Calgarypuck Forums - The Unofficial Calgary Flames Fan Community
10-10-2021, 10:02 AM   #341
Cecil Terwilliger

Quote:
Originally Posted by Beatle17
So should everyone get together and head down to the Dome and protest, or just attack CSEC. IF you chose to sign up on some unknown site that is on you (not you specifically) when there were other options.

Sure people can forge the documents but I would bet that is 1 in 100,000 people that think they are proving something cool, they are morons also. People need to take some personal responsibility for choosing to sign up on an unknown website.
No. If the Flames are supporting an app, it is on them to ensure it is safe. If they use Ticketmaster and it turns out TM is a scam website that sells fraudulent tickets, that's on the Flames for endorsing TM.

1 in 100k lol? I’d bet it’s more like 50% in Alberta in places where enforcement is in place.
10-10-2021, 11:41 AM   #342
Press Level

CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
10-10-2021, 12:06 PM   #343
Otto-matic

Quote:
Originally Posted by Beatle17
So should everyone get together and head down to the Dome and protest, or just attack CSEC. IF you chose to sign up on some unknown site that is on you (not you specifically) when there were other options.

Sure people can forge the documents but I would bet that is 1 in 100,000 people that think they are proving something cool, they are morons also. People need to take some personal responsibility for choosing to sign up on an unknown website.
Sure people may have jumped the gun and signed up, but they did so because the CSEC pushed this app very hard in all the email blasts/media posts over the summer, including getting their social media staff and staff who are on Twitter to push it.

This falls solely on the CSEC for not putting in an ounce of effort in vetting and pre-looking the app before it launched. They got sucked into those catch phrases and signed on the dotted line.
10-10-2021, 12:12 PM   #344
opendoor

Quote:
Originally Posted by calgarywinning
QR codes are barcodes that can carry larger amounts of data. They don't authenticate the data. Nor do they encrypt it.

In order to have a QR passport of some kind that preserved the individual privacy it would have to be encrypted end to end with the government. Then an external return of valid or not from the encrypted database.
That's not correct. The government app absolutely can authenticate the validity of the QR code without relying on connecting to a database. The QR codes use asymmetric cryptography where every issued QR code is signed using a private key, and the public key (used in the app) can be used to verify that it's genuine. So they can't be altered in any way, or they would fail the signature check when scanned.
10-10-2021, 03:01 PM   #345
calgarywinning

Quote:
Originally Posted by opendoor
That's not correct. The government app absolutely can authenticate the validity of the QR code without relying on connecting to a database. The QR codes use asymmetric cryptography where every issued QR code is signed using a private key, and the public key (used in the app) can be used to verify that it's genuine. So they can't be altered in any way, or they would fail the signature check when scanned.
The personal crypto key is completely visible as a data point in the QR barcode. Then I see what you mean about the public key. So my bad. However:

A QR-code is just text. You can encrypt text with your preferred encryption mechanism. Then transform this text into a QR-code. The clue is that you will need a reader and writer for de- and encryption. The biggest problem is the size of the text and the resulting size of the QR-code. Encryption enlarges texts a lot.

So let's work through this. Does the public key unlock a CHECKSUM only, verifying it is a legitimate QR, or does it "unlock the personal information" encoded in it, such as name, birth date and vac dates, double or single dose? Is the personal data not encrypted in the bar code and just the CHECKSUM? I guess this would happen on end to end encryption as well. I'd be extremely curious about this process.

However, I'm not sure if you had seen Alberta's first version of the vaccine passport which is much like a health card of basic printed data?
10-10-2021, 04:01 PM   #346
opendoor

Quote:
Originally Posted by calgarywinning
The personal crypto key is completely visible as a data point in the QR barcode. Then I see what you mean about the public key. So my bad. However:

A QR-code is just text. You can encrypt text with your preferred encryption mechanism. Then transform this text into a QR-code. The clue is that you will need a reader and writer for de- and encryption. The biggest problem is the size of the text and the resulting size of the QR-code. Encryption enlarges texts a lot.

