elbowshelmetNetworking and Communications

Oct 30, 2013 (4 years and 8 months ago)



Study of GSM



GSM (Global System for Mobile communications) is an open, digital cellular technology used
for transmitting mobile voice and data services.

GSM supports voice calls and data transfer
speeds of up to 9.6 kbps, together with
the transmission of SMS (Short Message Service).

operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the
US. GSM services are also transmitted via 850MHz spectrum in Australia, Canada and many
Latin American countries.
The use of harmonised spectrum across most of the globe, combined
with GSM’s international roaming capability, allows travellers to access the same mobile
services at home and abroad. GSM enables individuals to be reached via the same mobile
number in up t
o 219 countries.

Terrestrial GSM networks now cover more than 90% of the
world’s population. GSM satellite roaming has also extended service access to areas where
terrestrial coverage is not available.

GSM Architecture

network can be divided into t

main parts:

he Base Station Subsystem (BSS)

The Networ
k and Switching Subsystem (NSS)

The Operat
ion and Support Subsystem (OSS)

Radio Station Subsystem

The RSS provides the interface between the ME and the NSS. It is in charge of the transmission

reception. It may be divided into two parts:

Base Station Controller (BSC):

It controls a group of BTSs and manages their radio
ressources. A BSC is principally in charge of handoffs, frequency hopping, exchange
functions and power control over each manag
ed BTSs.

Base Transceiver Station (BTS) or Base Station:

t maps to transceivers and antennas
used in each cell of the network. It is usually placed in the center of a cell. Its transmitting
power defines the size of a cell. Each BTS has between 1
16 trans
ceivers depending on
the density of users in the cell.

Mobile Station

A Mobile Station consists of two main elements:


The Subscriber Identity Module (SIM):

It is protected by a four
digit Personal
Identification Number (PIN). In order to identify the subsc
riber to the system, the
SIM card contains amongst others a unique International Mobile Subscriber
Identity (IMSI). User mobility is provided through maping the subscriber to the
SIM card rather than the terminal as we done in past cellular systems.



equipment/terminal (ME)

The actual device used for communication.


GSM Architecture

The Networ
k and Switching Subsystem (NSS)

Its main role is to manage the communications between the mobile users and other users, such as
mobile users, ISDN users,
fixed telephony users, etc. It also includes data bases needed in order
to store information about the subscribers and to manage their mobility. The different
components of the NSS are described below.


the central component of the NSS. The MSC perform
s the switching functions of
the network. It also provides connection to other networks.


A gateway that interconnects two networks: the cellular network and the PSTN.
It is in charge of routing calls from the fixed network towards a GSM user. The GMS
C is
often implemented in the same machines as the MSC.


The HLR stores information of the

belonging to the coverage area of a
MSC; it also stores the current location of these subscribers and the services to which
they have access. The loc
ation of the subscriber maps to the SS7 address of the Visitor
Location Register (VLR) associated to the MN.


contains information from a subscriber's HLR necessary to provide the subscribed
services to visiting users. When a subscriber enters the cove
ring area of a new MSC, the
VLR associated to this MSC will request information about the new subscriber to its
corresponding HLR. The VLR will then have enough data to assure the subscribed
services without needing to ask the HLR each time a communication

is established. The
VLR is always implemented together with a MSC; thus, the area under control of the
MSC is also the area under control of the VLR.

GSM Interworking Uni
t (GIWU):

The GIWU provides an
interface to various
networks for data communications.

During these communications, the transmission of
speech and data can be alternated.

Operation and Support Subsystem (OSS)

It is connected to components of the NSS and the BSC, in order to control and monitor the GSM
system. It is also in charge of control
ling the traffic load of the BSS. It must be noted that as the
number of BS increases with the scaling of the subscriber population some of the maintenance
tasks are transferred t
o the BTS, allowing savings in
the cost of ownership of the system.

ation Center (AuC):

It serves security purposes; it provides the parameters
needed for authentication and encryption functions. These parameters allow verification
of the subscriber's identity.

Equipment Identity Register (EIR):

EIR stores security
ve information about the
mobile equipments. It maintains a list of all valid terminals as identified by their
International Mobile Equipment Identity (IMEI). The EIR allows then to forbid calls
from stolen or unauthorized terminals (e.g, a terminal which d
oes not respect the
specifications concerning the output RF power).

