SlideShare a Scribd company logo

Mobile Networks Architecture and Security (2G to 5G)

Hamidreza Bolhasani
Hamidreza Bolhasani

Mobile Networks Architecture and Security (2G to 5G) + Mobile Networks History 2G/3G/4G/LTE/5G + CS/PS/EPC/5GC Core Network Elements Overview + Mobile Networks Basic Scenarios + Mobile Network Security + Authentication / Ciphering

Technology
1 of 87
Download to read offline
Mobile Network Architecture & Security (From 2G to 5G) Dr. Ali Soleymani, Assistant Professor at Iranians University, ali.soleymani@iranian.ac.ir Dr. Hamidreza Bolhasani, PhD Candidate at SRB-IAU Branch, hamidreza.bolhasani@srbiau.ac.ir 27th International Computer Conference, Computer Society of Iran (CSICC 2022)
Global System for Mobiles (GSM) ◼ Cellular Network or Mobile Network is a communication network where the last link is wireless. The network is distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell or base station.
2G / 3G Overview GSM /GPRS BSS BTS BSC NodeB RNC PCU UTRAN SCP SMS SCE PSTN ISDN Internet, Intranet MSC/VLR GMSC HLR/AUC SGSN CG BG GGSN GPRS Other PLMN IPBB
2G Radio ◼ BTS (Base Station Transceiver) BTS is a piece of equipment that facilitates wireless communication between user equipment (UE) and a network. UEs are devices like mobile phones (handsets), WLL phones, computers with wireless Internet connectivity. ◼ BSC (Base Station Controller) BSC is a critical mobile network component that controls one or more base transceiver stations (BTS), also known as base stations or cell sites. Key BSC functions include radio network management (such as radio frequency control), BTS handover management and call setup. It also carries transcoding of speech channels.
3G Radio ◼ NodeB NodeB is a term used in UMTS equivalent to the BTS (base transceiver station) description used in GSM. ◼ RNC (Radio Network Controller) RNC is a governing element in the UMTS radio access network (UTRAN) and is responsible for controlling the NodeBs that are connected to it. The RNC carries out radio resource management, some of the mobility management functions and is the point where encryption is done before user data is sent to and from the mobile.
Terminologies - IMSI MCC MNC MSIN 3 digits 2/3 digits Not more than 15 digits IMSI (International Mobile Subscriber Identity) NMSI MCC:Mobile Country Code MNC:Mobile Network Code MSIN:Mobile Station Identification Number NMSI:National Mobile Station Identity
TMSI  TMSI: Temporary Mobile Subscriber Identity  In order to ensure subscriber identity confidentiality, the VLR (Visiting Location Register) and SGSN (Serving GPRS Support Node) may allocate TMSI to visiting mobile subscribers.
IMEI TAC FAC spare 6 digits 2 digits 15 digits IMEI (International Mobile Equipment Identity) TAC:Type Approval Code FAC:Final Assembly Code SNR:Serial Number spare:Standby bit Example:490547403767335 SNR 6 digits 1 digits
MSISDN CC NDC SN National ( Significant ) Mobile Number MSISDN:Mobile Station International ISDN number CC: Country Code, China Country Code is 86 NDC:National Destination Code SN: Subscriber Number
LAI / GCI / SAI Location Area Identity MCC MNC LAC Cell Global Identity MCC MNC LAC CI Service Area Identity MCC MNC LAC SAC
TAI / TAC Tracking Area Identity MCC MNC TAC
Intra-cell Handover 13 BTS BTS Intra-Cell Handover
Inter-Cell Intra-BSC Handover 14 BSC BTS BTS
Inter-BSC Intra-MSC Handover 15 MSC VLR BSC B T S BSC B T S B T S B T S B T S B T S B T S B T S B T S
Inter-BSC Inter-MSC Handover 16 MSC1 VLR MSC2 VLR BSC B T S BSC B T S B T S B T S B T S B T S B T S B T S B T S
2G / 3G Core Network (CN) ◼ Core Network is split into CS domain and PS domain. CS domain is based on original GSM network. PS domain is based on original GPRS network. ◼ CS domain: used to provide Circuit-switched service. Network mode can support TDM, ATM and IP. Physical entities include switching equipment (such as MSC/VLR, GMSCs, HSS), and inter-working equipment (IWF). ◼ PS domain: used to provide Packet-switched service. Network mode is IP. Physical entities include SGSN, GGSN, CG , BG etc.
2G / 3G Core Network (CN) ◼ Function entity shared by CS domain and PS :  MSC Server: Control layer, to realize MM (Mobility Management), CM (Call Control), MGC (Media Gateway Control).  MGW: Bearer layer, to realize the exchange of voice and media flow, and provide all kinds sources, such as TC, EC, play announcement and receive DTMF.  SG: To realize signaling transfer from MTP (SS7 transmission layer) to SCTP/IP (SIGTRAN).
2G / 3G Core Network (CN)  HLR/HSS: To realize mobile subscriber management and location information management.  VLR: To deal with all kinds of data information of current mobile subscriber.  AUC: To store authentication information of mobile subscriber.  EIR: To store IMEI data of mobile subscriber.  SMS: Short Message Center.
Scenario #1 Location Update / Authentication MS BSS MSC VLR HLR/AUC Locating updating request(IMSI) Um BSSAP MAP MAP A B D Locating updating request Update location area (IMSI) Send parameters(IMSI) Authentication parameters (RAND/SRES/Kc,IMSI) Authenticate Authentication request Authentication response Authentication response Update location Inserte subscriber data Subscriber data insertion ack. cancel location cancel location ack. PVLR Update location ack. (HLR?) Set cyphering mode Forward new TMSI Update location area ack. CYPHER MODE COMMAND CYPHER MODE COMPLETE Location updating accepte TMSI reallocation complete TMSI acknowledge CLEAR COMMAND CLEAR COMPLETE imsi/tmsi,old lai,current lai/gci
Scenario #2 Call Flow (1/2) Um A B D A Um MSa BSSa MSC VLR HLR BSSb MSb channel request RACH SDCCH CM service request (CKSN,IMSI/TMSI) CM service req.) CM service req.) Send parameters (IMSI/TMSI) Authentication para. (IMSI,RAND/SRES/Kc) Authenticate (RAND,CKSNn) Authentication request(RAND,CKSNn) Authentication response(SRES) Authen. res.(SRES) Set cyphering mode Access req. accepted (IMSI/MSISDN) CM service accept CIPHER MODE COMMAND(Kc) CIPHER MODE COMPLETE Setup ( MSISDN) Send info. for o/g call setup Complete Call Call proceeding ASSIGNMENT REQUEST ASSIGNMENT COMPLETE Send routing info req. (MSISDN, supplyment service info ) Provide roaming number req(IMSI) Provide roaming number Ind Send Routing infomation acknowledge send info.for i/c call setup page MS(LAI) PAGING(LAI,IMSI) Page response Page response(LAI,GCI)
