final report--important
TRANSCRIPT
2
Contents Page No.
1. Introduction 3
2. E10B exchange 5
3. OCB exchange 12
4. GSM 23
5. CDMA 29
INDEX
3
INTRODUCTION
BSNL “BHARAT SANCHAR NIGAM LIMITED” is abbreviated as BSNL. It is
fourth largest department of Telecommunication Company in Asia and seventh in world today. Which is one of the most earning revenue in India? Above more than 3 laces employees, officer and engineers working in BSNL at present.
Previously electro mechanically exchanges for use in India namelyStrowger type exchange, cross bar exchange was there.
These manual telephone exchanges suffered from some disadvantages. To overcome this automatic exchange was introduced in this system. In
1980’s PITHROTHA LTD. Introduced “C-DOT” exchange in India. These exchanges replaced by electro mechanical exchange. These exchange which has wide range of capacity replaced electro mechanical exchange, C-DOT-128, C-DOT-256, C-DOT-512, C-DOT-1024(SBM) exchange, C-DOT-2048(MBM) exchange and so on.
Besides C-DOT exchange ILT exchange, E-10B exchange also proved of mild stone in Telecommunication Sector to replace electromechanical exchanges, which were most sophisticated and modern latest techniques electronics exchanges.
There after it was OCB-283 exchange which proved very important exchange in this series to replace electro mechanical exchanges.Now it is “WLL” & “GSM” mobiles which is also proved a mild stone in Telecommunication sector. It was 31st march 2002 when BSNL started these GSM mobile and today it has provided almost 35 lacks mobiles in all over country. WLL system which is also a mobile with limited mobility in city & can have Tele communication facility in that area almost. While GSM can cover all cities of the country.
4
General Arrangement For Connecting Telephones
5
E10B (Electronic 10 Binary Exchange)
Introduction:An E10B Exchange has 4 main blocks: The Connection unit, Switching Net work, Control units and Operation & Maintenance Centre.
Maximum 45,000 lines and 5000 circuits can be connected with one exchange.
System: Time Division Switching (TST Switch)
PCM principle used
2 Mb PCM link and 30 channels per PCM link
8 bits per telephone channel
Stored Program Control (SPC)
Dedicated Processor for switching function
Non-Dedicated Processors for operation functions
Power Supply: - 48 v DC for Main Exchange and satellite exchange, 220v 50 Hz for OMC.
Temperature:
Exchange 18 to 20 C
Satellite Xge. 5 to 35 C
OMC 15 to 28 C
Salient Features: The typical phases in establishing a local call are Pre Selection, Selection,
Connection & Charging and Disconnection.
6
Subscriber connection unit (CSE) while scanning the subscribers line every 4 msec, If the off hook condition continues for 64 msec it is taken as a “New call”.
The processing time of the Register is 32 micro seconds. The connection units are URA, URM, ETA and BDA. The control units are MR, MQ, UGCX, TR, TX, OC and DSF. In OMC, the Disk access time (UD50) is 75 msec and it is of Random access
type memory. The use of ring on the magnetic tape is to enable Write operation. MATR is the auxiliary memory of translator. Volume name can be of maximum 6 characters. Clocks of exchanges and OMC are set right automatically every 18 minutes. The detailed billing message consists of 41 bytes. The number of ordinary calls that can be charged simultaneously by each
charging unit is 2000. PGV (Permanent Glow Visual): this show the type of faults Red color shows critical fault, Orange shows urgent fault and yellow shows
non-urgent faults. It can be diagnose through computer. There are 3 types of alarm category IM (immediate or urgent intervention ),
ID ( delayed or non-urgent intervention), SI (without any intervention or no action).
E10B exchange has rows namely C, K, L and M, out of which normally C row have connection units and other rows have control units.
Tone generators are available in the First Two ETA racks.
Transmission The call is transmitted from telephone to:
Caller
/
D.P
7
/Pillar/
MDF
/
Exchange
/
Tax
/
Exchange
/
MDF
\
Pillar
\
D.P
\
Receiver
E-10B (ELECTRONICS - 10 BINARY) Here we came to know about function of:--
OMC: -- Operation maintenance centre.OC:--Monitoring unit.
