
Introduction:

We chose this project because of the increasing necessity of digital communication systems in our lives, owing to their wide range of applications. Since this subject is very broad, we took one of its successive parts, digital mobile communication systems, as our project, and we chose two of its systems to compare with each other.

At the beginning of the 1980s the first second-generation network started operation in Europe. This network was based on GSM (Global System for Mobile communication) technology; it had the capability to carry higher-quality voice calls, a basic messaging service (SMS) and very low-speed data connectivity, and this was accomplished with a noticeable reduction in per-subscriber cost. Later on this technology evolved to accommodate higher data speeds, reaching up to 384 kbit/s with the introduction of EDGE technology by the late 1990s. The same development was also achieved by other technologies in other parts of the world (CDMA, D-AMPS).

Second-generation (2G) cellular telecom networks were commercially launched on the GSM standard in Finland by (now part of Elisa Oyj) in 1991. Three primary benefits of 2G networks over their predecessors were that phone conversations were digitally encrypted; that 2G systems were significantly more efficient on the spectrum, allowing far greater mobile phone penetration levels; and that 2G introduced data services for mobile, starting with SMS text messages.

After 2G was launched, the previous mobile telephone systems were retrospectively dubbed 1G. While radio signals on 1G networks are analog, and on 2G networks are digital, both systems use digital signaling to connect the radio towers (which listen to the handsets) to the rest of the telephone system.

In 1990, Qualcomm, Inc. proposed a spread-spectrum digital cellular system based on code-division multiple access (CDMA) technology, which in 1993 became the second North American digital cellular standard, known as the IS-95 system.

After this period, studies started to develop a faster and higher-quality network to support better services such as video calling, video streaming, mobile gaming and fast internet browsing. This resulted in the introduction of the third-generation mobile telecommunication standard (UMTS); with this service the internet connection speed can reach up to 14.4 Mbit/s by implementing the HSPA improvement. This offers broadband services to mobile users, allowing them to be always connected while on the move.

3G is the third generation of telecommunication hardware standards and general technology for mobile networking, superseding 2.5G. It is based on the International Telecommunication Union (ITU) family of standards under the IMT-2000.

3G networks enable network operators to offer users a wider range of more advanced services while achieving greater network capacity through improved spectral efficiency. Services include wide-area wireless voice telephony, video calls, and broadband wireless data, all in a mobile environment. Additional features also include HSPA data transmission capabilities able to deliver data rates up to 14.4 Mbit/s on the downlink and 5.8 Mbit/s on the uplink.

Unlike IEEE 802.11 networks, which are commonly called Wi-Fi or WLAN networks, 3G networks are wide-area cellular telephone networks that evolved to incorporate high-speed Internet access and video telephony. IEEE 802.11 networks are short-range, high-bandwidth networks primarily developed for data.

The next evolution, which is expected to be released soon, is the 4th generation, based on LTE (Long Term Evolution) and WiMAX technologies that promise an internet speed reaching 233 Mbit/s for mobile users.

4G, an abbreviation for Fourth-Generation, is a term used to describe the next complete evolution in wireless communications. A 4G system will be a complete replacement for current networks and be able to provide a comprehensive and secure IP solution where voice, data, and streamed multimedia can be given to users on an "Anytime, Anywhere" basis, and at much higher data rates than previous generations.

❖ The main terms and concepts in mobile communications

➢ Registration: the process, in idle mode, by which an MS informs the network that it is attached.

➢ Roaming: when an MS moves around a network in idle mode, it is said to be roaming.

➢ International Roaming: when an MS in idle mode moves into a network which is not its home network, it is referred to as international roaming.

➢ Location Updating: an MS roaming around the network must inform the network when it enters a new location area (LA). This is called location updating; it is performed in idle mode.

➢ Paging: the process whereby the network informs an MS in idle mode about an incoming call.

➢ Handover: the process in which control of a call is passed from one cell to another while the MS, in active mode, moves between cells.

➢ Duplex Distance: the distance between the uplink and downlink frequencies.

➢ Carrier Separation: the distance between adjacent frequencies on either the uplink or the downlink.

➢ Burst: the information carried in one time slot.

➢ Grade of Service: the percentage of unsuccessful calls out of the total number of calls in the network.

1. Cellular Network Architecture:

Figure 1.1 The Cellular Network Architecture

The cellular network can be divided into four main parts:

➢ The network components of the Radio Subsystem (RSS).

➢ The Network and Switching Subsystem (SSS).

➢ The Operation and Support Subsystem (OSS).

Note: the MS and the BSS can be combined under the name RSS.

1.1 Radio Subsystem (RSS):

It consists of three basic components:

1.1.1 The Mobile Station (MS):

It is the mobile device carried by hand; it has a transmitter and a receiver. A mobile station consists of two main elements:

1.1.1.1 The Subscriber Identity Module (SIM):

The SIM is a smart card with memory and a processor that identifies the terminal. By inserting the SIM card into the terminal, the user gains access to all the subscribed services; without the SIM card, the terminal is not operational.

It contains the user's subscription information and phone book.

The user can also change operators while retaining the handset, simply by changing the SIM.

Each SIM card stores a unique International Mobile Subscriber Identity (IMSI). The IMSI is usually 15 digits long, but can be shorter.

The next important item of data associated with the SIM is the Mobile Subscriber Integrated Services Digital Network number (MSISDN), which is the telephone number used by the mobile phone to make and receive calls and SMS.

1.1.1.2 Mobile Equipment/Terminal (ME):

A mobile telephone (figure 1.3) has a number of facilities. The most common are:

• Alphanumeric display

• Memory for many abbreviated numbers

• Signal strength indicator

• Battery indicator

• Electronic lock

There are different types of terminals, distinguished principally by their power and application:

➢ Fixed terminals are the ones installed in cars. Their maximum allowed output power is 20 W.

➢ Vehicle-mounted terminals can be installed in vehicles. Their maximum allowed output power is 8 W.

➢ Handheld terminals have experienced the biggest success thanks to their weight and volume, which are continuously decreasing. These terminals can emit up to 2 W. The evolution of technology allows decreasing the maximum allowed power to 0.8 W.

Figure 1.3 Ranges for different types of MSs

1.1.2 The Base Station Subsystem (BSS)

The BSS provides the interface (handling traffic and signaling) between the ME and the NSS; it is in charge of transmission and reception. It may be divided into three parts:

1.1.2.1 The Base Transceiver Station (BTS)

The base transceiver station, or BTS, contains the equipment for transmitting and receiving radio signals (transceivers), antennas, and equipment for encrypting and decrypting communications with the base station controller (BSC).

The BTS is a plain transceiver which receives information from the MS (mobile station) through the Um (air) interface, converts it to a TDM ("PCM") based interface, and sends it towards the BSC.

A BTS covers a maximum range of 8 km in places where people are not congested. Each BTS covers an angle of 120°, so to cover 360° we require 3 BTSs. The language between the different GSM components is Signaling System No. 7 (SS7).


Types of BTS

➢ Macrocell BTS

It is the BTS that covers a wide area called a cell; it is placed above the highest building and covers a larger area than a microcell BTS.

➢ Microcell BTS

This BTS covers spaces congested with people, such as a mall or streets. It hangs on building walls or lighting poles.

➢ Nanocell BTS

A nanocell is a wireless communication system covering a small area, such as the space between buildings.

➢ Picocell BTS

This BTS is a wireless communication system typically covering a small area, such as in-building (offices, building stairs, train stations, etc.).

➢ Femtocell BTS

In telecommunications, a femtocell, originally known as an Access Point Base Station, is a small cellular base station, typically designed for use in a home or small business (with Wi-Fi-style system interconnections).

Handover

Figure 1.6 Types of Handover

Handover can be achieved in four ways:

➢ Inter Cell: a change of frequency within the same BTS, BSC and MSC.

➢ Inter BTS: moving from one BTS to another within the same BSC and MSC.

➢ Inter BSC: the user moves from one BSC to another within the same MSC.

➢ Inter MSC: finally, the user moves from one MSC to another, which means that the cell, BTS, BSC and MSC all change.

1.1.2.2 The Base Station Controller (BSC)

The BSC controls a group of BTSs and manages their radio resources; it is the brain of the BSS. A BSC is principally in charge of handovers, frequency hopping, exchange functions and control of the radio-frequency power levels of the BTSs.

Figure 1.6 Base Station Controller (BSC)

1.1.2.3 Transcoder and Rate Adapter Unit (TRAU)

It provides:

➢ Data encoding and decoding.

➢ Data compression and decompression.

1.1.3 Radio Interface (Um)

It is the interface between the MS (Mobile Station) and the BSS (Base Station Subsystem). There are two directions of transmission:

➢ Uplink: transmission from the ME to the BTS through Um; the frequency range 890-915 MHz is allocated to this link.

➢ Downlink: transmission from the BTS to the ME through Um; the frequency range here is 935-960 MHz.

Figure 1.7 Transmission methods

1.2 Switching Subsystem (SSS)

The SSS is the component of a GSM system that carries out switching functions and manages the communications between mobile phones and the Public Switched Telephone Network (PSTN). It allows mobile phones to communicate with each other and with telephones in the wider telecommunications network.

The architecture closely resembles a telephone exchange, but there are additional functions which are needed because the phones are not fixed in one

Management and are described in more detail below.

The Network Switching Subsystem, also referred to as the GSM core network, usually refers to the circuit-switched core network.

1.2.1 Mobile Switching Center (MSC)

The mobile switching center (MSC) is the central component of the SSS; it can be called the heart of the GSM network.

The MSC performs the switching functions of the network. It also provides connections to other networks for voice calls and SMS as well as other services (such as conference calls, fax and circuit-switched data).

The MSC sets up and releases the end-to-end connection, and handles mobility and handover requirements.

It performs many functions, such as:

➢ Registration: checks whether the mobile is recorded.

➢ Authentication: verifies whether the mobile is allowed to use the network.

➢ Location Updating: refreshes the user's location.

➢ Handovers: data delivery between the BTSs; it also provides forwarding or conversion of a call for a roaming subscriber.

➢ Connection and communication to other networks.

1.2.2 Gateway Mobile Switching Center (GMSC)

The GMSC is a node used to interconnect networks; it is the interface between the mobile cellular network and the PSTN, ISDN, another cellular network or other networks. The GMSC is often implemented in the same machines as the MSC.

1.2.3 Home Location Register (HLR)

The HLR is the permanent database or register that stores the information of the subscribers belonging to the coverage area of an MSC. It also stores the current location of these subscribers and the services to which they have access.

1.2.4 Visitor Location Register (VLR)

The VLR temporarily contains information from a subscriber's HLR that is necessary to provide the subscribed services to visiting users. When a subscriber enters the coverage area of a new MSC, the VLR associated with this MSC requests information about the new subscriber from its corresponding HLR.

The VLR then has enough information to provide the subscribed services without needing to ask the HLR each time a communication is established.

The VLR is always implemented together with an MSC, so the area under control of the MSC is also the area under control of the VLR.

The VLR keeps providing the location information of the MS as long as the MS does not change its location; when a change occurs, the MSC asks the HLR about the location.

1.2.5 Authentication Centre (AUC)

The Authentication Centre (AUC) is a device, usually located in the HLR of a GSM system, that authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and the services described above.

An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.

1.2.6 The Equipment Identity Register (EIR)

The EIR is also used for security purposes. It is a database that contains information about the identity of the mobile equipment, which prevents calls from stolen, unauthorized or defective mobile stations.

More particularly, it contains a list of all valid terminals. A terminal is identified by its International Mobile Equipment Identity (IMEI), which is usually found printed inside the battery compartment of the phone or can be displayed by dialling *#06# followed by the call button on most types of mobile.

So the EIR is used to forbid calls from stolen or unauthorized terminals. The equipment identity register is often integrated with the Home Location Register.

In theory, all data about all stolen mobile phones should be distributed to all EIRs in the world through a Central EIR.

The EIR data does not have to change in real time, which means that this function can be less distributed than the function of the HLR.

This register contains three parts:

1. White list: this list comprises all devices permitted to use the network.

2. Black list: this list contains the devices prevented from using the network (such as stolen mobiles).

3. Gray list: this list contains the devices that are under testing.

1.3 The Operation and Support Subsystem (OSS)

The OSS consists of computer systems used by telecommunications service providers. The OSS is connected to the different components of the NSS and to the BSC in order to control and monitor the GSM system. It is also in charge of controlling the traffic load of the BSS. It supports processes such as:

➢ Planning

➢ Monitoring

➢ Maintaining

To monitor the network components and, if necessary, control and adjust their performance, the GSM network needs the Operation and Maintenance Center (OMC). The implementation of the OMC is called the operation and support system (OSS).

1.3.1 The Operation and Maintenance Center (OMC)

The OMC provides remote monitoring of network performance and permits remote re-configuration and fault management as well as alarm and event monitoring. It is also responsible for:

➢ Error management.

➢ Configuration management.

➢ Performance management.

➢ Administration management.

➢ Remote access to different network components.

➢ Security management.

1.3.2 Network Management Centre (NMC)

The NMC offers the ability to provide hierarchical, regionalized network management of a complete GSM system.

It is responsible for operations and maintenance at the network level, supported by the OMCs, which are responsible for regional network management.


Conclusions:

➢ The number and type of base transceiver stations required in a cell depend on the number of subscribers in that cell.

➢ If there are not enough BTSs, the network will be congested.

➢ Microwave links connect the BTS to the BSC; the communication language between all components except the MS and the BTS is Signaling System No. 7 (SS7).

➢ The subscribers are roaming, so their area can change; therefore the handover process is required.

➢ Because the subscribers always change their locations, the network requires a location updating process (HLR).

➢ For secure transmission the data must be coded and encrypted by the network.

➢ Optimization involves monitoring, verifying and improving the performance of the radio network. Optimization tasks become more and more difficult as time passes.

➢ All operations must be maintained by the MSC.

➢ Because communication is wireless, power control is more important.


2. Global System for Mobile (GSM900):

Originally GSM referred to the European working party set up to establish a new standard. The system developed became the Global System for Mobile Telecommunications (GSM). A digital system offered considerable advantages in terms of capacity and security and introduced new possibilities for data traffic.

The aim of a GSM system is to make the best use of the available frequencies (spectrum) to provide:

• Coverage – getting a usable radio signal to all areas in the network

• Capacity – handling the call traffic generated by the subscribers

• Quality – low interference, few dropped calls, etc.

GSM Advantages

➢ Greater variety of handsets

➢ Lower-priced handsets

➢ More widely used

➢ Automatic roaming

➢ SIM card

GSM Disadvantages

➢ GSM has a fixed maximum cell site range of 35 km

➢ The pulsed nature of the TDMA transmission used in 2G interferes with some electronics

2.1 GSM Frequency Allocation:

|Band         |Status |Channel number N |Mobile Station, uplink (MHz) |Base Station, downlink (MHz) |

|A (10 MHz)   |Valid  |1-311            |825.030-834.330              |870.030-879.330              |

|B (10 MHz)   |Valid  |356-644          |835.680-844.320              |880.680-889.320              |

|A' (1.5 MHz) |Valid  |689-694          |845.670-845.820              |890.670-890.820              |

|B' (2.5 MHz) |Valid  |739-777          |847.170-848.310              |892.170-893.310              |

The transmit frequency of the base station is computed by: F = 870 + N × 0.03 (MHz)

where N is the CDMA channel number.
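As an added worked example, not part of the original report, the Python code below applies the formula and table above: it computes base-station and mobile-station centre frequencies for a CDMA channel number, looks up the band, inverts the formula, and recomputes every table endpoint. It assumes a 45 MHz duplex distance, which is what the table itself shows (825.030 vs 870.030 MHz for channel 1) but which the text does not state.

```python
# Added example: CDMA cellular-band channel numbering from the table above.
# Base-station (downlink) frequency: F = 870 + N * 0.03 MHz, as given in the text.
# The mobile-station (uplink) frequency is 45 MHz lower, which is the duplex
# distance the table implies (825.030 MHz vs 870.030 MHz for N = 1).

# Transcribed from the table: (band, first N, last N, uplink range, downlink range)
BAND_TABLE = [
    ("A (10 MHz)",   1,   311, (825.030, 834.330), (870.030, 879.330)),
    ("B (10 MHz)",   356, 644, (835.680, 844.320), (880.680, 889.320)),
    ("A' (1.5 MHz)", 689, 694, (845.670, 845.820), (890.670, 890.820)),
    ("B' (2.5 MHz)", 739, 777, (847.170, 848.310), (892.170, 893.310)),
]

CHANNEL_SPACING_MHZ = 0.03      # 30 kHz channel raster used by the formula
DUPLEX_DISTANCE_MHZ = 45.0      # derived from the table, not stated in the text


def base_station_freq_mhz(n):
    """Downlink (BTS transmit) centre frequency for CDMA channel number n."""
    return round(870.0 + n * CHANNEL_SPACING_MHZ, 3)


def mobile_station_freq_mhz(n):
    """Uplink (MS transmit) centre frequency: downlink minus the duplex distance."""
    return round(base_station_freq_mhz(n) - DUPLEX_DISTANCE_MHZ, 3)


def band_for_channel(n):
    """Name of the band whose valid channel range contains n, or None when the
    channel number lies in one of the gaps between the listed bands."""
    for name, first, last, _up, _down in BAND_TABLE:
        if first <= n <= last:
            return name
    return None


def channel_for_base_freq(f_mhz):
    """Invert the formula: recover N from a downlink frequency on the raster."""
    n = round((f_mhz - 870.0) / CHANNEL_SPACING_MHZ)
    if base_station_freq_mhz(n) != round(f_mhz, 3):
        raise ValueError("%.3f MHz is not on the 30 kHz channel raster" % f_mhz)
    return n


def describe_channel(n):
    """Everything a planner would look up for one channel number."""
    return {
        "channel": n,
        "band": band_for_channel(n),
        "uplink_mhz": mobile_station_freq_mhz(n),
        "downlink_mhz": base_station_freq_mhz(n),
    }


def verify_table():
    """Recompute both ends of every band and return the mismatches (empty = OK)."""
    mismatches = []
    for name, first, last, (up_lo, up_hi), (down_lo, down_hi) in BAND_TABLE:
        computed = (mobile_station_freq_mhz(first), mobile_station_freq_mhz(last),
                    base_station_freq_mhz(first), base_station_freq_mhz(last))
        expected = (up_lo, up_hi, down_lo, down_hi)
        if computed != expected:
            mismatches.append((name, computed, expected))
    return mismatches


if __name__ == "__main__":
    for n in (1, 311, 500, 700):
        print(describe_channel(n))
    print("table mismatches:", verify_table())
```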

3.3 Techniques Used In CDMA

3.3.1 CDMA Spread Spectrum Technique

• Spread spectrum systems have been developed since the mid-1950s. Spread spectrum communication is a means of transmission in which the data sequence occupies a bandwidth in excess of the minimum bandwidth necessary to send it.

• The spreading is done by combining the data signal with a code (code division multiple access) which is independent of the transmitted data message.

• It spreads the message signal to a relatively wide bandwidth by using a unique code; the system modulates signals with a code that has low correlation among subscriber channels, and the called party can restore them just by using a code identical to the one that the calling party used.

• These techniques are used for a variety of reasons, including the establishment of secure communications, increasing resistance to natural interference and jamming, preventing detection, and limiting the power flux density on satellite downlinks.

• A number of advantages are:

• Low power spectral density. As the signal is spread over a large frequency band, the power spectral density becomes very small, so other communication systems do not suffer from this kind of communication. However, the Gaussian noise level increases.

• Interference-limited operation. In all situations the whole frequency spectrum is used.

• Privacy due to unknown random codes. The applied codes are, in principle, unknown to a hostile user. This means that it is hardly possible to detect the message of another user.

• Applying spread spectrum implies the reduction of multipath effects.

• Random access possibilities. Users can start their transmission at any arbitrary time.

• Good anti-jam performance.

Fig. 2.1 Spread spectrum composite

As shown in the figure, each user has its own spreading code. The identical code is used in both transformations, at each end of the radio channel, for spreading and despreading.

The ratio between the transmission bandwidth and the original bandwidth is called the processing gain (Gp), also known as the spreading factor. This ratio simply tells how many chips are used to spread one data symbol.

Walsh Code

Walsh codes are a group of spreading codes having good autocorrelation properties and poor cross-correlation properties. Walsh codes are orthogonal to each other, i.e. the cross-correlation between any two different Walsh codes is zero; they are the backbone of CDMA systems and are used to build the individual channels in CDMA. For IS-95, there are 64 codes available. Code 0 is used as the pilot and code 32 is used for synchronization. Codes 1 through 7 are used for control channels, and the remaining codes are available for traffic channels. Codes 2 through 7 are also available for traffic channels if they are not needed. For cdma2000, there exists a multitude of Walsh codes that vary in length to accommodate the different data rates and spreading factors of the different radio configurations.
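The Python code below is an added example, not code from the original report: it builds the 64 IS-95 Walsh codes as rows of the 64x64 Hadamard matrix (recursion H2n = [[Hn, Hn], [Hn, -Hn]]), checks that every pair is orthogonal, and then mimics the forward-link composite described later in the text, where each user's symbol is spread into 64 chips by its own Walsh code and summed with the other users' chips. Each receiver correlates with its assigned code and recovers only its own symbols; the user-to-code assignment and the symbol values are constructed for the example.

```python
# Added example: Walsh-code channelisation of an IS-95 style forward link.
# Chips and symbols are represented as +1/-1 (bit 0 -> +1, bit 1 -> -1).


def walsh_codes(n):
    """Rows of the n x n Hadamard matrix (n a power of two), built by the
    recursion H_2n = [[H_n, H_n], [H_n, -H_n]]. Row k is Walsh code k; for
    n = 64 this gives the 64 codes the text refers to (row 0 all +1 = pilot)."""
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def correlate(a, b):
    """Inner product of two equal-length chip vectors."""
    return sum(x * y for x, y in zip(a, b))


def all_orthogonal(codes):
    """True when every pair of distinct codes has zero cross-correlation."""
    return all(correlate(codes[i], codes[j]) == 0
               for i in range(len(codes)) for j in range(i + 1, len(codes)))


def spread(symbols, code):
    """Multiply each +1/-1 symbol by the whole code: one symbol -> len(code) chips."""
    chips = []
    for s in symbols:
        chips.extend(s * c for c in code)
    return chips


def forward_composite(assignments, n=64):
    """Sum the spread chip streams of several users sharing one sector carrier.
    assignments maps Walsh index -> list of +1/-1 symbols (equal lengths)."""
    codes = walsh_codes(n)
    n_symbols = len(next(iter(assignments.values())))
    composite = [0] * (n_symbols * n)
    for index, symbols in assignments.items():
        assert len(symbols) == n_symbols
        for i, chip in enumerate(spread(symbols, codes[index])):
            composite[i] += chip
    return composite


def despread(composite, code):
    """Correlate each len(code)-chip window with the code and normalise.
    Orthogonality makes every other user's contribution cancel exactly, so the
    result is the wanted user's symbols, or all zeros for an unused code."""
    n = len(code)
    return [correlate(composite[i:i + n], code) // n
            for i in range(0, len(composite), n)]


if __name__ == "__main__":
    codes = walsh_codes(64)
    # Constructed assignment: pilot on code 0, two traffic users on codes 9 and 45.
    users = {0: [1, 1, 1], 9: [1, -1, 1], 45: [-1, -1, 1]}
    composite = forward_composite(users)
    print("orthogonal:", all_orthogonal(codes))
    print("user 9 sees :", despread(composite, codes[9]))
    print("user 45 sees:", despread(composite, codes[45]))
    print("code 20 sees:", despread(composite, codes[20]))
```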

The short PN code

The short PN code enables each MS to distinguish BTSs in the forward channel, while in the reverse channel it is used for increasing gain. The short PN code is generated from 15 bits; it consists of two PN sequences, I and Q, each 32,768 chips long.

The long PN code

It is used for spreading and scrambling; it can be used for encryption and for the power control bit in the forward channel. In the reverse channel it is used for distinguishing MSs at the BTS, by inserting the subscriber number (ESN) of the MS into it. The long PN code is generated from 42 bits.

There are two types of CDMA spread spectrum:

1. Frequency-hopping spread spectrum

2. Direct-sequence spread spectrum

3.3.1.1 Frequency-Hopping Spread Spectrum

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.

A disadvantage of frequency hopping as opposed to direct sequence is that obtaining a high processing gain is hard. There is a need for a frequency synthesizer able to perform fast hopping over the carrier frequencies. The faster the hopping rate is, the higher the processing gain. Frequency hopping also does not have the same degree of jamming resistance as DS/SS.

On the other hand, frequency hopping is less affected by the near-far effect than direct sequence. Frequency-hopping sequences have only a limited number of "hits" with each other.

Each user's narrowband signal hops among discrete frequencies, and the receiver follows in sequence.

FH/SS is of two types:

• Slow Frequency Hopping (SFH): in slow frequency hopping the symbol rate of the input signal is an integer multiple of the frequency hopping rate. That is, several symbols are transmitted on each frequency hop.

• Fast Frequency Hopping (FFH): in fast frequency hopping the frequency hopping rate is an integer multiple of the input symbol rate. That is, the carrier frequency will change or hop several times during the transmission of one symbol.

CDMA frequency-hopping spread spectrum (FHSS) is not currently used in wireless systems, although it is used by the military.

Fig. 2.2 Frequency hopping spread spectrum

3.3.1.2 Direct Sequence Spread Spectrum

Direct sequence spread spectrum (DSSS) is a modulation technique. As with other spread spectrum technologies, the transmitted signal takes up more bandwidth than the information signal that is being modulated. The name "spread spectrum" comes from the fact that the carrier signals occur over the full bandwidth (spectrum) of a device's transmitting frequency.

Figure: User signal and code are multiplied to generate the coded transmit signal

Direct sequence spread spectrum is based on multiplying the baseband data signal with a broadband spreading code.

In this method, phase modulation or a derivative of phase modulation is used. The scrambling process is achieved by mixing the actual data with the output of a PN coder. The resultant scrambled data is then modulated in a binary phase shift keying (BPSK) or quadrature phase shift keying (QPSK) modulator. The output of the BPSK modulator is then transmitted.

Figure 2: Scrambler system using BPSK modulation

The figure below shows the processes that take place in a direct sequence spread spectrum system.

Figure 3: Direct Sequence Spread Spectrum

Source: Grahame Smillie (1999). Analogue and Digital Communication Techniques

In the example given above, the PN code generator is running at a higher clock frequency than that used for the data. The resultant scrambled data is therefore transmitted at a much higher rate than the data itself. When a logic high is applied to the BPSK modulator the carrier undergoes a phase change of 180 degrees. When a logic low is applied to the BPSK modulator the carrier undergoes a 0 degree phase change. The carrier containing the phase change information is received by the distant receiver. This signal is then descrambled by a descrambler that relies on a PN code generator producing a PN code identical to that at the transmitter. The signal is then converted back into logic levels to produce the original data.

Fig. 2.3: Direct sequence spread spectrum

DS-CDMA systems offer several advantages in cellular environments, including easy frequency planning, high immunity against interference if a high processing gain is used, and flexible data rate adaptation.

Besides these advantages, DS-CDMA suffers from several problems in multiuser wireless communication systems with limited available bandwidth.

3.3.1.2.1 Forward Channel

Forward channels are the frequencies the cell towers use to talk to your cellular telephone.

A forward channel in CDMA is identified by:

• Its CDMA RF carrier frequency.

• The unique short code PN offset of the sector.

• The unique Walsh code of the user.

In the forward link, each symbol from the encoder output corresponds to one Walsh code; that is to say, each symbol is spread into 64 chips.

Fig. 2.7 Spread spectrum in the downlink using Walsh codes for users and the short code for sectors

3.3.1.2.2 Reverse Channel

Reverse channels are the frequencies your cellular telephone uses to talk to the cell towers.

A reverse channel is identified by:

• Its CDMA RF carrier frequency.

• The unique long code PN offset of the individual handset.

Fig. 2.8 Uplink spread spectrum using the long code

Fig. 2.13 Forward traffic channel of the IS-95 system

The advantages of spread spectrum modulation are as follows:

➢ Multiple access capability. Because all users have different spreading codes, which ideally do not cross-correlate much, several users can coexist in the same frequency band.

➢ Protection against multipath interference. Multipath interference is a result of reflections and diffractions in the signal path. The various component signals may interfere with each other. A spread spectrum CDMA signal can resist multipath interference if the spreading codes used have good autocorrelation properties.

➢ Good jamming resistance. Because the power spectral density of the signal is so low and resembles background noise, it is difficult to detect and jam on purpose. Therefore, CDMA communication systems are popular with the military.

➢ Privacy. An intruder cannot recover the original signal unless he knows the right spreading code and is synchronized to it.

➢ Narrowband interference resistance. A wideband signal can resist narrowband interference especially well. While the demodulation process despreads the original signal, it also spreads the interfering signal at the same time (see Figure 2.9). Thus the interference is spread over a wide spectrum. Demodulation will be successful if the spread interference is weak enough in the narrow despread signal bandwidth.

➢ Security: without knowing the spreading code, it is (nearly) impossible to recover the transmitted data.
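The following Python code is an added example, not from the original report, covering the direct-sequence process of section 3.3.1.2 and the narrowband-interference and privacy points above: a 15-stage LFSR generates a maximal-length PN sequence (the IS-95 short code is also built from 15 bits, but the polynomial x^15 + x^14 + 1 used here is an illustrative primitive polynomial, not the IS-95 one), each BPSK symbol is multiplied by 256 PN chips (Gp = 256), a constructed narrowband tone as strong as the signal is added, and the receiver despreads with a synchronised replica. It also shows that the same generator at the wrong offset never reaches full correlation, which is the synchronisation point made in the privacy bullet.

```python
import math

# Added example: m-sequence PN generation and direct-sequence spread spectrum.
# Chips and symbols use +1/-1 (bit 0 -> +1, bit 1 -> -1).
# The recurrence a[t] = a[t-1] XOR a[t-15] corresponds to the characteristic
# polynomial x^15 + x^14 + 1 (assumed here as an illustrative primitive
# polynomial; IS-95 specifies its own short-code polynomials).
DEGREE = 15


def _seed_state(seed):
    """15-bit register as a list, reg[0] = most recent output bit."""
    state = [(seed >> i) & 1 for i in range(DEGREE)]
    assert any(state), "an all-zero register never leaves the zero state"
    return state


def _step(reg):
    """One LFSR clock: new bit is the XOR of stages 1 and 15, then shift."""
    new = reg[0] ^ reg[DEGREE - 1]
    return [new] + reg[:-1]


def pn_sequence(n_chips, seed=1):
    """n_chips PN chips in {+1, -1} from the LFSR, starting from seed."""
    reg = _seed_state(seed)
    chips = []
    for _ in range(n_chips):
        reg = _step(reg)
        chips.append(1 - 2 * reg[0])
    return chips


def pn_period(seed=1):
    """Clocks until the register returns to its seed state (2^15 - 1 for a
    primitive polynomial: every non-zero state is visited exactly once)."""
    start = _seed_state(seed)
    reg, steps = _step(start), 1
    while reg != start:
        reg, steps = _step(reg), steps + 1
    return steps


def dsss_spread(bits, chips, gp):
    """Multiply each BPSK symbol by the next gp chips (gp = processing gain)."""
    tx = []
    for i, bit in enumerate(bits):
        symbol = 1 - 2 * bit
        tx.extend(symbol * c for c in chips[i * gp:(i + 1) * gp])
    return tx


def dsss_correlate(rx, chips, gp):
    """Per-symbol correlation of the received chips with the local replica."""
    return [sum(r * c for r, c in zip(rx[i:i + gp], chips[i:i + gp]))
            for i in range(0, len(rx), gp)]


def dsss_despread(rx, chips, gp):
    """Hard decisions: positive correlation -> bit 0, negative -> bit 1."""
    return [0 if corr >= 0 else 1 for corr in dsss_correlate(rx, chips, gp)]


def narrowband_tone(n_chips, amplitude=1.0, period_chips=1024):
    """Constructed interferer: a tone whose period is many chips (narrowband
    relative to the chip rate); despreading spreads it over the whole band."""
    return [amplitude * math.cos(2 * math.pi * k / period_chips)
            for k in range(n_chips)]


def processing_gain_db(gp):
    return 10 * math.log10(gp)


def demo(bits=(1, 0, 1, 1, 0, 0, 1, 0), gp=256, wrong_offset=1000):
    """Spread, add the tone, despread with a synchronised replica, and compare
    with an unsynchronised replica of the same generator (wrong_offset chips off)."""
    n = gp * len(bits)
    code = pn_sequence(n + wrong_offset)
    tx = dsss_spread(bits, code, gp)
    rx = [t + j for t, j in zip(tx, narrowband_tone(n))]
    return {
        "recovered": dsss_despread(rx, code, gp),
        "synced_corr": dsss_correlate(tx, code, gp),             # exactly +-gp
        "unsynced_corr": dsss_correlate(tx, code[wrong_offset:], gp),
        "gain_db": processing_gain_db(gp),
    }


if __name__ == "__main__":
    print("PN period:", pn_period())
    print(demo())
```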


3.4 CDMA Modulation:

3.4.1 BPSK DS-SS

The binary phase shift keying (BPSK) system is considered the simplest form of phase shift keying (PSK). The modulated signal has two states, given by:

M1(t) = A sin(ωc t)

M2(t) = -A sin(ωc t)

The concept is simple: whenever the transmitter wants to send a +1, it transmits a positive cosinusoid; whenever the transmitter wants to send a 0, it transmits a negative cosinusoid. If the transmitted information is 1, the modulated signal has a phase of 0 degrees. If the transmitted information is 0, then the modulated signal has a phase of 180 degrees.

A simple block diagram of a BPSK DS-SS system is shown in the figure. The BPSK modulated data is spread after multiplication by a pseudorandom (PN) sequence with a bandwidth much greater than that of the information signal.

Fig. 2.10 BPSK DS-SS modulator and output signal of the modulator

3.4.2 QPSK (Quadrature Phase Shift Keying)

Quadrature phase shift keying (QPSK) modulation is used in CDMA IS-95 systems as the forward link modulation. In QPSK four different phase angles are used; it is sometimes called quadriphase or quaternary phase shift keying. The modulated signal is:

[pic]

This yields the four phases π/4, 3π/4, 5π/4 and 7π/4 as needed.

This results in a two-dimensional signal space with unit basis functions

[pic]

[pic]

The first basis function is used as the in-phase component of the signal and the second as the quadrature component of the signal.

Hence, the signal constellation consists of the four signal-space points

[pic]

The factors of 1/2 indicate that the total power is split equally between the two carriers.

[pic]

In Figure we see that the data waveform Dn(t) is multiplied by the Walsh function Wn(t) (this means split into the in-phase and quadrature-phase components), and then the resultant product Dn(t) Wn(t) (i.e separately modulated onto two orthogonal basis functions. )is fed to the upper branch as well as the lower branch. CI(t) represents the PN sequence for the upper branch and CQ(t), the PN sequence for the lower branch. Because of the fact that Wn(t), CI(t), and CQ(t) represent respective sequences running at the same rate, the resultant sequences are also random sequences with polarity f 1 for each transmission symbol.

Note that Dn(t) represents coded and interleaved information symbols of duration Ts

[pic]

, whereas Wn(t), Cz(t), and CQ(t) represent "chip" symbols of duration T,. We therefore have the two symbol rates

Rs = 1/T, for the coded-symbol rate (7.32d)

RC = 1/Tc for the PN and Walsh chip rates (7.32e)

The FIR filter, shapes the symbol pulse to be modulated by the in-phase carrier (cos wot) for the upper branch, and by the quadrature carrier (sin wot) for the lower branch of Figure 7.27. The in-phase carrier-modulated branch is the I channel and the quadrature carrier-modulated branch is the Q channel.

It is clear from Figure 7.27 that each QPSK-modulated symbol represents two information symbols, an I-channel symbol and a Q-channel symbol. The I and Q channel waveforms are summed because that is simply the most convenient and economical way of transmitting the symbol sequence of each channel on a single carrier. To see this, let us ignore the effect of the FIR spectral-shaping filters and express the QPSK-modulated waveform as follows. Because I(t) and Q(t) each take one of the two values ±1, we use the indexes i and j to indicate that Ii(t) and Qj(t) take the value +1 for i = j = 1 and the value −1 for i = j = −1. We then have

[pic]

where An is an appropriate amplification factor for channel n. There are therefore four possible symbol-pair patterns {Ai, Bj} (or {ai, bj}). The phase transitions corresponding to the symbol-pair patterns are shown in Figure 7.28. We observe from Figure 7.28 that a given symbol pair can make a transition to any other pair, including the same pattern. For example, the symbol pair (Ii, Qj) = (ai, bj) = (0, 0) can change to any of {(0, 0), (0, 1), (1, 0), (1, 1)} at the next symbol interval.

When a phase transition crosses the origin, the transmitted wave shows a large variation in amplitude; other transitions may or may not involve a change in amplitude. The QPSK waveform is therefore in general not a constant-envelope waveform. A non-constant envelope causes amplitude-to-phase (AM/PM) conversion distortion if the transmission characteristic is not perfectly linear.

For the forward link, the transmission characteristic can be designed to be linear, using a linear amplifier, thereby tolerating the amplitude variations due to the QPSK modulation.

[pic]

Figure 7.28 Signal constellation of QPSK modulation and carrier phase transitions with respect to symbol pair transitions.

QPSK systems can be implemented in a number of ways. An illustration of the major components of the transmitter and receiver structures is shown below.

Conceptual transmitter structure for QPSK is previously discussed.

[pic]

[pic]

In the receiver structure for QPSK, the matched filters can be replaced with correlators. Each detection device compares its input against a reference threshold to decide whether a 1 or a 0 was sent.

[pic]

Constellation diagram for QPSK with Gray coding. Each adjacent symbol only differs by one bit.

QPSK signal in the time domain:

The modulated signal is shown below for a short segment of a random binary data-stream. The two carrier waves are a cosine wave and a sine wave, as indicated by the signal-space analysis above. Here, the odd-numbered bits have been assigned to the in-phase component and the even-numbered bits to the quadrature component (taking the first bit as number 1). The total signal — the sum of the two components — is shown at the bottom. Jumps in phase can be seen as the PSK changes the phase on each component at the start of each bit-period. The topmost waveform alone matches the description given for BPSK above.

[pic]

Timing diagram for QPSK. The binary data stream is shown beneath the time axis. The two signal components with their bit assignments are shown the top and the total, combined signal at the bottom. Note the abrupt changes in phase at some of the bit-period boundaries.

The binary data conveyed by this waveform is: 1 1 0 0 0 1 1 0.

▪ The odd bits (1st, 3rd, 5th, 7th: 1 0 0 1) contribute to the in-phase component.

▪ The even bits (2nd, 4th, 6th, 8th: 1 0 1 0) contribute to the quadrature-phase component.

3.4.2 Offset QPSK (OQPSK)

To ease the RF linearity requirements on the reverse link, CDMA IS-95 delays the Q data by one-half chip and thereby prevents simultaneous transitions of both orthogonal data streams, i.e. the Q-channel symbol is delayed by one-half symbol with respect to the I-channel symbol. This is known as Offset Quadrature Phase Shift Keying (OQPSK). If the two bit streams I and Q are offset by half a bit interval, the amplitude fluctuations are minimized because the phase transitions never exceed ±90°. This is illustrated in Figure 7.30, in which the QPSK waveform shows 180° carrier phase changes whereas the OQPSK waveform shows only 90° carrier phase changes.

[pic]

[pic] [pic]

Figure 7.30 OQPSK modulator and constellation diagram; difference in the maximum carrier phase transitions between QPSK and OQPSK
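The I/Q mapping, the carrier phase transitions and the QPSK versus OQPSK contrast described in the two passages above, worked through in code. This is an added example and not part of the original page or of the IS-95 specification. The bit stream 1 1 0 0 0 1 1 0 is the page's own timing-diagram data; the mapping 1 → +1, 0 → −1, the assignment of odd-numbered bits to I and even-numbered bits to Q, and the half-symbol slot model used to count phase jumps are assumptions of the example.

```python
import math


def bits_to_iq(bits):
    """Odd-numbered bits (1st, 3rd, ...) go to I, even-numbered bits to Q.
    A '1' maps to +1 and a '0' to -1, so each (I, Q) pair is one QPSK symbol."""
    if len(bits) % 2:
        raise ValueError("QPSK needs an even number of bits")
    level = {"1": 1, "0": -1}
    return [(level[bits[k]], level[bits[k + 1]]) for k in range(0, len(bits), 2)]


def phase_deg(i, q):
    """Carrier phase of the constellation point (I, Q) in degrees, 0 <= phase < 360."""
    return round(math.degrees(math.atan2(q, i)), 6) % 360


def phase_sequence(bits, offset=False):
    """Carrier phase in each half-symbol slot.
    offset=False: I and Q switch together at every symbol boundary (QPSK).
    offset=True : Q is delayed by half a symbol, so I and Q never switch in
                  the same slot (OQPSK)."""
    iq = bits_to_iq(bits)
    slots = []
    for t in range(1 if offset else 0, 2 * len(iq)):
        i = iq[t // 2][0]
        q = iq[(t - 1) // 2][1] if offset else iq[t // 2][1]
        slots.append(phase_deg(i, q))
    return slots


def max_phase_step_deg(bits, offset=False):
    """Largest carrier phase jump between consecutive slots (0, 90 or 180)."""
    ph = phase_sequence(bits, offset)
    return max(abs((b - a + 180) % 360 - 180) for a, b in zip(ph, ph[1:]))


def crosses_origin(bits, offset=False):
    """True if some transition passes through the origin (a 180 degree jump),
    which is where the envelope collapses and AM/PM distortion is worst."""
    return max_phase_step_deg(bits, offset) == 180


def qpsk_waveform(bits, samples_per_symbol=16, cycles_per_symbol=2):
    """Sampled s(t) = I cos(w0 t) - Q sin(w0 t), rectangular pulses, no shaping filter."""
    out = []
    for i, q in bits_to_iq(bits):
        for n in range(samples_per_symbol):
            w0t = 2 * math.pi * cycles_per_symbol * n / samples_per_symbol
            out.append(i * math.cos(w0t) - q * math.sin(w0t))
    return out


if __name__ == "__main__":
    data = "11000110"  # the bit stream of the page's timing diagram
    print("symbol phases:", phase_sequence(data)[::2])               # [45.0, 225.0, 135.0, 315.0]
    print("QPSK  max step:", max_phase_step_deg(data))                # 180
    print("OQPSK max step:", max_phase_step_deg(data, offset=True))   # 90
```

The first and third symbol transitions of the page's sequence (45° to 225°, 135° to 315°) cross the origin, which is why the plain QPSK envelope collapses there; with the Q stream offset by half a symbol only one component changes per slot and the worst case drops to 90°.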

2.3.4 Power Spectral Density (PSD)

A conceptual spectral diagram of the BPSK-DSSS signal format is shown in Figure 2.17, where for clarity only the envelope of the PSD function of the BPSK-modulated DSSS signal is drawn. The null-to-null bandwidth of the main lobe is equal to twice the clock rate of the code sequence used as the spreading signal, and each side lobe has a null-to-null bandwidth equal to the clock rate; that is, if the spreading code runs at 5 Mcps (mega chips per second), the main lobe is 10 MHz wide null-to-null and each side lobe is 5 MHz wide.

This is exactly the case in Figure 2.17. In the time domain, on the other hand, the BPSK-modulated DSSS carrier looks like the signal shown in the figure below: the carrier is sent with zero phase shift when the code chip is +1 and with a 180-degree phase shift when the code chip is −1.

[pic]

Fig.2.17 illustration of power spectral density functions for BPSK DSSS signal

The PSD function for the spreading sequence Tc(f) has also been drawn together with the PSD function of data sequence Td(f ) for easy comparison in Fig2.18 , where it is assumed that T = 4Tc for illustration clarity. Obviously, the bandwidth of spreading sequence is equal to 1 /Tc Hz.

[pic]

Fig2.18 PSD functions for spreading sequence and data signal

The power spectral density of an unfiltered M-PSK signal occupies a bandwidth that is a function of the symbol rate Rs = 1/Ts. Thus, for a given symbol rate, the power spectrum of an M-PSK signal is the same regardless of the number M of symbol levels used: BPSK, QPSK and 8-PSK signals have the same spectral shape if Ts is the same in each case.

2.3.5 Spectral Efficiency

In an M-ary PSK scheme each transmitted symbol represents log2 M bits. Hence, at a fixed input bit rate, the transmitted symbol rate decreases as M increases, which means an increase in spectral efficiency for larger M. Thus, if for any digital modulation the spectral efficiency ηs (the ratio of the input data rate Rb to the allocated channel bandwidth B) is given by

[pic]

the 8-PSK spectral efficiency will be three times that of BPSK (0.8 b/s/Hz with a linear amplifier at BER = 10^-4). This is achieved, however, at the expense of error probability.

Note: the spectral efficiency of the linearly amplified QPSK is 1.6 b/s/Hz. whereas for nonlinearly amplified (power efficiency of RF amplifier) is 0.36 b/s/Hz.

3.6 CDMA Security:

2.3.1 Introduction [6]

Since the birth of the cellular industry, security has been a major concern for both service providers and subscribers. Service providers are primarily concerned with preventing fraudulent operations such as cloning or subscription fraud, while subscribers are mainly concerned with privacy. In 1996, fraud through cloning and other means cost operators some US$750 million in lost revenue in the United States alone. Fraud is still a problem today: IDC estimates that in 2000 operators lost more than US$180M in revenue to fraud. Technical fraud, such as cloning, is decreasing in the United States, while subscription fraud is on the rise. The discussion here is limited to technical fraud. With the advent of second-generation digital platforms such as TDMA/CDMA IS-41, operators were able to strengthen network security with improved encryption algorithms and other means. The noise-like signature of a CDMA signal over the air interface makes eavesdropping very difficult. This is due to the CDMA "Long Code", a PN (pseudo-random noise) sequence of period 2^42 − 1 generated from a 42-bit register, which is used to scramble voice and data transmissions. The following sections discuss how CDMA2000 1xRTT implements three major features of mobile security: authentication, data protection, and anonymity.

Service providers and mobile handset manufacturers are working in conjunction to overcome this challenge by introducing authentication and encryption on the networks.

Here is a look at authentication and encryption for CDMA networks.

• Authentication: A process by which the system identifies authorized users for particular services within the system. It provides assurance to the system that the user is genuine.

• Cryptography: This is the science of encryption and decryption and is based on mathematical algorithms.

With the advent of computers and faster processing, cryptography underwent major changes; most of today's cryptographic techniques are patented by security firms or were developed at educational institutions.

• Encryption: the conversion of a message from its original form into an unrecognizable encrypted form. Decryption is the conversion of the encrypted message back to its original form.

In principle, encryption and decryption remain what our ancestors practised: changing the characteristics of a message so that only the genuine receiver is able to recover it.

[pic]

2.3.2 Security – CDMA Networks [15]

The security protocols of CDMA IS-41 networks are among the best in the industry. By design, CDMA technology makes eavesdropping, whether intentional or accidental, very difficult. Unique to CDMA systems is the 42-bit PN (pseudo-random noise) sequence called the "Long Code", used to scramble voice and data. On the forward link (network to mobile) data is scrambled at a rate of 19.2 kilo-symbols per second (ksps), and on the reverse link at 1.2288 mega-chips per second (Mcps). CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the Electronic Serial Number (ESN) of the mobile.

[pic]

Fig2.6 the authentication by CAVE

A random binary number called RANDSSD, which is generated in the HLR/AC, also plays a role in the authentication procedures. The A-Key is programmed into the mobile and is stored in the Authentication Center (AC) of the network.

In addition to authentication, the A-Key is used to generate the sub-keys for voice privacy and message encryption. CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption) algorithm to generate a 128-bit sub-key called the “Shared Secret Data” (SSD). The A-Key, the ESN and the network-supplied RANDSSD are the inputs to the CAVE that generates SSD. The SSD has two parts: SSD_A (64 bit), for creating authentication signatures and SSD_B (64 bit), for generating keys to encrypt voice and signaling messages. The SSD can be shared with roaming service providers to allow local authentication. A fresh SSD can be generated when a mobile returns to the home network or roams to a different system.

2.3.3 Authentication [6]

In CDMA networks the mobile uses SSD_A and the broadcast RAND as inputs to the CAVE algorithm to generate an 18-bit authentication signature (AUTH_SIGNATURE) and sends it to the base station, which uses it to verify that the subscriber is legitimate. Both a Global Challenge (all mobiles are challenged with the same random number) and a Unique Challenge (a specific RAND is used for each requesting mobile) are available to operators. The Global Challenge method allows very rapid authentication. In addition, both the mobile and the network track the Call History Count (a 6-bit counter); this provides a way to detect cloning, since the operator is alerted if there is a mismatch. The A-Key is re-programmable, but both the mobile and the network Authentication Center

2.3.4 Basics of authentication [6]

1. A-Key (authentication key)

2. ESN, MIN, MDN

2.3.4.1 A-Key (authentication key):

The A-Key, or authentication key, is a 64-bit permanent number stored in the permanent memory of the mobile. It is pre-programmed and securely stored in the phone at the factory, is known only to the mobile and its associated HLR/AC, and is used to generate the SSD (Shared Secret Data), the intermediate keys.

2.3.4.2. ESN-MIN-MDN:

ESN (electronic serial number)

The ESN is the 32-bit electronic serial number of the mobile phone, pre-programmed by the phone manufacturer at the factory.

The ESN is unique to each mobile on the network and is used together with the mobile number to identify the mobile on the network.

MIN (mobile identification number): the MIN is the 10-digit number assigned by the service provider to a mobile phone on its network. The MIN is unique to each mobile on the network and is used together with the ESN to identify the mobile on the network.

MDN (mobile directory number): the MDN is the 10-digit dialable number assigned by the service provider to a mobile phone on its network. This number is usually known to the customer and to the outside world as the mobile number. The MDN may be the same as the MIN, depending on how the service provider provisions this pair on its network.

Whether the MDN and MIN are the same is the prerogative of the service provider. As a best practice, most CDMA service providers maintain a distinct pair associated with each ESN in their database.

To facilitate authentication on the network there is a special master key, the A-Key or authentication key, a 64-bit number stored in the permanent memory of the mobile. It is pre-programmed at the factory by the manufacturer and must never be disclosed.

• Cloning: a malicious procedure in which a rogue intruder programs an unauthorized MIN/ESN pair into a cloned mobile, thereby fooling the network into believing that the cloned mobile is genuine.

• Tumbling: the process in which the rogue intruder keeps changing the MIN/ESN pair on the mobile at regular intervals to avoid detection.

To halt these practices, most CDMA service providers have enabled the authentication and encryption systems that are already part of the CDMA 1xRTT specifications. The authentication and encryption system is shown in the accompanying figure.

The authentication and encryption systems is divided into three sections, namely: SSD generation/update, authentication, and encryption/ decryption.

2.3.5 Global challenge [6]

1. Allows only valid subscribers to access network resources.

2. All MSs are challenged with the same random number.

3. The VLR can authenticate the MS if the SSD is shared.

4. Subsequent action is based on the policy in effect (e.g. a unique challenge).

A global challenge is performed whenever:

1. Registration: the mobile performs autonomous registration.

2. Origination: the mobile station originates a call.

3. Termination: the mobile station responds to a page message.

4. Mobile station data: the mobile sends a data burst message, e.g. SMS.

[pic]

Fig 2.8 global challenge

2.3.6 unique challenge [6]

A single MS is challenged with a selected (unique) random number. The VLR can initiate the challenge if the SSD is shared (only failures are reported to the AC), and it can be executed on the traffic channel in use for the call, which saves control channel resources. By design, all CDMA phones use a unique PN (pseudo-random noise) code for spreading the signal, which makes the signal difficult to intercept.

[pic]

Fig 2.9 unique challenge:

2.3.7 The inherent security of the CDMA air interface [7]

Code Division Multiple Access (CDMA) technology is an advanced wide-area wireless technology for voice and high-speed internet access that supports high mobility. CDMA is inherently more secure than first-generation analog and Time Division Multiple Access (TDMA) systems. CDMA originated in military applications and cryptography, and to date there has been no report of hijacking or eavesdropping on a CDMA call in a commercially deployed network. The inherent security of the CDMA air interface comes from the combination of encryption and spread-spectrum technology, used simultaneously to avoid gaps in security.

First, the CDMA signals of all calls are transmitted, or spread, over the entire bandwidth rather than being tied to a specific time slot or frequency in the system. As a result the signals of all calls take on a noise-like appearance that acts as a disguise, making the signal of any one call difficult to distinguish from the background noise.

CDMA ENCRYPTION

3.3.1 Authentication and Encryption in CDMA system [13]

Executive summary

Mobile usage has penetrated virtually every aspect of our daily lives, from traditional voice communication to short message service (SMS), multimedia messaging service (MMS), ring tones, camera phones, games and a vast array of applications. With the advent of 3G technologies most service providers are promising even more attractive features and applications, and most mobile phone manufacturers are making the mobile ever more feature-rich.

One of the key areas addressed by both service providers and mobile manufacturers is authentication and encryption in mobile technology. This white paper addresses the concept of authentication and encryption in CDMA systems and the use of this feature in today's mobile telephony environment.

3.3.1.2 The Authentication model [6]

An authentication model is best represented by the figure below. As soon as the user requests a service from the serving system, the serving system sends it a random number as a challenge to authenticate itself. The user runs a cryptographic algorithm over this random number using a secret key that is known at both ends. The same computation is carried out at the serving system with the same algorithm and secret key. The output from the user side is returned to the serving system as a response, which the serving system compares with its own computation: if the two match the user is permitted access to services, otherwise access is denied.

[pic]

Fig 3.9 cryptographic algorithm

In CDMA systems, as we shall see in the following sections, the purpose of authentication is to identify and serve a genuine mobile on the network and to deny access to a cloned copy of it.

3.3.1.3 Authentication and Encryption in CDMA system [13]

At the heart of the Authentication model in CDMA is the Authentication key or A-key which is like a master key to the system. The A-key is a 64 bit number stored in the permanent section of the memory and is usually pre-programmed at factory settings. The A-key as we shall see in further sections is used to generate intermediate keys and session keys within the system. The model represented below represents the complete Authentication and Encryption systems in CDMA networks and will be the focus of our study from now.

[pic]

Fig 1.10 authentication and Encryption

For better understanding this system can be divided into three sections, namely SSD (Shared Secret Data) generation/update, authentication, and finally encryption. CDMA networks make use of a cryptographic algorithm known as CAVE (Cellular Authentication and Voice Encryption), which is used in various stages of the procedure.

On the initiation of an SSD generation/update the Home Location Register/Authentication Centre (HLR/AC) sends out a random number RANDSSD (56 bits) as a challenge. The mobile takes this RANDSSD together with the ESN and A-Key to generate the SSD pair, SSD_A and SSD_B, each 64 bits long.

This is followed by a procedure known as Global Challenge. Here SSD_A is fed into the CAVE algorithm together with the ESN, the MIN and a random number RAND (32 bits), which is now generated by the MSC. The result, the Authentication Signature AUTHR (18 bits), is sent by the mobile to the network. The network computes its own version of AUTHR and compares it with the received value.

The base station permits access to the mobile if the authentication signatures match and denies access if they do not. In the event of a mismatch the network may also initiate an SSD update to generate a new pair of SSD_A and SSD_B, and in some cases initiate a Unique Challenge to the mobile: it sends a unique random number RANDU (24 bits) to that particular mobile and receives a unique authentication signature (AUTHU, 18 bits) from it.

The Authentication Procedure is invoked during Registration, Origination, PageResponse or Data Burst Message.
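The SSD update, global challenge, unique challenge and Call History Count check described in this section (and in the authentication section earlier, which introduces the 6-bit count as the clone detector) as one runnable exchange between a mobile and the HLR/AC. This is an added example, not code from the page, the cited white papers or the IS-41 standard. CAVE is not public in any standard library and is not reproduced: the `_prf` helper is a hypothetical stand-in (HMAC-SHA256 truncated to the page's field widths) that preserves only the key flow. The field widths (64-bit A-Key, 32-bit ESN, 56-bit RANDSSD, 32-bit RAND, 24-bit RANDU, 18-bit signature, 6-bit count) are the page's; the ESN/MIN values, the class names and the two clone scenarios are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Field widths in bits as given on the page.
A_KEY_BITS, ESN_BITS = 64, 32
RANDSSD_BITS, RAND_BITS, RANDU_BITS, AUTH_BITS, COUNT_BITS = 56, 32, 24, 18, 6


def _prf(key, key_bits, tag, *fields, out_bits):
    """Hypothetical stand-in for CAVE: HMAC-SHA256 over the fields, keyed with
    `key` and truncated to out_bits. CAVE itself is not reproduced here."""
    data = tag + b"".join(f.to_bytes(8, "big") for f in fields)
    mac = hmac.new(key.to_bytes(key_bits // 8, "big"), data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - out_bits)


def generate_ssd(a_key, esn, randssd):
    """SSD update: (A-Key, ESN, RANDSSD) -> (SSD_A, SSD_B), 64 bits each."""
    return (_prf(a_key, A_KEY_BITS, b"SSD_A", esn, randssd, out_bits=64),
            _prf(a_key, A_KEY_BITS, b"SSD_B", esn, randssd, out_bits=64))


def auth_signature(ssd_a, esn, min_, rand):
    """18-bit AUTHR (global challenge, 32-bit RAND) or AUTHU (unique challenge,
    24-bit RANDU). Keyed by SSD_A only: the A-Key never takes part directly."""
    return _prf(ssd_a, 64, b"AUTH", esn, min_, rand, out_bits=AUTH_BITS)


class Mobile:
    """Handset. The A-Key never leaves the device; the SSD is derived locally."""

    def __init__(self, esn, min_, a_key):
        self.esn, self.min, self.a_key = esn, min_, a_key
        self.ssd_a = self.ssd_b = 0   # default SSD before the first update
        self.count = 0                # Call History Count (6-bit)

    def ssd_update(self, randssd):
        self.ssd_a, self.ssd_b = generate_ssd(self.a_key, self.esn, randssd)

    def respond(self, rand):
        self.count = (self.count + 1) % (1 << COUNT_BITS)
        return auth_signature(self.ssd_a, self.esn, self.min, rand), self.count


class AuthCenter:
    """HLR/AC. Holds the A-Key per ESN and the SSD it derived; a roaming VLR
    would be given SSD_A for local checks, never the A-Key."""

    def __init__(self):
        self.subs, self.ssd, self.count = {}, {}, {}

    def provision(self, esn, min_, a_key):
        self.subs[esn] = (min_, a_key)
        self.count[esn] = 0

    def start_ssd_update(self, esn):
        randssd = secrets.randbits(RANDSSD_BITS)     # only RANDSSD goes over the air
        min_, a_key = self.subs[esn]
        self.ssd[esn] = generate_ssd(a_key, esn, randssd)
        return randssd

    def verify(self, esn, rand, auth_sig, count):
        """Compare the signature with the AC's own computation and check that the
        Call History Count advanced by one. Returns (sig_ok, count_ok)."""
        min_, _ = self.subs[esn]
        ssd_a = self.ssd.get(esn, (0, 0))[0]
        sig_ok = auth_sig == auth_signature(ssd_a, esn, min_, rand)
        expected = (self.count[esn] + 1) % (1 << COUNT_BITS)
        count_ok = count == expected
        if sig_ok and count_ok:
            self.count[esn] = expected
        return sig_ok, count_ok

    def global_challenge(self, mobiles):
        """One RAND broadcast to every mobile; each answer is checked separately."""
        rand = secrets.randbits(RAND_BITS)
        return [self.verify(m.esn, rand, *m.respond(rand)) for m in mobiles]

    def unique_challenge(self, mobile):
        """A RANDU for one mobile only, e.g. after a global-challenge mismatch."""
        randu = secrets.randbits(RANDU_BITS)
        return self.verify(mobile.esn, randu, *mobile.respond(randu))


def _setup(copy_ssd):
    ac = AuthCenter()
    esn, min_ = 0x1234ABCD, 5551234567              # constructed sample identifiers
    a_key = secrets.randbits(A_KEY_BITS)
    ac.provision(esn, min_, a_key)
    genuine = Mobile(esn, min_, a_key)
    genuine.ssd_update(ac.start_ssd_update(esn))     # RANDSSD challenge
    clone = Mobile(esn, min_, secrets.randbits(A_KEY_BITS))  # copied ESN/MIN, guessed A-Key
    if copy_ssd:
        clone.ssd_a = genuine.ssd_a                   # assume SSD_A leaked from a serving system
    return ac, genuine, clone


def clone_without_akey():
    """Genuine mobile passes; the clone has the ESN/MIN pair but no A-Key, hence no SSD."""
    return _setup(copy_ssd=False)[0].global_challenge(_setup(copy_ssd=False)[1:]) if False else \
        (lambda s: s[0].global_challenge([s[1], s[2]]))(_setup(copy_ssd=False))


def clone_with_copied_ssd():
    """Even with a valid SSD_A the clone's Call History Count is out of step."""
    return (lambda s: s[0].global_challenge([s[1], s[2]]))(_setup(copy_ssd=True))
```

Run `clone_without_akey()` and it returns `[(True, True), (False, False)]`: the clone's signature is wrong and its count is wrong. `clone_with_copied_ssd()` returns `[(True, True), (True, False)]`: the signature now verifies, so only the 6-bit count reveals that two devices are answering for one ESN, which is exactly the alert the text describes. Note that the A-Key is never compared or transmitted; everything the serving side sees is derived from SSD_A.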

How is Authentication Invoked [15]

When a mobile is trying to Register onto the network by sending a Registration message on the Access Channel

[pic]

When a Mobile attempts to Originate a call by sending an Origination message on the Access Channel

[pic]

When a Mobile is trying to Terminate a call by sending a Page Response message on the Access Channel

[pic]

When a Mobile attempts to send a Data Burst message on the Access Channel

[pic]

3.3.4 Spreading Codes [15]

1. It is desired that each user's transmitted signal appears noise-like and random; strictly speaking, the signals should appear as Gaussian noise.

2. To be realizable, such signals must be constructed from a finite number of randomly preselected stored parameters.

3. The same signal must be generated at the receiver in perfect synchronization.

4. Complexity is limited by specifying only one bit per sample, i.e. a binary sequence.

IS-95 CDMA

1. Direct sequence spread spectrum signaling on the reverse and forward links.

2. Each channel occupies 1.25 MHz (e.g. reverse channel 847.74 MHz, forward channel 892.74 MHz).

3. Fixed chip rate of 1.2288 Mcps.

3.3.4 Spreading Codes in IS-95 [15]

1. Orthogonal Walsh codes

– To separate channels from one another on the forward link.

– Used for 64-ary orthogonal modulation on the reverse link.

2. PN codes

– A decimated version of the long PN code is used for scrambling on the forward link.

– Long PN codes identify users on the reverse link.

– Short PN codes use different code phases for different base stations.

Reverse link modulation

– The signal is spread by the short PN code (which is clocked at the same rate).

– Zero-offset code phases of the short PN code are used for all mobiles.

– The long PN code sequence has a user-distinct phase offset.

3.3.6 Characteristics Of The Different Algorithms in CDMA

3.3.6.1 The cellular authentication and voice Encryption (CAVE) [12]

The Cellular Authentication and Voice Encryption (CAVE) security system used in ANSI-41 networks, which support analog, TDMA and CDMA systems, is considerably more complex. The wireless device's private key is shared only by the wireless device and the home system, but the serving system is sent the SSD, a secondary key derived from the primary key, rather than just a list of challenge-response pairs. This enables the serving system to securely authenticate the wireless device any number of times without the overhead of further communication with the home system. This flexibility and efficiency does, however, require that the same algorithm (CAVE) be used by all systems. If a major loss of keys occurred it would be possible to update the valid wireless devices with a new SSD over the radio interface, but a serious breach of the CAVE algorithm would not be easily rectified.

CAVE is used:

1. to generate the A-Key checksum;

2. to generate the SSD;

3. to generate the CMEA key and the VPM.

3.3.6.2 Cellular Message Encryption Algorithm (CMEA) key (64 bit) [12]

The CMEA key is used with the CMEA algorithm (and its enhanced version, ECMEA) to protect digital data exchanged between the mobile station and the base station. Note that CMEA is not used to protect voice; it is intended to protect sensitive control data, such as the digits dialed by the user. A successful break of CMEA would expose the dialed digits (all DTMF tones) sent to the remote endpoint and the alphanumeric pages received by the user. Finally, compromise of the control channel contents could expose any confidential data the user types on the keypad: calling-card PINs may be an especially widespread concern, and credit card numbers, bank account numbers and voicemail PINs are also at risk.

A description of CMEA

The CMEA specification is summarised here for reference. CMEA is a byte-oriented, variable-width block cipher with a 64-bit key. The block size may be any number of bytes and may vary without any key change.

CMEA is quite simple and appears to be optimized for 8-bit microprocessors with severe resource limitations. It consists of three layers: the first performs a non-linear diffusion pass over the block; the second is a linear, unkeyed operation intended to make changes propagate in the opposite direction (roughly speaking, XORing the right half of the block onto the left half); the third is a further non-linear pass which is, in fact, the inverse of the first layer.

[pic]

Fig 3.15 the CMEA key

3. SSD

The SSD is an intermediate key from which further session keys are generated. Its initial value is 0 by default. On initiation of an SSD generation, the network sends a RANDSSD (a 56-bit random number generated at the network's Authentication Centre) to the mobile. The mobile and the network both feed this RANDSSD, together with the ESN and A-Key, into the CAVE algorithm to generate the pair SSD_A (64 bits) and SSD_B (64 bits). SSD_A is used for authentication and SSD_B for generating the session keys that scramble and encrypt voice, data and signaling messages.

Even while a mobile is powered off, the SSD pair is retained and re-used until the network performs another SSD update, which it usually does periodically or whenever the service provider believes the security of a particular mobile has been compromised.

Remember: the ESN and A-Key are unique to a mobile and must therefore never be compromised.

The SSD is calculated simultaneously by the MS and the AC, and can be shared with the VLR.

[pic]

Fig 3.13 SSD update

3.3.6.4 The data key (32 bit) and the ORYX algorithm [12]

A separate data key, and an encryption algorithm called ORYX, is used by the mobile and the network to encrypt data traffic on the CDMA channels.

ORYX is a simple stream cipher based on binary linear feedback shift registers (LFSRs) that was proposed for use in North American digital cellular systems to protect cellular data transmissions. ORYX is used as a keystream generator: the output of the generator is a random-looking sequence of bytes. Encryption is performed by XORing the keystream bytes with the data bytes to form ciphertext, and decryption by XORing the keystream bytes with the ciphertext to recover the plaintext. Hence known plaintext/ciphertext pairs can be used to recover segments of the keystream. In [12] the security of ORYX is examined with respect to a known-plaintext attack under the assumption that the cryptanalyst knows the complete structure of the cipher, including the LFSR feedback functions.

The key consists only of the initial states of the three 32-bit LFSRs, a total key size of 96 bits. A complicated key schedule, however, reduces the effective key space to one that is easily searched by brute force: for export, the key size is reduced to 32 bits. ORYX is apparently intended to be a strong algorithm when used with a better key schedule that provides a full 96 bits of entropy. The attack in [12] makes no use of the key schedule and applies to ORYX whichever key schedule is used; see the figure.

[pic]

Fig 3.16 the data key
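The XOR-keystream weakness the text relies on, worked through with a toy LFSR keystream generator. This is an added example, not the ORYX cipher (its three registers and key schedule are not reproduced) and not code from the cited analysis [12]. The single 32-bit Fibonacci LFSR with feedback taps 32, 22, 2, 1, the 32-bit key taken directly as the register state, and the two sample messages are assumptions of the example. What it demonstrates is the property stated above: one known plaintext/ciphertext pair yields the keystream segment, after which any other message encrypted under the same keystream is readable without ever learning the key.

```python
def _lfsr_step(state):
    """One step of a 32-bit Fibonacci LFSR; taps 32,22,2,1 are an assumed choice."""
    bit = ((state >> 31) ^ (state >> 21) ^ (state >> 1) ^ state) & 1
    return ((state << 1) | bit) & 0xFFFFFFFF


def keystream(key, nbytes):
    """Toy generator: the 32-bit key is the initial register state (as in ORYX,
    where the register states are the key); clock 8 times per output byte."""
    if not 0 < key < (1 << 32):
        raise ValueError("key must be a non-zero 32-bit value")
    state, out = key, bytearray()
    for _ in range(nbytes):
        for _ in range(8):
            state = _lfsr_step(state)
        out.append(state & 0xFF)
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, keystream(key, len(data)))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: keystream = plaintext XOR ciphertext, no key needed."""
    return xor_bytes(plaintext, ciphertext)


def keystream_reuse_attack(known_pt, known_ct, other_ct):
    """Read a second message sent under the same keystream using only the
    keystream recovered from the first; the attacker never learns the key."""
    ks = recover_keystream(known_pt, known_ct)
    return xor_bytes(ks[:len(other_ct)], other_ct)


# Constructed sample traffic: two messages sent under the same 32-bit key.
KEY = 0x1A2B3C4D
MSG_KNOWN = b"DIAL 5551234567 "   # known to the attacker (e.g. a predictable header)
MSG_SECRET = b"PIN 4321 ok     "  # the message the attacker wants


def demo():
    ct_known = stream_encrypt(KEY, MSG_KNOWN)
    ct_secret = stream_encrypt(KEY, MSG_SECRET)
    return keystream_reuse_attack(MSG_KNOWN, ct_known, ct_secret)


if __name__ == "__main__":
    print(demo())  # b'PIN 4321 ok     '
```

The recovered keystream is identical to the generator's output, so the attack does not depend on the generator's internals at all; the LFSR structure only matters for the stronger attack in [12], which recovers the register states themselves. With a 32-bit effective key the remaining step is a brute-force search over 2^32 candidates, which is not attempted here.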

3.3.6.5 Private long mask (PLM) [12]

The CDMA system uses the 42-bit PN (pseudo-random noise) sequence called the "long code" to scramble voice and data.

On the forward link (network to mobile) data is scrambled at a rate of 19.2 ksps (kilo-symbols per second), and on the reverse link at 1.2288 Mcps (mega-chips per second).

[pic]

Fig 3.17 the PLM

3.3.8 Conclusion

A CDMA receiver has to be supplied with the correct 64-bit code to receive a channel of CDMA traffic; without this code, or with the wrong code, the received signal is noise, and a brute-force attack to find the correct code is not feasible. The code is exchanged between sender and receiver at the handshake, which happens over an encrypted channel. In spite of the difficulty of 'tuning' into a CDMA transmission, the data (or voice) is further encrypted. This double layer of ciphering makes CDMA security quite strong. All cellular networks, however, are vulnerable to location finding by triangulation or directional antennas: an attacker can find the location of a mobile station with radio monitoring equipment. This does not compromise the privacy of the data, only the privacy of the user's location. In our simulation we faced some difficulties with 3G security because it is a new system, it is not yet widely applied, and the encryption functions and their contents are still secret. We also found the algorithms in GSM to be less complex than the algorithms in CDMA. In the end, our advice to whoever wants to extend this field is to concentrate on the algorithms and functions and their functionality in new systems such as CDMA.

[pic]

Simulation:

4.2 CDMA Simulation

4.2.1 Spread spectrum simulation

The characteristic of Spread Spectrum is that bandwidth of the transmitted signal W is much greater than the original message bandwidth (or the signaling rate R).

Transmission bandwidth is independent of the message.

Applied code is known both to the transmitter and receiver.

The larger the processing gain of the SS system, the greater its immunity to interference and noise.

The processing gain equal:

[pic]

Fig.4.13 block diagram of spread spectrum signal by using PN code

As shown in the figure, the data is first modulated by the main modulation (QPSK), after which it is spread using the spreading code (the PN sequence).

Narrowband signal (source signal)

In CDMA the narrowband signal has

Rb = 9.6 kbps, so

Tb = 1/Rb ≈ 1.04×10^-4 s (bit time)

[pic]

Fig.4.14 baseband signal (narrowband)

Spread spectrum signal

The original data is multiplied with a spreading sequence Code which typically has a much larger bandwidth than the original signal.

In the CDMA system the data after spreading has a chip rate of

Rc = 1.2288 Mcps, so

Tc = 1/Rc ≈ 8.14×10^-7 s (chip time)

As shown in the figure, the narrowband signal is spread over a wide band of frequencies. The spreading lowers the power spectral density of the signal by distributing its power over the wide band, which reduces the effect of interference at the receiver.

[pic]

Fig.4.15 Spread spectrum signal

The effectiveness of the spreading process is measured by a factor called the processing gain, Gp = W/B = Tb/Tc = Rc/Rb, where W is the bandwidth of the spread signal and B the bandwidth of the source signal.

Gp = (1.2288×10^6)/(9.6×10^3) = 128 (about 21 dB)

3. QPSK Modulation

This type of modulation used in CDMA IS-95 in the forward link.

In this simulation we concentrate on the spectrum of the filtered QPSK and the power spectrum density of this modulation as well as the eye diagram.

The block diagram shown below is for filtered QPSK, the filter used is the raised cosine filter.

[pic]

Fig.4.20 QPSK modulation block diagram

The spectrum of the QPSK signal is shown below; as we see the spectrum occupied by the filtered signal is narrower than that of the QPSK modulator output, thus the adjacent channel interference will be reduced due to the reduction in the spectrum occupied.

Fig.4.21 spectrum of QPSK signal before filter and after filter

The power spectral density (PSD) of the QPSK signal is shown below:

[pic]

Fig.4.22 PSD of the QPSK signal

As we see, the QPSK signal has a large PSD due to the large envelope variation (shown later) that comes from the large phase transitions (180°) that occur in this modulation; therefore it will consume more power and needs a linear amplifier.

The eye diagrams of the QPSK signal before and after the filter are shown in the figure below.

[pic]

Fig.4.23 eye diagram of the QPSK before filter and after the filter

As we can see in the figure above, the ISI of the bits before the filter is approximately zero. After the filter, because of the pulse shaping, the amount of ISI increases; this is observed from the narrowing of the eye opening.

Compared with the GMSK modulation used in the GSM system, QPSK will introduce less error due to ISI.

The theoretical and simulated Bit Error Rates of the BPSK and QPSK modulations were obtained from the following code:

%% This program calculates the BER of the BPSK and QPSK modulation schemes.
%% The err (error) vector was calculated in another program and
%% we just take the result of the BER here.
% simulated QPSK symbol error rate at SNR = 0,1,...,12 dB (13 points)
err=[.2921 .2450 .1970 .1511 .1099 .0739 .0457 .0248 .0121 .0047 .0017 3.6e-4 7.8e-5];
snr=10.^([0:0.1:12]./10);            % SNR in dB converted to a linear ratio
Pbsym=erfc(.707*sqrt(snr));          % symbol BER (Theoretical-QPSK)
Pbbit=0.5*erfc(sqrt(snr));           % bit BER (Theoretical-BPSK)
semilogy([0:12],err,'*',[0:0.1:12],Pbsym,'-',[0:0.1:12],Pbbit,'--');
grid on; xlabel('SNR(dB)'); ylabel('BER');
title('Simulation of symbol and bit BER for QPSK and BPSK');
legend('QPSK Simulated','QPSK symbol Theoretical','BPSK bit Theoretical');

Fig.4.24 BER of BPSK and QPSK

The theoretical probability of error for QPSK using the distance (signal space) criterion from the constellations shows the maximum distance between symbols for BPSK and QPSK to be the same, and gives the same probability of error for each, which is not true. QPSK is approximately 4 dB poorer than BPSK because BPSK has only one possible bit in error, whereas QPSK has 2 bits per symbol that can be in error.

This can be observed from the BER curve shown above; e.g. to get a BER of 10^-4 the SNR for BPSK is approximately 8 dB, whereas for QPSK the SNR must be 12 dB to achieve the same BER.

4.2.4 Offset QPSK (OQPSK):

This type of modulation is used in the reverse direction (i.e. from the mobile to the base station).

[pic]

Fig.4.25 OQPSK modulation block diagram

The only difference in this modulation is the delay of the Q component; this delay limits the maximum phase change to 90°, so this modulation produces less envelope variation than QPSK, as shown below.

Fig.4.26 amplitude variation of QPSK and OQPSK

Due to the smaller envelope variation of OQPSK, a nonlinear amplifier can be adopted, which is more power- and spectrally efficient.

Thus the use of OQPSK in the mobile station reduces the power consumed, since no large phase transitions take place. This can be observed from the PSD of the OQPSK signal shown below.

[pic]

Fig.4.27 PSD of the OQPSK signal

Note: from the point of view of Pe (BER), OQPSK gives the same results as QPSK.
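To make the phase-transition argument concrete, here is an added Python example (not from the report) that walks Gray-mapped QPSK and OQPSK through the same random bits and reports the largest phase jump and the lowest envelope of each; the straight-line transition model between constellation points and the bit-to-symbol mapping are assumptions made for illustration.

```python
import math
import random

# Added example, not part of the report: why the half-symbol offset of OQPSK caps
# the phase jump at 90 degrees and keeps the envelope away from zero. I and Q take
# the values +/-A (Gray-mapped QPSK); the transition between constellation points
# is modelled as a straight line, a constructed stand-in for filter pulse shaping.
A = 1 / math.sqrt(2)

def qpsk_symbols(bits):
    """Pairs of bits -> (I, Q) points, bit 0 -> +A and bit 1 -> -A."""
    return [(A if bits[i] == 0 else -A, A if bits[i + 1] == 0 else -A)
            for i in range(0, len(bits) - 1, 2)]

def oqpsk_path(symbols):
    """Points visited by OQPSK: Q is delayed half a symbol behind I, so only
    one axis changes at each half-symbol step (never both at once)."""
    pts = [symbols[0]]
    for (_, q_prev), (i_cur, q_cur) in zip(symbols, symbols[1:]):
        pts.append((i_cur, q_prev))   # I switches first
        pts.append((i_cur, q_cur))    # Q follows half a symbol later
    return pts

def phase_changes_deg(points):
    """|phase change| in degrees between consecutive points, wrapped to [0, 180]."""
    out = []
    for (i0, q0), (i1, q1) in zip(points, points[1:]):
        d = math.degrees(math.atan2(q1, i1) - math.atan2(q0, i0))
        out.append(abs((d + 180.0) % 360.0 - 180.0))
    return out

def min_envelope(points, steps=16):
    """Smallest |I + jQ| along the straight-line transitions between points."""
    m = math.hypot(*points[0])
    for (i0, q0), (i1, q1) in zip(points, points[1:]):
        for s in range(steps + 1):
            a = s / steps
            m = min(m, math.hypot(i0 + a * (i1 - i0), q0 + a * (q1 - q0)))
    return m

def compare(n_bits=2000, seed=7):
    """Max phase jump and minimum envelope for QPSK and OQPSK on random data."""
    rng = random.Random(seed)
    qpsk = qpsk_symbols([rng.randint(0, 1) for _ in range(n_bits)])
    oqpsk = oqpsk_path(qpsk)          # QPSK itself jumps I and Q together
    return {"qpsk_max_phase_deg": max(phase_changes_deg(qpsk)),
            "oqpsk_max_phase_deg": max(phase_changes_deg(oqpsk)),
            "qpsk_min_envelope": min_envelope(qpsk),
            "oqpsk_min_envelope": min_envelope(oqpsk)}
```

With the same data QPSK shows 180° jumps and an envelope that passes through zero, while OQPSK never exceeds 90° and its envelope never drops below A = 0.707, which is the property that lets the mobile use a nonlinear amplifier.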


Baseband

[pic]

Spread

[pic]

This is a matlab program to simulate the spread spectrum result. fft is used to view the spectrum of the modulated signal. The spectrum should be the same with different sample points. In the matlab program, tstep and tstop will decide the sample points. tstep=1e-9. When tstop is changed the width of the spectrum will change too! So, there must be some problem in my program. Please help to find the problem. Thanks a lot.

clear;
Nfft = 2^18;                          % fft points
% Create a 100MHz signal source
A = 1;                                % Amplitude of the signal
fc = 100e6;                           % Carrier frequency
tstep = 1e-9; fs = 1/tstep;           % sample period and sample rate
tstop = 1e-4;
t = 0:tstep:tstop-tstep;
vt = A*cos(2*pi*fc*t);                % single tone signal source
Y = fft(vt,Nfft);
Pydb = 10*log10(Y.*conj(Y)/Nfft);
% Spread spectrum: triangular frequency sweep of +/-Fd around fc at rate Fspread
Fspread = 30e3; Tspread = 1/Fspread;
Fd = fc*0.0025;                       % Frequency deviation
Fcss = fc+2*abs(mod(t+Tspread/4,Tspread)/Tspread*2*Fd-Fd)-Fd;  % instantaneous frequency
% The phase must be the integral of the instantaneous frequency. The original
% line vtss = A*cos(2*pi*Fcss.*t) has instantaneous frequency Fcss + t*dFcss/dt,
% and the extra term grows with t, so the spectrum widens whenever tstop grows.
phase = 2*pi*cumsum(Fcss)*tstep;
vtss = A*cos(phase);                  % Spread signal
Yss = fft(vtss,Nfft);
Pyssdb = 10*log10(Yss.*conj(Yss)/Nfft);
f = fs*(0:Nfft-1)/Nfft;
subplot(2,1,1), plot(f,Pydb,f,Pyssdb);
axis([9e7,11e7,-100,50]), grid;
xlabel('Frequency (Hz)'), ylabel('Power (dB)');
subplot(2,1,2), plot(t,Fcss);
xlabel('Time (s)'), ylabel('Frequency (Hz)');
grid;

Please change the tstop=1e-4 to tstop=2e-4 and compare the spectrum.

[pic]

[pic]

Evaluation of cellular systems

[pic]

Figure 1.9 Evaluation of cellular systems

Development of the Market Share of Mobile Standards

This graphic compares the market shares of the different mobile standards.

[pic]

Cell phone subscribers by technology (left Y axis) and total number of subscribers globally (right Y axis)

4.1 Comparison between Cellular Mobile Systems:

|Feature |NMT |GSM |IS-95 (CDMA one) |CDMA 2000 |UMTS (3GSM) |
|Technology |FDMA |TDMA / FDMA |CDMA |CDMA |W-CDMA |
|Generation |1G |2G |2G |3G |3G |
|Modulation | |GMSK |QPSK & OQPSK | | |
|Digital |No |Yes |Yes |Yes |Yes |
|Year of First Use |1981 |1991 |1995 |2000 / 2002 |2001 |
|Worldwide market share [2] |0% |72% |0.6% |12% |12% |
|Roaming |Scandinavia |Worldwide, 200+ countries |Limited |Limited |Worldwide |
|Battery life |Low, Pt = 1 W |Very good |Lower |Lower |Lower |
|Handoff |Hard |Hard |Soft |Soft |Soft |
|Breathing |No |No |Yes |Yes |Yes |
|Carrier Spacing |30 kHz |200 kHz |1250 kHz |5 MHz |5 MHz |
|Uplink & Downlink Frequency Band in MHz |800 MHz |800 MHz; UL (890 – 915), DL (935 – 960) |800 MHz; UL (824 – 849), DL (869 – 894) |2 GHz |2 GHz |
|Bit Rate |9.6 Kbps to 14.4 Kbps |76.8 Kb/s |2.4 or 4.8 or 9.6 Kb/s |614 Kbps |2+ Mbps, up to 384 Kbps |
|Channel Frequency Band | |124 |20 | | |
|Switching Method |None |Circuit–Switched |Packet–Switched |Packet Switched |Packet Switched |
|Bandwidth | |25 MHz | |1.25 MHz |5 MHz |

[pic]

Figure labels: Before filter; After filter; For QPSK; For OQPSK
