Difference between revisions of "GSM Concepts"
|Line 4:||Line 4:|
In this section we shall
In this section we shall basic notions about the GSM network, it's key components, and what is the role of YateBTS. After that in the following sections of this chapter we shall discuss in more depth some elements and the relevant interfaces that communicate directly to YateBTS.
Revision as of 15:00, 10 February 2014
- 1 GSM Concepts
- 2 Fundamental Um Transactions
- 3 Um security features
- 4 Network and Switching Subsystem
- 5 GPRS
GSM Network architecture
In this section we shall present basic notions about the GSM network, it's key components, and what is the role of YateBTS. After that in the following sections of this chapter we shall discuss in more depth some elements and the relevant interfaces that communicate directly to YateBTS.
GSM frequency bands
GSM frequency bands or frequency ranges are the cellular frequencies designated by the ITU for the operation of GSM mobile phones.
The name of the systems of the frequency bands are as follows:
- P-GSM, Standard or Primary GSM-900 Band - E-GSM, Extended GSM-900 Band (includes Standard GSM-900 band) - R-GSM, Railways GSM-900 Band (includes Standard and Extended GSM-900 band) - T-GSM, Trunking-GSM
There are fourteen bands defined in 3GPP TS 45.005
A MS comprises all user equipment and software needed for communication with a mobile network.
The term refers to the global system connected to the mobile network, i.e. a mobile phone or mobile computer connected using a mobile broadband adapter. This is the terminology of 2G systems like GSM.
In GSM, a mobile station consists of four main components:
- Mobile termination (MT) - offers common functions of a such as: radio Transmission and handover, speech encoding and decoding, Error detection and correction, signalling and access to the SIM. The IMEI code is attached to the MT. It is equivalent to the network termination of an ISDN access. - item Terminal equipment (TE) - is any device connected to the MS offering services to the user. It does not contain any functions specific to GSM. - Terminal adapter (TA) - Provides access to the MT as if it was an ISDN network termination with extended capabilities. Communication between the TE and MT over the TA takes place using AT commands. - Subscriber identity module (SIM) - is a removable subscriber identification token storing the IMSI a unique key shared with the mobile network operator and other data.
In a mobile phone, the MT, TA and TE are enclosed in the same case. However, the MT and TE functions are often performed by distinct processors. The application processor serves as a TE, while the baseband processor serves as a MT, communication between both takes place over a bus using AT commands, which serves as a TA.
The UM interface
The Um interface is the air interface for the GSM mobile telephone standard. It is the interface between the mobile station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog to the U interface of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also support GPRS packet-oriented communication. The layers of GSM are initially defined in GSM 04.01 Section 7 and roughly follow the OSI model. Um is defined in the lower three layers of the model.
Um Logical Channels
Um logical channel types are outlined in GSM 04.03. Broadly speaking, non-GPRS Um logical channels fall into three categories:
- traffic channels - dedicated control channels - non-dedicated(common) control channels
The following diagram shows the main channel categories.
These point-to-point channels correspond to the ISDN B channel and are referred to as Bm channels.Traffic channels use 8-burst(Break) diagonal interleaving with a new block starting on every fourth burst and any given burst containing bits from two different traffic frames.This interleaving pattern makes the TCH robust against single-burst fades since the loss of a single burst destroys only 1/8 of the frame's channel bits. The coding of a traffic channel is dependent on the traffic or vocoder type employed, with most coders capable of overcoming single-burst losses. All traffic channels use a 26-multiframe TDMA structure.
Full-rate channels (TCH/F)
A GSM full rate channel uses 24 frames out of a 26-multiframe. The channel bit rate of a full-rate GSM channel is 22.7 kbit/s, although the actual payload data rate is 9.6-14 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.10 Full Rate, GSM 06.60 Enhanced Full Rate or GSM 06.90 Adaptive Multi-Rate speech codec. It can also be used for fax and Circuit Switched Data.
Half-rate channels (TCH/H)
A GSM half rate channel uses 12 frames out of a 26-multiframe. The channel bit rate of a half-rate GSM channel is 11.4 kbit/s, although the actual data capacity is 4.8-7 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.20 Half Rate or GSM 06.90 Adaptive Multi-Rate speech codec.
