Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
MOSIP platform integrates with the following biometric components:
All biometric components need to comply with standard interfaces defined by MOSIP. Test kits to verify compatibility are available.
Vendors who provide biometric systems are Partners of MOSIP.
Modalities supported in MOSIP are
The Foundational Trust Module (FTM) is created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.
The module has the ability to securely generate, store, and process cryptographic keys.
Generation of asymmetric and symmetric keys with TRNG.
The module has the ability to protect keys from extraction.
The module has to protect the keys from physical tampering, temperature, frequency, and voltage-related attacks.
The module could withstand Hardware cloning.
The module could withstand probing attacks
The module provides memory segregation for cryptographic operations and protection against buffer overflow attacks
The module provides the ability to withstand cryptographic side-channel attacks like Differential Power analysis attacks, and timing attacks.
CAVP validated the implementation of the cryptographic algorithm.
The module has the ability to perform a cryptographically valid, secure boot.
The module has the ability to run trusted applications.
The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:
Secure Boot
Ability to cryptographically verify code before execution.
Ability to check for integrity violations of the module or device.
Halt upon failure.
The ability to securely upgrade and perform forward-only upgrades to thwart downgrade attacks.
SHA256 hash equivalent or above should be used for all hashing requirements
All root of trust is provisioned upon first boot or before.
All upgrades would be considered successful only after a successful boot with proper hash and signature verification.
The boot should fail upon hash or signature failures and never operate in an intermediary state.
A maximum of 10 failed attempts should lock the upgrade process and brick the device. However, chip manufacturers can decide to be less than 10.
Secure application
Ability to run applications that are trusted.
Protect against the downgrading of applications.
Isolated memory to support cryptographic operations.
All trust is anchored during the first boot and not modifiable.
The FTM should have at least one of the following certifications in each category to meet the given requirement.
Category: Cryptographic Algorithm Implementation
CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)
The supported algorithm and curves are listed here
Category: FTM Chip
(ONE of the following certifications)
FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)
One of the following Common Criteria (CC) certification
https://www.commoncriteriaportal.org/files/ppfiles/pp0035a.pdf
https://www.commoncriteriaportal.org/files/ppfiles/pp0084a_pdf.pdf
System/Device Level Tamper (optional)
System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.
The FTM should protect against the following threats.
Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
Physical tamper - No way to physically tamper and obtain its secrets.
Voltage & frequency related attacks - Should shield against voltage leaks and should prevent low voltage. The FTM should always be in either the state operational normally or inoperable. The FTM should never be operable when its input voltages are not met.
Temperature attacks on the crypto block - Low or High the FTM are expected to operate or reach an inoperable state. No state in between.
Differential Power Analysis attack.
Probing attacks - FTM should protect its surface area against any probe-related attacks.
Segregation of memory for execution of cryptographic operation (crypto block should be protected from buffer overflow type attacks).
Vulnerability of the cryptographic algorithm implementation.
Attacks against secure boot & secure upgrade.
TEE/Secure processor OS attack.
Upon the FTM provider's approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to FTM root. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip are expected to be in its permanent memory.
The validity of the chip certificate can not exceed 20 years from the date of manufacturing.
The FTM should have at least one of the following certifications in each category to meet the given requirement.
Secure provisioning applies to both the FTM and the Device providers.
The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility which is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.
All debug options within the FTM or device should be disabled permanently
All key creations needed for provisioning should happen automatically using FIPS 140-2 Level 3 or higher devices. No individual or group or organization should have a mechanism to influence this behaviour.
Before the devices/FTM leaves the secure provisioning facility all the necessary trust should be established and should not be re-programmable.
As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.
Providing a unique identity for a resident is one of the key features of any identity platform. To achieve this, MOSIP interfaces with an Automated Biometric Identification System (ABIS) to perform the de-duplication of a resident's biometric data.
The ABIS system never learns about residents' identities. Any Personally Identifiable Information (PII), such as demographic details or an applicant's AID (application ID), is not shared with the ABIS system. Internally, MOSIP maintains a mapping between the ABIS-specific reference ID and the AID of the resident.
ABIS is used for 1:N deduplication. For 1:1 authentication, Biometric SDK is used. MOSIP does not recommend using an ABIS for 1:1 authentication.
