When I saw how dense the European Covid Green Pass QR code is, I got immediately curious: "WOW, there must be a lot of interesting data in here". So, I started to dig deeper and I found that there's really a great wealth of interesting encoding and verification technologies being used in it! In this talk, I will share what I learned! We will go on a journey where we will explore Base54 encoding, COSE tokens, CBOR serialization, elliptic curve crypto, and much more! Finally, I will also show you how to write a decoder for Green Pass certificates in the most hyped language ever: Rust!
4. We are business focused
technologists that deliver.
| |
Accelerated Serverless AI as a Service Platform Modernisation
We are hiring: do you want to
?
work with
us
loige 4
5. loige
🦀I'm learning Rust as a hobby...
Live streaming my attempts to crack Advent of Code in Rust (with
and ): /
@gbinside @88_eugen Twitch YouTube
Wrote articles:
a few
How to to_string in Rust
Rust shenanigans: return type polymorphism
Where to go to learn Rust in 2021
Published (simple) crates: , , ,
a few jwtinfo allwords gmaps-static dgc
5
6. Disclaimers
loige
🤓I am not involved with the DGC working group
😢COVID has been tough on everyone,
we'll try to focus only on the tech here!
6
7. Agenda + Goals
loige
1. Needs and principles
2. 🗝Cryptographic model
3. 📦The data
4. 🧅Layers of encoding
5. 🛠Decoding in Rust
🤨Learn some cool technologies
🧐Learn a tiny bit of Rust
🤓Be nerdy and have fun!
7
8. The need for a digital
certificate in the COVID age
loige 8
9. The need for a digital
certificate in the COVID age
loige
😷We need a system to quickly provide a proof against COVID
(Vaccination, negative test, proof of recovery)
It needs to be personal, easy to carry around (digital),
easy to issue and to validate
🌎It needs to be secure against forgery and work across countries
9
10. The EU Covid Green Pass
a.k.a.
Electronic Health
Certificates (HCERT)
loige.link/hcert-spec
loige 10
11. Electronic Health Certificates (HCERT)
Requirements & Guiding Principles
loige
✍Signed data with machine readable
content
📃Use compact encoding
🤲Based on open standards
11
13. Asymmetric cryptographic signatures
loige
🤫 Private Key 📢 Public Key
101010101000101010010... 0101010101010101010101...
The owner of the
private key signs the
document
Anyone can validate the
signature using the
public key
13
14. What's inside a certificate?
loige
DGC container
Cryptographic header (Key Id,
Algorithm)
Cryptographic Signature
Header (Issuer, Issue date, expiry date)
14
Certificates list
vaccine, test, or recovery data
Personal data (name, surname, DoB)
22. loige
loige.link/base45-rfc
"A QR-code is used to encode text as a graphical image. [...] QR-
codes cannot be used to encode arbitrary binary data directly. [...]
Compared to already established Base64, Base32 and Base16
encoding schemes [...], the Base45 scheme described in this
document offer a more compact QR-code encoding"
Base45
22
25. Zlib compression
loige
"zlib is designed to be a free, general-purpose, legally
unencumbered -- that is, not covered by any patents --
lossless data-compression library for use on virtually any
computer hardware and operating system"
zlib.net
25
31. JSON
loige
A schema-less data format where a value can be:
Null
Boolean
Number
String
Array
Object
null
true
-17.34
"A programmer walks into a bar..."
["foo", 1.23, null, false, [22]]
{"foo": "bar", "manyvals": [1,2,3], "nested": {}}
31
32. CBOR
loige
A schema-less binary data format where a value can be:
Null
Boolean
Number
String Text
Array
Object Map
F6
F5
fbc031570a3d70a3d7
7820412070726f6772616d6d65722077616c6b7320696e746f2061206261722e2e2e
8563666f6ffb3ff3ae147ae147aef6f48116
a363666f6f63626172686d616e7976616c7383010203666e6573746564a0
32
37. CWT
loige
Like but for CBOR
JWT
loige.link/cwt-rfc
Defines a protocol for transferring claims between parties
CBOR Web Token
Claims are digitally signed for authenticity
37
38. CWT
loige
A CWT is made of 4 parts:
Protected header
CBOR Web Token
Non protected header
Payload
Signature
38
39. CWT
loige
A CWT is encoded as a (tagged) CBOR array with 4 values:
Protected header (binary string)
CBOR Web Token
Non protected header (map)
Payload (binary string)
Signature (binary string)
39
67. A better (& more complete) implementation
as a Rust library
loige
github.com/rust-italia/dgc
67
68. Exercise for the viewer:
Try to validate the signature
loige
🔑You can get the Public Key from the certificate
here: loige.link/green-examples
📑Here you can find more about how the
CoseSign1 protocol works: loige.link/cose-sign-
verif
📦You could use a crate like for crypto!
ring
(Spoiler: We implemented some of this stuff in the library!)
dgc
68
69. Is all this stuff legal? 😰
loige
👀You can certainly look into your certificate (and
the test certificates!)
🗣Looking into other people's certificate will
disclose a lot of privacy-sensitive info (thread
carefully)
📲Building a validator app? Check your country's
regulation (especially if you need to store data!)
69
70. Cover Picture by on
❤ Huge thanks to for some precius review sessions and many pull requests!
❤ Thanks to , , , , for reviews and suggestions.
FPVmat A Unsplash
rust-italia
@gbinside @88_eugen @AlleviTommaso @npmccallum @pelger
loige
☝nodejsdp.link
loige.link/rust-green
THANK YOU!
❤
70