Flaw in the Quebec vaccine passport analysis cvv shop, cc shop

ESET cybersecurity expert Marc-Étienne Léveillé analyses in-depth the Quebec vaccine proof apps VaxiCode and VaxiCode Verif.
The launch of the mobile applications allowing the storage and verification of the vaccination passport by the Quebec government (VaxiCode and VaxiCode Verif) has caused a lot of ink to flow last week. It is with good reason; the VaxiCode Verif app will be used by all non-essential service merchants as of September 1, 2021.
Like many other experts, I analyzed the contents of the QR code as soon as I received it during my first vaccination last May. Last week, I also analyzed the two applications established by the Quebec government and developed by Akinox.
This blogpost explains how the vaccine passport system set up by the Quebec government works from a technical point of view, as well as details about the vulnerability we found in VaxiCode Verif that allowed the application to be forced to recognize non-government issued QR codes as valid. At this time, it is impossible to confirm that this is the same vulnerability found by “Louis” as reported by Radio-Canada last Friday, since no technical details have yet been released.
We informed Akinox about the vulnerability we found on Sunday, and we have confirmed that the VaxiCode Verif 1.0.2 update for iOS released in the last few days fixes the flaw. The Android version of the apps has not yet been analyzed, but VaxiCode and VaxiCode Verif use the Expo framework that allows iOS and Android apps to be produced using the same source code. Therefore, the applications on both platforms are probably equivalent.
First, let’s look at what the QR code contains. Generally speaking, a QR code includes only text. It is often a URL.
But let’s go back to the Quebec vaccine passport application. We notice that the URL contained in this QR code begins with . “shc” is actually an acronym for SMART Health Cards , a specification that defines a format for exchanging information about a person’s vaccination status. This specification was born in 2021 with the objective of being able to issue this famous vaccine passport and to be able to verify its veracity. This is the same standard that has been chosen by several American states, including California, New York and Louisiana. The development of this specification is being spearheaded by the Vaccination Credential Initiative , a coalition of public and private organizations working to enable the secure deployment of the passport around the world. Akinox, the company that developed VaxiCode and VaxiCode Verif for the Quebec government, is a member of this organization.
The specification describes how to decode the numbers in the URL into readable content.
The information is decoded into a JSON Web Token (JWT), or more specifically a JSON Web Signature (JWS) since it is a signed token. The SHC specification did not reinvent the wheel: JWT is an existing technology for exchanging encrypted or digitally signed information.
If you would like to know more about the contents of your vaccine passport, you can easily inspect it from a mobile device using an online tool developed by François Proulx.
Many have suggested encrypting the information in the QR code. This may seem like a good way to protect it; however, it would be much too easy to decipher this information. The information must be understood by VeriCode Verif, so the application should contain the decryption key. Once the key is extracted, anyone could decrypt the QR codes. This would give a false impression of security and lead to more criticism from the public.
For these reasons, the SHC protocol does not provide an encryption method. However, it does require a digital signature.
The digital signature is based on asymmetric cryptography , which means that a key pair is used. This pair is composed of a private key, which only the issuer (here, the Government of Quebec) has in its possession to sign data, and a public key, which verifies that the signature has been made with the private key.
Asymmetric cryptography is used, among other things, to encrypt communications on the Internet. There are no known attacks to sign without having the private key or to guess the private key from the public key.
This also means that the priority is to protect this private key at all costs. Compromising this key would allow the generation of cryptographically valid QR codes. This is not the case with the flaw we found: we did not need the private key to forge a vaccine proof that VaxiCode Verif deemed valid. Rather, the problem was in the implementation of the verification algorithm in VaxiCode Verif.
The SMART Health Cards specification was designed to allow for the possibility of multiple vaccine evidence issuers. This reflects the reality that each country or region is responsible for issuing its own evidence. Therefore, each government has its own pair of keys to sign and verify passports.
The SHC specification requires the issuing entity to make its public key(s) available on the Internet. The vaccine proof contains a URL to the issuer’s website in the “iss” (short for issuer) field. A verifying application should find the issuer’s public key(s) by concatenating /.well-known/jwks.json to this URL.
The specification does not define (at least for now) a way to determine if the issuer is trustworthy.
