UIDAI system can thwart manipulation with layers of security checks: CEO

The comments of UIDAI chief come against the backdrop of a recent report alleging Aadhaar software hack

The UIDAI's system contains multiple layers of security checks, and any attempt of manipulation at the operator level will be detected and thwarted at the back-end, Aadhaar-issuing body's CEO Ajay Bhushan Pandey has said.

The comments of the Unique Identification Authority of India (UIDAI) chief come against the backdrop of a recent report alleging Aadhaar software hack.

"The whole Aadhaar system is designed in a manner that it has multiple layers of security. Because of multiple layers of security, if manipulation is done at the systems' front end, at the back-end the security checks will thwart that attempt," Pandey said.

Once the application for enrolment is received, validation or security checks are performed at the system's back-end too, Pandey said, adding that these safeguards allow rogue attempts to be detected.

"...all such attempts will get detected at the back-end and the enrolment packets then get rejected, and Aadhaar is not generated...we are also able to identify which operator has done this and, in such cases, the operator will be blacklisted...in appropriate cases we file prosecution under the Aadhaar Act," Pandey told PTI.

A report recently claimed that Aadhaar software and database have been compromised by a software patch that purportedly disables crucial safety features of the enrolment software.

The report had also said that the patch allegedly enabled unauthorised people to generate Aadhaar, a claim that has been refuted by the UIDAI.

In a statement earlier this week, UIDAI claimed that no operator can make or update Aadhaar unless an individual gives biometrics details.

"Therefore it is not possible to introduce ghost entries into Aadhaar database," the UIDAI statement had said.

When contacted, Jaideep Srivastava, Professor of Computer Science at University of Minnesota said that the generation of an Aadhaar number is the result of a full 'two-way handshake' between the client software and the server software.

"The former collects and sends a packet, and the latter then decides to accept or not accept the enrolment packet. Since the server-end decides the second, it has more power than the client software...Just because a rogue operator or compromised enrolment software tries to register an unauthorised person does not mean that the server will accept the packet and generate Aadhaar," Srivastava said in response to an e-mail query.