Registration using Profile A #698

Open
FatimaaIsmail27 opened this issue Mar 29, 2024 · 8 comments

@FatimaaIsmail27

I'm trying to use profile A that encrypts SUPI to register UE to open5gs. I used commented steps in udm.yaml where I generated keys using:
$ openssl genpkey -algorithm X25519 -out /etc/open5gs/hnet/curve25519-1.key
and I extracted the public key and placed it in home network public key in open5gs-ue.yaml. I also changed protection scheme from 0 to 1 in open5gs-ue.yaml, but I'm getting this error:
fatima@fatima-VirtualBox:~/UERANSIM$ sudo ./build/nr-ue -c config/open5gs-ue.yaml
UERANSIM v3.2.6
[2024-03-28 17:06:03.029] [nas] [info] UE switches to state [MM-DEREGISTERED/PLMN-SEARCH]
[2024-03-28 17:06:03.031] [rrc] [debug] New signal detected for cell[1], total [1] cells in coverage
[2024-03-28 17:06:04.922] [nas] [info] Selected plmn[901/70]
[2024-03-28 17:06:04.922] [rrc] [info] Selected cell plmn[901/70] tac[1] category[SUITABLE]
[2024-03-28 17:06:04.922] [nas] [info] UE switches to state [MM-DEREGISTERED/PS]
[2024-03-28 17:06:04.922] [nas] [info] UE switches to state [MM-DEREGISTERED/NORMAL-SERVICE]
[2024-03-28 17:06:04.922] [nas] [debug] Initial registration required due to [MM-DEREG-NORMAL-SERVICE]
[2024-03-28 17:06:04.924] [nas] [debug] UAC access attempt is allowed for identity[0], category[MO_sig]
[2024-03-28 17:06:04.924] [nas] [debug] Sending Initial Registration
[2024-03-28 17:06:04.940] [rrc] [debug] Sending RRC Setup Request
[2024-03-28 17:06:04.941] [rrc] [info] RRC connection established
[2024-03-28 17:06:04.942] [rrc] [info] UE switches to state [RRC-CONNECTED]
[2024-03-28 17:06:04.942] [nas] [info] UE switches to state [MM-REGISTER-INITIATED]
[2024-03-28 17:06:04.942] [nas] [info] UE switches to state [CM-CONNECTED]
[2024-03-28 17:06:04.972] [rrc] [debug] RRC Release received
[2024-03-28 17:06:04.972] [nas] [error] Initial Registration failed [SEMANTICALLY_INCORRECT_MESSAGE]
[2024-03-28 17:06:04.972] [nas] [debug] Handling Registration Reject abnormal case
[2024-03-28 17:06:04.972] [nas] [info] UE switches to state [5U2-NOT-UPDATED]
[2024-03-28 17:06:04.972] [nas] [info] UE switches to state [MM-DEREGISTERED/ATTEMPTING-REGISTRATION]
[2024-03-28 17:06:04.972] [nas] [info] UE switches to state [CM-IDLE]
Am I missing something?
Note that I tried registration with null scheme and it worked.
Thank you in advance.

@s5uishida

@FatimaaIsmail27

In my environment, SUCI Profile A Scheme works with Open5GS and UERANSIM by configuring according to the comments in udm.yaml and open5gs-ue.yaml. I tried it with the key file included in Open5GS or a newly created key file, and it works without any problems.

For your reference, the method to extract the public key is as follows.

https://github.com/s5uishida/note_5g_suci_profile_ab
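
An added example, not part of the original thread and not code from Open5GS or UERANSIM: a standard-library check that the `homeNetworkPublicKey` hex in open5gs-ue.yaml is the X25519 public key of the private key file that udm.yaml references. It assumes the file is the unencrypted PKCS#8 PEM that `openssl genpkey -algorithm X25519` writes; the function names are hypothetical and the sample key is the RFC 7748 test vector, not a key from this issue.

```python
import base64

P = 2**255 - 19
# DER header of an unencrypted PKCS#8 X25519 private key (RFC 8410); 32 key bytes follow.
PKCS8_X25519_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")

def x25519_public(priv: bytes) -> bytes:
    """X25519(priv, base point 9) with the RFC 7748 Montgomery ladder.
    Not constant-time: intended for offline configuration checks only."""
    k = bytearray(priv)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:                               # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_hex_from_pem(pem: str) -> str:
    """Return the 64-hex-digit public key for an X25519 private key PEM."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    if len(der) != 48 or not der.startswith(PKCS8_X25519_PREFIX):
        raise ValueError("not an unencrypted PKCS#8 X25519 private key")
    return x25519_public(der[16:]).hex()

def ue_key_matches(pem: str, home_network_public_key: str) -> bool:
    """Compare the derived key with the UE-side YAML value (quotes/case ignored)."""
    return public_hex_from_pem(pem) == home_network_public_key.strip().strip("'\"").lower()

# Constructed sample: RFC 7748 section 6.1 private key wrapped as a PEM file.
_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              + base64.b64encode(PKCS8_X25519_PREFIX + _priv).decode()
              + "\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(public_hex_from_pem(SAMPLE_PEM))
```

To use it on a real setup, pass the text of the key file listed under the matching `hnet` id and the `homeNetworkPublicKey` string from the UE configuration to `ue_key_matches`.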

@FatimaaIsmail27
Author

@s5uishida
Yes, I extracted the public key in the same way mentioned and I saved it in home network public key in open5gs-ue.yaml, but it is not working. Here is my open5gs-ue.yaml file for your reference:

# IMSI number of the UE. IMSI = [MCC|MNC|MSISDN] (In total 15 digits)
supi: 'imsi-901700000000001'
# Mobile Country Code value of HPLMN
mcc: '901'
# Mobile Network Code value of HPLMN (2 or 3 digits)
mnc: '70'
# SUCI Protection Scheme : 0 for Null-scheme, 1 for Profile A and 2 for Profile B
protectionScheme: 1
# Home Network Public Key for protecting with SUCI Profile A
homeNetworkPublicKey: 'dcd7f0dcafc25cab9206475d7dce6ef0af77b0d54305d2517c2bdd9b875aa04d'
# Home Network Public Key ID for protecting with SUCI Profile A
homeNetworkPublicKeyId: 1
# Routing Indicator
routingIndicator: '0000'

# Permanent subscription key
key: '465B5CE8B199B49FAA5F0A2EE238A6BC'
# Operator code (OP or OPC) of the UE
op: 'E8ED289DEBA952E4283B54E88E6183CA'
# This value specifies the OP type and it can be either 'OP' or 'OPC'
opType: 'OPC'
# Authentication Management Field (AMF) value
amf: '8000'
# IMEI number of the device. It is used if no SUPI is provided
imei: '356938035643803'
# IMEISV number of the device. It is used if no SUPI and IMEI is provided
imeiSv: '4370816125816151'

# List of gNB IP addresses for Radio Link Simulation
gnbSearchList:
  - 192.168.100.5

# UAC Access Identities Configuration
uacAic:
  mps: false
  mcs: false

# UAC Access Control Class
uacAcc:
  normalClass: 0
  class11: false
  class12: false
  class13: false
  class14: false
  class15: false

# Initial PDU sessions to be established
sessions:
  - type: 'IPv4'
    apn: 'internet'
    slice:
      sst: 1

# Configured NSSAI for this UE by HPLMN
configured-nssai:
  - sst: 1

# Default Configured NSSAI for this UE
default-nssai:
  - sst: 1
    sd: 1

# Supported integrity algorithms by this UE
integrity:
  IA1: true
  IA2: true
  IA3: true

# Supported encryption algorithms by this UE
ciphering:
  EA1: true
  EA2: true
  EA3: true

# Integrity protection maximum data rate for user plane
integrityMaxRate:
  uplink: 'full'

Thank you for your time.

@s5uishida

@FatimaaIsmail27

Does homeNetworkPublicKeyId match udm.yaml->udm->hnet->id?

@FatimaaIsmail27
Author

FatimaaIsmail27 commented Mar 30, 2024

@s5uishida Yes, the id for /etc/open5gs/hnet/curve25519-1.key is id=1, here is the udm.yaml file for your reference:

logger:
  file: /var/log/open5gs/udm.log
#  level: info   # fatal|error|warn|info(default)|debug|trace

global:
  max:
    ue: 1024  # The number of UE can be increased depending on memory size.
#    peer: 64

udm:
  hnet:
    - id: 1
      scheme: 1
      key: /etc/open5gs/hnet/curve25519-1.key
    - id: 2
      scheme: 2
      key: /etc/open5gs/hnet/secp256r1-2.key
    - id: 3
      scheme: 1
      key: /etc/open5gs/hnet/curve25519-3.key
    - id: 4
      scheme: 2
      key: /etc/open5gs/hnet/secp256r1-4.key
    - id: 5
      scheme: 1
      key: /etc/open5gs/hnet/curve25519-5.key
    - id: 6
      scheme: 2
      key: /etc/open5gs/hnet/secp256r1-6.key
  sbi:
    server:
      - address: 127.0.0.12
        port: 7777
    client:
#      nrf:
#        - uri: http://127.0.0.10:7777
      scp:
        - uri: http://127.0.0.200:7777

#
################################################################################
# (and the rest is commented)
      

@FatimaaIsmail27
Author

@s5uishida when you used the home network public key already saved in open5gs-ue.yaml, did you save it in /etc/open5gs/hnet/curve25519-1.key or something or you just changed protection scheme to 1?

@s5uishida

@FatimaaIsmail27

I built the latest source of Open5GS and tried it.
Just set the scheme id of open5gs-ue.yaml to 1 and set the calculated public key string, and set homeNetworkPublicKeyId.

# SUCI Protection Scheme : 0 for Null-scheme, 1 for Profile A and 2 for Profile B
protectionScheme: 1 <--
# Home Network Public Key for protecting with SUCI Profile A
homeNetworkPublicKey: 'XXXXXXXXX' <--
# Home Network Public Key ID for protecting with SUCI Profile A
homeNetworkPublicKeyId: 1 <--

@FatimaaIsmail27
Author

@s5uishida
Yes, this is exactly what I'm doing. I'm thinking if the problem may be because I installed open5gs from package installer and I didn't build it from source, because I literally tried everything and it didn't work. Do you have an idea if this could be the problem?
Thank you for your time, I truly appreciate it.

@s5uishida

@FatimaaIsmail27

I built the latest main branch without installing any packages.
I don't know why it fails, but I think it would be a good idea to check Open5GS logs.
