As per the Aadhaar circular, all KUAs have to implement an HSM to store all Digital Signature Certificates and Encryption Keys.
Extract of the circular:
“In eKYC service, UIDAI encrypts the eKYC response data using the KUA public key and subsequently forwards the encrypted response to the KUA. On receiving the encrypted response, the KUA decrypts the data using their own Private Key stored in the HSM.
Further, to enhance the security of the Aadhaar authentication eco-system, under Regulations 14(n) and 19(o) of the Aadhaar (Authentication) Regulations, 2016, it is hereby decided to mandatorily use a Hardware based Security Module (HSM) for digital signing of Auth XML and decryption of eKYC Data.”
SigningAPI understands the requirements of KUAs and provides an out-of-the-box web service along with the SigningAPI HSM Appliance. The SigningAPI HSM appliance comes with a web service to sign Auth XML, encrypt XML and decrypt the eKYC response, so the private key never leaves the HSM.
The third-party application that integrates the web service has to pass the following details to the Signer API method call:
- XML data
- Action type
- Unique ID of the signer
- HSM credentials