Dedicated Control Channels (DCCHs)
These point-to-point channels correspond to the ISDN D channel and are referred to as Dm channels.\\
Standalone Dedicated Control Channel (SDCCH)
The SDCCH is used for most short transactions, including initial call setup, registration and SMS transfer. It has a payload data rate of 0.8 kbit/s. Up to eight SDCCHs can be time-multiplexed onto a single physical channel. The SDCCH uses 4-burst block interleaving in a 51-multiframe.\\
Fast Associated Control Channel (FACCH)
The FACCH is always paired with a traffic channel. The FACCH is a blank-and-burst channel that operates by stealing bursts from its associated traffic channel. Bursts that carry FACCH data are distinguished from traffic bursts by stealing bits at each end of the midamble. The FACCH is used for in-call signaling, including call disconnect, handover and the later stages of call setup. It has a payload data rate of 9.2 kbit/s when paired with a full-rate channel (FACCH/F) and 4.6 kbit/s when paired with a half-rate channel (FACCH/H). The FACCH uses the same interleaving and multiframe structure as its host TCH.\\
Slow Associated Control Channel (SACCH)
Every SDCCH or FACCH also has an associated SACCH. Its normal function is to carry system information messages 5 and 6 on the downlink, carry receiver measurement reports on the uplink and to perform closed-loop power and timing control. Closed loop timing and power control are performed with a physical header at the start of each L1 frame. This 16-bit physical header carries actual power and timing advance settings in the uplink and ordered power and timing values in the downlink. The SACCH can also be used for in-call delivery of SMS. It has a payload data rate of 0.2-0.4 kbit/s, depending on the channel with which it is associated. The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or SDCCH.
Common Control Channels (CCCHs)
These are unicast and broadcast channels that do not have analogs in ISDN. These channels are used almost exclusively for radio resource management. The AGCH and RACH together form the medium access mechanism for Um.
Broadcast Control Channel (BCCH)
The BCCH carries a repeating pattern of system information messages that describe the identity, configuration and available features of the BTS. BCCH brings the measurement reports it bring the information about LAI And CGI BCCH frequency are fixed in BTS.
Synchronization Channel (SCH)
The SCH transmits a Base station identity code and the current value of the TDMA clock. SCH repeats on every 1st, 11th, 21st, 31st and 41st frames of the 51 frame multi frame. So there are 5 SCH frames in a 51 frame multiframe.
Frequency Correction Channel (FCCH)
The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local oscillator. FCCH will repeat on every 0th, 10th, 20th, 30th and 40th frames of the 51 frame multiframe. So there are 5 FCCH frames in a 51 frame multiframe.
Paging Channel (PCH)
The PCH carries service notifications (pages) to specific mobiles sent by the network. A mobile station that is camped to a BTS monitors the PCH for these notifications sent by the network.
Access Grant Channel (AGCH)
The AGCH carries BTS responses to channel requests sent by mobile stations via the Random Access Channel.
Random Access Channel (RACH)
The RACH is the uplink counterpart to the AGCH. The RACH is a shared channel on which the mobile stations transmit random access bursts to request channel assignments from the BTS.
Allowed channel combinations
The multiplexing rules of GSM 05.02 allow only certain items of logical channels to share a physical channel. The allowed items for single-slot systems are listed in GSM 05.02 Section 6.4.1. Additionally, only certain of these items are allowed on certain timeslots or carriers and only certain sets of items can coexist in a given BTS. These restrictions are intended to exclude non-sensical BTS configurations and are described in GSM 05.02 Section 6.5.
The most common combinations are:
- TCH/F + FACCH/F + SACCH - This combination is used for full rate traffic. It can be used anywhere but C0T0. - TCH/H + FACCH/H + SACCH - This combination is used for half rate traffic when only one channel is needed. It can be used anywhere but C0T0. - 2 TCH/H + 2 FACCH/H + 2 SACCH - This combination is used for half rate traffic. It can be used anywhere but C0T0. - FCCH + SCH + BCCH + CCCH - This is the standard C0T0 combination for medium and large cells. It can be used only on C0T0. - FCCH + SCH + BCCH + CCCH + 4 SDCCH + 2 SACCH -
This is the typical C0T0 combination for small cells, which allows the BTS to trade unnecessary CCCH capacity for a pool of 4 SDCCHs. (5x1)+(5x1)+(1x4)+(3x4)+(4x4)+(2x4)+1idle= 51 frame multiframe. It can be used only on C0T0.
