Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST CSWP 36D (Initial Public Draft)

No SUPI-Based Paging: Applying 5G Cybersecurity and Privacy Capabilities

Date Published: January 30, 2025
Comments Due: February 28, 2025
Email Comments to: 5g-security@nist.gov

Author(s)

Michael Bartock (NIST), Jeffrey Cichonski (NIST), Murugiah Souppaya (NIST), Karen Scarfone (Scarfone Cybersecurity), Parisa Grayeli (MITRE), Sanjeev Sharma (MITRE)

Announcement

5G technology for broadband cellular networks will significantly improve how humans and machines communicate, operate, and interact in the physical and virtual world. 5G provides increased bandwidth and capacity, and low latency. However, professionals in fields like technology, cybersecurity, and privacy are faced with safeguarding this technology while its development, deployment, and usage are still evolving.

To help, the NIST National Cybersecurity Center of Excellence (NCCoE) has launched the Applying 5G Cybersecurity and Privacy Capabilities white paper series. The series targets technology, cybersecurity, and privacy program managers within commercial mobile network operators, potential private 5G network operators, and organizations using and managing 5G-enabled technology who are concerned with how to identify, understand, assess, and mitigate risk for 5G networks. In the series we provide recommended practices and illustrate how to implement them. All of the capabilities featured in the white papers have been demonstrated on the NCCoE testbed on commercial-grade 5G equipment.

We are pleased to announce the availability of the fifth white paper in the series:

No SUPI-Based Paging This publication provides an overview of “no Subscription Permanent Identifier (SUPI) based paging,” a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G protect subscriber confidentiality by using a temporary identity (ID) instead of SUPI for the paging protocol, and explicitly define when the temporary ID must be reallocated (refreshed). 5G network operators and organizations using 5G technologies are encouraged to verify that the paging is happening as described in the 5G standards.

Abstract

Keywords

3GPP; 5G; cybersecurity; paging; privacy; Subscription Concealed Identifier (SUCI); Subscription Permanent Identifier (SUPI)
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.CSWP.36D.ipd
Download URL

Supplemental Material:
Project homepage

Publication Parts:
CSWP 36
CSWP 36A
CSWP 36B
CSWP 36C

Document History:
01/30/25: CSWP 36D (Draft)

Topics

Security and Privacy

risk management

Technologies

mobile, networks

Applications

communications & wireless

Sectors

telecommunications