UID
CONTENTS
• Unique Identification Number & Its Purpose
• AADHAAR Project
• Authentication
• UID System
• UID Agencies
• Challenges Involved in Implementation
• UID Numbering Scheme
• Entity IDs
• Domain analysis
• Business rules
• E-R Diagram & Relational Schema
• Risks & Database Threats and Attacks involved in UID Project Implementation
UNIQUE IDENTIFICATION NUMBER
The Unique Identification Authority of India (UIDAI) is
an agency of the Government of India responsible for
implementing the AADHAAR scheme, a unique
identification project.
It was established in February 2009, and will own and
operate the Unique Identification Number database.
The authority aims to provide a unique id number to all
Indians.
The authority will maintain a database of residents
containing biometric and other data.
PURPOSE OF UIDAI
The objective of the project is to determine
uniqueness of all individuals within the territory of
India.
It will only issue a number which will be delivered to
the concerned person's address.
The UIDAI proposes to provide online authentication
using demographic and biometric data.
AADHAAR NUMBER
The Unique Identification (AADHAAR) Number, which
identifies a resident, will give individuals the means to
clearly establish their identity to public and private agencies
across the country.
The AADHAAR Number is provided during the initiation process
called enrolment, where a resident’s demographic and
biometric information is collected.
Uniqueness of the provided data is established through a
process called de-duplication.
AADHAAR AUTHENTICATION
AADHAAR “authentication” means the process wherein
AADHAAR Number, along with other attributes, including
biometrics, are submitted to the Central Identities Data
Repository (CIDR) for its verification on the basis of
information or data or documents available with it.
UIDAI will provide an online service to support this process.
AADHAAR authentication service only responds with a
“yes/no” and no personal identity information is returned as
part of the response.
AADHAAR authentication will provide several ways in which a
resident can authenticate themselves using the system.
At a high level, authentication can be ‘Demographic
Authentication’ and/or ‘Biometric Authentication’.
But, in all forms of authentication the AADHAAR Number needs
to be submitted so that this operation is reduced to a 1:1 match.
During the authentication transaction, the resident’s record is
first selected using the AADHAAR Number and then the
demographic/biometric inputs are matched against the stored
data which was provided by the resident during enrolment
process or during subsequent updates.
UID SYSTEM
UID ARCHITECTURE
UID AGENCIES
NUMBERING FORMAT
NUMBERING SCHEME
The Version Number:
o Some digits may be reserved for specific applications.
This is an implicit form of a version number embedded into the numbering scheme.
o We recommend the following reservations: 0-numbers (a1 = 0) could be used as an “escape” for future extensions to the length of the number.
Number Generation:
o The numbers are generated in a random, non-repeating sequence.
o The algorithm chosen to generate IDs should not be
made public and should be considered a national secret.
Lifetime: An individual UID is assigned once, at
inception, and remains the same for the lifetime of the
person, and for a specified number of years beyond.
At this point there is no consideration of reusing
numbers.
Entity IDs: We expect that entity ID numbers
(1-numbers) will have different rules for periods of
validity and retirement.
The Checksum: There are several schemes
possible. The recommended scheme is the Verhoeff
scheme.
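The Verhoeff scheme recommended above, as an added example that is not part of the original slides and is not UIDAI code. It goes slightly beyond the text by also counting how many single-digit substitutions and adjacent-digit swaps slip past the check; the sample payload is constructed, and the labels returned by `classify` are hypothetical names for the 0-number and 1-number reservations described on this page.

```python
# Added example (not UIDAI code): Verhoeff check digit over the dihedral group D5.
# D = group multiplication, P = position-dependent permutations, INV = inverses.
D = [[int(x) for x in row] for row in (
    "0123456789 1234067895 2340178956 3401289567 4012395678 "
    "5987604321 6598710432 7659821043 8765932104 9876543210").split()]
P = [[int(x) for x in row] for row in (
    "0123456789 1576283094 5803796142 8916043527 "
    "9453126870 4286573901 2793806415 7046913258").split()]
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def _fold(digits: str, start: int) -> int:
    """Fold digits right-to-left through D; `start` is the rightmost position index."""
    c = 0
    for i, ch in enumerate(reversed(digits), start=start):
        c = D[c][P[i % 8][int(ch)]]
    return c


def check_digit(payload: str) -> str:
    """Digit to append so that the full number folds to 0."""
    return str(INV[_fold(payload, 1)])


def is_valid(number: str) -> bool:
    """True only for an ASCII digit string whose Verhoeff fold is 0."""
    return number.isascii() and number.isdigit() and _fold(number, 0) == 0


def classify(number: str) -> str:
    """Reject bad checksums, then apply the page's leading-digit reservations."""
    if not is_valid(number):
        return "rejected"
    # Labels are hypothetical; the page only reserves 0-numbers and 1-numbers.
    return {"0": "reserved-escape", "1": "entity"}.get(number[0], "resident")


def undetected_typos(number: str) -> int:
    """Count single-digit substitutions and adjacent swaps that still validate."""
    variants = [number[:i] + d + number[i + 1:]
                for i in range(len(number)) for d in "0123456789" if d != number[i]]
    variants += [number[:i] + number[i + 1] + number[i] + number[i + 2:]
                 for i in range(len(number) - 1) if number[i] != number[i + 1]]
    return sum(is_valid(v) for v in variants)


if __name__ == "__main__":
    payload = "23456789012"  # constructed sample, not a real identifier
    number = payload + check_digit(payload)
    print(number, classify(number), undetected_typos(number))
```

The check digit catches keying errors only; it gives no assurance that a number was actually issued, so it cannot stand in for the authentication step against the CIDR.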
ENTITY ID
Institutions like Government departments, schools and even
companies can benefit by using a UID like Identifier – this is called
an Entity ID.
Since the UID will potentially be used as a primary identifier in
several transactions in the financial, health, food distribution, job
creation schemes and transactions it is important to assign an
entity ID to the service delivery organization.
For instance, a financial transaction to transfer money might take
the form:
TransferMoney(From_UID, To_UID, Amount);
where the From_UID could be an entity UID of the block-level
NREGA entity and the To_UID can be that of the resident to whom the
amount is being transferred.
This symmetric treatment of both the to and from fields simplifies the
end-to-end system.
DOMAIN ANALYSIS
• The demographic and biometric fields linked to the
Aadhaar number and stored in the CIDR would
consequently need to be regularly updated to ensure
that the information it stores is both accurate and
relevant for authenticating agencies.
• The data fields held in the CIDR include mandatory
demographic and biometric fields which are central to
identity management, as well as additional, optional
fields available for ease in communicating with the
Resident, and for enabling better service delivery.
The UIDAI intends to set up modes through which residents can request
data updates.
Registrar enrolment centres:
• Most Registrars for the Aadhaar number intend to retain long-term
enrolment centres.
• These centres would have the enrolment client and devices required
for carrying out enrolments, which can also be used for updation
purposes.
• These centres would also carry out processes such as document
verification and handling, as well as verifying Introducer details,
which are required for the complete updation solution.
National level common updation agency:
• The UIDAI can work with Registrars such as the National
Securities Depository Limited (NSDL), where Residents can
update their records not just through the UIDAI, but also
through other service agencies.
• The networks of these agencies would be used for recording
information update requests.
BUSINESS RULES
At the start of the process, the Resident arrives at the centre
with his/her Aadhaar letter or his/her Aadhaar number.
He/she fills up an updation request form detailing the
specific demographic/biometric information that needs to be
updated.
If the information being updated requires supporting
documentation, the resident may first have to get
documents verified from the Verifying Official.
The Resident then provides the Operator at the centre with
the verified documents, or with the Introducer who verifies
that the updated information is accurate.
The Operator performing the updation checks the Resident’s
Aadhaar letter.
When the Resident provides the updated information, the
operator verifies the information matches any documentary
evidence/introducer provided.
The Operator enters the Resident’s information into the
software client updating the demographic or biometric
information as required.
Both Operator and Resident verify the accuracy of the data
that is entered.
The Operator then captures the Resident’s biometrics to
confirm his/her authenticity as well as the Resident's sign-off
on the update.
The updated information is transferred to the CIDR.
Once it reaches the database, the information is updated in
the CIDR, and the information on the update is then
communicated to the Resident.
ER DIAGRAM
TABLES
CIDR(Uid, Cname, Fname, DoB, Address, Eye color, D mark)
ENROLLMENT_AGENCY(E_id, E_name)
REGISTRAR(R_code, R_name, P_name, R_addr, R_phno)
OPERATOR(O_id, O_name, Quali, O_addr, O_phno, certif_no, O_gender)
UIDAI_ADMIN(A_code, A_name, A_gender, A_addr, A_phno, A_email)
CITIZEN(C_id, C_name, C_addr, C_phno, C_dob, C_gender)
BANK(Uid, Branch, Acc_no, Acc_bal, CreditCard)
RELATIONAL SCHEMA
CIDR(Uid, Cname, Fname, DoB, DoE, Eye color, Dmark)
REGISTRAR(RegCode, Rname, Pname, R_addr, R_phno)
ENROLLMENT_AGENCY(E_id, E_name, O_name, Quali, O_Addr, Cert_no)
UIDAI_ADMIN(A_code, A_name, A_gender, A_addr, A_phno, A_email)
BANK(Uid, Branch, Acc_no, Acc_bal, CreditCard)
CITIZEN(C_id, Cname, C_addr, C_phno, C_dob, C_gender)
CHALLENGES IN INDIA IDENTITY CARD
RISKS INVOLVED
Adoption risk: A critical mass is required for the participation of service providers
Political risk: Support from state and local governments is critical
Enrollment risk: Enough touch points in rural areas and enrolling 60,000 newborns every day
Risk of scale: Administration and storage of ~1B records
Technology risk: Authentication, de-duplication and data obsolescence
Privacy and security risk: Biometric data security
Sustainability risk: Maintaining the initial momentum over a longer term
RISKS IN VARIOUS STAGES
Collection
Data leakage scenarios across various Registrars and Enrollment agencies:
• Intentional or unintentional compromises
• Logical or physical security compromise
• Third party attacks
Integrity and accountability of Registrars and enrollment agencies
Reliance on multiple vendors increases vulnerabilities
RISKS IN VARIOUS STAGES (CONT.)
Transmission
Need for secured communication channels: VPN, SSL-VPN, MPLS clouds
Encryption of the data: strong encryption required for securing biometrics
Key Management: departmental interactions, coordination
Non-Repudiation: attack vectors like a man-in-the-middle attack
RISKS IN VARIOUS STAGES (CONT.)
Storage
Management of roughly 10,000 TB of sensitive information spread across the country, in addition to storage in CIDR
Accountability of users: database administrators, network administrators, application owners, third party employees
Accountability and assurance of people working with registrars and sub-registrars
DATABASE THREATS & ATTACKS
Spoofing
Tampering
Masquerade attack
Trojan horse attacks
Overriding Yes/No response
CONCLUSION
The Unique Identification System will be beneficial to
citizens, as it is a unique number which contains basic
information of every person.
Once the ID is issued, there is no need to carry a driving
license, voter card, PAN card, etc. for any government or private
work.
But to some extent it is harmful to the general public, as all
the data related to them is stored on computers and can be
misused by hackers if multiple security strategies are
not adopted.
The UID authority in particular should make sure that it
has the highest standards of integrity, openness,
transparency and process in all stages of the UID System.
The UID project should not become compulsory until there
is an established judicial overview to ensure that the privacy
rights of citizens are not unlawfully violated.
Thank you