CDMA Works

8/12/2019 CDMA Works

1/46

50

CHAPTER NO. 6

MULTIPLE ACCESS TECHNIQUES FOR MOBILE COMMUNICATION

Frequency Division Multiple Access (FDMA)

Time Division Multiple Access (TDMA)

Code Division Multiple Access (CDMA)

These multiple access systemshave very different approachesto the bandwidth problem.

6.1: FREQUENCY DIVISION MULTIPLE ACCESS (FDMA)

Each FDMAsubscriber is assigned a specific frequency channel (Fig. 6.1). No one

else in the same cell or a neighboring cell can use the frequency channelwhile it is

assigned to a user. This reduces interference, but severely limits the number of users.

FIG. NO. 6.1 FREQUENCY DIVISION MULTIPLE ACCESS (FDMA)


2/46

51

Frequency-division multiplexing (FDM) advantage of the fact that the useful bandwidthof

the mediumexceeds the required bandwidthof a given signal

6.2: TIME DIVISION MULTIPLE ACCESS (TDMA)

TDMA users share a common frequency channel (Fig. 6.2), but use the channelfor

only a very short time. They are each givena time slotand only allowed to transmit during

that time slot. When all available time slotsin a given frequency are used, the next user

must be assigned a time sloton another frequency. These time slicesare so smallthat the

human ear does not perceive the time slicing

FIG. NO. 6.2: TIME DIVISION MULTIPLE ACCESS (TDMA)

Time-division multiplexing (TDM)takes advantage of the fact that the achievable bit rate

of the medium exceedsthe required data rateof a digital signal

6.3: CODE DIVISION MULTIPLE ACCESS (CDMA)

Code-Division Multiple Access (CDMA) is one of the most important concepts to

any cellular telephone systemis that of multiple access.A large number of usersshare acommon pool of radio channels and any user can gain access to any channel. In other

words CDMAis a form of multiplexing, which allows numerous signalsto occupy a single

transmission channel, optimizing the use of available bandwidth. Though CDMAs

application in cellular telephone is relatively new, but it is not a new technology. CDMA

has been used in many military applications, such as anti-jamming (because of the spread


3/46

52

signal In March 1992,the TIA (Telecommunications Industry Association)established the

TR-45.5 subcommitteewith the charter of developing a spread spectrum digital cellular

standard. In July of 1993, the TIAgave its approval for the CDMA Technologystandard .A

CDMA call starts with a standard rate of 9.6 Kbps. This is then spread to a transmitted rate of

about 1.23 Mbps. The CDMA channel is nominal 1.23 MHz Wide CDMA is compatible

with other cellular technologies

CDMA users share a common frequency channel (Fig 6.3). All users are on the

same frequency at the same time.However, each pair of usersis assigned a special code

that reduces interference while increasing privacy.

FIG. NO. 6.3: CODE DIVISION MULTIPLE ACCESS (CDMA)

2 MB s3GCDMA 200064 Kps - 140 Kps2.5GCDMA (IS-95B)

56 Kps2GGSM34 Kps1GAMPS

Data transmission capacityGenerationCellulartechnolo


4/46


5/46

54

vocoder uses its full ratewhen a person is talking very fast. It uses the 1/8

ratewhen the person is silent or nearly so.

FIG. NO. 6.5: GENERATING AN A/D COMPRESSED SIGNAL

(III) ENCODING AND INTERLEAVING

Encoders and interleavers are built into the BTS and the phones. The

purpose of the encoding and interleaving is to build redundancy into the

signal so that information lostin transmission can be recovered.The type of

encodingdone at this stage is called "convolutional encoding." A simplified

encoding schemeis shown here. A digital messageconsists of four bits (A,

B, C, D) of vocoded data. Each bit is repeated three times.These encoded

bits are called symbols. The decoder at the receiver uses a majority logic

rule. Thus, if an error occurs, the redundancy can help recover the lost

information.

EXAMPLE:

BURST ERROR: A burst error is a type of error in received digital

telephonesignals. Burst errorsoccur in clumpsof adjacent symbols. These

errors are caused by fading and interference. Encoding and interleaving

reduce the effects of burst errors. Interleaving is a simple but powerful

method of reducing the effects of burst errors and recovering lost bits. In the


6/46

55

exampleshown in the Fig. 6.6,the symbolsfrom each group are interleaved

(or scrambled) in a pattern that the receiver knows.De-interleaving at the

receiver unscrambles the bits, spreading any burst errorsthat occur during

transmission.

FIG. NO. 6.6: ENCODING AND INTERLEAVING

(IV) CHANNELIZING

The encoded voice datais further encoded to separate it from other encoded

voice data. The encoded symbolsare then spreadover the entire bandwidth

of the CDMA channel. This processis called channelization.

The receiverknows the code and uses it to recoverthe voice data.

KINDS OF CODES: CDMA uses two important types of codes to

channelize users.

(a) Walsh codeschannelize users on the forward link (BTS to mobile).

Walsh codes provide a means to uniquely identify each user on the

forward link. Walsh codes have a unique mathematical property,

that is, they are "orthogonal." In other words, Walsh codes are

uniqueenough that a receiver applying the same Walsh codecan only

recover the voice data. All other signals are discarded as

background noise.


7/46

56

(a)Pseudorandom Noise (PN) codes channelize users on the reverse link

(mobile to BTS). Pseudorandom Noise (PN) codes uniquely identify

userson the reverse link. A PN codeis one that appears to be random,

but isn't. The PN codes used in CDMA yield about 4.4 trillion

combinations of code. This is a key reasonwhy CDMA is so secure.

(IV) CONVERSION OF DIGITAL TO RADIO FREQUENCY (RF) SIGNAL

The BTScombines channelized data from all calls into one signal. It then

converts the digital signal to a Radio Frequency (RF) signal for

transmission.

6.5: CODE CHANNELS USED IN CDMA

A code channel is a stream of data designated for a specific use or person. This

channelmay be voice data or overhead control data. Channelsare separated by codes.The

forward and reverse linksuse different types of channels.

(I) FORWARD LINK CHANNELS:uses four typesof channelsto transmit voice

and control datato the mobile. The types of forward linkchannels are:

i. Pilot

ii. Sync

iii. Paging

iv. Traffic

FIG. NO. 6.7: FORWARD LINK CHANNELS


8/46

57

(i) PILOT CHANNELThe BTS constantly transmits the pilot channel. The mobile uses the pilot signal

to acquire the system. It then uses the pilot signal to monitor and adjust the power

needed in order to transmit back to the BTS.

FIG. NO. 6.8: PILOT CHANNEL

(ii) SYNC CHANNEL

The BTS constantly transmits over the sync channelso the mobilecan synchronize with

the BTS.It provides the mobilewith the system time and the identification number of

the cell site.The mobile ignores the sync channelafter it is synchronized.

