GSM

Global System for Mobile
Communications (GSM)
Nguyen Thi Mai Trang
LIP6/PHARE
Thi-Mai-Trang.Nguyen@lip6.fr
UPMC/PUF - M2 Networks - PTEL
Outline

Principles of cellular networks

GSM architecture
Security management
Location management
Radio interface
Logical channels
Network planning
Mobile networks
First generation

Second generation

In the early 1990s

Digital air interface
Ex: GSM in Europe and over the world, DCS (Digital Communication System) which is the GSM
standard deployed in the 1800 MHz band, IS-136, IS-95, GSM PCS 1900 in the US
GPRS function
Third generation

In the late 1970s

Analog air interface
Ex: AMPS (Advanced Mobile Phone Service) in the US, Radiocom 2000 in France, NMT 900 in
the Nordic countries, TACS in England, NETZ C in Germany
In the early 2000s

Multimedia applications and Internet access
Ex: UMTS
3G+ and 4G

3G+: High speed data services

4G: Multi-homed terminal
Cell
Cell is a geographical area covered by an

antenna in the center
Cell size
Depend on the frequencies and the power

level used

The more the frequency is high, the more the cell

is small
The more the power level is high, the more the
cell is big
Different cell sizes
meters
tens of meters
hundreds of meters
tens of kilometers
hundreds of kilometers
Cellular networks
The network is organized in cells which are

partially overlapping to cover the area that the
operator want to provide services
cells
Handover

The change of cell of a mobile

The handover procedure ensures the
continuity of the ongoing communication
Cell 2
Cell 1
Handover zone
Frequency reuse

The reuse of the same frequency in disjoint cells allows a

coverage in large scale
A k-cell reuse pattern is defined as the smallest group of cells
containing a set of channels which are used only once
F2
K=3
F3
F2
F3
F3
F1
F1
F2
F2
F2
F3
F3
Air interface

Terminals communicate with the central antenna via

the air interface
Use frequency bands specific to each country

In Europe: GSM 900 MHz DCS 1800 MHz

In the US: DCS 1900 MHz
Air interface specification

Modulation techniques, encoding scheme and multiple

access mechanism, frequency bands, bit rates, power
levels
10
Multiple access procedures

Air interface is responsible for frequency bands

sharing between users
Multiple access procedure prevents the collisions

FDMA (Frequency Division Multiple Access) used in the

first generation
TDMA (Time Division Multiple Access) used in GSM
CDMA (Code Division Multiple Access) used in UMTS
11
FDMA
The frequency band f is divided into n

channels allowing n mobiles to transmit
simultaneously
frequency
Channel
time
12
TDMA
The time is divided into time slots who are

affected to different mobiles
frequency
Totality of bandwidth
time
13
CDMA
The mobiles in a cell share the same radio channel by using a code
assigned by the system which determines the frequencies and the power
levels used
Allow the reuse of the same frequencies in adjacent cells
frequency
Simultaneous transmissions
over the whole band but with
different codes between clients
time
14
GSM architecture (1)

Um
AuC
Authentication Center
Abis
BTS
VLR
MSC
HLR
Home Location Register
BSC
RTC
GMSC
Gateway MSC
VLR
MSC
Visitor Location Register
Mobile service Switching Center
BTS
BTS
BSC
Base Station Controller
MSC VLR
Base Transceiver Station
Radio Sub-System
Network Sub-System
15
GSM architecture (2)

Radio Sub-System

BTS (Base Transceiver Station)

BSC (Base Station Controller)
Network Sub-System

MSC (Mobile service Switching Center)

Two databases

HLR (Home Location Register)

VLR (Visitor Location Register)
AuC (Authentication Center)
Mobile terminal
SIM (Subscriber Identity Module)

16
Radio sub-system

Air interface transmission and radio resource managmemnt

Base station (BTS)
Responsible for radio transmission

Modulation, demodulation, equalization, error recovery

TDMA multiplexing, frequency hopping, encryption, radio
measurements
Base station controller (BSC)

Radio resource management

Channel allocation
Analyze the measurements realized by the BTSs to control the power of
the mobiles or the BTSs
Handover decision
17
Network Sub-System (1)

Mobile switching center (MSC)

