The document discusses India's Unique Identification (UID) project and the Unique Identification Authority of India (UIDAI). It describes the purpose of UIDAI as providing a unique identification number to all Indian residents. It outlines the enrollment and authentication processes and discusses the various agencies, technologies, and challenges involved in implementing the UID system on a large scale. Key risks discussed include issues relating to adoption, privacy/security of biometric data, and ensuring the system's long-term sustainability.

1. UID

2. CONTENTS
 Unique Identification Number & Its Purpose
 AADHAAR Project
 Authentication
 UID System
 UID Agencies
 Challenges Involved in Implementation
 UID Numbering Scheme
 Entity IDs
 Domain analysis
 Business rules
 E-R Diagram & Relational Schema
 Risks & Database Threats and Attacks involved in UID Project
Implementation

3. UNIQUE IDENTIFICATION NUMBER
 The Unique Identification Authority of India (UIDAI) is an agency
of the Government of India responsible for implementing the
AADHAAR scheme, a unique identification project.
 It was established in February 2009, and will own and operate the
Unique Identification Number database.
 The authority aims to provide a unique id number to all Indians.
 The authority will maintain a database of residents containing
biometric and other data.

4. PURPOSE OF UIDAI
 The objective of the project is to determine uniqueness of all
individuals within the territory of India.
 It will only issue a number which will be delivered to the
concerned person's address.
 The UIDAI proposes to provide online authentication using
demographic and biometric data.

5. AADHHAR NUMBER
 The Unique Identification (AADHAAR) Number, which identifies a
resident, will give individuals the means to clearly establish their
identity to public and private agencies across the country.
 AADHAAR Number is provided during the initiation process called
enrolment where a resident‟s demographic and biometric information
are collected .
 Uniqueness of the provided data is established through a process
called de-duplication.

6. AADHAAR AUTHENTICATION
 AADHAAR “authentication” means the process wherein AADHAAR
Number, along with other attributes, including biometrics, are
submitted to the Central Identities Data Repository (CIDR) for its
verification on the basis of information or data or documents
available with it.
 UIDAI will provide an online service to support this process.
 AADHAAR authentication service only responds with a “yes/no” and
no personal identity information is returned as part of the response.

7.  AADHAAR authentication will provide several ways in which a resident
can authenticate themselves using the system.
 At a high level, authentication can be „Demographic Authentication‟
and/or „Biometric Authentication‟.
 But, in all forms of authentication the AADHAAR Number needs to be
submitted so that this operation is reduced to a 1:1 match.
 During the authentication transaction, the resident‟s record is first
selected using the AADHAAR Number and then the
demographic/biometric inputs are matched against the stored data
which was provided by the resident during enrolment process or during
subsequent updates.

8. UID SYSTEM

9. UID ARCHITECTURE

10. UID AGENCIES

11. NUMBERING FORMAT

12. NUMBERING SCHEME
The Version Number:
o Some digits may be reserved for specific applications. This is
an implicit form of a version number embedded into the
numbering scheme.
o We recommend the following reservations: 0- numbers (a1 =
0) could be used as an “escape” for future extensions to the
length of the number.
Number Generation:
o The numbers are generated in a random, non-repeating se-
quence.
o The algorithm chosen to generate IDs should not be made
public and should be considered a national secret.

13.  Lifetime: Individual UID is assigned once, at inception, and
remain the same for the lifetime of the person, and for a
specified number of years beyond. At this point there is no
consideration of reusing numbers.
 Entity ID’s: We expect that entity ID numbers (1- numbers)
will have different rules for periods of validity and retirement.
 The Checksum: There are several schemes possible .The
recommend ed scheme is the Verhoeff scheme.

14. ENTITY ID
 Institutions like Government departments, schools and even companies
can benefit by using a UID like Identifier – this is called an Entity ID.
 Since the UID will potentially be used as a primary identifier in several
transactions in the financial, health, food distribution, job creation
schemes and transactions it is important to assign an entity ID to the
service delivery organization.
 For instance a financial trans-action to transfer money might take the
form:
TransferMoney(From_UID, To_UID, Amount);
 Where the From_UID could be an entity UID of the block level NREGA
entity and the To_UID can be that of the resident to who the amount is
being transferred.
 This symme-tric treatment of both to and from fields simplifies the end-to-
end system.

15. DOMAIN ANALYSIS
• The demographic and biometric fields linked to the Aadhaar
number and stored in the CIDR would consequently, need to
be regularly updated to ensure that the information it stores is
both accurate and relevant for authenticating agencies.
• The data fields held in the CIDR include mandatory
demographic and biometric fields which are central to identity
management, as well as additional, optional fields available
for ease in communicating with the Resident, and for enabling
better service delivery.

16. The UIDAI intends to set up modes through which residents can request
for data updates.
Registrar enrolment centres:
• Most Registrars for the Aadhaar number intend to retain long-term enrolment
centres .
• These centres would have the enrolment client and devices required for
carrying out enrolments, which can also be used for updation purposes.
• These centres would also carry out processes such as document verification
and handling, as well as verifying Introducer details, which are required for
the complete updation solution.

