No SUPI-Based Paging: Applying 5G Cybersecurity and Privacy Capabilities (Draft)

Bartock, Michael; Cichonski, Jeffrey; Souppaya, Murugiah; Scarfone, Karen; Grayeli, Parisa; Sharma, Sanjeev

doi:https://doi.org/10.6028/NIST.CSWP.36D.ipd

[フレーム]

You are viewing this page in an unauthorized frame window.

This is a potential security issue, you are being redirected to https://csrc.nist.gov.

You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.

Information Technology Laboratory

Computer Security Resource Center

CSRC Logo

Publications

NIST CSWP 36D (Initial Public Draft)

No SUPI-Based Paging: Applying 5G Cybersecurity and Privacy Capabilities

Documentation Topics

Date Published: January 30, 2025
Comments Due: February 28, 2025 (public comment period is CLOSED)
Email Questions to: [email protected]

Author(s)

Michael Bartock (NIST), Jeffrey Cichonski (NIST), Murugiah Souppaya (NIST), Karen Scarfone (Scarfone Cybersecurity), Parisa Grayeli (MITRE), Sanjeev Sharma (MITRE)

Announcement

5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and privacy are faced with safeguarding this technology while its development, deployment, and usage are still evolving.

To help, the NIST National Cybersecurity Center of Excellence (NCCoE) has launched the Applying 5G Cybersecurity and Privacy Capabilities white paper series. The series targets technology, cybersecurity, and privacy program managers within commercial mobile network operators, potential private 5G network operators, and organizations using and managing 5G-enabled technology who are concerned with how to identify, understand, assess, and mitigate risk for 5G networks. In the series we provide recommended practices and illustrate how to implement them. All of the capabilities featured in the white papers have been demonstrated on the NCCoE testbed on commercial-grade 5G equipment.

We are pleased to announce the availability of the fifth white paper in the series:

No SUPI-Based Paging — This publication provides an overview of "no Subscription Permanent Identifier (SUPI) based paging," a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G protect subscriber confidentiality by using a temporary identity (ID) instead of SUPI for the paging protocol, and explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators and organizations using 5G technologies are encouraged to verify that the paging is happening as described in the 5G standards.

Abstract

This white paper provides an overview of "no Subscription Permanent Identifier (SUPI) based paging," a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G protect subscriber confidentiality by using a temporary identity (ID) instead of SUPI for the paging protocol, and explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators and organizations using 5G technologies are encouraged to verify that the paging is happening as described in the 5G standards. This white paper is part of a series called Applying 5G Cybersecurity and Privacy Capabilities, which covers 5G cybersecurity- and privacy-supporting capabilities that were implemented as part of the 5G Cybersecurity project at the National Cybersecurity Center of Excellence (NCCoE).

Hide full abstract