8
ETA:--Frequency sender and receiver.URM:--Multiplex connection unit.(5 unit)CSE:--Subscriber connection unit.DSF:--Stand by charge unit.MR:--Multiresistor (5 unit)MQ:--Marker (2 unit)TR:--Translator (2 unit)TX:--Tax (charging unit) (2 unit)RLM:--Remote lining unit.COM:--Switching module.CX: -- Switching unit.
OMC: -- Operation maintenance centreThe operations and maintenance center (OMC) is connected to all equipment in the switching system and to the BSC. The implementation of OMC is called the operation and support system (OSS). The OSS is the functional entity from which the network operator monitors and controls the system. All the data from the DSF is brought here and then processed. An important function of OSS is to provide a network overview and support the maintenance activities of different operation and maintenance organizations
OC:--Monitoring unitThe Monitoring unit (OC) is one of the control unit and provides an interface between the OMC and the units of each E10B exchange. There is only one Monitoring unit in each exchange, OC is connected with OMC via ETM (Message Transmission Equipment) and ETM is available in the OMC room.
9
ETA:--Frequency sender and receiverThe Frequency sender/receiver unit (ETA) consists of Frequency receiver (RF), Tone Generators (GT), Conference circuits (CCF). ETA forms part of the connection unit and the max no. of ETA’s being 16 and min 2.
URM:--Multiplex connection unit
URM (Multiplex connection unit) having Links LRE,LRS and LVS with Switching network; Link LT with multi register, Charging unit; Link LU with Marker and Link LC with monitoring unit. The maximum number of URM’s being 5 units. URM logic switch over can be periodic for every 24 hours
CSE:--Subscriber connection unitSubscriber connection unit (CSE) while scanning the subscribers line every 4 msec, If the off hook condition continues for 64 msec it is taken as a “New call”. The numbers of the subscribers are created here. 1 rack contains 4 slots each slots contains 16 cards, each card containing 16 numbers. Hence it may generate 1K (1024) number. For each number 2 wires are dedicated and these 2 wires are converted into 4 wires at internally printed circuit board, also at the subscriber’s end these 2 wires are converted into 4 wires in the instrument, 2 for receiving signals where as other 2 for transmitting signals.
Each PCM 30 time slots and there are 4 PCM thus 120 time slots. If 1024 calls hooked-off simultaneously, then only 120 of them will get dial tone and others are discarded.
Power Supply Unit:It provides different voltages for different situations:
10
When instrument is idle: 5 V
Call connected: 12 V
Ringing: 75 V
DSF:--Stand by charge unitIt store data and forward it. It store data in magnetic tapes. Its size depends on blocks. It stores data regarding billing. The DSF (Stand by Charge recording unit) has two main functions; Data save and Regeneration. . In DSF, the tape is read while winding is reverse because if the link with the OMC goes down again, the same tape must be used to save messages from the charging unit with the tape winding forward.
MR:--Multiresistor When an instrument is hooked-off, then temporarily a MR is allotted to that number & when the person starts dialing a number each number store in the MR & that MR is allotted to the number till the call ends. In this 8085 microprocessor is used. The number of multi registers (MR’s) varies between two to six, depending on the traffic capacity and it operates of a traffic (load) sharing basis. One MR has got 256 registers and out of which 254 registers are used for the setting up or releasing of calls and other two are used for housekeeping purpose.
MQ:--Marker It works at initial stage. It allots work to each rack. Marker (MQ) is responsible for routing the principal switching messages between the various units of an exchange.
11
TR:--Translator It store data regarding subscribers like facilities available- STD, fixed dialing, etc. When instrument is hooked-off. It decides whether dial tone is to be provided or not. If yes, then it allots MR to it in which dialed number is stored then routing is done to the dialed number and call is connected. At the time of call end, meter is increased and charged units are sent to DSF.
TX:--Tax (charging unit)There are 3 functional sub-systems in TX: Interchange unit, Charging register unit and I/O interface. The monitoring continuity of connections in switching network will be once in 16 minutes by TX.
The sub meter data and Traffic observations are stored in Auxiliary memory of TX.
