Transcript Document 7226370

2. Conventional networks
2.3 Cellular networks
• Overview
• Network capacity
• Security: the Lin-Harn protocol
• Billing
Prof. JP Hubaux
1
The Public Switched Telephone Network
(reminder)
Transit
switch
Transit
switch
Long distance network
Transit
switch
Local
switch
Local
switch
Incoming
call
Outgoing
call
- Transfer mode: circuit switching
- all the network (except part of the access
network) is digital
- each voice channel is usually 64kb/s
2
Trunk Dimensioning in the Telephone
Network (reminder)
Trunk with N channels;
each channel carries a traffic of 
Virtually
infinite
sources
B: blocking probability (*)
A: offered traffic
A   calls/s * E  X  seconds/call (Erlang),
where X represents the duration of calls
Output utilization:
Erlang formula:
B
1  Bg
A
b

AN
N ! i  0
N
F
AI
G
J
i
!
HK
i
N
Assumptions:
• Loss system: calls are dropped if they cannot be immediately accepted
• The sources are independent from each other
• The time between call arrivals is drawn from an exponential distribution
(*): the blocking probability is defined as the probability of an incoming call
to be rejected, because all N channels are already occupied.
3
Principle of the basic call (reminder)
Calling
terminal
Called
terminal
Network
Off-hook
Resource allocation
Dial tone
Dialing
Translation + routing
Alert signal
Ring indication
Off hook
Remove ring indication
Bi-directional channel
Conversation
On hook
On hook signal
Billing
4
Basic architecture of a cellular network
Server
(e.g., Home Location
Register)
Mobile
station
Base
station
Mobile
switching
center
Cellular network
External
Network
5
Registration
Term. Nr: 079/4154678
Tuning on the strongest signal
6
Service Request
079/4154678
079/8132627
079/4154678
079/8132627
7
Paging broadcast
079/8132627?
079/8132627?
079/8132627?
079/8132627?
Note: paging makes sense only over a small area
8
Response
079/8132627
079/8132627
9
Channel Assignment
Channel
47
Channel
47
Channel
68
Channel
68
10
Conversation
11
Handover (or Handoff)
12
Message Sequence Chart
Caller
Base
Station
Base
Station
Switch
Periodic registration
Service request
Paging broadcast
Tune to Ch.47
Ring indication
Stop ring indication
Callee
Periodic registration
Service request
Page request
Page request
Paging broadcast
Assign Ch. 47
Paging response
Paging response
Assign Ch. 68
Tune to Ch. 68
Alert tone
Ring indication
Stop ring indication
User response
User response
13
Peculiarities of Personal Communication
Systems (PCS)


Mobility
User location ==> periodic registration and/or paging
Moving form a cell to another ==> handoff procedures
Moving from one network to another ==> roaming
Ether
Multiple users per cell ==> access technology (FDMA,
TDMA, CDMA)
Channel impairments ==> coding, error detection,
retransmission, forward error correction
 Bandwidth ==> channel reuse, signal compression, efficient
modulation and coding
Privacy and security ==> encryption

Energy
Limited autonomy ==> power control, discontinuous
transmission
14
Services offered by current PCS






Telephony services (including voice mail, call
transfer,…)
Short message services
Voiceband data and fax
Packet switched data (e.g., GSM/GPRS, CDPD)
Closed user groups
Telemetry
15
Relevant service features (user perspective)


















