CIS 6930 - Cellular and Mobile Network Security: Cellular Networking - - PowerPoint PPT Presentation



SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CIS 6930 - Cellular and Mobile Network Security: Cellular Networking

Professor Patrick Traynor 9/18/2018

SLIDE 2

The Big Picture

Details create the big picture. -Sanford I. Weill

SLIDE 3

Overview

  • Evolution
  • Architecture
  • Air Interfaces
  • Network Protocols
  • Application: Messaging

SLIDE 4

Cellular Systems

  • Wireless Access
    • TDMA (IS-136, GSM)
    • CDMA (IS-95, CDMA2000)
    • WCDMA (UMTS)
  • Connection oriented networks for voice
    • PSTN (ISDN)
  • Packet overlay networks for data
    • General Packet Radio Service (GPRS) - GSM and UMTS
    • Evolution-Data Optimized (EVDO) - CDMA
      • Rebranded from “Evolution-Data Only”
  • Signaling protocols
    • Signaling System No. 7 (SS7) for voice and GPRS
    • IETF protocols for EVDO

SLIDE 5

Wireless Standards Evolution to 4G

[Figure: evolution chart, reconstructed as a list by generation]

  • 1G (analog): AMPS, TACS
  • 2G: IS-136 TDMA; GSM; IS-95-A / cdmaOne
  • 2.5G: GSM GPRS, HSCSD; IS-95-B / cdmaOne; CDMA2000 1xRTT (1.25 MHz)
  • 2.75G: GSM EDGE
  • 3G: WCDMA (UMTS); CDMA2000 1xEVDO (1.25 MHz); CDMA2000 3x (5 MHz)
  • 4G: LTE (1.4, 3, 5, 10, 15, 20 MHz carrier bandwidths); WiMAX
  • Spectrum noted on the chart: existing spectrum plus 700 MHz

SLIDE 6

Wireless Network Reference Architecture

[Figure: MS - BTS - BSC - MSC/VLR - PSTN/ISDN, with the HLR and AuC attached to the MSC; several BTSs per BSC and several BSCs per MSC]

  • MS: Mobile Station (the subscriber's handset)
  • BTS: Base Transceiver Station
  • BSC: Base Station Controller
  • MSC: Mobile Switching Center
  • HLR: Home Location Register
  • AuC: Authentication Center
  • VLR: Visitor Location Register

SLIDE 7

Basic Network Architecture

[Figure: MS - base stations - serving MSC/VLR - network - GMSC, with the HLR and SMSC reachable from the GMSC]

  • Gateway MSC (GMSC) receives incoming calls for phones.
  • Serving MSC assigned based on location.
  • HLR: permanent registry for service profiles, with a pointer to the serving VLR.
  • VLR: temporary repository for profile information, with a pointer to the SMSC.

SLIDE 8

Cellular Services

  • Automatic call delivery
    • find a user, deliver a call
  • IN-type services
    • e.g., call forwarding
  • Messaging
    • short message service
  • Connection oriented user data transfer
    • voice, fax, circuit-switched data
  • Packet Data
    • General Packet Radio Service (GPRS) - GSM and UMTS
    • Evolution-Data Optimized (EVDO) - CDMA

SLIDE 9

High Level Call Flow

  • Mobile user registers
    • Power up/down
    • Movement
    • Periodic
  • Call recipient located
    • Call routed to gateway or home MSC
    • Gateway MSC searches for the called mobile (via HLRs and VLRs)
    • Mobile user is paged (determines current base station)
  • Call delivered
  • Uses standard SS7 procedures

SLIDE 10

Delivering a Call

[Figure: call delivery across GMSC, HLR, VLR, serving MSC and base stations; the numbered message labels on the slide are listed below]

  1. Call placed to 404-894-2000.
  2. 404-894-2000 maps to HLR X.
  3. HLR X is asked: how do I deliver a call to User 222?
  4. The question is passed on to the VLR currently serving User 222.
  5. A temporary routing number, 999-xxx, is returned by the VLR.
  6. 999-xxx is passed back to the HLR.
  7. 999-xxx is passed back to the GMSC.
  8. Call to 999-xxx, i.e. to the serving MSC.
  9. Page.
  10. Call.
SLIDE 11

Protocols of Note

[Figure: MS - base stations - MSC/VLR - MSC - PSTN/ISDN, with the HLR attached to the core]

  • SS7 mobility management protocols: GSM-MAP, ANSI-41 MAP
  • Air interfaces: GSM, IS-136, IS-95, UMTS

SLIDE 12

Mobile Registration - High Level

[Sequence diagram; participants: BS, MSC, VLR, HLR, Old VLR, Old SMSC]

  • Update Location: mobile → BS → MSC → new VLR → HLR
  • Cancel Location: HLR → Old VLR
  • OK: HLR → new VLR

SLIDE 13

Mobile Call Delivery - High Level

[Sequence diagram; participants: Gateway MSC, HLR, VLR, MSC, BS]

  • Call Request → Gateway MSC
  • Request Routing Info: Gateway MSC → HLR → VLR
  • Routing Number: VLR → HLR → Gateway MSC
  • SS7 Call Delivery: Gateway MSC → serving MSC
  • Call Request, then Page: MSC → BS
  • Connect

SLIDE 14

Security Moment - Location Granularity

  • Commonly heard assertion: “The phone company knows exactly where all of their customers are located at every moment.”
  • Virtually all phones are equipped with some type of GPS resolution.
  • Is this true?
  • What are the security implications?
  • What services could be enabled?

SLIDE 15

Hierarchy of Location Information

[Figure: phone number → HLR (consulted by the GMSC and SMSC) → VLR (registration) → MSC (temporary routing number) → paging over the base stations]

  • Phone number: resolved at the HLR, which the GMSC and SMSC consult.
  • Registration: the HLR holds a pointer to the serving VLR; the VLR holds the serving MSC.
  • Temporary routing number: issued at the serving MSC for one call.
  • Paging: only paging over the base stations narrows the mobile down to a cell.
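The registration, call-delivery and location-hierarchy flows on the preceding slides, as an added example that is not part of the lecture: a toy Python model of the state the HLR, VLR and MSC each keep, and of what each one can say about a subscriber's location. The subscriber ID 222, the dialled number 404-894-2000, the 999-xxx routing numbers and all VLR/MSC/location-area/cell names are constructed to match the slide's labels; the real exchanges are GSM-MAP operations over SS7, which the functions here only approximate.

```python
"""Toy model of the HLR / VLR / MSC state behind registration and
mobile-terminated call delivery.  Added illustration, not from the lecture.
All identifiers (subscriber "222", MSISDN 404-894-2000, the 999-xxx routing
numbers, VLR/MSC/location-area/cell names) are constructed to match the
slide's labels; real networks carry these steps as GSM-MAP operations over
SS7, which are only approximated here."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MSC:
    """Serving switch: knows which cells form each location area (for paging)
    and hands out temporary routing numbers for incoming calls."""
    name: str
    cells_by_la: Dict[str, List[str]]
    routing: Dict[str, str] = field(default_factory=dict)   # routing number -> IMSI
    issued: int = 0

    def allocate_routing_number(self, imsi: str) -> str:
        """Temporary number (the slide's 999-xxx), valid for one call only."""
        self.issued += 1
        rn = f"999-{self.issued:03d}"
        self.routing[rn] = imsi
        return rn

    def page(self, la: str) -> List[str]:
        """A page is broadcast over every cell of the location area; only the
        mobile's answer reveals which cell it is actually in."""
        return list(self.cells_by_la[la])


@dataclass
class VLR:
    """Temporary repository for visitors: IMSI -> location area at this MSC."""
    name: str
    msc: MSC
    visitors: Dict[str, str] = field(default_factory=dict)


@dataclass
class HLR:
    """Permanent registry: service profile (MSISDN -> IMSI) and, per
    subscriber, a pointer to the VLR that currently serves them."""
    profiles: Dict[str, str]
    vlr_of: Dict[str, VLR] = field(default_factory=dict)


def update_location(hlr: HLR, imsi: str, new_vlr: VLR, la: str) -> Optional[str]:
    """Registration (power-up, movement, periodic): Update Location to the HLR,
    Cancel Location to the previous VLR.  Returns the cancelled VLR's name."""
    new_vlr.visitors[imsi] = la
    old = hlr.vlr_of.get(imsi)
    cancelled = None
    if old is not None and old is not new_vlr:
        old.visitors.pop(imsi, None)        # Cancel Location
        cancelled = old.name
    hlr.vlr_of[imsi] = new_vlr              # Update Location ... OK
    return cancelled


def deliver_call(hlr: HLR, msisdn: str) -> dict:
    """Gateway-MSC view of call delivery: dialled number -> HLR -> serving VLR
    -> temporary routing number -> SS7 call to the serving MSC -> page."""
    imsi = hlr.profiles[msisdn]                      # "how do I deliver a call to User 222?"
    vlr = hlr.vlr_of[imsi]                           # the HLR holds only a pointer to the VLR
    la = vlr.visitors[imsi]
    rn = vlr.msc.allocate_routing_number(imsi)       # VLR/MSC answer: 999-xxx
    return {"imsi": imsi, "vlr": vlr.name, "msc": vlr.msc.name,
            "routing_number": rn, "location_area": la,
            "paged_cells": vlr.msc.page(la)}         # call to 999-xxx, then page


def location_knowledge(hlr: HLR, msisdn: str) -> dict:
    """What each element knows without paging: the HLR knows a VLR, the VLR
    knows a location area, and nobody knows the cell until the mobile answers
    a page (the 'Security Moment' point about location granularity)."""
    imsi = hlr.profiles[msisdn]
    vlr = hlr.vlr_of[imsi]
    return {"HLR": vlr.name, "VLR": vlr.visitors[imsi], "cell": None}


def build_demo():
    """Constructed two-MSC network for the example."""
    msc_a = MSC("MSC-A", {"LA-1": ["cell-1", "cell-2"], "LA-2": ["cell-3"]})
    msc_b = MSC("MSC-B", {"LA-9": ["cell-7", "cell-8", "cell-9"]})
    hlr = HLR(profiles={"404-894-2000": "222"})
    return hlr, VLR("VLR-A", msc_a), VLR("VLR-B", msc_b)


if __name__ == "__main__":
    hlr, vlr_a, vlr_b = build_demo()
    update_location(hlr, "222", vlr_a, "LA-1")        # power-up registration
    print(deliver_call(hlr, "404-894-2000"))
    print("cancelled:", update_location(hlr, "222", vlr_b, "LA-9"))   # moved
    print(location_knowledge(hlr, "404-894-2000"))
```

The point to take from `location_knowledge` is the granularity argument of the Security Moment slide: in this model, as in the slides, the HLR never learns more than which VLR serves the subscriber, the VLR never learns more than a location area, and a cell-level fix exists only for the duration of a page; anyone who can query the HLR (an SS7-level attacker or a roaming partner) gets the coarse answer, not a GPS position.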

SLIDE 16

E911

  • Enhanced 911 (E911) transmits your GPS location to the nearest Public Safety Answering Point (PSAP).
  • This is how you always get the nearest 911 call center, regardless of where you are traveling in North America.
  • But what about the “Location On” vs. “E911 Only” options available on most phones?
    • “Location On” does not allow the phone company to constantly track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator).
  • The phone company simply cannot keep track of all the changes in location information at every moment!

SLIDE 17

Voice Path

  • This is under the assumption that the underlying network supports digital voice.
  • What does that mean?

[Figure: MS - BS - MSC (with VLR and HLR) - PSTN/ISDN; coded voice on the air interface, full-rate voice (64 kbps) from the MSC onward]

SLIDE 18

Analog vs Digital

  • Phone systems are generally classified as either analog or digital.
  • What exactly does that mean?
  • This is all about how data is represented and delivered through the network.
  • Analog is the translation of voice/sound into electrical impulses.
    • Pure waveform representations of sounds.
  • Digital is an approximation of this waveform, represented in 0s and 1s.

SLIDE 19

Analog vs Digital - Tradeoffs

  • Analog
    • Inexpensive - think cheap home phones
    • Bandwidth constrained - a very limited amount of data can be sent.
    • Security thoughts? (An unencrypted analog channel can be overheard by anyone with a receiver tuned to it.)
    • Noise - every link introduces noise, reducing clarity.
  • Digital
    • Expensive - relatively speaking
    • Improved voice clarity - the signal arrives exactly as approximated, since each hop regenerates bits rather than passing on accumulated noise.
    • What about quality?
    • Higher effective bandwidth - the data can be compressed.

SLIDE 20

Voice Encoding - GSM-FR/PCM/G.711

  • Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
  • 8 kHz samples (64 kbps) reduced to 13 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP): one 260-bit frame per 20 ms.
  • Converted back to 64 kbps at the MSC prior to Release 4.
  • Changes in the core towards “TrFO” (transcoder-free operation) for all-IP.

[Figure: sender side, 20 ms of speech (160 samples) → RPE-LTP encoder → 260-bit frame; receiver side, 260-bit frame → RPE-LTP decoder → 160 samples per 20 ms]

SLIDE 21

Air Interface Functions

  • Control
    • read system parameters
    • authenticate
    • update location
    • receive and originate calls
    • manage handoffs
  • Dedicated traffic
    • voice, data
  • Shared traffic
    • messaging, data, signaling

SLIDE 22

Wireless Access Basics

  • Frequency Division Multiple Access (FDMA):
    • Analog cellular - 1G
  • Time Division Multiple Access (TDMA):
    • IS-54, IS-136, GSM - 2G
    • GPRS - 2.5G
  • Code Division Multiple Access (CDMA):
    • IS-95 (cdmaOne) - 2G
    • IS-2000 (CDMA2000), WCDMA - 3G

SLIDE 23

FDD/TDD modes for Forward/Reverse Channels

  • Frequency Division Duplex (FDD)
    • Two distinct bands of frequency for each user (forward and reverse).
    • Frequency separation between forward and reverse is constant for all channels.
    • Reverse channel typically at a lower frequency than the forward channel (so that the mobile device can transmit at lower power).
  • Time Division Duplex (TDD)
    • Each duplex channel has a forward timeslot and a reverse timeslot for bidirectional communication.
    • Simplifies subscriber equipment.
    • Rigid timing required for time-slotting.

SLIDE 24

Background - AMPS

  • Advanced Mobile Phone System
    • Analog channels
    • Frequency Modulation (FM)
    • 1 channel per carrier (1 conversation)

[Figure: one FM conversation centered on carrier frequency f_c]

SLIDE 25

Background - TDMA

  • Combination of FDMA and TDMA
  • System operates within certain frequency bands
  • Within system bands:
    • many carrier frequencies are defined
    • each carrier is divided into timeslots
    • a channel is defined by a set of time slots on a carrier frequency
  • Forward (downlink) and reverse (uplink) channels use different carriers.
  • Information is digitally coded.

SLIDE 26

TDMA Overview

  • Co-channel interference
  • Inter-symbol interference
  • Capacity limited by the number of carriers and slots.

[Figure: the system bandwidth is divided by FDMA into carriers (one carrier = one channel), and each carrier is divided by TDMA into slots (one slot = one user)]

SLIDE 27

TDMA

  • A single carrier frequency is shared by several users.
  • Data transmission occurs in bursts, resulting in lower battery consumption.
  • High synchronization overhead is necessary because of burst transmissions.
  • Discontinuous transmission also makes handoffs simpler, since the mobile device can listen to other base stations during idle time slots.
  • Due to high transmission rates, inter-symbol interference is common and needs equalization.

SLIDE 28

GSM - Air Interface

  • Let’s get into the details of the most widely used air interface...
  • The GSM air interface supports:
    • Call origination and termination
    • Registration (location update and authentication)
    • SMS
    • Mobile assisted handoff
    • User confidentiality
    • Data confidentiality
    • Sleep mode

SLIDE 29

GSM Spectrum

  • 50 MHz in total (2 × 25 MHz)
  • Uplink and downlink split the bandwidth and use different frequencies (FDD)
    • Reverse channel (uplink): 890-915 MHz
    • Forward channel (downlink): 935-960 MHz
  • Carriers spaced 200 kHz apart
    • Why is this?

SLIDE 30

Frequency Assignments

  • FDMA/TDMA systems
    • Take advantage of frequency attenuation
    • Key: split the spectrum into a set of frequencies (channels) and reuse frequencies in distant cells. Requires careful frequency planning.
  • Fixed vs. dynamic allocation
    • Channels are typically assigned to cells in a fixed manner.
    • Fixed assignment is simple to implement, as base stations are independently and statically assigned their channels.
    • Dynamic channel assignment based on load is possible but is more complicated and requires real-time coordination between different base stations.

SLIDE 31

Frequency Reuse

[Figure: hexagonal cell layout with reuse factor F = 3; each color is a different set of carriers]

  • Cells typically modeled as hexagonal.
    • Circles result in overlaps; squares/triangles are possible but give a larger approximation error.
  • Each color represents a different set of carriers.
  • Reuse factor F = 3 shown.
  • For hexagonal cells: to find a co-channel cell, go i steps in one direction, turn 60° counter-clockwise and go j steps. The number of cells in the reuse cluster is then

$$F = i^2 + i \cdot j + j^2, \qquad i, j \in \{0, 1, 2, \ldots\},\ (i, j) \neq (0, 0)$$

  so F = 3 (i = j = 1), F = 4 (i = 2, j = 0) and F = 7 (i = 2, j = 1) are valid reuse patterns.

SLIDE 32

Example Capacity Calculation

  • Assume the system can use all frequencies.
  • System bandwidth = 50 MHz.
  • System uses FDD => bandwidth per direction = 25 MHz.
  • Carriers spaced at 200 kHz.
  • System capacity depends on reuse factor and cell size.

$$N_{carr} = \frac{B_{sys}}{B_{carrier}} = \frac{25\ \text{MHz}}{200\ \text{kHz}} = 125$$

SLIDE 33

Cell Capacity

$$N_{carr} = 125, \qquad N_{cell} = \left\lfloor \frac{N_{carr}}{F} \right\rfloor$$

  • F = 7: N_cell = ⌊125 / 7⌋ = 17 carriers per cell
    • 8 channels per carrier (TDMA)
    • 136 channels/cell (A_cell)
    • Each cell has a capacity of 136 simultaneous voice calls
  • F = 3: N_cell = ⌊125 / 3⌋ = 41 carriers per cell
    • 8 channels per carrier
    • 328 channels/cell

SLIDE 34

System Capacity

  • Network size = Z square miles
  • Cell size = C square miles
  • cells/network = Z/C
  • Channels/network, A_net:

$$A_{net} = A_{cell} \cdot \frac{Z}{C}$$

    • Z = 1000, C = 10, F = 7: A_net = 136 × 100 = 13,600
    • Z = 1000, C = 10, F = 3: A_net = 328 × 100 = 32,800
    • Z = 1000, C = 25, F = 7: A_net = 136 × 40 = 5,440
  • System capacity has a linear inverse relationship with cell size and frequency reuse patterns under ideal conditions.

SLIDE 35

Capacity and Blocking

  • Cellular systems rely on trunking to accommodate a large number of users with a limited number of channels.
  • Trunking exploits statistical multiplexing of large numbers of users (calls).
    • Think about lines at the bank.
  • The system is engineered with enough channels to handle the peak-hour offered load at the given maximum blocking rate.
    • Typically, blocking for new calls is maintained at below 1%.
  • To calculate blocking, we need to apply some queuing theory.

SLIDE 36

Performance: Blocking

  • A is the offered load in Erlangs: A = ρ = λ/µ.
  • Models an input (call) rate of λ, N trunks, and a mean holding time of µ⁻¹.

[Figure: birth-death chain with states 0, 1, 2, ..., N; arrivals at rate λ move one state to the right, departures at rate µ, 2µ, 3µ, ..., Nµ move one state to the left]

The blocking probability is the probability that all N trunks are busy (Erlang B):

$$p_B = p_N = \frac{A^N / N!}{\sum_{i=0}^{N} A^i / i!} = \frac{\rho^N / N!}{\sum_{i=0}^{N} \rho^i / i!}, \qquad A = \rho = \frac{\lambda}{\mu}$$

SLIDE 37

Cell Capacity Planning

  • Based on the spectrum allocation and frequency reuse pattern, calculate the number of channels available per cell.
  • Based on user density, calling and holding patterns, calculate the load per cell in Erlangs.
  • Use the Erlang B formula to calculate blocking given the load and number of channels.

SLIDE 38

Practice Problem

  • Consider a system with 8 MHz total bandwidth and carrier frequencies of 160 kHz. Each carrier supports 3 voice channels using TDMA. If the frequency reuse factor is F = 7 and the network covers 1,000 mi², determine the blocking probability on the air interface for a cell size of 1.0 mi², assuming that users make/receive a combined 3 calls/hour, calls last an average of 2.5 minutes, and there are 10 users/mi².

SLIDE 39

Work Through It!

  • 8 MHz total bandwidth = 4 MHz in each direction for full duplex (FDD).
  • 4 MHz / 160 kHz = 25 carriers; 25 carriers / 7 (reuse) = 3 carriers per cell (rounded down).
  • 3 carriers/cell × 3 channels/carrier = 9 channels per cell.
  • Load: ρ = λ/µ, i.e. call rate per cell times mean holding time; for a 1.0 mi² cell this is A = 1.25 Erlangs.
  • Use Erlang-B with N = 9, A = 1.25.

$$N_{carr} = \frac{4 \times 10^6}{160 \times 10^3} = 25\ \text{carriers}, \qquad \left\lfloor \frac{25}{7} \right\rfloor = 3\ \frac{\text{carriers}}{\text{cell}}, \qquad 3\ \frac{\text{carriers}}{\text{cell}} \times 3\ \frac{\text{channels}}{\text{carrier}} = 9\ \frac{\text{channels}}{\text{cell}}$$

$$\rho = \frac{\lambda}{\mu} = 10\ \frac{\text{users}}{\text{mi}^2} \times \text{Area}_{cell} \times 3\ \frac{\text{calls}}{\text{hour}} \times \frac{1\ \text{hour}}{60\ \text{min}} \times 2.5\ \frac{\text{min}}{\text{call}} = 1.25 \times \text{Area}_{cell} = 1.25\ \text{Erlangs} = A$$

SLIDE 40

Last Part

  • The probability of being struck by lightning = 3.57 × 10⁻⁶.
  • ...meaning that getting a busy signal in this network (5.88 × 10⁻⁶) is only about 1.6 times as likely as being struck by lightning: both are on the order of a few in a million.

$$p_B = p_N = \frac{A^N / N!}{\sum_{i=0}^{N} A^i / i!} = \frac{1.25^9 / 9!}{\dfrac{1.25^0}{0!} + \dfrac{1.25^1}{1!} + \cdots + \dfrac{1.25^9}{9!}} = 5.88 \times 10^{-6}$$
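The capacity-planning chain of the last few slides (reuse cluster size, carriers per cell, channels per cell and per network, offered load, Erlang-B blocking), carried through in code as an added example that is not from the lecture. The inputs are the slides' own numbers: the 50 MHz / 200 kHz / 8-slot system of the capacity slides and the 8 MHz practice problem; `channels_for_blocking` runs the calculation in the planning direction (channels needed for a target blocking rate, the "below 1%" figure from the trunking slide), which the slides describe but do not compute.

```python
"""Capacity and blocking calculations from the slides, carried through in
code.  Added example, not from the lecture; the inputs below are the slides'
own numbers (50 MHz / 200 kHz GSM-style system, and the 8 MHz practice
problem)."""


def cluster_size(i: int, j: int) -> int:
    """Hexagonal reuse cluster size F = i^2 + i*j + j^2 for integers
    i, j >= 0 (not both zero): F = 3 (1,1), F = 4 (2,0), F = 7 (2,1)."""
    if i < 0 or j < 0 or (i == 0 and j == 0):
        raise ValueError("i and j must be non-negative and not both zero")
    return i * i + i * j + j * j


def carriers(system_bw_hz: float, carrier_bw_hz: float, fdd: bool = True) -> int:
    """N_carr = B_sys / B_carrier.  With FDD half the system bandwidth is
    uplink and half downlink, so only half of it counts towards carriers."""
    usable = system_bw_hz / 2 if fdd else system_bw_hz
    return int(usable // carrier_bw_hz)


def channels_per_cell(n_carriers: int, reuse_f: int, slots_per_carrier: int) -> int:
    """A_cell = floor(N_carr / F) * (TDMA channels per carrier)."""
    return (n_carriers // reuse_f) * slots_per_carrier


def network_channels(a_cell: int, area_sq_mi: float, cell_sq_mi: float) -> int:
    """A_net = A_cell * Z / C  (Z = network area, C = cell area)."""
    return int(a_cell * area_sq_mi / cell_sq_mi)


def offered_load(users_per_sq_mi: float, cell_sq_mi: float,
                 calls_per_hour: float, hold_minutes: float) -> float:
    """A = lambda / mu in Erlangs: aggregate call rate per cell (per hour)
    times the mean holding time (in hours)."""
    lam = users_per_sq_mi * cell_sq_mi * calls_per_hour
    return lam * hold_minutes / 60.0


def erlang_b(n_channels: int, load: float) -> float:
    """Erlang-B blocking p_B = (A^N/N!) / sum_{i=0..N} A^i/i!, evaluated with
    the recursion B(k) = A*B(k-1) / (k + A*B(k-1)), B(0) = 1, which equals the
    closed form without overflowing factorials for large N."""
    b = 1.0
    for k in range(1, n_channels + 1):
        b = load * b / (k + load * b)
    return b


def channels_for_blocking(load: float, target: float) -> int:
    """Planning direction: the smallest N whose Erlang-B blocking is <= target."""
    n = 0
    while erlang_b(n, load) > target:
        n += 1
    return n


def practice_problem() -> dict:
    """The slide's practice problem: 8 MHz, 160 kHz carriers, 3 TDMA channels
    per carrier, F = 7, 1.0 mi^2 cells, 10 users/mi^2, 3 calls/hour, 2.5 min."""
    n_carr = carriers(8e6, 160e3)                       # 25 carriers
    n_chan = channels_per_cell(n_carr, 7, 3)             # 9 channels/cell
    load = offered_load(10, 1.0, 3, 2.5)                 # 1.25 Erlangs
    return {"carriers": n_carr, "channels_per_cell": n_chan, "load": load,
            "blocking": erlang_b(n_chan, load),
            "channels_needed_for_1pct": channels_for_blocking(load, 0.01)}


if __name__ == "__main__":
    # Capacity slides: 50 MHz system, FDD, 200 kHz carriers, 8 slots per carrier
    n = carriers(50e6, 200e3)
    for f in (cluster_size(2, 1), cluster_size(1, 1)):   # F = 7, F = 3
        a_cell = channels_per_cell(n, f, 8)
        print(f"F={f}: {a_cell} channels/cell, "
              f"{network_channels(a_cell, 1000, 10)} channels in 1000 mi^2 with 10 mi^2 cells")
    print(practice_problem())
```

With A = 1.25 Erlangs the 9-channel cell of the practice problem is far over-provisioned for a 1% blocking target: the recursion shows five channels would already do, which is the trade the capacity-planning slide leaves the planner to make between spectrum (larger F, fewer channels per cell) and blocking.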