SUPI, SUCI, and the end of 25 years of identity leakage
“The most private thing you own is not your messages. It is the fact of where you are — and your identity is the key to it.”
— WHY SUCI EXISTS
For a quarter of a century, mobile networks had a dirty secret: your permanent identity regularly crossed the air in cleartext, and anyone with a fake base station could harvest it. 5G is the generation that finally fixed this — with public-key cryptography on the SIM card. This chapter dissects the 5G identity family, the SUCI concealment machinery, and the hardware root of trust beneath it all.
🎯 Learning objectives
Name every identity in the 5G family — SUPI, SUCI, 5G-GUTI, PEI — and when each appears on the air.
Explain SUCI concealment: ECIES, the home network public key, and protection schemes (Profile A, Profile B, null).
Trace de-concealment at the SIDF and why only the home network can do it.
Describe 5G-GUTI reallocation discipline and what breaks without it.
Explain the UICC/USIM hardware root of trust and the ME/USIM responsibility split.
Specification | Title | Version
--- | --- | ---
TS 23.003 | Numbering, addressing and identification (SUPI/SUCI/GUTI formats) | Rel-18/19 edition
TS 23.501 | System architecture (identity usage) | Rel-19, v19.6.0
TS 31.102 | USIM application characteristics | Rel-18 edition

Checked June 2026 — verify against the latest 3GPP version.
4.1 The 5G Identity Family
5G gives a subscriber and a device a small family of identifiers, each with a precise privacy job:
SUPI (Subscription Permanent Identifier) — the real, permanent subscription identity. The 5G successor of the IMSI. Never sent in cleartext over the air.
SUCI (Subscription Concealed Identifier) — the SUPI, encrypted with the home network’s public key. The only form in which a permanent identity may cross the radio.
5G-GUTI (Globally Unique Temporary Identifier) — a temporary alias assigned by the AMF, used for everyday signaling and paging.
PEI (Permanent Equipment Identifier, usually the IMEI) — identifies the device, not the subscription; requested only after security is established.
FIGURE 4.1 The 5G Identity Family Tree
Purpose: the cast of characters for Part 2. If you remember one thing: cleartext SUPI on the radio is always a misconfiguration or an attack.
SUPI formats
Two formats exist (TS 23.003): the IMSI-based SUPI (MCC + MNC + MSIN — the classic 15-digit structure, used by public operators) and the NAI-based SUPI (Network Access Identifier, e.g. [email protected] — used by private networks/SNPN with non-IMSI credentials).
FIGURE 4.2 SUPI Formats — IMSI-Based and NAI-Based
Purpose: what exactly gets hidden. Routing information stays visible by design; the personal part is encrypted.
4.2 The Problem SUCI Had to Solve
Recall Chapter 1’s IMSI catcher: a fake cell sends an unauthenticated Identity Request, and a 4G phone obediently answers with its IMSI — because at first contact, no security context exists yet. That is the chicken-and-egg of mobile identity: the network must learn who you are before it can authenticate you, but anything sent before authentication is readable and spoofable.
5G’s answer is elegant: asymmetric cryptography. The UE carries the home operator’s public key. It encrypts its identity so that only the home operator’s private key — held in the SIDF, deep in the home core — can recover it. The fake base station receives a blob that is different every time (fresh ephemeral key per concealment) and useless for tracking.
FIGURE 4.3 The Identity Harvest — 4G vs 5G at First Contact
Purpose: the before/after that justifies all the machinery below. Note the freshness property — even the same subscriber produces a different SUCI every time.
4.3 SUCI Structure and the Concealment Pipeline
A SUCI is not just an encrypted IMSI — it is a structured object that tells the home network how to decrypt it:
FIGURE 4.4 SUCI Structure — Fields and Scheme Output
Purpose: SUCI as a routable envelope. Clear fields say where to send it; the scheme output hides who it is.
ECIES: how the encryption works
The protection schemes use ECIES (Elliptic Curve Integrated Encryption Scheme) — a standard hybrid construction. TS 33.501 Annex C defines two profiles:
Profile | Curve | Crypto suite | Notes
--- | --- | --- | ---
Profile A | Curve25519 (X25519) | AES-128-CTR + HMAC-SHA-256 | modern Montgomery curve
Profile B | secp256r1 (P-256) | AES-128-CTR + HMAC-SHA-256 | NIST curve, common in HSMs
null | — | none — SUPI passes visible | emergency / test only
FIGURE 4.5 ECIES Concealment Inside the UE — Step by Step
Purpose: the six steps your SIM (or ME) executes before any registration. The ephemeral key in step ① is the unsung hero — it makes every SUCI a one-time pseudonym.
FIGURE 4.6 The Home Network Public Key — Provisioning and Trust
Purpose: the asymmetry that makes roaming privacy work. A visited network can route your SUCI but can never open it.
4.4 De-concealment at the SIDF
When the registration reaches the home network, the SIDF (Subscription Identifier De-concealing Function, co-located with UDM) reverses the pipeline: ECDH with its private key and the UE’s ephemeral public key → same shared secret → verify MAC → decrypt → SUPI. Authentication then proceeds against the real subscription, and crucially — the AUSF later binds the recovered SUPI to the authentication result, so a UE cannot register with someone else’s concealed identity.
FIGURE 4.7 SIDF De-concealment — Message Sequence
Purpose: who learns what, when. The visited AMF routes a blob; the identity materializes only inside the home core, and only as authentication succeeds.
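The six UE-side steps of Figure 4.5 and their reversal at the SIDF, as an added example (not code from the book, from 3GPP, or from any USIM vendor). It assumes the Profile A parameters of TS 33.501 Annex C (X25519, ANSI X9.63 KDF with SHA-256 and the ephemeral public key R as SharedInfo, AES-128-CTR, HMAC-SHA-256 truncated to 8 octets, key data split enckey || ICB || mackey) and the Python `cryptography` library; the home key and MSIN below are constructed, not real values.

```python
import secrets
from cryptography.hazmat.primitives import hashes, hmac, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF

MAC_LEN = 8  # Profile A truncates the HMAC-SHA-256 tag to 64 bits (TS 33.501 Annex C.3.2)

def _keys(shared_secret: bytes, eph_pub: bytes) -> tuple[bytes, bytes, bytes]:
    """ANSI X9.63 KDF with SHA-256, SharedInfo = R; 64 octets split as enckey(16) || ICB(16) || mackey(32)."""
    km = X963KDF(algorithm=hashes.SHA256(), length=64, sharedinfo=eph_pub).derive(shared_secret)
    return km[:16], km[16:32], km[32:]

def _ctr(key: bytes, icb: bytes, data: bytes) -> bytes:
    """AES-128-CTR starting at the initial counter block; the same operation encrypts and decrypts."""
    ctr = Cipher(algorithms.AES(key), modes.CTR(icb)).encryptor()
    return ctr.update(data) + ctr.finalize()

def _tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    h = hmac.HMAC(mac_key, hashes.SHA256())
    h.update(ciphertext)
    return h.finalize()[:MAC_LEN]

def conceal_profile_a(hn_pub: X25519PublicKey, msin_bcd: bytes) -> bytes:
    """UE/USIM side: a fresh ephemeral key pair per call, so one MSIN never yields the same R || C || T twice."""
    eph = X25519PrivateKey.generate()
    r = eph.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    enc_key, icb, mac_key = _keys(eph.exchange(hn_pub), r)
    ct = _ctr(enc_key, icb, msin_bcd)
    return r + ct + _tag(mac_key, ct)

def deconceal_profile_a(hn_priv: X25519PrivateKey, out: bytes) -> bytes:
    """SIDF side: rebuild the shared secret with the home private key, verify T, only then decrypt C."""
    if len(out) < 32 + MAC_LEN:
        raise ValueError("scheme output too short")
    r, ct, t = out[:32], out[32:-MAC_LEN], out[-MAC_LEN:]
    enc_key, icb, mac_key = _keys(hn_priv.exchange(X25519PublicKey.from_public_bytes(r)), r)
    if not secrets.compare_digest(_tag(mac_key, ct), t):
        raise ValueError("MAC verification failed: blob modified or wrong home network key")
    return _ctr(enc_key, icb, ct)

# Constructed for this example: the real private key lives in the SIDF's HSM and never leaves the home core.
HOME_PRIV = X25519PrivateKey.generate()
MSIN_BCD = bytes.fromhex("0000000010")  # MSIN 0000000001, BCD-coded as in the IMSI (first digit in low nibble)

if __name__ == "__main__":
    first, second = (conceal_profile_a(HOME_PRIV.public_key(), MSIN_BCD) for _ in range(2))
    print("two SUCIs for one subscriber differ:", first != second)
    print("SIDF recovers the MSIN:", deconceal_profile_a(HOME_PRIV, first) == MSIN_BCD)
```

The visited network sees only `r + ct + tag`; any modification to the blob fails the MAC check before a single byte is decrypted.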
When is SUCI actually sent?
Rarely — and that is the design. The UE sends a SUCI only when it has no valid 5G-GUTI: first-ever registration, after a USIM swap, when the network cannot resolve the GUTI it presented, or after explicit identity re-request (which in 5G is only honored for SUCI, never cleartext SUPI). Everyday traffic runs on the GUTI.
FIGURE 4.8 When SUCI Is Sent — the Identity Decision Flow
Purpose: identity traffic discipline. SUCI is the exception, GUTI is the rule — and cleartext SUPI is never an option.
4.5 5G-GUTI: the Everyday Alias
The 5G-GUTI is the workhorse identity: assigned by the AMF over protected NAS, used for service requests, paging, and re-registration. Its structure embeds which AMF holds your context (so any gNB can route you back) plus the 5G-TMSI, your short temporary number.
Privacy depends on reallocation discipline — TS 33.501 requires a fresh GUTI after key events. A GUTI that never changes becomes a de-facto permanent identifier and resurrects the tracking problem SUCI solved.
FIGURE 4.9 5G-GUTI Structure and Reallocation Discipline
Purpose: structure plus discipline. Chapter 19 shows real attacks on networks that assigned GUTIs and kept them for days.
4.6 The UICC/USIM: Hardware Root of Trust
Everything above rests on the UICC — a tamper-resistant smart card (or embedded eUICC/iUICC) running the USIM application. It stores K and the home public key, executes MILENAGE/TUAK and (typically) the ECIES concealment, and enforces PIN/ADM access control. The ME/USIM split means: malware in the phone OS can abuse the USIM as an oracle while present, but cannot extract K and clone the subscription.
FIGURE 4.10 The Hardware Root of Trust — Layers and Risk Gradient
Purpose: the inverse gradient that drives UE security design — the most attacked layers hold the least valuable secrets.
FIGURE 4.11 USIM vs ME — Who Computes What
Purpose: the responsibility contract. Auditors: ask your USIM vendor where SUCI is computed and which profile is provisioned — both are configuration, not defaults.
4.7 The Null Scheme: the Hole You Must Close
The null protection scheme sends the SUPI essentially visible inside a SUCI wrapper. 3GPP keeps it for two legitimate cases: unauthenticated emergency calls and operator/lab configurations where concealment is not provisioned. The operational reality: null-scheme left enabled after integration testing is one of the most common 5G privacy failures in live networks (it featured in Chapter 1’s real example, and Chapter 26 builds a KPI to catch it).
FIGURE 4.12 Null-Scheme Risk — Legitimate Uses vs the Classic Failure
Purpose: null scheme exists for reasons — and stays enabled by accident. One Wireshark capture of a Registration Request settles whether your network is exposed.
4.8 The Practical Operator View
Provision home network keys before launch, with key IDs and a rotation plan. Key rotation uses the key ID field — UEs can hold multiple keys.
Decide and document USIM-based vs ME-based SUCI computation; align USIM procurement with it.
Pick a routing indicator plan — it shards subscribers across UDM/SIDF instances; privacy nuance: very rare routing indicator values can themselves narrow identity.
Enforce GUTI reallocation per trigger list and verify it in traces — vendor defaults vary.
Watch null-scheme and identity-request rates as standing KPIs.
Common misconfiguration risks
Null scheme live in production (the classic).
Home public key provisioned but scheme enforcement off — UEs silently fall back.
GUTI reallocation set to a long timer “to reduce signaling.”
PEI requested before NAS security establishment (legacy habit; 5G forbids it).
One routing indicator for VIP subscribers — a tracking gift.
4.9 Threats and Mitigations
Threat | Vector | Mitigation
--- | --- | ---
Identity harvesting | fake cell identity request | SUCI — only concealed identity ever answered
Linkability / tracking | repeated registrations observed | fresh ephemeral key per SUCI; GUTI reallocation
Home private key theft | UDM/SIDF compromise | HSM custody, key rotation via key IDs, access audit
SUCI replay/tampering | modified blob to SIDF | MAC verification in ECIES; freshness
Downgrade to null scheme | misconfiguration | enforcement policy + null-scheme KPI
SIM cloning | physical/side-channel on UICC | tamper-resistant UICC, MILENAGE/TUAK with operator constants
4.10 Terminology, Example, Checklist
Term | Meaning
--- | ---
SUPI / SUCI | Permanent subscription ID / its concealed over-the-air form
MSIN | The subscriber-specific digits inside an IMSI-based SUPI — the part that gets encrypted
ECIES | Elliptic Curve Integrated Encryption Scheme — the hybrid construction behind SUCI
SIDF | Subscription Identifier De-concealing Function — holds the home private key
5G-GUTI / 5G-TMSI / GUAMI | Temporary identifier / its short UE part / its AMF-identifying part
PEI / IMEI | Permanent Equipment Identifier — the device, not the subscription
UICC / eUICC | The smart card platform (removable / embedded) hosting the USIM
Real network example. A Gulf operator launched 5G SA with SUCI Profile A and a single routing indicator. Months later, their privacy team found VIP government SIMs had been provisioned with a distinct routing indicator “for priority UDM handling” — making every VIP registration recognizable on the air from the clear routing field alone, despite perfect encryption. Fix: VIPs re-personalized onto the common routing indicator; priority handling moved inside the core. Lesson: privacy leaks love metadata.
Capture one live Registration Request: confirm scheme ID is A or B, not null.
Verify home public key IDs on issued USIMs match SIDF-provisioned private keys (rotation readiness).
Confirm where SUCI is computed (USIM vs ME) and that it matches procurement specs.
Trace GUTI values across two registrations of a test UE — they must differ.
Confirm PEI is only requested after NAS SMC in traces.
Review routing-indicator population sizes — no small identifying groups.
★ Chapter Summary
5G identities: SUPI (permanent, never on air in clear), SUCI (asymmetric-encrypted, fresh each time), 5G-GUTI (everyday alias, must rotate), PEI (device, only after security).
SUCI = ECIES with the home network public key: ephemeral ECDH → AES-CTR + HMAC; Profiles A (X25519) and B (P-256); null scheme = emergency/test only.
Only the home SIDF can de-conceal; the visited network routes blobs it cannot read; the AMF learns the SUPI only after successful authentication.
The UICC/USIM is the hardware root of trust: K never leaves it; ME compromise caps at session keys.
Why must the MCC/MNC (or NAI realm) remain readable in a SUCI, and why is that acceptable?
Explain how the ephemeral key pair in ECIES delivers unlinkability. What could link two SUCIs if it were reused?
A roaming subscriber registers in your network. List every entity that sees the SUCI and every entity that sees the SUPI, in order.
Contrast the compromise ceilings of (a) phone OS malware, (b) a stolen UICC without PIN, (c) UDM/SIDF private-key theft.
Your trace shows the same 5G-TMSI paging a UE for six days. What is wrong, what does an attacker gain, and which spec requirement is violated?
Why does 5G refuse to honor a cleartext-SUPI identity request, and what legacy attack does that kill?
Profile A vs Profile B: name the curves and one practical reason an operator might choose B.
Design the alarm: which fields of which message would your KPI inspect to detect null-scheme creep?
🧪 Mini lab — read a SUCI with your own eyes
In the Open5GS + UERANSIM lab (Chapter 33 has full setup): (1) configure the UE profile with SUCI enabled (scheme 1, home key provisioned) and capture the Registration Request in Wireshark — expand the 5GS mobile identity IE and identify scheme ID, home network public key ID, ephemeral public key, and ciphertext. (2) Re-register and diff the two SUCIs — confirm every encrypted byte changed. (3) Now set scheme 0 (null) and capture again — watch your “IMSI” appear, readable. That last capture is the picture to show any manager who asks why SUCI configuration matters.