Wednesday, 9 November 2011

Security in UMTS

UMTS being such a massive cellular network and that too wireless, security in UMTS becomes an important aspect. There can be some kind of attack by intruders which may bring down the entire network. One can jam channels which may result deny access for legitimate users. An unwanted and unauthorized user access the network and use services for free. An attacker may eavesdrop and intercept confidential calls results into leaking of confidential information and he may change the contents of data.

Security in UMTS is mainly consists of the below four components:
1. User Identity Confidentiality
2. Authentication
3. Integrity Protection
4. Ciphering

1. User Identity Confidentiality
The UMTS network does not disclose the identity of the subscriber and for the same network allocates temporary identifier TMSI or P-TMSI to UEs. TMSI (Temporary Mobile Subscriber Identity) applies to CS domain and P-TMSI to PS domain.
TMSI is unique within location area (LA) and hence to make the identifier unique globally, TMSI is used in combination with LAI. Similary, P-TMSI is unique within routing area (RA) and hence to make it unique globally P-TMSI is used in combination with RAI.


2. Authentication
In UMTS, authentication is bi-directional i.e. here UE authenticates network and network authenticates UE.
It is based on secret key known to both network and UE.
The home network on the request generates security information known as Authentication Vectors (AVs) and supplies to the serving network. Next, the serving network select one of the AV and sends two of the elements of the selected AV, RAND (a random number) and AUTN (authentication token) to the UE. UE checks that AUTN is valid and a counter within the AUTN is in the correct range and this way authenticates the network. UE then computes a RES (response) using an algorithm within the USIM. UE sends this RES to the CN and CN compared this with the XRES (expected response) received from home network. If both same, UE is successfully authenticated.

3. Integrity Protection
Integrity protection is applied to access stratum messages to detect whether the messages have been corrupted or not. With this procedure the integrity of the message is maintained. In this, with the help of certain inputs and an algorithm, MAC-I is calculated and attached with the message. The receiver calculate the expected MAC-I and compare both MAC-I. If the received MAC-I is same as calculated MAC-I, received message  is not modified.
All RRC message are integrity protected except few which are listed below:
RRC CONNECTION REQUEST
RRC CONNECTION SETUP
RRC CONNECTION COMPLETE
RRC CONNECTION REJECT
RRC CONNECTION RELEASE
PAGING TYPE1
PUSCH CAPACITY REQUEST
HANDOVER TO UTRAN COMPLETE
PHYSICAL SHARED CHANNEL ALLOCATION
SYSTEM INFORMATION
SYSTEM INFORMATION CHANGE INDICATION


IK = Integrity key(128 bits)
COUNT-I = RRC HFN(28 bits) + RRC Sequence Number(4 bits)
FRESH = A 32 bits network generated random value
DIRECTION = the direction of the message either uplink or downlink
MESSAGE = message to be integrity protected

4. Ciphering
Ciphering used to provide data confidentiality so that an attacker (man in the middle) could not read the message. Ciphering is done either at RLC or MAC. For TM RLC, it is done at MAC and for the rest, it is done at RLC.
CK = Ciphering key(128 bits)
COUNT-C = 32 bits counter. It can take any of one of the three based on RLC mode.
                       For TM: COUNT-C = MAC-D HFN(25 bits) + CFN(7 bits)
                       For UM: COUNT-C = RLC HFN(25 bits) + SN(7 bits)
                       For AM: COUNT-C = RLC HFN(20bits) + SN(12 bits)
BEARER = RB identifier(4 bits)
LENGTH = length of the required key-stream (16 bits)
DIRECTION = whether its uplink or downlink for the message to be ciphered (1 bit - 0 for uplink and 1 for            downlink)


>>The 20 MSB of both counter is initialized to a value called START. START values defined individually both for CS and PS domain and these are stored in USIM. UE first share this to network in the RRC CONNECTION SETUP COMPLETE message.
>>For the SRBs, the START value of latest configured CN domain is applicable.

Monday, 7 November 2011

System Information Block (SIB)

SIB's are system information that is transmitted from UTRAN to UE.

>>The set of channels used in transmitting SIBs:
BCCH (logical channel) --> BCH (transport channel) --> PCCPCH (physical channel)
and
BCCH (logical channel) --> FACH (transport channel) --> SCCPCH (physical chaanel)

>>System Information is the first set of information UE needs to decode and read information received from UTRAN to know about the system and hence the PCCPCH is transmitted with constant data rate and TF so that UE can easily decode the System informations.

