8/9/2019 Gs March It Ecure
GSM Architecture
GSM
Various subsystems
1. Network Subsystem includes the equipment and functions related to end-to-end call.
2. Radio Subsystem includes the equipment and functions related to the management of the connections on the radio path.
3. Operations and Maintenance subsystem includes the operation and maintenance of GSM equipment for the radio and network interface.
Network Architecture
[Figure: network architecture diagram showing BTS, BSC, MSC/VLR, HLR, OSS, the air interface, and PSTN, ISDN and data networks]

Network Structure
- GSM Service Area
- PLMN Service Area
- MSC Service Area
- Location Area
- Cells

PLMN Service Area
[Figure: PLMN service area divided into areas I to V, with MSC and VLR nodes]

MSC Service Area
[Figure: an MSC/VLR service area divided into location areas LA1 to LA6]

Cells
[Figure: an MSC/VLR service area divided into location areas LA1 to LA6, with cells C1 to C6 shown inside (C = cell)]

Relation between areas in GSM
- Cell: area served by a BTS
- Location Area
- MSC Service Area
- PLMN Service Area
- GSM Service Area

LA Coding
LAI = MCC + MNC + LAC
- MCC: 3 digit
- MNC: 3 digit
- LAC: 2 octets

Functions of Mobile Station
- Voice and data transmission
- Frequency and time synchronization
- Monitoring of power and signal quality of the surrounding cells
- Provision of location updates even during inactive state
- Equalization of multipath distortions

Mobile Station
- Portable, vehicle mounted, hand held
- MS identified by unique IMEI
- Shall display at least last ten received, dialled and missed calls
- Minimum talk time of 1 hr 30 min and standby time of 80 hrs
- 160 characters long SMS

Mobile Station - Power Levels

Power Class   Max. Peak Power   Tolerance (dB), Normal   Tolerance (dB), Extreme
1             20 W (43 dBm)     +/- 2                    +/- 2.5
2             8 W (39 dBm)      +/- 2                    +/- 2.5
3             5 W (37 dBm)      +/- 2                    +/- 2.5
4             2 W (33 dBm)      +/- 2                    +/- 2.5
5             0.8 W (29 dBm)    +/- 2                    +/- 2.5

SIM Card
SIM Module
- Unique subscriber's ID: IMSI and ISDN
- PIN
- Key Ki, Kc and A3, A5 and A8 algorithms
- SIM has CPU, ROM, RAM and EPROM

Mobile Identification Numbers
- IMEI
- MSISDN
- IMSI
- TMSI
- MSRN

MSISDN: Mobile Subscriber's ISDN Number
The MSISDN is registered in the telephone directory and used by the calling party for dialing.
MSISDN = CC + NDC + SN
- CC: 1 to 3 digits
- NDC: variable
- SN: variable
- N(S)N: NDC + SN
MSISDN: not more than 15 digits

IMSI: International Mobile Subscriber's Identity
- The IMSI is a unique identity which is used internationally and used within the network to identify the mobile subscribers.
- The IMSI is stored on the subscriber identity module (SIM), the HLR, VLR and AC database.

IMSI
IMSI = MCC + MNC + MSIN
- MCC: 3 digits
- MNC: 3 digits
- MSIN: not more than 9 digits
- NMSI: MNC + MSIN
IMSI: not more than 15 digits

TMSI: Temporary Mobile Subscriber's Identity
- The TMSI is an identity which guarantees the integrity of the mobile subscribers on the radio interface.
- The VLR assigns a TMSI to each mobile subscriber entering the VLR area.

MSRN: Mobile Station Roaming Number
The MSRN is used in the GMSC to set up a connection to the visited MSC/VLR.

IMEI: International Mobile Equipment Identity
The IMEI is a unique code allocated to each mobile equipment. It is checked in the EIR.
IMEI check
- White List
- Grey List
- Black List

RADIO SUB SYSTEM (RSS)
[Figure: RSS diagram showing groups of n BTS, the BSCs and the MSC/VLR]

FUNCTION OF BTS - I
- Encodes, encrypts, multiplexes, modulates and feeds the RF signals to the antenna
- Transcoding and rate adaptation functionality
- Time and frequency synchronisation signals transmission.
- 11 power classes from .01 watts (Micro cell) to 320 watts (Umbrella cell)

FUNCTION OF BTS - II
- Frequency hopping
- Random access detection
- Uplink radio channel measurements
- BTS mainly consists of a set of transceivers (TRX). Can accommodate 1 to 7 TRX per sector

FUNCTIONS OF BSC - I
- It is connected to BTS and offloads MSC
- Radio resource management
- Inter-cell handover
- Reallocation of frequencies
- Power control

FUNCTIONS OF BSC - II
- Time delay measurement of the received signals from MS with respect to BTS clock.
- Performs traffic concentration to reduce the number of lines from BSC to MSC.
- Provides interface TCP/IP X.25 to the OMS

FUNCTIONS OF BSC - III
- BSC performs call processing
- TRAU are generally located at the site of MSC.
- BSC-BTS configurations as per requirement.
- Data from OMC can be downloaded to BSC

MSC-BSS Configurations
[Figure: MSC connected over the A interface to several BSS; within a BSS the BSC connects to BTSs over A-bis. Labelled layouts: Configuration 1, single-cell site; Configuration 5, multi-cell site (sector cells); Configuration 6, multi-cell site = multi-BTS site; and many single-cell sites.]
MSC: Mobile Switching Centre
BSS: Base Station System
BSC: Base Station Controller
BTS: Base Transceiver Station
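
Network and Switching Subsystem (NSS)
[Figure: MSC with VLR, HLR, AUC and EIR, linked to the BSS, the PSTN and other MSCs; interfaces labelled A, C, D, E and F; the legend distinguishes SS7 signalling from the traffic path]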

MSC (MOBILE SWITCHING CENTRE)
- Manages communication between GSM and other networks
- Call setup functions, basic switching are done
- MSC takes into account the RR allocation in addition to normal exchange functions
- MSC does gateway function while its customers roam to other networks by using HLR/VLR

MSC Functions - I
- Paging, specifically call handling
- Location updating
- Handover management
- Billing for all subscribers based in its area
- Reallocation of frequencies to BTSs in its area to meet heavy demands

MSC Functions - II
- Echo canceller operation control
- Signaling interface to databases like HLR, VLR.
- Gateway to SMS between SMS centers and subscribers
- Handles interworking function while working as GMSC

VISITOR LOCATION REGISTER (VLR) - I
- It controls those mobiles roaming in its area.
- VLR reduces the number of queries to HLR
- One VLR may be in charge of one or more LA.
- VLR is updated by HLR on entry of MS into its area.
- VLR assigns TMSI which keeps on changing.
- IMSI detach and attach operation

Data in VLR
- IMSI & TMSI
- MSISDN
- MSRN
- Location Area
- Supplementary service parameters
- MS category
- Authentication Key

Home Location Register (HLR) - I
- Reference store for subscriber's parameters, numbers, authentication & encryption values.
- Current subscriber status and associated VLR.
- Both VLR and HLR can be implemented in the same equipment in an MSC.
- One PLMN may contain one or several HLR.

Home Location Register (HLR) - II
Permanent data in HLR
- Data stored is changed only by man-machine.
- IMSI, MS-ISDN number.
- Category of MS (whether pay phone or not)
- Roaming restriction (allowed or not).
- Supplementary services like call forwarding

Home Location Register (HLR) - III
Temporary data in HLR
- The data changes from call to call & is dynamic
- MSRN
- RAND/SRES and Kc
- VLR address, MSC address.
- Messages waiting data used for SMS

AUTHENTICATION CENTRE (AUC) - I
- AUC is a separate entity and physically included in HLR
- Protects against intruders in air interface
- Authentication (Ki) and ciphering (Kc) keys are stored in this database.
- Keys change randomly with each call
- Keys are never transmitted to MS on air
- Only calculated responses are sent.
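
AUTHENTICATION & ENCRYPTION
[Figure: the AUC database holds a Ki for each IMSI (IMSI1/Ki1, IMSI2/Ki2, IMSI3/Ki3). A generated random number RAND and the Ki feed A3, the algorithm for authentication, giving SRES (32 bits), and A8, the algorithm for ciphering, giving Kc (64 bits). RAND, SRES and Kc are passed to the HLR.]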

EQUIPMENT IDENTITY REGISTER (EIR)
- This database stores IMEI for all registered mobile equipment and is unique to every ME.
- Only one EIR per PLMN.
- White list: IMEI assigned to valid ME.
- Black list: IMEI reported stolen
- Gray list: IMEI having problems like faulty software, wrong make of equipment etc.

Operations and Maintenance Centre (OMC)
- The centralized operation of the various units in the system and functions needed to maintain the subsystems.
- Dynamic monitoring and controlling of the network
- Separate OMC-S and OMC-R for NSS and RSS

Functions of OMC
- O&M data function
- Configuration management
- Fault report and alarm handling
- Performance supervision/management
- Storage of system software and data
- Support GUI for operation and maintenance

Security Management
Four basic security services provided by GSM
- Anonymity: TMSI assignment
- Authentication
- Encryption: PIN

Encryption Process
[Figure: the encryption process takes a key and plain text and produces cipher-text]
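
Generic Authentication Process
[Figure: both ends of the radio path hold the Ki for the IMSI and run A3 over the same RAND. The SRES returned as the response is compared with the locally computed SRES, giving a yes/no result.]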
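
AUTHENTICATION & ENCRYPTION
[Figure: authentication and key transfer flow between HLR, MSC/VLR and the mobile (SIM card, key pad). The HLR supplies RAND, SRES and Kc to the MSC/VLR, and RAND is sent to the mobile. The SIM card runs A3 over RAND and Ki to produce SRESc, and A8 to produce Kc, which it stores. The check SRES = SRESc has a yes branch leading to "Access Granted" and a no branch. The cipher key Kc is transferred to the BTS. The figure also carries the labels (128) and (32) next to SRESc and SRES.]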
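
The AUC and authentication slides describe a challenge-response in which Ki never crosses the radio path and only the calculated response is sent. The sketch below is an added example, not part of the original deck: HMAC-SHA256 stands in for the operator-specific A3 and A8 algorithms, and the class names, the IMSI, the Ki values and the 128-bit RAND size are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-ins for A3/A8 (assumption: HMAC-SHA256 truncated to the output sizes
# given on the slides; this is not a real GSM algorithm).
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication algorithm: (Ki, RAND) -> SRES, 32 bits."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Ciphering-key algorithm: (Ki, RAND) -> Kc, 64 bits."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuC:
    """Holds Ki per IMSI and hands out (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(16)      # fresh challenge (assumed 128 bits)
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)

class Sim:
    """Holds IMSI and Ki; only SRESc ever leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def challenge(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)        # Kc stored on the SIM for ciphering
        return a3(self._ki, rand)           # SRESc, sent over the radio path

def authenticate(auc: AuC, sim: Sim):
    """MSC/VLR role: returns Kc for the BTS on success, None on failure."""
    rand, sres, kc = auc.triplet(sim.imsi)
    sres_c = sim.challenge(rand)
    return kc if hmac.compare_digest(sres, sres_c) else None

# Constructed sample data (not real subscriber values).
IMSI = "001010123456789"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
auc = AuC({IMSI: KI})
genuine = Sim(IMSI, KI)
clone = Sim(IMSI, bytes(16))                # right IMSI, wrong Ki

if __name__ == "__main__":
    print("genuine SIM accepted:", authenticate(auc, genuine) is not None)
    print("wrong-Ki SIM accepted:", authenticate(auc, clone) is not None)
```

Because each triplet uses a fresh RAND, an SRES captured from one run does not answer the next challenge, and a card that knows the IMSI but not the Ki fails the comparison.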