FIG. NO. 6.9: SYNC CHANNEL


9/46

58

(III) PAGING CHANNEL

CDMAuses up to seven paging channels. The paging channeltransmits overhead

informationsuch as commands and pages to the mobile. The paging channelalso

sends commands and traffic channel assignment during call set-up. The mobile

ignores the paging channelafter a traffic channelis established.

FIG. NO. 6.10: PAGING CHANNEL

(IV) FORWARD LINK TRAFFIC CHANNEL

CDMAuses between fifty-five and sixty-one forward traffic channelsto send both

voice and overhead control data during a call. Once the call is completed, the

mobile tunes back in to the paging channelfor commands and pages.

FIG. NO. 6.11: TRAFFIC CHANNEL


10/46

59

(II) REVERSE LINK CHANNELS:uses two typesof channelsto transmit voice and

control datato BTS.The types of reverse linkchannels are:

i. Access

ii. Traffic

FIG. NO. 6.12: REVERSE LINK CHANNELS

(i) ACCESS CHANNEL

The mobile uses the access channel when not assigned to a traffic channel. The

mobileuses the access channelto:

Register with the network

Originate calls

Respond to pages and commands from the base station

Transmit overhead messages to the base station

FIG. NO. 6.13: ACCESS CHANNEL


11/46

60

(II) REVERSE LINK TRAFFIC CHANNEL

The reverse traffic channel is only usedwhen there is a call. The reverse traffic

channel transmits voice data to the BTS. It also transmits the overhead control

information during the call.

FIG. NO. 6.14: REVERSE LINK TRAFFIC CHANNNEL

6.6: CALL PROCESSING STAGES IN CDMA

There are four stagesor modes in CDMA call processing(Fig. 6.15):

Initialization mode Idle mode Access mode Traffic mode.

(I) INITIALIZATION MODE: During initialization, the mobileacquires the system

via the Pilot code channelsynchronizes with the system via the Sync code channel

(II) IDLE MODE: The mobile is not involved in a call during idle mode, but it must

stay in communication with the base station. The mobile and the base station

communicate over the access and paging code channels. The mobile obtains

overhead information via the paging code channel.


12/46

61

FIG. NO. 6.15: CALL PROCESSING STAGES IN CDMA

(III) ACCESS MODE: The mobile accesses the network via the Access code

channelduring call origination. The Access channel and Paging channel carry

the required call set-up communicationbetween the mobile phone and the BTS

until a traffic channel is established.

(IV) TRAFFIC MODE:During a land to mobile (LTM)call: The mobile receivesa

page on the paging channel. The mobile respondson the access channel. The

traffic channelis established and maintained throughout the call.

During a mobile to land call (MTL):The callis placed using the Access channel.

The base station responds on the paging channel. The traffic channel is

established and maintained throughout the call.

Call processing (messages): During the call overhead messaging continues on

the traffic channelin a limited fashion. This messaginguses "Dim and Burst"

or "Blank and Burst" signaling, which replaces part of the voice traffic with

system messages. The user does not detect this signaling, however, due to the

strong datarecovery schemes inherent to CDMA.


13/46

62

FIG. NO. 6.16: MOBILE CALL PROCESSING

6.7: FEATURES OF CDMA

CDMA has several unique features that make it a cost-effective, high quality

wireless solution. The following features are unique to CDMA technology:

(a) Universal frequency reuse

(b)Fast and accurate power control

(c)Different types of handoff(a)FREQUENCY REUSE: The frequency spectrum is a limited resource.

Therefore, wireless telephony, like radio, must reuse frequency assignments.

Each BTS in a CDMA network can use all available frequencies. Adjacent

cells can transmit at the same frequency because users are separated by code

channels, not frequency channels. This feature of CDMA, called "frequency

reuse of one,"eliminates the need for frequency planning


14/46

63

FIG. NO. 6.17: POWER CONTROL

(b)POWER CONTROL: Power controlis a CDMA featurethat enables mobiles

to adjust the powerat which they transmit.This ensures that the base station

receives all signals at the appropriate power. The CDMA network

independently controls the powerat which each mobile transmits. Both forward

and reverse linksuse power control techniques.

Reverse link power control: Reverse link power control consists of two

processes:

Open loop power control: Open loop is the mobile's estimateof the

power at which it should transmit. The open loop estimate is based

on the strength of the pilot signal the mobile receives. As the pilot

signal gets weaker or stronger, the mobile adjusts its transmission

strength upwards or downwards. Open loop is used any time the

mobile transmits.

Closed loop power control: In closed loop, the BTS sends a command

to the mobile to increase or decrease the strength at which it is

transmitting. The BTSdetermines this command based on the quality

of the signal it receives from the mobile. Closed loop is only used

during a call. Closed loopcommands are sent on the forward traffic

channel.


15/46

64

(C) HANDOFF IN CDMA: Handoff is the process of transferring a call from one

cell to another.This is necessary to continue the call as the phone travels.

CDMAis uniquein how it handles handoff.

TYPES OF CDMA HANDOFF: CDMA has three primary types of

handoff:

i. SOFT

ii. HARD

iii. IDLE

(i) SOFT HANDOFF

A soft handoff establishes a connection with the new BTS prior to breaking the

connection with the old one. This is possible because CDMA cells use the same

frequency and because the mobile uses a rake receiver.

FIG. NO. 6.18: SOFT HANDOFF

Variations of the soft handoff: There are two variations of soft handoffs involving

handoffs between sectors within a BTS:

Softer

Soft-softer

The softer handoff: occurs between two sectors of the same BTS. The BTS decodesand

combines the voice signal from each sectorand forwards thecombined voice frameto the


16/46

65

BSC.The soft-softer handoff is combination handoff involving multiple cells and multiple

sectors within one of the cells.

FIG. NO. 6.19: SOFTER HANDOFF

(ii) HARD HANDOFF

A hard handoffrequires the mobileto break the connectionwith the old BTS prior

to making the connection with the new one. CDMA phones use a hard handoff

when moving from a CDMA systemto an analog systembecause soft handoffs are

not possible in analog systems. A Pilot Beacon Unit (PBU)at the analog cell site

alerts the phone that it is reaching the edge of CDMA coverage. The phone

switchesfrom digital to analogmode as during the hard handoff.

Hard handoffmay also be used when moving to a different:

- RF channel- MTSO- Carrier- Market

(iii) IDLE HANDOFF

An idle handoffoccurs when the phone is in idle mode. The mobile will detect a

pilot signal that is stronger than the current pilot. The mobileis always searching

for the pilotsfrom any neighboring BTS. When it finds a stronger signal, the mobile

simply begins attending to the new pilot.


17/46

66

6.8: ADVANTAGES OF CDMA

CDMA technologyhas numerous advantagesincluding:

i. COVERAGE

ii. CAPACITY

iii. CLARITY

iv. COST

v. COMPATIBILITY

vi. CUSTOMER SATISFACTION

(i) COVERAGE

CDMA's featuresresult in coveragethat is between 1.7 and 3 timesthat of TDMA.