>>For BCH, TTI is fixed as 20ms and fixed transport block size of 246 bits.

>>The radio interface are based on the 10 ms radio frames and each frames are counted by SFN from 0 to 4095 i.e total length of 4096. This SFN is the basis of scheduling of different SIBs. And, hence the complete System information is divided into 20 ms BCH transport blocks. Then, this 20 ms second BCH transport block is transmitted in two radio frames i.e in two SFN.

>>SIB contains one MIB (Master Information Block), two SB (Scheduling blocks) and many SIBs (System Information Blocks).

>> In general, SIBs are too large and the BCH transport blocks are of  fixed size hence Segmentation and Concatenation of the SIBs is required. This is done at RRC layer.

>> The different types of Segments are:
1. First Segment -  Indicates that this is the first segment of segmented SIBs.
2. Subsequent Segment - Indicates that this is the subsequent segment of segmented SIBs.
3. Last Segment - Indicates that this is the last segment of segmented SIBs.
4. Complete - Indicates that this is the complete SIBs i.e no segmentation.

>>SISs are of different types and that too large in size, SIB scheduling becomes a very important aspect. Below are the parameters used in SIBs scheduling:
SEG_COUNT : Defines the number of segments (1,...,16)
SIB_REP : Defines the SIB repetition period (after how many radio frames it will be repeated (4,8,16,...,4096))
SIB_POS : Defines the SIB position within SFN (multiple of 2)
SIB_OFF : Defines the offset for the next segment of segmented SIBs (multiple of 2)

>> For the MIB, some of the parameters are fixed. SIB_REP=8 frames, SIB_POS=0.

>>Different types of SIBs are:
SIB1 : The system information block type 1 contains NAS system information as well as UE timers and counters to be used in idle mode and in connected mode.
SIB2 : The system information block type 2 contains the URA identity.
SIB3 : The system information block type 3 contains parameters for cell selection and re-selection.
SIB4 : The system information block type 4 contains parameters for cell selection and re-selection to be used in connected mode.
SIB5 : The system information block type 5 contains parameters for the configuration of the common physical channels in the cell.
SIB6 : The system information block type 6 contains parameters for the configuration of the common and shared physical channels to be used in connected mode.
SIB7 : The system information block type 7 contains the fast changing parameters UL interference and Dynamic persistence level.            
SIB8 : The system information block type 8 contains static CPCH information to be used in the cell.
SIB9 : The system information block type 9 contains CPCH information to be used in the cell.
SIB10 : The system information block type 10 contains information to be used by UEs having their DCH controlled by a DRAC procedure.
SIB11 : The system information block type 11 contains measurement control information to be used in the cell.
SIB12 : The system information block type 12 contains measurement control information to be used in connected mode.
SIB13 : The system information block type 13 contains ANSI-41 system information.
SIB14 : Only for TDD
SIB15 : The system information block type 15 contains information useful for UE-based or UE-assisted positioning methods.
SIB16 : The system information block type 16 contains radio bearer, transport channel and physical channel parameters to be stored by UE in idle and connected mode for use during handover to UTRAN.
SIB17 : Only for TDD
SIB18 : The System Information Block type 18 contains PLMN identities of neighbouring cells to be considered in idle mode as well as in connected mode.         


Sunday, 30 October 2011

Femtocells

Femtocells are small cellular network used in homes, offices etc.

In the beginning, there were many debates and thoughts on femtocell:
  • Is it really required?
  • Will it be commercially successful?
  • As femtocell will use the same frequency bandwidth as MACRO then how it deals the interference issue with MACRO.
Advantages of femtocell:
  • It improves coverage. Generally, in the basement of the building or in the cell edge area, MACRO network coverage is not so good. In such places, femtocell creates it's own small cellular network and provides good network coverage.
  • Being in high coverage area, UE requires less power to transmit and hence saves battery power which is very important in the world of smart phones where so many background services runs.
  • Less deployment cost comparing MACRO deployment.
  • Decreases the MACRO load. With more number of femtocells, the MACRO can serve more number of users at a given point of time.
Femtocells have it's own advantages from the both operators and users perspective. Consequently, many telecom biggies invested huge money to develop and deploy the femtocells and it's equally adopted by users happily in many countries.

