Counterfeit EU Green Passes

Question

In the EU, a person will soon be able to perform certain activities (going to concerts, to sports events, etc.) only if they can present a valid Green Pass that certifies that the bearer has been vaccinated, or has recovered from Covid, or has been tested negative in the recent past.

The Green Pass is basically a QR code that contains information encrypted with public-key cryptography (see here for details).

As soon as it was introduced, spammers started promoting fake Green Passes for people who did not want to get vaccinated. Some of these are clearly attempts at identity theft, since the spammers claim that they need a copy of a valid ID to generate the Green Pass.

I'd like to know whether the Green Pass scheme has actually been broken¹; the few sources that I've found are clearly unreliable (their technical explanations are gibberish).

NOTE: I've had my shots and have a valid Pass; I'm only interested in the technical aspect (i.e. robustness) of the scheme.

---

¹ Moderator note: we are on a cryptographic forum, and if we discuss that subject, at least we should stick strictly to it's cryptographic aspects.

Answer 1

The specification mentions that the signature is per ECDSA on curve "P-256" (aka secp256r1), or RSASSA-PSS with a modulus of 2048 bits in combination with the SHA–256 hash (I guess with MGF1 with SHA-256; can't be sure for salt size). These are state-of-the-art, unbroken algorithms.

I find it unbelievable that a cryptographic attack would let emit fake passes that are accepted with proper validation per this specs, with forged user data.

Answer 2

Answering the question what is broken, with focus on cryptographic aspects:

"Green Pass" title implies yes/no decision, while the application actually scans the name, birthday, and vaccination info from QR-code, and prints it in cleartext. To achieve the goal, it requires infrastructure like publicly accessible database with medical information, and manual ID check.

No attempt is suggested in the technical description to use any well-known cryptographic tool for data privacy. Even worse, signatures require all the signed data to be available in the cleartext. Declaring signatures short-lived with X.509 attributes is not the solution to privacy. To be constructive, please let me remind zero-knowledge proofs were considered for democratic voting since late 80s.

According to "Interoperability of health certificates Trust framework V.1.0 2021-03-12" section "7 Verification protocol", scanner verifies signature and prints the the signed data (offline part):

Once this digital signature has been verified, the verification software can decode the information in the 2D barcode and rely on its content.

UVCI part of the certificate is the searching key into a database expected later (function creep):

Online verification will rely on the UVCI and it will be incorporated in the next version of the specifications (V2).

EU Commission was asked on zero knowledge applicability:

Parliamentary questions, 13 April 2021, Pier Nicola Pedicini (Verts/ALE) ... Is the Commission considering:

1. using ZKP for the Digital Green Certificate; ...

Brian Behlendorf (Linux Foundation) did say at the "Vaccine Passports: A public health solution or ethical & legal minefield?":

There’s been recent advancements in cryptography and mathematics that are much better aligned with this idea of being able to prove a thing without having to show a lot of information about that thing. .. That same kind of zero-knowledge system and zero-knowledge proof needs to be something that we standardize across the system.

Update: cryptographic aspects of the recent data leak may include reasoning like untraceability of copying signed data that was sent out for verification at least twice, and precise meaning of "unavailable" of that signed data.