Social Icons

Showing posts with label threat. Show all posts
Showing posts with label threat. Show all posts

Sunday, September 09, 2018

Aadhaar on Blockchain : Consider or not? - Post 1/2

[This post builds upon introducing Aadhaar,its size,current way of handling the data sets,discuss its problems and subsequently followed by proposing Blockchain as a solution]

1.   When Aadhaar was originally introduced around 2009-10 by the Unique Identification Authority of India (UIDAI),it would not have envisaged the kind of Data juggling,analytics and security threats it would be subjected to in times to come.And here we are around the third quarter of 2018,wherein Aadhaar is central to so many authentications in the country ,being exploited in so many public utility services and also at the same time being subjected to all kind of threats and claims of data theft and leaks.For a record,it is estimated that around 1.2 billion citizens record are held in the CENTRAL servers and thus forms the worlds largest bio-metric identity repository in the world.UIDAI claims that the same is protected by layers of state of art cryptography in central servers located in the country. 

2.  Now in the world of IT,wherein claiming to be 100% secure is likely to remain a myth for ages ahead,can something like un-hackable really exist on this earth? We may harden something,we may actually add layers of security, we may do every possible hard encryption on this earth,but can we imagine a fool-proof IT domain anywhere. The question here attains severe importance when a Bio-metric repository data of 1.2 billion plus population of a country is at stake.

3.  Now what do we have on the platter here,if we consider the size of data,we can have the following assumptions :

(a) Per person biometric data size : 4-6 MB (Maximum I take)

(b) Approx data populated for : Around 1.25 billion plus ie 1,250,000,000 count

Total data ie to say 6 MB x 1,250,000,000 = 7500000000 MB Data ie around 7.5 Petabyte.....that's it...extrapolate the same with on-site backup and mirrors around...disaster recovery sites...we may just be discussing around 20 PB of data.

Even if we consider,augmenting data with the remaining population and generations ahead,we will be at max around 40-45PB of data to suffice around next few decades.That's all from point of view of the scalability of data and size.

4.  Now for this amount data, what are our security options in the present scenario.

Firstly we keep doing permutations and combinations and applying layers of hard coded security to the central servers that we have at various locations mirrored to each other.This presently includes the following : [SOURCE : http://www.cse.iitd.ernet.in/~suban/reports/aadhaar.pdf]

- 2048 bit PKI  encryption of biometric data in transit. End-to-end encryption from enrollment/POS to CIDR.

-   Trusted network carriers.

Effective precaution against denial of service (DOS) attacks.

- HMAC(
keyed-hash message authentication code) based tamper detection of PID (Personal Identity Data) blocks,  which encapsulate bio-metric and other data at the field devices.

Registration and authentication of AUAs.

-  Within CIDR only a SHA-n Hash of Aadhaar number is stored.

Audit trails are stored SHA-n encrypted, possibly also with HMAC based tamper detection.

Only hashes of passwords and PINs are stored

-  Biometric data are stored in original form though.

Authentication requests have unique session keys and HMAC.

- Protection against replay attacks.

-  Resident data stored using 100 way sharding (vertical partitioning).First two digits of Aadhaar number are used as shared keys.

-  All system accesses, including administration, through a hardware security module (HSM) which maintains an audit trail.

All analytics carried out only on anonymized data.

From the IT guys perspectives,don't we actually know that above are all individual knitted layers and tools of security wherein we are creating a very complex network of solution for ourselves which might get even more complex to handle and manage in times to come with more severe security threats in pipelines. 

At the same time, above all solutions and knits combinations are looking and bracing for external threats while we take the insider threats as negligible or taken for granted any day.

So do we have any other ecosystem of architecture that turns the tables upside down from the security and immutability point of view while OFFERING A MORE ROBUST SECURE IMMUTABLE AND TRANSPARENT ARCHITECTURE...whether BLOCKCHAIN can be a solution?

So,we have the above scenario which discusses what do we have on the platter and what are we actually doing to negate the threats....the next post will discuss how BLOCKCHAIN can assist to negate the security threats Aadhaar faces as on date.

