If the keys are actually proven as stolen, all vaccinated people that have a QR code in France and Poland will probably all have to get a new one again.
Also this is very worrisome.
Geert Wilders, this you?
Is there a list of all the (public) keys for each country? I’ve been sent a key that purports to be the private key for Poland, but I can’t verify it without the public key
“Er ist wieder da”
A very good proof that a compulsory masterkey to break encrypted communication will be safe and there is no risk of losing it.
German keys appear compromised too, proof of mis-issued certificate:
QR Code:
Verification output:
```
ehn-sign-verify-python-trivial % cat key.txt | python3 ./hc1_verify.py -v -U -p -A
KID in the unprotected header.
Signature : XkVWZqUeeFc= @ ES256
Correct signature againt known key (kid=XkVWZqUeeFc=)
Issuer : DE
Experation time : 1666037984
Issued At : 1634501984
Health payload : {
    "dob": "1917-12-06",
    "nam": {
        "fn": "Rokotepassieu",
        "fnt": "ROKOTEPASSIEU",
        "gn": "Ota Yhteyttä Wickr",
        "gnt": "OTA<YHTEYTTAE<WICKR"
    },
    "v": [
        {
            "ci": "URN:UVCI:01DE/A80013335/TCXSI5Q08B0DIJGMIZJDF#T",
            "co": "DE",
            "dn": 1,
            "dt": "2021-09-22",
            "is": "Robert Koch-Institut",
            "ma": "ORG-100001417",
            "mp": "EU/1/20/1525",
            "sd": 1,
            "tg": "840539006",
            "vp": "1119305005"
        }
    ],
    "ver": "1.3.0"
}
```
(note old reddit doesn’t render code blocks properly)
He lives…
No secret key has been leaked (for France at least): the COVID certificate for Hitler was generated just like any other COVID certificate: a health professional with access to the appropriate tools was able to declare a fake patient as vaccinated, and the system issued a valid certificate as designed.
If you actually had the secret key, why bother generating a certificate for Hitler? Why use 01/01/1900 as Hitler’s date of birth (spoiler: the SI-VAC system used in France limited the user’s input to >= 01/01/1900)? Why not add extra info to the certificate or mess around with the certificate’s unique identifier?
Has anybody seen that QR code? I’d like to check the scanner I have on my phone, if they really work.
>The Dutch Health Ministry is trying to figure out exactly how this QR code was created.
I don’t get yet why the conclusion is that the private key is compromised because of some bad joke names?
German media had an interview with some furry from Switzerland who was pissed that some of his furry friends couldn’t get to a fetish party in Berlin. He then started selling covid certificates.
How? He paid people working in pharmacies good money to create the fake certificates.
No private key needed.
Edit:
It’s possible that the app / portal used to create them got hacked or someone got access.
Apparently all of those fake keys were created by a North Macedonian ministry
https://github.com/ehn-dcc-development/hcert-spec/issues/103#issuecomment-953382640
It is morally justified to fake your QR codes