MOSIP Device Service Specification

Objective: Establish technical and compliance standards for biometric devices in MOSIP solutions.

Target Audience: Biometric device manufacturers, developers and designers.

MOSIP Devices: Devices collecting biometric data must operate within this specification.

Versions: 0.9.2 (Aug-2019), 0.9.3 (Feb-2020), 0.9.5 (Jun-2020, Dec-2020, Feb-2021, Apr-2021, May-2021, Apr-2022, Jul-2022, Oct-2023)

Device Provider:   Entity manufacturing or importing devices.

FTM Provider:   Entity guaranteeing foundational trust module trustworthiness.

Device:   Hardware capturing biometric information.

L1 Certified Device:   Device performing encryption in trusted zone.

L0 Certified Device:   Device performing encryption on host machine.

FTM Provider Certificate:   Certificate proving FTM provider evaluation.

Device Provider Certificate:   Certificate proving device provider compliance.

Registration:   Applying for a Foundational Id.

KYC:   Know Your Customer.

Auth:   Identity verification.

FPS:   Frames Per Second.

Management Server:   Server managing biometric device lifecycle.

Device Registration:   Device obtaining certificate from management server.

Signature:   All signatures should be as per RFC 7515.

Device Capability: 

• Collect one or more biometrics.

• Sign captured biometric image or template.

• Protect secret keys.

• No mechanism to inject biometric.

Base Specifications: For biometric data specifications view MOSIP Biometric Specification.

Device Trust: 

• L1: Secure chip with secure execution environment.

• L0: Software-level trust with no hardware related trust.

Foundational Trust Module (FTM): 

•  Secure microprocessor for biometric processing and secure key storage.

•  Protect keys from extraction, physical tampering and attacks.

•  Provide memory segregation and withstand cryptographic side-channel attacks.

Physical ID:  Unique device serial number and make/model.

Digital ID:  Signed JSON (RFC 7515) with FTM Identity key.

Accepted Values:  Serial number, make, model, type, device subtype, device provider, device provider ID, date time.

 Device Key: Authorized private key after registration.

FTM Key:  Root of identity, permanent key.

MOSIP Key:  Public key for encrypting biometric data.

Device Discovery: Identify MOSIP-compliant devices.

Device Discovery Request: Type of device.

Device Discovery Response: Device ID, status, certification, service version, device sub ID, callback ID, digital ID, device code, spec version, purpose, error.

The device will open a channel to send live video streams which is useful for assisted operations in collecting biometrics. Note that the stream APIs are available only in the registration environment.

This API is used exclusively for devices compatible with the registration module and is visible only to devices registered for "Registration" purposes.

Management Client

The management client's objectives are:

• Auto-Registration: Automatically register devices with the server.

• Secure Communication: Ensure all communications are digitally signed encrypted (TLS 1.2/1.3) and include ISO timestamped signatures.

• Device Detection: Detect devices in a plug-and-play manner.

• Key Rotation: Trigger key rotations from the server.

• Server Validation: Verify communication with the correct server.

• Software Upgrades: Verify and prevent downgrades of software.

• Security: No API for biometric capture, no logging of biometric data and ensure software upgrades are verifiable.