IQF

Identity Query Function

Security
Introduced in Rel-16
The Identity Query Function (IQF) is a 5G network function that provides a privacy-preserving identity verification service. It allows a consuming network function (NF) to query whether a subscriber's concealed identifier (SUCI) corresponds to a valid subscription without learning the permanent subscriber identity (SUPI).

Description

The Identity Query Function (IQF) is a security function introduced in 3GPP Release 16 as part of the enhanced 5G security architecture. It operates within the home Public Land Mobile Network (HPLMN) and serves as a critical privacy safeguard. Its primary role is to process queries about concealed user identities. In 5G, to protect user privacy, the permanent subscriber identifier (SUPI) is never sent in clear text over the air. Instead, the user equipment (UE) sends a Subscription Concealed Identifier (SUCI), which is an encrypted form of the SUPI. The IQF provides a way for other authorized network functions to validate this SUCI without those functions ever being exposed to the plaintext SUPI.

Architecturally, the IQF is a standalone Network Function (NF) that exposes a service-based interface, typically based on HTTP/2. It interacts primarily with the Unified Data Management (UDM) and the Authentication Server Function (AUSF). When a consuming NF, such as a Network Exposure Function (NEF) or a Service Communication Proxy (SCP), receives a service request containing a SUCI, it may need to verify the user's subscription status before proceeding. Instead of decrypting the SUCI itself (which would require the home network's private key), the consuming NF sends an identity query request to the IQF. This request contains the SUCI and the context of the query.

The IQF processes this request by first decrypting the SUCI to retrieve the SUPI. This decryption is performed securely within the IQF's trusted environment using the home network's private key. The IQF then performs a lookup in the UDM to verify the subscription status associated with that SUPI. Crucially, the IQF does not return the SUPI to the requesting NF. Instead, it returns a binary response (e.g., valid/invalid) or a token attesting to the validity of the subscription. This process ensures that the consuming NF can authorize a service request based on a valid identity, while the principle of subscriber identity confidentiality is maintained. The SUPI remains known only to the UE, the AUSF (during authentication), and the UDM/IQF within the home network.
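As an added illustration, not code from the page or from 3GPP, the following Python model walks through the flow just described: the UE conceals its SUPI, the IQF (the only party holding the home network private key) deconceals it, checks a constructed UDM table, and answers with a validity verdict plus an HMAC attestation token bound to the SUCI and query context, while the consuming NF verifies that token without ever seeing the SUPI. The small-prime Diffie-Hellman concealment, the key values, the UDM entries and the token format are all hypothetical stand-ins (real SUCI concealment uses the ECIES profiles of TS 33.501).

```python
import hashlib, hmac, json, secrets

# Toy group (Mersenne prime modulus, generator 2) constructed for this model
# only; 5G SUCI concealment uses the ECIES profiles of TS 33.501, not this.
P = (1 << 127) - 1
G = 2
HN_PRIV = 0x1234_5678_9ABC_DEF0_1122_3344   # home network private key (constructed)
HN_PUB = pow(G, HN_PRIV, P)                # provisioned to UEs

def _keystream(shared: int, n: int) -> bytes:
    """Derive n keystream bytes from the shared secret (stand-in KDF)."""
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def conceal(supi: str) -> dict:
    """UE side: SUCI = ephemeral public value + keystream-encrypted SUPI."""
    eph = secrets.randbelow(P - 2) + 1
    ks = _keystream(pow(HN_PUB, eph, P), len(supi))
    ct = bytes(a ^ b for a, b in zip(supi.encode(), ks))
    return {"eph_pub": pow(G, eph, P), "ct": ct.hex()}

def _attest(key: bytes, suci: dict, context: str, valid: bool) -> str:
    """Token binds the verdict to the SUCI and query context, never to the SUPI."""
    msg = json.dumps({"suci": suci["ct"], "ctx": context, "valid": valid}, sort_keys=True)
    return hmac.new(key, msg.encode(), "sha256").hexdigest()

class IQF:
    """Holds the private key and the UDM view; its answers never carry the SUPI."""
    def __init__(self, udm_subscriptions: dict, token_key: bytes):
        self._udm = udm_subscriptions   # SUPI -> status (constructed UDM data)
        self._token_key = token_key     # shared with consuming NFs for token checks

    def _deconceal(self, suci: dict) -> str:
        ct = bytes.fromhex(suci["ct"])
        ks = _keystream(pow(suci["eph_pub"], HN_PRIV, P), len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode(errors="replace")

    def query(self, suci: dict, context: str) -> dict:
        supi = self._deconceal(suci)                 # the SUPI exists only here
        valid = self._udm.get(supi) == "active"      # UDM lookup on the SUPI
        return {"valid": valid, "token": _attest(self._token_key, suci, context, valid)}

def consumer_verify(resp: dict, suci: dict, context: str, key: bytes) -> bool:
    """Consuming NF side: check the attestation without learning the SUPI."""
    expected = _attest(key, suci, context, resp["valid"])
    return hmac.compare_digest(resp["token"], expected)
```

Each call to conceal() yields a different SUCI for the same SUPI because of the ephemeral value, so a consuming NF cannot even link two queries for the same subscriber.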

Purpose & Motivation

The IQF was created to resolve a tension between service authorization and user privacy in 5G networks. 5G introduced strong subscriber identity privacy by mandating the use of SUCI over the air interface. However, many network services and exposure APIs require knowledge of a user's subscription status to authorize requests. Before the IQF, network functions that needed to validate a user had to either handle the SUCI themselves (compromising the privacy boundary) or rely on indirect methods that were inefficient or insecure. For example, a third-party application server accessing the network via the NEF might receive a SUCI and need to check whether the user is a valid customer.

The IQF provides a standardized, secure, and privacy-preserving solution to this problem. It establishes a clear functional separation: the IQF is the only entity (besides the AUSF during primary authentication) that decrypts SUCI within the network core. This centralizes the handling of the sensitive private key and minimizes the attack surface. It enables new business models and network exposure scenarios where external or internal service providers can verify user legitimacy without learning their permanent identity, thus upholding the stringent privacy requirements of GDPR and similar regulations. The IQF is a key enabler for secure service-based architecture (SBA) operations in scenarios involving concealed identifiers.

Key Features

  • Provides privacy-preserving validation of Subscription Concealed Identifiers (SUCI) without exposing the SUPI
  • Acts as a centralized, trusted function for SUCI decryption using the home network's private key
  • Exposes a service-based interface (e.g., Niqf) for consumption by other authorized Network Functions
  • Returns attestation tokens or binary validity responses to querying entities
  • Enables service authorization for third-party applications and internal NFs while maintaining subscriber identity confidentiality
  • Integrates with the UDM to verify subscription status corresponding to a decrypted SUPI

Evolution Across Releases

Rel-16 Initial

Initial introduction of the Identity Query Function (IQF) as a new 5G core network function. It defined the service-based architecture, the Niqf service-based interface, and its core procedures for receiving SUCI queries, decrypting them, consulting the UDM, and providing privacy-preserving validity responses to consuming network functions.

Defining Specifications

Specification    Title
TS 33.127        3GPP TR 33.127
TS 33.128        3GPP TR 33.128