GSM Comes to North America (Summer, 1997)
-----------------------------------------
By Phiber Optik

In this article, I will describe various aspects of GSM, the newly implemented Global System for Mobile communications. Groovy? Then let's begin!

Just what is this GSM, anyway?

GSM started out in Europe as Groupe Spécial Mobile in 1982. Established by the European Conference of Postal and Telecommunications Administrations (CEPT), it was to be the new standard for digital cellular. A newer, better network for mobile communications was needed. In contrast to the many nations' mutually incompatible analog cellular systems, GSM would provide one standard for easy roaming, efficient use of the available bandwidth, and privacy through encryption. By the mid-1980s, well over a dozen countries were committed to GSM, and in 1989 responsibility for the standard was transferred to the European Telecommunications Standards Institute (ETSI). In the early 1990s, the first public GSM network went into service.

As you can probably imagine, it wasn't easy getting everyone to agree on the encryption, specifically the cipher used to deter over-the-air eavesdropping. While the French and British spook agencies wanted "adequate" encryption, the Germans argued for something much stronger, since they bordered what was, at the time, the Eastern Bloc. A compromise was reached, the result being the "secret" A5 encryption algorithm (secret in the sense that its design was never published). Two versions were drafted: A5/1 for Europe, specifically the members of CEPT, and the deliberately weaker A5/2 for export. (If you were a particularly nasty nation, encryption would be disabled altogether, the option known as A5/0.) Anyway, we'll get into the security features of GSM later in this article, so remain calm.

GSM comes to America

In the '90s, the industry began buzzing about Personal Communications Services, or PCS. PCS boasted, among other things, small communications gadgets crammed with neato-keen features to do all sorts of things. Or that's what they hoped.
The FCC allocated the 1900 MHz band of the EM spectrum for PCS, and auctioned off frequencies. (I often wondered if I could purchase that part of the EM spectrum known as "blue," or maybe "green;" think of the royalties.) Anyway, certain members of the telecommunications industry recognized GSM as a great technology with which to build upon the PCS idea. The first GSM-based PCS networks were designed, implemented, and tested in the mid-90s, and by 1995 the first taste of GSM was available to the American public. Or at least, to those who lived in the larger cities where GSM was first being implemented.

Now, one obvious problem arose that has yet to be resolved. GSM abroad uses the 900 MHz band. Europe's version of PCS, known as DCS1800 or PCN, uses the 1800 MHz band. Due to the FCC's forward thinking, our GSM/PCS network is totally incompatible with the rest of the world's, simply because of the frequency. GSM phone manufacturers are scrambling to create hybrid phones that work both here and abroad, but are wrestling with the problem of combining all the needed radio circuitry while keeping the size and cost of the phone to a minimum. So, for the time being, we are restricted to SIM card "roaming," which means using your SIM in a foreign phone, one of the neat features of GSM. So let's get into the technology, shall we?

SIM sala bim!

At the core of GSM's security model is the SIM card, the Subscriber Identity Module. The SIM comes either as a full, credit-card-size smartcard, or as a smaller card no bigger than the actual IC carrier. The former slides into a slot in the handset and stays there; the latter goes into a small latched socket under the handset's battery. The smaller SIMs can be popped into a credit-card-size "carrier," so they can be used with handsets that take the larger size. The idea is that a subscriber could insert his/her SIM card into anyone's GSM phone and use the network, subject to the subscription data stored on the SIM card itself.
What's on the SIM card that makes it so special?

The SIM card is actually a small "tamper-resistant" microcontroller capable of performing one or two keyed one-way functions. It stores the subscriber's unique secret key (Ki) and IMSI (International Mobile Subscriber Identity) number, the subscriber's MSISDN (Mobile Station Integrated Services Digital Network number, which in English is the subscriber's phone number), and has some EEPROM for storing a PIN to lock the SIM, the preferred language for the handset's menus, a speed-dialing directory, SMS (Short Message Service) text messages, etc.

The IMSI, like the secret key (Ki), is unique; its purpose is to identify the subscriber to the network. It has the following format: MCC-MNC-MSIN, where MCC is the 3-digit Mobile Country Code (assigned separately from the land-line country code), MNC is the 2- or 3-digit Mobile Network Code, indicating your home GSM provider, and MSIN is the Mobile Subscriber Identification Number, which identifies you within that provider's network and is a separate number from your MSISDN. The MCC-MNC together are called the network code, and uniquely identify a GSM provider. Some examples are 310-16 for Omnipoint, 310-15 for BellSouth Mobility, etc. (Why did we get 310 as our country code and not 001? That's probably payback for having country code 1 on the wired telephone network!) You may notice the ISDN acronym in MSISDN; as you'll see, some of GSM's internal protocols were based on ISDN standards. It's hoped that GSM will be gatewayed to land-line ISDN, but I digress.

Once the SIM has registered on a GSM network (home or visited), the serving switch issues it a temporary identity, the TMSI, which is stored on the SIM. Whenever the network interrogates the SIM as to "who" it is, the SIM answers with the TMSI instead of the IMSI, to keep the subscriber's permanent identity off the air. The TMSI can be reissued at some interval decided by the GSM provider. (The catch: a TMSI only means something to the switch that issued it, so the very first registration, and any registration where the switch can't resolve the TMSI, sends the IMSI over the air in the clear.)

The secret key (Ki) is a shared secret; it's locked away in the SIM, only to be used by the SIM's own A3 and A8 functions. Not you, and not even your phone, knows what this number is. The network side does: the AUthentication Center database (AUC) holds every valid Ki, and, as you'll see, the switch that authenticates you and completes your call never handles Ki itself, only values derived from it. The AUC also contains some other things, but we'll get to that shortly.

The two functions in the SIM are implementation specific, and are called A3 and A8, the authentication algorithm and the ciphering key generating algorithm, respectively. Oftentimes the recommended "official" COMP128 algorithm, which implements both A3 and A8 and is approved by the GSM standards group, is used. (Just to satisfy your curiosity, the aforementioned A5 algorithm is implemented in the handset's firmware, not on the SIM card.)

The PIN is only used to lock the SIM, so when the SIM is placed in a phone and powered up, the user must enter the correct PIN in order to make or receive calls. If the PIN is entered incorrectly some predetermined number of times, the SIM is blocked from use, and only the Personal Unblocking Key (PUK, available from the GSM provider) can unblock the SIM and restore it to usefulness. If the PUK is incorrectly entered too many times, the SIM card is rendered permanently useless. Understand, all billing stems from the SIM; the handset is simply an extension of the medium, nothing more.

OK, so what about this handset?

A GSM phone typically has all the normal touch-tone keys, and in addition some mechanism to navigate a simple menu of options to configure the phone and use its features: arrow keys for scrolling, YES and NO buttons for making choices, etc. The menu is viewed on a small multiline LCD display. There are commonly undocumented keypad sequences for displaying information about the phone's firmware revision and IMEI, among other things. The IMEI, or International Mobile Equipment Identity, is a unique ID for your phone. It has the following format: TAC-FAC-SN-X.
The TAC is a 6-digit Type Approval Code, the FAC is a 2-digit Final Assembly Code, the SN is a 6-digit Serial Number, and X is a reserved "supplementary" digit. IMEIs are stored in the EIR (Equipment Identity Register) database. The IMEI is to the handset what the IMSI is to the SIM card. In this manner, someone attempting to use the network can be refused for having an invalid SIM card, or an unregistered or stolen phone, or both. (One caveat: unlike the SIM, the handset has no secret key. The IMEI is simply reported by the phone when asked, so the EIR check is only as trustworthy as the phone's firmware.) It should be noted that many GSM phones have neat features like firmware debuggers and call-progress dumpers built in, accessible with a computer and a specially built serial cable.

Enough, Phiber, now tell me about the switch!

OK, OK. Two of the most common GSM switches are the Ericsson AXE MSC, based on the AXE 10, and the Nortel DMS-MSC, based on the DMS SuperNode. MSC stands for Mobile Switching Center, which is what the switch is called in GSM lingo. The MSC is part of the network subsystem, and accesses four main databases: the Home Location Register (HLR), the Visitor Location Register (VLR), the Equipment Identity Register (EIR), and the Authentication Center (AUC). The VLR is commonly integrated with the MSC (e.g., the DMS-MSC), leaving the HLR, AUC, and EIR as separate physical entities (e.g., the DMS-HLR). There is at least one HLR on every GSM network, and commonly multiple MSCs. The MSCs talk to other nodes on the GSM network using Signaling System No. 7 (SS7). Smaller GSM networks, which only serve a particular metropolitan area, may have only a couple of MSCs, which talk directly to the PSTN (e.g., NYNEX, Bell Atlantic) using SS7. Larger GSM networks, which serve entire countries, make use of Gateway MSCs, or GMSCs, which may need to reach other parts of the GSM network over an SS7-capable PSTN, because it would be impractical to have the entire GSM network directly and privately interconnected.

The MSC/VLR and HLR together handle roaming and call routing; the HLR also stores all valid IMSIs and MSISDNs, while the EIR stores all the valid IMEIs. This leaves the AUC, which stores all the valid Kis, generates pseudo-random numbers, and performs the A3 and A8 computations for the network subsystem.

What's up with those flat, funky new antennas on the fronts of buildings?

Your handset and SIM together make up the "mobile station." It talks to these antennas, which are hooked up to a Base Transceiver Station (BTS), commonly located either on the roof or in the basement of the building. Each BTS serves a "cell," and cells are grouped into "location areas," each with a location area identifier (LAI). These clusters of BTSs are linked to Base Station Controllers (BSCs), typically located in yet other buildings. The BSCs talk directly to the switch (MSC) over leased lines.

Coding and multiplexing in brief: from the handset back to the switch

So now we have your phone encoding your voice at 13 kbit/s with the GSM full-rate speech codec. The coded speech frames are channel-coded and interleaved directly into bursts; signaling messages, by contrast, are framed using a modified LAPD (a la ISDN) protocol known as LAPDm (Link Access Protocol for the D-channel, modified). Either way, the bursts are multiplexed into time slots (known as "burst periods"), eight of which make up a TDMA (Time Division Multiple Access) frame. The TDMA frames are bundled together into 26-frame multiframes (for traffic channels), which are then modulated onto a carrier frequency using GMSK (Gaussian-filtered Minimum Shift Keying). The carriers are spaced 200 kHz apart, and the FDMA (Frequency Division Multiple Access) part of the scheme is the division of the operator's slice of the 1,900 MHz PCS band into those 200 kHz channels. (The oft-quoted figure of 124 carriers is the GSM 900 number; a 30 MHz PCS block is 15 MHz in each direction, room for about 75 channels, and a 10 MHz block has room for about 25.) The block sizes are granted by the FCC based on the service area requirements of the GSM company (i.e., metropolitan versus suburban, etc.), and are lettered A through F, largest to smallest. A, B, and C-blocks are 30 MHz, and D, E, and F-blocks are 10 MHz.
One or more carrier frequencies are assigned to each BTS. The wireless path between your phone and the nearest BTS is referred to as the Um link. Your phone converses with BTSs using FDMA/TDMA over this link. The BSCs talk to the BTSs they control over what is termed the Abis link, and talk to the switch (MSC) over the A link, using the same Message Transfer Part (MTP) defined by SS7. Above MTP (and its routing companion, SCCP) sits the TCAP, Transaction Capabilities Application Part, roughly the "application" layer in OSI terms. In GSM nomenclature, TCAP carries the MAP, Mobile Application Part, which can be rather complex. MAP carries the messages exchanged between the MSC and the other entities of the network subsystem (HLR, VLR, EIR, AUC); the BSC-to-MSC messages on the A link use a different application part, BSSAP, over the same SS7 transport.

Authentication and Encryption

The part you've been waiting for! Here's how it all works. A subscriber is authenticated to use the network by a challenge-response procedure, based on the security of a shared secret. As mentioned earlier, the shared secret is the subscriber's unique Ki, which is stored in the SIM card on the subscriber side and in the AUC on the network side.

The AUC starts by choosing a 128-bit pseudo-random number (RAND) and runs it through the A3 algorithm together with the subscriber's Ki to form SRES ("signed response"), a 32-bit value that only someone holding Ki could have produced. (Despite the name, SRES is a keyed response, not a signature in the public-key sense; nothing about it can be verified without Ki.) Next, it runs the same RAND and Ki through the A8 algorithm to form Kc, a 64-bit value used as the ciphering key for A5. The process of generating RAND, SRES, and Kc is called "generating a triplet." Triplets are cached by the HLR, and can be regenerated at some interval determined by the GSM provider. Note what the triplet does and doesn't contain: Ki itself never leaves the AUC.

When a subscriber needs to be authenticated, his SIM tells the local MSC/VLR his TMSI; the MSC/VLR resolves it to the IMSI and locates the subscriber's HLR, which sends back the subscriber's triplet, and the MSC/VLR caches it. The RAND is sent over the air to the subscriber's SIM by the MSC/VLR, and the SIM computes SRES and Kc. SRES is sent back by the SIM to the MSC/VLR, which compares it to the SRES it has cached. If they match, the subscriber is authenticated! Note that only RAND and SRES ever cross the air; Kc is computed independently at both ends and is never transmitted.

Now that the subscriber is authenticated, communication over the GSM network can begin. But first, a brief description of A5 is in order....

A5/1 is a stream cipher consisting of three clock-controlled linear feedback shift registers (LFSRs), 19, 22 and 23 bits long. Kc is clocked into the three LFSRs to initialize them, then the 22-bit TDMA frame number, whatever it happens to be at that moment, is clocked in on top. The output for each frame is two 114-bit values, one for the transmit channel and one for the receive channel. Each "channel," frozen in time (one burst period), carries 114 bits of payload, in two 57-bit halves. The 114-bit transmit burst is exclusive-ORed (XORed) with one of the two outputs of A5, and the 114-bit receive burst is XORed with the other. Because the frame number is part of the setup, every burst gets a fresh keystream even though Kc stays fixed.

OK, so now, provided that all over-the-air communications between the subscriber and the BTS (cell) are to be encrypted, a start-ciphering message is sent to both the BTS and the handset. This message also indicates whether to use A5/1 or A5/2. The Kc that the MSC/VLR got from the subscriber's HLR is passed to the BTS, which feeds it into its A5 engine, and the Kc generated by the SIM is used to initialize the handset's A5 engine. Since the authentication stage was successful, the BTS's Kc and the SIM's Kc are identical. Encryption proceeds as I laid out in the A5 description. In this manner, all voice and data traffic, in the form of TDMA bursts, is encrypted between the handset and the BTS, and only there: from the BTS back into the network it travels over the operator's leased lines without A5. How often Kc is rechosen is implementation specific. It could be multiple times during the lifetime of a call, or only once during call setup, or for every nth call.

In addition to the initial A3 authentication, the subscriber's handset could also be subjected to a test.
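To make the exchange concrete, here is an added example (my own code, not from the article or any vendor) that plays out the challenge-response above between a SIM, a handset, an AUC and an MSC/VLR, and then runs the resulting Kc through an A5/1 keystream generator to cipher one downlink burst. A3 and A8 are operator-specific and secret, so they are stood in for by an HMAC truncated to the real output widths (this is not COMP128); the A5/1 register lengths, taps, clocking bits and key-loading order follow the published description of the cipher. Ki, IMSI and the burst contents are constructed test values.

```python
import hashlib
import hmac
import secrets

# A3/A8 stand-ins. Operators use their own (often COMP128); this is NOT COMP128,
# only a keyed one-way function cut down to the GSM output widths.
def a3(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit SRES from Ki and the 128-bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: 64-bit Kc from Ki and the same RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class SIM:
    """Subscriber side. Ki never leaves the SIM; it only answers challenges."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def run_gsm_algorithm(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)        # (SRES, Kc)

class Handset:                                               # relays RAND, keeps Kc for its A5 engine
    def __init__(self, sim: SIM):
        self.sim, self.kc = sim, None
    def on_rand(self, rand: bytes) -> bytes:
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres                                           # only SRES goes back over the air

class AuC:                                                   # holds every Ki; HLR caching of triplets omitted
    def __init__(self, kis: dict):
        self._kis = dict(kis)                                 # IMSI -> Ki
    def triplet(self, imsi: str):
        rand, ki = secrets.token_bytes(16), self._kis[imsi]
        return rand, a3(ki, rand), a8(ki, rand)

class MSC_VLR:
    """Serving switch. It sees triplets, never Ki."""
    def __init__(self, auc: AuC):
        self.auc, self.kc = auc, {}                           # IMSI -> Kc after a good auth
    def authenticate(self, handset: Handset) -> bool:
        rand, sres_expected, kc = self.auc.triplet(handset.sim.imsi)
        sres = handset.on_rand(rand)                          # RAND out, SRES back
        if not hmac.compare_digest(sres, sres_expected):
            return False
        self.kc[handset.sim.imsi] = kc                        # handed to the BTS on "start ciphering"
        return True

def a5_1_keystream(kc: bytes, frame: int):
    """A5/1: 64-bit Kc + 22-bit frame number -> two 114-bit keystreams (as ints)."""
    if len(kc) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
    masks = [(1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1]    # R1, R2, R3 are 19, 22, 23 bits
    taps = [0x072000, 0x300000, 0x700080]                    # R1: 18,17,16,13  R2: 21,20  R3: 22,21,20,7
    clk = [1 << 8, 1 << 10, 1 << 10]                         # bits that vote on the majority clocking
    r = [0, 0, 0]
    def shift(i: int, feed: int) -> None:                    # clock register i; feed is XORed into bit 0
        r[i] = ((r[i] << 1) & masks[i]) | ((bin(r[i] & taps[i]).count("1") & 1) ^ feed)
    for i in range(64):                                      # load Kc, LSB of each byte first, all registers clocked
        for j in range(3):
            shift(j, (kc[i // 8] >> (i % 8)) & 1)
    for i in range(22):                                      # then the frame number, LSB first
        for j in range(3):
            shift(j, (frame >> i) & 1)
    def majority_clock() -> None:                            # only registers agreeing with the majority move
        votes = [1 if r[j] & clk[j] else 0 for j in range(3)]
        maj = 1 if sum(votes) >= 2 else 0
        for j in range(3):
            if votes[j] == maj:
                shift(j, 0)
    for _ in range(100):                                     # 100 warm-up clocks, output discarded
        majority_clock()
    def bits(n: int) -> int:                                 # output bit = XOR of the three MSBs
        v = 0
        for _ in range(n):
            majority_clock()
            v = (v << 1) | (((r[0] >> 18) ^ (r[1] >> 21) ^ (r[2] >> 22)) & 1)
        return v
    return bits(114), bits(114)                              # (mobile->BTS, BTS->mobile)

BURST_MASK = (1 << 114) - 1

def cipher_burst(kc: bytes, frame: int, burst: int, downlink: bool) -> int:
    """XOR a 114-bit burst with the keystream for its direction; encrypt and decrypt are the same op."""
    uplink_ks, downlink_ks = a5_1_keystream(kc, frame)
    return (burst & BURST_MASK) ^ (downlink_ks if downlink else uplink_ks)

def demo() -> dict:
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed test Ki
    imsi = "310160123456789"                                  # constructed IMSI
    msc = MSC_VLR(AuC({imsi: ki}))
    genuine = Handset(SIM(imsi, ki))
    clone = Handset(SIM(imsi, bytes(16)))                     # right IMSI, wrong Ki
    ok, clone_ok = msc.authenticate(genuine), msc.authenticate(clone)
    # "Start ciphering": the BTS receives Kc from the MSC/VLR; the handset already has its own copy.
    bts_kc, frame = msc.kc[imsi], 0x134
    plain = int.from_bytes(b"constructed downlink burst", "big") & BURST_MASK
    on_air = cipher_burst(bts_kc, frame, plain, downlink=True)
    recovered = cipher_burst(genuine.kc, frame, on_air, downlink=True)
    return {"authenticated": ok, "clone_authenticated": clone_ok, "kc_match": genuine.kc == bts_kc,
            "recovered": recovered == plain, "on_air_differs": on_air != plain}
```

Two things worth noticing when you run `demo()`: the clone with the right IMSI but the wrong Ki fails at the SRES comparison without the switch ever learning anything about Ki, and the handset's Kc equals the BTS's Kc even though the two were computed on opposite sides of the air interface. The all-zero Kc with frame number 0 is a degenerate case (all three LFSRs stay at zero and the keystream is all zeros), which is why a real AUC must never hand out a zero Kc.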
The handset's IMEI is looked up in the EIR database, and the handset is either permitted or denied use of the GSM network, e.g., denied if the phone was reported stolen.

Handoffs and Roaming

As you may well know, the links used for a call are not static for the duration of that call. Handoffs (also called "handovers") typically occur for load balancing during idle points of conversation, or because the mobile user is in transit. Internally, the handoff could be between time slots in the same cell (BTS), between BTSs connected to the same BSC, between BSCs connected to the same switch (MSC), or between BTSs ultimately controlled by different switches.

Roaming, or "location updating," is handled by the MSC/VLR and HLR. Location updating is a function of the GSM network that is performed both for home subscribers and for subscribers from other GSM networks that are roaming partners. When a phone is turned on or moves into a new location area, it registers its location information (LAI) and TMSI with the local MSC/VLR. The MSC/VLR first needs the subscriber's IMSI in order to find the right HLR; since a TMSI only means something to the switch that issued it, the new MSC/VLR either asks the previous MSC/VLR (identified by the old LAI) to translate the TMSI or, failing that, asks the handset to send its IMSI in the clear. It then sends the HLR the subscriber's current LAI, along with its own SS7 address. If the subscriber checks out with the HLR, the HLR sends this new MSC/VLR the subscriber information needed for call control (such as the triplet), and the MSC/VLR issues the subscriber a fresh TMSI. The HLR also notifies any previously registered MSC/VLR to cancel its registration of the subscriber, who has relocated.

Call routing

I'll describe call routing using an incoming call from the PSTN as an example. On a large national GSM network, the first hop into the GSM network is the GMSC (Gateway Mobile Switching Center). The GMSC receives the terminating subscriber's phone number (MSISDN) from the neighboring PSTN switch over SS7. The GMSC has a table containing the SS7 address (point code) of the HLR for every MSISDN on the network. The GMSC queries the proper HLR for a Mobile Station Roaming Number (MSRN).

The HLR looks up the SS7 address of the MSC/VLR that the terminating subscriber is currently local to and, using the SS7-capable PSTN to bridge the distance if need be, asks this MSC/VLR to allocate a temporary MSRN. The MSRN is drawn from a pool of reserved, valid PSTN phone numbers which the GSM network uses to "alias" MSISDNs. The alias is only valid for the duration of the call, after which the number goes back into the pool. The MSRN is returned, via the HLR, to the GMSC, which can now use this temporary number to route the call over the PSTN to the proper MSC/VLR and ultimately to the terminating mobile subscriber.

On a smaller GSM network, the process is much simpler. An MSC/VLR is often the first and only hop between the PSTN and the mobile subscriber. The MSC/VLR simply asks the HLR for the IMSI that corresponds to the incoming MSISDN, matches the IMSI to the TMSI it issued, and pages the proper subscriber's handset with it.

And there you have it. Consider it a primer on GSM. I know, a little technical for a primer. Well, what did you expect? This should prove ample information to satisfy your neurons for a while. If this article is well received and if I have time in the future, I may cover other topics such as custom calling features, billing, and assorted stuff. If you're looking for the GSM provider in your area, or even if there is one, look no further than the web sites of Omnipoint, Sprint Spectrum, BellSouth Mobility, and Pacific Bell Mobile, to name a few. See ya!
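Appendix: the location-updating and call-routing procedures from the last two sections, as an added example (my own code, not the article's or any switch vendor's). It models one HLR, two MSC/VLRs each owning a small pool of MSRNs, and a GMSC, and walks a constructed subscriber through power-on in one location area, a move to another, and an incoming call in each place. The switch names, number prefixes, LAIs, IMSI and MSISDN are all made up; the message names in the comments (UpdateLocation, CancelLocation, SendRoutingInfo, ProvideRoamingNumber) are the MAP operations the steps correspond to.

```python
class MSC_VLR:
    """A serving switch with its integrated VLR and a private pool of MSRNs."""
    def __init__(self, name: str, prefix: str, pool_size: int):
        self.name, self.prefix = name, prefix
        self.free = [f"{prefix}{i:02d}" for i in range(pool_size)]   # reserved PSTN numbers we may hand out
        self.in_use = {}                   # MSRN -> IMSI, for the life of one call
        self.visitors = {}                 # IMSI -> LAI of subscribers registered here right now

    def location_update(self, hlr, imsi: str, lai: str) -> dict:
        """Mobile registered in one of our location areas: tell the HLR (MAP UpdateLocation)."""
        self.visitors[imsi] = lai
        return hlr.update_location(imsi, self)                # subscriber profile comes back

    def cancel_location(self, imsi: str) -> None:
        """MAP CancelLocation from the HLR: the subscriber is now served elsewhere."""
        self.visitors.pop(imsi, None)

    def provide_roaming_number(self, imsi: str) -> str:
        """MAP ProvideRoamingNumber: alias the subscriber to one of our MSRNs for this call."""
        if imsi not in self.visitors:
            raise LookupError(f"{imsi} is not registered at {self.name}")
        if not self.free:
            raise RuntimeError(f"{self.name}: MSRN pool exhausted, call cannot be routed")
        msrn = self.free.pop(0)
        self.in_use[msrn] = imsi
        return msrn

    def deliver(self, msrn: str):
        """Call arrives from the PSTN on the MSRN: resolve the alias, release it, page the subscriber."""
        imsi = self.in_use.pop(msrn)
        self.free.append(msrn)                                # alias valid for one call only
        return imsi, self.visitors[imsi]                      # (who to page, by TMSI in practice; where)

class HLR:
    def __init__(self):
        self.serving = {}                  # IMSI -> MSC_VLR currently serving it (None if unregistered)
        self.by_msisdn = {}                # MSISDN -> IMSI

    def provision(self, imsi: str, msisdn: str) -> None:
        self.serving[imsi], self.by_msisdn[msisdn] = None, imsi

    def update_location(self, imsi: str, new_vlr: MSC_VLR) -> dict:
        old = self.serving[imsi]
        self.serving[imsi] = new_vlr
        if old is not None and old is not new_vlr:
            old.cancel_location(imsi)                         # exactly one VLR claims a subscriber at a time
        return {"imsi": imsi, "services": ["telephony", "sms"]}   # stand-in for the real profile and triplets

    def send_routing_info(self, msisdn: str) -> str:
        """MAP SendRoutingInfo from the GMSC: find the serving VLR and fetch an MSRN from it."""
        imsi = self.by_msisdn[msisdn]
        vlr = self.serving[imsi]
        if vlr is None:
            raise LookupError("subscriber not registered anywhere")
        return vlr.provide_roaming_number(imsi)

class GMSC:
    def __init__(self, hlr: HLR, switches):
        self.hlr, self.switches = hlr, list(switches)

    def route_incoming(self, msisdn: str):
        msrn = self.hlr.send_routing_info(msisdn)
        vlr = next(s for s in self.switches if msrn.startswith(s.prefix))   # PSTN routes on the MSRN itself
        return vlr.name, vlr.deliver(msrn)

def demo() -> dict:
    hlr = HLR()
    nyc = MSC_VLR("MSC-NYC", "1212555", 2)     # constructed switch with a pool of only two MSRNs
    phl = MSC_VLR("MSC-PHL", "1215555", 2)
    gmsc = GMSC(hlr, [nyc, phl])
    imsi, msisdn = "310160123456789", "12125551234"          # constructed identities
    hlr.provision(imsi, msisdn)
    results = {}
    try:
        gmsc.route_incoming(msisdn)                           # phone still off: no VLR has it
    except LookupError:
        results["before_registration"] = "unreachable"
    nyc.location_update(hlr, imsi, "310-16-0001")            # power on in New York
    results["in_nyc"] = gmsc.route_incoming(msisdn)
    phl.location_update(hlr, imsi, "310-16-0042")            # drive to Philadelphia
    results["nyc_cancelled"] = imsi not in nyc.visitors
    results["in_phl"] = gmsc.route_incoming(msisdn)
    held = [hlr.send_routing_info(msisdn) for _ in range(2)]   # two calls in setup hold both MSRNs
    try:
        hlr.send_routing_info(msisdn)
        results["third_call"] = "routed"
    except RuntimeError:
        results["third_call"] = "failed: pool exhausted"
    for m in held:
        phl.deliver(m)
    results["pool_restored"] = len(phl.free) == 2
    return results
```

The point of the tiny MSRN pool is the failure mode: an MSRN is a real, routable PSTN number held for the duration of one call, so a switch that runs out of them cannot accept another terminating call no matter how many subscribers it serves. The same structure shows why a stale VLR record matters; the HLR's CancelLocation to the old switch is what keeps a call from being routed to a city the subscriber has already left.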