Lecutre7

GSM Security and Addressing

Authentication• Stop unauthorised access to telecom services via cloning

of a valid user identifier• GSM anticipated this and defined an authentication

procedure• A user is challenged to provide proof of the claimed

identity• User accesses network and provides the user identifier• Network sends a random number (RAND) to the MS• Which together with Ki provide a response (SRES)

Ciphering

• MS sends a connection request to the network

• Among others, this request contains – Ciphering key sequence number (CKSN) – Mobile station class mark

• Mobile station class mark indicates the available ciphering algorithms (A5/X) in the mobile station

Ciphering• VLR examines the CKSN and decides whether authentication is necessary • Authentication not required a second time during the same network access • Multiparty call- an example of second connection while another connection already

exists• A message sent to the MS in case authentication is necessary• Message contains the random number, RAND• SIM uses the RAND, value Ki and algorithm A3 to calculate SRES• MS sends SRES to the VLR• VLR compares this SRES with the one earlier sent by HLR/AuC • Auth successful if both values are identical• Immed after SRES, the MS calculates ciphering key Kc using RAND, Ki and algorithm

A8• To activate ciphering, the VLR sends

– Value Kc that the AuC has calculated – A reference to the chosen A5/X algorithm

• Via the MSC and the BSC to the BTS

Calculation of SRES & Kc

Ciphering• BTS retrieves from the ENCR_CMD message

– Kc – Info about the required ciphering algorithm

• BTS only forwards info about the A5/X algorithm in a CIPH_MOD_CMD message to the MS• Which triggers MS to enable

– Ciphering of all outgoing data and – Deciphering of all incoming information

• MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message• A5/X uses the current value of the frame number (FN) at the time and Kc as input parameters• Output of this operation are ciphering sequences, each 114 bits long, one is needed for ciphering and

the other one for deciphering• First ciphering sequence and the 114 bits of “useful data” of a burst are XORed

– To provide encrypted 114 bits that are actually sent over the Air-interface• Ciphering sequences altered with every frame number• Which in turn changes the encryption with every frame number• Deciphering takes place exactly the same way but in the opposite direction

Ciphering

De-ciphering

Authentication

= ?

NSS

RAND = RANDom numberSRES = Signed RESponseKc = Ciphering KeyKi = Identification Key

RAND

Kc

RAND (128 bits)SIM card

G S M

Global GSM MobilityCardThe Smart Card to use

A8

A3

Ki Ki

A3

A8

MS

AUC (A3 and A8)

(RAND, SRES, Kc)

SRES

SRESm (32 bits)

SRESm

CIPHERMODE

Ki (128 bits) Ki (128 bits)

A3

A8

A3

A8

BSS

OK

RadioInterface

Kc

A3

Ki RAND

SRESm

Purpose:Avoid logging of lost, stolen orforgery SIM-Cards.

5

Triplets3

AUC (A3 and A8)

(RAND, SRES, Kc)

HLR

MSC

BTS

BSS

BSC

RAND4

SRESm6

1

1

4 6

4RAND

6SRESm

Authentication

7CipheringCommand7

CIPHERMODE

3

2

VLRSRESm = SRES ?

SR

ES

m

6

74

RA

ND

Ciphereddata

MS BTS

Radiointerface

Frame Number(22 bits)

Kc (64 bits)

+

Kc (64 bits)

Ciphering

+

+

+

: exclusive-or+

A5 A5

Frame Number(22 bits)

Block (114 bits)

Data to transmit

Received data Data to transmit

Received data

Block (114 bits)

Block (114 bits)

Block (114 bits)

BTS

BSS

BSC

VLR

(Rand, SRES, Kc)

A5

KcTDMA#

+

A8

Ki Rand

Kc

MSCKc

Kc2

Ciphereddata 5

CIPHERING

SET CIPHER MODE(Kc)

1

3CIPHER MODE COMMAND

4CIPHER MODE COMPLETE

CIPHER MODE COMPLETE6

Purpose: avoid communication to be tapped.

