The motivation for security in cellular telecommunications systems is to secure conversations and signalling data from interception. With older analog systems such as the Advanced Mobile Phone System (AMPS) and Total Access Communication System (TACS), it is a relatively simple matter for the radio hobbyist to intercept a cellular telephone conversation with a police scanner. A well-publicized case involved a potentially embarrassing cellular telephone conversation with a member of the British royal family being recorded and released to the media. Another security consideration with cellular telecommunications systems involves identification credentials such as the Electronic Serial Number (ESN), which are transmitted "in the clear" in analog systems. With more complicated equipment, it is possible to receive the ESN and use it to commit cellular telephone fraud by "cloning" another cellular phone and placing calls with it. Estimates for cellular fraud in the U.S. in 1993 are as high as $500 million. The procedure wherein the Mobile Station (MS) registers its location with the system is also vulnerable to interception and permits the subscriber's location to be monitored even when a call is not in progress, as evidenced by the recent highly publicized police pursuit of a famous U.S. athlete.
The security and authentication mechanisms incorporated in GSM make it the most secure mobile communication standard currently available, particularly in comparison to the analog systems described above. Part of the enhanced security of GSM is due to the fact that it is a digital system utilizing a speech coding algorithm, Gaussian Minimum Shift Keying (GMSK) digital modulation, slow frequency hopping, and a Time Division Multiple Access (TDMA) time slot architecture. To intercept and reconstruct this signal would require more highly specialized and expensive equipment than a police scanner to perform the reception, synchronization, and decoding of the signal. In addition, the authentication and encryption capabilities discussed in this paper ensure the security of GSM cellular telephone conversations and subscriber identification credentials against even the determined eavesdropper.
Overview of GSM
GSM (Global System for Mobile communications) is the Pan-European standard for digital cellular communications. The Groupe Spécial Mobile was established in 1982 within the European Conference of Post and Telecommunication Administrations (CEPT). A further important step in the history of GSM as a standard for digital mobile cellular communications was the signing of a GSM Memorandum of Understanding (MoU) in 1987, in which 18 nations committed themselves to implement cellular networks based on the GSM specifications. In 1991 the first GSM-based networks commenced operations. GSM provides enhanced features over older analog-based systems, which are summarized below:
The subscriber has the advantage of a Pan-European system allowing him to communicate from everywhere and to be called in any area served by a GSM cellular network using the same assigned telephone number, even outside his home location. The calling party does not need to be informed about the called person's location because the GSM networks are responsible for the location tasks. With his personal chip card he can use a telephone in a rental car, for example, even outside his home location. This mobility feature is preferred by many business people who constantly need to be in touch with their headquarters.
High Capacity and Optimal Spectrum Allocation
The former analog-based cellular networks had to combat capacity problems, particularly in metropolitan areas. Through a more efficient utilization of the assigned frequency bandwidth and smaller cell sizes, the GSM system is capable of serving a greater number of subscribers. The optimal use of the available spectrum is achieved through the application of Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), efficient half-rate and full-rate speech coding, and the Gaussian Minimum Shift Keying (GMSK) modulation scheme.
The security methods standardized for the GSM system make it the most secure cellular telecommunications standard currently available. Although the confidentiality of a call and the anonymity of the GSM subscriber are only guaranteed on the radio channel, this is a major step in achieving end-to-end security. The subscriber's anonymity is ensured through the use of temporary identification numbers. The confidentiality of the communication itself on the radio link is provided by the application of encryption algorithms and frequency hopping, which could only be realized using digital systems and signalling.
The list of services available to GSM subscribers typically includes the following: voice communication, facsimile, voice mail, short message transmission, data transmission and supplemental services such as call forwarding.
GSM Radio Channel
The GSM standard specifies the frequency bands of 890 to 915 MHz for the uplink band, and 935 to 960 MHz for the downlink band, with each band divided up into 200 kHz channels. Other features of the radio channel interface include adaptive time alignment, GMSK modulation, discontinuous transmission and reception, and slow frequency hopping. Adaptive time alignment enables the MS to correct its transmit timeslot for propagation delay. GMSK modulation provides the spectral efficiency and low out-of-band interference required in the GSM system. Discontinuous transmission and reception refers to the MS powering down during idle periods and serves the dual purpose of reducing co-channel interference and extending the portable unit's battery life. Slow frequency hopping is an additional feature of the GSM radio channel interface which helps to counter the effects of Rayleigh fading and co-channel interference.
TDMA Frame Structures, Channel Types, and Burst Types
The 200 kHz channels in each band are further subdivided into 577 µs timeslots, with 8 timeslots comprising a TDMA frame of 4.6 ms. Either 26 or 51 TDMA frames are grouped into multiframes (120 or 235 ms), depending on whether the channel is for traffic or control data. Either 51 or 26 of the multiframes (again depending on the channel type) make up one superframe (6.12 s). A hyperframe is composed of 2048 superframes, for a total duration of 3 hours, 28 minutes, 53 seconds, and 760 ms. The TDMA frame structure has an associated 22-bit sequence number which uniquely identifies a TDMA frame within a given hyperframe. Figure 1 illustrates the various TDMA frame structures.
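The channel and frame arithmetic in the two preceding sections is easy to get wrong by a factor of a thousand (the timeslot is microseconds, the frame milliseconds), so the following added example works it through in code. It is not from the paper: it models the 200 kHz channel raster of the GSM radio channel section and the timeslot/frame/multiframe/superframe/hyperframe hierarchy of this section, and checks that the 22-bit frame number covers a hyperframe. Two things go beyond the page and are assumptions: the exact timeslot length of 15/26 ms (the paper rounds it to 577 µs and the frame to 4.6 ms), and the standard channel numbering in which ARFCN n has uplink 890 + 0.2n MHz for n = 1..124 and a downlink 45 MHz higher. The T1/T2/T3 split of the frame number is the one the system broadcasts so that a mobile can synchronize; the same frame number is also, in later sections, one of the inputs to the A5 ciphering of the traffic channel, which is why a security engineer cares that it is well defined and never repeats within a hyperframe.

```python
"""Added example (not from the paper): GSM channel raster and TDMA frame hierarchy."""
from fractions import Fraction

# --- Radio channel (assumed standard ARFCN numbering, beyond what the page states)
UPLINK_BASE_MHZ = 890
DOWNLINK_OFFSET_MHZ = 45           # 935 - 890: duplex spacing between the two bands
CHANNEL_SPACING_MHZ = Fraction(1, 5)   # 200 kHz raster
FIRST_ARFCN, LAST_ARFCN = 1, 124       # 125 raster positions in 25 MHz; position 0 is a guard


def uplink_mhz(arfcn):
    """Carrier centre frequency of the mobile-to-base channel number `arfcn`."""
    if not FIRST_ARFCN <= arfcn <= LAST_ARFCN:
        raise ValueError(f"ARFCN {arfcn} outside the primary GSM band")
    return UPLINK_BASE_MHZ + CHANNEL_SPACING_MHZ * arfcn


def downlink_mhz(arfcn):
    """Base-to-mobile carrier: the paired channel 45 MHz above the uplink."""
    return uplink_mhz(arfcn) + DOWNLINK_OFFSET_MHZ


# --- TDMA hierarchy (figures from the text; slot length is the exact value, assumed)
SLOTS_PER_FRAME = 8
SLOT_MS = Fraction(15, 26)                       # ~0.577 ms, the paper's "577 us"
FRAME_MS = SLOTS_PER_FRAME * SLOT_MS              # 60/13 ms ~ 4.615 ms, the paper's "4.6 ms"
TRAFFIC_MULTIFRAME = 26                           # frames per traffic multiframe
CONTROL_MULTIFRAME = 51                           # frames per control multiframe
FRAMES_PER_SUPERFRAME = TRAFFIC_MULTIFRAME * CONTROL_MULTIFRAME   # 1326 either way
SUPERFRAMES_PER_HYPERFRAME = 2048
FRAMES_PER_HYPERFRAME = FRAMES_PER_SUPERFRAME * SUPERFRAMES_PER_HYPERFRAME
FRAME_NUMBER_BITS = 22


def multiframe_ms(frames_per_multiframe):
    """Duration of a 26- or 51-frame multiframe in milliseconds (exact Fraction)."""
    return frames_per_multiframe * FRAME_MS


def superframe_ms():
    return FRAMES_PER_SUPERFRAME * FRAME_MS


def hyperframe_hms():
    """Hyperframe duration as (hours, minutes, seconds, milliseconds)."""
    total_ms = int(FRAMES_PER_HYPERFRAME * FRAME_MS)   # exact: 2715648 * 60/13 is an integer
    hours, rest = divmod(total_ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1_000)
    return hours, minutes, seconds, millis


def frame_number_fits():
    """True if every frame in a hyperframe has a distinct 22-bit sequence number."""
    return FRAMES_PER_HYPERFRAME <= (1 << FRAME_NUMBER_BITS)


def split_frame_number(fn):
    """(T1, T2, T3): superframe index, position in the 26-multiframe, position in the 51-multiframe."""
    if not 0 <= fn < FRAMES_PER_HYPERFRAME:
        raise ValueError("frame number outside the hyperframe")
    return fn // FRAMES_PER_SUPERFRAME, fn % TRAFFIC_MULTIFRAME, fn % CONTROL_MULTIFRAME


def join_frame_number(t1, t2, t3):
    """Inverse of split_frame_number: recover FN from (T1, T2, T3) by the Chinese remainder
    step for the coprime moduli 26 and 51 (51 ≡ -1 mod 26, so k = (T3 - T2) mod 26)."""
    return (FRAMES_PER_SUPERFRAME * t1
            + CONTROL_MULTIFRAME * ((t3 - t2) % TRAFFIC_MULTIFRAME)
            + t3)


if __name__ == "__main__":
    print("ARFCN 1 uplink/downlink MHz:", float(uplink_mhz(1)), float(downlink_mhz(1)))
    print("traffic / control multiframe ms:", float(multiframe_ms(26)), round(float(multiframe_ms(51)), 2))
    print("hyperframe:", hyperframe_hms(), "frames:", FRAMES_PER_HYPERFRAME, "22-bit ok:", frame_number_fits())
    last = FRAMES_PER_HYPERFRAME - 1
    print("last frame", last, "->", split_frame_number(last), "->", join_frame_number(*split_frame_number(last)))
```

Using exact fractions rather than floats is deliberate: with the rounded 577 µs and 4.6 ms from the text the hyperframe would come out some seconds short, whereas the exact 15/26 ms slot reproduces the paper's 3 h 28 min 53.760 s to the millisecond, which confirms that the figures in the text are rounded forms of one consistent timing scheme rather than independent numbers.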