Scenario #2 Call Flow (2/2) Um A B D A Um MSa BSSa MSC VLR HLR BSSb MSb Process access req. Send para. (IMSI/TMSI) Authen. para. (IMSI,RAND/SRES/Kc) Authenticate (RAND,CKSNn) Authentication request(RAND,CKSNn) Authentication(SRES) Authentication response(SRES) Set cyphering mode Access request accepted Complete call CIPHER MODE COMMAND(Kc) CIPHER MODE COMPLETE Setup (calling MSISDN) Call confirmed ASSIGNMENT REQUEST ASSIGNMENT COMPLETE Alerting Connect Connect acknowledge Alerting Connect Connect acknowledge
GPRS Network Structure ⚫ What is GPRS?  General Packet Radio Service ⚫ Why GPRS?  In order to provide the data service out the scope of the fixed network ⚫ GPRS network classification  GSM GPRS  UMTS GPRS ⚫ GPRS network background  GSM GPRS network reuse the existed GSM network  UMTS GPRS network just change the RAN side
GPRS Network Structure FR EIR HLR SMS-GMSC SMS-IWMSC MSC/VLR BSS UTRAN SGSN SGSN GGSN BG CG TE PDN SS7 ATM DDN ISDN Ethernet.etc GPRS Backbone Gs Gd Gr Gf Gc Gb Iu Um Um Gp Gi Gn Gn ATM Ga SCP GMLC Ge Lg Ga ⚫ Some Abbreviation  GPRS: General Packet Radio Service  BSS: Base Station Subsystem  UTRAN: UMTS Terrestrial Radio Access Network  SGSN: Service GPRS Support Node  GGSN: Gateway GPRS Support Node  CG: Charging Gateway  BG: Bordering Gateway  PDN: Packet Data Network
GPRS Network Structure ⚫ Important Entity Function __ SGSN  Mobility management − The mobility management functions are used to keep track of the current location of an MS within the PLMN or within another PLMN.  Session management − Session Management (SM) function manages the PDP context of MS.  Routing and transfer − SGSN performs routing and forwarding of service data between MS and GGSN.  Charging − SGSN can generate, store, convert and send CDRs.  Lawful Interception  NTP
GPRS Network Structure ⚫ Important Entity Function __ GGSN Session management − Session Management (SM) function manages the PDP context of MS. Routing and transfer − GGSN performs routing and forwarding of service data between MS and internet. Charging − GGSN can generate, store, convert and send CDRs. Dynamic IP allocation Service management − Manage APN
4G/LTE
4G/LTE
4G/LTE Attach
5G – Primitives
5G – Near Future
2G → 5G Roadmap
Towards → 5G
2G → 5G Roadmap
5G Motivations
5G IMT-2020
5G – Primitives
5G – Network Architecture
5G – Interoperable Network
5GC – Interoperable Network
5GNR – New Radio
5G Spectrum – mmWave
5G Network Slicing
5G Network Slicing
5G Network Slicing
5G Network Slicing
5G & AR / VR
5G & AR / VR
5G & Artificial Intelligence (AI)
5G & Artificial Intelligence (AI)
5G & V2X / Connected Cars
5G & Health
5G & Health
5G & Health
BSC RAND generator IMSI Ki A3 A8 AUC Triplets req. Triplets sent (Sent via HLR) Kc SRES RAND Triplet Kc SIM MS Ki A3 A8 RAND Kc SRES A5 A5 MSC VLR Authentication! IMSI SRES Kc RAND Call Establishment Request Authentication Request (RAND) Ciphering Command (Kc) Ciph. Command ( ) Ciphering Complete Ciphering Complete Ciphered Traffic and Signalling Traffic and Signalling Authentication Response (SRES) Ciphering OK! AUC Authentication Centre Ki Subscriber Authentication Key (128 Bit) Kc Ciphering Key (64 Bit) RAND Random number (128 Bit) SRES Signed Response (32 Bit) GSM Security
A3 Algorithm (Compress Function: COMP128) • Input: • 128-bit RAND random number • 128-bit Ki private key • Output: • 32-bit RES/SRES Authentication
A8 Algorithm (Compress Function: COMP128) • Input: • 128-bit RAND random number • 128-bit Ki private key • Output: • 64-bit Kc Cipher Key Key Generation
A5 Algorithms • A5/0 : used by countries under UN Sanctions, comes with no encryption. • A5/1 : LFSR-based stream cipher, 64-bit key, broken, the strongest version and is used in Europe and America • A5/2 : LFSR-based stream cipher, 64-bit key, broken, (prohibited to use), a weaker version used mainly in Asia. • A5/3 : KASUMI in OFB mode, 64-bit key • A5/4 : same as A5/3, 128-bit key Ciphering
A5/1 Algorithm Ciphering The best published attacks to it require 240 and 245 steps which makes it vulnerable to hardware-based attacks of organizations but not to software based attacks. Its main weakness is that its key is the output of the A8 algorithm which has already been cracked. The actual size of its key is not 64 but 54, because the last 10 bits are set to 0, which makes it much weaker. Keystream
A5/2 Algorithm Ciphering
A5/3 Algorithm Ciphering KASUMI applies a 64-bit block with a 128-bit key. The process of KASUMI has eight rounds of Feistel Ciphers. Each round require 32-bit input corresponding with 32-bit output.
RNC RAND generator IMSI K Algorithms AUC Quintets req. Quintets sent (Sent via HLR) RAND Quintet CK IK USIM UE K Algo- rithms Ciphering and Integrity Algorithms MSC /SGSN Authentication! Call/Session Establishment Request Authentication Request (RAND, AUTN) Sec Mode Command (CK,IK) Security Mode Command ( ) Sec Mode Complete Security Mode Complete Traffic : Ciphering Signalling: Ciphering & Integrity Authentication Response (RES) Ciphering OK! AKA Authentication and Key Agreement AUC Authentication Centre CK Ciphering Key (128 Bit) IK Integrity Key (128 Bit) K Subscriber Authentication Key (128 Bit) RAND Random number (128 Bit) XRES Expected Response (32-128 Bit) CK XRES AUTN IK IMSI XRES CK RAND IK AUTN RAND CK IK RES AUTN Ciphering and Integrity Algorithms Authentication: AUTN=AUTN Traffic and Signalling CK IK UMTS Security
UMTS Security • UMTS uses a set of function f1 to f9 for security purposes. Derivation functions f1 to f5 are not standardized. There are more than 16 algorithms. Some example integrity and ciphering algorithms: • MILENAGE based on AES (3GPP TS 35.206) • TUAK based on SHA3 (3GPP TS 35.231) • KASUMI in OFB mode-Similar to A5/3 (3GPP TS 35.201) • SNOW 3G (3GPP TS 35.216)
Function Description Input Parameters Output Parameters F0 The random challenge generating function RAND RAND F1 The network authentication function AMF, K, RAND MAC-A (AuC side) /XMAC-A (UE side) F2 The user authentication function K, RAND RES (UE side) /XRES (AuC side) F3 The cipher key derivation function K, RAND CK F4 The integrity key derivation function K, RAND IK F5 The anonymity key derivation function K, RAND AK F8 The confidentiality key stream generating function Count-C, Bearer, Direction, Length, CK <Keystream block> F9 The integrity stamp generating function IK, FRESH, Direction, Count-I, Message MAC-I (UE side) /XMAC-I (RNC side) Authentication
SNOW 3G
LTE Security Key Hierarchy