Terminal characteristics (weight, size, robustness, price)
Battery life / autonomy
Modes of operation of the terminal (as a cellular phone, a cordless phone, with
a satellite,…)
Service price
Range of services
Coverage area (of the home network + roaming agreements)
User environment while roaming
User interface: ease of use, programmability
Call blocking (service denial)
Call dropping
Setup time
Transmission quality (error rate, signal to distortion ratio, delay)
Maximum speed of the terminal
Authentication technique
Privacy
Confidentiality
Secure billing
Radiated power
16
Operator perspective








conversations
Spectrum efficiency
E
cells  MHz
Cell radius
Infrastructure cost
Deployment timing and adaptability
Roaming agreements
Resistance to fraud
Non repudiability of bills
…
17
Air interface
Messages
Logical
channels
Messages
Packets
Messages
Logical
channels
Bits
Radio link
Radio link
Terminal
Base Station
Structure, content
Packet structure, error detection/retransmission
Topology: one to one
one to many (e.g., synch signals)
many to one (e.g., service request)
Multiple access (e.g., CDMA, TDMA, FDMA)
Duplex (e.g., Frequency Division Duplex - FDD)
Modulation, source coding, channel coding,
interleaving, diversity reception, channel equalization
18
User Tracking: Geographic-based Strategy
Location area 1 (ID = 1)
Location area 2 (ID = 2)
5. Inform the HLR
of the new LA ID
of the end user
1. Change LA
2. Receive the ID of the LA
3. Compare with
stored ID
4. If different, update
and ask for registration
• All base stations within the same LA periodically broadcast the ID of the LA
• Each user compares its last LA ID with the current ID, and transmits a registration message whenever
the ID is different
• When there is an incoming call directed to a user, all the cells within its current LA are paged
19
Cellular networks
• The area to be covered is
tesselated in a (usually large)
number of cells
• There is usually one antenna
per cell
• A mobile communicates with
one (or sometimes two) antennas
• Antennas are controlled by
Mobile Switching Centers
(MSC)
• Cells are usually represented
by hexagons, although the
real shape can be quite variable
• In all systems, cells interfere with
each other
• To increase the capacity of the
network, the usual technique
consists in increasing the number of cells
20
Frequency reuse
F4
F4
F3
• Cells with the same name
use the same set of
frequencies
F3
F5
F6
F7
• In this example, the cluster size N = 7
• In order to tesselate, the geometry of
hexagons is such that N can only have
values which satisfy:
N = i2 + ij + j2 with i = 1, 2,… and j = 1, 2,…
F1
F2
F1
F2
F5
F6
F7
F4
F3
F5
F1
F2
F6
F7
• Channel assignment strategies:
• fixed: each cell is allocated a predetermined set of voice channels
• dynamic: each time a call request is made, the serving base station
21
requests a channel from the MSC
Handover: principle
Received
signal
level
Level at point B
Level at which handover is made
(call properly transferred to BS2)
time
A
BS1
B
BS2
22
Decibels (reminder)
The decibel is used to express a power ratio:
P 
B  10.log10  
 P0 
where P0 is the reference power level and P is the power level
at the considered point of the system.
Example: if the transmission power P0 is 10W and the received power P
is 0.1W, the loss is 10 log10 (1/100)   20dB.
A decibel (dB) expresses a ratio. An absolute value can be expressed in
decibels relative to 1 Watt (dBW) or (more frequently) in decibels relative
to 1 mW (dBm).
 P 
The latter is expressed by: P  10.log10 

1
mW


23
Handover strategies

The handover power level must be carefully chosen:

Dwell time: time during which a call is maintained in the same
cell (hence without handover)
Mobile Assisted Handover (MAHO): every mobile measures the
power from surrounding base stations and report these
measurements to the serving base station. A handover is
initiated if the power of the signal received from another station
exceeds the one of the serving one by a certain threshold for a
certain amount of time.
Inter-system handover: when changing network
Prioritising handovers over new calls; 2 methods:






If too small: risk of superfluous handovers
If too high: risk of losing the call due to weak signal conditions
Guard channels (spare channels in each cell)
Queuing of handover requests
Coping with stations moving at very different speeds (e.g., cars
vs pedestrians): umbrella cells
Typical values for GSM handover: threshold between 0 and 6
dB, execution time of around 1 to 2 seconds
24
Soft handover: in the case of CDMA
Interference and system capacity

