SUPI/SUCI Encryption Analyzer

Analyze the encryption transformation from 5G SUPI (Subscription Permanent Identifier) to SUCI (Subscription Concealed Identifier), with real ECIES cryptography

Input Parameters

Protection scheme: 0=Null, 1=Profile A, 2=Profile B

SUPI Structure Breakdown

imsi-460001234567890
Fields: Type | MCC | MNC | MSIN
Protection scheme: Profile A (ECIES-P256*)

SUCI Structure Breakdown (per 3GPP TS 33.501 Section 6.12)

| SUPI Type | Home Network ID | Routing Indicator | Scheme ID | HN PubKey ID | Scheme Output |
|---|---|---|---|---|---|
| 0 | 46000 | 0123 | 1 | 1 | computing... |

Full SUCI (concatenated):
suci-0-46000-0123-1-1-computing...

Field legend: SUPI Type (0=IMSI, 1=NAI); HN-ID (MCC+MNC); Routing Indicator; Protection Scheme (0/1/2); Public Key ID; Scheme Output (encrypted)

Analysis Results

SUPI String: imsi-460001234567890
SUPI Type: IMSI
MCC: 460
MNC: 00
MSIN: 1234567890
Protection Scheme: Profile A (ECIES-P256*)
Scheme ID: 1
Privacy Level: High (ECIES Encrypted)

Privacy Assessment

Privacy Level: High (ECIES Encrypted)
Protection Scheme: Profile
MSIN Status: Encrypted

Threat Analysis: IMSI Catcher Exposure

Comparison of what a passive attacker (IMSI catcher / fake base station) can observe depending on the protection scheme used.

| Identifier Field | Null Scheme | Profile A / B |
|---|---|---|
| SUPI Type | VISIBLE: 0 (IMSI) | VISIBLE: 0 (IMSI) |
| Home Network (MCC+MNC) | VISIBLE: 46000 | VISIBLE: 46000 |
| Routing Indicator | VISIBLE: 0123 | VISIBLE: 0123 |
| MSIN (subscriber identity) | EXPOSED: 1234567890 | PROTECTED: encrypted |
| Full IMSI | EXPOSED: 460001234567890 | PROTECTED: Cannot be derived |
| Subscriber tracking | EXPOSED: Persistent tracking possible | PROTECTED: Each SUCI is unique (fresh ephemeral key) |
| Linkability across sessions | EXPOSED: Same MSIN every time | PROTECTED: Unlinkable (randomized each time) |

Side-by-Side: Null Scheme vs ECIES

Null Scheme (ID 0)
Protection: None
MSIN on air: 1234567890
Key exchange: N/A
Unlinkable: No
suci-0-46000-0123-0-0-1234567890

Profile A / B (ID 1/2)
Protection: ECIES
MSIN on air: encrypted
Key exchange: ECDH (ephemeral)
Unlinkable: Yes (fresh key each time)
suci-0-46000-0123-1-1-...

About SUPI/SUCI

SUPI (Subscription Permanent Identifier) is the 5G permanent subscriber identity, analogous to IMSI in 4G. SUCI (Subscription Concealed Identifier) is the encrypted form of SUPI, used over the air interface to protect subscriber privacy.

Encryption uses the Elliptic Curve Integrated Encryption Scheme (ECIES): Profile A uses X25519 (Curve25519) and Profile B uses secp256r1 (P-256). The home network public key is pre-provisioned in the USIM. Only the home network's UDM/SIDF component can decrypt the SUCI to recover the SUPI.

Each SUCI computation uses a fresh ephemeral key pair, making successive SUCIs unlinkable even for the same subscriber -- a critical property for preventing tracking by IMSI catchers.

Reference: 3GPP TS 33.501 Sections 6.12, Annex C
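
The concealment and de-concealment described above, as an added Node.js example that is not the tool's own code: it shows that two scheme outputs for the same MSIN differ while only the home network private key recovers the MSIN. The Profile A parameters (ANSI X9.63 KDF with SHA-256, AES-128-CTR, 8-byte HMAC-SHA-256 tag, swapped-nibble BCD for the MSIN) and all function names are assumptions based on a reading of TS 33.501 Annex C, not taken from this page.

```javascript
// Added example, not the tool's code. Profile A parameters are assumed from
// 3GPP TS 33.501 Annex C: X25519, ANSI X9.63 KDF (SHA-256),
// AES-128-CTR, HMAC-SHA-256 truncated to 8 bytes.
const nodeCrypto = require('node:crypto');

const SPKI_X25519 = Buffer.from('302a300506032b656e032100', 'hex'); // DER header before the raw key
const rawPub = (key) => key.export({ type: 'spki', format: 'der' }).subarray(-32);
const pubFromRaw = (raw) => nodeCrypto.createPublicKey(
  { key: Buffer.concat([SPKI_X25519, raw]), format: 'der', type: 'spki' });

// MSIN digits are packed two per byte with nibbles swapped, 'f' padding if odd.
const swap = (hex) => hex.match(/../g).map((p) => p[1] + p[0]).join('');
const msinToBcd = (msin) => Buffer.from(swap(msin.length % 2 ? msin + 'f' : msin), 'hex');
const bcdToMsin = (buf) => swap(buf.toString('hex')).replace(/f$/, '');

function deriveKeys(privateKey, publicKey, ephPubRaw) {
  const z = nodeCrypto.diffieHellman({ privateKey, publicKey }); // ECDH shared secret
  const blocks = [1, 2].map((ctr) => nodeCrypto.createHash('sha256')
    .update(z).update(Buffer.from([0, 0, 0, ctr])).update(ephPubRaw).digest());
  const k = Buffer.concat(blocks); // 64 bytes: enc key | initial counter block | MAC key
  return { enc: k.subarray(0, 16), icb: k.subarray(16, 32), mac: k.subarray(32) };
}
const aesCtr = (k, data) => { // CTR mode: the same call encrypts and decrypts
  const c = nodeCrypto.createCipheriv('aes-128-ctr', k.enc, k.icb);
  return Buffer.concat([c.update(data), c.final()]);
};
const macTag = (k, ct) => nodeCrypto.createHmac('sha256', k.mac).update(ct).digest().subarray(0, 8);

// UE side: fresh ephemeral key pair per call, so every scheme output differs.
function conceal(msin, hnPublicKey) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPub = rawPub(eph.publicKey);
  const k = deriveKeys(eph.privateKey, hnPublicKey, ephPub);
  const ct = aesCtr(k, msinToBcd(msin));
  return Buffer.concat([ephPub, ct, macTag(k, ct)]).toString('hex');
}

// Home network (SIDF) side: verify the tag before decrypting.
function deconceal(schemeOutputHex, hnPrivateKey) {
  const out = Buffer.from(schemeOutputHex, 'hex');
  const ephPub = out.subarray(0, 32), ct = out.subarray(32, -8), tag = out.subarray(-8);
  const k = deriveKeys(hnPrivateKey, pubFromRaw(ephPub), ephPub);
  if (!nodeCrypto.timingSafeEqual(tag, macTag(k, ct))) throw new Error('MAC check failed');
  return bcdToMsin(aesCtr(k, ct));
}

// Page's layout: suci-<type>-<MCC+MNC>-<routing indicator>-<scheme>-<key id>-<output>
const suciString = (hnId, ri, keyId, output) => `suci-0-${hnId}-${ri}-1-${keyId}-${output}`;
```

With a home network key pair from `generateKeyPairSync('x25519')`, calling `conceal('1234567890', publicKey)` twice gives two different 45-byte outputs, and `deconceal` with the private key returns `1234567890` for both.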

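Formula and Reference Notes

The teaching implementation uses pseudo-random material derived deterministically from the inputs to reproduce the SUCI generation flow, so the same inputs give the same result.

Study Tips

Besides generating results, the tool page also needs to explain SUPI, SUCI, ECIES, and the key hierarchy.

A teaching-oriented security tool should ensure that the same input can be recomputed, which makes learning and cross-checking easier.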