Ciphering + Integrity check CK IK AK RES XMAC K f1 f2 f3 f4 f5 USIM AUTENTICATION REQUEST RAND, AUTN AUTHENTICATION RESPONSE RES MME HSS UE Calculate AUTN from MAC and AK Derive KASME from CK, IK Check RES against XRES UE authorised! Derive IKNAS and CKNAS Derive IKNAS and CKNAS eNB CK IK AK XRES MAC RAND IMSI → K f1 f2 f3 f4 f5 RAND NAS security (UE – MME) - NW authorises UE (RES) - UE authorises NW (MAC) - Integrity check of sign, (IKNAS) - Ciphering of sign, (CKNAS) Authentication Vector Store received Authentication Vector(s)*) AUTH DATA RESPONSE RAND, AUTN, XRES, KASME AUTN MAC Check MAC against XMAC NW authorised! Derive KASME from CK, IK LTE Security NAS SECURITY MODE COMPLETE NAS SECURITY MODE COMMAND UE sec capabilities, selected NAS algo:s Derive KeNB KeNB, permitted algorithms Ordered algorithms Derive IKCP, CKCP, CKUP Select algorithms Derive KeNB K CK, IK Never leaves Home Domain KASME IKNAS CKNAS Only used in NAS KeNB CKUP CKCP IKCP Only used in AS Derive IKCP, CKCP, CKUP AS security (UE – eNB) - Integrity check of sign, (IKCP) - Ciphering of sign. (CKCP) - Ciphering of traffic (CKUP) Ciphering + Integrity check It is FFS if NAS Security Mode Command is a stand-alone procedure, or can be combined with other messages. NAS MESSAGE UE security capabilities AUTH DATA REQUEST IMSI, SN id, nw type
LTE Security Key Function Length or Size Derived From Basic Description K Master Base Key for GSM/UMTS/EPS 128 - Secret key stored permanently in USIM and AuC (CK,IK) Cipher key and Integrity Key 128 'K' Key Pair of Keys derived in AuC and USIM during AKA run. KASME MME (ASME) Base / Intermediate Key 256 CK,IK Intermediate key derived in HSS/UE from (CK,IK) using AKA. K-eNB eNB Base Key 256 KASME , KeNB* Intermediate Key derived in MME/UE from KASME when UE transits to ECM CONNECTED STATE or by UE and target eNB from KeNB*during handover KeNB* eNB handover transition Key 256 KeNB(H) , NH(V) Intermediate Key derived in source eNB and UE during handover when performing horizontal ( KeNB) or vertical Key(NH) derivation. Used at target eNB to derive KeNB NH Next Hop 256 KeNB Intermediate key derived in MME and UE used to provide forward security and forwarded to eNB via S1-MME interface. KNASint Integrity key for NAS signalling 256 (128 LSB) KASME Integrity key for protection of NAS data derived in MME/UE KNASenc Encryption Key for NAS signalling 256(128 LSB) KASME Encryption key for protection of NAS data derived in MME and UE KUPenc Encryption key for user plane (DRB) 256(128 LSB) KeNB Encryption key for protection of user plane data derived in eNB and UE KRRCint Integrity key for RRC signalling(SRB) 256(128 LSB) KeNB Integrity key for protection of RRC data derived in eNB and UE KRRCenc Encryption key for RRC 256(128 LSB) KeNB Encryption key for protection of RRC data derived in eNB and UE
IP IP eNB SGW PGW IP IP TEID 1 TEID 1 EPS bearer = radio bearer + S1 tunnel + S5 tunnel EPS bearer = radio bearer + S1 tunnel EPS bearer = Radio Bearer EPS bearer Original IP packet from user…. …encapsulated in another IP packet. Encapsulation and Tunneling
eNB SGW PGW Security Domains Security Domain Security Domains are networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical. Typically, a network operated by a single network operator or a single transit operator will constitute one security domain although an operator may at will subsection its network into separate sub-networks. Security Domain A Security Domain B Security Domain C
5G Security Framework UDM (Unified Data Management) Similar to the HSS on a 4G network, stores subscriber root keys and authentication-related subscription data, and generates 5G authentication parameters and vectors. AUSF (Authentication Server Function) - Derives a key.- Provides the network authentication function if the EAP -AKA‘ authentication method is used or provides the home network authentication function if the 5G AKA authentication method is used. AMF (Access & Mobility Management Function) - Derives lower-layer NAS and AS keys. - Provides the service network authentication function if the 5G AKA authentication method is used.
5G Security To solve the problem of IMSI disclosure on 4G networks, IMSIs on 5G networks are encrypted and transmitted over air interfaces for subscriber privacy protection, as shown in the following figure. IMSI Encryption (SUPI -> SUCI) During initial registration, a UE uses the public key of the home network to encrypt non-routing information in the subscription permanent identifier (SUPI) and converts the SUPI into a subscription concealed identifier (SUCI). The routing information is still transmitted in plaintext, and is used to address the home network. After obtaining the SUCI, the core network uses the private key to decrypt the SUCI into an SUPI. UE Base station Core network Registration request (SUCI) SUPI SUCI SUCI SUPI Encryption Decryption Obtaining fails. IMSI Catcher Allocates the 5G-GUTI to the UE after the registration succeeds. Registration request (SUCI)
Auth Resp RES* 5G Authentication & Key Agreement (AKA) UDM AUSF Calculate HXRES* Calculate KSEAF (anchor key) AMF SIDF ARPF SEAF Nausf_UEAuthentication_Auth Req. RES* Nudm_UEAuthentication_ _ResultConfirmation Resp. Nudm_UEAuthentication_ _ResultConfirmation Req. Nausf_UEAuthentication_Auth Resp. NAS message Auth Req RAND, AUTN Nausf_UEAuthentication_Auth Req. SUCI/SUPI, SN Name... Nausf_UEAuthentication_Auth Resp. SUPI, 5G AV: RAND, AUTN, HXRES*, KSEAF KgNB Nudm_UEAuthentication_Get Req. SUCI/SUPI, SN Name... Nudm_UEAuthentication_Get Resp. SUPI, 5G-AKA usage flag, 5G HE AV: RAND, AUTN, XRES*, KAUSF HPLMN VPLMN K K 128 or 256 bits Store UE Authentication status KSEAF → KAMF → KNAS & KgNB RES* → HXRES* Check if HRES* = HXRES* → UE authenticated Check if RES* = XRES* → UE authenticated SUCI → SUPI Decide auth method : EAP-AKA' / 5G-AKA Calculate 5G HE AV K, RAND RES*, KAUSF KAMF KNAS, KgNB KSEAF Calculate response & keys: AUTN: Authentication Token AV: Authentication Vector RAND: Random number RES: Response XRES: Expected Response ARPF Authentication credential Repository and Processing Function HE Home Environment SEAF Security Anchor Function SIDF Subscriber Identity De-concealing Function
Key Hierarchy Generation 33.501 KgNB, NH KRRCenc KAUSF K KAUSF KAMF KN3IWF KNASint KNASenc KRRCint KUPenc KUPint CK’, IK’ KSEAF CK, IK ME N3IWF ME gNB ME ME ME USIM AMF SEAF AUSF ME ARPF ARPF 5G AKA EAP-AKA’ K used for primary authentication KAUSF serving nw specific Horizontal key derivation KAMF changes at AMF change EAP Extensible Authentication Protocol NH Next Hop NH = ”Fresh” param Source: 33.501 6.2.1-1
Comparing Network Feature 2G 3G 4G 5G Mutual Authentication No Yes Yes Yes Integrity Check No Yes Yes Yes Ciphering Key 64 bit 128 bit 128 bit 256 bit IMSI Ciphering No No No Yes
• 3GPP • ETSI • ITU-T • Hexout References