- BCCH + CCCH - This combination is used to provide additional CCCH capacity in large cells. It can be used on C0T2, C0T4 or C0T6. - 8 SDCCH + 4 SACCH.[(8x4)+(4x4)+3idle=51frame multiframe] - This combination is used to provide additional SDCCH capacity in medium and large cells. It can be used anywhere but C0T0.
YateBTS supports the I, IV, and VI channel combinations
A typical subset configuration of the logical channel is presented in the following diagram.
Fundamental Um Transactions
Basic speech service in GSM requires five transactions:
- radio channel establishment - location update - mobile-originating call establishment - mobile-terminating call establishment - call clearing
All of these transactions are described in GSM 04.08 Sections 3-7.
Radio channel establishment
Unlike ISDN's U channel, Um channels are not hard-wired, so the Um interface requires a mechanism for establishing and assigning a dedicated channel prior to any other transaction. The Um radio resource establishment procedure is defined in GSM 04.08 Section 3.3 and this is the basic medium access procedure for Um. This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared uplink.
In the simplest form, the steps of the transaction are:
- Paging. The network sends a RR Paging Request message (GSM 04.08 Sections 9.1.22-9.1.23) over the PCH, using the subscriber's IMSI or TMSI as an address. GSM does not allow paging by IMEI (GSM 04.08 Section 10.5.1.4). This paging step occurs only for a transaction initiated by the network. - Random Access. The mobile station sends a burst on the RACH. This burst encodes an 8-bit transaction tag and the BSIC of the serving BTS. A variable number of most-significant bits in the tag encode the reason for the access request, with the remaining bits chosen randomly. In L3, this tag is presented as the RR Channel Request message (GSM 04.08 9.1.8). The mobile also records the TDMA clock state at the time the RACH burst is transmitted. In cases where the transaction is initiated by the MS, this is first step. - Assignment. On the AGCH, the network sends the RR Immediate Assignment message (GSM 04.08 Section 9.1.18) for a dedicated channel, usually an SDCCH. This message is addressed to the MS by inclusion of the 8-bit tag from the corresponding RACH burst and a time-stamp indicating the TDMA clock state when the RACH burst was received. If no dedicated channel is available for assignment, the BTS can instead respond with the RR Immediate Assignment Reject message, which is similarly addressed and contains a hold-off time for the next access attempt. Emergency callers receiving the reject message are not subject to the hold-off and may retry immediately. - Retry. If the RACH burst of step 2 is not answered with an assignment or assignment reject in step 3 within a given timeout period ,usually on the order of 0.5 second, the handset will repeat step 2 after a small random delay. This cycle may be repeated 6-8 times before the MS aborts the access attempt.
Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same time in step 2.If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio signals will not be demodulable and both MSs will move to step 4. However, if there is a sufficient difference in power, the BTS will see and answer the more powerful RACH burst. Both MSs will receive and respond to the resulting channel assignment in step 3. To ensure recovery from this condition, Um uses a "contention resolution procedure" in L2, described in GSM 04.06 18.104.22.168 in which the first L3 message frame from the MS, which always contains some form of mobile ID, is echoed back to the MS for verification.
The location updating procedure is defined in GSM 04.08 Sections 4.4.1 and 7.3.1. This procedure normally is performed when the MS powers up or enters a new Location area but may also be performed at other times as described in the specifications. In its minimal form, the steps of the transaction are:
- The MS and BTS perform the radio channel establishment procedure. - On the newly established dedicated channel, the MS sends the MM Location Updating Request message containing either an IMSI or TMSI. The message also implies connection establishment in the MM sublayer. - The network verifies the mobile identity in the HLR or VLR and responds with the MM Location Updating Accept message. - The network closes the Dm channel by sending the RR Channel Release message.
There are many possible elaborations on this transaction, including:
- authentication - ciphering - TMSI assignment - queries for other identity types - location updating reject
Mobile-Originating Call (MOC) establishment
This is the transaction for an outgoing call from the MS, defined in GSM 04.08 Sections 5.2.1 and 7.3.2 but taken largely from ISDN Q.931.
