CS8601-Mobile Computing Department of CSE

UNIT II MOBILE TELECOMMUNICATION SYSTEM 9

Introduction to Cellular Systems - GSM – Services & Architecture – Protocols –
Connection Establishment – Frequency Allocation – Routing – Mobility Management –
Security – GPRS- UMTS – Architecture – Handover – Security

Introduction to Cellular systems

Cellular systems for mobile communication implement SDM. Base station covers a certain
transmission area (cell) Mobile stations communicate only via the base station.
Advantages of cell structures:
 higher capacity, higher number of users
 less transmission power
 more robust, decentralized
 base station deals with interference, transmission area etc. locally
Problems:
 fixed network needed for the base stations
 handover (changing from one cell to another) necessary
 interference with other cells
Cell sizes from some 100 m in cities to, e.g., 35 km on the country side (GSM) - even less for
higher frequencies.

Frequency Planning
To avoid interference between transmitters using the same frequencies, frequencies have to
be distributed.

St. Joseph’s College of Engineering Page 1

CS8601-Mobile Computing Department of CSE
Frequency Planning

3 Cell Cluster 7 Cell Cluster 3 Cell cluster with 3 sector antennas

GSM Services
GSM offers three basic types of services:

 Telephony services or teleservices

 Data services or bearer services
 Supplementary services

Teleservices
The abilities of a Bearer Service are used by a Teleservice to transport data. These services
are further transited in the following ways:

a. Voice Calls
The most basic Teleservice supported by GSM is telephony. This includes full-rate speech
at 13 kbps and emergency calls, where the nearest emergency-service provider is notified
by dialing three digits.

b. Videotext and Facsimile

Another group of teleservices includes Videotext access, Teletext transmission, Facsimile
alternate speech and Facsimile Group 3, Automatic Facsimile Group, 3 etc.

c. Short Text Messages

Short Messaging Service (SMS) service is a text messaging service that allows sending and

St. Joseph’s College of Engineering Page 2

CS8601-Mobile Computing Department of CSE
receiving text messages on your GSM mobile phone. In addition to simple text messages,
other text data including news, sports, financial, language, and location-based data can
also be transmitted.

Bearer Services
 Telecommunication services to transfer data between access points
 Specification of services up to the terminal interface (OSI layers 1-3)
 Different data rates for voice and data (original standard)
1. data service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 1200 bit/s
2. data service (packet switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 9600 bit/s
Data services or Bearer Services are used through a GSM phone to receive and send data
is the essential building block leading to widespread mobile Internet access and mobile
data transfer. GSM currently has a data transfer rate of 9.6k. New developments that will
push up data transfer rates for GSM users are HSCSD (high speed circuit switched data)
and GPRS (general packet radio service) are now available.

Supplementary Services
Supplementary services are additional services that are provided in addition to
teleservices and bearer services. These services include caller identification, call
forwarding, call waiting, multi-party conversations, and barring of outgoing
(international) calls, among others. A brief description of supplementary services is given
here:
 Conferencing : It allows a mobile subscriber to establish a multiparty conversation,
i.e., a simultaneous conversation between three or more subscribers to setup a
conference call. This service is only applicable to normal telephony.
 Call Waiting : This service notifies a mobile subscriber of an incoming call during a
conversation. The subscriber can answer, reject, or ignore the incoming call.
 Call Hold : This service allows a subscriber to put an incoming call on hold and
resume after a while. The call hold service is applicable to normal telephony.
 Call Forwarding : Call Forwarding is used to divert calls from the original recipient
to another number. It is normally set up by the subscriber himself. It can be used by
the subscriber to divert calls from the Mobile Station when the subscriber is not
available, and so to ensure that calls are not lost.
 Call Barring : Call Barring is useful to restrict certain types of outgoing calls such as
ISD or stop incoming calls from undesired numbers. Call barring is a flexible
service that enables the subscriber to conditionally bar calls.
 Closed User Groups (CUGs) : This service is meant for groups of subscribers who
wish to call only each other and no one else.

St. Joseph’s College of Engineering Page 3

CS8601-Mobile Computing Department of CSE
 Unstructured supplementary services data (USSD) : This allows operator-defined
individual services.
GSM Architecture
Three subsystems :
 Radio sub system (RSS),
 Network and switching subsystem (NSS)
 Operation subsystem (OSS)

Radio subsystem
It comprises all radio specific entities
Base transceiver station (BTS): A BTS comprises all radio equipment, i.e.,
antennas, signal processing, amplifiers necessary for radio transmission. A BTS
is usually placed in the center of a cell. Its transmitting power defines the size of
a cell.
Base station controller (BSC): The BSC basically manages the BTSs. The BSC
also multiplexes the radio channels onto the fixed network connections at the
A interface.
Mobile station (MS): The MS comprises all user equipment and software
needed for communication in GSM. It consists of user independent hard and
software and of the subscriber identity module (SIM). SIM card contains many
identifiers and tables such as card-type, serial number, a list of subscribed
services, a personal identity number (PIN), a PIN unblocking key (PUK), an
authentication key and the international mobile subscriber identity (IMSI).

