Aadhar with a Security Perspective

Kapil Varma
7 min readJun 1

--

Hi folks, I am Kapil Varma, a cybersecurity enthusiast and security researcher from India!

This is my new write-up about Aadhar and security!…suggestions and appreciation is welcomed…hope this article will be helpful and y’all would like it!

WHAT EXACTLY “AADHAR” IS?

Aadhaar is a 12-digit unique identity number that can be obtained voluntarily by the citizens of India and resident foreign nationals who have spent over 182 days in twelve months immediately preceding the date of application for enrolment, based on their biometric and demographic data.

The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the Government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.

Aadhaar is the world’s largest biometric ID system.

World Bank Chief Economist Paul Romer described Aadhaar as

“the most sophisticated ID program in the world”.

Considered a proof of residence and not a proof of citizenship, Aadhaar does not itself grant any rights to domicile in India.

HOW AADHAR ACTUALLY WORKS:

This operating model of Aadhar outlines the actors involved in its authentication ecosystem. The following figure identifies the key actors in the Aadhaar authentication model and depicts the data flow in which the key actors could engage with each other. The brief description of key actors and the scenarios in which they engage with each other are indicated in the figure below:

Stakeholders in Aadhaar Authentication Ecosystem

  • "Aadhaar number holder" means an individual who has been issued an Aadhaar number under the Act.
  • “Authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.
  • “Authentication facility” means the facility provided by the Authority for verifying the identity information of an Aadhaar number holder through the process of authentication, by providing a Yes/ No response or e-KYC data, as applicable.
  • “Authentication Service Agency” or “ASA” mean an entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.
  • “Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority.
  • “Central Identities Data Repository” or “CIDR” means a centralized database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
  • Authentication Devices: These are the devices that collect PID (Personal Identity Data) from Aadhaar holders, encrypt the PID block, transmit the authentication packets and receive the authentication results. Examples include PCs, kiosks, handheld devices etc. They are deployed, operated and managed by the AUA/Sub AUA.

Process of sending authentication requests

  • After collecting the Aadhaar number or any other identifier provided by the requesting entity which is mapped to Aadhaar number and necessary demographic and / or biometric information and/ or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose
  • After validation, the server of a requesting entity shall pass the authentication request to the CIDR, through the server of the Authentication Service Agency as per the specifications laid down by the Authority. The authentication request shall be digitally signed by the requesting entity and/or by the Authentication Service Agency, as per the mutual agreement between them.
  • Based on the mode of the authentication request, the CIDR shall validate the input parameters against the data stored therein and return a digitally signed Yes or No authentication response, or a digitally signed e-KYC authentication response with encrypted e-KYC data, as the case may be, along with other technical details related to the authentication transaction.
  • In all modes of authentication, the Aadhaar number is mandatory and is submitted along with the input parameters specified in sub-regulation (1) above such that authentication is always reduced to a 1:1 match.
  • A requesting entity shall ensure that encryption of PID Block takes place at the time of capture on the authentication device as per the processes and specifications laid down by the Authority.”

HOW AADHAR IS DIFFERENT FROM SSN USED IN UNITED STATES:

A Social Security number (SSN), issued to U.S. citizens, is a unique identifier issued by the Social Security Administration. You need an SSN to work, and it’s used to determine your eligibility for Social Security benefits and certain government services.

The SSN collects the demographic information of its users. Public entities can request the SSN to track individuals in a system or as a form of identifying an individual as long as the user does not violate federal or state law. Shortly, the SSN can be requested by private and public entities.

Whereas, the Aadhar takes minimal demographic and biometric information of its users. The biometric information is used for security purposes and authentication of the user.

Third-party organizations can send requests for verification to the UIDAI, as its used for authentication. The Aadhaar number can be adopted by any public or private entity as a sole means of identifying an individual.

But under UIDAI and Supreme Court guidelines, submission of Aadhaar is not mandatory, making it convenient and safe for people to disclose their Aadhar details.

AADHAR’S SECURITY CONCERNS AND ACTIONS OVER THEM :

Aadhaar’s importance cannot be understated, as it contains the data of billions of people, and the security of this data and the system itself is an incredibly important point of political contention. Complicating the issue is the fact that ever since its inception, Aadhaar has been plagued by a myriad of internal and legal problems, as well as major leaks and vulnerabilities in the overall security of the system.

Usually, the Aadhar data is breached through external sources where users provide their Aadhar information.

During such events, many questions and allegations were officially raised against UIDAI about Aadhar’s security, in response, UIDAI denied any data breach through their infrastructure and stated that the Aadhar Data Vault stores only minimal biometric and demographic information of the users.

Similarly in 2018, a French security researcher on Twitter claimed a vulnerability from the mAadhar android app by UIDAI, stating that the application was storing the user’s settings in a local database with a password generated using a random number as seed and an easy hardcoded string, stating that the password was stored in a safe box, which required a key to get access. Surprisingly, the researcher found out that the key required for the safe box access was so easily guessable as it was a 7-character set of numbers and capital alphabets.

However, a bunch of security experts proved that the application used by the researcher was tampered with and required physical access to the victim’s phone for actual access, which is not considered to be a legit flaw in UIDAI security.

Biometric data safety is a big concern for Aadhar.

Hence, recently Aadhar took a step towards Biometric Data Safety by implementing a new security mechanism for Aadhar-based fingerprint authentication and faster detection of spoofing attempts.

This security mechanism is AI/ML (Artificial Intelligence/ Machine Learning) based, developed in-house is now using a combination of both finger minutia and finer image to check the liveness of the fingerprint captured.

The SSN enrolment is regulated by SSA(Social Security Administration) only and its data are stored in the “numident” (or numerical identification system). The numident is a centralized database containing the individual's original SNN and application, and any re-application for the same.

Whereas, Aadhar stores data in the CIDR (or the central identities data repository), and is processed in the physical data warehouse of the UIDAI and its enrolment is regulated by multiple factors, making the enrolment more legitimate and safe.

Overall, security concerns exist in almost every infrastructure till today as there is a risk of attack due to political or social events, over any infrastructure storing information.

Though, many steps are being taken to improve security, usually by using new technologies.

So, even if the Government is frequently working on improvising the security in our Indian cyberspace, why shouldn’t we initiate the most basic security practice by ourselves, by being safe and creating cybersecurity awareness socially?!

Thanks for reading!

I’ll be coming up with new write-ups in future, so stay tuned ;)

#Support me on: 1) Twitter 2) Instagram 3) LinkedIn

#Buy me a coffee: Link

--

--

Kapil Varma

A Cybersecurity Enthusiast, Ethical Hacker and Security Researcher