Skip to content
5G/6G Academy
5G/6G AcademyTelecom certifications · since 2009
Security

SUCI

Subscription Concealed Identifier: the privacy-preserving, encrypted form of SUPI sent by the UE during registration, using the home network's public key (ECIES scheme).

The SUCI is 5G's answer to a long-standing privacy hole: the IMSI catcher. By concealing the permanent identity before it ever hits the air, it stops a passive attacker from harvesting subscriber identities. The UE encrypts the subscriber's MSIN portion using ECIES (elliptic-curve integrated encryption) with the home network's public key, which is provisioned on the USIM. The routing parts — MCC and MNC — stay in the clear so the visited network knows which home network to forward to.

Only the home network holds the matching private key, so only it can recover the SUPI. A subtle but important detail: ECIES uses a fresh ephemeral key each time, so the same subscriber produces a different SUCI on every registration — no fixed value an attacker could track. There's also a "null scheme" that sends the identity unprotected; it exists for emergencies and unprovisioned cases, but a properly configured network won't rely on it.

Frequently asked questions

Can someone decrypt a SUCI they capture over the air?
Not in practice. The SUCI is encrypted with the home network operator's public key using ECIES, and only the operator holds the corresponding private key (in the SIDF function, typically co-located with the UDM). A captured SUCI can't be reversed without that private key, and because a new ephemeral key is used each time, two SUCIs from the same subscriber don't even look related.

Related terms

SUPIAUSF5G-AKA
Learn SUCI in depthCovered in our 5G Security course — Protect 5G networks from threats.
7-Day Free Trial

Want to truly understand SUCI? Learn it in context — free for 7 days.

SUCI is taught inside our 5G Security course with diagrams, labs and a TelcoMentor AI coach. Start a free 7-day Pro trial — no credit card.

  • No credit card
  • Full Pro access
  • 21 verifiable certs
  • TELCOMA since 2009
Start My 7-Day Trial

Get weekly 5G/LTE engineering deep-dives

One technical breakdown every Tuesday — plus first access to new tools and lessons. No spam, no marketing, just engineering. Unsubscribe in one click.

Back to glossary