F.2 Subscriber privacy

33.5013GPPRelease 18Security architecture and procedures for 5G SystemTS

EAP-AKA’ includes optional support for identity privacy mechanism that protects the privacy against passive eavesdropping. The mechanism is described in RFC 4187 [21] clause 4.1.1.2, and it uses pseudonyms that are delivered from the EAP server to the peer as part of an EAP-AKA exchange. The privacy mechanism described in [21] corresponds to the privacy provided by 5G-GUTI, however, assignment of 5G-GUTI is done outside the EAP framework in 5GS.

TS 33.501 assumes that the SUCI is sent outside the EAP messages, however, the peer may still receive EAP-Request/Identity or EAP-Request/AKA-Identity messages. Table F.2-1 specifies how the 5G UE shall behave when receiving such requests.

Table F.2-1: 5G UE behaviour when receiving EAP identity requests

REQUEST

5G UE RESPONSE

EAP-Request/Identity

EAP-Response/Identity SUCI1)

EAP-Request/AKA-Identity

AT_PERMANENT_REQ

EAP-Response/AKA-Client-Error with the error code "unable to process packet" 2)

EAP-Request/AKA-Identity

AT_FULLAUTH_REQ

EAP-Response/AKA-Identity

AT_IDENTITY=SUCI 3)

EAP-Request/AKA-Identity

AT_ANY_ID_REQ

EAP-Response/AKA-Identity

AT_IDENTITY=fast re-auth identity OR

AT_IDENTITY=SUCI 4)

1) RFC 3748 [27] allows the peer to respond with abbreviated Identity Response where the peer-name portion of the NAI has been omitted. The 5G UE responds with SUCI in the same format as sent in the Registration Request, where the peer name has been encrypted.

2) RFC 4187 [21] allows the peer to respond with a pseudonym (cf. 5G-GUTI) or the permanent identity (i.e. SUPI). The 5G UE follows the "conservative" policy that has been described in RFC 4187 [21] clause 4.1.6 (Attacks against Identity Privacy) for the pseudonym based privacy, i.e. the peer shall not reveal its permanent identity. Instead, the peer shall send the EAP-Response/AKA-Client-Error packet with the error code "unable to process packet", and the authentication exchange terminates. The peer assumes that the EAP-Request/AKA-Identity originates from an attacker that impersonates the network, and for this reason refuses to send the cleartext SUPI.

3) RFC 4187 [21] allows the peer to respond with a pseudonym (cf. 5G-GUTI) or the permanent identity (i.e. SUPI). The 5G UE responds with SUCI.

4) RFC 4187 [21] allows the peer to respond with a fast re-authentication identity, pseudonym (cf. 5G-GUTI) or the permanent identity (i.e. SUPI). If the 5G UE supports fast re-authentication, it responds with the fast re-authentication identity, and if the 5G UE does not support fast re-authentication, it responds with SUCI.