2. CONTENTS
Unique Identification Number & Its Purpose
AADHAAR Project
Authentication
UID System
UID Agencies
Challenges Involved in Implementation
UID Numbering Scheme
Entity IDs
Domain analysis
Business rules
E-R Diagram & Relational Schema
Risks & Database Threats and Attacks involved in UID Project
Implementation
3. UNIQUE IDENTIFICATION NUMBER
The Unique Identification Authority of India (UIDAI) is an agency
of the Government of India responsible for implementing the
AADHAAR scheme, a unique identification project.
It was established in February 2009, and will own and operate the
Unique Identification Number database.
The authority aims to provide a unique id number to all Indians.
The authority will maintain a database of residents containing
biometric and other data.
4. PURPOSE OF UIDAI
The objective of the project is to determine uniqueness of all
individuals within the territory of India.
It will only issue a number which will be delivered to the
concerned person's address.
The UIDAI proposes to provide online authentication using
demographic and biometric data.
5. AADHHAR NUMBER
The Unique Identification (AADHAAR) Number, which identifies a
resident, will give individuals the means to clearly establish their
identity to public and private agencies across the country.
AADHAAR Number is provided during the initiation process called
enrolment where a resident‟s demographic and biometric information
are collected .
Uniqueness of the provided data is established through a process
called de-duplication.
6. AADHAAR AUTHENTICATION
AADHAAR “authentication” means the process wherein AADHAAR
Number, along with other attributes, including biometrics, are
submitted to the Central Identities Data Repository (CIDR) for its
verification on the basis of information or data or documents
available with it.
UIDAI will provide an online service to support this process.
AADHAAR authentication service only responds with a “yes/no” and
no personal identity information is returned as part of the response.
7. AADHAAR authentication will provide several ways in which a resident
can authenticate themselves using the system.
At a high level, authentication can be „Demographic Authentication‟
and/or „Biometric Authentication‟.
But, in all forms of authentication the AADHAAR Number needs to be
submitted so that this operation is reduced to a 1:1 match.
During the authentication transaction, the resident‟s record is first
selected using the AADHAAR Number and then the
demographic/biometric inputs are matched against the stored data
which was provided by the resident during enrolment process or during
subsequent updates.
12. NUMBERING SCHEME
The Version Number:
o Some digits may be reserved for specific applications. This is
an implicit form of a version number embedded into the
numbering scheme.
o We recommend the following reservations: 0- numbers (a1 =
0) could be used as an “escape” for future extensions to the
length of the number.
Number Generation:
o The numbers are generated in a random, non-repeating se-
quence.
o The algorithm chosen to generate IDs should not be made
public and should be considered a national secret.
13. Lifetime: Individual UID is assigned once, at inception, and
remain the same for the lifetime of the person, and for a
specified number of years beyond. At this point there is no
consideration of reusing numbers.
Entity ID’s: We expect that entity ID numbers (1- numbers)
will have different rules for periods of validity and retirement.
The Checksum: There are several schemes possible .The
recommend ed scheme is the Verhoeff scheme.
14. ENTITY ID
Institutions like Government departments, schools and even companies
can benefit by using a UID like Identifier – this is called an Entity ID.
Since the UID will potentially be used as a primary identifier in several
transactions in the financial, health, food distribution, job creation
schemes and transactions it is important to assign an entity ID to the
service delivery organization.
For instance a financial trans-action to transfer money might take the
form:
TransferMoney(From_UID, To_UID, Amount);
Where the From_UID could be an entity UID of the block level NREGA
entity and the To_UID can be that of the resident to who the amount is
being transferred.
This symme-tric treatment of both to and from fields simplifies the end-to-
end system.
15. DOMAIN ANALYSIS
• The demographic and biometric fields linked to the Aadhaar
number and stored in the CIDR would consequently, need to
be regularly updated to ensure that the information it stores is
both accurate and relevant for authenticating agencies.