MOSIP interacts with ABIS only via message queues. The JSON format is used for all control messages in the queue. MOSIP ABIS middleware sends requests to the inbound queue address and receives responses from the outbound queue address. ABIS must comply with the interface defined in ABIS API Specifications
The interface may be tested using the ABIS testing kit.
ABIS must support the following types of biometric images:
Individual fingerprint images (segmented)
Iris images (left, right)
Face image
Biometrics data in MOSIP is exchanged as per formats defined in Biometric Image Specification.
MOSIP provides kits to test the interface. Refer to the abis-testing-kit repo
ABIS must comply with ABIS API Specifications.
The queues can be configured in the RegistrationProcessorAbis-env.json file. The ABIS system connects to the queues using a pre-defined user ID and password.
It is recommended that ABIS be deployed in the same secure zone (military zone) where the registration processor is deployed.
ABIS system is not recommended to connect to any external network.
Registration Client.
Backend quality check.
Biometric authentication during onboarding (internal auth).
ID Authentications.
The library is used by Registration Client to perform 1:N match, segmentation, extraction etc. For more information on integration with Registration Client, refer to Registration Client Biometric SDK Integration Guide.
A simulation of this library is available as Mock BioSDK. The same is installed in the MOSIP sandbox.
For 1:1 match and quality check of biometrics at the MOSIP backend, the BioSDK must be running as a service that can be accessed by Registration Processor and IDA Internal Services. The service exposes REST APIs specified here.
A simulation (mock) service has been provided. The mock service loads mock BioSDK internally on the startup and exposes the endpoints to perform 1:N match, segmentation, extraction as per IBioAPI.
The service may be packaged as a docker running inside MOSIP Kubernetes cluster or running separately on a server. It is important that the scalability of this service is taken care depending on the load on the system, i.e., the rate of enrolment and ID authentication.
BioSDK library: IBioAPI.
BioSDK service: TBD.
BioSDK server request/response may be tested using BioSDK testing kit.
The following properties in application-default.properties needs to be updated to integrate the BioSDK library and service with MOSIP.
Biometric devices capture individuals' biometric data (fingerprint, iris scan, photo) and send it to a registration client or authentication client (app). The functional architecture of the various entities involved is shown below.
* An adopter may choose to have different subtypes, however, the certification needs to be adhered to.
The following calculator may be used to estimate the number of devices required for a rollout.
Providers of biometric devices are Partners of MOSIP and need to be onboarded to a given deployment of MOSIP. Specifically,
| Purpose | Type | Subtype* | Certification | Specification |
|---|
compliance of a device may be tested using an .
Registration | Fingerprint | Slap scanner | SBI 1.0 |
Registration | Iris | Double eye scanner | SBI 1.0 |
Registration | Face | Camera | SBI 1.0 |
Authentication | Fingerprint | Single finger scanner | SBI 2.0 |
Authentication | Iris | Single eye scanner | SBI 2.0 |
Authentication | Face | Camera | SBI 2.0 |
This document defines the APIs specifications for various operations that ABIS can perform to integrate with MOSIP.
API specification version: 0.9
Published Date: February 05, 2021
| Publish Date | Revision |
|---|---|
An ABIS system that integrates with MOSIP should support the following operations.
All ABIS operations are via. a message queue and are asynchronous. The data sent in ABIS can be byte array or text based on a configuration in the registration processor.
Common parameters used for all ABIS operations:
The following operations are supported by MOSIP:
ABIS must get biometric data from referenceURL, process it and store it locally within the ABIS reference database. More details about the referenceURL is mentioned in our referenceURL section.
referenceId must not be active prior to this operation i.e., it must not have been used before this operation.
De-duplication must not be performed in this operation.
MOSIP will provide biometric data in CBEFF format to ABIS as a response of referenceURL and the data will be encrypted and encoded as mentioned below.
Insert Request
Success Response
Failure Response
The reference URL is MOSIP's datashare URL which is generated based on a policy defined by MOISP's adopter.
The referenceURL is authenticated and authorized; ABIS needs to send a JWT token inside the request header COOKIE.
The referenceURL will be active for a certain time as decided by the MOSIP adopter.
The data sent in the referenceURL will be encrypted.
Authentication Token
As mentioned above in order to access the request URL the ABIS system needs to send a JWT token inside the request header COOKIE. In order to get the token ABIS needs to call MOSIP's AuthN & AuthZ API with Client ID & Secret Key by passing the credentials (clientid, secretkey and appid) which would be provided by the System Integrator (SI).
Below are the sample API details for getting the authentication token. More details about the API are available in our AuthN & AuthZ document.
Sample Request URL
POST https://{base_url}/v1/authmanager/authenticate/clientidsecretkey
Sample Request Body
Sample Response
DataShare URL
Below is the sample API detail for reference URL.
Sample Request URL
GET https://{base_url}/v1/datashare/get/mpolicy-default-abis/mpartner-default-abis/mpartner-default-abismpolicy-default-abis20210205062412BlQo0rJB
Sample Encrypted Response
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.2.0 or later versions
The data downloaded would be URL-safe base64 encoded. Hence, after decoding the data will be in the below format. It will be divided into two Parts after splitting using #KEY_SPLITTER#.
Block 1:
Block 1, i.e. the encrypted key data is again split into three parts,
The 1st part is VER_BYTES (version bytes). The Current version constant is set as VER_R2 and this is present in the first 6 bytes of Block 1.
The 2nd part is the Certificate Thumbprint i.e. the key identifier which is present in the next 32 bytes after VER_BYTES.
The 3rd part is the Encrypted Random AES Key, encrypted with the RSA OAEP - SHA256-MFG1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data is again split into two parts,
The 1st part is the random 32 bytes which will be used as AAD in AES encryption(first 32 bytes). From this 32 bytes AAD data, the first 12 bytes is IV/Nonce.
The 2nd part is the encrypted data which is encrypted using AES GCM PKCS5Padding.
Note: In Java 11, PKCS5Padding serves as a synonym for NoPadding in GCM mode encryption. Conversely, in Java 17, the synonym PKCS5Padding has been eliminated, and it is now mandatory to exclusively use NoPadding. Consequently, if data is encrypted using PKCS5Padding in Java 11, it will be decrypted with NoPadding in Java 17.
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.1.5.5 or prior versions
The data downloaded would be base64 encoded. Hence, after decoding the data will be in the below format. It will be divided into two Parts after splitting using #KEY_SPLITTER#.
Block 1:
Block 1, i.e. the encrypted key data is again split into two parts,
The first part is the Certificate Thumbprint i.e. the key identifier which is the first 32 bytes in Block 1.
The second part is the Encrypted Random AES Key which is encrypted with RSA OAEP - SHA256-MFG1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data is again split into two parts,
The 1st part is the Encrypted data, encrypted using AES GCM PKCS5Padding.
The 2nd part is IV/Nonce i.e. the last 32 bytes appended after encrypted data.
Note: In Java 11, PKCS5Padding serves as a synonym for NoPadding in GCM mode encryption. Conversely, in Java 17, the synonym PKCS5Padding has been eliminated, and it is now mandatory to exclusively use NoPadding. Consequently, if data is encrypted using PKCS5Padding in Java 11, it will be decrypted with NoPadding in Java 17.
Sample Response after Decryption
Sample Response in case of Authentication Failure
All Possible Error codes and Messages from Datashare URL
Please note that for all the functional failures MOSIP sends a response code 200.
All Insert requests added to the queue earlier must be serviced by ABIS when performing an Identify request.
Identify request provides a 1:N comparison. The given input is compared either against the gallery passed or if the gallery is not specified the entire database.
The input for comparison can be provided by referenceID or referenceURL.
If the referenceID is given it is used as the preferred option. The given referenceID must be existing in the ABIS database else ABIS will throw an error.
If the referenceID is omitted or NULL and the referenceURL is passed the ABIS retrieves the biometrics provided in the referenceURL and compares the same against either a gallery or its database.
If in case, both referenceID and referenceURL are missing ABIS throws an error.
We are not using the referenceURL in Identify request for our current implementation. Hence, it will be an empty string for Identify request. MOSIP adopters can have customized workflows where the referenceURL can be used.
Identify requests should give to all candidates which are considered as a match based on ABIS thresholds.
This request should not match against referenceID that is not in the reference database.
The response now has a section for analytics that contains key-value pairs. Values can be JSON objects also. The contents of the analytics section will be agreed upon by the MOSIP adopter with the ABIS provider. Scores are also moved to this section and are not mandatory response parameters anymore.
Ordering or ranking of results is not explicitly specified and can be agreed upon between the MOSIP adopter and the ABIS provider.
The flags section of the request can be used to customize or control ABIS behaviour by sending specific key-value pairs.
"targetFPIR" or "maxResults" are examples of such flags that can alter ABIS behaviour. These are optional attributes for MOSIP during an identify request. MOSIP expects the adopters to define these parameters based on the accuracy expectations and workflow requirements. These can be set at the ABIS configuration level and need not be part of the individual request at all.
To give an example, please find the following calculation for targetFPIR - which is the error rate at which identification requests are expected to return a non-empty candidate list.
round (-10 * log10 (target false positive identification rate))
With this calculation:
Removes only the entry referred by the referenceId.
This operation can be used to remove duplicates found by Identify.
A Ping request should respond with a response on the liveness of the ABIS system.
ABIS responds with the count of requests that are still pending.
ABIS will send a count of records in the reference database
Biometric Specification to know about the biometric specification in MOSIP.
CBEFF XML to know how MOSIP stores biometric data.
Authentication and Authorization API to get the JWT token.
MOSIP's de-duplication process for details about the De-Duplication process in MOSIP.
Standards:
ISO 19785-3
Patron identifier 257
Patron format identifier 11
for Format Type ISO/IEC JTC 1 SC 37-biometrics
Patron identifier 257
BDB patron format identifier
7 for finger image
2 for finger minutiae
8 for face image
9 for iris image
is similar to , with an optional attribute called others added from the LTS version.
MOSIP's can be used to create and validate CBEFF XML data.
| Name | Description | Restrictions | Type |
|---|---|---|---|
| Code | Status |
|---|---|
| Code | Reason |
|---|---|
| Encrypted Key Data | KEY_SPLITTER | Encrypted Actual Data |
|---|---|---|
| Encrypted Key Data | KEY_SPLITTER | Encrypted Actual Data |
|---|---|---|
| Error Code | Error Message |
|---|---|
| Target False Positive Identification Rate | targetFPIR |
|---|---|
May 07, 2020
This is the first formal publication of the interface as a version-ed specification. Earlier draft are superseded by this document. The interface is revamped to make it friendlier to programmers and also has a new method for conversion.
June 09, 2020
A note related to targetFPIR was added.
June 26, 2020
New failure reason (code - 6, 8, 9, 10, 11, 12) for ABIS have been added.
August 04, 2020
Analytics section has been added to the overall response for Identify and the failure reason have been updated.
November 19, 2020
Note on encryption of biometric data share using referenceURL has been added.
February 05, 2021
Note on referenceURL and authentication token was added for Insert Request.
March 23, 2021
New failure reason (code - 17) for ABIS has been added.
May 3, 2021
The logic for encryption has been updated for ABIS Datashare URL.
September 8, 2021
All possible error codes for DataShare URL has been added.
requestID
ID that is associated with each request sent to ABIS
ABIS should not use this ID in any other context outside the request
UUID
referenceID
ID of a single registration record. Registration record is maintained in MOSIP. This ID is the mapping between MOSIP and ABIS
None
UUID
referenceURL
URL to the biometrics data stored in MOSIP. This URL will have read only access
None
HTTPS URL
biometricType
Type of biometric data sent in the request
FID/FIR/IIR
String
returnValue
Code for response
String
failureReason
Code for failure reason
String
1
Success
2
Failed
1
internal error - Unknown
2
aborted
3
unexpected error
4
unable to serve the request - invalid request structure
5
missing referenceId (in request body)
6
missing requestId (in request body)
7
unable to fetch biometric details (using referenceURL)
8
missing reference URL (in request body)
9
missing requesttime (in request body)
10
referenceId already exists (in ABIS)
11
CBEFF has no data
12
referenceId not found (in ABIS)
13
invalid version
14
invalid id
15
invalid requesttime format
16
invalid CBEFF format
17
data share URL has expired
18
Biometric Quality check failed
Block 1
#KEY_SPLITTER#
Block 2
Block 1
#KEY_SPLITTER#
Block 2
DAT-SER-003
File does not exists or File is empty
DAT-SER-006
Data share not found
DAT-SER-006
Data share usage expired
KER-ATH-401
Authentication Failed
KER-ATH-403
Forbidden
1 in 1,000
30
1 in 10,000
40
1 in 100,000
50
