advanced security and mobile networks
TRANSCRIPT
W.Buchanan (1)
Uni
t 9: M
obile
Net
wor
ks
Advanced Security and Mobile Networks
W.Buchanan (2)
Uni
t 9: M
obile
Net
wor
ks
GSM/3G TechnologyThe most important mobile network
Software Security
W.Buchanan (3)
Uni
t 9: M
obile
Net
wor
ks
• First generation (1G). First generation mobile phones (1G) had very low transmission rates (typically just a few KB/s),
• Second generation (2G and 2.5G). These are devices improved this to give several hundred KB/s.
• Third generation (3G). These devices give almost workstation network bandwidths (several MBps), which allows for full multimedia transmissions.
Mobile phone technology
W.Buchanan (4)
Uni
t 9: M
obile
Net
wor
ks
GSMnetworkGSM
network
GSMgatewayGSM
gateway
Internet
POTS(Plain Old TelephoneSystem)
POTS(Plain Old TelephoneSystem)
W.Buchanan (5)
Uni
t 9: M
obile
Net
wor
ks
3
2
1
2
1
2
1
3
2
3
1
3
If we wish to setupradio transmittershow many differentradio frequencies dowe need?
W.Buchanan (6)
Uni
t 9: M
obile
Net
wor
ks
3
2
1
2
1
2
1
3
2
Mobile device will continually scan for other frequencies, even when it connects to one (in this case, frequency 3).
Sometimes there mustbe a handover between two cells, if a user moves from one to another, and is still in a call.
3
1
3
W.Buchanan (7)
Uni
t 9: M
obile
Net
wor
ks
GSM-900(900MHz)
GSM-1800(1.8GHz, non-US)Known as DCS
GSM-1900(1.9GHz, US)Known as PCS
Dual-bandphones
GSM uses a mixtureOf TDMA (Time-DivisionMultiple Access) and FDMA(Frequency-Division MultipleAccess)
3G - 1.9-2.1GHz
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7
Control Call 3 Call 1
Channel 1 500ms
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7
Control Call 2
Channel 2
02 - GSM-900, GSM-1800 TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7
T-Mobile Control Call 4: GSM-1800Orange: GSM-900Vodaphone Channel 3.. 124 (for GSM-900): GSM-900, GSM-18003: UMTS (3G) NetworkSitefinder:
W.Buchanan (8)
Uni
t 9: M
obile
Net
wor
ks
Time slot62.5 ms
Call 1
Speech burst is compressed and insertedinto the time slot
Mobile phone networks use RPE/LTP (Regular Pulse Excitation/Long Term Prediction) - which reduces the normal rate from 64kbpsto between 7 and 13 kbps.
W.Buchanan (9)
Uni
t 9: M
obile
Net
wor
ks
24.8 MHz
GSM-900(900MHz)
GSM-900(900MHz)
1 2 124
200 kHz
MUX
Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Call 1
Call 3
DEMUX
Call 1
Call 3
A specific timeslotis reserved for the callon a specific channel
W.Buchanan (10)
Uni
t 9: M
obile
Net
wor
ks
GSM-900(900MHz)
GSM-900(900MHz)Each time slot allows 9.6kbps
MUX
Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Call 1
Call 3
DEMUX
Call 1
Call 3
A specific timeslotis reserved for the callon a specific channel
W.Buchanan (11)
Uni
t 9: M
obile
Net
wor
ks
More than one slot can bereserved (such as 38.4kbps for4 slots)
High-Speed CircuitSwitched Data (HSCSD)
High-Speed CircuitSwitched Data (HSCSD)
MUX
Control
TS0 TS1 TS2 TS3 TS4 TS5
Call 1
TS6 TS7Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Call 1
Call 3
DEMUX
Call 1
Call 3
A specific timeslotis reserved for the callon a specific channel
W.Buchanan (12)
Uni
t 9: M
obile
Net
wor
ks
General Packet RadioSwitch (GPRS) - usesPacket switching rather than Circuit switching
General Packet RadioSwitch (GPRS) - usesPacket switching rather than Circuit switching
Up to 8 time slots can be reservedfor the data packets (~100kbps)
MUX
Control
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7Control
TS0 TS1
Call 3
TS2 TS3 TS4 TS5
Call 1
TS6 TS7
Call 1
Call 3
DEMUX
Call 1
Call 3
A specific timeslotis reserved for the callon a specific channel
W.Buchanan (13)
Uni
t 9: M
obile
Net
wor
ks
Mobile Phone Cells/MastsThere’s one near you! Hopefully
Software Security
W.Buchanan (14)
Uni
t 9: M
obile
Net
wor
ks
From a uni-directional mast theradio power radiates outwards, evenly
Power transmitted is typically defined in dbW:20dBW is 100 W25dbW is 316 W30dBW is 1kW (Power of a microwave oven)
Power Transmitted
W.Buchanan (15)
Uni
t 9: M
obile
Net
wor
ks
Antenna Mast on Blackford Hill
Blackford Hill in Edinburgh is an excellent area for radio communications.