Power control helps the network dynamically expand the coverage area. Coding

and interleavingprovide the ability to cover a larger areafor the same amount of

available powerused in other systems.

(II) CAPACITY

CDMA capacity is ten to twenty times that of analog systems, and it's up to four

times that of TDMA.

Reasons for this include:

CDMA's universal frequency reuse

CDMA users are separated by codes, not frequencies

Power controlminimizes interference, resulting in maximized capacity.

CDMA's soft handoffalso helps increase capacity. This is because a soft handoffrequires

less power.

FIG. NO. 6.20: ADVANTAGES OF CDMA


18/46

67

(iii) CLARITY

Often CDMA systems can achieve "wire line" clarity because of CDMA's strong

digital processing.Specifically:

The rake receiverreduces errors

The variable rate vocoder reduces the amount of data transmitted per

person, reducing interference.

The soft handoffalso reduces powerrequirements and interference.

Power controlreduces errorsby keeping power at an optimal level.

CDMA's wide band signal reduces fading. Encoding and interleaving reduce

errors that result from fading.

(iv) COSTCDMA'sbetter coverage and capacityresult in cost benefits:

Increased coverage per BTSmeans fewer are needed to cover a given area.

This reduces infrastructure costsfor the providers.

Increased capacityincreases the service provider's revenue potential.

A CDMA cost per subscriber has steadily declined since 1995 for both

cellular and PCS applications.

FIG. NO. 6.21: COST OF CDMA


19/46

68

(v) COMPATIBILITY

CDMA phonesare usually dual mode. This means they can work in both CDMAs

systems and analog cellular systems. Some CDMA phonesare dual band as well

as dual mode. They can work in CDMA mode in the PCS band, CDMA mode in

the cellular band, or analog mode in an analog cellular network.

(vi) CUSTOMER SATISFACTION

CDMA results in greater customer satisfactionbecause CDMA provides better:

Voice quality

Longer battery life due to reduced power requirements

No cross-talk because of CDMA's unique coding

Privacy--again, because of coding

FIG. NO. 6.22 CDMA CUSTOMER SATISFACTION6.8: ARCHITECTURE OF THE CDMA NETWORK

A CDMA networkis composed of several functional entities, whose functions and

interfacesare specified. The CDMA networkcan be divided into three broad parts. The

Mobile Stationis carried by the subscriber.The Base Station Subsystemcontrols the radio

link with the Mobile Station. The Network Subsystem, the main part of which is the

Mobile services Switching Center (MSC), performs the switching of calls between the

mobile users, and between mobile and fixed network users. The MSC also handles the

mobility management operations. Not shown is the Operations and Maintenance Center,

which oversees the proper operation and setup of the network. The Mobile Station and the

Base Station Subsystem communicate across the Um interface, also known as the air interface


20/46

69

or radio link. The Base Station Subsystem communicates with the Mobile services Switching

Center across the A interface.

FIG. NO. 6.23 GENERAL ARCHITECTURE OF A CDMA NETWORK

(I) MOBILE STATION

The mobile station (MS)consists of the mobile equipment. The mobile equipment

is uniquely identifiedby the International Mobile Equipment Identity (IMEI).

FIG. NO. 6.24: MOBILE EQUIPMENTS

(II) BASE STATION SUBSYSTEM

The Base Station Subsystemis composed of two parts:

(a) The Base Transceiver Station (BTS)

(b) The Base Station Controller (BSC).


21/46

70

These communicate across the standardized Abis interface, allowing operation between

components made by different suppliers.

FIG. NO. 6.25: BASE STATION SUBSYSTEM

(a) The Base Transceiver Station (BTS)houses the radio transceiversthat define a

cell and handles the radio-link protocolswith the Mobile Station. In a large urban area,

there will potentially be a large number of BTSsdeployed, thus the requirements for a BTS

are ruggedness, reliability, portability, and minimum cost.

The base station is under direction of a base station controller so traffic gets sent

there first. The base station controllergathers the callsfrom many base stationsand passes

them on to a mobile telephone switch. From that switch come and go the calls from the

regular telephone network.

(b) The Base Station Controller (BSC) manages the radio resources for one or

more BTSs. It handles radio-channel setup, frequency hopping, and handovers, as

described below. The BSC is the connection between the mobile station and the Mobile

service Switching Center (MSC). Another difference between conventional cellular and

CDMA is the base station controller. It's an intermediate step between the base station

transceiver and the mobile switch. This a better approach for high-density cellular

networks. As If every base station talked directly to the MSC, trafficwould become too

congested. To ensure quality communications via traffic management, the wireless

infrastructure network uses Base Station Controllers as a way to segment the network

and control congestion. The resultis that MSCs route their circuits to BSCs which in turn

are responsible for connectivity and routingof calls for 50 to 100 wireless base stations."


22/46

71

FIG. NO. 6.26: BASE STATION CONTROLLER

BSC functions includes:

Performs vocoding of the voice signal

Routes calls to the MTSO

Handles call control processes

Maintains a database of subscribers

Maintains records of calls for billingThe voice coders or vocoders are built into the handsets a cellular carrier

distributes. They're the circuitrythat turns speech into digital. The carrier specifies which

ratethey want traffic compressed,either a great deal or just a little. The cellular systemis

designed this way, with handset vocodersworking in league with the equipment of the base

station subsystem.

(III) THE MOBILE SWITCHING CENTER

The central component of the Network Subsystem is the Mobile services

Switching Center (MSC).

FIG. NO. 6.27: THE MOBILE SWITCHING CENTER


23/46

72

It acts like a normal switching node of the PSTN or ISDN, and additionally

provides all the functionalityneeded to handle a mobile subscriber, such as registration,

authentication, location updating, handovers, and call routing to a roaming subscriber .

These services are provided in conjunction with several functional entities, which together

form the Network Subsystem. The MSC provides the connection to the fixed networks

(such as the PSTN or ISDN). Signaling between functional entities in the Network

Subsystem uses Signaling System Number 7 (SS7),used for trunk signalingin ISDNand

widely used in current public networks.

(IV) HOME LOCATION REGISTER (HLR) & VISITED LOCATION REGISTER (VLR)

The Home Location Register (HLR) and Visitor Location Register (VLR), together

with the MSC, provide the call routing and roaming capabilities. The HLR contains all the

administrative information of each subscriber registered in the network, along with the

current location of the mobile. The location of the mobile is typically in the form of the

signaling address of the VLR associated with the mobile station. The Visitor Location

Register (VLR) contains selected administrative informationfrom the HLR,necessary for

call controland provision of the subscribed services, for each mobile currently locatedin

the geographical areacontrolled by the VLR. Most often these twodirectoriesare located

in the same place. The HLR and VLRare big databasesmaintained on computerscalled

servers, often UNIX workstations. To operate its nationwide cellular system, iDEN,

Motorola uses over 60 HLRs nationwide.