GSM Protocol stack


Protocol Architecture for

Above figure
shows the architecture of protocols used within the GSM system, with

protocols, interfaces as well as the en

Again the main area of focus is in the Um interface, this is because the other interfaces occur
between entities in a fixed network. The physical layer, Layer 1 handles all the radio specific
functions. This
layer includes the creation of bursts according to the five different formats, the
multiplexing of bursts into TDMA frames,

with the BTS, detection of the idle
channels and the measurement of the channel quality on the downlink. At Um, the
physical layer
uses GSMK (Gaussian Shift Minimum Keying) for the digital modulation and performs
encryption/decryption of data This means that encryption is not performed end
end, but only
between MS and BTS over the air interface.


lso includes the correction of the individual path delay between the MS
and the BTS, all MSs within a cell can use the same BTS and hence must be

to the
BTS. This is due to the fact that the BTS generated the time
structure of the frames and s
lots etc.
This can be problematic since in this context there are different RTTs (Round Trip Time).
Therefore the BTS sends the current RTT to MS, which then adjusts its access time so that all
bursts reach the BTS within their limits.

The physical layer
has several main tasks that comprise the channel coding, error
detection/correction; this is directly combined with the coding mechanisms. FEC (Forward Error
Correction) is used extensively in the coding channel, FEC adds redundancy to the user data,
allowing for the detection and correction of selected errors. The power of the FEC scheme
depends on the amount of redundancy, coding algorithm, and any further interleaving of data to

the effects of burst errors. Whats

more the FEC is the reason
that error
detection/correction occurs in the physical layer. This differs to the ISO/OSI reference model
where it occurs in layer two. The GSM physical layer tries to correct errors, however it does not
deliver erroneous data to the higher layers.

GSM logical channels use different coding schemes with different correction capabilities, for
example speech channels need the additional coding of voice data after analogue to digital
conversion. This is in order to reach a data rate of 22.8 kbit/s (using

the 13 kbit/s from the voice
codec plus redundancy, CRC bits,
and interleaving
. When GSM was envisaged it was assumed
that voice would be the main service so the physical also contains special functions, for instance
VAD (Voice Activity Detection), which
transmits voice data only when there is a voice signal.
In the duration between voice activity, the physical layer generates a comfort noise to fake a
connection, however no actual transmission takes place.


between the entities within the GSM net
work requires the use

of the higher layers
. For
this, the LAPDm (Link Access Procedure for the D
Channel) protocol has been defined at the
Um interface for layer two. LAPDm is a lightweight version of LAPD, in that it does not require


or check summing for error detection, these are not needed as these
functions are already performed in the physical layer of the GSM network. LAPDm, however
offers reliable data transfer over connections, re
sequencing of data frames and flow control. Due

to the fact that there is no buffering between layer one and two, the LAPDm has to obey the
frame structures, recurrence patterns etc defined for the reassembly of data and
acknowledged/unacknowledged data transfer.

Layer three in the GSM network
is made
up of several sublayers,

the lowest sublayer is the RR
(Radio Resource Management). Only part of this layer the RR', is implemented in the BTS, the
remainder of the RR is situated in the BSC. The BSC via the BTSM (Base Transceiver Station
Management) are r
esponsible for the functions of the RR'. The RR' has the function of setting up,
maintenance and release of the radio channels. Also the RR' has direct access to the physical
layer for radio information and offers a reliable connection to next higher layer

Radio Resource Management (RR) is a protocol to create, maintain and delete radio link
channels. RR´ defines a subset of RR. This protocol is also responsible for measuring the
channel quality measurement, radio field strength and synchronization control
, handover
and data ciphering. A RR message contains a protocol discriminator for protocol
identification, a transaction ID, and a message type. The data itself is carried in an
Information Element (IE) of fixed or variable length (here, an additional Leng
th Indicator
(IE) is necessary).

Mobility Management (MM) is a protocol for supporting Terminal Equipment (TE)
mobility. MM procedures need a pre
established RR connection consisting of a logical
channel and a LAPDm connection. Signaling is carried out bet
ween the MS and the
MSC, thus it is transparent to the BSS. There are three MM procedure categories:


Common procedures like TMSI reallocation, authentication, identity requests, and
IMSI detachments can always be carried out independently of each other.


Specific procedures are mutually exclusive.