So let's work through this. Does the public key unlock a CHECKSUM only, verifying it is a legitimate QR, or does it "unlock the personal information" encoded in it, such as name, birth date and vac dates, double or single dose? Is the personal data not encrypted in the bar code and just the CHECKSUM? I guess this would happen on end to end encryption as well. I'd be extremely curious about this process.

However, I'm not sure if you had seen Alberta's first version of the vaccine passport which is much like a health card of basic printed data?
I don't know the specifics of what Alberta is doing (I assume their QR code is the same as everywhere else, since the Federal Government has requirements for them), but for BC and Quebec (and most states that are doing this), the information itself is not encrypted. Any app that is capable of reading the SMART Health Card QR format can access your name, DOB, vaccination dates, and type of vaccine. Given the relatively low sensitivity of that information, trying to encrypt it would have introduced more problems than it solved (if it even worked at all). So the signature and key are only to ensure that it's a genuine QR code that has been issued by the government and hasn't been tampered with. But it can be done entirely offline, which is vitally important for this kind of thing.
10-10-2021, 04:07 PM   #347
djsFlames

Quote:
Originally Posted by Press Level
CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
You'd think if they were, they'd have retracted all affiliation with the app the moment that guy's tweets came out.

They played a dangerous game continuing to stand by them while they "work out the bugs".
10-10-2021, 04:23 PM   #348
calgarywinning

Quote:
Originally Posted by opendoor
I don't know the specifics of what Alberta is doing (I assume their QR code is the same as everywhere else, since the Federal Government has requirements for them), but for BC and Quebec (and most states that are doing this), the information itself is not encrypted. Any app that is capable of reading the SMART Health Card QR format can access your name, DOB, vaccination dates, and type of vaccine. Given the relatively low sensitivity of that information, trying to encrypt it would have introduced more problems than it solved (if it even worked at all). So the signature and key are only to ensure that it's a genuine QR code that has been issued by the government and hasn't been tampered with. But it can be done entirely offline, which is vitally important for this kind of thing.
So a hybrid more or less. So you could literally take the alpha strings from the scan, insert a valid private encryption key into the data, add the unencrypted information for yourself and away you go. Granted, a technical understanding is needed.

I'm also not condoning this at all. I am curious about the mechanics and what makes a QR code special. In Alberta's first passport, for a few days, the data was just a card that was easily reproducible. In my mind, all the data would have to be encrypted to deliver an on-screen verify to government ID.
10-10-2021, 05:05 PM   #349
opendoor

Quote:
Originally Posted by calgarywinning
So a hybrid more or less. So you could literally take the alpha strings from the scan, insert a valid private encryption key into the data, add the unencrypted information for yourself and away you go. Granted, a technical understanding is needed.
How would adding your own private key to the data allow it to pass a check by the government's app? The app only validates the signature against the government's key and if it's tampered with in any way, it won't match and will fail the signature check.

Quote:
I'm also not condoning this at all. I am curious to the mechanics and what makes a QR code special. In Alberta's first passport for a few days, the data was just a card that was easily reproducible. In my mind, all the data would have to be encrypted to deliver an on screen verify to government id.
The QR code is easily reproducible, that's by design. But if the signature isn't validated, it's useless. Quebec's system did have a flaw when it was first introduced, as the app allowed 3rd party keys to be used but didn't verify that those keys matched the issuer (i.e. government of Quebec), but that was fixed almost immediately and now only government issued keys are used:

https://www.welivesecurity.com/2021/08/31/flaw-quebec-vaccine-passport-vaxicode-verif-analysis
10-10-2021, 05:33 PM   #350
calgarywinning

Quote:
Originally Posted by opendoor
How would adding your own private key to the data allow it to pass a check by the government's app? The app only validates the signature against the government's key and if it's tampered with in any way, it won't match and will fail the signature check.
If all the data is not encrypted, you would simply convert the QR code to its text string. Compare where the valid generated key is and copy and paste into a new text string with a valid code and your personals. So you would need a valid QR code (say from a family member), not self-generation as in the article (which is a very good read).

If all the data is encrypted, then you would need the public key to reverse engineer.

So if you were collecting unencrypted data, it would be interesting to see how complicated the government's algorithm was for generating the private key.