Recommended

2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
High-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5GHigh-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5G3G4G
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basicsMustafa Golam
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Simplified Call Flow Signaling: 2G/3G Voice Call
Simplified Call Flow Signaling: 2G/3G Voice CallSimplified Call Flow Signaling: 2G/3G Voice Call
Simplified Call Flow Signaling: 2G/3G Voice Call3G4G
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 

Recommended

2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network2G / 3G / 4G / IMS / 5G Overview with Focus on Core Network
2G / 3G / 4G / IMS / 5G Overview with Focus on Core NetworkHamidreza Bolhasani
 
High-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5GHigh-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5G3G4G
 
Packet core network basics
Packet core network basicsPacket core network basics
Packet core network basicsMustafa Golam
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Simplified Call Flow Signaling: 2G/3G Voice Call
Simplified Call Flow Signaling: 2G/3G Voice CallSimplified Call Flow Signaling: 2G/3G Voice Call
Simplified Call Flow Signaling: 2G/3G Voice Call3G4G
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Networkyusufd
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdf3GPP_Overall_Architecture_and_Specifications.pdf
3GPP_Overall_Architecture_and_Specifications.pdfAbubakar416712
 
2 g data call flow
2 g data call flow2 g data call flow
2 g data call flowAlfred Ongere
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBJustin MA (馬嘉昌)
 
3 g call flow
3 g call flow3 g call flow
3 g call flowAshish Aggarwal
 
GSM CALL FLOW
GSM CALL FLOWGSM CALL FLOW
GSM CALL FLOWSugamTripathi1
 
Call flow
Call flowCall flow
Call flowTelebeansolutions
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksNaveen Kumar
 
Radio network overview
Radio network overviewRadio network overview
Radio network overviewMd Mustafizur Rahman
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRANStephanie Galloway-Williams
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basicsKarel Berkovec
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)Hamidreza Bolhasani
 
Advanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5GAdvanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5G3G4G
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM ConceptTempus Telcosys
 
LTE Call Processing and Handover
LTE Call Processing and HandoverLTE Call Processing and Handover
LTE Call Processing and HandoverSitha Sok
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term EvolutionArief Gunawan
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
Cell tower, BTS & antennas
Cell tower, BTS & antennasCell tower, BTS & antennas
Cell tower, BTS & antennasnimay1
 
GSM
GSMGSM
GSMMukesh Chinta
 
5g-Air-Interface-pptx.pptx
5g-Air-Interface-pptx.pptx5g-Air-Interface-pptx.pptx
5g-Air-Interface-pptx.pptxMurali Munagapati
 
5G Network Overview
5G Network Overview 5G Network Overview
5G Network OverviewHamidreza Bolhasani
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVikas Shokeen
 
Switching systems lecture7
Switching systems lecture7Switching systems lecture7
Switching systems lecture7Jumaan Ally Mohamed
 
GSM
GSMGSM
GSMJAI MCA-STUDENT
 

More Related Content

What's hot

Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksNaveen Kumar
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)Hamidreza Bolhasani
 
Advanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5GAdvanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5G3G4G
 
LTE Call Processing and Handover
LTE Call Processing and HandoverLTE Call Processing and Handover
LTE Call Processing and HandoverSitha Sok
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term EvolutionArief Gunawan
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...Vikas Shokeen
 
Cell tower, BTS & antennas
Cell tower, BTS & antennasCell tower, BTS & antennas
Cell tower, BTS & antennasnimay1
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVikas Shokeen
 

What's hot (20)

2 g data call flow
2 g data call flow2 g data call flow
2 g data call flow
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFB
 
3 g call flow
3 g call flow3 g call flow
3 g call flow
 
GSM CALL FLOW
GSM CALL FLOWGSM CALL FLOW
GSM CALL FLOW
 
Call flow
Call flowCall flow
Call flow
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) Networks
 
Radio network overview
Radio network overviewRadio network overview
Radio network overview
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
 
VoLTE flows - basics
VoLTE flows - basicsVoLTE flows - basics
VoLTE flows - basics
 
CS-Core Mobile Network (General)
CS-Core Mobile Network (General)CS-Core Mobile Network (General)
CS-Core Mobile Network (General)
 
Advanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5GAdvanced: True Fixed-Mobile Convergence (FMC) with 5G
Advanced: True Fixed-Mobile Convergence (FMC) with 5G
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
 
LTE Call Processing and Handover
LTE Call Processing and HandoverLTE Call Processing and Handover
LTE Call Processing and Handover
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term Evolution
 
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
volte call flow - SIP IMS Call Flow - MO and MT Call - Volte Mobile originati...
 
Cell tower, BTS & antennas
Cell tower, BTS & antennasCell tower, BTS & antennas
Cell tower, BTS & antennas
 
GSM
GSMGSM
GSM
 
5g-Air-Interface-pptx.pptx
5g-Air-Interface-pptx.pptx5g-Air-Interface-pptx.pptx
5g-Air-Interface-pptx.pptx
 
5G Network Overview
5G Network Overview 5G Network Overview
5G Network Overview
 
VoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack ExplainedVoLTE Interfaces , Protocols & IMS Stack Explained
VoLTE Interfaces , Protocols & IMS Stack Explained
 

Similar to Mobile Networks Architecture and Security (2G to 5G)

fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptHazemElabed2
 
bsnl presentation on gsm
bsnl presentation on gsm bsnl presentation on gsm
bsnl presentation on gsm Kapil Masatker
 
02 gsm hscsd_gprs
02 gsm hscsd_gprs02 gsm hscsd_gprs
02 gsm hscsd_gprsChyon Ju
 
Securing Wireless Cellular Systems
Securing Wireless Cellular SystemsSecuring Wireless Cellular Systems
Securing Wireless Cellular SystemsACMBangalore
 
Rk 3 gsm network
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm networkAzri Randy
 
Gsm Overview
Gsm OverviewGsm Overview
Gsm Overviewtijeel
 
2G...All about second generation of cellular networks.
2G...All about second generation of cellular networks.2G...All about second generation of cellular networks.
2G...All about second generation of cellular networks.Muhammad Ahad
 
