um interface lesson

7/29/2019 Um Interface Lesson

http://slidepdf.com/reader/full/um-interface-lesson 1/12

Um Interface

From Wikipedia, the free encyclopedia

The Um Interface is the air interface for the GSM mobile telephone standard. It is the interface between the

mobile station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog tothe U interface of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also

support GPRS packet-oriented communication.

Contents

1 Um layers

1.1 Physical Layer (L1)

1.1.1 Radiomodem

1.1.2 Multiplexing and timing

1.1.3 Coding

1.2 Data Link Layer (L2)

1.3 Network Layer (L3)

2 Um logical channels

2.1 Traffic channels (TCH)

2.1.1 Full-rate channels (TCH/F)

2.1.2 Half-rate channels (TCH/H)

2.2 Dedicated Control Channels (DCCHs)

2.2.1 Standalone Dedicated Control Channel (SDCCH)2.2.2 Fast Associated Control Channel (FACCH)

2.2.3 Slow Associated Control Channel (SACCH)

2.3 Non-Dedicated Control Channels (NDCCHs)

2.3.1 Broadcast Control Channel (BCCH)

2.3.2 Synchronization Channel (SCH)

2.3.3 Frequency Correction Channel (FCCH)

2.3.4 Common Control Channel (CCCH)

2.3.5 Random Access Channel (RACH)

2.4 Allowed channel combinations

3 Fundamental Um Transactions

3.1 Radio Channel Establishment

3.2 Location updating

3.3 Mobile-Originating Call (MOC) establishment

3.4 Mobile-Terminating Call (MTC) establishment

3.5 Call clearing

4 SMS Transfer on Um

4.1 Mobile-Originated SMS (MO-SMS)

4.2 Mobile-Terminated SMS (MT-SMS)

5 Um Security Features5.1 Authentication of Subscribers

5.2 Um Encryption

5.3 Anonymization of Subscribers

Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface

12 9/24/2009 2:58 PM



6 See also

7 Further reading

8 External links

Um layers

The layers of GSM are initially defined in GSM 04.01 Section 7 and roughly follow the OSI model. Um is

defined in the lower three layers of the model.

Physical Layer (L1)

Main article: Physical Layer

The Um physical layer is defined in the GSM 05.xx series of specifications, with the introduction and

overview in GSM 05.01. For most channels, Um L1 transmits and receives 184-bit control frames or 260-bit

vocoder frames over the radio interface in 148-bit bursts with one burst per timeslot. There are three

sublayers:

Radiomodem. This is the actual radio transceiver, defined in largely in GSM 05.04 and 05.05.1.

Multiplexing and Timing. GSM uses TDMA to subdivide each radio channel into as many as 16 traffic

channels or as many as 64 control channels. The multiplexing patterns are defined in GSM 05.02.

2.

Coding. This sublayer is defined on GSM 05.03.3.

Radiomodem

GSM uses GMSK or EDGE modulation with a 13/48 MHz (270.833 kHz) symbol rate and a channel spacing

of 200 kHz. Since adjacent channels overlap, the standard does not allow adjacent channels to be used in thesame cell. The standard defines several bands ranging from 400 MHz to 1990 MHz. Uplink and downlink

bands are generally separated by 45 or 50 MHz. Uplink/downlink channel pairs are identified by an index

called the ARFCN. Within the BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0

designated as a Beacon Channel and always operated at constant power.

The channel is time-multiplexed into 8 timeslots, each with a duration of 156.25 symbol periods. These 8

timeslots form a frame of 1,250 symbol periods. The capacity associated with a single timeslot on a single

ARFCN is called a physical channel (PCH) and referred to as "CnTm" where n is a carrier index and m is a

timeslot index (0-7).

Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble

(or training sequence). The lengths of these fields vary with the burst type but the total burst length is 156.25

symbol periods. The most commonly used burst is the Normal Burst (NB). The fields of the NB are:

8.25 3 57 1 26 1 57 3

Guard

period

Tail

bitsPayload

Stealing

bitMidamble

Stealing

bitPayload

Tail

bits

Guard period8.25-symbols at the start of the burst

Midamble

26-bits for equalizer training at the center of the burst


12 9/24/2009 2:58 PM



"Stealing bits"

each side of the midamble, used to distinguish control and traffic payloads

Payload

two 57-bit fields, symmetric about the burst

Tail bits

3-bit field, at each end of the burst

There are several other burst formats, though. Bursts that require higher processing gain for signal

acquisition have longer midambles. The random access burst (RACH) has an extended guard period to allow

it to be transmitted with incomplete timing acquisition. Burst formats are described in GSM 05.02 Section

5.2.