Orange/Hutchison
T-Mobilemast
W.Buchanan (16)
Uni
t 9: M
obile
Net
wor
ks
Operator VodafoneOperator Site Ref. 221Antenna Height 22 m Frequency 900 MHz Transmitter Power 24.68 dBW Maximum power 32 dBW Type GSM
Operator HutchisonOperator Site Ref. EH0071Antenna Height 23 m Frequency 2100 MHz Transmitter Power 25.5 dBW Maximum power 32 dBW Type UMTS
Operator T-MOBILEOperator Site Ref. 97636Antenna Height 30 m Frequency 1800 MHz Transmitter Power 26 dBW Maximum power 32 dBW Type GSM
20dBW is 100 W30dBW is 1kW
W.Buchanan (17)
Uni
t 9: M
obile
Net
wor
ks
Orange mast
O2 mast
Glenlockhart Hill (near Craiglockhart Campus) in Edinburgh is also another excellent area for radio communications.
W.Buchanan (18)
Uni
t 9: M
obile
Net
wor
ks
Operator MMO2Operator Site Ref. 16853Antenna Height 23 m Frequency 900 MHz Transmitter Power 20 dBW Maximum power 32 dBW Type GSM
Operator OrangeOperator Site Ref. LOT0106Antenna Height 25 m Frequency 1800 MHz Transmitter Power 23.7 dBW Maximum power 32 dBW Type GSM
W.Buchanan (19)
Uni
t 9: M
obile
Net
wor
ks
Antenna Mast at Tynecastle Stadium
Tynecastle Stadium offers alocal high-point around Gorgie.
W.Buchanan (20)
Uni
t 9: M
obile
Net
wor
ks
Operator VodafoneOperator Site Ref. 31301Antenna Height 29 m Frequency 900 MHz Transmitter Power 24.15 dBW Maximum power 32 dBW Type GSM
Operator OrangeOperator Site Ref. LOT0053Antenna Height 32 m Frequency 1800 MHz Transmitter Power 22.5 dBW Maximum power 32 dBW Type GSM
Operator HutchisonOperator Site Ref. EH0009
Antenna Height 28 m Frequency 2100 MHz Transmitter Power 26.2 dBW
Maximum power 32 dBW Type UMTS
Antenna Mast at Tynecastle Stadium
W.Buchanan (21)
Uni
t 9: M
obile
Net
wor
ks3G Mast on Blackford Avenue
Power supply and electronics
3G antennaPico cell
3G antenna on Blackford Avenue
Operator HutchisonOperator Site Ref. EH0074Antenna Height 13 m Frequency 2100 MHz Transmitter Power 26.2 dBW Maximum power 32 dBW Type UMTS
Operator MMO2Operator Site Ref. 11578Antenna Height 22 m Frequency 900 MHz Transmitter Power 25 dBW Maximum licensed power 32 dBW Type GSM
W.Buchanan (22)
Uni
t 9: M
obile
Net
wor
ks
3G Mast on Comiston Road
Power supply and electronics
Pico cell
3G antenna
3G antenna on Comiston Road
Operator Hutchison Operator Site Ref. EH0073Antenna Height 11 m Frequency 2100 MHz Transmitter Power 26.2 dBW Maximum power 32 dBW Type UMTS
W.Buchanan (23)
Uni
t 9: M
obile
Net
wor
ks
Operator HutchisonOperator Site Ref. EH0076Antenna Height 13 mFrequency 2100 MHz Transmitter Power 26.2 dBW Maximum power 32 dBW Type UMTS
W.Buchanan (24)
Uni
t 9: M
obile
Net
wor
ks
Ref:http://www.webmap.o2.co.uk/
Cell Name Greenbank CSR 016853Type 900 MACRO
Cell Name: Edinburgh DalryCSR: 017947Type: 900 MACRO
Cell Name: Murrayfield StadiumCSR: 005966Typ: 900 PICO
Cell name: Morningside NorthCSR: 015493Type: 900 MACRO
Cell name: Merchiston SouthCSR: 011586Type: 900 MACRO
Cell name: Gorgie EastCSR: 018669Type: 900 MACRO
MM O2 network around Edinburgh
W.Buchanan (25)
Uni
t 9: M
obile
Net
wor
ks
Cell name:MurrayfieldCSR: 009182Cell type: 900 MACRO
1800 MACRO
Cell name: Blackford Hill
CSR: 011578Cell type: 900 MACRO
1800 MACRO
Ref:http://www.webmap.o2.co.uk/
MM O2 network around Edinburgh
W.Buchanan (26)
Uni
t 9: M
obile
Net
wor
ks
Mobile-phone basedLocation Services
The next big thing?
