Table Of Contents
- 1. INTRODUCTION
- 2. FUNCTIONAL OVERVIEW
- 3. ARCHITECTURE OVERVIEW
- 4. FEATURES
- 5. ARCHITECTURALLY SIGNIFICANT COMPONENTS
- 6. APIs
- 7. PRIVACY AND SECURITY
- 8. HOW TO CONTRIBUTE
- 9. BUILDING AND DEPLOYING (WIP)
- 10. INFRASTRUCTURE RECOMMENDATIONS
- 11. List Of Acronyms
This document describes the objectives and explicit functional requirements of MOSIP. It also gives an overview of architecturally significant features, APIs and standards followed in MOSIP. Lastly, it provides necessary information on implementation, customization and set up.
Further details are available on each modules under Requirement Specifications
Pre-registration is the web channel of the MOSIP. This module enables a user to:
- Book an appointment for registration
- Enter demographic data & upload supporting documents
- Appointment notification, rescheduling and cancellation
- Send resident data to registration center before appointment, which can be used during registration
2.2 Registration Services
Registration Client application captures the demographic and biometric details of an individual along with supporting information (proof documents & information about parent/guardian/introducer) and packages the information in a secure way. This module provides the following capabilities:
- Provides a secure way of capturing an individual's demographic and biometric data
- Provides interfaces to biometric devices that comply to industry standards
- Works in online and offline mode to capture data
- Provides option to transfer data to server when online and helps in uninterrupted registrations
- Client has the ability to update itself for patch upgrades (bug fixes/enhancements) in a remote way. There could be hundreds of client instances running on laptops/desktops. Updates on all of them are controlled by the client and a central server.
- Registration client is secured such that it cannot be tampered with or misused
2.3 Registration Processor
Registration Processor processes the data (demographic and biometric) of an individual for quality and uniqueness and then issues a Unique Identification Number (UIN). The source of data are primarily from:
- MOSIP Registration Client
- Existing ID system(s) of a country
This module has the following capabilities:
- Provides guaranteed packet processing - Not lose the packet once received on the server
- Handle server failure, recovery and re-submission of packets for processing automatically
- Add new processing step(s) without changing existing steps as different countries may have different processing requirements
- Integrate with multiple ABIS providers. Accommodate sending one or more biometric modality to one or more ABISs and calculate a composite fusion score and then take a decision on the processing
- Each processing step is scalable independently based on the load
2.4 ID Authentication
ID Authentication in MOSIP provides services through APIs that validates the authenticity of a resident based on one or more factors (demographic and biometric). The authentication services are integrated with TSPs (Trusted Service Providers) for delivering eKYC services to residents via user agencies.
This module provides the following capabilities:
- Authenticate an individual in a secure and trusted way
- Capture the biometric data as per the defined standards
- Authenticate an individual based on their basic identity data captured via MOSIP
- In addition to demographic and biometric authentication, an individual can also be authenticated based on the following parameters:
- Temporary One Time Password (TOTP) based
- Challenge response
- Authentication APIs
- High Availability (HA) to ensure smooth service
- Scalable to cater to the growing population of a country
- Protects an Individual's identity from request-replay attacks
- Audited for reporting and fraud management checks
Kernel is a platform to build higher-level services as well as a secure sandbox. Functionally it caters to the following services:
- UIN Generation
- Configuration Server
- Audit Manager
- Authentication and Authorization
- Common Services
- Data Services
- Admin Services
2.6 Administrator Services (WIP)
MOSIP Admin manages the functional and non-functional activities of MOSIP on Admin Portal through either the backend process or the UI screens.
Admin will be able to:
- Set up Platform Data, Process Flows, ID Definition, Configuration, and Security Policy (Through backend process).
- Manage (Create, Update, View, Activate/Deactivate, Map/Un-map/Re-map/Decommission) the resources.
- Map the resources (Users, Machines, and Devices) to a registration center.
- Manage the master data (Create/Update/Activate/Deactivate).
- Manage approval requests for creation and updation of resources and master data.
- Manage personal account details (Reset Password, Forgot User Name, Change Password, Unlock Account, and Edit Personal Details.
- Activate/deactivate UIN
- View status of packets
2.9 ID Repository
3.5 High Level Design
4.1 Functional Requirement Specifications
5.1 ID Object Definition
ID definition describes the attributes a Country or entity intends to capture from an Individual, which will formulate the definition of ID for a Country. This section elaborates on the mechanism MOSIP adopts, in order to provide the flexibility for each Country to define its preferred ID definition and ID object definition schema.
MOSIP as a platform will have multiple applications running and each application will have a set of configurations. This section details:
- The key configuration files a system owner has to create before starting the platform – with a centralized Config Server.
- Launcher component which will read the configuration files, validate and launch the platform.
5.3 Registration Packet Structure
This section illustrates the packet creation flow along with the encryption process, as part of Registration Client.
5.4 ABIS Middleware
This section provides details on the ability of MOSIP to support a single or multi-ABIS solution, specifics on the Components & APIs of ABIS Middleware, Strategies for Biometric data management in ABIS and Strategies for de-duplication in case of multiple ABIS systems.
5.5 Biometric Data Standards
This section details out the specifications for Biometric data during data acquisition and verification.
5.6 MOSIP Device Specification
This section illustrates the VDM technical specifications to be adhered by a vendor, who intends to adopt their devices to the MOSIP platform, so as to capture the biometric data and process the same.
5.7 Core Data Management
ID Repository module contains the golden record of Identity for an Individual. Once new/update packets are processed by Registration Processor, the Identity details of an Individual are added/updated in ID Repository. The Identity information available in ID Repository is then used by ID Authentication to authenticate an Individual.
This module exposes few REST APIs which can be used to create/update/retrieve identity of an individual. Please refer to the ID Repository API for more details.
5.8 Integration with External Systems
This section illustrates the integration specifications of MOSIP with an external system.
6.1 External APIs
6.2 Internal APIs
- Kernel APIs---
- ID Repository API
- Admin APIs
- AuthN & AuthZ APIs
- Master Data APIs
Multiple aspects of Security like Confidentiality, Privacy, and Integrity of data are key in ensuring an Individual's identity is not compromised. This section illuminates on the privacy and security design principles MOSIP follows. Please also take a look at Security Tools to know more about the tools used for security testing.
9.2 Tester Documentation
Useful information for the tester community. Tester Documentation
Test Rig represents a one click automation to build, deploy and test a software module. Successful execution of test rig would ascertain complete setup of the MOSIP platform. More details on Test Rig Design.
More details on Test Automation
9.4 Customization (WIP)
10.1 Data Center Architecture (WIP)
11. List Of Acronyms
|ABIS||Automated Biometric Identification System|
|API||Application Programming Interface|
|MOSIP||Modular Open Source Identity Platform|
|OTP||One Time Password|
|SDK||Software Development Kit|
|TBD||To Be Determined|
|TOTP||Temporary One Time Password|
|UIN||Unique Identification Number|
|WIP||Work In Progress|
|CBEFF||Common Biometric Exchange Formats Framework|
|HSM||Hardware Security Module|
|TPM||Trusted Platform Module|