SUPI / SUCI Analyzer
Paste a SUCI NAI string (suci-0-MCC-MNC-RI-Scheme-HNPKI-SchemeOutput), a raw hex SUCI payload (per TS 24.501 §9.11.3.4), or a plain IMSI — and see every field decoded instantly.
- Protection Scheme = 0 (null) — the SUPI / IMSI portion is sent in the clear.
- Routing Indicator = 0 means no NSSAI-based AUSF routing (default).
- Scheme Output in the null case is the raw MSIN.
Field reference
| Field | Values | Meaning |
|---|---|---|
| SUPI Type | 0 / 1 | 0 = IMSI, 1 = NAI (network-specific) |
| MCC | 3 digits | Mobile Country Code (e.g. 208 = France) |
| MNC | 2–3 digits | Mobile Network Code (operator within country) |
| Routing Ind | 0 – 999 | Steers the SUCI to the right AUSF/UDM; 0 = default |
| Prot. Scheme | 0 / 1 / 2 | 0 = null, 1 = ECIES Profile A, 2 = ECIES Profile B |
| HNPKI | 0 – 255 | Home Network Public Key Identifier (0 for null scheme) |
| Scheme Output | Hex / digits | Null: raw MSIN. ECIES: ephemeral PK + ciphertext + MAC |
About SUPI, SUCI and the privacy leap from 4G
In 4G, the UE sent its IMSI in the clear whenever the network couldn't map a GUTI — enabling well-known IMSI-catcher attacks. 5G fixes this with the SUbscription Permanent Identifier (SUPI) and its concealed form, the SUbscription Concealed Identifier (SUCI). The SUCI is built by the UE, encrypting the MSIN portion of the SUPI with the Home Network's public key using ECIES (Profile A or B, per TS 33.501 §6.12). The MCC, MNC and Routing Indicator remain in the clear so the serving network can route the authentication request to the right AUSF/UDM, but the subscriber identity itself is protected.
This tool decomposes either the NAI string representation (used in SBI / JSON bodies) or the raw hex payload carried inside the 5GS Mobile Identity IE (TS 24.501 §9.11.3.4), and calls out the classic misconfiguration: deploying a profile with Protection Scheme = 0, which gives you exactly zero privacy gain over 4G.
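The NAI-string half of that decomposition, as an added example (not the analyzer's own code), with the null-scheme and HNPKI checks from the field reference. The function name `parse_suci_nai` is hypothetical, the ECIES key and MAC lengths are taken from TS 33.501 Annex C rather than from this page, and both sample SUCIs are constructed.

```python
# Added example; the sample SUCIs at the bottom are constructed.
# Ephemeral key bytes per ECIES profile (TS 33.501 Annex C): A = X25519,
# B = compressed secp256r1 point. These sizes are not stated on this page.
KEY_LEN = {1: 32, 2: 33}
MAC_LEN = 8  # MAC tag length in bytes, both profiles

def parse_suci_nai(suci):
    """Decode suci-<type>-<MCC>-<MNC>-<RI>-<scheme>-<HNPKI>-<output>."""
    parts = suci.strip().split("-", 7)
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI NAI string")
    names = ("supi_type", "mcc", "mnc", "routing_indicator", "scheme", "hnpki")
    for name, val in zip(names, parts[1:7]):
        if not (val.isascii() and val.isdigit()):
            raise ValueError(f"{name} must be decimal digits, got {val!r}")
    supi_type, mcc, mnc, ri, scheme, hnpki = parts[1:7]
    output, warnings = parts[7], []
    f = {"supi_type": int(supi_type), "mcc": mcc, "mnc": mnc,
         "routing_indicator": ri, "scheme": int(scheme), "hnpki": int(hnpki),
         "concealed": int(scheme) in KEY_LEN, "warnings": warnings}
    if len(mcc) != 3 or len(mnc) not in (2, 3):
        warnings.append("MCC must be 3 digits and MNC 2 or 3 digits")
    if f["hnpki"] > 255:
        warnings.append("HNPKI out of range 0-255")
    if f["scheme"] == 0:
        f["msin"] = output  # null scheme: the output is the plaintext MSIN
        warnings.append("null scheme: MSIN is sent in the clear")
        if f["hnpki"] != 0:
            warnings.append("HNPKI should be 0 for the null scheme")
        if f["supi_type"] == 0 and not output.isdigit():
            warnings.append("MSIN must be decimal digits")
        elif f["supi_type"] == 0 and len(mcc + mnc + output) > 15:
            warnings.append("IMSI longer than 15 digits")
    elif f["concealed"]:
        raw = bytes.fromhex(output)  # raises ValueError on non-hex output
        key_len = KEY_LEN[f["scheme"]]
        if len(raw) <= key_len + MAC_LEN:
            warnings.append("scheme output too short for this ECIES profile")
        else:  # ephemeral public key, then ciphertext, then MAC tag
            f["ephemeral_public_key"] = raw[:key_len].hex()
            f["ciphertext"] = raw[key_len:-MAC_LEN].hex()
            f["mac_tag"] = raw[-MAC_LEN:].hex()
    else:
        warnings.append("protection scheme is not 0, 1 or 2")
    return f

# Constructed samples: null scheme, and Profile A with filler bytes.
NULL_SAMPLE = "suci-0-208-93-0-0-0-0000000001"
ECIES_SAMPLE = "suci-0-208-93-0-1-1-" + "aa" * 32 + "bb" * 5 + "cc" * 8
```

Calling `parse_suci_nai(NULL_SAMPLE)` returns the MSIN in the `msin` field together with the clear-text warning, while `ECIES_SAMPLE` yields the three scheme-output components and no warnings.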
References
- 3GPP TS 23.003 — Numbering, addressing and identification
- 3GPP TS 24.501 §9.11.3.4 — 5GS Mobile Identity IE (SUCI format)
- 3GPP TS 33.501 §6.12 — Privacy of subscription identifier
How to use the SUPI / SUCI Analyzer
- Paste an identifier. Drop in a SUCI NAI string (suci-0-MCC-MNC-RI-Scheme-HNPKI-SchemeOutput), a raw hex SUCI payload, or a plain IMSI — the tool auto-detects the format.
- Or load a sample. Click one of the sample buttons if you just want to see a worked example, including an encrypted SUCI and a null-scheme one.
- Read the decoded fields. Inspect the parsed SUPI type, MCC, MNC, routing indicator, protection scheme, HNPKI and the MSIN or scheme output.
- Heed the privacy banner. A null protection scheme raises a warning that the identity is sent in the clear; an ECIES scheme confirms the MSIN is concealed.
- Check warnings and notes. Review the flagged inconsistencies (wrong digit counts, HNPKI mismatches) and the explanatory notes before trusting a captured value.
Frequently asked questions
- What is the difference between SUPI and SUCI?
- The SUPI (Subscription Permanent Identifier) is the subscriber’s permanent identity in 5G — typically an IMSI, sometimes a network-specific NAI. The SUCI (Subscription Concealed Identifier) is the privacy-protected form the UE actually sends over the air: the MSIN portion of the SUPI is encrypted, while the MCC, MNC and routing indicator stay in the clear for routing.
- How is the SUCI structured?
- A SUCI carries the SUPI type, the home network identifier (MCC and MNC), a routing indicator that steers it to the right AUSF/UDM, the protection scheme id, the home network public key id (HNPKI), and the scheme output. With the null scheme the scheme output is just the plaintext MSIN; with an ECIES profile it is the ephemeral public key plus the ciphertext and a MAC tag.
- What are SUCI protection schemes 0, 1 and 2?
- Scheme 0 is the null scheme — no encryption, so the IMSI/MSIN travels in the clear, which is no better than 4G privacy. Scheme 1 is ECIES Profile A and scheme 2 is ECIES Profile B; both conceal the MSIN with the home network public key so only the home UDM/SIDF can recover the SUPI. Production networks should use Profile A or B, not the null scheme.
- What is a 5G-GUTI and how does it relate to the SUPI?
- The 5G-GUTI is a temporary identity the AMF assigns after registration so the permanent SUPI does not need to be sent again. It encodes the serving PLMN, the AMF that owns the UE, and a temporary identity (5G-TMSI). The UE presents the 5G-GUTI on later signalling; the network only falls back to requesting an identity when it cannot resolve the GUTI.