Wireless networks Philippe Jacquet INRIA Ecole Polytechnique France
GSM network • « 1 km in the air, 1000 km in wires » • BTS: Base station Transceiver System • BSC: Base Station Controller • MSC: Mobile Switching Center • VLR: Visitor Location Register • HLR: Home Location Register VLR HLR MSC BTS BSC mobile Fixed networks
Wireless interface • Uplink frequencies, downlink frequencies • Each frequency divided in eight periodic slots (channels) • One signalisation channel +seven voice channels.
Wireless interface • Frequency organisation Burst=packet Middample: training sequence
Security in GSM • Authentification: high level security • Impossibility of account parameter highjacking is contractual • Encryption: low level security • Possibility of eavedropping by government agencies
SIM chip: contains all security • Subscriber Identity Module • Subscriber identifier IMSI • PIN code • Key Ki for authentification • last dialed numbers and areas
Security GSM Algorithms • Algorithme A3 for authentification based on Ki key. • Ki 128 bits deposited in SIM, is known by operator • Algorithm A8 to create an encryption Kc key • Algorithm A5 for voice encryption from Kc.
on mobile terminal • At request the network sends a 128 bits random number RAND. • SRES=A3(RAND,Ki) 32 bits • Ki impossible to get from SRES and RAND • Kc=A8(RAND,Ki) 64 bits • Ki impossible to get from Kc and RAND • code=A5(Kc,info) • Kc easy to get from clear 64 bits on air • breakable in less than 2 minutes on regular PC.
Authentification • Operateur sends a number RAND • Operator and mobile terminal separately computes SRES • Mobile sends SRES to operator • If both SRES are identical, then user is authentified
authentification SIM VLR Ki RAND Ki SRES=A3(RAND,Ki) SRES=A3(RAND,Ki) accepté SRES test =
Encryption • Mobile and operator compute Kc. • Encrypt and decipher infos with same algorithm A5. • Add each data 114 bits block with pseudo-random 114 bits • Pseudo-random bits computed with Kc and info block number (algorithme A5). • Brute force attack costs 240
Data in voice: GPRS • General Packet Radio System • Enable GSM modem for internet connection • Use idle slots on frequencies pour send and receive data • Charged on per volume basis (voice charged per duration) • Require a protocol stack and a security level and « IP ».
Additional elements in GSM for GPRS internet • SGSN (Serving GPRS Support node) • GGSN (Gateway GPRS Support node) • Un tunnel protocol GTP • Specific authentification procedures SGSN VLR GGSN HLR MSC BTS BSC mobile Réseau fixe
Authentification • First: GSM authentification • Second: GPRS authentification • Creation of a network identitier for IP
Encryption • Regular wireless encryption • Unreliable but needs radio vicinity to break • Require IP encryption • SSH (Secure Shell)
Ipsec protocol IPsec Authentification Header transport mode IPsec Encapsulating Security Payload (ESP) IPsec ESP-tunnel mode
UMTS and CDMA • UMTS is the next generation mobile phone • 3G, (GSM=2G) • Based on CDMA/TDMA Frame=10ms Frame=12 slots of 0.666 ms each
UMTS and CDMA • Slots are periodic • Many users can use the same slot • Sharing via code division frequencies codes GSM UMTS
Code Division Multiple Access • Equivalent to digital fourier transform Fast code Separates transmitters Slow symbol Contains info
Code Division Multiple Access • Basic hypothesis • Data extraction
Code Division Multiple Access • Advantages • Many codes can be given to a single user • Flexibility of use • More bandwidth occupation • Drawback: • Sensitive to near-far effect • Must equalize power
CDMA in Wifi • User modulate datas on a code • No Code division • Allow to fight inter-symbol fading
Wave propagation • Signal attenuation with distance • P0 nominal power • Isotropic medium • =2 in vaccum
Wave propagation • Antenna variation • Distance Fading • Non isotropic medium • Rayleigh fading: is gaussian
Wave propagation • Inter-symbol fading • diffraction on obstacles creates delayed echos Emitted Signal echos Received Signal
Wave propagation • Inter-symbol fading • Attenuation is now a convolution • T: most delayed echo • Average fading is distance fading:
Inter-symbol fading • The typical echo delay T increases with distance • Depends on medium • in vaccum • in 1D homogenous medium • in 2D homogenous medium • with ½<h<1in « fractal » medium • Effect of inter-symbol fading • Does not affect significantly Shannon capacity limit • But: complicates the decoding when T is comparable to inter-symbol time (1/W)
Inter-symbol fading • Example of fractal medium : urban area
Complexity of signal processing • Signal processing • First level signal decoding • Mainly digital • Equalization • Reverse the convolution fading • With noise
Complexity of signal processing • Equalization • Emission of a known training sequence x(t), received y(t) • Knowledge of both x(t) and y(t) gives (t) and -1(t) in theory. • Discretized sampling with frequency =1/
Complexity of signal processing • Resolution of a linear system • Of dimension • Resolution takes operations • Must be repeated every time fading changes: • If , then the processing computing power is
Complexity of signal processing • In general a wireless interface is calibrated for • A minimal SNR and a fixed capacity I • A maximal signal processing power • Therefore for a limit range R • There exists a minimal nominal power P0.
Complexity of signal processing • Diagram Capacity-Range Hiperlan1&2 IEEE802.11a-g Capacity in bit/s Wifi B IEEE 802.11 UMTS pico-cell UMTS micro-cell bluetooth GSM UMTS range in m
Error suppression • Error Detection via check sum • Message=binary polynomial • Check sum is the rest of division of message polynomial by a known polynomial of degree 32. • The check sum is then 32 bits • The receiver compare with transmitted check sum (failed error detection probability 2-32) message Check sum
Error suppression • Two kinds of error suppression • Forward Error Correction (FEC) • Automatic Repeat Query (ARQ)
Error suppression • FEQ: forward error correction • Addition of extra bits to message to help correction of corrupted blocks. E.g. sum of all blocks. • Detection of corrupted blocks via local check sums. • Matrix n(n+r) has all n n sub-matrices reversible • Encoding rate = n/(n+r) 1 (0) (0) Encoded Message = Message 1
Error suppression • Data interleaving to spread error burts
Error suppression • ARQ: Automatic Repeat Query • The receiver acknowledge correctly received blocks • Emitter repeats non acked blocks 1 2 3 4 5 6 7 8 ACK: 1,2,5,7 3 4 6 8 ACK: 4,8 3 6 ACK: 3,6 3 6 ACK: 3,6