India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

Pratyush Ranjan Tiwari; Dhruv Agarwal; Prakhar Jain; Swagam Dasgupta; Preetha Datta; Vineet Reddy; Debayan Gupta

doi:10.1007/978-3-031-18283-9_34

India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

Pratyush Ranjan Tiwari^*, Dhruv Agarwal, Prakhar Jain, Swagam Dasgupta, Preetha Datta, Vineet Reddy, Debayan Gupta

^*Corresponding author for this work

User Interfaces

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

3 Citations (Scopus)

Abstract

India’s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India’s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity—a 12-digit Aadhaar number—using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

Original language	English
Title of host publication	Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers
Editors	Ittay Eyal, Juan Garay
Publisher	Springer
Pages	672-693
Number of pages	22
ISBN (Print)	978-3-031-18282-2
DOIs	https://doi.org/10.1007/978-3-031-18283-9_34
Publication status	Published - 2022
MoE publication type	A4 Conference publication
Event	Financial Cryptography and Data Security - Saint George, Grenada Duration: 2 May 2022 → 6 May 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13411 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Financial Cryptography and Data Security
Abbreviated title	FC
Country/Territory	Grenada
City	Saint George
Period	02/05/2022 → 06/05/2022

Keywords

Biometric
Resident identification
Security & privacy

Access to Document

10.1007/978-3-031-18283-9_34

Cite this

Tiwari, P. R., Agarwal, D., Jain, P., Dasgupta, S., Datta, P., Reddy, V., & Gupta, D. (2022). India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities. In I. Eyal, & J. Garay (Eds.), Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers (pp. 672-693). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13411 LNCS). Springer. https://doi.org/10.1007/978-3-031-18283-9_34

Tiwari, Pratyush Ranjan ; Agarwal, Dhruv ; Jain, Prakhar et al. / India’s “Aadhaar” Biometric ID : Structure, Security, and Vulnerabilities. Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers. editor / Ittay Eyal ; Juan Garay. Springer, 2022. pp. 672-693 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f379a3efa3834c1eb0a1f6a9a9f0299d,

title = "India{\textquoteright}s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities",

abstract = "India{\textquoteright}s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India{\textquoteright}s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity—a 12-digit Aadhaar number—using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.",

keywords = "Biometric, Resident identification, Security & privacy",

author = "Tiwari, {Pratyush Ranjan} and Dhruv Agarwal and Prakhar Jain and Swagam Dasgupta and Preetha Datta and Vineet Reddy and Debayan Gupta",

note = "Publisher Copyright: {\textcopyright} 2022, International Financial Cryptography Association.; Financial Cryptography and Data Security , FC ; Conference date: 02-05-2022 Through 06-05-2022",

year = "2022",

doi = "10.1007/978-3-031-18283-9_34",

language = "English",

isbn = "978-3-031-18282-2",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "672--693",

editor = "Ittay Eyal and Juan Garay",

booktitle = "Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers",

address = "Germany",

}

Tiwari, PR, Agarwal, D, Jain, P, Dasgupta, S, Datta, P, Reddy, V & Gupta, D 2022, India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities. in I Eyal & J Garay (eds), Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13411 LNCS, Springer, pp. 672-693, Financial Cryptography and Data Security , Saint George, Grenada, 02/05/2022. https://doi.org/10.1007/978-3-031-18283-9_34

India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities. / Tiwari, Pratyush Ranjan; Agarwal, Dhruv; Jain, Prakhar et al.
Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers. ed. / Ittay Eyal; Juan Garay. Springer, 2022. p. 672-693 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13411 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

TY - GEN

T1 - India’s “Aadhaar” Biometric ID

T2 - Financial Cryptography and Data Security

AU - Tiwari, Pratyush Ranjan

AU - Agarwal, Dhruv

AU - Jain, Prakhar

AU - Dasgupta, Swagam

AU - Datta, Preetha

AU - Reddy, Vineet

AU - Gupta, Debayan

PY - 2022

Y1 - 2022

N2 - India’s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India’s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity—a 12-digit Aadhaar number—using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

AB - India’s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India’s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity—a 12-digit Aadhaar number—using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

KW - Biometric

KW - Resident identification

KW - Security & privacy

UR - http://www.scopus.com/inward/record.url?scp=85142713864&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-18283-9_34

DO - 10.1007/978-3-031-18283-9_34

M3 - Conference article in proceedings

AN - SCOPUS:85142713864

SN - 978-3-031-18282-2

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 672

EP - 693

BT - Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers

A2 - Eyal, Ittay

A2 - Garay, Juan

PB - Springer

Y2 - 2 May 2022 through 6 May 2022

ER -

Tiwari PR, Agarwal D, Jain P, Dasgupta S, Datta P, Reddy V et al. India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities. In Eyal I, Garay J, editors, Financial Cryptography and Data Security - 26th International Conference, FC 2022, Revised Selected Papers. Springer. 2022. p. 672-693. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-18283-9_34