This repository has been archived by the owner on May 16, 2023. It is now read-only.

Integrate CORSIGN QR Codes for positive tests #463

Open
jona7o opened this issue Apr 18, 2021 · 11 comments
Labels: feature request (A new feature proposal for the app)

Comments

@jona7o

jona7o commented Apr 18, 2021

Feature description

We started a PKI system for official authorities. With this tool they are able to give trust to test centers in their region. With this trust the test centers are able to sign JWT tokens inside a QR code. The full JWT model and the signing process are explained open source at https://github.com/innFactory/corsign-core and next week we'll start to integrate these QR codes in a test city (Rosenheim: https://www.ovb-online.de/rosenheim/rosenheim-stadt/corona-kontaktverfolgung-rosenheim-software-freiheit-90462363.html). So in the near future every test center in this region will create a CORSIGN QR code with at least the following fields from the mentioned model:

{
  "sub": "UUID (Unique User IDentifier) which could be used in third-party applications such as SORMAS, valid until a new test is performed",
  "exp": "The token expires after a pre-defined duration (e.g. 24 hours) has passed since the SARS-CoV-2 test was done",
  "iat": "Date and time of the SARS-CoV-2 test",
  "nbf": "Valid not before SARS-CoV-2 test date and time",
  "aud": "Place for the signer, can be used to store additional information for a third-party application",
  "pld": {
    "person": {
      "firstname": "Max *required",
      "lastname": "Mustermann *required",
      "email": "[email protected] *required or phoneNumber",
      "phoneNumber": "0803199999 *required or E-Mail"
    },
    "information": {
      "isNegative": true
    }
  }
}

Because of the JWT format there is also a JWK remote source (http://iss.corsign.de/.well-known/jwks.json) where all the public keys for signature checks / validation by tracing apps are stored. The CWA can check if the token is valid and then check if the isNegative field is false. All the other fields can be ignored. But this information could contain the needed information.

The QR Code content looks like:

$issuer/v1/validate/$jwt (splitting before validate/ allows every camera app to scan the QR code and see the result)

for example with our implementation:

https://www.corsign.de/v1/validate/eyJraWQiOiI5ZjhmMzUxZi1kYWNmLTQyMmItOWUwMy05OWQ1YThhMTNmODYiLCJhbGciOiJSUzUxMiJ9.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.CUgo2wGlKTb3Mcvh9H7NzxcnbKYwIfBWxBksa6VgPU6Yab26BmQiastf7sZyO1ZLb5Bo5zqODYkKLkZW4Nq0obHXIN5OOtZXXk6MhlPxDVs1p949g51z5blSYh-qNq_CdHq1nlZwIXAiUSzx4SZxBuVTBp_0xg8Eg0EUDdm9-7dO9a0Hp8Y8v9BXmlhIVTAAcd-iUo1jhYOlzoDesieB56EVsJ8-qmao1BTPeTl09ZbN4T6oaSHxx0-NLvqopf77PsKCAsFo5hror2tfzH7Wosx0XcafsDdCkjL2ic5-_dN0RjL1Piq0nS7ByK7lkEDuBT00R8pnbX2mC3e-dPGwpg

Because of the open format all personal information is stored directly inside the QR codes. One of the big tracing apps ("darf ich rein") has already implemented this QR code.

Problem and motivation

The problem is that nearly every test center has its own software system for their appointments and tests. Every software sends different QR codes for the result. With the corsign model we try to start an open source model for this problem, to connect the test center software with the tracing apps.

jona7o added the "feature request" label Apr 18, 2021
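The verification flow the issue describes (split the QR content before validate/, look the key up by kid in the issuer's JWKS, check the RS512 signature, then read isNegative), as an added example that is not part of the original issue and not code from the corsign project. Everything in it is constructed: the RSA key pair is generated at run time (a toy 1024-bit key drawn from random, never a production key), the JWKS document is built from that key instead of being fetched from http://iss.corsign.de/.well-known/jwks.json, and the claims and personal data are sample values. It uses only the Python standard library, so the RS512 primitive is spelled out in full; a real app would use a vetted JWT library and pin the algorithm there.

```python
import base64
import hashlib
import hmac
import json
import random

# DER DigestInfo prefix for SHA-512 (RFC 8017 section 9.2); RS512 = RSASSA-PKCS1-v1_5 over SHA-512.
_SHA512_DIGESTINFO = bytes.fromhex("3051300d060960864801650304020305000440")

def _is_probable_prime(n, rounds=40):  # Miller-Rabin, demo-grade
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    """Return (n, e, d). Toy key: short and drawn from `random`, never use it for real signing."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand) and cand not in primes:
            primes.append(cand)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    if phi % e == 0:  # e is prime, so this is the only way gcd(e, phi) != 1; retry
        return generate_rsa_key(bits)
    return n, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message, k):  # 00 01 FF..FF 00 || DigestInfo || SHA-512(message), k bytes long
    t = _SHA512_DIGESTINFO + hashlib.sha512(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs512_sign(n, d, message):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs512_verify(n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwks_for(kid, n, e):
    """The document a verifier would fetch from $issuer/.well-known/jwks.json, built locally here."""
    uint = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS512", "kid": kid, "n": uint(n), "e": uint(e)}]}

def issue_corsign_token(n, d, kid, iss, aud, sub, pld, iat, ttl):
    """Test-center side: sign the claim set from the issue (sub/aud/iss/iat/nbf/exp/pld) as RS512."""
    header = {"kid": kid, "alg": "RS512"}
    claims = {"sub": sub, "aud": aud, "iss": iss, "iat": iat, "nbf": iat, "exp": iat + ttl, "pld": pld}
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(claims)}"
    return f"{signing_input}.{b64url_encode(rs512_sign(n, d, signing_input.encode('ascii')))}"

def validate_qr(qr_content, jwks, expected_iss, now):
    """Tracing-app side: take '$issuer/v1/validate/$jwt', verify it, return only what the app needs."""
    if "/v1/validate/" not in qr_content:
        raise ValueError("not a CORSIGN QR payload")
    h64, p64, s64 = qr_content.split("/v1/validate/", 1)[1].split(".")  # ValueError unless 3 segments
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm; never let the token pick it (alg=none, HS256-with-public-key confusion).
    if header.get("alg") != "RS512":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs512_verify(n, e, f"{h64}.{p64}".encode("ascii"), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # only now is anything in the payload trustworthy
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token not yet valid or expired")
    # Data minimisation: hand back the verdict and the timestamps, not the person block.
    return {"sub": claims["sub"], "iat": claims["iat"], "exp": claims["exp"],
            "is_negative": claims["pld"]["information"].get("isNegative") is True}
```

Two points a verifier has to get right that the issue text glosses over: the alg header is checked against what the JWKS advertises before the signature is even looked at, and the payload is only parsed after the signature passes. Note also that the JWKS URL in the issue is given as plain http://; the keys must be fetched over TLS (or pinned), otherwise whoever controls the network decides which public key the app trusts.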
@vaubaehn

vaubaehn commented Apr 18, 2021

Hi @jona7o ,
why are the personal data of the testees not encrypted and only base64-encoded?
Are you warning the testees to keep their QR code strictly private, because any malicious attacker (e.g., an unauthorized gate keeper) with access to that code and an arbitrary scanning app could extract their personal details (including full address, telephone, email) to carry out a subsequent social engineering attack like the Enkeltrick (the "grandchild trick" phone scam) and alike? In your case there would also be an attack surface for a nice identity theft due to the completeness of the personal data inside the QR code.
See also corona-warn-app/cwa-documentation#587

https://www.corsign.de/v1/validate/eyJraWQiOiI5ZjhmMzUxZi1kYWNmLTQyMmItOWUwMy05OWQ1YThhMTNmODYiLCJhbGciOiJSUzUxMiJ9.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.CUgo2wGlKTb3Mcvh9H7NzxcnbKYwIfBWxBksa6VgPU6Yab26BmQiastf7sZyO1ZLb5Bo5zqODYkKLkZW4Nq0obHXIN5OOtZXXk6MhlPxDVs1p949g51z5blSYh-qNq_CdHq1nlZwIXAiUSzx4SZxBuVTBp_0xg8Eg0EUDdm9-7dO9a0Hp8Y8v9BXmlhIVTAAcd-iUo1jhYOlzoDesieB56EVsJ8-qmao1BTPeTl09ZbN4T6oaSHxx0-NLvqopf77PsKCAsFo5hror2tfzH7Wosx0XcafsDdCkjL2ic5-_dN0RjL1Piq0nS7ByK7lkEDuBT00R8pnbX2mC3e-dPGwpg

Decodes to

{
    "kid": "9f8f351f-dacf-422b-9e03-99d5a8a13f86",
    "alg": "RS512"
}
{
    "sub": "cd210ac1-a57d-49e7-8bf0-ddea24d23bc6",
    "aud": "apo1.rosenheim.de",
    "nbf": 1618223525,
    "iss": "https:\/\/iss.corsign.de",
    "pld": {
        "person": {
            "zip": "81508",
            "country": "Germany",
            "firstname": "Tobias",
            "phoneNumber": "081500",
            "city": "testcity",
            "sex": "M",
            "idCardNumber": "",
            "email": "[email protected]",
            "lastname": "test"
        },
        "information": {
            "appData1": {
                "test": "test1"
            },
            "isNegative": true,
            "appData2": {
                "test2": "test3"
            },
            "vaccine": "bla",
            "isVaccinated": true,
            "testType": "test"
        }
    },
    "exp": 1618396325,
    "iat": 1618223525
}

(Edit: formatted by @heinezen for clarity)

Binary:

09 48 28 db 01 a5 29 36 f7 31 cb e1 f4 7e cd cf 17 27 6c a6 30 21 f0 56 c4 19 2c 6b a5 60 3d 4e 98 69 bd ba 06 64 22 6a cb 5f ee c6 72 3b 56 4b 6f 90 68 e7 3a 8e 0d 89 0a 2e 46 56 e0 da b4 a1 b1 d7 20 de 4e 3a d6 57 5e 4e 8c 86 53 f1 0d 5b 35 a7 de 3d 83 9d 73 e5 b9 52 62

Am I the only one who is seeing a problem here?

@jona7o
Author

jona7o commented Apr 18, 2021

Hi @vaubaehn,
the testees are warned that they should keep this code private and use it only for check-ins in restaurants etc. Every app could take the information it needs from the model and encrypt it in its own data model. The model just contains that many fields for later purposes. Right now, when people are tested, the test centers will only write data for: firstname, lastname, phone and/or email, and the test result. The people are also aware that the QR code is only valid if they have their ID card with the same name on it, so that an authorized gate keeper is able to check them in.

For example "darf ich rein" shows this screen if the code is valid or if the code has expired

[screenshot: dir_neg]

@vaubaehn

@jona7o
Thanks for your explanation. Yes, people must be warned that this QR code contains sensitive data and that only trusted places/personnel should get access to it. In daily life it will get difficult to understand who is authorized and who is not, especially when less tech-savvy people or our grandparents are asked to present their code to anyone.
I don't see any problem with encrypting the personal data right from the beginning inside the QR code.

@vaubaehn

vaubaehn commented Apr 18, 2021

@jona7o
Just two last questions: may I kindly ask which Landesdatenschützer (state data protection commissioner) or authority gave their approval for that project?
Could you provide a sample paper print out with the warning text, please?
Thank you very much in advance.

@jona7o
Author

jona7o commented Apr 18, 2021

For usage in the Corona-Warn-App an encrypted version is no problem. I think for CWA only the isNegative flag is needed. But all the centralized tracing apps need the data to encrypt it with their own mechanism to transfer the data to the related health authority. I think this problem can be solved when IRIS is available and all tracing apps and health agencies use the same platform for data exchange. The city is Rosenheim. I can send you the article by mail. They want to become a Bavarian reference city when reopening is possible. In this case everyone needs a negative test and has to get checked in. The problem you mentioned is the same if you give your official ID card to a stranger. You should not do this without a reason.

@vaubaehn

Hi @jona7o, thanks for staying in the discussion, I think it's important.
Just to be clear, I don't want to 'destroy' anything: personally, I'm supporting your idea, and I think it would be a big gain for everyone if immune/test status could be processed and attested fast and easily without any headache.
However, personal data must be protected as well as possible, and here we're dealing with health data too.

To make my points easier to understand, I'm emphasizing that I understood that either an app could be used as an entry pass (showing a summary of the data already extracted from the QR code), or the QR code itself on a paper copy for people without a mobile phone.

For the usage in corona warn app an encrypted version is no problem. I think for cwa only the isNegative flag is needed.

CWA is planning to provide rapid test data as an entry pass. For this, a test-center-generated QR code will contain first name, last name and date of birth as base64-encoded personal data, and some identifiers that will enable CWA to fetch the test result from a secured server (to set the negative flag accordingly) after the test result becomes available (for the currently planned implementation code, see e.g. here: corona-warn-app/cwa-app-android@12aa8dc).
I already raised my doubts here corona-warn-app/cwa-documentation#587 that it's not a good idea to do so in an unencrypted way. You will find some more details there.
Also, for me it's unclear at the time being whether CWA will even be able to persist personal data in a future release without violating the Terms of Usage by Apple and Google, see also here: #459 (comment). So I guess it needs a new thorough evaluation whether such an approach can be implemented into CWA at all.

But all the centralized tracing apps need the data to encrypt them with their own mechansim to transfer the data to the related health authority.

True, but the personal data can be embedded into the QR code in an encrypted way, the app can decrypt it (there would be different options for how an authorized decryption key could be fetched from an online DB), and then persist it again encrypted inside the app in line with data security standards.

The city is rosenheim. I can send you the article by mail.

Thanks for your suggestion, it could be interesting, but I won't expose my private e-mail here publicly :)

The Problem you mentioned is the same if you give away your official id card to a foreigner. You should not do this without a reason.

Now we're arriving at the most important points: yes, absolutely true, the QR code would need to be treated as carefully as an official ID card. But there are important differences between our Bundespersonalausweis (German national ID card) and your QR code:
It is in our cultural knowledge and common sense that our official ID cards should only be presented to authorized or trusted people. They're usually wearing a uniform. If you leave a copy of your ID anywhere else (bank, renting agency, whatever) then you KNOW where you left your ID, and in case of abuse you would be able to trace the case.
I don't see this cultural/public knowledge with QR codes in general yet. One big problem here is that you are not able to see 'with your eyes' which data are stored inside the QR code (as opposed to an ID). Even if you're techy enough to scan the code with an arbitrary scanning app, you will only see the base64-encoded data, and probably won't question anything. But as said before, for a malicious attacker it's a matter of seconds to extract these data and later abuse them.
Also, how will you find out who's authorized to scan your QR code and who isn't? If you are asked to present your QR code inside the entrance of a restaurant, I think it's unlikely that the person is unauthorized. But how about in front of a public toilet, for example? If you were asked there to present your QR code (to let only negatively tested people inside, "because of the aerosols"), would you ask the guy to authorize himself in front of you by showing his company ID or his personal ID?
Would your mom or your grandmother be careful in such a situation?

Another problem is the 'time-limited value' of such a test certificate. After it expires, how many people will just leave the paper on an outside cafe's table? How many will throw it into a publicly accessible trash can without even thinking about how much personal data they were just giving out of their hands? How many people would think about blackening (or destroying) the QR code before throwing it into the paper recycling bin?

There are two solutions:
Either the people must be made aware strongly and repeatedly which data is embedded inside the QR code, that in doubt they need to see an authorization from anyone who is requesting to see it, and that it needs to be trashed/destroyed securely after it expires, and must not be lost!
You can achieve this by printing a long explanatory text next to the QR code. But who will read it carefully? What about blind people, illiterate people and people with language barriers?

Or you encrypt the personal data before embedding it into the QR code. The decryption key can be fetched from an online DB by authorized apps/persons only. This will provide maximum security and won't burden testees with long explanatory texts. If you're interested in details of how this could be achieved, just leave a note here.

You didn't answer my two questions above yet: do you already have a warning text on your paper print-outs? Could you provide an example here?
And: has your project already been approved by your local Rosenheim DSB (data protection officer) and/or by Thomas Petri, the LBDS (state data protection commissioner) of Bavaria?

(FYI: @rugk - is this discussion something, you or some of your fellows are interested in? Or can you calm me down ;)?)

@rugk

rugk commented Apr 19, 2021

True, but the personal data can be embedded into the QR code in an encrypted way, the app can decrypt it

If the app can decrypt it, it somehow needs to get the key for that. This can't be static or hardcoded into the app for obvious reasons (it's easily extractable).
I'm not sure whether there would even be a way to do this decentralized and securely. I won't claim there is none, but it will probably need some very clever (cryptographic) stuff, as you of course also cannot expose the encryption key to anyone who requests an API or so.
One way could be to generate the private or symmetric key before you even get your QR code and transfer the public/symmetric key to the ones who generate your test result… but… you see this gets way too difficult to do practically.

And:

The decryption key can be fetched from an online db from authorized apps/persons only.

No, I don't really consider this a solution, and it is none, because the app also needs to get the key… And even if that worked, the "authorized personnel" is just a smaller group of people and we have only decreased the misuse potential.

Another idea I had would be to turn the thing around: encrypt and save the sensitive data symmetrically and upload it to some server. The QR code then only contains the API details (some ID or so) and the encryption key. Then you can download and decrypt the data once you have the key.

The advantage of that approach would mainly tackle this risk:

Another problem is the 'time-limited value' of such a test certificate. After it expires, how many people will just leave the paper on an outside cafe's table? How many will throw it to a publicly accessible trash can without even thinking how many personal data they were just giving out of there hands?

I do see this as a big risk, actually, as I think that problem is very realistic. I mean you hopefully won't get the test result by doing that – if the API can only be requested once, but it's indeed still personal data. (I only skimmed over what has been written here and judged the shown security issues, so please bear with me if I interpret something incorrectly, but isNegative sounds as if the test result may[?] be included.) In any case

So with the "encrypt data and send to server" you would have two advantages:

  • no sensitive data in the QR code, so once it is lost, it does not matter where you throw it away
  • the API can delete the data when requested once, respectively only downloaded once
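The "turn it around" design sketched in the comment above (ciphertext on a server, only an ID and the key in the QR code, record deleted after one download), as an added example that is neither rugk's code nor anything from the corsign project. Assumptions: AES-256-GCM from the third-party cryptography package, an in-memory dict standing in for the server and its API (API_BASE is a placeholder, not a real endpoint), and invented sample data. The key is carried in the URL fragment, which HTTP clients do not transmit, so the server never sees it.

```python
import base64
import json
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumption: pip install cryptography

API_BASE = "https://records.example/v1/record"  # placeholder endpoint, not a real corsign API


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RecordServer:
    """Stand-in for the server: it only ever holds ciphertext and hands each record out exactly once."""

    def __init__(self):
        self._records = {}

    def store(self, record_id, blob):
        self._records[record_id] = blob

    def fetch_once(self, record_id):
        # pop(): the first download deletes the record, so a lost or discarded QR code is useless afterwards
        return self._records.pop(record_id, None)


def issue_qr(server, person, information):
    """Test-center side: encrypt the sensitive data, upload it, put only an id and the key into the QR."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    record_id = b64url(os.urandom(16))  # 128-bit random id: unguessable, so only the QR holder can fetch
    plaintext = json.dumps({"person": person, "information": information}).encode()
    # record_id as associated data: the blob only decrypts under the id it was stored with
    server.store(record_id, nonce + AESGCM(key).encrypt(nonce, plaintext, record_id.encode()))
    # key in the URL fragment: HTTP clients never send the fragment, so the server cannot read its own records
    return f"{API_BASE}/{record_id}#{b64url(key)}"


def redeem_qr(server, qr_content):
    """App side: split id and key, download once, decrypt. Returns None if the record is already gone."""
    url, _, key_b64 = qr_content.partition("#")
    if not url.startswith(API_BASE + "/") or not key_b64:
        raise ValueError("not a record URL")
    record_id = url[len(API_BASE) + 1:]
    blob = server.fetch_once(record_id)
    if blob is None:
        return None
    # raises cryptography.exceptions.InvalidTag if the key or the id does not belong to this blob
    plaintext = AESGCM(unb64url(key_b64)).decrypt(blob[:12], blob[12:], record_id.encode())
    return json.loads(plaintext)
```

With this layout a bystander scanning the paper gets a random ID and a random key and nothing about the person; the test result lives in the encrypted record as well, so it is also off the QR code. The delete-on-first-fetch rule only holds up because the record ID is unguessable: anyone able to trigger the deletion already holds the QR code and therefore the key.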

@rugk

rugk commented Apr 19, 2021

You didn't answer my above two questions yet: Do you already have a warning text on your paper print outs? Could you provide an example here?

👍

Also, I still don't quite understand why the name needs to be included in there anyway. Just to go one step back and consider whether we can just remove the data (data minimisation, ya' know).

@jona7o
Author

jona7o commented Apr 19, 2021

Hi,

thanks for the feedback. I will answer tomorrow again.

But for now this is the resulting PDF template. I am sure nobody will leave this on a table or throw it away without "destroying" it. It contains much the same values as most PCR lab result PDFs. The PDF is transmitted AES-encrypted and the user needs a password to get this PDF. Then the QR code contains the data without encryption, just signed with a PKI key, so that all the centralized tracing apps are able to read the data and encrypt it their way. It is just the same as if you tell the restaurant owner you are person X, with phone Y and so on, and then show a negative test result to prove that you are tested negative (just if you must bring a negative test in your area/city). He will write the data in his tracing app, that you have visited his restaurant.

[screenshot taken 2021-04-19 at 23:13:23]

@vaubaehn

Hi @rugk, thanks a lot for contributing to this discussion!
There were some points where you disagreed, but where we actually have the same opinion/understanding. But that was maybe because of

(I only skimmed over what has been written here and judge the shown security issues, so please bear with me if I interpret something incorrectly,

and so I can easily bear it 😉 Yes, the texts are already quite long...

But you also added some valuable points which are definitely worth a closer look. I'm a bit short on time at the moment, but will try to comment in the evening. The reason why I'm putting so much effort into this issue is that I don't want to see CWA getting into trouble, and that CWA issue is very closely related to the one discussed here. Also, I'm very nervous that the planned implementation of the European Vaccination Pass will become a similar "data privacy El Dorado", and that these "entry passes" here are kind of a test run for that.


Hi @jona7o ,
thanks a lot for providing the sample paper print-out/PDF. I think that will help to continue evaluating the "QR code approach" further, for you, but also for CWA's already planned RAT implementation.
As stated above, I'm a bit short on time. I'd like to continue the discussion later, preferably after

I will answer tomorrow again.

you added some more to the discussed points.
Thank you very much in advance!

@jona7o
Author

jona7o commented May 6, 2021

So now I am back and in the meantime I have checked everything with our specialist attorney for computer science and privacy law. He told me that we could store all the data inside of the QR code, but the tracing/corona-related apps like CWA, Luca, "Darf ich rein" and others must treat this data as they have described the usage of data in their privacy policy. The only thing our attorney told me is that the QR code should not contain more data than is printed on the test result page. So if you just process the isNegative boolean field compared with the iat (issued at) date, everything should be completely fine.

The test centers are also permitted to transmit the data, because in our use case we don't save anything in a backend service and just transmit positive tests AES-encrypted to the related health authority like "Rosenheim". Every test center in the city or in the district of Rosenheim is able to transmit their positive data. Right now we are talking with a lot of test center software developers and most of them are open to using this technology, because of the side effect of transmitting their positive data encrypted. While doing my research on test certificates and transmitting test results, I came across a very frightening fact. It is common practice that the "Schnelltest" (rapid test) centers transmit their data on positive persons as an unencrypted and unsigned email attachment every day. I hope our corsign service will fix this soon in a lot of smaller test centers, because they don't have access to RKI DEMIS.