St. Joseph’s College of Engineering Page 4

CS8601-Mobile Computing Department of CSE
The MS stores dynamic information such as the cipher key and the location
information consisting of a temporary mobile subscribers identity (TMSI) and
the location area identification (LAI).
Base station subsystem (BSS): A GSM network comprises many BSSs, each
controlled by a base station controller (BSC).
A interface is based on circuit-switched PCM whereas the O interface uses the
signaling system no.7 (SS7) based on X.25 carrying management data to/from the
RSS.
Network and switching subsystem: It consists of the following switches and
database
Mobile services switches center (MSC): MSCs are high-performance digital
ISDN switches. An MSC manages several BSCs in a geographical region. It can
also connect to public data network.
Gateway MSC (GMSC) is the interface between the mobile cellular network and
the PSTN. It is in charge of routing calls from the fixed network towards a GSM
user and vice versa.
Home location register (HLR): The HLR is the most important Database in a
GSM system as its stores all user-relevant information. This comprises static
information, such as the mobile subscriber ISDN number (MSISDN). It contains
Dynamic information like the current location area (LA) of the MS, the mobile
subscriber roaming number (MSRN), the current VLR and MSC.
Visitor location register (VLR): The VLR associated to each MSC is a dynamic
database which stores all important information needed for the MS users currently
in the LA associated to the MSC. VLR is similar to a cache, whereas HLR is the
persistent storage. The VLR contains selected administrative information borrowed
from the HLR, necessary for call control and provisioning. When a MS enters
the covering area of a new MSC, the VLR associated with this MSC will request
information from its corresponding HLR in the home network, so subscribers use
services without referring to the HLR.

Operation subsystem
It contains the necessary functions for network operation and maintenance. It is
also in charge of controlling the traffic load of the BSS.
Operation and maintenance center (OMC) : The OMC monitors and controls all
other network entities via the O interface (SS7 with X.25). OMCs use the concept of
telecommunication management network (TMN) as standardized by the ITU-T.
Authentication centre (AuC): is responsible for the authentication of a
subscriber. This is a protected database and stores a copy of the secret key
stored in each sub scriber's SIM card. These data help to verify the user's
identity.

St. Joseph’s College of Engineering Page 5

CS8601-Mobile Computing Department of CSE
Equipment identity register (EIR): The EIR is a database for all IMEIs, i.e., it stores
all device identification registered for this network. The EIR has a blacklist of stolen
(or locked) devices. The EIR also contains a list of malfunctioning devices
Radio interface
The Um interface is a kind of radio interface. It is responsible for
the communication between the mobile station and the BTS and provides the
interworking link between the mobile station and GSM system. Its physical connection is
achieved via the radio waves
GSM TDMA/FDMA

GSM Channel are divided into two types:

1. physical channels and

2. logical channels.

The Physical channels are determined by the timeslot, whereas the logical channels are
determined by the information carried within the physical channel.
The logical channels are further divided into
1.Traffic channels
2.Control(signaling) channels.

St. Joseph’s College of Engineering Page 6

CS8601-Mobile Computing Department of CSE

Traffic channels (TCHs):

 Traffic channels are intended to carry encoded speech and user data.Two types of
TCH
1.Full rate traffic channels at data rate of 22.8 Kb/s (TCH/F)
2.Half rate traffic channels at a data rate of 11.4 Kb/s (TCH/H)
 Speech channels are defined for both full rate and half rate traffic channels.
 Data channels support a variety of data rates (2.4, 4.8 and 9.6 Kb/s) on both half and

full rate traffic channels. The 9.6 Kb/s data rate is only for full rate application.
 The traffic channels(TCH) support two types of information rates Full rate (TCH/F)
and Half rate (TCH/H)
 When transmitted as full rate, the user data is occupied within TS per frame. When
transmitted as half rate, the user data is occupied into the same time slot but sent in
alternate frames.
 The 26th frame contains idle bits if full rate TCHs are used and contains SACCH
data if half rate TCHS are used
Full Rate TCH for data and speech channels:-
A. Full - rate Speech Channel )TCH/Fs): At 16 kbps the full rate speech channel is
digitized. The full rate speech channel caries 55.8kbps after adding the GSM channel
coding to the digitized speech.
B. Full-rate Data Channel for 9600 bps (TCH/F9.6): The full rate traffic data channel
contains raw data that is transmitted at 9.6 kbps. After the application of additional
forward error correction coding with the GSM standards, 9600 kbps is transferred at
22.8 kbps.

St. Joseph’s College of Engineering Page 7

CS8601-Mobile Computing Department of CSE
C. Full-rate Data Channel for 4500 bps(TCH/F4.8): The full rate traffic date channel
contains data that is transmitted at 4.8 Kbps. After the application of additional
forward error correction coding with GSM standards, the 4.8 kbps is transferred at
22.8 kbps.
D. Full Rate Data Channel for 2400 bps (TCH/F2.4): The full rate traffic data
channel contains raw data that is transmitted at 2.4 kbps. After the application of
additional forward error correction coding with GSM standards, the 2.4 kbps data is
transferred at 22.8 kbps.
Half Rate TCH for data and speech channels:
A. Half Rate Speech Channels (TCH/HS): The half rate speech channel can carry
digitized speech that is sampled at a rate half that of full rate channel. GSM
anticipates the availability of speech coders. It can digitize speech at about 6.5 kbps.
After adding GSM channel coding to the digitized speech, the half rate Speech
channel will carry 11.4 kbps.
B. Half Rate Data Channel for 4800 bps (TCH/H4.8): The half rate traffic data
channel carries raw data that is sent at 4800 bps. After the application of forward
error correction using GSM standards, 4800 bps data is sent at 11.4 kbps.
C Half Rate Data Channel for 2400 kbps (TCH/H 2.4): The half rate traffic data
channel carries raw user data that is sent at 2400 bps. After application of additional
forward error correction using GSM standards, 2400 bps data is sent to 11.4 bps.
Control Channel (CCH):
Control channels carry signaling information between an MS and a BTS.