A specific procedure like a lo
update and an IMSI attachment cannot be executed as long as another one is being
executed. Specific procedures are also mutually exclusive to MM


Mobility manageme
nt procedures create, maintain and tear down MM
connections. MM connections are created upon requests from the higher Call
Management (CM) sublayer. Each CM instance is assigned its own MM

Call Management (CM) is a protocol containing three sub


Call Control (CC) creates, maintains and deletes calls. Several parallel calls can
be established. Thus for each call, one CC instance is created in the MS, and
another one in the MSC. CC instances communicate with each other via dedicated
MM in
stances they own.


The Short Message Service (SMS) is divided into the SMS Control Layer (SMS
CL) and the SMS Relay Layer (SMS
RL). These layers need previously
established MM, RR and LAPDm connections.


Supplementary Services (SS) provide an entry point t
o access the GSM
supplementary services. Applications from upper layers may enter the CM via the
Service Access Points (SAP) MNCC
SAP or
bypass the CM by directly entering the MMREG
SAP of MM.

Signaling Connection Control Part (SCCP
) is a SS7 protocol for establishing and
maintaining identifiable control connections. At the A
interface, SCCP offers connection
oriented and connectionless transport services.

Base Station System Application Part (BSSAP) is a signaling protocol at the A
BSSAP uses services offered by the SCCP and is further divided into three sub


The Direct Transfer Application Part (DTAP) offers services for signaling
between the MS and the MSC (CM,MM). DTAP signals only use connection
oriented SCCP ser


The Base Station System Management Application Part (BSSMAP) transports
signals concerning a single MS, physical channels of the radio link as well as
global commands for the BSC resource management between an MSC and an
BSC. BSSMAP procedures use
connection oriented and connectionless SCCP


The Base Station System Operation and Maintenance Application Part
(BSSOMAP) transports network management messages from the OMC over the
MSC to a BSC.

Mobile Application Part (MAP) is the GSM specifi
c enhancement of SS7 for


management of roaming functions like location registration/updating, IMSI
attach/detach and handover


subscriber management


IMEI management


authentication and identification



MAP has special interfaces to other GSM network node

Localization and calling

One of the main features of GSM system is the automatic, worldwide

of it's users.
The GSM system always knows where a user is currently located, and the same phone number is
valid worldwide. To have this ability the

GSM system performs periodic location updates, even
if the user does not use the MS, provided that the MS is still logged on to the GSM network and
is not completely switched off. The HLR contains information about the current location, and the
VLR that i
s currently responsible for the MS informs the HLR about the location of the MS
when it changes. Changing VLRs with uninterrupted availability of all services is also called
roaming. Roaming can take place within the context of one GSM service provider or
two providers in one country, however this does not normally happen but also between different
service providers in different countries, known as international roaming.

To locate an MS and to address the MS, several numbers are needed:

(Mobile Stat
ion International ISDN Number):

The only important number
for the user of GSM is the phone number, due to the fact that the phone number is only
associated with the SIM, rather than a certain MS. The MSISDN follows the E.164, this
standard is a
lso used in fixed ISDN networks.

IMSI (Internatio
nal Mobile Subscriber Identity):

GSM uses the IMSI for internal
unique identification of a subscriber.

TMSI (Temporary Mobile Sub
scriber Identity):

To disguise the IMSI that would give
the exact identity of
the user which is signaling over the radio air interface, GSM uses the
4 byte TMSI for local subscriber identification. The TMSI is selected by the VLR and
only has temporary validity within the location area of the VLR. In addition to that the
VLR will ch
ange the TMSI periodically.

MSRN (Mobile Statio
n [Subscriber] Roaming Number:

This is another temporary
address that disguises the identity and location of the subscriber. The VLR generates this
address upon request from the MSC and the address is also sto
red in the HLR. The
MSRN is comprised of the current VCC (Visitor Country Code), the VNDC (Visitor
National Destination Code) and the identification of the current MSC together with the
subscriber number, hence the MSRN is essential to help the HLR to find

a subscriber for
an incoming call.

All the numbers described above are needed to find a user within the GSM system, and to
maintain the connection with a mobile station. The following scenarios below shows a MTC
(Mobile Terminate Call) and a MOC (Mobile O
riginated Call).

