
Beef up Aadhaar security

Published : Jan 14, 2018, 3:28 am IST
Updated : Jan 14, 2018, 6:42 am IST

UIDAI must take steps to have multiple key holders.

The possibility of insider attacks could be the most dangerous threat to the Aadhaar ecosystem. (Photo: PTI)

Right from its inception, the Aadhaar project has been, and continues to be, questioned as violating privacy and data security. The issue has taken centre stage like never before after an exposé by a journalist. Though UIDAI has denied any such breach, its defence has been at best ambiguous. The core of Aadhaar, the Central Identities Database Repository (CIDR), may be strong by design. However, its support systems, processes, and wider ecosystem are exposed, with open access for any government-authorised or private entity.

Some crucial lacunae in the identification and authentication processes of Aadhaar have been pointed out by the Centre for Internet and Society. Some possible avenues of breach are correlation of identities across domains, identification without consent using Aadhaar data, and illegal tracking of individuals.


The possibility of insider attacks could be the most dangerous threat to the Aadhaar ecosystem. It could also come under attack if the attacker can collude with an insider who has access to various components of the Aadhaar system - something akin to the recent breach, which was aided by the involvement of an insider. Though an FIR has been filed with the police, there is no information on UIDAI taking any action against either government or private employees. According to various studies on the Aadhaar ecosystem, there are no safeguards or guidelines - either technical or legal - on how the Aadhaar number should be maintained, how it should be used by Authentication User Agencies (AUA) in a cryptographically secure way, and how to prevent the Aadhaar number of an individual from becoming public.


Apart from implementing the recommendations of the Shah and Sinha committees, UIDAI could appoint independent third parties who can individually perform the roles of an auditor and a keeper of cryptographic keys. This separation of administrative control can strengthen the security of the overall system.

Other techniques that can be used are: 1) storing only a hash of biometric data, 2) tamper-resistant code to avoid arbitrary behaviour, 3) tamper-resistant hardware to protect cryptographic keys, and 4) whiteboxing and encryption methods.

Virtual ID
UIDAI has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers, in a move aimed at allaying widespread concern over security breaches that have dogged the UIDAI central repository. A significant security upgrade announced by UIDAI is the creation of a "virtual ID", which can be used in lieu of the 12-digit Aadhaar number. Some databases with Aadhaar numbers will still float around unless there is complete revocation of the number. For trust to prevail, tokenisation should be implemented across all data controllers, including Authentication User Agencies. This concept will also prevent the combining and correlating of databases across domains that are linked to the Aadhaar number.
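
How per-agency tokenisation blocks the cross-domain correlation described above can be shown in a few lines. This is an added illustration, not UIDAI's actual virtual ID or token scheme; the key handling, the agency names and the `domain_token` function are assumptions, and the ID numbers are constructed samples.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret key held only by a central tokenisation service,
# never by any Authentication User Agency (AUA). A keyed function is needed
# because an unkeyed hash of a 12-digit number can simply be enumerated.
TOKEN_KEY = secrets.token_bytes(32)


def domain_token(key: bytes, aua_id: str, id_number: str) -> str:
    """Token that is stable within one AUA but different for every other AUA."""
    # Length-prefix the AUA id so the two fields cannot run into each other.
    msg = len(aua_id).to_bytes(2, "big") + aua_id.encode() + id_number.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_aua_table(key: bytes, aua_id: str, records):
    """What an AUA would store: token -> its own data, with no raw number."""
    return {domain_token(key, aua_id, num): data for num, data in records}


def joinable_rows(table_a: dict, table_b: dict) -> list:
    """Rows someone holding both tables could link by joining on the stored key."""
    return sorted(set(table_a) & set(table_b))


# Constructed sample identifiers (not real Aadhaar numbers).
PEOPLE = ["000000000001", "000000000002", "000000000003"]


def demo():
    # Today's situation in the article: both databases keyed on the raw number.
    bank_raw = {n: "account" for n in PEOPLE}
    telco_raw = {n: "sim" for n in PEOPLE}
    # Tokenised: each AUA receives a different token for the same person.
    bank_tok = build_aua_table(TOKEN_KEY, "bank-aua", [(n, "account") for n in PEOPLE])
    telco_tok = build_aua_table(TOKEN_KEY, "telco-aua", [(n, "sim") for n in PEOPLE])
    return len(joinable_rows(bank_raw, telco_raw)), len(joinable_rows(bank_tok, telco_tok))


if __name__ == "__main__":
    raw, tokenised = demo()
    print(f"joinable rows with raw numbers: {raw}; with per-AUA tokens: {tokenised}")
```

Only the holder of the key can map a token back to a person or link two agencies' records, which is why the separation of key custody discussed earlier matters for this design as well.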


One of the vulnerabilities is the making of copies of fingerprints. By law, one should not store copies of fingerprints. However, it is hard to spot vulnerabilities embedded in thousands of lines of code. Though biometric sensors "are increasingly implementing liveness detection to ensure any attempt at making fake fingers and iris are prevented," it is not clear if biometric readers certified by UIDAI have been tested for liveness detection.

(The writer is a professor at Vardhaman College of Engineering)