Possible sources of interference:
Another mobile in the same cell
A call in progress in a neighboring cell
Other base stations operating in the same frequency band
Any noncellular system which inadvertently leaks energy
into the frequency band

Consequences of interferences:
On data channel: crosstalk (voice), erroneous data (data
transmission)
On control channel: missed calls, dropped calls

2 major types of system-generated interference:
Co-channel interference (same frequency), see hereafter
Adjacent channel interference (adjacent frequency)
25
Co-channel interference (1/4)
Co-channel reuse ratio:
D
Q   3N
R
Signal-to-interference ratio (SIR):
S
S
 i
0
I
 Ii
i 1
where S is the desired signal power from the desired base station, I i
is the interference power caused by the ith interfering co-channel
base station and i0 is the number of co-channel interfering cells.
Average received power Pr at a distance d from the transmitting antenna:
d 
Pr  P0  
 d0 
or

d 
Pr (dBm)  P0 (dBm)  10 log  
 d0 
where P0 is the power received at a small distance d 0 from the
transmitting antenna, and  is the path loss exponent.
26
Co-channel interference (2/4)
If the transmit power of each base station is equal and  is the same
throughout the coverage area:
S
R 
 i0
I

D
 i
i 1
Considering only the first layer of interfering cells
(and assuming their centers are all at distance D
of the considered base station):

S ( D R)


I
i0



3N
i0
27
Co-channel interference (3/4)
D+R
D
R
D-R
D+R
A
D
D-R
First tier of co-channel cells for a cluster size of N=7
Note: the marked distances are approximations
28
Co-channel interference (4/4)
Approximation of the signal-to-interference ratio at point A:
S
R 

I 2( D  R )   2 D   2( D  R ) 
Thus:
S
1

I 2(Q  1)   2Q   2(Q  1) 
Numerical example:
If N  7 and   4, then Q  4.6 and S / I  49.56  17.8 dB
29
Capacity of cellular networks (1/2)
We consider the downlink channel interference.
Assume the mobile to be located at the edge of the cell,
and consider only the interference of the 6 closest cells.
We want C/I to be greater than a given minimum  C / I min
Then we need:

S
R
1 R 
 i0
  
I
6 D

 Di

C
 
 I  min
i 1
As Q  D / R, we get:
1/ 
 C 
Q   6  
  I min 
30
Capacity of cellular networks (2/2)
Radio capacity of a cellular network:
Bt
m
radio channels/cell
Bc N
where Bt is the total allocated spectrum for the system
and Bc is the channel bandwidth.
As Q= 3N, we get:
Bt
Bt
m

2 /
Q2
 6 C 
Bc
Bc   / 2   
3
 3  I min 
Techniques to improve capacity:
• Cell splitting
• Sectoring
31
Capacity of cellular CDMA


The capacity of CDMA is interference limited, while it
is bandwidth limited in TDMA and FDMA.
Techniques to reduce interference:
Multisectorized antennas
Discontinuous transmission mode (takes advantage of the
intermittent nature of speech); duty factor typically between
3/8 and ½.

Power control: for a single cell, all uplink signals
should be received approximately with the same
power at the base station
32
Capacity of cellular CDMA: single cell case (1/2)
N: number of users
S: power of the signal received at the base station from a single user
S
1

( N  1) S N  1
Energy-to-noise ratio:
SNR 
Eb
S/R
W /R


N 0 ( N  1)( S / W ) N  1
where R is the bitrate and W is the available bandwidth.
Taking the thermal noise  into account:
Eb
W /R

N 0 ( N  1)  ( / S )
Thus the number of users that can access the system is:
N  1
W /R
-  /S
Eb / N 0
33
Capacity of cellular CDMA: single cell case (2/2)
With antenna sectorization, N 0 becomes N 0´ , with N 0´  N 0
For example, with 3 antennas covering 120o each:
1
N  N0
3
 : duty cycle of voice
´
0
N s : number of users per sector
Eb
W /R

