5G Network Identity SUPI/SUCI

prasanna sahu

Introduction

In 5G, to protect the UE's permanent identity (SUPI, Subscription Permanent Identifier), the UE never transmits the SUPI as it is over the air. Instead the UE conceals (encrypts) the SUPI with a public-key scheme to create a SUCI (Subscription Concealed Identifier) before sending it to the core network. Only the home network holds the matching private key, so a radio eavesdropper or a rogue base station cannot recover the SUPI from the SUCI.

Concealing is done either in the USIM or in the ME (Mobile Equipment), depending on an indication the operator configures in the USIM. If no indication is present, the ME does the concealing, using the home network public key and protection scheme parameters provisioned in the USIM.
In the core network only the UDM, through its SIDF (Subscription Identifier De-concealing Function), holds the home network private key and has the authority to de-conceal the SUCI back to the SUPI.

Identity flow between UE and Network

Decoding of SUCI

SUPI Type: a value in the range 0 to 7 that identifies the type of the SUPI concealed in the SUCI. The following values are defined:

–  0: IMSI
–  1: Network Specific Identifier
–  2 to 7: spare values for future use.

Home Network Identifier: identifies the home network of the subscriber.

When the SUPI Type is an IMSI, the Home Network Identifier is composed of two parts:
–  Mobile Country Code (MCC), consisting of three decimal digits.
–  Mobile Network Code (MNC), consisting of two or three decimal digits.
When the SUPI type is a Network Specific Identifier (a NAI of the form username@realm, e.g. abc@xyz.com), the Home Network Identifier is the realm part, a string of characters of variable length representing a domain name (xyz.com in the example). Only the username part is concealed; the realm must stay readable so the serving network can route the request to the right home network.

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Protection Scheme Identifier: a value in the range 0 to 15, represented in 4 bits.

  • null-scheme         0x0;
  • Profile <A>         0x1;
  • Profile <B>         0x2;
  • 0x3 to 0xB are reserved for future standardised schemes, 0xC to 0xF for operator-specific (proprietary) schemes.

Home Network Public Key Identifier: a value in the range 0 to 255. It identifies which of the public keys provisioned by the HPLMN was used for SUPI protection, so the UDM/SIDF can select the matching private key (and the operator can rotate keys). When the null-scheme is used, this field shall be set to the value 0.

Scheme Output: a string of characters of variable length, or hexadecimal digits, depending on the protection scheme used.

  • Null Scheme – no encryption happens; the scheme output is the MSIN (the value left after taking MCC and MNC out of the IMSI) as it is, or the username part of the NAI for a Network Specific Identifier. It gives no confidentiality at all: the SUPI is effectively sent in the clear. The ME falls back to the null-scheme when the USIM has no home network public key provisioned, so a USIM that is not provisioned for 5G privacy silently loses the protection.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile A – the scheme output is divided into three parts:
    1. ECC ephemeral public key, 256 bits (32 bytes, a Curve25519 point), freshly generated by the UE for every SUCI using the provisioned ECIES input parameters. A fresh key per SUCI is what stops two SUCIs of the same subscriber from being linked.
    2. Ciphertext, of variable length (the same length as the encoded MSIN, since AES-128 in CTR mode is used).
    3. MAC tag, 64 bits, computed over the ciphertext so the UDM can reject a tampered SUCI before decrypting it.
  • Elliptic Curve Integrated Encryption Scheme (ECIES) Profile B – the same three parts, but on the secp256r1 curve:
    1. ECC ephemeral public key, 264 bits (33 bytes, compressed point format), freshly generated using the provisioned ECIES input parameters.
    2. Ciphertext, of variable length.
    3. MAC tag, 64 bits.
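The field breakdown above can be checked mechanically. The following parser is an added example written for this page (it is not the author's code and not from any 3GPP implementation): it takes the dash-separated string form TS 23.003 defines for an IMSI-based SUCI, `suci-<SUPI type>-<MCC>-<MNC>-<Routing Indicator>-<Scheme Id>-<HN Public Key Id>-<Scheme Output>`, and validates each field against the ranges listed above, including the rule that the null-scheme must carry key id 0 and the 32/33-byte ephemeral key plus 8-byte MAC tag layout of Profiles A and B. All sample values in the test are constructed.

```python
"""Parse and sanity-check the string form of an IMSI-based SUCI (added example).

Format assumed (TS 23.003 string form for SUPI type 0):
  suci-<type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<hn key id>-<scheme output>
Scheme output is decimal MSIN digits for the null-scheme and hex for everything else.
"""
from dataclasses import dataclass
from typing import Optional

NULL_SCHEME, PROFILE_A, PROFILE_B = 0, 1, 2
# Ephemeral public key sizes in bytes: 256 bits (Curve25519) and 264 bits (compressed secp256r1).
EPH_KEY_LEN = {PROFILE_A: 32, PROFILE_B: 33}
MAC_TAG_LEN = 8  # 64-bit MAC tag for both ECIES profiles


class SuciError(ValueError):
    pass


@dataclass
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    msin: Optional[str] = None              # null-scheme only
    eph_pub_key: Optional[bytes] = None     # Profile A / B
    ciphertext: Optional[bytes] = None
    mac_tag: Optional[bytes] = None
    opaque_output: Optional[bytes] = None   # reserved or proprietary schemes


def _digits(field: str, name: str, lo: int, hi: int) -> str:
    if not (field.isdigit() and lo <= len(field) <= hi):
        raise SuciError(f"{name} must be {lo}-{hi} decimal digits, got {field!r}")
    return field


def parse_suci(text: str) -> Suci:
    parts = text.split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise SuciError("expected suci-<type>-<mcc>-<mnc>-<rid>-<schid>-<hnkey>-<output>")
    _, supi_type, mcc, mnc, rid, schid, hnkey, output = parts
    if supi_type != "0":
        raise SuciError("only SUPI type 0 (IMSI) uses this form; type 1 (NSI) uses the NAI form")
    mcc = _digits(mcc, "MCC", 3, 3)
    mnc = _digits(mnc, "MNC", 2, 3)
    rid = _digits(rid, "Routing Indicator", 1, 4)
    scheme_id = int(_digits(schid, "Protection Scheme Id", 1, 2))
    if scheme_id > 15:
        raise SuciError("Protection Scheme Id is a 4-bit value (0-15)")
    hn_key_id = int(_digits(hnkey, "HN Public Key Id", 1, 3))
    if hn_key_id > 255:
        raise SuciError("HN Public Key Id must be 0-255")
    suci = Suci(0, mcc, mnc, rid, scheme_id, hn_key_id)

    if scheme_id == NULL_SCHEME:
        if hn_key_id != 0:
            raise SuciError("null-scheme requires HN Public Key Id 0")
        # IMSI is at most 15 digits, so the MSIN is whatever is left after MCC and MNC.
        suci.msin = _digits(output, "MSIN", 1, 15 - len(mcc) - len(mnc))
        return suci

    try:
        blob = bytes.fromhex(output)
    except ValueError:
        raise SuciError("scheme output must be hexadecimal for non-null schemes") from None

    if scheme_id in EPH_KEY_LEN:
        klen = EPH_KEY_LEN[scheme_id]
        if len(blob) < klen + 1 + MAC_TAG_LEN:
            raise SuciError("scheme output too short for ephemeral key + ciphertext + MAC tag")
        suci.eph_pub_key = blob[:klen]
        if scheme_id == PROFILE_B and suci.eph_pub_key[0] not in (0x02, 0x03):
            raise SuciError("Profile B ephemeral key must be a compressed point (02/03 prefix)")
        suci.ciphertext = blob[klen:-MAC_TAG_LEN]
        suci.mac_tag = blob[-MAC_TAG_LEN:]
    else:
        suci.opaque_output = blob   # 3-11 reserved, 12-15 operator-specific: structure unknown here
    return suci


def is_valid_suci(text: str) -> bool:
    try:
        parse_suci(text)
        return True
    except SuciError:
        return False


if __name__ == "__main__":
    # Constructed examples, not captured from a live network.
    print(parse_suci("suci-0-234-15-678-0-0-0999999999"))
    print(parse_suci("suci-0-234-15-678-1-27-" + "11" * 32 + "aabbccddee" + "22" * 8))
```

The checks here are purely structural: a SUCI that passes them still has to have its MAC tag verified by the SIDF with the home network private key before any SUPI is derived from it.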

Note: Detailed into Elliptic Curve Integrated Encryption Scheme(ECIES) will be discussed in another Blog.
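As an added example (not the author's promised follow-up and not code from any 3GPP implementation), the three-part Profile A scheme output listed above can be produced on the UE side and consumed on the UDM/SIDF side in a few lines of Python with the `cryptography` package. The parameters follow my reading of TS 33.501 Annex C: Curve25519 key agreement, ANSI X9.63 KDF with SHA-256 yielding a 128-bit AES key, a 128-bit initial counter block and a 256-bit MAC key, AES-128-CTR for the ciphertext and HMAC-SHA-256 truncated to 64 bits for the MAC tag. The packed-BCD encoding of the MSIN, the sample MSIN and the home network key pair generated on the fly are assumptions made for the example; a real USIM carries the operator's public key and key identifier instead.

```python
"""ECIES Profile A SUCI conceal / de-conceal round trip (added example).

Assumed parameters (my reading of TS 33.501 Annex C.3.4.1, not code from the page):
  - key agreement: X25519 between a fresh UE ephemeral key and the home network key
  - KDF: ANSI X9.63 with SHA-256, shared info = ephemeral public key, 64 bytes out
         = AES-128 key (16) || initial counter block (16) || MAC key (32)
  - ciphertext: AES-128-CTR over the packed-BCD MSIN
  - MAC tag: HMAC-SHA-256 over the ciphertext, truncated to 64 bits
Requires the 'cryptography' package.
"""
import hashlib
import hmac

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

EPH_KEY_LEN = 32   # 256-bit Curve25519 public key
MAC_LEN = 8        # 64-bit MAC tag


def make_home_network_keypair():
    """Operator side: the private key stays in the UDM/SIDF, the raw public key goes to the USIM."""
    priv = X25519PrivateKey.generate()
    pub = priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return priv, pub


def msin_to_bcd(msin: str) -> bytes:
    """Packed BCD, low nibble first, 0xF pad for odd length (TS 24.501 style; assumption)."""
    digits = [int(d) for d in msin]
    if len(digits) % 2:
        digits.append(0xF)
    return bytes(lo | (hi << 4) for lo, hi in zip(digits[0::2], digits[1::2]))


def bcd_to_msin(data: bytes) -> str:
    out = []
    for octet in data:
        out.append(str(octet & 0xF))
        if octet >> 4 != 0xF:
            out.append(str(octet >> 4))
    return "".join(out)


def _derive_keys(shared_secret: bytes, eph_pub: bytes):
    kdf = X963KDF(algorithm=hashes.SHA256(), length=64, sharedinfo=eph_pub)
    km = kdf.derive(shared_secret)
    return km[:16], km[16:32], km[32:]   # enc_key, initial counter block, mac_key


def conceal(msin: str, hn_pub_raw: bytes) -> bytes:
    """UE/USIM side: returns the Profile A scheme output = eph_pub || ciphertext || mac tag."""
    eph_priv = X25519PrivateKey.generate()   # fresh key for every SUCI, so SUCIs are unlinkable
    eph_pub = eph_priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    shared = eph_priv.exchange(X25519PublicKey.from_public_bytes(hn_pub_raw))
    enc_key, icb, mac_key = _derive_keys(shared, eph_pub)
    enc = Cipher(algorithms.AES(enc_key), modes.CTR(icb)).encryptor()
    ciphertext = enc.update(msin_to_bcd(msin)) + enc.finalize()
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    return eph_pub + ciphertext + tag


def deconceal(scheme_output: bytes, hn_priv: X25519PrivateKey) -> str:
    """UDM/SIDF side: verify the MAC tag first, then decrypt. Raises ValueError on a bad tag."""
    if len(scheme_output) < EPH_KEY_LEN + 1 + MAC_LEN:
        raise ValueError("scheme output too short")
    eph_pub = scheme_output[:EPH_KEY_LEN]
    ciphertext = scheme_output[EPH_KEY_LEN:-MAC_LEN]
    tag = scheme_output[-MAC_LEN:]
    shared = hn_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    enc_key, icb, mac_key = _derive_keys(shared, eph_pub)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC tag mismatch: SUCI rejected, SUPI not derived")
    dec = Cipher(algorithms.AES(enc_key), modes.CTR(icb)).decryptor()
    return bcd_to_msin(dec.update(ciphertext) + dec.finalize())


def try_deconceal(scheme_output: bytes, hn_priv: X25519PrivateKey):
    """Convenience wrapper: the MSIN on success, None where the SIDF would reject the SUCI."""
    try:
        return deconceal(scheme_output, hn_priv)
    except ValueError:
        return None


if __name__ == "__main__":
    hn_priv, hn_pub = make_home_network_keypair()
    out = conceal("0999999999", hn_pub)            # constructed MSIN
    print("scheme output:", out.hex())
    print("de-concealed MSIN:", deconceal(out, hn_priv))
```

Two properties worth noticing when running it: the first 32 bytes of the output change on every call for the same MSIN, which is the unlinkability the ephemeral key buys, and flipping any bit of the ciphertext or tag, or using a key pair with a different key identifier, makes the SIDF reject the SUCI before it ever decrypts, which is also the first thing to check when de-concealment "fails" on a live UDM.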

prasanna sahu

Telecom Professional

11 Comments

Alexandre CROGUENNEC Posted on 4:03 pm - October 21, 2019

Hello Prasanna Sahu,
Thanks for this very clear explanation, which is much more accessible to someone trying to understand the difference between SUCI and SUPI than the thousands of pages of the ETSI 5G standard 🙂 !
Unless I miss a point, I believe there is a small typo in the key size mentioned in your text, vs the information provided in TS133.501 Rel 16, Annex C.
To my understanding, Profile A, public key size is 256 bits (64 4-bit hexadecimal digits), and Profile B is 264 bits (66 4-bit hexadecimal digits).
I leave it to you to check and eventually correct the text above the 2 images, if you believe that makes sense.
Best regards,
Alex

Joby Posted on 4:35 pm - November 4, 2019

“Note: Detailed into Elliptic Curve Integrated Encryption Scheme(ECIES) will be discussed in another Blog”

Did you ever write another blog on this, Prasanna?

shasha Posted on 8:24 am - January 2, 2020

how ip packet of app will know about UE?

    prasanna Posted on 5:30 pm - January 3, 2020

    Hi Sha,
    UE IP address is either a public IP or a NATed IP. So when the UE is registered to the network, the UDM acts as a GW to the UE. In case of NATting it translates the public IP to the UE IP based on the application port number; in this case the UE always needs to initiate a request (same as an office network/home router network). In case of a public IP the UE can communicate with the outside application directly without address translation.

Raja Posted on 12:21 pm - January 28, 2020

How to de-conceal SUCI to SUPI in UDM?

    prasanna Posted on 12:32 pm - February 12, 2020

    Hi Raja,
    Concealing/de-concealing are done based on the algorithm and shared key. That means both the UDM and the UE SIM have the algorithm and shared key provisioned. When you buy a SIM card from a store, they will provision your SIM with the appropriate algorithm and shared key, which is provisioned in the UDM for that SIM. So now the SIM and the UDM can conceal/de-conceal the SUPI based on the pre-agreed algorithm and keys.

    Thanks

Pinak Posted on 11:58 am - February 12, 2020

After a lot of search, got the perfect explanation

Shri Ganesh Posted on 12:54 pm - March 31, 2020

How can the existing 4G SIM be updated through OTA with the required files to support 5G?

Rajnish Tripathi Posted on 8:30 am - July 31, 2020

Can we derive the home network public key using SUCI data?

Vijay Anand Posted on 11:53 am - September 21, 2020

Anyone having an idea about 5G USIM technical specification requirements for the 5G USIM main parameters… what type of software, hardware, product is required to configure the 5G USIM?

Vaibhav Doshi Posted on 5:54 am - October 30, 2020

What are the possible scenarios wherein SUCI de-concealment can fail at UDM (SIDF)? Also, how can an operator troubleshoot a SUCI de-concealment issue, as the SUPI is not derived?

Comments are closed.