500 registers are there in Data memory of TX; each register can handle four local calls simultaneously.
TAX (Trunk auto exchange) This section deals when a caller picks up the receiver, gets the dial tone and how the call is made and processed.
CX: -- Switching unitCX employs 4 wire (4W) switching for connecting the time slots of calling and called parties
12
OCB (ORGAN CONTOL BOARD):OCB-283 is digital switching system which supports a variety of communication needs like basic telephony, ISDN, digital cellular radiotelephony, etc. This system has been developed by CIT ALCATEL of France and therefore has many similarities to its predecessor E-10B (also known as OCB-181 in France).
13
OCB EXCHANGE SYSTEM
SALIENT FEATURES
It is a digital switching with single ‘T’ stage switch. A maximum of 2048 PCM’s can be connected.
It supports both analog and digital subscribers. The system has ‘automatic’ recovery feature. When a serious fault occurs in
a control unit, it gives a message to SMM. The SMM puts this unit out of service, loads the software of this unit in a back up unit and brings it into service. Diagnostic programmers are run on the faulty unit and the diagnostics is printed on a terminal.
Various units of OCB 283 system are connected over token rings. This enables fast exchange of information and avoids complicated links and wiring between various units.
The charge accounts of subscribers are automatically saved in the disc, once in a day. This avoids loss of revenue in case of battery failure.
The traffic handling capacity of the system is huge. The exchange can be managed either locally or from an NMC through
64kb/s link. The hard disc is very small in size, compact and maintenance free. It has a
very huge memory capacity of 1.2 Giga bytes.
14
Duplicated Switching:The switching is done in OCB-283 in two fully duplicated branches simultaneously. For this purpose from each connection units the LR links originate in two parallel branches towards two parallel sets of switching matrices called SMX A and SMX B. The branches of such network are called A and B branches. Also the receive side LR links come from both the SMX’s A & B and are terminated on the respective connection units. The duplicated branches of switching have been designed to provide high reliability switching path for such diverse purposes as data switching, video conference, ISDN applications etc.With the duplicated paths of switching if there is error in one path the other path which is good can be used continuous without interrupting the call in progress.
Subscriber Connection Unit (CSN): A CSN basically consists of 1 basic rack and 3 extension racks capacity of
CSN is 5000.Subs may be analog and digital. CSN are so designed that they can be equipped with either analogue or
digital subscriber or both. The cards for analog and digital subscribers are different, but can be equipped in any slot of the shelf.
CSN can be either placed in the exchange switch room or at a remote location. Further, subscriber card shelf can also be placed at the rack or at a remote location. These features provide great flexibility to meet any type of requirement of dense or sparse connection densities. Depending on their location, CSN is known as CSNL or CSND and subscriber shelf is known as local or remote concentrator.
BRIEF DESCRIPTION OF THE FUNCTIONAL COMPONENTS:
15
1. BT (TIME BASE):Time pulses are generated in triplicate and distributed to LR’s at switching unit.The time base is usually synchronized with the network by a synch. Interface. It gets the clock from PCMs which carry traffic also and synchronizes the local clock with the PCM clock and thus network synchronization is achieved.
2. HOST SWITCHING MATRIX:This is a pure switch of maximum 2048 LRs connectivity capability. The switching of LR time slots are controlled by the function com which in turn obtains the particulars from call handler known as multiregister.
3. AUXILIARIES:Auxiliary Equipment Manager (ETA).It supports following functions:-Tone generation
-Frequency generation and reception-Conference call facility-Exchange clock
16
4. CALL HANDLER (MR):This obtains necessary data from subs. & ckts. & process for connection and disconnection of call with the help of a database manager TR. In addition this helps in carrying out ckt. tests and some observations. It establishes and releases the calls. It takes real time decisions for processing of a call. The MR also consults TR to find out subscribers entitlements
5. DATA MANAGER (TR):This is responsible for managing &storing various subscriber and trunks related database. The data is returned by the call handler as & when required during call processing.It also stores routing and analysis data. It converts (or) translates the received digits into equipment number of the called subscriber.
