Thursday, June 21, 2018

(Very) Preliminary Observations on eSign using VID

(These observations are based on a few hours of testing the UAT made available by one ESP provider yesterday. It is possible that some of the aspects mentioned below could change in the next few days)

UIDAI has mandated that OTP-based eSignatures can no longer use the Signer's Aadhaar number. They would have to use the VID (Virtual ID). This goes into effect after June 30, and one ESP has made available its Testing Environment yesterday. Here are some preliminary observations.

1) eSigners will need a VID (Aadhaar not permitted)

The eSigner (the individual who will be signing) will need to generate his VID. This can be done from the UIDAI website. The VID is sent over SMS to the registered mobile phone of the individual, and is a 16-digit number. A person can only have one VID at a given time. A VID seems to expire after a certain duration. (Not sure exactly how long, but it is probably several days. Early reports seemed to suggest that there would be no expiry, but our tests have revealed that some of the older VIDs have expired.)

2) Freshly generated VID does not seem to be immediately usable for eSigning (!!!)

eSigners had observed in the past that if you linked a mobile number with your Aadhaar, it would not become available immediately for eSign OTPs. The UIDAI website would show that the mobile number was linked, but the eSign Gateway would return an error saying it wasn't linked. It used to take several days for eSigning to be possible after the mobile was linked. The same seems to be the case with freshly generated VIDs.

In our testing, it was observed that freshly generated VIDs could not be used for signing for at least a day and maybe more. This can be a big impediment, because most eSigners are unlikely to have a VID prior to eSigning. If the Signer generates it on the spot just before signing, he would have to wait for a while (potentially a few days) before eSigning is possible with the new VID. This issue needs to be addressed by UIDAI / ESP if eSigning has to remain viable.

3) ASP does not pass the VID to ESP

Earlier, the Aadhaar number used to be passed by the ASP to the ESP. Now it appears that the VID has to be entered on the ESP page by the eSigner. The earlier API allowed an ASP to specify a priori which Aadhaar number had to be used for signing a particular document. This no longer seems to be the case. In other words, a document may end up being signed by someone who was not intended to sign it. Any confirmation of who the actual signer was will have to be done post facto.

4) eMandates

eMandates will probably be disrupted for a while for a couple of reasons.

a) Banks may have a person's Aadhaar (which does not change), but they may not have his VID (which keeps changing). So these Banks would probably have no way to perform verification of the eMandate unless they happen to have the VID which that person used at the time of eSigning.

b) The X.509 certificate does not seem to contain the SHA-256 hash of the VID (as was earlier the case with the Aadhaar number). Thus Banks will not be able to perform verification even if they did have the VID. This is probably a technical issue that ESPs would need to resolve.

PS> Clarifications on commonly asked questions:

a) No, it is not possible to obtain the Aadhaar number from the VID.

b) Only the holder of an Aadhaar number can generate a VID for himself. There is no "API" to automate this on behalf of others.

Sunday, May 13, 2018

Aadhaar Data Vault - who needs it?

UIDAI had made it mandatory for AUAs/KUAs/Sub-AUAs to implement an Aadhaar Data Vault. However, the Aadhaar eKYC landscape has undergone significant changes in the past few weeks.

1) UIDAI stopped sub-AUAs from availing the eKYC services. This is a step in the right direction, because "becoming a sub-AUA" was essentially a way to avail of eKYC data without having to satisfy the audit and other registration / financial requirements imposed by UIDAI on KUAs. Clearly, there was very little control that KUAs could exercise on their sub-AUAs. Now the choice is to either become a KUA (and be audited) or not avail of eKYC.

2) UIDAI has issued an FAQ on Aadhaar Data Vault, which essentially states that any entity (not just AUA/KUA/sub-AUA) that stores Aadhaar numbers needs to implement an Aadhaar Data Vault. (For example, this would cover Schools and Colleges that ask students for their Aadhaar numbers.)

3) In its circular dated May 1 2018, UIDAI states that only Global AUAs/KUAs will be allowed to store Aadhaar numbers. Local AUAs/KUAs would not be permitted to store Aadhaar numbers, but could only store UID tokens. If there are no Aadhaar numbers to store, why would they need Aadhaar Data Vaults?

4) At the present time, therefore, it appears that Global KUAs would need to implement Aadhaar Data Vaults. Because these are audited, compliance can be ensured.

As things stand, Local AUAs will not be able to store Aadhaar numbers, but other entities such as Educational Institutes, Employers, etc. can. It is not clear how UIDAI would ensure compliance with the Aadhaar Data Vault requirement by schools, colleges, employers and various other agencies that take people's Aadhaar numbers and who don't undergo any sort of audit at all.

Friday, April 27, 2018

Why does Adobe Acrobat Reader take a few seconds to verify Digital Signatures?

When a document is opened in Adobe Acrobat Reader, it needs a few seconds to verify the signatures in the document. It needs the internet to perform the verification.

1) What are the verifications performed?

The Reader verifies that the digital signature has been issued by a trusted authority (more precisely, that the signer's digital certificate has, somewhere in its hierarchy tree, at least one certificate that is already trusted by the Adobe Reader).

Secondly, it verifies that the Signer's certificate has not been revoked. This usually requires the internet. The list of revoked certificates (called a Certificate Revocation List, or CRL) is available at a URL embedded within the Signer's certificate (which is itself part of the Digital Signature), and the Reader tries to access that URL to ensure that the Signer's certificate is not in the CRL. Acrobat Readers often store these CRLs in their cache, in which case a connection to the URL may not be made.

2) What are the URLs that need to be accessible to the Acrobat Reader so that the Green tick appears?

These URLs are found in the Signer Certificate Details under the three headings shown below.

The above details have to be checked for URLs for each of the certificates in the tree.
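The same URLs can be pulled out of a certificate programmatically. The block below is an added example for this post (it is not code from the blog, from Adobe, or from any ESP): using only the Python standard library, it walks a certificate's DER encoding and lists the URLs in the CRL Distribution Points extension and in the Authority Information Access extension (OCSP responder and CA Issuers), which are the places a verifier looks when checking revocation and building the chain. The function names, and the `example.test` hostnames in the constructed sample, are assumptions made for this illustration and do not come from the post.

```python
# Added example: list revocation-check URLs (CRL DP, OCSP, CA Issuers) from an
# X.509 certificate's DER bytes, standard library only. Not the blog's own code.
from typing import Dict, Iterator, List, Tuple

OID_CRL_DP = "2.5.29.31"               # id-ce-cRLDistributionPoints
OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_URI = 0x86                         # GeneralName uniformResourceIdentifier [6], IA5String

# DER bodies of the same OIDs; only used to build the constructed sample below.
OID_DER = {OID_CRL_DP: b"\x55\x1d\x1f",
           OID_AIA: b"\x2b\x06\x01\x05\x05\x07\x01\x01",
           OID_OCSP: b"\x2b\x06\x01\x05\x05\x07\x30\x01",
           OID_CA_ISSUERS: b"\x2b\x06\x01\x05\x05\x07\x30\x02"}


def der_tlv(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each DER TLV in data (single-byte tags, definite lengths)."""
    pos = 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                     # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        yield tag, data[pos:pos + length]
        pos += length


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def iter_extensions(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (oid, extnValue) for every Extension-shaped SEQUENCE found anywhere in a
    DER blob. Works on a whole certificate, so no need to locate TBSCertificate first."""
    for tag, body in der_tlv(data):
        if tag == 0x30:
            fields = list(der_tlv(body))
            if fields and fields[0][0] == 0x06 and fields[-1][0] == 0x04:
                yield decode_oid(fields[0][1]), fields[-1][1]
                continue
        if tag & 0x20:                        # constructed type: descend into it
            yield from iter_extensions(body)


def find_uris(value: bytes) -> List[str]:
    """Collect every [6] uniformResourceIdentifier GeneralName nested in a DER value."""
    uris: List[str] = []
    for tag, body in der_tlv(value):
        if tag == TAG_URI:
            uris.append(body.decode("ascii"))
        elif tag & 0x20:
            uris.extend(find_uris(body))
    return uris


def revocation_urls(cert_der: bytes) -> Dict[str, List[str]]:
    """Return the CRL, OCSP and CA-issuer URLs a verifier would contact for this certificate."""
    out: Dict[str, List[str]] = {"crl": [], "ocsp": [], "ca_issuers": []}
    for oid, ext_value in iter_extensions(cert_der):
        if oid == OID_CRL_DP:
            out["crl"].extend(find_uris(ext_value))
        elif oid == OID_AIA:
            for _, access_list in der_tlv(ext_value):       # SEQUENCE OF AccessDescription
                for _, access in der_tlv(access_list):      # AccessDescription: OID + GeneralName
                    (_, method), (loc_tag, loc) = list(der_tlv(access))[:2]
                    key = {OID_OCSP: "ocsp", OID_CA_ISSUERS: "ca_issuers"}.get(decode_oid(method))
                    if key and loc_tag == TAG_URI:
                        out[key].append(loc.decode("ascii"))
    return out


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_extensions() -> bytes:
    """Constructed sample (made-up hostnames): an Extensions SEQUENCE holding one CRL DP
    extension and one AIA extension, shaped as they would be inside a signer certificate."""
    crl_dp = der(0x30, der(0x30, der(0xA0, der(0xA0, der(TAG_URI, b"http://crl.example.test/signer.crl")))))
    ext_crl = der(0x30, der(0x06, OID_DER[OID_CRL_DP]) + der(0x04, crl_dp))
    aia = der(0x30,
              der(0x30, der(0x06, OID_DER[OID_OCSP]) + der(TAG_URI, b"http://ocsp.example.test"))
              + der(0x30, der(0x06, OID_DER[OID_CA_ISSUERS]) + der(TAG_URI, b"http://ca.example.test/issuer.cer")))
    ext_aia = der(0x30, der(0x06, OID_DER[OID_AIA]) + der(0x04, aia))
    return der(0x30, ext_crl + ext_aia)


if __name__ == "__main__":
    for kind, urls in revocation_urls(sample_extensions()).items():
        print(kind, urls)
```

For a real certificate, export it from the signature panel, read the DER bytes (or convert a PEM export with `ssl.PEM_cert_to_DER_cert`) and pass them to `revocation_urls`; run it once for each certificate in the tree, since each level can carry its own CRL and OCSP addresses, and the union of those is what has to be reachable (or already cached) for the green tick.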

Sunday, January 14, 2018

What is the VID and what problem will it solve?

(At the time of writing this, I have not been able to locate the official VID circular either under the Circulars menu or Notifications menu on the UIDAI website, so I rely on detailed news reports such as [1], [2], [3] for this article.)

UIDAI has recently announced that it would start issuing 16-digit Virtual IDs (VIDs) to individuals on demand, who will then provide these in place of the Aadhaar number if they so choose. Individuals can then keep their Aadhaar number secret.

For a long time now, UIDAI has taken the position that the Aadhaar number is not a secret. (Most recently in a press-note which was issued 4 days before the VID announcement). Given the reality that Aadhaar is being asked virtually everywhere, Aadhaar number cannot be expected to remain a secret. Introducing the VID idea seems like a rethink, in light of the data breach reported in the Tribune.

The other problem that UIDAI is trying to solve with the VID is to avoid "profiling" of residents. In an article on NDTV it was claimed "the Virtual ID that had been in the works for 18 months was introduced to block any attempt at profiling the crores of people who had enrolled for the unique identification number." (end quote) In other words, it is to guard against the possibility that a malicious attacker with knowledge of an Aadhaar number will be able to search across multiple financial, telecom, educational, and other databases and obtain a detailed picture or profile of the individual.

This is a problem that UIDAI is not expected to solve. World over, the security and confidentiality of various databases is the responsibility and duty of the organizations that maintain the databases - banks, telecom companies, etc. The profiling problem arises when the databases of these organizations are compromised.

Issuing a VID will NOT solve the profiling issue for the simple reason that if these databases are compromised, the malicious attacker will easily perform the profiling on the basis of the name or even better, the cell number. [I cannot think of a single instance when I have had to share my Aadhaar but not my cell number. I can think of many places where I have had to give my cell number but not Aadhaar, so the cell number seems like a richer profiling key for any malicious attacker. Oh, and I have always had to give my name everywhere!].

This brings us back to the question - why does UIDAI need to add "layers of security" to something we have been told is "fully secure"? Why is UIDAI still unsure whether the Aadhaar number is to remain secret or not? There is no other country where there are so many questions about the National Identity Database. The Passport authority in India or the IT Dept (that issues PAN cards) have never been questioned on the security of their databases. Why do such questions arise about Aadhaar?

Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. Even the Passport Authority and the IT Dept DO NOT GIVE OUT citizen information to anyone, except investigative agencies in case of some evidence of crime.

It is worth asking: why does UIDAI even need to give out eKYC data unless there is a crime or other over-riding reason? Sure, it may help a telecom company scale up its user base much faster than its competitors, or it may cut down the time and effort required to populate databases of other private companies. But making life easier for private companies was NOT the purpose of the Aadhaar Act to begin with and can never be the purpose of any National Identity Database.

Furthermore, none of the Govt savings that are claimed, such as those from eliminating ghost teachers, fake ration card holders or fake students would be compromised if eKYC is stopped and replaced purely with verification or authentication.

Interestingly, UIDAI only did YES/NO verification and biometric authentication until a couple of years ago or so. That was the right approach. UIDAI needs to switch back to it immediately. Further, it should restrict biometric authentication to government agencies only. UIDAI should not be an enabler in the replication of its data in private databases in India and abroad. Then it won't have to worry about profiling based on Aadhaar.

The SC bench hearing the Aadhaar case should focus on this insidious eKYC provision of the Aadhaar act. Surely, as Mr Chidambaram said, this is a bit like locking the door after the horses have bolted. Perhaps we can seek satisfaction in the fact that it will protect the privacy of babies who are born today!

Thursday, January 4, 2018

Tribune report on Data breach

The Tribune carried a news report of a UIDAI data breach:

This was followed by a clarification from UIDAI:

More information about the Aadhaar breach has come into the public domain subsequently. There are some clear facts that have emerged from everything that is known.

1) The UIDAI essentially admits that resident data (demographic and personal information, probably including photo, and not including fingerprint and iris data) has been accessed in an unauthorized manner. It is said that perhaps 1 lakh unauthorized users had accessed Aadhaar data. It also seems that the authorities had no idea this was happening until the reporter broke the story.

2) The breach of demographic information is a serious matter. Consider for a moment: if intelligence agencies of foreign countries have access to this information, they can look up the residential address of any officer in the Indian security forces. Less ominously, mischief-makers and marketeers can create targeted databases of individuals with particular characteristics within a PIN code.

3) Had the Aadhaar system restricted itself to YES / NO verification (as it correctly did when it was conceived), none of this would have happened. Unfortunately, after the NDA Govt took office, private entities were permitted to access and obtain Aadhaar information (via what is called eKYC). eKYC has permitted many private entities to essentially replicate large sections of Aadhaar database in private databases over which no one can exercise control.

4) Any corrective action at this time is akin to bolting the door after the horses have fled. While the SC continues to debate and hear "privacy" related cases, the reality of the situation is that much of the information has already been compromised and the genie cannot be put back in the bottle.

(This post was modified in light of information available after the initial Tribune story.)

Sunday, September 10, 2017

RBI moves towards eAadhaar

The RBI has issued a notification enabling the use of eAadhaar obtained from UIDAI website as a valid form of eKYC. See their notification below:

This is a move in the right direction - eAadhaar is absolutely the right way to perform eKYC.

The RBI notification is a vindication of what we have said all along. An individual submitting his eAadhaar is better than having thousands of private entities collect people's biometrics and accessing information directly from UIDAI database.

Friday, September 1, 2017

GSTN sandbox / production mismatch

As of the morning of 1 Sept 2017, we have received information that the signatures that passed in the GSTN sandbox do not pass in GSTN production. This is unusual because the two environments (sandbox and production) seem to be accepting two different formats.

We are in the process of finding more information and addressing the issue.

Monday, August 28, 2017

GSTN Signatures successful

Working with some of our partners, Truecopy has in the past few days been able to successfully demonstrate Digital Signing of GST returns in the GSTN sandbox. Anyone who has dealt with the available documentation (or lack thereof) on GSTN signatures would be able to tell you that this definitely deserves a blog post!

Without getting into the details (because GSTN has not asked for our opinion), we want to state that we do not believe that the signature format that GSTN seems to accept is a suitable one. However, we will keep our disagreement aside and help all our partners get their returns accepted in their sandbox.

PS> We also hope there are no more changes to the spec, and the same signature formats continue to be accepted tomorrow.

Tuesday, August 1, 2017

The Aadhaar / Privacy case in SC.

The SC is currently considering cases pertaining to Privacy issues surrounding Aadhaar. A few aspects that are relevant to this discussion have not been brought up prominently so far:

1) Many countries have citizen databases, which include confidential information about citizens. Aadhaar is probably the ONLY example in the world where the Govt actually GIVES OUT information in its database to private parties. (I have not been able to find any other example of a country where the Govt shares information in its database with private entities). This is quite remarkable. Perhaps the Privacy arguments need to focus around whether the Govt can give out citizen data, instead of focusing on whether Govt can collect citizen data.

Some may point out (correctly) that data is given out only after user consent. However, we know that in most cases citizens barely read the consent fine print. Secondly, it is always possible to word the consent in a manner that is deliberately vague, and enables usage of the same data for other purposes.

Perhaps there is a reason why no other country actually GIVES OUT data from citizen databases.

2) The early implementations at UIDAI required the individual to furnish his/her information to the receiving entity, and the receiving entity could only verify that information with a YES / NO response from UIDAI. It was up to the individual to decide what pieces of personal information s/he wanted to share with a particular receiving entity. Today, a receiving entity can fetch ALL pieces of client information in the UIDAI database (except bio-metrics).

3) Collection of bio-metrics is being "normalized". Under the guise of eKYC, so many organizations have begun asking for bio-metrics, that we no longer find it unusual. Recently, there was news that air-travelers would be allowed to fly only after they had authenticated themselves at the airports with their fingerprints. It would be interesting to see how people react when this actually happens.

Sharing your bio-metrics is like sharing your password, except that this is a "password" that you can never change even if it's compromised.

A recent news said that almost 93 cr (i.e. 930 million) people had done bio-metric eKYC during July 17, and presented this as a 'proof' that residents were OK with sharing their bio-metrics. The fact is that in most cases, residents are denied service if they decline. A poor person agreeing to provide bio-metrics to get his PDS ration hardly constitutes 'proof'.

4) A citizen has no way to easily ascertain whether a particular device recording his fingerprints is compliant with UIDAI guidelines. Because of 3) above, it is easy for fraudulent entities to trick people into giving their fingerprints on non-UIDAI devices. While the Govt bears no direct responsibility for such fraudulent acts, surely it's the Govt that is responsible for 3) above.

The Govt may want to consider reverting to its earlier YES/NO verification system instead of sharing UIDAI data. It may also want to define the circumstances / purposes for which biometrics of citizens can be captured.