(V) EQUIPMENT IDENTITY REGISTER (EIR)

The other two registers are used for authentication and security purposes. The

Equipment Identity Register (EIR) is a database that contains a list of all valid mobile

equipment on the network, where each mobile station is identified by its International

Mobile Equipment Identity (IMEI).An IMEI ismarked as invalid if it has been reported

stolen or isnot type approved.

(Vi) THE INTERFACESCellular radio'smost cryptic termsbelong to these names: A, Um, Abis, and Ater.

A telecom interfacemeans many things. It can be a mechanical or electrical linkconnecting

equipment together. Or a boundary between systems, such as between the base station

system and the network subsystem. Interfaces are standardized methods for passing


24/46

73

information back and forth. The transmission media isn't important. Whether copper or

fiber optic cable or microwave radio, an interface insists that signals go back and forthin

the same way, in the same format. With this approach different equipment from any

manufacturerwill work together.

A-bis " is a French term meaning 'the second A Interface. In most cases the

actual span or physical connectionis made on an E1 line. But regardless of the material

used, the transmission media, it is the signaling protocolthat is most important.

Although the interface is unlabeled, the mobile switch communicates with the

telephone network using Signaling System Seven, an internationally agreed upon

standard. More specifically, it uses ISUP over SS7. "ISUP defines the protocol and

procedures used to set-up, manage, and release trunk circuits that carry voice and data calls

over the public switched telephone network (PSTN). ISUP is used for both ISDN and

non-ISDN calls."

6.9: COMPARISON OF MULTIPLE ACCESS SYSTEMS

The table summarizes in Fig.6.28 shows some of the technical aspects of the multiple

access technologies. The technologyused determines the channel's capacity. TDMAtriples

the capacity of FDMA, but CDMA capacitycan be up to seven times that of TDMA.

FIG. NO. 6.28: COMPARISON OF MULTIPLE ACCESS SYSTEMS

********


25/46

CDMA Tutorial

Copyright 2002 Charan Langton www.complextoreal.com

1

Code Division Multiple Access (CDMA)

The Concept of signal spreading and its uses in communications

Lets take a stright forward binary signal of symbol rate 2.

Figure 1 A binary information signal

To modulate this signal, we would multiply this sequence with a sinusoid and itsspectrum would look like as In figure 2. The main lobe of its spectrum is 2 Hz wide. The

larger the symbol rate the larger the bandwidth of the signal.

Figure 2 Spectrum of a binary signal of rate 2 bps

Now we take an another binary sequence of data rate 8 times larger than of sequence

shown in Fig. 1.

Page 1 / 18


26/46

CDMA Tutorial


2

Figure 3 A new binary sequence which will be used to modulate the information

sequence

Instead of modulating with a sinusoid, we will modulate the sequence 1 with this new

binary sequence which we will call the code sequence for sequence 1. The resultingsignal looks like Fig. 4.

Since the bit rate is larger now, we can guess that the spectrum of this sequence will have

a larger main lobe.

Figure 4 Each bit of sequence 1 is replaced by the code sequence

The spectrum of this signal has now spread over a larger bandwidth. The main lobebandwidth is 16 Hz instead of 2 Hz it was before spreading. The process of multiplying

the information sequence with the code sequence has caused the information sequence to

inherit the spectrum of the code sequence (also called the spreading sequence).

Figure 5 The spectrum of the spread signal is as wide as the code sequence

The spectrum has spread from 2 Hz to 16 Hz, by a factor of 8. This number is called the

the spreading factor or the processing gain (in dBs) of the system. This process can also

Page 2 / 18


27/46

CDMA Tutorial


3

be called a form of binary modulation. Both the Data signal and the modulating sequence

in this case are binary signals.

If original signal is x(t) of power Ps, and the code sequence is given by g(t), the resultant

modulated signal is

)()(2)( tgtdPts s=

The multiplication of the data sequence with the spreading sequence is the firstmodulation. Then the signal is multiplied by the carrier which is the second modulation.

The carrier here is analog.

)2sin()()(2)( tftgtdPts cs =

On the receive side, we multiply this signal again with the carrier. What we get is this.

)2(sin)()(2)( 2 tftgtdPtrcv cs =

By the trigonometric identity

)4cos(1)2(sin 2 tftf cc =

we get

Where the underlined part is the double frequency extraneous term, which we filter outand we are left with just the signal.

)()(2)( tgtdPtrcv s=

Now we multiply this remaining signal with g(t), the code sequence and we get

)()()(2)( tgtgtdPtrcv s=

Now from having used a very special kind of sequence, we say that correlatation of g(t)

with itself (only when perfectly aligned) is a certain scalar number which can beremoved, and we get the original signal back.

)(2)( tdPtrcv s=

( ) 2 ( ) ( )(1 cos(4 ))s c

rcv t P d t g t f t =

Page 3 / 18


28/46

CDMA Tutorial


4

In CDMA we do modulation twice. First with a binary sequence g(t), the properties of

which we will discuss below and then by a carrier. The binary sequence modulationahead of the carrier modulation accomplishes two functions, 1. It spread the signal and 2.

It introduces a form of encryption because the same sequence is needed at the receiver to

demodulate the signal.

In IS-95 and CDMA 2000 we do this three times, once with a code called Walsh, then

with a code called Short Code and then with one called Long code.

Properties of spreading codes

Multiplication with the code sequence which is of a higher bit rate, results in a much

wider spectrum. The ratio of the code rate to the information bit rate is called both the

spreading factorand the processing gainof the CDMA system. In IS-95, the chipping

rate is 1.2288 and the spreading factor is 64. Processing gain is usually given in dBs.

To distinguish the information bit rate from the code rate, we call the code rate, chipping

rate. In effect, we take each data bit and convert it into k chips, which is the codesequence. We call it the chipping rate because the code sequence applied to each bit is as

you can imagine it chipping the original bit into many smaller bits.

For CDMA spreading code, we need a random sequence that passes certain quality

criterion for randomness. These criterion are

1. The number of runs of 0s and 1s is equal. We want equal number of two 0s and1s, a length of three 0s and 1s and four 0s and 1s etc. This property gives us aperfectly random sequence.

2. There are equal number of runs of 0s and 1s. This ensures that the sequence isbalanced.

3. The periodic autocorrelation function (ACF) is nearly two valued with peaks at 0shift and is zero elsewhere. This allows us to encrypt the signal effectively and

using the ACF peak to demodulate quicklt.

Binary sequences that can meet these properties are called optimal binary sequences, or

pseudo-random sequences. There are many classes of sequences that mostly meet these

requirements, with m-sequences the only ones that meet all three requirements strictly.These sequences can be created using a shift-registers with feedback-taps. By using a

single shift-register, maximum length sequences can be created and called often by

their shorter name of m-sequence, where m stands for maximum.

m-sequences and the Linear Feed Shift-Register

Page 4 / 18


29/46

CDMA Tutorial


5

1 2 3

3 stage LFSR generating m-sequence of period 7., using taps 1 and 3.