In its simplest form, the steps of the transaction are:
- The MS initiates the radio channel establishment procedure and is assigned to a Dm channel, usually an SDCCH. This establishes the connection in the L3 RR sublayer. The first message sent on the new Dm is the MM Connection Mode service Request, sent by the MS. This message contains a subscriber ID (IMSI or TMSI) and a description of the requested service, in this case MOC. - The network verifies the subscriber's provisioning in the HLR and responds with the MM Connection Mode Service Accept message. This establishes the connection in the L3 MM sublayer. (This is a simplification. In most networks MM establishment is performed with authentication and ciphering transactions at this point.) - The MS sends the CC Setup message, which contains the called party number. - Assuming the called party number is valid, network response with the CC Call Proceeding message. - The network sends an RR Assignment message to move the transaction off of the SDCCH and onto a TCH+FACCH. - Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the RR Assignment Complete message. From this point on, all control transactions are on the FACCH. - When alerting is verified at the called destination, the network sends the CC Alerting message. - When the called party answers, the network sends the CC Connect message. - The MS response with the CC Connect Acknowledge message. At this point, the call is active.
The TCH+FACCH assignment can occur at any time during the transaction, depending on the configuration of the network.
There are three common approaches:
- Early Assignment. The network assigns the TCH+FACCH after sending CC Call Proceeding and completes call setup on the FACCH. This allows the use of in-band patterns , like the ringing or busy patterns, generated by the network. - Late Assignment. The network does not assign the TCH+FACCH until after alerting has started. This forces the MS itself to generate the patterns locally since the TCH does not yet exist to carry the sound. - Very Early Assignment. The network makes an immediate assignment to the TCH+FACCH in the initial RR establishment and performs the entire transaction on the FACCH. The SDCCH is not used. Because immediate assignment starts the FACCH in a signaling-only mode, the network must send the RR Channel Mode Modify message at some point to enable the TCH part of the channel.
Mobile-Terminating Call (MTC) establishment
This is the transaction for an incoming call to the MS, defined in GSM 04.08 Sections 5.2.2 and 7.3.3, but taken largely from ISDN Q.931.
- The network initiates the radio channel establishment procedure and assigns the MS to a Dm channel, usually an SDCCH. This establishes the connection in the L3 RR sublayer. - The MS sends the first message on the new Dm, which is the RR Paging Response message. This message contains a mobile identity (IMSI or TMSI) and also implies a connection attempt in the MM sublayer. - The network verifies the subscriber in the HLR and verifies that the MS was indeed paged for service. The network can initiate authentication and ciphering at this point, but in the simplest case the network can just send the CC Setup message to initiate Q.931-style call control. - The MS responds with CC Call Confirmed. - The network sends an RR Assignment message to move the transaction off of the SDCCH and onto a TCH+FACCH. - Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the RR Assignment Complete message.
From this point on, all control transactions are on the FACCH.
- The MS starts alerting (ringing, etc.) and sends the CC Alerting message to the network. - When the subscriber answers, the MS sends the CC Connect message to the network. - The network response with the CC Connect Acknowledge message. At this point, the call is active.
As in the MOC, the TCH+FACCH assignment can happen at any time, with the three common techniques being early, late and very early assignment.
The transaction for clearing a call is defined in GSM 04.08 Sections 5.4 and 7.3.4. This transaction is the same whether initiated by the MS or the network, the only difference being a reversal of roles. This transaction is taken from Q.931.
- Party A sends the CC Disconnect message. - Party B responds with the CC Release message. - Party A responds with the CC Release Complete message. - The network releases the RR connection with the RR Channel Release message. This always comes from the network, regardless of which party initiated the clearing procedure.
SMS transfer on Um
GSM 04.11 and 03.40 define SMS in five layers
- L1 is taken from the Dm channel type used, either SDCCH or SACCH. This layer terminates in the BSC. - L2 is normally LAPDm, although GPRS-attached devices may use Logical link control (LLC, GSM 04.64). In LAPDm SMS uses SAP3. This layer terminates in the BTS. - L3, the connection layer, defined in GSM 04.11 Section 5. This layer terminates in the MSC. - L4, the relay layer, defined in GSM 04.11 Section 6. This layer terminates in the MSC. - L5, the transfer layer, defined in GSM 03.40. This layer terminates in the SMSC.
As a general rule, every message transferred in L(n) requires both a transfer and an acknowledgment on L(n-1). Only L1-L4 are visible on Um.