Broadcast control channel:

 Broadcast control channels are transmitted in downlink direction only i.e. only transmitted
by BTS.
 The broadcast channels are used to broadcast synchronization and general network
information to all the MSs within a cell.
It has three types:
a. FREQUENCY CORRECTION CHANNEL (FCCH):
 Used for the frequency correction / synchronization of a mobile station.
 The repeated (every 10 sec) transmission of Frequency Bursts is called FCCH.

b. SYNCHRONISATION CHANNEL (SCH):

 Allows the mobile station to synchronize time wise with the BTS.
 Repeated broadcast (every 10 frames) of Synchronization Bursts is called (SCH).

c. BROADCAST CONTROL CHANNEL (BCH):

 The BROADCAST CONTROL CHANNEL (BCCH) is used to broadcast control information
to every MS within a cell.

St. Joseph’s College of Engineering Page 8

CS8601-Mobile Computing Department of CSE
 This information includes details of the control channel configuration used at the BTS, a list
of the BCCH carrier frequencies used at the neighboring BTSs and a number of parameters
that are used by the MS when accessing the BTS.

Common Control Channel:

The common control channels are used by an MS during the paging and access
procedures. Common control channels are of three types.

1.(PCH) PAGING CHANNEL:

Within certain time intervals the MS will listen to the Paging channel, PCH, to see if the
network wants to get in contact with the MS.
The reason could be an incoming call or an incoming Short Message.

2.(RACH) RANDOM ACCESS CHANNEL:

 If listening to the PCH, the MS will realize it is being paged.

 The MS answers, requesting a signaling channel, on the Random Access channel,
RACH.
 RACH can also be used if the MS wants to get in contact with the network, e/g.
when setting up a mobile originated call.
3.(AGCH) ACCESS GRANTED CHANNEL:

 The access grant channel (AGCH) is carried data which instructs the mobile to
operate in a particular physical channel (Time slot or ARFCN).
 It uses normal burst.
Dedicated Control Channels (DCCHs):

 Signaling information is carried between an MS and a BTS using associated and

dedicated control channels during or not during a call, They are of three types:
A. (SDCCH) STAND ALONE DEDICATED CONTROL CHANNEL:
 Non-urgent information, e.g. transmitter power control, is transmitted using the
slow associated control channel (SACCH).
 On the uplink MS sends averaged measurements on own base station (signal
strength and quality) and neighboring base stations (signal strength).
 On the downlink the MS receives system information, which transmitting power
and what timing advance to use. It is transmitted at 13thFrame of TCH. As seen,
SACCH is transmitted on both up-and downlink, point-to-point.
 It uses normal burst.
B. (SAACH)SLOW ASSOCIATED CONTROL CHANNEL:
 In some situations, signaling information must flow between a network and an MS
when a call is not in progress, e.g. during a location update.
 This could be accommodated by allocating either a full-rate or half-rate TCH and by
using either the SACCH or FACCH to carry the information.
C. (FACCH) FAST ASSOCIATED CONTROL CHANNEL:
 More urgent information, e.g. a handover command, is sent using time slots that are
'stolen' from the traffic channel.

St. Joseph’s College of Engineering Page 9

CS8601-Mobile Computing Department of CSE
 If, suddenly, during the conversation a handover must be performed the Fast
Associated Control channel, FACCH, is used.
 FACCH works in stealing mode, meaning that one 2. ms segment of speech is
exchanged for signaling information necessary for the handover.

PROTOCOL ARCHITECTURE OF GSM /Network Aspects of GSM

MS and MSC have five Protocol Layers whereas the BTS and BSC have only first three
Layers

LAYER 1 (PHYSICAL LAYER ) :-

It performs Radio specific functions ,Modulations, Encryption / Decryption of Data
, Channel Coding and Error Deduction / Correction, Voice Activity Deduction(VAD)
Radio specific functions are Creation of burst, Multiplexing of burst into a TDMA
frame, synchronization with the BTS.
Synchronization includes correction of individual path delay between an MS and the BTS.
Difference in Round Trip Time is an issue. An MS close to the BTS have very short RTT. It
requires Large Guard spaces. To reduce the Guard space adjustment is done via the
variable Timing Advance, where a burst can be shifted upto 63 bit Times earlier, with
each bit having a duration of 3ms.Physical layer at Um uses (GMSK) Gaussian Minimum
Shift Keying for Digital Modulation. Encryption is performed between MS and BTS over
the air interface.Channel Coding make use of different Forward Error Correction
Schemes(FEC) to add redundancy to the user data and to correct selected data.Voice
Activity Detection transmits voice data only when there is a voice signal. During Periods
of silence, the physical layer generates the Comfort Noise to fake a connection, but no
actual transmission takes place.

St. Joseph’s College of Engineering Page 10

CS8601-Mobile Computing Department of CSE
LAYER 2: LAPDM ( Link Access procedure for D-channel) protocol has been defined at
the Um interface for layer 2. It is the version of HDLC and it is a light weight LAPD as it
does not need synchronization flags or checksum for error deduction. LAPDm has to
obey the frame structure, recurrence pattern defined for Um interface. It provides
Reliable data transfer over connection , Re-sequencing of data frames ,Flow control
,Segmentation and reassembly of data ,Acknowledged / Unacknowledged data transfer

LAYER 3:NETWORK LAYER : It Comprises many sub layers, lowest sub layer is
Radio Resource Management(Rr). The main task of RR include Setup, Maintenance
and Release of Radio channels RR directly access the physical layer for Radio
information Offers a reliable connection to the next higher layer
RR’ : RR‘ is a part of this layer that is implemented in the BTS, and the rest is in the
BSC. The function of RR‘ are supported by the BSC via the BTS management (BTSM) .

