Um Interface GSM
Um interface
The Um interface is the air interface for the GSM mobile telephone standard. It is the interface between the mobile
station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog to the U interface
of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also support GPRS
packet-oriented communication.
Um layers
The layers of GSM are initially defined in GSM 04.01 Section 7 and roughly follow the OSI model. Um is defined in
the lower three layers of the model.
Radiomodem
GSM uses GMSK or 8PSK modulation with a 13/48 MHz (270.833 kHz) symbol rate and a channel spacing of
200 kHz. Since adjacent channels overlap, the standard does not allow adjacent channels to be used in the same cell.
The standard defines several bands ranging from 400 MHz to 1990 MHz. Uplink and downlink bands are generally
separated by 45 or 50 MHz. Uplink/downlink channel pairs are identified by an index called the ARFCN. Within the
BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0 designated as a Beacon Channel and
always operated at constant power.
The channel is time-multiplexed into 8 timeslots, each with a duration of 156.25 symbol periods. These 8 timeslots
form a frame of 1,250 symbol periods. The capacity associated with a single timeslot on a single ARFCN is called a
physical channel (PCH) and referred to as "CnTm" where n is a carrier index and m is a timeslot index (0-7).
Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble (or
training sequence). The lengths of these fields vary with the burst type but the total burst length is 156.25 symbol
periods. The most commonly used burst is the Normal Burst (NB). The fields of the NB are:
Field           Length (symbol periods)
Tail bits       3
Payload         57
Stealing bit    1
Midamble        26
Stealing bit    1
Payload         57
Tail bits       3
Guard period    8.25
Midamble: 26 bits for equalizer training at the center of the burst
"Stealing bits": one on each side of the midamble, used to distinguish control and traffic payloads
Payload: two 57-bit fields, symmetric about the burst
Tail bits
Coding
The coding sublayer provides forward error correction. As a general rule, each GSM channel uses a block parity
code (usually a Fire code), a rate-1/2, 4th-order convolutional code and a 4-burst or 8-burst interleaver. Notable
exceptions are the synchronization channel (SCH) and random access channel (RACH) that use single-burst
transmissions and thus have no interleavers. For speech channels, vocoder bits are sorted into importance classes
with different degrees of encoding protection applied to each class (GSM 05.03).
Both 260-bit vocoder frames and 184-bit L2 control frames are coded into 456-bit L1 frames. On channels with
4-burst interleaving (BCCH, CCCH, SDCCH, SACCH), these 456 bits are interleaved into 4 radio bursts with 114
payload bits per burst. On channels with 8-burst interleaving (TCH, FACCH), these 456 bits are interleaved over 8
radio bursts so that each radio burst carries 57 bits from the current L1 frame and 57 bits from the previous L1 frame.
Interleaving algorithms for the most common traffic and control channels are described in GSM 05.03 Sections
3.1.3, 3.2.3 and 4.1.4.
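The 4-burst case described above, worked through as an added example (not part of the original article). It uses the control-channel mapping of GSM 05.03 Section 4.1.4, in which coded bit k goes to burst k mod 4 at position 2((49k) mod 57) + ((k mod 8) div 4). The all-zero midamble and the default stealing-flag values are assumptions of this example.

```python
TAIL = [0, 0, 0]
MIDAMBLE = [0] * 26  # constructed placeholder, not a real training sequence

def _slot(k):
    """Burst index and payload position for coded bit k of a 456-bit frame."""
    return k % 4, 2 * ((49 * k) % 57) + ((k % 8) // 4)

def interleave_xcch(frame):
    """Spread one 456-bit L1 frame over 4 bursts of 114 payload bits."""
    if len(frame) != 456:
        raise ValueError("L1 frame must be 456 bits")
    bursts = [[None] * 114 for _ in range(4)]
    for k, bit in enumerate(frame):
        b, j = _slot(k)
        bursts[b][j] = bit
    return bursts

def deinterleave_xcch(bursts):
    """Inverse mapping; a lost burst may be passed as 114 None values."""
    return [bursts[b][j] for b, j in map(_slot, range(456))]

def normal_burst(payload, stealing=(1, 1)):
    """Lay 114 payload bits into the 148 transmitted bits of a Normal Burst.
    The 8.25-symbol guard period carries no bits and is not modelled.
    The stealing flag values are an assumption of this example."""
    return (TAIL + payload[:57] + [stealing[0]] + MIDAMBLE
            + [stealing[1]] + payload[57:] + TAIL)

def longest_erasure_run(frame):
    """Longest run of consecutive missing (None) bits in a frame."""
    best = run = 0
    for bit in frame:
        run = run + 1 if bit is None else 0
        best = max(best, run)
    return best
```

Losing one whole burst removes 114 bits, but after deinterleaving no two of them are adjacent, which is what lets the convolutional code recover the frame.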
The access order is RR, MM, CC. The release order is the reverse of that. Note that none of these sublayers terminate
in the BTS itself. The standard GSM BTS operates only in layers 1 and 2.
Um logical channels
Um logical channel types are outlined in GSM 04.03. Broadly speaking, non-GPRS Um logical channels fall into
three categories: traffic channels, dedicated control channels and non-dedicated control channels.
• Combination I: TCH/F + FACCH/F + SACCH. This combination is used for full rate traffic. It can be used
anywhere but C0T0.
• Combination II: TCH/H + FACCH/H + SACCH. This combination is used for half rate traffic when only one
channel is needed. It can be used anywhere but C0T0.
• Combination III: 2 TCH/H + 2 FACCH/H + 2 SACCH. This combination is used for half rate traffic. It can be
used anywhere but C0T0.
• Combination IV: FCCH + SCH + BCCH + CCCH. This is the standard C0T0 combination for medium and large
cells. It can be used only on C0T0.
• Combination V: FCCH + SCH + BCCH + CCCH + 4 SDCCH + 2 SACCH.
[(5×1) + (5×1) + (1×4) + (3×4) + (4×4) + (2×4) + 1 idle = 51-frame multiframe] This is the typical C0T0 combination for
small cells, which allows the BTS to trade unnecessary CCCH capacity for a pool of 4 SDCCHs. It can be used
only on C0T0.
• Combination VI: BCCH + CCCH. This combination is used to provide additional CCCH capacity in large cells.
It can be used on C0T2, C0T4 or C0T6.
• Combination VII: 8 SDCCH + 4 SACCH. [(8×4) + (4×4) + 3 idle = 51-frame multiframe] This combination is used to
provide additional SDCCH capacity in medium and large cells. It can be used anywhere but C0T0.
Fundamental Um Transactions
Basic speech service in GSM requires five transactions: radio channel establishment, location update,
mobile-originating call establishment, mobile-terminating call establishment and call clearing. All of these
transactions are described in GSM 04.08 Sections 3-7.
Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same time in step
2. If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio signals will not be
demodulable and both MSs will move to step 4. However, if there is a sufficient difference in power, the BTS will
see and answer the more powerful RACH burst. Both MSs will receive and respond to the resulting channel
assignment in step 3. To ensure recovery from this condition, Um uses a "contention resolution procedure" in L2,
described in GSM 04.06 5.4.1.4 in which the first L3 message frame from the MS, which always contains some form
of mobile ID, is echoed back to the MS for verification.
Location updating
The location updating procedure is defined in GSM 04.08 Sections 4.4.1 and 7.3.1. This procedure normally is
performed when the MS powers up or enters a new Location area but may also be performed at other times as
described in the specifications. In its minimal form, the steps of the transaction are:
1. The MS and BTS perform the radio channel establishment procedure.
2. On the newly established dedicated channel, the MS sends the MM Location Updating Request message
containing either an IMSI or TMSI. The message also implies connection establishment in the MM sublayer.
3. The network verifies the mobile identity in the HLR or VLR and responds with the MM Location Updating
Accept message.
4. The network closes the Dm channel by sending the RR Channel Release message.
There are many possible elaborations on this transaction, including:
• authentication
• ciphering
• TMSI assignment
• queries for other identity types
• location updating reject
• Early Assignment. The network assigns the TCH+FACCH after sending CC Call Proceeding and completes call
setup on the FACCH. This allows the use of in-band patterns (like the ringing or busy patterns) generated by the
network. This is the example shown.
• Late Assignment. The network does not assign the TCH+FACCH until after alerting has started. This forces the
MS itself to generate the patterns locally since the TCH does not yet exist to carry the sound.
• Very Early Assignment. The network makes an immediate assignment to the TCH+FACCH in the initial RR
establishment and performs the entire transaction on the FACCH. The SDCCH is not used. Because immediate
assignment starts the FACCH in a signaling-only mode, the network must send the RR Channel Mode Modify
message at some point to enable the TCH part of the channel.
mobile call
Call clearing
The transaction for clearing a call is defined in GSM 04.08 Sections 5.4 and 7.3.4. This transaction is the same
whether initiated by the MS or the network, the only difference being a reversal of roles. This transaction is taken
from Q.931.
1. Party A sends the CC Disconnect message.
2. Party B responds with the CC Release message.
3. Party A responds with the CC Release Complete message.
4. The network releases the RR connection with the RR Channel Release message. This always comes from the
network, regardless of which party initiated the clearing procedure.
SMS Transfer on Um
GSM 04.11 and 03.40 define SMS in five layers:
1. L1 is taken from the Dm channel type used, either SDCCH or SACCH. This layer terminates in the BSC.
2. L2 is normally LAPDm, although GPRS-attached devices may use Logical link control (LLC, GSM 04.64). In
LAPDm SMS uses SAP3. This layer terminates in the BTS.
3. L3, the connection layer, defined in GSM 04.11 Section 5. This layer terminates in the MSC.
4. L4, the relay layer, defined in GSM 04.11 Section 6. This layer terminates in the MSC.
5. L5, the transfer layer, defined in GSM 03.40. This layer terminates in the SMSC.
As a general rule, every message transferred in L(n) requires both a transfer and an acknowledgment on L(n-1). Only
L1-L4 are visible on Um.
Um Security Features
GSM 02.09 defines the following security features on Um:
• authentication of subscribers by the network,
• encryption on the channel,
• anonymization of transactions (at least partially).
Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security feature
but has the practical effect of adding significant complexity to passive interception of the Um link.
Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki are held in
the SIM and in the Authentication Center (AuC), a component of the HLR. Ki is never transmitted across Um. An
important and well-known shortcoming of GSM security is that it does not provide a means for subscribers to
authenticate the network. This oversight allows for false basestation attacks, such as those implemented in an IMSI
catcher.
Authentication of Subscribers
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and
summarized here:
1. The network generates a 128 bit random value, RAND.
2. The network sends RAND to the MS in the MM Authentication Request message.
3. The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm called A3, using Ki as a
key. SRES = A3(RAND,Ki). The network performs an identical SRES calculation.
4. The MS sends back its SRES value in the RR Authentication Response message.
5. The network compares its calculated SRES value to the value returned by the MS. If they match, the MS is
authenticated.
6. Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and Ki using the A8
algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use when ciphering is enabled.
Note that this transaction always occurs in the clear, since the ciphering key is not established until after the
transaction is started.
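The six steps above as a two-sided exchange, in an added example that is not part of the original article. A3 and A8 are operator-selected algorithms, so a truncated HMAC-SHA256 stands in for both here (an assumption of this example); the class and method names and the IMSI used in testing are likewise constructed.

```python
import hashlib
import hmac
import secrets

def _keyed(ki: bytes, label: bytes, rand: bytes) -> bytes:
    # Stand-in keyed function for this example only; the real A3/A8 are
    # operator-selected algorithms and are NOT HMAC-SHA256.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()

def a3(rand: bytes, ki: bytes) -> bytes:
    return _keyed(ki, b"A3", rand)[:4]        # SRES, 32 bits

def a8(rand: bytes, ki: bytes) -> bytes:
    return _keyed(ki, b"A8", rand)[:8]        # Kc, 64 bits

class MobileStation:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def on_authentication_request(self, rand: bytes) -> bytes:
        # The request carries only RAND: nothing in it lets the MS check
        # who generated it, so authentication is one-way.
        self.kc = a8(rand, self._ki)          # step 6, MS side
        return a3(rand, self._ki)             # steps 3-4

class Network:
    def __init__(self, auc: dict):
        self._auc, self._pending, self.kc = auc, {}, {}

    def authentication_request(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)        # step 1: 128-bit RAND
        self._pending[imsi] = rand
        return rand                           # step 2

    def on_authentication_response(self, imsi: str, sres: bytes) -> bool:
        rand = self._pending.pop(imsi, None)  # each RAND is single-use
        if rand is None:
            return False
        ok = hmac.compare_digest(sres, a3(rand, self._auc[imsi]))  # step 5
        if ok:
            self.kc[imsi] = a8(rand, self._auc[imsi])  # step 6, network side
        return ok

def authenticate(net: Network, ms: MobileStation) -> bool:
    rand = net.authentication_request(ms.imsi)
    sres = ms.on_authentication_request(rand)
    return net.on_authentication_response(ms.imsi, sres)
```

Only RAND and SRES cross the link; Ki stays in the SIM and the AuC, and both sides end up holding the same Kc without ever sending it.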
Um Encryption
GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio bursts, at a
very low level in L1, after forward error correction coding is applied. This is another significant security
shortcoming in GSM because:
• the intentional redundancy of the convolutional coder reduces the unicity distance of the encoded data and
• the parity word can be used for verifying correct decryption.
A typical GSM transaction also includes LAPDm idle frames and SACCH system information messages at
predictable times, affording a known-plaintext attack.
The GSM ciphering algorithm is called A5. There are four variants of A5 in GSM, only the first three of which are
widely deployed:
• A5/0: no ciphering at all
• A5/1: strong(er) ciphering, intended for use in North America and Europe
• A5/2: weak ciphering, intended for use in other parts of the world
• A5/3: even stronger ciphering with open design
Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but
ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is initiated
with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The MS starts ciphering
and responds with the RR Ciphering Mode Complete message in ciphertext.
The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GSM 02.09 Section
3.3.3). Support of both A5/1 and A5/2 in the MS was mandatory in GSM Phase 2 (GSM 02.07 Section 2) until A5/2
was deprecated by the GSMA in 2006.
Anonymization of Subscribers
The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the clear on
Um. The TMSI is assigned by the BSC and is only meaningful within a specific network. The TMSI is assigned by the
network with the MM TMSI Reallocation Command, a message that is normally not sent until after ciphering is
started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established, it can be used to anonymize future
transactions. Note that the subscriber identity must be established before authentication or encryption, so the first
transaction in a new network must be initiated by transmitting the IMSI in the clear.
Further reading
• M. Boulmalf, S. Akhtar. Performance Evaluation of Operational GSM's Air-Interface (Um). UAE University.
pp. 4.
External links
• 3GPP - The current standardization body for GSM with free standards available [1].
• General Packet Radio Service GPRS: Architecture, Protocols, and Air Interface [2].
References
[1] http://www.3gpp.org
[2] http://www.comsoc.org/livepubs/surveys/public/3q99issue/bettstetter.html
License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/