CIS 6930 - Cellular and Mobile Network Security: CDMA/UMTS Air - - PowerPoint PPT Presentation

SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CIS 6930 - Cellular and Mobile Network Security: CDMA/UMTS Air Interface

Professor Patrick Traynor 10/11/2018

SLIDE 2

UMTS and CDMA

  • 3G technology - major change from GSM (TDMA)
  • Based on techniques originally employed by Verizon (IS-95)
  • Signal is encoded so that it can be recovered from “noise” (other signals)

SLIDE 3

New Considerations

  • Technology differences
    • Power control
    • Frequency re-use & handoffs
    • Number of users
    • Modulation (Phase Shift Keying)
  • Traffic differences
  • What is the primary difference between 2G and 3G?

SLIDE 4

Code Division Multiple Access

  • used in several wireless broadcast channels (cellular, satellite, etc) standards
  • unique “code” assigned to each user; i.e., code set partitioning
  • all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data
  • encoded signal = (original data) X (chipping sequence)
  • decoding: inner-product of encoded signal and chipping sequence
  • allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)

  • What does it mean for two vectors to be orthogonal?

SLIDE 5

CDMA Encode/Decode


[Figure: CDMA encode/decode for a single sender. Left, sender: the data bits d_0 = 1 (slot 0) and d_1 = -1 (slot 1) are multiplied chip by chip with the code c_1 ... c_M, giving the channel output for each slot

  $Z_{i,m} = d_i \cdot c_m$

Right, receiver: the received input for slot i is despread with the same code,

  $D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$

which recovers d_0 = 1 for slot 0 and d_1 = -1 for slot 1.]
SLIDE 6

CDMA: two-sender interface
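The spreading and despreading of slides 4 to 6, as an added example that is not part of the lecture: two senders share one channel using constructed 8-chip codes, and a deliberately non-orthogonal third code shows how another user's data leaks into the despread output.

```python
"""CDMA spreading and despreading for two senders sharing one channel.
Added example (not from the lecture). The 8-chip codes are constructed:
CODE_A and CODE_B have inner product 0, CODE_BAD is deliberately not
orthogonal to CODE_A, to show the interference the slides warn about."""
from typing import List

Chips = List[int]

CODE_A = [1, 1, 1, -1, 1, -1, -1, -1]    # constructed, M = 8 chips per bit
CODE_B = [1, -1, 1, 1, 1, 1, -1, 1]      # constructed; CODE_A . CODE_B = 0
CODE_BAD = [1, 1, 1, -1, 1, -1, -1, 1]   # constructed; CODE_A . CODE_BAD = 6

def inner(a: Chips, b: Chips) -> int:
    """Inner product of two chip sequences; 0 means orthogonal."""
    return sum(x * y for x, y in zip(a, b))

def spread(bits: List[int], code: Chips) -> List[Chips]:
    """Sender: Z[i][m] = d_i * c_m, one chip row per data bit (slot)."""
    return [[d * c for c in code] for d in bits]

def channel(*signals: List[Chips]) -> List[Chips]:
    """Air interface: the chips of all senders simply add in each slot."""
    return [[sum(chips) for chips in zip(*slot)] for slot in zip(*signals)]

def despread(received: List[Chips], code: Chips) -> List[float]:
    """Receiver: D_i = (1/M) * sum_m Z[i][m] * c_m using the sender's code."""
    m = len(code)
    return [inner(slot, code) / m for slot in received]

def hard_decision(values: List[float]) -> List[int]:
    """Map despread values back to +1/-1 data bits."""
    return [1 if v >= 0 else -1 for v in values]

def demo() -> dict:
    bits_a, bits_b = [1, -1], [-1, 1]
    # Orthogonal codes: each receiver recovers exactly its own sender's bits.
    rx = channel(spread(bits_a, CODE_A), spread(bits_b, CODE_B))
    # Non-orthogonal code: sender B leaks into A's output as D = d_A + (6/8)*d_B,
    # so the decision margin shrinks from 1.0 to 0.25 before any noise is added.
    rx_bad = channel(spread(bits_a, CODE_A), spread(bits_b, CODE_BAD))
    return {
        "a_from_orthogonal": despread(rx, CODE_A),
        "b_from_orthogonal": despread(rx, CODE_B),
        "a_with_interference": despread(rx_bad, CODE_A),
    }

if __name__ == "__main__":
    print(demo())
```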

SLIDE 7

CDMA Benefits

  • Higher capacity
    • interference limited = high efficiency
    • uses voice activity detection to reduce transmission bandwidth
  • Improved quality
    • soft handoff
    • CDMA has frequency, spatial, and time diversity to adapt to errors
  • Ease of deployment
    • no frequency planning; frequency reuse = 1
  • Increased talk time
    • power control ensures that the UE transmits at optimum power, resulting in longer battery life.

SLIDE 8

CDMA Privacy

  • Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA offer?
  • Ideally, you should get a 2^N search space...
  • Zhang et al. show that the IS-95 long code of 42 bits can be cracked by capturing 42 frames and solving 42 linear equations
    • Break takes approximately 840 ms.
  • What is the security implication?

SLIDE 9

Universal Mobile Telecommunications System: UMTS

  • Specifications:
    • Frequencies: 700, 850, 900, 1700, 1900, 2100 MHz (5 MHz channels) worldwide; FDD
    • Chipping codes: up to 512 bits
    • Power control: up to 1500x per second
    • Time division: 10 ms frames, 1 frame = 15 time slots
  • Borrows extensively from GSM protocols
  • Major changes:
    • CDMA Technology: Channel structure/handoffs/power control
    • Security -- increased use of cryptographic constructions
    • Data infrastructure

SLIDE 10

Entities: New names, old faces

  • UE = User Equipment
  • Node-B
  • RNC = Radio Network Controller


[Figure: GSM architecture (MS; BTS, BTS, BTS; BSC) beside its UMTS counterpart (UE; Node-B, Node-B, Node-B; RNC)]

SLIDE 11

Channels: Old & New


GSM:   BCCH  PCH  AGCH  SDCCH  TCH   RACH  SCH  CCCH
UMTS:  BCCH  PCH  AICH  DCCH   DTCH  RACH  SCH  CCCH

SLIDE 12

Channel Types

  • Logical: defines a logical task or use in the network
  • Transport: defines the way logical data is prepared
  • Physical: defines the actual channel (i.e. chipping code) used to transmit data

SLIDE 13

Logical Channels

  • Broadcast Control Channel (BCCH): Provides common information about the cell to UEs.
  • Paging Control Channel (PCCH): Provides information about incoming calls and how to listen for them.
  • Dedicated Control Channel (DCCH): A two-way assigned channel that carries control information to and from a single UE.
  • Common Control Channel (CCCH): A two-way shared channel that carries control information.
  • Dedicated Traffic Channel (DTCH): A two-way assigned channel that carries traffic to and from a single UE.

SLIDE 14

Transport Channels

  • Dedicated Transport Channel (DCH): Carries data to and from a specific UE
  • Broadcast Channel (BCH): Broadcasts network and cell information
  • Forward Access Channel (FACH): Carries control information to UEs for shared channels.
  • Random Access Channel (RACH): Carries channel requests to the network from the UE.
  • Paging Channel (PCH): Carries incoming call alerts.
  • Uplink Common Packet Channel (CPCH): Carries packet data to the network.
  • Downlink Shared Channel (DSCH): Carries packet data to the UE.

SLIDE 15

Physical Channels: Signaling

  • Forward (to UE):
    • Primary Common Control Physical Channel (PCCPCH): Carries the BCH
    • Secondary Common Control Physical Channel (SCCPCH): Carries the FACH and the PCH
    • Synchronization Channel (SCH): Synchronizes time with the network
    • Common Pilot Channel (CPICH): Informs the user of the Primary Scrambling Code (PSC)
    • Acquisition Indicator Channel (AICH): Used to carry dedicated channel assignments to UEs
    • Paging Indication Channel (PICH): Provides the UE with information about how pages are sent. This informs the UE how often to wake up and listen for pages.
  • Reverse (to Node-B):
    • Physical Random Access Channel (PRACH): Carries the RACH

SLIDE 16

Physical Channels: Traffic

  • Bi-Directional:
    • Dedicated Physical Data Channel (DPDCH): Carries a DCH
    • Dedicated Physical Control Channel (DPCCH): Carries control information (e.g., identifiers, power control)
  • Forward (to UE):
    • Physical Downlink Shared Channel (PDSCH): Carries packet data to a UE.
    • CPCH Status Indication Channel (CSICH): Indicates the status of the CPCH
    • Collision Detection/Channel Assignment Indication Channel (CD/CA-ICH): Indicates if data sent over the CPCH has been successfully received or if a collision occurred.
  • Reverse (to Node-B):
    • Physical Common Packet Channel (PCPCH): Carries the CPCH

SLIDE 17

How a connection is made

  • SCH
  • CPICH
  • PCCPCH


[Figure: Node-B / UE exchange with the steps Synchronize Time (SCH), Acquire cell information (PCCPCH), Acquire PSC (CPICH)]

SLIDE 18

How a call is sent/received

  • DPDCH (DCCH & DTCH) + DPCCH


[Figure: Node-B / UE exchange: Page sent over PCH (SCCPCH); Page response over RACH (PRACH); Chipping & scrambling code assigned (AICH); Authentication over DCCH (DPDCH + DPCCH); Call connect over DTCH (DPDCH + DPCCH)]

SLIDE 19

Mappings

  • Source: http://www.authorstream.com/Presentation/3627946-387767-wcdma-air-interface-fundamentals-science-technology-ppt-powerpoint/

SLIDE 20

Spreading Codes

  • Orthogonal Variable Spreading Factor (OVSF) vs scrambling codes
    • OVSF codes are typical chipping/spreading codes
    • Scrambling codes can be multiplied into OVSF codes to provide more user channels
  • Long vs. short codes
    • Uplink: code lengths up to 256 (+ 16.8 M scrambling codes)
    • Downlink: code lengths up to 512
  • Why are these numbers different?
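An added example (not the lecture's code and not any 3GPP implementation) of how OVSF codes are built and why assigning one code makes its ancestors and descendants unusable; the tree construction is the standard recursive doubling, and the (sf, index) key names are my own.

```python
"""OVSF (Orthogonal Variable Spreading Factor) code tree and the allocation
rule it implies. Added example, not from the lecture or any 3GPP code."""
from typing import Dict, List, Tuple

Code = List[int]
Key = Tuple[int, int]   # (spreading factor, index within that level)

def ovsf_tree(max_sf: int) -> Dict[Key, Code]:
    """Build every OVSF code with SF 1, 2, 4, ..., max_sf.
    C(1,0) = [1]; C(2n,2k) = C(n,k) || C(n,k); C(2n,2k+1) = C(n,k) || -C(n,k)."""
    tree: Dict[Key, Code] = {(1, 0): [1]}
    sf = 1
    while sf < max_sf:
        for k in range(sf):
            parent = tree[(sf, k)]
            tree[(2 * sf, 2 * k)] = parent + parent
            tree[(2 * sf, 2 * k + 1)] = parent + [-c for c in parent]
        sf *= 2
    return tree

def inner(a: Code, b: Code) -> int:
    """Inner product of two chip sequences; 0 means orthogonal."""
    return sum(x * y for x, y in zip(a, b))

def separable(a: Code, b: Code) -> bool:
    """Can two codes (possibly of different SF) carry data at the same time?
    The receiver integrates over one symbol of the *shorter* code, so the
    longer code must be orthogonal to it within every such window."""
    short, long_ = sorted((a, b), key=len)
    n = len(short)
    return all(inner(short, long_[i:i + n]) == 0 for i in range(0, len(long_), n))

def conflicts(tree: Dict[Key, Code], key: Key) -> List[Key]:
    """Codes that become unusable once `key` is assigned to a channel."""
    return sorted(k for k in tree if k != key and not separable(tree[key], tree[k]))

def related(a: Key, b: Key) -> bool:
    """True if a is an ancestor or a descendant of b in the tree."""
    (sf_a, k_a), (sf_b, k_b) = sorted((a, b))
    return sf_a < sf_b and k_b // (sf_b // sf_a) == k_a

if __name__ == "__main__":
    t = ovsf_tree(8)
    print(t[(4, 1)], conflicts(t, (4, 1)))
```

Codes at the same spreading factor are all mutually orthogonal, so the number of usable channels at SF n is at most n; the conflict list shows why a tree never yields more than that many simultaneous users even though it holds 2n - 1 codes.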

SLIDE 21

Power Control

  • CDMA provides optimal performance when all signals are received at approximately the same strength.
  • When a DTCH is assigned, the Node-B sends reports of the RSS (received signal strength) to the UE, alerting it at what power to transmit.
  • Power control commands sent up to 1500 times per second

SLIDE 22

Handoffs

  • 4 types: hard, soft, softer, network (2G/3G)
  • Soft handoff overview:
    • Frequency reuse = 1
    • UE will receive signal from multiple Node-Bs.
    • Extract signals of old and new tower simultaneously using different chipping codes.
    • Remain connected to old Node-B until re-registered with new Node-B