Multiplexing and timing

Each physical channel is time-multiplexed into multiple logical channels according to the rules of GSM

05.02. Traffic channel multiplexing follows a 26-frame (0.12 second) cycle called a "multiframe". Control

channels follow a 51-frame multiframe cycle. The C0T0 physical channel carries the SCH, which encodes

the timing state of the BTS to facilitate synchronization to the TDMA pattern.

GSM timing is driven by the serving BTS through the SCH and FCCH. All clocks in the handset, including

the symbol clock and local oscillator, are slaved to signals received from the BTS, as described in GSM

05.10. BTSs in the GSM network can be asynchronous and all timing requirements in the GSM standard can

be derived from a stratum-3 OCXO.

Coding

The coding sublayer provides forward error correction. As a general rule, each GSM channel uses a block

parity code (usually a Fire code), a rate-1/2, 4th-order convolutional code and a 4-burst or 8-burst

interleaver. Notable exceptions are the synchronization channel (SCH) and random access channel (RACH)that use single-burst transmissions and thus have no interleavers. For speech channels, vocoder bits are

sorted into importance classes with different degrees of encoding protection applied to each class (GSM

05.03).

Both 260-bit vocoder frames and 184-bit L2 control frames are coded into 456 bit L1 frames. On channels

with 4-burst interleaving (BCCH, CCCH, SDCCH, SACCH), these 456 bits are interleaved in to 4 radio

bursts with 114 payload bits per burst. On channels with 8-burst interleaving (TCH, FACCH), these 456 bits

are interleaved over 8 radio bursts so that each radio burst carries 57 bits from the current L1 frame and 57

bits from the previous L1 frame. Interleaving algorithms for the most common traffic and control channels

are described in GSM 05.03 Sections 3.1.3, 3.2.3 and 4.1.4.

Data Link Layer (L2)

Main article: Data Link Layer

The Um data link layer is defined in GSM 04.05 and 04.06. It is called LAPDm and is the mobile analog to

LAPD. Like LAPD, LAPDm is derived from HDLC, but with these simplifications:

LAPDm frames are always 184 bits, with segmentation for larger messages.

LAPDm allows no more than one outstanding unacknowledged I-frame (GSM 04.06 Sections 5.8.4

and 6).LAPDm does not support extended header formats (GSM 04.06 Section 3).

LAPDm supports only the SABM, DISC, DM, UI and UA U-Frames (GSM 04.06 Sections 3.4, 3.8.1).

LAPDm supports the RR and REJ S-Frames (GSM 04.06 3.4, 3.8.1), but not RNR (GSM 04.06

Sections 3.8.7 and 6).


12 9/24/2009 2:58 PM



LAPDm has just one internal timer, T200 (GSM 04.06 5.8).

LAPDm supports only one terminal endpoint, whose TEI is implied.

The BTS is always able to enter asynchronous balanced mode when requested.

LAPDm can never be in a recevier-not-ready condition (GSM 04.06 Section 3.8.7).

LAPDm supports only two SAPs: SAP3 for SMS and SAP0 for everything else (GSM 04.06 Sections

3.3.3 and 6).

In SAP0, asynchronous balanced mode is always initiated by the MS (GSM 04.06 Sections 5.4.1.1 and

6).

Another important difference between LAPDm and LAPD is the establishment resolution procedure of

GSM 04.06 Section 5.4.1.4, wherein the MS sends an L3 message in the information field of the SABM

frame which is then echoed back by the BTS in the corresponding UA frame.

Network Layer (L3)

Main article: Network Layer

Um L3 is defined in GSM 04.07 and 04.08 and has three sublayers. A subscriber terminal must establish a

connection in each sublayer before accessing the next higher sublayer.

Radio Resource (RR). This sublayer manages the assignment and release of logical channels on the

radio link. It is normally terminated in the BSC.

