5G UE Identifier
- Summary
-
Discussion
- What's the structure of SUPI and SUCI?
- What's the use of PEI?
- What's the structure of 5G-GUTI?
- What's the structure of GPSI?
- What's NAI format?
- How does the 5G Core manage SUPI and 5G-GUTI?
- How's a 5G UE identified on the NG interface?
- Which are the main RNTIs used to identify a UE?
- How do 5G UE identifiers map to their 4G equivalents?
- Milestones
- Sample Code
- References
- Further Reading
- Article Stats
- Cite As
Since the 5G System (5GS) serves millions of subscribers, each subscriber must be identified uniquely within the system. A subscriber uses a User Equipment (UE) to connect to 5GS. USIM in the UE stores a permanent identifier called Subscription Permanent Identifier (SUPI). Mobile Equipment (ME) is identified by Permanent Equipment Identifier (PEI).
While the UE is registered with the network, it's allocated a temporary identifier called 5G Globally Unique Temporary Identifier (5G-GUTI). The network maintains a mapping of 5G-GUTI to SUPI. Where possible for security reasons, the UE and the network use 5G-GUTI in all procedures.
Within the NG-RAN, a UE is identified with Radio Network Temporary Identifier (RNTI). There are many types of RNTI, some even used to address a group of UEs.
Discussion
-
What's the structure of SUPI and SUCI? Subscription Permanent Identifier (SUPI) is the subscriber's permanent identifier. It's provisioned in the UDM/UDR. Operator allocates SUPI to uniquely identify the subscriber. SUPI is used only inside 5GS.
SUPI can be based on International Mobile Subscriber Identity (IMSI), Network Specific Identifier (NSI), Global Cable Identifier (GCI) or Global Line Identifier (GLI). GCI and GLI are used for wireline access network and Fixed Wireless Access.
IMSI-based SUPI has three parts: Mobile Country Code (MCC) of 3 digits, Mobile Network Code (MNC) of 2-3 digits, and Mobile Subscriber Identification Number (MSIN) of maximum 10 digits.
SUPI is never sent in the clear over the air interface. It's concealed into a form called Subscription Concealed Identifier (SUCI). The MSIN (IMSI) or username (non-IMSI) is encrypted and is part of the Scheme Output. Elliptic Curve Integrated Encryption Scheme (ECIES) is used to conceal SUPI.
When UE sends SUCI to 5GS, UDM/SIDF de-conceals SUPI from SUCI. Once authenticated, UDM provides the SUPI to AMF.
-
What's the use of PEI? While SUPI identifies the subscriber, Permanent Equipment Identifier (PEI) identifies the mobile equipment hardware. For 3GPP access, PEI is International Mobile Equipment Identity (IMEI) or IMEI and Software Version (IMEISV). For non-3GPP access, a MAC address or an IEEE Extended Unique Identifier (EUI-64) is used.
IMEI has three parts: Type Allocation Code (TAC); Serial Number (SNR); and Check Digit (CD) or Spare Digit (SD). When UE sends IMEI, for the last digit it sends 0 (if SD) or omits it (if CD).
IMEISV has three parts: TAC; SNR; and Software Version Number (SVN). TAC and SNR of IMEISV must match those of IMEI.
GSM Association allocates TAC. Manufacturer allocates SNR in sequential order. SVN is incremented with software upgrades but the value 99 is reserved.
AMF may ask UE to send its PEI during initial registration via the Security Mode Command procedure. It then requests 5G-Equipment Identity Register (5G EIR) to check if the PEI is blacklisted. If so, that UE isn't allowed to access 5G services.
-
What's the structure of 5G-GUTI? Instead of SUCI, 5G-GUTI is used on the air interface. It preserves the privacy of the subscriber's identity. 5G-GUTI as a whole is 80 bits with these parts:
- PLMN: 24 bits. Identifies the operator. Consists of 3 digits of MCC and 2-3 digits of MNC. When encoded for signalling purpose, MCC and MNC are 12 bits each.
- AMF Identifier (AMFI): 24 bits. Identifies the AMF that registered the UE. Consists of AMF Region ID (8 bits), AMF Set ID (10 bits) and AMF Pointer (6 bits).
- 5G Temporary Mobile Subscription Identifier (5G-TMSI): 32 bits. AMF assigns this. Identifies the UE uniquely within the AMF regardless of 3GPP or non-3GPP access. The 10 LSBs must be evenly distributed since these bits influence UE paging.