N´0 ( N s  1)  ( / S )
If the number of users is large and noise is neglected:


1 W / R 

Ns  1  
E
 b 
 N 0´ 
34
Capacity of cellular CDMA: multiple cells case (1/3)
B0 controls the transmit power of each of its own in-cell users,
but not the power of users in neighboring cells.
Frequency reuse factor on the uplink:
N0
f 
N 0   U i N ai
i
where N 0 is the total interference power received from the
B6
B5
B1
B0
B2
B4
B3
N -1 in-cell users, U i is the number of users in the ith adjacent
cell, and N ai is the average interference power for a user
located in the ith adjacent cell.
Average received power from users in an adjacent cell:
N ai   N ij / U i
j
where N ij is the power received at the base station of
interest from the the jth user in the ith cell.
35
Capacity of cellular CDMA: multiple cells case (2/3)
Concentric circular geometry
M1 : number of wedgeshaped cells of the first
surrounding layer of cells
Adjacent cell
q1
3R
A1 : area of the first
surrounding layer
2R-d0
2R+d0
R
d0
A1 = M1 A
To let all cells have the
same size A, we must have:
M1 = 8
q1 = 450
By recursion, for the ith layer:
Ai = i8A
qi = p/4i
Considered
cell
2d0
First
surrounding
layer
36
Capacity of cellular CDMA: multiple cells case (3/3)
For the inner sublayer:
3R
2R+d0
2R-d0
d '  d 2 sin 2 q  d cos q  2 Ri  d 0
d0
for (2i  1) R  d  (2i ) R  d 0
2

for (2i ) R  d 0  d  (2i  1) R
d
d’
Inner
sublayer

2
For the outer sublayer:

R
q

d '  d 2 sin 2 q  2 Ri  d 0  d cos q
Interference power at B0 from the jth subscriber of the ith cell :
P0,i , j (r ,q , d 0 )  P0 (d '/ d 0 ) (d 0 / d )
In practice, the frequency reuse efficiency f for CDMA
Outer
sublayer
is in the order of 0.3 to 0.7 (as a comparison, in the case
of FDMA with cluster size = 7, f = 1/7).
37
Roaming: principle
Home network
Visited network
Roaming agreement
Subscriber
database
(IDs,
keys,
bills,…)
Subscriber
database
(IDs,
keys,
bills,…)
User
38
Roaming: architecture
PSTN + Data Network
Home
Location
Register
Service
logic
Service
logic
Home
Network
Visiting
Location
Register
Visited
Network
Base
Station
Base
Station
39
Security of cellular networks
• Eavesdropping, traffic analysis
• Maskerade as:
- Mobile station (e.g. for fraudulent usage)
- Base station
• Denial of service
Mobile station
• Misuse of a stolen terminal
• Tamper with the crypto information
(e.g., cloning)
• Repudiation of service usage
• Unauthorized access to data
• Threats to integrity
• Denial of service
• Repudiation
• Unauthorized access to services
Base station/
Foreign network
Home network
• Unveiling crypto information of the user
• Unveiling identity/location of the user
40
The Lin Harn protocol



Purpose: provide security in case of roaming mobile
users
Protect the mobile user, the visited network and the
home network
In particular:
Protect the identity of the mobile user
Avoid unveiling cryptographic material to the visited
network, which it could use (or an attacker could use)
against the will of the mobile user.
41
The Lin Harn protocol: requirements

Security requirements
Caller ID confidentiality: the identity of the user should be
hidden, including to the visited network
Non-repudiation of service (e.g., the mobile user should not
be able to deny the usage of service)
Shared secret key between the mobile and the visited
network, renewed for each session

