5G/NR  

 

 

 

UE IDs

The UE ID in a 5G network is used to uniquely identify the UE and establish secure communication between the UE and the network. The UE ID can be a temporary identifier (SUCI) or a permanent identifier (SUPI), and it is used in various network procedures, such as registration, authentication, and key agreement.

Basically, the intended role of the UE ID is the same in 5G as in legacy technologies (4G, 3G, etc.), but the UE IDs in 5G are extended and enhanced to compensate for various issues and vulnerabilities observed in previous technologies.

In this note, I want to talk about what type of new UE IDs are introduced in 5G and how they can handle various issues we faced in previous technology.

Types of UE IDs

There are many different types of UE IDs in 5G. A simple way to see them is to look at the list of UE IDs that can be used in the 5G Registration message, listed below. Some of the IDs are the same as in 4G (e.g., IMEI, IMEISV), but most of the others are new types introduced in 5G (e.g., SUCI, 5G-GUTI).

    SUCI
      SUCI (SUPI Format = IMSI)
        mcc
        mnc
        Routing Indicator (16 bit, 4 digit)
        Protection scheme Id (4 bit)
        Home network public key identifier (8 bit)
        Scheme output (n Bytes)
      SUCI (SUPI Format = Network specific identifier)
        Type of identity (3 bit)
        SUCI NAI (n bytes)
    5G-GUTI
      mcc
      mnc
      AMF Region ID (8 bit)
      AMF Set ID (10 bit)
      AMF Pointer (6 bit)
      5G-TMSI (32 bit)
    IMEI
    5G-S-TMSI
      AMF Set ID (8 bit)
      AMF Pointer (8 bit)
      5G-TMSI (32 bit)
    IMEISV

International Mobile Subscriber Identity (IMSI): This is a unique identifier assigned to a mobile device that is used to identify the device and its associated subscription information. The IMSI is typically stored on the SIM card and is used during initial registration and authentication with the mobile network.

Temporary Mobile Subscriber Identity (TMSI): This is a temporary identifier assigned to a mobile device by the network to protect the device's identity during normal operation. The TMSI is used instead of the IMSI to reduce signaling overhead and improve security.

5G Globally Unique Temporary Identity (5G-GUTI): This is a temporary identifier used in 5G networks to identify a mobile device and its associated subscription information. The 5G-GUTI is used instead of the IMSI to protect the device's identity and provide improved security and privacy.

    NOTE : We have GUTI in 4G as well. What are the differences between 4G GUTI and 5G GUTI ?

    The main difference between 4G GUTI and 5G GUTI is that the 5G GUTI contains a temporary identifier (SUCI) that provides enhanced security and privacy features, while the 4G GUTI contains the IMSI which can be used to track a user's location and identity. Additionally, the 5G GUTI is used to identify the UE within a specific network slice, while the 4G GUTI is used to identify the UE within a specific PLMN.

International Mobile Equipment Identity (IMEI): This is a unique identifier assigned to a mobile device by the manufacturer. The IMEI is used to identify the device and is used for purposes such as blocking stolen devices from accessing the network.

Subscription Permanent Identifier (SUPI) : This is a unique identifier used to represent a subscriber's permanent identity in a 5G network. It replaces the IMSI used in 4G networks and is designed to provide enhanced privacy and security features.

Subscription Concealed Identifier (SUCI) : This is a temporary identifier used to conceal the subscriber's permanent identity (SUPI) in a 5G network. It is used for authentication and authorization purposes and provides improved security and privacy features compared to the IMSI used in 4G networks.

The main differences among these IDs are the purpose for which they are used and their scope of use. The IMSI and TMSI are primarily used by the network to identify and authenticate the device, while the 5G-GUTI provides improved security and privacy. The IMEI is used by the network to identify the device and may be used for additional purposes such as blocking stolen devices. Each of these IDs has its own unique characteristics and advantages, and their use may vary depending on the specific requirements of the network and the device.

Differences between 4G UE ID and 5G UE ID ?

In general, the 5G UE ID is more complex and provides improved security and privacy compared to the 4G UE ID. The main reasons behind these differences are the differences in network architecture and the motivation for improved security protection. The following are some of the important differences between 4G UE ID and 5G UE ID.

Format: 4G UE ID is usually made up of simple information assigned by the manufacturer (e.g., IMEI) and the network operator (e.g., IMSI). On the other hand, 5G UE ID is a combination of several identifiers, including the 5G-GUTI (5G Globally Unique Temporary Identity) and the 5G-S-TMSI (5G S-Temporary Mobile Subscriber Identity), which are assigned by the network.

Security: 5G UE ID provides enhanced security and privacy compared to 4G UE ID. In 5G networks, the 5G-GUTI is used as a temporary identifier to protect the UE's identity and prevent tracking. Additionally, 5G networks use stronger encryption algorithms than 4G networks, which further enhance security.

    NOTE : An example of a security vulnerability in 4G is the use of the IMSI at the early stage of the registration process (e.g., before authentication and key agreement). In 5G, SUPI is the counterpart of the IMSI in previous technologies, but 5G does not allow the SUPI to be used even before authentication and key agreement. 5G does not allow the SUPI to be sent as plain text; it uses an encrypted version called SUCI.

    NOTE : Refer to How SUPI turn into SUCI section for further details on this.

Network Architecture: 5G networks have a different network architecture than 4G networks, which also affects the UE ID. In 5G networks, the UE ID is used to identify the UE and its associated subscription information in a specific network slice, while in 4G networks, the UE ID is used to identify the UE and its associated subscription information in a specific PLMN (Public Land Mobile Network).

Network Services: 5G networks provide new services such as network slicing and edge computing that require the UE to be identified in a specific network slice. In contrast, 4G networks provide services such as voice and data that do not require the same level of UE identification.

How SUPI turn into SUCI ?

Now I understand a few important things about SUCI as listed below.

  • 5G does not allow the SUPI to be exchanged directly over the air, since it could easily be captured by attackers.
  • So the SUPI is encrypted first and the encrypted information is transmitted over the air. That encrypted version of the SUPI is called SUCI.
  • Usually (but not always) this SUCI is transmitted from the UE to the network via RegistrationRequest.

Now a question arises in my mind. RegistrationRequest is the first NAS message from the UE to the network, and there is no information shared between the UE and the network at this point. How can the network decrypt the SUCI into the SUPI when it receives it?

In simple words, the logic is similar to the authentication process. It can be described briefly as below.

  • The UE encrypts the SUPI using a predefined algorithm known to both the UE and the network. The UE can select an algorithm from the list below. (NOTE : you will notice that an operator can define its own algorithm if it wants. Of course, in that case the operator needs to provision the algorithm in the USIM and the decryption algorithm in its core network.)
    • Null scheme
    • ECIES scheme profile A
    • ECIES scheme profile B
    • Operator-specific protection scheme
  • The UE sends the encrypted data and some additional information required for decoding in the RegistrationRequest message (or IdentityInformation if requested by the network).
  • The network decrypts the SUCI into plain text using the data and the information contained in the SUCI it receives (NOTE : This decryption happens in the UDM. SUCI de-concealment is one of the UDM functionalities (23.501-6.2.7)).

Now let's look into this process in a little more detail. I am not an expert in encryption, so I will just write down an overview of the process; I do not have detailed knowledge of the encryption and decryption algorithms themselves.

Overall signaling flow with SUCI can be illustrated as below.

What's happening on UE side ?

Inside the UE, the SUPI is encrypted into the concealed form called SUCI. The UE can use one algorithm from a short list of predefined algorithms. The following illustration gives an overview of the ECIES-based encryption that happens in the UE.

< 33.501-Figure C.3.2-1: Encryption based on ECIES at UE >

What's happening on Network side ?

Once the SUCI has been transmitted by the UE and received by the network, the network has to decode it using the scheme that the UE indicated in the Protection Scheme ID information element. The following illustration gives an overview of the ECIES-based decryption that happens in the network.

< 33.501-Figure C.3.3-1: Decryption based on ECIES at home network >
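
The UE-side concealment and home-network-side de-concealment described in the two sections above, as an added Python example that is not from the original page. It assumes the ECIES profile A parameters of TS 33.501 Annex C (X25519 key agreement, ANSI X9.63 KDF with SHA-256, AES-128 in CTR mode, HMAC-SHA-256 truncated to 8 bytes), which the page does not spell out, a home network key pair generated here for the demonstration, and the third-party `cryptography` package; all function names are hypothetical.

```python
import hashlib, hmac
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

MAC_LEN = 8  # HMAC-SHA-256 truncated to 64 bits (profile A, assumed from TS 33.501)

def raw_public(private_key):
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def _keys(shared_secret, eph_pub):
    # ANSI X9.63 KDF; the ephemeral public key is the SharedInfo input.
    k = X963KDF(hashes.SHA256(), 64, eph_pub).derive(shared_secret)
    return k[:16], k[16:32], k[32:]  # AES-128 key, initial counter block, MAC key

def _aes_ctr(key, icb, data):
    ctx = Cipher(algorithms.AES(key), modes.CTR(icb)).encryptor()
    return ctx.update(data) + ctx.finalize()

def _tag(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:MAC_LEN]

def conceal(msin_bcd, hn_public_raw):
    """UE side: return scheme output = ephemeral public key || ciphertext || MAC tag."""
    eph = X25519PrivateKey.generate()          # fresh key pair for every SUCI
    eph_pub = raw_public(eph)
    shared = eph.exchange(X25519PublicKey.from_public_bytes(hn_public_raw))
    enc_key, icb, mac_key = _keys(shared, eph_pub)
    ciphertext = _aes_ctr(enc_key, icb, msin_bcd)
    return eph_pub + ciphertext + _tag(mac_key, ciphertext)

def deconceal(scheme_output, hn_private):
    """Home network side: verify the MAC tag, then decrypt back to the MSIN."""
    if len(scheme_output) <= 32 + MAC_LEN:
        raise ValueError("scheme output too short")
    eph_pub, ciphertext = scheme_output[:32], scheme_output[32:-MAC_LEN]
    shared = hn_private.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    enc_key, icb, mac_key = _keys(shared, eph_pub)
    if not hmac.compare_digest(_tag(mac_key, ciphertext), scheme_output[-MAC_LEN:]):
        raise ValueError("MAC tag mismatch: SUCI rejected")
    return _aes_ctr(enc_key, icb, ciphertext)

if __name__ == "__main__":
    hn_private = X25519PrivateKey.generate()   # constructed home network key pair
    out = conceal(bytes.fromhex("1032547698"), raw_public(hn_private))
    print(len(out), deconceal(out, hn_private).hex())
```

Because the ephemeral key pair is regenerated for every call, two SUCIs computed from the same SUPI do not match each other, which is what prevents tracking by comparing concealed identifiers.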

RegistrationRequest / RegistrationAccept

Once the UE has encrypted the SUPI into the SUCI, it sends it to the network via the RegistrationRequest message in the 5GS mobile identity. NOTE : In terms of 3GPP, it is not mandatory for the UE to use SUCI. It is allowed to use any of the UE ID types shown here. Which type of ID should be used is determined by the requirements of the network operator and the USIM configuration.

    SUCI
      SUCI (SUPI Format = IMSI)
        mcc
        mnc
        Routing Indicator (16 bit, 4 digit)
        Protection scheme Id (4 bit)
        Home network public key identifier (8 bit)
        Scheme output (n Bytes)
      SUCI (SUPI Format = Network specific identifier)
        Type of identity (3 bit)
        SUCI NAI (n bytes)
    5G-GUTI
      mcc
      mnc
      AMF Region ID (8 bit)
      AMF Set ID (10 bit)
      AMF Pointer (6 bit)
      5G-TMSI (32 bit)
    IMEI
    5G-S-TMSI
      AMF Set ID (8 bit)
      AMF Pointer (8 bit)
      5G-TMSI (32 bit)
    IMEISV

IdentityRequest

If the UE has not used SUCI in RegistrationRequest and the network wants to know the SUCI, the network can request the UE to provide it by sending an IdentityRequest with SUCI.

    Bits
    3 2 1
    0 0 1   SUCI
    0 1 0   5G-GUTI
    0 1 1   IMEI
    1 0 0   5G-S-TMSI
    1 0 1   IMEISV
    1 1 0   MAC address
    1 1 1   EUI-64

IdentityResponse with SUCI

If the network requests the UE to send the SUCI via IdentityRequest, the UE should send an IdentityResponse with the SUCI in the format shown below.

    SUCI
      SUCI (SUPI Format = IMSI)
        mcc
        mnc
        Routing Indicator (16 bit, 4 digit)
        Protection scheme Id (4 bit)
        Home network public key identifier (8 bit)
        Scheme output (n Bytes)
      SUCI (SUPI Format = Network specific identifier)
        Type of identity (3 bit)
        SUCI NAI (n bytes)

Quote from 24.501-Table 9.11.3.4.1: 5GS mobile identity information element

Protection scheme identifier (octet 10 bits 1 to 4)

    Bits
    4 3 2 1
    0 0 0 0   Null scheme
    0 0 0 1   ECIES scheme profile A
    0 0 1 0   ECIES scheme profile B
    0 0 1 1
      to      Reserved
    1 0 1 1
    1 1 0 0
      to      Operator-specific protection scheme
    1 1 1 1

Bits 5-8 of octet 10 are spare and shall be coded as zero.

Home network public key identifier (octet 10)

The Home network public key identifier (PKI) field is coded as defined in 3GPP TS 23.003. Home network public key identifier shall be coded as "00000000" when Protection scheme identifier is set to "0000" (i.e. Null scheme).

    Bits
    8 7 6 5 4 3 2 1
    0 0 0 0 0 0 0 0   Home network PKI value 0
    0 0 0 0 0 0 0 1
          to          Home network PKI value (1-254)
    1 1 1 1 1 1 1 0
    1 1 1 1 1 1 1 1   Reserved

Scheme output (octets 12 to x)

The Scheme output field consists of a string of characters with a variable length or hexadecimal digits as specified in 3GPP TS 23.003. If Protection scheme identifier is set to "0000" (i.e. Null scheme), then the Scheme output consists of the MSIN and is coded using BCD coding with each digit of the MSIN coded over 4 bits. If the MSIN includes an odd number of digits, bits 5 to 8 of octet x shall be coded as "1111". If Protection scheme identifier is not "0000" (i.e. ECIES scheme profile A, ECIES scheme profile B or Operator-specific protection scheme), then Scheme output is coded as hexadecimal digits.

For the SUCI with SUPI format set to "Network specific identifier", the SUCI NAI field contains an NAI constructed as specified in subclause 28.7.3 of 3GPP TS 23.003 and encoded as UTF-8 string.

For the SUCI with SUPI format set to "GCI", the SUCI NAI field contains an NAI constructed as specified in subclause 28.15.5 of 3GPP TS 23.003 and encoded as UTF-8 string.

For the SUCI with SUPI format set to "GLI", the SUCI NAI field contains an NAI constructed as specified in subclause 28.16.5 of 3GPP TS 23.003 and encoded as UTF-8 string.

For the 5G-S-TMSI, bits 5 to 8 of octet 4 are coded as "1111". The coding of the 5G-STMSI is left open for each administration.

NOTE : For the full log with Amarisoft WebGUI, check out this tutorial of Amarisoft TechAcademy.

Example 01 >  SUCI with ECIES-A in RegistrationRequest

Following is an example of SUCI being used in real communication between UE and a Network.  (NOTE : This is an example from Amarisoft Callbox and Amarisoft UEsim)

    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x0 (Plain 5GS NAS message, not security protected)
    Message type = 0x41 (Registration request)
    5GS registration type:
      Follow-on request bit = 1
      Value = 1 (initial registration)
    ngKSI:
      TSC = 0
      NAS key set identifier = 7
    5GS mobile identity:
      SUCI
        SUPI format = 0 (IMSI)
        MCC = 001
        MNC = 01
        Routing indicator = 0
        Protection sheme id = 1 (ECIES scheme profile A)
        Home network public key identifier = 2
        ECC ephemeral public key = 0x13e1feffd2e39a0674efe37ab493bb4bb8a0a338077b28ef294e247709907350
        Ciphertext = 0x294a3f4f32
        MAC tag = 0xd08cab25fd4f58f3
    UE security capability:
      0xe0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=0, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)
      0xe0 (5G-IA0=1, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=0, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

Example 02 > SUCI with Null Algorithm in Identity Response

Following is an example of SUCI being used in real communication between UE and a Network.  (NOTE : This is an example from Amarisoft Callbox and Commercial UE)

    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0xd6ead5fa
    Sequence number = 0x0a
    Protocol discriminator = 0x7e (5GS Mobility Management)
    Security header = 0x0 (Plain 5GS NAS message, not security protected)
    Message type = 0x5c (Identity response)
    Mobile identity:
      SUCI
        SUPI format = 0 (IMSI)
        MCC = 001
        MNC = 01
        Routing indicator = 0
        Protection sheme id = 0 (Null scheme)
        Home network public key identifier = 0
        MSIN = 0123456789
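
The two examples above can be decoded from raw bytes with a small parser, given here as an added Python example that is not part of the original page or of the Amarisoft tooling. The octet offsets are an assumption based on the 5GS mobile identity layout in TS 24.501, the header bytes are constructed to match the decoded logs, and the function names are hypothetical. It also flags a SUCI that uses the Null scheme, since in that case the MSIN crosses the air interface in clear, as Example 02 shows.

```python
SCHEMES = {0: "Null scheme", 1: "ECIES scheme profile A", 2: "ECIES scheme profile B"}
EPH_KEY_LEN = {1: 32, 2: 33}  # assumed ephemeral key sizes (TS 33.501 Annex C)
MAC_LEN = 8                   # assumed MAC tag size; matches Example 01

def nibbles(data):
    """Split octets into 4-bit values, low nibble first (BCD digit order)."""
    return [n for b in data for n in (b & 0x0F, b >> 4)]

def digits(nibs):
    """Render BCD nibbles as a digit string, dropping 0xF filler."""
    kept = [n for n in nibs if n != 0xF]
    if any(n > 9 for n in kept):
        raise ValueError("invalid BCD digit")
    return "".join(map(str, kept))

def scheme_name(sid):
    other = "Operator-specific protection scheme" if sid >= 12 else "Reserved"
    return SCHEMES.get(sid, other)

def parse_suci(value):
    """Parse a SUCI (SUPI format = IMSI) starting at the type-of-identity octet."""
    if len(value) < 8:
        raise ValueError("truncated SUCI")
    if value[0] & 0x07 != 0b001 or (value[0] >> 4) & 0x07 != 0:
        raise ValueError("not a SUCI in IMSI format")
    n = nibbles(value[1:4])  # order: MCC1 MCC2 MCC3 MNC3 MNC1 MNC2
    sid, out = value[6] & 0x0F, value[8:]
    info = {"mcc": digits(n[:3]), "mnc": digits([n[4], n[5], n[3]]),
            "routing_indicator": digits(nibbles(value[4:6])),
            "scheme": scheme_name(sid), "hn_pki": value[7], "supi_exposed": None}
    if sid == 0:  # Null scheme: scheme output is the BCD-coded MSIN itself
        info.update(msin=digits(nibbles(out)), supi_exposed=True)
    elif sid in EPH_KEY_LEN:
        k = EPH_KEY_LEN[sid]
        if len(out) <= k + MAC_LEN:
            raise ValueError("scheme output too short")
        info.update(eph_pub=out[:k].hex(), ciphertext=out[k:-MAC_LEN].hex(),
                    mac_tag=out[-MAC_LEN:].hex(), supi_exposed=False)
    else:
        info["scheme_output"] = out.hex()
    return info

HDR = "01" "00f110" "f0ff"  # constructed: SUCI/IMSI, MCC 001, MNC 01, routing ind. 0
EX01 = bytes.fromhex(HDR + "0102" + "13e1feffd2e39a0674efe37ab493bb4b"
                     "b8a0a338077b28ef294e247709907350" "294a3f4f32" "d08cab25fd4f58f3")
EX02 = bytes.fromhex(HDR + "0000" + "1032547698")

if __name__ == "__main__":
    print(parse_suci(EX01), parse_suci(EX02), sep="\n")
```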