IMEI• Mobile station equipment identity• Not mandatory for the network operator to query

the IMEI• Purpose of the IMEI is to prevent passive theft

protection• EIR maintains information on stolen mobile

equipment in a “black list,” which makes stolen mobile equipment useless

IMEIIMEI comprises following:• A 24-bit-long type approval code

(TAC) – Before any mobile equipment is

brought into service, it undergoes a test to show that it complies with safety regulations and functionality requirements

– Process called type approval, and the requirements are specified by GSM

• An 8-bit-long final assembly code (FAC) identifies the manufacturing facility

• A 24-bit-long serial number• A spare field, currently not used

Type ApprovalCode

TAC FAC SNR SP

Final AssemblyCode

Serial number (SPare)

TYPE

APPROVED

MOBILE IDENTIFICATION

IMEISV• IMEI plus a software

version number (SVN)• Which can be

modified by the manufacturer in case of a software update

IMSI

International mobile subscriber identity• An identifier for a GSM subscriber• Part of the subscriber data stored on (SIM) card• Uniquely identifies one subscription worldwide • Structure similar to the ISDN number, defined in

ITU-T Recommendation E.164

IMSI• 15-digit number and is

composed of :• Mobile country code (MCC), • Mobile network code (MNC)• Mobile subscriber identification

number (MSIN)• MSIN of the IMSI not used as

the subscriber’s telephone number

• To make tracking more difficult, IMSI used only as an identifier when the temporary mobile subscriber identity (TMSI) not available, e.g., for initial system connections

MCC & MNC

Mobile country code• A three-digit identifier • Uniquely identifies a country (not a PLMN)Mobile network code• A two-digit identifier • Used (like the 3-bit-long NCC) to uniquely

identify a PLMN

IMSI Attach/Detach• IMSI detach informs network that

– An MS will go into an inactive state – And is no longer available for incoming calls– For example, due to power down or because the SIM is removed

• MS sends an IMSI_DET_IND message to the network each time it is powered down• VLR keeps track of this state• This approach saves radio resources and processing time• Call processing can switch to secondary call treatment

– without first sending a PAGING message and then waiting for expiration of respective timers

• Secondary call treatment means initiating– Call forwarding– Voice mail, or – Telling caller that the subscriber currently not reachable

• Complementary to IMSI detach is IMSI attach• It indicates to network that a mobile station is active again• IMSI attach is related to periodic location updating• The location updating procedure is utilized to perform IMSI attach

IMSI Attach

MSCBTS

BSS

BSC

VLR

3

4

5

4

6

1 CHANNELREQUEST

2IMMEDIATEASSIGNMENT

LOCATION UPDATINGREQUEST (IMSI Attach)

3

5LOCATION UPDATINGACCEPT (LAC, TMSI)

4AuthenticationProcedure

IMSI Detach

MSC

BTS

BSS

BSC

VLR

1 CHANNELREQUEST

2IMMEDIATEASSIGNMENT

IMSI DETach INDication

3

4CHANNELRELEASE

IMSI DETach INDication

3

TMSI• Temporary mobile subscriber identity• Identifies a mobile subscriber, like the IMSI• 4-byte-long• Unlike the IMSI, TMSI has only temporary significance• VLR assigns a TMSI upon location registration for confidentiality • So not required to transfer the IMSI over the Air-interface frequently• TMSI can take any value, except FF FF FF FFhex• This value reserved in case SIM does not contain a valid TMSI

MSISDNMobile subscriber ISDN• Dir No of a mobile subscriber• Example: 49 171 5205787 is the

directory number of a subscriber to the D1 network in Germany

• Country code (CC) identifies a country or region (e.g., 49 for Germany, 1 for the United States);

• National destination code (NDC) identifies the PLMN (e.g., 171 for the operator D1)

• Subscriber number (SN) is a unique identifier within the PLMN

MSRN• Mobile station roaming number• A temporary identifier used for mobile

terminating calls– To route a call from the gateway MSC to

the serving MSC/VLR• VLR assigns MSRN to a mobile• MSRN used solely to route an incoming

call and contains no information to identify the caller or the called party

• Contains following codes: • Country code (CC) is the prefix of a

country• National destination code (NDC) identifies

the PLMN (e.g., 172 is the D2 operator of• Germany);• Temporary subscriber number (temp. SN)

assigned by the serving MSC/VLR of the called subscriber

NDCNational destination code• Part of an ISDN number as defined by ITU-T in

Recommendation E.164• Typically, the NDC addresses an area• May also be used to address a service, just as the