1.

Mobility Management (MM). This sublayer authenticates users and tracks their movements from cell

to cell. It is normally terminated in the VLR or HLR.

2.

Call Control (CC). This sublayer connects telephone calls and is taken directly from ITU-T Q.931.

GSM 04.08 Annex E provides a table of corresponding paragraphs in GSM 04.08 and ITU-T Q.931

along with a summary of differences between the two. The CC sublayer is terminated in the MSC.

3.

The access order is RR, MM, CC. The release order is the reverse of that. Note that none of these sublayers

terminate in the BTS itself. The standard GSM BTS operates only in layers 1 and 2.

Um logical channels

Um logical channel types are outlined in GSM 04.03. Broadly speaking, non-GRPS Um logical channels fall

into three categories: traffic channels, dedicated control channels and non-dedicated control channels.

Traffic channels (TCH)

These point-to-point channels correspond to the ISDN B channel and are referred to as Bm channels.

Traffic channels use 8-burst diagonal interleaving with a new block starting on every fourth burst and any

given burst containing bits from two different traffic frames. This interleaving pattern makes the TCH robust

against single-burst fades since the loss of a single burst destroys only 1/8 of the frame's channel bits. The

coding of a traffic channel is dependent on the traffic or vocoder type employed, with most coders capable

of overcoming single-burst losses. All traffic channels use a 26-multiframe TDMA structure.

Full-rate channels (TCH/F)

A GSM full rate channel uses 24 frames out of a 26-multiframe. The channel bit rate of a full-rate GSM

channel is 22.7 kbit/s, although the actual payload data rate is 9.6-14 kbit/s, depending on the channel

coding. This channel is normally used with the GSM 06.10 Full Rate, GSM 06.60 Enhanced Full Rate or GSM 06.90 Adaptive Multi-Rate speech codec. It can also be used for fax and Circuit Switched Data.

Half-rate channels (TCH/H)


12 9/24/2009 2:58 PM



A GSM half rate channel uses 12 frames out of a 26-multiframe. The channel bit rate of a half-rate GSM

channel is 11.4 kbit/s, although the actual data capacity is 4.8-7 kbit/s, depending on the channel coding.

This channel is normally used with the GSM 06.20 Half Rate or GSM 06.90 Adaptive Multi-Rate speech

codec.

Dedicated Control Channels (DCCHs)

These point-to-point channels correspond to the ISDN D channel and are referred to as Dm channels.

Standalone Dedicated Control Channel (SDCCH)

The SDCCH is used for most short transactions, including initial call setup step, registration and SMS

transfer. It has a payload data rate of 0.8 kbit/s. Up to eight SDCCHs can be time-multiplexed onto a single

physical channel. The SDCCH uses 4-burst block interleaving in a 51-multiframe.

Fast Associated Control Channel (FACCH)

The FACCH is always paired with a traffic channel. The FACCH is a blank-and-burst channel that operates by stealing bursts from its associated traffic channel. Bursts that carry FACCH data are distinguished from

traffic bursts by stealing bits at each end of the midamble. The FACCH is used for in-call signaling,

including call disconnect, handover and the later stages of call setup. It has a payload data rate of 9.2 kbit/s

when paired with a full-rate channel (FACCH/F) and 4.6 kbit/s when paired with a half-rate channel

(FACCH/H). The FACCH uses the same interleaving and multiframe structure as its host TCH.

Slow Associated Control Channel (SACCH)

Every SDCCH or FACCH also has an associated SACCH. Its normal function is to carry system information

messages 5 and 6 on the downlink, carry receiver measurement reports on the uplink and to performclosed-loop power and timing control. Closed loop timing and power control are performed with a physical

header at the start of each L1 frame. This 16-bit physical header carries actual power and timing advance

settings in the uplink and ordered power and timing values in the downlink. The SACCH can also be used for

in-call delivery of SMS. It has a payload data rate of 0.2-0.4 kbit/s, depending on the channel with which it is

associated. The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or

SDCCH.

Non-Dedicated Control Channels (NDCCHs)

These are unicast and broadcast channels that do not have analogs in ISDN. These channels are used almost

exclusively for radio resource management. The CCCH and RACH together form the medium access

mechanism for Um.

