Description
The Subscription Identifier De-concealing Function (SIDF) is a dedicated security entity introduced in the 5G System (5GS) architecture as part of the Authentication Server Function (AUSF). Its primary technical role is to perform the de-concealment operation on the Subscription Concealed Identifier (SUCI) that a User Equipment (UE) sends during initial network registration. The SUCI is a privacy-preserving identifier that the UE creates by encrypting the Subscription Permanent Identifier (SUPI) under the home network's public key. When the Serving Network (e.g., a visited operator) receives a SUCI, it forwards it to the home network's AUSF, which then invokes its internal SIDF component.
The SIDF executes the cryptographic de-concealment process. It uses the home network's private key, which corresponds to the public key provisioned in the UE's Universal Subscriber Identity Module (USIM), to decrypt the SUCI. This process reveals the plaintext SUPI (typically an IMSI or network-specific identifier). The SIDF is the only network function in the 5G architecture permitted to hold the necessary private key and perform this operation, centralizing a critical security function. After successful de-concealment, the AUSF uses the retrieved SUPI to locate the corresponding authentication credentials in the Unified Data Management (UDM) and proceeds with the primary authentication and key agreement (AKA) procedure.
Architecturally, the SIDF is not a standalone Network Function (NF) but a logical function integrated within the AUSF. This design consolidates sensitive key material and limits its exposure. The interface between the SIDF and the rest of the AUSF is internal. The SIDF's operation is triggered via the Nausf_UEAuthentication service operation. Its successful execution is a prerequisite for all subsequent authentication steps. By ensuring that the SUPI is never transmitted in clear text over the radio access network, the SIDF is a cornerstone of 5G's enhanced subscriber privacy, protecting against IMSI catchers and location tracking attacks that were feasible in previous generations. Its role is purely for identifier resolution; it does not participate in the subsequent key derivation or session establishment.
Purpose & Motivation
The SIDF was created to address a major privacy vulnerability inherent in previous cellular generations (2G, 3G, 4G): the transmission of the permanent subscriber identifier (IMSI) in clear text over the radio interface. This allowed passive eavesdroppers with inexpensive equipment to harvest IMSIs, track users' locations, and profile their movements. 5G's design principle of 'subscription identifier privacy' demanded a solution where the permanent identifier is never exposed outside the secure confines of the home network. The SIDF is the technical enabler of this principle, solving the problem of how a network can authenticate a user without knowing who the user is initially.
The historical context is the evolution from 4G EPS-AKA, where the IMSI could be sent in plain text under certain conditions (e.g., initial attach), to 5G's mandatory use of SUCI for initial registration. The SIDF performs the essential 'keyhole' operation that allows the legitimate home network—and only the home network—to learn the user's true identity. This addresses the limitation of previous approaches where privacy was often an optional add-on or relied on temporary identifiers (GUTI/TMSI) that could still be forced to fall back to IMSI.
Its creation was motivated by stringent regulatory requirements for user privacy (e.g., GDPR) and the industry's need to restore user trust in mobile networks. By centralizing the de-concealment in a single, highly protected function (the SIDF within AUSF), the 5G architecture minimizes the attack surface for credential compromise and establishes a robust foundation for identity protection that is integral to the network's initial access procedure.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (31 CRs across 4 releases). This complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the SIDF (Subscription Identifier De-concealing Function) was formally introduced as a new security entity within the 5G Core network, specifically as a service offered by the UDM in the home network. Its primary role is to de-conceal the permanent SUPI from the one-time-use SUCI sent by the UE during initial registration, which is a foundational part of the new subscription identifier privacy mechanism. The release also involved numerous clarifications and corrections to related procedures, such as the SUCI computation, protection scheme identifiers, and the use of the SUPI in the K_AMF derivation.
- Clarification to Subscription identifier privacy (TS 33.501 CR0145)
- Corrections on SUCI protection schemes (TS 33.501 CR0162)
- Editorial correction to clause 6.12.5 on SIDF (TS 33.501 CR0189)
- Align NAS connection identifier with access type identifier (TS 33.501 CR0258)
- Privacy - adding missing details to SUCI content and format (TS 33.501 CR0313)
- Correction to 5G AKA procedure - no need for SUPI or SUCI (in step 10) (TS 33.501 CR0399)
In Release 16, the SIDF (Subscription Identifier De-concealing Function) saw enhancements primarily through clarifications on the SUCI computation process. These included providing implementers' test data for the network-specific identifier-based SUPI and clarifying the use of the SUPI as the identity in EAP-AKA' key derivation. The updates served to refine the technical implementation of the protection and de-concealment of the subscription identifier without altering the fundamental role of the SIDF within the UDM.
In Release 17, the SIDF function was enhanced to support the configuration and use of an "Anonymous SUCI" and to clarify its interaction with the UDM for this purpose. The release also resolved implementation inconsistencies, particularly around the usage of the null-scheme SUCI during UE onboarding procedures. These updates provided clearer operational guidelines for de-concealing subscription identifiers in specific scenarios.
- Removing Editor's note on SUPI sent to AAA (TS 33.501 CR1289)
- Configuration of Anonymous SUCI (TS 33.501 CR1380)
- UDM interaction for Anonymous SUCI (TS 33.501 CR1381)
- Resolving Editor's note on using only null-scheme SUCI (TS 33.501 CR1397)
- Resolution of inconsistency in SUCI usage during UE onboarding (TS 33.501 CR1401)
In Release 18, the SIDF function was updated to address the use of a temporary identifier during trusted non-3GPP access, resolving related editorial notes. Furthermore, enhancements were made to the UDM's security validation by adding test cases to check for an invalid and uncompressed point when using the ECIES protection scheme for SUCI decryption.
Defining Specifications
3GPP specifications that define or reference SIDF, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.514 vk00 | 5G Security Assurance for UDM | Rel-20 |