NDC 800 addresses free phone service in the United States

• In Germany, the NDCs 171 and 172 used to address the two GSM 900 operators

CKSN• Ciphering key sequence number • References to a ciphering key, Kc• When a particular Kc is stored in the MS and the MSC/VLR, a CKSN is

assigned as well• Allows MS and network a negotiation of the Kc without compromising

security by transmitting the value of Kc over the air• Particularly when an MS tries to establish an additional or subsequent

operation with the network• In such a case, when the MS requests a connection, it sends its last valid

CKSN to the VLR• VLR then decides, based on the CKSN, if ciphering can start immediately or if

another authentication is required • VLR may decide to request another authentication, even if the CKSN matches

the VLR’s entry

LMSI• Local mobile subscriber identity• VLR assigns it to a subscriber on a temporary basis• Purpose is to expedite queries in the VLR• Although no use for the LMSI in the HLR, but it still must

be stored in the HLR• HLR required to send the LMSI whenever data between

the two databases exchanged

CI

• Cell identity

• A 2-byte-long hexadecimal identifier

• CI together with the location area (LAI) uniquely identifies a cell within a PLMN

Location area (LA)• LA comprises at least one but typically several BTSs• Defined for the following purpose:

– An MS that changes the serving cell in the same location area does not need to perform a location update

– When network tries to establish a connection to an MS for a mobile terminating call, PAGING message is sent to only those BTSs that belong to the current location area of the MS

• LA therefore, serves mainly one purpose– Reduction of signalling load

• Every BTS broadcasts the LA via the parameter location area identity (LAI)

Location area Identity (LAI)• Even during an active call, LA

communicated to the MS (particularly important in a handover)

• Shaded, one-digit field is a filler (1111bin) and Extends three-digit MCC to 2 bytes

• Actual location area code (LAC) is four digits long

• LAC is an identifier that can be assigned by the network operator

• All values, except 0000hex and FFFE hex allowed

• Those two values reserved for cases when the LAI on a SIM has been deleted

Registration: The Very First Location Updat

• 1. Channel allocation (Connection request procedure):– MS sends (on RACH) a CHANNEL REQUEST message– Network responds with IMMEDIATE ASSIGNMENT (on dedicated

channel)• 2. MS sends to BSS a LOCATION UPDATING REQUEST

message with IMSI• 3. VLR triggers and monitors the Authentication procedure and can

also activate Ciphering procedure• 4. VLR stores the LA of the MS and informs the HLR which:

– stores VLR identity– downloads the subscriber profile, if the MS is allowed to roam

• 5. VLR may assign a TMSI and sends it to the MS in the LOCATION UPDATING ACCEPT message

• 6. MSC releases the connection

LAI HLR

IMSIVLR id

TMSI

IMSI

TMSI

Release

VLR

IMSITMSILAI

MSC

BTS

BSS

BSC

Registration: the Very First Location Update

2

3

5

1

2

6

1

2

3

5

6

4

3TMSI 5

BSIC• Base station identity code• An identifier for a BTS• Does not uniquely identify a single BTS, since it is reused

several times per PLMN• Purpose of the BSIC is to allow the MS to identify and

distinguish among neighbor cells, even when neighbor cells use the same BCCH frequency

• Since BSIC is broadcast within SCH of a BTS, MS need not even have to establish a connection to a BTS to retrieve the BSIC

BSIC• Consists of the

– Network color code (NCC), which identifies the PLMN

– Base station color code (BCC)

NCC

• Network color code

• 3-bit-long code

• Identifies the PLMN

• Is part of the BSIC and

• Is broadcast in the synchronization channel

BCC• Base station color code• 3-bit-long parameter • Part of the BSIC• Used to distinguish among the eight different

training sequence codes (TSCs) • The BCC is used by the MS (Mobile Station

) to distinguish between cells using the same frequencies, when the MS is deciding on which cell to select and to lock-on to.

PIN• Personal identification number• A four- to eight-digit number• Provides limited protection against unauthorized use. • Can be changed by the user and is stored on the SIM. • Optional and can be disabled• When enabled, the PIN needs to be entered at power up• When the wrong PIN entered three consecutive times, the

SIM is blocked and • Only the PIN unblocking key (PUK) can release the Pin

PUK

• PIN unblocking key

• A 10-digit code stored on the SIM

• Cannot be altered by the user

• Unblocks a SIM that was blocked due to wrong PIN entry three consecutive times

The Abis-Interface

• Interface between the BTS and the BSC• A PCM30 interface, like all the other terrestrial interfaces in GSM• Specified by ITU in the G-series of recommendations• Transmission rate is 2.048 Mbps• Partitioned into 32 channels of 64 Kbps each • GSM compression techniques pack up to 8 GSM traffic channels into a single

64-Kbps channel (for half rate channles) and 4 GSM channles to a single 64-Kbps channels for full rate channels.

