How can we identify a UE without transmitting its permanent identity in clear text over the radio? This is the question we will answer in this video which is a bit long and complex. Here we go. The SUPI or "SUbscription Permanent Identifier" is the globally unique permanent identifier of UE in a 5G network. Quite often, the SUPI is an IMSI or "International Mobile Subscriber Identifier" which was defined in previous generations. Keeping the IMSI simply allows interworking for example with 4G networks but also 3G and 2G networks. The IMSI is formed by a network identity which is itself made up of a "Mobile Country Code" (MCC) and a Mobile Network Code (or MNC). Each operator assigns to each subscriber a serial number known as the Mobile Subscriber Identification Number or MSIN, which is unique in its network. When a user travels abroad, I mean, in the case of international roaming, at the network request the UE indicates its permanent identifier, the IMSI. Why is this? Because it is generally not possible to route the attachment request correctly using the temporary identity also known as the GUTI. What is done with IMSI? In the visited network, there is an analysis of the Mobile Country Code and the Mobile Network Code in order to route to the right home network. But in the home network, there may be several HSS databases. HSS means "Home Subscriber Server" in the case of 4G. And we can have several UDM instances in the case of 5G. Each HSS or UDM instance, manages a range of MSIN numbers. Therefore, in the home network, the first digits of MSIN or in other words the most significant bits must be analyzed to route to the right HSS, namely the one that manages the subscriber. Our objective is to disguise the SUPI by creating a SUCI or Subscription Concealed Identifier, but we must be able to continue routing in the case of international roaming. For this to be possible, the MNC and MCC remain in clear text and only the MSIN will be encrypted. Since 2G, security procedures have been based on asymmetric key. This means that the same subscriber specific key K is stored in the SIM card and in the security database. In 5G, it's the ARPF. Each subscriber has their own key. When there is an attachment request, the AMF, for example, makes a request for a security vector for the IMSI. From the knowledge of the MSIN contained in the IMSI, we can determine the key K and generate the encryption key that is therefore specific to the requesting UE. If we encrypt the IMSI from the key K we would have a version of the encrypted MSIN. To decrypt, we need access to the key K which requires the MSIN in clear text. So, there is a chicken and egg problem to solve. The goal is to have a key that is shared between the UE and the SIDF and to keep it secret with messages exchange in clear text. This is possible, thanks to Diffie-Helmann key exchange which is based on asymmetric cryptography. We have a specific video in the mooc for people who are not familiar with this kind of key exchange. So how is the SUCI built? Well, we have just said that the asymmetric key principle is used. There is a first key pair with a private key stored in the SIDF and the corresponding public key that is stored in the sim card. For all subscribers, it's the same public key. And there is a second key pair that will change over time. The UE randomly draws a secret key and deduces the corresponding public key, which can therefore be transmitted externally. From the public key transmitted by the UE and the private key stored in the SIDF, the later calculates key and the same key is obtained by the UE taking this time the public key stored by the operator in the SIM card and the secret key generated by the UE. All this makes it possible to have one shared key, which was our goal. This key is referred to as ephemeral because it's only used to create the SUCI. This shared ephemeral key is used to calculate an encryption sequence. Here, XOR means "exclusive OR" as usual. The UE XORes this sequence with the MSIN, (the serial number) and creates an encrypted version of the MSIN. The UE transmits this encrypted version of the MSIN and adds the public key it created. The SIDF for its part takes the private key it has stored and with the public key that is received, calculates the shared ephemeral key. It then deduces the same encryption sequence as the UE and by XORing the encrypted version of the MSIN, it is able to deduce the plaintext MSIN. An attacker might decide to modify the SUCI that is transmitted. So, we need to protect the SUCI with a Message Authentication Code or MAC. This message authentication code is calculated from the shared secret key and it's added to that what we have seen in the SUCI. When the SIDF receives a SUCI, it will first check that there have been no changes along the way. It will therefore check with the shared secret key that the MAC is valid. If the MAC is not valid, we stop. If the MAC is valid then the MSIN is decrypted. Note that this avoids having a change in the SUCI along the way. However, it's very easy for an attacker to create a valid SUCI from any IMSI. So verifying the MAC of a SUCI is not an authentication of the SUPI. On the other hand, it is possible that the private key might be broken. In this case the operator will try to use a new key but should not have to modify the SIM cards. So, he does not prepare a single private key and its corresponding public key. Instead, he prepares a set, which means that we have to indicate the number of the key that is used in the SUCI. So, we integrate this number into the SUCI. So we have a SUCI that is relatively complex. In the SUCI we must first indicate the following elements, the type of the SUPI: it's 0 when it is an IMSI that has been used. The identity of the home network: the MCC mobile country code and the MNC mobile network code. We add the routing indications which are the equivalent of the MSIN most significant bits. We add an indicator because the SUCI might evolve in the future and we can use other algorithm and we integrate the network public key number. The UE public key itself is transmitted. Note that it is between 256 and 264 bits. Finally, we add the encrypted MSIN as well as the MAC to verify integrity. This gives us a SUCI that is typically 400 bits long, which can be compared to the 60 bits of SUPI when it's an IMSI. The SUCI is therefore relatively longer. The terminal with the SIM card creates the SUCI. It transmits it to the AMF. The AMF as we have seen analyzes the PLMN code to route to the right home network. In the home network, there is an analysis of the routing indication in order to route to the right UDM instance. The SUCI is sent to the UDM and the SIDF function provides the SUPI, which can then be transmitted to the visited network or more precisely to the AMF of the visited network. To sum up, in 5G we have the SUPI or the permanent identity, which in practice is equivalent of the IMSI we are familiar with in 4G networks. Normally, the SUPI is never transmitted and a concealed version called SUCI (SUbscription Concealed Identifier) is created. Part of the SUPI is encrypted using asymmetric cryptography. And we also use protection by the Message Authentication Code known as the MAC. The disclosure of the SUPI from the SUCI is provided by the SIDF of the home network. Note that the GUTI for "Globally-Unique Temporary Identifier" is still used most of the time. The main purpose of the SUCI is that when the GUTI cannot be used or is not available because it's the first time the UE is being used, using SUCI avoids transmitting the SUPI in clear text. The limitation of the SUCI is that it's an optional mechanism. Therefore, there can be no absolute guarantee of security, since it might not be used. On the other hand, there is a certain operational cost for the operator to implement SUCI. The private public key pairs need to be created. The same cards have to be updated and the SIDF must be implemented.