Broadcast Control Channel (BCCH)

The BCCH carries a repeating pattern of system information messages that describe the identity,

configuration and available features of the BTS. BCCH brings the measurement reports it bring the

information about LAI And CGI BCCH frequency are fixed in BTS

Synchronization Channel (SCH)

The SCH transmits a Base station identity code and the current value of the TDMA clock.

Frequency Correction Channel (FCCH)


12 9/24/2009 2:58 PM



The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local

oscillator.

Common Control Channel (CCCH)

The CCCH is a downlink unicast channel that carries paging requests and channel assignment messages

(specifically, immediate assignment messages). The CCCH is subdivided into the paging channel (PCH) and

access grant channel (AGCH). A mobile station that is camped to a BTS monitors the PCH for servicenotifications from the network. The CCCH is the GSM predecessor to the Common Control Physical

Channel in UMTS.

Random Access Channel (RACH)

The RACH is the uplink counterpart to the CCCH. The RACH is a shared channel on which the mobile

stations transmit random access bursts to request channel assignments from the BTS.

Allowed channel combinations

The multiplexing rules of GSM 05.02 allow only certain combinations of logical channels to share a physical

channel. The allowed combinations for single-slot systems are listed in GSM 05.02 Section 6.4.1.

Additionally, only certain of these combinations are allowed on certain timeslots or carriers and only certain

sets of combinations can coexist in a given BTS. These restrictions are intended to exclude non-sensical BTS

configurations and are described in GSM 05.02 Section 6.5.

The most common combinations are:

Combination I: TCH/F + FACCH/F + SACCH. This combination is used for full rate traffic. It can be

used anywhere but C0T0.

Combination II: TCH/H + FACCH/H + SACCH. This combination is used for half rate traffic whenonly one channel is needed. It can be used anywhere but C0T0.

Combination III: 2 TCH/H + 2 FACCH/H + 2 SACCH. This combination is used for half rate traffic.

It can be used anywhere but C0T0.

Combination IV: FCCH + SCH + BCCH + CCCH. This is the standard C0T0 combination for

medium and large cells. It can be used only on C0T0.

Combination V: FCCH + SCH + BCCH + CCCH + 4 SDCCH + 4 SACCH. This is the typical C0T0

combination for small cells, which allows the BTS to trade unnecessary CCCH capacity for a pool of 4

SDCCHs. It can be used only on C0T0.

Combination VI: BCCH + CCCH. This combination is used to provide additional CCCH capacity in

large cells. It can be used on C0T2, C0T4 or C0T6.

Combination VII: 8 SDCCH + 8 SACCH. This combination is used to provide additional SDCCH

capacity in medium and large cells. It can be used anywhere but C0T0.

Fundamental Um Transactions

Basic speech service in GSM requires five transactions: radio channel establishment, location update,

mobile-originating call establishment, mobile-terminating call establishment and call clearing. All of these

transactions are described in GSM 04.08 Sections 3-7.

Radio Channel Establishment

Unlike ISDN's U channel, Um channels are not hard-wired, so the Um interface requires a mechanism for

establishing and assigning a dedicated channel prior to any other transaction. The Um radio resource

establishment procedure is defined in GSM 04.08 Section 3.3 and this is the basic medium access procedure


12 9/24/2009 2:58 PM



for Um. This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared

uplink. In the simplest form, the steps of the transaction are:

Paging. The network sends a RR Raging Request message (GSM 04.08 Sections 9.1.22-9.1.23) over

the PCH, using the subscriber's IMSI or TMSI as an address. GSM does not allow paging by IMEI

(GSM 04.08 Section 10.5.1.4). This paging step occurs only if the transaction initiated by the network.

1.

Random Access. The mobile station sends a burst on the RACH. This burst encodes an 8-bit

transaction tag and the BSIC of the serving BTS. A variable number of most-significant bits in the tag

encode the reason for the access request, with the remaining bits chosen randomly. In L3, this tag is

presented as the RR Channel Request message (GSM 04.08 9.1.8). The mobile also records the

TDMA clock state at the time the RACH burst is transmitted. In cases where the transaction is

initiated by the MS, this is first step.

2.

