
Figure 6.122 Message integrity check

Figure 6.123 Composition of count-I: RRC HFN (28 bits) followed by RRC SN (4 bits)

for each RRC signalling message. Once the RRC SN cycles, the HFN number is
incremented.
• FRESH: a random number generated by the RNC and passed to the UE in the security
mode command. The FRESH value is valid for the duration of the signalling connection.
• Direction: indicates if this signalling message is from UE to RNC (0) or from RNC
to UE (1). This protects against use of the downlink authentication field to attempt to
validate an uplink message.

The UE or RNC uses the same mechanism on any received messages to generate an
expected message authentication code for integrity (XMAC-I), which is then compared to
the received MAC-I to validate the message. Any messages received that fail the integrity
check will be rejected.
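
The receiver-side check described above, as an added example that is not from the book. The real integrity function is replaced by a labelled stand-in (HMAC-SHA-256 truncated to 32 bits); the integrity key name `ik`, the 32-bit MAC-I and FRESH sizes, and all sample values are assumptions or constructed for illustration.

```python
import hashlib
import hmac

def count_i(hfn, sn):
    """Count-I: 28-bit RRC HFN followed by the 4-bit RRC SN (Figure 6.123)."""
    if hfn >> 28 or sn >> 4:
        raise ValueError("RRC HFN is 28 bits, RRC SN is 4 bits")
    return (hfn << 4) | sn

def advance(hfn, sn):
    """Next (HFN, SN): when the RRC SN cycles, the HFN is incremented."""
    sn = (sn + 1) & 0xF
    return (hfn + 1 if sn == 0 else hfn), sn

def mac_i(ik, count, fresh, direction, message):
    """Stand-in for the integrity function: HMAC-SHA-256 cut to 32 bits."""
    if direction not in (0, 1):
        raise ValueError("Direction is 0 (UE to RNC) or 1 (RNC to UE)")
    header = count.to_bytes(4, "big") + fresh + bytes([direction])
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]

def accept(ik, count, fresh, direction, message, received_mac):
    """Receiver side: compute XMAC-I and compare it with the received MAC-I."""
    xmac = mac_i(ik, count, fresh, direction, message)
    return hmac.compare_digest(xmac, received_mac)

def demo():
    ik, fresh = bytes(range(16)), bytes.fromhex("a1b2c3d4")  # constructed
    msg = b"constructed RRC message"
    cnt = count_i(hfn=0x12, sn=0xF)
    downlink_mac = mac_i(ik, cnt, fresh, 1, msg)  # sent from RNC to UE
    later = count_i(*advance(0x12, 0xF))
    return {
        "genuine": accept(ik, cnt, fresh, 1, msg, downlink_mac),
        # Downlink MAC-I presented on an uplink message: Direction differs.
        "reflected": accept(ik, cnt, fresh, 0, msg, downlink_mac),
        # Same message in a later connection, where a new FRESH is in use.
        "new_fresh": accept(ik, cnt, bytes.fromhex("0badf00d"), 1, msg,
                            downlink_mac),
        # Same message replayed after the counter has moved on.
        "stale_count": accept(ik, later, fresh, 1, msg, downlink_mac),
    }

if __name__ == "__main__":
    print(demo())
```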



6.21.4 Confidentiality
As was seen, encryption of data carried in a given radio bearer is performed at two possible
points in the radio link protocol stack. For RLC acknowledged and unacknowledged
modes, it is performed at the RLC layer, and for RLC transparent mode, at the MAC
layer. UMTS performs encryption using a stream cipher, where the encryption algorithm
generates a keystream which is added bit per bit to the plain text to generate the cipher
text. Confidentiality protection may be applied to both data and signalling messages. The
operation of the algorithm is shown in Figure 6.124.
The fields in the algorithm are:

• Count-C: this is a 32-bit ciphering counter, similar to the Count-I for the integrity
check. However, for encryption there are three different formats depending on which
RLC mode is being used. All formats use the START value to initialize the most
significant bits of the HFN, with the remaining bits filled with 0. For RLC transparent
mode, the MAC-d HFN is 24 bits and the lower 8 bits are taken from the connection
frame number (CFN) (see Figure 6.125(a)). For RLC unacknowledged and acknowledged
mode, the RLC HFN is 25 bits and 20 bits, with the lower bits comprised of the
RLC sequence number, 7 bits for unacknowledged mode and 12 bits for acknowledged
mode (Figure 6.125(b) and (c)).
• Bearer: this is a 5-bit identifier of the radio bearer being encrypted, so as to avoid
identical keystreams for different radio bearers from the same user.
• Direction: again, this is a 1-bit field which indicates if this signalling message is from
UE to RNC (0) or from RNC to UE (1).
• Length: since data is presented to the RLC layer in blocks, the generated keystream
must match the data block length. This is a 16-bit field which indicates the required
length of the keystream block to be generated.

Figure 6.124 UMTS encryption algorithm (at each end, UE/RNC and RNC/UE, f8 takes Count-C, Direction, Bearer, Length and CK and produces the keystream; the keystream turns plaintext into ciphertext at the sender and ciphertext back into plaintext at the receiver)

Figure 6.125 Composition of Count-C: (a) MAC-d HFN (24 bits) followed by CFN (8 bits); (b) RLC HFN (25 bits) followed by RLC SN (7 bits); (c) RLC HFN (20 bits) followed by RLC SN (12 bits)

The counters provide an anti-replay service, where a message cannot be captured and
reused by a potential intruder at a later time. However, the communication is still vulnerable
to a 'man-in-the-middle' attack, where an intruder imposes itself on a legitimate connection,
posing as either the UE or network. To minimize the risk from this, the RNC can at any stage
request the UE to inform it of its current counter value, to verify that the UE has received
the same amount of data during the RRC connection as the RNC has sent. If the counter
at the UE does not match the one at the RNC, the RNC may release the RRC connection.
The procedure uses RRC signalling, as shown in Figure 6.126. The counter check message
contains the 25 most significant bits of the Count-C for each radio bearer. If all is well, then
the UE sends a counter check response to acknowledge this. If there were differences, then
the UE will respond with the different counter values it has. This procedure is available for
RLC-UM and RLC-AM modes only.

Figure 6.126 Counter check procedure (the RNC sends RRC Counter Check to the UE; the UE replies with RRC Counter Check Response)
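
The Count-C layouts, the keystream inputs and the counter check comparison described in this section, as an added example that is not from the book. The keystream generator is a labelled stand-in (SHAKE-256) for f8, the 20-bit START length is an assumption taken from 3GPP TS 33.102, and the key, bearer numbers and counter values are constructed.

```python
import hashlib

# (HFN bits, low-field bits) for each RLC mode, as in Figure 6.125.
LAYOUT = {"TM": (24, 8), "UM": (25, 7), "AM": (20, 12)}
START_BITS = 20  # assumption: START is 20 bits long (3GPP TS 33.102)

def initial_hfn(mode, start):
    """START fills the most significant HFN bits; the remaining bits are 0."""
    return start << (LAYOUT[mode][0] - START_BITS)

def count_c(mode, hfn, low):
    """Pack the HFN and the CFN (TM) or RLC SN (UM/AM) into 32-bit Count-C."""
    hfn_bits, low_bits = LAYOUT[mode]
    if hfn >> hfn_bits or low >> low_bits:
        raise ValueError("field too wide for RLC mode " + mode)
    return (hfn << low_bits) | low

def keystream(ck, count, bearer, direction, length_bits):
    """Stand-in for f8 (SHAKE-256, not the real algorithm), same inputs."""
    if bearer >> 5 or direction >> 1 or length_bits >> 16:
        raise ValueError("Bearer is 5 bits, Direction 1 bit, Length 16 bits")
    params = (count.to_bytes(4, "big") + bytes([bearer, direction])
              + length_bits.to_bytes(2, "big"))
    return hashlib.shake_256(ck + params).digest((length_bits + 7) // 8)

def crypt(ck, count, bearer, direction, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = keystream(ck, count, bearer, direction, 8 * len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

def counter_check(rnc_counts, ue_counts):
    """Bearers whose 25 most significant Count-C bits differ at the UE."""
    return sorted(b for b, c in rnc_counts.items()
                  if ue_counts.get(b, -1) >> 7 != c >> 7)

if __name__ == "__main__":
    ck = bytes(range(16))  # constructed sample key
    c = count_c("UM", initial_hfn("UM", 0x12), 5)
    ct = crypt(ck, c, bearer=3, direction=0, data=b"constructed payload")
    print(hex(c), ct.hex(), crypt(ck, c, 3, 0, ct))
    # Constructed counters: bearer 2 has drifted by one HFN step at the UE.
    print(counter_check({1: 0x12005, 2: 0x12085}, {1: 0x12007, 2: 0x12105}))
```

Changing only the bearer or the direction yields a different keystream for the same Count-C, which is the property the Bearer and Direction fields exist to provide.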


6.22 UMTS CALL LIFE CYCLE
The previous sections have detailed the necessary signalling protocols throughout the
network to establish, maintain and release connections between the UE and the core
network. It is useful to combine these in describing the life cycle of a UMTS call.
Consider that a user arrives in a cell and switches on their mobile device. Section 6.9
detailed the initial synchronization procedures required prior to establishing a signalling
connection. Following these procedures, the following sequence of events is assumed:

1. User performs a location update to the circuit core.
2. User receives a phone call.
3. During call progress, the user moves to another cell.
4. After hanging up, the user proceeds to check their email.

The basic steps to fulfil these four tasks are as shown in Figure 6.127.
The following subsections go through these four signalling procedures as a means of
demonstrating how all of the signalling protocols tie together.


6.22.1 Signalling connection establishment
This is the first signalling process a UE will perform when it wishes to connect to the
network. This is referred to as establishing an RRC connection, and in this example, the
establishment of a dedicated transport channel for signalling is shown (see Figure 6.128).

Figure 6.127 Basic UMTS call life cycle (signalling between UE, SRNC and CN, grouped under tasks 1 to 4, in order: signalling connection establishment; location update; user paging; signalling connection establishment; connection establishment to circuit core; information transfer + handover procedures; connection release; connection establishment to packet core; information transfer; connection release)


1. The UE initiates the establishment of an RRC connection by sending the RRC
connection request message. This message is sent on the common control channel,
transported on the RACH/PRACH (Figure 6.129). The parameters included in this
initial connection are the initial UE identity, typically the IMSI or TMSI/P-TMSI,
and the establishment cause, which indicates why the UE is requesting a connection.
The cause here is registration, since it will perform a location update next.
2. This request is carried transparently by the BTS. The SRNC receives the request,
and will perform an admission control procedure to decide whether the request
should be serviced, and if so, which type of transport channel to establish. In this
case, the SRNC has chosen to use a DCH for this RRC connection. It will also
allocate an RNTI and the required radio resources for the RRC connection. To
establish the bearer for this connection, the SRNC will issue the NBAP radio link
setup request message to the BTS. The parameters included will be the cell ID,
transport format set, transport format combination set, frequency channel, uplink
scrambling code and downlink channelization code to be used, and power control
information.
3. The BTS will allocate the requested resources, and is therefore ready to begin
uplink physical reception. It will then respond to the SRNC with the NBAP radio
link setup response message. The parameters in this will include the transport layer
addressing information (AAL2 address, AAL2 binding identity), which are required
for the Iub data transport bearer (AAL2 connection) setup. This is only being
established for signalling at this point and not for data transfer.

Figure 6.128 RRC connection establishment (message sequence between UE, BTS and SRNC: 1 RRC Connection Request (RRC); 2 Radio Link Setup Request (NBAP); 3 Radio Link Setup Response (NBAP), BTS ready to Rx; 4 ERQ (A2SIG); 5 ECF (A2SIG); 6 Downlink Synchronisation (DCH-FP), BTS ready to Tx; 7 Uplink Synchronisation (DCH-FP); 8 RRC Connection Setup (RRC); 9 L1 synchronisation (UE begins Tx) and Radio Link Restore Indication (NBAP); 10 RRC Connection Setup Complete (RRC))

Figure 6.129 RRC connection request layers (RRC Connection Request carried on the CCCH logical channel, the RACH transport channel and the PRACH physical channel)

4. Once the BTS has responded, the SRNC then uses AAL2 signalling (ALCAP) to
establish an Iub data transport bearer. It will use the AAL2 address to contact the
BTS transport layer entity, and this establish request (ERQ) will contain the AAL2
binding identity to tie the Iub data transport bearer to the DCH.
5. The BTS will acknowledge the setup request with the establish confirm
(ECF) command.
6. The RNC will send the downlink synchronization message, which contains the
connection frame number.
7. The BTS responds with the connection frame number, and timing information
through the uplink synchronization. The BTS will start downlink transmission at
this point.
8. The SRNC will send the RRC connection setup message to the UE on the CCCH.
This will include the following parameters: initial UE identity, allocated U-RNTI,
capability update requirement, transport format set, transport format combination
set, frequency, DL scrambling code (FDD only), and power control information.
9. Once the BTS has detected the UE at the physical layer (L1 synchronization) it will
report this to the SRNC with the radio link restore indication message.
