Keys

Overview

In MOSIP every cryptographic key is addressed by an Application ID and a Reference ID. The Application ID names the module that owns the key (ROOT, REGISTRATION, ID_REPO, IDA, ...); the Reference ID is optional (shown as "-" in the tables below) and distinguishes several keys belonging to the same application, for example the per-data-type keys under ID_REPO or the per-machine packet encryption key under REGISTRATION.

Refer to Key Manager for further details.

Various keys used in MOSIP

| S No. | Key | Application ID | Reference ID | Key type | Objects | Storage | Generated by | Comment |
|---|---|---|---|---|---|---|---|---|
| K1 | Kernel Root | ROOT | - | RSA 2048 | Private key, self-signed certificate | HSM-1 | Country | Auto-generated by key generator |
| K2 | Registration | REGISTRATION | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K3 | PreReg | PRE_REGISTRATION | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K4 | Kernel Sign | KERNEL | SIGN | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K5 | Registration Processor | REGISTRATION_PROCESSOR | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K6 | PMS | PMS | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K7 | ID Repo | ID_REPO | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K7.1 | ID Repo | ID_REPO | demographic_data | RSA 2048 | Private key, certificate signed by ID Repo | KeyMgr DB | System | Auto-generated when accessed |
| K7.2 | ID Repo | ID_REPO | biometric_data | RSA 2048 | Private key, certificate signed by ID Repo | KeyMgr DB | System | Auto-generated when accessed |
| K7.3 | ID Repo | ID_REPO | identity_data | RSA 2048 | Private key, certificate signed by ID Repo | KeyMgr DB | System | Auto-generated when accessed |
| K7.4 | ID Repo | ID_REPO | uin | RSA 2048 | Private key, certificate signed by ID Repo | KeyMgr DB | System | Auto-generated when accessed |
| K7.5 | ID Repo | ID_REPO | credential_request | RSA 2048 | Private key, certificate signed by ID Repo | KeyMgr DB | System | Auto-generated when accessed |
| K8 | Resident Services | RESIDENT | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto-generated by key generator |
| K9 | Kernel Identity Cache | KERNEL | IDENTITY_CACHE | AES 256 | Symmetric key | HSM-1 | Country | Auto-generated by key generator |
| K10 | Registration Client (TPM) | - | - | RSA 2048 | Private key, certificate | Client TPM (private key), Server DB (certificate) | Registration Client Software | Auto-generated by Registration Client Software in TPM |
| K11 | Registration Client Packet Encryption | REGISTRATION | CenterID_MachineID | RSA 2048 | Private key, certificate signed by Registration | Server DB (private key), Client DB (certificate) | System | Auto-generated when accessed |
| K12 | Data Share (10000 keys) for zero knowledge encryption | - | - | AES 256 | Symmetric key, encrypted by Kernel Identity Cache | KeyMgr DB | System | Auto-generated by key generator |
| K13 | CA / Sub-CA certificates | - | - | X.509 | Certificates | PMS DB | CA | Manually uploaded |
| K14 | Partner | PARTNER | PartnerID | X.509 | Certificates signed by CA | PMS DB | Partners | Manually uploaded |
| K15 | IDA Root | ROOT | - | RSA 2048 | Private key, self-signed certificate | HSM-2 | Country | Auto-generated by key generator |
| K16 | IDA | IDA | - | RSA 2048 | Private key, certificate signed by IDA Root | HSM-2 | Country/IDA Partner | Auto-generated by key generator |
| K17 | IDA Sign | IDA | SIGN | RSA 2048 | Private key, certificate signed by IDA Root | HSM-2 | Country | Auto-generated by key generator |
| K18 | IDA Identity Cache | IDA | IDENTITY_CACHE | AES 256 | Symmetric key | HSM-2 | Country | Auto-generated by key generator |
| K19 | IDA Internal | IDA | INTERNAL | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| K20 | IDA Partner | IDA | PARTNER | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| K21 | IDA FIR | IDA | FIR | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| K22 | IDA Cred Service | IDA | CRED_SERVICE | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
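The "certificate signed by" column above defines two independent trust chains: Kernel Root (K1, HSM-1) signs module certificates such as ID_REPO (K7), which in turn signs the per-Reference-ID certificates K7.1 to K7.5, while IDA Root (K15, HSM-2) anchors the IDA side (K16 to K22). A consumer of any of these certificates must validate the whole chain up to the right root. The Go program below is an added example written for this page, not MOSIP's own code: it rebuilds that hierarchy with freshly generated RSA-2048 keys and checks that the K7.1 certificate chains to Kernel Root but not to IDA Root. The certificate subjects, validity periods and the use of Go's crypto/x509 verifier are assumptions made for the example; HSM storage is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyEntry models one table row: a key addressed by Application ID and
// Reference ID, holding the private key and its certificate.
type KeyEntry struct {
	AppID, RefID string
	Priv         *rsa.PrivateKey
	Cert         *x509.Certificate
}

// Issue generates an RSA-2048 key for (appID, refID) and its certificate.
// parent == nil yields a self-signed certificate (a root such as K1 or K15);
// otherwise the certificate is signed by parent, as the "signed by" column says.
// isCA marks entries that sign further entries (ROOT, ID_REPO, IDA).
// Subject naming and the one-year validity are assumptions for this example.
func Issue(appID, refID string, parent *KeyEntry, isCA bool) (*KeyEntry, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	cn := appID
	if refID != "" {
		cn += "/" + refID
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, crypto.Signer(priv) // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &priv.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyEntry{AppID: appID, RefID: refID, Priv: priv, Cert: cert}, nil
}

// ChainsTo reports whether leaf validates up to root through the given
// intermediates: the check a relying service must run before trusting,
// say, the ID_REPO/demographic_data certificate.
func ChainsTo(leaf *KeyEntry, intermediates []*KeyEntry, root *KeyEntry) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters := x509.NewCertPool()
	for _, i := range intermediates {
		inters.AddCert(i.Cert)
	}
	_, err := leaf.Cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Hierarchy holds a subset of the table: Kernel side (K1, K7, K7.1) and
// IDA side (K15, K16), which have separate roots in separate HSMs.
type Hierarchy struct {
	KernelRoot, IDRepo, Demographic, IDARoot, IDA *KeyEntry
}

// BuildHierarchy issues the five entries in signing order.
func BuildHierarchy() (*Hierarchy, error) {
	h := &Hierarchy{}
	var err error
	if h.KernelRoot, err = Issue("ROOT", "", nil, true); err != nil { // K1
		return nil, err
	}
	if h.IDRepo, err = Issue("ID_REPO", "", h.KernelRoot, true); err != nil { // K7
		return nil, err
	}
	if h.Demographic, err = Issue("ID_REPO", "demographic_data", h.IDRepo, false); err != nil { // K7.1
		return nil, err
	}
	if h.IDARoot, err = Issue("ROOT", "", nil, true); err != nil { // K15, a distinct root
		return nil, err
	}
	if h.IDA, err = Issue("IDA", "", h.IDARoot, true); err != nil { // K16
		return nil, err
	}
	return h, nil
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("K7.1 chains to Kernel Root:", ChainsTo(h.Demographic, []*KeyEntry{h.IDRepo}, h.KernelRoot))
	fmt.Println("K7.1 chains to IDA Root:   ", ChainsTo(h.Demographic, []*KeyEntry{h.IDRepo}, h.IDARoot))
	fmt.Println("K16 chains to IDA Root:    ", ChainsTo(h.IDA, nil, h.IDARoot))
}
```

Both roots carry the same subject name (ROOT) in the table, so a verifier that matched issuers by name alone would be fooled; the check above succeeds or fails on the signature, which is why the K7.1 certificate is rejected against the IDA root even though the issuer name matches. Note also that validation fails if the ID_REPO intermediate (K7) is not supplied, so services must distribute the full chain, not just the leaf.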

Partner keys

| S No. | Partners | Application ID | Reference ID | Partner Domain | Partner Type Code |
|---|---|---|---|---|---|
| PK1 | ABIS | PARTNER | mpartner-default-abis (or partner ID) | AUTH | ABIS_Partner |
| PK2 | Device Providers | PARTNER | Partner ID | DEVICE | Device_Provider |
| PK3 | Print Service Provider | PARTNER | mpartner-default-print (or partner ID) | AUTH | Credential_Partner |
| PK4 | Auth Providers or Relying Party | PARTNER | Partner ID | AUTH | Auth_Partner |
| PK5 | FTM Providers (per Chip Model) | PARTNER | Partner ID | FTM | FTM_Provider |
| PK6 | MISP | PARTNER | Partner ID | AUTH | MISP_Partner |
| PK7 | Manual Adjudicator | PARTNER | mpartner-default-manual-adjudication (or partner ID) | AUTH | Manual_Adjudication |
| PK8 | IDA system | PARTNER | mpartner-default-auth (or partner ID) | AUTH | Online_Verification_Partner |
| PK9 | Resident Services | PARTNER | mpartner-default-resident (or partner ID) | AUTH | Credential_Partner |

Device specific keys

| S No. | Key | Key type | Objects | Storage | Generated by | Comment |
|---|---|---|---|---|---|---|
| DKL0 | Device key SBI CL 1.0 | RSA 2048 | Private key, self-signed certificate | Host machine TPM/key store | Auto-generated by SBI Service | |
| DKL1 | Device key SBI CL 2.0 | RSA 2048 | Private key, self-signed certificate | SBI Service | Auto-generated by SBI Service | |
| FK1 | FTM key | RSA 2048 | Private key, FTM Provider issued certificate | FTM | FTM | |
| DE1 | Biometric encryption random session key | AES >= 256 | Symmetric key | No storage, key is created with TRNG/DRBG inside FTM | FTM | |
| FK2 | Secure boot | RSA >= 256 | Private key, self-signed certificate | FTM | FTM Provider | Key never leaves FTM |

Note on FK2: the source table gives its size as RSA >= 256. A 256-bit RSA modulus can be factored on commodity hardware and offers no security; every other RSA key on this page is 2048 bits, and that should be treated as the minimum for the secure boot key as well.
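K11 above pairs an RSA-2048 private key held in the server DB with a certificate distributed to the registration client, and DE1 is a fresh random AES session key drawn inside the FTM for each biometric capture. The usual way to combine an asymmetric key pair with a per-message symmetric key is envelope encryption: a random AES-256 key encrypts the payload and the RSA public key from the certificate wraps that key, so only the private-key holder can open the packet. The Go program below is an added example of that pattern written for this page, not MOSIP's packet format or code; the envelope layout, the choice of RSA-OAEP with SHA-256 and AES-256-GCM, and the constructed sample packet and CenterID_MachineID value are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the illustrative wire layout (an assumption, not MOSIP's format):
// the packet under a fresh AES-256-GCM session key, plus that key wrapped with
// the recipient's RSA-2048 public key taken from its certificate.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the 32-byte session key
	Nonce      []byte // 12-byte GCM nonce; unique because the key is single-use
	Ciphertext []byte // AES-256-GCM ciphertext with the 16-byte tag appended
}

// SealPacket runs on the certificate holder (the registration client for K11).
// A new session key is generated per packet, as DE1 does inside the FTM, so
// compromise of one packet's key reveals nothing about any other packet.
// binding (e.g. the CenterID_MachineID reference ID) is authenticated as GCM
// AAD and used as the OAEP label, so an envelope cannot be replayed under
// another machine's identity.
func SealPacket(recipientPub *rsa.PublicKey, packet, binding []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, packet, binding)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, binding)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPacket runs on the private-key holder (the server side for K11).
// Any mismatch of key, binding, nonce or ciphertext surfaces as an error
// before a single plaintext byte is released.
func OpenPacket(recipientPriv *rsa.PrivateKey, env *Envelope, binding []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, binding)
	if err != nil {
		return nil, errors.New("session key unwrap failed: wrong private key, label or wrapped key")
	}
	if len(sessionKey) != 32 {
		return nil, errors.New("unwrapped session key has unexpected length")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, binding)
	if err != nil {
		return nil, errors.New("packet authentication failed: ciphertext or binding tampered")
	}
	return pt, nil
}

func main() {
	// Constructed sample data: a server key pair standing in for K11 and a
	// hypothetical CenterID_MachineID reference ID as the binding.
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	binding := []byte("10001_10011")
	env, err := SealPacket(&serverKey.PublicKey, []byte("registration packet bytes"), binding)
	if err != nil {
		panic(err)
	}
	pt, err := OpenPacket(serverKey, env, binding)
	fmt.Printf("opened: %q err=%v\n", pt, err)
	_, err = OpenPacket(serverKey, env, []byte("10001_10012")) // wrong machine
	fmt.Println("wrong binding rejected:", err != nil)
}
```

The binding value is deliberately part of both the GCM AAD and the OAEP label: the server can then refuse a packet whose envelope was built for a different centre/machine even though the RSA key pair is the same, which matters because K11 is issued per CenterID_MachineID.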


Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.