When LTE was launched a decade ago, a clear break was made from GSM security when it came to SIM cards and authentication. As far as I remember, LTE was the first system in which mutual authentication between network and devices became mandatory. Fortunately, by the time LTE came around the corner, most subscribers already had UMTS-capable SIM cards that supported this, so there was little pain. So how about 5G?
For the 5G we are using today, i.e. 5G Non-Standalone (NSA) with a 4G core network, no changes are required when moving on from LTE. But how about the 5G Standalone architecture with a new 5G core network? After all, it introduces new features such as encrypting the IMSI (the SUPI in 5G speak), which requires additional fields on the SIM card and new key generation algorithms.
This Ericsson paper gives some insight, and the short answer is: if the SIM card already supports LTE, it will also work with a 5G core network. However, yes, there is a ‘however’, there are some limitations: when using an ‘old’ LTE SIM card, access to the 5G core is granted, but it is not possible to encrypt the IMSI, as this requires a public key of the home network operator on the SIM card. Also, it requires new algorithms to compute the encrypted IMSI (the SUCI in 5G speak).
One way to upgrade would of course be to physically change the SIM card for a new one. Most people probably won’t do that unless the old one starts malfunctioning. But current SIM cards can usually be updated ‘over the air’ (OTA). This opens the door to provisioning the public key on an existing SIM card. I expect, however, that in most cases the new authentication and key generation algorithms can’t be pushed to the SIM card. But 3GPP also has an answer to that. Instead of running the algorithms in the SIM card, it is also possible to run them on the mobile device itself. The operator decides where this is done via another field on the SIM card that can be OTA updated. A nice backwards compatible approach that doesn’t open the door to fallback attacks!
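To make the two cases from the last two paragraphs concrete (a SIM with the home network public key provisioned versus an ‘old’ LTE SIM without it), here is an added example, not code from the post or from Ericsson, that computes a SUCI the way the 3GPP ECIES ‘Profile A’ scheme does as I understand it from TS 33.501 Annex C: an ephemeral X25519 key agreement with the home network public key, an ANSI X9.63 KDF with SHA-256 deriving a 16-byte AES key, a 16-byte counter block and a 32-byte MAC key, AES-128-CTR over the MSIN and an 8-byte HMAC-SHA-256 tag. Where no public key is on the SIM, the code falls back to the ‘null scheme’ and the MSIN goes out in clear, which is exactly the limitation described above. The `SimProfile` structure, the function names and the dict layout of the SUCI are my own assumptions for illustration, and the MSIN is fed in as ASCII digits rather than the TBCD packing a real phone would use. The block needs the third-party `cryptography` package for X25519 and AES.

```python
"""Added example: SUCI concealment (ECIES Profile A style) vs. the null scheme.

Assumptions (not from the post): the SimProfile layout, the dict used to carry
a SUCI, ASCII instead of TBCD encoding of the MSIN, and the constants below,
which follow my reading of TS 33.501 Annex C Profile A.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

ENC_KEY_LEN, ICB_LEN, MAC_KEY_LEN, MAC_TAG_LEN = 16, 16, 32, 8
SCHEME_NULL, SCHEME_PROFILE_A = 0, 1


@dataclass
class SimProfile:
    """What the example assumes the USIM holds (hypothetical structure)."""
    mcc: str
    mnc: str
    msin: str
    hn_public_key: Optional[bytes]  # None models an 'old' LTE SIM without the key
    hn_key_id: int = 0


def generate_home_network_keypair() -> Tuple[X25519PrivateKey, bytes]:
    """Operator side: private key stays in the core, raw public key goes onto SIMs."""
    priv = X25519PrivateKey.generate()
    return priv, priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def x963_kdf(shared_secret: bytes, shared_info: bytes, length: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256: Hash(Z || counter || SharedInfo), counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(shared_secret + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:length]


def derive_keys(shared_secret: bytes, eph_pub: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split KDF output into AES key, initial counter block and MAC key (SharedInfo1 = ephemeral public key)."""
    km = x963_kdf(shared_secret, eph_pub, ENC_KEY_LEN + ICB_LEN + MAC_KEY_LEN)
    return km[:ENC_KEY_LEN], km[ENC_KEY_LEN:ENC_KEY_LEN + ICB_LEN], km[ENC_KEY_LEN + ICB_LEN:]


def aes_ctr(key: bytes, icb: bytes, data: bytes) -> bytes:
    """AES-128-CTR; encryption and decryption are the same operation."""
    enc = Cipher(algorithms.AES(key), modes.CTR(icb), backend=default_backend()).encryptor()
    return enc.update(data) + enc.finalize()


def conceal_supi(sim: SimProfile) -> dict:
    """UE side (on the USIM or in the ME, whichever the operator configured)."""
    if sim.hn_public_key is None:
        # Null scheme: nothing to encrypt with, MSIN travels in clear.
        return {"scheme": SCHEME_NULL, "mcc": sim.mcc, "mnc": sim.mnc, "output": sim.msin.encode()}
    eph_priv = X25519PrivateKey.generate()  # fresh per SUCI, so repeated SUCIs are unlinkable
    eph_pub = eph_priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    z = eph_priv.exchange(X25519PublicKey.from_public_bytes(sim.hn_public_key))
    enc_key, icb, mac_key = derive_keys(z, eph_pub)
    ct = aes_ctr(enc_key, icb, sim.msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:MAC_TAG_LEN]
    return {"scheme": SCHEME_PROFILE_A, "mcc": sim.mcc, "mnc": sim.mnc,
            "hn_key_id": sim.hn_key_id, "output": eph_pub + ct + tag}


def deconceal_suci(suci: dict, hn_private: X25519PrivateKey) -> str:
    """Home network side: recover the SUPI (here MCC+MNC+MSIN as one string)."""
    if suci["scheme"] == SCHEME_NULL:
        return suci["mcc"] + suci["mnc"] + suci["output"].decode()
    out = suci["output"]
    eph_pub, ct, tag = out[:32], out[32:-MAC_TAG_LEN], out[-MAC_TAG_LEN:]
    z = hn_private.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    enc_key, icb, mac_key = derive_keys(z, eph_pub)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()[:MAC_TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SUCI MAC check failed")  # tampered or wrong key
    return suci["mcc"] + suci["mnc"] + aes_ctr(enc_key, icb, ct).decode()


if __name__ == "__main__":
    hn_priv, hn_pub = generate_home_network_keypair()
    new_sim = SimProfile("262", "01", "1234567890", hn_pub)   # constructed sample values
    old_sim = SimProfile("262", "01", "1234567890", None)
    print("5G SIM  :", conceal_supi(new_sim)["output"].hex())
    print("LTE SIM :", conceal_supi(old_sim)["output"])
    print("recovered:", deconceal_suci(conceal_supi(new_sim), hn_priv))
```

Running it shows the point of the post in two lines: the provisioned SIM produces a different opaque byte string every time, while the old SIM’s ‘SUCI’ is just the MSIN. Because the home network public key is a plain data field, it is the kind of thing an OTA update can add; the X25519, KDF and AES steps are the ‘new algorithms’ that may have to run in the phone instead.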