Switching matrix
Call establishment between a mobile and another MSC
MSC level handover execution
Mobility management (VLR look-up for outgoing call,
transfer of location information)
Gateway for the calls towards fixed users
18
Network Sub-System (2)

Two databases for subscriber management

Home Location Register (HLR)

Visitor Location Register (VLR)

Database containing information of the subscribers of an operator

Subscriber information: subscriber identity (IMSI), telephone number
(NSISDN), service profile (supplementary services, international call
authorization), the number of VLR where the mobile is registered
Database containing information of the users present in a geographical
area managed by the VLR
User information: IMSI, MSISDN as in the HLR, and in addition the
TMSI
Authentication center (AuC) associated with the HLR

Contain the secret key of each subscriber for the authentication and
the encryption of the communications
19
Mobile terminal

A smart card (SIM card) containing the subscriber identity

Subscriber identity authentication is realized between the
SIM card and the authentication center (AuC)
SIM card
IMSI
(International Mobile Subscriber Identity)
Ex: 208 01 314159
User
MSISDN
(Mobile Station ISDN Number)
Ex: 33 6 07 62 17 73
Terminal
IMEI
(International Mobile Equipment Identity)
20
10
Addressing
IMSI
TMSI
Temporary identity used to identify the mobile in the exchange over

the air interface
MSISDN
Permanent identity of the subscriber which is only used internally the

network
The telephone number of the subscriber
MSRN
A number assigned for the call establishment with a fixed network
21
IMSI
Each subscriber has an international identity, the IMSI

MCC (Mobile Country Code)

MNC (Mobile Network Code)

Home country code of the subscriber

Ex: 208 for France
Home network code of the subscriber
Ex: 01 for France Tlcom, 10 for SFR
MSIN (Mobile Subscriber Identification Number)

Subscriber number inside the home network

Two first digits (H1 H2) indicate the HLR within the network
22
11
TMSI

Temporary Mobile Subscriber Identity

Locally assigned to the mobile within the area managed by
the current VLR
Only known at the MS-MSC/VLR levels, not by the HLR
Used to identify the mobile during the call establishment
For each change of VLR, a new TMSI must be assigned
The structure of TMSI depends on the operator (encoded over
4 bytes)
The use of TMSI is optional (depends on the operator)
23
MSISDN

Mobile Station ISDN Number

Follow the international numbering plan E.164
CC (Country Code)

Indicate the country of the home network of the subscriber

Ex: 33 for France
NDC (National Destination Code)
SN (Subscriber Number)

Indicate a particular network within the country

Free to assigned by the operator
24
12
Identity exchanges
25
IMEI
International Mobile Equipment Identity

<= 15 digits
Uniquely reference to a terminal equipment
TAC (Type Approval Code)
FAC (Final Assembly Code)
SNR (Serial Number)
Spare (SP)

Provided by the constructor when the device type is approved

Identify the factory where the terminal is made
Freely assigned by the constructor
Reserved
26
13
Subscriber identity confidentiality

Limit the transmission of the IMSI over the air interface

Use TMSI
The mapping TMSI - IMSI is managed at the VLR level
TMSI is sent to the mobile in the encrypted mode
Radio interface
Encryption procedure
of
save
release
of
27
Authentication and encryption (1)

Elements

Two keys: authentication key Ki, encryption key Kc

Three algorithms: A3, A5, A8
Random number RAND
Principles

Each subscriber has a key Ki stored in the SIM card together with the IMSI,
and in the AuC of the network operator
For encryption

For authentication
The encryption key Kc is generated by the A8 algorithm from the Ki key and the
random number RAND
The A5 algorithm uses the Kc key for data encryption
The A3 algorithm generates a number SRES from the Ki key and the random
number RAND
The set of three values (RAND, SRES, Kc) forms a triplet
28
14
Authentication and encryption (2)

Mobile Terminal
Authentication Center
AuC
Ki
HLR
SIM Card
Ki
Challenge (RAND)
RAND
A3
A8
RES
Kc
RAND
Response (RES)
RES
Kc
Non
X
Oui
Authenticated
Kc
Kc
A5
A8
RES = RES : ?
Ki: Authentification key

Kc: Encryption key
Encryption/
Decryption
A3
Encypted communication
A5
Encryption/
Decryption
29
Subscriber identity authentication

