Académique Documents
Professionnel Documents
Culture Documents
Yes GSM, Bluetooth, WCDMA, Wireless LAN, 802.XX, Satellite.. Wow many ..
GSM Security
1G
2G
2.5G
3G
4G
Analog
Digital
Circuit-switching
Packet-switching
1G Systems
Goal: To develop a working system that could provide basic voice service Time frame: 1970-1990 Technology: FDMA/FDD Example Systems: Advanced Mobile Phone System (AMPS-USA) Total Access Communication System (TACS-UK) Nordic Mobile Telephone (NMT-Europe) Incompatible analog systems
2G Systems
Goal: Digital voice service with improved quality and also provide better data services Time Frame: 1990- 2000 Technology: TDMA/TDD, CDMA Example Systems: Global System for Mobile (GSM-Europe) IS-136(TDMA) IS-95 (CDMA)
2.5G Systems
Goal: To provide better data rates and wider range of data services and also act as a transition to 3G Time frame: 2000-2002 Systems: IS-95B High Speed Circuit Switched Data (HSCSD) General Packet Radio Service (GPRS) Enhanced Data rates for GSM Evolution (EDGE)
3G Systems
Goal: High speed wireless data access and unified universal standard Time frame: 2002 Two competing standards One based on GSM, IS-136 and PDC known as 3GPP Other based on IS-95 named 3GPP2 Completely move from circuit switching to packet switching Enhanced data rates of 2-20Mbps
10
4G Systems
Future systems Goal: High mobility, High data rate, IP based network Hybrid network that can interoperate with other networks
11
Briefly on 1G
12
AMPS
1G system developed by Bell Labs Analog system used FDMA/FDD 40Mhz of spectrum 842 channels rate: 10kbps
13
AMPS: Architecture
BTS
BTS
MTSO (MSC)
BTS
BTS MTSO: Mobile Telecommunication Switching Office Also known as MSC (Mobile Switching Center) BTS: Base Transceiver Station
14
BTS
BTS
15
16
Subscriber unit transmits an origination message on the RCC Origination message contains MIN Electronic Serial Number Station Class Mark Destination phone number If BTS receives it correctly then it is passed on to MSC MSC validates the information and connects the call
17
GSM: Architecture
GSM system consists of three interconnected sub-systems Base station Subsystem Mobile station (MS) Base Transceiver Station (BTS) Base Station Controllers (BSC) Network Switching Subsystem (NSS) Mobile Switching Center (MSC) Home Location Register (HLR) Visitor Location Register (VLR) Authentication center (AUC) Operation Support Subsystem Operation Maintenance Centers
18
GSM: Architecture
Mobile Stations
Network Management
OMC
BTS
Exchange System
VLR
BTS BSC MSC HLR BTS EIR AUC
19
GSM
BTS BTS
BTS
BTS BTS BTS
BSC
BSC BTS BTS Base Station Subsystem The BTS provides last mile connection to the MS and communication is between the BTS and MS BSCs connect the MS to the NSS Handover between BTS within same BSC is handled by the BSC
20
GSM
Network Switching Subsystem BTS BTS BTS BSC HLR VLR AUC
BTS
MSC BTS BTS BSC BTS BTS Base Station Subsystem Operation Support Subsystem
21
Public Networks
OSS
22
The MS consists of the physical equipment, such as the radio transceiver, display and digital signal processors, and the SIM card. It provides the air interface to the user in GSM networks. As such, other services are also provided, which include:
23
GSM network areas: In a GSM network, the following areas are defined: Cell: Cell is the basic service area: one BTS covers one cell. Each cell is given a Cell Global Identity (CGI), a number that uniquely identifies the cell.
