CS 8803 - Cellular and Mobile Network Security: GSM - In Detail - - PowerPoint PPT Presentation

SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CS 8803 - Cellular and Mobile Network Security:

GSM - In Detail

Professor Patrick Traynor 10/2/18

SLIDE 2

Cellular Telecommunications

  • Architecture
  • Background
  • Air Interfaces
  • Network Protocols
  • Application: Messaging
  • Research

SLIDE 3

GSM

  • The Global System for Mobile Communications (GSM) is the de facto standard for wireless communications with well over 5 billion users.
  • As a comparison, there are approximately 1.5 billion Internet users.
  • The architectures of other networks are similar, so knowing how to “speak GSM” will get you a long way in this space.


SLIDE 4

Wireless Signaling and Control in GSM

  • Common Control Channel
    • Structure
    • Broadcast Channels
    • Channel Access from Mobile
    • Procedures and Messages for Call Control
  • Traffic Channel
    • Structure
    • Handoffs

SLIDE 5

GSM Control Functions

  • Read System Parameters
  • Register
  • Receive and Originate Calls
  • Manage Handoffs

SLIDE 6

GSM Structure

  • Common Control Channel (CCCH)
    • Used for control information: registration, paging, call origination/termination.
  • Traffic Channel (TCH)
    • Information transfer
    • in-call control (fast/slow associated control channels)

[Figure: Common Control Channel (CCCH) alongside a Traffic Channel (per user in a call), TCH (13 KBps)]

SLIDE 7

GSM TDMA Frames

  • TDMA Frame:

[Figure: one TDMA frame = Slot 0, Slot 1, ..., Slot 7; Frame: 4.615 msec. Frame 0, Frame 1, Frame 2, ..., Frame 50 form a 51 Multiframe: 235.365 msec]

SLIDE 8

From Frames to Channels

[Figure: slots 1 2 3 4 5 6 7 of each frame grouped into channels; Frame: 4.615 ms; 26 Multiframe: 120.00 ms]

SLIDE 9

GSM CCCH

  • Random Access Control Channel (RACH): Reverse (MS → BS)
  • Paging and Access Grant Channel (PAGCH): Forward (BS → MS); made up of PCH and AGCH
  • Broadcast Control Channel (BCCH): Forward (BS → MS)
  • Synchronization Channel (SCH): Forward (BS → MS)
  • Frequency Correction Channel (FCCH): Forward (BS → MS)

SLIDE 10

GSM CCCH Structure

  • TDMA Frame:

[Figure: one TDMA frame = Slot 0, Slot 1, ..., Slot 7; Frame: 4.615 msec. Frame 0, Frame 1, Frame 2, ..., Frame 50 form a 51 Multiframe: 235.365 msec]

  • Channel Name (Frame #), slot 0 of each frame across the 51 multiframe:

  Frame #   Downlink        Uplink
  0         FCCH            RACH
  1         SCH             RACH
  2-5       BCCH            RACH
  6-9       PAGCH           RACH
  10        FCCH            RACH
  11        SCH             RACH
  12-19     PAGCH           RACH
  20        FCCH            RACH
  21        SCH             RACH
  22-29     PAGCH           RACH
  30        FCCH            RACH
  31        SCH             RACH
  32-39     PAGCH           RACH
  40        FCCH            RACH
  41        SCH             RACH
  42-49     PAGCH           RACH
  50        I (idle)        RACH

  • CCCH/RACH always uses Slot 0 of each frame; the other seven slots are for TCH
  • TCH: 26 multi-frame repeats every 120 msec (13th and 16th frames are used by Slow Associated Control Channel (SACCH) or are idle)
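As an added example (not from the slides), the downlink slot-0 table above encoded in Python, so that any frame number and slot can be mapped to the channel it carries; the 4.615 ms frame period and the 51-frame layout are the slide's own, the function names are constructed here.

```python
# GSM frame timing from the slides: a TDMA frame lasts 4.615 ms and the
# CCCH (slot 0) layout repeats over 51 frames.
FRAME_MS = 4.615
CCCH_MULTIFRAME = 51

# Downlink slot-0 layout of the 51-multiframe, transcribed from the slide's
# table as (first frame, last frame, logical channel).
CCCH_LAYOUT = [
    (0, 0, "FCCH"), (1, 1, "SCH"), (2, 5, "BCCH"), (6, 9, "PAGCH"),
    (10, 10, "FCCH"), (11, 11, "SCH"), (12, 19, "PAGCH"),
    (20, 20, "FCCH"), (21, 21, "SCH"), (22, 29, "PAGCH"),
    (30, 30, "FCCH"), (31, 31, "SCH"), (32, 39, "PAGCH"),
    (40, 40, "FCCH"), (41, 41, "SCH"), (42, 49, "PAGCH"),
    (50, 50, "IDLE"),
]


def downlink_slot0_channel(frame_number):
    """Logical channel in slot 0 of the downlink for an absolute frame
    number; only its position inside the 51-multiframe matters."""
    pos = frame_number % CCCH_MULTIFRAME
    for first, last, name in CCCH_LAYOUT:
        if first <= pos <= last:
            return name
    raise RuntimeError("CCCH_LAYOUT must cover frames 0-50")


def channel_for(frame_number, slot, uplink):
    """Classify a burst by (frame, slot, direction): slot 0 is the CCCH,
    RACH on the uplink and the broadcast/paging mix on the downlink;
    slots 1-7 carry traffic channels."""
    if not 0 <= slot <= 7:
        raise ValueError("a GSM TDMA frame has slots 0-7")
    if slot != 0:
        return "TCH"
    return "RACH" if uplink else downlink_slot0_channel(frame_number)


def multiframe_ms(frames):
    """Duration of a multiframe of the given length (51 -> 235.365 ms)."""
    return round(frames * FRAME_MS, 3)


def next_fcch_wait_ms(frame_number):
    """Wait, in ms, from frame_number to the next FCCH burst: FCCH sits at
    frames 0,10,20,30,40, so the worst case (starting at 41) is 10 frames,
    about 46 ms, before a mobile can even begin frequency correction."""
    pos = frame_number % CCCH_MULTIFRAME
    for ahead in range(CCCH_MULTIFRAME):
        if downlink_slot0_channel(pos + ahead) == "FCCH":
            return round(ahead * FRAME_MS, 3)
```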

SLIDE 11

GSM: BCCH

  • Broadcast to all users on the CCCH
  • No addressing
  • Used to acquire system parameters, so mobile may operate with the system.
  • Key parameters (contained in RR SYSTEM INFORMATION MESSAGES):
    • RACH control parameters
    • cell channel descriptions (frequencies)
    • neighbor cells (frequencies)
    • cell id
    • Location Area ID (LAI)
    • Control Channel description

SLIDE 12

GSM: FCCH and SCH

  • Keeps system synchronization
    • What do you mean, synchronization?
  • Broadcasts Basestation ID
    • Why is this useful information?

SLIDE 13

GSM: Mobile Channel Access Procedures (RACH)

  • MS communicates with BS over RACH
    • Only initially, and must compete for this shared resource.
  • Feedback provided with AGCH
    • Points the user to a dedicated channel for real exchanges.
  • Functions:
    • Responses to paging messages
    • Location update (registration)
    • Call Origination

SLIDE 14

GSM: Paging Channel (PCH)

  • Used to send pages to mobile devices.
    • Notifications of incoming services (e.g., voice, data, SMS)
  • Done at regular intervals
    • Mobiles belong to a paging class
    • Allows the device to sleep, conserve power
  • More than 1 mobile paged at a time.

SLIDE 15

GSM: RACH and Slotted ALOHA (Layer 2)

  • Slotted ALOHA

Assumptions

  • all frames same size
  • time is divided into equal size slots, time to transmit 1 frame
  • nodes start to transmit frames only at beginning of slots
  • clocks are synchronized
  • if 2 or more nodes transmit in slot, all nodes detect collision

Operation

  • when node obtains fresh frame, it transmits in next slot
  • no collision, node successfully transmitted the frame
  • if collision, node retransmits frame in each subsequent slot with prob. p until success

SLIDE 16

GSM: More Slotted ALOHA

Pros

  • single active node can continuously transmit at full rate of channel
  • highly decentralized: only slots in nodes need to be in sync
  • simple

Cons

  • collisions, wasting slots
  • idle slots
  • nodes may be able to detect collision in less than time to transmit packet
  • clock synchronization

SLIDE 17

GSM: Slotted ALOHA Efficiency

  • Suppose N nodes with many frames to send, each transmits in slot with probability p
  • prob that node 1 has success in a slot $= p(1-p)^{N-1}$
  • prob that any node has a success $= Np(1-p)^{N-1}$
  • For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$
  • For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e = .37$

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel has maximum throughput of 37%!
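An added Python check of the efficiency derivation (not part of the original slides): it evaluates $Np(1-p)^{N-1}$, finds $p^* = 1/N$ both analytically and by grid search, takes N large to recover 1/e, and cross-checks the formula against a seeded Monte Carlo run of slotted ALOHA; all function names are constructed here.

```python
import math
import random


def success_prob(n, p):
    """Probability that a slot is a success, i.e. exactly one of N
    saturated nodes transmits: N p (1-p)^(N-1)."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need N >= 1 and 0 <= p <= 1")
    return n * p * (1.0 - p) ** (n - 1)


def optimal_p(n):
    """p* maximizing N p (1-p)^(N-1): the derivative vanishes when
    (1-p) - (N-1)p = 0, so p* = 1/N."""
    return 1.0 / n


def optimal_p_numeric(n, steps=10000):
    """Grid search for p*, independent of the calculus above."""
    best_p, best_val = 0.0, -1.0
    for i in range(1, steps):
        val = success_prob(n, i / steps)
        if val > best_val:
            best_p, best_val = i / steps, val
    return best_p


def max_efficiency(n):
    """Long-run fraction of successful slots with N nodes at p*,
    which is (1 - 1/N)^(N-1); it falls toward 1/e as N grows."""
    return success_prob(n, optimal_p(n))


def limit_efficiency():
    """The slide's limit for many nodes: 1/e, about 0.37."""
    return 1.0 / math.e


def simulate_success_fraction(n, p, slots=20000, seed=1):
    """Monte Carlo check: N saturated nodes each transmit with probability p
    in every slot; a slot succeeds only when exactly one node transmits."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots
```

With N = 50 contending mobiles and a fixed p = 0.1, success_prob drops below 5%, which is why the RACH persistence parameters are broadcast on the BCCH rather than hard-wired.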

SLIDE 18

GSM: RACH Procedures (Layer 2)

  • Mobile
    • sends assignment request with information
  • Basestation
    • sends back assignment with information echoed
  • Creates Radio Resource (RR) connection
    • “Standalone Dedicated Control Channel”
      • May be a physical channel
      • May be a traffic channel in signaling-only mode
      • May eventually be bandwidth stolen from TCH (associated control channel).

SLIDE 19

Basic Flow on Air Interface

[Figure: basic flow on the air interface: Alert phone of incoming activity → Request dedicated signaling channel → Signal → Release signaling channel]

SLIDE 20

GSM Signaling

  • Signaling in GSM occurs over the Radio Interface Layer 3 (RIL-3).
    • Technically layer 3, but debatable from an OSI perspective, as application-esque things happen here.
  • Control messages are handled by protocol control processes and include Call Control (CC), Mobility Management (MM), Radio Resource management (RR), Short Messaging Service management (SMS) and Supplementary Services management (SS).

SLIDE 21

GSM Signaling (cont)

  • CC
    • Call establishment, in-call signaling, tone signaling
  • MM (uses RR)
    • common: temporary ID maintenance (TMSI), authentication, de-registration
  • RR
    • Paging, handoffs, cipher mode
  • SMS
    • Text Messages
  • SS
    • Call waiting, call forwarding, group call

SLIDE 22

Time Out: Privacy?

  • With all of this signaling going over well-known channels, isn’t there a risk of user tracking/profiling?
    • Think about the PCH... what is transmitted here?


SLIDE 23

GSM Registration

  • Types
    • Power up and down
    • Location Area changes (mobility)
    • Periodic
  • User Privacy
    • Mobile device may transmit real address: International Mobile Subscriber Identity (IMSI)
    • Get back temporary id (TMSI)
      • Unique to a local area
    • Subsequent registrations use TMSI

SLIDE 24

GSM: Registration, High Level

[Figure: registration at a high level: Get SDCCH; RR connection established; Authenticate; Cipher; UpdateLocation; Release RR connection]

SLIDE 25

GSM Registration: Gory Details

  • More details on this “authentication” procedure soon...

[Figure: registration message sequence]
  • Get SDCCH
  • RR connection established
  • LOC UPD RQST
  • Authentication Request (RAND)
  • Authentication Response (SRES)
  • Cipher Mode
  • Cipher Mode Complete
  • LOC UPD ACC (TMSI Assigned)
  • TMSI RE-ALLOC Complete
  • Release RR connection

SLIDE 26

GSM: Call Termination (Receive a Call)

[Figure: call termination message sequence]
  • Page Request (TMSI)
  • Channel Request
  • Channel Assignment
  • Get SDCCH
  • SABM(Page Response)
  • UA(Page Response)
  • RR connection established
  • Authentication and Ciphering
  • SETUP
  • Call Confirmed
  • Assignment Command
  • Alert
  • Assignment Complete
  • Connect
  • Connect ACK

SLIDE 27

GSM: Call Origination

[Figure: call origination message sequence]
  • Channel Request
  • Channel Assignment
  • Get SDCCH
  • SABM(CM Service Req - Call Orig)
  • UA(CM Service Request - Call Orig)
  • RR connection established
  • Authentication and Ciphering
  • SETUP
  • Call Proceeding
  • Assignment Command
  • Alert
  • Assignment Complete
  • Connect
  • Connect ACK
  • RR connection release

SLIDE 28

GSM: Mobile Assisted Handoff (MAHO)

[Figure: MAHO message sequence among the mobile, Old BS, New BS and MSC: a series of Measurement Reports from the mobile, then Handoff Order, Handoff Access, Handoff Complete]

SLIDE 29

Measuring Mobility-Generated Load

  • How do we estimate the traffic load caused by handoffs?
  • Simplest mobility model - assume conservation of flow and random movements at constant velocity.
  • Rate of boundary crossings $= \frac{\rho v L}{\pi}$
    • $\rho$ = density of users, $v$ = velocity and $L$ is perimeter

SLIDE 30

Practice

  • Calculate the load at the VLR per second if each mobile creates an Update LA and creates a Reg Cancel.
  • Assume:
    • $L$ = 80 miles
    • $\rho$ = 150 users/mi²
    • $v$ = 45 miles/hour

SLIDE 31

Example

  • Boundary crossing rate: $\frac{150 \times 45 \times 80}{\pi} \times \frac{1\ \text{hour}}{3600\ \text{secs}} = 48$ crossings/sec
  • Load on VLR from mobility is 144 operations/sec:
    • updates (3): Update LA, Reg Cancel, Auth Info

SLIDE 32

Example, cont

  • Assume 3 calls/user/hour (1.5 in, 1.5 out on average)
    • for each incoming call there is one database query (MSRN)
  • $\rho$ = 150 users/mi², $L$ = 80 miles
    • each area contains 150 × (80/4)² = 60,000 users
    • $\lambda$ = 25 calls/second
  • Total Load
    • 25 queries/second (call related)
    • 144 updates/second (mobility related)
  • Conclusion
    • mobility substantially dominates the database load
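An added Python version of the worked load calculation from the last four slides (not the lecture's own code): it reproduces the ~48 crossings/sec, ~144 updates/sec and 25 queries/sec, and goes one step beyond the slides by solving for the location-area perimeter at which mobility-related and call-related load balance. The square location area of side L/4 is taken from the slide's 150 × (80/4)² figure; the function names are constructed here.

```python
import math

SECONDS_PER_HOUR = 3600


def boundary_crossings_per_sec(rho, v, perimeter):
    """Boundary-crossing rate rho*v*L/pi (crossings per hour for rho in
    users/mi^2, v in miles/hour, L in miles), converted to per second."""
    return rho * v * perimeter / math.pi / SECONDS_PER_HOUR


def mobility_updates_per_sec(rho, v, perimeter, ops_per_crossing=3):
    """VLR operations caused by mobility: each crossing costs an Update LA,
    a Reg Cancel and an Auth Info, i.e. the slide's 3 operations."""
    return ops_per_crossing * boundary_crossings_per_sec(rho, v, perimeter)


def users_in_area(rho, perimeter):
    """The slide treats the location area as a square of side L/4."""
    return rho * (perimeter / 4) ** 2


def call_queries_per_sec(rho, perimeter, incoming_calls_per_user_hour):
    """One MSRN database query per incoming call."""
    users = users_in_area(rho, perimeter)
    return users * incoming_calls_per_user_hour / SECONDS_PER_HOUR


def load_summary(rho=150, v=45, perimeter=80, incoming_calls_per_user_hour=1.5):
    """The slide's numbers: ~48 crossings/s, ~144 updates/s, 25 queries/s."""
    return {
        "crossings_per_sec": boundary_crossings_per_sec(rho, v, perimeter),
        "mobility_updates_per_sec": mobility_updates_per_sec(rho, v, perimeter),
        "call_queries_per_sec": call_queries_per_sec(
            rho, perimeter, incoming_calls_per_user_hour),
    }


def mobility_dominates(summary):
    return summary["mobility_updates_per_sec"] > summary["call_queries_per_sec"]


def breakeven_perimeter(v, incoming_calls_per_user_hour, ops_per_crossing=3):
    """Beyond the slide: mobility load grows with L, call load with L^2, so
    equating ops*rho*v*L/pi with rho*(L/4)^2*c (rho cancels) gives the
    perimeter at which the two loads are equal: L = 16*ops*v/(pi*c).
    Smaller areas are mobility-dominated, larger ones call-dominated."""
    return 16 * ops_per_crossing * v / (math.pi * incoming_calls_per_user_hour)
```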

SLIDE 33

GSM: Short Messaging Service

  • Bi-directional
  • Acknowledged Service
  • Store-and-Forward Service
  • 140 octets/160 characters (concatenation possible)
  • Uses SDCCH signaling channel
  • Two services - cell broadcast and point to point
    • Cell broadcast exists in the standards only at this time.
  • Three types - user specific, ME-specific, SIM-specific

SLIDE 34

GSM: SMS Examples - Mobile Termination

[Figure: SMS mobile termination: Page; Page Response; SMS Delivery]

SLIDE 35

GSM: SMS Examples - Mobile Termination

[Figure: SMS mobile termination in detail: Page; Page Response; CP-Data (RP-Data (SMS Delivery)); CP-ACK; CP-Data (RP-ACK); CP-ACK]

SLIDE 36

Other Air Interfaces

  • IS-54/IS-136/D-AMPS
    • digital, TDMA
  • IS-95
    • digital, CDMA
  • CDMA2000
    • “3G”
  • UMTS
    • W-CDMA
    • “3G”

SLIDE 37

IS-54/IS-136

  • First North American standards
    • Converted traffic channels (IS-54) and control channels (IS-136) to digital.
    • Phones could gracefully degrade to AMPS if neither of these networks were available.
  • IS-54 was the first to consider security.
    • Used the Cellular Message Encryption Algorithm (CMEA) to protect the control channel and Cellular Authentication, Voice Privacy and Encryption (CAVE) to protect voice.
    • Both algorithms later shown to be weak.

SLIDE 38

IS-95

  • Code Division Multiple Access (CDMA) Transmission
  • Similar call processing to GSM and IS-136
  • 1.23 MHz carriers, each with 65 sub-code channels
  • Operates in similar bands as AMPS/IS-136

SLIDE 39

Network Architecture: IS-95/CDMA2000

  • RNC/PCF
    • Performs frame-selection/power control
    • Terminates Radio Link Protocol w/ mobiles
    • Performs packet and burst control functions
  • PDSN
    • terminates PPP with clients
    • provides FA support for MIP-enabled Clients
  • AAA
    • Provides Authentication, Authorization and Accounting for Data users

[Figure: network elements: BS, BSC, MSC, HLR, VLR, RNC/PCF, PDSN, HA, AAA, with connections to the PSTN and the Internet]

  • BSC
    • Coordinates handoff for voice users
    • performs frame-selection/power control
  • MSC
    • call control and mobility management
    • interfaces to the PSTN for voice users
  • AAA
    • provides location management and AAA functions for voice users.