
5G Identifiers SUPI and SUCI


In 5G networks, managing a subscriber’s identity is a delicate balancing act between robust authentication and stringent user privacy. To achieve this, 5G architecture moves beyond the legacy identifiers of 4G and introduces a sophisticated system built around the Subscription Permanent Identifier (SUPI) and its encrypted counterpart, the Subscription Concealed Identifier (SUCI).

These identifiers work in concert with temporary IDs like the 5G-GUTI to create a layered defence that protects a user’s long-term identity from being intercepted. This article breaks down what SUPI and SUCI are, how they are generated, and how they function in the end-to-end 5G registration process.

The SUPI is the 5G system’s primary, permanent identifier that uniquely represents a subscriber in their home network. It is the direct successor to the IMSI (International Mobile Subscriber Identity) used in 2G/3G/4G. The SUPI is securely stored in the subscriber’s USIM (or eSIM) and in the Unified Data Management (UDM) function of the home network’s core.

A SUPI of the IMSI type is structured like an IMSI: MCC + MNC + MSIN (Mobile Subscriber Identification Number), where the MSIN is the part that identifies the individual subscriber.

The critical security principle in 5G is that the SUPI should never be transmitted in plaintext over the air. Exposing it would make subscribers vulnerable to tracking and other attacks, like “IMSI catching” in legacy networks. This is where SUCI becomes essential.

The SUCI is a privacy-protecting version of the SUPI. It is not a fixed identifier but is generated on demand by the UE and sent to the network during initial registration. Its sole purpose is to hide the subscriber’s permanent identity (SUPI) from eavesdroppers. A SUCI is made up of the following fields:

  • SUCI Type (Value 0–7): Defines the format/type of the concealed identifier.
  • Home Network Identifier: Contains MCC + MNC (depends on SUPI type) to identify the home operator.
  • Routing Indicator (1–4 Digits): Assists in directing messages within the operator’s network.
  • Protection Scheme (Value 0–15): Indicates which encryption/concealment method (e.g., ECIES) is used.
  • Home Network Public Key ID (Value 0–255): Identifies the public key used for encrypting the MSIN.
  • Protection Scheme Output: Holds the encrypted MSIN (ciphertext + MAC), output varies by scheme used.

The UE creates a SUCI by encrypting the sensitive part of the SUPI (the MSIN) using public-key cryptography. This process relies on the Elliptic Curve Integrated Encryption Scheme (ECIES).

  • Key Provisioning: The home network operator securely provisions its public key onto the subscriber’s USIM. The corresponding private key is kept secret within the operator’s core network (specifically, in the SIDF).
  • Encryption: The UE takes the MSIN portion of the SUPI and encrypts it using the home network’s public key.
  • Assembly: The resulting ciphertext is combined with other, non-sensitive information needed for routing.

Because only the home network possesses the private key, only it can decrypt the SUCI and reveal the original SUPI.
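The field layout listed above and the assembly step are illustrated by this added example (my code, not the article's or 3GPP's): it builds and parses the NAI-style text form of a SUCI, checks the value ranges of each field, and flags the null-scheme case in which the scheme output is the plain MSIN. The sample MCC/MNC/MSIN values and the hex scheme output are constructed; no ECIES encryption is performed here.

```python
import re

NULL_SCHEME = 0      # protection scheme id 0 is the null scheme: the MSIN goes out in clear
SUPI_TYPE_IMSI = 0

def build_suci(supi_type, mcc, mnc, routing_indicator, scheme_id, hn_key_id, scheme_output):
    """Assemble the NAI-style text form of a SUCI:
    suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<key id>-<scheme output>
    and validate the value ranges of the fields described in the article."""
    if not 0 <= supi_type <= 7:
        raise ValueError("SUPI type must be 0..7")
    if not re.fullmatch(r"\d{3}", mcc) or not re.fullmatch(r"\d{2,3}", mnc):
        raise ValueError("MCC is 3 digits, MNC is 2 or 3 digits")
    if not re.fullmatch(r"\d{1,4}", routing_indicator):
        raise ValueError("routing indicator is 1..4 digits")
    if not 0 <= scheme_id <= 15:
        raise ValueError("protection scheme id must be 0..15")
    if not 0 <= hn_key_id <= 255:
        raise ValueError("home network public key id must be 0..255")
    if not re.fullmatch(r"[0-9A-Fa-f]+", scheme_output):
        raise ValueError("scheme output is digits (null scheme) or hex (ECIES output)")
    return f"suci-{supi_type}-{mcc}-{mnc}-{routing_indicator}-{scheme_id}-{hn_key_id}-{scheme_output}"

def parse_suci(suci):
    """Split a SUCI into its fields. The MCC/MNC part is all that a serving AMF
    reads in plaintext to route the request to the home network."""
    parts = suci.split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI in NAI form")
    fields = {
        "supi_type": int(parts[1]), "mcc": parts[2], "mnc": parts[3],
        "routing_indicator": parts[4], "scheme_id": int(parts[5]),
        "hn_key_id": int(parts[6]), "scheme_output": parts[7],
    }
    build_suci(**fields)  # re-run the range checks on the parsed values
    return fields

def exposed_supi(fields):
    """Audit check: under the null scheme the scheme output is the bare MSIN, so the
    IMSI-type SUPI can be reassembled by any listener. Returns it, or None if concealed."""
    if fields["supi_type"] != SUPI_TYPE_IMSI or fields["scheme_id"] != NULL_SCHEME:
        return None
    return fields["mcc"] + fields["mnc"] + fields["scheme_output"]

# Constructed sample values (not from any real network): MCC 234, MNC 15,
# routing indicator 678, MSIN 0999999999; the ECIES output is a placeholder hex blob.
NULL_SUCI = build_suci(0, "234", "15", "678", 0, 0, "0999999999")
ECIES_SUCI = build_suci(0, "234", "15", "678", 1, 27, "a1b2c3d4e5f6")
```

Running `exposed_supi(parse_suci(...))` over captured registration requests is a quick way to spot a misconfigured null scheme.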

To situate SUPI and SUCI in context, here are a few related identifiers used in 5G networks:

  • 5G-GUTI (5G Globally Unique Temporary Identity): A temporary identifier assigned by the AMF after registration. It consists of GUAMI (Globally Unique AMF ID) + 5G-TMSI. The UE uses the 5G-GUTI in subsequent messaging rather than SUCI or SUPI.
  • PEI (Permanent Equipment Identifier): This identifies the device (UE) rather than the subscriber (e.g. the IMEI). The UE may present it to the network when required.
  • GPSI (Generic Public Subscription Identifier): This is a public identifier (such as MSISDN) that can be used for addressing in data networks external to 3GPP. The 5G system maintains mappings between the GPSI and the SUPI.
  • AMF Name, DNN (Data Network Name), Internal-Group Identifier, etc.

These identifiers serve roles in mobility management, session establishment, routing, and slicing, but SUPI/SUCI remain the core identity pair for subscriber-level security and privacy.

The interplay between SUPI, SUCI, and the temporary identifier (5G-GUTI) is best understood through the initial network registration flow.

  • Registration Request: The UE powers on and needs to register. It constructs a SUCI and sends it in a Registration Request message to the network.
  • Forwarding by RAN: The 5G gNB forwards this request to the AMF, the core network node responsible for registration.
  • Routing to Home Network: The AMF inspects the plaintext MCC and MNC in the SUCI to identify the user’s home network. It cannot decrypt the SUCI itself. It forwards the SUCI to the home network’s UDM.
  • De-concealing SUCI: The SIDF (Subscription Identifier De-Concealing Function) within the UDM uses its private key to decrypt the SUCI, securely revealing the user’s permanent SUPI.
  • Authentication Data: The UDM, now knowing the SUPI, retrieves the subscriber’s authentication data and sends it back to the AMF.
  • Authentication: The AMF initiates the authentication procedure with the UE.
  • Assigning a Temporary ID: Upon successful authentication, the AMF generates a temporary, non-predictable identifier called the 5G-GUTI and sends it to the UE in the Registration Accept message.
  • Future Communication: For all subsequent interactions (e.g., establishing a data session, mobility updates), the UE uses the 5G-GUTI. This avoids the need to repeatedly generate and transmit the SUCI, enhancing both privacy and efficiency.


The 5G-GUTI is an 80-bit identifier with a hierarchical structure that allows the network to uniquely identify the user and the specific AMF serving them. As shown in the diagram, the 5G-GUTI is composed of two main parts:

  • GUAMI (Globally Unique AMF Identifier) – 48 bits: This part uniquely identifies the serving AMF. It is constructed from:
    • PLMN ID (24 bits): Contains the MCC (Mobile Country Code) and MNC (Mobile Network Code) to identify the specific operator’s network.
    • AMF Identifier (24 bits): A unique ID for the AMF within the PLMN, composed of an AMF Region ID (8 bits), AMF Set ID (10 bits), and AMF Pointer (6 bits, shown as the second AMF Set ID in the diagram), which pinpoints a specific AMF within a set.
  • 5G-TMSI (5G Temporary Mobile Subscription Identifier) – 32 bits: This is the temporary, randomized identifier for the user within the context of the serving AMF. It is the part that changes most frequently to ensure unlinkability.
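As an added example (my code, not the article's), the bit layout just described packed and unpacked as an 80-bit integer: the PLMN ID is BCD-encoded in the nibble-swapped NAS layout, the AMF Identifier is split into Region ID, Set ID and Pointer, and a reallocation helper keeps the GUAMI while drawing a fresh 5G-TMSI from a CSPRNG. The MCC/MNC and TMSI values are constructed.

```python
import secrets

def encode_plmn(mcc, mnc):
    """BCD-encode MCC/MNC into the 3-octet PLMN ID (nibble-swapped NAS layout;
    the MNC third digit is 0xF when the MNC has only two digits)."""
    d = [int(c) for c in mcc]
    m = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(d[1] << 4) | d[0], (m[2] << 4) | d[2], (m[1] << 4) | m[0]])

def decode_plmn(octets):
    mcc = f"{octets[0] & 0xF}{octets[0] >> 4}{octets[1] & 0xF}"
    mnc3 = octets[1] >> 4
    mnc = f"{octets[2] & 0xF}{octets[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc, mnc

def pack_guti(mcc, mnc, region_id, set_id, pointer, tmsi):
    """Build the 80-bit 5G-GUTI as an int: GUAMI (48 bits) followed by 5G-TMSI (32 bits)."""
    if not (0 <= region_id < 2**8 and 0 <= set_id < 2**10 and 0 <= pointer < 2**6):
        raise ValueError("AMF Region ID is 8 bits, AMF Set ID 10 bits, AMF Pointer 6 bits")
    if not 0 <= tmsi < 2**32:
        raise ValueError("5G-TMSI is 32 bits")
    amf_id = (region_id << 16) | (set_id << 6) | pointer            # 24-bit AMF Identifier
    guami = (int.from_bytes(encode_plmn(mcc, mnc), "big") << 24) | amf_id
    return (guami << 32) | tmsi

def unpack_guti(guti):
    """Inverse of pack_guti: split the 80-bit value back into its named fields."""
    if not 0 <= guti < 2**80:
        raise ValueError("5G-GUTI is 80 bits")
    guami, tmsi = guti >> 32, guti & 0xFFFFFFFF
    amf_id = guami & 0xFFFFFF
    mcc, mnc = decode_plmn((guami >> 24).to_bytes(3, "big"))
    return {"mcc": mcc, "mnc": mnc, "region_id": amf_id >> 16,
            "set_id": (amf_id >> 6) & 0x3FF, "pointer": amf_id & 0x3F, "tmsi": tmsi}

def guami_of(guti):
    return guti >> 32

def reallocate_tmsi(guti):
    """Model of GUTI reallocation: the serving AMF (GUAMI) stays the same while the
    5G-TMSI is replaced by a fresh unpredictable value, which is what breaks linkability."""
    return (guami_of(guti) << 32) | secrets.randbits(32)
```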
From a security standpoint, this design delivers:

  • Protection Against IMSI Catching: SUCI effectively neutralizes passive eavesdropping and active attacks designed to capture permanent subscriber identities.
  • Home Network Control: Since only the home network can decrypt the SUCI, identity exposure to visited networks or rogue base stations is prevented.
  • Unlinkability: The frequent reallocation of the 5G-GUTI makes it difficult for an attacker to track a subscriber’s activity over time.

It also leaves operators with some challenges:

  • Home Network Exposure: The SUCI still reveals the user’s home network (MCC/MNC) in plaintext, which could be a source of information for an attacker.
  • The “Null Scheme” Risk: The 5G standard allows for a “null” protection scheme where the SUPI is not encrypted. If misconfigured by an operator, this completely negates the privacy benefits.
  • Roaming Complexity: When roaming, a visited network must successfully forward the SUCI to the home network. Incompatibilities in supported protection schemes could lead to security downgrades.
  • Key Management: Operators must securely manage the cryptographic keys used for SUCI, including provisioning, rotation, and updates.

The introduction of SUPI and SUCI is a cornerstone of improving subscriber privacy in 5G. SUPI acts as the permanent identity tied to a subscriber, while SUCI is how that identity is concealed when transmitted over the radio interface. Together with temporary identifiers like 5G-GUTI, they form a layered identity architecture designed for secure, privacy-preserving, mobile operation.

However, the design is not without challenges: leaks via identifier lengths, misconfigurations, roaming interactions, and the computational burden of encryption all must be managed carefully. Researchers continue to explore enhancements (e.g. better padding schemes, zero-knowledge proofs, alternative concealment methods) to strengthen identity privacy further.

  • 3GPP TS 23.501 – System Architecture for the 5G System (Identifiers defined).
  • 3GPP TS 23.502 – 5G Procedures including registration and GUTI reallocation.
  • 3GPP TS 33.501 – 5G Security architecture with SUPI/SUCI protection.
  • Ericsson Blog – Privacy concerns from identifier length variations.
  • Arxiv (Nori, 2021) – Research on SUCI anonymity and concealment limits.