1 2 3

Another 3 stage LFSR generating m-sequence of period 7, using taps 2 and 3

Figure 6 The structure of linear feedback registers (LFSR) from which m-sequences

can be created

msequences are created using linear feedback registers (LFSR). Figure 6 shows a

three register LFSR with two different tap connection arrangements. The tap connections

are based on primitive polynomials on the order of the number of registers and unless thepolynomial is irreducible, the sequence will not be a m-sequence and will not have the

desired properties.

Each configuration of N registers produces one sequence of length 2N

. If taps are

changed, a new sequence is produced of the same length. There are only a limitednumber of m-sequences of a particular size.

The cross correlation between an m-sequences and noise is low which is very useful in

filtering out noise at the receiver. The cross correlation between any two different m-

sequences is also low and is useful in providing both encryption and spreading. The lowamount of cross-correlation is used by the receiver to discriminate among user signals

generated by different m-sequences.

Think of m-sequence as a code applied to each message. Each letter (bit) of the message

is changed by the code sequence. The spreading quality of the sequence is an added

dimensionality and benefit in CDMA systems.

Gold sequences

Combining two m-sequences creates Gold codes. These codes are used in asynchronousCDMA systems.

Page 5 / 18


30/46

CDMA Tutorial


6

Gold sequences are an important class of sequences that allow construction of long

sequences with three valued Auto Correlation Function ACFs. Gold sequences areconstructed from pairs of preferred m-sequences by modulo-2 addition of two maximal

sequences of the same length.

Goldsequences are in useful in non-orthogonal CDMA. (CDMA 2000 is mostly anorthogonal CDMA system) Gold sequences have only three cross-correlation peaks,which tend to get less important as the length of the code increases. They also have a

single auto-correlation peak at zero, just like ordinary PN sequences.

The use of Gold sequences permits the transmission to be asynchronous. The receiver cansynchronize using the auto-correlation property of the Gold sequence.

.

1 2 3

1 2 3

EX-OR

Figure 7 Generating Gold codes by combining two preferred pairs of m-sequences

More codes

IS-95 and IS-2000 use two particular codes that are really m-sequences but have special

names and uses. These are called long codesand short codes.

Long code

The Long Codes are 242

bits (created from a LFSR of 42 registers) long and run at 1.2288

Mb/s. The time it takes to recycle this length of code at this speed is 41.2 days. It is used

to both spread the signal and to encrypt it. A cyclically shifted version of the long code isgenerated by the cell phone during call setup. The shift is called the Long Code Mask

and is unique to each phone call. CDMA networks have a security protocol called CAVE

that requires a 64-bit authentication key, called A-key and the unique ESN (ElectronicSerial Number, assigned to mobile based on the phone number). The network uses both

of these to create a random number that is then used to create a mask for the long codeused to encrypt and spread each phone call. This number, the long code mask is not fixed

but changes each time a connection is created.

Page 6 / 18


31/46

CDMA Tutorial


7

There is a Public long code and a Private long code. The Public long code is used by themobile to communicate with the base during the call setup phase. The private long code

is one generated for each call then abandoned after the call is completed.

Short code

The short code used in CDMA system is based on a m-sequence (created from a LFSR of

15 registers) of length 215

1 = 32,767 codes. These codes are used for synchronization in

the forward and reverse links and for cell/base station identification in the forward link

The short code repeats every 26.666 milliseconds. The sequences repeat exactly 75 times

in every 2 seconds. We want this sequence to be fairly short because during call setup,the mobile is looking for a short code and needs to be able find it fairly quickly. Two

seconds is the maximum time that a mobile will need to find a base station, if one is

present because in 2 seconds the mobile has checked each of the allowed base stations inits database against the network signal it is receiving.

Each base station is assigned one of these codes. Since short code is only one sequence,

how do we assign it to all the stations? We cyclically shift it. Each station gets the samesequence but it is shifted.

From properties of the m-sequences, the shifted version of a m-sequences has a verysmall cross correlation and so each shifted code is an independent code. For CDMA this

shift is 512 chips for each adjacent station. Different cells and cell sectors all use the

same short code, but use different phases or shifts, which is how the mobiledifferentiates one base station from another. The phase shift is known as the PN Offset.

The moment when the Short code wraps around and begins again is called a PNRoll.If I call the word please a short code, then I can assign, leasep to one user, easeplto another and so on. The shift by one letter would be my PN Offset. So if I say your ID

is 3, then you would use the code aseple.

A mobile is assigned a short code PN offset by the base station to which it is transmitting.The mobile adds the short code at the specified PN offset to its traffic message, so that

the base station in the region knows that the particular message is meant for it and not to

the adjacent base station. This is essentially the way the primary base station is identifiedin a phone call. The base station maintains a list of nearby base stations and during

handoff, the mobile is notified of the change in the short code.

There are actually two short codes per base station. One for each I and Q channels to beused in the quadrature spreading and despreading of CDMA signals.

Walsh codes

In addition to the above two codes, another special code, called Walsh is also used in

CDMA. Walsh codes do not have the properties of m-sequences regarding cross

correlation.. IS-95 uses 64 Walsh codes and these allow the creation of 64 channels from

Page 7 / 18


32/46

CDMA Tutorial


8

the base station. In other words, a base station can talk to a maximum of 64 (this number

is actually only 54 because some codes are used for pilot and synch channels) mobiles atthe same time. CDMA 2000 used 256 of these codes.

Walsh codes are created out of Haddamardmatrices and Transform. Haddamard is the

matrix type from which Walsh created these codes. Walsh codes have just oneoutstanding quality. In a family of Walsh codes, all codes are orthogonal to each other

and are used to create channelization within the 1.25 MHz band.

Here are first four Hadamard matrices. The code length is the size of the matrix. Each

row is one Walsh code of size N. The first matrix gives us two codes; 00, 01. The second

matrix gives: 0000, 0101, 0011, 0110 and so on.

=

10

001H

=

0110

1100

1010

0000

2H

=

10010110

00111100

01011010

11110000

01100110

1100110010101010

00000000

3H

In general each higher level of Hadamard matrix is generated from the previous by the

Hadamard transform

=+

NN

NN

NHH

HHH 1

Where NH is the inverse of NH .

Page 8 / 18


33/46

CDMA Tutorial


9

Their main purpose of Walsh codes in CDMA is to provide orthogonality among all the

users in a cell. Each user traffic channel is assigned a different Walsh code by the basestation. IS-95 has capability to use 64 codes, whereas CDMA 2000 can use up to 256

such codes. Walsh code 0 (which is itself all 0s) is reserved for pilot channels, 1 to 7 for

synch and paging channels and rest for traffic channels. They are also used to create an

orthogonal modulation on the forward link and are used for modulation and spreading onthe reverse channel.

