5G - GUTI

GUTI

GUTI stands for Globally Unique Temporary Identifier. The GUTI is a critical temporary identifier used in 5G (and 4G/LTE) networks to protect the privacy and security of a UE. It serves as a substitute for the UE’s permanent identity (SUPI – Subscription Permanent Identifier) during interactions with the network, ensuring sensitive subscriber information is not transmitted over the air.

  • Privacy Protection: Prevents exposure of the UE’s permanent identifier (SUPI) over radio interfaces.
  • Efficiency: Allows the network to uniquely and temporarily identify the UE during mobility, session management, and authentication procedures.
  • Security: Reduces the risk of tracking or eavesdropping on the UE by using a temporary, reallocatable identity.

GUTI Structure (5G):

The 5G GUTI is structured as follows:

    GUTI = <GUAMI> + <5G-TMSI>

  • GUAMI (Globally Unique AMF ID):
    • Identifies the specific AMF (Access and Mobility Management Function) serving the UE.
    • Composed of:
      • MCC (Mobile Country Code)
      • MNC (Mobile Network Code)
      • AMF Region ID (Identifies the AMF region)
      • AMF Set ID (Identifies an AMF set within the region)
      • AMF Pointer (Identifies a specific AMF within the set)
  • 5G-TMSI (5G Temporary Mobile Subscriber Identity):
    • A unique identifier assigned by the AMF to the UE within the scope of the GUAMI.
    • Typically 32 bits long.

Example: GUTI in Registration Request

    5GS mobile identity:
      5G-GUTI
        MCC = 001
        MNC = 01
        AMF Region ID = 128
        AMF Set ID = 4
        AMF Pointer = 1
        5G-TMSI = 0x32efe46b
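
The fields above can be packed into, and recovered from, the 11-octet value part of the 5GS mobile identity IE. The following is an added example, not code from the original page; it assumes the octet layout of the 5GS mobile identity in 3GPP TS 24.501, and the function names and the PAGE_EXAMPLE bytes are constructed here from the field values shown above.

```python
import struct

TYPE_5G_GUTI = 0b010  # "type of identity" code for 5G-GUTI (low 3 bits of first octet)

# Constructed from the field values in the example above (IE value part only,
# i.e. without the IEI/length octets); not bytes taken from a capture.
PAGE_EXAMPLE = bytes.fromhex("f200f11080010132efe46b")

def _bcd_plmn(mcc: str, mnc: str) -> bytes:
    """Pack MCC/MNC as 3 BCD octets; a 2-digit MNC uses filler 0xF as digit 3."""
    d = [int(c) for c in mcc] + [int(c) for c in mnc]
    mnc3 = d[5] if len(mnc) == 3 else 0xF
    return bytes([d[1] << 4 | d[0], mnc3 << 4 | d[2], d[4] << 4 | d[3]])

def encode_5g_guti(mcc, mnc, region, set_id, pointer, tmsi) -> bytes:
    """Build the identity value: type octet + PLMN + 24-bit AMF ID + 5G-TMSI."""
    if not (0 <= region < 2**8 and 0 <= set_id < 2**10 and 0 <= pointer < 2**6):
        raise ValueError("AMF Region/Set/Pointer out of range (8/10/6 bits)")
    amf_id = region << 16 | set_id << 6 | pointer  # Region | Set | Pointer
    return (bytes([0xF0 | TYPE_5G_GUTI]) + _bcd_plmn(mcc, mnc)
            + amf_id.to_bytes(3, "big") + struct.pack(">I", tmsi))

def decode_5g_guti(value: bytes) -> dict:
    """Split an 11-octet 5G-GUTI identity value back into its fields."""
    if len(value) != 11:
        raise ValueError("5G-GUTI identity value must be 11 octets")
    if value[0] & 0x07 != TYPE_5G_GUTI:
        # SUCI, IMEI, etc. share this IE; refuse to misread them as a GUTI.
        raise ValueError("not a 5G-GUTI (type of identity = %d)" % (value[0] & 0x07))
    mcc = "%d%d%d" % (value[1] & 0xF, value[1] >> 4, value[2] & 0xF)
    mnc = "%d%d" % (value[3] & 0xF, value[3] >> 4)
    if value[2] >> 4 != 0xF:  # third MNC digit present
        mnc += "%d" % (value[2] >> 4)
    amf_id = int.from_bytes(value[4:7], "big")
    return {"mcc": mcc, "mnc": mnc, "amf_region_id": amf_id >> 16,
            "amf_set_id": (amf_id >> 6) & 0x3FF, "amf_pointer": amf_id & 0x3F,
            "tmsi": struct.unpack(">I", value[7:11])[0]}
```
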

Key Aspects of 5G-GUTI

  • Temporary Identity
    • 5G-GUTI is used instead of the permanent SUPI (e.g., IMSI).
    • Helps protect the subscriber’s privacy by minimizing the exposure of permanent identifiers over the air interface.
  • Structure
    • The 5G-GUTI contains two main parts:
      • GUAMI (Globally Unique AMF Identifier) – indicates which AMF is serving the UE.
      • 5G-TMSI – a temporary number unique within that AMF’s scope.
    • This combination ensures the 5G-GUTI is unique globally.
  • Assignment & Update
    • The AMF allocates a 5G-GUTI during initial registration (similar to the “attach” process in LTE).
    • The network can reassign a 5G-GUTI at any time—particularly after location updates or mobility events—to provide additional privacy.
  • Usage in NAS Signaling
    • Once assigned, the 5G-GUTI is used in Non-Access Stratum (NAS) procedures (e.g., registration updates, paging) instead of the SUPI.
    • NAS messages carry this GUTI so the AMF can uniquely identify the UE.
  • Security & Privacy
    • Because the 5G-GUTI is temporary and can change over time, it helps thwart tracking and eavesdropping attempts.
    • It is a core part of 5G’s improved identity protection and aligns with 3GPP security requirements (see 3GPP TS 23.501 and TS 33.501).

How is it used in NAS Signaling?

In 5G networks, the 5G-GUTI (often referred to simply as GUTI) is a temporary identifier that the AMF assigns to a UE. Once assigned, the UE uses this identifier to communicate with the network in subsequent NAS signaling procedures—rather than using its permanent identifier (SUPI, e.g., IMSI).

Initial Registration (Attach)

Registration Request

  • When a UE powers on or moves into a new network area (and does not have a valid GUTI), it sends a Registration Request to the gNB.
  • If the UE already holds a valid GUTI from a previous session, it can include that in the Registration Request (instead of the SUPI) to expedite identification. If no valid GUTI exists, the UE might have to include its SUCI (Subscription Concealed Identifier, which the network can use to derive the SUPI).

Example: When the UE does not have a valid GUTI

    Message: Registration request

    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x0 (Plain 5GS NAS message, not security protected)
    Message type = 0x41 (Registration request)
    5GS registration type:
      Follow-on request bit = 1
      Value = 1 (initial registration)
    ngKSI:
      TSC = 0
      NAS key set identifier = 7
    5GS mobile identity:
      SUCI
        SUPI format = 0 (IMSI)
        MCC = 001
        MNC = 01
        Routing indicator = 0
        Protection scheme id = 0 (Null scheme)
        Home network public key identifier = 0
        MSIN = 0123456789
    UE security capability:
      0xe0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=0, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)
      0xe0 (5G-IA0=1, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=0, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

Example: When the UE already holds a valid GUTI

    Message: Registration request

    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0x4295c610
    Sequence number = 0x2e
    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x0 (Plain 5GS NAS message, not security protected)
    Message type = 0x41 (Registration request)
    5GS registration type:
      Follow-on request bit = 1
      Value = 1 (initial registration)
    ngKSI:
      TSC = 0
      NAS key set identifier = 6
    5GS mobile identity:
      5G-GUTI
        MCC = 001
        MNC = 01
        AMF Region ID = 128
        AMF Set ID = 4
        AMF Pointer = 1
        5G-TMSI = 0x32efe46b
    UE security capability:
      0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)
      0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)
      0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)
      0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)
    NAS message container:
      Protocol discriminator = 0x7e (5GS Mobility Management)
      Security header = 0x0 (Plain 5GS NAS message, not security protected)
      Message type = 0x41 (Registration request)
      5GS registration type:
        Follow-on request bit = 1
        Value = 1 (initial registration)
      ngKSI:
        TSC = 0
        NAS key set identifier = 6
      5GS mobile identity:
        5G-GUTI
          MCC = 001
          MNC = 01
          AMF Region ID = 128
          AMF Set ID = 4
          AMF Pointer = 1
          5G-TMSI = 0x32efe46b
      5GMM capability:
        0x03 (SGC=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=0, LPP=0, HO attach=1, S1 mode=1)
      UE security capability:
        0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)
        0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)
        0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)
        0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)
      Requested NSSAI:
        S-NSSAI
          Length of S-NSSAI contents = 1 (SST)
          SST = 0x01
      Last visited registered TAI:
        MCC = 001
        MNC = 01
        TAC = 0x000064
      S1 UE network capability:
        0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)
        0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)
        0xc0 (UEA0=1, UEA1=1, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)
        0x40 (UCS2=0, UIA1=1, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)
        0x19 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=1, LPP=1, LCS=0, 1xSRVCC=0, NF=1)
        0x80 (ePCO=1, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=0, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)
        0xb0 (15 bearers=1, SGC=0, N1mode=1, DCNR=1, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)
      UE's usage setting = 0x01 (Data centric)
      LADN indication:
        Length = 0
        Data =
      Network slicing indication = 0x00 (DCNI=0, NSSCI=0)
      5GS update type = 0x01 (EPS-PNB-CIoT=no additional information, 5GS-PNB-CIoT=no additional information, NG-RAN-RCU=0, SMS requested=1)

Registration Accept

  • The AMF processes the request, establishes a security context, and then assigns (or reassigns) a 5G-GUTI.
  • The new 5G-GUTI is included in the Registration Accept message and delivered to the UE via the gNB.

Example

    Message: Registration accept

    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0xeab2c7d4
    Sequence number = 0x01
    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x0 (Plain 5GS NAS message, not security protected)
    Message type = 0x42 (Registration accept)
    5GS registration result = 0x09 (Disaster roaming registration result=0, Emergency registered=0, NSSAA to be performed=0, SMS allowed=1, 3GPP access)
    5G-GUTI:
      5G-GUTI
        MCC = 001
        MNC = 01
        AMF Region ID = 128
        AMF Set ID = 4
        AMF Pointer = 1
        5G-TMSI = 0xe216d4e9
    TAI list:
      Length = 7
      Data = 00 00 f1 10 00 00 64
    Allowed NSSAI:
      S-NSSAI
        Length of S-NSSAI contents = 1 (SST)
        SST = 0x01
    Configured NSSAI:
      S-NSSAI
        Length of S-NSSAI contents = 1 (SST)
        SST = 0x01
    5GS network feature support:
      0x03 (MPSI=0, IWK N26=0, EMF=not supported, EMC=not supported, IMS-VoPS-N3GPP=1, IMS-VoPS-3GPP=1)
      0x00 (5G-UP CIoT=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=both CE mode A and CE mode B are not restricted, MCSI=0, EMCN3=0)
    T3512 value:
      Value = 30
      Unit = 5 (1 minute)
    Emergency number list:
      Length = 8
      Data = 03 1f 19 f1 03 1f 11 f2

UE Context Creation

  • From that point on, the AMF uses the 5G-GUTI to track the UE’s NAS signaling context (mobility management, session management, etc.).

Subsequent NAS Procedures

Once the UE has a valid GUTI, it uses that GUTI in all subsequent NAS messages to avoid exposing its permanent identity. Examples include:

Service Request

  • When the UE is in idle state and wants to send data or respond to paging, it issues a Service Request.
  • The UE includes the 5G-GUTI to identify itself, so the AMF can quickly retrieve the correct UE context.

Registration Update (Periodic or Mobility-Based)

  • If the UE needs to update its registration (e.g., moving to a new TA—Tracking Area—outside its current Registration Area), it sends a Registration Update Request.
  • The UE includes its 5G-GUTI, allowing the AMF to identify the existing UE context.

Security Procedures

  • With an established NAS security context (integrity protection and ciphering), the GUTI is included in encrypted and/or integrity-protected NAS messages, preventing third parties from discovering the UE’s permanent identity.

GUTI Re-Allocation / Re-Assignment

To further protect the subscriber’s privacy and prevent long-term correlation:

  • The AMF may reassign a new 5G-GUTI to the UE at any time (e.g., after a Registration Update, periodically, or due to certain mobility events).
  • This mechanism works much like TMSI reallocation in LTE; it helps thwart efforts to track a UE over long periods based on a single temporary identifier.
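
Whether an AMF under test actually rotates the identifier can be checked from decoded traces. The following is an added example, not code from the original page: it reads a dump in the layout used above and flags a Registration Accept that hands back the 5G-TMSI the UE just presented, and any 5G-TMSI the UE presents more often than a threshold. SAMPLE_TRACE is constructed, and max_uses is an assumed local policy value, not a 3GPP figure.

```python
import re

MSG_RE = re.compile(r"Message:\s*(.+)")
TMSI_RE = re.compile(r"5G-TMSI\s*=\s*0x([0-9a-fA-F]{8})")

# Constructed trace excerpt in this page's dump layout (not a real capture).
SAMPLE_TRACE = """
Message: Registration request
        5G-TMSI = 0x32efe46b
Message: Registration accept
        5G-TMSI = 0xe216d4e9
Message: Service request
        5G-TMSI = 0xe216d4e9
Message: Registration request
        5G-TMSI = 0xe216d4e9
Message: Registration accept
        5G-TMSI = 0xe216d4e9
"""

def parse_trace(text):
    """Return [(message name, first 5G-TMSI in that message or None)]."""
    events = []
    for line in text.splitlines():
        msg = MSG_RE.search(line)
        if msg:
            events.append([msg.group(1).strip().lower(), None])
            continue
        tmsi = TMSI_RE.search(line)
        # Keep only the first hit: the NAS message container repeats the identity.
        if tmsi and events and events[-1][1] is None:
            events[-1][1] = int(tmsi.group(1), 16)
    return [tuple(e) for e in events]

def audit_reallocation(events, max_uses=1):
    """Flag accepts that re-issue the presented 5G-TMSI, and over-used 5G-TMSIs."""
    findings, uses, presented = [], {}, None
    for idx, (name, tmsi) in enumerate(events):
        if tmsi is None:
            continue  # e.g. an accept without a 5G-GUTI: the old identity stays in use
        if name.endswith("accept"):
            if tmsi == presented:
                findings.append((idx, "accept re-issued presented 5G-TMSI", tmsi))
        else:
            presented = tmsi
            uses[tmsi] = uses.get(tmsi, 0) + 1
            if uses[tmsi] == max_uses + 1:  # report each identity once
                findings.append((idx, "5G-TMSI presented more than max_uses times", tmsi))
    return findings
```
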

Handling Unknown or Invalid GUTI

  • If the UE’s stored 5G-GUTI has become invalid or unknown to the network (e.g., the AMF lost context, the UE changed serving AMFs without a proper handover procedure, etc.), the network may request the UE’s SUCI.
  • The UE then provides a secured version of its SUPI (the SUCI), which the network uses to re-establish the user’s identity and assign a fresh GUTI.
