How VerificaC19 works, the app to read the Green Pass

7 September 2021
Giuditta

The app is called VerificaC19 and works with asymmetric encryption that allows you to read the Green Pass without disclosing sensitive information about its owner. Given the many doubts and fears, let's see how the app works on a technical level: what is really contained in the QR code? How does the app guarantee privacy? Can the QR code be shared online?

Let's delve into this particular technology and answer all the most common questions.

UPDATE 11/2021: Be careful, there are several more or less effective tools circulating online that promise to read the Green Pass. DO NOT TRUST THEM, the only official app for reading the Green Pass in compliance with the Privacy directives is the VERIFICA C19 app.

The VerificaC19 App

The app was released by the Ministry of Health, the Ministry of Technological Innovation and Digitalization, the Ministry of Economy and Finance and the Extraordinary Commissioner for the COVID-19 Emergency.

The app allows shopkeepers and operators of shops, bars, hotels and other establishments to check the validity of:

  • COVID-19 Green Certifications produced in Italy by the National Platform-DGC of the Ministry of Health;
  • European Digital COVID Certificates (“EU Digital COVID Certificate”) issued by other Member States of the European Union.

How does Green Pass verification work in the app?

Technically, the Green Pass verification via app works thanks to asymmetric public/private key cryptography. In essence, the VerificaC19 app “sees” your QR code and derives an alphanumeric public key from it.

The VerificaC19 app then compares this public key it has just “seen” with the official list of valid public keys for the Member States, each uniquely identified by its KID (Key Identifier) code.

To perform this comparison, every 24 hours the VerificaC19 app queries the European gateway (DGCG) and downloads the list of keys used by all individual States to sign Green Passes. Every day it updates its list, removing the keys that are no longer valid and adding new ones.

Does the app save your Green Pass data?

As you can see, VerificaC19 does not save individual Green Pass data locally.

It only saves the official public keys, which are used to determine whether the QR code is valid.

If someone reads the public key, they will only see an incomprehensible alphanumeric code, which the app can only connect to your first name, last name and date of birth, without knowing anything about the details of your vaccination. This step is only possible thanks to asymmetric encryption.

What is Asymmetric Public/Private Key Cryptography?

Public/private key cryptography requires the existence of two keys:

  • the private one, contained in the QR code, which must be kept secret and is personal;
  • the public one, which is available to everyone and allows anyone to verify the authenticity of a file signed with the private key.

It is called “asymmetric” because it requires the existence of both keys, and because the two are not equal.

Symmetric encryption

In symmetric cryptography, on the other hand, only private keys are present: the sender encodes his message using a long private key and sends it to the recipient, who has the same private key and can decrypt the message.

Anyone who sees the message in transit will not understand its contents, because they do not have the private key.

The problem with symmetric cryptography is the secure exchange of the private key, which in some contexts cannot be guaranteed: this is why asymmetric cryptography was born.

Examples of asymmetric cryptography: the digital signature

Asymmetric encryption is used, for example, in digital signatures. Here, the user must send the recipient a document, a digital signature, and a public key.

Initially, the sender submits his document to the digital signature tool. The digital signature tool uses a hash algorithm to extract from this document the so-called digital fingerprint or digest, that is, a text string of fixed length, which constitutes a real summary of the text.

At this point, this text string needs to be digitally signed: to do this, the tool uses the user's private key.

Now the sender sends this signature, the document and the public key.

The person receiving:

  • decrypts the digital signature with the public key and gets the digest (the content of the message);
  • submits the document text to a hash algorithm and gets another digest;
  • compares the two digests. If they are the same, the document has been signed correctly.

Remember that all these steps are not performed manually, but by specific applications and programs with interfaces that we can easily understand.
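The signing and verification steps above, combined with the KID-indexed key list and daily refresh described earlier, as an added example that is not VerificaC19's code. It uses toy textbook RSA with small constructed primes in place of real certificate keys; the names `Verifier`, `kid-A`, `kid-B` and the stale-list check are assumptions of this example.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key pair from two small primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    return {"n": n, "e": e}, {"n": n, "d": d}  # (public, private)

def digest(document: bytes, n: int) -> int:
    # Fixed-length fingerprint of the document, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, private: dict) -> int:
    # Signer side: sign the digest with the private key.
    return pow(digest(document, private["n"]), private["d"], private["n"])

def verify(document: bytes, signature: int, public: dict) -> bool:
    # Receiver side: recover the digest from the signature with the public
    # key, hash the received document again, and compare the two digests.
    return pow(signature, public["e"], public["n"]) == digest(document, public["n"])

class Verifier:
    """Stores only public keys, indexed by KID, never the documents it checks."""
    MAX_AGE = 24 * 3600  # assumed refresh interval, in seconds

    def __init__(self):
        self.keys, self.updated_at = {}, None

    def refresh(self, published: dict, now: float) -> None:
        # Replacing the whole list drops withdrawn keys and adds new ones.
        self.keys, self.updated_at = dict(published), now

    def check(self, kid: str, document: bytes, signature: int, now: float) -> str:
        if self.updated_at is None or now - self.updated_at > self.MAX_AGE:
            return "STALE_KEY_LIST"   # assumption: refuse to decide on an old list
        public = self.keys.get(kid)
        if public is None:
            return "UNKNOWN_KID"
        return "VALID" if verify(document, signature, public) else "INVALID_SIGNATURE"

# Constructed sample data: two signers with toy keys and one signed document.
PUB_A, PRIV_A = make_key(104729, 1299709)
PUB_B, PRIV_B = make_key(15485863, 32452843)
DOC = b"constructed sample certificate"
SIG = sign(DOC, PRIV_A)

if __name__ == "__main__":
    v = Verifier()
    v.refresh({"kid-A": PUB_A, "kid-B": PUB_B}, now=0)
    print(v.check("kid-A", DOC, SIG, now=3600))          # intact document
    print(v.check("kid-A", DOC + b"!", SIG, now=3600))   # altered document
    v.refresh({"kid-B": PUB_B}, now=86400)               # kid-A withdrawn
    print(v.check("kid-A", DOC, SIG, now=86401))
```

The verifier never holds a private key: a signature made by a key that has been dropped from the published list stops verifying at the next refresh.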

Green Pass Encryption and Privacy Risks

A similar process to the one described above applies to the Green Pass. This document is signed with your private key, but the merchant's app only sees the public key, which allows it to verify if your Green Pass is valid, but does not allow it - as we said - to understand why you received the Green Pass (swab, recovery or vaccine).

What's in the QR code?

The QR code is a two-dimensional barcode that contains some information and a digital signature.

It can be used in both paper and digital format, but its content does not change: by scanning your QR code in a specific app (VerificaC19), the owner of a venue can verify the authenticity and validity of the Certification that produced your Green Pass.

The operation is similar to the digital signature reading process we described above.

What does the merchant see when he scans my Green Pass?

The merchant, after scanning the Green Pass with the app, can see your date of birth, your name and surname, and know whether your Green Pass is valid or not. This information will not be kept in the app's memory or distributed, and therefore the merchant will not be able to track it. Furthermore, the app works offline, so this data cannot "end up online".

Can the Green Pass QR code be published on social media?

Even if the Green Pass QR code contains only some private information, it is not a good idea to publish it on social media: anyone could get your exact date of birth, along with your first and last name. Furthermore, with slightly more advanced computer skills, it is also possible to get the reason for having the Green Pass from the QR code, for example vaccination and vaccine provider, number of doses, possible swab and expiration date of the document.

This does not include sensitive information such as illnesses or hospitalizations, but the Privacy Guarantor still asks people not to share this data publicly.

Can the Green Pass be scanned with a common QR code reader app?

It is not recommended, just as publishing it on social media is not recommended. The reader app itself will return a very long and apparently indecipherable code. However, those who know how to decipher it could obtain the information contained in the QR code, such as your date of birth, name, surname, type of vaccination or swab received, and the expiration date of the Green Pass.

We cannot guarantee that such a QR code scanning app will treat your data with the necessary confidentiality, so it is better to stick to the official channels: the VerificaC19 Green Pass app has been approved by the competent authorities.

For the merchant: how to use the VerificaC19 app

Using the merchant app does not require any technical skills. Simply launch the app and configure it by following the guided instructions.

Then, just tap “start scan” and frame the QR code of the person entering.

After a few seconds, a screen will appear indicating whether the certificate is valid.

Do you want to increase the security level of your company?

Or would you like to learn more about cryptography?

Contact Pizero Design for a consultation!