Mobile-Originated SMS (MO-SMS)
The transaction steps for MO-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
- The MS establishes an SDCCH using the standard RR establishment procedure. - The MS sends a CM Service Request, - The MS initiates multiframe mode in SAP3 with the normal LAPDm SABM procedure. - The MS sends a CP-DATA message (L3, GSM 04.11 Section 7.2.1), which carries an RP-DATA message (L4, GSM 04.11 Section 7.3.1) in its RPDU. - The network responds with a CP-ACK message (L3, GSM 04.11 Section 7.2.2). - The network delivers the RPDU to the MSC. - The MSC responds with an RP-ACK message (L4, GSM 04.11 Section 7.3.3). - The network sends a CP-DATA message to the MS, carrying the RP-ACK payload in its RPDU. - The MS responds with a CP-ACK message. - The network releases the SDCCH with the RR Channel Release message. This implies a closure of the MM sublayer and triggers the release of L2 and L1.
Mobile-Terminated SMS (MT-SMS)
The transaction steps for MT-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B.
In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
- The network pages the MS with the standard paging procedure. - The MS establishes an SDCCH using the standard RR paging response procedure, which implies a CC sublayer connection. - The network initiates multiframe mode in SAP3. - The network sends the RP-DATA message as the RPDU in a CP-DATA message. - The MS responds with the CP-ACK message. - The MS processes the RPDU. - The MS sends a CP-DATA message to the network containing an RP-ACK message in the RPDU. - The network responds with a CP-ACK message. - The network releases the SDCCH with the RR Channel Release message. This implies a closure of the MM sublayer and triggers the release of L2 and L1.
Um security features
GSM 02.09 defines the following security features on Um:
- authentication of subscribers by the network, - encryption on the channel, - anonymization of transactions (at least partially)
Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security feature but has the practical effect of adding significant complexity to passive interception of the Um link. Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki are held in the SIM and in the Authentication Center (AuC), a component of the HLR. Ki is never transmitted across Um. An important and well-known shortcoming of GSM security is that it does not provide a means for subscribers to authenticate the network. This oversight allows for false basestation attacks, such as those implemented in an IMSI catcher.
Authentication of subscribers
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and summarized here:
- The network generates a 128 bit random value, RAND. - The network sends RAND to the MS in the MM Authentication Request message. - The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm called A3, using Ki as a key. SRES = A3(RAND,Ki). The network performs an identical SRES calculation. - The MS sends back its SRES value in the RR Authentication Response message. - The network compares its calculated SRES value to the value returned by the MS. If they match, the MS is authenticated. - Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and Ki using the A8 algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use when ciphering is enabled.
Note that this transaction always occurs in the clear, since the ciphering key is not established until after the transaction is started.
GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio bursts, at a very low level in L1, after forward error correction coding is applied. This is another significant security shortcoming in GSM because:
- the intentional redundancy of the convolutional coder reduces the Unicity distance of the encoded data and - the parity word can be used for verifying correct decryption.
A typical GSM transaction also includes LAPDm idle frames and SACCH system information messages at predictable times, affording a Known plaintext attack. The GSM ciphering algorithm is called A5.
There are four variants of A5 in GSM, only first three of which are widely deployed:
- A5/0: no ciphering at all - A5/1: strong(er) ciphering, intended for use in North America and Europe - A5/2: weak ciphering, intended for use in other parts of the world, but now deprecated by the GSMA - A5/3: even stronger ciphering with open design
Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is initiated with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The MS starts ciphering and responds with the RR Ciphering Mode Complete message in ciphertext. The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GSM 02.09 Section 3.3.3). Support of both A5/1 and A5/2 in the MS was mandatory in GSM Phase 2 (GSM 02.07 Section 2) until A5/2 was depreciated by the GSMA in 2006.
Anonymization of subscribers
The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the clear on Um. The TMSI is assigned by the BSC and is only meaningful within specific network. The TMSI is assigned by the network with the MM TMSI Reallocation Command, a message that is normally not sent until after ciphering is started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established, it can be used to anonymize future transactions. Note that the subscriber identity must be established before authentication or encryption, so the first transaction in a new network must be initiated by transmitting the IMSI in the clear.