Allow the verification of the identity sent by the mobile

(IMSI or TMSI)
For each location update, call establishment, service
activation/deactivation
radio interface
network
no
yes
Subscriber
authenticated
Subscriber
forbidden
30
15
Data confidentiality
Kc key establishment
radio interface
network

Encryption/decryption algorithm is implemented in the BTS

Encryption activation is realized on request of the MSC
31
Triplet

The network using the triplets to authenticate and activate the encryption
dont need to know the A3 and A8 algorithms
The triplets are calculated by the AuC and sent to the MSC/VLR
Each operator can have their own A3 and A8 algorithms
Subscriber is always authenticated by the algorithms of their home
network
Generate
de 1 to n
Store the vectors

32
16
Global view of security
33
Location management
The system has to know at any time the

location of each mobile in order to be able to
join it
The mobile must stay active (i.e. standby
mode), even if there is not communication, in
order to signal the system about its movement
34
17
Location Area Identification

Location area is a group of cells

Each location area is identified by a LAI (Location Area Identification)
address

MCC: country code (as in IMSI)

MNC: network code (as in IMSI)
LAC (Location Area Code) (<= 2 bytes): assigned by the operator
cell
Location area boundary
35
Location management (1)

A VLR can manage several location areas

A location area cannot include cells belonging to different
VLRs
Only the VLR knows the current location area of the
managed mobiles
The HLR knows the identity of the current VLR of each
subscriber and dont know its location area
The location update is initiated by the mobiles upon a change
of location area
Its possible to have a periodical location update with the
period controlled by the network
36
18
Location management (2)
search
by
37
IMSI Attach/Detach procedure

To avoid un-useful search of turned off mobiles, a parameter

in the MSC/VLR indicates that whether the mobile is
reachable
When a mobile is turned on, the IMSI Attach procedure reattach this mobile to its location area
If the VLR contains the information of the mobile, no
message is sent to the HLR equivalent to an update
without change of VLR
When the mobile is switching off, or when the VLR is not in
contact with a mobile during a certain period, the network can
detach itself from the mobile
38
19
Paging procedure
To search a subscriber for an incoming call, the

MSC broadcasts a paging message containing the
TMSI (or the IMSI in the absence of TMSI) of the
callee in the cells belonging to its location area
The mobile responds to the paging message, realizes
the authentication and encryption
The call establishment duration is about 8 seconds
39
Air interface
Frequency bands

Uplink: 890 915 MHz

Downlink: 935 960 MHz
Frequency bands are divided into channels of 200

KHz

In a channel, the signals are modulated and transmitted

around a carrier frequency at the center of the channel
In GSM 900
124 carriers available for each downlink or uplink frequency

band
40
20
TDMA in GSM
Each carrier is divided into time slots

In the same carrier, 8 slots are grouped to form a

TDMA frame

Tslot = (75/130)10-3 (s) = 0,5769 ms
TTDMA = 8 * Tslot = 4,6152 ms
Each user uses one time slot per TDMA frame

A physical channel is constituted by the periodical
repartition of a time slot in TDMA frames
41
TDMA frame
0 1
Slot (~577 s)
2 3
4 5
6 7
TDMA frame (4,6152 ms)
A full-rate simplex physical channel without frequency hopping

A half-rate simplex physical channel without frequency hopping
42
21
Duplexing
A duplex physical channel corresponds to two

simplex physical channels
fu(i) = fd(i) - Wduplex

The downlink frequencies in GSM 900

fd(i): downlink frequency

fu(i): uplink frequency
Wduplex is the duplex interval (45 MHz in GSM)
fd = 935 + (0,2 * n)
, 1 n 124
A mobile sends and receives at different moments with

the interval of three slots
43
Duplex physical channel

frequency
Duplex interval
fd
Downlink
0 1
2 3
4 5
6 7
Uplink
fu
0 1
2 3
4 5
6 7
time
44
22
Voice transmission (1)
45
Voice transmission (2)

Analog voice frame
Speech coding
Unprotected voice
Channel coding
Protected voice
Interleaving
TDMA frame
Voice frame
TDMA frame
Duration of a voice frame
46
23
Speech coding
Full-rate

13 Kbps
Voice is sampled at 8 kHz to form 20 ms frames
The codec RPE-LTP (Regular Pulse Excitation Long
Term Prediction) transforms the 20 ms voice segments
into 260 bits blocks
Half-rate
5,6 Kbps
47
Full-rate voice coding
48
24
Channel coding (1)

