Global System for Mobile Communication (GSM)-II

Upload: ali-ahmad

Post on 08-Aug-2018


  • 8/22/2019 Global System for Mobile Communication (GSM)-II


    Global System for Mobile Communication (GSM)

    Muhammad Ali Raza Anjum

    Part II


    The Network Switching Subsystem

    The NSS plays the central part in every mobile network.

    While the BSS provides the radio access for the MS, the various network elements within the NSS assume responsibility for the complete set of control and database functions required to set up call connections using one or more of these features:

    encryption,

    authentication, and

    roaming.


    The Network Switching Subsystem

    To satisfy those tasks, the NSS consists of the following:

    MSC (mobile switching center);

    HLR (home location register)/authentication center (AuC);

    VLR (visitor location register);

    EIR (equipment identity register).

    The subsystems are interconnected directly or indirectly via the worldwide SS7 network.

    The network topology of the NSS is more flexible than the hierarchical structure of the BSS.

    Several MSCs may, for example, use one common VLR;

    The use of an EIR is optional, and the required number of subscribers determines the required number of HLRs.


    The Network Switching Subsystem

    Figure 1 The NSS.


    The Network Switching Subsystem

    The figure on the previous slide provides an overview of the interfaces between the different network elements in the NSS.

    Note that most interfaces are virtual, that is, they are defined as reference points for signaling between the network elements.


    Home Location Register and Authentication Center

    Every PLMN requires access to at least one HLR as a permanent store of data.

    The concept is illustrated in the figure on the next slide.

    The HLR can best be regarded as a large database with access times that must be kept as short as possible.

    The faster the response from the database, the faster the call can be connected.

    Such a database is capable of managing data for literally hundreds of thousands of subscribers.


    Home Location Register and Authentication Center

    Figure 2 Only the SIM and the HLR know the value of Ki.


    Home Location Register and Authentication Center

    Within the HLR, subscriber-specific parameters are maintained, such as the parameter Ki, which is part of security handling.

    It is never transmitted on any interface and is known only to the HLR and the SIM, as shown in Figure 2 on the last slide.

    Each subscriber is assigned to one specific HLR, which acts as a fixed reference point and where information on the current location of the user is stored.

    To reduce the load on the HLR, the VLR was introduced to support the HLR by handling many of the subscriber-related queries (e.g., localization and approval of features).


    Home Location Register and Authentication Center

    Because of the central function of the HLR and the sensitivity of the stored data, it is essential that every effort is taken to prevent outages of the HLR or the loss of subscriber data.

    The AuC is always implemented as an integral part of the HLR.

    The reason for this is that although GSM mentions the interface between the AuC and the HLR and has even assigned it a name, the H-interface, it was never specified in sufficient detail to be a standalone entity.

    The only major function assigned to the AuC is to calculate and provide the authentication-triplets,


    Home Location Register and Authentication Center

    That is, the signed response (SRES), the random number (RAND), and Kc.

    For each subscriber, up to five such triplets can be calculated at a time and sent to the HLR.

    The HLR, in turn, forwards the triplets to the VLR, which uses them as input parameters for authentication and ciphering.

    Here is the process:


    Home Location Register and Authentication Center

    Ciphering [GSM 03.20]: Used in GSM to encrypt data on the Air-interface between the mobile station and the BTS.

    Encryption applies only to the Air interface.

    Therefore, tapping of a call still is possible on the terrestrial part of the connection.

    Precondition for ciphering is successful authentication.

    The process of authentication and activation of ciphering is performed in the following steps:


    Home Location Register and Authentication Center

    o For each mobile station, the VLR stores up to five different authentication triplets. Such a triplet consists of SRES, RAND, and Kc, and was originally calculated and provided by the HLR/AuC.

    o At first, the MS sends a connection request to the network (e.g., LOC_UPD_REQ). Among others, this request contains the ciphering key sequence number (CKSN) and the mobile station classmark, which indicates what ciphering algorithms (A5/X) are available in the mobile station.


    Home Location Register and Authentication Center

    The NSS (more precisely, the VLR) examines the CKSN and decides whether authentication is necessary (see CKSN). Particularly to establish a second connection while another connection already exists (e.g., for a multiparty call), it is obvious that authentication is not required a second time during the same network access. A message is sent to the MS in case authentication is necessary. This DTAP message (AUTH_REQ) contains the random number, RAND, received from the HLR/AuC. The MS (more precisely, the SIM) uses the RAND and the value Ki as well as the algorithm A3 to calculate SRES (authentication procedure).


    Home Location Register and Authentication Center

    The MS sends the result of this calculation, the SRES, to the VLR. The VLR compares the SRES that the MS has sent with the one that the HLR/AuC had sent earlier. The authentication is successful if both values are identical.

    Immediately after calculating SRES, the MS uses RAND and Ki to calculate the ciphering key Kc via the algorithm A8.

    To activate ciphering, the VLR sends the value Kc that the AuC has calculated and a reference to the chosen A5/X algorithm via the MSC and the BSC to the BTS.


    Home Location Register and Authentication Center

    Figure 3 Calculation of SRES from Ki and RAND by use of A3.


    Home Location Register and Authentication Center

    Figure 4 Calculation of Kc from Ki and RAND by use of A8.


    Home Location Register and Authentication Center

    The BTS retrieves the cipher key Kc and the information about the required ciphering algorithm from the ENCR_CMD message and only forwards the information about the A5/X algorithm in a CIPH_MOD_CMD message to the MS. That message triggers the MS to enable ciphering of all outgoing data and deciphering of all incoming information. The MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message.

    The algorithm A5/X uses the current value of the frame number (FN) at the time tx together with the cipher key Kc as input parameters. The outputs of this operation are the so-called ciphering sequences, each 114 bits long, whereby one is needed for ciphering and the other one for deciphering.


    Home Location Register and Authentication Center

    The first ciphering sequence and the 114 bits of useful data of a burst are XORed to provide the encrypted 114 bits that are actually sent over the Air-interface. Note that the ciphering sequences are altered with every frame number, which in turn changes the encryption with every frame number.

    Deciphering takes place exactly the same way but in the opposite direction.


    Home Location Register and Authentication Center

    Figure 5 Functionality of ciphering of data.


    Home Location Register and Authentication Center

    Figure 6 Functionality of deciphering of data.
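
The authentication and ciphering steps described on the preceding slides, as an added sketch that is not part of the original slides. The real A3, A8 and A5/X algorithms are replaced here by HMAC-SHA256 and SHAKE-128 stand-ins, and the names `auc_triplets`, `Sim`, `vlr_authenticate`, `a5_sequences` and `cipher_burst` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-ins only (assumption): real A3/A8 are operator-chosen algorithms in the
# SIM and AuC, and real A5/X is a dedicated stream cipher. HMAC-SHA256 and
# SHAKE-128 are used purely so the message flow can be run.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # SRES, 32 bits

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # Kc, 64 bits

def auc_triplets(ki: bytes, count: int = 5) -> list:
    """HLR/AuC side: holds Ki and hands out (RAND, SRES, Kc) triplets."""
    out = []
    for _ in range(count):
        rand = secrets.token_bytes(16)                                # RAND, 128 bits
        out.append((rand, a3(ki, rand), a8(ki, rand)))
    return out

class Sim:
    """SIM side: holds Ki, answers a RAND with SRES and derives Kc."""
    def __init__(self, ki: bytes):
        self._ki = ki
    def challenge(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)

def vlr_authenticate(triplets: list, sim: Sim):
    """VLR side: consumes one triplet and never sees Ki. Returns (ok, Kc, MS Kc)."""
    rand, expected_sres, kc = triplets.pop(0)
    sres, kc_ms = sim.challenge(rand)                 # AUTH_REQ out, SRES back
    return hmac.compare_digest(sres, expected_sres), kc, kc_ms

def a5_sequences(kc: bytes, fn: int):
    """Two 114-bit ciphering sequences derived from Kc and frame number fn."""
    stream = hashlib.shake_128(kc + fn.to_bytes(4, "big")).digest(30)
    bits = int.from_bytes(stream, "big")
    mask = (1 << 114) - 1
    return (bits >> 114) & mask, bits & mask

def cipher_burst(data114: int, sequence: int) -> int:
    return data114 ^ sequence                         # XOR, same operation both ways

if __name__ == "__main__":
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed sample Ki
    triplets = auc_triplets(ki)
    ok, kc, kc_ms = vlr_authenticate(triplets, Sim(ki))
    seq_a, _ = a5_sequences(kc, fn=42)
    sent = cipher_burst(0x2A, seq_a)
    print(ok, kc == kc_ms, cipher_burst(sent, seq_a) == 0x2A)
```

A SIM holding a different Ki returns a non-matching SRES and derives a different Kc, so both the comparison in the VLR and any later deciphering fail.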


    Visitor Location Register

    The VLR, like the HLR, is a database.

    But its function differs from that of the HLR. While the HLR is responsible for more static functions, the VLR provides dynamic subscriber data management.

    Consider the example of a roaming subscriber.

    As the subscriber moves from one location to another, data are passed from the VLR of the location the subscriber is leaving (old VLR) to the VLR of the location being entered (new VLR).

    In this scenario, the old VLR hands over the related data to the new VLR.

    There are times when the new VLR has to request the subscriber's HLR for additional data.


    Visitor Location Register

    This question then arises: Does the HLR in GSM assume responsibility for the management of those subscribers currently in its geographic area?

    The answer is NO.

    Even if the subscriber happens to be in the home area, the VLR of that area handles the dynamic data.

    This illustrates another difference between the HLR and the VLR.

    The VLR is assigned a limited geographical area, while the HLR deals with tasks that are independent of a subscriber's location.


    Visitor Location Register

    The term "HLR area" has no significance in GSM, unless it refers to the whole PLMN.

    Typically, but not necessarily, a VLR is linked with a single MSC.

    The GSM standard allows, as the figure on the next slide illustrates, the association of one VLR with several MSCs.

    The initial intentions were to specify the MSC and the VLR as independent network elements.

    However, when the first GSM systems were put into service in 1991, numerous deficiencies in the protocol between the MSC and the VLR forced the manufacturers to implement proprietary solutions.


    Visitor Location Register

    Figure 7 The NSS hierarchy.


    Visitor Location Register

    That is the reason the interface between the MSC and the VLR, the B-interface, is not mentioned in the specifications of GSM Phase 2.

    GSM Recommendation 09.02 now provides only some basic guidelines on how to use that interface.

    The table on the next slide lists the most important data contained in the HLR and the VLR.


    The Mobile-Services Switching Center

    From a technical perspective, the MSC is just an ordinary Integrated Services Digital Network (ISDN) exchange with some modifications specifically required to handle the mobile application.

    That allows suppliers of GSM systems to offer their switches, familiar in many public telephone networks, as MSCs.

    SIEMENS with its EWSD technology and ALCATEL with the S12 and the E10 are well-known examples that benefit from such synergy.

    The modifications of exchanges required for the provision of mobile service affect, in particular, the assignment of user channels toward the BSS, for which the MSC is responsible, and the functionality to perform and control inter-MSC handover.


    The Mobile-Services Switching Center

    That defines two of the main tasks of the MSC.

    We have to add the interworking function (IWF), which is needed for speech and nonspeech connections to external networks.

    The IWF is responsible for protocol conversion between CC and the ISDN user part (ISUP), as well as for rate adaptation for data services.


    Gateway MSC

    An MSC with an interface to other networks is called a gateway MSC.

    The figure on the next slide shows a PLMN with gateway MSCs interfacing other networks.

    Network operators may opt to equip all of their MSCs with gateway functionality or only a few.

    Any MSC that does not possess gateway functionality has to route calls to external networks via a gateway MSC.

    The gateway MSC has some additional tasks during the establishment of a mobile terminating call from an external network.

    The call has to enter the PLMN via a gateway MSC, which queries the HLR and then forwards the call to the MSC where the called party is currently located.


    Gateway MSC

    Figure 8 The functionality of the gateway MSC.


    The Relationship Between MSC and VLR

    The sum of the MSC areas determines the geographic area of a PLMN.

    Looking at it another way, the PLMN can be considered as the total area covered by the BSSs connected to the MSCs.

    Since each MSC has its own VLR, a PLMN also could be described as the sum of all VLR areas.

    Note that a VLR may serve several MSCs, but one MSC always uses only one VLR. The figure on the next slide illustrates this situation.

    That relationship, particularly the geographic interdependency, allows for the integration of the VLR into the MSC.


    The Relationship Between MSC and VLR

    All manufacturers of GSM systems selected that option, since the specification of the B-interface was not entirely available on time.

    In GSM Phase 2, the B-interface is no longer an open interface (as outlined above).

    It is expected that this trend will continue.

    A network operator still has the freedom to operate additional MSCs with a remote VLR, but that is somewhat restrictive in that all the MSCs must be supplied by the same manufacturer.


    The Relationship Between MSC and VLR

    Figure 9 Geographic relationship between the MSC and the VLR.


    Equipment Identity Register

    The separation of the subscriber identity from the identifier of the MS (described in last slides) also bears a potential pitfall for GSM subscribers.

    Because it is possible to operate any GSM MS with any valid GSM SIM, an opportunity exists for a black market in stolen equipment.

    To combat that, the EIR was introduced to identify, track, and bar such equipment from being used in the network.

    Each GSM phone has a unique identifier, its IMEI, which cannot be altered without destroying the phone.


    Equipment Identity Register

    The IMEI contains a serial number and a type identifier.

    Like the HLR or the VLR, the EIR basically consists of a database.

    It maintains three lists:

    the white list contains all the approved types of mobile stations;

    the black list contains those IMEIs known to be stolen or to be barred for technical reasons; and

    the gray list allows tracing of the related mobile stations.

    The prices for mobile equipment have fallen dramatically due to the great success of GSM.

    Consequently, the theft rate is low.


    Equipment Identity Register

    Figure 10 Contents of the EIR.


    Equipment Identity Register

    Several GSM operators have decided not to install the EIR or, at least, to postpone such installation for a while.

    If the EIR is installed, there is no specification on when the EIR should be interrogated.

    The EIR may be queried at any time during call setup or location update.


    That is ALL for today!!!

    I value your patience & time

    THANK YOU VERY MUCH