Assignment. On the AGCH, the network sends the RR Immediate Assignment message (GSM 04.08

Section 9.1.18) for a dedicated channel, usually an SDCCH. This message is addressed to the MS by

inclusion of the 8-bit tag from the corresponding RACH burst and a time-stamp indicating the TMDA

clock state when the RACH burst was received. If no dedicated channel is available for assignment,

the BTS can instead respond with the RR Immediate Assignment Reject message, which is similarly

addressed and contains a hold-off time for the next access attempt. Emergency callers receiving the

reject message are not subject to the hold-off and may retry immediately.

3.

Retry. If the RACH burst of step 2 is not answered with an assignment or assignment reject in step 3

within a given timeout period (usually on the order of 0.5 second), the handset will repeat step 2 after

a small random delay. This cycle may be repeated 6-8 times before the MS aborts the access attempt.

4.

Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same

time in step 2. If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio

signals will not be demodulable and both MSs will move to step 4. However, if there is a sufficient difference

in power, the BTS will see and answer the more powerful RACH burst. Both MSs will receive and respond

to the resulting channel assignment in step 3. To insure recovery from this condition, Um uses a "contention

resolution procedure" in L2, described in GSM 04.06 5.4.1.4 in which the first L3 message frame from the

MS, which always contains some form of mobile ID, is echoed back to the MS for verification.

Location updating

The location updating procedure is defined in GSM 04.08 Sections 4.4.1 and 7.3.1. This procedure normally

is performed when the MS powers up or enters a new Location area but may also be performed at other

times as described in the specifications. In its minimal form, the steps of the transaction are:

The MS and BTS perform the radio channel establishment procedure.1.

On the newly established dedicated channel, the MS sends the MM Location Updating Request

message containing either an IMSI or TMSI. The message also implies connection establishment in theMM sublayer.

2.

The network verifies the mobile identity in the HLR or VLR and responds with the MM Location

Updating Accept message.

3.

The network closes the Dm channel by sending the RR Channel Release message.4.

There are many possible elaborations on this transaction, including:

authentication

ciphering

TMSI assignment

queries for other identity typeslocation updating reject

Mobile-Originating Call (MOC) establishment


12 9/24/2009 2:58 PM



This is the transaction for an outgoing call from the MS, defined in GSM 04.08 Sections 5.2.1 and 7.3.2 but

taken largely from ISDN Q.931. In the its simplest form, the steps of the transaction are:

The MS initiates the radio channel establishment procedure and is assigned to a Dm channel, usually

an SDCCH. This establishes the connection in the L3 RR sublayer.

1.

The first message sent on the new Dm is the MM Connection Mode service Request, sent by the MS.

This message contains a subscriber ID (IMSI or TMSI) and a description of the requested service, in

this case MOC.

2.

The network verifies the subscriber's provisioning in the HLR and responds with the MM Connection

Mode Service Accept message. This establishes the connection in the L3 MM sublayer. (This is a

simplification. In most networks MM establishment is performed with authentication and ciphering

transactions at this point.)

3.

The MS sends the CC Setup message, which contains the called party number.4.

Assuming the called party number is valid, network response with the CC Call Proceeding message.5.

The network sends an RR Assignment message to move the transaction off of the SDCCH and onto a

TCH+FACCH.

6.

Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the

RR Assignment Complete message. From this point on, all control transactions are on the FACCH.

7.

When alerting is verified at the called destination, the network sends the CC Alerting message.8.When the called party answers, the network sends the CC Connect message.9.

The MS response with the CC Connect Acknowledge message. At this point, the call is active.10.

The TCH+FACCH assignment can occur at any time during the transaction, depending on the configuration

of the network. There are three common approaches:

Early Assignment. The network assigns the TCH+FACCH after sending CC Call Proceeding and

completes call setup on the FACCH. This allows the use of in-band patterns (like the ringing or busy

patterns) generated by the network. This is the example shown.

Late Assignment. The network does not assign the TCH+FACCH until after alerting has started. This

forces the MS itself to generate the patterns locally since the TCH does not yet exist to carry thesound.

Very Early Assignment. The network makes an immediate assignment to the TCH+FACCH in the

initial RR establishment and performs the entire transaction on the FACCH. The SDCCH is not used.

