Description
The Subscription Permanent Identifier (SUPI) is a critical concept in 5G system architecture, defined initially in 3GPP Release 15. It is a globally unique, non-changing identifier that permanently represents a user's subscription within the 3GPP ecosystem. The SUPI is used by the network for identification, authentication, authorization, and accounting purposes. It is stored securely in the Unified Data Management (UDM) and the Universal Subscriber Identity Module (USIM) on the user's device. The SUPI itself is never transmitted in clear text over the air interface to protect user privacy; instead, it is concealed using a privacy-preserving identifier called the Subscription Concealed Identifier (SUCI).
Architecturally, the SUPI is a key input to the 5G Authentication and Key Agreement (5G AKA) and Extensible Authentication Protocol (EAP)-AKA' procedures. During initial registration, the User Equipment (UE) generates a SUCI by encrypting the SUPI with the home network's public key, using the Elliptic Curve Integrated Encryption Scheme (ECIES). This SUCI is sent to the serving network (e.g., visited network in roaming scenarios). The serving network forwards the SUCI to the home network's Authentication Server Function (AUSF), which, with the help of the Subscription Identifier De-concealing Function (SIDF) in the UDM, decrypts it to retrieve the SUPI. The SUPI is then used to fetch the authentication vector and subscription profile from the UDM.
The SUPI can be in two main formats: an IMSI-based format or a Network Access Identifier (NAI) format. The IMSI-based SUPI follows the structure of an International Mobile Subscriber Identity (IMSI), consisting of a Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Subscription Identification Number (MSIN). This ensures backward compatibility with legacy systems. The NAI-based SUPI is used for non-3GPP access (e.g., Wi-Fi) and follows the format username@realm. The SUPI's role extends beyond authentication; it is used in policy control (via the Policy Control Function (PCF)), charging (via the Charging Function (CHF)), and network slice selection (via the Network Slice Selection Function (NSSF)). Its permanent nature ensures consistent identification across sessions and mobility events, forming the backbone of subscription management in 5G.
Purpose & Motivation
The SUPI was introduced in 5G Release 15 to address privacy and security shortcomings of previous subscription identifiers, particularly the IMSI used in 4G LTE. In LTE, the IMSI was sometimes transmitted in clear text during initial attach procedures, making it vulnerable to eavesdropping and tracking attacks. This allowed malicious actors to identify and locate users, compromising privacy. The SUPI, combined with the SUCI mechanism, was designed to provide strong subscriber identity privacy by ensuring the permanent identifier is never exposed over the air.
Another motivation was to create a unified subscription identifier that works seamlessly across different access types (3GPP and non-3GPP) and supports emerging services like network slicing and IoT. The legacy IMSI was primarily designed for cellular access, whereas 5G envisions convergence with fixed and wireless local area networks. The SUPI's flexible formats (IMSI-based and NAI-based) accommodate this convergence, enabling consistent subscription management in heterogeneous networks.
Furthermore, the SUPI supports enhanced security protocols and home-routed traffic models in roaming scenarios. By keeping the SUPI concealed until it reaches the home network, it reduces the trust burden on visited networks and mitigates risks associated with international roaming. This aligns with 5G's design principles of security-by-design and privacy-by-design, addressing regulatory requirements like the General Data Protection Regulation (GDPR). The SUPI thus solves the dual problem of providing a robust, permanent subscription anchor while ensuring user privacy in an increasingly connected and scrutinized digital environment.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (713 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the SUPI was newly introduced as the globally unique 5G Subscription Permanent Identifier, replacing the IMSI as the fundamental subscription identifier. The release also defined the SUCI as a privacy-preserving identifier containing the concealed SUPI, specifying its structure to include a SUPI Type, Home Network Identifier, Routing Indicator, and Protection Scheme Identifier. This enabled the Subscription Identifier Privacy support, allowing a UE to provide a SUCI instead of the plaintext SUPI during initial registration.
- SUCI encoding format and protection scheme (TS 24.501, CR0254)
- Nudm_SDM retrieval of SMS Management Subscription data (TS 29.503, CR0037)
- Subscription and notification of resources allocation outcome, data model (TS 29.514, CR0007)
- Subscription to resources allocation outcome, service procedures (TS 29.514, CR0008)
- Subscription and notification of out of credit events, data model (TS 29.514, CR0010)
- Subscription to out of credit notification, service procedures (TS 29.514, CR0011)
+ 135 more changes
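The two SUPI formats from the Description and the SUCI fields introduced in Release 15 can be checked mechanically. This is an added example, not part of the original page or of any 3GPP text: it parses both identifiers and flags a SUCI that uses the null protection scheme, where the MSIN is not encrypted. The `imsi-`/`nai-`/`suci-` string encodings (the textual form used on the service-based interfaces) and all sample values are assumptions not stated on this page.

```python
import re

# Assumed textual encodings; every sample value here is a constructed test value.
SUPI_RE = re.compile(
    r"^(?:imsi-(?P<imsi>[0-9]{5,15})|nai-(?P<user>[^@]+)@(?P<realm>[^@]+))$")
SUCI_IMSI_RE = re.compile(
    r"^suci-0-(?P<mcc>[0-9]{3})-(?P<mnc>[0-9]{2,3})-(?P<routing>[0-9]{1,4})"
    r"-(?P<scheme>[0-9a-fA-F])-(?P<key_id>[0-9]{1,3})-(?P<output>[0-9a-fA-F]+)$")
SCHEMES = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}


def parse_supi(supi, mnc_len=2):
    """Split a SUPI into its parts. The MNC length (2 or 3 digits) cannot be
    derived from the IMSI digits alone, so the caller supplies it."""
    m = SUPI_RE.match(supi)
    if not m:
        raise ValueError("not an IMSI- or NAI-based SUPI: %r" % supi)
    if m.group("user"):
        return {"type": "nai", "username": m.group("user"),
                "realm": m.group("realm")}
    imsi = m.group("imsi")
    if len(imsi) <= 3 + mnc_len:
        raise ValueError("IMSI too short to contain an MSIN: %r" % supi)
    return {"type": "imsi", "mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}


def audit_suci(suci):
    """Decode an IMSI-type SUCI and report whether the SUPI is concealed."""
    m = SUCI_IMSI_RE.match(suci)
    if not m:
        raise ValueError("not an IMSI-type SUCI: %r" % suci)
    scheme = int(m.group("scheme"), 16)
    home = m.group("mcc") + m.group("mnc")
    result = {"home_network": home, "routing_indicator": m.group("routing"),
              "scheme": SCHEMES.get(scheme, "reserved or operator-specific"),
              "concealed": scheme != 0, "exposed_supi": None}
    if scheme == 0:
        # Null-scheme: the scheme output is the MSIN itself, so anyone who
        # observes this SUCI can rebuild the permanent identifier.
        result["exposed_supi"] = "imsi-" + home + m.group("output")
    return result


if __name__ == "__main__":
    for sample in ("suci-0-001-01-0000-0-0-0000000001",      # constructed
                   "suci-0-001-01-0000-1-1-a1b2c3d4e5f6"):   # constructed
        print(sample, "->", audit_suci(sample))
```

Run over registration logs, a non-empty `exposed_supi` marks a subscriber whose permanent identifier was sent without concealment, which usually means the home network public key was not provisioned on the USIM.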
In Release 16, the SUPI function was expanded to include new identifier types for wireline access, specifically the Global Line Identifier (GLI) and Global Cable Identifier (GCI), which take the form of a Network Access Identifier (NAI). This release also introduced a SUPI pattern capability and formally defined the handling of these new SUPI types within the SUCI structure for privacy protection. These additions enabled 5G system integration for fixed and cable network subscribers.
- SUPI and SUCI for wireline access (TS 23.501, CR0744)
- Subscription Information Influence on PDU Session Rate Control (TS 23.501, CR1251)
- Alternative 2: Handling of a UE not allowed to access SNPN services via a PLMN by subscription with 5GMM cause value #72 (TS 24.501, CR2252)
- SUPI and SUCI for legacy wireline access (TS 24.502, CR0118)
- SUPI/SUCI of N5GC devices (TS 24.502, CR0143)
- Add PDU Session continuity at inter RAT mobility to and from NB-IoT in SM Subscription data (TS 29.503, CR0176)
+ 123 more changes
In Release 17, the SUPI function was enhanced to support new use cases including Anonymous SUCI for privacy, the use of IMSI-based SUPI for accessing Standalone Non-Public Networks (SNPN) using credentials from a Credentials Holder, and a defined SUCI/SUPI format for device onboarding. The release also introduced specific subscription data types for new services such as aerial UE, 5MBS, ProSe, and group-based event subscriptions.
- Anonymous SUCI (TS 23.003, CR0626)
- SNPN with separate entity hosting subscription (TS 23.501, CR2625)
- IMSI based SUPI support when access an SNPN using credentials owned by CH (TS 23.501, CR2919)
- Format of SUCI/SUPI used for Onboarding (TS 23.501, CR3097)
- AUSF/UDM discovery based SUCI information (TS 23.501, CR3170)
- Authentication and Subscription information checking for Disaster Roaming service (TS 23.501, CR3251)
+ 196 more changes
In Release 18, the primary enhancement for the SUPI function was the introduction of a decorated NAI format for 5G-NSWO (Non-Seamless WLAN Offload) specifically for the SUPI. This builds upon the existing SUPI types, such as the Global Line Identifier (GLI) and Global Cable Identifier (GCI), which already use the NAI format as defined in IETF RFC 7542. The change provides a structured method for conveying the SUPI within network access procedures for non-3GPP access.
- SNPN Identifier based N3IWF FQDN (TS 23.003, CR0687)
- Decorated NAI format for 5G-NSWO for SUPI (TS 23.003, CR0696)
- Adding time synchronization service based on subscription (TS 23.501, CR3762)
- PIN identifiers (TS 23.501, CR4287)
- Protecting the N3IWF/TNGF identifier information in the REGISTRATION REJECT message (TS 24.501, CR5932)
- Resolving the EN related to N3IWF selection based on N3IWF identifier information in the REGISTRATION REJECT message (TS 24.502, CR0230)
+ 133 more changes
In Release 19, the SUPI function was enhanced to support the conversion of **Multiple SUPI to GPSI in the UDM** and to enable **AF Specific Identifier Selection during Multiple Identifiers Translation in the UDM**. Furthermore, the release introduced new subscription data handling for identifiers of **non-3GPP devices connecting behind a UE/5G-RG**, defining specific identifiers for such scenarios. These updates expand the UDM's role in managing and translating a broader set of subscriber and device identifiers within the 5G system.
- Non-3GPP Device Identifier (TS 23.003, CR0708)
- Definition of AIoT Device Permanent Identifier (TS 23.003, CR0713)
- Subscription-based routing to a target core network (TS 23.501, CR5380)
- Supporting direct subscription of UPF event exposure using UE's IP address (TS 23.501, CR5540)
- KI#2: UE subscription and policy control for energy efficiency and energy saving (TS 23.501, CR5739)
- Updates to UPF data exposure for KI#2 direct subscription (TS 23.501, CR5452)
+ 96 more changes
Defining Specifications
3GPP specifications that define or reference SUPI, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 23.003 vj50 | Numbering, addressing and identification in 3GPP | Rel-19 |
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TS 23.700 vk00 | XR Services Application Enablement Layer | Rel-20 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 24.526 vj30 | UE Policies for 5GS; Stage 3 | Rel-19 |
| TS 28.204 vi11 | Charging management | Rel-18 |
| TR 28.840 vi10 | Technical Report | Rel-18 |
| TS 29.503 vj50 | UDM Service Based Interface Stage 3 | Rel-19 |
| TS 29.504 vj50 | Nudr Service Based Interface Stage 3 Protocol | Rel-19 |
| TS 29.505 vj50 | UDR Service for Subscription Data Usage | Rel-19 |
| TS 29.507 vj40 | 5G Access & Mobility Policy Control Service | Rel-19 |
| TS 29.508 vj40 | 5G Session Management Event Exposure Service | Rel-19 |
| TS 29.514 vj40 | 5G System; Policy Authorization Service; Stage 3 | Rel-19 |
| TS 29.515 vj50 | Ngmlc Service Based Interface Protocol | Rel-19 |
| TS 29.517 vj40 | 5G AF Event Exposure Service Stage 3 | Rel-19 |
| TS 29.518 vj50 | AMF Service Based Interface Protocol | Rel-19 |
| TS 29.519 vj40 | UDR Usage for Policy & Exposure Data | Rel-19 |
| TS 29.520 vj40 | 5G Network Data Analytics Services Stage 3 | Rel-19 |
| TS 29.521 vj40 | 5G Binding Support Management Service Stage 3 | Rel-19 |
| TS 29.523 vj20 | 5G Policy Control Event Exposure Service | Rel-19 |
| TS 29.525 vj40 | 5G UE Policy Control Service Stage 3 | Rel-19 |
| TS 29.541 vj30 | NEF Service-Based Interfaces for NIDD & SMS | Rel-19 |
| TS 29.550 vj20 | 5G Steering of Roaming Service Based Interface | Rel-19 |
| TS 29.571 vj50 | Common Data Types for 5G Service Based Interfaces | Rel-19 |
| TS 29.591 vj40 | 5G NEF Southbound Services Stage 3 | Rel-19 |
| TS 29.594 vj20 | 5G Spending Limit Control Service Stage 3 | Rel-19 |
| TS 29.890 vg00 | CT3 5G System Technical Report | Rel-16 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 32.255 vk10 | Telecom Management; Charging for 5G Data Connectivity | Rel-20 |
| TS 32.256 vj40 | 5G Connection & Mobility Charging Spec | Rel-19 |
| TS 32.291 vj40 | Charging Management: Service-Based Interface Protocol | Rel-19 |
| TS 33.126 vj30 | Lawful Interception Requirements | Rel-19 |
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.514 vk00 | 5G Security Assurance for UDM | Rel-20 |
| TR 33.741 vi01 | Home Network Triggered Authentication | Rel-18 |
| TS 33.749 vj00 | Study on security aspects of edge computing enhancement | Rel-19 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |
| TR 33.841 vg10 | Security aspects; Study on 256-bit algorithms for 5G | Rel-16 |
| TR 33.938 vj10 | 3GPP Cryptographic Inventory for 5G | Rel-19 |