6. CHARGING FUNCTION (TX):This function is responsible for charge computation on the basis of certain charging parameters supplied by the translator during analysis of digits received from a source. This also prepares detailed billing messages & forwarding the same to the operation & maintenance function for further processing.
7. MATRIX HANDLER (GX):This function is responsible for processing and for defense of connections on receipt of--Request for connection & disconnection from MR or MQ.-Fault in connection
8. MESSAGE DISTRIBUTION FUNCTION MARKER:Its function is to format if required & distribute messages. Also supervises semi permanent links& inter messages between different communication multiplexes.
9. PCM CONTROLLER (URM):PCM interface receives PCM from other exchanges remote subs. access units, access networks and digital recorded announcement systems and the URM function carries out the following—-hdb3/binary code conversion-injection/extraction of TS 16 for CAS.
17
10. OM FUNCTION:This function enables to create all data required for subs/circuits and their testing.This also enables spontaneously issuing faults & alarm messages in case of indications coming from OCB units. Also provides features for saving detail billing/bulk billing messages on magnetic tape. It possesses a two way communication path with the exchange.
11. This is implemented in CSNL/CSBD & is responsible to forward new call connection & disconnection requests to control functions.
HARDWARE ARCHITECTURE:
18
CONTROL FUNCTIONS-CONCEPT OF STATIONFor all control function OCB uses concept of a station. Following type of stations is available:1. SMT - Trunk Multiprocessor Station2. SMA - Auxiliary Multiprocessor Station3. SMX - Switch Multiprocessor Station4. SMC - Command or Control Multiprocessor Station5. SMM - Maintenance Multiprocessor Station6. STS - Synchronization and Time Base Station
19
SMT-Trunk Multiprocessors StationIt is also known as PCM trunk control station. The SMT is a interface for PCM’s coming from the particular exchange and the remaining world. The current version of SMT being supplied to India is SMT 2G.Function of SMT--Provides terminations of a maximum of 128 PCM’s from trunks-Transforming the intelligence in PCM to LR for switching to destinations and transforming the switched LR time slot into PCM.
SMA-Auxiliary Multiprocessor StationFunction of SMA--Tone generation (GT)Tone generators generate various tones required to be connected during call processing. These tones are Dial tone, busy tone, Ring back tone, processing tone etc.-Conference call (CCF)The conference circuits are used to set up connection between a maximum of 4 subscribers. -ClockThe time base is obtained by the SMA from STS via the switch over GLR cable. Types of software used areETA –frequency decoderPUPE-to handle signaling
SMX-Switching Multiprocessor StationThe station is responsible for carrying out connection of an incoming LR time slot to an outgoing LR time slot.-clock reception from STS & distribution-fault and alarm processingThe SMX is connected on 4Mbps links to units like SMT, SMA referred to as peripherals.
SMC—Main Control StationAll the control functions are supported in SMC and one or more of these functions can be used during call processing. The main control functions are MR, TR, TX, MQ etc. Relative position of SMC in OCB exchange as shown in fig.
20
Control functions in SMC communicate on MIS while other communicates with SMC on MAS. There are 6 common control functions in OCB-283. The following list illustrates their minimum and maximum numbers.• MQ-marker• MR-multiregister, call analyser• TR –translator• TX-charging unit
SMM-Maintenance Multiprocessor StationThe SMM provides the facility for carrying out operation and maintenance of OCB units and also manage the data base. It carries out following functions:--database management and storage-central defense of the OCB system-supervisor of token rings-processing of various commands-general initialization of the exchangeIt provides local link for data processing devices and administration terminals.
It consists of two units –one act as pilot and other as a standby. Both systems share a common communication bus supporting various communication peripherals.The two subsystems are referred as SMMA and SMMB.
21
STS-Synchronization and Time base StationThis is clock system of OCB-283 system which happens to be the most vital unit of any digital switching system as switching takes place at the strobe of clock. The clock needs to be synchronized with the network. This ensures almost a common clock at every switching station. The clock system in OCB-283 therefore consists of two parts-synchronization part and time base generator part.
OCB Exchange-Local loop
Facilities to analogue subscribers-
• A line can be made only outgoing or incoming.
• Immediate hot line facility-The subscriber is connected to another predetermined subscriber on lifting the handset without dialing any number.