Because immediate assignment starts the FACCH in a signaling-only mode, the network must send the

RR Channel Mode Modify message at some point to enable the TCH part of the channel.

Mobile-Terminating Call (MTC) establishment

This is the transaction for an incoming call to the MS, defined in GSM 04.08 Sections 5.2.2 and 7.3.3, but

taken largely from ISDN Q.931.

The network initiates the radio channel establishment procedure and assigns the MS to a Dm channel,

usually an SDCCH. This establishes the connection in the L3 RR sublayer.

1.

The MS sends the first message on the new Dm, which is the RR Paging Response message. This

message contains a mobile identity (IMSI or TMSI) and also implies a connection attempt in the MM

sublayer.

2.

The network verifies the subscriber in the HLR and verifies that the MS was indeed paged for service.

The network can initiate authentication and ciphering at this point, but in the simplest case the

network can just send the CC Setup message to initiate Q.931-style call control.

3.

The MS responds with CC Call Confirmed.4.

The network sends an RR Assignment message to move the transaction off of the SDCCH and onto aTCH+FACCH.

5.

Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the

RR Assignment Complete message. From this point on, all control transactions are on the FACCH.

6.

The MS starts alerting (ringing, etc.) and sends the CC Alerting message to the network.7.


12 9/24/2009 2:58 PM



When the subscriber answers, the MS sends the CC Connect message to the network.8.

The network response with the CC Connect Acknowledge message. At this point, the call is active.9.

As in the MOC, the TCH+FACCH assignment can happen at any time, with the three common techniques

being early, late and very early assignment.

Call clearing

The transaction for clearing a call is defined in GSM 04.08 Sections 5.4 and 7.3.4. This transaction is the

same whether initiated by the MS or the network, the only difference being a reversal of roles. This

transaction is taken from Q.931.

Party A sends the CC Disconnect message.1.

Party B responds with the CC Release message.2.

Party A responds with the CC Release Complete message.3.

The network releases the RR connection with the RR Channel Release message. This always comes

from the network, regardless of which party initiated the clearing procedure.

4.

SMS Transfer on Um

GSM 04.11 and 03.40 define SMS in five layers:

L1 is taken from the Dm channel type used, either SDCCH or SACCH. This layer terminates in the

BSC.

1.

L2 is normally LAPDm, although GPRS-attached devices may use Logical link control (LLC, GSM

04.64). In LAPDm SMS uses SAP3. This layer terminates in the BSC.

2.

L3, the connection layer, defined in GSM 04.11 Section 5. This layer terminates in the MSC.3.

L4, the relay layer, defined in GSM 04.11 Section 6. This layer terminates in the MSC.4.

L5, the transfer layer, defined in GSM 03.40. This layer terminates in the SMSC.5.

As a general rule, every message transferred in L(n) requires both a transfer and an acknowledgment on

L(n-1). Only L1-L4 are visible on Um.

Mobile-Originated SMS (MO-SMS)

The transaction steps for MO-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest

case, error-free delivery outside of an established call, the transaction sequence is:

The MS establishes an SDCCH using the standard RR establishment procedure.1.

The MS sends a CM Service Request,2.The MS initiates multiframe mode in SAP3 with the normal LAPDm SABM procedure.3.

The MS sends a CP-DATA message (L3, GSM 04.11 Section 7.2.1), which carries an RP-DATA

message (L4, GMS 04.11 Section 7.3.1) in its RPDU.

4.

The network responds with a CP-ACK message (L3, GSM 04.11 Section 7.2.2).5.

The network delivers the RDPU to the MSC.6.

The MSC responds with an RP-ACK message (L4, GSM 04.11 Section 7.3.3).7.

The network sends a CP-DATA message to the MS, carrying the RP-ACK payload in its RPDU.8.

The MS responds with a CP-ACK message.9.

The network releases the SDCCH with the RR Channel Release message. This implies a closure of the

MM sublayer and triggers the release of L2 and L1.

10.

Mobile-Terminated SMS (MT-SMS)

The transaction steps for MT-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest


12 9/24/2009 2:58 PM



case, error-free delivery outside of an established call, the transaction sequence is:

The network pages the MS with the standard paging procedure.1.