Gsm training
Gsm trainingGsm training
Gsm traininggernaz55
 

Similar to Mobile Networks Architecture and Security (2G to 5G) (20)

Switching systems lecture7
Switching systems lecture7Switching systems lecture7
Switching systems lecture7
 
GSM
GSMGSM
GSM
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsm
 
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.pptfdocuments.net_gsm-call-flows-5584455b2833e.ppt
fdocuments.net_gsm-call-flows-5584455b2833e.ppt
 
Gsm Network
Gsm NetworkGsm Network
Gsm Network
 
bsnl presentation on gsm
bsnl presentation on gsm bsnl presentation on gsm
bsnl presentation on gsm
 
GSM Network
GSM NetworkGSM Network
GSM Network
 
Gsm (2)
Gsm (2)Gsm (2)
Gsm (2)
 
02 gsm hscsd_gprs
02 gsm hscsd_gprs02 gsm hscsd_gprs
02 gsm hscsd_gprs
 
Securing Wireless Cellular Systems
Securing Wireless Cellular SystemsSecuring Wireless Cellular Systems
Securing Wireless Cellular Systems
 
Gsm architecture
Gsm architectureGsm architecture
Gsm architecture
 
GSM.ppt
GSM.pptGSM.ppt
GSM.ppt
 
Rk 3 gsm network
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm network
 
Rk 3 gsm network @guddu
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddu
 
gsm operation
gsm operationgsm operation
gsm operation
 
Gsm Overview
Gsm OverviewGsm Overview
Gsm Overview
 
2G...All about second generation of cellular networks.
2G...All about second generation of cellular networks.2G...All about second generation of cellular networks.
2G...All about second generation of cellular networks.
 
Gsm
GsmGsm
Gsm
 
Gsm training
Gsm trainingGsm training
Gsm training
 
GSM Architecture.ppt
GSM Architecture.ppt GSM Architecture.ppt
GSM Architecture.ppt
 

More from Hamidreza Bolhasani

Introduction to Research Methodology
Introduction to Research MethodologyIntroduction to Research Methodology
Introduction to Research MethodologyHamidreza Bolhasani
 
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...Hamidreza Bolhasani
 
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...Hamidreza Bolhasani
 
NFV +SDN (Network Function Virtualization)
NFV +SDN (Network Function Virtualization)NFV +SDN (Network Function Virtualization)
NFV +SDN (Network Function Virtualization)Hamidreza Bolhasani
 
5G New Services - Opportunities and Challenges
5G New Services - Opportunities and Challenges5G New Services - Opportunities and Challenges
5G New Services - Opportunities and ChallengesHamidreza Bolhasani
 
5G + AI Applications in Healthcare and Medical Sciences
5G + AI Applications in Healthcare and Medical Sciences5G + AI Applications in Healthcare and Medical Sciences
5G + AI Applications in Healthcare and Medical SciencesHamidreza Bolhasani
 
Neural Networks Hardware Accelerators (An Introduction)
Neural Networks Hardware Accelerators (An Introduction)Neural Networks Hardware Accelerators (An Introduction)
Neural Networks Hardware Accelerators (An Introduction)Hamidreza Bolhasani
 
Machine Learning in R - Part 1: Correlation and Regression (Basics)
Machine Learning in R - Part 1: Correlation and Regression (Basics)Machine Learning in R - Part 1: Correlation and Regression (Basics)
Machine Learning in R - Part 1: Correlation and Regression (Basics)Hamidreza Bolhasani
 
An Introduction to Quantum Computers Architecture
An Introduction to Quantum Computers ArchitectureAn Introduction to Quantum Computers Architecture
An Introduction to Quantum Computers ArchitectureHamidreza Bolhasani
 
Transport Layer in Computer Networks (TCP / UDP / SCTP)
Transport Layer in Computer Networks (TCP / UDP / SCTP)Transport Layer in Computer Networks (TCP / UDP / SCTP)
Transport Layer in Computer Networks (TCP / UDP / SCTP)Hamidreza Bolhasani
 
High-Tech Telecommunication (4G/LTE) overview with focus on new services
High-Tech Telecommunication (4G/LTE) overview with focus on new servicesHigh-Tech Telecommunication (4G/LTE) overview with focus on new services
High-Tech Telecommunication (4G/LTE) overview with focus on new servicesHamidreza Bolhasani
 

More from Hamidreza Bolhasani (12)

Introduction to Research Methodology
Introduction to Research MethodologyIntroduction to Research Methodology
Introduction to Research Methodology
 
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...
Internet of Things (IoT) and Artificial Intelligence (AI) role in Medical and...
 
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...
An Overview on the role of Artificial Intelligence (AI) and Deep Neural Netwo...
 
NFV +SDN (Network Function Virtualization)
NFV +SDN (Network Function Virtualization)NFV +SDN (Network Function Virtualization)
NFV +SDN (Network Function Virtualization)
 
5G New Services - Opportunities and Challenges
5G New Services - Opportunities and Challenges5G New Services - Opportunities and Challenges
5G New Services - Opportunities and Challenges
 
5G + AI Applications in Healthcare and Medical Sciences
5G + AI Applications in Healthcare and Medical Sciences5G + AI Applications in Healthcare and Medical Sciences
5G + AI Applications in Healthcare and Medical Sciences
 
Neural Networks Hardware Accelerators (An Introduction)
Neural Networks Hardware Accelerators (An Introduction)Neural Networks Hardware Accelerators (An Introduction)
Neural Networks Hardware Accelerators (An Introduction)
 
Machine Learning in R - Part 1: Correlation and Regression (Basics)
Machine Learning in R - Part 1: Correlation and Regression (Basics)Machine Learning in R - Part 1: Correlation and Regression (Basics)
Machine Learning in R - Part 1: Correlation and Regression (Basics)
 
An Introduction to Quantum Computers Architecture
An Introduction to Quantum Computers ArchitectureAn Introduction to Quantum Computers Architecture
An Introduction to Quantum Computers Architecture
 
Transport Layer in Computer Networks (TCP / UDP / SCTP)
Transport Layer in Computer Networks (TCP / UDP / SCTP)Transport Layer in Computer Networks (TCP / UDP / SCTP)
Transport Layer in Computer Networks (TCP / UDP / SCTP)
 
IMS + VoLTE Overview
IMS + VoLTE OverviewIMS + VoLTE Overview
IMS + VoLTE Overview
 
High-Tech Telecommunication (4G/LTE) overview with focus on new services
High-Tech Telecommunication (4G/LTE) overview with focus on new servicesHigh-Tech Telecommunication (4G/LTE) overview with focus on new services
High-Tech Telecommunication (4G/LTE) overview with focus on new services
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Mobile Networks Architecture and Security (2G to 5G)