PLMN together with AMFI is called Globally Unique AMF Identifier (GUAMI). If multiple AMFs share the same GUAMI value, 5G-TMSI shall be unique among all those AMFs.
On the air interface for paging or service request, a shortened 48-bit version of 5G-GUTI called 5G-S-TMSI is used. For NB-IoT RRC Connection Establishment, there's Truncated 5G-S-TMSI that shortens 5G-S-TMSI further to 40 bits.
-
What's the structure of GPSI? Generic Public Subscription Identifier (GPSI) is used by networks outside the 3GPP system to identify a subscriber. It's a public identifier. The 3GPP system maintains a mapping between GPSI and SUPI. However, there need not be a one-to-one mapping between the two. GPSI is either Mobile Station ISDN (MSISDN) or an External Identifier.
MSISDN consists of three parts: Country Code (CC), National Destination Code (NDC), and Subscriber Number (SN).
External Identifier is of the form
username@realm
. In 3GPP, this is implemented as<Local Identifier>@<Domain Identifier>
. An example of this is123456789@domain.com
. -
What's NAI format? RFC 7542 details the Network Access Identifier (NAI). It follows a standard format that domains can use to identify users. This helps with inter-domain authentication services. For example, a user with a valid credentials in the home domain can present those credentials to a visited domain. Due to NAI standardization, the latter can identify and contact the home domain to verify those credentials.
NAI format is
username
,@realm
orusername@realm
. In 5GS, the formusername@realm
is used. For SUPI and SUCI, the realm part includes MCC and MNC. For SNPN, realm also includes the NID. The username part includes MSIN or Network Specific Identifier (NSI). Where SUPI is based on NSI, GCI or GLI, NAI format is used.Here are a few examples given IMSI=234150999999999 (MCC=234, MNC=15, MSIN=0999999999), Routing Indicator=678, NSI=user17@example.com, Home Network Public Key Identifier=27, IMEI=219551288888888, MAC address=44-45-53-54-00-AB:
- SUPI/IMSI:
0999999999@5gc.mnc015.mcc234.3gppnetwork.org
- SUCI/IMSI + Null Scheme:
type0.rid678.schid0.userid0999999999@5gc.mnc015.mcc234.3gppnetwork.org
- SUCI/IMSI + ECIES Profile A:
type0.rid678.schid1.hnkey27.ecckey<ECC ephemeral public key>.cip<encryption of 0999999999>.mac<MAC tag value>@5gc.mnc015.mcc234.3gppnetwork.org
- SUCI/NSI + Null Scheme:
type1.rid678.schid0.useriduser17@example.com
- Emergency identifier:
imei219551288888888@sos.invalid
if IMEI is available, elsemac4445535400AB@sos.invalid
using MAC address
- SUPI/IMSI:
-
How does the 5G Core manage SUPI and 5G-GUTI? AMF in the Serving Network (SN) maintains UE context. This typically includes SUPI, 5G-GUTI, GPSI and PEI. If for any reason the SN is unable to identify the UE from 5G-GUTI, it sends Identity Request to the UE. UE responds with a freshly generated SUCI. AMF initiates authentication with this SUCI. Upon successful authentication, AMF assign a new 5G-GUTI for the UE.
UE without NAS security context is allowed to send SUCI, 5G-GUTI and PEI in the clear. Only after successful activation of a NAS security context, is a new 5G-GUTI sent to the UE. AMF may assign a new 5G-GUTI anytime but mandatorily in the following scenarios:
- UE sends a Registration Request message of type initial registration, mobility registration update, or periodic registration update.
- UE sends a Service Request message in response to a Paging message.
During registration, gNB identifies the AMF based on GUAMI or 5G-S-TMSI received via RRC signalling from the UE. Without these, gNB selects an AMF based on RAT and Requested NSSAI. During N2 Handover, 5G-GUTI is used between old and new AMFs for UE context transfer.
-
How's a 5G UE identified on the NG interface? NG interface connects NG-RAN to 5G Core. This has two parts. N2 interface connects gNB and AMF. It carries control plane NGAP messages over SCTP. N3 interface connects gNB and UPF. It carries user plane PDUs over GTP-U.
