Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Government of Ab recognized as fake #16

Open
P4R4NORM4L opened this issue Oct 1, 2021 · 9 comments
Open

Government of Ab recognized as fake #16

P4R4NORM4L opened this issue Oct 1, 2021 · 9 comments

Comments

@P4R4NORM4L
Copy link

Please add Alberta support Thanks
@peacey
Copy link

peacey commented Oct 1, 2021

The AB public keys haven't been released yet. You can see the keys here when they're up: https://covidrecords.alberta.ca/smarthealth/issuer/.well-known/jwks.json

@P4R4NORM4L
Copy link
Author

oh ok

@P4R4NORM4L
Copy link
Author

They should of released it today maybe someone can look into it ?

@peacey
Copy link

peacey commented Oct 13, 2021

@P4R4NORM4L, they didn't activate their key server for some reason, however someone did find the keys embedded in a site file a few days ago. Please see my pull request here (steven676#3) for more information.

Here are the keys,

keys: [
      { kid: "JoO-sJHpheZboXdsUK4NtfulfvpiN1GlTdNnXN3XAnM",
        alg: "ES256", kty: "EC", crv: "P-256", use: "sig",
        x: "GsriV0gunQpl2X9KgrDZ4EDCtIdfOmdzhdlosWrMqKk",
        y: "S99mZMCcJRsn662RaAmk_elvGiUs8IvSA7qBh04kaw0" },
]

@RussellAult
Copy link

@peacey beat me to it.

To add (for background): I believe @grepme discovered (and posted on Reddit) that the public key was published within the JavaScript for the covidrecords site with the name publicSmartHealthKey.

@P4R4NORM4L
Copy link
Author

P4R4NORM4L commented Oct 13, 2021
edited
Loading

What is the point of having this decoder though, is it just to see the info??
They say that the app does not connect to any external server for checking so i'm assuming anyone could make their own QR code and have it validated on their app ?

https://globalnews.ca/news/8260170/alberta-covid-19-coronavirus-update-october-12/

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

@RussellAult
Copy link

RussellAult commented Oct 13, 2021
edited
Loading

What is the point of having this decoder though, is it just to see the info?? They say that the app does not connect to any external server for checking so i'm assuming anyone could make their own QR code and have it validated on their app ?

https://globalnews.ca/news/8260170/alberta-covid-19-coronavirus-update-october-12/

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

@P4R4NORM4L How familiar are you with public-key cryptography?

The short answer is that the data in an Alberta-issued QR code includes a signature generated by a Government of Alberta private key, and any attempts to alter the contents of the QR code will break this signature. Validators (whether the official app or unofficial ones like this one) use the signing key's public key (which is what we've all been waiting for) to check whether the signature in the QR code is valid.

Because this validation process only requires knowledge of the public key used to sign the QR codes, an app can verify the validity of the QR code itself (and, by extension, its contents) entirely offline (i.e. without referencing an external database).

@peacey
Copy link

peacey commented Oct 13, 2021

@P4R4NORM4L, the Alberta app has the keys programmed into it, so it doesn't need to request them from the server.

The QR code contains your health data (name, DOB, vaccine status) unencrypted. The data is then signed with Alberta's private key (which can only be decoded with the public key shown above). Without the Alberta private key, you cannot sign the QR code.

Signing the QR code means taking all the unencrypted health data, hashing it (like md5sum), and encrypting the hash with the private key. This encrypted signature is then placed on the QR code. Validation of a QR code is done by hashing the current health data on the QR, decrypting the signature, and checking that the decrypted hash equals to the currently generated hash. If the hashes aren't equal or the signature could not be decrypted (because of incorrect encryption key) then the data was tampered with and the QR code is invalid.

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

That's correct.

@P4R4NORM4L
Copy link
Author

oh ok well shit lol

@steven676 steven676 mentioned this issue Oct 16, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peacey @RussellAult @P4R4NORM4L