Paper 2022/481
India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities
Pratyush Ranjan Tiwari, Dhruv Agarwal, Prakhar Jain, Swagam Dasgupta, Preetha Datta, Vineet Reddy, and Debayan Gupta
Abstract
India's Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India's 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.
Metadata
- Available format(s)
-
PDF
- Category
- Applications
- Publication info
- Published elsewhere. Minor revision. Financial Cryptography and Data Security (FC) 2022
- Keywords
- Biometric authenticationBiometric IdentificationApplicationsIdentification Systems Security & Privacy
- Contact author(s)
-
pratyush @ cs jhu edu
t-dhaga @ microsoft com
debayan gupta @ ashoka edu in - History
- 2022-04-23: revised
- 2022-04-23: received
- See all versions
- Short URL
- https://ia.cr/2022/481
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/481,
author = {Pratyush Ranjan Tiwari and Dhruv Agarwal and Prakhar Jain and Swagam Dasgupta and Preetha Datta and Vineet Reddy and Debayan Gupta},
title = {India’s “Aadhaar” Biometric {ID}: Structure, Security, and Vulnerabilities},
howpublished = {Cryptology {ePrint} Archive, Paper 2022/481},
year = {2022},
url = {https://eprint.iacr.org/2022/481}
}