  • 1. Mobile Network Architecture & Security (From 2G to 5G) Dr. Ali Soleymani, Assistant Professor at Iranians University, ali.soleymani@iranian.ac.ir Dr. Hamidreza Bolhasani, PhD Candidate at SRB-IAU Branch, hamidreza.bolhasani@srbiau.ac.ir 27th International Computer Conference, Computer Society of Iran (CSICC 2022)
  • 2.
  • 3. Global System for Mobiles (GSM) ◼ Cellular Network or Mobile Network is a communication network where the last link is wireless. The network is distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell or base station.
  • 4. 2G / 3G Overview GSM /GPRS BSS BTS BSC NodeB RNC PCU UTRAN SCP SMS SCE PSTN ISDN Internet, Intranet MSC/VLR GMSC HLR/AUC SGSN CG BG GGSN GPRS Other PLMN IPBB
  • 5. 2G Radio ◼ BTS (Base Station Transceiver) BTS is a piece of equipment that facilitates wireless communication between user equipment (UE) and a network. UEs are devices like mobile phones (handsets), WLL phones, computers with wireless Internet connectivity. ◼ BSC (Base Station Controller) BSC is a critical mobile network component that controls one or more base transceiver stations (BTS), also known as base stations or cell sites. Key BSC functions include radio network management (such as radio frequency control), BTS handover management and call setup. It also carries transcoding of speech channels.
  • 6. 3G Radio ◼ NodeB NodeB is a term used in UMTS equivalent to the BTS (base transceiver station) description used in GSM. ◼ RNC (Radio Network Controller) RNC is a governing element in the UMTS radio access network (UTRAN) and is responsible for controlling the NodeBs that are connected to it. The RNC carries out radio resource management, some of the mobility management functions and is the point where encryption is done before user data is sent to and from the mobile.
  • 7. Terminologies - IMSI MCC MNC MSIN 3 digits 2/3 digits Not more than 15 digits IMSI (International Mobile Subscriber Identity) NMSI MCC:Mobile Country Code MNC:Mobile Network Code MSIN:Mobile Station Identification Number NMSI:National Mobile Station Identity
  • 8. TMSI  TMSI: Temporary Mobile Subscriber Identity  In order to ensure subscriber identity confidentiality, the VLR (Visiting Location Register) and SGSN (Serving GPRS Support Node) may allocate TMSI to visiting mobile subscribers.
  • 9. IMEI TAC FAC spare 6 digits 2 digits 15 digits IMEI (International Mobile Equipment Identity) TAC:Type Approval Code FAC:Final Assembly Code SNR:Serial Number spare:Standby bit Example:490547403767335 SNR 6 digits 1 digits
  • 10. MSISDN CC NDC SN National ( Significant ) Mobile Number MSISDN:Mobile Station International ISDN number CC: Country Code, China Country Code is 86 NDC:National Destination Code SN: Subscriber Number
  • 11. LAI / GCI / SAI Location Area Identity MCC MNC LAC Cell Global Identity MCC MNC LAC CI Service Area Identity MCC MNC LAC SAC
  • 12. TAI / TAC Tracking Area Identity MCC MNC TAC
  • 17. 2G / 3G Core Network (CN) ◼ Core Network is split into CS domain and PS domain. CS domain is based on original GSM network. PS domain is based on original GPRS network. ◼ CS domain: used to provide Circuit-switched service. Network mode can support TDM, ATM and IP. Physical entities include switching equipment (such as MSC/VLR, GMSCs, HSS), and inter-working equipment (IWF). ◼ PS domain: used to provide Packet-switched service. Network mode is IP. Physical entities include SGSN, GGSN, CG , BG etc.
  • 18. 2G / 3G Core Network (CN) ◼ Function entity shared by CS domain and PS :  MSC Server: Control layer, to realize MM (Mobility Management), CM (Call Control), MGC (Media Gateway Control).  MGW: Bearer layer, to realize the exchange of voice and media flow, and provide all kinds sources, such as TC, EC, play announcement and receive DTMF.  SG: To realize signaling transfer from MTP (SS7 transmission layer) to SCTP/IP (SIGTRAN).
  • 19. 2G / 3G Core Network (CN)  HLR/HSS: To realize mobile subscriber management and location information management.  VLR: To deal with all kinds of data information of current mobile subscriber.  AUC: To store authentication information of mobile subscriber.  EIR: To store IMEI data of mobile subscriber.  SMS: Short Message Center.
  • 20. Scenario #1 Location Update / Authentication MS BSS MSC VLR HLR/AUC Locating updating request(IMSI) Um BSSAP MAP MAP A B D Locating updating request Update location area (IMSI) Send parameters(IMSI) Authentication parameters (RAND/SRES/Kc,IMSI) Authenticate Authentication request Authentication response Authentication response Update location Inserte subscriber data Subscriber data insertion ack. cancel location cancel location ack. PVLR Update location ack. (HLR?) Set cyphering mode Forward new TMSI Update location area ack. CYPHER MODE COMMAND CYPHER MODE COMPLETE Location updating accepte TMSI reallocation complete TMSI acknowledge CLEAR COMMAND CLEAR COMPLETE imsi/tmsi,old lai,current lai/gci
  • 21. Scenario #2 Call Flow (1/2) Um A B D A Um MSa BSSa MSC VLR HLR BSSb MSb channel request RACH SDCCH CM service request (CKSN,IMSI/TMSI) CM service req.) CM service req.) Send parameters (IMSI/TMSI) Authentication para. (IMSI,RAND/SRES/Kc) Authenticate (RAND,CKSNn) Authentication request(RAND,CKSNn) Authentication response(SRES) Authen. res.(SRES) Set cyphering mode Access req. accepted (IMSI/MSISDN) CM service accept CIPHER MODE COMMAND(Kc) CIPHER MODE COMPLETE Setup ( MSISDN) Send info. for o/g call setup Complete Call Call proceeding ASSIGNMENT REQUEST ASSIGNMENT COMPLETE Send routing info req. (MSISDN, supplyment service info ) Provide roaming number req(IMSI) Provide roaming number Ind Send Routing infomation acknowledge send info.for i/c call setup page MS(LAI) PAGING(LAI,IMSI) Page response Page response(LAI,GCI)
  • 22. Scenario #2 Call Flow (2/2) Um A B D A Um MSa BSSa MSC VLR HLR BSSb MSb Process access req. Send para. (IMSI/TMSI) Authen. para. (IMSI,RAND/SRES/Kc) Authenticate (RAND,CKSNn) Authentication request(RAND,CKSNn) Authentication(SRES) Authentication response(SRES) Set cyphering mode Access request accepted Complete call CIPHER MODE COMMAND(Kc) CIPHER MODE COMPLETE Setup (calling MSISDN) Call confirmed ASSIGNMENT REQUEST ASSIGNMENT COMPLETE Alerting Connect Connect acknowledge Alerting Connect Connect acknowledge
