search

fproulx / shc-covid19-decoder

Very simple app to decode your Vaccination Proof QR Code (such as the one provided by government of Quebec) - Compatible with SHC (Smart Health Card standard)
https://fproulx.github.io/shc-covid19-decoder/
144 stars 34 forks source link

Government of Ab recognized as fake #16

Open P4R4NORM4L opened 3 years ago

P4R4NORM4L commented 3 years ago

Please add Alberta support Thanks

peacey commented 3 years ago

The AB public keys haven't been released yet. You can see the keys here when they're up: https://covidrecords.alberta.ca/smarthealth/issuer/.well-known/jwks.json

P4R4NORM4L commented 3 years ago

oh ok

P4R4NORM4L commented 3 years ago

They should of released it today maybe someone can look into it ?

peacey commented 3 years ago

@P4R4NORM4L, they didn't activate their key server for some reason, however someone did find the keys embedded in a site file a few days ago. Please see my pull request here (steven676/shc-covid19-decoder#3) for more information.

Here are the keys,

keys: [
      { kid: "JoO-sJHpheZboXdsUK4NtfulfvpiN1GlTdNnXN3XAnM",
        alg: "ES256", kty: "EC", crv: "P-256", use: "sig",
        x: "GsriV0gunQpl2X9KgrDZ4EDCtIdfOmdzhdlosWrMqKk",
        y: "S99mZMCcJRsn662RaAmk_elvGiUs8IvSA7qBh04kaw0" },
]
RussellAult commented 3 years ago

@peacey beat me to it.

To add (for background): I believe @grepme discovered (and posted on Reddit) that the public key was published within the JavaScript for the covidrecords site with the name publicSmartHealthKey.

P4R4NORM4L commented 3 years ago

What is the point of having this decoder though, is it just to see the info?? They say that the app does not connect to any external server for checking so i'm assuming anyone could make their own QR code and have it validated on their app ?

https://globalnews.ca/news/8260170/alberta-covid-19-coronavirus-update-october-12/

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

RussellAult commented 3 years ago

What is the point of having this decoder though, is it just to see the info?? They say that the app does not connect to any external server for checking so i'm assuming anyone could make their own QR code and have it validated on their app ?

https://globalnews.ca/news/8260170/alberta-covid-19-coronavirus-update-october-12/

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

@P4R4NORM4L How familiar are you with public-key cryptography?

The short answer is that the data in an Alberta-issued QR code includes a signature generated by a Government of Alberta private key, and any attempts to alter the contents of the QR code will break this signature. Validators (whether the official app or unofficial ones like this one) use the signing key's public key (which is what we've all been waiting for) to check whether the signature in the QR code is valid.

Because this validation process only requires knowledge of the public key used to sign the QR codes, an app can verify the validity of the QR code itself (and, by extension, its contents) entirely offline (i.e. without referencing an external database).

peacey commented 3 years ago

@P4R4NORM4L, the Alberta app has the keys programmed into it, so it doesn't need to request them from the server.

The QR code contains your health data (name, DOB, vaccine status) unencrypted. The data is then signed with Alberta's private key (which can only be decoded with the public key shown above). Without the Alberta private key, you cannot sign the QR code.

Signing the QR code means taking all the unencrypted health data, hashing it (like md5sum), and encrypting the hash with the private key. This encrypted signature is then placed on the QR code. Validation of a QR code is done by hashing the current health data on the QR, decrypting the signature, and checking that the decrypted hash equals to the currently generated hash. If the hashes aren't equal or the signature could not be decrypted (because of incorrect encryption key) then the data was tampered with and the QR code is invalid.

So, to repeat, the app does not store any personal information, and it does not link to any external data, the QR code isn’t a hot link to an external database or website, all of the required information is contained within the code itself.

That's correct.

P4R4NORM4L commented 3 years ago

oh ok well shit lol