• Delayed hot line facility-When subscriber lifts the handset, dial tone is provided he can dial any number. If he does not dial a number, within a predetermined time, he is connected to predetermined number.
22
• Abbreviated dialing-The subscriber can record a short code and its corresponding full number in the memory. Later he dial this number, he has to only dial short code.
• Call forwarding-When activated, incoming calls to the subscriber gets transferred to the number mentioned by the subscriber while activating the facility.
• Conference between four subscribers-Two subscribers while in conversation can include two more subscribers by pressing button and dialing their numbers.
• Call waiting indication-When a subscriber is engaged in conversation and if he gets an incoming call, an indication is given in the form of tone. Hearing this, the subscriber has option, either to hold the subscriber in conversation and attend the waiting call or to disconnect this subscriber and attend the waiting call. In the former case, he can revert back to the earlier subscriber.
• Automatic call back on busyIf this facility is activated and if the called subscriber is found busy, the calling subscriber simply replaces the receiver. The system keeps watch on the called subscriber and when it becomes free, a ring is given to both the subscribers. On lifting they can talk to each other.
• Priority line-Calls from this line are processed and put through even when the number of free channels is within a threshold.
• Malicious call identification- In this category, the number of calling subscriber is printed on the terminal
• Battery reversal- The system extends battery reversal when called subscriber answers.
• Detailed billing-The system provides detailed bills giving details of date, time, etc.
23
CDMA (Code division multiple access)
What is CDMA
Both an access method and air-interface Uses DSSS and ECC Frequency reuse factor is 1 3 systems IS-95 2G, W-CDMA, and CDMA2000
TYPES OF CHANNELS
Control channel 1) Forward (Downlink) control channel
2) Reverse (Uplink) control channel
Use
r 1
Time
Frequency
Use
r 2
Use
r n
Code
...
24
Traffic channel1) Forward traffic (traffic or information) channel 2) Reverse traffic (traffic or information) channel
Note: Ci’ x Cj’ = 0, i.e., Ci’ and Cj’ are orthogonal codes,
Ci x Cj = 0, i.e., Ci and Cj are orthogonal codes
MS #1MS #2
MS #n B
S
C
1’C
2’
C
n’
C
1C
2
C
n
… ……
Reverse channels
(Uplink)
Forward channels
(Downlink)
Frequency f ’
Frequency f
25
INTERFERENCE IN CDMA
WORKING OF CDMAEach bit (zero or one) is spread into N smaller pulses/chips (a series of zeros and ones). The receiver which knows the spread pattern (code) will be able to recover the original bits. Other receivers which do not know the code will only get small ripples (noise).
RANGE OF CDMAThe range of the CDMA network is 25Km approx.
FEATURES OF CDMA
1) LARGER CAPACITYPotentially larger capacity (more users can communicate simultaneously)
In CDMA, users are separated by different codes. The number of available codes in CDMA far exceeds the number of channels in TDMA/FDMA. Thus it has a potential to handle a large number of users.
In reality the capacity is restricted by the interference (noise) generated by users. Increasing the number of users will gradually reduce the quality (larger noise). If users don’t use the medium all the time (e.g., they are just reading e-mail), CDMA will allow much more users to communicate simultaneously. In other words, CDMA will use the resource (the radio spectrum) more efficiently
Frequency
Baseband signal
Frequency
Interference baseband signals
Spreading signal
Frequency
Despread signal
26
2) ROBUST AGAINST FADINGProvides larger spread spectrum, thus more robust against noise bursts and multipath frequency selective fading
GSM bandwidth = 200 kHz
IS-95 bandwidth = 1.25 MHz
W-CDMA (3G) bandwidth = 10MHz
RAKE receiver in CDMA makes use of multipath signals.
3) BETTER POWER CONTROLCDMA’s capacity is determined by the total noise generated by users.
Power control is essential because if there were no power controls the MS that were very close to the BS would generate very strong signal and thus very large interference.
Good power control reduces the power emitted by an MS that is close to the BS. Thus the noise levels generated by all MSs will be comparable.
This in turn reduces power consumption of an MS, and low power consumption is an important feature for mobile devices.
