In 2017 the Unique Identification Authority of India (UIDAI), a Government of India statutory authority, mandated the use of hardware security modules (HSMs) to secure Unique Identification numbers (UIDs) named “Aadhaar”. Because Aadhaar numbers contain Personally Identifiable Information (PII), it is important to protect the UIDs and ultimately the residents – are you ready to meet compliance?
Aadhaar are 12-digit unique-identity numbers issued to all residents, and are based on a person’s biometric and demographic data. The UIDs are intended to: eliminate duplication and fake identities; empower residents to authenticate anytime, anywhere; and provide an easy, cost-effective way for residents to verify their identity and authenticate to Aadhaar-linked applications.
What you need to know:
The Government of India has provided the following detailed guidelines for protecting UIDs, and ultimately residents, from the data breach threats that are prevalent today:
- Store in an HSM the private keys used for digital signing of Auth XML and decryption of electronic “know your customers” (e-KYC) data
- Authentication User Agencies (AUA) and Know Your Customers User Agencies (KUA) must digitally sign the authentication requests and/or they must be signed by the Authentication Service Agency (ASA) HSM
- To decrypt the e-KYC response data received from the UIDAI, the KUA must use its own HSM
- The HSM to be used for signing Auth XML as well as for e-KYC decryption should be FIPS 140-2 compliant
High-Assurance Key Protection with Keys in Hardware
In the case of UIDAI, private cryptographic keys used to digitally sign, encrypt and authenticate the UIDs must be stored in an HSM. HSMs are dedicated crypto processors that are specifically designed to securely manage, process, and store cryptographic keys. But buyer beware – not all HSMs are created equal. Storing private crypto keys inside a hardened, tamper-resistant, FIPS 140-2-validated device ensures your keys cannot be accessed, unlike alternative solutions on the market. With the keys-in-hardware approach, applications communicate via a client with keys stored in the HSM – but keys never leave the appliance.
To learn more about UIDAI, the steps you need to take to become compliant, and how a keys-in-hardware approach can ensure that only the right people have access to the data, download the Securing UIDAI Unique Identification Numbers with Gemalto’s Data Protection Solutions solution brief.