Image Credit: Narendra Bhooshan

Gujarat biometric leak and Registered Devices

The leak proves beyond doubt that Registered Devices cannot protect from fraud or identity theft

The basics

Biometrics are private information — neither a secret, like passwords are, nor public, meant to be shared freely. This distinction is explained in depth by Kiran Jonnalagadda.

Public, private and secret information

How is it possible for, say, Anand Venkatanarayanan to become Kiran Jonnalagadda in a presence-less system to perform an identity theft? There are two requirements.

• Kiran Jonnalagadda has some way of proving himself to the system, like a secret password, that Anand Venkatanarayanan gets hold of.
• Anand Venkatanarayanan provides this information to the presence-less system to effectively become Kiran Jonnalagadda.

This — in essence — is how password theft works. If I get hold of someone’s login id and password, I become them on that system. When a secret password is compromised, it must be changed to prevent identity misuse. This is why good secrets are disposable — why websites have a “change password” feature.

Aadhaar biometric authentication does not use such secrets for authentication. It uses two private identifiers — Aadhaar number and biometrics. This architectural design is a big problem.

Encryption only works for secrets

There are two basic types of encryption: symmetric and asymmetric.

Imagine a house you want to protect from theft. You can lock it with a key. The lock can also be opened with the same key. This is called “symmetric” encryption because the same key is used for both locking and unlocking.

A bank locker has a different type of lock. You need two keys to open the locker, but only one key to lock it. In cryptography we have a similar model called “asymmetric” encryption. There are two keys, of which one key can only be used to lock, and the other key can only be used to unlock.

Irrespective of whether symmetric or asymmetric encryption is used, the basic assumption is that the key is a secret. Anyone who has a copy of your key can open your lock, and in a presence-less system (anything online), that makes them indistinguishable from you. This is identity theft.

Which brings us to the Gujarat biometric leak.

Parallel biometric databases

The use of biometrics to identify genuine beneficiaries predates Aadhaar. Gujarat introduced biometric barcoded ration cards as early as 2011.

Govt plans to launch biometric ration cards across state

The coverage was universal even if the benefits are not, as the ration cards doubled up as identity documents:

The government has decided to separate ration card holders in two categories. One category will be of those who have or want to have ration cards either as mere important identity or residence proof but don’t take or not want to take ration material or just want it for LPG connection only. The other category will be of those cardholders who actually uses or want to use the card for groceries.

This entire ration card database was eventually crosslinked with Aadhaar. Since multiple family members’ fingerprints were associated with the same ration card, the enrolled population is estimated at about 5 crore:

“For example, as of now, we are maintaining data of some 1 crore users. In case of multiple entries on the single card, it can touch 5 crore or even more, which is almost near to the total population of the state,” said a senior official.

This database is hosted in the State Data Centre.

Combined with Aadhaar data, this effectively converted the state database into a mini-CIDR with biometrics, but without any of the protections the CIDR has.

One leak and all is compromised

The initial news reports on the Gujarat PDS leak were unclear about the modus operandi employed to compromise the system:

“The accused who were authorized to use E-FPS application provided by the government for issuing subsidised items to beneficiaries by matching their stored biometric details with barcoded ration card and UID (Aadhar), used illegal software and somehow accessed the data built by the government.

There was a little more detail in the TOI report:

During examination of data, he came to know that some software was being used by FPS owners and he started a search for it. Jangid was offered the software for Rs22,000 by one of the racketeers and he informed the government authorities about the scam.

And almost all we need to reconstruct the story appeared in this DNA report:

Modus operandi of using the biometric leak.

Let us reconstruct the crime scene slowly here:

1. Every one has a ration card (R1, R2 etc.) and an associated biometrics (B1, B2 etc.)
2. Every ration card is associated with an Aadhaar number (A1, A2 etc.)
3. Typically ration is released only when R1 and B1 matches.
4. However, in this case all of (R1, B1), (R2, B2) has leaked from the state’s parallel biometric database.
5. So it is trivial to host a proxy server with the leaked data, to send these leaked biometrics to the actual PDS server given any ration card R1, R2 etc.
6. The PDS server converts (R1, B1) into (A1, B1), verifies it with CIDR, and will then clear the transaction.

The type of encryption used is irrelevant once the secret is no longer a secret. In this case, fingerprints were treated as secrets and they have leaked.

UIDAI touts Registered Devices as a solution to this problem, as they supposedly make it hard for fingerprints to be stolen. But they will not solve the problem. Here is why.

Registered Device Service and dummy devices

The first programming exercise that a device driver developer clears during software development is the “Emulated USB Device”.

Architecture of USB Device Emulation (UDE)

The emulated USB device looks like a real device to applications for all practical purposes. UIDAI’s Registered Device Service can be easily fooled into “registering” the emulated device with UIDAI because the operating system makes it indistinguishable from real hardware. Once done, it is trivial to program the emulated USB device to submit leaked biometric data obtained from elsewhere.

We can think of the proxy server used in the Gujarat biometric PDS hack as a “registered service”, which is connected to thousands of emulated USB fingerprint devices.

When stored information is used as if it were freshly obtained, it is called a “replay attack”. This cannot be prevented by UIDAI as it made the terrible architectural design choice of using a private identifier — fingerprints — as a secret. When a secret leaks, it is no longer a secret and must therefore be discarded and replaced with a new secret. Fingerprints and other biometrics cannot be discarded like this, and therefore are not secrets.

The UIDAI has publicly acknowledged that they are not equipped to prevent replay attacks.

However as late as September 2017, the commonly held belief is that biometrics cannot be faked, which was also relied on by the Supreme Court in Binoy Viswam vs. Union of India.

Conclusion

Encryption is a sophisticated tool to ensure the sanctity of secrets, and it works if data is handled in the correct manner. However, no amount of encryption will help if the secrets are not secrets in the first place.

The ubiquitous use of biometric authentication in Aadhaar has created a thriving black market for biometric data. Further, it has also normalized biometric collection. Since biometric authentication is the basis for other services like eSign, which are used for signing contracts and other financial instruments, the risks of abuse have grown multifold.

As the Gujarat PDS biometric leak has shown conclusively, a proxy server functioning like a Registered Device can perform a “replay attack” on eminent personalities like Bank Chairman, MLAs and MPs, who will not be able to prove that they did not perform the transaction as long as the courts have faith in biometrics.