Advantages of CDMA Cellular
Frequency diversity – frequency-dependent transmission impairments have less effect on signal
Multipath resistance – chipping codes used for CDMA exhibit low cross correlation and low autocorrelation
27
Privacy – privacy is inherent since spread spectrum is obtained by use of noise-like signals Graceful degradation – system only gradually degrades as more users access the system.
BTS in Mobile CommunicationA GSM network is made up of three subsystems:
The Network and Switching Subsystem (NSS) – comprising an MSC and associated registers.
The Base Station subsystem (BSS) – comprising a BSC and several BTSes
The [Operations support system]- for maintenance of the network
Though the term BTS can be applicable to any of the wireless communication standards, it is generally and commonly associated with mobile communication technologies like GSM and CDMA. In this regard, a BTS forms part of the base station subsystem (BSS) developments for system management. It may also have equipment for encrypting and decrypting communications, spectrum filtering tools (band pass filters) etc. antennas may also be considered as components of BTS in general sense as they facilitate the functioning of BTS. Typically a BTS will have several transceivers (TRXs) which allow it to serve several different frequencies and different sectors of the cell (in the case of sectaries base stations). A BTS is controlled by a parent base station controller via the base station control function (BCF). The BCF is implemented as a discrete unit or even incorporated in a TRX in compact base stations. The BCF provides an operations and maintenance (O&M) connection to the network management system (NMS), and manages operational states of each TRX, as well as software handling and alarm collection. The basic structure and functions of the BTS remains the same regardless of the wireless technologies.
28
General ArchitectureA BTS in general has the following units:
Transceiver (TRX)Quite widely referred to as the driver receiver (DRX). Basically does transmission and reception of signals. Also does sending and reception of signals to/from higher network entities (like the base station controller in mobile telephony)
Power amplifier (PA)Amplifies the signal from DRX for transmission through antenna; may be integrated with DRX.
CombinerCombines feeds from several DRXs so that they could be sent out through a single antenna. Allows for a reduction in the number of antenna used.
29
DuplexerFor separating sending and receiving signals to/from antenna. Does sending and receiving signals through the same antenna ports (cables to antenna).
AntennaThis is also considered a part of the BTS.
Alarm extension systemCollects working status alarms of various units in the BTS and extends them to operations and maintenance (O&M) monitoring stations.
Control functionControl and manages the various units of BTS including any software. On-the-spot configurations, status changes, software upgrades, etc. are done through the control function.
Baseband receiver unit (BBxx)Frequency hopping, signal DSP, etc.
GSM (Global Systems for Mobile)
30
History of Cellular Mobile Radio and GSM
(Global Systems for Mobile)
. Early 1980’s there was analog technologies: Advanced Mobile Phone Services (AMPS) in North America. Total Access Communication System (TACS) in the UK. Nordic Mobile Telephone (NMT) in Nordic countries.
Each country developed its own system which caused problems:
System worked only within the boundaries of each country. Mobile equipment manufacturers markets were limited by the operating
system.
Solution was GSM, which is digital technology and was developed by CEPT (Conference of European Posts and Telecommunications)
GSM differs from its predecessor technologies in that both signaling and speech channels are digital, and thus GSM is considered as a second generation(2G) mobile phone system.
One of the key feature of the GSM service is the Subscriber Identity Module.
Subscriber Identity Module (SIM) Commonly known as SIM card Detachable smart card containing user’s subscription information and phone
book Allows the user to retain information after switching the handset SIM locking
The Goals of GSM Improved spectrum efficiency International roaming
31
Low-cost mobile sets and base stations High-quality speech Compatibility with ISDN and another telephone company services Support for new services QoS
GSM carrier frequencies
GSM freq. bands used for the 2G Most of the GSM networks are operating at the 900 MHz and 1800 MHz
freq. band. For Canada and United states uses 850 MHz and 1900 MHz
If these freq. bands are used for the Preceding technology then sometimes other freq. bands 400 MHz and 450 MHz are used rarely.
