GSM
Fundamental concepts
Outline
GSM-Introduction
Cellular system generations (Review)
Fundamental concepts-
Cell/cluster, frequency re-use, handover,
roaming, multiple access schemes,
control channel, cellular services, etc
Architecture- network components,
setting up and receiving calls.
Channels
Security
What is GSM?
Global System for Mobile
(GSM) communication is a
cellular standard developed
to cater for voice services
and data delivery using
digital modulation.
A bit of history
Developed by Groupe Spécial Mobile (founded 1982), which was an initiative of
CEPT (Conference of European Post and Telecommunication).
Aim: to replace the incompatible analog system.
Presently GSM standardization resides with the special mobile group under
ETSI (European Telecommunication Standards Institute).
Full set of specifications phase-I became available in 1990.
Under ETSI, GSM is named as “Global System for Mobile communication”.
Today many providers all over the world use
GSM (more than 135 countries in Asia,
Africa, Europe, Australia, America)
Cellular systems generations
1G (first generation) – voice-oriented systems
based on analog technology; ex.: Advanced
Mobile Phone Systems (AMPS) .
2G (second generation) - voice-oriented
systems based on digital technology; more
efficient and used less spectrum than 1G; ex.:
Global System for Mobile (GSM)
3G (third generation) – high-speed voice-
oriented systems integrated with data services;
ex.: General Packet Radio Service (GPRS),
Code Division Multiple Access (CDMA)
4G (fourth generation) –based on Internet
protocol networks and provide voice, data and
multimedia service to subscribers.
LTE
Cellular system
Geographic region subdivided into Radio Cells.
Base Station provides radio connectivity to Mobile Station within cell.
Handover to neighbouring base station when necessary.
Base Stations connected by some Networking infrastructure
Network Cells
The entire network coverage area is divided into cells
based on the principle of frequency reuse.
A Cell = basic geographical unit of a cellular network;
is the area around an antenna where a specific
frequency range is used;
is represented graphically as a hexagonal shape, but
in reality it is irregular in shape.
when a subscriber moves to another cell, the antenna of
the new cell takes over the signal transmission
(Handover or handoff).
a Cluster is a group of adjacent cells, usually 7 cells;
no frequency reuse is done within a cluster
the frequency spectrum is divided into sub-bands and each sub-
band is used within one cell of the cluster
in heavy traffic zones cells are smaller, while in isolated zones cells
are larger
Frequency reuse
Frequency reuse is a method used by service
providers to improve the efficiency of a cellular
network and to serve millions of subscribers
using a limited radio spectrum.
is based on the fact that after a distance a radio
wave gets attenuated and the signal falls below a
point where it can no longer be used or cause any
interference.
An antenna transmitting in a specific frequency
range will have only a limited coverage area.
beyond this coverage area, that frequency can be
reused by another transmitter.
Network cells (ctd)
Types of cells
macrocell – their coverage is large
(approx. 6 miles in diameter);
used in remote areas, high-power
transmitters and receivers are used.
microcell – their coverage is small
(half a mile in diameter) and are used in
urban zones;
low-powered transmitters and receivers are
used to avoid interference with cells in
other clusters.
picocell – covers areas such as building
or a tunnel.
Other cellular concepts
Handover = moving a call from one
zone to another zone due to subscriber’s
mobility.
Roaming = allowing the subscriber to
send/receive calls outside the service
provider’s coverage area.
The control channel
this channel is used by a cellular phone to
indicate its presence before a
frequency/time slot/code is allocated to
it.
Basic Structure
[Figure: Mobile Station and Base Station linked by Uplink and Downlink; Multiple Access; Handover; Cells use different frequencies or codes]
Multiple Access
GSM is a combination of FDMA and TDMA
TDMA supports:
Up to 8 full rate users
Up to 16 half rate users
[Figure: BTS serving USER 1 to USER 8 in the time slots of ARFCN1 and USER 9 to USER 16 on ARFCN2]
Multiple access schemes
Frequency Division Multiple Access
- each subscriber is assigned a unique frequency; used in both analog and digital systems.
Time Division Multiple Access
- each subscriber is assigned a time slot to send/receive a data burst; is used in digital systems.
Code Division Multiple Access
- each subscriber is assigned a code which is used to multiply the signal sent or received by the subscriber
Cellular services
i. Voice Communication
   - Mobile telephony
   - Emergency calling
ii. Short Messaging Service (SMS)
   - up to 160 character alphanumeric data transmission to/from the mobile terminal
iii. Multimedia Messaging Service (MMS)
iv. Global Positioning System (GPS)
v. Wireless Application Protocol (WAP) – to access the Internet
   - Electronic mail
Cellular services ctd
- Supplementary Services
• Call Waiting- Notification of an incoming call while on the
handset
• Call Hold- Put a caller on hold to take another call
• Call Barring- All calls, outgoing calls, or incoming calls
• Call Forwarding- Calls can be sent to various numbers
defined by the user
• Multi Party Call Conferencing - Link multiple calls
together
• CLIP – Caller line identification presentation
• CLIR – Caller line identification restriction
• CUG – Closed user group
Cellular network
components (1)
Mobile Station (MS)
Mobile Equipment (ME)
Subscriber Identity Module (SIM)
Base Station Subsystem (BSS)
Base Transceiver Station (BTS)
Base Station Controller (BSC)
Network Switching Subsystem(NSS)
Mobile Switching Center (MSC)
Home Location Register (HLR)
Visitor Location Register (VLR)
Authentication Center (AUC)
Equipment Identity Register (EIR)
Cellular network components
MSC - Mobile Switching Center
BSC - Base Station Controller
BTS - Base Transceiver Station
MS - Mobile Station or Mobile Subscriber Unit
Cellular network components
(2)
BTS (Base Transceiver Station) – main component
of a cell and it connects the subscribers to the
cellular network; for transmission/reception of
information it uses several antennas spread across
the cell.
BSC (Base Station Controller) – it is an interface
between BTSs and it is linked to BTSs by cable or
microwave links; it routes calls between BTSs; it is
also connected to the MSC.
MSC (Mobile Switching Center) – the coordinator
of a cellular network, it is connected to several
BSCs, it routes calls between BSCs; links the
cellular network with other networks like PSTN
through fiber optics, microwave or copper cable.
The Mobile Station is made
up of two entities:
1. Mobile Equipment (ME)
2. Subscriber Identity Module (SIM)
Components of a Cellular Phone
(MSU – Mobile Subscriber Unit)
radio transceiver – low power radio
transmitter and receiver; power level: 0.8W – 20 W
antenna, usually located inside the phone.
control circuitry – formats the data sent to and
from the BTS; controls signal transmission and
reception.
man-machine interface – consists of a keypad
and a display; is managed by the control circuitry.
Subscriber Identity Module (SIM) – integrated
circuit card that stores the identity information of
subscriber.
battery, the power unit of the phone.
Inside the Mobile phone - control circuitry
Block diagram of Mobile phone: Microprocessor, Flash memory
Mobile phone also has Antenna, Liquid Crystal Display (LCD), Keyboard,
Microphone, Speaker and Battery.
[Figure: Block diagram of BB]
GSM Call Setup
[Figure: GSM call setup network showing HLR, BSC, VMS (Voicemail), EIR, PrePaid IN, MSC, SMSC, Internet, PSTN, PABX, Fixed Network, International]
Setting up a call process
when powered on, the phone does not have a
frequency/time slot/code assigned to it yet; so it scans for
the control channel of the BTS and picks the strongest
signal.
then it sends a message (including its identification
number) to the BTS to indicate its presence.
the BTS sends an acknowledgement message back to the
cell phone.
the phone then registers with the BTS and informs the
BTS of its exact location.
after the phone is registered to the BTS, the BTS assigns a
channel to the phone and the phone is ready to receive or
make calls
Making a call - process
the subscriber dials the receiver’s number and
sends it to the BTS.
the BTS sends to its BSC the ID, location and
number of the caller and also the number of the
receiver.
the BSC forwards this information to its MSC
the MSC routes the call to the receiver’s MSC
which is then sent to the receiver’s BSC and
then to its BTS.
the communication with the receiver’s cell
phone is established.
Receiving a call - process
when the receiver’s phone is in an idle state it
listens for the control channel of its BTS
if there is an incoming call the BSC and BTS
send a message to the cells in the area where
the receiver’s phone is located.
the phone monitors its message and compares
the number from the message with its own.
if the numbers match, the cell phone sends
an acknowledgement to the BTS.
after authentication, the communication is
established between the caller and the receiver.
GSM characteristics
Previous standards in cellular
communication were restrictive.
GSM – global digital standard for cellular
phones that offers roaming facility.
GSM operates in frequency bands: 900 MHz,
1800 MHz, 1900 MHz.
GSM provides voice and data services.
GSM systems support SIM cards
Subscriber Identity Module (SIM)
card
SIM – a memory card (integrated circuit)
holding identity information, phone book
etc.
GSM systems support SIM cards;
other systems, like CDMA, do not
support SIM cards, but have something
similar called Re-Usable Identification
Module (RUIM)
International Mobile Equipment
Identity (IMEI) key
IMEI – a unique 15 digit number
identifying each phone, is incorporated in
the cellular phone by the manufacturer.
IMEI eg.: 994456245689001
when a phone tries to access a network,
the service provider verifies its IMEI with
a database of stolen phone numbers; if it
is found in the database, the service
provider denies the connection.
the IMEI is located on a white
sticker/label under the battery, but it can
also be displayed by typing *#06# on
the phone.
International Mobile Subscriber
Identity (IMSI) key
Smart card contains the International Mobile
Subscriber Identity (IMSI)
IMSI – a 15-digit unique number provided by
the service provider and incorporated in the
SIM card which identifies the subscriber.
IMSI enables a service provider to link a phone
number with a subscriber.
first 3 digits of the IMSI are the country code
Allows user to send and receive calls and
receive other subscribed services
Protected by a password or PIN
Can be moved from phone to phone – contains
key information to activate the phone
Temporary Mobile Subscriber
Identity (TMSI) key
TMSI – is a temporary number, shorter than the
IMSI, assigned by the service provider to the
phone on a temporary basis.
TMSI key identifies the phone and its owner in
the cell it is located; when the phone moves to a
different cell it gets a new TMSI key
as TMSI keys are shorter than IMSI keys they are
more efficient to send.
TMSI keys are used for securing GSM networks
GSM architecture
Base Station Subsystem (BSS)
• Base Station Subsystem is composed of two parts that
communicate across the standardized Abis interface
(allows operation between components made by
different suppliers)
• Base Transceiver Station (BTS)
• Base Station Controller (BSC)
Um: The air interface between the mobile equipment
and the BTS
BTS (Base Transceiver Station)
BTS (Base Transceiver Station) – main
component of a cell and it connects the
subscribers to the cellular network; for
transmission/reception of information it
uses several antennas spread across the
cell.
[Figure: Typical BTS installation]
Encodes, encrypts, multiplexes,
modulates and feeds the RF signals to the
antenna.
Frequency hopping
Communicates with Mobile station and
BSC
Consists of Transceivers (TRX) units
BTS antenna sy
BSC (Base Station Controller)
BSC (Base Station Controller) – BSC plays a
role of a small digital exchange.
it is an interface between BTSs and it is linked
to BTSs by cable or microwave links; it routes
calls between BTSs; it is also connected to the
MSC.
[Figure: Typical BSC]
Manages Radio resources for BTS
Assigns Frequency and time slots for all MS’s in its
area
Handles call set up
Transcoding and rate adaptation functionality
Handover for each MS
Radio Power control
It communicates with MSC and BTS
Network Switching
Subsystem(NSS)
Mobile Switching Center (MSC)
Heart of the network
Manages communication between GSM and other networks
Call setup function and basic switching
Call routing
Billing information and collection
Mobility management
- Registration
- Location Updating
- Inter BSS and inter MSC call handoff
MSC does gateway function while its customer roams to other
network by using HLR/VLR.
HLR, VLR and EIR registers
Home Location Register (HLR) - is a database maintained by the service
provider containing permanent data about each subscriber (i.e. location,
IMSI, MSISDN, activity status, account status, prepaid/postpaid, call
forwarding preference, caller identification preference, roaming restrictions,
supplementary services); generally one per GSM network operator.
Visitor Location Register (VLR) – database that stores temporary data
about a subscriber; it updates whenever a new MS enters its area, it is kept in
the MSC of the area the subscriber is located in; when the subscriber moves
to a new area the new MSC requests this VLR from the HLR of the old MSC.
Reduces number of queries to HLR
Summary
HLR – database of all users + current location. One
per network
VLR – database of users + roamers in some
geographic area. Caches the HLR
EIR – database of valid equipment
AuC – Database of users’ secret keys
AUC
AUC is a separate entity and physically included in HLR
Protects against intruders in air interface
Authentication (Ki) and ciphering (Kc) keys are stored in this database.
Keys change randomly with each call
Keys are never transmitted to MS on air; only calculated responses
are sent.
Equipment Identity Register (EIR)
Equipment Identity Register (EIR) – database
located in the MSC. It contains information
identifying cell phones using the IMEI (International
Mobile Equipment Identity).
Made up of three sub-classes: The White List, The
Black List and the Gray List.
White list – approved mobile types
Black list – barred mobile types
Gray list – tracked mobile types
Authentication Center (AuC)
1st level security mechanism for a GSM cellular
network
is a database that stores the list of authorized
subscribers of a GSM network.
it is linked to the MSC and checks the identity of each
user trying to connect to protect against intruders in
air interface.
also provides encryption parameters to secure
a call made in the network using authentication
keys and algorithms ( RAND, SRES, Kc).
GSM Mobile Switching
Center (MSC)
is a switching center of the GSM network; coordinates
BSCs linked to it
GSM Access Scheme and
Channel Structure
GSM uses FDMA and TDMA to transmit voice and
data.
the uplink channel between the cell phone and the BTS
uses FDMA and a specific frequency band.
the downlink channel between the BTS and the cell
phone uses a different frequency band and the TDMA
technique.
there is sufficient frequency separation between the
uplink freq. band and the downlink freq. band to avoid
interference.
each uplink and downlink frequency band is further
split up as Control Channel (used to set up and manage
calls) and Traffic Channel (used to carry voice).
GSM uplink/downlink frequency
bands used
GSM Frequency band   Uplink/BTS Transmit   Downlink/BTS Receive
900 MHz              935-960 MHz           890-915 MHz
1800 MHz             1805-1880 MHz         1710-1785 MHz
1900 MHz             1930-1990 MHz         1850-1910 MHz
GSM uplink/downlink
frequency bands
uplink and downlink take place in different time slots
using TDMA.
uplink and downlink channels have a bandwidth of 25
MHz
these channels are further split up into 124 carrier
frequencies (1 control channel and the rest as traffic
channels); each carrier frequency is spaced 200 kHz
apart to avoid interference.
these carrier frequencies are further divided by time
using TDMA and each time slot lasts for 0.577 ms.
GSM uses TDMA and FDMA to let everybody talk.
FDMA: 25MHz freq. is divided into 124 carrier
frequencies. Each base station gets few of those.
TDMA: Each carrier frequency is divided into bursts
[0.577 ms]. 8 bursts are a frame.
Logical channels built up of physical channels
[Figure: 25 MHz band, 124 carriers; TDMA frame = 4.615 ms, made up of Time slot 1 to Time slot 8; burst period 577 µs; time slot = physical channel; labels: Control channels, Traffic channels]
Logical channels divided between:
Dedicated channels
Common channels
GSM Control Channel
GSM Control Channel is used to communicate
management data (setting up calls, location) between
BTS and the cell phone within a GSM cell.
only data is exchanged through the control channel (no
voice).
a specific frequency from the frequency band allocated
to a cell and a specific time slot are allocated for the
control channel (beacon frequency); a single control
channel for a cell.
GSM control channels can have the following types:
broadcast channel
common control channel
dedicated control channel
Broadcast Channel
Broadcast Channel is used for the initial
synchronization between the cell phone
and the BTS
is composed of:
Frequency Correction Channel (FCCH) – is
composed of a sequence of 148 zeros
transmitted by the BTS
Synchronization Channel (SCH) – follows the
FCCH and contains BTS identification and
location information
Broadcast Control Channel (BCCH) –
contains the frequency allocation information
used by cell phones to adjust their frequency
to that of the network; is continuously
broadcasted by the BTS.
Common Control Channels
type of control chan. used for call initiation
is composed of:
Paging Channel (PCH) – the BTS uses this channel to inform
the cell phone about an incoming call; the cell phone
periodically monitors this channel
Random Access Channel (RACH) – is an uplink channel used by
the cell phone to initiate a call; the cell phone uses this channel
only when required; if 2 phones try to access the RACH at the
same time, they cause interference and will wait a random time
before they try again; once a cell phone correctly accesses the
RACH, the BTS sends an acknowledgement.
Access Grant Channel (AGCH) – channel used to set up a call;
once the cell phone has used PCH or RACH to receive or
initiate a call, it uses AGCH to communicate to the BTS.
Dedicated Control Channels
Dedicated control channel used to manage calls.
is comprised of:
Standalone Dedicated Control Channel (SDCCH) – used along
with SACCH to send and receive messages; relays signaling
information.
Slow Associated Control Channel (SACCH) – on the downlink
BTS broadcasts messages of the beacon frequency of
neighboring cells to the cell phones; on the uplink BTS receives
acknowledgement messages from the cell phone.
Fast Associated Control Channel (FACCH) – used to transmit
unscheduled urgent messages; FACCH is faster than SACCH as
it can carry 50 messages per second, while SACCH can carry
only 4.
Traffic Channel
is used to carry voice data.
based on the TDMA, the traffic (voice channel) is
divided in 8 different time slots numbered from 0
to 7.
the BTS sends signals to a particular cell phone in a
specific time slot (from those 8 time slots) and the
cell phone replies in a different time slot.
Four basic security services
provided by GSM
Personal Identification Number (PIN)
User Authentication
Anonymity : TMSI Assignment
Encryption:
Personal Identification
Number (PIN)
the PIN is stored on the SIM card of the cell phone
when the cell phone is turned on, the SIM checks
the PIN; in case of 3 consecutive faulty PIN inputs
a PUK (Personal Unblocking Key) is asked for
in case of 10 faulty PUK inputs, the SIM is locked
and the subscriber must ask for a new SIM
this security measure is within the cell phone and
the service provider is not involved
User Authentication
a mechanism for encrypting messages in a GSM
network
the network sends random data to the cell phone
(RAND)
each cell phone is allocated a secret key (KI)
using RAND and KI and the A3 encryption
algorithm the cell phone generates a signed result
(SRES) which is then sent to the network.
a similar process takes place in the network which
generates a signed result specific to the cell phone.
the network compares its SRES with the SRES
generated by the phone and in case of a match the
cell phone is connected to the network.
TMSI-Key Based Security
is most used in a GSM cellular network.
a TMSI key provides a temporary identification to a
cell phone and is provided by the network upon
authentication .
a TMSI key keeps changing according to the
location of the cell phone, this way preventing
unauthorized access to a channel and preventing
an intruder from tracing location.
the mapping between IMSI and TMSI keys is
handled by the VLR.
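The challenge-response exchange and the TMSI assignment described above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for the A3/A8 algorithms (the slides do not specify them); the Sim, Network and attach names and the sample IMSI and Ki are constructed for illustration, and a new TMSI is issued on every successful authentication.

```python
import hashlib
import hmac
import secrets

# GSM field sizes: Ki and RAND are 128 bits, SRES is 32 bits, Kc is 64 bits.
RAND_LEN, SRES_LEN, KC_LEN, TMSI_LEN = 16, 4, 8, 4


def a3_a8(ki, rand):
    """ASSUMPTION: HMAC-SHA256 stands in for the operator's A3/A8 algorithms.
    Returns (SRES, Kc), both derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """Subscriber side: stores IMSI and Ki. Ki never leaves this object."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
        self.kc = self.tmsi = None

    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres  # only SRES is sent back over the air


class Network:
    """AuC (IMSI -> Ki) and VLR (TMSI -> IMSI, Kc) collapsed into one object."""

    def __init__(self):
        self.auc, self.vlr, self.pending = {}, {}, {}

    def challenge(self, imsi):
        rand = secrets.token_bytes(RAND_LEN)  # fresh RAND for every attempt
        self.pending[imsi] = a3_a8(self.auc[imsi], rand)
        return rand

    def verify(self, imsi, sres):
        expected, kc = self.pending.pop(imsi, (None, None))  # single use
        if expected is None or not hmac.compare_digest(expected, sres):
            return None
        # Replace any earlier TMSI so the old one stops resolving.
        self.vlr = {t: v for t, v in self.vlr.items() if v[0] != imsi}
        tmsi = secrets.token_bytes(TMSI_LEN)
        self.vlr[tmsi] = (imsi, kc)
        return tmsi


def attach(net, sim):
    """Run one authentication. Returns the over-the-air messages, or None."""
    rand = net.challenge(sim.imsi)
    sres = sim.respond(rand)
    tmsi = net.verify(sim.imsi, sres)
    if tmsi is None:
        return None
    sim.tmsi = tmsi
    return {"rand": rand, "sres": sres, "tmsi": tmsi}


# Constructed sample subscriber (not real values).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    net = Network()
    net.auc[IMSI] = KI
    sim = Sim(IMSI, KI)
    print("genuine SIM:", attach(net, sim))
    print("wrong Ki:   ", attach(net, Sim(IMSI, bytes(16))))
```

Only RAND, SRES and the TMSI appear in the returned messages; a captured SRES is useless against the next challenge because each RAND is fresh and each challenge is consumed once.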
GSM Applications
Mobile telephony
GSM-R
Telemetry System
- Fleet management
- Automatic meter reading
- Toll Collection
- Remote control and fault reporting of
DG sets
Value Added Services
General Packet Radio
Service (GPRS)
GPRS is another new transmission
capability for GSM that is especially
developed to accommodate for high-
bandwidth data traffic
GPRS will handle rates from 14.4Kbps
using just one TDMA slot, and up to
115Kbps and higher using all eight time
slots
It introduces packet switching - can
accommodate the data traffic
characteristics
GPRS Network architecture
[Figure: GPRS network architecture. New type of node: GPRS Service Node (GSN). Elements shown: BTS, BSC, MSC, VLR, HLR, AUC, EIR, SGSN, GGSN, PSTN, Outside Packet Network. Interfaces shown: Um, A-Bis, A, Gn, Gr, and the MAP interfaces B, C, D, E, F.]
BTS - Base Station
BSC - Base Station Controller
MSC - Mobile Switching Center
VLR - Visitor Location Register
HLR - Home Location Register
AUC - Authentication Center
EIR - Equipment Identity Register
SGSN - Service GPRS Support Node
GGSN - Gateway GPRS Support Node
Enhanced Data GSM
Environment (EDGE)
Packet switched
Upgrades the modulation scheme
From GMSK to 8-PSK
Maximum speed ~59 Kb/sec per time slot, ~473.6 Kb/sec for all 8 time
slots
Variable data rate – depending on the channel conditions
Defines several different classes of service and mobile terminals
[Figure: EDGE enabled data mobile]
Universal Mobile Telephone Service
(UMTS)
UMTS – 3G cellular service
Provides data rates up to 2Mb/sec
Possibly standardized as W-CDMA