The MS establishes an SDCCH using the standard RR paging response procedure, which implies a CC

sublayer connection.

2.

The network initiates multiframe mode in SAP3.3.

The network sends the RP-DATA message as the RPDU in a CP-DATA message.4.

The MS responds with the CP-ACK message.5.

The MS processes the RPDU.6.

The MS sends a CP-DATA message to the network containing an RP-ACK message in the RPDU.7.

The network responds with a CP-ACK message.8.

The network releases the SDCCH with the RR Channel Release message. This implies a closure of the

MM sublayer and triggers the release of L2 and L1.

9.

Um Security Features

GSM 02.09 defines the following security features on Um:

authentication of subscribers by the network,encryption on the channel,

anonymization of transactions (at least partially)

Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security

feature but has the practical effect of adding significant complexity to passive interception of the Um link.

Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki

are held in the SIM and in the Authentication Center (AuC), a component of the HLR. Ki is never

transmitted across Um. An important and well-know shortcoming of GSM security is that it does not provide

a means for subscribers to authenticate the network. This oversight allows for false basestation attacks,such as those implemented in an IMSI catcher.

Authentication of Subscribers

The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and

summarized here:

The network generates a 128 bit random value, RAND.1.

The network sends RAND to the MS in the MM Authentication Request message.2.

The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm called A3,

using Ki as a key. SRES = A3(RAND,Ki). The network performs an identical SRES calculation.

3.

The MS sends back its SRES value in the RR Authentication Response message.4.

The network compares its calculated SRES value to the value returned by the MS. If they match, the

MS is authenticated.

5.

Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and Ki using the

A8 algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use when ciphering is

enabled.

6.

Note that this transaction always occurs in the clear, since the ciphering key is not established until after the

transaction is started.

Um Encryption

GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio

bursts, at a very low level in L1, after forward error correction coding is applied. This is another significant


f 12 9/24/2009 2:58 PM



security shortcoming in GSM because:

the intentional redundancy of the convolutional coder reduces the Unicity distance of the encoded

data and

the parity word can be used to verify correct decryption.

A typical GSM transaction also includes LAPDm idle frames at predictable times, affording a Known

plaintext attack.

The GSM ciphering algorithm is called A5. There are four variants of A5 in GSM, only first three of which

are widely deployed:

A5/0—no ciphering at all

A5/1 -- strong(er) ciphering, intended for use in North America and Europe

A5/2 -- weak ciphering, intended for use in other parts of the world

A5/3 -- even stronger ciphering with open design

Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but

ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is

initiated with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The

MS starts ciphering and responds with the RR Ciphering Mode Complete message in ciphertext.

The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GMS 02.09

Section 3.3.3). Support of A5/1 and A5/2 in the MS is mandatory (GSM 02.07 Section 2).

Anonymization of Subscribers

The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the

clear on Um. The TMSI is assigned by the BSC and is only meaningful within specific location area. The

TMSI is assigned by the network with the MM TMSI Reallocation Command, a message that is normally notsent until after ciphering is started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established,

it can be used to anonymize future transactions until the MS moves to another location area. Note that the

subscriber identity must be established before authentication or encryption, so the first transaction in a new

location area must be initiated by transmitting the IMSI in the clear.

See also

OpenBTS

Further reading

M. Boulmalf, S. Akhtar. Performance Evaluation of Operational GSM's Air-Interface (Um)

(http://www.scs.org/getDoc.cfm?id=2090) . UAE University. pp. 4. http://www.scs.org

/getDoc.cfm?id=2090.

External links

3GPP - The current standardization body for GSM with free standards available

(http://www.3gpp.org) .General Packet Radio Service GPRS: Architecture, Protocols, and Air Interface

(http://www.comsoc.org/livepubs/surveys/public/3q99issue/bettstetter.html) .

The GSM Software Project (http://wiki.thc.org/gsm) .

GSM Tutorials (http://www.gsmfordummies.com/index.html) .


f 12 9/24/2009 2:58 PM



This page was last modified on 22 September 2009 at 03:34.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may

apply. See Terms of Use for details.

Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.

Retrieved from "http://en.wikipedia.org/wiki/Um_Interface"

Categories: Global System for Mobile communications


um interface lesson

Documents