Paper 2022/481

India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

Pratyush Ranjan Tiwari, Dhruv Agarwal, Prakhar Jain, Swagam Dasgupta, Preetha Datta, Vineet Reddy, and Debayan Gupta

Abstract

India's Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India's 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. Financial Cryptography and Data Security (FC) 2022
Keywords
Biometric authentication, Biometric Identification, Applications, Identification Systems Security & Privacy
Contact author(s)
pratyush @ cs jhu edu
t-dhaga @ microsoft com
debayan gupta @ ashoka edu in
History
2022-04-23: revised
2022-04-23: received
Short URL
https://ia.cr/2022/481
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/481,
      author = {Pratyush Ranjan Tiwari and Dhruv Agarwal and Prakhar Jain and Swagam Dasgupta and Preetha Datta and Vineet Reddy and Debayan Gupta},
      title = {India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities},
      howpublished = {Cryptology ePrint Archive, Paper 2022/481},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/481}},
      url = {https://eprint.iacr.org/2022/481}
}