HSS

Home Subscriber Server: the 4G master subscriber database

Type: node

Generations: 4G, cross-gen

Threat level: high

Overview

The HSS (Home Subscriber Server) is the master subscriber database in a 4G EPC deployment. It is the custodian of every subscriber's identity, subscription entitlements, authentication credentials, and location state. When a UE attaches to LTE, the MME consults the HSS twice: once to obtain authentication vectors (the AIR/AIA exchange) and once to retrieve the full subscription profile (the ULR/ULA exchange). Without the HSS, no subscriber can attach to the LTE network.

The HSS is the evolution of the HLR from 2G and 3G networks. The HLR held subscriber data for MAP-based interfaces (SS7 MAP Update Location, Send Routing Info, Authentication Information) and was the authoritative source for MSISDN-to-IMSI mapping. In 4G, the HSS performs the same role but over Diameter interfaces. In networks that run combined 2G/3G/4G, the HSS and HLR are frequently the same physical system, with the same subscriber record being accessed via MAP (from MSC/SGSN) and via Diameter (from MME) simultaneously.

Beyond LTE core access, the HSS interfaces with IMS through the Cx interface (to the I-CSCF and S-CSCF for IMS registration and multimedia authentication) and the Sh interface (to Application Servers for subscriber preference data). In a VoLTE deployment, the HSS serves both the EPC (via S6a to MME) and the IMS core (via Cx to CSCF) for the same subscriber.

The HSS's internal data model is built around the subscriber's IMSI as the primary key, with associated MSISDN(s), the EPS subscription profile (APNs, QoS, roaming restrictions), and the security data: the root Ki from which authentication vectors are computed using the MILENAGE or TUAK algorithm. The Ki never leaves the HSS. Authentication vectors are computed on demand and returned to the MME or SGSN as consumed, one-time values.


How it works

Authentication Information Request/Answer (AIR/AIA)

The AIR/AIA exchange is the most latency-critical HSS procedure: it is on the critical path of every new LTE attach. The MME sends an AIR before it can initiate NAS security with the UE.

  1. The MME sends a Diameter AIR to the HSS on S6a, providing the IMSI in the User-Name AVP and the visited network identity (VPLMN-ID AVP) for roaming validation.
  2. The HSS retrieves the subscriber's Ki and sequence counter (SQN) from its credential store. It runs the MILENAGE (or TUAK) algorithm with a fresh RAND to generate an EPS Authentication Vector (EPS-AV): RAND, AUTN, XRES, KASME. The SQN is incremented for the next use.
  3. The HSS returns the AIA carrying the EPS-AV. Typically one or a small batch of AVs is returned; the MME caches unused AVs to avoid re-querying for re-authentication.
  4. The MME uses RAND and AUTN in the NAS Authentication Request. The UE verifies AUTN, computes RES from its Ki (identical computation), and returns RES. The MME compares RES with XRES. Both values were derived from the same Ki; equality proves the subscriber's USIM holds the correct credential.

Update Location Request/Answer (ULR/ULA)

After successful authentication, the MME performs the ULR to register the subscriber's current serving MME and retrieve the full subscription profile.

  1. The MME sends a Diameter ULR to the HSS with the IMSI and the MME identity (Origin-Host, the MME's Diameter FQDN).
  2. The HSS updates its location record: this IMSI is now served by this MME. If the subscriber was previously registered to a different MME, the HSS sends a Cancel Location to the old MME (CLR/CLA exchange) to deregister the old context.
  3. The HSS returns the ULA with the subscriber's EPS Subscription Data: a list of APNs the subscriber is permitted to use, the default APN, per-APN QoS profiles, roaming restrictions (VPLMN barred or allowed), and AMBR (Aggregate Maximum Bit Rate) for the subscriber.
  4. The MME stores this profile and uses it to determine which bearers to create and what QoS to apply.

Insert Subscriber Data (ISD)

The HSS can push updated subscription data to the MME without waiting for a ULR, for example when an operator changes a subscriber's data plan mid-session or when a subscriber's roaming allowance is exhausted.

  1. The HSS initiates a Diameter ISD command to the registered MME.
  2. The ISD carries updated EPS subscription data: new APNs, revised QoS parameters, or revoked roaming permissions.
  3. The MME applies the changes: it may initiate a dedicated bearer modification or, if the subscriber's current session violates the new profile (e.g., a barred APN is now active), initiate a PDN disconnection.

Cx interface for IMS

In VoLTE deployments, the HSS's Cx interface connects it to the IMS core for multimedia authentication and service profile management.

  • Multimedia Authentication Request (MAR/MAA): The S-CSCF requests IMS authentication credentials for a registering UE. The HSS generates an IMS authentication vector (SIP Digest or IMS-AKA) and returns it.
  • Server Assignment Request (SAR/SAA): The S-CSCF registers itself as the serving CSCF for a subscriber and downloads the IMS Service Profile.
  • Location Information Request (LIR/LIA): The I-CSCF queries the HSS to find which S-CSCF is serving a subscriber for routing an incoming call.

Architecture role

The HSS is the single source of truth for subscriber identity and entitlement in the 4G EPC. It has no user plane involvement; its role is entirely to answer questions from other nodes: "Who is this subscriber? What are they allowed to do? Authenticate them."

In 4G EPC: The HSS is queried by the MME for every new attach (S6a AIR/ULR), by the SGSN for 3G access (S6d), and by the IMS core for VoLTE registration (Cx). All authentication originates here.

Compared to the HLR: The HLR served the same role in 2G/3G but over SS7 MAP interfaces. The HSS often physically contains the HLR: the same subscriber records are exposed via MAP to the MSC/SGSN and via Diameter to the MME. In most deployed EPC networks, HSS = HLR + Diameter interface.

Superseded by UDM: The UDM in 5G SA replaces the HSS, using HTTP/2 SBI instead of Diameter. The UDM separates the authentication credential store (ARPF, kept in hardware where possible) from the subscription data management function.

In roaming, the subscriber's home network HSS is always authoritative. The visited MME reaches the home HSS via the S6a interface, which in roaming scenarios traverses the IPX network through Diameter Routing Agents (DRA/DEA). The home HSS generates the authentication vectors regardless of where the subscriber is roaming.


Key interfaces

| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| S6a | HSS ↔ MME | Diameter | EPS auth vectors (AIR/AIA), subscriber profile (ULR/ULA) |
| S6d | HSS ↔ SGSN | Diameter | 3G packet access; same functions as S6a but for SGSN |
| Sh | HSS ↔ AS | Diameter | IMS application server subscriber data and notifications |
| Cx | HSS ↔ CSCF | Diameter | IMS registration, multimedia auth, S-CSCF assignment |
| Gr | HSS ↔ SGSN | MAP | Legacy 2G/3G SGSN access when HLR/HSS integrated |

Security posture

The HSS's threat model mirrors the HLR's: it is the credential oracle for the network. Anything the HSS provides to an MME (authentication vectors) or registers (the subscriber's current MME address) can be abused by a malicious or compromised peer. The difference from the HLR era is that the HSS's Diameter S6a interface has significantly better security primitives available (TLS, SCTP port filtering, Origin-Host validation), but whether operators deploy these controls consistently is a different matter.

In roaming scenarios, the S6a interface traverses the IPX network. The IPX is not a trusted operator-controlled network; it is a commercial transport shared among many operators and IPX providers. Diameter messages crossing the IPX are protected only by hop-by-hop TLS between DRAs, not end-to-end. An IPX provider with visibility into the routing path can see Diameter headers and, if the DEA edge filtering is absent, observe AIR/AIA exchanges including XRES values.


Attack surface

Authentication vector theft via IPX (roaming S6a)

In roaming, the AIR/AIA exchange travels from the visited MME through the IPX to the home HSS. The EPS-AV contains XRES, the expected response value. If an attacker positioned on the IPX intercepts this (e.g., via a compromised DRA), they obtain XRES for the current authentication session. While XRES is not the long-term Ki, it can be used to construct a man-in-the-middle attack: the attacker sends RAND+AUTN to the UE, the UE returns RES, and the attacker forwards a valid XRES to the home MME to make authentication succeed.

Impact: Session-level man-in-the-middle for roaming subscribers; potential NAS key compromise if the attacker can also intercept the NAS security setup.
Difficulty: High. Requires network access at an IPX DRA and knowledge of Diameter message formats. GSMA FS.19 edge filtering mitigates this for compliant operators.

Rogue MME requesting subscriber data

The HSS trusts Diameter ULR requests from peers whose Origin-Host matches a configured MME. If an attacker can register a rogue Diameter peer presenting a valid Origin-Host (e.g., by compromising a legitimate MME's configuration or by exploiting a loose wildcard match in the HSS's peer table), they can send ULR requests for arbitrary IMSIs, retrieving the full subscription profile including APNs, QoS, and AMBR for any subscriber.

Impact: Subscriber profile exfiltration for targeted or bulk IMSI sets.
Difficulty: Medium. Requires either a compromised Diameter peer connection or a misconfigured Origin-Host validation rule on the HSS.
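
The peer-table weakness described above, shown from the defender's side as an added example (not code from this page or from any HSS product): a wildcard Origin-Host rule next to an exact allowlist bound to source IP. The hostnames, addresses and function names are constructed placeholders.

```python
import fnmatch
import ipaddress

# Constructed peer table: Origin-Host FQDN -> source addresses provisioned for that MME.
# Hostnames and addresses are placeholders (example.net, RFC 5737 ranges).
MME_ALLOWLIST = {
    "mme01.epc.example.net": {"192.0.2.10", "192.0.2.11"},
    "mme02.epc.example.net": {"192.0.2.20"},
}

def loose_match(origin_host, pattern="*.epc.example.net"):
    """Weak rule: any name under the realm is accepted, source address ignored."""
    return fnmatch.fnmatch(origin_host.lower(), pattern)

def strict_match(origin_host, source_ip, allowlist=MME_ALLOWLIST):
    """Exact Origin-Host match bound to a provisioned source IP.

    Returns (accepted, reason) so rejections can be logged and alerted on.
    """
    name = origin_host.lower().rstrip(".")
    if name not in allowlist:
        return False, "origin-host not provisioned"
    try:
        ip = str(ipaddress.ip_address(source_ip))
    except ValueError:
        return False, "unparseable source address"
    if ip not in allowlist[name]:
        return False, "source address not bound to origin-host"
    return True, "ok"

# Constructed connection attempts: (Origin-Host presented by the peer, transport source IP)
ATTEMPTS = [
    ("mme01.epc.example.net", "192.0.2.10"),    # provisioned MME
    ("mme99.epc.example.net", "198.51.100.7"),  # unknown name inside the realm
    ("mme02.epc.example.net", "198.51.100.7"),  # known name, wrong source
]

def compare(attempts=ATTEMPTS):
    """Return (origin_host, loose_result, strict_result, reason) per attempt."""
    rows = []
    for host, ip in attempts:
        ok, reason = strict_match(host, ip)
        rows.append((host, loose_match(host), ok, reason))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```
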

ULR flood: location database poisoning

An attacker with access to the S6a Diameter path can send a stream of ULR messages for real IMSIs, each claiming the subscriber has moved to a new MME. The HSS processes each ULR, sends CLR to the "old" MME (triggering context deletion), and updates its location record. This continuously deregisters legitimate subscribers and disrupts their sessions.

Impact: Continuous session disruption for targeted subscribers; CLR floods against MMEs; HSS CPU exhaustion if scaled to large IMSI sets.
Difficulty: Medium. Requires a valid Diameter peer connection to the HSS.


Mitigations

  • Strict Origin-Host validation on S6a: Maintain an explicit allowlist of MME Origin-Host FQDN values and their expected source IP addresses. Reject any Diameter connection from an IP address not associated with a provisioned MME. Do not use wildcard Origin-Host matching.

  • Diameter TLS on all S6a peers: Require TLS on all S6a connections, both domestic and roaming. For roaming S6a via IPX, ensure the DEA enforces TLS and applies GSMA FS.19 category filtering before messages reach the HSS.

  • AIR rate limiting per IMSI: Limit AIR requests to a maximum rate per IMSI: more than one AIR per 60 seconds for the same IMSI indicates either a rapid auth retry loop or an attack. Alert and temporarily reject further requests beyond the threshold.

  • HSS management plane isolation: The HSS's OAMP (Operations, Administration, Maintenance, and Provisioning) interface must be on a separate network segment from the S6a Diameter interface. An attacker who compromises the S6a path should not be able to reach HSS management functions.

  • CLR storm detection: Monitor the rate at which the HSS sends Cancel Location Requests. A CLR storm (many CLRs sent to many different MMEs in a short period) indicates either a ULR flood attack or a misconfigured peer sending spurious location updates.
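
A sketch of the AIR rate limit and CLR storm check from the list above, as an added example that is not part of the original page. The event record layout, the 10-second CLR window and the three-MME threshold are assumptions; only the one-AIR-per-60-seconds figure comes from the text.

```python
from collections import deque

AIR_WINDOW_S = 60        # page's threshold: more than one AIR per 60 s per IMSI
CLR_WINDOW_S = 10        # assumed storm window
CLR_MME_THRESHOLD = 3    # assumed: CLRs to this many distinct MMEs in the window

# Constructed S6a event records: (unix_time, command, imsi, peer_mme).
# For AIR the peer is the requesting MME; for CLR it is the MME being cancelled.
EVENTS = [
    (1000, "AIR", "001010000000001", "mme01"),
    (1005, "AIR", "001010000000002", "mme01"),
    (1020, "AIR", "001010000000001", "mme02"),   # second AIR within 60 s
    (1030, "CLR", "001010000000003", "mme01"),
    (1032, "CLR", "001010000000004", "mme02"),
    (1033, "CLR", "001010000000005", "mme03"),   # third distinct MME in 10 s
    (1070, "AIR", "001010000000001", "mme01"),   # 70 s after the accepted AIR
]

def analyse(events):
    """Return (rejected_airs, clr_storm_times) for time-ordered events."""
    last_air = {}            # imsi -> time of last accepted AIR
    clr_recent = deque()     # (time, mme) for CLRs still inside the window
    rejected, storms = [], []
    for ts, cmd, imsi, mme in events:
        if cmd == "AIR":
            prev = last_air.get(imsi)
            if prev is not None and ts - prev < AIR_WINDOW_S:
                # Over the limit: alert and reject. The window is not reset,
                # so a retry loop cannot extend its own lockout indefinitely.
                rejected.append((ts, imsi, mme))
            else:
                last_air[imsi] = ts
        elif cmd == "CLR":
            clr_recent.append((ts, mme))
            while clr_recent and ts - clr_recent[0][0] > CLR_WINDOW_S:
                clr_recent.popleft()
            if len({m for _, m in clr_recent}) >= CLR_MME_THRESHOLD:
                storms.append(ts)
    return rejected, storms

if __name__ == "__main__":
    print(analyse(EVENTS))
```
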


Spec references

  • 3GPP TS 29.272: The normative Diameter S6a/S6d interface specification. Defines AIR/AIA, ULR/ULA, ISD, PUR, and CLR command codes and all AVPs. The essential implementation reference for HSS-MME integration.

  • 3GPP TS 23.401: EPC architecture and procedures. Section 5.3.2 defines how the MME interacts with the HSS during attach and subscription profile management.

  • 3GPP TS 29.328: The Sh interface specification. Defines HSS-to-Application-Server interactions for subscriber preference data and event notification.

  • 3GPP TS 29.229: The Cx/Dx interface specification for IMS. Defines MAR/MAA, SAR/SAA, LIR/LIA between HSS and CSCF.


The HSS is the Diameter-era evolution of the HLR. In most deployed networks, they are the same physical system: the same subscriber record is exposed via SS7 MAP to the MSC and SGSN for 2G/3G access, and via Diameter S6a to the MME for 4G access.

The UDM supersedes the HSS in 5G SA. The UDM separates the authentication credential store (ARPF) from the subscription data function, and uses HTTP/2 SBI instead of Diameter. In many deployments, UDM and HSS co-exist: the HSS serving 4G access, the UDM serving 5G SA, both backed by the same subscriber database.

The DRA (Diameter Routing Agent) handles routing of S6a Diameter traffic in multi-MME or roaming deployments, ensuring that ULR and AIR messages reach the correct HSS instance for a given IMSI range.

For the full 4G context, see 4G EPC.