MTC (Mobile Terminate Call)


The PSTN subscriber dials the MS’s telephone number (MSISDN), the MSISDN is
analyzed in the PSTN, which identifies that this is a call to a mobile network subscriber.
A connection is established to the MS’s home

GMSC. The PSTN sends an Initial
Address message (IAM) to the GMSC.


The GMSC analyzes the MSISDN to find out which HLR, the MS is registered in, and
queries the HLR for information about how to route the call to the serving MSC/VLR.
The HLR looks up the MS
ISDN and determines the IMSI and the SS7 address for the
MSC/VLR that is servicing the MS. The HLR also checks if the service, “call forwarding
to C
number” is activated, if so, the call is rerouted by the GMSC to that number.


The HLR then contacts the ser
vicing MSC/VLR and asks it to assign a MSRN to the call.

Mobile Station Routing Number].


The MSC/VLR returns an MSRN via HLR to the GMSC.


MTC (Mobile Terminate Call)


The GMSC sends an Initial Addressing message (IAM) to the servicing MSC/VLR

uses the MSRN to route the call to the MSC/VLR. Once the servicing MSC/VLR
receives the call, the MSRN can be released and may be made available for reassignment.


The MSC/VLR then orders all of its BSCs and BTSs to page the MS. Since the
MSC/VLR does
not know exactly which BSC and BTS the MS is monitoring, the page
will be sent out across the entire Location Area(LA).


When the MS detects the paging message to the BTS’s in the desired LA. The BTS’s
transmit the message over the air interface using PCH.

To page the MS, the network uses
an IMSI or TMSI valid only in the current MSC/VLR service area.


When the MS detects the paging message, it sends a request on RACH for a SDCCH.


The BSC provides a SDCCH, using AGCH.


SDCCH is used for the call set
up proced
ures. Over SDCCH all signaling preceding a
call takes place. This includes: Marking the MS as “active” in the VLR. Authentication
procedure (Start ciphering, Equipment identification).


The MSC/VLR instructs the BSC/TRC to allocate an idle TCH. The BTS and
MS are
told to tune to the TCH. The mobile phone rings. If the subscriber answers, the
connection is established.

MOC (Mobile Originated Call)


MOC (Mobile Originated Call)

It is much simpler to perform a mobile originated call(
MOC) compared to a MTC. The MS
transmits a request for new connection(1), the BSS forwards this request to MSC(2). The MSC
then checks if this user is allowed to set up a call with re
quested service(3 and 4) and checks if
the availability of resources
through the GSM network and into the PSTN. If all resources are
available, the MSC sets up a connection between the MS and fixed network.

In addition to the steps mentioned above, other messages are exchanged between MS and BTS as
shown in following figure


ther messages are exchanged between MS and BTS

GSM Handover

Handover is the procedure that transfers an ongoing call from onecell to another as the user’s
moves through the coverage area of cellular system. The purpose of the handover procedure i
t to
preserve ongoing calls when the mobile station moving from one cell to another. In GSM
measurements reports to perform the handover, which is made by the serving BSC which has no
direct knowledge of the radio quality. These measurements reports contai
n the radio signal
quality of the downlink from the BTS to MSC of the call and up to five neighboring cells. The
serving BTS measures the uplink from the MSC to BTS radio signal quality of the call and
forward in the measurements reports. The information i
n the measurements reports the BSC is
able to decide whether a handover to another cell is needed. These

measurements reports are
periodically transmitted from the MSC to BSC on the SACCH channel assigned to each
communication for every connection.
Handover initiation is the process of deciding when a
request to a handover. Handover is based on received signal strength (RSS)

from the current base
station and the neighboring base station.

There are different categories of GSM handover which involves
different parts of the GSM
network. Changing cells within the same BTS is not complicated as the changing of the cell
belonging to different MSC. There are mainly two reasons for this kind of handover. The mobile
station moves out of the range station or t
he antenna of BTS respectively. Secondly the wire
infrastructure the MSC or the BSC may decide that the traffic in one cell is too high and move
some to other cells with lower load. These are the main reasons that initiate different kinds of
handover. Foll
owing are the different kinds of handover and their details.


