The Um interface is the air interface for the GSM mobile telephone standard. It is the interface between the mobile station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog to the U interface of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also support GPRS packet-oriented communication.
The layers of GSM are initially defined in GSM 04.01 Section 7 and roughly follow the OSI model. Um is defined in the lower three layers of the model.
The Um physical layer is defined in the GSM 05.xx series of specifications, with the introduction and overview in GSM 05.01. For most channels, Um L1 transmits and receives 184-bit control frames or 260-bit vocoder frames over the radio interface in 148-bit bursts with one burst per timeslot. There are three sublayers:
On the physical channel, Um groups 26 TDMA frames together, with each frame carrying 114 information bits. This group of 26 TDMA frames, also called a multiframe, is 120 ms long.
GSM uses GMSK or 8PSK modulation with 1 bit per symbol, which produces a 13/48 MHz (270.833 kHz or 270.833 k symbols/second) symbol rate and a channel spacing of 200 kHz. Since adjacent channels overlap, the standard does not allow adjacent channels to be used in the same cell. The standard defines several bands ranging from 400 MHz to 1990 MHz. Uplink and downlink bands are generally separated by 45 or 50 MHz (at the low-frequency end of the GSM spectrum) and 85 or 90 MHz (at the high-frequency end of the GSM spectrum). Uplink/downlink channel pairs are identified by an index called the ARFCN. Within the BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0 designated as a Beacon Channel and always operated at constant power.
GSM has physical and logical channels. The logical channel is time-multiplexed into 8 timeslots, with each timeslot lasting for 0.577 ms and having 156.25 symbol periods. These 8 timeslots form a frame of 1,250 symbol periods. Channels are defined by the number and position of their corresponding burst period. The capacity associated with a single timeslot on a single ARFCN is called a physical channel (PCH) and referred to as "CnTm" where n is a carrier index and m is a timeslot index (0-7).
Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble (or training sequence). The lengths of these fields vary with the burst type but the total burst length is 156.25 symbol periods. The most commonly used burst is the Normal Burst (NB). The fields of the NB are:
Field | Tail bits | Payload | Stealing bit | Midamble | Stealing bit | Payload | Tail bits | Guard period |
---|---|---|---|---|---|---|---|---|
Length (symbol periods) | 3 | 57 | 1 | 26 | 1 | 57 | 3 | 8.25 |
There are several other burst formats, though. Bursts that require higher processing gain for signal acquisition have longer midambles. The random access burst (RACH) has an extended guard period to allow it to be transmitted with incomplete timing acquisition. Burst formats are described in GSM 05.02 Section 5.2.
Each physical channel is time-multiplexed into multiple logical channels according to the rules of GSM 05.02. One logical channel consists of 8 burst periods (or physical channels), which together are called a frame. Traffic channel multiplexing follows a 26-frame (0.12 second) cycle called a "multiframe". Control channels follow a 51-frame multiframe cycle. The C0T0 physical channel carries the SCH, which encodes the timing state of the BTS to facilitate synchronization to the TDMA pattern.
GSM timing is driven by the serving BTS through the SCH and FCCH. All clocks in the handset, including the symbol clock and local oscillator, are slaved to signals received from the BTS, as described in GSM 05.10. BTSs in the GSM network can be asynchronous and all timing requirements in the GSM standard can be derived from a stratum-3 OCXO.
The coding sublayer provides forward error correction. As a general rule, each GSM channel uses a block parity code (usually a Fire code), a rate-1/2, 4th-order convolutional code and a 4-burst or 8-burst interleaver. Notable exceptions are the synchronization channel (SCH) and random access channel (RACH) that use single-burst transmissions and thus have no interleavers. For speech channels, vocoder bits are sorted into importance classes with different degrees of encoding protection applied to each class (GSM 05.03).
Both 260-bit vocoder frames and 184-bit L2 control frames are coded into 456 bit L1 frames. On channels with 4-burst interleaving (BCCH, CCCH, SDCCH, SACCH), these 456 bits are interleaved into 4 radio bursts with 114 payload bits per burst. On channels with 8-burst interleaving (TCH, FACCH), these 456 bits are interleaved over 8 radio bursts so that each radio burst carries 57 bits from the current L1 frame and 57 bits from the previous L1 frame. Interleaving algorithms for the most common traffic and control channels are described in GSM 05.03 Sections 3.1.3, 3.2.3 and 4.1.4.
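The 4-burst case above can be worked through in code, together with the Normal Burst layout from the field table. This is an added example, not code from the original article; the index formula in `position` is an assumption taken from the 4-burst rule of GSM 05.03, and the midamble is a constructed placeholder rather than a real training sequence.

```python
"""Added example: 4-burst block interleaving and Normal Burst layout."""

FRAME_BITS = 456          # one coded L1 frame
PAYLOAD_BITS = 114        # payload bits carried by one burst
TAIL = [0, 0, 0]
# Constructed placeholder; real bursts carry one of the GSM training sequences.
MIDAMBLE = [0, 1] * 13


def position(k):
    """Coded bit k -> (burst index, payload index); formula assumed from GSM 05.03."""
    return k % 4, 2 * ((49 * k) % 57) + ((k % 8) // 4)


def interleave(frame):
    """Spread one 456-bit L1 frame over four 114-bit burst payloads."""
    if len(frame) != FRAME_BITS:
        raise ValueError("an L1 frame is 456 bits")
    payloads = [[None] * PAYLOAD_BITS for _ in range(4)]
    for k, bit in enumerate(frame):
        b, j = position(k)
        payloads[b][j] = bit
    return payloads


def deinterleave(payloads):
    """Rebuild the frame; a lost burst (None) leaves None erasures in its place."""
    frame = []
    for k in range(FRAME_BITS):
        b, j = position(k)
        frame.append(None if payloads[b] is None else payloads[b][j])
    return frame


def build_normal_burst(payload, steal=(0, 0)):
    """Lay 114 payload bits into the 148 transmitted bits of a Normal Burst."""
    if len(payload) != PAYLOAD_BITS:
        raise ValueError("a burst payload is 114 bits")
    return (TAIL + payload[:57] + [steal[0]] + MIDAMBLE
            + [steal[1]] + payload[57:] + TAIL)


def parse_normal_burst(burst):
    """Split a 148-bit Normal Burst into fields (the guard period carries no bits)."""
    if len(burst) != 148:
        raise ValueError("a Normal Burst carries 148 bits")
    return {"payload": burst[3:60] + burst[88:145],
            "steal": (burst[60], burst[87]),
            "midamble": burst[61:87]}


def longest_erasure_run(frame):
    """Length of the longest run of consecutive erased (None) bits."""
    longest = run = 0
    for bit in frame:
        run = run + 1 if bit is None else 0
        longest = max(longest, run)
    return longest


def demo():
    # Constructed 456-bit frame; any bit pattern works.
    frame = [(k * k + k // 3) % 2 for k in range(FRAME_BITS)]
    bursts = [build_normal_burst(p) for p in interleave(frame)]
    received = [parse_normal_burst(b)["payload"] for b in bursts]
    received[2] = None                      # burst 2 lost to a fade
    return frame, deinterleave(received)


if __name__ == "__main__":
    original, damaged = demo()
    print("erased bits:", damaged.count(None))
    print("longest erasure run:", longest_erasure_run(damaged))
```

Losing one whole burst erases 114 of the 456 coded bits, but never two adjacent ones, which is the condition under which the convolutional decoder can still recover the frame.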
The Um data link layer, LAPDm, is defined in GSM 04.05 and 04.06. LAPDm is the mobile analog to ISDN's LAPD.
The Um network layer is defined in GSM 04.07 and 04.08 and has three sublayers. A subscriber terminal must establish a connection in each sublayer before accessing the next higher sublayer.
The access order is RR, MM, CC. The release order is the reverse of that. Note that none of these sublayers terminate in the BTS itself. The standard GSM BTS operates only in layers 1 and 2.
Um logical channel types are outlined in GSM 04.03. Broadly speaking, non-GPRS Um logical channels fall into three categories: traffic channels, dedicated control channels and non-dedicated control channels.
These point-to-point channels correspond to the ISDN B channel and are referred to as Bm channels. Traffic channels use 8-burst(Break) diagonal interleaving with a new block starting on every fourth burst and any given burst containing bits from two different traffic frames. This interleaving pattern makes the TCH robust against single-burst fades since the loss of a single burst destroys only 1/8 of the frame's channel bits. The coding of a traffic channel is dependent on the traffic or vocoder type employed, with most coders capable of overcoming single-burst losses. All traffic channels use a 26-multiframe TDMA structure.
A GSM full rate channel uses 24 frames out of a 26-multiframe. The channel bit rate of a full-rate GSM channel is 22.7 kbit/s, although the actual payload data rate is 9.6-14 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.10 Full Rate, GSM 06.60 Enhanced Full Rate or GSM 06.90 Adaptive Multi-Rate speech codec. It can also be used for fax and Circuit Switched Data.
A GSM half rate channel uses 12 frames out of a 26-multiframe. The channel bit rate of a half-rate GSM channel is 11.4 kbit/s, although the actual data capacity is 4.8-7 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.20 Half Rate or GSM 06.90 Adaptive Multi-Rate speech codec.
These point-to-point channels correspond to the ISDN D channel and are referred to as Dm channels.
The SDCCH is used for most short transactions, including the initial call setup step, registration and SMS transfer. It has a payload data rate of 0.8 kbit/s. Up to eight SDCCHs can be time-multiplexed onto a single physical channel. The SDCCH uses 4-burst block interleaving in a 51-multiframe.
The FACCH is always paired with a traffic channel. The FACCH is a blank-and-burst channel that operates by stealing bursts from its associated traffic channel. Bursts that carry FACCH data are distinguished from traffic bursts by stealing bits at each end of the midamble. The FACCH is used for in-call signaling, including call disconnect, handover and the later stages of call setup. It has a payload data rate of 9.2 kbit/s when paired with a full-rate channel (FACCH/F) and 4.6 kbit/s when paired with a half-rate channel (FACCH/H). The FACCH uses the same interleaving and multiframe structure as its host TCH.
Every SDCCH or FACCH also has an associated SACCH. Its normal function is to carry system information messages 5 and 6 on the downlink, carry receiver measurement reports on the uplink and to perform closed-loop power and timing control. Closed loop timing and power control are performed with a physical header at the start of each L1 frame. This 16-bit physical header carries actual power and timing advance settings in the uplink and ordered power and timing values in the downlink. The SACCH can also be used for in-call delivery of SMS. It has a payload data rate of 0.2-0.4 kbit/s, depending on the channel with which it is associated. The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or SDCCH.
These are unicast and broadcast channels that do not have analogs in ISDN. These channels are used almost exclusively for radio resource management. The AGCH and RACH together form the medium access mechanism for Um.
The BCCH carries a repeating pattern of system information messages that describe the identity, configuration and available features of the BTS. The BCCH brings the measurement reports, and it brings the information about the LAI and CGI. The BCCH frequency is fixed in the BTS.
The SCH transmits a Base station identity code and the current value of the TDMA clock. The SCH repeats on every 1st, 11th, 21st, 31st and 41st frame of the 51-frame multiframe, so there are 5 SCH frames in a 51-frame multiframe.
The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local oscillator. The FCCH repeats on every 0th, 10th, 20th, 30th and 40th frame of the 51-frame multiframe, so there are 5 FCCH frames in a 51-frame multiframe.
The PCH carries service notifications (pages) to specific mobiles sent by the network. A mobile station that is camped to a BTS monitors the PCH for these notifications sent by the network.
The AGCH carries BTS responses to channel requests sent by mobile stations via the Random Access Channel.
The RACH is the uplink counterpart to the AGCH. The RACH is a shared channel on which the mobile stations transmit random access bursts to request channel assignments from the BTS.
The multiplexing rules of GSM 05.02 allow only certain combinations of logical channels to share a physical channel. The allowed combinations for single-slot systems are listed in GSM 05.02 Section 6.4.1. Additionally, only certain of these combinations are allowed on certain timeslots or carriers and only certain sets of combinations can coexist in a given BTS. These restrictions are intended to exclude nonsensical BTS configurations and are described in GSM 05.02 Section 6.5.
The most common combinations are:
Basic speech service in GSM requires five transactions: radio channel establishment, location update, mobile-originating call establishment, mobile-terminating call establishment and call clearing. All of these transactions are described in GSM 04.08 Sections 3-7.
Unlike ISDN's U channel, Um channels are not hard-wired, so the Um interface requires a mechanism for establishing and assigning a dedicated channel prior to any other transaction. The Um radio resource establishment procedure is defined in GSM 04.08 Section 3.3 and this is the basic medium access procedure for Um. This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared uplink. In the simplest form, the steps of the transaction are:
Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same time in step 2. If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio signals will not be demodulable and both MSs will move to step 4. However, if there is a sufficient difference in power, the BTS will see and answer the more powerful RACH burst. Both MSs will receive and respond to the resulting channel assignment in step 3. To ensure recovery from this condition, Um uses a "contention resolution procedure" in L2, described in GSM 04.06 5.4.1.4 in which the first L3 message frame from the MS, which always contains some form of mobile ID, is echoed back to the MS for verification.
The location updating procedure is defined in GSM 04.08 Sections 4.4.1 and 7.3.1. This procedure normally is performed when the MS powers up or enters a new Location area but may also be performed at other times as described in the specifications. In its minimal form, the steps of the transaction are:
There are many possible elaborations on this transaction, including:
This is the transaction for an outgoing call from the MS, defined in GSM 04.08 Sections 5.2.1 and 7.3.2 but taken largely from ISDN Q.931. In its simplest form, the steps of the transaction are:
The TCH+FACCH assignment can occur at any time during the transaction, depending on the configuration of the network. There are three common approaches:
This is the transaction for an incoming call to the MS, defined in GSM 04.08 Sections 5.2.2 and 7.3.3, but taken largely from ISDN Q.931.
As in the MOC, the TCH+FACCH assignment can happen at any time, with the three common techniques being early, late and very early assignment.
The transaction for clearing a call is defined in GSM 04.08 Sections 5.4 and 7.3.4. This transaction is the same whether initiated by the MS or the network, the only difference being a reversal of roles. This transaction is taken from Q.931.
GSM 04.11 and 03.40 define SMS in five layers:
As a general rule, every message transferred in L(n) requires both a transfer and an acknowledgment on L(n-1). Only L1-L4 are visible on Um.
The transaction steps for MO-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
The transaction steps for MT-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
GSM 02.09 defines the following security features on Um:
Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security feature but has the practical effect of adding significant complexity to passive interception of the Um link.
Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki are held in the SIM and in the Authentication Center (AuC), a component of the HLR. Ki is never transmitted across Um. An important and well-known shortcoming of GSM security is that it does not provide a means for subscribers to authenticate the network. This oversight allows for false base station attacks, such as those implemented in an IMSI catcher.
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and summarized here:
Note that this transaction always occurs in the clear, since the ciphering key is not established until after the transaction is started.
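The challenge-response exchange can be sketched in code to show what crosses Um and what stays inside the SIM and the AuC. This is an added example, not code from the original article or from the specifications: the operator-chosen A3/A8 algorithms are replaced by a truncated HMAC-SHA256 stand-in, and the class names, key and IMSI are constructed for illustration.

```python
"""Added example: GSM challenge-response authentication with stand-in A3/A8."""
import hashlib
import hmac
import secrets


def a3_a8_stand_in(ki, rand):
    """Stand-in for the operator's A3/A8 (assumption: HMAC-SHA256, truncated).

    Returns (SRES, Kc): a 32-bit signed response and a 64-bit ciphering key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds Ki and answers challenges; Ki never leaves the object."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        # The SIM answers any RAND; nothing here proves who issued it,
        # which is the one-way authentication the article describes.
        return a3_a8_stand_in(self._ki, rand)


class AuC:
    """Authentication Center: the only other holder of Ki."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)           # 128-bit random challenge
        sres, kc = a3_a8_stand_in(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


def authenticate(auc, sim):
    """Run one exchange; return (accepted, air_log, kc_network, kc_ms)."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    # air_log records everything sent over Um, all of it in the clear.
    air_log = [("downlink", "MM Authentication Request", rand)]
    sres, kc_ms = sim.run_gsm_algorithm(rand)
    air_log.append(("uplink", "MM Authentication Response", sres))
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, air_log, kc_network, kc_ms


def demo():
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    imsi = "001010000000001"                                 # constructed IMSI
    auc = AuC()
    auc.provision(imsi, ki)
    genuine = authenticate(auc, Sim(imsi, ki))
    wrong_key = authenticate(auc, Sim(imsi, bytes(16)))      # SIM with another Ki
    return ki, genuine, wrong_key


if __name__ == "__main__":
    ki, genuine, wrong_key = demo()
    print("genuine SIM accepted:", genuine[0])
    print("wrong-key SIM accepted:", wrong_key[0])
    print("Kc agreed without being sent:", genuine[2] == genuine[3])
```

Only RAND and SRES appear in `air_log`; Kc is derived independently on both sides and Ki stays in the SIM and the AuC.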
GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio bursts, at a very low level in L1, after forward error correction coding is applied. This is another significant security shortcoming in GSM because:
A typical GSM transaction also includes LAPDm idle frames and SACCH system information messages at predictable times, affording a known-plaintext attack.
The GSM ciphering algorithm is called A5. There are four variants of A5 in GSM, only the first three of which are widely deployed:
Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is initiated with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The MS starts ciphering and responds with the RR Ciphering Mode Complete message in ciphertext.
The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GSM 02.09 Section 3.3.3). Support of both A5/1 and A5/2 in the MS was mandatory in GSM Phase 2 (GSM 02.07 Section 2) until A5/2 was deprecated by the GSMA in 2006.
The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the clear on Um. The TMSI is assigned by the BSC and is only meaningful within a specific network. The TMSI is assigned by the network with the MM TMSI Reallocation Command, a message that is normally not sent until after ciphering is started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established, it can be used to anonymize future transactions. Note that the subscriber identity must be established before authentication or encryption, so the first transaction in a new network must be initiated by transmitting the IMSI in the clear.