Suci Computation On Ue

08 May 2022 - Syed Muhammad Shahrukh Hussain

In order to secure mobile subscriber identity 5G has introduced subscriber identity concealment (SUCI). SUCI is defined in 23.501. The Subscription Concealed Identifier (SUCI) is an identifier designed to protect privacy, which is concealment of SUPI. UDM on the network side is responsible for de-concealment of the SUCI to extract SUPI.

In the 5G system, the globally unique identifier for subscriptions that remains permanent is referred to as SUPI. SUPI format for IMSI-based:

IMSI consists of MCC|MNC: '274012' and MSIN: '001002086'**

The Mobile Subscription Identification Number (MSIN) is a 10-digit numeric code assigned by a mobile network operator to uniquely identify a mobile subscriber.

SUPI is never transmitted clear on the network.

There two mechanism to compute SUCI

USIM
- Computation of SUCI on USIM requires crypto support within USIM.
UE
- For UE we can use available crypto library to compute SUCI.

The mechanism of computing SUCI on UE is given in 3gpp document 33.501 section “C.3 Elliptic Curve Integrated Encryption Scheme (ECIES)”.

Following diagram is taken from the same document.

Suci computation generally share inputs method like public key provided by the operator a set of ephemeral private and public keys generated by UE for subscriber. KDF, HMAC and AES 256 are shared for both the profiles. Generation of key and encoding is divided into profiles:

Profile A
- Utilizes Curve25519 for ephemeral keys generation and shared secret.
Profile B
- Uses a compressed public key. Utilizes secp256r1 for ephemeral keys generation and shared secret.

Details of profile A/B is given in C.3.4.1 and C.3.4.2 respectively.

To compute SUCI we need USIM that include DF.5GS within ADF.USIM. Service table is enabled for 124 service. There is an interesting gist shared on this topic pysim-SUCI.md.

So basically you need a SIM that support 5G and has public key and profiles pre provisioned / self provisioned in EF SUCI_Calc_Info 3gpp 31.102

31.102, EF SUCI_Calc_Info

wolfSSL cryptography library that is used to compute SUCI.

For Ubuntu 20.4 you will need necessary build tools(gcc) to build wolfSSL from source and install.

Clone wolfSSL source and on the root folder of wolfSSL

./autogen.sh
./configure --enable-curve25519 --enable-eccencrypt --enable-aesctr --enable-x963kdf --enable-compkey
make -j$(nproc)
sudo make install

Sources are available for SUCI computation on UE for both open source GPL and commercial license.

To build once the sources are cloned, on root folder

mkdir build
cd build
cmake ..
make -j$(nproc)

Run

export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/local/lib"
./suci