Akinox has chosen to include the Quebec government’s public key in VaxiCode and VaxiCode Verif. The application uses this key when the issuer is the Quebec government (specifically if iss is https://covid19.quebec.ca/PreuveVaccinaleApi/issuer). However, the code to download third party issuer keys is still in the application, even though it is not required.
The vulnerability lies in the fact that once a public key is downloaded, it is used to validate any other passport, without checking if it matches the content of the issuer field (iss).
Here is an attack scenario to display a forged vaccine proof as valid:
The version 1.0.2 available since Sunday on the Apple App Store fixes the problem. This update completely removes the functionality of downloading public keys from the issuer’s URL.
The authorities and developers responsible for deploying the vaccine proof are under a restriction that is difficult to mitigate: time. The entire development and deployment of proof of vaccination in Quebec was done in a few months. While there have been some shortcomings, the system is working.
The Quebec government may have missed a good opportunity to publish the source code of the applications it produced for the sake of transparency. After all, there is nothing to hide and nothing secret about these applications. The rapid discovery of flaws has shown that analysis by a larger number of experts improves the security of this type of application. The publication of the source code and its analysis by experts might have avoided scandals that could affect the public’s confidence, since the whole population would have been able to check the security by itself.
Some people also feel that the personal data contained in the Quebec vaccine passport is excessive. In this regard, it would have been possible to produce a lighter version of the passport containing less information. That said, this lighter version could potentially be unusable outside of Quebec, since the rules for determining whether a person is protected can change from region to region (which vaccines are considered valid, how many doses, etc.).
This is what Switzerland chose with its “COVID light certificate”. It should also be noted that the source code of the Swiss applications has also been available for several months.
We did not test the servers allowing the issuance of vaccine passports, because we have neither the mandate nor the permission from the Quebec government or Akinox to do so. Unlike the analysis of the applications provided by Quebec, this would constitute an attack on a remote system that could result in a risk of service interruption.
Our analysis first looked at the development history of the CHS specification, which was developed internationally specifically for issuing COVID-19 vaccination confirmations. We then explained the importance of using asymmetric cryptography for signing data, and in this case, to ensure the validity of the vaccination proofs provided. However, we discovered a flaw in the implementation of the verification algorithm, which allowed vaccine proofs displayed as legitimate by VaxiCode Verif to be forged. We notified Akinox of this flaw, and it was fixed as soon as the application was updated, which was within a few days. Finally, we pointed out the potential benefits of greater transparency with respect to the source code of these applications.
As a result of this analysis, I believe that, although VaxiCode Verif had some problems at its release, the technologies on which the system is based are solid. The idea of using existing standards and technologies is in my opinion a good decision. It ensures both signature security and interoperability between regions using the SMART Health Cards protocol. In my opinion, a flaw in the system that denied a valid vaccine passport would have a much more serious impact than the reverse, and that is not the case here.
That the problem was fixed in just a few days shows that all parties want a secure system. There are always areas for improvement, but the use of the digital signature proposed by SHC is, to date, secure.
The technical information in your article “Flaw in the Quebec vaccine passport: analysis”, was very interesting and useful. Thank you for sharing. Merci Marc-Etienne M.Léveillé.
Thanks,Deric
Which is besides the point. It’s still an unethical thing to do to segregate society. Quebec is a segregationist society and we should not accept this scientifically or morally. I couldn’t care less about the tech data. What matters is these facts: The ‘vaccines’ do not halt transmission. They do not confer full protection and now we know the vaccinated are, ironically, asymptomatic spreaders of the disease. But we’re going to target the healthy and unvaccinated? Based on what EVIDENCE? Mind you, it’s not like the Quebec government has produced a single piece of evidence to back their wholly futile and draconian measures since 2020. Nor has the province (or Health Canada for that matte) conducted any studies to see if, say, masks did anything. No, instead they waste money of this stupidity. Secure or not, this cuts right to the heart of what it means to live in a free society.
