CS 8803 - Cellular and Mobile Network Security: GSM - In Detail Professor Patrick Traynor 9/27/12
Cellular Telecommunications Architecture Background Air Interfaces Network Protocols Application: Messaging Research 2
GSM The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications with well over 5 billion users. As a comparison, there are approximately 1.5 billion Internet users. The architectures of other network are similar, so knowing how to speak GSM will get you a long way in this space. 3
Wireless Signaling and Control in GSM Common Control Channel Structure Broadcast Channels Channel Access from Mobile Procedures and Messages for Call Control Traffic Channel Structure Handoffs 4
GSM Control Functions Read System Parameters Register Receive and Originate Calls Manage Handoffs 5
GSM Structure Traffic Channel (per user in a call) Common Control Channel (CCCH) TCH (13 KBps) Common Control Channel (CCCH) Used for control information: registration, paging, call origination/termination. Traffic Channel (TCH) Information transfer in-call control (fast/slow associated control channels) 6
GSM TDMA Frames TDMA Frame: Slot 0 Slot 1 Slot 2 Slot 3 Slot 4 Slot 5 Slot 6 Slot 7 Frame: 4.615 msec Frame 0 Frame 1 Frame 2... Frame 50 51 Multiframe: 235.365 msec 7
From Frames to Channels 26 Multiframe: 120.00 ms 0 1 2 3 4 5 6 7 }Frame: 4.615ms 8
GSM CCCH Reverse (MS BS) Forward (BS MS) Forward (BS MS) Forward (BS MS) Forward (BS MS) Random Access Control Channel (RACH) Paging and Access Grant Channel (PAGCH) PCH Broadcast Control Channel (BCCH) Synchronization Channel (SCH) Frequency Correction Channel (FCCH) AGCH 9
GSM CCCH Structure TDMA Frame: Slot 0 Slot 1 Slot 2 Slot 3 Slot 4 Slot 5 Slot 6 Slot 7 Frame: 4.615 msec Frame 0 Frame 1 Frame 2... Frame 50 51 Multiframe: 235.365 msec Uplink: Channel Name (Frame #) FCCH (0) SCH (1) BCCH (2-5) PAGCH (6-9) Downlink RACH (0)... RACH (50) FCCH (10) SCH (11) PAGCH (12-19) FCCH (20) SCH (21) PAGCH (22-29) PAGCH (11) FCCH (30) SCH (31) PAGCH (32-39) FCCH (40) SCH (41) PAGCH (42-49) I (50) CCCH/RACH always uses Slot 0 of each frame; other seven slots for TCH TCH: 26 multi-frame repeats every 120 msec (13th and 16th frames are used by Slow Associated Control Channel (SACCH) or is idle 10
GSM: BCCH Broadcast to all users on the CCCH No addressing Used to acquire system parameters, so mobile may operate with the system. Key parameters (contained in RR SYSTEM INFORMATION MESSAGES): RACH control parameters cell channel descriptions (frequencies) neighbor cells (frequencies) cell id Location Area ID (LAI) Control Channel description 11
GSM: FCCH and SCH Keeps system synchronization What do you mean, synchronization? Broadcasts Basestation ID Why is this useful information? 12
GSM: Mobile Channel Access Procedures (RACH) MS Communicates with BS over RACH Only initially and must compete for this shared resource. Feedback provided with AGCH Points the user to a dedicated channel for real exchanges. Functions: Responses to paging messages Location update (registration) Call Origination 13
GSM: Paging Channel (PCH) Used to send pages to mobile devices. Notifications of incoming services (e.g., voice, data, SMS) Done at regular intervals Mobiles belong to a paging class Allows the device to sleep, conserve power More than 1 mobile paged at a time. 14
GSM: RACH and Slotted ALOHA (Layer 2) Assumptions all frames same size time is divided into equal size slots, time to transmit 1 frame nodes start to transmit frames only at beginning of slots Operation when node obtains fresh frame, it transmits in next slot no collision, node successfully transmitted the frame if collision, node retransmits frame in each subsequent slot with prob. p until success clocks are synchronized if 2 or more nodes transmit in slot, all nodes detect collision 15
GSM: More Slotted ALOHA Pros single active node can continuously transmit at full rate of channel highly decentralized: only slots in nodes need to be in sync simple Cons collisions, wasting slots idle slots nodes may be able to detect collision in less than time to transmit packet clock synchronization 16
GSM: Slotted ALOHA Efficiency Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send Suppose N nodes with many frames to send, each transmits in slot with probability p prob that node 1 has success in a slot = p(1-p) N-1 prob that any node has a success = Np(1-p) N-1 For max efficiency with N nodes, find p* that maximizes Np(1-p) N-1 For many nodes, take limit of Np*(1-p*) N-1 as N goes to infinity, gives 1/e =.37 At best: channel has maximum throughput of 37%! 17
GSM: RACH Procedures (Layer 2) Mobile sends assignment request with information Basestation sends back assignment with information echoed Creates Radio Resource (RR) connection Standalone Dedicated Control Channel May be a physical channel May be a traffic channel in signaling-only mode May eventually be bandwidth stolen from TCH (associated control channel). 18
