3 gsm communication flow

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved www.huawei.com Internal GSM Communication Flow GBSS Training Team

Upload: varinz

Post on 09-Nov-2015

After the completion of this course, the trainees should understand the following contents:
GSM security management
PLMNs need a higher level of protection than traditional telecommunication networks. Therefore, to protect GSM systems, the following security functions have been defined:
Subscriber authentication: By performing authentication, the network ensures that no unauthorized users can access the network, including those that are attempting to impersonate others.
Radio information ciphering: The information sent between the network and an MS is ciphered. An MS can only decipher information intended for itself.
Mobile equipment identification: Because the subscriber and equipment are separate in GSM, it is necessary to have a separate authentication process for the MS equipment. This ensures, for example, that a mobile terminal that has been stolen is not able to access the network.
Subscriber identity confidentiality: During communication with an MS over a radio link, it is desirable that the real identity (IMSI) of the MS is not always transmitted. Instead a temporary identity (TMSI) can be used. This helps to avoid subscription fraud.
The AUC and EIR are involved in the first three of the above features, while the last is handled by MSC/VLRs.
GSM Security Management
Authentication may be executed during setup, location updating and supplementary services. Authentication is done by AUC.
The primary function of an AUC is to provide information, which is then used by an MSC/VLR to perform subscriber authentication and to establish ciphering procedures on the radio link between the network and MSs. The information provided is called a triplet and consists of:
A non predictable RANDom number (RAND)
A signed RESponse (SRES)
A ciphering key (Kc)
At subscription time, each subscriber is assigned a subscriber authentication Key (Ki). Ki is stored in the AUC along with the subscriber’s IMSI. Both are used in the process of providing a triplet. The same Ki and IMSI are also stored in the SIM. In an AUC the following steps are carried out to produce one triplet:
1. A non-predictable random number, RAND, is generated.
2. RAND and Ki are used to calculate SRES and Kc, using two different algorithms, A3 and A8 respectively.
3. RAND, SRES and Kc are delivered together to the HLR as a triplet.
RAND - Random number
1. The MSC/VLR transmits the RAND to the MS.
2. The MS computes the signature SRES using RAND and the subscriber authentication key (Ki) through the A3 algorithm.
3. The MS computes the Kc by using Ki and RAND through the A8 algorithm. Kc will thereafter be used for ciphering and deciphering in the MS.
4. The signature SRES is sent back to the MSC/VLR, which performs authentication by checking whether the SRES from the MS and the SRES from the AUC match. If so, the subscriber is permitted to use the network. If not, the subscriber is barred from network access.
[Figure: Authentication Procedure, performed at each registration. 1. MSC/VLR sends RAND to the MS. 2. MS calculates SRES using RAND + Ki (SIM card) through A3 and Kc using RAND + Ki through A8. 3. MS returns SRES. 4. MSC/VLR compares SRES received from MS with SRES in triplet; if they are equal, access is granted.]
Confidentiality means that user information and signaling exchanged between BTSs and MSs is not disclosed to unauthorized individuals, entities or processes.
A ciphering sequence is produced using Kc and the TDMA frame number as inputs to the encryption algorithm A5. The purpose of this is to ensure privacy of user information (speech and data) as well as user-related signaling elements.
In order to test the ciphering procedure some sample of information must be used. For this purpose the actual ciphering mode command (M) is used.
1. M and Kc are sent from the MSC/VLR to the BTS.
2. M is forwarded to the MS.
3. M is encrypted using Kc (calculated earlier with SRES in the authentication procedure) and the TDMA frame number which are fed through the encryption algorithm, A5.
4. The encrypted message is sent to the BTS.
5. Encrypted M is decrypted in the BTS using Kc, the TDMA frame number and the decryption algorithm, A5.
6. If the decryption of M was successful, the ciphering mode completed message is sent to the MSC. All information over the air interface is ciphered from this point on.
[Figure: Ciphering Procedure. Legend: M = Ciphering Mode Command; M’ = Ciphering Mode Complete; Kc = ciphering key; VLR = Visitor Location Register. Decision branch label: "If yes".]
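The triplet generation, SRES comparison and ciphering test described above, as an added example that is not part of the original slides. A3, A8 and A5 are replaced by HMAC-SHA256 and SHAKE-256 stand-ins (assumptions, not the GSM algorithms); all function names and the sample Ki and M values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# A3/A8 run only in the AUC and the SIM. HMAC-SHA256 is a stand-in here,
# NOT the real algorithms; only the output sizes match GSM.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc

def auc_make_triplet(ki: bytes):
    """AUC side: generate RAND, derive SRES and Kc, return the triplet."""
    rand = secrets.token_bytes(16)            # 128-bit non-predictable RAND
    return rand, a3_sres(ki, rand), a8_kc(ki, rand)

def sim_respond(ki: bytes, rand: bytes):
    """MS/SIM side: compute SRES (sent back) and Kc (kept for ciphering)."""
    return a3_sres(ki, rand), a8_kc(ki, rand)

def vlr_check(triplet_sres: bytes, ms_sres: bytes) -> bool:
    """MSC/VLR side: compare the two SRES values in constant time."""
    return hmac.compare_digest(triplet_sres, ms_sres)

def a5_stand_in(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """XOR data with a keystream derived from Kc and the TDMA frame number.
    Stand-in for A5; symmetric, so the same call encrypts and decrypts."""
    ks = hashlib.shake_256(kc + frame_no.to_bytes(4, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def run_registration(sim_ki: bytes, auc_ki: bytes, frame_no: int = 1234) -> str:
    rand, sres, kc_net = auc_make_triplet(auc_ki)       # triplet reaches MSC/VLR
    ms_sres, kc_ms = sim_respond(sim_ki, rand)          # only RAND went to the MS
    if not vlr_check(sres, ms_sres):
        return "barred"
    m = b"CIPHERING MODE COMMAND"                       # constructed sample for M
    from_ms = a5_stand_in(kc_ms, frame_no, m)           # MS encrypts M
    ok = a5_stand_in(kc_net, frame_no, from_ms) == m    # BTS decrypts with Kc
    return "ciphering on" if ok else "ciphering failed"

if __name__ == "__main__":
    ki = secrets.token_bytes(16)                        # constructed 128-bit Ki
    print(run_registration(ki, ki))                     # genuine SIM
    print(run_registration(secrets.token_bytes(16), ki))  # SIM with a different Ki
```

Ki is never passed between the network elements in this flow: the MSC/VLR only handles RAND, SRES and Kc, and only RAND and SRES cross the radio link.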
(TMSI)
The Temporary Mobile Subscriber Identity (TMSI) is a temporary IMSI number made known to an MS at registration. It is used to protect the subscriber’s identity on the air interface. The TMSI has local significance only (that is, within the MSC/VLR area) and is changed at time intervals or when certain events occur, such as location updating. Every operator can choose the TMSI structure, but it should not consist of more than 8 digits.
The equipment identification procedure uses the identity of the equipment itself (IMEI) to ensure that the MS terminal equipment is valid.
1. The MSC/VLR requests the IMEI from the MS.
2. MS sends IMEI to MSC.
3. MSC/VLR sends IMEI to EIR.
4. On reception of IMEI, the EIR examines three lists:
A white list containing all number series of all equipment identities that have been allocated in the different participating GSM countries.
A black list containing all equipment identities that have been barred.
A gray list (on operator level) containing faulty or non-approved mobile equipment.
5. The result is sent to MSC/VLR, which then decides whether or not to allow network access for the terminal equipment.
GSM Basic Call Sequence
The processes for the calling MS and the called MS are two independent flows. The calling party's flow begins with the channel request and ends with TCH assignment completion. In general, it includes the following stages: access process, authentication and ciphering process, and TCH assignment process. We take the mobile-to-land sequence as the example and focus mainly on the calling party.
GSM Basic Call Sequence
For the called party, the flow begins when the MSC sends the paging command to the called party and ends when the two parties start to talk. In general, this call flow includes several stages: access process, authentication and ciphering process, TCH assignment process, talk process and release process.
Land to Mobile Sequence
[Figure: land-to-mobile call sequence. Recoverable labels: Call Setup; Page / Paging Request; ringing stops at land phone; subscriber picks up.]
Normal Location Update
The MS reads the LAI broadcast on the BCCH.
It compares this with the last stored LAI and, if it is different, does a location update.
IMSI Attach
Saves the network from paging an MS which is not active in the system.
When the MS is turned off or the SIM is removed, the MS sends a detach signal to the network. It is marked as detached.
When the MS is powered on again, it reads the current LAI and, if it is the same, does a location update of type IMSI attach.
The attach/detach flag is broadcast on the BCCH sys info.
Periodic Location Update
Many times the MS enters a non-coverage zone.
The MSC will keep on paging the MS, thus wasting precious resources.
To avoid this, the MS has to inform the MSC about its current LAI in a set period of time.
This time ranges from 0 to 255 deci-hours.
The periodic location timer value is broadcast on BCCH sys info messages.
Location Update
Intra-VLR Location Update Sequence
Inter-VLR Location Update Sequence
[Figure: Intra-VLR Location Update Sequence. Recoverable labels: SDCCH; TMSI; HLR. Note on the HLR leg: only sent to HLR if this is the first time the MS has Location Updated in this VLR.]
MO SMS Transfer
MT SMS Transfer
[Figure: SMS transfer sequences between MS, Servicing MSC, VLR, HLR, Gateway MSC and SC.]
3. Location Update Sequence