Ummm… I think there should be an “ANTIBODY-DEPENDENT ENHANCEMENT PASSPORT”… proving that your vaccination will not soon be a liability to yourself, and to others!. https://tapnewswire.com/202… https://pubmed.ncbi.nlm.nih… https://en.wikipedia.org/wi… https://blogs.sciencemag.or… https://rivercitymalone.com… https://www.ecdc.europa.eu/… https://medicalxpress.com/n… .BTW!… now that the due-date (August 15th, 2021) for American Intelligence to report back to congress on the origination of the COVID-19 disease has passed, what has American Intelligence come up with regarding this matter? .Apart from the insane ramblings of the former U.S. President as to the origins and man-made nature of SARS-CoV-2/ COVID-19 (and I’ll not speculate here on the origins and man-made nature of any VOC “adaptations”!), even Joe Biden has received evidence linking SARS-CoV-2/ COVID-19 to the notorious Wuhan Lab– and, to a disease onset time-frame that/ which PRECEDES the time-frame that we have been previously led to believe was the TRUE disease onset time-frame!… the which, has led to a UNANIMOUS VOTE in the U.S. (SUPPORTED BY BOTH HOUSES!) to have all documentation associated with the origin and “nature” of SARS-CoV-2/ COVID-19 brought into the public domain, and, that U.S. Intelligence be required to report back to the Biden Administration by no later than mid-August, of 2021 (pending, of course, any amended announcements made by the Biden Administration!… see, https://www.govinfo.gov/con… .And so and thus, and to conclude, to act as if NO CRIME has been perpetrated in the entry of this disease (and, it[‘]s variants!) into the global arena, is to preempt and second-guess the outcome of the facts being sought elsewhere!… and to– by default– give deference to the “status quo version” of events and their time-frames!.In the light of the mounting scientific evidence that the very “Vaccination Agenda” itself may pose an even greater problem for global public health than the onset of the original SARS-CoV-2/ COVID-19, I find it quite appalling that the global community is now not only having to contend with an evil that/ which may yet be proven to have originated from the Wuhan Lab (and by default, would thereby be “anthropogen[icly] derived”/ “man-made”), but– in addition– is having to contend with a “Public Health Agenda” that/ which is in a SYSTEMIC CONFLICT OF INTEREST IN THE PROFFERING OF “IMPARTIAL” PUBLIC HEALTH TREATMENT INFORMATION ON THE ONE HAND, WHILST LOCKSTEP WITH A MYOPIC AND POTENTIALLY LETHAL “PHARMA-CENTRIC TREATMENT INTEREST AGENDA” ON THE OTHER!.In Posting ANYWHERE, I give NO SANCTION to/ for a breach of my Constitutionally protected Rights and Freedoms, nor, to/ for a violation of any of the “Articles” to be found within the “Universal declaration of Human Rights”/ UDHR (and, e.g., Article 27 of the UDHR, wherein we read: 1. Everyone has the right freely to participate in the cultural life of the community [e.g., this site], to enjoy the arts and to share in scientific advancement and its benefits; and 2., Everyone has the RIGHT to the PROTECTION of the MORAL and MATERIAL INTERESTS resulting from any scientific, literary or artistic production of which he [one] is the creator [e.g., the Blog Comment that you are now reading!]). And so and thus, EVERY WEBSITE on the Net– by Human Rights default– must not only provide webizens with a Blog Comment Host widget with which to facilitate PUBLIC Free Speech and Press Freedom re PUBLICLY POSTED site blogs, but also ensure that webizen Postings (Public or Private) are Constitutionally and UDHR protected!.P.S.:….The Far-UVC treatment of COVID-19 (and its “adaptations”) in POPULATED CONFINED PUBLIC SPACES proffered by Dr. David Brenner of Columbia University, is a LEGIT public application supported by the following scientific documentation!…. https://bit.ly/3yv0hjY https://bit.ly/2NNMylZ https://bit.ly/3sALwrG (note the name David J. Brenner in the authorship) https://bit.ly/2NKZZ60 .All the best, and God Bless!… and no emails required! – JM.Prof. David BrennerThe CRR/ Center forRadiologI̲C̲ ResearchColumbia University630 W. 168th StreetNew York, NY 10032.Tel: (212) 305-5660Fax: (212) 305-3229djb3@cumc.columbia.edu
Final am̲ended version, coming up…
