
Beef up Aadhaar security

Published : Jan 14, 2018, 3:28 am IST
Updated : Jan 14, 2018, 6:42 am IST

UIDAI must take steps to have multiple key holders.

The possibility of insider attacks could be the most dangerous threat to the Aadhaar ecosystem. (Photo: PTI)

Right from its inception, the Aadhaar project has been, and continues to be, questioned on the grounds that it violates privacy and data security. The issue has taken centre stage like never before after an expose by a journalist. Though UIDAI has denied any such breach, its defence has been at best ambiguous. The core of Aadhaar, the Central Identities Database Repository (CIDR), may be strong by design. However, its support systems, processes, and wider ecosystem are exposed, with open access for any government-authorised or private entity.

Some crucial lacunae in the identification and authentication processes of Aadhaar have been pointed out by the Centre for Internet and Society. Some possible ways of breach are correlation of identities across domains, identification without consent using Aadhaar data, and illegal tracking of individuals.


The possibility of insider attacks could be the most dangerous threat to the Aadhaar ecosystem. It could also come under attack if the attacker can collude with an insider with access to various components of the Aadhaar system - something akin to the recent breach aided by the involvement of an insider. Though an FIR has been filed with the police, there is no information on UIDAI taking any action against either government or private employees. According to various studies on the Aadhaar ecosystem, there are no safeguards or guidelines - either technical or legal - on how the Aadhaar number should be maintained, how it should be used by Authentication User Agencies (AUA) in a cryptographically secure way, and how to prevent the Aadhaar number of an individual from becoming public.


Apart from implementing the recommendations of the Shah and Sinha committees, UIDAI could appoint independent third parties who can individually perform the roles of an auditor and a keeper of cryptographic keys. The separation of administrative control can strengthen the security of the overall system.

Other techniques that can be used are: 1) storing only a hash of biometric data, 2) tamper-resistant code to avoid arbitrary behaviour, 3) tamper-resistant hardware to protect cryptographic keys, and 4) whiteboxing and encryption methods.

Virtual ID
UIDAI has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers, in a move aimed at allaying widespread concern over security breaches that have dogged the UIDAI central repository. A significant security upgrade announced by UIDAI is the creation of a "virtual ID", which can be used in lieu of the 12-digit Aadhaar number. Some databases with Aadhaar numbers will still float around unless there is complete revocation of the number. For trust to prevail, tokenisation should be implemented across all data controllers, including Authentication User Agencies. This concept will also prevent the combining and correlating of databases across domains that are linked to the Aadhaar number.
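
The correlation argument above, as an added example (not from the article, and not UIDAI's actual virtual ID or token scheme): two constructed databases are keyed by the raw number, by an unkeyed hash, and by per-domain keyed tokens, and the number of linkable people is counted in each case. `TokenService`, the domain names and all sample numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: made-up 12-digit numbers, not real Aadhaar numbers.
BANK = {"000011112222": "savings account", "000033334444": "home loan"}
TELECOM = {"000011112222": "mobile SIM", "000055556666": "broadband"}

def plain_hash(id_number: str, domain: str) -> str:
    # Weak: unkeyed and domain-independent, so it is the same everywhere,
    # and the 12-digit input space is small enough to enumerate.
    return hashlib.sha256(id_number.encode()).hexdigest()

class TokenService:
    """Hypothetical token issuer; the only party that holds the master key."""
    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def token_for(self, id_number: str, domain: str) -> str:
        # Derive a per-domain key, then key the token with it: the same
        # person gets a stable token inside a domain, unrelated ones across.
        domain_key = hmac.new(self._master_key, domain.encode(), hashlib.sha256).digest()
        return hmac.new(domain_key, id_number.encode(), hashlib.sha256).hexdigest()

def tokenise(records: dict, to_token, domain: str) -> dict:
    """Re-key a database so it stores tokens instead of raw numbers."""
    return {to_token(number, domain): value for number, value in records.items()}

def linkable(db_a: dict, db_b: dict) -> set:
    """Identifiers present in both databases, i.e. people who can be correlated."""
    return set(db_a) & set(db_b)

def compare_schemes() -> dict:
    service = TokenService(secrets.token_bytes(32))
    return {
        "raw": len(linkable(BANK, TELECOM)),
        "plain_hash": len(linkable(tokenise(BANK, plain_hash, "bank"),
                                   tokenise(TELECOM, plain_hash, "telecom"))),
        "per_domain": len(linkable(tokenise(BANK, service.token_for, "bank"),
                                   tokenise(TELECOM, service.token_for, "telecom"))),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

Only the per-domain keyed tokens leave the two databases with no common join key; the master key then becomes the asset that the separate key keeper discussed earlier would have to protect.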


One of the vulnerabilities is the making of copies of fingerprints. By law, one should not store copies of fingerprints. However, it is hard to spot vulnerabilities embedded in thousands of lines of code. Though biometric sensors "are increasingly implementing liveness detection to ensure any attempt at making fake fingers and iris are prevented", it is not clear if biometric readers certified by UIDAI have been tested for liveness detection.

(The writer is a professor at Vardhaman College of Engineering)