17. National level common updation agency:
• The UIDAI can work with the Registrars such as the National
Securities Depository Limited (NSDL) where Residents can update
their records not just through theUIDAI, but also other service
agencies.
• The networks of these agencies would be used for recording
information update requests.

18. BUSINESS RULES
 At the start of the process, the Resident arrives at the centre with
his/her Aadhaar letter or his/her Aadhaar number.
 He/she fills up an updation request form detailing the specific
demographic/biometric information that needs to be updated.
 If the information being updated requires supporting documentation,
the resident may first have to get documents verified from the
Verifying Official.
 The Resident then provides the Operator at the centre with the
verified documents, or with the Introducer who verifies that the
updated information is accurate.

19.  The Operator performing the updation checks the Resident‟s
Aadhaar letter.
 When the Resident provides the updated information, the operator
verifies the information matches any documentary
evidence/introducer provided.
 The Operator enters the Resident‟s information into the software
client updating the demographic or biometric information as required.
 Both Operator and Resident verify the accuracy of the data that is
entered.
 The Operator then captures the Resident‟s biometrics to confirm
his/her authenticity as well as the Resident's sign-off on the update.

20.  The updated information is transferred to the CIDR .
 Once it reaches the database, the information is updated in the
CIDR, and the information on the update is then communicated to
the Resident.

21. ER DIAGRAM

22. TABLES
 CIDR(Uid,Cname,Fname,DoB,Address,Eye color,D mark)
 ENROLLMENT_AGENCY(E_id,E_name,)
 REGISTRAR(R_code,R_name,P_name,R_addr,R_ phno)
 OPERATOR(O_id,O_name,Quali,O_addr,O_phno,certif_no,O_gende
r)
 UIDAI_ADMIN(A_code,A_name,A_gender,A_addr,A_phno,A_email)
 CITIZEN(C_id,C_name,C_addr,C_phno,C_dob,C_gender)
 BANK(Uid,Branch,Acc_no,Acc_bal,CreditCard)

23. RELATIONAL SCHEMA
 CIDR
Uid Cname Fname DoB DoE Eye Dmark
color
 REGISTRAR
Reg Rname Pname R_addr R_phno
Code
 ENROLLMENT_AGENCY
E_id E_name O_name Quali O_Addr Cert_no

24.  UIDAI_ADMIN
A_code A_name A_gender A_addr A_phno A_email
 BANK
Uid Branch Acc_no Acc_bal CreditCard
 CITIZEN
C_id Cname C_addr C_phno C_dob C_gender

25. CHALLENGES IN INDIA IDENTITY CARD

26. RISKS INVOLVED
 Adoption risk
 A critical mass is required for the participation of service providers
 Political risk
 Support from state and local governments is critical
 Enrollment risk
 Enough touch points in rural areas and enrolling 60,000 newborns every
day
 Risk of scale
 Administration and storage of ~1B records
 Technology risk
 Authentication, de-duplication and data obsolescence
 Privacy and security risk
 Biometric data security
 Sustainability risk
 Maintaining the initial momentum over a longer term

27. RISKS IN VARIOUS STAGES
 Collection
Data leakage Scenarios across various Registrars and Enrollment agencies:
• Intentional or unintentional compromises
• Logical or physical security compromise
• Third party attacks
Integrity and accountability of Registrars and enrollment agencies
Reliance on multiple vendors increases vulnerabilities

28. RISKS IN VARIOUS STAGES ( CONT..)
 Transmission
Need for secured communication channels: VPN, SSL-
VPN, MPLS clouds
Encryption of the data: strong encryption required for
securing biometrics
Key Management: departmental interactions,
coordination
Non-Repudiation: attack vectors like a man-in-the-
middle attack

29. RISKS IN VARIOUS STAGES ( CONT..)
 Storage
Management of roughly 10,000 TB of sensitive information spread
across the country, in addition to storage in CIDR
Accountability of users : data base administrators, network
administrators, application owners, third party employees
Accountability and assurance of people working with registrars
and sub-registrars

30. DATABASE THREATS & ATTACKS
Spoofing
Tampering
Trojan horse attacks
Masquerade attack
Overriding Yes /No response

31. CONCLUSION
 Unique Identification System will be beneficiary to the citizens as it is
a unique number which contains basic information of every person.
 After the ID will be issued there is no need to carry driving license,
voter cards, pan card, etc for any govt. or private work.
 But to some extent it is harmful to the general public as all the data
related to them is stored on computers and can be misused by
hackers if the multiple security strategies will not be adopted.

32.  The UID authority in specific should make sure that they have the
highest standards of integrity, openness, transparency and process
in all stages of UID System.
 The UID project should not become compulsory until there is an
established judicial overview to ensure that the privacy rights of
citizens are not unlawfully violated.

33. Thank you