search
UIDAI

ISO 18013-5 Aadhaar mDoc Specs

This document covers mDoc schema specifications

hashtag
1. Introduction

This specification defines the Aadhaar mDoc schema for digital identity verification compliant with ISO/IEC 18013-5. It enables:

  • Privacy-preserving identity sharing

  • Offline-capable verification

  • Selective disclosure of Aadhaar attributes

  • Cryptographic integrity using COSE and salted hashes

hashtag
2. mDoc Data Model

hashtag
2.1 Encoding Format

Item
Specification

Data Format

CBOR

Object Signing

COSE_Sign1 (RFC 9052)

Namespace Model

Modular namespace-based

Digest Algorithm

SHA-256

Claim Protection

Salted Hash per attribute

Each claim is encoded as:

IssuerSignedItem = {
  digestID: uint,
  random: bstr,              ; per-claim salt
  elementIdentifier: tstr,   ; claim name
  elementValue: any          ; claim value
}

hashtag
2.2 Namespace Definition

hashtag
Namespace: in.gov.uidai.aadhaar.1

All resident attributes reside inside this UIDAI namespace. Each element is wrapped in CBOR Tag 24 for cryptographic isolation.

hashtag
2.3 Issuer Authentication (issuerAuth)

The issuerAuth field is a COSE_Sign1 structure containing the Mobile Security Object (MSO).

Component
Description

Protected Header

Signing algorithm metadata (e.g., ECDSA-256)

Unprotected Header

X.509 certificate or UIDAI key reference

Payload

Mobile Security Object (MSO)

Signature

UIDAI signature over protected headers + MSO

hashtag
2.4 Mobile Security Object (MSO)

The MSO links issuer signature → salted claim hashes.

Field
Description

digestAlgorithm

Hash algorithm (SHA-256)

valueDigests

Map of namespace → digestID → hash

deviceKey

Holder device public key

docType

in.gov.uidai.aadhaar.1

validityInfo

signed / validFrom / validUntil timestamps

The MSO prevents signing each attribute individually and enables selective disclosure verification.

hashtag
2.5 Credential Validity Rules

Credential validity = earliest of:

  1. Default Expiry: 1 year from issuance

  2. Aadhaar Expiry: aadhaar_expires_on

  3. Status Update: Age/eligibility state change

hashtag
2.6 Supported Claims

All listed claims are selectively disclosable (Y) — meaning the holder can share them individually.

Field

Description / Meaning

Selectively Disclosable

CredentialIssuingDate

Credential Issuance Date

Y

EnrolmentDate

Enrolment Date

Y

EnrolmentNumber

Enrolment Number

Y

IsNRI

Whether the Resident is an NRI or not

Y

IsResidentForeigner

Whether the resident is a foreign national

Y

AadhaarType

Type of Aadhaar (RF / NRI / IN)

Y

AadhaarExpiresOn

Date of Expiry for the Aadhaar

Y

MaskedUID

Masked UID of Resident

Y

ResidentName

Name of the Aadhaar Holder

Y

LocalResidentName

Local language name of the Aadhaar Holder

Y

Dob

Date of Birth

Y

Email

Email ID of resident

Y

MaskedEmail

Masked Email

Y

Mobile

Mobile number

Y

MaskedMobile

Masked mobile number

Y

Gender

Gender of the Aadhaar Holder

Y

ResidentImage

Photo of the Aadhaar holder

Y

AgeAbove18

Is age above 18 years?

Y

AgeAbove50

Is age above 50 years?

Y

AgeAbove60

Is age above 60 years?

Y

AgeAbove75

Is age above 75 years?

Y

CareOf

Guardian / Head of Family name

Y

LocalCareOf

Guardian / HOF name in local language

Y

Building

Building details

Y

LocalBuilding

Building details in local language

Y

Locality

Locality details

Y

LocalLocality

Locality in local language

Y

Street

Street details

Y

LocalStreet

Street in local language

Y

Landmark

Landmark details

Y

LocalLandmark

Landmark in local language

Y

Vtc

Village / Town / City

Y

LocalVtc

Village / Town / City in local language

Y

SubDistrict

Sub-district details

Y

LocalSubDistrict

Sub-district in local language

Y

District

District details

Y

LocalDistrict

District in local language

Y

State

State details

Y

LocalState

State in local language

Y

PoName

Post Office Name

Y

LocalPoName

Post Office name in local language

Y

PinCode

Pin code

Y

Address

Full address (individual fields also disclosable)

Y

RegionalAddress

Address in local language

Y

hashtag
2.7 Verification Workflow

  1. Signature Verification Validate COSE signature using UIDAI public key.

  2. Hash Verification For each disclosed claim:

  1. Device Binding Ensure MSO deviceKey matches presenting device key.

hashtag
2.7 Security Architecture

Mechanism
Purpose

CBOR

Compact binary transport

COSE

Tamper-proof signing

Salted Hashes

Prevent dictionary attacks

Device Key Binding

Prevent cloning

Namespace Isolation

Modular claim separation

hashtag
3.0 Standards & Technology Implementation

hashtag
3.1 Object Representation (CBOR)

Concise Binary Object Representation (CBOR) is the primary encoding format. It is designed for interoperability with JSON but offers a more compact binary footprint. This allows for faster offline transmission (via NFC or BLE) and supports complex data types like images with reduced size overhead.

hashtag
6.2 Object Signing (COSE)

To ensure data is tamper-proof, UIDAI uses CBOR Object Signing and Encryption (COSE) . Every mso is signed as a COSE_Sign1 message. This process authenticates both the Issuer (UIDAI) and binds the document to the Holder's Device Key , preventing unauthorized cloning of the credential.

hashtag
6.3 Hashed Salted Claims

Aadhaar mDocs use salted hashes to enhance privacy. Each claim is combined with a unique "salt" (the random hex value) before being hashed. This prevents "dictionary attacks" where a verifier could guess a birthdate by comparing hashes, ensuring that shared data remains private and unique to each transaction.

PreviousVerifiable Credential SpecificationsNextAadhaar SD-JWT Specifications

Last updated