LAYER 4: MOBILITY MANAGEMENT(MM): It contains functions for

 Registration ,Authentication ,Identification
 Location Updating and Provision of a Temporary Mobile Subscriber
 a reliable connection to the next higher layer

LAYER 5:CALL MANAGEMENT LAYER(CM) CM layer consist of 3 entities

 Short Message Service: SMS allows Message transfer using control channels SDCCH
and SACCH.
 Call Control (CC) : CC is used by higher layers for Call Establishment, Call
Clearing, Change of call parameter.CC layer provides functions to send in-
band tones , called
 Dual Tone Multiple Frequency (DTMF) over the GSM control. These tones are
used for remote control of answering machines ,entry of PINs for Electronic
Banking
 Supplementary Services (SS): These services offer various enhancements for the
standard telephone services. Typical services are User Identification ,Call
redirection, Forwarding of ongoing calls ,Closed user groups and Multiparty
Communication.

CALL ROUTING IN GSM

Steps in call routing of GSM :
 Digitizer and source coding: The user speech is digitized at 8 KHz sampling rate.
The encoder compresses these 160 samples into 260-bits GSM frames resulting in
one second of speech com- pressed into 1625 bytes and achieving a rate of 13
Kbits/sec.
 Channel coding: It introduces redundancy info with data for error detection
and correction.
 Interleaving: This step rearranges a group of bits in a particular way. This is to
improve the performance of the error-correction mechanisms. The interleaving
decreases the possibility of losing whole bursts during the transmission, by
dispersing the errors.

St. Joseph’s College of Engineering Page 11

CS8601-Mobile Computing Department of CSE
 Ciphering: Encrypts blocks of user data using a symmetric key shared by MS and the
BTS.
 Burst formatting: Adds some binary information to the ciphered block. This
additional information is used synchronization and equalization of the received data.
 Modulation: Gaussian Minimum Shift Keying (GMSK) is used to convert the binary
data into analog signal to fit the frequency and time requirements for the multiple
access rules. This signal is then radiated as radio wave over the a i r .
 Multipath and equalization: At the GSM frequency bands, radio waves reflect from
buildings, cars, hills, etc. So many reflected signals, which corrupt the information,
with different phases are received. An equalizer is can extract the ‘right’ signal
from the received signal. In order to extract the ‘right’ signal, the received signal is
passed through the inverse filter.
 Synchronization:. Frequency synchronization is necessary for frequency match in
FDMA. Time synchronization is necessary to identify the frame boundary and the
bits within the frame (in TDMA).When a mobile station moves further away, the
burst transmitted by this mobile may overlap with the timeslot of the adjacent
timeslot. To avoid such collisions, the Timing Advance technique is used. In this
technique, the frame is advanced in time so that this offsets the delay due to greater
distance. Using this technique and the triangulation of the intersection cell sites, the
location of a mobile station can be determined from within the network.

MOBILE TERMINATED CALL: (MTC)

The situation in which a station calls a mobile station (the calling station could be outside
the GSM network or another mobile station).
A user dials the phone number of a GSM subscriber PSTN forward the call setup to the
GMSC identifies the HLR for the subscriber and signals the call setup to the HLR
HLR requests an MSRN mobile station roaming number from the current VLR 5.& 6.After
receiving the MSRN(5) the HLR forwards the MSC responsible for the MS the GMSC
(6).7. The GMSC can now forward the call setup request to the MSC indicated.
From this point on, MSC is responsible for all further steps.
8& 9 MSC requests the current status of the MS from the VLR (8),reply (9)
MSC initiates paging in all cells for location area, LA, 10
All BTSs of all BSSs transmit this paging signal to the MSC (11).
13 If the MS answers (12 & 13), the VLR has to perform the security check
15 to 17 The VLR then signals to the MSC to setup a connection (15 – 17).

MOBILE ORIGINATED CALL

St. Joseph’s College of Engineering Page 12

CS8601-Mobile Computing Department of CSE

MOC simpler than MTC

The MS transmits the requests for a new connection (1). The BSS forwards the
request to the MSC (2).
The MSC then checks whether the user is allowed to setup a call with the
requested service (3 & 4) and checks the availability of the resources through the
GSM network and in to the PSTN.
MTC/MOC

St. Joseph’s College of Engineering Page 13

CS8601-Mobile Computing Department of CSE

MOBILITY MANAGEMENT / ROAMING

The Mobility Management (MM) function handles the functions that arise
from the mobility of the subscriber: especially the roaming, the location
management, and the authentication of the subscriber.
Location management is concerned with the procedures that enable the system
to know the current location of a powered-on mobile station so that the
incoming call routing can be completed.
When a mobile station is switched on in a new location area the subscriber
must register with the new network to indicate its current location.
 The first location update procedure is called the IMSI attach procedure
where the MS indicates its IMSI to the network.
 When a mobile station is powered off, it performs an IMSI detach
procedure in order to tell the network that it is no longer connected.
Normally, a location update message is sent to the new MSC/VLR, and then
sends it to HLR.
 If the mobile station is authenticated and authorized in the new
MSC/VLR, the subscriber's HLR cancels the registration of the mobile
station with the old MSC/VLR. The information sent to the HLR is
normally the SS7 address of the new VLR. HLR sends a subset of the
subscriber information needed for call control to the new MSC/VLR, and
cancels the old registration.

