GSM core network

The GSM Core network is the heart of a GSM system, the most common mobile phone system in the world. It is owned and deployed by mobile phone operators and allows mobile phones to communicate with each other and telephones in the wider telecommunications network. The architecture closely resembles a fixed telephone network, but there are additional functions which are needed because the phones are not fixed in one location, but move around instead or roam. Each of these functions handle different aspects of mobility management and are described in more detail below.

The GSM core network (also known as the Network and Switching Subsystem or NSS) usually refers to the circuit switched core network, used for traditional GSM services such as voice calls, SMS and circuit switched data calls.

There is also an overlay architecture on the GSM core network to provide packet switched services and is known as the GPRS core network. This allows mobile phones to have access to services such as WAP, MMS, internet access and video messaging.

All mobile phones manufactured today have both circuit and packet based services, so most operators have a GPRS network in addition to the standard GSM core network.

Contents

1 Home Location Register (HLR) 1.1 Description 1.2 Other GSM Core Network Elements connected to the HLR 1.3 Procedures implemented 2 Authentication Centre (AUC) 2.1 Description 2.2 Other GSM Core Network Elements connected to the AUC 2.3 Procedures implemented 3 Visitors Location Register (VLR) 3.1 Description 3.2 Other GSM Core Network Elements connected to the VLR 3.3 Procedures implemented 4 Mobile services Switching Centre (MSC) 4.1 Description 4.1.1 GMSC 4.1.2 Visited MSC 4.1.3 Other MSC terms 4.2 Other GSM Core Network Elements connected to the MSC 4.3 Procedures implemented 5 EIR 6 Other support functions 6.1 SMSC 6.2 MMSC 6.3 Lawful interception functions 7 See also 8 External links

Home Location Register (HLR)

Description

The Home Location Register or HLR is a central database that contains details of each mobile phone subscriber that is authorised to use the GSM core network.

More precisely, the HLR stores details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is one of the primary keys to each HLR record.

The next important items of data associated with the SIM are the telephone numbers used to make and receive calls to the mobile phone, known as MSISDNs. The main MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a primary key to the HLR record.

Examples of other data stored in the HLR in a SIM record is:

• GSM services that the subscriber has requested or been given
• GPRS settings to allow the subscriber to access packet services
• Current Location of subscriber (VLR and SGSN)
• Call divert settings applicable for each associated MSISDN.

The HLR data is stored for as long as a subscriber remains with the mobile phone operator.

Other GSM Core Network Elements connected to the HLR

The HLR connects to the following elements:

• the Gateway MSC (G-MSC) for handling incoming calls
• The VLR for handling requests from mobile phones to attach to the network
• The SMSC for handling incoming SMS
• The voice mail system for delivering notifications to the mobile phone that a message is waiting

Procedures implemented

The main function of the HLR is to manage the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:

• send the subscriber data to a VLR or SGSN when a subscriber first roams there.
• broker between the GMSC or SMSC and the subscriber's current VLR in order to allow incoming calls or text messages to be delivered.
• remove subscriber data from the previous VLR when a subscriber has roamed away from it.

Authentication Centre (AUC)

Description

The Authentication Centre or AUC is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS etc) between the mobile phone and the GSM core network.

If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator attempted. There is an additional form of identification check performed on the serial number of the mobile phone described in the EIR section below, but this is not relevant to the AUC processing.

Proper implementation of security in and around the AUC is a key part of an operator's strategy to avoid SIM cloning.

The AUC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AUC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. This Ki is never transmitted between the AUC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key for use in over the air communications.

Other GSM Core Network Elements connected to the AUC

The AUC connects to the following elements:

• the VLR which requests a new batch of triplet data for an IMSI after the previous data have been used. This ensures that same keys and challenge responses are not used twice for a particular mobile.

Procedures implemented

The AUC stores the following data for each IMSI:

• the Ki
• Algorithm id (the standard algorithms are called A3 or A8, but an operator may choose a proprietary one).

When the MSC asks the AUC for a new set of triplets for a particular IMSI, the AUC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:

• The Ki and RAND are fed into the A3/A8 (or other operator proprietary algorithm) and a number known as Signed RESponse or SRES is calculated.

• The Ki and RAND are fed into a standard A5 algorithm and a number called the Kc is calculated.

The numbers (RAND, SRES, KC) form the triplet sent back to the MSC. When a particular IMSI requests access to the GSM core network, the MSC sends the RAND part of the triplet to the SIM. The SIM then feeds this number and the Ki (which is burned onto the SIM) into the A3/A8/proprietary algorithm as appropriate and an SRES is calculated and sent back to the MSC. If this SRES matches with the SRES in the triplet (which it should if it is a valid SIM), then the mobile is allowed to attach and proceed with GSM services.

After successful authentication, the MSC sends the encryption key Kc to the BSC so that all communications can be encrypted and decrypted. Of course, the mobile phone can generate the Kc itself by feeding the same RAND supplied during authentication and the Ki into the A5 algorithm.

