)  Each carrier in turn divided into 8 time slots (radio channels).
  35. 35. Traffic Channels (TCH)  Used to transmit user data (voice, fax)  Full rate TCH (TCH/F): data rate is 22.8 Kbit /s  Half rate TCH (TCH/H): 11.4 Kbit/s
  36. 36. Control Channels (CCH)  Used to control  medium access  Allocation of traffic channels  Mobility management  Three groups of CCH  BCCH – Broadcast control channel  BTS uses this channel to signal information to all MSs within a cell  Unidirectional channel (BTS to MS)  Broadcast information regarding the mobile’s serving cell as well as neighboring cell.  Continuously broadcasts in the downlink  BCCH includes  Frequency Correction Channel (FCCH) – accurate tuning to BS  Synchronization channel (SCCH) – Frame synchronization
  37. 37.  CCCH (Common Control Channel)  Used either for uplink or downlink communications  Paging (PCH) & Access Grant (AGCH) channels operate in the downlink direction  PCH – for paging a mobile  AGCH – to assign dedicated resources to the mobile  In the idle mode MS always listens to the paging channel for incoming calls  MS uses Random Access Channel (RACH) to send data to the BTS i.e. MS uses RACH to request access to the network.
  38. 38.  Dedicated Control Channel (DCCH)  Used for call set up and handoff i.e signalling between the network and the mobile.  SDCCH – Standalone dedicated control channel  SDCCH is used if MS has not established TCH with BTS  SDCCH for signaling – authentication, registration or other data needed for setting up a TCH  i.e provides reliable connection for signaling.  SACCH – Slow Associated Dedicated Control Channel  Used to exchange system information such as channel quality and signal power level.  FACCH – Fast Associated Dedicated Control Channel  To transfer handoff information during an active call
  39. 39. Interfaces  Um The air interface is used for exchanges between a MS and a BSS.  Abis This is a BSS internal interface linking the BSC and a BTS. The Abis interface allows control of radio frequency allocation in the BTS.  A The A interface is between the BSS and the MSC. The A interface manages the allocation of suitable radio resources to the MSs and mobility management.  B The B interface between the MSC and the VLR uses the MAP/B protocol. Most MSCs are associated with a VLR, making the B interface "internal". Whenever the MSC needs access to data regarding a MS located in its area, it interrogates the VLR using the MAP/B protocol over the B interface.  C The C interface is between the HLR and a GMSC or a SMS-G. Each call originating outside of GSM (i.e., a MS terminating call from the PSTN) has to go through a Gateway to obtain the routing information required to complete the call, and the MAP/C protocol over the C interface is used for this purpose. Also, the MSC may optionally forward billing information to the HLR after call clearing.
  40. 40.  D The D interface is between the VLR and HLR, and uses the MAP/D protocol to exchange the data related to the location of the MS and to the management of the subscriber.  E The E interface interconnects two MSCs. The E interface exchanges data related to handover between the anchor and relay MSCs using the MAP/E protocol.  F The F interface connects the MSC to the EIR, and uses the MAP/F protocol to verify the status of the IMEI that the MSC has retrieved from the MS.  G The G interface interconnects two VLRs of different MSCs and uses the MAP/G protocol to transfer subscriber information, during e.g. a location update procedure.  H The H interface is between the MSC and the SMS-G, and uses the MAP/H protocol to support the transfer of short messages.  I The I interface (not shown in Figure 1) is the interface between the MSC and the MS. Messages exchanged over the I interface are relayed transparently through the BSS.
  41. 41.  Layer 1 - Physical Layer  Handles radio-specific functions  Synchronization with the BTS  Detection of idle channels  Measurement of the channel quality on the downlink  Physical layer at Um interface performs encryption/decryption of data.
  42. 42.  Synchronisation  Includes the correction of the individual path delay between an MS and the BTS  All MSs within a cell use the same BTS  They must be synchronized to the BTS  BTS generates the time-structure of frames, i.e. an MS close to the BTS has a very short RTT, whereas an MS 35 km away has an RTT of 0.23 ms  BTS sends the current RTT to the MS, which then adjusts its access time so that all bursts reach the BTS within their limits.
  43. 43.  Layer 2  LAPDm - Link Access Protocol for D Channel  Reliable data transfer  Flow control  Reassembly of data  Acknowledged/ unacknowledged service
  44. 44. Layer 3 – Network Layer  Three sub layers  CM - The Communication (connection) Management (CM) layer is responsible for setting up calls at the users' request.  Its functions are divided in three:  Call control, which manages the circuit oriented services;  Supplementary services management, which allows modifications and checking of the supplementary services configuration;  Short Message Services, which provides point-to-point short message services.  MM - The Mobility Management (MM) layer is in charge of maintaining the location data, in addition to the authentication and ciphering procedures.  Provides functions necessary to support terminal registration, location updating, authentication  MM replaces IMSI with TMSI
  45. 45.  RR - The Radio Resource (RR) Management layer is in charge of establishing and maintaining a stable uninterrupted communications path between the MSC and MS over which signalling and user data can be conveyed.  Handovers are part of the RR layer's responsibility. Most of the functions are controlled by the BSC, BTS, and MS, though some are performed by the MSC (in particular for inter-MSC handovers).  RR manages logical channels, signal quality measurement, reporting and handoff  RR' - The RR' layer is the part of the RR functionality which is managed by the BTS.  Responsible for channel establishment and release  handoff,  paging  BTSM - The Base Transceiver Station Management (BTSM) is responsible for transferring the RR information (not provided for in the BTS by the RR' protocol) to the BSC.
  46. 46.  BSSAP - The Base Station System Application Part (BSSAP) is split into two parts, the BSSMAP and the DTAP (not shown in the above figure).  Messages which are not transparent to the BSC are carried by the Base Station System Management Application Part (BSSMAP), which supports all of the procedures between the MSC and the BSS that require interpretation and processing of information related to single calls, and resource management.  The messages between the MSC and MS which are transparent to the BSC (MM and CM messages) are catered for by the Direct Transfer Application Part (DTAP).  SS7 – Signalling System No.7  Signalling between an MSC and a BSC  Transfers all management information between MSCs, HLR, VLR, AUC, EIR and OMC.  SCCP - The Signalling Connection Control Part (SCCP) from SS7.  MTP - The Message Transport Part (MTP) of SS7.
  47. 47. Mobile Originated Call  A mobile user originates a call by keying in the called number and depressing the send key  The mobile transmits an access request on the uplink signaling channel  If the network can process the call, the BS sends a speech channel allocation message.  MS locks the designated speech channel allocated to that cell  Network proceeds to setup the connection to the called party  A terminal updation procedure may also be invoked to ensure that the terminal originating the call is a legitimate terminal.
  48. 48. Mobile Terminated Call  The network establishes the current location area for the called mobile through signaling between HLR and VLR.  The call is routed to the current serving MSC  The serving MSC initiates a paging message over the downlink signaling channel toward cells contained in the appropriate paging area.  If the mobile is turned on, it receives the page and sends a page response to its nearest BS on the signaling channel.  The BS sends a speech channel allocation message to the mobile station and informs the network so that the two halves of the connection can be completed.
  49. 49. Location Update  MS monitors the information broadcast by the network on the signaling channel and updates the operating parameters as necessary.  Also checks the location information (location area identity) broadcast by the new cell  GSM network identifies each cell via the cell global identity (CGI), Number assigned to each cell.  If it differs from the previous cell, the mobile advises the network of its new information  BS updates its location registers.
  50. 50. Inter – VLR  MS sends a location update request to the VLR (new) via the BSS and MSC  VLR sends a Location update message to the HLR serving the MS which includes the address of the VLR (new) and the IMSI of the MS  (this updating of the HLR is not required if the new LA is served by the same VLR as the old LA)  The service and security related data for the MS is downloaded to the new VLR.  The MS is sent an acknowledgment of successful location update  The HLR requests the old VLR to delete data relating to the relocated MS.
  51. 51. HANDOVER  Single cells do not cover the whole service area  The smaller the cell size and the faster the movement of a mobile station through the cells  More handovers of ongoing calls required.
  52. 52. Possible Handover Scenarios  Inter-cell, intra-BSC handover: MS moves from one cell to another, but stays within the control of the same BSC  Inter-BSC, intra-MSC handover: perform handovers between cells controlled by different BSCs  Inter-MSC handover: handover between two cells belonging to different MSCs
  53. 53. Between Calls  Every so often each mobile reports its position by sending a Location Update.  The mobiles decide when to do this, so that they don't all report in at once.  you may suddenly get old SMS messages when a Location Update occurs.  When the mobile is switched off, it signals a log-off (known as an IMSI Detach) to the network so that it won't try to search for a switched-off mobile.  It is possible that this doesn't happen (if switched off out of coverage, for example). In such a case, the network won't notice until the next scheduled Location Update has been missed.
  54. 54. During a Call  When a call is in progress, during the time between sending and receiving data, the handset monitors the signal it gets from the 16 nearby cells listed in the current cell's Neighbour List  every second it reports the signal level of the best six of them to the BSC, using a Slow Access Control Channel (SACCH).  the idea is to switch to the cell with the best signal to economize on power in the mobile  The decision to switch to another cell can be made by the mobile or by the BTS: the latter usually because it is getting too busy.  Occasionally, the handoff fails, and the mobile has to start again, scanning for a network for a fresh start. This can happen when unusual signal propagation has led it to register on a far distant cell, over the hilltops, which has a neighbour list of cells nowhere near the mobile!
  55. 55. Inter- MSC handoff  BSC A informs MSC A that MS needs handover from BTS A to BTS B  MSC A informs MSC B that a handover from BTS A to BTS B is underway  MSC A commands BSC A/ BTS A to proceed with handover to BTS B  MS informs BTS B that it is on specified channel on BTS B  BTS B informs BSC A/ MSC A that handover is complete  MSC B informs MSC A that handover to BTS B is complete.
  56. 56. Security  To protect the network against unauthorised access  To protect the privacy of the mobile subscribers against eavesdropping  Security with SIM –PIN, PUK  IMSI, TMSI – MS  EIR  AUTHENTICATION KEY Ki  Authentication algorithm A3  Cipher key generation algorithm A8  Encryption algorithm A5 – programmed into MS  IMSI and Ki are specific to each MS  A3 and A8 can be different for network operators  A5 is unique
  57. 57. Distribution of Security Features in the GSM Network
  58. 58. Ciphering Key Generation Mechanism  [Figure: Ki and A8, each shown twice in the diagram]  MS uses its Kc to cipher the radio path using encryption algorithm A5
  59. 59.
       1. At terminal location update, VLR sends IMSI to the HLR
       2. HLR returns security triplets – RAND, SRES, Kc – to the VLR
       3. For authentication and ciphering key, VLR sends RAND to the MS
       4. Using stored A3 algorithm and secret key Ki stored in the SIM, and RAND provided by the VLR, the MS calculates the SRES and returns it to the VLR.
       5. Using the A8 algorithm and Ki, MS also calculates the cipher key Kc
       6. If the SRES returned by the MS matches with the stored SRES in the VLR, the VLR sends the cipher key Kc to the BTS which uses Kc for ciphering the radio path
  60. 60. GSM Authentication Mechanism
  61. 61. How incoming calls are handled when a GSM mobile is roaming on another network  Roaming allows a GSM phone user to make and receive calls using any other GSM network.  phone number remains the same  When your phone registers on the foreign network, the local VLR tells your home HLR where you are.  HLR gets the AuC to pass a seed number and response pair to the roamed-to network, which then uses it to authenticate your mobile account identity.  Once that is done, the HLR records which VLR your phone is in, and so any incoming calls are passed to it.
  62. 62.  Choosing a Foreign Network When you take a GSM mobile phone to another country, the handset will try to find its home network, and will probably fail. It will then scan for all the networks it can detect, and then decide which to use. Normally, this decision is left to the handset with the "Automatic" setting, but users can select a particular network.
  63. 63. Preferred list  The handset will choose one of the networks listed in the SIM card's preferred list, if a network listed offers sufficient signal.  Failing that, it will select any of the networks available, provided that it is giving a strong enough signal.  Handsets are supposed to treat all networks equally if the signal exceeds a certain threshold, but in practice, they seem to go for the strongest.  the signal seems strong at airports!
  64. 64. Making an outgoing call when roaming  The handset contacts the base station (BTS), asking for access.  The BTS passes the request back and it reaches your home network's HLR, which checks that your account is allowed roaming facilities.  The reply comes back, and your phone is permitted to register.  The VLR allocates your account a temporary phone number, but you never get to know what this is.
  65. 65.  GPRS is a packet based radio service  Advantages  Fast data transfer rate  Always on connection  Broad application support – web access, file transfers, multimedia , WAP  Security – RADIUS  Remote Authentication Dial In User Service
  67. 67.  SGSN – Serving GPRS Support Node  Responsible for tracking the state of the mobile station and its movements.  Handles the data connection between the mobile device and the network.  Gateway GPRS Support Node – GGSN  Handles the link between the GPRS network and the other data networks.  Each of those networks is given an Access Point Name (APN).
  68. 68.  GPRS Attachment  MS registers with SGSN  Network checks if the user is authorised  Copies the user profile from the HLR to the SGSN  Assigns a packet temporary mobile subscriber identity (PTMSI) to the user  Disconnection – GPRS detach  Detach is initiated by either MS or network
  69. 69.  Session Management  MS applies for one or more addresses used in the PDN (IP address)  For each session a PDP context is created  PDP address is assigned to the MS  PDP context contains IP, address of GGSN  Context is stored in the MS, SGSN and GGSN.  Now MS is able to send and receive packets  Mapping between PDP and IMSI enables GGSN to transfer data packets between PDN and MS.
  70. 70. Enhanced Data rates for GSM Evolution (EDGE) or Enhanced GPRS (EGPRS)  allows for increased data transmission rate and improved data transmission reliability.  classified as a 2.75G network technology.  EDGE has been introduced into GSM networks around the world since 2003, initially in North America.  It can be used for any packet switched applications such as an Internet connection.  High-speed data applications such as video services and other multimedia benefit from EGPRS' increased data capacity.  EDGE requires no hardware changes to be made in GSM core networks, but base stations must be modified.  EDGE compatible transceiver units must be installed and the base station subsystem (BSS) needs to be upgraded to support EDGE.
  71. 71.  3G – WCDMA (UMTS) – Wideband CDMA  CDMA2000  3.5G – HSDPA (High speed downlink packet access) – 2 Mbits/s  3.75G – HSUPA (High speed uplink packet access) – 5.76 Mbits/s  4G – WiMax also known as 3G AND BEYOND – allows smooth video transmission – 20 Mbits/s
  72. 72.  GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world.  GSM uses a variation of Time Division Multiple Access (TDMA) and is the most widely used of the three digital wireless telephone technologies (TDMA, GSM, and CDMA).  GSM operates in the 900 MHz, 1800 MHz, or 1900 MHz frequency bands.  GSM is the de facto wireless telephone standard in Europe.  GSM has over one billion users worldwide and is available in 190 countries.  Users can often continue to use their mobile phones when they travel to other countries.  GSM together with other technologies is part of an evolution of wireless mobile telecommunication that includes High-Speed Circuit-Switched Data (HSCSD), General Packet Radio System (GPRS), Enhanced Data GSM Environment (EDGE), and Universal Mobile Telecommunications Service (UMTS).
  73. 73. THANK YOU
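
The triplet procedure from slides 56 to 60 (RAND, SRES, Kc), as an added Python example that is not part of the original slides. A3 and A8 are operator-specific and not given in the deck, so truncated HMAC-SHA256 stands in for them; the class names, IMSI and Ki are constructed for illustration, and the field sizes are the standard GSM ones.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Standard GSM sizes (not stated in the slides): 128-bit RAND,
# 32-bit SRES, 64-bit Kc. Ki is 128 bits.
RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: (Ki, RAND) -> SRES. Assumption, not real A3."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A8: (Ki, RAND) -> Kc. Assumption, not real A8."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes


class HomeNetwork:
    """HLR/AuC: besides the SIM, the only place where Ki is stored."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Triplet:
        # Step 2: the HLR returns (RAND, SRES, Kc); Ki itself is never sent.
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(RAND_LEN)
        return Triplet(rand, a3(ki, rand), a8(ki, rand))


class Sim:
    """SIM card: holds IMSI and Ki, exposes only the A3/A8 results."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        # Steps 4 and 5: SRES goes back to the network, Kc stays in the MS.
        return a3(self._ki, rand), a8(self._ki, rand)


class Vlr:
    """Serving-network register: sees triplets, never Ki."""

    def __init__(self, home: HomeNetwork):
        self._home = home
        self._pending = {}

    def challenge(self, imsi: str) -> bytes:
        # Steps 1 to 3: send IMSI to the HLR, keep the triplet, send RAND to the MS.
        self._pending[imsi] = self._home.triplet(imsi)
        return self._pending[imsi].rand

    def verify(self, imsi: str, sres: bytes):
        # Step 6: on a match, return Kc for the BTS. The triplet is consumed
        # so a response cannot be checked twice against the same challenge.
        triplet = self._pending.pop(imsi, None)
        if triplet is None or not hmac.compare_digest(triplet.sres, sres):
            return None
        return triplet.kc


def location_update(sim: Sim, vlr: Vlr):
    """Run one challenge-response; returns (accepted, Kc at MS, Kc at BTS)."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)
    kc_bts = vlr.verify(sim.imsi, sres)
    return kc_bts is not None, kc_ms, kc_bts


def demo():
    imsi = "001010000000001"                                   # constructed test IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed Ki
    home = HomeNetwork()
    home.provision(imsi, ki)
    vlr = Vlr(home)
    genuine = location_update(Sim(imsi, ki), vlr)
    wrong_ki = location_update(Sim(imsi, bytes(16)), vlr)      # same IMSI, different Ki
    return genuine, wrong_ki


if __name__ == "__main__":
    for label, (ok, kc_ms, kc_bts) in zip(("genuine SIM", "wrong Ki"), demo()):
        print(label, "accepted" if ok else "rejected",
              "Kc match" if kc_ms == kc_bts else "no shared Kc")
```

With the genuine SIM, both ends derive the same Kc without Ki or Kc ever crossing the radio path; a SIM presenting the same IMSI with a different Ki is rejected and no Kc reaches the BTS.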