Data Protection

The security of user data is given the highest priority in MOSIP. Data is protected in flight and rest using strong cryptographic techniques. All operations on decrypted data are done in memory.

Various flows with encryption are illustrated below. Refer to for all references of the type 'Kx' and 'KPx'.

Registration data flow

The below diagram represents a registration data flow system for biometric authentication and identity management.

1. Biometric Capture:

   • A biometric device captures and signs biometric data before sending it to the Registration Client (PK2). Then registration client verifies the signature

2. Registration & Encryption:

   • The Registration Client, running on the operator’s system, receives biometric data and securely encrypts it into packets.

   • The client always refers to Keycloak for authentication, ensuring that only authorized operators can access the system.
3. Data Processing & Storage:

   • The encrypted packets are transmitted to the Registration Processor, which processes and signs the data.

   • The processed data is then stored in the Object Store and ID Repository for further use.

4. Secure Storage of Biometric Data:
5. Hashed UIN Storage:

   • The UINs are hashed, encrypted, and stored in uin the table of mosip_idrepo DB. (K7.4)

6. Data Sharing & Policy Enforcement:

   • When encrypted biometric data needs to be shared, it is sent to ABIS for authentication.

   • The system consults the Partner/Policy Management System to verify partner details and enforce data-sharing policies.

   • Only partners who have registered and authenticated via Keycloak can access the Partner Management System, where they must subscribe to specific policies to receive data.

7. Demographic Data Storage:

   • Encrypted demographic data is stored in the Registration Processor Database. (K11)

8. Credential Issuance:

   • Encrypted resident data is shared with credential requestors and printers based on the subscribed policies. (K12)

9. Operator Authentication:

   • The Registration Client checks Keycloak to ensure that only authenticated operators can perform registrations.

10. Policy Validation for Data Transfer:

• Before transferring encrypted data to ABIS, partners, or credential requestors, the system refers to the Partner/Policy Management System to validate policies.

11. Partner & Policy Control:

• The Partner Management System is controlled by Keycloak, ensuring that only registered partners with valid credentials can subscribe to and enforce policies for data access. (11,12,13)

Datashare

Data shared with all partners like ABIS, Print, Adjudication, IDA, etc. is encrypted using partners' public key. Note that IDA is also a partner, however, a special partner in the sense that data is additionally zero-knowledge encrypted before sending to IDA (see the section below).

Zero-knowledge encryption

Encryption and sharing by Credential Service

1. Generate master symmetric encryption key K9.

2. Generate a 10,000 symmetric keys pool (ZKn). Encrypt each ZKn with K9 and store it in DB. (K12)

3. Randomly select one key from ZKn, and decrypt using K9.

4. Derive new key ZKn' = ZKn + UIN/VID/APPID.

5. Encrypt biometric templates and demographics.

   • BIO = encrypt(bio/demo with ZKn').

6. Encrypt ZKn (this is done to share ZKn with IDA).

   • ZKn-IDA = encrypt(ZKn with K22)

7. Share the following with IDA:

   1. ZKn-IDA

   2. BIO

   3. Random index (0 - 9999)

   4. SHA-256 hash of UIN/VID/APPID

Decryption by IDA

1. Generate master symmetric encryption key K18.

2. Decrypt data in Step 8 above using PK8.

3. Decrypt ZKn-IDA with K22 to get ZKn.

4. Encrypt ZKn with K18 and store it at a random index.

5. Bio-data is stored as is.

ID authentication flow

2. The authentication client further encrypts the auth request with the IDA-PARTNER public key.