Summary
Hi there, how are your vacations going? Today we're talking about a subject that's all too trendy: the health pass (yes, I'm still in vogue!).
What do you mean? Another thorny subject? But no, no ... it'll pass.
This article is in the same vein as "the HTTPS padlock" and "ransomware", because the health pass uses cryptography, but not for encryption.
Ready to go? Let's get started!
Ah! that's why you're here (you little rascal?), OK, I'm going to give you the ultimate solution for getting your own health pass in your name and all and all ... plus, it's guaranteed to go absolutely everywhere ...
All you have to do is book an appointment on, for example, " Vitte ma dose ", and bang, a month later you've got your precious sesame. It's super simple and works every time?
Let's start by looking at what's inside the health pass QR code. First of all, the data format.In France, it's the "2D-DOC" format that's used, while in Europe it's the "DCC" format. If you're interested, you can do your research on the Internet.
Now, what does the QR Code actually contain?
This list is based on what I was able to understand by scanning the QR Code, it is not intended to be exact, what I am sure of is that there is indeed a digital signature ... otherwise this article would not even exist!
No, anyone in possession of the QR Code can read it, which is why you shouldn't share your health pass on the Internet (not even by blurring part of the QR Code). It cannot be falsified, but it can be copied (with surname, first name, etc.).
But even if I've already explained it, I'm going to try here to make it even easier to understand what a public key and a private key are in cryptography (as a complement, I strongly recommend that you read the private/public key part of the article on ransomware).
The private key
Let's try to draw some parallels with everyday life.
When you want to have a document certified by a company or a public organization (e.g. a town hall), the person certifying the document uses a stamp, and some stamps leave a relief in the paper to make them even more difficult to copy.
The stamp is the equivalent of the private key. It's the one that leaves its mark on the document, but without it, it's impossible to leave a trace, so it's pretty hard to forge. A private key is like a stamp, completely impossible to falsify today. In fact, if it were possible, the Internet would be in chaos, and I'm not even talking about banking services ... ?
The private key can also be thought of as a key to your trousseau (you know, the kind of key that's WELL secured and impossible to copy without going through the manufacturer),
The key can open a lock, and if the key can open the lock, we know it's the right key).
The public key
When the "private key" is the stamp, well, the public key and the "trace" of this stamp left on the document, we know that it was stamped by "this stamp".It's visible, but very difficult to imitate (depending on the buffer's complexity). The trace of the stamp on the document lets you know that the document has been "signed" by the right organization, and therefore makes it official. For the sanitary step, the digital signature does the same.
And for the second parallel, when the key on your keyring is the "private key" and well ... the lock is the "public key", this doesn't allow you to recreate the key of your keyring (normally), but it does let you know when it's the right key that's being used.
A private key remains in the hands of an organization that enables it to certify digital data. In my case, for example, I have several private keys.hen I came to this site, I used one of my private keys to certify that you were indeed connected to "Ludo Dev" using HTTPS(see article on the HTTPS padlock).
As for the health pass key, it's in the hands of the health insurance company... and given the work they've done on the health pass, I can safely say that they've protected it well enough to prevent theft.
As its name suggests, it's public, so it's available for all to see. For example, the "TousAntiCovid - Verif" application uses it to display whether a sanitary pass is valid or not.
When the health pass is created (with first and last name, etc.), all the data is passed to an algorithm that uses the private key to create a digital signature.) without modifying the signature, the QR Code will no longer be valid, and the "TousAntiCovid - Verif" application will display "invalid pass" because the signature no longer corresponds to the pass data.
To make the modified pass valid, the new data must be digitally signed, which is impossible without the private key.
Well, that's my interpretation, not what the health pass developers say.
This method makes it possible to check the authenticity of a health pass WITHOUT tracking users. The developers could have used a method with a central server, where each time a QR Code is scanned, a central server is queried to find out if it's OK.The problem is that the central server method allows you to track people, find out where they've been and when... which would be a problem for privacy... Here, this method has been completely discarded.
So no ... the health pass is not a mass surveillance tool. If it were, it wouldn't have been designed that way.
Stubborn, aren't you?
Let's start by reminding you that the creation and use of forgeries are punishable by law ...
The only possible ways to create a fake health pass would be to :
The health pass has been done properly, there's no attempt at tracking, they've set up a system to check authenticity, in short, it does what it was created to do.
All that's left for me to do is to wish you a happy weekend?