Privateline.com: GSM (PCS in America)

GSM or PCS

Article written by John Scourias, with comments in maroon by Tom Farley


5.2. Mobility management

The Mobility Management layer (MM) is built on top of the RR layer (radio resources), and handles the functions that arise from the mobility of the subscriber, as well as the authentication and security aspects. Location management is concerned with the procedures that enable the system to know the current location of a powered-on mobile station so that incoming call routing can be completed.

5.2.1. Location updating

A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell. One extreme would be to page every cell in the network for each call, which is obviously a waste of radio bandwidth. The other extreme would be for the mobile to notify the system, via location updating messages, of its current location at the individual cell level. This would require paging messages to be sent to exactly one cell, but would be very wasteful due to the large number of location updating messages. A compromise solution used in GSM is to group cells into location areas. Updating messages are required when moving between location areas, and mobile stations are paged in the cells of their current location area.

In conventional cellular, location messages are sent to the exact cell a mobile is in.

To review, the VLR Data Base, or Visited or Visitor Location Register, contains all the data needed to communicate with the mobile switch. Levine says this data includes:

  • Equipment identity and authentication-related data
  • Last known Location Area (LA)
  • Power Class and other physical attributes of the mobile or handset
  • List of special services available to this subscriber
  • More data entered while engaged in a Call
  • Current cell
  • Encryption keys

The location updating procedures, and subsequent call routing, use the MSC and two location registers: the Home Location Register (HLR) and the Visitor Location Register (VLR). When a mobile station is switched on in a new location area, or it moves to a new location area or different operator's PLMN, it must register with the network to indicate its current location. In the normal case, a location update message is sent to the new MSC/VLR, which records the location area information, and then sends the location information to the subscriber's HLR. The information sent to the HLR is normally the SS7 address of the new VLR, although it may be a routing number. The reason a routing number is not normally assigned, even though it would reduce signalling, is that there is only a limited number of routing numbers available in the new MSC/VLR and they are allocated on demand for incoming calls. If the subscriber is entitled to service, the HLR sends a subset of the subscriber information, needed for call control, to the new MSC/VLR, and sends a message to the old MSC/VLR to cancel the old registration.

All of these abbreviations are covered on this page.

For reliability reasons, GSM also has a periodic location updating procedure. If an HLR or MSC/VLR fails, having every mobile re-register at once to bring the database back up to date would overload the network; instead, the database is rebuilt as location updating events occur. Whether periodic updating is enabled, and the time period between periodic updates, is controlled by the operator and is a trade-off between signalling traffic and speed of recovery. If a mobile does not register within the updating time period, it is deregistered.
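
The HLR/VLR exchange of the two preceding paragraphs, modelled as running code. This is an added example, not code from the article or from any network vendor: the class names, the profile fields, the 60-second periodic timer and the one-number roaming pool are assumptions, and the IMSI and phone numbers are constructed test data. It shows the HLR storing only a pointer to the serving VLR, the cancel message to the old VLR, the call-control subset of the profile being the only thing a VLR receives, roaming numbers allocated per incoming call from a small pool, and the implicit detach when a periodic update is missed.

```python
"""Model of GSM location updating between an HLR and two MSC/VLRs. Added example,
not taken from the article. Profile fields, timer value and pool size are
assumptions; IMSI and numbers are constructed test data."""

from dataclasses import dataclass


@dataclass
class Profile:
    imsi: str
    msisdn: str
    services: tuple = ("speech", "sms")
    billing_notes: str = "kept in the HLR"  # not needed for call control, never sent to a VLR


class HLR:
    """Home Location Register: the permanent record plus the address of the serving VLR."""

    def __init__(self, profiles):
        self._profiles = {p.imsi: p for p in profiles}
        self._serving = {}  # IMSI -> VLR object (stands in for the VLR's SS7 address)

    def update_location(self, imsi, new_vlr):
        """Returns the call-control subset of the profile, or None if service is refused."""
        profile = self._profiles.get(imsi)
        if profile is None:
            return None
        old_vlr = self._serving.get(imsi)
        if old_vlr is not None and old_vlr is not new_vlr:
            old_vlr.cancel_location(imsi)  # tear down the old registration
        self._serving[imsi] = new_vlr
        return {"msisdn": profile.msisdn, "services": profile.services}

    def serving_vlr(self, imsi):
        return self._serving.get(imsi)


class VLR:
    """Visitor Location Register co-located with an MSC."""

    def __init__(self, name, hlr, periodic_timeout, roaming_numbers):
        self.name, self._hlr = name, hlr
        self._timeout = periodic_timeout          # operator-chosen periodic update interval
        self._free_msrn = list(roaming_numbers)   # small pool, handed out per incoming call
        self.records = {}                         # IMSI -> {"lai", "last_update", profile subset}

    def location_update(self, imsi, lai, now):
        rec = self.records.get(imsi)
        if rec is not None and rec["lai"] == lai:
            rec["last_update"] = now              # periodic update inside the same location area
            return True
        data = self._hlr.update_location(imsi, self)
        if data is None:
            return False
        self.records[imsi] = {"lai": lai, "last_update": now, **data}
        return True

    def cancel_location(self, imsi):
        self.records.pop(imsi, None)

    def expire(self, now):
        """Implicit detach: deregister mobiles whose periodic update is overdue."""
        stale = [i for i, r in self.records.items() if now - r["last_update"] > self._timeout]
        for i in stale:
            del self.records[i]
        return stale

    def provide_roaming_number(self, imsi):
        """Allocate a roaming number for one incoming call; None if unknown or pool exhausted."""
        if imsi not in self.records or not self._free_msrn:
            return None
        return self._free_msrn.pop()

    def release_roaming_number(self, msrn):
        self._free_msrn.append(msrn)


def demo():
    imsi = "262011234567890"  # constructed
    hlr = HLR([Profile(imsi, "+49170000001")])
    vlr_a = VLR("MSC/VLR-A", hlr, periodic_timeout=60, roaming_numbers=["+4917099001"])
    vlr_b = VLR("MSC/VLR-B", hlr, periodic_timeout=60, roaming_numbers=["+4917099002"])
    out = {}
    out["power_on"] = vlr_a.location_update(imsi, "262-01-1001", now=0)
    out["unknown_refused"] = vlr_a.location_update("262019999999999", "262-01-1001", now=0)
    out["moved"] = vlr_b.location_update(imsi, "262-01-2001", now=30)
    out["hlr_points_to_b"] = hlr.serving_vlr(imsi) is vlr_b
    out["a_cancelled"] = imsi not in vlr_a.records
    out["billing_not_in_vlr"] = "billing_notes" not in vlr_b.records[imsi]
    msrn = vlr_b.provide_roaming_number(imsi)
    out["second_call_waits"] = vlr_b.provide_roaming_number(imsi) is None
    vlr_b.release_roaming_number(msrn)
    out["msrn_reusable"] = vlr_b.provide_roaming_number(imsi) == msrn
    vlr_b.release_roaming_number(msrn)
    vlr_b.location_update(imsi, "262-01-2001", now=80)  # periodic update, no HLR traffic
    out["alive_after_refresh"] = vlr_b.expire(now=120) == []
    out["deregistered"] = vlr_b.expire(now=200) == [imsi]
    return out
```

Run `demo()` to step through power-on, a refused unknown IMSI, a move between VLRs, two incoming-call roaming-number requests against a pool of one, a periodic refresh and the eventual implicit detach. The point of the tiny pool is the one the text makes: a roaming number is a scarce per-call resource, which is why the HLR stores the VLR address rather than a number.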

Figure 1. General architecture of a GSM network

A procedure related to location updating is the IMSI (International Mobile Subscriber Identity) attach and detach. A detach lets the network know that the mobile station is unreachable, and avoids having to needlessly allocate channels and send paging messages. An attach is similar to a location update, and informs the system that the mobile is reachable again. The activation of IMSI attach/detach is up to the operator on an individual cell basis.

5.2.2. Authentication and security

Since the radio medium can be accessed by anyone, authentication of users, to prove that they are who they claim to be, is a very important element of a mobile network. Authentication involves two functional entities, the SIM card in the mobile and the Authentication Center (AuC). Each subscriber is given a secret key (Ki), one copy of which is stored in the SIM card and the other in the AuC. During authentication, the network sends the mobile a random number (RAND) generated by the AuC. Both the SIM and the AuC then use the random number, in conjunction with the subscriber's secret key and an authentication algorithm called A3, to generate a signed response (SRES); the mobile returns its SRES over the air. If the value sent by the mobile is the same as the one calculated from the AuC's copy of the key, the subscriber is authenticated [16]. In practice the AuC does not take part in each exchange: it precomputes sets of (RAND, SRES, Kc) triplets and passes them to the serving MSC/VLR, which issues the challenge and does the comparison, so Ki itself never leaves the SIM or the AuC.
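
The challenge-response exchange just described, modelled end to end with both sides' messages. This is an added example written for this page, not code from the article or from any operator: the real A3 and A8 are operator-specific and were unpublished when the article was written, so a keyed HMAC-SHA256 truncated to GSM's output sizes (RAND 128 bits, SRES 32 bits, Kc 64 bits) stands in for both, and the IMSI and Ki are constructed. It shows a genuine SIM passing, the VLR never holding Ki, and the two failure cases Levine's quote further down this page discusses: a recorded SRES replayed against a fresh RAND, and a cloned handset with a guessed Ki.

```python
"""GSM challenge-response authentication, modelled end to end (added example).
HMAC-SHA256 stands in for the operator's A3/A8 (an assumption); sizes are GSM's."""
import hashlib
import hmac
import os

RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 4, 8


def a3(ki: bytes, rand: bytes) -> bytes:
    # Stand-in for A3 (assumption): a MAC of RAND under Ki, cut to 32 bits.
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8(ki: bytes, rand: bytes) -> bytes:
    # Stand-in for A8 (assumption): derives the 64-bit Kc from the same inputs.
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


class SIM:
    """Subscriber side: holds one copy of Ki and answers challenges."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        """Returns (SRES, Kc). Only SRES goes over the air; Kc stays in the handset."""
        return a3(self._ki, rand), a8(self._ki, rand)


class AuC:
    """Authentication Center: holds the other copy of Ki, which never leaves it."""

    def __init__(self, rng=os.urandom):
        self._ki: dict[str, bytes] = {}
        self._rng = rng

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        """A fresh (RAND, SRES, Kc) for the serving MSC/VLR. New RAND on every call."""
        rand = self._rng(RAND_BYTES)
        return rand, a3(self._ki[imsi], rand), a8(self._ki[imsi], rand)


class VLR:
    """Serving MSC/VLR: sends RAND, compares SRES, never sees Ki."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self.kc: dict[str, bytes] = {}  # Kc of subscribers that passed, ready for A5

    def authenticate(self, imsi: str, respond) -> bool:
        rand, expected_sres, kc = self._auc.triplet(imsi)
        sres = respond(rand)  # RAND out over the air, SRES back
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.kc[imsi] = kc
        return True


def demo(rng=os.urandom) -> dict[str, bool]:
    """Three attempts against one VLR: genuine SIM, replayed SRES, clone with a guessed Ki."""
    imsi = "262011234567890"                                # constructed test IMSI
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed test Ki
    auc = AuC(rng)
    auc.provision(imsi, ki)
    sim, vlr = SIM(imsi, ki), VLR(auc)

    # 1. Genuine SIM answers the live challenge; both ends end up with the same Kc.
    seen = {}

    def genuine_respond(rand):
        seen["sres"], seen["kc"] = sim.run_gsm_algorithm(rand)
        return seen["sres"]

    genuine = vlr.authenticate(imsi, genuine_respond)
    kc_agreed = vlr.kc.get(imsi) == seen["kc"]

    # 2. An eavesdropper recorded attempt 1 and replays its SRES. The VLR issues a
    #    different RAND this time, so the recorded answer no longer matches.
    replay = vlr.authenticate(imsi, lambda rand: seen["sres"])

    # 3. A cloned handset has the right IMSI but only a guess at Ki.
    clone = SIM(imsi, bytes(16))
    cloned = vlr.authenticate(imsi, lambda rand: clone.run_gsm_algorithm(rand)[0])

    return {"genuine": genuine, "kc_agreed": kc_agreed, "replay": replay, "clone": cloned}
```

`demo()` returns the outcome of each attempt. The structural point is where the key material sits: the VLR works only from triplets, so compromising a roaming network's VLR yields SRES/Kc pairs for challenges already issued but not the long-term Ki, which is why the comparison is done there rather than in the AuC.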

The same RAND and subscriber key are also used to compute the ciphering key (Kc) with an algorithm called A8. This ciphering key and the TDMA frame number are fed into the A5 algorithm to produce a 114-bit keystream that is XORed with the 114 data bits of a burst (the two 57-bit blocks); because the frame number changes for every burst, each burst is enciphered with a different keystream under the same Kc. Enciphering is optional in the sense that the network decides whether to switch it on for a connection, but channel coding, interleaving and TDMA framing are not a substitute for it: any receiver built to the GSM specification undoes them as a matter of course, so without A5 the traffic is readable by anyone with suitable receiving equipment.
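
The burst-level ciphering of the paragraph above, carried through with a real keystream generator. This is an added example, not code from the article: the register sizes, feedback taps, majority clocking, loading order and test vector follow the A5/1 description published by Briceno, Goldberg and Wagner in 1999 (A5 was still secret when the article was written), and the Kc, frame number and data bits are constructed test values. It shows the 114+114-bit keystream per frame, XOR ciphering and deciphering of one burst, and that a neighbouring frame number yields a different keystream.

```python
"""A5/1 keystream generation and GSM burst ciphering (added example).
Taps, clocking rule and test vector follow the 1999 Briceno/Goldberg/Wagner
description of A5/1; Kc, frame number and data bits here are constructed."""

# Masks (19, 22, 23 bits), clock-control bits, feedback taps and output bits of the three LFSRs.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1MID, R2MID, R3MID = 0x000100, 0x000400, 0x000400      # bits 8, 10, 10
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # 18,17,16,13 / 21,20 / 22,21,20,7
R1OUT, R2OUT, R3OUT = 0x040000, 0x200000, 0x400000      # high bit of each register

BURST_DATA_BITS = 114  # the two 57-bit halves of a normal burst


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one register left by one, feeding back the parity of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8:
            raise ValueError("Kc is 64 bits")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):            # load Kc, LSB of kc[0] first, every register clocked
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):            # load the 22-bit frame number, LSB first
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):           # 100 mixing clocks, output discarded
            self._clock()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock(self) -> None:
        """Majority clocking: a register advances only if its middle bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def bits(self, n: int) -> list[int]:
        out = []
        for _ in range(n):
            self._clock()
            out.append(_parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT) ^ _parity(self.r3 & R3OUT))
        return out


def a5_1_keystream(kc: bytes, frame: int) -> tuple[list[int], list[int]]:
    """Per-frame keystream: 114 bits for the downlink burst, then 114 for the uplink burst."""
    gen = A51(kc, frame)
    return gen.bits(BURST_DATA_BITS), gen.bits(BURST_DATA_BITS)


def cipher_burst(data_bits: list[int], keystream: list[int]) -> list[int]:
    """XOR the 114 data bits of a burst with the keystream; the same call deciphers."""
    if len(data_bits) != BURST_DATA_BITS or len(keystream) != BURST_DATA_BITS:
        raise ValueError("a burst carries exactly 114 data bits")
    return [d ^ k for d, k in zip(data_bits, keystream)]


def _pack(bits: list[int]) -> bytes:
    """Pack bits MSB-first into bytes, zero-padding the last byte."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)


def a5_1_selftest() -> bool:
    """Published test vector: Kc 1223456789ABCDEF, frame 0x134."""
    dl, ul = a5_1_keystream(bytes.fromhex("1223456789ABCDEF"), 0x134)
    return (_pack(dl) == bytes.fromhex("534EAA582FE8151AB6E1855A728C00")
            and _pack(ul) == bytes.fromhex("24FD35A35D5FB6526D32F906DF1AC0"))
```

`a5_1_selftest()` confirms the generator against the published vector before you trust it with anything else; `cipher_burst(cipher_burst(data, ks), ks)` returns `data`, and deciphering with the keystream of frame 0x135 does not. The frame number is the only thing that separates the keystreams of two bursts under one Kc, which is why the ciphering input is (Kc, frame number) rather than Kc alone.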

The AC or AuC is the Authentication Center, a secured database handling authentication and encryption keys. Authentication verifies a mobile customer with a challenge and reply routine. The network sends a randomly generated number to the mobile. The mobile then performs a calculation against it with a number it has stored and sends the result back. Only if the switch gets the number it expects does the call proceed. The AC stores all data needed to authenticate a call and to then encrypt both voice traffic and signaling messages.

The diagram and extended quote (in blue) below are from Professor Levine's excellent .pdf file on cellular and GSM. It shows just how complicated encryption is, but in the file he explains it quite well. Please download this 100 page .pdf file to learn more about GSM than I will ever know or be able to write about. Also, any wireless book Levine has written should get your careful consideration. (Note: you may have to read the document with Acrobat Reader 4.0 and not the latest version. 5.0 does not seem to be backward compatible with this file.)

Another level of security is performed on the mobile equipment itself, as opposed to the mobile subscriber. As mentioned earlier, each GSM terminal is identified by a unique International Mobile Equipment Identity (IMEI) number. A list of IMEIs in the network is stored in the Equipment Identity Register (EIR). The status returned in response to an IMEI query to the EIR is one of the following:

  • White-listed: The terminal is allowed to connect to the network.
  • Grey-listed: The terminal is under observation by the network for possible problems.
  • Black-listed: The terminal has either been reported stolen, or is not type approved (not an approved terminal type for a GSM network). The terminal is not allowed to connect to the network.

 

Link to Levine's GSM/PCS .pdf file

Authentication diagram

PCS-1900 authentication involves a two-way transaction. The base station transmits a random "challenge" number RAND (different value on each occasion when a call is to be connected or an authentication is to be performed for another reason) to the mobile set.

The mobile set performs a calculation using that number and an internal secret number and returns over the radio link the result of the computation SRES. The base system also knows what the correct result will be, and can reject the connection if the mobile cannot respond with the correct number. The algorithm used for the calculation is not published, but even if it is known to a criminal, the criminal cannot get the right answer without also knowing the internal secret number Ki as well.

Even if the entire radio link transaction is copied by a criminal, it will not permit imitation of the valid set, because the base system begins the next authentication with a different challenge value. This transaction also generates some other secret numbers which are used in subsequent transmissions for encryption of the data. Therefore, nobody can determine which TMSI was assigned to the MS, aside from not being able to "read" the coded speech or call processing data.

This process has proved to be technologically unbreachable in Europe, and there is no technological fraud similar to the major problem with analog cellular. There is still non-technological fraud, such as customers presenting false identity to get service but never paying their bill (subscription fraud).

The mathematical processes involved in DES and Lucifer encryption consist of two repeated operations. One is the permutation or rearrangement of the data bits. The other operation involves XOR (ring sum or modulo 2 sum) of the data bits with an encryption mask or key value. These operations are repeated a number of times (rounds) to thoroughly scramble the data, but they can be reversed by a person who knows both the algorithm and the secret key value.


privateline.com (http://www.privateline.com): West Sacramento, California, USA. A Tom Farley production