Secure End-to-End Communication over GSM and
PSTN Networks
Saad Islam, Fatima Ajmal, Salman Ali, Jawad Zahid and Adnan Rashdi
College of Signals
National University of Sciences and Technology, Pakistan
saadislam, fatima, salmanali, adnanrashdi@ieee.org
Abstract—GSM (Global System for Mobiles) is the most widely
spread mobile communication system in the world. An important
objective in mobile communication systems is secure speech
communication. GSM suffers from various security weaknesses.
The GSM voice traffic is secure outside the core network but it
has no security over the core network. This system can be made
thoroughly secure by encrypting the speech which is to be
transmitted on the GSM voice channel. In this paper we have
demonstrated a real-time prototype of an end-to-end secure
communication system developed in MATLAB Simulink. Our
technique comprises of encryption of the speech before entering
the GSM handset which adds security and confidentiality to our
communication. The encryption algorithm is private to the
communicating GSM subscribers and even the service providing
company will not judge what was said. This is amazing because
now the GSM channel will become exclusively concealed and
confidential to the two subscribers so that even the company
people cannot listen to them.
Keywords-GSM, security, Simulink, QAM
I.INTRODUCTION
With the advent of wireless communication technology,
mobile communication has become more convenient than ever.
However, because of the openness of wireless communication,
how to prevent the privacy between the communicating parties
is becoming a very important issue. Due to the fact that unlike
a fixed phone, which offers some level of physical security (i.e.
physical access is needed to the phone line for listening in),
with a radio link, anyone with a receiver is able to passively
monitor the airwaves [1]. Security is a major issue in
communication systems. By secure communication we mean
“A condition that results from the establishment and
maintenance of protective measures that ensures a state of
inviolability from hostile acts or influences”. Jammers, hackers
and intruders are an importunate threat to the privacy of a
communication system.
Although the security architecture of GSM is intended to
prevent unauthorized network access, disallow subscriber
impersonation, protect confidentiality, and provide privacy [2].
The biggest drawback of GSM system is that the GSM voice
channel between the two communicating parties doesn’t
provide traffic confidentiality. GSM tried to harden the
interception by using several techniques such as frequency
978-1-4244-3355-1/09/$25.00©2009 IEEE
hopping; the real-time interception of the exchanged
information is completely practical. While GSM was
anticipated to be a secure wireless system and considered the
user authentication and over-the-air encryption, it is completely
vulnerable to several attacks. The conversation of the GSM
subscribers is susceptible to security attacks like replay attack,
interleaving attack and man-in-the-middle attack [3].
This paper outlines the provision of encrypted
communication over second generation mobile networks and
the landline connections. The requirements of users for such
encryption, and mechanisms to provide it are considered. An
entirely new approach to encryption has been proposed. Use of
stream ciphers is the most commonly used technique in mobile
communication, which requires the voice data to be in binary
form [4]. The technique presented in this paper is unique as it
provides encryption directly on symbols without going on to
the bit level. This technique is much simpler than other GSM
ciphering techniques and thus a more robust and efficient
system is achieved.
We have used Simulink as the simulation tool for
implementing our system. Simulink is a software package that
enables modeling, simulation, and analysis of a wide range of
real time systems [5]. Simulink provides an environment where
the physical system can be modeled as a block diagram. For
modeling, Simulink provides a graphical user interface (GUI)
for building models using click-and-drag mouse operation and
keyboard for editing block parameters. Simulating a dynamic
system is a two-step process with Simulink i.e. creation of a
block diagram and the command to Simulink to simulate the
system represented by the model from a specified start time to
a specified stop time. Simulations are interactive, so parameters
can be changed on the fly results viewed right away [6]. Real-
time execution was the essential attraction in using Simulink.
Following sections discuss the proposed scheme in detail.
Section II describes our proposed encryption technique;
Section III describes the hardware platform which we have
utilized for testing our technique, introduction and evaluation
of the simulation tool used for development of our algorithm is
given in Section IV. Finally Section V and VI close the paper
with comments on our success in achieving security for both
mobile and fixed-line communication.
323
 II.PROPOSED ENCRYPTION TECHNIQUE
The most taxing part of our work was to develop an
encryption algorithm fulfilling the above mentioned criteria.
Our basic goal was to randomize the speech so that it becomes
un-understandable. The speech input we get from the
microphone is 8-bit quantized i.e. it has 256 levels. Our
encryption block first modulates the quantized speech with
Binary-Coded QAM modulation and then demodulates this
modulated speech via a user-defined QAM scheme. This
modulation-demodulation resulted in an extremely random
signal still possessing a speech-like waveform. This algorithm
changes the mapping of symbols as a result the level of all the
symbols is changed and the resulting speech signal is
encrypted. Fig.1 depicts the subsystem of our encryption
algorithm.

Figure 2 (b) 16-QAM User-Defined Scheme

Figure 1. Subsystem Implementing Encryption
For simplicity let’s say the speech signal has 16
quantization levels. Our technique will encrypt this speech by a
16-QAM Binary-Coded modulator along with a User-Defined
QAM demodulator.
This will change the levels of all the samples of the input
speech depending upon the user defined scheme. The user
defined scheme determines how the quantization levels will be
changed and mapped to other levels. To incorporate maximum
difference between the original and the encrypted level of the
sample, Level 0 should be mapped to Level 8, 1 to 9, 2 to 10
and so on as shown in Fig.2.
Function block parameters of Rectangular QAM
Demodulator (User-Defined) are shown in Fig. 3. The
constellation mapping is defined as a vector [128:255 0:127]
which shows our User-Defined modulation scheme for 256-
QAM system.