Software Security
W.Buchanan (27)
Uni
t 9: M
obile
Net
wor
ks
Trackinggovernmentemployees
Emergencyservicetracking
TrackingServicePersonnel
Inventorytracking
Location-trackingservicesTransport
tracking
Location-tracking services
W.Buchanan (28)
Uni
t 9: M
obile
Net
wor
ks
Cupa-Now?
Curlup-n-Dye
Computer-Hack
Thirsty? BuyA nice latté
When not try a newwireless card?
You need a Haircut!
Location-based advertising
These technologies are based on ‘push’ serviceswhere information is pushed to the user, rather thanthem requesting it.
Location-based Advertising
W.Buchanan (29)
Uni
t 9: M
obile
Net
wor
ks
Parking Travel costsRoad Tolls
Location-based sales
Location-based Sales
W.Buchanan (30)
Uni
t 9: M
obile
Net
wor
ks
• GPS (Global Positioning System), • Cell-ID (Cell Identity), • AOA (Angle of Arrival), • TOA (Time-of-arrival), • OTD (Observed Time Difference), • A-GPS (Assisted – Global Positioning System), • E-OTD (Enhanced - Observed Time Difference).
Methods used for Location-finding in Mobile Phones
W.Buchanan (31)
Uni
t 9: M
obile
Net
wor
ksHandset Network
Position CalcFunction
Assistance
Handset-basedmode
Position (x,y) Position (x,y)
Assistance
Handset-assistedmode
Measurement
Position CalcFunction
Position (x,y)Handset-based or Handset-assisted
W.Buchanan (32)
Uni
t 9: M
obile
Net
wor
ks
Many accurate location finding services are basedon triangulation
I am r1 away from a1, b1I am r2 away from a2, b2I am r3 away from a3, b3
By drawing circles, wecan find the position
a3,b3
r1
a1,b1 r2
a2,b2
r3
Triangulation
W.Buchanan (33)
Uni
t 9: M
obile
Net
wor
ks
(6,8) (14,8)
For example… if I am 5 metresaway from each of these points.Where am I?(10,0)
Triangulation
W.Buchanan (34)
Uni
t 9: M
obile
Net
wor
ks
(6,8) (14,8)
5
5 53
4
This point should be (10,5)
(10,0)
Triangulation
W.Buchanan (35)
Uni
t 9: M
obile
Net
wor
ks
Triangulation
It is extremely accurate, but it also has limited coverage in urban areas, especially within buildings or near obstructions.
As an alternative, mobile phone-based location-finding is an inexpensive method for location-finding, as it has wide-scale coverage, along with inexpensive handsets
Global Positioning System (GPS)
W.Buchanan (36)
Uni
t 9: M
obile
Net
wor
ks
Mast-baseddetermines nearestmast
Mast
Mastcells
Cell-ID (with omni-directional cells)
W.Buchanan (37)
Uni
t 9: M
obile
Net
wor
ks
Cell-ID (with sectored cells)
The accuracy dependson the density of mast.
•From a few metres•To many km’s in rural
areas.
