SQN

Sequence Number

Introduced in Rel-2 Also in: User Equipment

SQN is a security parameter in 3GPP authentication protocols that is generated by the network to ensure freshness, prevent replay attacks, and is verified by the UE for mutual authentication and key derivation.

Category: Security
Introduced: Rel-2
Specifications: 13 specs

Description

The Sequence Number (SQN) is a fundamental security element in 3GPP systems, defined across multiple specifications such as 33.102 and 33.401 as part of the Authentication and Key Agreement (AKA) protocol. SQN is a counter value generated by the network's authentication centre (AuC) or home subscriber server (HSS) to ensure the freshness of authentication vectors and prevent replay attacks. During the authentication process, SQN is included in the authentication token (AUTN) sent to the User Equipment (UE), which verifies it against locally stored values to confirm that the authentication request is current and not a duplicate. This mechanism is essential for mutual authentication, where both the network and the UE validate each other's legitimacy, and for deriving the session keys (e.g., CK, IK) that secure subsequent communications.

Architecturally, SQN operates within the security layer of the core network and the UE, interfacing with components like the AuC, HSS, and the UE's universal subscriber identity module (USIM). The SQN is typically a 48-bit value, structured to include sequence information and optionally an index used for sequence-number management. The network increments or otherwise updates it for each authentication instance, ensuring uniqueness. When the UE receives an AUTN, the USIM recovers the SQN, checks its freshness against a window of acceptable values, and, if the check passes, proceeds with key derivation. If the SQN is out of sync (e.g., due to network issues or attacks), the UE may trigger the resynchronisation procedure defined in specifications like 33.102 to restore security alignment without compromising service.

In operation, SQN is integral to the AKA process: the network generates an authentication vector containing RAND (random challenge), AUTN (which carries SQN masked with the anonymity key AK), XRES (expected response), and session keys. The USIM recovers SQN from AUTN by removing the AK mask, verifies the token's MAC and the SQN range using its stored key and stored sequence-number values, and computes a response (RES) for network validation. This ensures that each authentication session is unique and resistant to replay, protecting against eavesdropping and man-in-the-middle attacks. SQN's role extends from 3G UMTS AKA through 4G EPS AKA to 5G AKA, evolving to support enhanced privacy and security features; in 5G AKA, SQN handling is refined to address privacy concerns such as subscriber traceability.
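Added example (not code from the page or from any 3GPP specification): a Python model of the AKA exchange described above. The network masks SQN with AK and protects it with a MAC; the USIM unmasks SQN, checks the MAC, then applies the SQN = SEQ || IND freshness check of TS 33.102 Annex C, so a replayed vector is rejected. The MILENAGE functions are replaced by an HMAC stand-in, and the window Δ is an assumed value.

```python
import hmac, hashlib, os

# Constructed stand-in for MILENAGE f1/f2/f5 (TS 35.205): keyed HMAC-SHA256
# truncated to the 3GPP field widths. Only the SQN handling below follows
# TS 33.102 Annex C; the key functions are NOT the real algorithms.
def _f(k, tag, data, n):
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand + sqn + amf, 8)  # MAC-A
def f2(k, rand): return _f(k, b"f2", rand, 8)                        # RES/XRES
def f5(k, rand): return _f(k, b"f5", rand, 6)                        # AK, 48 bit

DELTA = 2 ** 28      # max SEQ jump ahead; assumed value, operator-configurable
IND_BITS = 5         # SQN = SEQ || IND, IND in the low 5 bits (Annex C.3.2)
AMF = b"\x80\x00"

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """AuC/HSS side: holds K and the subscriber's SQN_HE counter."""
    def __init__(self, k):
        self.k, self.seq = k, 0
    def auth_vector(self, ind):
        self.seq += 1                                  # fresh SEQ per vector
        sqn = ((self.seq << IND_BITS) | ind).to_bytes(6, "big")
        rand = os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return rand, autn, f2(self.k, rand)            # RAND, AUTN, XRES

class USIM:
    """UE side: SQN_MS array, highest accepted SEQ per index (Annex C.2)."""
    def __init__(self, k):
        self.k, self.seq_ms = k, [0] * (1 << IND_BITS)
    def authenticate(self, rand, autn):
        sqn = xor(autn[:6], f5(self.k, rand))          # unmask SQN with AK
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE"                       # network not authenticated
        seq = int.from_bytes(sqn, "big") >> IND_BITS
        ind = sqn[-1] & ((1 << IND_BITS) - 1)
        if seq <= self.seq_ms[ind] or seq > max(self.seq_ms) + DELTA:
            return "SYNC_FAILURE"                      # replayed or out of window
        self.seq_ms[ind] = seq
        return f2(self.k, rand)                        # RES; CK/IK would follow

def run_demo(k=bytes(range(16))):                      # constructed test key
    hn, usim = HomeNetwork(k), USIM(k)
    rand, autn, xres = hn.auth_vector(ind=3)
    accepted = usim.authenticate(rand, autn) == xres   # fresh vector accepted
    return accepted, usim.authenticate(rand, autn)     # replaying it fails
```

A real USIM answers SYNC_FAILURE with an AUTS token so the network can resynchronise SQN_HE; that procedure is not modelled here.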

Purpose & Motivation

SQN was introduced to address security vulnerabilities in early mobile networks, particularly the lack of replay protection in authentication protocols. Before SQN, systems like GSM used simple challenge-response mechanisms without sequence tracking, leaving them open to replay attacks in which intercepted authentication messages could be reused against the UE. SQN solves this by adding freshness through a sequentially increasing number, ensuring that each authentication attempt is unique and time-bound. This enhancement was motivated by the need for stronger mutual authentication as networks evolved from 2G to 3G and beyond, supporting services like mobile banking and IoT that demand higher security.

Historically, SQN was standardized in 3GPP Rel-2 as part of the UMTS AKA protocol, building on lessons from GSM weaknesses. Its creation was driven by the requirement for robust key agreement and privacy in 3G networks, as outlined in specifications like 33.102. Over releases, SQN has been adapted to address new threats, such as in 4G EPS AKA (33.401) where it supports LTE security, and in 5G AKA (33.501) where its structure is optimized to prevent privacy leaks. By ensuring authentication freshness, SQN enables secure mobility, roaming, and service access across generations of mobile technology.

Classification

Part of: AKA
Related approaches: AUTN, AuC, USIM

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (30 CRs across 5 releases). This complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-2, normative work from Rel-15.

Rel-15 (6 changes)

In Release 15, updates to USIM management procedures for 5GS were introduced, alongside enhancements to USIM configuration data to support new services like Mission Critical Services and PDU session call control. These changes included allowing the configuration of MCS via USIM and enhancing the USIM OPL configuration to support 3-byte TAC values when connected to NG-RAN. Additionally, clarifications were provided regarding the presence of specific files like EFIMSConfigData within the ISIM and USIM applications.

  • USIM Service Table update for PDU session call control support. TS 31.102 CR0786
  • Allow configuration of MCS (Access Identity 2) via USIM. TS 31.102 CR0794
  • Mission Critical Services configuration data update to USIM. TS 31.102 CR0808
  • Enhance USIM OPL configuration to support 3-byte TAC when in NG-RAN. TS 31.102 CR0818
  • Updates to USIM management procedures for 5GS. TS 31.102 CR0806
  • Clarification about presence of EFIMSConfigData in ISIM and USIM. TS 31.102 CR0833

Rel-16 (11 changes)

In Release 16, the SQN management function was enhanced by enabling the USIM to store a potentially separate KSEAF for non-3GPP access. Furthermore, the USIM gained the capability to store configuration lists for RLOS PLMNs, URSP rules, and PS Data Off status for home and roaming scenarios. These additions expanded the USIM's role in managing authentication and network selection parameters for 5G systems.

  • Add new general abbreviations (MCC). Note: the CR cover sheet wrongly shows the CR number as "1118". TS 21.905 CR0118
  • Support for USIM configuration of RLOS PLMN list. TS 31.102 CR0847
  • URSP storage in USIM. TS 31.102 CR0861
  • Specify storage for a potentially separate KSEAF for non-3GPP access on the USIM. TS 31.102 CR0864
  • USIM configuration of RLOS allowed MCC list. TS 31.102 CR0881
  • Support for Trusted non-3GPP access networks list by USIM. TS 31.102 CR0891


Rel-17 (9 changes)

In Release 17, the key enhancement for the SQN function was the support of enhanced 5G-AKA sequence number re-synchronization. This update specifically improved the authentication and key agreement procedures for 5G systems. The change aimed to provide a more robust mechanism for managing sequence number synchronization between the network and the USIM during the authentication process.

  • Introduce a USIM file to store pre-configured CAG information list. TS 31.102 CR0904
  • SOR-CMCI storage in USIM. TS 31.102 CR0917
  • Addition of USIM files for the indication of whether disaster roaming is enabled in the UE, disaster roaming wait range, disaster return wait range and applicability indicator for disaster roaming PLMNs list provided by VPLMN. TS 31.102 CR0938
  • Adding eDRX parameters in the USIM for NG-RAN. TS 31.102 CR0943
  • 5G NSWO (Non-Seamless WLAN Offload) configuration support in the USIM, compromise proposal. TS 31.102 CR0946
  • Support of 'No E-UTRA Disabling In 5GS' in USIM. TS 31.102 CR0947


Rel-18 (3 changes)

In Release 18, the SQN function was enhanced by mandating that Service n°133 (5G Security Parameters extended storage) be enabled whenever Service n°123 is enabled on the USIM. This change ensures extended storage for security parameters is consistently available. Furthermore, new Elementary Files (EFs) were introduced on the USIM for Access Control to GBA_U_APIs and for IMS Data Channel configuration, expanding the data managed by the USIM application.

  • 5G Security Parameters extended storage on USIM (mandating Service n°133 to be enabled when Service n°123 is enabled), Rel-18. TS 31.102 CR1014
  • Add EF of Access Control to GBA_U_APIs to the USIM. TS 31.102 CR1007
  • Add EF of IMS Data Channel configuration to the USIM. TS 31.102 CR1006

Rel-19 (1 change)

In Release 19, a key update for the SQN function involved enhancements for backward compatibility, specifically addressing the handling of USIMs that lack extended security parameter storage in the EF_5GAuthKeys file. This change ensures proper authentication sequence management for legacy USIMs within the 5G system. The modification focuses on the USIM's implementation capability regarding security parameter storage without altering the fundamental SQN procedures.

  • Backward compatibility handling of USIM without extended security parameter storage in EF_5GAuthKeys, Rel-19. TS 31.102 CR1074

Defining Specifications

3GPP specifications that define or reference SQN, with the latest known release. Sourced from the 3GPP document catalog.

Specification  Version  Title                                                    Release
TR 21.905      vj00     3GPP Technical Terms and Definitions                     Rel-19
TS 24.109      vj00     HTTP Digest AKA & GAA Stage 3                            Rel-19
TS 24.229      vj50     IMS call control protocol based on SIP and SDP           Rel-19
TS 31.102      vj40     USIM Application Specification                           Rel-19
TS 31.103      vj00     ISIM Application Specification                           Rel-19
TR 31.900      vj00     Security Interworking Guidance                           Rel-19
TS 33.102      vj10     3G Security Architecture Specification                   Rel-19
TS 33.105      vj00     3G Security: Cryptographic Algorithm Requirements        Rel-19
TS 33.401      vj10     EPS Security Architecture                                Rel-19
TS 33.863      ve20     Security for Battery-Efficient IoT Device to Enterprise  Rel-14
TS 35.205      vj00     MILENAGE Algorithm Set: General Overview                 Rel-19
TR 35.909      vj00     3GPP MILENAGE Algorithm Design Report                    Rel-19
TR 35.934      vj00     Tuak algorithm set for 3GPP auth & key gen               Rel-19