  • 23. GPRS Network Structure ⚫ What is GPRS?  General Packet Radio Service ⚫ Why GPRS?  In order to provide the data service out the scope of the fixed network ⚫ GPRS network classification  GSM GPRS  UMTS GPRS ⚫ GPRS network background  GSM GPRS network reuse the existed GSM network  UMTS GPRS network just change the RAN side
  • 24. GPRS Network Structure FR EIR HLR SMS-GMSC SMS-IWMSC MSC/VLR BSS UTRAN SGSN SGSN GGSN BG CG TE PDN SS7 ATM DDN ISDN Ethernet.etc GPRS Backbone Gs Gd Gr Gf Gc Gb Iu Um Um Gp Gi Gn Gn ATM Ga SCP GMLC Ge Lg Ga ⚫ Some Abbreviation  GPRS: General Packet Radio Service  BSS: Base Station Subsystem  UTRAN: UMTS Terrestrial Radio Access Network  SGSN: Service GPRS Support Node  GGSN: Gateway GPRS Support Node  CG: Charging Gateway  BG: Bordering Gateway  PDN: Packet Data Network
  • 25. GPRS Network Structure ⚫ Important Entity Function __ SGSN  Mobility management − The mobility management functions are used to keep track of the current location of an MS within the PLMN or within another PLMN.  Session management − Session Management (SM) function manages the PDP context of MS.  Routing and transfer − SGSN performs routing and forwarding of service data between MS and GGSN.  Charging − SGSN can generate, store, convert and send CDRs.  Lawful Interception  NTP
  • 26. GPRS Network Structure ⚫ Important Entity Function __ GGSN Session management − Session Management (SM) function manages the PDP context of MS. Routing and transfer − GGSN performs routing and forwarding of service data between MS and internet. Charging − GGSN can generate, store, convert and send CDRs. Dynamic IP allocation Service management − Manage APN
  • 30.
  • 31.
  • 32.
  • 34. 5G – Near Future
  • 35. 2G → 5G Roadmap
  • 37. 2G → 5G Roadmap
  • 41. 5G – Network Architecture
  • 44. 5GNR – New Radio
  • 45. 5G Spectrum – mmWave
  • 50.
  • 51. 5G & AR / VR
  • 52.
  • 53. 5G & AR / VR
  • 54.
  • 55.
  • 56. 5G & Artificial Intelligence (AI)
  • 57. 5G & Artificial Intelligence (AI)
  • 58.
  • 59.
  • 60. 5G & V2X / Connected Cars
  • 64.
  • 65. BSC RAND generator IMSI Ki A3 A8 AUC Triplets req. Triplets sent (Sent via HLR) Kc SRES RAND Triplet Kc SIM MS Ki A3 A8 RAND Kc SRES A5 A5 MSC VLR Authentication! IMSI SRES Kc RAND Call Establishment Request Authentication Request (RAND) Ciphering Command (Kc) Ciph. Command ( ) Ciphering Complete Ciphering Complete Ciphered Traffic and Signalling Traffic and Signalling Authentication Response (SRES) Ciphering OK! AUC Authentication Centre Ki Subscriber Authentication Key (128 Bit) Kc Ciphering Key (64 Bit) RAND Random number (128 Bit) SRES Signed Response (32 Bit) GSM Security
  • 66. A3 Algorithm (Compress Function: COMP128) • Input: • 128-bit RAND random number • 128-bit Ki private key • Output: • 32-bit RES/SRES Authentication
  • 67. A8 Algorithm (Compress Function: COMP128) • Input: • 128-bit RAND random number • 128-bit Ki private key • Output: • 64-bit Kc Cipher Key Key Generation
  • 68. A5 Algorithms • A5/0 : used by countries under UN Sanctions, comes with no encryption. • A5/1 : LFSR-based stream cipher, 64-bit key, broken, the strongest version and is used in Europe and America • A5/2 : LFSR-based stream cipher, 64-bit key, broken, (prohibited to use), a weaker version used mainly in Asia. • A5/3 : KASUMI in OFB mode, 64-bit key • A5/4 : same as A5/3, 128-bit key Ciphering
  • 69. A5/1 Algorithm Ciphering The best published attacks to it require 240 and 245 steps which makes it vulnerable to hardware-based attacks of organizations but not to software based attacks. Its main weakness is that its key is the output of the A8 algorithm which has already been cracked. The actual size of its key is not 64 but 54, because the last 10 bits are set to 0, which makes it much weaker. Keystream
  • 71. A5/3 Algorithm Ciphering KASUMI applies a 64-bit block with a 128-bit key. The process of KASUMI has eight rounds of Feistel Ciphers. Each round require 32-bit input corresponding with 32-bit output.
  • 72. RNC RAND generator IMSI K Algorithms AUC Quintets req. Quintets sent (Sent via HLR) RAND Quintet CK IK USIM UE K Algo- rithms Ciphering and Integrity Algorithms MSC /SGSN Authentication! Call/Session Establishment Request Authentication Request (RAND, AUTN) Sec Mode Command (CK,IK) Security Mode Command ( ) Sec Mode Complete Security Mode Complete Traffic : Ciphering Signalling: Ciphering & Integrity Authentication Response (RES) Ciphering OK! AKA Authentication and Key Agreement AUC Authentication Centre CK Ciphering Key (128 Bit) IK Integrity Key (128 Bit) K Subscriber Authentication Key (128 Bit) RAND Random number (128 Bit) XRES Expected Response (32-128 Bit) CK XRES AUTN IK IMSI XRES CK RAND IK AUTN RAND CK IK RES AUTN Ciphering and Integrity Algorithms Authentication: AUTN=AUTN Traffic and Signalling CK IK UMTS Security
  • 73. UMTS Security • UMTS uses a set of function f1 to f9 for security purposes. Derivation functions f1 to f5 are not standardized. There are more than 16 algorithms. Some example integrity and ciphering algorithms: • MILENAGE based on AES (3GPP TS 35.206) • TUAK based on SHA3 (3GPP TS 35.231) • KASUMI in OFB mode-Similar to A5/3 (3GPP TS 35.201) • SNOW 3G (3GPP TS 35.216)
  • 74. Function Description Input Parameters Output Parameters F0 The random challenge generating function RAND RAND F1 The network authentication function AMF, K, RAND MAC-A (AuC side) /XMAC-A (UE side) F2 The user authentication function K, RAND RES (UE side) /XRES (AuC side) F3 The cipher key derivation function K, RAND CK F4 The integrity key derivation function K, RAND IK F5 The anonymity key derivation function K, RAND AK F8 The confidentiality key stream generating function Count-C, Bearer, Direction, Length, CK <Keystream block> F9 The integrity stamp generating function IK, FRESH, Direction, Count-I, Message MAC-I (UE side) /XMAC-I (RNC side) Authentication
  • 76.
  • 77. LTE Security Key Hierarchy