24
The international mobile station equipment identity (IMEI) uniquely identifies a mobile station internationally. It is a kind of serial number. The IMEI is allocated by the equipment manufacturer and registered by the network operator and registered by the network operator who stores it in the EIR. By means of
25
Mobile Subscriber ISDN Number ( MSISDN): The real telephone number of a mobile station is the mobile subscriber ISDN number (MSISDN). It is assigned to the subscriber (his or her SIM, respectively), such that a mobile station set can have several MSISDNs depending on the SIM. Mobile Station Roaming Number ( MSRN): The Mobile Station Roaming Number ( MSRN)
26
Temporary Mobile Subscriber Identity (TMSI): The VLR, which is responsible for the current location of a subscriber, can assign a temporary mobile subscriber identity (TMSI) which has only local significance in the area handled by the VLR. It is stored on the network side only in the VLR and is not passed to the HLR.
27
When a mobile subscriber makes a call to a PSTN telephone subscriber, the following sequence of events takes place: The MSC/VLR receives the message of a call request. The MSC/VLR checks if the mobile station is authorized to access the network. If so, the mobile
28
The BSC allocates the traffic channel and passes the information to the mobile station. The called party answers the call and the conversation takes place.
The mobile station keeps on taking measurements of the radio channels in the present cell and neighboring cells and passes the information to the BSC. The BSC decides if
29
When a PSTN subscriber calls a mobile station, the sequence of events is as follows:
The Gateway MSC receives the call and queries the HLR for the information needed to route the call to the serving MSC/VLR. The GMSC routes the call to the MSC/VLR. The MSC checks the VLR for the location area
30
32
Encryption Implementation
A cell phone call placed on a GSM network goes through two steps.
Any mobile device must first be authenticated before any data transmission can begin. Following successful authentication, a private key, Kc, is generated for data exchange. Authentication is done through a challenge and response mechanism.
33
The base station initially sends out a random 128-bit number, r, to the mobile device. Using A3 encryption, with inputs Ki from the SIM and the random number r, a 32-bit encrypted number SRES is generated. The mobile device then sends the SRES generated number back to the network for validation. The network itself knows the mobile devices Ki and can thus compare the value it generated to the value the mobile device generated. Authentication is successful if both numbers are identical.
34
Security in GSM
Principles Only authenticated users are allowed to access the network No user data or voice communication is transmitted in clear text The subscriber identity module (SIM) card is a vital part of GSM security. It stores International Mobile Subscriber Identity (IMSI) Ciphering Key Generating Algorithm (A8) Authentication Algorithm (A3) Personal Identification Number Individual Subscriber Authentication Key (Ki)
35
SIM Anatomy
Subscriber Identification Module (SIM) Smart Card a single chip computer containing OS, File System, Applications Protected by PIN Owned by operator (i.e. trusted) SIM applications can be written with SIM Toolkit
36
SIM Anatomy
37
Microprocessor Card
Typical specification 8 bit CPU 16 K ROM 256 bytes RAM 4K EEPROM Cost: $5-50
Smart Card Technology Based on ISO 7816 defining Card size, contact layout, electrical characteristics I/O Protocols: byte/block based File Structure
38
Security in GSM
Mobile station contains A5 algorithm and IMEI The network stores A3, A5, A8 algorithms The Authentication Center stores IMSI Temporary Mobile Subscriber Identity (TMSI) Individual Subscriber Authentication Key (Ki)
39
Network
Authentication Response (SRES)
RAND is 128 bit random sequence SRES is signed response generated for authentication
RAND (challenge)
A3 Algorithm Ki (128 bit) A8 Algorithm
Transmitted back to base station Kc used for encryption of user data and 41 signaling data
42
43
USER
Ki From SIM r 128-Bit from Network
NETWORK
Ki Known r 128-Bit from Network
A3
SRES 32-Bit
A3
SRES 32-Bit
44
A8 Key Generation
If authentication is successful, a connection is made and a new key, Kc, is generated to be shared by the user and network. The key is User and Network generated by applying an A8 algorithm on values Ki and the random value r. By doing this, a private key Kc will be generated for later use when transferring information. A8
Ki From SIM r From network Kc Private Key for both user and network
45
With a private key Kc generated, information can be exchanged between two parties. GSM voice ciphers by using the A5 algorithm with User and Network inputs Kc, which is known by both parties, and Communication the incoming data. At that point data encryption and decryption is completed.
Kc Kc DATA
A5
CIPHERED DATA
A5
46
48
49