The AUC is usually collocated with the HLR, although this is not necessary. Whilst the procedure is secure for most everyday use, it is by no means crack proof. Therefore a new set of security methods was designed for 3G phones.

Visitors Location Register (VLR)

Description

The Visitors Location Register or VLR is a temporary database of the subscribers who have roamed into the particular area which it serves. Each Base Station in the network is served by exactly one VLR, hence a subscriber cannot be present in more than one VLR at a time.

The data stored in the VLR has either been received from the HLR, or collected from the MS. In practice, for performance reasons, most vendors integrate the VLR directly to the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface.

Data stored includes:

• IMSI (the subscriber's identity number)
• authentication data
• MSISDN (the subscriber's phone number)
• GSM services that the subscriber is allowed to access
• Access Point (GPRS) subscribed
• the HLR address of the subscriber

Other GSM Core Network Elements connected to the VLR

The VLR connects to the following elements:

• the Visited MSC (V-MSC) to pass data needed by the V-MSC during its procedures, e.g. authentication or call setup.
• The HLR to request data for mobile phones attached to its serving area.
• Other VLRs to transfer temporary data concerning the mobile when they roam into new VLR areas (for example TMSI which is an ephemeral temporary IMSI used in communication).

Procedures implemented

The primary functions of the VLR are:

• to inform the HLR that a subscriber has arrived in the particular area covered by the VLR
• to track where the subscriber is within the VLR area (location area) when no call is ongoing
• to allow or disallow which services the subscriber may use
• to allocate roaming numbers during the processing of incoming calls
• to purge the subscriber record if a subscriber becomes inactive whilst in the area of a VLR. The VLR deletes the subscriber's data after a fixed time period of inactivity and informs the HLR (e.g. when the phone has been switched off and left off or when the subscriber has moved to an area with no coverage for a long time).
• to delete the subscriber record when a subscriber explicitly moves to another, as instructed by the HLR

Mobile services Switching Centre (MSC)

Description

The Mobile services Switching Centre or MSC is a sophisticated telephone exchange which provides circuit-switched calling, mobility management and GSM services to the mobile phones roaming within the area that it serves. This means voice, data and fax services, as well as SMS and call divert.

In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent directly digitally encoded to the MSC. Only at the MSC is this re-coded into an "analogue" signal (although actually this will almost certainly mean sound encoded digitally as PCM signal in a 64k timeslot, known as a DS0 in America).

There are various different names for MSCs in different contexts which reflects their complex role in the network, all of these terms though could refer to the same MSC, but doing different things at different times.

GMSC

The Gateway MSC is the MSC which handles calls arriving from external networks. The term is only valid in the context of one call since any MSC may provide both the gateway function and the Visited MSC function, however, some manufactures design dedicated high capacity MSCs which do not have any BSCs connected to them. These MSCs will then be the Gateway MSC for many of the calls they handle.

Visited MSC

The Visited MSC is the MSC where a customer is currently located. The VLR associated with this MSC will have the subscriber's data in it.

Other MSC terms

The Anchor MSC is the MSC from which a Handover has been initiated. The Target MSC is the MSC toward which a Handover should take place. An MSC Server is a part of the redesigned MSC concept starting from 3GPP Release 5 .

Other GSM Core Network Elements connected to the MSC

The MSC connects to the following elements:

• the Base Station Subsystem which handles the radio communication with 2G and 2.5G mobile phones.
• the UTRAN which handles the radio communication with 3G mobile phones.
• the VLR for obtaining data about the SIM and MSISDN
• other MSCs for procedures such as handover.

Procedures implemented

Tasks of the MSC include

• delivering calls to subscribers as they arrive based on information from the VLR
• connecting outgoing calls to other mobile subscribers or the PSTN.
• delivering SMSs from subscribers to the SMSC and vice versa
• arranging handovers from BSC to BSC
• carrying out handovers from this MSC to another
• supporting supplementary services such as conference calls or call hold.

EIR

The EIR (Equipment Identity Register) is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. In theory all data about all stolen mobile phones should be distributed to all EIRs in the world through a Central EIR. It is clear, however, that there are some countries where this is not in operation. The EIR data does not have to change in real time, which means that this function can be less distributed than the function of the HLR.

Other support functions

Connected more or less directly to the GSM core network are many other functions.

SMSC

The SMSC (Short Message Service Centre) supports the sending of text messages.

MMSC

The MMSC (Multimedia Messaging System Centre) supports the sending of multimedia messages (e.g. Images, Audio, Video and their combinations) to (or from) MMS-enabled Handsets.

Lawful interception functions

According to US law, which has also been copied into many other countries, especially in Europe, all telecommunications equipment must provide facilities for monitoring the calls of selected users. There must be some level of support for this built into any of the different elements. The concept of lawful interception is also known, following the relevant US law, as CALEA.

See also

The GPRS Core Network works in parallel with the rest of the GSM core network.

External links

• the 3GPP, the standardisation body for GSM and UMTS