My initial post was incorrect in that I didn't take into account encrypting within the QR, but the limitation of QR is now the length of data around each key. How sophisticated is the government? See above where they were producing a passport easily replicable for several days here in AB.

This really begets two other questions and your article addresses one of them. Currently access to our health care system is around a government issued Health Card which is easily reproducible.

Secondly, how much tech do we want associated with our ability to move freely? While we are in a pandemic, I 100% agree with CSEC and this week's Gov of Alberta to verify vaccination and identity. I am also 100% against document faking.
1) is this a temporary measure
2) is there data being collected and sent back (batch process).
- offline verification; but that's an assumption.
- the article calls for transparency

Very interesting discussion. My initial suggestion was the QR code was a text string, which it is, but if it was a checksum encrypted with all your personal data then it would be next to impossible to replicate. How in 3 days did we go from a basic card to this?

My bet is there is a single key, not user specific. Who knows.
10-10-2021, 09:15 PM   #351
opendoor

Quote:
Originally Posted by calgarywinning
If all the data is not encrypted, you would simply convert the QR code to its text string. Compare where the valid generated key is and copy and paste into a new text string with a valid code and your personals. So you would need a valid QR code (say from a family member), not self-generation as in the article (which is a very good read).

If all the data is encrypted, then you would need the public key to reverse engineer.

So if you were collecting unencrypted data, it would be interesting to see how complicated the government's algorithm was for generating the private key.
But the signature is generated based on the information in the records, and modifying the records in any way (e.g. putting your own info into someone else's record) invalidates the signature.

Quote:
With respect to patient privacy, note that when a SMART Health Card is issued, it is cryptographically signed by the Issuer. This means that the contents, including the FHIR Bundle, cannot be changed without invalidating the signature.
https://build.fhir.org/ig/HL7/fhir-shc-vaccination-ig/

Here's more info:

https://github.com/dvci/health-cards...%20Cards.ipynb
10-10-2021, 09:49 PM   #352
jayswin

Quote:
Originally Posted by Press Level
CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
Oh absolutely, this is major and the silence is intended. I wouldn't be surprised if CP is contacted sometime soon to ask for the topic to be removed if it keeps getting large views and post counts here.
10-10-2021, 10:39 PM   #353
calgarywinning

Quote:
Originally Posted by opendoor
But the signature is generated based on the information in the records, and modifying the records in any way (e.g. putting your own info into someone else's record) invalidates the signature.

https://build.fhir.org/ig/HL7/fhir-shc-vaccination-ig/

Here's more info:

https://github.com/dvci/health-cards...%20Cards.ipynb
I just think a lot more work needs to be done. A QR code isn't anything but a string of text, which was my original post and correct. I agree with you it can be encrypted, which doesn't make me wrong. Do I think the government of Alberta is encrypting?

We need to know because this will limit society's ability to move and travel. And we can't leave the methodology up to a government that was issuing such a weak passport to begin with, without QR.

In fact, I'd be willing to bet the QR code from Alberta is just a flash in the pan or a show that is harder to replicate than their first 3 day attempt.
10-12-2021, 04:46 PM   #354
Fuzz

Presumably the new provincial app makes all this obsolete and useless at this point?
10-12-2021, 07:57 PM   #355
Pellanor

Quote:
Originally Posted by calgarywinning
Very interesting discussion. My initial suggestion was the QR code was a text string, which it is, but if it was a checksum encrypted with all your personal data then it would be next to impossible to replicate. How in 3 days did we go from a basic card to this?

My bet is there is a single key, not user specific. Who knows.
Honestly, it's not that hard. There are some really good cryptography libraries out there that make this kind of signing really straightforward.