  • 78. Ciphering + Integrity check CK IK AK RES XMAC K f1 f2 f3 f4 f5 USIM AUTENTICATION REQUEST RAND, AUTN AUTHENTICATION RESPONSE RES MME HSS UE Calculate AUTN from MAC and AK Derive KASME from CK, IK Check RES against XRES UE authorised! Derive IKNAS and CKNAS Derive IKNAS and CKNAS eNB CK IK AK XRES MAC RAND IMSI → K f1 f2 f3 f4 f5 RAND NAS security (UE – MME) - NW authorises UE (RES) - UE authorises NW (MAC) - Integrity check of sign, (IKNAS) - Ciphering of sign, (CKNAS) Authentication Vector Store received Authentication Vector(s)*) AUTH DATA RESPONSE RAND, AUTN, XRES, KASME AUTN MAC Check MAC against XMAC NW authorised! Derive KASME from CK, IK LTE Security NAS SECURITY MODE COMPLETE NAS SECURITY MODE COMMAND UE sec capabilities, selected NAS algo:s Derive KeNB KeNB, permitted algorithms Ordered algorithms Derive IKCP, CKCP, CKUP Select algorithms Derive KeNB K CK, IK Never leaves Home Domain KASME IKNAS CKNAS Only used in NAS KeNB CKUP CKCP IKCP Only used in AS Derive IKCP, CKCP, CKUP AS security (UE – eNB) - Integrity check of sign, (IKCP) - Ciphering of sign. (CKCP) - Ciphering of traffic (CKUP) Ciphering + Integrity check It is FFS if NAS Security Mode Command is a stand-alone procedure, or can be combined with other messages. NAS MESSAGE UE security capabilities AUTH DATA REQUEST IMSI, SN id, nw type
  • 79. LTE Security Key Function Length or Size Derived From Basic Description K Master Base Key for GSM/UMTS/EPS 128 - Secret key stored permanently in USIM and AuC (CK,IK) Cipher key and Integrity Key 128 'K' Key Pair of Keys derived in AuC and USIM during AKA run. KASME MME (ASME) Base / Intermediate Key 256 CK,IK Intermediate key derived in HSS/UE from (CK,IK) using AKA. K-eNB eNB Base Key 256 KASME , KeNB* Intermediate Key derived in MME/UE from KASME when UE transits to ECM CONNECTED STATE or by UE and target eNB from KeNB*during handover KeNB* eNB handover transition Key 256 KeNB(H) , NH(V) Intermediate Key derived in source eNB and UE during handover when performing horizontal ( KeNB) or vertical Key(NH) derivation. Used at target eNB to derive KeNB NH Next Hop 256 KeNB Intermediate key derived in MME and UE used to provide forward security and forwarded to eNB via S1-MME interface. KNASint Integrity key for NAS signalling 256 (128 LSB) KASME Integrity key for protection of NAS data derived in MME/UE KNASenc Encryption Key for NAS signalling 256(128 LSB) KASME Encryption key for protection of NAS data derived in MME and UE KUPenc Encryption key for user plane (DRB) 256(128 LSB) KeNB Encryption key for protection of user plane data derived in eNB and UE KRRCint Integrity key for RRC signalling(SRB) 256(128 LSB) KeNB Integrity key for protection of RRC data derived in eNB and UE KRRCenc Encryption key for RRC 256(128 LSB) KeNB Encryption key for protection of RRC data derived in eNB and UE
  • 80. IP IP eNB SGW PGW IP IP TEID 1 TEID 1 EPS bearer = radio bearer + S1 tunnel + S5 tunnel EPS bearer = radio bearer + S1 tunnel EPS bearer = Radio Bearer EPS bearer Original IP packet from user…. …encapsulated in another IP packet. Encapsulation and Tunneling
  • 81. eNB SGW PGW Security Domains Security Domain Security Domains are networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical. Typically, a network operated by a single network operator or a single transit operator will constitute one security domain although an operator may at will subsection its network into separate sub-networks. Security Domain A Security Domain B Security Domain C
  • 82. 5G Security Framework UDM (Unified Data Management) Similar to the HSS on a 4G network, stores subscriber root keys and authentication-related subscription data, and generates 5G authentication parameters and vectors. AUSF (Authentication Server Function) - Derives a key.- Provides the network authentication function if the EAP -AKA‘ authentication method is used or provides the home network authentication function if the 5G AKA authentication method is used. AMF (Access & Mobility Management Function) - Derives lower-layer NAS and AS keys. - Provides the service network authentication function if the 5G AKA authentication method is used.
  • 83. 5G Security To solve the problem of IMSI disclosure on 4G networks, IMSIs on 5G networks are encrypted and transmitted over air interfaces for subscriber privacy protection, as shown in the following figure. IMSI Encryption (SUPI -> SUCI) During initial registration, a UE uses the public key of the home network to encrypt non-routing information in the subscription permanent identifier (SUPI) and converts the SUPI into a subscription concealed identifier (SUCI). The routing information is still transmitted in plaintext, and is used to address the home network. After obtaining the SUCI, the core network uses the private key to decrypt the SUCI into an SUPI. UE Base station Core network Registration request (SUCI) SUPI SUCI SUCI SUPI Encryption Decryption Obtaining fails. IMSI Catcher Allocates the 5G-GUTI to the UE after the registration succeeds. Registration request (SUCI)
  • 84. Auth Resp RES* 5G Authentication & Key Agreement (AKA) UDM AUSF Calculate HXRES* Calculate KSEAF (anchor key) AMF SIDF ARPF SEAF Nausf_UEAuthentication_Auth Req. RES* Nudm_UEAuthentication_ _ResultConfirmation Resp. Nudm_UEAuthentication_ _ResultConfirmation Req. Nausf_UEAuthentication_Auth Resp. NAS message Auth Req RAND, AUTN Nausf_UEAuthentication_Auth Req. SUCI/SUPI, SN Name... Nausf_UEAuthentication_Auth Resp. SUPI, 5G AV: RAND, AUTN, HXRES*, KSEAF KgNB Nudm_UEAuthentication_Get Req. SUCI/SUPI, SN Name... Nudm_UEAuthentication_Get Resp. SUPI, 5G-AKA usage flag, 5G HE AV: RAND, AUTN, XRES*, KAUSF HPLMN VPLMN K K 128 or 256 bits Store UE Authentication status KSEAF → KAMF → KNAS & KgNB RES* → HXRES* Check if HRES* = HXRES* → UE authenticated Check if RES* = XRES* → UE authenticated SUCI → SUPI Decide auth method : EAP-AKA' / 5G-AKA Calculate 5G HE AV K, RAND RES*, KAUSF KAMF KNAS, KgNB KSEAF Calculate response & keys: AUTN: Authentication Token AV: Authentication Vector RAND: Random number RES: Response XRES: Expected Response ARPF Authentication credential Repository and Processing Function HE Home Environment SEAF Security Anchor Function SIDF Subscriber Identity De-concealing Function
  • 85. Key Hierarchy Generation 33.501 KgNB, NH KRRCenc KAUSF K KAUSF KAMF KN3IWF KNASint KNASenc KRRCint KUPenc KUPint CK’, IK’ KSEAF CK, IK ME N3IWF ME gNB ME ME ME USIM AMF SEAF AUSF ME ARPF ARPF 5G AKA EAP-AKA’ K used for primary authentication KAUSF serving nw specific Horizontal key derivation KAMF changes at AMF change EAP Extensible Authentication Protocol NH Next Hop NH = ”Fresh” param Source: 33.501 6.2.1-1
  • 86. Comparing Network Feature 2G 3G 4G 5G Mutual Authentication No Yes Yes Yes Integrity Check No Yes Yes Yes Ciphering Key 64 bit 128 bit 128 bit 256 bit IMSI Ciphering No No No Yes
  • 87. • 3GPP • ETSI • ITU-T • Hexout References