St. Joseph’s College of Engineering Page 14

CS8601-Mobile Computing Department of CSE
 The routing procedure begins with the GMSC querying the called
subscriber's HLR for an MSRN. The HLR typically stores only the SS7
address of the subscriber's current VLR. The VLR temporarily allocates an
MSRN from its pool for the call.
 This MSRN is returned to the HLR and back to the GMSC, which can then
route the call to the new MSC. At the new MSC, the IMSI corresponding to
the MSRN is looked up, and the mobile is paged in its current location area.
HLR is referred for incoming call; whereas VLR is referred for outgoing call.
Roaming is of two types : These are,
Horizontal Roaming: Horizontal Roaming is between two networks from
same family. For example, GSM to GSM roaming or GSM to UMTS
roaming.
Vertical Roaming: Vertical Roaming is between two networks from different
families. For example, GSM to CDMA roaming or GPRS to WiFi roaming.
Seamless roaming is Vertical Roaming without disruption of session.

HANDOVER
When the user moves away from a tower, the radio signal strength or the power of
the signal keeps reducing. This can result in change of the channel or cell. This
procedure of changing the resources is called handover. This procedure is
called `handoff' in North America.

Two reasons for Handover

The mobile station moves out of range of a BTS or a certain antenna of a BTS
respectively. The received signal level decreases continuously The error rate may
grow due to interference,
(MSC, BSC) may decide do Handover may due to load balancing.

The following figure shows four possible handover scenarios in GSM:

1. Intra – cell Handover: When transmission at a certain frequency is impossible the
BSC could then decide to change the carrier frequency.
2. Inter-cell, intra – BSC handover: The mobile station moves from one cell, to
another but stays within the control of the same BSC. The BSC then performs a
handover, assigns a new radio channel in the new cell and releases the old one.
3. Inter – BSC, intra –MSC handover: As a BSC only controls a limited number of
cells; GSM also has to perform handovers between cells controlled by different
BSCs. This handover then has to be controlled by the MSC.
4. Inter MSC Handover:A handover could be required between two cells belonging
to different MSCs. Now both MSCs perform the handover together.

St. Joseph’s College of Engineering Page 15

CS8601-Mobile Computing Department of CSE

Handover Procedure

GSM SECURITY & AUTHENTICATION

GSM offers several security services using confidential information stored in the
AUC(Authentication Centre) and individual SIM(Subscriber Identity Module)
Important security services are
 Authentication & Access Control: It does Authentication of valid user for
the SIM. The user need a secrete PIN to access the SIM. Subscriber authentication
is based on challenge response scheme
 Confidentiality : User related data is encrypted. BTS and MS apply encryption to
voice, data, and signaling. This confidentiality exists only between MS and BTS
and not end-to-end
 Anonymity :To provide user anonymity, all data is encrypted before
transmission, and user identifiers

St. Joseph’s College of Engineering Page 16

CS8601-Mobile Computing Department of CSE
which would reveal an identity are not used over the air. GSM
transmits a temporary identifier(TMSI),which is newly assigned by the VLR
after each location update.

ALGORITHMS USED
 A3 : For Authentication A5 : For EncryptionA8 : For Generation of a Cipher key
AUTHENTICATION: Any subscriber must be authenticated before using service from
GSM network. It is done at AUC
 Authentication is based on
 SIM-which stores the individual authentication key Ki ,User
identification IMSI and A3 – an algorithm used for authentication

 Authentication uses a CHALLENGE – RESPONSE METHOD

 The access control AC generates a random number RAND as challenge
 SIM with MS answer with SRES (signature response)as response
 The AUC performs the basic generation of random values RAND, signed
responses SRES, and cipher keys Kc for each IMSI, and then forwards this
information to the HLR,
 The current VLR requests the appropriate values for RAND, SRES, and Kc,
from the HLR for Authentication the VLR sends the random values RAND
to SIM
 Both sides, network and subscriber module ,perform the same operation with

St. Joseph’s College of Engineering Page 17

CS8601-Mobile Computing Department of CSE
RAND and the key Ki called A3

 The MS sends back the SRES generated by the SIM, the VLR can now compare
both values. If they are the same, the VLR accept the subscriber, otherwise the
subscriber is rejected.

DATA ENCRYPTION
 Encryption is done to ensure privacy and is done by applying the cipher key Kc. Kc
is generated using the individual key Ki and a random value by applying the
algorithm A8.
 The SIM in the MS and the network both calculate the same Kc, based on the
random value RAND. The key Kc itself is not transmitted over the air interface.MS
and BTS can now encrypt and decrypt data using the algorithm A5 and the cipher
key Kc.
 Kc should be a 64 bits key which is not very strong but at least a
good protection against simple eavesdropping.

GPRS Architecture and interfaces

GPRS uses the GSM architecture for voice. Its network nodes are called GPRS support
nodes (GSN). GSNs are responsible for the delivery and routing of data packets
between the mobile stations and PDN.

St. Joseph’s College of Engineering Page 18

CS8601-Mobile Computing Department of CSE

Serving GPRS Support Node (SGSN): (lllr to MSC) SGSN's tasks include packet
switching, routing, mobility management, logical link management, authentication and
charging. The location register of the SGSN stores location information (e.g., current
cell, current VLR). SGSN sends queries to HLR to obtain profile data of GPRS
subscribers. It is connected to the base station system with Frame Relay.
Gateway GPRS Support Node (GGSN): GGSN acts as an interface between the GPRS
backbone network and the external packet data networks. (lllr to that of a router in a
LAN). GGSN maintains routing information to tunnel the PDUs to the SGSNs. It
converts the GPRS packets coming from SGSN into appropriate packet data protocol
(PDP) format. So, GGSN stores the current SGSN address of the user and his or her
profile in its location register. It also does authentication and charging functions
related to data transfer.