• The data fields held in the CIDR include mandatory
demographic and biometric fields which are central to identity
management, as well as additional, optional fields available
for ease in communicating with the Resident, and for enabling
better service delivery.
16. The UIDAI intends to set up modes through which residents can request
for data updates.
Registrar enrolment centres:
• Most Registrars for the Aadhaar number intend to retain long-term enrolment
centres .
• These centres would have the enrolment client and devices required for
carrying out enrolments, which can also be used for updation purposes.
• These centres would also carry out processes such as document verification
and handling, as well as verifying Introducer details, which are required for
the complete updation solution.
17. National level common updation agency:
• The UIDAI can work with the Registrars such as the National
Securities Depository Limited (NSDL) where Residents can update
their records not just through theUIDAI, but also other service
agencies.
• The networks of these agencies would be used for recording
information update requests.
18. BUSINESS RULES
At the start of the process, the Resident arrives at the centre with
his/her Aadhaar letter or his/her Aadhaar number.
He/she fills up an updation request form detailing the specific
demographic/biometric information that needs to be updated.
If the information being updated requires supporting documentation,
the resident may first have to get documents verified from the
Verifying Official.
The Resident then provides the Operator at the centre with the
verified documents, or with the Introducer who verifies that the
updated information is accurate.
19. The Operator performing the updation checks the Resident‟s
Aadhaar letter.
When the Resident provides the updated information, the operator
verifies the information matches any documentary
evidence/introducer provided.
The Operator enters the Resident‟s information into the software
client updating the demographic or biometric information as required.
Both Operator and Resident verify the accuracy of the data that is
entered.
The Operator then captures the Resident‟s biometrics to confirm
his/her authenticity as well as the Resident's sign-off on the update.
20. The updated information is transferred to the CIDR .
Once it reaches the database, the information is updated in the
CIDR, and the information on the update is then communicated to
the Resident.
26. RISKS INVOLVED
Adoption risk
A critical mass is required for the participation of service providers
Political risk
Support from state and local governments is critical
Enrollment risk
Enough touch points in rural areas and enrolling 60,000 newborns every
day
Risk of scale
Administration and storage of ~1B records
Technology risk
Authentication, de-duplication and data obsolescence
Privacy and security risk
Biometric data security
Sustainability risk
Maintaining the initial momentum over a longer term
27. RISKS IN VARIOUS STAGES
Collection
Data leakage Scenarios across various Registrars and Enrollment agencies:
• Intentional or unintentional compromises
• Logical or physical security compromise
• Third party attacks
Integrity and accountability of Registrars and enrollment agencies
Reliance on multiple vendors increases vulnerabilities
28. RISKS IN VARIOUS STAGES ( CONT..)
Transmission
Need for secured communication channels: VPN, SSL-
VPN, MPLS clouds
Encryption of the data: strong encryption required for
securing biometrics
Key Management: departmental interactions,
coordination
Non-Repudiation: attack vectors like a man-in-the-
middle attack
29. RISKS IN VARIOUS STAGES ( CONT..)
Storage
Management of roughly 10,000 TB of sensitive information spread
across the country, in addition to storage in CIDR
Accountability of users : data base administrators, network
administrators, application owners, third party employees
Accountability and assurance of people working with registrars
and sub-registrars
31. CONCLUSION
Unique Identification System will be beneficiary to the citizens as it is
a unique number which contains basic information of every person.
After the ID will be issued there is no need to carry driving license,
voter cards, pan card, etc for any govt. or private work.
But to some extent it is harmful to the general public as all the data
related to them is stored on computers and can be misused by
hackers if the multiple security strategies will not be adopted.
32. The UID authority in specific should make sure that they have the
highest standards of integrity, openness, transparency and process
in all stages of UID System.
The UID project should not become compulsory until there is an
established judicial overview to ensure that the privacy rights of
citizens are not unlawfully violated.