MOSIP uses a number of keys to encrypt and sign data. Every key must be generated and kept in a defined key store: the root, module and identity-cache keys are held in an HSM, while keys derived from them, wrapped symmetric keys and uploaded certificates live in the database of the service that owns them. This page lists the keys used in MOSIP, their application and reference IDs, the key type and objects involved, where each key is stored and how it is generated.
| Key | Application ID | Reference ID | Key type | Objects | Storage | Generated by | Comments |
|---|---|---|---|---|---|---|---|
| Kernel Root | ROOT | - | RSA 2048 | Private key, self-signed certificate | HSM-1 | Country | Auto generated by key generator |
| Registration | REGISTRATION | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| PreReg | PRE_REGISTRATION | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| Kernel Sign | KERNEL | SIGN | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| Registration Processor | REGISTRATION_PROCESSOR | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| PMS | PMS | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| ID Repo | ID_REPO | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| Resident Services | RESIDENT | - | RSA 2048 | Private key, certificate signed by Kernel Root | HSM-1 | Country | Auto generated by key generator |
| Kernel Identity Cache | KERNEL | IDENTITY_CACHE | AES 256 | Symmetric key | HSM-1 | Country | Auto generated by key generator |
| Registration Client (TPM) | - | - | RSA 2048 | Private key, certificate | Client TPM (private key), Server DB (certificate) | Registration Client Software | Auto generated by Registration Client Software in TPM |
| Registration Client Packet Encryption | REGISTRATION | CenterID_MachineID | RSA 2048 | Private key, certificate signed by Registration | Server DB (private key), Client DB (certificate) | System | Auto-generated when accessed |
| Data Share (10000 keys) for zero knowledge encryption | - | - | AES 256 | Symmetric key, encrypted by Kernel Identity Cache | KeyMgr DB | System | Auto generated by key generator |
| CA / Sub-CA certificates | - | - | X.509 | Certificates | PMS DB | CA | Manually uploaded |
| Partner certificates* | PARTNER | PartnerID | X.509 | Certificates signed by CA | PMS DB | Partners | Manually uploaded |
| IDA Root | ROOT | - | RSA 2048 | Private key, self-signed certificate | HSM-2 | Country | Auto generated by key generator |
| IDA | IDA | - | RSA 2048 | Private key, certificate signed by IDA Root | HSM-2 | Country/IDA Partner | Auto generated by key generator |
| IDA Sign | IDA | SIGN | RSA 2048 | Private key, certificate signed by IDA Root | HSM-2 | Country | Auto generated by key generator |
| IDA Identity Cache | IDA | IDENTITY_CACHE | AES 256 | Symmetric key | HSM-2 | Country | Auto generated by key generator |
| IDA Internal | IDA | INTERNAL | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| IDA Partner | IDA | PARTNER | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| IDA FIR | IDA | FIR | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
| IDA Cred Service | IDA | CRED_SERVICE | RSA 2048 | Private key, certificate signed by IDA | IDA DB | System | Auto-generated when accessed |
* The various partner certificates needed in the current version of the MOSIP system are:
| Partners | Application ID | Reference ID | Partner Domain | Partner Type Code |
|---|---|---|---|---|
| ABIS | PARTNER | mpartner-default-abis (or partner ID) | AUTH | ABIS_Partner |
| Device Providers | PARTNER | Partner ID | DEVICE | Device_Provider |
| Print Service Provider | PARTNER | mpartner-default-print (or partner ID) | AUTH | Credential_Partner |
| Auth Providers or Relying Party | PARTNER | Partner ID | AUTH | Auth_Partner |
| FTM Providers (per Chip Model) | PARTNER | Partner ID | FTM | FTM_Provider |
| MISP | PARTNER | Partner ID | AUTH | MISP_Partner |
| Manual Adjudicator | PARTNER | mpartner-default-manual-adjudication (or partner ID) | AUTH | Manual_Adjudication |
| IDA system | PARTNER | mpartner-default-auth (or partner ID) | AUTH | Online_Verification_Partner |
| Resident Services | PARTNER | mpartner-default-resident (or partner ID) | AUTH | Credential_Partner |
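The two tables above describe two things a practitioner has to get right: certificate chains (a module certificate is only trusted because Kernel Root signed it, and a partner certificate only because the manually uploaded CA did) and key wrapping (the Data Share keys are stored in the KeyMgr DB only in encrypted form, under the Kernel Identity Cache key). The following Go program, added here as an illustration and not part of the MOSIP documentation or code base, models both in memory with the standard library only: it issues stand-ins for Kernel Root -> REGISTRATION -> CenterID_MachineID and for an uploaded CA with one PARTNER certificate, checks that each leaf validates only under its own root, and wraps a data-share AES-256 key under a key-encryption key with AES-GCM, binding the key's reference ID as associated data. The certificate names, the `DATA_SHARE/...` labels, the demo serial numbers and the sample keys are constructed for the example; MOSIP's actual key manager APIs, storage formats and wrapping scheme are not shown, and in a real deployment the HSM-held keys never leave the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on key-generation or encoding failures, which this demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue generates an RSA-2048 key pair and an X.509 certificate for it. With parent == nil the certificate is self-signed (the ROOT rows); otherwise it is signed by parentKey and chains to parent.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain reports whether leaf chains to root, via intermediate when one is given.
func VerifyChain(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if intermediate != nil {
		inters.AddCert(intermediate)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// BuildHierarchy issues in-memory stand-ins for two chains from the table: Kernel Root -> REGISTRATION -> CenterID_MachineID, and an uploaded external CA with one PARTNER certificate under it.
func BuildHierarchy() map[string]*x509.Certificate {
	root, rootKey := Issue("Kernel Root", true, nil, nil)
	reg, regKey := Issue("REGISTRATION", true, root, rootKey)
	pkt, _ := Issue("REGISTRATION/CenterID_MachineID", false, reg, regKey)
	ca, caKey := Issue("Uploaded CA", true, nil, nil)
	partner, _ := Issue("PARTNER/PartnerID", false, ca, caKey)
	return map[string]*x509.Certificate{"KernelRoot": root, "Registration": reg, "PacketEnc": pkt, "PartnerCA": ca, "Partner": partner}
}

// gcmFor builds AES-256-GCM from the key-encryption key; a KEK that is not 32 bytes is a configuration bug.
func gcmFor(kek []byte) cipher.AEAD {
	if len(kek) != 32 {
		panic(fmt.Sprintf("KEK must be a 32-byte AES-256 key, got %d bytes", len(kek)))
	}
	return must(cipher.NewGCM(must(aes.NewCipher(kek))))
}

// WrapKey encrypts a data-share key under the KEK (the Identity Cache key in the table), binding refID as associated data so a wrapped blob cannot be quietly re-labelled as a different key. Output is nonce || ciphertext.
func WrapKey(kek, dataKey []byte, refID string) []byte {
	gcm := gcmFor(kek)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, dataKey, []byte(refID))
}

// UnwrapKey reverses WrapKey; a wrong KEK, a wrong refID or a modified blob fails authentication.
func UnwrapKey(kek, wrapped []byte, refID string) ([]byte, error) {
	gcm := gcmFor(kek)
	if n := gcm.NonceSize(); len(wrapped) >= n {
		return gcm.Open(nil, wrapped[:n], wrapped[n:], []byte(refID))
	}
	return nil, fmt.Errorf("wrapped key too short")
}

func main() {
	h := BuildHierarchy()
	fmt.Println("CenterID_MachineID cert chains to Kernel Root:", VerifyChain(h["PacketEnc"], h["Registration"], h["KernelRoot"]) == nil)
	kek := make([]byte, 32) // constructed stand-in for the HSM-held Identity Cache key
	must(rand.Read(kek))
	_, err := UnwrapKey(kek, WrapKey(kek, make([]byte, 32), "DATA_SHARE/0001"), "DATA_SHARE/0002")
	fmt.Println("re-labelled wrapped key rejected:", err != nil)
}
```

Two design points carry over to a real deployment. First, `VerifyChain` is built with a root pool containing only the expected root, so a partner certificate can never satisfy a check meant for the kernel hierarchy, and a leaf presented without its issuing module certificate fails rather than being accepted on name alone. Second, the reference ID is authenticated data rather than part of the ciphertext: the store can read which key a blob belongs to, but swapping the label on a wrapped blob makes it undecryptable, which is the property the "encrypted by Kernel Identity Cache" column is relying on.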