Network and Switching Subsystem
Mobile Switching Center (MSC) and the Visitor Location Register (VLR)
The mobile switching center (MSC) is the primary service delivery node for GSM, responsible for routing voice calls and SMS. The MSC sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call and takes care of charging and real time pre-paid account monitoring. In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent directly digitally encoded to the MSC. Only at the MSC is this re-coded into an "analogue" signal.
There are various different names for MSCs in different contexts which reflects their complex role in the network, all of these terms though could refer to the same MSC, but doing different things at different times.
The Gateway MSC (G-MSC) is the MSC that determines which visited MSC the subscriber who is being called is currently located at. It also interfaces with the PSTN. All mobile to mobile calls and PSTN to mobile calls are routed through a G-MSC. The term is only valid in the context of one call since any MSC may provide both the gateway function and the Visited MSC function, however, some manufacturers design dedicated high capacity MSCs which do not have any BSSs connected to them. These MSCs will then be the Gateway MSC for many of the calls they handle. The visitor location is a database of the subscribers who have roamed into the jurisdiction of the MSC (Mobile Switching Center) which it serves. Each main base station in the network is served by exactly one VLR, hence a subscriber cannot be present in more than one VLR at a time.
The data stored in the VLR has either been received from the HLR, or collected from the MS (Mobile station). In practice, for performance reasons, most vendors integrate the VLR directly to the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface. Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location of that MS. If VLR data is corrupted it can lead to serious issues with text messaging and call services.
Data stored include:
- IMSI (the subscriber's identity number). - Authentication data. - MSISDN (the subscriber's phone number). - GSM services that the subscriber is allowed to access. - access point (GPRS) subscribed. - The HLR address of the subscriber.
Home Location Register
The home location register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time. The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record.
Another important item of data associated with the SIM are the MSISDNs, which are the telephone numbers used by mobile phones to make and receive calls.The primary MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a primary key to the HLR record. The HLR data is stored for as long as a subscriber remains with the mobile phone operator.
Examples of other data stored in the HLR against an IMSI record is:
- GSM services that the subscriber has requested or been given. - GPRS settings to allow the subscriber to access packet services. - Current location of subscriber (VLR and serving GPRS support node/SGSN). - Call divert settings applicable for each associated MSISDN.
The HLR is a system which directly receives and processes MAP transactions and messages from elements in the GSM network, for example, the location update messages received as mobile phones roam around.
Equipment Identity Register
The equipment identity register is often integrated to the HLR.The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored.This is designed to allow tracking of stolen mobile phones. In theory all data about all stolen mobile phones should be distributed to all EIRs in the world through a Central EIR.It is clear, however, that there are some countries where this is not in operation.The EIR data does not have to change in real time, which means that this function can be less distributed than the function of the HLR.The EIR is a database that contains information about the identity of the mobile equipment that prevents calls from stolen, unauthorized or defective mobile stations.Some EIR also have the capability to log Handset attempts and store it in a log file.
The authentication centre (AuC) is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above.An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.
If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator attempted. There is an additional form of identification check performed on the serial number of the mobile phone described in the EIR section below, but this is not relevant to the AuC processing. Proper implementation of security in and around the AuC is a key part of an operator's strategy to avoid SIM cloning.
The AuC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure.The security of the process depends upon a shared secret between the AuC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AuC.This Ki is never transmitted between the AuC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over the air communications.
General packet radio service (GPRS) is a packet oriented mobile data service. The core network is based on Internet Protocol (IP) so it can communicate through the internet to any other LAN network or ther Internet Software providers. The GPRS core network allows 2G, 3G and WCDMA mobile networks to transmit IP packets to external networks such as the Internet. From this concept evolved the modern core network o
GPRS extends the GSM Packet circuit switched data capabilities and makes the following services possible:
- SMS messaging and broadcasting - "Always on" internet access - Multimedia messaging service (MMS) - Push to talk over cellular (PoC) - Instant messaging and presence—wireless village - Internet applications for smart devices through wireless application protocol (WAP) - Point-to-point (P2P) service: inter-networking with the Internet (IP) - Point-to-Multipoint (P2M) service: point-to-multipoint multicast and point-to-multipoint group calls
If SMS over GPRS is used, an SMS transmission speed of about 30 SMS messages per minute may be achieved. This is much faster than using the ordinary SMS over GSM, whose SMS transmission speed is about 6 to 10 SMS messages per minute.