The 260 bits of voice dont have the same

importance

Class I.a 50 bits very sensible to errors

Class I.b 132 bits sensible to errors
Class II 78 bits less sensible to errors
49
Channel coding (2)

bits
bits
50
class I.a bits
CRC
53
132
Class I.b
4
tail bits
189 bits
Convolutional code
378 bits
78 bits of class II
+
456 bits
50
25
Interleaving (1)
Interleaving is used to make the error positions

random especially when the errors in wireless
networks are usually bursty
The encoded symbols are permuted before their
transmission to make the error correction at the
receiver easier
Interleaving consist in

Mixing the bits of a bloc

Distributing the symbols over a set of bursts
51
Interleaving (2)
Reading
Writing
b0
b1
b2
b3
b4
b5
b6
b7
b8
b9
b10
b11
b12
b13
b14
b15
..
57
8 half-blocs
b440
b441
b442
b443
b444
b445
b446
b447
b448
b449
b450
b451
b452
b453
b454
b455
A0
A1
A2
A3
A4
A5
A6
A7
52
26
Interleaving (3)
B0 B1 B2 B3 B4 B5 B6 B7
A0 A1 A2 A3 A4 A5 A6 A7
C0 C1 C2 C3 C4 C5 C6 C7
Burst (odd bit : A0 even bits: B4)
58 bits
3 bits
58 bits
26 bits
3 bits 8,25 bits
53
Burst structure
TDMA frame
0 1
3 bits
58 bits
2 3
4 5
6 7
26 bits
58 bits
3 bits 8,25 bits
Training sequence
Coded data
54
27
Logical channels (1)

Over physical channels, logical channels are

defined for different purposes

User data transmission

Control functions

The mobile can use the best base station

Establish a communication
Monitor a communication
Realize the handovers
55
Logical channels (2)
56
28
Multiframe

A multiframe is a succession of a given slot

The time interval between two slots of a multiframe
is of 4,615 ms
TDMA frame
multiframe
57
Multiframe, superframe and hyperframe (1)

Two structures of multiframe have been defined

Multiframe of 26 frames
Duration of 235,8 ms
Superframe

Duration of 120 ms
Multiframe of 51 frames
To have a commun structure for the two types of multiframe

Composed of [26 multiframes at 51] or [51 multiframes at 26]
Hyperframe

Composed of 2048 superframes

Duration of 3h 28min 53s 760ms
Each TDMA frame is located in the hyperframe by a counter FN
(Frame Number) which is periodically transmitted by the BTS
58
29
Multiframe, superframe and hyperframe (2)
multiframe
multiframe
superframe
hyperframe
59
TCH-SACCH multiplexing (1)
Duration of 26 TDMA frames
60
30
TCH-SACCH multiplexing (2)

1 voice bloc is of 20 ms

260 bits to send in 8 demi-bursts (4 bursts)

1 burst of voice every 5 ms is required
A multiframe at 26 lasts 120 ms

6 voice blocs (24 bursts) to send

The mobile has 26 slots
2 slots are availables

1 slot for the SACCH channel

1 slot of pause (the mobile listens and analyzes the beacons of
the neighbor cells)
61
SACCH

Slow Associated Control Channel

Control physical parameters of the link

Measure the round trip delay

Control the power level of the terminal
Control the link quality
Analyze the measurements made over the
neighbor base stations
62
31
FACCH

Fast Associated Control Channel

The low data rate of the SACCH (380 bps) channel
is not sufficient to handover execution
The TCH channel is temporarily stolen for signaling
Even data bits
Even data bits
Normal burst
Data bits (TCH or FACCH)
Sequence
Data bits (TCH or FACCH)
Odd data bits

Odd data bits
63
Beacon channel (1)

Each base station has a beacon channel

Allow the mobiles to be in permanent contact
with the best base station
Play an important role to realize roaming and
handover
64
32
Beacon channel (2)

Corresponds to a particular frequency, one of

the frequencies allocated to the base station
A neighbor mobile periodically measures the
signal level over this channel
Allow a mobile to determine whether it is in
the coverage of a base station, near or far
from the base station
65
Beacon channel (3)

