
CS 8803 - Cellular and Mobile Network Security:
GSM - In Detail
Professor Patrick Traynor
9/27/12
Georgia Tech Information Security Center (GTISC)
Wednesday, September 26, 12

Cellular Telecommunications

Architecture
Background
Air Interfaces
Network Protocols
Application: Messaging
Research


GSM

The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications, with well over 5 billion users.

As a comparison, there are approximately 1.5 billion Internet users.

The architectures of other networks are similar, so knowing how to speak GSM will get you a long way in this space.


Wireless Signaling and Control in GSM

Common Control Channel
Structure
Broadcast Channels
Channel Access from Mobile
Procedures and Messages for Call Control

Traffic Channel
Structure
Handoffs


GSM Control Functions

Read System Parameters


Register
Receive and Originate Calls
Manage Handoffs


GSM Structure

[Figure: Traffic Channel (per user in a call), TCH (13 KBps); Common Control Channel (CCCH)]

Common Control Channel (CCCH)
Used for control information: registration, paging, call origination/termination.

Traffic Channel (TCH)
Information transfer
In-call control (fast/slow associated control channels)


GSM TDMA Frames

[Figure: one TDMA frame of 8 slots (Slot 0 ... Slot 7); frames numbered Frame 0, Frame 1, Frame 2, ..., Frame 50]

Frame: 4.615 msec
51 Multiframe: 235.365 msec

From Frames to Channels

[Figure: slots 0-7 of one frame (Frame: 4.615 ms) mapped into the 26 Multiframe (120.00 ms)]


GSM CCCH

Random Access Control Channel (RACH): Reverse (MS -> BS)
Paging and Access Grant Channel (PAGCH): Forward (BS -> MS); made up of the PCH and the AGCH
Broadcast Control Channel (BCCH): Forward (BS -> MS)
Synchronization Channel (SCH): Forward (BS -> MS)
Frequency Correction Channel (FCCH): Forward (BS -> MS)


GSM CCCH Structure

[Figure: one TDMA frame of 8 slots (Slot 0 ... Slot 7), Frame: 4.615 msec; 51 Multiframe: 235.365 msec, Frame 0 ... Frame 50]

Channel Name (Frame #) within the 51 multiframe:

Downlink: FCCH (0), SCH (1), BCCH (2-5), PAGCH (6-9), FCCH (10), SCH (11), PAGCH (12-19), FCCH (20), SCH (21), PAGCH (22-29), FCCH (30), SCH (31), PAGCH (32-39), FCCH (40), SCH (41), PAGCH (42-49), I (50) (idle)

Uplink: RACH (0) ... RACH (50)

CCCH/RACH always uses Slot 0 of each frame; the other seven slots are for TCH.
TCH: the 26 multiframe repeats every 120 msec (the 13th and 16th frames are used by the Slow Associated Control Channel (SACCH) or are idle).
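The slot-0 channel map above, as an added example (not code from the lecture): it encodes the 51-multiframe table for the downlink and uplink, converts frame counts to milliseconds with the slide's 4.615 msec frame, and computes how many frames a mobile must wait to find FCCH, SCH and then BCCH in order, which is the acquisition sequence the slides describe. Slot numbering and the "slot 0 = CCCH, slots 1-7 = TCH" rule are taken from the slide; the IDLE label for frame 50 expands the slide's "I (50)".

```python
FRAME_MS = 4.615        # one TDMA frame (8 slots), from the slide
MULTIFRAME_51 = 51      # control multiframe length in frames

def ccch_downlink_channel(frame):
    """Logical channel in slot 0 of downlink frame `frame` (0..50):
    FCCH (0,10,20,30,40), SCH (1,11,21,31,41), BCCH (2-5),
    PAGCH (the rest), idle (50) -- the slide's table."""
    if not 0 <= frame < MULTIFRAME_51:
        raise ValueError("51 multiframe has frames 0..50")
    if frame == 50:
        return "IDLE"
    r = frame % 10
    if r == 0:
        return "FCCH"
    if r == 1:
        return "SCH"
    if 2 <= frame <= 5:
        return "BCCH"
    return "PAGCH"

def channel_for(slot, frame, uplink=False):
    """Slot 0 carries the CCCH (RACH on the uplink); slots 1-7 carry TCH."""
    if slot == 0:
        return "RACH" if uplink else ccch_downlink_channel(frame)
    return "TCH"

def frames_to_ms(frames):
    """Duration of `frames` TDMA frames in milliseconds (51 -> 235.365)."""
    return round(frames * FRAME_MS, 3)

def frames_until(frame, channel):
    """Frames a mobile waits after `frame` for the next downlink `channel`."""
    for k in range(1, MULTIFRAME_51 + 1):
        if ccch_downlink_channel((frame + k) % MULTIFRAME_51) == channel:
            return k
    raise ValueError(f"{channel} never appears in the multiframe")

def acquisition_frames(start):
    """Frames from `start` until the mobile has seen FCCH, then SCH, then
    BCCH in that order.  A mobile that just missed the FCCH at frame 0
    waits 10 frames for the one at frame 10, then 1 for the SCH, then
    42 more for BCCH at frame 2 of the next multiframe."""
    f, total = start, 0
    for ch in ("FCCH", "SCH", "BCCH"):
        k = frames_until(f, ch)
        total += k
        f = (f + k) % MULTIFRAME_51
    return total
```

Frames can be converted to wait time with `frames_to_ms(acquisition_frames(start))`.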


GSM: BCCH

Broadcast to all users on the CCCH
No addressing
Used to acquire system parameters, so the mobile may operate with the system.

Key parameters (contained in RR SYSTEM INFORMATION MESSAGES):
RACH control parameters
Cell channel descriptions (frequencies)
Neighbor cells (frequencies)
Cell ID
Location Area ID (LAI)
Control Channel description


GSM: FCCH and SCH

Keeps system synchronization

What do you mean, synchronization?

Broadcasts Basestation ID

Why is this useful information?


GSM: Mobile Channel Access Procedures (RACH)

MS Communicates with BS over RACH

Only initially and must compete for this shared resource.

Feedback provided with AGCH

Points the user to a dedicated channel for real exchanges.

Functions:

Responses to paging messages

Location update (registration)

Call Origination


GSM: Paging Channel (PCH)

Used to send pages to mobile devices.

Notifications of incoming services (e.g., voice, data, SMS)

Done at regular intervals

Mobiles belong to a paging class

Allows the device to sleep, conserve power

More than 1 mobile paged at a time.


GSM: RACH and Slotted ALOHA (Layer 2)

Assumptions
All frames are the same size
Time is divided into equal-size slots (time to transmit 1 frame)
Nodes start to transmit frames only at the beginning of slots
Clocks are synchronized
If 2 or more nodes transmit in a slot, all nodes detect the collision

Operation
When a node obtains a fresh frame, it transmits in the next slot
No collision: the node successfully transmitted the frame
If collision, the node retransmits the frame in each subsequent slot with prob. p until success


GSM: More Slotted ALOHA

Pros
A single active node can continuously transmit at the full rate of the channel
Highly decentralized: only the slots in nodes need to be in sync
Simple

Cons
Collisions, wasting slots
Idle slots
Nodes may be able to detect a collision in less than the time to transmit a packet
Clock synchronization

GSM: Slotted ALOHA Efficiency

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

Prob that node 1 has success in a slot $= p(1-p)^{N-1}$

Prob that any node has a success $= Np(1-p)^{N-1}$

For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$.

For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity; this gives $1/e = 0.37$.

At best: the channel has a maximum throughput of 37%!
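The efficiency argument above, worked through as an added example (not from the lecture): the closed form $Np(1-p)^{N-1}$, the optimum $p^* = 1/N$ (obtained by setting the derivative to zero, a step the slide leaves implicit), a check that the optimum approaches $1/e$ as N grows, and a small Monte Carlo of saturated slotted ALOHA, where every node holds a frame and transmits in each slot with probability p, to confirm the formula empirically. All parameters and the seeded simulation are constructed for this example.

```python
import math
import random

def success_probability(n, p):
    """Long-run fraction of successful slots when n saturated nodes each
    transmit with probability p: exactly one transmits, N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)

def optimal_p(n):
    """p* that maximises N p (1-p)^(N-1): d/dp = N(1-p)^(N-2)(1 - Np) = 0
    gives p* = 1/N (the slide asks for p*; this is the closed form)."""
    return 1.0 / n

def max_efficiency(n):
    """Best achievable throughput with n nodes, (1 - 1/N)^(N-1) -> 1/e."""
    return success_probability(n, optimal_p(n))

def simulate_throughput(n, p, slots, seed=1):
    """Monte Carlo of the slide's model: every node always has a frame
    (fresh or a retransmission) and transmits in each slot with
    probability p.  A slot is a success only when exactly one node
    transmits; two or more is a collision, zero is an idle slot."""
    rng = random.Random(seed)
    successes = collisions = idle = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
        elif transmitters == 0:
            idle += 1
        else:
            collisions += 1
    return {"success": successes / slots, "collision": collisions / slots,
            "idle": idle / slots}

if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(f"N={n:5d}  p*={optimal_p(n):.4f}  "
              f"efficiency={max_efficiency(n):.4f}  (1/e={1/math.e:.4f})")
    print(simulate_throughput(10, optimal_p(10), slots=20000))
```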

GSM: RACH Procedures (Layer 2)

Mobile sends an assignment request with information
Basestation sends back an assignment with the information echoed
Creates a Radio Resource (RR) connection

Standalone Dedicated Control Channel
May be a physical channel
May be a traffic channel in signaling-only mode
May eventually be bandwidth stolen from the TCH (associated control channel).


Basic Flow on Air Interface


Alert phone of incoming activity
Request dedicated signaling channel
Signal
Release signaling channel


GSM Signaling

Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).

Technically layer 3, but debatable from an OSI perspective, as application-esque things happen here.

Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS).


Time Out: Privacy?

With all of this signaling going over well-known channels, isn't there a risk of user tracking/profiling?

Think about the PCH... what is transmitted here?


GSM Registration

Types
Power up and down
Location Area changes (mobility)
Periodic

User Privacy
Mobile device may transmit its real address: International Mobile Subscriber Identity (IMSI)
Gets back a temporary id (TMSI)
Unique to a local area
Subsequent registrations use the TMSI


GSM: Registration, High Level

Get SDCCH
RR connection established

Authenticate
Cipher
UpdateLocation
Release RR connection


GSM Registration: Gory Details

Get SDCCH
RR connection established
LOC UPD RQST
Authentication Request (RAND)
Authentication Response (SRES)
Cipher Mode
Cipher Mode Complete
LOC UPD ACC (TMSI Assigned)
TMSI RE-ALLOC Complete

Release RR connection

More details on this authentication procedure soon...


GSM: Call Termination (Receive a Call)

Get SDCCH:
Page Request (TMSI)
Channel Request
Channel Assignment
SABM(Page Response)
UA(Page Response)
RR connection established

Authentication and Ciphering

SETUP
Call Confirmed
Alert
Assignment Command
Assignment Complete
Connect
Connect ACK


GSM: Call Origination

Get SDCCH:
Channel Request
Channel Assignment
SABM(CM Service Req - Call Orig)
UA(CM Service Request - Call Orig)
RR connection established

Authentication and Ciphering

SETUP
Call Proceeding
Alert
Assignment Command
Assignment Complete
Connect
Connect ACK

RR connection release

GSM: Mobile Assisted Handoff (MAHO)

[Figure: message sequence between the mobile, Old BS, New BS and MSC]
Measurement Report (sent repeatedly by the mobile)
Handoff Order
Handoff Access
Handoff Access
Handoff Complete


Measuring Mobility-Generated Load

How do we estimate the traffic load caused by handoffs?

Rate of boundary crossings = ρvL

Simplest mobility model: assume conservation of flow and random movements at constant velocity.

ρ = density of users, v = velocity and L is the perimeter


Practice

VLR

Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.
Assume:

L = 80 miles
ρ = 150 users/mi²
v = 45 miles/hour


Example

Boundary crossing rate: from ρ = 150 users/mi², v = 45 miles/hour and L = 80 miles, converted with 1 hour = 3600 secs, the rate is 48 crossings/sec.

Load on VLR from mobility is 144 operations/sec:
updates (3) per crossing: Update LA, Reg Cancel, Auth Info


Example, cont

Assume 3 calls/user/hour (1.5 in, 1.5 out on average)
For each incoming call there is one database query (MSRN)
ρ = 150 users/mi², L = 80 miles
Each area contains 150 x (80/4)² = 60,000 users
60,000 users x 1.5 incoming calls/hour / 3600 secs = 25 calls/second

Total Load
25 queries/second (call related)
144 updates/second (mobility related)

Conclusion
Mobility substantially dominates the database load
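The VLR load estimate from the Practice and Example slides, carried through as an added example (not code from the lecture). One assumption is labelled: the slide's figure of 48 crossings/sec for ρ = 150, v = 45, L = 80 is reproduced by the fluid-flow form ρvL/π, so the code divides by π even though the slide's text formula shows only ρvL; the 3 updates per crossing, the 1.5 incoming calls/user/hour and the square area of side L/4 are taken from the slides.

```python
import math

SECONDS_PER_HOUR = 3600

def boundary_crossing_rate(rho, v, L):
    """Boundary crossings per second for a region of perimeter L (miles),
    user density rho (users/mi^2) and speed v (miles/hour).
    ASSUMPTION: fluid-flow form rho*v*L/pi; the 1/pi factor is what turns
    the slide's numbers (150, 45, 80) into its stated 48 crossings/sec."""
    return rho * v * L / (math.pi * SECONDS_PER_HOUR)

def vlr_mobility_load(crossings_per_sec, updates_per_crossing=3):
    """VLR operations/sec caused by mobility.  The slide rounds to
    48 crossings/sec first, then charges 3 updates per crossing
    (Update LA, Reg Cancel, Auth Info) for 144 operations/sec."""
    return round(crossings_per_sec) * updates_per_crossing

def users_in_area(rho, L):
    """Users inside a square location area of perimeter L (side L/4)."""
    return rho * (L / 4) ** 2

def msrn_queries_per_sec(users, incoming_calls_per_user_hour=1.5):
    """One MSRN database query per incoming call."""
    return users * incoming_calls_per_user_hour / SECONDS_PER_HOUR

def database_load(rho=150, v=45, L=80):
    """Split the VLR load into mobility-related and call-related parts."""
    crossings = boundary_crossing_rate(rho, v, L)
    mobility = vlr_mobility_load(crossings)
    calls = msrn_queries_per_sec(users_in_area(rho, L))
    return {
        "crossings_per_sec": crossings,
        "mobility_updates_per_sec": mobility,
        "call_queries_per_sec": calls,
        "mobility_share": mobility / (mobility + calls),
    }

if __name__ == "__main__":
    for key, value in database_load().items():
        print(f"{key:26s} {value:8.2f}")
```

Changing `v` or `L` in `database_load` shows how quickly mobility load grows relative to the call-related queries, which stay fixed by the user count.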


GSM: Short Messaging Service

Bi-directional
Acknowledged Service
Store-and-Forward Service
140 octets/160 characters (concatenation possible)
Uses SDCCH signaling channel
Two services - cell broadcast and point to point

Cell broadcast exists in the standards only at this time.

Three types - user specific, ME-specific, SIM-specific


GSM: SMS Examples - Mobile Termination

Page
Page Response
SMS Delivery


GSM: SMS Examples - Mobile Termination

Page
Page Response
CP-Data (RP-Data (SMS Delivery))
CP-ACK
CP-Data (RP-ACK)
CP-ACK


Other Air Interfaces

IS-54/IS-136/D-AMPS: digital, TDMA
IS-95: digital, CDMA
CDMA2000: 3G
UMTS: W-CDMA, 3G


IS-54/IS-136

First North American standards
Converted traffic channels (IS-54) and control channels (IS-136) to digital.
Phones could gracefully degrade to AMPS if neither of these networks was available.

IS-54 was the first to consider security.
Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.
Both algorithms were later shown to be weak.


IS-95

Code Division Multiple Access (CDMA) Transmission
Similar call processing to GSM and IS-136
1.23 MHz carriers, each with 65 sub-code channels
Operates in similar bands as AMPS/IS-136


Network Architecture: IS-95/CDMA2000

[Figure: BS, BSC, RNC/PCF, MSC, VLR, HLR, AAA, PDSN, HA, PSTN, Internet]

RNC/PCF
Performs frame-selection/power control
Terminates Radio Link Protocol w/ mobiles
Performs packet and burst control functions

PDSN
Terminates PPP with clients
Provides FA support for MIP-enabled Clients

AAA
Provides Authentication, Authorization and Accounting for Data users

BSC
Coordinates handoff for voice users
Performs frame-selection/power control

MSC
Call control and mobility management
Interfaces to the PSTN for voice users

AAA
Provides location management and AAA functions for voice users.