Wednesday, September 18, 2013

LATEST ISSUES & TRENDS IN CYBER SECURITY &THREATS :IETE Diamond Jubilee National Seminar

 1.  Copy of the presentation that I gave at Ajay Kumar Garg Engineering College on the occasion of IETE Diamond Jubilee National Seminar.The Institution of Electronics and Telecommunication Engineers (IETE) is India's leading recognized professional society devoted to the advancement of science, technology, electronics, telecommunication and information technology. Founded in 1953, it serves more than 69,000 members through 59 centers/ sub centers primarily located in India (3 abroad) . The Institution provides leadership in scientific and technical areas of direct importance to the national development and economy.Association of Indian Universities (AIU) has recognized AMIETE. Government of India has recognised IETE as a Scientific and Industrial Research Organization (SIRO) and also notified as an educational Institution of national eminence. The objectives of IETE focus on advancing electro-technology. The IETE conducts and sponsors technical meetings, conferences, symposia, and exhibitions all over India, publishes technical journals and provides continuing education as well as career advancement opportunities to its members.


Tuesday, January 10, 2012

NATIONAL CYBER SECURITY POLICY : DRAFT


1.    Finally we are working on a national cyber policy....infact late but ...IT'S NEVER TOO LATE....the thing that we have started on this is a good sign.The draft of the subject policy is available at www.mit.gov.in/sites/upload_files/dit/files/ncsp_060411.pdf and is in fact inviting comments in case u have any!!!

2.   The draft is a 21 page report.After going through the same I have given the following points at the desired email address available in the draft report.

PARA 3.3 (I) C
GOVERNMENT SECURED INTRANET :
Addition point :

“ In addition to the emphasis on creation of such kind of intranet, efforts at the design stage should be made to exclude all possible options of internet connectivity with this intranet to avoid any kind of imminent threats. This intranet may need internet for various updates etc ,but this should be a privilege access point and no node should be allowed a free access. Any attempts to connect the same may invite action as a threat to nation. The limited internet connectivity to this is required for the following purpose :

- It is the most common action by any user to browse the net. Once given a opportunity he/she is always eager to access emails and download malware or infected software or any third party application. This is the point where command and control centre of a Botnet can be established by a cyber criminal. To avoid such practices it would always be the endeavor of the designer and the super administrator to ensure physical separation of Intranet and Internet. This Intranet should also be subject to regular cyber /IT audits by govt recognized penetration testers and forensic experts to maintain a cyber secure working environment.

PARA 3.3(D) @ Page 12
OPEN STANDARDS

The strength and power of open standards and applications remains unexploited in our country. Other developed nations who have realized the potential of this standard are already contributing significantly to their positive growth in cyber space. This has largely been possible owing to the lack of exposure of such standards by the new generation who is only exposed to the windows environment. Policy should be in place to ensure growth of open standards at school level curriculum.

PARA 3.5.2
COMBATING HIGH TECH CRIME/CYBER CRIME

Though the cat and mouse race between the good and the bad cyber guy would remain on always,it is worth noting that cyber crime if not controlled at such a nascent stage of induction and growth, has the full potential to become a cyber threat.No single policy would be able to achieve a CYBER CRIME FREE CYBER SPACE.It remains the onus of the common man how he tackles the cime himself.It is here that the National Cyber Policy can contribute in the following manner :

- Cyber Huntsville is a collaborative cyber community with the aim of attracting and developing the brightest minds, attacking the most complex problems, and providing the best solutions of national and international significance. Cyber Huntsville is an integral part of the National Cyber Initiative. Similar establishments should be encouraged at India level. More info at http://www.hsvcity.com/cyber/

4.2.3
Thrust areas of R&D  : 

-  Thrust areas of R&D should majorly focus on inducing maximum SRS and QRs at the DESIGN STAGE. Because, if not done at this stage, whatever work follows is patch work that remains a cover up action.
- Analysis of data flow in a network
- Pentration testing
- Storage solutions with backup, archiving, recovery provisioning of entire data.

5.1.1
ENABLING PEOPLE

Promoting a comprehensive national awareness program to include organizing seminars, events, webinars, guest lecture’s in tie up with established societies like IETE,Institution of  Engineers, Computer Society of India etc

Besides,these points I would suggest to include ensuring information security by managing the flow of information to the citizens as well as on securing its physical information infrastructure.The policy should call for the following :

- Popularize e- government
- Optimize the cyber industry structure.
- Provide a rugged 24x7 nationwide cyber infrastructure.
- Promote innovation of cyber technologies.
- Build a cyber oriented national economy.
- Design way to advanced internet culture.

Powered By Blogger