On N2, two identifiers are used:
- AMF-UE-NGAP-ID: 40 bits. Identifies UE over the N2 interface within the AMF Set. AMF allocates this and sends to gNB in Initial Context Setup Request or Downlink NAS Transport.
- RAN-UE-NGAP-ID: 32 bits. Identifies UE over the N2 interface within the gNB. gNB allocates this and sends to AMF in the Initial UE Message.
In practice, gNB is not a monolith. Due to new F1 and E1 interfaces connecting gNB's disaggregated parts, many more UE IDs are defined: gNB-CU-UE-F1AP-ID, gNB-DU-UE-F1AP-ID, gNB-CU-CP-UE-E1AP-ID, gNB-CU-UP-UE-E1AP-ID, etc. During Xn handovers, Old-NG-RAN-node-UE-XnAP-ID and New-NG-RAN-node-UE-XnAP-ID are relevant. In general, each of this is an Application Protocol Identity (AP ID) used to identify a UE-specific logical connection.
On N3, Tunnel Endpoint Identifier (TEID) is used to indirectly identify the UE to which a particular GTP-U packet belongs. In addition, UE is allocated an IP address for each PDU session.
-
Which are the main RNTIs used to identify a UE? Radio Network Temporary Identifier (RNTI) is used to identify a UE over the radio interface. Cell RNTI (C-RNTI) is used within the cell. A UE in RRC_CONNECTED state will have a C-RNTI. When there's no RRC Connection, Random Access RNTI (RA-RNTI) and Temporary C-RNTI (TC-RNTI) are used.
RNTI is not actually transmitted to address a UE. RNTI is used to scramble the CRC bits. UE will do the reverse and if the CRC verification passes, it will continue processing the downlink message. Something similar happens in the uplink. Though there are many RNTIs, depending on the channel being received and the UE's current state, only a few RNTIs need to be tested.
Most RNTIs are 32 bits. I-RNTI of 40 bits is used for a UE in RRC_INACTIVE state. Short-I-RNTI is 24 bits. Short-MAC-I of 16 bits is used during RRC Connection Re-establishment.
Only after a successful activation of an AS security context, is a new I-RNTI sent to the UE. New I-RNTI is assigned when UE enters RRC_INACTIVE state or during RNAU procedure.
-
How do 5G UE identifiers map to their 4G equivalents? We note the following 4G↔5G equivalents:
- IMSI↔SUPI: SUPI is often based on IMSI.
- IMEI↔PEI: 4G's IMEI has been extended to PEI, which caters for non-3GPP access as well.
- GUTI↔5G-GUTI: Both are 80-bit values that start with MCC and MNC. MME Identifier (MMEI) in GUTI is replaced with AMFI in 5G-GUTI. M-TMSI is replaced with 5G-TMSI.
- S-TMSI↔5G-S-TMSI: While S-TMSI is 40 bits, 5G-S-TMSI is 48 bits.
- MSISDN↔GPSI: GPSI is either an MSISDN or an External Identifier.
When UE moves from MME to AMF, the specifications define how to map GUTI to 5G-GUTI. The reverse happens when UE moves from AMF to MME. The mapping is shown in the figure.
Milestones
2016
2017
3GPP approves the first specifications for 5G, called "early drop" of Release 15. This is followed with "main drop" (Jun 2018) and "late drop" (Mar 2019). TS 23.003 specification, titled Numbering, addressing and identification, defines the following: 5G-GUTI (Dec 2017); SUPI, SUCI and GUAMI (Jun 2018); PEI (Sep 2018); and GPSI (Dec 2018).
Sample Code
References
- Dahlman, Erik, Stefan Parkvall, and Johan Skold. 2018. "5G NR: The Next Generation Wireless Access Technology." Academic Press. Accessed 2021-02-14.
- Dano, Mike. 2019. "Another set of 5G standards was just released, but no one really cares." LightReading, April 5. Accessed 2024-04-17.
- DeKoK, A. 2015. "The Network Access Identifier." RFC 7542, IETF, May. Accessed 2024-04-15.
- Dominato, L. B., H. C. de Resende, C. B. Both, J. M. Marquez-Barja, B. O. Silvestre, and K. V. Cardoso. 2021. "Tutorial on communication between access networks and the 5G core." v2, arXiv, December 23. Accessed 2024-04-17.
