0

In the EU, a person will soon be able to perform certain activities (going to concerts, to sports events, etc.) only if they can present a valid Green Pass that certifies that the bearer has been vaccinated, or has recovered from Covid, or has been tested negative in the recent past.

The Green Pass is basically a QR code that contains information encrypted with public-key cryptography (see here for details).

As soon as it was introduced, spammers started promoting fake Green Passes for people who did not want to get vaccinated. Some of these are clearly attempts at identity theft, since the spammers claim that they need a copy of a valid ID to generate the Green Pass.

I'd like to know whether the Green Pass scheme has actually been broken¹; the few sources that I've found are clearly unreliable (their technical explanations are gibberish).

NOTE: I've had my shots and have a valid Pass; I'm only interested in the technical aspect (i.e. robustness) of the scheme.

¹ Moderator note: we are on a cryptographic forum, and if we discuss that subject, at least we should stick strictly to it's cryptographic aspects.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
Vorbis
  • 119
  • 3
  • Thank you for raising this. Specifications seems showing privacy-safety balance like open everything, signed by the authority, giving "identity protection" against someone unable to collect and decode QR codes. There might be a problem linking a signed "vaccinated" document to a person showing a QR code on his device. Any chance to borrow it from a friend, any liability for doing that? Is it required to also show ID card, matching them at the door? – Vadym Fedyukovych Jul 28 '21 at 20:33
  • @vadym, there are several apps that read the QR code and prints the name of the bearer, and his/her date of birth. The idea is that the store owner will ask for a matching ID. – Vorbis Jul 30 '21 at 16:53
  • The privacy idea is to give green/red only, as implied by the catchy name. Giving name, date, or any match/link is "convenience". Assuming someone else would ask for Id looks like "this is not my problem, they are good trusted people". – Vadym Fedyukovych Jul 31 '21 at 04:38

2 Answers2

8

The specification mentions that the signature is per ECDSA on curve "P-256" (aka secp256r1), or RSASSA-PSS with a modulus of 2048 bits in combination with the SHA–256 hash (I guess with MGF1 with SHA-256; can't be sure for salt size). These are state-of-the-art, unbroken algorithms.

I find it unbelievable that a cryptographic attack would let emit fake passes that are accepted with proper validation per this specs, with forged user data.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • 3
    One not inconceivable possibility is that a mistake by an issuer caused them to generate two signatures with the same ECDSA nonce; if someone found that, they could recover the ECDSA private key, and generate forgeries. I don't think it's very likely in this case - it is possible. – poncho Jul 28 '21 at 14:10
-1

Answering the question what is broken, with focus on cryptographic aspects:

"Green Pass" title implies yes/no decision, while the application actually scans the name, birthday, and vaccination info from QR-code, and prints it in cleartext. To achieve the goal, it requires infrastructure like publicly accessible database with medical information, and manual ID check.

No attempt is suggested in the technical description to use any well-known cryptographic tool for data privacy. Even worse, signatures require all the signed data to be available in the cleartext. Declaring signatures short-lived with X.509 attributes is not the solution to privacy. To be constructive, please let me remind zero-knowledge proofs were considered for democratic voting since late 80s.

According to "Interoperability of health certificates Trust framework V.1.0 2021-03-12" section "7 Verification protocol", scanner verifies signature and prints the the signed data (offline part):

Once this digital signature has been verified, the verification software can decode the information in the 2D barcode and rely on its content.

UVCI part of the certificate is the searching key into a database expected later (function creep):

Online verification will rely on the UVCI and it will be incorporated in the next version of the specifications (V2).

EU Commission was asked on zero knowledge applicability:

Parliamentary questions, 13 April 2021, Pier Nicola Pedicini (Verts/ALE) ... Is the Commission considering:

  1. using ZKP for the Digital Green Certificate; ...

Brian Behlendorf (Linux Foundation) did say at the "Vaccine Passports: A public health solution or ethical & legal minefield?":

There’s been recent advancements in cryptography and mathematics that are much better aligned with this idea of being able to prove a thing without having to show a lot of information about that thing. .. That same kind of zero-knowledge system and zero-knowledge proof needs to be something that we standardize across the system.

Update: cryptographic aspects of the recent data leak may include reasoning like untraceability of copying signed data that was sent out for verification at least twice, and precise meaning of "unavailable" of that signed data.

Vadym Fedyukovych
  • 2,267
  • 13
  • 19
  • 2
    I don't get what "publicly accessible database" refers to. Independently, I don't see how ZKP or anything else can help on privacy in the situation, if we assume that the pass must be a static QR code, not be trivially transferable to anyone else, and verifiable without any secret. – fgrieu Aug 06 '21 at 10:51
  • UVCI verification (scheduled for version 2) is the database reference. With ZKP there should be a chance to handle all "intermediate" data like name and birthday as a witness on the user-controlled device, rather than printing it. That means, only printing yes or no. – Vadym Fedyukovych Aug 07 '21 at 15:28