CS 8803 - Cellular and Mobile Network Security: CDMA/UMTS Air Interface
Hank Carter
Professor Patrick Traynor
10/4/2012

UMTS and CDMA
- 3G technology - major change from GSM (TDMA)
- Based on techniques originally employed by Verizon (IS-95)
- Signal is encoded so that it can be recovered from noise (other signals)

New Considerations
- Technology differences
  - Power control
  - Frequency re-use & handoffs
  - Number of users
  - Modulation (Phase Shift Keying)
- Traffic differences
- What is the primary difference between 2G and 3G?

Code Division Multiple Access
- used in several wireless broadcast channels (cellular, satellite, etc.) standards
- unique code assigned to each user; i.e., code set partitioning
- all users share same frequency, but each user has own chipping sequence (i.e., code) to encode data
- encoded signal = (original data) X (chipping sequence)
- decoding: inner-product of encoded signal and chipping sequence
- allows multiple users to coexist and transmit simultaneously with minimal interference (if codes are orthogonal)
- What does it mean for two vectors to be orthogonal?

CDMA Encode/Decode
[Figure: sender and receiver, each showing the code and the slot 0 and slot 1 channel output]
- data bits: $d_0 = 1$, $d_1 = -1$
- sender, channel output: $Z_{i,m} = d_i \cdot c_m$
- receiver, from the received input: $D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$

CDMA: two-sender interface

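The encode/decode rule from the previous slides, worked for two senders that transmit at the same time (an added example, not part of the original slides). The 8-chip codes, the bit values and all function names are constructed for illustration; the last case swaps in a non-orthogonal code to show the cross-talk that orthogonality prevents.

```python
# Added example: two senders sharing one channel with 8-chip codes.
# All codes and data bits below are constructed sample values.
M = 8
CODE_A = [1, 1, 1, 1, -1, -1, -1, -1]
CODE_B = [1, -1, 1, -1, 1, -1, 1, -1]       # orthogonal to CODE_A
CODE_IDLE = [1, 1, -1, -1, 1, 1, -1, -1]    # orthogonal to both, assigned to nobody
CODE_BAD = [1, 1, 1, 1, 1, 1, -1, -1]       # NOT orthogonal to CODE_A


def inner(u, v):
    """Inner product of two chip sequences; 0 means orthogonal."""
    return sum(a * b for a, b in zip(u, v))


def encode(bits, code):
    """Sender: Z_{i,m} = d_i * c_m for every bit slot i and chip m."""
    return [d * c for d in bits for c in code]


def channel(*signals):
    """Shared frequency: simultaneous transmissions add chip by chip."""
    return [sum(chips) for chips in zip(*signals)]


def decode(received, code):
    """Receiver: D_i = (1/M) * sum_m Z_{i,m} * c_m for every slot i."""
    m = len(code)
    return [inner(received[i:i + m], code) / m
            for i in range(0, len(received), m)]


def two_sender_demo(code_b=CODE_B):
    """Return what despreading with A's, B's and an unassigned code yields."""
    bits_a = [1, -1]      # d_0 = 1, d_1 = -1, as on the slide
    bits_b = [-1, -1]
    rx = channel(encode(bits_a, CODE_A), encode(bits_b, code_b))
    return decode(rx, CODE_A), decode(rx, code_b), decode(rx, CODE_IDLE)


if __name__ == "__main__":
    print("orthogonal codes:    ", two_sender_demo())
    print("non-orthogonal codes:", two_sender_demo(CODE_BAD))
```

With orthogonal codes each receiver gets exactly its own sender's bits; with `CODE_BAD` the decoded values drift away from +1/-1 because the other sender's signal no longer cancels.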
CDMA Benefits
- Higher capacity
  - interference limited = high efficiency
  - uses voice activity detection to reduce transmission bandwidth
- Improved quality
  - soft handoff
  - CDMA has frequency, spatial, and time diversity to adapt to errors
- Ease of deployment
  - no frequency planning; frequency reuse = 1
- Increased talk time
  - power control ensures that the UE transmits at optimum power, resulting in longer battery life.

CDMA Privacy
- Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA offer?

Universal Mobile Telecommunications System: UMTS
- Specifications:
  - Frequencies: 700, 850, 900, 1700, 1900, 2100 MHz (5 MHz channels) worldwide; FDD
  - Chipping codes: up to 512 bits
  - Power control: up to 1500x per second
  - Time division: 10 ms frames, 1 frame = 15 time slots
- Borrows extensively from GSM protocols
- Major changes:
  - CDMA Technology: Channel structure/handoffs/power control
  - Security -- increased use of cryptographic constructions
  - Data infrastructure

Entities: New names, old faces
- BSC -> RNC
- MS -> UE
- BTS -> Node-B
- UE = User Equipment
- RNC = Radio Network Controller

Channels: Old & New
GSM:   BCCH  PCH  AGCH  SDCCH  TCH   RACH  SCH  CCCH
UMTS:  BCCH  PCH  AICH  DCCH   DTCH  RACH  SCH  CCCH

Channel Types
- Logical: defines a logical task or use in the network
- Transport: defines the way logical data is prepared
- Physical: defines the actual channel (i.e. chipping code) used to transmit data

Logical Channels
- Broadcast Control Channel (BCCH): Provides common information about the cell to UEs.
- Paging Control Channel (PCCH): Provides information about incoming calls and how to listen for them.
- Dedicated Control Channel (DCCH): A two-way assigned channel that carries control information to and from a single UE.
- Common Control Channel (CCCH): A two-way shared channel that carries control information.
- Dedicated Traffic Channel (DTCH): A two-way assigned channel that carries traffic to and from a single UE.

Transport Channels
- Dedicated Transport Channel (DCH): Carries data to and from a specific UE.
- Broadcast Channel (BCH): Broadcasts network and cell information.
- Forward Access Channel (FACH): Carries control information to UEs for shared channels.
- Random Access Channel (RACH): Carries channel requests to the network from the UE.
- Paging Channel (PCH): Carries incoming call alerts.
- Uplink Common Packet Channel (CPCH): Carries packet data to the network.
- Downlink Shared Channel (DSCH): Carries packet data to the UE.

Physical Channels: Signaling
- Forward (to UE):
  - Primary Common Control Physical Channel (PCCPCH): Carries the BCH
  - Secondary Common Control Physical Channel (SCCPCH): Carries the FACH and the PCH
  - Synchronization Channel (SCH): Synchronizes time with the network
  - Common Pilot Channel (CPICH): Informs the user of the Primary Scrambling Code (PSC)
  - Acquisition Indicator Channel (AICH): Used to carry dedicated channel assignments to UEs
  - Paging Indication Channel (PICH): Provides the UE with information about how pages are sent. This informs the UE how often to wake up and listen for pages.
- Reverse (to Node-B):
  - Physical Random Access Channel (PRACH): Carries the RACH

Physical Channels: Traffic
- Bi-Directional:
  - Dedicated Physical Data Channel (DPDCH): Carries a DCH
  - Dedicated Physical Control Channel (DPCCH): Carries control information (e.g., identifiers, power control)
- Forward (to UE):
  - Physical Downlink Shared Channel (PDSCH): Carries packet data to a UE.
  - CPCH Status Indication Channel (CSICH): Indicates the status of the CPCH
  - Collision Detection/Channel Assignment Indication Channel (CD/CA-ICH): Indicates if data sent over the CPCH has been successfully received or if a collision occurred.
- Reverse (to Node-B):
  - Physical Common Packet Channel (PCPCH): Carries the CPCH

How a connection is made
[Figure: exchange between Node-B and UE]
1. Synchronize Time (SCH)
2. Acquire PSC (CPICH)
3. Acquire cell information (PCCPCH)

How a call is sent/received
[Figure: exchange between Node-B and UE]
1. Page sent over PCH (SCCPCH)
2. Page response over RACH (PRACH)
3. Chipping & scrambling code assigned (AICH)
4. Authentication over DCCH (DPDCH + DPCCH)
5. Call connect over DTCH (DPDCH + DPCCH)

Mappings
Source: http://www.authorstream.com/presentation/3627946-387767-wcdma-air-interface-fundamentals-sciencetechnology-ppt-powerpoint/

Spreading Codes
- Orthogonal Variable Spreading Factor (OVSF) vs scrambling codes
  - OVSF codes are typical chipping/spreading codes
  - Scrambling codes can be multiplied into OVSF codes to provide more user channels
- Long vs. short codes
  - Uplink: code lengths up to 256 (+ 16.8 M scrambling codes)
  - Downlink: code lengths up to 512
- Why are these numbers different?

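How OVSF codes of different lengths stay orthogonal, as an added example that is not part of the original slides and goes beyond them by building the standard OVSF code tree (each code c has children (c, c) and (c, -c)). Function names are this example's own; the allocation check encodes the tree rule that a code cannot be used alongside its ancestors or descendants.

```python
# Added example: OVSF code tree and the "no ancestor/descendant" rule.
def ovsf_codes(sf):
    """All OVSF codes of spreading factor sf (a power of two), in tree order."""
    if sf < 1 or sf & (sf - 1):
        raise ValueError("spreading factor must be a power of two")
    codes = [[1]]
    while len(codes[0]) < sf:
        # Each code c branches into (c, c) and (c, -c).
        codes = [child for c in codes
                 for child in (c + c, c + [-x for x in c])]
    return codes


def correlate(short, long):
    """Despread `long` with `short`: one inner product per short-code period."""
    n = len(short)
    return [sum(a * b for a, b in zip(short, long[i:i + n]))
            for i in range(0, len(long), n)]


def related(a, b):
    """True if one code is the other's ancestor in the tree (or the same code)."""
    short, long = sorted((a, b), key=len)
    return long[:len(short)] == short


def allocatable(sf, in_use):
    """Codes of spreading factor sf that stay orthogonal to every code in use."""
    return [c for c in ovsf_codes(sf)
            if not any(related(c, used) for used in in_use)]


if __name__ == "__main__":
    busy = ovsf_codes(4)[1]                      # constructed: one SF=4 user
    print("in use (SF 4):", busy)
    for code in ovsf_codes(8):
        tag = "blocked" if related(code, busy) else "free"
        print(code, correlate(busy, code), tag)
    print("free at SF 2:", allocatable(2, [busy]))
```

A shorter code despreads any unrelated longer code to zero in every period, which is what lets users with different spreading factors share the channel; only codes on the same branch collide.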
Power Control
- CDMA provides optimal performance when all signals are received at approximately the same strength.
- When a DTCH is assigned, the Node-B sends reports of the RSS (received signal strength) to the UE, alerting it at what power to transmit.
- Power control commands sent up to 1500 times per second

Handoffs
- 4 types: hard, soft, softer, network (2G/3G)
- Soft handoff overview:
  - Frequency reuse = 1
  - UE will receive signal from multiple Node-Bs.
  - Extract signals of old and new tower simultaneously using different chipping codes.
  - Remain connected to old Node-B until re-registered with new Node-B