Georgia Tech Information Security Center (GTISC)
CS 8803 - Cellular and Mobile Network Security: GSM - In Detail
Professor Patrick Traynor, 9/27/12
Wednesday, September 26, 12

Slide 2: Cellular Telecommunications
- Architecture
- Background
- Air Interfaces
- Network Protocols
- Application: Messaging
- Research

Slide 3: GSM
The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications, with well over 5 billion users.
  - As a comparison, there are approximately 1.5 billion Internet users.
The architectures of other networks are similar, so knowing how to speak GSM will get you a long way in this space.

Slide 4: Wireless Signaling and Control in GSM
Common Control Channel
  - Structure
  - Broadcast Channels
  - Channel Access from Mobile
  - Procedures and Messages for Call Control
Traffic Channel
  - Structure
  - Handoffs

Slide 5: GSM Control Functions
- Read System Parameters
- Register
- Receive and Originate Calls
- Manage Handoffs

Slide 6: GSM Structure
Common Control Channel (CCCH)
  - Used for control information: registration, paging, call origination/termination.
Traffic Channel (TCH)
  - Information transfer
  - In-call control (fast/slow associated control channels)
[Figure: the Common Control Channel (CCCH) shared by all mobiles, alongside one Traffic Channel per user in a call; TCH (13 KBps)]

Slide 7: GSM TDMA Frames
TDMA frame: Slot 0 | Slot 1 | Slot 2 | Slot 3 | Slot 4 | Slot 5 | Slot 6 | Slot 7; frame length 4.615 msec.
51-multiframe: Frame 0, Frame 1, Frame 2, ..., Frame 50; length 235.365 msec.

Slide 8: From Frames to Channels
[Figure: the eight slots (0-7) of one 4.615 ms frame, and the 26-multiframe of 120.00 ms built from them]

Slide 9: GSM CCCH
- Random Access Control Channel (RACH): reverse (MS -> BS)
- Paging and Access Grant Channel (PAGCH): forward (BS -> MS); made up of the PCH and the AGCH
- Broadcast Control Channel (BCCH): forward (BS -> MS)
- Synchronization Channel (SCH): forward (BS -> MS)
- Frequency Correction Channel (FCCH): forward (BS -> MS)

Slide 10: GSM CCCH Structure
- CCCH/RACH always uses Slot 0 of each frame; the other seven slots are for TCH.
- TCH: the 26-multiframe repeats every 120 msec (the 13th and 16th frames are used by the Slow Associated Control Channel (SACCH) or are idle).
TDMA frame: Slot 0 ... Slot 7, 4.615 msec; 51-multiframe: Frame 0, Frame 1, Frame 2, ..., Frame 50, 235.365 msec.
Slot 0 of each frame of the 51-multiframe, written as Channel Name (Frame #):
Downlink: FCCH (0), SCH (1), BCCH (2-5), PAGCH (6-9), FCCH (10), SCH (11), PAGCH (12-19), FCCH (20), SCH (21), PAGCH (22-29), FCCH (30), SCH (31), PAGCH (32-39), FCCH (40), SCH (41), PAGCH (42-49), I (50)
Uplink: RACH (0), RACH (1), ..., RACH (50)
Slide 11: GSM: BCCH
- Broadcast to all users on the CCCH
- No addressing
- Used to acquire system parameters, so the mobile may operate with the system.
- Key parameters (contained in RR SYSTEM INFORMATION messages):
  - RACH control parameters
  - cell channel descriptions (frequencies)
  - neighbor cells (frequencies)
  - cell id
  - Location Area ID (LAI)
  - Control Channel description

Slide 12: GSM: FCCH and SCH
- Keeps system synchronization
  - What do you mean, synchronization?
- Broadcasts Basestation ID
  - Why is this useful information?

Slide 13: GSM: Mobile Channel Access Procedures (RACH)
- MS communicates with BS over RACH
  - Only initially, and it must compete for this shared resource.
- Feedback provided with AGCH
  - Points the user to a dedicated channel for real exchanges.
- Functions:
  - Responses to paging messages
  - Location update (registration)
  - Call origination

Slide 14: GSM: Paging Channel (PCH)
- Used to send pages to mobile devices.
  - Notifications of incoming services (e.g., voice, data, SMS)
- Done at regular intervals
  - Mobiles belong to a paging class
  - Allows the device to sleep and conserve power
- More than 1 mobile paged at a time.

Slide 15: GSM: RACH and Slotted ALOHA (Layer 2)
Assumptions:
- all frames are the same size
- time is divided into equal-size slots (the time to transmit 1 frame)
- nodes start to transmit frames only at the beginning of slots
- clocks are synchronized
- if 2 or more nodes transmit in a slot, all nodes detect the collision
Operation:
- when a node obtains a fresh frame, it transmits in the next slot
- no collision: the node successfully transmitted the frame
- collision: the node retransmits the frame in each subsequent slot with probability p until success

Slide 16: GSM: More Slotted ALOHA
Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only the slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- nodes may be able to detect a collision in less than the time to transmit a packet
- clock synchronization

Slide 17: GSM: Slotted ALOHA Efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
- prob that node 1 has success in a slot = $p(1-p)^{N-1}$
- prob that any node has a success = $Np(1-p)^{N-1}$
- For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$
- For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, which gives $1/e = .37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best, the channel has a maximum throughput of 37%!

Slide 18: GSM: RACH Procedures (Layer 2)
- Mobile
  - sends an assignment request with information
- Basestation
  - sends back an assignment with the information echoed
- Creates a Radio Resource (RR) connection
  - Standalone Dedicated Control Channel
  - May be a physical channel
  - May be a traffic channel in signaling-only mode
  - May eventually be bandwidth stolen from the TCH (associated control channel).

Slide 19: Basic Flow on Air Interface
1. Alert phone of incoming activity
2. Request dedicated signaling channel
3. Signal
4. Release signaling channel

Slide 20: GSM Signaling
Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).
  - Technically layer 3, but debatable from the OSI perspective, as application-esque things happen here.
Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS).

Slide 21: Time Out: Privacy?
With all of this signaling going over well-known channels, isn't there a risk of user tracking/profiling?
  - Think about the PCH... what is transmitted here?

Slide 22: GSM Registration
Types
  - Power up and down
  - Location Area changes (mobility)
  - Periodic
User Privacy
  - The mobile device may transmit its real address: International Mobile Subscriber Identity (IMSI)
  - Gets back a temporary id (TMSI)
    - Unique to a local area
  - Subsequent registrations use the TMSI

Slide 23: GSM: Registration, High Level
1. Get SDCCH
2. RR connection established
3. Authenticate
4. Cipher
5. Update Location
6. Release RR connection

Slide 24: GSM Registration: Gory Details
Get SDCCH; RR connection established; then the following messages are exchanged:
1. LOC UPD RQST
2. Authentication Request (RAND)
3. Authentication Response (SRES)
4. Cipher Mode
5. Cipher Mode Complete
6. LOC UPD ACC (TMSI Assigned)
7. TMSI RE-ALLOC Complete
Release RR connection.
More details on this authentication procedure soon...

Slide 25: GSM: Call Termination (Receive a Call)
[Figure: message flow between the mobile and the network. Messages shown: Page Request (TMSI); Channel Request; Channel Assignment; Get SDCCH; SABM (Page Response); UA (Page Response); RR connection established; Authentication and Ciphering; SETUP; Call Confirmed; Assignment Command; Alert; Assignment Complete; Connect; Connect ACK]

Slide 26: GSM: Call Origination
[Figure: message flow between the mobile and the network. Messages shown: Channel Request; Channel Assignment; Get SDCCH; SABM (CM Service Req - Call Orig); UA (CM Service Request - Call Orig); RR connection established; Authentication and Ciphering; SETUP; Call Proceeding; Assignment Command; Alert; Assignment Complete; Connect; Connect ACK; RR connection release]
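Returning to the CCCH structure slide: the Python below is an added example, not code from the lecture slides. It maps a frame index within the 51-multiframe to the logical channel carried in timeslot 0, using the slide's FCCH/SCH/BCCH/PAGCH/idle layout and its 4.615 ms frame time, and totals how many of the 51 frames each channel gets.

```python
# Added example (not from the lecture slides): logical channel carried in
# timeslot 0 of the GSM 51-multiframe, per the "GSM CCCH Structure" slide.
# Timing constants are the slide's: 4.615 ms per 8-slot frame, 51 frames
# per control multiframe (235.365 ms).

FRAME_MS = 4.615
MULTIFRAME_51 = 51


def downlink_channel(frame):
    """Channel in timeslot 0 of downlink frame `frame` (0..50) of the 51-multiframe."""
    if not 0 <= frame < MULTIFRAME_51:
        raise ValueError("frame index must lie in 0..50")
    if frame == MULTIFRAME_51 - 1:
        return "IDLE"        # I (50): the last frame of the multiframe is idle
    pos = frame % 10         # the FCCH/SCH pattern repeats every 10 frames
    if pos == 0:
        return "FCCH"        # frequency correction: frames 0, 10, 20, 30, 40
    if pos == 1:
        return "SCH"         # synchronisation / base station ID: frames 1, 11, ...
    if frame < 6:
        return "BCCH"        # system information: frames 2-5 only
    return "PAGCH"           # paging / access grant blocks: 6-9, 12-19, ..., 42-49


def uplink_channel(frame):
    """Timeslot 0 on the uplink carries RACH in every frame of the multiframe."""
    if not 0 <= frame < MULTIFRAME_51:
        raise ValueError("frame index must lie in 0..50")
    return "RACH"


def multiframe_ms():
    """Length of the 51-multiframe; the slide gives 235.365 ms."""
    return MULTIFRAME_51 * FRAME_MS


def channel_budget():
    """How many of the 51 timeslot-0 frames each downlink channel occupies."""
    budget = {}
    for f in range(MULTIFRAME_51):
        name = downlink_channel(f)
        budget[name] = budget.get(name, 0) + 1
    return budget


if __name__ == "__main__":
    for f in range(MULTIFRAME_51):
        print(f"frame {f:2d} @ {f * FRAME_MS:8.3f} ms: down={downlink_channel(f)} up={uplink_channel(f)}")
    print(channel_budget())
```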
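The slotted ALOHA efficiency from the RACH slides, worked numerically as an added example (not from the slides): the success probability $Np(1-p)^{N-1}$, the optimal $p^* = 1/N$ checked by a grid search, the approach to $1/e$, and a short simulation of always-backlogged nodes that matches the formula.

```python
# Added example (not from the lecture slides): slotted ALOHA efficiency as used
# for RACH contention.  N backlogged nodes each transmit in a slot with
# probability p; a slot is useful only when exactly one node transmits.
import math
import random


def success_prob(n, p):
    """P(exactly one of n nodes transmits) = N p (1-p)^(N-1), the slide's formula."""
    return n * p * (1 - p) ** (n - 1)


def optimal_p(n):
    """Setting d/dp [n p (1-p)^(n-1)] = 0 gives p* = 1/n."""
    return 1.0 / n


def grid_search_p(n, steps=10000):
    """Numerical check of p*: maximise success_prob over a grid of p values."""
    best_k = max(range(1, steps), key=lambda k: success_prob(n, k / steps))
    return best_k / steps


def max_efficiency(n):
    """Efficiency at p*: (1 - 1/n)^(n-1), which tends to 1/e (about 0.37) as n grows."""
    return success_prob(n, optimal_p(n))


def simulate(n, p, slots, seed=7):
    """Fraction of slots won by exactly one node, every node always backlogged."""
    rng = random.Random(seed)
    won = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            won += 1
    return won / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(f"N={n:5d}  p*={optimal_p(n):.4f}  efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    print(f"simulated, N=10, p=0.1: {simulate(10, 0.1, 20000):.4f}")
```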
Slide 27: GSM: Mobile Assisted Handoff (MAHO)
[Figure: message flow among the mobile, the MSC, the old BS and the new BS. Messages shown: Measurement Report (repeated four times); Handoff Order; Handoff Access; Handoff Access; Handoff Complete]

Slide 28: Measuring Mobility-Generated Load
How do we estimate the traffic load caused by handoffs?
Simplest mobility model: assume conservation of flow and random movements at constant velocity.
Rate of boundary crossings $= \rho v L / \pi$, where $\rho$ = density of users, $v$ = velocity and $L$ is the perimeter.

Slide 29: Practice
Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.
Assume:
  - $L$ = 80 miles
  - $\rho$ = 150 users/mi²
  - $v$ = 45 miles/hour

Slide 30: Example
Boundary crossing rate: $\dfrac{150 \times 45 \times 80}{\pi}$ per hour $\times \dfrac{1\ \text{hour}}{3600\ \text{secs}}$ = 48 crossings/sec
Load on the VLR from mobility is 144 operations/sec:
  - updates (3): Update LA, Reg Cancel, Auth Info

Slide 31: Example, cont.
Assume 3 calls/user/hour (1.5 in, 1.5 out on average)
  - for each incoming call there is one database query (MSRN)
$\rho$ = 150 users/mi², $L$ = 80 miles
  - each area contains $150 \times (80/4)^2 = 60{,}000$ users
  - = 25 calls/second
Total Load
  - 25 queries/second (call related)
  - 144 updates/second (mobility related)
Conclusion
  - mobility substantially dominates the database load

Slide 32: GSM: Short Messaging Service
- Bi-directional
- Acknowledged service
- Store-and-forward service
- 140 octets/160 characters (concatenation possible)
- Uses the SDCCH signaling channel
- Two services: cell broadcast and point to point
  - Cell broadcast exists in the standards only at this time.
- Three types: user-specific, ME-specific, SIM-specific

Slide 33: GSM: SMS Examples - Mobile Termination
[Figure: message flow. Messages shown: Page; Page Response; SMS Delivery]

Slide 34: GSM: SMS Examples - Mobile Termination (detail)
[Figure: message flow. Messages shown: Page; Page Response; CP-Data (RP-Data (SMS Delivery)); CP-ACK; CP-Data (RP-ACK); CP-ACK]

Slide 35: Other Air Interfaces
- IS-54/IS-136/D-AMPS: digital, TDMA
- IS-95: digital, CDMA
- CDMA2000: 3G
- UMTS: W-CDMA, 3G

Slide 36: IS-54/IS-136
- First North American standards
- Converted traffic channels (IS-54) and control channels (IS-136) to digital.
  - Phones could gracefully degrade to AMPS if neither of these networks was available.
- IS-54 was the first to consider security.
  - Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.
  - Both algorithms were later shown to be weak.

Slide 37: IS-95
- Code Division Multiple Access (CDMA) transmission
- Similar call processing to GSM and IS-136
- 1.23 MHz carriers, each with 65 sub-code channels
- Operates in similar bands as AMPS/IS-136

Slide 38: Network Architecture: IS-95/CDMA2000
[Figure: BS, BSC, RNC/PCF, MSC, HLR, VLR, AAA, PDSN and HA, connected to the PSTN and the Internet]
RNC/PCF
  - Performs frame selection/power control
  - Terminates the Radio Link Protocol w/ mobiles
  - Performs packet and burst control functions
PDSN
  - terminates PPP with clients
  - provides FA support for MIP-enabled clients
AAA
  - Provides Authentication, Authorization and Accounting for data users
BSC
  - Coordinates handoff for voice users
  - performs frame selection/power control
MSC
  - call control and mobility management
  - interfaces to the PSTN for voice users
AAA
  - provides location management and AAA functions for voice users.
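The VLR load calculation from the Practice and Example slides, carried through in code as an added example (not from the slides). It uses the slides' fluid-flow crossing rate $\rho v L / \pi$, three VLR operations per crossing, the square-area assumption (side = L/4) and one MSRN query per incoming call; the slide rounds 47.7 crossings/sec to 48 before multiplying, which is why it reports 144 rather than 143.2.

```python
# Added example (not from the lecture slides): VLR load from the fluid-flow
# mobility model on the "Measuring Mobility-Generated Load" slides.
# Boundary-crossing rate = rho * v * L / pi per unit time, with rho = user
# density, v = velocity and L = the perimeter of the location area.
import math

SECONDS_PER_HOUR = 3600.0


def crossings_per_sec(density, velocity_per_hour, perimeter):
    """Fluid-flow boundary crossing rate, converted from per hour to per second."""
    return density * velocity_per_hour * perimeter / math.pi / SECONDS_PER_HOUR


def mobility_updates_per_sec(density, velocity_per_hour, perimeter, ops_per_crossing=3):
    """Each crossing costs ops_per_crossing VLR operations (Update LA, Reg Cancel, Auth Info)."""
    return ops_per_crossing * crossings_per_sec(density, velocity_per_hour, perimeter)


def users_in_area(density, perimeter):
    """The slide treats the area as a square of side L/4: users = rho * (L/4)^2."""
    return density * (perimeter / 4.0) ** 2


def call_queries_per_sec(density, perimeter, incoming_calls_per_user_hour=1.5):
    """One MSRN database query per incoming call (1.5 of the 3 calls/user/hour are incoming)."""
    return users_in_area(density, perimeter) * incoming_calls_per_user_hour / SECONDS_PER_HOUR


def vlr_load(density, velocity_per_hour, perimeter):
    """Per-second VLR load split into mobility and call components, plus which dominates."""
    mobility = mobility_updates_per_sec(density, velocity_per_hour, perimeter)
    calls = call_queries_per_sec(density, perimeter)
    return {
        "crossings_per_sec": crossings_per_sec(density, velocity_per_hour, perimeter),
        "mobility_updates_per_sec": mobility,
        "call_queries_per_sec": calls,
        "dominant": "mobility" if mobility > calls else "calls",
    }


if __name__ == "__main__":
    # Slide's numbers: rho = 150 users/mi^2, v = 45 mi/h, L = 80 miles.
    for key, value in vlr_load(150, 45, 80).items():
        print(f"{key}: {value}")
```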