UIDAI’s Aadhaar Number Regulation
Comply with key Aadhaar provisions
The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.
Entrust can help your organization comply with many of the regulations and mandates required for Aadhaar.
The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIDAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for (Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and Biometric Device Provider) [The Compendium]:
User Access Control
2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information
Encryption of Data in Motion
2. The PID shall be encrypted during transit and flow within the AUA / KUA ecosystem and while sharing this information with ASAs
Encryption Key Management
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including;
a) Key generation;
b) Key distribution;
c) Secure key storage;
d) Key custodians and requirements for dual Control;
e) Prevention of unauthorized substitution of keys;
f) Replacement of known or suspected compromised keys;
g) Key revocation and logging and auditing of key management related activities.
The use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection
This guidance is from Circular 11020/205/2017 in The Compendium:
(f) The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.
Entrust can help you meet several of the requirements of UIDAI’s Aadhaar Number regulation through:
The Use of Certified HSMs for Cryptographic Key Protection: nShield HSMs
Entrust nShield® HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Certified at FIPS 140-2 Levels 2 and 3, Entrust HSMs support a variety of deployment scenarios, including Cloud Bring Your Own Key. nShield Connect and Solo HSMs also provide a secure environment for running sensitive applications.
Strong User Authentication
Entrust nShield® HSMs can help you create high-assurance systems to authenticate users and devices using enterprise systems, limiting access to only authorized entities.
Entrust nShield HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, Entrust nShield HSMs support a variety of deployment scenarios.