Femtocell in future:
Being a home based cellular system, it can improve the home security, personal safety, and help integrating smart phones with other home appliances like TV, AC, Laptops, Media Players etc.
When children phone (registered users) comes in the coverage area of home femtocell, the parents can be informed by SMS. 
Also, they can be integrated for a registered user that which appliances need to ON when it's in the coverage of femtocell i.e when registers users phone latch on the home based femtocell network, it can automatically ON appliances like lights, AC etc.

But, it's not all rosy picture for femtocells in future. Femtocells have to compete with Wi-Fi networks.
To understand this, let's do comparative analysis of both the femtocells and Wi-Fi network.
Femtocell vs Wi-Fi
  1. From the operators perspective, femtocells are more preferred as it's easy to integrate with the existing network whereas Wi-Fi has lesser inter-working with the existing network and there are concerns of handset choices etc.
  2. Femtocells has additional cost of box over Wi-Fi and here Wi-Fi has advantage over femtocells.
  3. Femtocells can only be used in its home location only whereas a Wi-Fi enabled phone can use any of the Wi-Fi network (access provided).
Hence, femtocells promotors have to work on idea and proposals so that additional cost of the box can be covered and also provides an attractive propositions for it's users.

Femtocell in INDIA:
With growing demand of high capacity and coverage and increase in the number of mobile users in India too, it's quite possible that we may see femtocell soon in India.
http://indiatelecomnews.com/?p=1292

HARQ Procedure

Automatic Repeat Request (ARQ) is a re-transmission protocol in which the receiver checks for errors in the received data and if an error is detected then the receiver discard the data and requests a re-transmission from the sender.
Hybrid ARQ (HARQ) is re-transmission protocol in which the receiver checks for errors in the received data and if an error is detected then the receiver buffers and requests a re-transmission from the sender. A HARQ receiver then combine the buffered data with the re-transmitted data prior to channel decoding and error detection. Hence, even if the re-transmitted data is partially received in error, after combining with buffered data may be error free and no further re-transmission required.
Parallel HARQ processes used to avoid impact on throughput. When one HARQ process waits for the ACK, the second HARQ process can transmit in subsequent TTI. These parallel processes are known as Stop and Wait processes because they stop and wait for ACK from the receiver before sending any further data.
3GPP allows maximum 8 parallel HARQ processes to be configured for an individual UE.

HARQ in HSDPA:
  • The number of parallel HARQ processes at any point is dynamic and changes according to rate TTI are scheduled.
  • It can use maximum of 8 processes.
  • The HS-SCCH is used to inform the UE that which of the HARQ process is being used at any point of time. 
HARQ in HSUPA:
  • The number of parallel HARQ processes are fixed. 
  • A HSUPA connection using a 10 ms TTI always uses 4 parallel HARQ processes whereas a connection using 2 ms TTI always use 8 parallel HARQ processes.
  • It is not required to inform NodeB that which HARQ process is used at any point of time. The HARQ processes are allocated to consecutive TTI in a cyclic fashion.

Saturday, 29 October 2011

UTRAN Initiated Security Mode Procedure

In GSM, Integrity is not there. But in UMTS, Integrity is mandatory.

In case of Inter System Handover, when an UE comes from GSM to UMTS system, UTRAN should trigger the Security Mode Procedure to start integrity. This is solely UTRAN initiated procedure and not triggered by Core Network. The integrity key and algorithm used are the one which was received in Handover Request message. The Security Mode Command message should not include the ciphering info as this is to start integrity.

If ciphering was enabled on the GSM, then UE enabled ciphering immediately after receiving Handover To Utran Command message and consequently the next message Handover To Utran Complete sent by UE will be ciphered.

UMTS Introduction

UMTS stands for "Universal Mobile Telecommunications System".

The 3rd Generation Partnership Project (3GPP) has been responsible for generating the technical specifications which defines the UMTS protocols and performance requiremnts.

Based on time to time requirements from both Operators and Users, the technical specifications continue to evolve e.g. from only circuit switched call to normal packet switched call to hsdpa call to hsupa call and so on.

With increasing requirements like high data rate, high throughput, multiple services at a time, everyone talking and putting continuous efforts to achieve them.

UMTS high level architecture: