Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 10-12-2021, 09:49 PM   #361
Pellanor
Backup Goalie
 
Join Date: Apr 2014

Quote:
Originally Posted by IamNotKenKing View Post
I don't know what any of this means.
Okay, let's see if I can explain this better.

Here is a token
Quote:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSWFtTm90S2VuS2luZyIsImRvc2UxIjoiMjAyMS0wNS0yNSIsImRvc2UyIjoiMjAyMS0wNi0yNSJ9.sX1NJjuE8ATMVrDDKUXe1gYLKL9D7W4nngMbtxLij0JjusfawUmdSvbczJZfRLZisqdVfX_IUZKAQngCtSaC4oAKqnUQwavvcAKbmjI_9gtNeA5YNKS_nsJGm32a7vA_mnQO0o6vULrESbOt5sWvnVbP91gxee_ygIuI4Hhsr9uLyJ0Mi22LMPQHsc45nwYG1mN7JEDbSLaYAlXvwlCbq38ulLwx714ht-SrSE1Mtzc0VEIolr7rNF0obHRGFeEp01BWPHO0gWMm2AxjTvH6vk-CJw62aeU7eAm4B7-jsGsKOoEGuGaBq0njHrGwPbaAFw1WWEe_6DglAp5m7YRhUA
It contains your vaccine info
Quote:
{
"name": "IamNotKenKing",
"dose1": "2021-05-25",
"dose2": "2021-06-25"
}
along with some other technical info, and finally a signature that can be used to verify that the information is correct. It's stored in this format, rather than the easier to read format, so you can easily stick it in a link for an app on your phone to open.


On the government servers, they have your vaccine information, along with a Private Key. This key is what they use to generate signatures, and involves a bunch of complex math. Basically Data + Private Key = Signature. Though it's important to note that you can't use the data + signature to calculate the private key.
When you got your QR code from the government site, they use your data, sign it with the private key, and encode the whole token into the QR code.

On the app used by whoever is verifying your vaccine information is a Public Key. This key was generated by the government based on their private key and can be used to verify signatures. Given Data + Public Key + Signature and some complex math you can calculate if the data is valid. The public key is never enough to sign something, it's only ever able to verify a signature. For this reason it's safe for the government to give out.

So somebody scans your QR code with their fancy app, they get the token, and the app uses their public key to verify that the data matches the signature. If the data was altered, but not the signature, they get an error because the signature doesn't match the data. If somebody alters the data and signs it with their own private key, then you still get an error because the public key can't verify signatures made with different private keys.



The website I linked, jwt.io, is basically a sandbox for playing with and testing these types of tokens. It's how I was able to generate the example so easily. Since this is an open standard that a lot of the web runs on, there are a lot of libraries out there that do all the heavy lifting and complex math for you. I can go get whatever library that google or facebook uses, give it my user data and private key, and it will create the token for me. On my app I can use the same library and my public key to verify the data. There's more to it than just that for a proper and secure implementation, for example you need a good way to store your private keys so not everybody at your organization has access to them, but the government is likely to have most of that infrastructure in place already. So just generating some signed QR codes would be pretty straightforward.

Of course this is just one way that the data could be signed and verified. It's the one I'm most familiar with, and quite popular, but there are plenty of other formats as well.
Old 10-12-2021, 11:00 PM   #362
calgarywinning
First Line Centre
 
Join Date: Feb 2013
Location: Field near Field, AB

Quote:
Originally Posted by Pellanor View Post
So here's the same signed token with one character changed. Since it's URL encoded, the token has two characters that are different, which I highlighted in red. The signature hasn't changed, so when you decode the token on jwt.io using the provided public key, you can see that it has an invalid signature.

However if I make the same one character change, but sign it with the private key rather than re-using the signature you can see that the entire last segment (after the highlighted characters) of the token has changed to reflect this.
I could use a different private key to sign a modified token, but then it wouldn't match the public key that I'd given out earlier, so you would still get an invalid signature.
Honestly amazing. Great case of use and answers all my questions. Clearly, I didn't know you could encode so much in a QR.

Thank you for the example and the time!
The Following 3 Users Say Thank You to calgarywinning For This Useful Post:
Old 10-13-2021, 07:12 AM   #363
GioforPM
Franchise Player
 
Join Date: Oct 2014
Location: Springbank

Just downloaded the QR app that reads the vaccine code and it works just fine. Honestly, this whole Portpass thing was goofy, but having the QR would have made it irrelevant. But there was just no will at the government end until they were forced.
Old 10-13-2021, 08:08 AM   #364
Fuzz
Franchise Player
 
Join Date: Mar 2015
Location: Pickle Jar Lake

I don't know much about QR codes, but I thought I'd test one thing. I scanned the QR code with the Android camera and got the text of the code. I then used that on this site:

https://www.the-qrcode-generator.com/

It generated a valid code for the app (which makes sense, because the code is just a representation of the text string). I then changed one number, which then generated an invalid code.
Old 10-13-2021, 08:21 AM   #365
bdubbs
Powerplay Quarterback
 
Join Date: Jan 2014

Man why can't all threads be this interesting and useful? Thanks for the examples Pellanor.
The Following User Says Thank You to bdubbs For This Useful Post:
Old 10-13-2021, 08:32 AM   #366
SanFranFlamesFan
Crash and Bang Winger
 
Join Date: Aug 2006
Location: Beside the Dome

I did not expect to see a solid explanation of asymmetric cryptography and digital signatures on CalgaryPuck.
The Following 9 Users Say Thank You to SanFranFlamesFan For This Useful Post:
Old 10-13-2021, 08:35 AM   #367
SanFranFlamesFan
Crash and Bang Winger
 
Join Date: Aug 2006
Location: Beside the Dome

Quote:
Originally Posted by calgarywinning View Post
Honestly amazing. Great case of use and answers all my questions. Clearly, I didn't know you could encode so much in a QR.
Of note: there is nothing special about the QR code. It's just a way to encode text in a graphical format. We could equivalently do this whole vaccine passport by having our text-based vaccine passports on our phone. The obvious problem is there's no way to effectively send that text to someone who wants to verify it. (You could text it to them but this would take forever). The QR code makes it scannable so the whole process is dramatically faster.
Old 10-13-2021, 09:12 AM   #368
Inglewood Jack
#1 Goaltender
 
Join Date: Jan 2012

the only thing that's still slightly annoying is the scanning app says that the person's ID needs to be checked to validate the name and birth date embedded in the QR. so you're still pulling out your driver's license along with your phone or printed code.

in theory that was the one advantage of PortPass is that it combined both into a single scan. not sure if there's a way for the AB app to evolve into that. maybe they should ask Zak about it.
Old 10-13-2021, 09:20 AM   #369
Fuzz
Franchise Player
 
Join Date: Mar 2015
Location: Pickle Jar Lake

Quote:
Originally Posted by Inglewood Jack View Post
the only thing that's still slightly annoying is the scanning app says that the person's ID needs to be checked to validate the name and birth date embedded in the QR. so you're still pulling out your driver's license along with your phone or printed code.

in theory that was the one advantage of PortPass is that it combined both into a single scan. not sure if there's a way for the AB app to evolve into that. maybe they should ask Zak about it.
Without verifying the ID, how do you prove someone didn't just print off someone else's QR code?
The Following User Says Thank You to Fuzz For This Useful Post:
Old 10-13-2021, 10:00 AM   #370
opendoor
Franchise Player
 
Join Date: Apr 2007

Quote:
Originally Posted by Inglewood Jack View Post
the only thing that's still slightly annoying is the scanning app says that the person's ID needs to be checked to validate the name and birth date embedded in the QR. so you're still pulling out your driver's license along with your phone or printed code.

in theory that was the one advantage of PortPass is that it combined both into a single scan. not sure if there's a way for the AB app to evolve into that. maybe they should ask Zak about it.
If the photo ID is digitized, it'd be pretty trivial to fake it. You get a friend's QR code, scan their ID, and Photoshop your own picture on it and you're good to go. Presenting original pieces of ID is really the only way it'd work.

Interestingly, because of the ID check, I know a few people who have opted for paper QR codes over digital ones. They just keep it in the same spot as their license and instead of fiddling with their phone and a piece of ID, they just pull both out at once.
The Following 2 Users Say Thank You to opendoor For This Useful Post:
Old 10-13-2021, 10:04 AM   #371
opendoor
Franchise Player
 
Join Date: Apr 2007

Quote:
Originally Posted by Pellanor View Post
The website I linked, jwt.io, is basically a sandbox for playing with and testing these types of tokens. It's how I was able to generate the example so easily. Since this is an open standard that a lot of the web runs on, there are a lot of libraries out there that do all the heavy lifting and complex math for you. I can go get whatever library that google or facebook uses, give it my user data and private key, and it will create the token for me. On my app I can use the same library and my public key to verify the data. There's more to it than just that for a proper and secure implementation, for example you need a good way to store your private keys so not everybody at your organization has access to them, but the government is likely to have most of that infrastructure in place already. So just generating some signed QR codes would be pretty straightforward.

Of course this is just one way that the data could be signed and verified. It's the one I'm most familiar with, and quite popular, but there are plenty of other formats as well.
Fantastic explanation. And signed JSON Web Tokens are exactly how the QR codes are validated, so your example is perfect.
The Following 2 Users Say Thank You to opendoor For This Useful Post:
Old 10-13-2021, 10:47 AM   #372
Pellanor
Backup Goalie
 
Join Date: Apr 2014

Quote:
Originally Posted by calgarywinning View Post
Honestly amazing. Great case of use and answers all my questions. Clearly, I didn't know you could encode so much in a QR.

Thank you for the example and the time!
Thanks for asking! Usually I'm just absorbing information from everybody who knows way more about hockey than I do, so it's nice to be able to share some of my expertise this time.
The Following 9 Users Say Thank You to Pellanor For This Useful Post:
Old 10-13-2021, 11:10 AM   #373
IamNotKenKing
#1 Goaltender
 
Join Date: Nov 2006

Quote:
Originally Posted by Pellanor View Post
Okay, let's see if I can explain this better.

Here is a token
It contains your vaccine info

Quote:
{
"name": "IamNotKenKing",
"dose1": "2021-05-25",
"dose2": "2021-06-25"
}


along with some other technical info, and finally a signature that can be used to verify that the information is correct. It's stored in this format, rather than the easier to read format, so you can easily stick it in a link for an app on your phone to open.


On the government servers, they have your vaccine information, along with a Private Key. This key is what they use to generate signatures, and involves a bunch of complex math. Basically Data + Private Key = Signature. Though it's important to note that you can't use the data + signature to calculate the private key.
When you got your QR code from the government site, they use your data, sign it with the private key, and encode the whole token into the QR code.

On the app used by whoever is verifying your vaccine information is a Public Key. This key was generated by the government based on their private key and can be used to verify signatures. Given Data + Public Key + Signature and some complex math you can calculate if the data is valid. The public key is never enough to sign something, it's only ever able to verify a signature. For this reason it's safe for the government to give out.

So somebody scans your QR code with their fancy app, they get the token, and the app uses their public key to verify that the data matches the signature. If the data was altered, but not the signature, they get an error because the signature doesn't match the data. If somebody alters the data and signs it with their own private key, then you still get an error because the public key can't verify signatures made with different private keys.



The website I linked, jwt.io, is basically a sandbox for playing with and testing these types of tokens. It's how I was able to generate the example so easily. Since this is an open standard that a lot of the web runs on, there are a lot of libraries out there that do all the heavy lifting and complex math for you. I can go get whatever library that google or facebook uses, give it my user data and private key, and it will create the token for me. On my app I can use the same library and my public key to verify the data. There's more to it than just that for a proper and secure implementation, for example you need a good way to store your private keys so not everybody at your organization has access to them, but the government is likely to have most of that infrastructure in place already. So just generating some signed QR codes would be pretty straightforward.

Of course this is just one way that the data could be signed and verified. It's the one I'm most familiar with, and quite popular, but there are plenty of other formats as well.
Thanks for this! The first time I read it, your comments about "ease" and changing things made me think this was bad as it could be faked.

There's one problem though, those aren't the dates I got my vaccinations, so there must be a flaw somewhere...

[ducks]
The Following User Says Thank You to IamNotKenKing For This Useful Post:
Old 10-13-2021, 11:33 AM   #374
Bill Bumface
My face is a bum!
 
Join Date: Feb 2003

Quote:
Originally Posted by Fuzz View Post
Without verifying the ID, how do you prove someone didn't just print off someone else's QR code?
The only way this could work is if the system used short term tokens. You, the vaccinated person, generate a QR code just before you gain entry into a venue. It expires in X minutes, so you can't just distribute it (easily).

This would suck though, because any disruption to connectivity etc would cause major problems, whereas the current system can work totally offline.
Old 10-13-2021, 11:44 AM   #375
GioforPM
Franchise Player
 
Join Date: Oct 2014
Location: Springbank

Showing a picture ID along with your code is no big deal. It’s just like getting on a plane with an e-ticket. You show both and you’re in.
The Following User Says Thank You to GioforPM For This Useful Post:
Old 10-13-2021, 12:24 PM   #376
FBI
Franchise Player
 
Join Date: Oct 2001
Location: Flames fan in Seattle

Once again proving CP members could do a better job than the professionals..
Old 10-13-2021, 01:34 PM   #377
Pellanor
Backup Goalie
 
Join Date: Apr 2014

Quote:
Originally Posted by FBI View Post
Once again proving CP members could do a better job than the professionals..
To be fair, I am a professional, just not one working for the government.

Also to be fair to the province, while it took them a while to get here, I'm impressed with the final product. They're following the Smart Health Card spec, which is open, well designed, focused on privacy and used in many places across the world. It's got good support, documentation and is built on top of open libraries, which helped them get it set up quickly and smoothly. Also because so many places use the same spec it's easy to set up a trust model (and the spec is designed for it) so that the AB app could be used to, for example, verify the vaccine status for somebody from New York. The AB app would just have to add NY's public key to their list of trusted signers.

So much better than that garbage portPass app.
The Following 10 Users Say Thank You to Pellanor For This Useful Post:
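
The sign-and-verify flow explained earlier in the thread (post #361) and the list of trusted signers from post #377, worked through as an added Python example; it is not part of any post and not the Alberta app's code. It does RS256 by hand with the standard library only, and the toy keys built from Mersenne primes, the issuer names "AB" and "NY" carried in an `iss` field, and all function names are assumptions made for illustration.

```python
import base64, hashlib, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo (RFC 8017)

def toy_key(a, b, e=65537):
    """Constructed demo key from two Mersenne primes: trivially factorable, demo only."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
def public(key):
    return {"n": key["n"], "e": key["e"]}  # all a verifier app ever holds

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pad(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def sign(payload, key):
    parts = ({"alg": "RS256", "typ": "JWT"}, payload)
    signing_input = ".".join(b64u(json.dumps(x, separators=(",", ":")).encode()) for x in parts)
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(int.from_bytes(pad(signing_input.encode(), k), "big"), key["d"], key["n"])
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))  # Data + Private Key = Signature

def verify(token, trusted):
    """Return the payload if a trusted issuer signed it; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(unb64u(h)), json.loads(unb64u(p)), unb64u(s)
        alg, pub = header.get("alg"), trusted.get(payload.get("iss"))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("malformed token") from None
    if alg != "RS256":  # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    if pub is None:
        raise ValueError("untrusted issuer")
    k, s_int = (pub["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    recovered = pow(s_int, pub["e"], pub["n"]).to_bytes(k, "big") if s_int < pub["n"] else b""
    if len(sig) != k or recovered != pad(f"{h}.{p}".encode(), k):
        raise ValueError("invalid signature")
    return payload

def outcome(token, trusted):
    try:
        return "valid: " + verify(token, trusted)["name"]
    except ValueError as err:
        return str(err)

def demo():
    ab, ny, rogue = toy_key(521, 607), toy_key(607, 1279), toy_key(521, 1279)
    trusted = {"AB": public(ab)}  # constructed issuer names
    card = {"iss": "AB", "name": "IamNotKenKing", "dose1": "2021-05-25", "dose2": "2021-06-25"}
    h, p, s = sign(card, ab).split(".")
    edited = b64u(json.dumps(dict(card, dose2="2021-06-26")).encode())
    visitor = sign(dict(card, iss="NY"), ny)
    results = [outcome(f"{h}.{p}.{s}", trusted),       # untouched token
               outcome(f"{h}.{edited}.{s}", trusted),  # data changed, old signature reused
               outcome(sign(card, rogue), trusted),    # re-signed with a different private key
               outcome(visitor, trusted)]              # NY is not a trusted signer yet
    trusted["NY"] = public(ny)
    return results + [outcome(visitor, trusted)]       # same token after NY's key is added
```

A production verifier would use a maintained JWT/JOSE library and randomly generated keys rather than this hand-rolled arithmetic.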
Old 10-13-2021, 02:07 PM   #378
Inglewood Jack
#1 Goaltender
 
Join Date: Jan 2012

Quote:
Originally Posted by GioforPM View Post
Showing a picture ID along with your code is no big deal. It’s just like getting on a plane with an e-ticket. You show both and you’re in.
in a typical year I'll get on a plane maybe 4 times, while a restaurant or similar public venue maybe 70-100 times. the orderliness and expectations of the boarding process are also much different from that of a bunch of people crowding around the host stand at a restaurant.

from a security perspective, the airline staff are going to be significantly more diligent about the ID and pass matching. I can see that not happening at a restaurant if things are busy and the staff are in a hurry, or just don't really care. the fastest solution either way is to print the card and hand both over from the wallet, rather than fumbling with both wallet and phone (unless you've combined those into one as well).
Old 10-13-2021, 03:06 PM   #379
GioforPM
Franchise Player
 
Join Date: Oct 2014
Location: Springbank

Quote:
Originally Posted by Inglewood Jack View Post
in a typical year I'll get on a plane maybe 4 times, while a restaurant or similar public venue maybe 70-100 times. the orderliness and expectations of the boarding process are also much different from that of a bunch of people crowding around the host stand at a restaurant.

from a security perspective, the airline staff are going to be significantly more diligent about the ID and pass matching. I can see that not happening at a restaurant if things are busy and the staff are in a hurry, or just don't really care. the fastest solution either way is to print the card and hand both over from the wallet, rather than fumbling with both wallet and phone (unless you've combined those into one as well).
Meh - that was one example. The same happens every time I go to court (assuming I want to skip the metal detectors). And in the US they are searching bags at NFL games, Disneyland, etc.

A bunch of nightclubs around here already run your licence through the “troublemaker” scan.

Phone plus drivers’ licence is a first world problem and takes almost as little time as the scan itself, as long as people aren’t dumbasses and have their info ready in line.
The Following User Says Thank You to GioforPM For This Useful Post:
Old 10-19-2021, 09:45 AM   #380
tvp2003
Franchise Player
 
Join Date: Mar 2006

In case anyone was wondering, they had scanners at the game last night and were able to scan the provincial QR codes (despite earlier information stating they would not be doing so, at least right away). Had no issues; did have to show photo ID though.

I also note that the Flames website no longer appears to make any reference to PortPass. https://www.nhl.com/flames/fans/vaccination-policy
The Following User Says Thank You to tvp2003 For This Useful Post: