The Unique Identification Authority of India (UIDAI) CEO Ajay Bhushan Pandey on Friday asserted that any attempt to manipulate Aadhaar system at the operator level will be detected and thwarted at the back-end as it contains multiple layers of security checks.
The UIDAI chief’s statement assumes significance as it comes against the backdrop of a recent report alleging Aadhaar software hack.
UIDAI tightens Aadhaar authentication rules, makes facial recognition mandatory for new SIM registration
He said that the Aadhaar system is designed in such a way that its multiple security layers won’t allow any manipulation.
“The whole Aadhaar system is designed in a manner that it has multiple layers of security. Because of multiple layers of security, if manipulation is done at the systems’ front end, at the back-end the security checks will thwart that attempt,” Pandey said.
Once the application for enrolment is received, validation or security checks are performed at the system’s back-end too, Pandey said, adding that these safeguards allow rogue attempts to be detected.
“...all such attempts will get detected at the back-end and the enrolment packets then get rejected, and Aadhaar is not generated...we are also able to identify which operator has done this and, in such cases, the operator will be blacklisted...in appropriate cases we file prosecution under the Aadhaar Act,” Pandey said.
A report recently claimed that Aadhaar software and database have been compromised by a software patch that purportedly disables crucial safety features of the enrolment software.
The report had also said that the patch allegedly enabled unauthorised people to generate Aadhaar, a claim that has been refuted by the UIDAI.
In a statement earlier this week, UIDAI claimed that no operator can make or update Aadhaar unless an individual gives biometrics details.
“Therefore, it is not possible to introduce ghost entries into Aadhaar database,” the UIDAI statement had said.
When contacted, Jaideep Srivastava, Professor of Computer Science at University of Minnesota said that the generation of an Aadhaar number is the result of a full ‘two-way handshake’ between the client software and the server software.
“The former collects and sends a packet, and the latter then decides to accept or not accept the enrolment packet. Since the server-end decides the second, it has more power than the client software...Just because a rogue operator or compromised enrolment software tries to register an unauthorised person does not mean that the server will accept the packet and generate Aadhaar,” Srivastava said in response to an e-mail query.
(With PTI inputs)