SUCI / SUPI Analyzer

Q: What is the difference between SUPI and SUCI?

SUPI is the permanent 5G identity (usually IMSI). SUCI is the concealed version sent over the air, where the MSIN is encrypted with the home network public key; the network de-conceals it back to the SUPI.

Q: What are ECIES Profile A and Profile B?

Profile A and Profile B are the two SUCI protection schemes (TS 33.501 Annex C). Profile A uses Curve25519 (X25519); Profile B uses NIST P-256. Both are ECIES (ephemeral ECDH + AES + MAC).

Q: What is the Routing Indicator in a SUCI?

The Routing Indicator is a 1-4 digit USIM-provisioned value that, with the home network ID, routes the authentication request to the correct UDM/AUSF in the home network.

Q: Is the MCC/MNC encrypted in a SUCI?

No. Only the MSIN is encrypted. The SUPI type, MCC, MNC, routing indicator, scheme ID and key ID stay in the clear for routing.

SUCI string

Hyphen form: suci-<supiType>-<MCC>-<MNC>-<routing>-<scheme>-<hnKeyId>-<output>. Scheme 0 = null (output is the MSIN); 1 = Profile A; 2 = Profile B.

How it worksSUPI, SUCI and concealment

The SUPI (Subscription Permanent Identifier) is the 5G subscriber identity — usually an IMSI (MCC + MNC + MSIN). To stop IMSI catchers, the UE never sends the SUPI in the clear: it sends a SUCI (Subscription Concealed Identifier), in which only the MSIN is encrypted with the home network's public key using ECIES.

SUCI = SUPI Type | Home Network ID (MCC+MNC) | Routing Indicator | Protection Scheme ID | HN Public Key ID | Scheme Output

Scheme 0 = null → output is the MSIN (plain)
Scheme 1 = Profile A → ECIES with Curve25519 (X25519)
Scheme 2 = Profile B → ECIES with NIST P-256 (secp256r1)

Scheme Output (A/B) = eph. public key ‖ ciphertext ‖ MAC tag

The MCC/MNC and Routing Indicator stay in the clear so the visited network can route the SUCI to the right home network and AUSF/UDM, which then de-conceals it back to the SUPI using its private key. Routing Indicator (1–4 digits) is provisioned on the USIM and steers to a specific UDM/AUSF set.

FAQFrequently asked questions

What is the difference between SUPI and SUCI?

SUPI is the permanent 5G subscriber identity (usually an IMSI). SUCI is the privacy-protected version sent over the air, where only the MSIN part is encrypted with the home network's public key (ECIES). The network de-conceals the SUCI back to the SUPI.

What are ECIES Profile A and Profile B?

They are the two SUCI protection schemes in TS 33.501 Annex C. Profile A uses Curve25519 (X25519) and Profile B uses NIST P-256 (secp256r1). Both are ECIES — an ephemeral ECDH key agreement plus AES and a MAC.

What is the Routing Indicator in a SUCI?

A 1–4 digit value provisioned on the USIM that, together with the home network ID, lets the serving network route the authentication request to the correct UDM/AUSF instance in the home network.

Is the MCC/MNC encrypted in a SUCI?

No. The SUPI type, MCC, MNC, routing indicator, scheme ID and key ID are all in the clear so the visited network can route to the home network. Only the MSIN (the subscriber-unique part) is encrypted.

How it worksSUPI, SUCI and concealment

FAQFrequently asked questions

RelatedMore engineering tools