1. 18

  2. 4

    Cool post! To me, it’s interesting to compare other countries’ solutions to the EU Green Pass:

    This one is easier to decode, at the expense of less information density (especially with the many non-shortened JSON keys, but also JSON syntax itself). The EU version also only records information about the last shot¹.

    What is SHCEncoding? It’s where you create pairs of digits and subtract 45 from them. Yep. There is no real explanation for this anywhere.

    This reads awfully like base45, which was developed by and for the Green Pass. base45 uses the QR code ‘alphanumeric’ charset (which has 45 characters) to encode binary data with near-0% overhead. This would probably also replace the base64 encoding you mentioned.

    ¹: although the format is designed to accommodate more than one, given a spec change from “allow only 1 entry” to “allow >=1 entries”

    Shameless plug for my EU QR code analysis: https://lobste.rs/s/mgeay3/what_s_inside_eu_green_pass_qr_code

    1. 1

      Wow yeah, your post is excellent too. I’ll reference it in my document. ☺

      It may be base45! I’ll have to look closer, and if it is, I’ll update the document.

      Edit: The EU Green pass is certainly better.

    2. 3

      Facepalming hard at these articles (posted a few hours ago) https://globalnews.ca/news/8145997/quebec-covid-passports-hack-police/

      It goes to show the public was not well informed enough about what the QR code contains (practically nothing identifying without additional documentation).

      1. 3

        I found most news coverage about the QR Code misleading and reporting on “cybersecurity experts” that keep claiming they “hacked” the QR Code by decoding it. And then this other privacy group claimed they were able to hack many politicians’ QR Codes when in fact they simply went through the portal, provided the information required to get your QR Code (Name, Date of birth, Vaccination dates and health insurance number, which is the previous information + 2 random numbers). You will guess that for high profile most of these data points are known and the QR Code you get gives you pretty much the exact same data. Lots of FUD being thrown around by privacy groups looking to get media coverage. I’m all for having a debate about privacy, but these people just keep throwing terms they know are going to be misunderstood by the lay persons and this is plain irresponsible. There have been a few actual bugs found in the app that was able to validate a crafted QR Code and another one that allowed a government employee to download thousands of QR Codes. But these researchers went through the proper channel and didn’t spread fear around these.

        1. 1

          You must be speaking specifically about the iOS app? I’m still waiting for the Android one to get the public keys.

          1. 1

            The key is not iOS or Android specific. They are the same key pair. You can find it in all the many third party apps that have been developed over the last months.

            1. 1

              Oh that I know. What I don’t know is how to download and reverse an iOS application, but I do an Android application.

              How have the other applications gotten the keys?

              1. 3

                There’s this minified and ugly async compiled into sync state machine javascript that has been shared with me (seems to be using this SDK) that has been extracted from the iOS app. As for the public key, don’t quote me on this, but I think someone just asked the right person for it. Now you can find it in the minified code:

                    s.exports = {
                      alg: "ES256",
                      kty: "EC",
                      crv: "P-256",
                      use: "sig",
                      kid: "fFyWQ6CvV9Me_FkwWAL_DwxI_VQROw8tyzSp5_zI8_4",
                      x: "XSxuwW_VI_s6lAw6LAlL8N7REGzQd_zXeIVDHP_j_Do",
                      y: "88-aI4WAEl4YmUpew40a9vq_w5OcFvsuaKMxJRLRLL0",
                    };

                1. 2

                  I’ve written a decoder, verifier, and encoder. Refresh the document to see it at the bottom.

                  Also I found out the QR code can hold about 250 doses before it starts becoming unscannable. X)
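
Added example, not code from the thread or from any participant: the difference the thread keeps returning to, between decoding a card (no key needed) and verifying it against the issuer's ES256 public key. It assumes the SMART Health Cards layout (`shc:/` digit pairs, `zip: "DEF"` raw-DEFLATE payload, compact JWS); the key pair, `kid`, claims and all function names are constructed for the example.

```javascript
// Added example: SHC numeric decoding and ES256 verification (constructed key and card).
const crypto = require('node:crypto');
const zlib = require('node:zlib');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// QR text -> compact JWS: each digit pair is (ASCII code - 45).
function shcToJws(qrText) {
  const digits = qrText.replace(/^shc:\//, '');
  if (!/^(\d\d)+$/.test(digits)) throw new Error('not an shc:/ numeric payload');
  return digits.match(/\d\d/g).map((p) => String.fromCharCode(Number(p) + 45)).join('');
}

// Compact JWS -> QR text (inverse; used here only to build the constructed sample).
function jwsToShc(jws) {
  return 'shc:/' + [...jws].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');
}

// Decoding proves nothing about authenticity: anyone can do this step without a key.
function decodeCard(qrText) {
  const [h, p, s] = shcToJws(qrText).split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const payload = JSON.parse(zlib.inflateRawSync(Buffer.from(p, 'base64url')).toString());
  return { header, payload, signingInput: `${h}.${p}`, signature: Buffer.from(s, 'base64url') };
}

// Trust decision: pinned algorithm, matching kid, valid P-256 signature (raw r||s form).
function verifyCard(qrText, jwk) {
  const { header, payload, signingInput, signature } = decodeCard(qrText);
  if (header.alg !== 'ES256' || header.kid !== jwk.kid) return null;
  const { kty, crv, x, y } = jwk;
  const key = crypto.createPublicKey({ key: { kty, crv, x, y }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(signingInput),
    { key, dsaEncoding: 'ieee-p1363' }, signature);
  return ok ? payload : null;
}

// Constructed issuer key and signed card, so the example runs offline.
function makeSample(claims) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = { ...publicKey.export({ format: 'jwk' }), alg: 'ES256', use: 'sig', kid: 'constructed-kid' };
  const h = b64u(JSON.stringify({ alg: 'ES256', zip: 'DEF', kid: jwk.kid }));
  const p = b64u(zlib.deflateRawSync(JSON.stringify(claims)));
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${p}`), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { jwk, qr: jwsToShc(`${h}.${p}.${b64u(sig)}`) };
}
```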