I faked tons of Covid passes – “Weak Key Cryptography in real world” (ctrsec.io)
237 points by jtaft on Nov 26, 2021 | 203 comments



The author went out of their way to hide the factors of N, presumably so that nobody else would actually be able to generate signed certificates. However, they did this by hiding half the digits of the factors.

Revealing so many digits of the factors actually allows easily factoring the original number using a version of Coppersmith's method (easy as in under a second on my laptop instead of the 9 hours on a distributed cluster the authors used). This is actually a pretty classic CTF exercise.

If I'm still nerdsniped by this tomorrow I'll try my hand at implementing this and factoring the number myself


looks like there are more digits cropped out so it's going to make it a lot harder since you won't know which bits you have


Short version if they get taken down:

The validation apps used a 512 bit RSA public key.

They used a factoring app and spent $200 on Amazon to factor the private key from the public key.

They were then able to generate the COVID passes.

This is for the Honai Police Dept.


>This is for the Honai Police Dept.

*Hanoi


Why would anyone use RSA when we have X25519?


It is fairly baffling why you'd choose RSA with 512 bit keys; as noted elsewhere I assume this is about the size of the signature. However, a PKCS#1 signature for a 512 bit RSA key is 64 bytes, which is the same size as an ECDSA signature for, say, a NIST P-256 key and you're giving up an enormous amount of security by choosing RSA even vs entirely mainstream stuff like ECDSA.


Take your pick: Needs to be certified FIPS-140-<n>? Or backwards compatibility with really old infrastructure that no one really understands? Or it was just conveniently at the top of the list of ciphers to pick?


The real question is why use 512 bit RSA when you can use 2048+?


Key size determines number of bytes the signature takes up, which is one of the determinants of the complexity of a QR code. I suppose if you don't know what you are doing, and want to reduce QR code complexity, you lower the key size.

To turn up speculation to 100, this might also be a third world issue, because here in the west we have high quality smartphones with good cameras, but the smartphone cameras there might not be as good, so they might be challenged reading QR codes. 8 years ago I built a thing that had customized links accessible via QR codes, but my buddy's cheap phone couldn't read them due to issues with the camera resolution. A lot has happened in 8 years in terms of progress, but they still put crappy cameras into cheaper phones, and this might still pose a problem for reading complex QR codes.


Take a look at QR image in the post. I haven't seen a QR code in the first world that carries more data, especially not a printed one. It's doubtful they're optimizing for poor cameras or printers any more than is done in the first world, and to be clear, in the first world we still have to optimize for poor cameras and printers.

Decreasing the message size while improving security would obviously be ideal and most likely quite achievable, but there are plenty of wealthy municipalities in the US who don't exactly cover themselves in honor in similar situations.

While I'm not at all saying it's illegitimate to speculate on wealth disparities as a cause, in this case I think it's lazy to call this a "third world issue", even with speculation up to 100.


Have you ever looked at the size of the standardized EU QR code[0]? At just a glance it looks at least 2-3x denser than the one presented in the article. Also, on the specification published by the EU[1], they seem to advise for a 25-60cm size, and also warn about using <300dpi printers.

When I was vaccinated, I was given an A4 sheet with those QR codes on it, and I really wouldn't want to scan those with a crappy camera.

[0]: https://gir.st/blog/greenpass.html

[1]: https://ec.europa.eu/health/sites/default/files/ehealth/docs... § 4.2.2


From there [1]:

Primary Algorithm: The primary algorithm is Elliptic Curve Digital Signature Algorithm (ECDSA) as defined in (ISO/IEC 14888–3:2006) section 2.3, using the P–256 parameters as defined in appendix D (D.1.2.3) of (FIPS PUB 186–4) in combination the SHA–256 hash algorithm as defined in (ISO/IEC 10118–3:2004) function 4. This corresponds to the COSE algorithm parameter ES256.

Secondary Algorithm: The secondary algorithm is RSASSA-PSS as defined in (RFC 8230) with a modulus of 2048 bits in combination with the SHA–256 hash algorithm as defined in (ISO/IEC 10118–3:2004) function 4.

So not exactly 512 bit RSA.
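
A verifier-side check for the key sizes discussed above, as an added example that is not part of the thread or of any project it mentions: it parses a DER SubjectPublicKeyInfo and rejects RSA moduli below an assumed 2048-bit floor while accepting EC P-256. The function names, the policy floor and the sample keys (placeholder values, not real keys) are assumptions made for this example.

```python
# Added example: audit the public key a pass verifier is about to trust.
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1 id-ecPublicKey
P256_OID = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7 prime256v1
MIN_RSA_BITS = 2048  # assumed policy floor, the modulus size named in the quoted spec


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def audit_spki(der_bytes):
    """Return (accepted, description) for a DER SubjectPublicKeyInfo."""
    tag, spki, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, param_pos = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OID")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    key = bits[1:]                        # drop the unused-bits octet
    if oid == RSA_OID:
        tag, rsa_key, _ = read_tlv(key, 0)
        if tag != 0x30:
            raise ValueError("RSAPublicKey must be a SEQUENCE")
        tag, n_bytes, _ = read_tlv(rsa_key, 0)
        if tag != 0x02:
            raise ValueError("modulus must be an INTEGER")
        size = int.from_bytes(n_bytes, "big").bit_length()
        return size >= MIN_RSA_BITS, f"RSA-{size}"
    if oid == EC_OID:
        tag, curve, _ = read_tlv(alg, param_pos)
        if tag == 0x06 and curve == P256_OID:
            return True, "EC P-256"
        return False, "EC curve not on the allow-list"
    return False, "unsupported algorithm"


# --- helpers that build the constructed sample keys for the demo ---
def der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def der_int(x):
    # One spare leading bit keeps the INTEGER positive, as DER requires.
    return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))


def rsa_spki(n, e=65537):
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + key))


def p256_spki():
    alg = der(0x30, der(0x06, EC_OID) + der(0x06, P256_OID))
    point = b"\x04" + bytes(64)           # placeholder point, not a real key
    return der(0x30, alg + der(0x03, b"\x00" + point))


# Constructed moduli: only their size matters here, they are not real RSA keys.
WEAK_N = (1 << 511) | 1
STRONG_N = (1 << 2047) | 1

if __name__ == "__main__":
    for blob in (rsa_spki(WEAK_N), rsa_spki(STRONG_N), p256_spki()):
        print(audit_spki(blob))
```

Running a check like this in CI or at key-import time flags an undersized key before it is embedded in a validation app.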


The EU covid certificates that I've seen have way more data (this one has 3x3 alignment markers, the certificates I've seen in production have 4x4).



My guess is Vietnam’s spec was to achieve the same level of integrity as a paper document (ie. Minimal) and optimize for cheap/poor quality cameras.

Longer keylengths make it difficult to deliver sufficient payload in a QR. Not sure about EU, but the SMART health passes that are the emerging standard use ES256 signatures.

The lack of global leadership for interoperable standards early on made this more difficult. You had the EU, Israel, US states and others who were ahead of the curve, but that approach had limits that were reached.

Now in the US we also have the issue of dealing with states with wacky political stances. States like California, New York and Louisiana, combined with private sector leaders like Walmart and Epic made SMART the de facto US standard, and other countries are recognizing them.


> RSA 512-bits key was proven breakable years ago

Even so, I am amazed they were able to break it so quickly and cheaply.


So it can fit on a reasonably sized QR code probably.


This kind of breach isn't possible in Australia since their laws can beat the laws of math. Countries with less powerful laws are apparently not so lucky.

https://www.gizmodo.com.au/2017/07/prime-minister-says-the-l...

(Yeah, tongue firmly in cheek. Laws of math oddly enough seem to work just fine for taxation, depreciation, etc etc)


It's unfortunate that we've had successive governments (both sides) attacking privacy and security. From a casual glance, it looks to be done out of incompetence, when you see such headlines. But boy is that a long streak of coincidences.


Sadly, it seems to be power for the sake of power. I've been involved with a few govt green papers over the last 20 years, and most of the proposals are about bureaucrats extending their reach. It's why I vote Green now, as both Labor and Liberal have become so focused on preserving their power that they ignore the Rest Of The World and The Science.

For non-Australians, our Liberals are your Republicans, with all their faults, and our Labor is your Democrats, with all their faults.

Our Greens seem to have broadened their platform to include social justice and true libertarianism, so they're not _as_ power-hungry.


Not sure if you're aware, but the Aussie covid vaccination "certificate" from the government App uses a "digital hologram" to prevent forgery.

It's essentially an animated gif.


Unfortunately the governments implementing these measures seem absolutely determined to treat Orwell's 1984 as a training or howto manual. As we descend further into authoritarianism, tracking and other privacy busting measures will become even more normalised and entrenched. You'll soon need to show identity and other papers to get into a shop to buy a hammer.


On a note entirely unrelated to the above comment, I find it somewhere between humorous and worrying that people who seem to have never actually read 1984 seem insistent on invoking it for things that are entirely unrelated to the book and have occurred for decades in most countries (showing documents for travel, having to get vaccinated for certain jobs) and ignore all the other things happening that were actually in the book. Like, for example, historical revisionism by party-controlled media.

These vaccination cards are totally unprecedented[1] and authoritarian. Oceania had always been at war with Eastasia.

[1] https://www.kxan.com/wp-content/uploads/sites/40/2021/04/yel...


Plenty of parallels but you won't get exact matches... yet a few things stand out.

I'd point at the war-on-terror as a good example of a permanent or equivalent always-at-war situation. It's not a stretch to suggest that a lot of the privacy and surveillance is based around anti-terrorism initiatives and plenty of security theater is now in place because of that. The war-on-drugs was another version of that. The war-on-... rhetoric in general is almost cliché now. This is not to say it's not serious but consider the 1970s had quite a lot of terrorism going on, e.g. the UK had regular bombings from the IRA.

Political correctness tends to adjust definitions in ways very reminiscent of Double-speak. It seems to be a rich source of new words and terms. Like a conveyor belt.

The surveillance aspect is obvious.


How did you get there? Vaccination requirements have been a thing for decades in many countries. Showing proof of vaccination to go to the mall or cinema isn't tracking anyone (with the EU implementation at least, can't talk about all of them) about anything - it's just an app reading a QR code and deciding if it's valid locally, no internet required. Heck, in France the government explicitly stated nobody has the right to ask for an ID to verify you're the actual owner of the vaccine certificate (bar age-restricted places like bars that have had that right anyways).

Why do people always have to jump to the slippery slope fallacy when anything happens? It's good to be cautious, but you're taking it to paranoia level.


Ironically I got told that you can be required to show immunisation certification to enter a hardware store. My thought-to-be-silly-to-make-a-point example about the hammer is reality right now.


Here in Mexico the gov issued vaccination certificates always have errors.

People have resorted to downloading the PDF and "hacking it" (editing it in Acrobat).

Nobody ever actually checks whether the certificate is valid or not.


I think most people who are smart enough to fake the certificate are smart enough to get vaccinated.

What do you win by using a fake certificate vs. getting protected by the vaccine?


You're missing the point. They got vaccinated but the certificate has errors.


I don't think parent was promoting the use of fake certificates to bypass the need to get vaccinated. They were pointing out that even for vaccinated persons the certificate system was broken, and those folks were resorting to "fake" certificates just to get around.


I got that. I'm just saying I don't really get people who pay hundreds of dollars for fake vaccination certificate, when the other option of getting vaccinated:

1. Gives you the real certificate

2. FOR FREE,

3. With no chance of getting charged with forgery.

4. Gets you vaccinated which will protect you against death and serious illness.

I think the choice is a "no-brainer"


Amen to that.


Unfortunately, you’d be surprised. I know of at least one


I know dozens of people working in the healthcare sector skeptical of covid vaccines, among them virologists specialized in RNA viruses.

Their skepticism is far more nuanced, and evidence based, than the "All vaccines are poison/bill gates gonna 5G us!" covid vaccine skepticism is usually framed as.

They do not oppose any other common sense measures, like mask wearing, they simply want to be careful about vaccines that have been pushed to markets in record times on very questionable, mostly political, narratives.

Like vaccines allegedly saving us with "herd immunity" when most people familiar with the topic knew very well how that was extremely unlikely to happen.


From the link below we see evidence that the chance of dying from Covid-19 is multiple times bigger for the unvaccinated than for the vaccinated.

I wonder what kind of "smart" person ignores this evidence and puts their life at risk at will? Hey my chance of dying from Covid is 10 times bigger because I don't get vaccinated, but I won't because I believe an even worse fate awaits me if I do. What do they think that worse fate is?

About the vaccine not giving us herd-immunity, of course it doesn't if the herd refuses to get vaccinated.

https://ourworldindata.org/grapher/united-states-rates-of-co...


The chance of dying of Covid-19 while being unvaccinated is very low. The benefit of being vaccinated is a further reduction in the chance of dying if infected and a reduction in symptom severity if infected. There is still a very low chance of severe symptoms and/or death if infected while being vaccinated. Also, there have been cases of people dying within weeks of receiving a vaccine dose; I won't comment on what that implies.

I'm not vaccinated. I did get Covid-19 and recovered well. The only lasting effect seems to be that I smell an anti-freeze odor at times. I don't feel like I was putting my life at risk by not getting vaccinated, in fact, I feel even more strongly against getting a vaccine that appears to be more beneficial to those who are at high risk of severe symptoms and/or death than the general population.

In any case, I respect others' opinions on the matter and don't judge them for their decisions on vaccination. The fact that vaccinated people can still get infected and possibly transmit the virus to others seems to indicate we should stop focussing on a general solution and focus on those in high risk categories. The Covid-19 pill seems like a good first step in that direction.


> From the link below we see evidence that the chance of dying from Covid-19 is multiple times bigger for the unvaccinated than for the vaccinated.

That depends on a lot of factors, among them the virus strain, the age group or how long ago the vaccinations happened.

Germany is already having death streaks in pension homes again, where vaccination rates of the elderly are 100% [0]. But those 100% happened earlier this year, since then the vaccine protection has heavily diminished.

[0] https://www.swr.de/swraktuell/rheinland-pfalz/mainz/corona-a...


these calculations always include risk groups, without them it would make the vaccine look much less appealing

odds of dying from COVID for vaxxed non risk groups are pretty much same as for vaxxed non risk group, 10 times zero is still a zero

nobody is denying vaccine is helping the risk groups, but there is hardly any benefit for people not at risk (healthy weight, no chronic disease)


correction: odds of dying from COVID for unvaxxed non risk groups are pretty much same as for vaxxed non risk group, 10 times zero is still a zero


I'm fully vaccinated, but I've read a couple of times how vaccines are making this worse since they provide a vector for the virus to evolve against.

These claims make sense to my layman understanding, but I really have no idea.


> In human infections of highly pathogenic coronaviruses SARS-CoV and MERS-CoV, the most vulnerable populations are patients over the age of 65 and patients with comorbidities, and design of efficacious vaccines for patients in these groups is difficult. Vaccine formulations that have been developed against SARS-CoV not only fail to protect animal models of aged populations, but also result in immunopathology in younger populations, where SARS disease is enhanced in vaccinated groups that are subsequently challenged with SARS-CoV

That's from USAMRIID research into broad-spectrum coronavirus antiviral drugs released in March 2019 [0], relevant citations in the paper.

They also mention the possibility of using a "modular vaccine platform", which would be RNA vaccines, but they only considered their use for emergency coverage and also point out how vaccines alone are unlikely to eradicate it, as long as the virus continues to circulate in potential animal reservoirs.

While earlier in the paper it's pointed out;

> Gammacoronaviruses and deltacoronaviruses have no known viruses that infect humans, but contain important agricultural pathogens of livestock.

Which is also an angle that seems weirdly lacking from the public debate [1]

[0] https://sci-hub.ru/10.1080/17460441.2019.1581171

[1] https://onlinelibrary.wiley.com/doi/full/10.1111/xen.12591


Our greyhound has a certificate now...


I know many educated and smart people who are anti vaccine, including doctors, some of them got fake certificates and that is in a modern western country. Nobody is checking it properly, they just see the green colour and let you in, nobody even compares the name to some ID. So the benefit is to get into places they couldn't get into without the vaccine.


More likely smart enough not to.


I remember here in Canada there were concerns about this sort of thing when rolling out our proof-of-vaccination system, but practically speaking, the number of people with both the technical understanding and inclination to do this is surely too small to have a meaningful impact on COVID spread.


The QR-code based solutions, using elliptic curve asymmetric cryptography, aren't breakable by anyone at present (maybe someone has some monster quantum computer and they could, but they wouldn't be making fake vaccination certificates). The private keys could be stolen or misused of course, but there are very well proven solutions to that given how much of the industry relies upon asymmetric encryption and signing.

Originally the certificates were simple "yeah, they are vaccinated" PDFs that people would alter, which was a pretty low bar.

In discussions like this I think we really need to frame this in the proper context. We're talking about a certificate saying that you did something that you could do for free, which has significant personal benefits, and even greater social benefits, and that a large majority of the public is entirely behind. Making a fake vaccination certificate is like making a fake Grade school graduation certificate -- if someone is at that point in their life, something has gone seriously wrong.

The demand for certificates was just trying to entice the small percentage of holdouts, and of those surely there will be some who will go to great lengths, including committing pretty significant crimes, to avoid it. That pathology can't be fixed easily.


The problem is that the people that are a) evil enough and b) technical enough to understand this will sell COVID passes for hundreds of dollars each.

Here in the NL there have been tons of people that sold COVID passes, some working at vaccination places, others working at testing places. Instead of hacking anything, they've just been committing regular fraud. The street value of these passes seems to be round €300 to €500. The government has been blacklisting these passes ever since they were first spotted, leaving many of their "customers" angry now that they can no longer fraud their way through the necessary checks.

The problem is not so much a technical one, as modern crypto is quite unbreakable. The pass in the article is based on RSA-512, which has been proven to be breakable all the way back in 1999. With elliptic curve cryptography the system can still remain unbreakable even with shorter keys that can fit into a small QR code, though space is rarely a problem with these codes anyway.


How did the government recognize the fake passes? Just asking so I can alert my government if I see them somewhere.


You can't tell from the signature itself, but one big group of people got caught with a vaccination record entered into the system from a company that exclusively takes tests.

I don't know the exact methodology the government uses to catch fraudsters, but from someone who just scans the certificates there's no way to find a fake record.

That is, a fake record that matches the person's ID card details. Here in the NL, that's your initials and your partial birthday. Most abuse is people using other people's certificates, which can trivially be caught by checking the necessary identification, as you're told to by the scanning app anyway.


Dear comrade, you can't.


It seems that actually nothing has had a meaningful impact on coronavirus spread.


> seems…nothing has had a meaningful impact on coronavirus spread

Not sure if trolling, but in case not, vaccination has had “a substantial impact on mitigating COVID-19 outbreaks” in America [1].

[1] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7709178/


The link you provided describes a simulation based on assumed vaccine effectiveness. It's also from 1 year ago. It doesn't seem to reflect any statistically backed insights into what's actually happened over the past year. Or am I missing something?


Trying to find some actual data, I googled "covid deaths by month" and I stumbled upon this: https://www.worldometers.info/coronavirus/coronavirus-death-...

Notably, the "Growth Factor" plot looks qualitatively very similar from April 2020 until now. Before then, the data looks more noisy to me but not necessarily different on average. I believe folk started getting vaccinated in December 2020? Based on that plot, it doesn't look like the vaccine is helping much for the death rate. Maybe that data source is not legitimate, or maybe "growth factor" isn't the right metric to look at?


"Covid deaths" are also a very meaningless metric where every country or region does whatever it wants. Excess deaths would be a better metric, but also hard to remove from there all the damage done by lockdowns, stress generated on the population, and by hospitals stopping attending other diseases in some places.


Why would you remove the excess deaths caused by hospitals not being able to handle non-COVID illnesses due to taking care of COVID patients?


Because those are dependent on the response to the disease, not the disease itself.


So what's the right available metric to look at that statistically quantifies the effectiveness of the vaccines? Or does one not exist?


Control groups. But most countries and trials seem decided to get rid of them as fast as possible.


The current virus has a natural growth factor that is about 3x larger than the OG. So vaccines are at least 66% effective if they are keeping it at bay. Probably more since lots of countries have very low restrictions compared to last year.


According to the following graph, deaths per 100,000 people are: 18 for unvaccinated, 3 for vaccinated, at the peak of the graph between July and October 2021.

Doesn't that tell us that vaccinations help to significantly reduce Covid-deaths?

https://ourworldindata.org/grapher/united-states-rates-of-co...


Thanks for the link. For fun I downloaded the referenced CDC dataset. One thing I noticed is that the fraction of deaths per case for the vaccinated population was higher than for the unvaccinated population until July, at which point it "snapped" to match for the rest of the dataset. It seems like a curious anomaly.

https://imgur.com/a/QGJqs0S


Were older and more venerable people being vaccinated early? They still are more likely to die if infected. Then a spread of vaccination to the general population. You would have to look at a breakdown of who was vaccinated at the time you saw the lower vaccine benefit.


I thought about that, but it seems like whatever changed must have happened nearly instantaneously. Looking at the plot, it's a rather pronounced step change.


Reduce deaths? yes. But it tells us nothing about reducing spread.


Good point.

Theoretically it could be possible that non-vaccinated infect fewer others than those who are vaccinated -- because unvaccinated more readily die after which they can not keep on infecting others. Nevertheless the goal is not to reduce infections but to reduce deaths and serious illness.

Here's an article which says that vaccination does reduce the risk of you infecting others. But this effect diminishes over time quite fast. That would seem like a good reason to get the booster.

https://www.nature.com/articles/d41586-021-02689-y


> Nevertheless the goal is not to reduce infections but to reduce deaths and serious illness.

Whose goal? There is no shortage of people and organizations that are trying to force others to vaccinate “to prevent spread”. As your link shows the effectiveness of this is dubious.


> Whose goal?

My goal. I assume also your goal. And I assume people who try to "prevent spread" do so because spread of Covid-19 causes death and serious illness.

There have been 799,276 Covid-deaths in the US during the short period it's been around. Almost 800k people dead. Dead. If there was no "Covid spread" those people would not have caught Covid and thus would not have died because of it.

To reduce Covid deaths and serious Covid illness you must try to reduce its spread. If you stop it from spreading you stop it from killing people.

https://www.worldometers.info/coronavirus/country/us/


That paper is purely based on a model with [optimistic] assumed effectiveness and transmission parameters. It does not consider any actual infection statistics to come to its conclusion.

I'd love to see a paper explaining why some two months ago cases were already at or approaching record highs in countries with 70-90% vaccination rates, like UK, Israel, multiple EU nations...Gibraltar is particularly interesting because it has a nearly 100% vaccination rate, yet the case rate continues to climb unabated. [0]

People are treating these vaccines as though they were sacrosanct and unquestionable. Meanwhile the pandemic continues nearly unabated and no, this is not a "pandemic among the vaccinated", despite the fervor with which certain interests have attempted to paint such a picture. Public UK data suggests that vaccinated individuals may actually be more likely to be infected some months after their second doses. But no one is talking about that...

0. https://www.worldometers.info/coronavirus/country/gibraltar/

1. https://vladtepesblog.com/2021/10/10/is-this-ade-uk-data-sho... - yes, it's a blog, but it links to the data for you to review yourself. Check the last two columns of the chart on page 13.

This wouldn't be the first time that humans failed to solve a complex problem, I don't see why it's so difficult for people to accept this possibility.


Right, and this is why I have a problem with employer enforced mandates even though I'm vaccinated. The government taking away your right to work and support yourself based on some pretty flimsy data about the public good for something that should be a personal decision. Fact is, the vaccinated really shouldn't be losing much sleep over the unvaccinated other than maybe those dirty people might be taking up an ICU bed when I need one.

Ok fine, you want to enforce this: then just man up and imprison the unvaccinated using force. Don't hide behind employers and make them do your dirty work. Taking away a person's right to work is only 2 degrees separated from making them dependent on the state. It's a fear tactic they're hoping they won't ever have to enforce--not that much different than holding a gun to someone's head.

At the end of the day you're never going to be able to make someone do something against their will. People who go against the mainstream will already suffer social consequences. If you have to do something with government resources then beef up the ICU beds.

While you're at it you may as well make it illegal to work if you're a smoker, or obese, or if you've ever had a car accident because those things may lead to eating up an ICU bed for some other person that stands on a higher moral ground.


Comparing failure to vaccinate with smoking or obesity is off the mark because it is not easy to quit smoking or overcome obesity. If there was an effective, cheap, safe and instant cure for smoking addiction or obesity and people refused to take it, societies would indeed be highly critical of those people consuming hospital resources.


Nah, it's really easy to never smoke. I've been not smoking my entire life. I think his comparison is dead on the mark. If people who choose to be unvaccinated can be vilified for taking up hospital beds, then so can people who choose to pick up a smoking habit.


It is not easy for me to vaccinate myself when I've had adverse reactions in the past.


Sorry to hear that, but that's a small minority of people. And I hope you've talked to your doctor about it --- we're lucky with COVID to have a variety of vaccines with different makeups to choose from.


You told sushsjsuauahab that he/she is a small minority of people. I'm sure that makes sushsjsuauahab and others who have their own (gasp) reasons not to get the vaccine feel better... See, it's this one-size-fits-all dictum backed by sanctions that's the problem. The vaccines help prevent sickness, but government policies hurt healthy people.


Dunno about other countries but in NZ you can apply for medical exemption from vaccine mandates. A panel of medical professionals evaluates your situation and if they agree, you get a vaccine pass that works the same as for a vaccinated person.


Sounds like a new Soviet Union.


So you can _apply_ for permission to take part in everyday life.

Great. It's a no from me.


Some countries have chosen the other way: they left the vaccination up to people, and now nobody can take part in everyday life because of lockdowns.


False dichotomy, lockdown is a choice.

I will never lock down.


throwaway55421: …and increase the number of deaths as the healthcare collapses? Or are there other options, unknown to me?


Sure.

I don't mind taking a 0.5% risk to avoid 1% of my life spent in lockdown.

Neither does my mother or grandmother.

It is not an axiom that an increase in death rates at the population level is bad, because people are willing to put their lives at a small risk in order to preserve some semblance of meaning in them.

This is a point lost on essentially every lockdown proponent as far as I can tell. They are fundamentally unwilling to accept differing value systems and seek to enforce theirs.


To mRNA vaccines?


> because it is not easy to quit smoking or overcome obesity

Eat... less?


I lean heavily into personal responsibility, but even I don't tell people struggling with addiction "have you tried NOT taking it?"


Why does it have to be easy?


The current situation in Auckland, New Zealand provides very good evidence of vaccines reducing spread, though I don't think it has been written up in a paper yet.

We've had < 10,000 confirmed COVID cases in Auckland so the vast majority of the 2M population cannot have natural immunity. Behavior restrictions have been relaxed gradually over the last two months, yet the COVID case numbers (which were increasing) have actually leveled out at an R value of around 1. Vaccination is the only thing that could plausibly have reduced that infection rate.


I wonder if seasonal variations have an effect. New Zealand is closing on summer, which my understanding was less bad in Europe.


Auckland's climate is pretty mild year-round.

Seasonality is a confounder, for sure, but I haven't heard any experts claim it as an explanation here.


In my state the vaccination rate is above 70% and the hospitalization rate has decoupled from the positive rate. The spike this winter ended in October whereas last winter it didn’t end until January. We’ve been on a downward trend even with shows and restaurants open and people having parties. So I would cite that as evidence the vaccine is protecting our population.


Or perhaps people are acquiring immunity through contact since the majority of cases have been known to be mild or asymptomatic since the pandemic started? And/or the virus is mutating into less infectious substrains?

Cold/flu viruses come and go. This virus will do the same. People will see it as evidence that the vaccines worked when in reality the pandemic very likely would have ended without them, yet here we are facing mandates...


I like this site for COVID data: https://covidactnow.org/

At a glance, infection rates and vaccination rates seem to be uncorrelated at best.


Current vaccines are non-sterilizing and therefore do not effectively stop the spread/transmission of SARS-CoV-2 (the virus) but are very effective at preventing the disease the virus causes (COVID-19). Initially the vaccines were able to keep viral loads low enough to meaningfully stop the spread, but the Delta variant resulted in far higher viral loads and removed that advantage compared to the original virus.

Arguing that the infection rates are uncorrelated is one thing, but serious illness and death is what we really need to care about with this virus. And for those metrics, vaccination is highly-correlated to better outcomes.


That’s a common error, reused by antivaxxers. They are indeed because even what we consider relatively high infection levels are just enough to get 15-20% of the population infected per year. This is less than the part of unvaccinated people. That’s why having a very high vaccination rate is critical to kill COVID. Above this threshold you’d see the infection rate affected. Still, vaccinations are good strategies because they still reduce infections, or at least severe forms of it. Without it in many countries would have been totally saturated by Delta.


The current standard all provinces have switched to uses "Elliptic Curve keys using the P-256 curve", does it not?

https://spec.smarthealth.cards/


I think the concerns were more regarding key theft than a cryptographic attack.


No one has actually scanned my QR code so far, only scrolled down to see it say "two doses". So it doesn't matter.


Random question, but related: Like this example, I see lots of other applications that require a QR code storing binary data and choose to encode this data as Base64 (or others) and then add it to an ASCII-only QR code format. Why don't they use a binary-mode QR code? Compatibility?


The EU's Digital Green Certificate [1] uses Base45, which I think they basically invented. They do this because "even in Byte mode a typical QR-code reader tries to interpret a byte sequence as a UTF-8 or ISO/IEC 8859-1 encoded text."[2] They use the 45 chars allowed by the alphanumeric-mode IIRC.

[1]: https://github.com/eu-digital-green-certificates/dgc-overvie...

[2]: https://datatracker.ietf.org/doc/draft-faltstrom-base45/


Wait, why are they using 45 characters to encode 16 bits when you only need 41?

Especially when they could have avoided % and space.


Well, tbh, I don't know the reason, I can only speculate. It is meant to encode pure binary data (cbor) and not to be human readable or URI or anything like that. It is specifically designed for QR Codes. I read through some Github issue [1] just now and as far as I can tell, it is more or less a design oversight, which might be remedied by a later version.

[1]: https://github.com/ehn-dcc-development/hcert-spec/issues/64


> It is meant to encode pure binary data (cbor) and not to be human readable or URI or anything like that.

Well the reason to care is to avoid QR decoder quirkiness, otherwise you should probably just use the binary encoding.

> I read through some Github issue [1]

According to a comment near the end they were originally going to try to pack everything as a single base 45 bignum, so that half explains it. But not why they'd stick with 45 characters when changing that.


> The reason for representing Health Cards using Numeric Mode QRs instead of Binary Mode (Latin-1) QRs is information density: with Numeric Mode, 20% more data can fit in a given QR, vs Binary Mode. This is because the JWS character set conveys only log_2(65) bits per character (~6 bits); binary encoding requires log_2(256) bits per character (8 bits), which means ~2 wasted bits per character

https://spec.smarthealth.cards/#encoding-chunks-as-qr-codes


Whoever wrote this makes my head hurt.

If you were using binary storage, you wouldn't use "the JWS character set" (aka base64). You'd store it directly and have 0 wasted bits.

Also, they're not acknowledging the bits wasted by their current system. Numeric mode in QR codes spends 3.33 bits per digit. At two digits per character, they're spending 6.67 bits to store only 6 bits of information.
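An added example, not part of the thread and not code from either specification: Base45 as described in the draft linked above, the Smart Health Cards digit-pair encoding, and the QR data bits each option spends, which puts numbers on both the Base45 sub-thread and the 6.67-versus-6 bits point. Function names and the 300-byte payload are constructed for illustration; bit counts cover only segment data bits (no mode indicator, length field or error correction).

```python
import base64

# QR alphanumeric-mode character set; Base45 reuses it as its alphabet.
B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"


def b45encode(data: bytes) -> str:
    """Two bytes -> three characters (little-endian base 45); a trailing byte -> two."""
    out = []
    for i in range(0, len(data) - 1, 2):
        n = data[i] << 8 | data[i + 1]
        n, c = divmod(n, 45)
        e, d = divmod(n, 45)
        out += [B45[c], B45[d], B45[e]]
    if len(data) % 2:
        d, c = divmod(data[-1], 45)
        out += [B45[c], B45[d]]
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Strict decoder: rejects foreign characters, dangling characters and
    groups whose value does not fit in the bytes they stand for."""
    out = bytearray()
    for i in range(0, len(text), 3):
        chunk = text[i:i + 3]
        if len(chunk) == 1:
            raise ValueError("dangling Base45 character")
        if any(ch not in B45 for ch in chunk):
            raise ValueError("character outside the Base45 alphabet")
        n = sum(B45.index(ch) * 45 ** k for k, ch in enumerate(chunk))
        if n > (0xFFFF if len(chunk) == 3 else 0xFF):
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(len(chunk) - 1, "big")
    return bytes(out)


def shc_numeric(jws: str) -> str:
    """Smart Health Cards: each JWS character becomes the two digits of ord(c) - 45."""
    digits = []
    for ch in jws:
        v = ord(ch) - 45
        if not 0 <= v <= 77:  # '-' is 00, 'z' is 77
            raise ValueError(f"not a JWS character: {ch!r}")
        digits.append(f"{v:02d}")
    return "".join(digits)


def qr_bits(mode: str, n: int) -> int:
    """Data bits a QR segment needs for n characters in the given mode."""
    if mode == "numeric":        # 3 digits -> 10 bits, 2 -> 7, 1 -> 4
        return 10 * (n // 3) + (0, 4, 7)[n % 3]
    if mode == "alphanumeric":   # 2 characters -> 11 bits, 1 -> 6
        return 11 * (n // 2) + 6 * (n % 2)
    if mode == "byte":
        return 8 * n
    raise ValueError(mode)


def min_alphabet(bits: int, chars: int) -> int:
    """Smallest alphabet size whose `chars`-character strings cover 2**bits values."""
    k = 2
    while k ** chars < 2 ** bits:
        k += 1
    return k


def compare(payload: bytes) -> dict:
    """QR data bits needed to carry the same payload under each scheme."""
    b64 = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    return {
        "raw_byte": qr_bits("byte", len(payload)),
        "base45_alnum": qr_bits("alphanumeric", len(b45encode(payload))),
        "b64url_numeric": qr_bits("numeric", len(shc_numeric(b64))),
        "b64url_byte": qr_bits("byte", len(b64)),
    }


if __name__ == "__main__":
    # Constructed stand-in for a signed, compressed certificate payload.
    sample = bytes(i * 7 % 256 for i in range(300))
    for scheme, bits in compare(sample).items():
        print(f"{scheme:15} {bits:5d} bits  ({bits / (8 * len(sample)):.3f}x raw)")
    print("alphabet needed for 16 bits in 3 chars:", min_alphabet(16, 3))
    print("JWS header prefix 'eyJ' as SHC digits:", shc_numeric("eyJ"))
```

For the 300-byte sample, raw byte mode is the floor; Base45 in alphanumeric mode costs about 3% more, and the base64url-to-digits route about 11% more.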


Almost always technical incompetence, I think.

At some level "compatibility" is correct. System 1 outputs binary data, system 2 takes that and turns it into JSON, system 3 encodes that in base64, system 4 turns that into QR codes, and system 4 was what was mandated for producing all of the organisation's QR codes.


Perhaps so that generic QR code scanners can parse it and then know to forward it along to the appropriate app?


The most common reason is probably because it’s easier to develop, debug and test code that outputs ASCII strings rather than binary blobs.


It's a weird situation, but it's very obvious with HC1 and SHC cards.

It starts with JWT. JSON is a human readable format (in utf-8), if humans don't need to read, the data could be binary, and the format could be exact. JSON isn't an exact spec, which is mostly inherited from JavaScript (there's no such thing as an integer only floating point, so 1e3==1000==1000.0==1.00e3 in human-readable form, as a stored number they are identical). Then there's differences in white-space (new lines, indentation) - although this could likely be overcome with convention. Because of this the JWT creators said instead of signing the data, we'll sign the exact representation in the payload - but of course with white-space and formatting variance (including deserialize/serialize loops changing representations, or - in the case of bearer tokens, the HTTP spec allowing newlines/white space to be inserted at the protocol level) they had to encode it as non-human readable (base64). Now everyone agrees you're signing that exact Base64 representation of the JSON object. But! We've built a(n arguably verbose) human readable format that isn't readable by humans.

The SHC spec (common in North America) actually holds a JWT that's signed by an elliptic curve private key. You can validate the signature with a public key. The public/private choice here is great, the JWT is terrible.. they've doubled down on the mistakes. Further to keep the QR smallish, they zipped the payload portion (which is supported by JWT - this is done before the base64 stage), and use only the minimum QR resilience setting (which is fine if it's on a screen, if it's printed this may lead to reading problems). Now we have human readable (JSON) compressed in machine readable (deflate) in machine readable (base 64) in machine readable (QR) - for machine reading purposes. They didn't even trim the fluff (every SHC begins with 56 because.. you guessed it, the `{` character), or use sensible choices (they don't use IssuedAt/iat, but NotBefore/nbf to indicate the generation date). Anyway, SHC (reasonably) noticed because of the (mostly) base64 encoding the character set is only 64 characters (6 bits) which doesn't use the ASCII space (7 bits) very well, so they store the first 'shc://' in ASCII and the rest is a number (there are three modes in QR: ASCII, binary, numeric - the density loosely matches binary representations - a numeric digit (0-9) takes 4 bits, ascii char takes 7 and binary takes 8).

ASCII doesn't support the world very well, UTF8 isn't supported by QR (except as binary).

In the SHC case, because it's signing a specific format/output of the JSON data, it doesn't have the white-space formatting concerns that JWTs have to overcome. If they wanted to stick with a JWT like format (JSON object), they could have skipped the base64 before sign step, at which point they might as well get rid of the header (we're no longer to JWT spec), deflate the message to be signed, and put the signature after the deflated message. All the same data, less of the overhead, and better use of the binary space.


It doesn’t make any sense to me why they gzipped the data. I’ve looked at a few real world DGCs and the “compressed” output was actually larger than the original data! Just adds more complexity for no purpose…


Real talk: are people saying they wanted this to be secure? If we are going to do this "vaccine paperwork to do anything" regime, I wouldn't want it to be some super secure mechanism that had digital proof of personhood provided by some government entity with an unhackable key! This key size frankly seems like the perfect balance: it took some months for someone to get around to breaking it, and then it took some months for a service that used that cracked key to become popular enough to make a real impact on safety, and maybe maybe just maybe soon we won't need this anymore, and none of these existing digital records will be trustable... and, if we are stuck doing this for another year, we should roll another weak key. (If nothing else, if you make an actually secure mechanism that ties a person to their vaccine record with a signature, you just know that tomorrow some WorldCoin-like company is going to try to use it for some stupid crypto "airdrop" ;P.)


Why though when it's very little effort to use a stronger key? What's the downside?


Dystopian sci-fi is for mental immunization, not emulation.


Dystopian sci-fi is when carefully crafted internet memes convince people to kill themselves and each other en masse. We're well past that point.


What do you mean by that?


Anyone knows if this is applicable to Covid passes used in the European Union as well?


From this [0] list it seems there are a bunch of RSA root certificates, but they all use RSA 2048 or 4096, both of which are still secure (with 4096 having diminishing returns compared to RSA 2048 [1]).

The article was about RSA 512 which has been known to be weak and crackable for a long time [2].

[0]: https://github.com/eu-digital-green-certificates/dgc-partici...

[1]: https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa40...

[2]: https://it.slashdot.org/story/99/08/29/0213230/512-bit-rsa-k...


EU is in discussions right now to expire COVID passes unless you have had recent vaccines i.e. booster shots. Which means any security mechanism that is defeated will just be fixed every 9 months.

Seems like a lot of hassle for a vaccine that is safe and will save your life.


source....?


France announced it two days ago, starting in mid January the health pass will only be valid if less than 7 months have passed since your second dose, if it's more than that you need a booster. I don't know how they'll implement this technically.


The private keys for the European Green Pass have been leaked and fake passes signed with the keys are being sold on the dark web.

https://threatpost.com/eus-green-pass-vaccination-id-private...


>UPDATE: French & Polish authorities found no sign of cryptographic compromise in the leak of the private key used to sign the vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler, et al.

Afaik it was a leaked login, not a leak of the keys.


Shouldn't they have a record of all the things they signed?

I would expect them to know where and when that Adolf pass was generated


The keys were not leaked but the web interfaces that allowed generation of these certificates were left open and accessible.

Passes have been sold (through the clear web and the dark web) but many have also been revoked since. As far as I know, the certificates being sold right now are either someone else's certificate (for places that don't check your ID when you walk in) and certificates generated by people working for places that also give out legitimate certificates, such as some pharmacies and hospitals.


The private keys were NOT leaked.

There have been fraudulently obtained passes sold on the dark web. There have also been numerous arrests throughout the whole of Europe for this.

The vast majority of the dark-web suppliers are scammers - many of the adverts include a mix of QRs people have posted to social media and a large number of example QR. Including examples that I have generated in the past and used in presentations / on github.


Why not just charge the unvaccinated with attempted manslaughter or reckless endangerment and put them all in jail? /s


Ah yes, repeat the evil dark web narrative. As if a VPS in Russia would get you into trouble. Criminals will be criminals, also if tor etc. wouldn't exist and non-criminals wouldn't get to be anonymous, too.


They haven't been revoked yet?


Some have, but not all... yet.


lmao we use pieces of paper with no safeguards, even with a cryptographic break Hanoi is leagues ahead of us


I wonder if these tools will be required after the pandemic to only offer services and entry to citizens with documentation.


> Although the code was provided, we took around 2 days to get this running since the code was written back in 2015. Some libraries are not currently supported forced us to make several changes on the code. The project was then running smoothly.

Why not use a VM with older libraries and tools ?


Looks like the source code is meant for Amazon's EC2, so it was depending on the python/libraries on the EC2 back then, 5-6 years ago.


> 5-6 years ago.

Why does it still surprise me that most software companies treat backwards compatibility as a joke?


Doh, of course. Thanks :).


Here is how government-issued QR codes (not only vaccination ones) work in my country: it's just a link to government site.

Why reinvent crypto, PKI and all? Also solves updates/invalidation issues.


If you want to minimize the time people spent waiting in queue to have these passes scanned, an offline validation method makes a lot of sense. Also optimizes time spent in queue while site is down or overloaded.


Offline method also helps with privacy, as there is no central online database where the validation requests can be observed.


Here is the New Zealand version - https://nzcp.covid19.health.nz/#examples


does not surprise me, in the future there will only be two governments in the world, polarization will become the norm. each party will think they are right. it will be an umbrella me echo chamber. but it will only exist online. it will manifest in real life but people who dare or who are brave enough to understand someone outside of their comfort zone will quickly realize that we are not 1’s and 0’s within a machine.


Offline first seems such an oversight from contact tracing perspective.

Also NFC tags could’ve been better solution, but probably would’ve sent too much Bill Gates vibes.


From what I've been able to gather, these QR code systems are mostly based off of the WEF's Commonpass digital identity standard (either directly, or inspired by), which seems to be a graduated version of the ID2020 project (many of the same ideas and sponsors).

The projects are meant to present a standardized format for the provision of easily validated information about an individual in environments where low-end hardware is common and internet connectivity is unreliable.

The QR code was chosen as the standard form of information transfer because it can be printed on paper and remain easily validated if someone lacks a device to put it on.

The codes aren't primarily meant to control pandemic spread, this just happens to be the first thing driving their widespread adoption.


Credit cards are widespread (esp in places that bother with covid passes) and where I live something like 90% of payments are contactless. Takes about 5 seconds.

Cynic in me says - just disable cards for the unvacced at specific venues…


It is easier to find someone who gives you just papers and flushes your dose out. But anyway... Proof of anything based on digital ID is pointless and should be abandoned as soon as possible.


Security theatre, like washing streets with chlorine solution


https://www.nytimes.com/2021/05/07/opinion/coronavirus-airbo...

In hindsight, the washing was overreaction, but you do have to realize there wasn't enough knowledge in the beginning, and people were assuming the virus was like the influenza virus, and we usually (at least the common wisdom was) catch influenza through touching snot-laden surfaces. It didn't help when China was saying things like they found some viruses on surfaces after 3 days. Sure, but how much virus, i.e. would they be enough to make you sick? The lack of information also made the virus like a super monster, where any trace of it could be deadly...

Now that we've figured out the virus is airborne, I'm a bit disappointed that governments haven't focused on good ventilation, but still on disinfecting and keeping distance. Where I live the bus can be full of people but it seems the governments are saying "It'll be fine to sit so close to each other if you have a mask on", and people also don't know any better...


I remember early articles about how long virus stay on different surfaces. 30 days on metal, 20 days on plastic, 10 days on wood, etc. Also governments tried to convince us that we should wear masks alone in woods or cannot go out in night. Same governments told us that vaccination end spreading virus. It was all lies but still most people believe those lies because propaganda of fear is strong. Today... We still don't know origin of virus. Seriously, this is total resignation on common sense, science, logic, rationalism, etc. It is all about emotions and feelings.


> It was all lies but still most people believe those lies because propaganda of fear is strong.

No, it was all evolving knowledge of an ongoing situation involving an unknown virus, with the initial outbreak happening in a not very transparent country. Many people haven't bothered to keep up with the latest information, even with the efforts of local health authorities to bring that information to them.

> We still don't know origin of virus

Yes, and? Would that change anything in our understanding of it and how to combat it? Or do you just need someone to point a finger at and say it's all been their fault? Even in that case we'd still have to combat spread and hospitalisations (which vaccines help with). In any case, I personally doubt we'll have a conclusive origin story of the virus. It has been more or less (as much as possible) conclusively confirmed that it came from around a Wuhan wet market, but it'd be pretty much impossible to retrace the steps of random animals there and the event(s) that passed it to the initial humans after so much time has passed and so many have died.


Of course we need to know origin of virus. Man made virus is bioweapon. No matter if you think it is conspiracy theory or not. We need proofs and transparency both on virus origin and vaccine development.


It's only a bioweapon if it was made on purpose with the goal of using it as a weapon, and nobody serious is suggesting that. If it was made in a lab to study coronaviruses, as some people claim, it's not a bioweapon, it's a biomistake, biotragedy, bionegligence if you will, but not a weapon.


Why do you think that anyone serious should suggest that? Who is serious for you? Governments? Google? TV?

It could be just business. We have never ever before vaccine on new virus after 3 months. Censoring any other opinions than "in vax we trust" agenda in serious media just support this narrative.


> we found all hard-coded Public keys were using RSA 512

> Next, the data was hashed using a custom hashing algorithm developed by lachongtech.

Yeahhhh.....soooo.......


Well done, great job!


[flagged]


Choosing not to be vaccinated is a harm to society. Being vaccinated isn't just about protecting yourself. It is people's choice not to be vaccinated, and they're responsible for the consequences of that choice, including not being allowed in spaces where they're a hazard to others.


No, stripping unvaccinated people of their fundamental freedoms (as happened in countries like Lithuania and Austria) is a harm to society. More than harm, it's a complete disintegration.


High on that list of fundamental freedoms is the right of free association.


ridiculous dodge. if you want to bar your unvaxxed family from coming to thanksgiving or christmas, go right ahead. the point of a mandate is that it's MANDATED, top down, where businesses don't have any choice in the matter.


Would you agree that every business should be allowed to welcome unvaccinated patrons if they want to?


[flagged]


"how is shooting one person worse than shooting two people?"

how about we don't shoot anyone.


If you have the magic recipe for curing everyone that gets sick, I am all for it.

Because metaphorically "not shooting anyone" does not equate to not having a lockdown, if that results in hundreds of literal deaths every day.


Because first we were told "two weeks to flatten the curve and slow the spread". We were also told we didn't really need masks. Then we were told, as late as last October by CNN, and even later by the new guy himself, we should be scared of the new vaccine, because it was released super fast, and endorsed by the last guy.

Then the new guy came in and even though he had nothing to do with it, suddenly, in the blink of an eye, the vaccine was super awesome, a heaven-sent miracle cure. 99%+ effectiveness! Take it now, you anti-vaxxer! Wait, you're scared? Low-IQ retard, forget about the FUD we spread before the election, we were just kidding. ;-)

And besides, well, the vaccine is so awesome that even though I got this awesome injection, I'm still afraid of getting COVID, so you still need to get it, even though it's super effective, and I'm going to treat you like dirt until you get this vaccine. Which will totally eliminate COVID, we promise. Because I have total faith in this vaccine I want to force you to get because I don't want to interact with unvaccinated people because I might get COVID and get sick despite this amazing vaccine, because I've never gotten sick before COVID.

So then we were told we needed no more masks. Which it turns out, caused even more of a spread (but it's okay, because new guy), because guess what, the vaccinated spread almost as easily as the unvaccinated. So now you need to show your vax card to get into places, because the vaccinated can't spread COVID... oh wait.

Then we find out the vaccine dips hard, real hard, in effectiveness after a few months. Oops. But now you still need to get it or you're fired. Show your papers, comrade. Why didn't you get your 12th booster yet, fellow citizen?

See what I'm getting at? Basically, we're tired of listening to you, and we're not going to anymore. What will time prove you wrong about next? My guess: we're going to find out for certain that COVID will never go away, and is here to stay forever, just like the flu.


yep. it's difficult to understand and people are scared. the jokers at the top aren't helping things. switch them off.


> by CNN

Why are you taking your info from fake news?


Most people who favor the COVID vaccine being mandatory to participate in life trust CNN. If you distrust CNN, you're probably already opposed to the mandates.


That's a ridiculous narrative for covid where vaccinated people are marginally less contagious than unvaccinated people.

The main benefit of the covid vaccine is reducing symptoms when you get covid and reducing hospitalisations.

If you are worried about getting covid, vaccinate yourself. That's it, you don't need anyone else to be vaccinated.


"immunisation with either the Pfizer or AstraZeneca vaccine reduced the chance of onward virus transmission by 40–60%" [1]

That is not marginally less and which is why people should be vaccinated. Also unvaccinated people place significant strain on the hospital system preventing elective surgery and increasing my costs as a taxpayer.

[1] https://khub.net/documents/135939561/390853656/Impact+of+vac...


[flagged]


a) There are still soaring case rates because vaccination rates are not 100% and you have waning immunity. People who are dying are the ones who are unvaccinated. But you will still get breakthrough cases which nobody has ever denied will happen.

b) If you have some independent study which proves your statement that vaccines only "marginally" affect transmission then please post it.


https://eugyppius.substack.com/p/ukhsa-vaccine-surveillance-...

case rates are as high or higher among the vaxxed in every age group that matters.

as for 100% vaxx rates as our way into the promised land: a) lmao and b) this is unfalsifiable. we could get up to 99.9% vaxx rates and corona fanatics like you would still say it's the intransigent 0.01% holdout are keeping us from crossing the finish line. you are just like every other ideological zealot who dismisses the empirical failures of their ideas (nazism, communism, etc) by saying all those real life examples weren't really the True Ism, and that we would have immanentized the eschaton already if not for all those pesky people with their free will.

not to mention there are stable wild animal reservoirs of the virus and those are never going away.

again, you haven't made any coherent argument as to why I can't just look at the case rates by country and compare them to vaxx rates and draw the obvious conclusion. am I not allowed to say the sky is blue without a peer reviewed study?


> so why are there still soaring case rates in the countries with the most vaccines?

Vaccinated people are not submitted to the same constraints (such as mandatory tests for accessing this and that) so carry the virus in more places favourable for transmission. They also don't worry as much about getting the virus (at the same time rightfully so and not rightfully so), so they give up on taking the precautions they took the previous year, and they also do not take a test when symptoms arise but remain light. All this unfortunately compensates for the fact that, individually, they are less subjected to spreading the virus.

Over here, when a vaccinated person tests positive, their pass is not even revoked :-/ Also, in order to promote vaccination, tests which were free have been made paying for non-vaccinated people; so as a perverse result, non-vaccinated people now test less, thus spread more too.

Basically, the current attitude (both individual and official) seem to imply that it does not matter any more to care about spreading the virus, so long as you are relatively/fairly protected against the consequences. I don't think this is going to turn well, but...


>Vaccinated people are not submitted to the same constraints (such as mandatory tests for accessing this and that) so carry the virus in more places favourable for transmission. They also don't worry as much about getting the virus (at the same time rightfully so and not rightfully so), so they give up on taking the precautions they took the previous year, and they also do not take a test when symptoms arise but remain light. All this unfortunately compensate for the fact that, individually, they are less subjected to spreading the virus.

this is complete conjecture and moreover the conditions vary by place. for my part (in england) there are no meaningful restrictions on anyone whatsoever, so this can't be the explanation. I've also heard completely opposing theories, that the _un_vaccinated aren't worried about getting the virus so they don't get tested. you can spin any theory you want. nobody knows shit.

(by the way, england currently has the lowest case rates out of the four UK countries + ROI, despite those other jurisdictions having coronapass regimes of varying strictness)


> That's a ridiculous narrative for covid where vaccinated people are marginally less contagious than unvaccinated people.

Almost two years in and people still don't understand that there is a difference in severity of an infection. When vaccinated, you are much less likely to develop severe symptoms and very unlikely to have to get hospitalized.


I don't know what you're after but that's literally what the sentence after the one you're quoting is saying.


Not after anything. I think I just stopped reading before that.


> If you are worried about getting covid, vaccinate yourself. That's it, you don't need anyone else to be vaccinated.

What if I'm worried about healthcare system collapse by surge of unvaccinated people, resulting in disruption of non-covid-related medical care? This disruption can even last after the epidemic ends, as the medical staff is burning out and quitting. (this is happening right now in .cz)


Privatise the health system so that it can be more flexible and provide treatments in a more elastic manner (not necessarily in big expensive hospitals).

Deregulate until things are sane if you live in the USA where the government and insurance companies propped up the prices ridiculously.

I'm sure that if you prevent non-vaccinated people not to go to public hospital, they will gladly comply.

But I don't think covid is a battle we will win with vaccines, the virus mutates fast and the effectiveness drops pretty fast. As of the latest figures I'm reading in the newspapers, 40% of people in ICU because of Covid are vaccinated, 60% are not.

Hopefully some medication will come up to cure the symptoms, like remdesivir.


You do realize that vaccinated people catch and spread it so what you are saying is simply ignorant. Turn off the TV and do some research on your own.

* https://www.medrxiv.org/content/10.1101/2021.09.28.21264262v...

* https://lc.org/newsroom/details/110121-lancet-study-finds-co...

* https://www.cdc.gov/coronavirus/2019-ncov/vaccines/fully-vac... ("Fully vaccinated people who do become infected can transmit it to others.")

* https://www.bbc.com/news/health-59077036

* https://www.theguardian.com/world/2021/oct/28/covid-vaccinat...

* https://www.nature.com/articles/d41586-021-02187-1


Deliberately scheming to sneak a deadly virus into a populated area is practically an act of war. At the very least it’s murder.


While I agree with you in principle, in this specific case smokers have an advantage; it is harder for them to get covid. So here it is not exactly motivating to stop smoking.


That was the case with alpha but delta viral load blew that out of the water.


> Good! Keep it up. Let things be, enough of this vaccine pass comrade BS.

You're going to get heavily downvoted, but I totally agree. The vaccine pass is a complete farce. I even have non-technical friends that have faked vaccine passes. For someone even remotely technical, it's trivial to Photoshop.

If only we had the same fervor when it comes to demonizing weight gain, we could save 10x more lives.


If only there was a super cheap, safe, effective and instant medical treatment that could prevent obesity or at least its negative health effects. Because if there was, and yet obese people refused to take it and consequently soaked up a lot of health-care resources, you can be sure they would be demonized just as much as people who refuse to take COVID vaccines.


[flagged]


You've explained the parent's joke ;)


5+ million people have died from COVID.

Despite having most of the world being under lockdown as well as increasing vaccination. Without those measures it could easily have been hundreds of millions.

It is ridiculous and baseless to compare it to obesity which is not causing any significant strain on the hospital system like COVID is.


> It is ridiculous and baseless to compare it to obesity which is not causing any significant strain on the hospital system like COVID is.

Wrong[1][2][3][4]. I get that it may not be politically convenient for you, but let's not mince words: obesity is killing many more people than COVID ever did or ever will.

[1] https://www.cardinalhealth.com/en/essential-insights/obesity....

[2] https://www.npr.org/templates/story/story.php?storyId=111302...

[3] https://www.the-hospitalist.org/hospitalist/article/123191/o...

[4] https://www.theguardian.com/society/2018/apr/04/obesity-putt...


> 5+ million people have died from COVID.

This is a shit metric, deliberately designed to mislead. The real metric that matters is years of life lost (YLL).


weight gain isn't contagious


Actually, it is, as it tends to be intergenerational[1]. Parents that don't care about their health will raise kids that don't care about their health.

[1] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5305001/


Furthermore, even outside of an immediate family, the more overweight people are, the more socially acceptable it becomes, resulting in more obesity.

There’s also the massive costs to our healthcare system and insurance premiums.


And yet obesity whilst being a problem for decades has not caused an epidemic of obese people.

Why is that? Because obesity is not contagious and most people don't make decisions about what they eat and their activity levels based on choices other people make.


> And yet obesity whilst being a problem for decades has not caused an epidemic of obese people.

Really? Over 40% of US adults being obese[1] is not an epidemic?

[1] https://www.cdc.gov/obesity/data/adult.html


I know this may come as a shock but the world is bigger than the US.

COVID strikes people of all backgrounds not just those from wealthy countries who can afford to eat well.


obese people suffer worse outcomes from covid


That's not what contagious means.



[flagged]


Please post photos of yourself.

Would help us to put in context what aesthetic perfection looks like.


only if you post evidence of your possessing qualia (I have severe doubts)


Photoshop? Where do you live that the passes are not cryptographically signed?


Physical Covid certificates are also not secure at all.

They are easy to copy or fake.

Any scheme which simply puts a cryptographic number on some physical card - or behind a regular QR - is not secure. A simple photocopy will work just as well as the original. Not to mention Photoshop.

But there is actually a new way to make physical things - like printed Covid vaccination cards - provably unique and authentic.

Much more powerful than holograms and also much more secure, unclonable and authenticatable.

Take a look at Blocktag (blocktag dot com) - Next gen QR codes that anyone can print, yet cannot be counterfeited. And of course linked to blockchain and ready for physical NFTs too.


The QR codes in Germany include your name and a digital signature. You can photocopy them, but the photocopy doesn't work for another person (if the venues would actually ask for your ID).


There is another problem even after asking for your ID - how can they verify it's you (based on the photo on the ID) when you have a face mask?


They ask you to take it down momentarily to check your face. Come on now, a kid could have thought of that and it has been used for months (just go to an airport or whatever).


Here in Switzerland and the EU your name is encoded in the signed QR code. If you photocopy a pass your name won't match and everywhere you go you must show ID with the pass.

For places that are 3G you have the option in the app to not disclose your vaccination status in the code. So the scanning entity will know if you have one of the 3 possible requirements. Vaccinated, recovered or tested.


usa has a real problem with this, afaik there is no way to get a duplicate/back up of your hard copy vaccination record. so i’m supposed to carry a piece of paper with me, and not lose it, i guess that’s what makes it a passport.

meanwhile ime most places with vaccine requirement accept a photo on my cell phone - not exactly cryptographically signed stuff over here.


You can get a real passport replaced, though.



