Aadhaar Paperless Offline e-kyc

Introduction

UIDAI has launched Aadhaar Paperless Offline e-KYC Verification to allow Aadhaar number holders to voluntarily use it for establishing their identity in various applications in paperless and electronic fashion, while still maintaining privacy, security and inclusion.

Why Aadhaar Paperless Offline e-KYC ?

UIDAI provides a mechanism to verify identity of an Aadhaar number holder through an online electronic KYC service. The e-KYC service provides an authenticated instant verification of identity and significantly lowers the cost of paper based verification and KYC. However, this method of online e-KYC is not available to all agencies and may not be suitable due to some of the following reasons;

  • Online e-KYC requires reliable connectivity
  • Agency needs to have technical infrastructure to call online e-KYC service and deploy devices (as necessary)
  • The resident may need to provide biometrics for the online e-KYC
  • UIDAI maintains a record of the KYC request for audit purposes

Advantages of Aadhaar Paperless Offline e-KYC

  • Privacy :
    • KYC data may be shared by the Aadhaarnumber holder directly without the knowledge of UIDAI.
    • Aadhaar number of the resident is not revealed, instead only a reference ID is shared.
    • No core biometrics (fingerprints or iris) required for such verification
    • Aadhaar number holder gets a choice of the data (among the demographics data and photo) to be shared.
  • Security:
    • Aadhaar KYC data downloadable by Aadhaar number holder is digitally signed by UIDAI to verify authenticity and detect any tampering.
    • Agency can validate the data through their own OTP/Face Authentication.
    • KYC data is encrypted with the phrase provided by Aadhaar number holder allowing residents control of their data.
  • Inclusion:
    • Aadhaar Paperless Offline e-KYC is voluntary and Aadhaar number holder driven.
    • Any agency working with people can use it with consent of the Aadhaar number holder allowing wide usage.

How does it work?

Aadhaar Paperless Offline e-KYC eliminates the need for the resident to provide photo copy of Aadhaar letter and instead resident can download the KYC XML and provide the same to agencies wanted to have his/her KYC. The agency can verify the KYC details shared by the resident in a manner explained in below sections. The KYC details is in machine readable XML which is digitally signed by UIDAI allowing agency to verify its authenticity and detect any tampering. The agency can also authenticate the user through their own OTP/Face authentication mechanisms.

How to obtain Aadhaar Paperless Offline e-KYC Data

Aadhaar number holders can obtain Aadhaar Paperless Offline e-KYC data through the following channels:

  • Download Aadhaar Paperless Offline e-KYC from resident portal (https://resident.uidai.gov.in)
  • In future, obtain Aadhaar Paperless Offline e-KYC will also be available via:
    • mAadhaarmobile application on a registered phone number
    • Inbound SMS using registered phone number
    • Aadhaar Kendra using Biometric Authentication

What Data is covered in e-KYC

While downloading/obtaining offline e-KYC data, following fields are included in the XML.

  • Resident Name
  • Download Reference Number
  • Address
  • Photo
  • Gender
  • DoB/YoB
  • Mobile Number (in hashed form)
  • Email (in hashed form)

Aadhaar Paperless Offline e-KYC data is encrypted using a “Share Phrase” provided by the Aadhaar number holder at the time of downloading which is required to be shared with agencies to read KYC data.

How to share Aadhaar Paperless Offline e-KYC Data

Aadhaar Paperless Offline e-KYC data may be provided to the verifying agency by the Aadhaar number holder in digital or physical format along with share phrase:

  • Digital Format: XML/PDF
    • This format is preferred when high quality photo is required
  • Printed Format: QR code
    • When resident is more comfortable with a physically printed format
    • Low resolution photo for visual inspection only

Technical Facets of Aadhaar Paperless Offline e-KYC

The following will help residents in getting a better understanding about the technical facets of Aadhaar Paperless Offline e-KYC.

XML Data Format

Offline Paperless e-KYC when downloaded has the following XML :
<OfflinePaperlessKyc referenceId="">
<UidData>
<Poi dob="" gender="" name="" e="" m=""/>
<Poa country="" dist="" house="" loc="" pc="" po="" state="" street="" subdist="" vtc="" />
<Pht></Pht>
</UidData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue></SignatureValue>
<KeyInfo>
</KeyInfo>
</Signature>

</OfflinePaperlessKyc>

Element Details

Element :

OfflinePaperlessKyc: – Container for keeping the resident kyc data.

Attributes :

version - Version: –Now value will be 1.0.

name - Name: – Present as plain text.

referenceId - Reference Number: – This is a composition of last 4 digits of Aadhaar number followed bytimestamp in YYYYMMDDHHMMSSmmm format.

Example :
Aadhaar Number: XXXX XXXX 3632
Time Stamp : 20181001134543123
Reference Number : r=”363220181001134543123”

Pht - Photo: –Is present in JP2000 format with low resolution. Standard JP2 renderers can be used to show the photo.

dob - DoB/YoB: – Present as plain text in DDMMYYYY or YYYY format

e - EmailID: – This is represented as a hash with following logic.

Hashing logic for Email ID :
Sha256(Sha256(Email+SharePhrase))*number of times last digit of Aadhaar number
(Ref ID field contains last 4 digits).

Example :
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Aadhaar Number:XXXX XXXX 3632
Passcode : Lock@487
Hash : Sha256(Sha256(This email address is being protected from spambots. You need JavaScript enabled to view it. @487))*2
In case of Aadhaar number ends with Zero we will hashed one time.

m - Mobile Number: – This is represented as a hash with following logic.

Hashing logic for Mobile Number :
Sha256(Sha256(Mobile+SharePhrase))*number of times last digit of Aadhaar number
(Ref ID field contains last 4 digits).

Example :
Mobile: 1234567890
Aadhaar Number:XXXX XXXX 3632
Passcode : Lock@487
Hash: Sha256(Sha256(1234567890Lock@487))*2
In case of Aadhaar number ends with Zero we will hashed one time.

gender - Gender: – This is either“M”(Male) or “F”(Female) or “T” (TransGender).

Poa - Address: –Address will come in below tag
Country- Country name like "India"
Dist- Will contains District name
House- will contains House number
loc- Locality
pc-Pincode
po- Post office name
state- State Name
street-Street Name
subdist- Sub District Name
vtc - VTC Name

signature - Signature: – This will a 344 character long digital signature of the data present in the downloaded XML. This can be validated using the public key of UIDAI which will be present in standard signed xml.

Steps to validate signature :

1. Read the entire XML.

2. Get signature from xml

3. Get Certificate from here.

4. If you have downloaded the client before 28 March, then get Certificate from here.

5. Convert certificate to base64 string.

6. Sample code snippets provided here.

XML Validation steps :

1. Aadhaar Paperless Offline e-KYC XML is zipped and protected with the “Share Phrase”. It can be unzipped using any standard unzipping utility (like WinZip, WinRaR, 7Zip etc.). While unzipping, a prompt will show for password where “Share Phrase” should be entered.

2. Parse the XML and use the logic mentioned earlier to validate the digital signature.

3. Optionally do OTP validation against the mobile number (resident needs to provide mobile number which can be hashed and verified against the KYC data) and/or do face validation by capturing face and matching against the photo within the e-KYC XML.