GSM network elements to be enhanced to support packet data:

Base Station System (BSS): BSS system needs enhancement to recognize and send
packet data. This includes BTS upgrade to allow transportation of user data to the
SGSN. and support packet data transportation between the BTS and the MS
(Mobile Station) over the radio.

Home Location Register (HLR): It needs enhancement to register GPRS user profiles
and respond to queries from GSNs regarding profiles.
Mobile Station (MS): It is different from that of GSM.
SMS nodes: SMS-GMSCs and SMS-IWMSCs are upgraded 1.o support SMS transmission

St. Joseph’s College of Engineering Page 19

CS8601-Mobile Computing Department of CSE
via the SGSN. Optionally, the MSC/VLR can be enhanced for more efficient co-
ordination of GPRS and non-GPRS services and functionality.
Channel Coding: It is used to protect the transmitted data packets against errors.
Reliable coding scheme is used. In this scheme a data rate of 9.05 KBps is achieved
per time slot. Under good channel conditions, no encoding scheme , higher data rate
of 21.4 KBps per time slot.

GPRS PROTOCOL ARCHITECTURE

Signaling Plane
It uses the same protocols as GSM but with extension.
An enhanced MAP (Mobile Application Part) is a mobile network-specific extension
of the Signaling System SS7, used in GSM. It transports the signaling information
related to location updates, routing information and handovers.
The base station system application part (BSSAP) is an enhancement of GSM's BSSAP.
It is used to transfer signaling information between the SGSN and the VLR.

GPRS Backbone (Between GCSN and SGSN)

GTP protocol tunnels the user data packets through the GPRS backbone
with specific routing information. GTP packets carry the user's data
packets from both IP and X.25.
Below GTP, the standard TCP or UM' are used. TCP is used for X.25
UDP for IP data. Ethernet, ISDN, or ATM-based protocols are
lower layer protocols.

BSS-SGSN Interface
 Sub-Network Dependent Convergence Protocol (SNDCP): It is used to
transfer data packets between SGSN and MS. Its functionality includes:
Multiplexing, Segmentation, compression, and decompression of user
data.

 Logical Link Control (LLC): a protocol for GPRS which functions are

St. Joseph’s College of Engineering Page 20

CS8601-Mobile Computing Department of CSE
similar to LAPD.
 Base Station System GPRS Protocol (BSSGP): The BSSGP delivers routing
and QoS-related information between BSS and SGSN.

 Network Service : This layer manages the convergence sublayer that operates
between BSSGP and the Frame Relay Q922 Core by mapping.

Between MS and BSS

Data Link Layer: The data link layer between the MS and the BSS is divided into
three sublayers:
 Logical Link Control (LLC): It provides a reliable logical link between an MS
and its assigned SGSN. Its functionality includes sequence control, in-order
delivery, flow control, detection of errors, and retransmission ARQ, Encryption
acknowledged and unacknowledged data transmission modes. It is an improved
version of the LAPDm.
 Radio Link Control (RLC): It establishes a reliable link between the MS and
BSS. This includes the segmentation and reassembly of LLC frames into RLC data.
 Medium Access Control (MAC): It controls the access attempts of an MS on the
radio channel shared by several VISs. It employs algorithms for contention
resolution, multiuser multiplexing on a packet data traffic channel (PDTCH),
and scheduling and prioritizing based on the negotiated QoS.
Physical Layer : sublayers:
Physical Link Layer (PLL): This layer provides services for information transfer
over a physical channel between the MS and the network. These functions
include data unit framing, data coding, and the detection and correction of
physical medium transmission errors
Physical RF Layer (RFL): This layer performs the modulation of the
physical waveforms based on the sequence of bits received from the Physical
Link layer above. The Physical RF layer also demodulates.

GPRS NETWORK OPERATIONS

Once a GPRS mobile station is powered on, it 'introduces' itself to the network
by sending a ―GPRS attach request

Attachment and Detachment Procedure

MS must register itself with an SGSN of the network (i.e) a logical link between
the MS and the SGSN. The network checks if the MS is authorized to use the
services; if so, it copies the user profile from the HLR to the SGSN, and assigns
a Packet-TMSI to the MS.
Then, MS must apply for an address . This address is called PDP (Packet Data
Protocol) address. For each session, a PDP context is created. It contains the PDP
type, the address assigned, the requested QoS, and the address of the GGSN.

St. Joseph’s College of Engineering Page 21

CS8601-Mobile Computing Department of CSE
This context is stored in the MS, the SGSN and the GGSN. Now the MS is
'visible' to the external PDN.
 User data is transferred through GTP encapsulation and tunneling. User data can be
compressed and encrypted for efficiency and reliability. The allocation of the
PDP address can be static or dynamic. GGSN is responsible for the dynamic
PDP address assignment allocation

PDP context activation procedure

 activate PDP context request,' -MS informs the SGSN about the requested PDP

 context 'create PDP context request' – from SGSN to the GGSN if

authentication is successful.
 GGSN creates a new entry in its PDP context table to route between
SGSN and external PDN.
 create PDP context response' - GGSN returns confirmation to SGSN
with the PDP address
 activate PDP context accept'-SGSN updates its PDP table and confirms the
activation to MS.
The disconnection from the GPRS network is called GPRS detach. All the
resources are released following a GPRS detach. Detach process can be initiated
by the mobile station or by the network.

