
Architecture and General Principles, Week 1

Video 1: Visible Elements of a Mobile Net and Sub-Nets (UE, SIM Card, Antennas and eNB, EPC, eUTRAN)
Video 2: The Cellular Concept
Video 3: Equipment of the Core of the Net: Routing Data (SGW, PGW)
Video 4: Ctrl Equipment in the Core of the Net (HSS, MME)
Video 5: Synthesis of the Architecture and Interfaces (S1, S5/S8, S6a, S11, X2)
Video 6: Organization of the Course
Video 7: Services and Various Generations
MOD 1.1: Elements of Mobile Net & Sub-Nets
(UE & SIM Card; Antennas & eNB; EPC & eUTRAN)
Q?: Element(s) @ Mobile Net? → (Visible & Other)

BASE STN
Antenna: radiating device; transforms high-freq. alternating current into EM waves.
• Base stn: set of transceivers
• B. Stn equipped w/ antennas
• UE (Term) comm. w/ B. Stn via rad. trans.
• Transceivers: enable rad. trans. between UE & Net (baseband equip)

MOBILE NET
Group of B. Stn
• B. Stn(s) connect to IP Net
[Diagram: eNBs, IP Net, Router]

Access & Core Net
[Diagram: eUTRAN (uni. terr. RAN), Router, IP Net, EPC (Core net), www, Servers]
MOD 1.2

The Case of a Rural Zone

The Case of a Suburban Zone

The Case of an Urban Zone


MOD 1.3: PGW (Packet Gateway)

[Diagram: UE, eNode Bs]
• www can't manage mobility
• Data packets routed via PGW
• PGW: routes data to terminal; terminal data to www

SGW: Intermediary GW
• When term/UE changes loc. from one eNB to another eNB, need Regional/Serving GW (SGW), to avoid rerouting at PGW level
[Diagram: SGWs, IP Network of Mob. Net. Oper., PGW, Internet (www), Server]
• SGW serves geograph. zone
• SGW enables:
  > Collect data sent by UE (Term) via multiple eNBs
  > Data distrib. from servers to eNBs where UE loc.

Ctrl Equip @ Core (HSS, MME)

NB: Net access ctrl.

HSS: Subscriber DB
• HSS: Home Subscriber Server
• HSS DB: sub(s) profiles; imprecise loc; security
[Diagram: HSS, SGWs, IP Net, PGW, www]

MME (Mobility Mgmt Entity)
• Signaling: exchange info + mgmt of net access; track UE movement.
• UE attach to net @ on → Net attachment
• Transfer (Prof. & Sec. Data): MME-HSS
[Diagram: SGW, MME, HSS, PGW, www, server]

MME Funct.
• Comm. w/ set of B. Stn(s)
• HSS → MME (Prof. & Sec. info); store P&S info
• Mgmt ctrl r/t: net access, sec., mob.
• Maint. aware of UE loc in MME zone
• Select PGW & SGW @ UE attach to Net → connect to www
• Involved in handover (hand off)

Logical & Simplified

[Diagram: Routers, SGWs, IP Net, MMEs, HSS, PGW, www]
• Equip intercomm even if not direct. connect.
  - Comm via IP Net.

Interfaces Between Equip of Net. Core
* S5 (SGW): transport user data & signal msg.
* S6a: sign. msg.
* S11 (SGW): sign. msg.
* S1-MME: sign. msg.
* SGi (PGW, www)
* S1-U: trans. user data; no sign.
* X2: trans. user data & sign.
* Uu (radio): trans. user data & sign.

Synth of Architect & Interfaces (S1, S5/S8, S11, X2)

Physical vs Logical Interface
[Diagram: SGWs, Routers, MMEs, HSS, PGWs, IP Net, www]
• Equip intercomm even if not phys. connect.
• All net equip has protocol stack from IP family
• "Nodes" (S/PGW; MME; HSS) interconnect to IP Net
• IP Net interconnects routers
• Retransmit via successive hops.

Interfaces Between Net Core Equip

[Diagram: IP Net with MME, SGW, HSS, PGW, www; interfaces S1, S1-U, S6a, S5]

Interconn Net

[Diagram: Country B and Country F; IP Net 1 and IP Net 2 joined by Interconn Net; SGW, MMEs, PGW, HSS]

Interconn Net CONT'D

[Diagram: Country B and Country F; S1-U, S1-MME, MMEs, SGW, S8, S6a, PGW, HSS]

Other Equip & Interfaces

[Diagram: UEs, eNBs, MMEs, SGW, PGW; interfaces S10 (MME-MME), S13, S1-MME, S11, S1-U, X2]
NB:
* EIR → Equip. ID Register; DB stolen; S13 w/ MME
* PCRF → Policy Charging Rules Func.; serv'c qual. mgmt; Gx w/ PGW

Core Net & Interfaces Diagram.
[Diagram: MMEs, HSS, SGW, PGW, EIR, PCRF; interfaces S11, S8, Gx]

2.1 Terminal ON
• SIM & IMSI (Internat. Mob. Sub. ID)
• IMSI = MCC (Mob. Country Code) + MNC (Mob. Net. Code) + MSIN (Mob. Sub. ID #)
  - MCC + MNC → oper. net
  - MSIN: 9-10 digits; 15 digits max
• Attachment proc. @ power on
• IP allocated.
• UE indicates type of service
• Specify APN → which PGW to use

1. Power on: UE listens to beacon channel. UE finds Net → Attach Req. (IMSI).
2. MME checks for sub. profile; MME verifies w/ HSS
3. HSS searches profile, transfers profile to MME, sends APN to MME
4. MME sends APN to SGW + PGW
5. PGW allocates IP, sends to SGW → MME → UE

[Diagram: UE, MME, HSS, SGW, PGW, Server; Attach Request (IMSI, MME ID); Sub. Profile (APN); Public Access, Prof. Access; APN → which PGW to use; IP]

Wk 2.1 Sec. Mech

Authenticate: fraud. use of net
• ex: tamper w/ UE to show someone else's IMSI
• Net verifies @ UE access that subscription valid & that SIM issued by op.
Encrypt: listening to info transmitted to UE
• w/ receiver @ freq. = to B. Stn
Integ: mod. msg.
• transceiver changing IP allocated to UE @ attach proc'dr, via superposing on signal transmit. by B. Stn
Temp ID: track/loc. UE
• IMSI is the identifier
• listen to exchange @ rad. band & detect IMSI → know which sub. nearby
• Avoid trans. IMSI
• @ activate service, UE ID → use temp ID, freq. renewed

Wk. 2.2 Authentication & Authorization

* Net verifies UE ID
NB: Verify that IMSI has not been modified.
• @ attach UE prov'd valid ID
• 128-bit secret key K
• IMSI, K stored in SIM & HSS
• @ attach, UE sends IMSI to HSS.
• HSS sends random # (RAND) to UE.
• Both UE & HSS use "cryptograph. f" to calc. RES & XRES
• Cryptograph. f: RAND & K 128 bits; RES → 32 to 128 bits
• 1-way algorithm

RES/XRES = f(RAND, K)   (RAND, K: 128 bits; RES/XRES: 32-128 bits)

[Diagram: UE (IMSI, K) and HSS (IMSI, K); IMSI; RAND; RES; XAUTN; SQN valid]

WK 2.2 CONT'D Auth.

• UE NOT comm. w/ HSS direct. MME plays role in authent.
• AUTN: Authent. Token
  AUTN = g(RAND, K, SQN)
• SQN → Sequence #
• Every next time new auth. vector
• SQN incremented: SQN = SQN + 1
• Auth. vector: RAND, XRES, AUTN (+SQN)

[Diagram: UE, MME, HSS; IMSI; auth. vector (RAND, XRES, AUTN (+SQN)); RAND, AUTN (+SQN); XAUTN = AUTN; RES; RES = XRES; SQN = SQN + 1]

WK 2.2 CONT'D Auth

• Prot'cl exchange between UE & MME hidden from HSS
  - HSS NOT direc. comm. w/ UE
  - HSS receives auth'nt req'st
  - responds w/ auth. vect's.
[Diagram: Country F, Country B; UE, MME, HSS; IMSI; Auth. Vect'r]
• W/o HSS giving access to secr't key, MME auth'nt UE

Auth'nt Summary
• Based on secr't, cryptograph. f, rand. #
• Secr't stored @ SIM & HSS; never trans. over net
• SIM & HSS ⇒ same calc.
• Auth'nt valid @ RES = XRES
• Mutual auth'nt → auth'nt: UE by net; net by UE
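
An added example (not part of the original notes) of the challenge-response exchange summarized above, following the notes' simplified model in which SQN travels alongside AUTN. HMAC-SHA-256 stands in for the functions f and g as an assumption, and the class names, IMSI and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def f(k, rand):
    """Stand-in for f (assumption: HMAC-SHA-256): RES/XRES = f(RAND, K), 64 bits."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:8]

def g(k, rand, sqn):
    """Stand-in for g (assumption): AUTN = g(RAND, K, SQN), 128 bits."""
    return hmac.new(k, b"AUTN" + rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:16]

class HSS:
    def __init__(self):
        self.subs = {}                        # IMSI -> [K, SQN]

    def provision(self, imsi, k):
        self.subs[imsi] = [k, 0]

    def auth_vector(self, imsi):
        rec = self.subs[imsi]
        rec[1] += 1                           # SQN = SQN + 1 for every new vector
        k, sqn = rec
        rand = secrets.token_bytes(16)        # 128-bit RAND
        return {"RAND": rand, "XRES": f(k, rand), "AUTN": g(k, rand, sqn), "SQN": sqn}

class SIM:
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn = imsi, k, 0

    def challenge(self, rand, autn, sqn):
        """Authenticate the net (XAUTN = AUTN, fresh SQN), then answer with RES."""
        if sqn <= self.sqn:                   # replayed or stale vector
            return None
        if not hmac.compare_digest(g(self.k, rand, sqn), autn):
            return None                       # net does not know K
        self.sqn = sqn
        return f(self.k, rand)

def mme_attach(hss, sim):
    """MME relays the exchange; it only sees the vector, never K."""
    av = hss.auth_vector(sim.imsi)
    res = sim.challenge(av["RAND"], av["AUTN"], av["SQN"])
    return res is not None and hmac.compare_digest(res, av["XRES"])

if __name__ == "__main__":
    key = bytes(range(16))                    # constructed 128-bit K
    hss = HSS()
    hss.provision("001010000000001", key)     # constructed test IMSI
    print(mme_attach(hss, SIM("001010000000001", key)))        # genuine SIM
    print(mme_attach(hss, SIM("001010000000001", bytes(16))))  # wrong K
```

The SIM refuses a vector whose SQN it has already seen, which is why a recorded RAND/AUTN pair cannot be replayed to it later.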

Wk 2.3 Cipher & Decipher

* Listen to comm.
NB: Cipher aka encrypt.
• Math op.: XOR (exclusive OR)
• Between clear txt & seq'nc gen'rt'd by sender
• Works bit by bit → bit from seq'nc output
• Ciph. seq'nc different every time
NB: XOR: if bits same → 0; 1 XOR 1 = 0

[Diagram: clear txt (data to trans.) Packet N, Packet N+1, length L; cipher seq'nc N; ciphered data Packet N, length L; clear txt (data received) Packet N]

Wk 2.3 Cipher CONT'D

NB: Ciph. seq'nc different every time.
• Start algorithm (based on few input parameters) → gen'rt seq'nc adapted to data to ciph.
• Start @ basic ciph. K (relat. stable)
• Kenc (shared K) → basis for ∞ # of ciph. seq'nc.
• Ciph. K calc. from RAND
• # each pckt; integr. pckt # & amount of data to ciph. as input param. of algo (to calc. ciph. seq'nc); direc. indic. (up/down link) & bearer #.
• Ciph. algo exec. @ UE & eNB

[Diagram: RAND, secr't key K → calc. → key Kenc (shared) → ciph. algo w/ pckt #, bearer, direc., pckt size → seq'nc N-1, seq'nc N, seq'nc N+1]

Wk. 2.3 Ciph. Cont'd

Ciph. Algo(s) (MME signaling)
0 Null => only @ testing
1 Snow 3G @ 3G
2 AES: most secur.
Param'tr(s): pckt #, bearer, pckt size, direc.

[Diagram: UE, eNB, MME, SGW, PGW, HSS; S1-U, S1-MME, S5/S8; req. ciph. algo; data exchange]
• Pckt from PGW → eNB; @ eNB ciph. b4 send via rad. link
• Kenc @ auth. phase (between UE & eNB).

Cyph (Encr.) Summary
• Kenc gen'rt'd (f) K (secr't K) & RAND (from auth.)
• Pckt recept.: UE decyph.; next pckt → N+1; same shared secr't but new cyph. seq'nc.
• Cyph. seq'nc spec. to ea. pckt; gen'rt'd w/ Kenc & param'tr(s)
• Cyph. based on XOR.
• Cyph. & decyph. → same oper.

Wk 2.4 Integ. Ctrl

* Can one mod. msg(s)?
NB:
• W/ ea. data frame → + code (bytes of info)
• Cryptograph. hash func. → calc. code
• Size of output data always same; does not depend on input
• @ Rad. link sender + MAC to useful data @ ea. frame
• MAC 32 bits
  - @ Receive: recalc. MAC from data & compare to MAC in frame.
  - MAC (recalc.) = MAC (frame) → integ.

Protect from Mod.
[Diagram: Pckt N, length L → calc. cryptograph. hash func. → MAC (Msg Auth. Code), 32 bits → Pckt N + MAC, length L+32 → receiver calc. MAC]
NB:
• Integ. ctrl for sign. msg(s), ex: @ handover
• Not activated for user data
  - If necess., activate integ. end-to-end → UE app & server app
• Receiv'r & Send'r: same hash func.
• Same Kint, negot. @ auth. phase → gen. from RAND & Ksecr.

Wk 2.4 Integ CONT'D

[Diagram: integ. algo w/ inputs pckt #, bearer, sign. msg & direc., Kint (from RAND, Ksecr) → MAC; Pckt N + MAC; only for sign. msg, MME-UE]
NB:
• Receiv'r & Send'r: same hash func.; same Kint
• Kint => negot. @ auth.; gen. from RAND & Ksecr.
• Sign. msg > UE-eNB & UE-eNB-MME

Wk 2.4 CONT'D Integ.

Integ. Algo (MME)
0 Null
1 Snow
2 AES

Integ. & Ciph.
[Diagram: Pckt N, length L → ciph. → Pckt N ciphr'd → + MAC, 32 bits → Pckt N ciphr'd + MAC, length L + 32 bits; UE, MME, SGW, PGW, HSS, www; S1-MME, S1-U, S11; receiver calc. MAC]

Integ. Ctrl Summary
• Only sign. msg.
• MAC added to ea. msg.
• Computed by both snd'r & rec'vr
• W/ integ. K genrt'd → w/ Ksecr; w/ RAND
• MAC = MAC ⇒ integ.
NB:
• Send'r ciph's then + MAC; Receiv'r opposite: verify MAC then deciph'r
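
An added example (not part of the original notes) that ties together the cipher and integrity summaries: a per-packet cipher sequence XORed with the clear text, then a 32-bit MAC appended, with the receiver verifying the MAC before deciphering. HMAC-SHA-256 is an assumption standing in for the real cipher and integrity algorithms, and the keys and message are constructed.

```python
import hashlib
import hmac

def keystream(k_enc, count, bearer, direction, length):
    """Per-packet cipher sequence; HMAC-SHA-256 in counter mode is a stand-in
    (assumption) for the SNOW 3G / AES based algorithms."""
    seed = count.to_bytes(4, "big") + bytes([bearer, direction]) + length.to_bytes(2, "big")
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(data, seq):
    """Bit-by-bit XOR; the same call ciphers and deciphers."""
    return bytes(a ^ b for a, b in zip(data, seq))

def mac32(k_int, count, bearer, direction, msg):
    """32-bit MAC over the packet parameters and the (ciphered) message."""
    hdr = count.to_bytes(4, "big") + bytes([bearer, direction])
    return hmac.new(k_int, hdr + msg, hashlib.sha256).digest()[:4]

def protect(k_enc, k_int, count, bearer, direction, clear):
    """Sender: cipher first, then append the MAC (length L + 32 bits)."""
    ciphered = xor(clear, keystream(k_enc, count, bearer, direction, len(clear)))
    return ciphered + mac32(k_int, count, bearer, direction, ciphered)

def unprotect(k_enc, k_int, count, bearer, direction, frame):
    """Receiver: verify the MAC first, decipher only if it matches."""
    ciphered, mac = frame[:-4], frame[-4:]
    if not hmac.compare_digest(mac, mac32(k_int, count, bearer, direction, ciphered)):
        return None                       # modified in transit: drop
    return xor(ciphered, keystream(k_enc, count, bearer, direction, len(ciphered)))

if __name__ == "__main__":
    k_enc, k_int = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    msg = b"handover command"                                # constructed message
    n = protect(k_enc, k_int, 7, 1, 0, msg)
    n1 = protect(k_enc, k_int, 8, 1, 0, msg)
    print(n.hex(), n1.hex())              # same clear text, different ciphered data
    print(unprotect(k_enc, k_int, 7, 1, 0, n))
    tampered = bytes([n[0] ^ 1]) + n[1:]
    print(unprotect(k_enc, k_int, 7, 1, 0, tampered))
```

Because the packet number feeds both the cipher sequence and the MAC, a frame presented under a different packet number fails verification as well.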

WK 2.5 Key Hierarchy

* How are K's distrib.?
[Diagram: SIM (IMSI, K); HSS (IMSI, K; MCC/MNC); Oper/Country B: MME, KASME; Oper/Country C: MME, KASME; S1-U, S6a, SGW, S5/S8, PGW; inputs: integ. algo, encr. algo, ID of visit. net (MCC/MNC)]
• Cyph. user data between UE & eNB
• Cyph. sign. data / cyph. msg → between UE & MME

KASME (Access Secur. Mgmt Entity)
NB:
• HSS → KASME from IMSI K
• HSS delegates rest of K's to MME; MME uses KASME for rest of K's
• HSS trusts MME that contacted it
• HSS, for KASME, takes into accnt. Net ID (net asking for it) (visit. net; Net ID def'nd by MCC/MNC pair)
• Authoriz. another Net. to use KASME

Wk 2.5 CONT'D Key Hier

[Diagram: IMSI K; KASME (MCC/MNC) @ HSS, MME; KeNB; KRRCenc, KRRCint; KNASenc, KNASint; KUPenc]
Enc = Cyph
NB: SIM also
• KASME & KeNB used for remainder of K's.
• NAS: Non Access Stratum; RRC: sign. UE-eNB; UP (User Plane)
• KNASenc & KNASint: between UE & MME; @ eNB: K's to protect sign. msg between UE & eNB
• KASME (@ UE); KASME @ MME

Wk 2.5 Key Hier Cont'd

NB: Use cryptograph. hash func., ex: SHA-2
[Diagram: inputs RAND, Oper ID, # of auth's (SQN), # of msg(s) MME-UE; IMSI K → KASME → KRRCenc, KRRCint, KNASenc, KNASint, KUPenc]

Mod 2.6 Temp ID

* Can someone track my movement?
NB: IMSI: unique perman'nt identifier
• B4 ea. comm. UE auth. to Net.
• Cyph. → not activ. @ 1st exchange
• If IMSI used all the time for ID, easy to track mov.
• Solution: mech. to limit use of IMSI @ minimum.
• @ 1st auth. UE has to use IMSI
• Once auth. & encr. rad. link ⇒ Net alloc. Temp ID
  => Temp ID used all the time thereafter.

Temp ID → TMSI
• Alloc. @ encr.
• Attack'r can NOT link IMSI & TMSI
• TMSI used as ID @ all furth'r comm.
• Change @ UE mov. cell/MME
• Renewed @ oper. policy; oper. chooses freq.

[Diagram: UE (IMSI, K), MME, HSS; IMSI; RAND, XRES, AUTN, KASME; RAND, AUTN; AUTN = XAUTN; RES; RES = XRES; TMSI]

MOD 2.6 TMSI CONT'D

[Diagram: UE, MME (old), MME (new), HSS; GUTI; ctrl msg integ.; IMSI, secur. context]
NB: Proced'r func. @ UE mov.
• @ UE @ new MME → new MME receiv. attch req'st.
• By look @ GUTI => find (old) MME => MME (old) that assigned TMSI
• MME (new) can → activ. cyph. & integ. w/o going through full auth. cycle.
• This avoids contact w/ HSS.

TEMP ID REVIEW
• Necess'ry to prevent hack'r from track UE loc.
• TMSI → Temp Mob. Subscr. ID
  - Alloc. to UE
  - Chos'n by MME that ctrl UE
  - Transf'r'd aft'r ciph. activ.
  - Can freq. update
• GUTI => Glob. Unique Temp ID
  - Necess'ry to recov'r IMSI @ UE change MME
Mod. 2.6 TMSI CONT'D

NB: Short ID (TMSI)
• 4 bytes w/ loc. signif. for MME
• Same value can be used @ 2 MME(s) for 2 different UE(s)
• Larg'r struct. needed → for global signif.

GUTI → Glob'l Unique Temp. UE ID

• Enable Net to loc. MME (that alloc. TMSI)
• GUTI contains → TMSI & unique MME ID
• Unique MME ID: MCC, MNC, MME Group ID, MME Code

GUTI (80 bits): MCC (Mob. Country Code) | MNC (Mob. Net. Code) | MME Group ID | MME Code | TMSI (32 bits)

[Diagram: UE sends GUTI (msg clear txt) to MME; MME: GUTI → IMSI (secur. context); chk integ. msg; auth'd; eNB]
NB: UE makes Net attch req'st @ attch → sends 1st msg, uses GUTI as ID'fr
• MME finds IMSI from GUTI & secur. context => auth.
• After auth. → MME can => activ. cyph. @ rad. link; config. K(s) @ eNB
• Protect every trans. msg thereafter
• HSS NOT contacted @ this proced'r.