Orthogonal means that cross correlation between Walsh codes is zero when aligned.However, the auto-correlation of Walsh-Hadamard codewords does not have good

characteristics. It can have more than one peak and this makes it difficult for the receiver

to detect the beginning of the codeword without an external synchronization. The partialsequence cross correlation can also be non-zero and un-synchronized users can interfere

with each other particularly as the multipath environment will differentially delay the

sequences. This is why Walsh-Hadamard codes are only used in synchronous CDMA and

only by the base station which can maintain orthogonality between signals for its users.

User 1

Walsh

code No.

WS 1 Mask 1 BS 1 SC

Long

code

Short

code

User 2

WS 2 Mask 2 BS 1 SC

User 3

WS 3 Mask 3 BS 1 SC

User 1

Walsh

code No.

WS 1Mask 1BS2 SC

Long

code

Short

code

User 2

WS 2Mask 2BS 1 SC

User 3

WS 3Mask 3BS 3 SC

Base

Station 1

Base Station

2

Base Station

3

Channel with

distortions

Channel with

distortions

Figure 8 Relationship codes used in CDMA

The above is simplified look at the use of these codes. Assume there are three users in

one cell. Each is trying to talk to someone else. User 1 wants to talk to someone who is

outside its cell and is in cell 2. User 3 wants to talk to someone in cell 3.

Lets take User 1. Its data is first covered by a channel Wash code, which is any Walsh

code from 8 to 63. It is assigned to the user by the base station 1 in whose cell the mobile

is located. The Base Station has also assigned different Walsh codes to users 2 and 3. Allthree of these are different are assigned by base station 1 and are orthogonal to eachother. This keeps the data apart at the base station. Now based on the random number

assigned by the BS, the mobile generates a long code mask (which is just the starting

point of the long code sequence and is a scalar number). It now multiplies the signal by

Page 9 / 18


34/46

CDMA Tutorial


10

this long code starting at the mask ID. Now it multiplies it by the short code of the base

station to whom it is directing the signal.

When the base station receives this signal, it can read the long code and see that the

message needs to be routed to base station 2. So it strips off 1st short code and adds on

the short code of base station 2 which is then broadcast by the BS 1 to BS 2 or sent bylandlines. BS2 then broadcasts this signal along to all mobiles in its cell. The users who is

located in this cell, now does the reverse. It multiplies the signal by the BS 2 short code

(it knows nothing about BS 1 where the message generated) then it multiplies the signalby the same long code as the generating mobile. How? During the call paging, the mobile

was given the same random number from which it creates the same long code mask.

After that it multiplies it by the Walsh code sequence (also relayed during call setup).

So thats about it with some additional bells and whistles, which we shall get to shortly.

Channel waveform properties

The communications between the mobile and the base station takes place using specific

channels. Figure below shows the architecture of these channels.

The forward channel (from base station to mobile) is made up of the following channels:

Pilot channel (always uses Walsh code W0) (Beacon Signals)Paging channel(s) (use Walsh codes W1-W7)

Sync channel (always uses Walsh code W32)

Traffic channels (use Walsh codes W8-W31 and W33-W63)

The reverse channel (from mobile to base station) is made up of the following channels:

Access channelTraffic channel

Figure 9 Forward channel

Forward Channel description

Page 10 / 18


35/46

CDMA Tutorial


11

A base station can communicate on up to 64 channels. It has one pilot signal, one synch

channel and 8 paging channels. The remaining are used for traffic with individualmobiles.

Walsh 0

Long

Code

1 to 64

DecimatorPaging channel

mask

Convolutional

Encoder

r = 1/2

Symbol

Repetition

Interleaver

Walsh 32

All 0'sPilot Channel

Synch data

at 1.2 kb/s

Sync Channel

4.8 kb/s

Convolutional

Encoderr = 1/2

Symbol

Repetition

Interleaver

Walsh 1-7

Paginga mobile

Paging Channel

19.2 kb/s

LongCode

1 to 64Decimator

Traffic Channelmask

Convolutional

Encoder

r = 1/2

Symbol

Repetition

InterleaverData

mobile

PowerControl Bits

MUX

Walsh x

Base Station

Short Code forI channel

Base Station

Short Code forQ channel

LPF

LPF

Cos(t)

Sin(

t)

Traffic Channel

I

Q

Figure 10 Forward channel is the transmission of all traffic from the base station within

its cell. All data is sent simultaneously.

Page 11 / 18


36/46

CDMA Tutorial


12

Pilot Channel

Lets start with how the base station establishes contact with the mobiles within its cell. It

is continually transmitting an all zero signal, which is covered by a Walsh code 0, a all

0s code. So what we have here is a one very long bit of all zeros. For this reason, thepilot channel has very good SNR making it easy for mobiles to find it. This all zero signal

is then multiplied by the base stations short code, which if you recall is the same short

code that all base station use, but each with different PN offset. Pilot PN Offsets arealways assigned to stations in multiples of 64 chips, giving a total of 512 possible

assignments. The 9-bit number that identifies the pilot phase assignment is called the

Pilot Offset.

This signal is real so it only goes out on the I channel, and is up-converted to the carrier

frequency which in the US is 845 MHz.

On the receive side, the mobile picks up this signal and notes the base station that istransmitting it. Here is a question, if the short code is cyclical, how does the receiver

know what the phase offset is. Do not all the signals from all the other nearby basestations look the same? Yes, and the mobile at this point does not know which base

station it is talking to, only that it has found the network. To determine of all the possible

base station and there can 256 of them, each using a 512 chip shifted short code, thenetwork uses the GPS signal and timing.

The zero offset base station aligns its pilot transmission with every even second time tickof GPS. So lets say that your mobile is in the cell belonging to a base station with PN

offset ID of 10. That means that is will start its transmission 10 x 512 chip = 5120 chipsafter every even second time tick. So when the mobile wakes up and looks at it time, it

knows exactly where each base station short code should be. Then all it has to do is to do

a correlation of the bits it is seeing with each of the 256 possible sequences. Of course, it

tries the base station where it was last but if it has been moved then theoretical it willhave to go through all 256 correlations to figure out where it is. But it does do it and at

the end of the process, it knows exactly which of the base stations it is hearing.

100101110 100101110 100101110 100101110 100101110 100101110

100101110 100101110 100101110 100101110 100101110 100101110

100101110 100101110 100101110 100101110 100101110 100101110

100101110100101110 100101110 100101110 100101110 100101110

100101110 100101110 100101110 100101110 100101110 100101110

100101110100101110 100101110 100101110 100101110 100101110

Page 12 / 18


37/46

CDMA Tutorial


13

Figure 11 The mobile looks for the code that aligns with GPS timing. It picks off the

code received at this time, does a correlation with stored data and knows which basestation it has found.