Implementation requirements
Limited computing power of the mobile station  time-
consuming public key cryptographic techniques should be
avoided
Validation delay  the number of interactions between the
mobile station, the visited network and the home network
should be limited
42
The Lin Harn protocol: mobile station
registration
Base station B
(visited network)
Mobile M
Home
Network H
Initial shared key KMH
NB
EPK H ( M , EKMH ( N B ), N M ), N B , H
EPK H ( M , EKMH ( N B ), N M ), N B , H
k0  h2( K MH , h1( EKMH ( N B ), N M )), i  1,..., m
ri  h1( K MH , ki 1 )
ki  h2(ki 1 , ri )
ci  h3(ri )
k0 , N M , c1 ,..., cm
Eko ( M t , N M , PK B )
Allocate a temporary
identity Mt to M
43
Computation of the parameters
KMH
EKMH(NB)
NM
r1
h1
h2
h1
k0
h2
k1
h3
c1
h1
r2
h2
k2
h3
c2
rm
h1
h3
h2
km
h1, h2: one-way keyed hash function
h3 : one-way hash function
ci
: session key of the ith session
44
cm
The Lin Harn Protocol: Mobile Station
Origination Protocol
Base station B
(visited network)
Mobile M
• Compute ri= h1(KMH, ki-1)
EPK B ( M t , ri )
Eki ( ri )
• Check that h3(ri)=ci
• Set the session key to ci
• Compute ki= h2(ki-1, ri)
• Check that h3(ri)=ci
• Set the session key to ci
This protocol is activated for each
call request made by the mobile
45
The Lin Harn Protocol: analysis

Security
The subscriber can prove itself by presenting the ri’s to the
visited network; knowing the checking values ci’s, the visited
network can verify the legitimacy of the subscriber
The identity of the mobile user is protected
Security parameters of the mobile user (stored at the visited
network) are protected
Non-repudiation: by demonstrating the possession of the
ri’s, the visited network can prove that the service has been
used

Performance
Small number of exchanged messages
The computational effort on the mobile side can be limited;
e.g., encryption with the public keys PKH and PKB can be
based on the low-exponent of the RSA algorithm: 3.
46
Billing in mobile networks
Example Scenario
1. Technical view:
Information
server
Backbone network
2. Business view:
Service provision
Payment
Information
Service Provider
Trust
Backbone Network
Operator
User
Access Network
Operator
47
Business model
>1B
potential
users
Privacy?
Authentication?
Payment and billing?
User customization?
National regulations?
Disputes (bankrupts,
order or usage repudiations,…)?
1M+
connectivity
and information
service
providers
48
The customer care
Cellular network operators
Customer
care
agency
Long distance network operators
Satellite network operators
Information service providers
User
49
Requirements
Customer care agency
R7: Future-proof
mechanism
R6: accurate and
non repudiable bill
R1: Free choice of
the customer
care agency
R3: Agreement on tariff at session setup
R4: Very small amounts supported
R5: Continuous information about cost
User
R2: Protection of user’s
privacy (anonymity)
Service provider
50
Facts and problems

Facts
growing number of mobile users (> 1 billion in the near future)
growing number of service providers (~ millions in the near future)
• basic communication services (connectivity)
• value-added services (information services)

