5G SUCI SUPI GUTI

6/22/2024
3 min read

In 5G networks, security and user identity management have been significantly enhanced to protect users' privacy and data. Three important terms related to user identity and their security mechanisms in 5G are SUCI (Subscription Concealed Identifier), SUPI (Subscription Permanent Identifier), and GUTI (Globally Unique Temporary Identifier). Each of these plays a distinct role in the identification and protection of users during communication sessions.

1. SUPI (Subscription Permanent Identifier)

  • SUPI is a permanent identifier assigned to a mobile subscriber in the 5G system. It is equivalent to the IMSI (International Mobile Subscriber Identity) in 4G networks, which uniquely identifies the subscriber in the network.

  • Format: The SUPI is generally based on the IMSI but can also use other formats depending on the operator's implementation. The SUPI is represented as:

    • Mobile Country Code (MCC) + Mobile Network Code (MNC) + Mobile Subscriber Identifier (MSIN).

Usage:

  • The SUPI is used internally within the network, but it is never transmitted directly over the air to ensure user privacy.

  • Instead of transmitting the SUPI, the 5G system uses the SUCI to protect the user’s identity during the initial attachment and communication setup with the network.

2. SUCI (Subscription Concealed Identifier)

  • SUCI is a privacy-preserving identifier that is derived from the SUPI using encryption. It is used to conceal the SUPI when transmitted over the air between the user’s device (UE) and the network, protecting the user's permanent identity from being exposed to attackers.

How SUCI Works:

  • When a user’s device (UE) needs to attach to the network, it encrypts its SUPI using the public key of its home mobile network operator (MNO). The encrypted identifier is called the SUCI.

  • The encryption is a public-key scheme keyed with the operator’s public key, so only the home network operator, which holds the corresponding private key, can decrypt it.

  • The SUCI is then transmitted from the UE to the network in place of the SUPI, so an attacker who intercepts the message cannot recover the user's permanent identifier from it.

Usage:

  • The network receives the SUCI and decrypts it to obtain the original SUPI during the authentication process.

  • This method enhances privacy compared to 4G, where the IMSI was often transmitted in cleartext, making it vulnerable to attacks like IMSI catchers (fake base stations).
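The concealment and de-concealment steps above, as an added example in Go that is not from the page or any operator's code: it follows the shape of the ECIES profile used for SUCI (X25519 agreement with the home network public key, an X9.63 KDF, AES-128-CTR, a truncated HMAC) and conceals only the MSIN, since the MCC/MNC must stay readable to route the request home. It assumes the home network key pair is handed in by the caller (on a real UE the public key is provisioned on the USIM) and reduces the SUCI envelope to just the scheme output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// X9.63 KDF (SHA-256) as in the 3GPP ECIES profiles: hash(secret || counter || ephemeral
// public key) twice, giving AES-128 key (16 bytes) || initial counter block (16) || MAC key (32).
func kdf(shared, ephPub []byte) []byte {
	k1 := sha256.Sum256(append(append(append([]byte{}, shared...), 0, 0, 0, 1), ephPub...))
	k2 := sha256.Sum256(append(append(append([]byte{}, shared...), 0, 0, 0, 2), ephPub...))
	return append(k1[:], k2[:]...)
}
func aesCTR(key, icb, in []byte) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key selects AES-128
	out := make([]byte, len(in))
	cipher.NewCTR(block, icb).XORKeyStream(out, in)
	return out
}
// tag8 is the 8-byte HMAC-SHA-256 tag over the ciphertext.
func tag8(k, ct []byte) []byte { m := hmac.New(sha256.New, k); m.Write(ct); return m.Sum(nil)[:8] }
// ConcealMSIN (UE side): fresh ephemeral X25519 key, ECDH with the home-network public
// key, then encrypt-then-MAC the MSIN. MCC/MNC are sent in cleartext beside this output.
// Output = ephemeral public key (32) || AES-CTR(MSIN) || tag (8).
func ConcealMSIN(msin string, hnPub *ecdh.PublicKey) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(hnPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	k := kdf(shared, ephPub)
	ct := aesCTR(k[:16], k[16:32], []byte(msin))
	return append(append(ephPub, ct...), tag8(k[32:], ct)...), nil
}
// DeconcealMSIN (home network side, the only holder of hnPriv): verify the MAC before
// releasing the MSIN, so a tampered or mis-keyed SUCI is rejected rather than decrypted.
func DeconcealMSIN(out []byte, hnPriv *ecdh.PrivateKey) (string, error) {
	if len(out) < 40 { return "", errors.New("scheme output too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(out[:32])
	if err != nil { return "", err }
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil { return "", err }
	k, ct, tag := kdf(shared, out[:32]), out[32:len(out)-8], out[len(out)-8:]
	if !hmac.Equal(tag8(k[32:], ct), tag) { return "", errors.New("MAC check failed") }
	return string(aesCTR(k[:16], k[16:32], ct)), nil
}
```

Because the UE draws a new ephemeral key each time, two SUCIs for the same subscriber look unrelated on the air, which is what stops an eavesdropper from matching attach requests to one user.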

3. GUTI (Globally Unique Temporary Identifier)

  • GUTI is a temporary identifier assigned to a user by the 5G network, similar to its role in 4G (EPS-GUTI for LTE). It is used to anonymize the user’s identity during active sessions after initial authentication.

How GUTI Works:

  • Once a user has successfully attached to the 5G network and been authenticated using the SUPI/SUCI process, the network assigns the user a GUTI.

  • The GUTI is used in all subsequent signaling and communication between the UE and the network instead of the SUPI or SUCI. This reduces the frequency at which the SUPI (or SUCI) is used, providing an additional layer of privacy protection.

Structure of GUTI:

  • The GUTI is a globally unique identifier consisting of elements that include:

    • The Mobile Network Code (MNC) and Mobile Country Code (MCC) of the network.

    • The AMF (Access and Mobility Management Function) Identifier, which identifies the specific network function responsible for mobility management.

    • A temporary mobile subscriber identity (5G-TMSI) assigned to the user for session management.

Usage:

  • The GUTI is used for identifying the UE in subsequent communication, such as handovers, paging, and location updates, avoiding the need to repeatedly send the more sensitive SUPI/SUCI.

  • The network periodically changes the GUTI to prevent tracking of users based on a static identifier.

Comparison and Security Enhancements in 5G

  • SUPI is the permanent identity that is kept secure and never directly transmitted over the air, in contrast to the IMSI in 4G, which was sometimes sent unencrypted.

  • SUCI introduces enhanced privacy by ensuring that the SUPI is encrypted when transmitted, protecting the user's identity from eavesdroppers.

  • GUTI continues to be a mechanism for temporary, anonymized identification once the user is authenticated, reducing the use of the permanent identifier (SUPI) in everyday network communications.

Why These Identifiers are Important:

  • Enhanced Privacy: 5G introduces significant improvements in privacy by encrypting the user’s identity (SUPI) before transmission using SUCI. In 4G, the unencrypted IMSI was susceptible to interception by attackers.

  • Better Protection Against Tracking: By assigning temporary identifiers like GUTI for ongoing sessions, the network minimizes the risk of third parties tracking users across different locations or network cells.

  • Secured Communication: The introduction of encryption-based SUCI ensures that only authorized parties (i.e., the mobile network operator) can decrypt and access the user’s real identity, thus securing communication against external threats.

Summary

  • SUPI is the permanent identity of a user in 5G.

  • SUCI is the encrypted version of SUPI, protecting the user’s identity during initial communication.

  • GUTI is a temporary identifier used during active sessions to further anonymize the user’s identity.

These mechanisms together enhance user privacy, security, and the integrity of the 5G network compared to previous generations like 4G.