10-10-2021, 10:02 AM
|
#341
|
That Crazy Guy at the Bus Stop
Join Date: Jun 2010
Location: Springfield Penitentiary
|
Quote:
Originally Posted by Beatle17
So should everyone get together and head down to the Dome and protest, or just attack CSEC. IF you chose to sign up on some unknown site that is on you (not you specifically) when there were other options.
Sure people can forge the documents but I would bet that is 1 in 100,000 people that think they are proving something cool, they are morons also. People need to take some personal responsibility for choosing to sign up on an unknown website.
|
No. If the Flames are supporting an app, it is on them to ensure it is safe. If they use Ticketmaster and it turns out TM is a scam website that sells fraudulent tickets, that’s on the Flames for endorsing TM.
1 in 100k lol? I’d bet it’s more like 50% in Alberta in places where enforcement is in place.
|
|
|
10-10-2021, 11:41 AM
|
#342
|
Scoring Winger
|
CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
|
|
|
|
|
10-10-2021, 12:06 PM
|
#343
|
Franchise Player
Join Date: Dec 2003
Location: Sector 7-G
|
Quote:
Originally Posted by Beatle17
So should everyone get together and head down to the Dome and protest, or just attack CSEC. IF you chose to sign up on some unknown site that is on you (not you specifically) when there were other options.
Sure people can forge the documents but I would bet that is 1 in 100,000 people that think they are proving something cool, they are morons also. People need to take some personal responsibility for choosing to sign up on an unknown website.
|
Sure people may have jumped the gun and signed up but they did so because the CSEC pushed this app very hard in all the email blasts/media posts over the summer, including getting their social media staff and staff who are on Twitter to push it.
This falls solely on the CSEC for not putting in an ounce of effort in vetting and pre-looking the app before it launched. They got sucked into those catch phrases and signed on the dotted line.
|
|
|
10-10-2021, 12:12 PM
|
#344
|
Franchise Player
|
Quote:
Originally Posted by calgarywinning
QR codes are barcodes that can carry larger amounts of data. They don't authenticate the data. Nor do they encrypt it.
In order to have a QR passport of some kind that preserved the individual privacy it would have to be encrypted end to end with the government. Then an external return of valid or not from the encrypted database.
|
That's not correct. The government app absolutely can authenticate the validity of the QR code without relying on connecting to a database. The QR codes use asymmetric cryptography where every issued QR code is signed using a private key, and the public key (used in the app) can be used to verify that it's genuine. So they can't be altered in any way, or they would fail the signature check when scanned.
|
|
|
|
10-10-2021, 03:01 PM
|
#345
|
First Line Centre
Join Date: Feb 2013
Location: Field near Field, AB
|
Quote:
Originally Posted by opendoor
That's not correct. The government app absolutely can authenticate the validity of the QR code without relying on connecting to a database. The QR codes use asymmetric cryptography where every issued QR code is signed using a private key, and the public key (used in the app) can be used to verify that it's genuine. So they can't be altered in any way, or they would fail the signature check when scanned.
|
The personal crypto key is completely visible as a data point in the QR barcode. Then I see what you mean about the public key. So my bad. However:
A QR-code is just text. You can encrypt text with your preferred encryption mechanism. Then transform this text into a QR-code. The clue is, that you will need a reader and writer for de- and encryption. The biggest problem is the size of the text and the resulting size of the QR-code. Encryption enlarges texts a lot.
So let's work through this. Does the public key unlock a CHECKSUM only, verifying it is a legitimate QR, or does it "unlock the personal information" encoded in, such as name, birth date and vac dates, double or single dose? Is the personal data not encrypted in the bar code and just the CHECKSUM? I guess this would happen on end to end encryption as well. I'd be extremely curious about this process.
However, I'm not sure if you had seen Alberta's first version of the vaccine passport which is much like a health card of basic printed data?
|
|
|
10-10-2021, 04:01 PM
|
#346
|
Franchise Player
|
Quote:
Originally Posted by calgarywinning
The personal crypto key is completely visible as a data point in the QR barcode. Then I see what you mean about the public key. So my bad. However:
A QR-code is just text. You can encrypt text with your preferred encryption mechanism. Then transform this text into a QR-code. The clue is, that you will need a reader and writer for de- and encryption. The biggest problem is the size of the text and the resulting size of the QR-code. Encryption enlarges texts a lot.
So let's work through this. Does the public key unlock a CHECKSUM only, verifying it is a legitimate QR, or does it "unlock the personal information" encoded in, such as name, birth date and vac dates, double or single dose? Is the personal data not encrypted in the bar code and just the CHECKSUM? I guess this would happen on end to end encryption as well. I'd be extremely curious about this process.
However, I'm not sure if you had seen Alberta's first version of the vaccine passport which is much like a health card of basic printed data?
|
I don't know the specifics of what Alberta is doing (I assume their QR code is the same as everywhere else, since the Federal Government has requirements for them), but for BC and Quebec (and most states that are doing this), the information itself is not encrypted. Any app that is capable of reading the SMART Health Card QR format can access your name, DOB, vaccination dates, and type of vaccine. Given the relatively low sensitivity of that information, trying to encrypt it would have introduced more problems than it solved (if it even worked at all). So the signature and key are only to ensure that it's a genuine QR code that has been issued by the government and hasn't been tampered with. But it can be done entirely offline, which is vitally important for this kind of thing.
|
|
|
10-10-2021, 04:07 PM
|
#347
|
Lifetime Suspension
|
Quote:
Originally Posted by Press Level
CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
|
You'd think if they were, they'd have retracted all affiliation with the app the moment that guy's tweets came out.
They played a dangerous game continuing to stand by them while they "work out the bugs".
|
|
|
10-10-2021, 04:23 PM
|
#348
|
First Line Centre
Join Date: Feb 2013
Location: Field near Field, AB
|
Quote:
Originally Posted by opendoor
I don't know the specifics of what Alberta is doing (I assume their QR code is the same as everywhere else, since the Federal Government has requirements for them), but for BC and Quebec (and most states that are doing this), the information itself is not encrypted. Any app that is capable of reading the SMART Health Card QR format can access your name, DOB, vaccination dates, and type of vaccine. Given the relatively low sensitivity of that information, trying to encrypt it would have introduced more problems than it solved (if it even worked at all). So the signature and key are only to ensure that it's a genuine QR code that has been issued by the government and hasn't been tampered with. But it can be done entirely offline, which is vitally important for this kind of thing.
|
So a hybrid more or less. So you could literally take the alpha strings from the scan, and insert a valid private encryption key to the data, add the unencrypted information for yourself and away you go. Granted a technical understanding needed.
I'm also not condoning this at all. I am curious to the mechanics and what makes a QR code special. In Alberta's first passport for a few days, the data was just a card that was easily reproducible. In my mind, all the data would have to be encrypted to deliver an on screen verify to government id.
|
|
|
10-10-2021, 05:05 PM
|
#349
|
Franchise Player
|
Quote:
Originally Posted by calgarywinning
So a hybrid more or less. So you could literally take the alpha strings from the scan, and insert a valid private encryption key to the data, add the unencrypted information for yourself and away you go. Granted a technical understanding needed.
|
How would adding your own private key to the data allow it to pass a check by the government's app? The app only validates the signature against the government's key and if it's tampered with in any way, it won't match and will fail the signature check.
Quote:
I'm also not condoning this at all. I am curious to the mechanics and what makes a QR code special. In Alberta's first passport for a few days, the data was just a card that was easily reproducible. In my mind, all the data would have to be encrypted to deliver an on screen verify to government id.
|
The QR code is easily reproducible, that's by design. But if the signature isn't validated, it's useless. Quebec's system did have a flaw when it was first introduced, as the app allowed 3rd party keys to be used but didn't verify that those keys matched the issuer (i.e. government of Quebec), but that was fixed almost immediately and now only government issued keys are used:
https://www.welivesecurity.com/2021/08/31/flaw-quebec-vaccine-passport-vaxicode-verif-analysis
|
|
|
10-10-2021, 05:33 PM
|
#350
|
First Line Centre
Join Date: Feb 2013
Location: Field near Field, AB
|
Quote:
Originally Posted by opendoor
How would adding your own private key to the data allow it to pass a check by the government's app? The app only validates the signature against the government's key and if it's tampered with in any way, it won't match and will fail the signature check.
|
If all the data is not encrypted, you would simply convert the QR code to its text string. Compare where the valid generated key is and copy and paste into a new text string with a valid code and your personals. So you would need a valid QR code (say from a family member), not self generation as in the article (which is a very good read).
If all the data is encrypted, then you would need the public key to reverse engineer.
So if you were collecting unencrypted data, it would be interesting to see how complicated the government's algorithm was for generating the private key.
My initial post was incorrect in that I didn't take into account encrypting within the QR, but the limitation of QR is now the length of data around each key. How sophisticated is the government. See above where they were producing a passport easily replicable for several days here in AB.
This really begets two other questions and your article addresses one of them. Currently access to our health care system is around a government issued Health Card which is easily reproducible.
Secondly, how much tech do we want associated with our ability to move freely. While we are in a pandemic and I 100% agree with CSEC and this week's Gov of Alberta to verify vaccination and identity. I am also 100% against document faking.
1) is this a temporary measure
2) is there data being collected and sent back (batch process).
- offline verification; but that's an assumption.
- the article calls for transparency
Very interesting discussion. My initial suggestion was the QR code was a text string, which it is, but if it was a checksum encrypted with all your personal data then it would be next to impossible to replicate. How in 3 days did we go from a basic card to this?
My bet is there is a single key, not user specific. Who knows.
|
|
|
10-10-2021, 09:15 PM
|
#351
|
Franchise Player
|
Quote:
Originally Posted by calgarywinning
If all the data is not encrypted, you would simply convert the QR code to its text string. Compare where the valid generated key is and copy and paste into a new text string with a valid code and your personals. So you would need a valid QR code (say from a family member), not self generation as in the article (which is a very good read).
If all the data is encrypted, then you would need the public key to reverse engineer.
So if you were collecting unencrypted data, it would be interesting to see how complicated the government's algorithm was for generating the private key.
|
But the signature is generated based on the information in the records, and modifying the records in any way (e.g. putting your own info into someone else's record) invalidates the signature.
Quote:
With respect to patient privacy, note that when a SMART Health Card is issued, it is cryptographically signed by the Issuer. This means that the contents, including the FHIR Bundle, cannot be changed without invalidating the signature.
|
https://build.fhir.org/ig/HL7/fhir-shc-vaccination-ig/
Here's more info:
https://github.com/dvci/health-cards...%20Cards.ipynb
|
|
|
|
|
10-10-2021, 09:49 PM
|
#352
|
Celebrated Square Root Day
|
Quote:
Originally Posted by Press Level
CSEC are undoubtedly terrified of being sued over this. Don't be surprised if they maintain radio silence for the foreseeable future.
|
Oh absolutely, this is major and the silence is intended. I wouldn't be surprised if CP is contacted sometime soon to ask for the topic to be removed if it keeps getting large views and post counts here.
|
|
|
10-10-2021, 10:39 PM
|
#353
|
First Line Centre
Join Date: Feb 2013
Location: Field near Field, AB
|
Quote:
Originally Posted by opendoor
|
I just think a lot more work needs to be done. A QR code isn't anything but a string of text which was my original post and correct. I agree with you it can be encrypted, which doesn't make me wrong. Do I think the government of Alberta is encrypting?
We need to know because this will limit society's ability to move and travel. And we can't leave the methodology up to a government that was issuing such a weak passport to begin without QR.
In fact, I'd be willing to bet the QR code from Alberta is just a flash in the pan or a show that is harder to replicate than their first 3 day attempt.
|
|
|
10-12-2021, 04:46 PM
|
#354
|
Franchise Player
Join Date: Mar 2015
Location: Pickle Jar Lake
|
Presumably the new provincial app makes all this obsolete and useless at this point?
|
|
|
10-12-2021, 07:57 PM
|
#355
|
Backup Goalie
Join Date: Apr 2014
|
Quote:
Originally Posted by calgarywinning
Very interesting discussion. My initial suggestion was the QR code was a text string, which it is, but if it was a checksum encrypted with all your personal data then it would be next to impossible to replicate. How in 3 days did we go from a basic card to this?
My bet is there is a single key, not user specific. Who knows.
|
Honestly, it's not that hard. There are some really good cryptography libraries out there that make this kind of signing really straightforward.
Here's a signed token containing my CP user id, name and join date:
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxN jY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA 0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjJ9.LqmX3-yEqGmKDO93dlM0xXD3Q8Jmkow46U_xwfH6c6G1fDwyOK4AtWUK 6rejygLvyUKJ4_8tKkCaPbxvjELfAAGZQKkhyE6becb4R0nuiX WT23Gb3JzVWDcXfuTsVo_t5DI8ZWVvfK9UaK9kUWd-4LSvgWOewn3wHkFDoN8eh77cQMsCbC_GL_2-_2tNfhJ9nWe5UcjiuSUF1yHmeQJ2XHm0MIPth9tDrNdCmi-qaphFTOXgPpewnxb_v5PvvXt0zzbcTGF5VEII6HghWCgCcFh80 7MTwt2Y-7oy3nh8CY1i9EaNtAnqWXcXYiapO7hW4x6vk78Cmuwpb1V50nm AuQ
|
And the public key it can be verified with
Quote:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1L fVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuem MghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjy kkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAq eGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----
|
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
|
|
|
|
|
10-12-2021, 08:07 PM
|
#356
|
First Line Centre
Join Date: Feb 2013
Location: Field near Field, AB
|
Quote:
Originally Posted by Pellanor
Honestly, it's not that hard. There are some really good cryptography libraries out there that make this kind of signing really straightforward.
Here's a signed token containing my CP user id, name and join date:
And the public key it can be verified with
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
|
Amazing. So cool. Concept, proof of concept. Encrypted data. Can you do a private key by changing one value and encrypting to share? Like just one character.
|
|
|
10-12-2021, 08:16 PM
|
#357
|
#1 Goaltender
|
Quote:
Originally Posted by Pellanor
Honestly, it's not that hard. There are some really good cryptography libraries out there that make this kind of signing really straightforward.
Here's a signed token containing my CP user id, name and join date:
And the public key it can be verified with
You can decode it on jwt.io. This took me five minutes to do, and I could code a barebones app to generate QR codes from this in an afternoon.
|
I don't know what any of this means.
|
|
|
10-12-2021, 08:46 PM
|
#358
|
Backup Goalie
Join Date: Apr 2014
|
Quote:
Originally Posted by calgarywinning
Amazing. So cool. Concept, proof of concept. Encrypted data. Can you do a private key by changing one value and encrypting to share? Like just one character.
|
Quote:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxN jY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA 0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.LqmX3-yEqGmKDO93dlM0xXD3Q8Jmkow46U_xwfH6c6G1fDwyOK4AtWUK 6rejygLvyUKJ4_8tKkCaPbxvjELfAAGZQKkhyE6becb4R0nuiX WT23Gb3JzVWDcXfuTsVo_t5DI8ZWVvfK9UaK9kUWd-4LSvgWOewn3wHkFDoN8eh77cQMsCbC_GL_2-_2tNfhJ9nWe5UcjiuSUF1yHmeQJ2XHm0MIPth9tDrNdCmi-qaphFTOXgPpewnxb_v5PvvXt0zzbcTGF5VEII6HghWCgCcFh80 7MTwt2Y-7oy3nh8CY1i9EaNtAnqWXcXYiapO7hW4x6vk78Cmuwpb1V50nm AuQ
|
So here's the same signed token with one character changed. Since it's URL encoded, the token has two characters that are different, which I highlighted in red. The signature hasn't changed, so when you decode the token on jwt.io using the provided public key, you can see that it has an invalid signature.
However, if I make the same one character change, but sign it with the private key rather than re-using the signature, you can see that the entire last segment (after the highlighted characters) of the token has changed to reflect this.
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxN jY5NSIsIm5hbWUiOiJQZWxsYW5vciIsImpvaW5fZGF0ZSI6IjA 0LTExLTIwMTQiLCJpYXQiOjE1MTYyMzkwMjN9.N9IU4NkGVOKzjuY9D0T6IQNDN9t2kFZRiqua0Kgrkt-AoQo5oYnUoN_vDgTw89foFmw122dAE0_OGAskvkQp2JKBLjTqY kSnA9Q9FqUVbCwJClNRgdNYEM5tSnCHKAqnG-nLFTqX1j9UnSWJcob9xEUEhBS58yaVOq0JG7XwjfOfOV6lvcG6 CWpHC3jy6Z4aCIg6LvuJKJ43v0Svf8inQ1iTUX6pr5RS_W47gM aJ-JaT7QsDy99BeWLPzL_xfwQGRg2jVrjXW-DAVIqtrqJGYeMDvBtPYpDqUFq_AdNYOicjBX4yptcAZ55VdAKG _eMrEDDrucfpZtvRAkCgwvsXBgp
|
I could use a different private key to sign a modified token, but then it wouldn't match the public key that I'd given out earlier, so you would still get an invalid signature.
|
|
|
|
|
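Added example (not written by any poster in this thread): the checks Pellanor and opendoor describe, as a small RS256-style signer and offline verifier in Python. The key pairs are toy keys built from known Mersenne primes so the block runs with the standard library only; `ISSUER`, `OTHER`, `PINNED`, the `kid` values and the claims are all constructed for the demo.

```python
import base64
import hashlib
import json

# DigestInfo prefix for SHA-256 used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Toy RSA key from two well-known Mersenne primes: demo only, trivially factorable."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def padded_digest(message: bytes, n: int) -> int:
    """SHA-256 the message and apply PKCS#1 v1.5 signature padding, as RS256 does."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(claims: dict, key: dict, kid: str) -> str:
    """Issuer side: sign header.payload with the private exponent."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = encode_part(header) + "." + encode_part(claims)
    sig = pow(padded_digest(signing_input.encode(), key["n"]), key["d"], key["n"])
    return signing_input + "." + b64url(sig.to_bytes((key["n"].bit_length() + 7) // 8, "big"))

def verify(token: str, pinned_keys: dict):
    """Verifier side, fully offline: return the claims, or None if any check fails."""
    try:
        head, body, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head))
        key = pinned_keys.get(header.get("kid"))  # key comes from the app, never the token
        if key is None or header.get("alg") != "RS256":
            return None
        sig = int.from_bytes(b64url_decode(sig_b64), "big")
        expected = padded_digest(f"{head}.{body}".encode(), key["n"])
        if sig >= key["n"] or pow(sig, key["e"], key["n"]) != expected:
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, AttributeError, TypeError):
        return None

def swap_payload(token: str, new_claims: dict) -> str:
    """Edit the readable payload but reuse the old signature."""
    head, _, sig = token.split(".")
    return f"{head}.{encode_part(new_claims)}.{sig}"

# Constructed demo data: keys, key id and claims are made up for this example.
ISSUER = make_key(2**521 - 1, 2**607 - 1)
OTHER = make_key(2**1279 - 1, 2**2203 - 1)  # someone else's key pair
PINNED = {"issuer-1": {"n": ISSUER["n"], "e": ISSUER["e"]}}  # public half only
CLAIMS = {"sub": "1234", "name": "Example User", "join_date": "01-01-2020", "iat": 1516239022}
EDITED = dict(CLAIMS, iat=1516239023)  # one digit changed

if __name__ == "__main__":
    token = sign(CLAIMS, ISSUER, "issuer-1")
    print("genuine token:      ", verify(token, PINNED))
    print("payload edited:     ", verify(swap_payload(token, EDITED), PINNED))
    print("signed by other key:", verify(sign(EDITED, OTHER, "issuer-1"), PINNED))
    print("re-signed by issuer:", verify(sign(EDITED, ISSUER, "issuer-1"), PINNED))
```

The payload stays readable to anyone, yet only the last case, where the holder of the issuer's private key re-signs the edited claims, verifies again.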
10-12-2021, 09:26 PM
|
#359
|
First Line Centre
Join Date: Oct 2009
Location: Calgary
|
After all of the pre-season games... can anyone confirm the most efficient way to enter a game?
|
|
|
10-12-2021, 09:28 PM
|
#360
|
First Line Centre
|
Quote:
Originally Posted by RM14
After all of the pre-season games... can anyone confirm the most efficient way to enter a game?
|
Through the doors... Zing
|
|
|
|
|