Part II

Global System for Mobile Communication (GSM)


Muhammad Ali Raza Anjum

The Network Switching Subsystem


The NSS plays the central part in every mobile network. While the BSS provides the radio access for the MS, the various network elements within the NSS assume responsibility for the complete set of control and database functions required to set up call connections using one or more of these features: encryption, authentication, and roaming.

To satisfy those tasks, the NSS consists of the following:
o MSC (mobile switching center);
o HLR (home location register)/authentication center (AuC);
o VLR (visitor location register);
o EIR (equipment identity register).

The subsystems are interconnected directly or indirectly via the worldwide SS7 network. The network topology of the NSS is more flexible than the hierarchical structure of the BSS. Several MSCs may, for example, use one common VLR; the use of an EIR is optional, and the required number of subscribers determines the required number of HLRs.

Figure 1 The NSS.

Figure 1 provides an overview of the interfaces between the different network elements in the NSS. Note that most interfaces are virtual, that is, they are defined as reference points for signaling between the network elements.

Home Location Register and Authentication Center


Every PLMN requires access to at least one HLR as a permanent store of data. The concept is illustrated in Figure 2. The HLR can best be regarded as a large database with access times that must be kept as short as possible. The faster the response from the database, the faster the call can be connected. Such a database is capable of managing data for literally hundreds of thousands of subscribers.

Figure 2 Only the SIM and the HLR know the value of Ki.

Within the HLR, subscriber-specific parameters are maintained, such as the parameter Ki, which is part of security handling. It is never transmitted on any interface and is known only to the HLR and the SIM, as shown in Figure 2. Each subscriber is assigned to one specific HLR, which acts as a fixed reference point and where information on the current location of the user is stored. To reduce the load on the HLR, the VLR was introduced to support the HLR by handling many of the subscriber-related queries (e.g., localization and approval of features).

Because of the central function of the HLR and the sensitivity of the stored data, it is essential that every effort is taken to prevent outages of the HLR or the loss of subscriber data. The AuC is always implemented as an integral part of the HLR. The reason for this is that although GSM mentions the interface between the AuC and the HLR and has even assigned it a name, the H-interface, it was never specified in sufficient detail to be a standalone entity. The only major function assigned to the AuC is to calculate and provide the authentication triplets, that is, the signed response (SRES), the random number (RAND), and Kc. For each subscriber, up to five such triplets can be calculated at a time and sent to the HLR. The HLR, in turn, forwards the triplets to the VLR, which uses them as input parameters for authentication and ciphering. Here is the process:

Ciphering [GSM 03.20] is used in GSM to encrypt data on the Air-interface between the mobile station and the BTS. Encryption applies only to the Air-interface. Therefore, tapping of a call is still possible on the terrestrial part of the connection. A precondition for ciphering is successful authentication. The process of authentication and activation of ciphering is performed in the following steps:

o For each mobile station, the VLR stores up to five different authentication triplets. Such a triplet consists of SRES, RAND, and Kc, and was originally calculated and provided by the HLR/AuC.
o At first, the MS sends a connection request to the network (e.g., LOC_UPD_REQ). Among other things, this request contains the ciphering key sequence number (CKSN) and the mobile station classmark, which indicates which ciphering algorithms (A5/X) are available in the mobile station.

o The NSS (more precisely, the VLR) examines the CKSN and decides whether authentication is necessary (see CKSN). In particular, when a second connection is established while another connection already exists (e.g., for a multiparty call), authentication is not required a second time during the same network access.
o A message is sent to the MS if authentication is necessary. This DTAP message (AUTH_REQ) contains the random number, RAND, received from the HLR/AuC.
o The MS (more precisely, the SIM) uses the RAND and the value Ki as well as the algorithm A3 to calculate SRES (authentication procedure).

o The MS sends the result of this calculation, the SRES, to the VLR.
o The VLR compares the SRES that the MS has sent with the one that the HLR/AuC had sent earlier. The authentication is successful if both values are identical.
o Immediately after calculating SRES, the MS uses RAND and Ki to calculate the ciphering key Kc via the algorithm A8.
o To activate ciphering, the VLR sends the value Kc that the AuC has calculated and a reference to the chosen A5/X algorithm via the MSC and the BSC to the BTS.

Figure 3 Calculation of SRES from Ki and RAND by use of A3.

Figure 4 Calculation of Kc from Ki and RAND by use of A8.

o The BTS retrieves the cipher key Kc and the information about the required ciphering algorithm from the ENCR_CMD message and forwards only the information about the A5/X algorithm in a CIPH_MOD_CMD message to the MS.
o That message triggers the MS to enable ciphering of all outgoing data and deciphering of all incoming information. The MS confirms the change to ciphering mode by sending a CIPH_MOD_COM message.
o The algorithm A5/X uses the current value of the frame number (FN) at the time tx together with the cipher key Kc as input parameters. The outputs of this operation are the so-called ciphering sequences, each 114 bits long, whereby one is needed for ciphering and the other one for deciphering.

o The first ciphering sequence and the 114 bits of useful data of a burst are XORed to provide the encrypted 114 bits that are actually sent over the Air-interface. Note that the ciphering sequences are altered with every frame number, which in turn changes the encryption with every frame number.
o Deciphering takes place exactly the same way but in the opposite direction.

Figure 5 Functionality of ciphering of data.

Figure 6 Functionality of deciphering of data.
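
The authentication and ciphering steps above, traced end to end as an added example (not part of the original slides). A3, A8 and A5/X are replaced by stand-ins built from HMAC-SHA256 and SHAKE-128, so only the data flow and field sizes match GSM; the function names, the Ki value and the 3-byte frame-number encoding are assumptions.

```python
import hashlib
import hmac
import os

def a3_a8_standin(ki, rand):
    """Stand-in for A3 (32-bit SRES) and A8 (64-bit Kc); NOT the real algorithms."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def auc_make_triplets(ki, count=5):
    """HLR/AuC side: Ki stays here; only (RAND, SRES, Kc) go to the VLR."""
    triplets = []
    for _ in range(count):
        rand = os.urandom(16)  # 128-bit challenge
        sres, kc = a3_a8_standin(ki, rand)
        triplets.append((rand, sres, kc))
    return triplets

def sim_respond(ki, rand):
    """SIM side: derive SRES (returned to the VLR) and Kc (kept in the MS)."""
    return a3_a8_standin(ki, rand)

def vlr_authenticate(triplet, sres_from_ms):
    """VLR side: compare the MS's SRES with the stored one; Ki is never seen."""
    return hmac.compare_digest(triplet[1], sres_from_ms)

def a5_standin(kc, frame_number):
    """Stand-in for A5/X: two 114-bit ciphering sequences from Kc and FN."""
    raw = hashlib.shake_128(kc + frame_number.to_bytes(3, "big")).digest(29)
    bits = int.from_bytes(raw, "big")  # 232 bits, of which 228 are used
    mask = (1 << 114) - 1
    return (bits >> 114) & mask, bits & mask

def xor_burst(bits_114, sequence):
    """Cipher or decipher the 114 useful bits of one burst."""
    return bits_114 ^ sequence

def demo():
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    rand, sres, kc_network = auc_make_triplets(ki)[0]
    sres_ms, kc_ms = sim_respond(ki, rand)  # SIM answers AUTH_REQ
    ok = vlr_authenticate((rand, sres, kc_network), sres_ms)
    burst = int.from_bytes(b"constructed!!", "big")  # 104 bits, fits in 114
    sent = xor_burst(burst, a5_standin(kc_ms, 1000)[0])  # MS ciphers
    received = xor_burst(sent, a5_standin(kc_network, 1000)[0])  # BTS deciphers
    other_frame = xor_burst(burst, a5_standin(kc_ms, 1001)[0])
    return ok, received == burst, sent != other_frame

if __name__ == "__main__":
    print(demo())
```

The VLR and BTS functions never receive Ki: they work only from the triplet, which is why the terrestrial links that carry RAND, SRES and Kc matter as much as the Air-interface.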

Visitor Location Register


The VLR, like the HLR, is a database, but its function differs from that of the HLR. While the HLR is responsible for more static functions, the VLR provides dynamic subscriber data management. Consider the example of a roaming subscriber. As the subscriber moves from one location to another, data are passed from the VLR of the location the subscriber is leaving (old VLR) to the VLR of the location being entered (new VLR). In this scenario, the old VLR hands over the related data to the new VLR. There are times when the new VLR has to query the subscriber's HLR for additional data.

This question then arises: Does the HLR in GSM assume responsibility for the management of those subscribers currently in its geographic area? The answer is NO. Even if the subscriber happens to be in the home area, the VLR of that area handles the dynamic data. This illustrates another difference between the HLR and the VLR. The VLR is assigned a limited geographical area, while the HLR deals with tasks that are independent of a subscriber's location.

The term HLR area has no significance in GSM, unless it refers to the whole PLMN. Typically, but not necessarily, a VLR is linked with a single MSC. The GSM standard allows, as Figure 7 illustrates, the association of one VLR with several MSCs. The initial intention was to specify the MSC and the VLR as independent network elements. However, when the first GSM systems were put into service in 1991, numerous deficiencies in the protocol between the MSC and the VLR forced the manufacturers to implement proprietary solutions.

Figure 7 The NSS hierarchy.

That is the reason the interface between the MSC and the VLR, the B-interface, is not mentioned in the specifications of GSM Phase 2. GSM Recommendation 09.02 now provides only some basic guidelines on how to use that interface. The table on the next slide lists the most important data contained in the HLR and the VLR.

The Mobile-Services Switching Center


From a technical perspective, the MSC is just an ordinary Integrated Services Digital Network (ISDN) exchange with some modifications specifically required to handle the mobile application. That allows suppliers of GSM systems to offer their switches, familiar in many public telephone networks, as MSCs. SIEMENS with its EWSD technology and ALCATEL with the S12 and the E10 are well-known examples that benefit from such synergy. The modifications of exchanges required for the provision of mobile service affect, in particular, the assignment of user channels toward the BSS, for which the MSC is responsible, and the functionality to perform and control inter-MSC handover.

That defines two of the main tasks of the MSC. We have to add the interworking function (IWF), which is needed for speech and nonspeech connections to external networks. The IWF is responsible for protocol conversion between CC and the ISDN user part (ISUP), as well as for rate adaptation for data services.

Gateway MSC
An MSC with an interface to other networks is called a gateway MSC. Figure 8 shows a PLMN with gateway MSCs interfacing other networks. Network operators may opt to equip all of their MSCs with gateway functionality or only a few. Any MSC that does not possess gateway functionality has to route calls to external networks via a gateway MSC. The gateway MSC has some additional tasks during the establishment of a mobile terminating call from an external network. The call has to enter the PLMN via a gateway MSC, which queries the HLR and then forwards the call to the MSC where the called party is currently located.

Figure 8 The functionality of the gateway MSC.

The Relationship Between MSC and VLR


The sum of the MSC areas determines the geographic area of a PLMN. Looking at it another way, the PLMN can be considered as the total area covered by the BSSs connected to the MSCs. Since each MSC has its own VLR, a PLMN also could be described as the sum of all VLR areas. Note that a VLR may serve several MSCs, but one MSC always uses only one VLR. Figure 9 illustrates this situation. That relationship, particularly the geographic interdependency, allows for the integration of the VLR into the MSC.

All manufacturers of GSM systems selected that option, since the specification of the B-interface was not entirely available on time. In GSM Phase 2, the B-interface is no longer an open interface (as outlined above). It is expected that this trend will continue. A network operator still has the freedom to operate additional MSCs with a remote VLR, but that is somewhat restrictive in that all the MSCs must be supplied by the same manufacturer.

Figure 9 Geographic relationship between the MSC and the VLR.

Equipment Identity Register


The separation of the subscriber identity from the identifier of the MS (described in the previous slides) also bears a potential pitfall for GSM subscribers. Because it is possible to operate any GSM MS with any valid GSM SIM, an opportunity exists for a black market in stolen equipment. To combat that, the EIR was introduced to identify, track, and bar such equipment from being used in the network. Each GSM phone has a unique identifier, its IMEI, which cannot be altered without destroying the phone.

The IMEI contains a serial number and a type identifier. Like the HLR or the VLR, the EIR basically consists of a database. It maintains three lists:
o the white list contains all the approved types of mobile stations;
o the black list contains those IMEIs known to be stolen or to be barred for technical reasons; and
o the gray list allows tracing of the related mobile stations.

The prices for mobile equipment have fallen dramatically due to the great success of GSM. Consequently, the theft rate is low.

Figure 10 Contents of the EIR.

Several GSM operators have decided not to install the EIR or, at least, to postpone such installation for a while. If the EIR is installed, there is no specification on when the EIR should be interrogated. The EIR may be queried at any time during call setup or location update.

That is ALL for today!!!

I value your patience & time. THANK YOU VERY MUCH