Ludovic Frank - Freelance developer

Why can't I falsify the QR Code on my health pass?

Ludovic Frank Jul 28, 2021

Hi there, how are your vacations going? Today we're talking about a subject that's all too trendy: the health pass (yes, I'm still in vogue!).
What do you mean? Another thorny subject? But no, no ... it'll pass.
This article is in the same vein as "the HTTPS padlock" and "ransomware", because the health pass uses cryptography, but not for encryption.
Ready to go? Let's get started!

How do I get a free health pass?

Ah! That's why you're here (you little rascal). OK, I'm going to give you the ultimate solution for getting your own health pass, in your name and everything ... plus, it's guaranteed to work absolutely everywhere ...
All you have to do is book an appointment on, for example, "Vite ma dose", and bang, a month later you've got your precious sesame. It's super simple and works every time.

The heart of the matter: why can't a health pass be falsified?

What's in a health pass?

Let's start by looking at what's inside the health pass QR code. First of all, the data format. In France, it's the "2D-DOC" format that's used, while in Europe it's the "DCC" format. If you're interested, you can do your research on the Internet.

Now, what does the QR Code actually contain?

  • Last name
  • First name
  • Date of birth
  • Disease (Covid-19)
  • Vaccine code (I don't know what it's really called)
  • Vaccine name
  • Number of doses received / number of doses required
  • Injection date
  • Where you are in the cycle (started, finished ...)
  • Signature (this is what we're interested in)

This list is based on what I was able to understand by scanning the QR Code; it is not intended to be exact. What I am sure of is that there is indeed a digital signature ... otherwise this article would not even exist!

Is the health pass data encrypted?

No, anyone in possession of the QR Code can read it, which is why you shouldn't share your health pass on the Internet (not even by blurring part of the QR Code). It cannot be falsified, but it can be copied (with surname, first name, etc.).

The data is digitally signed using an asymmetric key system.

Yess! This is where I can refer you to the article "How to protect yourself from ransomware" for the public/private key part (when I tell you that "everything is linked").

But even if I've already explained it, I'm going to try here to make it even easier to understand what a public key and a private key are in cryptography (as a complement, I strongly recommend that you read the private/public key part of the article on ransomware).

The private key
Let's try to draw some parallels with everyday life.

When you want to have a document certified by a company or a public organization (e.g. a town hall), the person certifying the document uses a stamp, and some stamps leave a relief in the paper to make them even more difficult to copy.
The stamp is the equivalent of the private key. It's the one that leaves its mark on the document, but without it, it's impossible to leave a trace, so it's pretty hard to forge. A private key is like a stamp, completely impossible to falsify today. In fact, if it were possible, the Internet would be in chaos, and I'm not even talking about banking services ...

The private key can also be thought of as a key on your keyring (you know, the kind of key that's WELL secured and impossible to copy without going through the manufacturer).
The key can open a lock, and if the key can open the lock, we know it's the right key.

The public key
If the "private key" is the stamp, then the public key is the "trace" of this stamp left on the document: we know that it was stamped by "this stamp". It's visible, but very difficult to imitate (depending on the stamp's complexity). The trace of the stamp on the document lets you know that the document has been "signed" by the right organization, and therefore makes it official. For the health pass, the digital signature does the same.

And for the second parallel, if the key on your keyring is the "private key", well ... the lock is the "public key". The lock doesn't allow you to recreate the key on your keyring (normally), but it does let you know when it's the right key that's being used.

Who owns the health pass's private key?

A private key remains in the hands of an organization, and enables it to certify digital data. In my case, for example, I have several private keys. When you came to this site, I used one of my private keys to certify that you were indeed connected to "Ludo Dev" using HTTPS (see the article on the HTTPS padlock).
As for the health pass key, it's in the hands of the health insurance company... and given the work they've done on the health pass, I can safely say that they've protected it well enough to prevent theft.

Where's the public key?

As its name suggests, it's public, so it's available for all to see. For example, the "TousAntiCovid - Verif" application uses it to display whether a health pass is valid or not.

How the signature works

When the health pass is created (with first and last name, etc.), all the data is passed to an algorithm that uses the private key to create a digital signature. If the data is then changed without modifying the signature, the QR Code will no longer be valid, and the "TousAntiCovid - Verif" application will display "invalid pass" because the signature no longer corresponds to the pass data.
To make the modified pass valid, the new data must be digitally signed, which is impossible without the private key.
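
The checks described above, as an added example that is not the health pass's own code: the issuer signs the pass fields, and a verifier holding only the public key accepts a genuine or copied pass but rejects an edited or self-signed one, with no server involved. ECDSA on P-256, the Pass struct, the field separator and the sample identity are assumptions made for the illustration; the article does not name the algorithm or the exact encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Pass is a constructed stand-in for the QR Code content, not the real 2D-DOC or DCC layout.
type Pass struct {
	Fields    []string // name, birth date, disease, doses, injection date ...
	Signature []byte   // issuer's signature over the fields
}

// digest hashes the fields in a fixed order so signer and verifier agree.
func digest(fields []string) []byte {
	h := sha256.Sum256([]byte(strings.Join(fields, "\x1f")))
	return h[:]
}

// Issue is the step that only the holder of the private key can perform.
func Issue(priv *ecdsa.PrivateKey, fields []string) (Pass, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(fields))
	return Pass{Fields: fields, Signature: sig}, err
}

// Verify needs only the public key and makes no network call.
func Verify(pub *ecdsa.PublicKey, p Pass) bool {
	return ecdsa.VerifyASN1(pub, digest(p.Fields), p.Signature)
}

// Demo returns the verdicts for a genuine, a copied, an edited and a self-signed pass.
func Demo() (genuine, copied, edited, selfSigned bool) {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key the verifier does not trust
	fields := []string{"DOE", "JANE", "1980-01-01", "COVID-19", "2/2", "2021-07-01"} // constructed
	pass, _ := Issue(issuer, fields)
	clone := Pass{Fields: append([]string(nil), pass.Fields...), Signature: pass.Signature}
	forged := Pass{Fields: append([]string(nil), pass.Fields...), Signature: pass.Signature}
	forged.Fields[1] = "JOHN"                  // data changed, old signature kept
	resigned, _ := Issue(other, forged.Fields) // signed, but not by the issuer
	return Verify(&issuer.PublicKey, pass), Verify(&issuer.PublicKey, clone),
		Verify(&issuer.PublicKey, forged), Verify(&issuer.PublicKey, resigned)
}

func main() { fmt.Println(Demo()) } // true true false false
```

The copied pass verifying is the reason a QR Code should not be shared: the signature proves who issued the data, not who is presenting it.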

Why was this method used?

Well, that's my interpretation, not what the health pass developers say.
This method makes it possible to check the authenticity of a health pass WITHOUT tracking users. The developers could have used a method with a central server, where each time a QR Code is scanned, a central server is queried to find out if it's OK. The problem is that the central server method allows you to track people, find out where they've been and when ... which would be a problem for privacy ... Here, this method has been completely discarded.
So no ... the health pass is not a mass surveillance tool. If it were, it wouldn't have been designed that way.

So it's impossible to create a fake health pass?

Stubborn, aren't you?
Let's start by reminding you that the creation and use of forgeries are punishable by law ...
The only possible ways to create a fake health pass would be to:

  • Steal the private key from the health insurance company (don't forget, they've protected it)
  • Bribe someone who has access to the creation software (I'd hate to be in that person's shoes, it's going to sting a lot once they're caught with their hand in the jam jar).

Conclusion

The health pass has been done properly: there's no attempt at tracking, and they've set up a system to check authenticity. In short, it does what it was created to do.
All that's left for me to do is to wish you a happy weekend.