UMTS(Universal Mobile Telecommunication System)

St. Joseph’s College of Engineering Page 22

CS8601-Mobile Computing Department of CSE

UMTS Architecture
The public land mobile network (PLMN) described in UMTS Rel. '99 incorporates three
major categories of network elements:
 GSM phase 1/2 core network elements—Mobile services switching center (MSC),
visitor location register (VLR), home location register (HLR), authentication center
(AuC), and equipment identity register (EIR)
 GPRS network elements—Serving GPRS support node (SGSN) and gateway GPRS
support node (GGSN)
 UMTS-specific network elements—User equipment (UE) and UMTS terrestrial radio
access network (UTRAN) elements
UMTS system uses the same core network as the GPRS and uses entirely new radio
interface. ... The mobile terminal in UMTS is called User Equipment (UE). The UE is
connected to Node-B over high speed Uu (up to 2 Mbps) Interface. The UMTS core
network is based on the GSM/GPRS network topology. It provides the switching, routing,
transport, and database functions for user traffic. The core network contains circuit-
switched elements such as the MSC, VLR, and gateway MSC (GMSC). It also contains the
packet-switched elements SGSN and GGSN. The EIR, HLR, and AuC support both circuit-
and packet-switched data.
The Asynchronous Transfer Mode (ATM) is the data transmission method used within the
UMTS core network. ATM Adaptation Layer type 2 (AAL2) handles circuit-switched
connections. Packet connection protocol AAL5 is used for data delivery.

General Packet Radio System

The General Packet Radio System (GPRS) facilitates the transition from phase1/2 GSM
networks to 3G UMTS networks. The GPRS supplements GSM networks by enabling
packet switching and allowing direct access to external packet data networks (PDNs). Data
transmission rates above the 64 kbps limit of integrated services digital network (ISDN) are
a requirement for the enhanced services supported by UMTS networks. The GPRS
optimizes the core network for the transition to higher data rates. Therefore, the GPRS is a

St. Joseph’s College of Engineering Page 23

CS8601-Mobile Computing Department of CSE
prerequisite for the introduction of the UMTS.

UMTS Architecture

UMTS Terrestrial Radio Access Network

The major difference between GSM/GPRS networks and UMTS networks is in the
air interface transmission. Time division multiple access (TDMA) and freqency division
multiple access (FDMA) are used in GSM/GPRS networks. The air interface access method
for UMTS networks is wide-band code division multiple access (WCDMA), which has two
basic modes of operation: frequency division duplex (FDD) and time division duplex
(TDD). This new air interface access method requires a new radio access network (RAN)
called the UTMS terrestrial RAN (UTRAN). The core network requires minor
modifications to accommodate the UTRAN.
Two new network elements are introduced in the UTRAN: the radio network controller
(RNC) and Node B. The UTRAN contains multiple radio network systems (RNSs), and
each RNS is controlled by an RNC. The RNC connects to one or more Node B elements.
Each Node B can provide service to multiple cells.
The RNC in UMTS networks provides functions equivalent to the base station controller
(BSC) functions in GSM/GPRS networks. Node B in UMTS networks is equivalent to the
base transceiver station (BTS) in GSM/GPRS networks. In this way, the UMTS extends

St. Joseph’s College of Engineering Page 24

CS8601-Mobile Computing Department of CSE
existing GSM and GPRS networks, protecting the investment of mobile wireless operators.
It enables new services over existing interfaces such as A, Gb, and Abis, and new interfaces
that include the UTRAN interface between Node B and the RNC (Iub) and the UTRAN
interface between two RNCs (Iur).
The network elements of the UTRAN are shown below:

UTRAN Architecture

St. Joseph’s College of Engineering Page 25

CS8601-Mobile Computing Department of CSE
UTRAN Functions
Admission control
Congestion control
System information broadcasting
Radio channel encryption
Handover
SRNS moving
Radio network configuration
Channel quality measurements
Macro diversity
Radio carrier control
Radio resource control
Data transmission over the radio interface
Outer loop power control (FDD and TDD)
Channel coding
Access control

Radio Network Controller

The radio network controller (RNC) performs functions that are equivalent to the base
station controller (BSC) functions in GSM/GPRS networks. The RNC provides centralized
control of the Node B elements in its covering area. It handles protocol exchanges between
UTRAN interfaces (Iu, Iur, and Iub). Because the interfaces are ATM-based, the RNC
performs switching of ATM cells between the interfaces. Circuit-switched and packet-
switched data from the Iu-CS and Iu-PS interfaces are multiplexed together for
transmission over the Iur, Iub, and Uu interfaces to and from the user equipment (UE). The
RNC provides centralized operation and maintenance of the radio network system (RNS)
including access to an operations support system (OSS).
The RNC uses the Iur interface. There is no equivalent to manage radio resources in
GSM/GPRS networks. In GSM/GPRS networks, radio resource management is performed
in the core network. In UMTS networks, this function is distributed to the RNC, freeing the
core network for other functions. A single serving RNC manages serving control functions
such as connection to the UE, congestion control, and handover procedures. The functions
of the RNC include:
 Radio resource control
 Admission control
 Channel allocation
 Power control settings
 Handover control
 Macro diversity
 Ciphering
 Segmentation and reassembly
 Broadcast signaling
 Open loop power control

St. Joseph’s College of Engineering Page 26

CS8601-Mobile Computing Department of CSE

Node B

Node B is the radio transmission/reception unit for communication between radio cells.
Each Node B unit can provide service for one or more cells. A Node B unit can be
physically located with an existing GSM base transceiver station (BTS) to reduce costs of
UMTS implementation. Node B connects to the user equipment (UE) over the Uu radio
interface using wide-band code division multiple access (WCDMA). A single Node B unit
can support both frequency division duplex (FDD) and time division duplex (TDD) modes.
The Iub interface provides the connection between Node B and the RNC using
asynchronous transfer mode (ATM). Node B is the ATM termination point.
The main function of Node B is conversion of data on the Uu radio interface. This function
includes error correction and rate adaptation on the air interface. Node B monitors the
quality and strength of the connection and calculates the frame error rate, transmitting this
information to the RNC for processing. The functions of Node B include:
 Air interface transmission and reception
 Modulation and demodulation
 CDMA physical channel coding
 Micro diversity
 Error handling
 Closed loop power control
Node B also enables the UE to adjust its power using a technique called downlink
transmission power control. Predefined values for power control are derived from RNC
power control parameters.