Basic Flow on Air Interface Alert phone of incoming activity Request dedicated signaling channel Signal Release signaling channel 19
GSM Signaling Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3). Technically layer 3, but debatable from OSI perspective as application-esque things happen here. Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS). 20
Time Out: Privacy? With all of this signaling going over well-known channels, isn t there a risk of user tracking/profiling? Think about the PCH... what is transmitted here? 21
GSM Registration Types Power up and down Location Area changes (mobility) Periodic User Privacy Mobile device may transmit real address: International Mobile Subscriber Identity (IMSI) Get back temporary id (TMSI) Unique to a local area Subsequent registrations use TMSI 22
GSM: Registration, High Level Get SDCCH RR connection established Authenticate Cipher UpdateLocation Release RR connection 23
GSM Registration: Gory Details Get SDCCH RR connection established LOC UPD RQST Authentication Request (RAND) Authentication Response (SRES) Cipher Mode Cipher Mode Complete LOC UPD ACC (TMSI Assigned) TMSI RE-ALLOC Complete Release RR connection More details on this authentication procedure soon... 24
GSM: Call Termination (Receive a Call) RR connection established Page Request (TMSI) Channel Request Channel Assignment SABM(Page Response) UA(Page Response) Authentication and Ciphering SETUP Call Confirmed Alert Assignment Command Assignment Complete Connect Connect ACK Get SDCCH 25
GSM: Call Origination RR connection established RR connection release Channel Request Channel Assignment SABM(CM Service Req - Call Orig) UA(CM Service Request - Call Orig) Authentication and Ciphering SETUP Call Proceeding Alert Assignment Command Assignment Complete Connect Connect ACK Get SDCCH 26
GSM: Mobile Assisted Handoff (MAHO) MSC Old BS New BS Measurement Report Measurement Report Measurement Report Measurement Report Handoff Order Handoff Access Handoff Access Handoff Complete 27
Measuring Mobility-Generated Load How do we estimate the traffic load caused by handoffs? Simplest mobility model - assume conservation of flow and random movements at constant velosity. Rate of boundary crossings = vl = density of users, v = velocity and L is perimeter 28
Practice VLR Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel. Assume: L = 80 miles =150 users/mi 2 v = 45 miles/hour 29
Example Boundary crossing rate: 150 45 80 1 hour 3600 secs = 48 crossings/sec Load on VLR from mobility is 144 operations/sec: updates (3): Update LA, Reg Cancel, Auth Info 30
Example, cont Assume 3 calls/user/hour (1.5 in, 1.5 out on average) for each incoming call there is one database query (MSRN) = 150 users/mi 2, L = 80 miles each area contains 150 x (80/4) 2 = 60,000 users = 25 calls/second Total Load 25 queries/second (call related) 144 updates/second (mobility related) Conclusion mobility substantially dominates the database load 31
GSM: Short Messaging Service Bi-directional Acknowledged Service Store-and-Forward Service 140 octets/160 characters (concatenation possible) Uses SDCCH signaling channel Two services - cell broadcast and point to point Cell broadcast exists in the standards only at this time. Three types - user specific, ME-specific, SIM-specific 32
GSM: SMS Examples - Mobile Termination Page Page Response SMS Delivery 33
GSM: SMS Examples - Mobile Termination Page Page Response CP-Data (RP-Data (SMS Delivery)) CP-ACK CP-Data (RP-ACK) CP-ACK 34
Other Air Interfaces IS-54/IS-136/D-AMPS digital, TDMA IS-95 digital, CDMA CDMA2000 3G UMTS W-CDMA 3G 35
IS-54/IS-136 First North American standards Converted traffic channels (IS-54) and control channels (IS-136) to digital. Phones could gracefully degrade to AMPS if neither of these networks were available. IS-54 was the first to consider security. Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice. Both algorithms later shown to be weak. 36
IS-95 Code Division Multiple Access (CDMA) Transmission Similar call processing to GSM and IS-136 1.23 MHz carriers, each with 65 sub-code channels Operates in similar bands as AMPS/IS-136 37
Network Architecture: IS-95/CDMA2000 BS BSC RNC/ PCF VLR MSC PDSN PSTN HLR AAA BS RNC/PCF Performs frame-selection/power control Terminates Radio Link Protocol w/ mobiles Performs packet and burst control functions PDSN terminates PPP with clients provides FA support for MIP-enabled Clients AAA Provides Authentication, Authorization and Accounting for Data users HA BSC Coordinates handoff for voice users Internet performs frame-selection/power control MSC call control and mobility management interfaces to the PSTN for voice users AAA provides location management and AAA functions for voice users. 38