5G/6G Academy

Telecom certifications · since 2009

SUPI / SUCI Analyzer

Paste a SUCI NAI string (suci-0-MCC-MNC-RI-Scheme-HNPKI-SchemeOutput), a raw hex SUCI payload (per TS 24.501 §9.11.3.4), or a plain IMSI — and see every field decoded instantly.

Detected format: SUCI-NAI
SUPI Type: 0 · IMSI
MCC: 208
MNC: 93
Routing Indicator: 0
Protection Scheme: 0 · Null scheme (IMSI in the clear)
HNPKI: 0
MSIN: 0000000001
Null protection scheme detected. The IMSI / MSIN is transmitted in the clear — this is equivalent to 4G privacy (i.e. none). Production networks should enforce ECIES Profile A or Profile B per TS 33.501 §6.12.
Warnings
  • Protection Scheme = 0 (null) — the SUPI / IMSI portion is sent in the clear.
Notes
  • Routing Indicator = 0 means no NSSAI-based AUSF routing (default).
  • Scheme Output in the null case is the raw MSIN.

Field reference

| Field | Values | Meaning |
|---|---|---|
| SUPI Type | 0 / 1 | 0 = IMSI, 1 = NAI (network-specific) |
| MCC | 3 digits | Mobile Country Code (e.g. 208 = France) |
| MNC | 2–3 digits | Mobile Network Code (operator within country) |
| Routing Ind | 0 – 999 | Steers the SUCI to the right AUSF/UDM; 0 = default |
| Prot. Scheme | 0 / 1 / 2 | 0 = null, 1 = ECIES Profile A, 2 = ECIES Profile B |
| HNPKI | 0 – 255 | Home Network Public Key Identifier (0 for null scheme) |
| Scheme Output | Hex / digits | Null: raw MSIN. ECIES: ephemeral PK + ciphertext + MAC |

About SUPI, SUCI and the privacy leap from 4G

In 4G, the UE sent its IMSI in the clear whenever the network couldn't map a GUTI — enabling well-known IMSI-catcher attacks. 5G fixes this with the SUbscription Permanent Identifier (SUPI) and its concealed form, the SUbscription Concealed Identifier (SUCI). The SUCI is built by the UE, encrypting the MSIN portion of the SUPI with the Home Network's public key using ECIES (Profile A or B, per TS 33.501 §6.12). The MCC, MNC and Routing Indicator remain in the clear so the serving network can route the authentication request to the right AUSF/UDM, but the subscriber identity itself is protected.

This tool decomposes either the NAI string representation (used in SBI / JSON bodies) or the raw hex payload carried inside the 5GS Mobile Identity IE (TS 24.501 §9.11.3.4), and calls out the classic misconfiguration: deploying a profile with Protection Scheme = 0, which provides no privacy gain over 4G.
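The NAI decomposition described above can be sketched as follows. This is an added example, not the analyzer's own code: the function and key names are hypothetical, it handles SUPI type 0 only, and the split of the ECIES scheme output assumes the key and MAC sizes of TS 33.501 Annex C.

```python
# Added example (not the analyzer's own code). Field order follows the NAI
# layout on this page; ECIES key and MAC sizes follow TS 33.501 Annex C.
# The Routing Indicator is accepted as 1 to 4 decimal digits (TS 23.003).
ECIES = {1: ("ECIES Profile A", 32), 2: ("ECIES Profile B", 33)}  # eph. key bytes
MAC_LEN = 8  # bytes of MAC tag closing the ECIES scheme output


def _dec(s, lo, hi):
    """True if s is lo..hi ASCII decimal digits."""
    return s.isascii() and s.isdigit() and lo <= len(s) <= hi


def parse_suci_nai(nai):
    parts = nai.strip().split("-", 7)  # the scheme output is the last field
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI NAI string")
    _, supi_type, mcc, mnc, ri, scheme, hnpki, output = parts
    if supi_type != "0":
        raise ValueError("this example handles SUPI type 0 (IMSI) only")
    if not (_dec(mcc, 3, 3) and _dec(mnc, 2, 3) and _dec(ri, 1, 4)):
        raise ValueError("bad MCC, MNC or Routing Indicator")
    if not (_dec(scheme, 1, 2) and _dec(hnpki, 1, 3) and int(hnpki) <= 255):
        raise ValueError("bad Protection Scheme or HNPKI")
    out = {"mcc": mcc, "mnc": mnc, "routing_indicator": ri,
           "scheme": int(scheme), "hnpki": int(hnpki), "warnings": []}
    if out["scheme"] == 0:
        if not _dec(output, 1, 10):
            raise ValueError("null-scheme output must be the MSIN digits")
        out["msin"] = output
        out["imsi"] = mcc + mnc + output
        out["warnings"].append("null scheme: MSIN is sent in the clear")
    elif out["scheme"] in ECIES:
        out["scheme_name"], key_len = ECIES[out["scheme"]]
        raw = bytes.fromhex(output)  # ValueError on non-hex input
        if len(raw) <= key_len + MAC_LEN:
            raise ValueError("scheme output too short for this profile")
        out["ephemeral_public_key"] = raw[:key_len].hex()
        out["ciphertext"] = raw[key_len:-MAC_LEN].hex()
        out["mac"] = raw[-MAC_LEN:].hex()
    else:
        raise ValueError("unsupported protection scheme")
    return out


if __name__ == "__main__":
    print(parse_suci_nai("suci-0-208-93-0-0-0-0000000001"))  # sample from this page
    constructed = "suci-0-208-93-0-1-1-" + "aa" * 32 + "bb" * 5 + "cc" * 8
    print(parse_suci_nai(constructed))  # constructed Profile A value
```

A non-empty `warnings` list is the signal to alert on when auditing captured SUCIs for null-scheme use.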

References

  • 3GPP TS 23.003 — Numbering, addressing and identification
  • 3GPP TS 24.501 §9.11.3.4 — 5GS Mobile Identity IE (SUCI format)
  • 3GPP TS 33.501 §6.12 — Privacy of subscription identifier