Synch Channel

The Synch channel information includes the pilot offset of the pilot the mobile has

acquired. This information allows the mobile to know where to search for the pilots in the

neighbor list. It also includes system time, the time of day, based on Global PositioningSatellite (GPS) time. The system time is used to synchronize system functions. For

instance, the PN generators on the reverse link use zero offset relative to the even

numbered seconds in GPS time. However, the mobiles only know system time at the basestations plus an uncertainty due to the propagation delay from its base station to the

mobile's location. The state of the long code generator at system time is also sent to the

mobile in the Synchronization message. This allows the mobile to initialize and run its

long code generator very closely in time synchronism with the long code generators in

the base stations. The Synchronization message also notifies the mobile of the pagingchannel data rate, which may be either 4800 or 9600 bits/sec. The data rate of this

channel is always 1200 bps.

Paging Channel

Now the mobile flashes the name of the network on its screen and is ready to receive and

make calls. Your paging channel may now be full of data. It may include a ring tone or a

voicemail received message. The data on the paging channel sent by the base station,includes mobileElectronic Serial Identification Number (ESIN), and is covered by a

long code. How does the mobile figure out what this long code is? At the paging level,the system uses a public long code. This is because it is not talking to a specific mobile, it

is paging and needs to reach all mobiles. When the correct mobile responds, a new

private long code will be assigned at that time before the call will be connected. The

mobile while scanning the paging channel recognizes its phone number and responds byringing. When you pick up the call, an access message goes back to the base station.

The mobile using Qualcomm CDMA generatse a 18-bit code. The mobile sends thisauthentication sequence to the base station during the sync part of the messaging

protocol. The base station checks the authentication code before allowing call setup. It

then issues a random number to the mobile, which the mobile uses in the CAVEalgorithm to generate a call specific long code mask. At the same time, the base station,

will also do exactly that. The two now have the same long code with which to cover the

messages.

Traffic Channel

The base station can transmit traffic data to as many as 54 mobiles at the same time. Itkeeps these channel separate by using Walsh codes. This is a code division multiplexing

rather than a frequency based channelization. Walsh codes are used only by the base

Page 13 / 18


38/46

CDMA Tutorial


14

station and in this fashion, it is a synchronous CDMAon the forward link, whereas on

the return link it is asynchronous CDMA, because there is no attempted separationbetween the various users. But the use of m-sequences for spreading, the quality of

orthogonality although not perfect is very very good.

The traffic channel construct starts with baseband data at 4.8 kbps. It is thenconvolutionally encoded at rate of , so the data rate now doubles to 9.6 kbps. Symbol

repetition is used to get the data rate up to 19.2 kbps. All information rates are sub-

multiples of this rate. Data is then interleaved. The interleaving does not change the datarate, only that the bits are reordered to provide protection against burst errors. Now at

this point, we multiply the resulting data sequences with the long code, which starts at the

point determined by the private random number generated by both the base station andthe mobile jointly. This start point is call-based and changes every time. Mobiles do not

have a fixed long code assigned to them. Reverse CDMA Channel can have up to 242

-1

logical channels or the total number of calls that can be served are 17179869184.

Now the data is multiplied by a specific Walsh codes which is the nth call that the basestation is involved in. Mobile already knows this number from the paging channel.

The base station then combines all its traffic channels (each covered by a different Walsh

code) and all paging channels (just 8) and the one pilot channel and one synch channel

adds them up, does serial to parallel conversion to I and Q channels. Each is then coveredby a I and a Q short code and is QPSK modulated up to carrier frequencies and then

transmitted in the cell.

Reverse Channels

In IS-95, there are just two channels on which the mobile transmits, and even that never

simultaneously. It is either on the access channel or it is transmitting traffic. The channel

structure is similar but simpler to the forward channel, with the addition of 64-ary

modulation.

Page 14 / 18


39/46

CDMA Tutorial


15

Convolutional

Encoder

r = 1/3

Symbol

Repetition

InterleaverData

mobile

64-ary

Modulation

Traffic Channel

Burst

randomizer

Convolutional

Encoder

r = 1/3

Symbol

Repetition

Interleaver64-ary

Modulation

Access Channel

A

T

Long Code Traffic Mask

From Base Station

Access Channel

Traffic Channel

Long Code

Generator Base Station

Short Code for

Q channel

LPF

LPF

Sin(t)

I

QHalf

Sym

delay

Cos(t)

Base Station

Short Code for

I channel

Access Channel

Traffic Channel

Figure 12 Reverse Channel - from mobile to base station communication

64-ary modulation

This block takes a group of six incoming bits (which makes 26= 64 different bit

sequences of 6 bits) and assigns a particular Walsh code to each. We know that each

Walsh code sequence is orthogonal to all the others so in this way, a form of spreadinghas been forced on the arbitrarily created symbols of 6 bits. And this spreading also

forces the symbols to be orthogonal. It is not really a modulation but is more of a

spreading function because we still have not up converted this signal to the carrier

frequency. After this, a randomization function is employed to make sure we do not gettoo many 0s or 1s in a row. This is because certain Walsh codes have a lot of

consecutive 0s.

Next comes multiplication with the long code starting at a particular private start point.

Then comes serial to parallel conversion, and application of baseband filtering which can

be a Gaussian or a root cosine shaping.

Then the Q channel (or I, it makes no difference) is delayed by half a symbol, as shown

below. The reason this is done is to turn this into an offset QPSK modulated signal. The

Page 15 / 18


40/46

CDMA Tutorial


16

offset modulated signal has a lower non-linearity susceptibility and is better suitable to

being transmitted by a class C amplifier such as may be used in a CDMA cell phone.

From there, each I and Q channel is multiplied by the rf carrier, (a sine and a cosine of

frequency fc) and off the signal goes to the base station.

On the demodulation side, the most notable item is the Rake receiver. Due to the

presence of multipath, Rake receivers which allow maximal combining of delayed and

attenuated signal, make the whole thing work within reasonable power requirements.Without Rake receivers, your cell phone would not be as small as it is.

Power control

Assume that there is only one user of the system. The carrier power

C = SNR = Eb/Tb= R Eb

If we define the transmit power equal to W and signal bandwidth equal to B, then the

Interference power at the receiver is equal to

I = W N0

Now we can write

0

0

/

/

b bR E E NC

I W N W R= =

The quantity W/R is the processing gain of the system. Now lets call M the number ofusers in this system. The total interference power is equal to

( 1)I C M=

Substituting this in the above equation, we get,

1

( 1) 1

C C

I C M M= =

and with one more substitution we get

0

0

/ 1

/ 1

11

/

b

b

E NC

I W R M

WM M

R E N

= =

=

Page 16 / 18


41/46

CDMA Tutorial


17

So we conclude that the system capacity is a direct function of the processing gain for a

given Eb/N0. What you may not have noticed is that we made an assumption that allusers have similar power level so the interferences are additive. No one user overwhelms

all the others. If the power levels of all users are not equal then the system capacity is

compromised and the C/I expression above is not valid.

The CDMA systems manage the power levels of all mobiles so that the power level of

each mobile is below a certain required level and is about the same whether the mobile is

very close to the base station or far at the edge of the cell. Multipath and fading alsoattenuate power levels so the system maintains a power control loop.