UMTS freq. bands for the 3G Radio Spectrum Frequencies designated for the operation of the
Universal Mobile Telecommunications System (UMTS) / High-Speed
Downlink Packet Access (HSDPA) / High-Speed Uplink Packet Access (HSUPA) / HSPA+ / system for mobile phones.
most of the 3G networks operates at the freq. band of 2100 MHz
GSM service security Designed to authenticate the subscriber a pre-shared key and challenge-
response. Pre-shared key:- It is a shared secret which was previously shared
between the two parties using some secure channel before it needs to be used. Such system almost always uses symmetric key cryptographic algorithms. The secret or key are determined by the system which uses it. Some system uses it in a particular format. It can be a password like ‘bret13i’, or a passphrase like ‘ldaho hung gear id gene’, or a hexadecimal string. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.
Challenge-response authentication:- It is a family of protocols in which one party presents a question (“challenge”) and another party must provide a valid answer (“response”) to be authenticated.
32
The simplest example of the challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.
The development of the UMTS introduces an optional Universal Subscriber Identity Module (USIM), that uses a longer authentication key
to give greater security, as well as mutually authenticating the network and the user – whereas GSM only authenticates the user to the network(and not vice versa). GSM uses several cryptographic algorithms for security. The A5/1 and
A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 is a stronger algorithm used within Europe and the United
States; A5/2 is weaker and used in other countries Serious Weakness found in both Algorithms
It is possible to break A5/2 in real time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow-table attack.
Finally, On 28 December 2009 German computer engineer Karsten Nohi announced that he had cracked the A5/1 cipher.According to him, he developed a number of rainbow-tables (Static values which reduces the time needed to carry out an attack) and have found new sources for known plaintext attacks. He also said that it is possible to build “a full GSM interceptor… from open source components” but that they had not done so because of legal concerns
In 2010, threatpost.com reported that “A Group of cryptographers has developed a new attack that has broken Kasumi, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enables them to recover a full key by using tactic known as related-key attack, but experts say it is not the end of the world Kasumi. Kasumi is the name for the A5/3 algorithm, used to secure most 3G traffic.
GSM Cell Structure . The Power level of a transmitter within a single cell must be limited to reduce
the interference with the neighboring cells.
33
Neighboring cells cannot share the same channels
34
Different size of patterns: 4,7,12,21 cells in one cluster
35
36
. Base Station Control (BSC) Translates the 13-kbps voice to the standard 64-kbps channel (used by
PSDN or ISDN) Frequency hopping Time and frequency synchronization Power management
37
Time delay measurement
. The Transcoder and adaption unit (TRAU) (13Kbps speech or data + 3Kbps additional synchronizing data)*4=64Kbps
(TRAU Standard rate)
PSTN (Public Switched Telephone Network) It is also referred to as the Plain Old Telephone Service(POTS) It is the network of world’s Public Switched Telephone Network It consists of telephone lines, fiberoptic cables, microwave transmission
links, cellular networks, communications satellites, and undersea telephone cables.
38
Base Station Subsystem(BSS) = BTS + BSC
39
Mobile Switching Center (MSC) The central component of the Network Subsystem (30 + 2)*64Kbps = 2,048Mbps(E1) or better to the other network
interfaces(PSDN,ISDN) Billing Location registration Gateway to SMS Synchronizing BSS Handover management
GSM Architecture 3 broad parts Subcribers carries MOBILE STATION BSS controls the radio link with the mobile station NETWORK SUBSYSTEM, which main part is MSC
40
Equipment Identity Register (EIR) Authentication Center (AuC) SMS Serving Center (SMS SC) Gateway MSC (GMSC) Charge Back Center (CBC) Operations and Support Subsystem (OSS) Transcoder and Adaption Unit (TRAU)
The Registers Completing the NSS Home Location Register (HLR) contains all information of each subscriber
of each subscriber registered in the corresponding GSM network
41
Visitor location Register (VLR) contains selected information from the HLR, which is necessary for call control and provision of the subscribed services, for each mobile currently located in the geographical area controlled by the VLR
NSS = HLR + VLR + MSC Equipment Identity Register (EIR) contains a list of all valid mobile
equipment on the network Authentication Center (AUC) stores a copy of the secret key stored in each
subscribers SIM card EIR and AUC are used for security and authentication purposes
42
43
44