Figure 2 (a) 16-QAM Binary-Coded Scheme

Figure 3 Function block parameters of Rectangular QAM Demodulator

324

III.HARDWARE PLATFORM
Our hardware platform comprised of two Personal
Computers, each consisting of two Sound playback and
Recording Devices, SoundMAX Digital Audio and Creative
Sound Blaster PCI. Each PC was connected to headphones and
a GSM handset (NOKIA 1100) as shown in Fig.4.
IV.SIMULATION ENVIRONMENT
As discussed above MATLAB 7.4.0.287 (R2007a)
Simulink 6.6 was used for real-time simulation of the desired
secure communication system. We developed a model
incorporating security for full-duplex communication i.e.
model for a transceiver. The same model in Fig.7 was used at
both the terminals executing encryption and decryption on
transmit and receive paths respectively.

Figure 4. Hardware platform for Real-time experimentation

We established interface between the GSM mobile station

and the PC via hands free cable of the GSM handset. This Simulink has various libraries of blocks pertaining to
interfacing was achieved by modifying the hands free cable Figure 7. Simulink Model at Transmit and Receive Terminals
such that the microphone and speaker of the cable were
specific tasks or operations performed by those blocks. In our
replaced by the audio
model we used the ‘From Wave Device’ and ‘To Wave
mic-speaker pins. The
Device’ blocks from the Signal Processing Blockset [7]. The
modification was made
‘From Wave Device’ block reads audio data samples from a
in such a way that the
standard Windows audio device in real time while the ‘To
GSM handset can
Wave Device’ block writes data samples to a standard
communicate with the
Windows audio device in real time. The Encryption algorithm
PC via the sound card.
block encrypts the speech coming from the microphone and
Fig.5 shows the modified
sends it to the GSM device for transmission. Conversely the
hands free cable.
Decryption algorithm block does the decryption of the received
speech from the GSM device and sends it to the headphones.
Figure 5. Hands free Cable for
interfacing PC with GSM handset A major consideration while designing the encryption block
was that this process must be reversible. An irreversible cipher
would destroy the information forever and its retrieval will be
The interface was configured such that the speaker pin of impossible. Thus we aimed to devise such a technique that
the handset is connected to the microphone port of the sound enables the receiver terminal to extract the original information
card and the microphone pin of the handset to the speaker port back which is concealed by the transmitting terminal. As we
of the sound card. Moreover, headphones were connected are applying our encryption algorithm on the voice signal
enabling the speech input and output to and from the subscriber before it enters into the microphone of the GSM handset, it was
at each end. necessary that our encrypted signal must be speech-like. So,
our proposed algorithm tackles this issue.
For PSTN connection a cable was developed in the same
manner as the hands free cable by modification of the PSTN
cable as shown in Fig.6. In this case the cradle of the PSTN
telephone set served the purpose of headphones for audio
input/output. The same cable was used for connecting the PC
with:
a. Cradle
b. Telephone set

Figure 6. PSTN Cable

325
 V.RESULTS
Results and comparison of original versus encrypted speech
signal with 16 quantization levels is presented in this section.
(a) Unencrypted Speech Waveform
(b) Encrypted Waveform (Speech-like)
It is clear from the above figures that the encrypted
Figure 8. Comparison of Speech Waveforms before and after
Encryption
waveform differs drastically from the original unencrypted
speech. Originally we had to use a 256-QAM modulator as the
microphone quantizes the speech signal to 256 levels. Here,
following a similar approach mapping to introduce maximum
difference was achieved by exchanging Level 0 with Level 128
and so on.
The beauty of this innovative algorithm is that it completely
distorts the human speech after encryption yet the decryption
block successfully recovers the original signal back. When we
listened to the encrypted speech it was totally meaningless and
incomprehensible. This perplexing waveform was to be
transmitted on the channel and when heard at the receiving
terminal without employing decryption it conveyed nothing. As
a result we were successful in realizing a secure and protected
GSM channel.
VI.CONCLUSION
In this paper a novel mechanism is proposed for secure
communication over GSM as well as PSTN networks. A new
encryption technique is devised to provide surefire security.
The technique is implemented in Real-time in Simulink
enabling two standard GSM mobile phones communicate in
full-duplex mode while maintaining end-to-end security. This
encryption technique has demonstrated excellent results on
GSM-GSM, PSTN-PSTN as well as GSM-PSTN calls. The
proposed idea ensures confidentiality and the GSM channel is
made secure and private to the communicating parties. In this
way all kinds of man-in-the-middle attacks are made totally
impossible.
REFERENCES
[1] “Security in the GSM System” By Jeremy Quirke
[2] Mohsen Tooran and Ali Asghar Beheshti Shirazi, “Solutions to the GSM
Security Weaknesses” The Second International Conference on Next
Generation Mobile Applications, Services, and Technologies
[3] C. Lo and Y. Chen, “Secure communication mechanisms for GSM
networks,” IEEE Transactions on Consumer Electronics, Vol. 45, No. 4,
pp. 1074-1079, November 1999.
[4] David G. W. Birch and Ian J. Shaw, “Mobile communications security-
private or public”, IEE, June 1994
[5] Simulink - Simulation and Model-Based Design
http://www.mathworks.com/products/simulink/
[6] Asad Azemi and Edwin Engin Yaz, “Utilizing SIMULINK and
MATLAB in a Graduate Nonlinear Systems Analysis Course”
[7] Signal Processing Blockset 6.8
http://www.mathworks.com/products/sigprocblockset/
326