• Like B interface GSM never specified the Abis-interface in every detail• Abis-interface regarded as proprietary leading to

– Variations in the Layer 2 protocol between manufacturers– Different channel configurations

• Consequence - normally, a BTS from manufacturer A cannot be used with a BSC from manufacturer B

Channel Configurations

• Two possible channel configurations of the Abis-interface ahead

• Fixed mapping of the air-interface traffic channels (Air0, Air1, …) of a BTS onto a TS of the Abis-interface

• Advantage-possible to determine which Abis TS will be used when a particular air-interface channel is assigned

Star configuration and Serial connection (4x BTSs with twoTRX each)

Alternatives for Connecting the BTS to the BSC

• Line resources on the Abis-interface usually not used efficiently

• As a BTS, typically, has only a few TRXs resulting small traffic volume capability

• Consequently, the line between the BTS and the BSC used only to a fraction of its capacity

• Star configuration- a case of a BTS with four TRXs, in which only 47% of the 2 Mbps actually needed

• Shaded areas mark the unused channels. • For BTS with only one TRX, value goes down to 16%• Such waste of resources has a historical background

Alternatives for Connecting the BTS to the BSC

• GSM specifications allows for a BTS to have up to 16 TRXs• Since a single 2-Mbps link able to support only up to 10 TRXs incl

O&M signaling• So two 2-Mbps links req to connect such a BTS to the BSC• Even fewer resources req on the Abis-interface for a BTS with a

smaller number of TRXs • Remaining resources cannot easily be used• Practically- optimum for a BTS is in the range of one to four TRXs• This compromise reflects parameters :

– Capacity: How many traffic and signalling channels does a BTS need to provide, on average and during busy hours to avoid overload

– Available frequency range: What is the minimum distance between BTSs after which frequencies can be reused

Alternatives for Connecting the BTS to the BSC

• N/W operators worldwide-bad experiences particularly with the latter point• With the Introduction of Digital radio it was assumed that ACI and CCI

impact will reduce • However, the assumption was soon proved wrong as more and more

interference problems b/w BTSs degraded the QoS• Hence, in urban areas use more cells with fewer TRXs and smaller output

power rather fewer cells with more TRXs and high output power• Such a configuration req a larger no of BTSs to cover any given area• Connecting larger no of BTSs to BSCs in turn req a larger no of Abis

interfaces• Serial connection configuration introduced

– Because of above stated trend– High costs of links b/w BTS and BSC – Low efficiency when using such links

BTS Connection in a Serial Configuration

• BTSs connected in a line or a ring topology• Only one BTS, for the line topology or two BTSs,

for the ring topology, physically connected to the BSC

• For network operator, serial approach saves line cost in comparison to star configuration

• Serial connection- more efficient use of when co located or sectored BTSs used

• Disadvantage- a single link failure causes loss of connection to a large number of BTSs

BTS Connection in a Serial & Star Configuration

Signaling on the Abis-Interface

OSI Protocol Stack on the Abis-Interface• Abis-interface utilizes Layers 1 through 3 of the

OSI protocol stack• Layer 1 forms the D-channel• LAPD is in Layer 2• Layer 3 is divided into

– TRX management (TRXM) – Common channel management (CCM)– Radio link management (RLM)– Dedicated channel management (DCM)

OSI Protocol Stack on the Abis Interface

D channel (data) is a telecommunications term which refers to the ISDN channel in which the control and signalling information is carried.

Radio Link Layer Management (RLM): Procedures to establish, modify and release connection of link layer (LAPDm) to MS at the air interface Um.

Dedicated Channel Management (DCM): Procedures to start ciphering, transfer of channel measurement reports of a MS, transmitter power control of MS and BTS e.t.c

Common Channel Management (CCM): Procedure for transferring channel requests from MS (received on RACH), modification of BCCH broadcast information, channel assignment to MS e.t.c

TRX management (TRXM): Procedure for the transfer of measurement of free traffic channels of a TRX to the BSC e.t.c.

Four groups of Layer 3, Traffic management messages