Understanding SUPI in 5G: Subscription Permanent Identifiers Explained


Understanding SUPI in 5G: What You Need to Know About Subscription Permanent Identifiers

Introduction: The Basics of Subscriber Identity in 5G

Every mobile network relies on subscriber identity as the backbone for connectivity, billing, and security. From GSM to LTE, the International Mobile Subscriber Identity (IMSI) has been the go-to unique identifier for users. But with 5G, the way we manage identities has changed to address tougher privacy and security issues.

At the heart of this change is the SUPI (Subscription Permanent Identifier). Like the IMSI in LTE, SUPI serves as the permanent identifier for subscribers, but in 5G, it’s combined with enhanced security features to keep identities safe from exposure.

If you take a look at the image above, you’ll see how SUPI is structured, incorporating key elements like MCC, MNC, and MSIN. Let’s break this down further.

What is SUPI in 5G?

SUPI (Subscription Permanent Identifier): A unique ID assigned to each 5G subscriber.

It’s stored securely in the USIM (Universal Subscriber Identity Module).

It’s not intended to be transmitted openly over the air.

In 5G, instead of sending the SUPI during registration, the UE conceals it as a SUCI (Subscription Concealed Identifier) before sharing it. This approach keeps the SUPI hidden from potential attackers while it still functions as the root identity within the core network.

The Connection Between SUPI and IMSI

SUPI might vary depending on the identifier type, but for most 5G mobile subscriptions, it’s typically derived from the IMSI.

IMSI (International Mobile Subscriber Identity): Traditionally used across 2G, 3G, and 4G.

SUPI (Subscription Permanent Identifier): The 5G equivalent that can represent IMSI, Network Access Identifier (NAI), or other formats.

For standard 5G implementations, you can think of SUPI as IMSI.

Breaking Down the SUPI Structure

According to 3GPP standards, SUPI has a numeric format that can be 15 or 16 digits long.

From the image above, it’s divided into three parts:

MCC (Mobile Country Code) – 3 Digits

Indicates the subscriber's country.

For instance:

310 → United States

404 → India

234 → United Kingdom

MNC (Mobile Network Code) – 2 or 3 Digits

Identifies the subscriber’s home network operator.

Examples:

260 → T-Mobile USA

01 → Vodafone Germany

70 → Tata Docomo India

MSIN (Mobile Subscription Identification Number) – Up to 10 Digits

Identifies the specific subscriber within the operator’s network.

This is assigned by the operator during SIM provisioning.

So the complete structure can be summed up as:

SUPI = MCC (3) + MNC (2 or 3) + MSIN (up to 10)

Example of SUPI Based on IMSI

MCC | MNC | MSIN | SUPI (IMSI)
310 | 260 | 1234567890 | 3102601234567890
404 | 70 | 9876543210 | 404709876543210

In this example:

MCC = 310 → United States

MNC = 260 → T-Mobile

MSIN = Unique subscriber number
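
An added example (not code from the original article) that splits an IMSI-based SUPI into the three fields above. Because the MNC can be 2 or 3 digits, the digit string alone can be ambiguous; the `MNC_LENGTH_BY_MCC` table and the function names are assumptions, built only from this page's two sample rows.

```javascript
// Added example (not from the original article): splitting an IMSI-based SUPI.
// MNC_LENGTH_BY_MCC is a constructed table built only from this page's two sample
// rows; a real system needs authoritative numbering-plan data for every MCC.
const MNC_LENGTH_BY_MCC = { '310': 3, '404': 2 };
const MAX_MSIN_DIGITS = 10; // "MSIN (up to 10)" as given on this page

// Every split of the digits that fits MCC(3) + MNC(2 or 3) + MSIN(1..10).
function candidateSplits(supi) {
  if (!/^\d+$/.test(supi)) throw new Error('IMSI-based SUPI must contain only decimal digits');
  return [2, 3]
    .map((n) => ({ mcc: supi.slice(0, 3), mnc: supi.slice(3, 3 + n), msin: supi.slice(3 + n) }))
    .filter((s) => s.mnc.length >= 2 && s.msin.length >= 1 && s.msin.length <= MAX_MSIN_DIGITS);
}

// Resolve the ambiguity with per-MCC knowledge; refuse to guess when it is missing.
function parseSupi(supi, mncLengths = MNC_LENGTH_BY_MCC) {
  const splits = candidateSplits(supi);
  const mcc = supi.slice(0, 3);
  const mncLen = mncLengths[mcc];
  if (mncLen === undefined) {
    throw new Error(`MNC length unknown for MCC ${mcc}: ${splits.length} possible split(s)`);
  }
  const match = splits.find((s) => s.mnc.length === mncLen);
  if (!match) throw new Error('digit count does not fit MCC + MNC + MSIN for this MCC');
  return match;
}
```

For the second sample row, `candidateSplits` returns two well-formed splits (MNC 70 and MNC 709), which is why `parseSupi` rejects an MCC it has no MNC length for rather than guessing.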

How SUPI Works in 5G

Stored in the SIM/USIM: Each device securely holds its SUPI.

Authentication Use: Core components like UDM and AUSF depend on SUPI for authentication.

Mapped to GUTI: During active sessions, SUPI links to temporary identifiers like GUTI to enhance security.

In simple terms, SUPI is the anchor identity for a subscriber, while SUCI and GUTI serve as privacy-preserving identifiers on the air interface.

SUPI vs. SUCI: What’s the Difference?

Feature | SUPI | SUCI
Definition | Permanent subscriber identity | Concealed (encrypted) SUPI
Length | 15–16 digits | Variable (depends on scheme)
Exposure | Never transmitted in plaintext | Always transmitted instead of SUPI
Protection | Stored securely in USIM | Generated dynamically by UE
Example | 310260123456789 | Encrypted string

Enhancements to Security with SUPI

One big concern in past generations was IMSI catching attacks, where unauthorized base stations could trick devices into revealing their permanent identities.

With 5G:

SUPI is never sent out over the air.

The UE creates SUCI using the home network’s public key.

Only the home network can decrypt SUCI back to SUPI.

This design makes it much harder for attackers to intercept or misuse subscriber identities.

The Role of SUPI in Identity Management

SUPI plays a crucial part in various identity management processes in 5G:

Authentication: It serves as the main ID used in authentication within the core network.

Roaming: SUPI maintains unique global identification across networks.

Billing: Operators associate subscriber accounts and services with SUPI.

Session Management: SUPI links to temporary identifiers like GUTI to facilitate smooth mobility and session management.

SUPI in Roaming Situations

When a subscriber roams to another country, SUPI guarantees seamless global identification. For example:

An Indian user (MCC = 404, MNC = 70) roaming in the U.S.

SUPI ensures the visited network can accurately identify and send authentication requests to the subscriber’s home network.

Privacy is maintained because only SUCI is shared at first, while the SUPI stays hidden until decrypted by the home UDM.
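
The concealment described under "Enhancements to Security with SUPI" and the roaming flow above, sketched as an added example that is not from the original article: the UE encrypts only the MSIN under the home network's public key and leaves MCC/MNC readable so a visited network can route the request. The ECIES construction (X25519, ANSI X9.63 KDF, AES-128-CTR, 8-byte HMAC-SHA-256 tag) and all function names are assumptions modelled on Profile A of 3GPP TS 33.501 Annex C, not details given on this page.

```javascript
// Added example (not from the original article): ECIES-style SUCI concealment.
// Sizes and key order are assumptions modelled on Profile A, 3GPP TS 33.501 Annex C.
const crypto = require('node:crypto');
const SPKI_PREFIX = Buffer.from('302a300506032b656e032100', 'hex'); // X25519 SPKI DER header

// ANSI X9.63 KDF with SHA-256: SHA-256(secret || 32-bit counter || sharedInfo), counter from 1.
function x963Kdf(secret, sharedInfo, length) {
  const blocks = [];
  for (let counter = 1; blocks.length * 32 < length; counter++) {
    const ctr = Buffer.alloc(4);
    ctr.writeUInt32BE(counter);
    blocks.push(crypto.createHash('sha256').update(secret).update(ctr).update(sharedInfo).digest());
  }
  return Buffer.concat(blocks).subarray(0, length);
}

// Both sides derive the same AES key, initial counter block and MAC key from the ECDH secret.
function deriveKeys(privateKey, publicKey, ephPub) {
  const k = x963Kdf(crypto.diffieHellman({ privateKey, publicKey }), ephPub, 64);
  return { encKey: k.subarray(0, 16), icb: k.subarray(16, 32), macKey: k.subarray(32) };
}
const mac8 = (macKey, data) => crypto.createHmac('sha256', macKey).update(data).digest().subarray(0, 8);

// MSIN digits as swapped-nibble BCD, with an 0xF filler when the digit count is odd.
function bcdEncode(digits) {
  const d = digits.length % 2 ? digits + 'f' : digits;
  return Buffer.from(d.match(/../g).map((p) => parseInt(p[1] + p[0], 16)));
}
const bcdDecode = (buf) =>
  [...buf].map((b) => (b & 15).toString(16) + (b >> 4).toString(16)).join('').replace(/f$/, '');

// UE side: fresh ephemeral key per call; only the MSIN is encrypted, MCC/MNC stay readable.
function conceal(mcc, mnc, msin, homePublicKey) {
  const eph = crypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' }).subarray(12);
  const { encKey, icb, macKey } = deriveKeys(eph.privateKey, homePublicKey, ephPub);
  const ct = crypto.createCipheriv('aes-128-ctr', encKey, icb).update(bcdEncode(msin));
  return { mcc, mnc, schemeOutput: Buffer.concat([ephPub, ct, mac8(macKey, ct)]) };
}

// Home network side: verify the tag before decrypting, then rebuild the SUPI.
function deconceal(suci, homePrivateKey) {
  const out = suci.schemeOutput;
  const [ephPub, ct, tag] = [out.subarray(0, 32), out.subarray(32, -8), out.subarray(-8)];
  const ephKey = crypto.createPublicKey({ key: Buffer.concat([SPKI_PREFIX, ephPub]), format: 'der', type: 'spki' });
  const { encKey, icb, macKey } = deriveKeys(homePrivateKey, ephKey, ephPub);
  if (!crypto.timingSafeEqual(tag, mac8(macKey, ct))) throw new Error('SUCI MAC check failed');
  return suci.mcc + suci.mnc + bcdDecode(crypto.createDecipheriv('aes-128-ctr', encKey, icb).update(ct));
}
```

Because each call to `conceal` uses a new ephemeral key, two registrations by the same subscriber produce different scheme outputs, so an observer on the air interface cannot link them by comparing bytes.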

Challenges with SUPI and Network Security

Even though SUPI boosts identity management in 5G, there are still hurdles operators need to face:

Key Management: Operators have to securely manage the encryption keys used for generating SUCI.

Interoperability: Global roaming requires a consistent approach to handling SUPI across networks.

Scalability: With billions of devices, operators need effective SUPI management to avoid performance issues.

Conclusion: SUPI as the Core of Subscriber Identity in 5G

The Subscription Permanent Identifier (SUPI) is fundamental to how subscriber identity works in 5G networks. Building on the IMSI used in earlier generations, SUPI provides every subscriber with a unique, globally recognized identity.

Here’s a quick recap:

SUPI usually aligns with the IMSI structure: MCC + MNC + MSIN.

It’s never directly revealed over the air in 5G.

Instead, it’s transformed into SUCI before being sent.

SUPI is vital for authentication, billing, mobility management, and roaming.

By integrating SUPI with privacy-focused identifiers like SUCI and GUTI, 5G strikes a balance between maintaining identity integrity and ensuring subscriber privacy. For those in telecom, understanding SUPI is key to grasping how modern networks securely manage identities at scale.