Ummm… I think there should be an “Antibody-dependent Enhancement Passport”… proving that your vaccination will not soon be a liability to yourself, and to others!. https://tapnewswire.com/202… https://pubmed.ncbi.nlm.nih… https://en.wikipedia.org/wi… https://blogs.sciencemag.or… https://rivercitymalone.com… https://www.ecdc.europa.eu/… https://medicalxpress.com/n… .BTW!… now that the due-date (August 15th, 2021) for American Intelligence to report back to congress on the origination of the COVID-19 disease has passed, what has American Intelligence come up with regarding this matter? .Apart from the insane ramblings of the former U.S. President as to the origins and man-made nature of SARS-CoV-2/ COVID-19 (and I’ll not speculate here on the origins and man-made nature of any VOC “adaptations”!), even Joe Biden has received evidence linking SARS-CoV-2/ COVID-19 to the notorious Wuhan Lab– and, to a disease onset time-frame that/ which PRECEDES the time-frame that we have been previously led to believe was the TRUE disease onset time-frame!… the which, has led to a UNANIMOUS VOTE in the U.S. (SUPPORTED BY BOTH HOUSES!) to have all documentation associated with the origin and “nature” of SARS-CoV-2/ COVID-19 brought into the public domain, and that U.S. Intelligence be required to report back to the Biden Administration by no later than mid-August, of 2021 (pending, of course, any ammended announcements made by the Biden Administration!… see, https://www.govinfo.gov/con… .And so and thus, and to conclude, to act as if NO CRIME has been perpetrated in the entry of this disease (and, it[‘]s variants!) into the global arena, is to preempt and second-guess the outcome of the facts being sought elsewhere!… and to– by default– give deference to the “status quo version” of events and their time-frames!.In the light of the mounting scientific evidence that the very “Vaccination Agenda” itself may pose an even greater problem for global public health than the onset of the original SARS-CoV-2/ COVID-19, I find it quite appalling that the global community is now not only having to contend with an evil that/ which may yet be proven to have originated from the Wuhan Lab (and by default, would thereby be “anthropogen[icly] derived”/ “man-made”), but– in addition– is having to contend with a “Public Health Agenda” that/ which is in a SYSTEMIC CONFLICT OF INTEREST IN THE PROFFERING OF “IMPARTIAL” PUBLIC HEALTH TREATMENT INFORMATION ON THE ONE HAND, WHILST LOCKSTEP WITH A MYOPIC AND POTENTIALLY LETHAL “PHARMA-CENTRIC TREATMENT INTEREST AGENDA” ON THE OTHER!.In Posting ANYWHERE, I give NO SANCTION to/ for a breach of my Constitutionally protected Rights and Freedoms, nor, to/ for a violation of any of the “Articles” to be found within the “Universal declaration of Human Rights”/ UDHR (and, e.g., Article 27 of the UDHR, wherein we read: 1. Everyone has the right freely to participate in the cultural life of the community [e.g., this site], to enjoy the arts and to share in scientific advancement and its benefits; and 2., Everyone has the RIGHT to the PROTECTION of the MORAL and MATERIAL INTERESTS resulting from any scientific, literary or artistic production of which he [one] is the creator [e.g., the Blog Comment that you are now reading!]). And so and thus, EVERY WEBSITE on the Net– by Human Rights default– must not only provide webizens with a Blog Comment Host widget with which to facilitate PUBLIC Free Speech and Press Freedom re PUBLICLY POSTED site blogs, but also ensure that webizen Postings (Public or Private) are Constitutionally and UDHR protected!.P.S.:….The Far-UVC treatment of COVID-19 (and its “adaptations”) in POPULATED CONFINED PUBLIC SPACES proffered by Dr. David Brenner of Columbia University, is a LEGIT public application supported by the following scientific documentation!…. https://bit.ly/3yv0hjY https://bit.ly/2NNMylZ https://bit.ly/3sALwrG (note the name David J. Brenner in the authorship) https://bit.ly/2NKZZ60 .All the best, and God Bless!… and no emails required! – JM.Prof. David BrennerThe CRR/ Center forRadiologI̲C̲ ResearchColumbia University630 W. 168th StreetNew York, NY 10032.Tel: (212) 305-5660Fax: (212) 305-3229djb3@cumc.columbia.edu
Ummm… I think there should be an “Antibody-dependent Enhancement Passport”… proving that your vaccination will not soon be a liability to yourself, and to others!
https://tapnewswire.com/202… https://pubmed.ncbi.nlm.nih… https://en.wikipedia.org/wi… https://blogs.sciencemag.or… https://rivercitymalone.com… https://www.ecdc.europa.eu/… https://medicalxpress.com/n…
cvv shop cc shop

Author: wpadmin