SUPI

Subscription Permanent Identifier

Identifier
Introduced in Rel-15
Subscription Permanent Identifier (SUPI) is a globally unique, permanent identifier for a 3GPP subscription in 5G systems. It serves as the fundamental subscription identity, used for authentication and subscription management, and is typically concealed in transit for privacy using the SUCI.

Description

The Subscription Permanent Identifier (SUPI) is a critical concept in 5G system architecture, defined initially in 3GPP Release 15. It is a globally unique, non-changing identifier that permanently represents a user's subscription within the 3GPP ecosystem. The SUPI is used by the network for identification, authentication, authorization, and accounting purposes. It is stored securely in the Unified Data Management (UDM) and the Universal Subscriber Identity Module (USIM) on the user's device. The SUPI itself is never transmitted in clear text over the air interface to protect user privacy; instead, it is concealed using a privacy-preserving identifier called the Subscription Concealed Identifier (SUCI).

Architecturally, the SUPI is a key input to the 5G Authentication and Key Agreement (5G AKA) and Extensible Authentication Protocol (EAP)-AKA' procedures. During initial registration, the User Equipment (UE) generates a SUCI by encrypting the SUPI with the home network's public key, using the Elliptic Curve Integrated Encryption Scheme (ECIES). This SUCI is sent to the serving network (e.g., visited network in roaming scenarios). The serving network forwards the SUCI to the home network's Authentication Server Function (AUSF), which, with the help of the Subscription Identifier De-concealing Function (SIDF) in the UDM, decrypts it to retrieve the SUPI. The SUPI is then used to fetch the authentication vector and subscription profile from the UDM.

The SUPI can be in two main formats: an IMSI-based format or a Network Access Identifier (NAI) format. The IMSI-based SUPI follows the structure of an International Mobile Subscriber Identity (IMSI), consisting of a Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Subscription Identification Number (MSIN). This ensures backward compatibility with legacy systems. The NAI-based SUPI is used for non-3GPP access (e.g., Wi-Fi) and follows the format username@realm. The SUPI's role extends beyond authentication; it is used in policy control (via the Policy Control Function (PCF)), charging (via the Charging Function (CHF)), and network slice selection (via the Network Slice Selection Function (NSSF)). Its permanent nature ensures consistent identification across sessions and mobility events, forming the backbone of subscription management in 5G.
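Added example (not part of the original page or of any 3GPP text): a parser that splits either SUPI format into the part that identifies the home network, which must stay readable so a SUCI can be routed, and the subscriber part (MSIN or username) that concealment protects, then uses that split to mask SUPIs in log lines. The function names, the "imsi-"/"nai-" prefixes and the sample log lines are assumptions made for this illustration.

```python
import re

# Assumption: the optional "imsi-" / "nai-" prefixes are the string form used on
# 5G core service interfaces; bare IMSI digits and username@realm are accepted too.
_IMSI = re.compile(r"^(?:imsi-)?(\d{6,15})$")
_NAI = re.compile(r"^(?:nai-)?([^@\s]+)@([^@\s]+)$")
_TOKEN = re.compile(r"\b(?:imsi-\d{6,15}|nai-[^@\s]+@[^@\s,;]+)")

def split_supi(supi: str, mnc_len: int = 2) -> dict:
    """Split a SUPI into its home-network part and its subscriber part."""
    m = _IMSI.match(supi)
    if m:
        digits = m.group(1)
        # The MNC is 2 or 3 digits and the IMSI itself does not say which;
        # the caller must supply it (e.g. from the operator's PLMN settings).
        if mnc_len not in (2, 3):
            raise ValueError("MNC length must be 2 or 3")
        if len(digits) <= 3 + mnc_len:
            raise ValueError("IMSI too short to contain an MSIN")
        net = digits[:3 + mnc_len]
        return {"type": "imsi", "mcc": net[:3], "mnc": net[3:],
                "home_network": net, "subscriber": digits[len(net):]}
    m = _NAI.match(supi)
    if m:
        return {"type": "nai", "home_network": m.group(2), "subscriber": m.group(1)}
    raise ValueError("not an IMSI-based or NAI-based SUPI")

def redact_supi(supi: str, mnc_len: int = 2) -> str:
    """Return a log-safe form: home network kept, subscriber part masked."""
    p = split_supi(supi, mnc_len)
    masked = "*" * len(p["subscriber"])
    if p["type"] == "imsi":
        return f"imsi-{p['home_network']}{masked}"
    return f"nai-{masked}@{p['home_network']}"

def scrub_line(line: str, mnc_len: int = 2) -> str:
    """Replace every prefixed SUPI found in a log line with its redacted form."""
    return _TOKEN.sub(lambda t: redact_supi(t.group(0), mnc_len), line)

# Constructed sample lines (test PLMN 001/01), not taken from any real network.
SAMPLE_LOG = [
    "udm: profile fetched for imsi-001010123456789 slice=1",
    "ausf: EAP-AKA' success nai-alice@wlan.example.org",
    "amf: registration accepted, no identifier logged",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Passing the wrong MNC length shifts one digit between the network and subscriber parts, so the value should come from the operator's PLMN configuration rather than a guess.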

Purpose & Motivation

The SUPI was introduced in 5G Release 15 to address privacy and security shortcomings of previous subscription identifiers, particularly the IMSI used in 4G LTE. In LTE, the IMSI was sometimes transmitted in clear text during initial attach procedures, making it vulnerable to eavesdropping and tracking attacks. This allowed malicious actors to identify and locate users, compromising privacy. The SUPI, combined with the SUCI mechanism, was designed to provide strong subscriber identity privacy by ensuring the permanent identifier is never exposed over the air.

Another motivation was to create a unified subscription identifier that works seamlessly across different access types (3GPP and non-3GPP) and supports emerging services like network slicing and IoT. The legacy IMSI was primarily designed for cellular access, whereas 5G envisions convergence with fixed and wireless local area networks. The SUPI's flexible formats (IMSI-based and NAI-based) accommodate this convergence, enabling consistent subscription management in heterogeneous networks.

Furthermore, the SUPI supports enhanced security protocols and home-routed traffic models in roaming scenarios. By keeping the SUPI concealed until it reaches the home network, it reduces the trust burden on visited networks and mitigates risks associated with international roaming. This aligns with 5G's design principles of security-by-design and privacy-by-design, addressing regulatory requirements like the General Data Protection Regulation (GDPR). The SUPI thus solves the dual problem of providing a robust, permanent subscription anchor while ensuring user privacy in an increasingly connected and scrutinized digital environment.

Key Features

  • Globally unique and permanent identifier for a 3GPP subscription
  • Never transmitted in clear text over the air; always concealed as SUCI for privacy
  • Supports two formats: IMSI-based (for cellular) and NAI-based (for non-3GPP access)
  • Fundamental input for 5G AKA and EAP-AKA' authentication procedures
  • Used for subscription profiling, policy control, and network slice selection
  • Stored securely in UDM and USIM, with decryption only possible by home network

Evolution Across Releases

Rel-15 Initial

Introduced SUPI as the permanent subscription identifier in 5G, replacing the IMSI for privacy. Defined IMSI-based and NAI-based formats, and mandated concealment via SUCI using ECIES encryption. Integrated SUPI into 5G AKA and network functions like UDM and AUSF.

Enhanced SUPI usage for edge computing and verticals. Introduced support for subscription identifiers in local area data networks (LADN), improved SUPI handling in network exposure function (NEF), and refined SUCI generation procedures for interoperability.

Further enhancements for integrated sensing and communication, and AI/ML services. Improved SUPI management for network automation, support for dynamic subscription identifiers in network slicing, and enhanced security for SUPI in service-based architecture.

Defining Specifications

Specification Title
TS 23.003 3GPP TS 23.003
TS 23.501 3GPP TS 23.501
TS 23.700 3GPP TS 23.700
TS 24.501 3GPP TS 24.501
TS 24.502 3GPP TS 24.502
TS 24.526 3GPP TS 24.526
TS 28.204 3GPP TS 28.204
TS 28.840 3GPP TS 28.840
TS 29.503 3GPP TS 29.503
TS 29.504 3GPP TS 29.504
TS 29.505 3GPP TS 29.505
TS 29.507 3GPP TS 29.507
TS 29.508 3GPP TS 29.508
TS 29.514 3GPP TS 29.514
TS 29.515 3GPP TS 29.515
TS 29.517 3GPP TS 29.517
TS 29.518 3GPP TS 29.518
TS 29.519 3GPP TS 29.519
TS 29.520 3GPP TS 29.520
TS 29.521 3GPP TS 29.521
TS 29.523 3GPP TS 29.523
TS 29.525 3GPP TS 29.525
TS 29.541 3GPP TS 29.541
TS 29.550 3GPP TS 29.550
TS 29.571 3GPP TS 29.571
TS 29.591 3GPP TS 29.591
TS 29.594 3GPP TS 29.594
TS 29.890 3GPP TS 29.890
TS 31.102 3GPP TR 31.102
TS 32.255 3GPP TR 32.255
TS 32.256 3GPP TR 32.256
TS 32.291 3GPP TR 32.291
TS 33.126 3GPP TR 33.126
TS 33.127 3GPP TR 33.127
TS 33.501 3GPP TR 33.501
TS 33.514 3GPP TR 33.514
TS 33.741 3GPP TR 33.741
TS 33.749 3GPP TR 33.749
TS 33.835 3GPP TR 33.835
TS 33.841 3GPP TR 33.841
TS 33.938 3GPP TR 33.938