2. Cellular Networks: Agenda
• Evolution of Cellular Networks
• Architectures
– AMPS
– GSM
• Security Mechanisms in GSM
3. Origin of Wireless Communications
• Wireless communications gained popularity in the 1930s
– Mainly used for public safety by police and other government organizations
– Not connected to the PSTN (Public Switched Telephone Network)
• First public mobile telephone service started in 1946 in the United States
– Using a single high power transmitter and large tower to cover an area of 50 km
4. Concept of Cellular Networks
• Instead of a single high power transmitter serving one large area, multiple low power transmitters serve multiple smaller areas (cells)
• Frequency can be reused by cells far away from each other, which improves spectrum usage
• A set of cells that do not share frequency form a cluster
• The cluster is then replicated throughout the desired communication area
5. Evolution of Cellular Networks
• Timeline: 1G → 2G → 2.5G → 3G → 4G
• Analog (1G) → Digital (2G onwards)
• Circuit-switching → Packet-switching
6. 1G Systems
• Goal: To develop a working system that could provide basic voice service
• Time frame: 1970-1990
• Technology: FDMA/FDD
• Example Systems:
– Advanced Mobile Phone System (AMPS-USA)
– Total Access Communication System (TACS-UK)
– Nordic Mobile Telephone (NMT-Europe)
• Incompatible analog systems
7. 2G Systems
• Goal: Digital voice service with improved quality, and also better data services
• Time frame: 1990-2000
• Technology: TDMA/TDD, CDMA
• Example Systems:
– Global System for Mobile (GSM-Europe)
– IS-136 (TDMA)
– IS-95 (CDMA)
8. 2.5G Systems
• Goal: To provide better data rates and a wider range of data services, and also act as a transition to 3G
• Time frame: 2000-2002
• Systems:
– IS-95B
– High Speed Circuit Switched Data (HSCSD)
– General Packet Radio Service (GPRS)
– Enhanced Data rates for GSM Evolution (EDGE)
9. 3G Systems
• Goal: High speed wireless data access and a unified universal standard
• Time frame: 2002-
• Two competing standards
– One based on GSM, IS-136 and PDC, known as 3GPP
– The other based on IS-95, named 3GPP2
• Complete move from circuit switching to packet switching
• Enhanced data rates of 2-20 Mbps
11. 4G Systems
• Future systems
• Goal:
– High mobility, high data rate, IP based network
– Hybrid network that can interoperate with other networks
12. AMPS
• 1G system developed by Bell Labs
• Analog system using FDMA/FDD
• 40 MHz of spectrum
• 842 channels
• Rate: 10 kbps
15. AMPS: Conventional Telephone → Cell Phone
• Call arrives at the MSC via the PSTN
• MSC then sends out a paging message via all BTS on the FCC (Forward Control Channel)
• The paging message contains the subscriber's Mobile Identification Number (MIN)
• The mobile unit responds with an acknowledgement on the RCC (Reverse Control Channel)
• MSC directs the BS to assign an FVC (Forward Voice Channel) and an RVC (Reverse Voice Channel)
16. AMPS: Cell Phone Initiates a Call
• Subscriber unit transmits an origination message on the RCC
• Origination message contains
– MIN
– Electronic Serial Number
– Station Class Mark
– Destination phone number
• If the BTS receives it correctly, it is passed on to the MSC
• MSC validates the information and connects the call
17. GSM: Architecture
• GSM system consists of three interconnected sub-systems
– Base Station Subsystem (BSS)
• Mobile Station (MS)
• Base Transceiver Station (BTS)
• Base Station Controller (BSC)
– Network Switching Subsystem (NSS)
• Mobile Switching Center (MSC)
• Home Location Register (HLR)
• Visitor Location Register (VLR)
• Authentication Center (AUC)
– Operation Support Subsystem (OSS)
• Operation Maintenance Centers
20. Security in GSM
• Principles
– Only authenticated users are allowed to access the network
– No user data or voice communication is transmitted in "clear text"
• The subscriber identity module (SIM) card is a vital part of GSM security. It stores
– International Mobile Subscriber Identity (IMSI)
– Ciphering Key Generating Algorithm (A8)
– Authentication Algorithm (A3)
– Personal Identification Number
– Individual Subscriber Authentication Key (Ki)
21. Security in GSM
• Mobile station contains
– A5 algorithm and IMEI
• The network stores
– A3, A5, A8 algorithms
• The Authentication Center stores
– IMSI
– Temporary Mobile Subscriber Identity (TMSI)
– Individual Subscriber Authentication Key (Ki)
22. Security in GSM: Authentication
Message sequence between the Network, the Mobile Station and the SIM:
• Network ↔ Mobile Station: Channel Establishment
• Mobile Station → Network: Identity (TMSI or IMSI)
• Network → Mobile Station: Authentication Request (RAND)
• Mobile Station → SIM: Run Authentication Algorithm (RAND)
• SIM → Mobile Station: Response (SRES, Kc)
• Mobile Station → Network: Authentication Response (SRES)
• RAND is a 128 bit random sequence
• SRES is the signed response generated for authentication
23. Authentication based on RAND
• At the Network end
– A3 Algorithm with inputs RAND (challenge) and Ki (128 bit) produces the expected SRES
– RAND (challenge) is transmitted to the mobile
• At the Mobile user end, in the SIM
– A3 Algorithm with inputs RAND (challenge) and Ki (128 bit) produces SRES, which is transmitted back to the base station
– A8 Algorithm with the same inputs produces Kc, used for encryption of user data and signaling data
• Proper authentication is completed if the result of comparing the two SRES values is zero
24. Security in GSM: Authentication
• Ki is known only to the operator who programs the SIM card, and is tied to the IMSI
• The IMSI should be transmitted as rarely as possible
• Only the TMSI is used for authentication
• The TMSI is periodically updated
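The challenge-response exchange of slides 22-24, as an added example that is not part of the original slides. GSM's A3 and A8 are operator-specific and not given on the slides, so this example substitutes keyed HMAC-SHA256 as a stand-in for both (an assumption); the bit lengths (128-bit RAND and Ki, 32-bit SRES, 64-bit Kc) follow the slides and the GSM specification. The IMSI and Ki values are constructed test data. Note what crosses the air interface: only RAND and SRES, never Ki or Kc.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Bit lengths from the slides: RAND and Ki are 128 bits; SRES (32 bits) and
# Kc (64 bits) are the standard GSM output sizes.
RAND_LEN, KI_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (operator-specific in GSM; HMAC-SHA256 is an assumption)."""
    assert len(ki) == KI_LEN and len(rand) == RAND_LEN
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: derives the 64-bit ciphering key Kc from Ki and RAND."""
    assert len(ki) == KI_LEN and len(rand) == RAND_LEN
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


class Sim:
    """SIM card: holds IMSI and Ki. Ki is never returned, only used inside."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_authentication_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Slide 22: 'Run Authentication Algorithm (RAND)' -> (SRES, Kc)."""
        return a3(self._ki, rand), a8(self._ki, rand)


class AuthenticationCenter:
    """AuC: stores IMSI -> Ki and produces (RAND, SRES, Kc) for the network."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(RAND_LEN)   # fresh 128-bit challenge per run
        ki = self._ki_by_imsi[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc: AuthenticationCenter, imsi: str, sim: Sim
                 ) -> Tuple[bool, Optional[bytes], Optional[bytes]]:
    """Network-side challenge/response. Returns (ok, Kc, TMSI).

    Only RAND and SRES cross the air interface; Ki and Kc do not.
    """
    rand, expected_sres, kc = auc.triplet(imsi)              # Authentication Request (RAND)
    sres, _sim_kc = sim.run_authentication_algorithm(rand)   # computed inside the SIM
    # Slide 23: authentication succeeds if comparing the two SRES values gives
    # zero; compare_digest is the constant-time form of that check.
    if not hmac.compare_digest(expected_sres, sres):
        return False, None, None
    # Slide 24: allocate a fresh TMSI so the IMSI need not be sent again.
    tmsi = secrets.token_bytes(4)
    return True, kc, tmsi


if __name__ == "__main__":
    # Constructed sample: an IMSI on the 001-01 test PLMN and a fixed Ki.
    imsi, ki = "001010123456789", bytes(range(KI_LEN))
    auc = AuthenticationCenter()
    auc.provision(imsi, ki)
    ok, kc, tmsi = authenticate(auc, imsi, Sim(imsi, ki))
    print("genuine SIM:", ok, kc.hex(), tmsi.hex())
    ok, kc, tmsi = authenticate(auc, imsi, Sim(imsi, bytes(KI_LEN)))
    print("wrong Ki   :", ok)
```

A SIM programmed with a different Ki produces a different SRES for the same RAND and is rejected; a genuine SIM derives the same Kc as the network without Kc ever being transmitted.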
25. Security in GSM: Data Encryption
• GSM uses symmetric cryptography
– Data is encrypted using an algorithm which is seeded by the ciphering key Kc
• Kc is known only to the base station and the mobile phone, and is frequently changed
• The A5 algorithm is used for ciphering the data
• Along with Kc, the algorithm is 'seeded' by a value based on the TDMA frame
• Internal state of the algorithm is flushed after a burst
26. Security in GSM: Authentication
• A5 algorithm inputs: Kc (from the A8 algorithm) and Count (from the TDMA frame)
• The A5 output (keystream) is XORed with the User Data to give the Encoded message
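The ciphering scheme of slides 25 and 26, as an added example that is not from the original slides. A5/1 itself is an LFSR-based stream cipher which this example does not implement; it substitutes the SHAKE-128 extendable-output function as a stand-in keystream generator (an assumption). What it does reproduce is the structure the slides describe: the generator is seeded with Kc and the TDMA frame Count, its output is XORed with the 114-bit burst payload, and no state carries over between bursts. The 22-bit Count width and 114-bit burst size come from the GSM specification; the Kc value is constructed.

```python
import hashlib
from typing import List

KC_LEN = 8             # Kc is 64 bits (output of A8)
COUNT_BITS = 22        # width of the TDMA frame number used as Count
COUNT_MASK = (1 << COUNT_BITS) - 1
BURST_BITS = 114       # payload bits in one burst, one direction
BURST_MASK = (1 << BURST_BITS) - 1


def keystream_bits(kc: bytes, count: int, direction: int) -> int:
    """Stand-in for A5 (assumption: SHAKE-128 XOF, not the real LFSR cipher).

    Kc and Count seed the generator, and nothing carries over from one burst
    to the next, which mirrors 'internal state is flushed after a burst'.
    direction 0 = downlink, 1 = uplink (separate keystreams per direction).
    """
    assert len(kc) == KC_LEN and 0 <= count <= COUNT_MASK
    assert direction in (0, 1)
    seed = kc + count.to_bytes(3, "big") + bytes([direction])
    raw = int.from_bytes(hashlib.shake_128(seed).digest(15), "big")  # 120 bits
    return raw & BURST_MASK                                          # keep 114


def cipher_burst(kc: bytes, count: int, direction: int, data: int) -> int:
    """XOR one 114-bit burst with the keystream. The same call decrypts."""
    assert 0 <= data <= BURST_MASK
    return data ^ keystream_bits(kc, count, direction)


def cipher_frames(kc: bytes, start_count: int, direction: int,
                  bursts: List[int]) -> List[int]:
    """Cipher consecutive bursts, advancing the frame Count for each one."""
    return [cipher_burst(kc, (start_count + i) & COUNT_MASK, direction, burst)
            for i, burst in enumerate(bursts)]


if __name__ == "__main__":
    kc = bytes.fromhex("0123456789abcdef")     # constructed Kc
    plaintext = [0x1234, BURST_MASK, (1 << 113) | 0x5]
    encoded = cipher_frames(kc, 1000, 0, plaintext)
    print([hex(b) for b in encoded])
    print(cipher_frames(kc, 1000, 0, encoded) == plaintext)   # decrypts back
```

Because the keystream depends on Count, two bursts carrying identical data are encoded differently, and the receiver only needs Kc plus the frame number it already tracks to recover the payload.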
27. Mobile IP: Agenda
• Why Mobile IP?
• Basic Principle of Mobile IP
• Route Optimization
28. IP Addressing
• Internet hosts/interfaces are identified by IP address
– Domain name service (DNS) translates host name to IP address
– IP address identifies host/interface and locates its network
Figure: two networks joined through the Internet, each behind a Gateway. ISU (129.168.*.*) contains Host 1 at 129.168.105.126 and MH at 129.168.105.124; PSU (130.203.*.*) contains Host 2 at 130.203.4.112.
29. Problems
• A host moving to another network requires a different network address
– But this would change the host's identity
– How can others still reach the moving host? How can ongoing connections to the moving host avoid being interrupted?
• Applications
– GPRS (2.5G), 3G cellular networks
– Mission-critical applications
• IP devices held by police, ambulance, coast guards are always connected when moving
– Moving offices, …
30. Routing for Mobile Host
Figure: MH = mobile host, CH = correspondent host. The MH moves from its Home network to a Foreign network while the CH continues to communicate with it.
How to direct packets to moving hosts transparently?
31. Mobile IP: Basic Idea
• An analogy: what do you do when moving from one apartment to another?
– Leave a forwarding address with your old post-office!
– The old post-office forwards mail to your new post-office, which then forwards it to you
• Mobile IP:
– Two other entities: home agent (old post-office), foreign agent (new post-office)
– Mobile host registers its new location with the home agent
– Home agent captures packets meant for the mobile host and forwards them to the foreign agent, which then delivers them to the mobile host
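The post-office idea of slide 31, as an added simulation that is not from the original slides and is not a Mobile IP implementation. It models the three steps the slide lists (registration with the home agent, capture of packets for the mobile host, forwarding to the foreign agent for delivery) with a constructed Packet type whose outer_dst field stands for the tunnel header. The addresses reuse the ISU (129.168.*.*) and PSU (130.203.*.*) prefixes from slide 28; the foreign agent's care-of address 130.203.4.1 is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed addresses; prefixes follow slide 28, the care-of address is assumed.
HOME_PREFIX = "129.168."
MH_HOME_ADDR = "129.168.105.124"
CH_ADDR = "130.203.4.112"
FA_CARE_OF_ADDR = "130.203.4.1"


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    outer_dst: Optional[str] = None   # set while tunnelled HA -> FA (IP-in-IP)


class HomeAgent:
    """Old post-office: keeps forwarding addresses for hosts that moved away."""

    def __init__(self, prefix: str) -> None:
        self.prefix = prefix
        self.bindings: Dict[str, str] = {}   # home address -> care-of address

    def register(self, home_addr: str, care_of: str) -> None:
        """The mobile host registers its new location (slide 31)."""
        self.bindings[home_addr] = care_of

    def deregister(self, home_addr: str) -> None:
        self.bindings.pop(home_addr, None)

    def handle(self, pkt: Packet, trace: List[str]) -> Packet:
        care_of = self.bindings.get(pkt.dst)
        if care_of is None:
            trace.append(f"HA: {pkt.dst} is at home, deliver on home network")
            return pkt
        trace.append(f"HA: captured packet for {pkt.dst}, tunnel to FA {care_of}")
        pkt.outer_dst = care_of           # encapsulate: outer header addressed to the FA
        return pkt


class ForeignAgent:
    """New post-office: decapsulates and hands packets to visiting hosts."""

    def __init__(self, care_of: str) -> None:
        self.care_of = care_of
        self.visitors: Set[str] = set()

    def attach(self, home_addr: str) -> None:
        self.visitors.add(home_addr)

    def handle(self, pkt: Packet, trace: List[str]) -> Optional[Packet]:
        pkt.outer_dst = None              # strip the tunnel header
        if pkt.dst not in self.visitors:
            trace.append(f"FA: no visitor {pkt.dst}, drop")
            return None
        trace.append(f"FA: decapsulated, delivered to MH {pkt.dst}")
        return pkt


def send(pkt: Packet, ha: HomeAgent, fas: Dict[str, ForeignAgent]
         ) -> Tuple[Optional[str], List[str]]:
    """Route one packet. Returns (address it was delivered to, or None, trace)."""
    trace = [f"{pkt.src} -> {pkt.dst}: '{pkt.payload}'"]
    if not pkt.dst.startswith(ha.prefix):
        trace.append("not a home-network address; normal routing")
        return pkt.dst, trace
    pkt = ha.handle(pkt, trace)           # home-prefix traffic reaches the HA
    if pkt.outer_dst is None:
        return pkt.dst, trace             # delivered on the home network
    delivered = fas[pkt.outer_dst].handle(pkt, trace)
    return (delivered.dst if delivered else None), trace


def demo() -> Tuple[List[str], List[str]]:
    """Same CH -> MH packet before and after the MH moves to the foreign network."""
    ha = HomeAgent(HOME_PREFIX)
    fa = ForeignAgent(FA_CARE_OF_ADDR)
    fas = {fa.care_of: fa}
    _, at_home = send(Packet(CH_ADDR, MH_HOME_ADDR, "hello"), ha, fas)
    fa.attach(MH_HOME_ADDR)               # MH attaches to the foreign agent...
    ha.register(MH_HOME_ADDR, fa.care_of)  # ...and registers with its home agent
    _, away = send(Packet(CH_ADDR, MH_HOME_ADDR, "hello again"), ha, fas)
    return at_home, away


if __name__ == "__main__":
    for line in sum(demo(), []):
        print(line)
```

The correspondent host addresses both packets to the same home address and never learns that the mobile host moved; only the home agent's binding table and the foreign agent's visitor list change.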