Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key KFB or trusted asymmetric fallback public key PKFB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCIFB for communication of messages with the unauthenticated network entity.