Description
The Identity Query Function (IQF) is a security function introduced in 3GPP Release 16 as part of the enhanced 5G security architecture. It operates within the home Public Land Mobile Network (HPLMN) and serves as a critical privacy safeguard. Its primary role is to process queries about concealed user identities. In 5G, to protect user privacy, the permanent subscriber identifier (SUPI) is never sent in clear text over the air. Instead, the UE sends a Subscription Concealed Identifier (SUCI), which is an encrypted form of the SUPI. The IQF provides a way for other authorized network functions to validate this SUCI without those functions ever being exposed to the plaintext SUPI.
Architecturally, the IQF is a standalone Network Function (NF) that exposes a service-based interface, typically based on HTTP/2. It interacts primarily with the Unified Data Management (UDM) and the Authentication Server Function (AUSF). When a consuming NF (such as a Network Exposure Function (NEF) or a Service Communication Proxy (SCP)) receives a service request containing a SUCI, it may need to verify the user's subscription status before proceeding. Instead of decrypting the SUCI itself (which would require the home network's private key), the consuming NF sends an identity query request to the IQF. This request contains the SUCI and the context of the query.
The IQF processes this request by first decrypting the SUCI to retrieve the SUPI. This decryption is performed securely within the IQF's trusted environment using the home network's private key. The IQF then performs a lookup in the UDM to verify the subscription status associated with that SUPI. Crucially, the IQF does not return the SUPI to the requesting NF. Instead, it returns a binary response (e.g., valid/invalid) or a token attesting to the validity of the subscription. This process ensures that the consuming NF can authorize a service request based on a valid identity, while the principle of subscriber identity confidentiality is maintained. The SUPI remains known only to the UE, the AUSF (during authentication), and the UDM/IQF within the home network.
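As an added illustration, not code from this page or from 3GPP, the Python below simulates the query flow just described: the requesting NF hands over a SUCI plus a query context, the simulated IQF de-conceals it only internally, looks the SUPI up in a constructed subscription table, and answers with a verdict and a keyed token that never carries the SUPI. It assumes the IMSI-based SUCI string layout of TS 23.003 and resolves only the null protection scheme (scheme id 0, MSIN sent in clear), so no crypto library is needed; ECIES-protected SUCIs are refused rather than faked.

```python
import hashlib
import hmac
import secrets

# Constructed home-network subscription table keyed by SUPI (values made up).
SUBSCRIPTIONS = {
    "imsi-234150123456789": {"status": "active"},
    "imsi-234150987654321": {"status": "barred"},
}
# Constructed per-instance key; only used to sign attestation tokens.
TOKEN_KEY = secrets.token_bytes(32)


def parse_suci(suci: str) -> dict:
    """Split an IMSI-based SUCI string (layout assumed from TS 23.003):
    suci-<supi type>-<mcc>-<mnc>-<routing ind>-<scheme id>-<key id>-<output>"""
    parts = suci.split("-", 7)
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not an IMSI-based SUCI string")
    return {"supi_type": int(parts[1]), "mcc": parts[2], "mnc": parts[3],
            "routing_indicator": parts[4], "scheme_id": int(parts[5]),
            "hn_key_id": int(parts[6]), "scheme_output": parts[7]}


def deconceal(suci: str) -> str:
    """Recover the SUPI. Only the null scheme (MSIN in clear) is handled;
    ECIES profiles A/B would need the home-network private key."""
    f = parse_suci(suci)
    if f["supi_type"] != 0:
        raise ValueError("only IMSI-type SUPI handled in this example")
    if f["scheme_id"] != 0:
        raise NotImplementedError("ECIES de-concealment not implemented here")
    return f"imsi-{f['mcc']}{f['mnc']}{f['scheme_output']}"


def identity_query(suci: str, context: str) -> dict:
    """IQF-style answer: validity verdict plus a token bound to the query
    context. The SUPI drives the lookup but is never placed in the response."""
    try:
        supi = deconceal(suci)
    except (ValueError, NotImplementedError):
        return {"valid": False, "reason": "unresolvable-suci"}
    sub = SUBSCRIPTIONS.get(supi)
    valid = sub is not None and sub["status"] == "active"
    msg = f"{context}|{suci}|{int(valid)}".encode()
    token = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
    return {"valid": valid, "token": token}
```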
Purpose & Motivation
The IQF was created to resolve a tension between service authorization and user privacy in 5G networks. 5G introduced strong subscriber identity privacy by mandating the use of SUCI over the air interface. However, many network services and exposure APIs require knowledge of a user's subscription status to authorize requests. Prior to IQF, network functions that needed to validate a user had to either handle the SUCI themselves (compromising the privacy boundary) or rely on indirect methods that were inefficient or insecure. For example, a third-party application server accessing the network via the NEF might receive a SUCI and need to check if the user is a valid customer.
The IQF provides a standardized, secure, and privacy-preserving solution to this problem. It establishes a clear functional separation: the IQF is the only entity (besides the AUSF during primary authentication) that decrypts SUCI within the network core. This centralizes the handling of the sensitive private key and minimizes the attack surface. It enables new business models and network exposure scenarios where external or internal service providers can verify user legitimacy without learning their permanent identity, thus upholding the stringent privacy requirements of GDPR and similar regulations. The IQF is a key enabler for secure service-based architecture (SBA) operations in scenarios involving concealed identifiers.
Detected Changes Across Releases from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (17 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the Identifier Query Function (IQF) was formally introduced as a dedicated function within the ADMF, responsible for handling real-time Law Enforcement Agency (LEA) queries for identifier associations. It was defined with specific interfaces: the LI_HIQR interface for receiving queries from and returning responses to the LEA, and the LI_XQR interface for querying the ICF (Identifier Correlation Function). This introduction supported new capabilities like handling queries based on temporary identifiers and location information, as indicated by the related work on "Start of interception - Reporting SUCI."
- Start of interception - Reporting SUCI (TS 33.128 CR0046)
In Release 16, the IQF function was enhanced with clarifications and corrections for handling identity associations, specifically refining the procedures and information exchanged over the LI_XQR and LI_HIQR interfaces used for identifier association queries. This included fixes for target identity extensions and corrections for scenarios involving unauthenticated or unsuccessful registration SUPI reporting. The updates ensured more precise management of identifier queries between the LICF, IQF, ICF, and the LEA.
In Release 17, the IQF function saw clarifications and corrections focused on terminology and parameter definitions to ensure consistency and completeness. Specifically, this included resolving inconsistent use of terms like "identity" and "identifier" within the context of identifier association and adding a missing "Owner" field to the IdentityAssociationTargetIdentifier parameter. These refinements standardized the IQF's role in handling queries over the LI_HIQR and LI_XQR interfaces for lawful interception identifier associations.
- Inconsistent use of IEF, ICF and IQF terminology (TS 33.127 CR0165)
- Inconsistent use of the terms "identity" and "identifier" in context with the topic "identifier association" (TS 33.128 CR0336)
- Missing "Owner" field in the IdentityAssociationTargetIdentifier parameter definition (TS 33.128 CR0295)
- Corrections on SUCI coding (TS 33.128 CR0299)
In Release 18, the IQF was enhanced to include Cell Site Information in its responses to LEA queries over the LI_HIQR interface, providing location context for identifier associations. Furthermore, the LI_HIQR interface was updated to optionally support identity association requests without the ObservedTime parameter, increasing flexibility for P2T (Person-to-Target) queries. These changes augmented the IQF's real-time query response capabilities with more granular network-based location data and broader request compatibility.
- Location Reporting for Identity Association Record (TS 33.128 CR0376)
- LI_HIQR: Adding option to support P2T identity association requests without ObservedTime parameter (TS 33.128 CR0614)
- Addition of Cell Site Information for IQF responses (TS 33.127 CR0245)
- Addition of Cell Site Information for IQF responses (TS 33.128 CR0668)
- Addition of missing parameters to SUCI definition (TS 33.128 CR0595)
In Release 19, the IQF (Identity Query Function) was enhanced to support GPSI/PEI-based identifier association queries for Lawful Interception. This new capability, defined in both Stage 2 and Stage 3 specifications, allows a Law Enforcement Agency (LEA) to query the IQF via the LI_HIQR interface using a Generic Public Subscription Identifier (GPSI) or Permanent Equipment Identifier (PEI) as the target. The IQF can then resolve this to corresponding permanent and temporary identifiers through the ICF over the LI_XQR interface.
Defining Specifications
3GPP specifications that define or reference IQF, with the latest known release, sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.128 vj50 | Lawful Interception Protocols | Rel-19 |