IS-95 has a open-loop and a closed loop power management system. The open loop is aquicker way to manage power levels. The forward and reverse links are at different

frequencies so they fade differently and open loop power control allows the mobile to

adjust its power without consulting with the base station. In closed loop power control the

base station measures the power level of the access channel signal sent by the mobile and

then commands with 1 in the synch channel if the power needs to be raised and with 0 ifit is to be reduced by 1 dB at a time. The closed loop power control also uses an outer

loop power control. This method measures the Frame Error Rate (FER)both by themobile and the base station and then adjusts the power according to whether the FER is

acceptable.

CDMA 2000

This is an evolution and extension of capabilities and builds on the IS-95 standard. One

of the big ways in which CDMA 2000 differs from IS-95 is that it includes beamforming. Each base station cell is now divided in three sectors such that frequency is

reused. This increases the gain at the mobile and allows better SNR and a larger number

of users. The other significant way that IS-2000 differs from IS-95 is that it allows

additional forward and reverse channels. Some of these channels are the same as IS-95and others are new. Spreading codes are also changed to allow larger data rates. The 1.25

MHz channel with the 1.2288 mbps spreading rate called 1X can now be 3X 93 x 1.2288

mbs) or 5X (5 x 1.2288 mbps)

Page 17 / 18


42/46

CDMA 1xRTT Security OverView August, 2002

Q U A L C O M M I N C O R P O R A T E D 3

2. Secur ity CDMA NetworksThe security protocols with CDMA-IS-41 networks are among the best in the industry. By

design, CDMA technology makes eavesdropping very difficult, whether intentional or accidental.

Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence called Long

Code to scramble voice and data. On the forward link (network to mobile), data is scrambled at a

rate of 19.2 Kilo symbols per second (Ksps) and on the reverse link, data is scrambled at a rate of

1.2288 Mega chips per second (Mcps).

CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the

Electronic Serial Number (ESN) of the mobile. A random binary number called RANDSSD,

which is generated in the HLR/AC, also plays a role in the authentication procedures. The A-Key

is programmed into the mobile and is stored in the Authentication Center (AC) of the network. In

addition to authentication, the A-Key is used to generate the sub-keys for voice privacy and

message encryption.

CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption)

algorithm to generate a 128-bit sub-key called the Shared Secret Data (SSD). The A-Key, the

ESN and the network-supplied RANDSSD are the inputs to the CAVE that generates SSD. The

SSD has two parts: SSD_A (64 bit), for creating authentication signatures and SSD_B (64 bit), for

generating keys to encrypt voice and signaling messages. The SSD can be shared with roaming

service providers to allow local authentication. A fresh SSD can be generated when a mobilereturns to the home network or roams to a different system.

2.1. Authentication

In CDMA networks, the mobile uses the SSD_A and the broadcast RAND *as inputs to the

CAVE algorithm to generate an 18-bit authentication signature (AUTH_SIGNATURE), and sends

it to the base station. This signature is then used by the base station to verify that the subscriber is

legitimate. Both Global Challenge (where all mobiles are challenged with same random number)

and Unique Challenge (where a specific RAND is used for each requesting mobile) procedures are

available to the operators for authentication. The Global Challenge method allows very rapid

authentication. Also, both the mobile and the network track the Call History Count (a 6-bit

counter). This provides a way to detect cloning, as the operator gets alerted if there is a mismatch.

* Broadcast RAND, generated in the MSC, should not be confused with the RANDSSD from the HLR*


43/46



The A-Key is re-programmable, but both the mobile and the network Authentication Center

must be updated. A-Keys may be programmed by one of the following: a) The factory b). The

dealer at the point of sale c) Subscribers via telephone d) OTASP (over the air service

provisioning). OTASP transactions utilize a 512-bit Diffie-Hellman key agreement algorithm,

making them well suited for this function. The A-Key in the mobile can be changed via OTASP,

providing an easy way to quickly cut off service to a cloned mobile or initiate new services to a

legitimate subscriber. Security of the A-Key is the most important component of CDMA system.

2.2. Voice, Signaling, and Data PrivacyThe mobile uses the SSD_B and the CAVE algorithm to generate a Private Long Code Mask

(derived from an intermediate value called Voice Privacy Mask, which was used in legacy TDMA

systems), a Cellular Message Encryption Algorithm (CMEA) key (64 bits), and a Data Key (32

bits). The Private Long Code Mask is utilized in both the mobile and the network to change the

characteristics of a Long code. This modified Long code is used for voice scrambling, which adds

an extra level of privacy over the CDMA air interface. The Private Long Code Mask doesnt

encrypt information, it simply replaces the well-known value used in the encoding of a CDMA

signal with a private value known only to both the mobile and the network. It is therefore

extremely difficult to eavesdrop on conversations without knowing the Private Long Code Mask.

Additionally, the mobile and the network use the CMEA key with the Enhanced CMEA (E-

CMEA) algorithm to encrypt signaling messages sent over the air and to decrypt the information

received. A separate data key, and an encryption algorithm called ORYX, are used by the mobile

and the network to encrypt and decrypt data traffic on the CDMA channels. Figure 3 illustrates

the CDMA authentication and encryption mechanism.

FIGURE 3:


44/46



By design, all CDMA phones use a unique PN (Pseudo-random Noise) code for spreading the

signal, which makes it difficult for the signal to be intercepted.

2.3. AnonymityCDMA systems support the assignment of a Temporary Mobile Station Identifier (TMSI) to a

mobile to represent communications to and from a certain mobile in over the air transmissions.

This feature makes it more difficult to correlate a mobile users transmission to a mobile user.


45/46



3. 3g CDMA 2000 Security

Third Generation technologies add more security protocols, including the use of 128-bit

privacy and authentication keys. For CDMA2000 networks, new algorithms such as Secure

Hashing Algorithm-1 (SHA-1) are being used for hashing and integrity, and the Advanced

Encryption Standard, AES (Rijndael) algorithm for message encryption. The AKA

(Authentication and Key Agreement) protocol will be used for all releases following CDMA2000

Release C. The AKA protocol will also be used in WCDMA-MAP networks, along with the

Kasumi algorithm for encryption and message integrity.


46/46


Appendix : Glossary

AC (AuC) Authentication Center

AES Advanced Encryption Standard

AKA Authentication and Key Agreement

CAVE Cellular Authentication and Voice Encryption

CDMA Code Division Multiple Access

CMEA Cellular Message Encryption Algorithm

ESN Electronic Serial Number

HLR Home Location Register

IDC International Data Corporation

IS Interim Standard

MAP Mobile Applications Part

MSC Mobile Switching Center

OTASP Over The Air Service Provisioning

RAND RANDom challenge

SHA-1 Secure Hash Algorithm -1

SSD Shared Secret Data

TDMA Time Division Multiple Access

TMSI Temporary Mobile Station Identifier

CDMA Works

Documents