Handovers in GSM


cell BTS Handover:

The terms intra
cell and intra BTS handover are used both for frequency change. There is
a slight between them but usually they are considered th
e same. The term intra
handover in not real as it deals with the frequency change of a going call. The frequency
change occur when the quality of the communication link degrading and the
measurements of the neighboring cells better than the current ce
ll. In this situation the
BSC which controls the BTS serving the MSC order the MSC and BTS to switch to
another frequency which offers better communication link for the call. The
communication link degradation is caused by the interference as the neighbori
ng cell
using the same frequencies and its better to try another channel. In the intra BTS
handover cell involved are synchronized.


BSC Handover:

The intra
BSC handover is performed when the MSC changes the BTS but not the BSC.
The intra

BSC handover is entirely carried out by the BSC, but the MSC is notified
when the handover has taken place. If the targeted cell is in different location area then
the MSC needs to perform the location updates procedure after the call. In the intra
dover both synchronized and non synchronized handover are possible.


MSC Handover:

In the intra
MSC handover when the BSC decides that handover is required but the
targeted cell is controlled by different BSC then it needs assistance form the connec
MSC. In comparison to the pervious handover discussed the MSC mandatory for this
kind of handover. Responsibilities of the MSC do not include processing the
measurements of the BTS or MSC but to conclude the handover. This kind of handover
can be other

MSC or Inter
MSC. In the intra
MSC handover the targeted cell is
allocate in different BSC connected by the same MSC. The MSC contacts the targeted
BSC for allocation of the required resources and inform the BSC when they are ready.
After the succes
sful resources allocation the MSC instructed to access the new channel
and the call is transferred to the new BSC.


MSC Handover:

The inter
MSC handover is performed when the two cells belonging to different MSC in
the same system. In the
MSC handover the targeted cell is connected is connected t
different MSC

than the one cu
rrently serving the call MSC.

GSM Security

The security methods standardized for the GSM System make it the most secure cellular
telecommunications standard
currently available. Although the confidentiality of a call and
anonymity of the GSM subscriber is only guaranteed on the radio channel, this is a major step in
achieving end

end security.

The subscriber's anonymity is ensured through the use of tempor
ary identification numbers. The
confidentiality of the communication itself on the radio link is performed by the application of
encryption algorithms and frequency hopping which could only be realized using digital systems
and signaling.

Mobile Station Au

The GSM network authenticates the identity of the subscriber through the use of a
response mechanism. A 128
bit random number (RAND) is sent to the MS.
The MS computes the 32
bit signed response (SRES) based on the encryption of the

random number (RAND) with the authentication algorithm (A3) using the individual
subscriber authentication key (Ki). Upon receiving the signed response (SRES) from the
subscriber, the GSM network repeats the calculation to verify the identity of the

The calculation of the signed response is processed within the SIM. This provides
enhanced security, because the confidential subscriber information such as the IMSI or
the individual subscriber authentication key (Ki) is never released from the SIM

the authentication process.

Signaling and Data Confidentiality:

The SIM contains the ciphering key generating algorithm (A8) which is used to produce
the 64
bit ciphering key (Kc). The ciphering key is computed by applying the same
random number (R
AND) used in the authentication process to the ciphering key
generating algorithm (A8) with the individual subscriber authentication key (Ki). As will
be shown in later sections, the ciphering key (Kc) is used to encrypt and decrypt the data
between the MS

and BS.

An additional level of security is provided by having the means to change the ciphering
key, making the system more resistant to eavesdropping. The ciphering key may be
changed at regular intervals as required by network design and security consid
erations. In
a similar manner to the authentication process, the computation of the ciphering key (Kc)
takes place internally within the SIM. Therefore sensitive information such as the
individual subscriber authentication key (Ki) is never revealed by the


Encrypted voice and data communications between the MS and the network is
accomplished through use of the ciphering algorithm A5. Encrypted communication is
initiated by a ciphering mode request command from the GSM network. Upon receipt of
this comm
and, the mobile station begins encryption and decryption of data using the
ciphering algorithm (A5) and the ciphering key (Kc).

Subscriber Identity Confidentiality:

To ensure subscriber identity confidentiality, the Temporary Mobile Subscriber Identity
SI) is used. The TMSI is sent to the mobile station after the authentication and
encryption procedures have taken place. The mobile station responds by confirming
reception of the TMSI. The TMSI is valid in the location area in which it was issued. For
munications outside the location area, the Location Area Identification (LAI) is
necessary in addition to the TMSI.


Hence we studied GSM model, its architecture, protocol stack, calling and
localization and security.