Here's a signed token containing my CP user id, name and join date:
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNjY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjJ9.LqmX3-yEqGmKDO93dlM0xXD3Q8Jmkow46U_xwfH6c6G1fDwyOK4AtWUK6rejygLvyUKJ4_8tKkCaPbxvjELfAAGZQKkhyE6becb4R0nuiXWT23Gb3JzVWDcXfuTsVo_t5DI8ZWVvfK9UaK9kUWd-4LSvgWOewn3wHkFDoN8eh77cQMsCbC_GL_2-_2tNfhJ9nWe5UcjiuSUF1yHmeQJ2XHm0MIPth9tDrNdCmi-qaphFTOXgPpewnxb_v5PvvXt0zzbcTGF5VEII6HghWCgCcFh807MTwt2Y-7oy3nh8CY1i9EaNtAnqWXcXYiapO7hW4x6vk78Cmuwpb1V50nmAuQ
And the public key it can be verified with
Quote:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
10-12-2021, 08:07 PM   #356
calgarywinning

Quote:
Originally Posted by Pellanor
Honestly, it's not that hard. There's some really good cryptography libraries out there that make this kind of signing really straight forward.

Here's a signed token containing my CP user id, name and join date:
And the public key it can be verified with
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
Amazing. So cool. Concept, proof of concept. Encrypted data. Can you do a private key by changing one value and encrypting to share? Like just one character.
10-12-2021, 08:16 PM   #357
IamNotKenKing

Quote:
Originally Posted by Pellanor
Honestly, it's not that hard. There's some really good cryptography libraries out there that make this kind of signing really straight forward.

Here's a signed token containing my CP user id, name and join date:
And the public key it can be verified with
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
I don't know what any of this means.
10-12-2021, 08:46 PM   #358
Pellanor

Quote:
Originally Posted by calgarywinning
Amazing. So cool. Concept, proof of concept. Encrypted data. Can you do a private key by changing one value and encrypting to share? Like just one character.
Quote:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNjY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.LqmX3-yEqGmKDO93dlM0xXD3Q8Jmkow46U_xwfH6c6G1fDwyOK4AtWUK6rejygLvyUKJ4_8tKkCaPbxvjELfAAGZQKkhyE6becb4R0nuiXWT23Gb3JzVWDcXfuTsVo_t5DI8ZWVvfK9UaK9kUWd-4LSvgWOewn3wHkFDoN8eh77cQMsCbC_GL_2-_2tNfhJ9nWe5UcjiuSUF1yHmeQJ2XHm0MIPth9tDrNdCmi-qaphFTOXgPpewnxb_v5PvvXt0zzbcTGF5VEII6HghWCgCcFh807MTwt2Y-7oy3nh8CY1i9EaNtAnqWXcXYiapO7hW4x6vk78Cmuwpb1V50nmAuQ
So here's the same signed token with one character changed. Since it's URL encoded, the token has two characters that are different, which I highlighted in red. The signature hasn't changed, so when you decode the token on jwt.io using the provided public key, you can see that it has an invalid signature.

However, if I make the same one character change but sign it with the private key rather than re-using the signature, you can see that the entire last segment (after the highlighted characters) of the token has changed to reflect this.
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNjY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.N9IU4NkGVOKzjuY9D0T6IQNDN9t2kFZRiqua0Kgrkt-AoQo5oYnUoN_vDgTw89foFmw122dAE0_OGAskvkQp2JKBLjTqYkSnA9Q9FqUVbCwJClNRgdNYEM5tSnCHKAqnG-nLFTqX1j9UnSWJcob9xEUEhBS58yaVOq0JG7XwjfOfOV6lvcG6CWpHC3jy6Z4aCIg6LvuJKJ43v0Svf8inQ1iTUX6pr5RS_W47gMaJ-JaT7QsDy99BeWLPzL_xfwQGRg2jVrjXW-DAVIqtrqJGYeMDvBtPYpDqUFq_AdNYOicjBX4yptcAZ55VdAKG_eMrEDDrucfpZtvRAkCgwvsXBgp
I could use a different private key to sign a modified token, but then it wouldn't match the public key that I'd given out earlier, so you would still get an invalid signature.
10-12-2021, 09:26 PM   #359
RM14
After all of the preseason games, can anyone confirm the most efficient way to enter a game?
10-12-2021, 09:28 PM   #360
Since1984

Quote:
Originally Posted by RM14
After all of the preseason games, can anyone confirm the most efficient way to enter a game?
Through the doors... Zing