UMTS User Equipment

The UMTS user equipment (UE) is the combination of the subscriber's mobile equipment
and the UMTS subscriber identity module (USIM). Similar to the SIM in GSM/GPRS
networks, the USIM is a card that inserts into the mobile equipment and identifies the
subscriber to the core network.
The USIM card has the same physical characteristics as the GSM/GPRS SIM card and
provides the following functions:
 Supports multiple user profiles on the USIM
 Updates USIM information over the air
 Provides security functions
 Provides user authentication
 Supports inclusion of payment methods
 Supports secure downloading of new applications
The UMTS standard places no restrictions on the functions that the UE can provide. Many
of the identity types for UE devices are taken directly from GSM specifications. These
identity types include:

St. Joseph’s College of Engineering Page 27

CS8601-Mobile Computing Department of CSE
 International Mobile Subscriber Identity (IMSI)
 Temporary Mobile Subscriber Identity (TMSI)
 Packet Temporary Mobile Subscriber Identity (P-TMSI)
 Temporary Logical Link Identity (TLLI)
 Mobile station ISDN (MSISDN)
 International Mobile Station Equipment Identity (IMEI)
 International Mobile Station Equipment Identity and Software Number (IMEISV)
The UMTS UE can operate in one of three modes of operation:
 PS/CS mode—The UE is attached to both the packet-switched (PS) and circuit-
switched (CS) domain, and the UE can simultaneously use PS and CS services.
 PS mode—The MS is attached to the PS domain and uses only PS services (but
allows CS-like services such as voice over IP [VoIP]).
 CS mode—The MS is attached to the CS domain and uses only CS services.
Support of Mobility

St. Joseph’s College of Engineering Page 28

CS8601-Mobile Computing Department of CSE
Handover

Handover Types

The above figure shows an overview of several common handover types in a combines
UMTS/GSM network.
i) Intra-node B, intra-RNC:

UE1 moves from one antenna of node B1 to another antenna. This type of
handover is called softer handover. In this case node B1 performs both
combining and splitting of data streams.

St. Joseph’s College of Engineering Page 29

CS8601-Mobile Computing Department of CSE
ii) Inter –node B, Intra-RNC:

UE2 moves from B1 to node B2.Herte RNC1 supports the soft handover
by combining and splitting of data.

iii) Inter-RNC:

 When UE3 moves from Node B2 to node B3 two different types of

hand over can take place.

 The internal inter-RNC handover which is not visible for the CN

(Corresponding Node).RNC1, can act as SRNC1,RNC2 will be the
DRNC(Drift RNC).The CN will communicate via the same
interface Iu all the time.

 As soon as a relocation of the interface Iu takes place the handover

is said to be an external inter-RNC handover.

 Communication is still handled by the same MSC1, but the external

handover.

iv) Inter –MSC:

MS2 takes over and performs a hard handover of the connection.

v) Inter-System:

UE4 moves from a 3G UMTS network into a 2G GSM network. This

handoff is termed as intersystem handoff.

UMTS Security
The security functions of UMTS are based on what was implemented in GSM. Some of the
security functions have been added and some existing have been improved. Encryption
algorithm is stronger and included in base station (NODE-B) to radio network controller
(RNC) interface , the application of authentication algorithms is stricter and subscriber
confidentially is tighter.

The main security elements that are from GSM:

 Authentication of subscribers
 Subscriber identity confidentially
 Subscriber Identity Module (SIM) to be removable from terminal hardware
 Radio interface encryption
Additional UMTS security features:

 Security against using false base stations with mutual authentication

 Encryption extended from air interface only to include Node-B to RNC connection

St. Joseph’s College of Engineering Page 30

CS8601-Mobile Computing Department of CSE
 Security data in the network will be protected in data storages and while
transmitting ciphering keys and authentication data in the system.

Mechanism for upgrading security features.

Core network traffic between RNCs, MSCs and other networks is not ciphered and operators can to
implement protections for their core network transmission links, but that is unlike to happen. MSCs
will have by design a lawful interception capabilities and access to Call Data Records (SDR), so all
switches will have to have security measures against unlawful access.

UMTS specification has five security feature groups:

 Network access security: the set of security features that provide users with secure access to 3G
services, and which in particular protect against attacks on the (radio) access link;

 Network domain security: the set of security features that enable nodes in the provider domain
to securely exchange signalling data, and protect against attacks on the wireline network;

 User domain security: the set of security features that secure access to mobile stations

 Application domain security: the set of security features that enable applications in the user and
in the provider domain to securely exchange messages.

 Visibility and configurability of security: the set of features that enables the user to inform
himself whether a security feature is in operation or not and whether the use and provision of
services should depend on the security feature.

TE: Terminal Equipment

USIM: User Service Identity Module
SN: Serving Network
HN: Home Network
MT: Mobile Termination
AN: Access Network

St. Joseph’s College of Engineering Page 31