Wireless Cellular Security

Arvind, an old colleague recently spoke in ACM, Bangalore on the topic of Security. Here is his presentation:

Securing Wireless Cellular Systems

View more documents from ACMBangalore.

There are lots of interesting Questions and Answers. One interesting one is:

Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that’s needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.

You can read all Q&A's here.

I wrote a tutorial on UMTS security many years back. Its available here.

Testing UMTS protocols

Testing UMTS by Dan Fox, Anritsu

Its nearly three years since I wrote an FAQ on UMTS Testing. So when I got my hands on this book the other day, I so wanted to read it. It would be a while before I manage to go through the book in detail but my initial impression is that this book looks quite good.

Since the book deals with Protocol Testing, the testing has been grouped into three categories:

1. Integration Testing
2. Conformance Testing
3. Interoperability Testing

There is a chapter explaining each of these. The Conformance testing is of interest to me as I have been involved directly and indirectly with this for quite some years now. The book explains the process, standards required and submission of tests to GCF/PTCRB.

For those whom testing does not hold much charm, they can gain greater understanding of the concepts by reading Part II of the book. One thing I really liked in this book is that the diagrams explain the concepts very well. Rather than copying them straight from the 3GPP specifications, they have been improved and re-done by the author. Basic things like 'Dynamic TFCI selection' and 'Layer 2 transport channel processing flow for the 12.2 kbps RMC' are explained clearly using the diagrams.

There is just the right amount of detail in the chapters for Physical Layer, Layer 2 (MAC, RLC, PDCP) and Layer 3 (RRC, NAS). Further chapters show message flow sequence charts explaining things like 'setting up of speech call' and 'location updating procedure'. I have some basic sequence diagrams for message flow in the Tutorial section but the ones in the book are comparatively more detailed.

The book mainly covers UMTS, with an introduction to HSPA. It would be worthwhile to have the next edition covering LTE in detail. The main reason being that there are lots of changes in the case of LTE. The Air Interface has changed, the channels are different. The NAS messages and entities are different. UMTS (and HSPA) use TTCN-2 for testing but LTE uses TTCN-3. UMTS does not use MIMO (MIMO available for HSPA from Release 7 onwards) but LTE would generally always use MIMO.

Overall, this seems to be a useful book and I am looking forward to reading it in detail.

Orthogonality and non orthogonality

Multiple access (MA) is a basic function in wireless cellular systems. Generally speaking, MA techniques can be classified into orthogonal and non-orthogonal approaches. In orthogonal approaches, signals from different users are orthogonal to each other, i.e., their cross correlation is zero, which can be achieved by time division multiple-access (TDMA), frequency-division multiple-access (FDMA) and orthogonal-frequency division multiple-access (OFDMA). Non-orthogonal schemes allow non-zero cross correlation among the signals from different users, such as in random waveform code-division multiple-access (CDMA), trellis-coded multiple-access (TCMA) and interleave-division multiple-access (IDMA).

First and second generation cellular systems are dominated by orthogonal MA approaches. The main advantage of these approaches is the avoidance of intra-cell interference. However, careful cell planning is necessary in these systems to curtail cross-cell interference. In particular, sufficient distance must exist between re-used channels, resulting in reduced cellular spectral efficiency.

Non-orthogonal CDMA techniques have been adopted in second and third generation cellular systems (e.g. CDMA2000 and uplink WCDMA). Compared with its orthogonal counterparts, CDMA is more robust against fading and cross-cell interference, but is prone to intracell interference. Due to its spread-spectrum nature, CDMA is inconvenient for data services (e.g., wireless local area networks (WLANs) and 3GPP high speed uplink/downlink packet access (HSUPA/HSDPA) standard) that require high single-user rates.

Communication services can be classified into delay sensitive and insensitive ones. A typical example of a delay-insensitive service is email. Typical examples of delay-sensitive services include speech and video applications. For delay insensitive services, rate constraints are relatively relaxed for individual users and maximizing the throughput by orthogonal methods is a common strategy. The maximum throughput can be achieved by a one-user transmission policy, where only the user with the largest channel gain is allowed to transmit. This implies time domain orthogonality as adopted in many WLANs. For delay-sensitive services, on the other hand, each user must transmit a certain amount of information within a certain period and maximizing the throughput is no longer an appropriate strategy. Rate constraints must be considered in this case.

CDMA is the most well known non-orthogonal technique. The main advantages of CDMA are its robustness against fading and cross-cell interference, and its flexibility in asynchronous transmission environments.

An uplink data transfer mechanism in the HSUPA is provided by physical HSUPA channels, such as an Enhanced Dedicated Physical Data Channel (E-DPDCH), implemented on top of Wideband Code Division Multiple Access (WCDMA) uplink physical data channels such as a Dedicated Physical Control Channel (DPCCH) and a Dedicated Physical Data Channel (DPDCH), thus sharing radio resources, such as power resources, with the WCDMA uplink physical data channels. The sharing of the radio resources results in inflexibility in radio resource allocation to the physical HSUPA channels and the WCDMA physical data channels. In CDMA, which is a non-orthogonal multiple access scheme, the signals from different users within the same cell interfere with one another. This type of interference is known as the intra-cell interference. In addition, the base station also receives the interference from the users transmitting in neighbouring cells. This is known as the inter-cell interference.

Uplink power control is typically intended to control the received signal power from the active user equipments (UEs) to the base as well as the rise-over-thermal (RoT), which is a measure of the total interference (intra- and inter-cell) relative to the thermal noise. In systems such as HSUPA, fast power control is required due to the fast fluctuation in multi-user (intra-cell) interference. This fast fluctuation will otherwise result in the well-known near-far problem. Moreover, as uplink transmission in an HSUPA system is not orthogonal, the signal from each transmitting UE is subject to interference from another transmitting UE. If the signal strength of UEs varies substantially, a stronger UE (for example, a UE in favourable channel conditions experiencing a power boost due to constructive short term channel fading such as Rayleigh fading) may completely overwhelm the signal of a weaker UE (with signal experiencing attenuation due to short term fading). To mitigate this problem, fast power control has been considered previously in the art where fast power control commands are transmitted from a base station to each UE to set the power of uplink transmission.

When an orthogonal multiple access scheme such as Single-Carrier Frequency Division Multiple Access (SC-FDMA), which includes interleaved and localized Frequency Division Multiple Access (FDMA) or Orthogonal Frequency Division Multiple Access (OFDMA), is used, multi-user interference is not present for low mobility and small for moderate mobility. This is the case for the next generation UMTS i.e. LTE system. LTE system employs SC-FDMA in uplink and OFDMA in downlink. As a result in the case of LTE, the fluctuation in the total interference only comes from inter-cell interference and thermal noise which tends to be slower. While fast power control can be utilized, it can be argued that its advantage is minimal. Hence, only slow power control is needed for orthogonal multiple access schemes.