Problems
lack of trust
• service providers do not trust users
– illegitimate service usage (fraud)
– denial of service usage
• users do not trust service providers
– leaking of information related to service usage (monitoring of
users’ activity)
– incorrect charging
scalability
• on-line cross-domain authentication
51
Customer Care Agency Vs Service Provider
- specialization
- control
- reputation
- separation of
concern
- selects / recommends service
providers for its users
- handles payments on behalf of
its users
- protects user privacy
- prevents / resolves conflicts
- provides personal customization
- etc.
- control
- business
agreements
52
Operating principle
2. generate ticket
Customer care agency
3. ticket
7. payment
1. request
6. ticks
4. ticks
User
5. service
Service provider
off-line
on-line
53
Initial situation
Customer care agency (A)
Knows PKS
Knows PKA
User (U)
Service provider (S)
54
Ticket acquisition
Customer care agency
cn  g ( n ) (c0 )
T  Sig PK 1 ( sn, cn ,  aU mod p, PKU )
A
Ticket
Request (Uid , rnd0 )
Header
EKUA (T , c0 , aU , PKU1 , rnd0 )
c0 : freshly generated random seed
rnd : freshly generated random number
g: one-way function
sn: serial number of the ticket
 and p: publicly known
aU : secret D-H parameter
PK A1 : private key of the agency
PKU1: private key of the user
User
Service provider
55
Ticket usage (setup)
Customer care agency
Ticket
tf : tariff
k: session key
h : one-way hash function
Header
Service provider
 mod p
aS
User
Service request: rnd1 , T  Sig PK 1 ( sn, cn ,  aU mod p, PKU )
A
Tariff proposal: rnd2 , tf , h(tf , k , rnd1 )
k  ( aS )aU mod p
k  ( aU )aS mod p
Commitment to tariff: Sig PK-1 ( sn, tf , rnd 2 )
U
56
Ticket Usage (service provision)
Customer care agency
d: price of the first piece of
service (expressed in ticks)
Ticket
Header
d ticks
User
User
d
cn-d = g(n-d)(c0)
Service provider
cn-d
Ek(service)
g(d)(cn-d) = cn ?
57
Clearance and billing
Customer care agency
Check consistency
With Ticket T
User
Bill (after
aggregation)
Sig PK 1 (Sig PK-1 ( sn, tf , rnd 2 ), cl )
S
U
Payment (after
aggregation)
User
Service provider
58
Trust and scalability

Trust
access to services is based on anonymous tickets
the customer care agency can link tickets to real
identities
the service provider is always authenticated
potential loss due to incorrect charging or to
denial of payment is very low (ticket slicing)

Scalability
no on-line cross-domain authentication
interaction with the customer care agency is
removed from the critical path (off-line)
59
Further advantages


Separation of roles
the customer care role is factored out from service providers
Gradual deployment
at the beginning, the customer care role can be played by
service providers
later, other organizations (e.g., credit card organizations) are
expected to play the customer care role


Efficiency
expensive operations are off-line
mobile users have a stationary agent in the fixed network
Flexibility
very short term relationships between users and service
providers
60
Some (unavoidable?) disadvantages

Centralized solution
the customer care agency can be a
bottleneck and single point of failure; it is
therefore an ideal target to attack
Complex (cryptographic) protocols
 Infrastructure

customer care agencies

Commonly deployed mechanisms
standardized protocols for tickets
61
Conclusion on billing



Problem:
lack of trust, scalability problems in future mobile networks
Solution:
new business role: customer care agency
ticket based access to services
Features:
solves the trust and scalability problems
clear separation of roles
gradual deployment
efficiency and flexibility
requires complex, standardized protocols and infrastructure
centralized solution
62
General conclusion on cellular networks




Huge technical problem
Physical layer barely considered in this course
We have addressed network capacity, security and
billing
System aspects not covered in this chapter:
MAC layer
traffic analysis
network dimensioning
63
References

About cellular networks in general:
S. Tabbane: Handbook of mobile radio networks
Artech House, 2000

About the capacity of cellular networks:
T. Rappaport: Wireless Communications, 2nd edition, Prentice Hall,
2001

About security in cellular networks:
H. Lin, L. Harn: Authentication protocols for personal
communication systems. SIGCOMM’95

About billing:
L. Buttyan and JP Hubaux: Accountable Anonymous Service Usage
in Mobile Communication Systems. Workshop for Electronic
Commerce (WELCOM), Oct. 1999 (available at lcawww.epfl.ch)
M. Peirce and D. O’Mahony: Flexible Real-Time Payment Methods
for Mobile Communications. IEEE Personal Communications, Dec.
1999
64