Information
Specific form of signal

System information
Allow the mobiles to detect the presence of a base station and

synchronize in terms of time and frequency
Network identity and access characteristics
Mobile terminal
Turned on
Seeking the beacon channel of the best BTS
Standby
Monitor in permanence the beacon channels of the current and neighbor
cells to change the cell if necessary
Under communication
Periodically listen to beacon channels of neighbor cells to realize a

handover if necessary
66
33
RACH AGCH PCH

Random Access CHannel

Access Grant CHannel

When the mobile want to make an control operation with the network
(location update, call request, etc.), it must inform the network by
sending a request over the RACH channel
When the network receive a request, it allocate a dedicated signalling
channel by sending an allocation message over the AGCH channel
containing the carrier number and the slot number
Paging CHannel
When the network wants to communicate with a mobile (for a call, an

authentication, etc.), it broadcasts the identity of the mobile over a set
of cells using the PCH channel
67
Network planning
Blocking probability
N: the number of servers

A: the traffic generated by the clients
Erlang-B table
68
34
Example (1)
For an area with a population of 10 000

subscribers having each a traffic of 25 mE. 24
frequencies are available and allocated to cells
following a reuse pattern with K=12. The
acceptable blocking ratio is fixed to 2%.
Determine the number of cells to cover the
area
69
Example (2)
Pattern K = 12
The number of frequencies per cell

24/12 = 2
70
35
Example (3)
The number of TCH per cell

(2 * 8) 2 = 14
Each cell can support at most 14 simultaneous

communications
With the blocking ratio of 2%, the traffic that
can go through a cell is 8,2 Erlang
71
Example (4)
Each cell can serve

8,2 / 0,025 = 328 subscribers
The number of cells necessary for the

considered area is
10 000/328 = 30 cells
72
36
References
Rseaux GSM, Xavier Lagrange, Philippe

Godlewski, Sami Tabbane, Hermes Science,
2000
Les rseaux, Guy Pujolle, 2008
73
37

GSM

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GSM

Uploaded by

Copyright:

Available Formats

Global System for Mobile

UPMC/PUF - M2 Networks - PTEL

Principles of cellular networks

In the early 1990s

In the late 1970s

In the early 2000s

3G+: High speed data services

UPMC/PUF - M2 Networks - PTEL

Cell is a geographical area covered by an

UPMC/PUF - M2 Networks - PTEL

Depend on the frequencies and the power

The more the frequency is high, the more the cell

UPMC/PUF - M2 Networks - PTEL

Different cell sizes

The network is organized in cells which are

UPMC/PUF - M2 Networks - PTEL

The change of cell of a mobile

The reuse of the same frequency in disjoint cells allows a

UPMC/PUF - M2 Networks - PTEL

Terminals communicate with the central antenna via

In Europe: GSM 900 MHz DCS 1800 MHz

Air interface specification

Modulation techniques, encoding scheme and multiple

UPMC/PUF - M2 Networks - PTEL

Multiple access procedures

Air interface is responsible for frequency bands

FDMA (Frequency Division Multiple Access) used in the

UPMC/PUF - M2 Networks - PTEL

The frequency band f is divided into n

The time is divided into time slots who are

GSM architecture (1)

Home Location Register

Base Transceiver Station

UPMC/PUF - M2 Networks - PTEL

GSM architecture (2)

BTS (Base Transceiver Station)

MSC (Mobile service Switching Center)

HLR (Home Location Register)

AuC (Authentication Center)

SIM (Subscriber Identity Module)

Air interface transmission and radio resource managmemnt

Responsible for radio transmission

Modulation, demodulation, equalization, error recovery

Base station controller (BSC)

Radio resource management

UPMC/PUF - M2 Networks - PTEL

Network Sub-System (1)

Mobile switching center (MSC)

UPMC/PUF - M2 Networks - PTEL

Network Sub-System (2)

Two databases for subscriber management

Home Location Register (HLR)

Visitor Location Register (VLR)

Database containing information of the subscribers of an operator

Authentication center (AuC) associated with the HLR

UPMC/PUF - M2 Networks - PTEL

A smart card (SIM card) containing the subscriber identity

Temporary identity used to identify the mobile in the exchange over

Permanent identity of the subscriber which is only used internally the

The telephone number of the subscriber

A number assigned for the call establishment with a fixed network

UPMC/PUF - M2 Networks - PTEL

Each subscriber has an international identity, the IMSI