Monday, March 26, 2018

Fixing Aadhaar

It is an academic discussion whether any country or society needs something like Aadhaar or not. There are pros and cons of having a single identity system. I am not going into merits or demerits of a system like Aadhaar here. What I want to discuss here are the methods to secure a system like Aadhar.

How should we view the Aadhaar number? The closest equivalence that I can see here is a username to any website. Should the username be secure or not? Making username secure does make it harder for somebody to hack into the account. This is one of the reasons why in case of a failed authentication, we want the developers not to disclose what was wrong, was it username that was wrong? or the password that was wrong?

Another way to look at the Aadhaar number would be a credit card number. The credit card number, on its own, is not sufficient to do any transaction but it is a big piece of the credit card transaction puzzle.

As we have observed in past weeks, there is a case to be made that Aadhaar data center is probably secure but for it to be useful, it has to be connected to the internet. It is this part of the puzzle that completely breaks the Aadhaar architecture.

Aadhaar expects its third-party partners to capture the Aadhaar number and OTP and send it over to UIDAI server for identity verification. This leaves them completely open to misuse by third-party partners. Given that UIDAI has not really shown great foresight in security audit of their partners and has no way to make sure that the partner systems are secure, they really can't depend on their partners (government and private) to secure the system. Any system is as secure as the weakest link in the network. So if a state government has a spreadsheet with Aadhaar details in an open directory all the security of UIDAI data center is just useless. Any malicious user is not going to try to breach the strongest parts of any system, they will go after weakest parts of the system.

I don't really know the details of Aadhaar architecture, but my guess is that at top level following things are happening.

The problem lies in the fact that Aadhaar number is captured by the third party and UIDAI depends on them to handle it properly. To get control over this problem, the best way is to move the capturing of Aadhaar number to the UIDAI server. This problem has been solved in FinTec domain by companies like Visa and Master. The secure information is only captured by UIDAI server and the third-party is just informed of success or failure.

This small modification will at least take the burden of securing Aadhaar system from the hands of third-party. They are only concerned with one information whether the person's identity is verified or not. The persistent verification id can solve that problem.
This does not mean that this makes the system completely secure. A large system like Aadhaar should have their complete source code in public domain so that security researchers can review it and notify changes. Source codes don't implement security, security is implemented by certificates and encryption keys.

No comments:

Post a Comment