The security of user data is given the highest priority in MOSIP. Data is protected in flight and at rest using strong cryptographic techniques. All operations on decrypted data are done in memory.
- 5. The UINs are hashed, encrypted and stored in the uin table of
- 6. Biometrics are shared and encrypted with the ABIS partner's key (PK1).
- 7. Registration processor stores encrypted demographic data in
Data shared with partners such as ABIS, Print, Adjudication and IDA is encrypted using the partner's public key. Note that IDA is also a partner, but a special one: data is additionally zero-knowledge encrypted before it is sent to IDA (see the section below).
The ID Authentication module (IDA) is an independent module and may be hosted by several providers. IDA hosts all the biometric templates and demographic data. Unique additional protection is provided here to make sure that mass decryption of user data is very difficult to achieve. The data can only be decrypted if the user's UIN is provided. Here is the encryption scheme:
- 1. Generate master symmetric encryption key K9.
- 2. Generate a pool of 10,000 symmetric keys (ZKn). Encrypt each ZKn with K9 and store it in the DB. (K12)
- 3. Randomly select one key from ZKn, and decrypt it using K9.
- 4. Derive new key ZKn' = ZKn + UIN/VID/APPID.
- 5. Encrypt biometric templates and demographics.
  - BIO = encrypt(bio/demo with ZKn').
- 6. Encrypt ZKn (this is done to share ZKn with IDA).
  - ZKn-IDA = encrypt(ZKn with K22)
- 7. Share the following with IDA:
  - 3. Random index (0 - 9999)
  - 4. SHA-256 hash of UIN/VID/APPID
- 1. Generate master symmetric encryption key K18.
- 2. Decrypt data in Step 8 above using PK8.
- 3. Decrypt ZKn-IDA with K22 to get ZKn.
- 4. Encrypt ZKn with K18 and store it at a random index.
- 5. Bio-data is stored as is.
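
The key handling in steps 1 to 5 of the scheme above, together with the lookup values shared in step 7 (random index, SHA-256 hash of the identifier), as an added sketch that is not MOSIP's own code. Assumptions: the "+" in step 4 is modelled as HMAC-SHA256, the cipher is a standard-library stand-in for an AEAD such as AES-GCM, all function names are hypothetical, and the transfer to IDA (K22, PK8) is left out.

```python
import hashlib, hmac, secrets

POOL_SIZE = 10_000  # pool size given on the page

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; a deployment would use an AEAD such as AES-GCM.
    blocks = (mac(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key, nonce = mac(key, b"enc"), mac(key, b"mac"), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + mac(mac_key, nonce + ct)  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = mac(key, b"enc"), mac(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(mac_key, nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def derive(zk: bytes, user_id: str) -> bytes:
    # Page: ZKn' = ZKn + UIN/VID/APPID. The combiner is not specified there;
    # HMAC-SHA256 keyed with ZKn is this example's assumption.
    return mac(zk, user_id.encode())

def build_pool(master: bytes) -> list:
    # Steps 1-2: pool keys exist at rest only encrypted under the master key.
    return [seal(master, secrets.token_bytes(32)) for _ in range(POOL_SIZE)]

def protect(master: bytes, pool: list, user_id: str, record: bytes) -> dict:
    index = secrets.randbelow(POOL_SIZE)            # step 3: random pool key
    zk = unseal(master, pool[index])
    return {"index": index,                         # stored next to the data
            "id_hash": hashlib.sha256(user_id.encode()).hexdigest(),
            "blob": seal(derive(zk, user_id), record)}  # steps 4-5

def recover(master: bytes, pool: list, stored: dict, user_id: str) -> bytes:
    # The stored row holds no UIN; the caller must supply it to rebuild ZKn'.
    digest = hashlib.sha256(user_id.encode()).hexdigest()
    if not hmac.compare_digest(digest, stored["id_hash"]):
        raise LookupError("identifier does not match this record")
    zk = unseal(master, pool[stored["index"]])
    return unseal(derive(zk, user_id), stored["blob"])
```

The stored row contains only the index, the identifier hash and the ciphertext, so the master key and the pool alone do not yield ZKn' for any record.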
- 2. The authentication client further encrypts the auth request with IDA-PARTNER public key.