- ETSI. 2022a. "TS 129 511: 5G; 5G System; Equipment Identity Register Services; Stage 3." V17.3.0, July. Accessed 2024-04-17.
- ETSI. 2022b. "TS 138 414: 5G; NG-RAN; NG data transport." V17.0.0, April. Accessed 2024-04-17.
- ETSI. 2022c. "TS 123 003: Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; Numbering, addressing and identification." V15.11.0, January. Accessed 2024-04-17.
- ETSI. 2023a. "TS 123 003: Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; Numbering, addressing and identification." V17.10.0, July. Accessed 2024-04-15.
- ETSI. 2023b. "TS 123 316: 5G; Wireless and wireline convergence access support for the 5G System (5GS)." V17.5.0, September. Accessed 2024-04-16.
- ETSI. 2024a. "TS 123 501: 5G; System architecture for the 5G System (5GS)." V17.11.0, January. Accessed 2024-04-15.
- ETSI. 2024b. "TS 123 502: 5G; Procedures for the 5G System (5GS)." V17.11.0, January. Accessed 2024-04-15.
- ETSI. 2024c. "TS 138 202: 5G; NR; Services provided by the physical layer." V17.5.0, February. Accessed 2024-04-16.
- ETSI. 2024d. "TS 138 321: 5G; NR; Medium Access Control (MAC) protocol specification." V17.7.0, February. Accessed 2024-04-16.
- ETSI. 2024e. "TS 138 331: 5G; NR; Radio Resource Control (RRC); Protocol specification." V17.7.0, February. Accessed 2024-04-16.
- ETSI. 2024f. "TS 138 413: 5G; NG-RAN; NG Application Protocol (NGAP)." V17.7.0, February. Accessed 2024-04-17.
- ETSI. 2024g. "TS 138 401: 5G; NG-RAN; Architecture description." V17.7.0, February. Accessed 2024-04-17.
- ETSI. 2024h. "TS 133 501: 5G; Security architecture and procedures for 5G System." V17.12.0, January. Accessed 2024-04-03.
- ETSI. 2024i. "TS 133 127: Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; Lawful Interception (LI) architecture and functions." V17.11.0, January. Accessed 2024-04-17.
- EventHelix. 2024. "5G Standalone Access Registration Signaling Messages." EventHelix. Accessed 2024-04-15.
- GSMA. 2023. "RSP Technical Specification." V3.1 Final, GSMA, December 1. Accessed 2024-04-17.
- Mitchell, G. 2022. "5G Anonymity and the SUCI." Blog, Mpirical, January 24. Accessed 2024-04-16.
- Nick. 2021. "EIR in 5G Networks (N5g-eir_EquipmentIdentityCheck)." Blog, Nick vs Networking, July 10. Accessed 2024-04-17.
- Oppido, L. and R. Kengly. 2024. "How to Find the 32-Digit EID Number on iPhone and Android." wikiHow, January 18. Accessed 2024-04-17.
- Pauliac, M. 2020. "USIM in 5G Era." Journal of ICT Standardization, River Publishers, vol. 8, no. 1, pp. 29-40. doi: 10.13052/jicts2245-800X.813. Accessed 2024-04-16.
- Samsung. 2016. "Samsung to Release Gear S2 classic 3G with GSMA Compliant eSIM." News, Samsung, February 18. Accessed 2024-04-17.
- Tech Junction. 2023. "GUTI." Encyclopedia, Tech Junction, November 11. Accessed 2024-04-15.
- Techplayon. 2018. "5G Radio Network Temporary Identifier | 5G RNTI." Techplayon, November 5. Updated 2023-12-07. Accessed 2024-04-16.
- Telcoma Global. 2024. "5G Identifiers." Telcoma Global. Accessed 2014-04-16.
Further Reading
- ETSI. 2023a. "TS 123 003: Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; Numbering, addressing and identification." V17.10.0, July. Accessed 2024-04-15.
- Techplayon. 2018. "5G Radio Network Temporary Identifier | 5G RNTI." Techplayon, November 5. Updated 2023-12-07. Accessed 2024-04-16.
- DeKoK, A. 2015. "The Network Access Identifier." RFC 7542, IETF, May. Accessed 2024-04-15.
Article Stats
Cite As
See Also
- 5G NR RNTI
- 5G Authentication
- 5G UE Capabilities
- 5G Unified Access Control
- 5G Technology
- 5G Service-Based Architecture