Around Edinburgh theaccuracy would be reasonable,in the Borders, not so good.
W.Buchanan (38)
Uni
t 9: M
obile
Net
wor
ks
Signal strengthis measured againsta known propagationpatternOrThe time taken forthe signals to arrive aremeasured
Enhanced Cell-ID
W.Buchanan (39)
Uni
t 9: M
obile
Net
wor
ks
Measurement oftime delay
Mast
Mastcells
TOA (Time of Arrival)
W.Buchanan (40)
Uni
t 9: M
obile
Net
wor
ks
Measurement ofangle
Angle-of-Arrival (AOA)
W.Buchanan (41)
Uni
t 9: M
obile
Net
wor
ks
A-GPS is also a time-based technique in which the handset measures the arrival time of signals transmitted from three or more GPS satellites. In general, the information decoded by the GPS receiver from thesatellites is transmitted to the handset through the radio network, bringing improvements for the time-to-first-fix (which is the initial time for the first location measurement) and battery life – as the handset no longer needs to search for and decode the signals from each available satellite. Removing the need to decode the satellite signals also enables detection and TOA estimation, which allows it to provide position estimates under foliage, within cars, in most outside environments, and many indoor environments.
Assisted-GPS (A-GPS)
W.Buchanan (42)
Uni
t 9: M
obile
Net
wor
ks
TOA works by the handset bouncing a signal back off the base stations, or vice-versa. Since radio waves travel at the speed of light (c), the distance (d) between the handset and base station can be estimated from the transmission delay, that is, half the time delay between transmitting and receiving the signal. This, however, locates the handset as being on a circle with a radius d, with the base station at the centre of the circle. If the estimate is made from three base stations, there will be three circles that intersect at the handset, as shown in the figure.
TDOA technique is time-based and quite similar to TOA. It works by either measuring the relative arrival time in the handset of signals transmitted from three base stations at the same time; or measuring relative arrival time transmitted by the handset at three base stations. The difference of arrival time defines a hyperbola, with the loci at the two base stations. As three base stations are used, there are three sets of time differences which creates three hyperbolic equations that define a single solution.
Time-of-Arrival (TOA)/Time Difference of Arrival (TDOA)
W.Buchanan (43)
Uni
t 9: M
obile
Net
wor
ks
Mobile-phone basedLocation Experiment
Borders, Scotland?
W.Buchanan (44)
Uni
t 9: M
obile
Net
wor
ks
Name: AncrumID: 002747Type: 900 MACRO
Name: EildonID: 008393Type: 900 MACRO
Name: DalcoveID: 004121Type: 900 MACRO
W.Buchanan (45)
Uni
t 9: M
obile
Net
wor
ks
The radio interface in GSM uses a combination between frequency (FDMA) and time (TDMA) multiplexing. The frequency division in GSM 900 allocates 125 frequencies in each direction for GSM. The basic parameters are:
• Uplink frequencies are between 890 and 915MHz.• Downlink frequencies are between 935 and 960MHz. • Carrier frequencies are separated with 200 kHz on each side. These frequencies
are allocated in pairs, so that each uplink/downlink pair is separated with exactly 45 MHz. Each of the carrier frequencies are divided into eight logical channels, usingTDMA, and a TDMA frame contains one time-frame from each of the eight channels, and lasts 4.615 ms.
• Time-frames from each channel lasts 0.577 ms. • Total bit-rate for all eight channels is 270.833 kbps, whereas the bit-rate for each
channel is 22.8 kbps.
Experimental Details
W.Buchanan (46)
Uni
t 9: M
obile
Net
wor
ks
Practical Example of Cells
Example ofmasts in the Scottish Borders. It can be seen that each mast is identifiedwith a different Cell-ID. TheseHave a differentbroadcast frequency and channel (BCCH).No two adjacent cells have the same BCCH.
W.Buchanan (47)
Uni
t 9: M
obile
Net
wor
ks
ConclusionsAfter the success of SMS, the network providers are lookingfor another big revenue generator that does not requiretoo much bandwidth. Location-services could provide this.
The key things that must be overcome are:
- Accuracy.- Compatibility.- Security. Users must subscribe to the services, asthey will not trusts ones which allow other users totrack them without their knowledge.
- Distrust. Currently many users distrust mobile phones.- Integration with applications.