
How do the vaccine passes work?

Jonathan Chow edited this page Nov 29, 2021 · 17 revisions

With the vaccine passes coming into use soon, it's good to have a general understanding of how they work, and more importantly why we can trust them to indicate a person's vaccination status.

This is especially important for business owners, gathering organisers, and so on, who need to validate passes in order to meet the requirements for operating under the traffic light system.

Other resources

What's on the vaccine pass?

In short, the QR code on each pass contains all the information physically printed on the pass, plus a few more pieces of data that are only present in the code itself:[1]

| Data | Example | Printed on pass? | Displayed by official app? |
|---|---|---|---|
| Given name | Jack | yes | yes |
| Family name | Sparrow | yes | yes |
| Date of birth | 1960-04-16 | yes | yes |
| Expiry date | 2031-11-03 | yes | - |
| Issue date | 2021-11-03 | - | - |
| Issuer | did:web:nzcp.covid19.health.nz | - | - |
| Unique pass ID | urn:uuid:60a4f54d-4e30-4332-be33-ad78b1eafa4b | - | - |
| Signature | arbitrary data | - | - |

When a pass is scanned, the device reads all this data out of the QR code and displays certain portions of it to the user. For example, although the expiry date is printed on every physical pass, the official app chooses not to display it on the device's screen.

How does verification work?

Verifying a pass is the most important feature of the system. Since the data on a pass is publicly accessible, how can we know that someone who has a pass really is vaccinated?

  • Can you give your (valid) pass to someone else?
  • Can you alter a pass (e.g. by changing the name on it)?
  • Can you create fake passes?

The system wouldn't work if any of these things could be done. To prevent these things from happening, the data in the pass is signed.

Signing is the practice of using cryptographic principles to mathematically prove that data has not been tampered with. This is why each pass contains a signature: in the case of these vaccine passes, this is a pair of ~80-digit numbers[2] that can be used to mathematically determine whether the data in the pass has been changed.

Moreover, the maths ensures that only someone in possession of what's called the private key is able to generate these signatures for a pass. This private key is kept under lock and key by the Ministry of Health.[3] From a practical standpoint, without this private key, it is impossible to compute a valid signature.

In practice, this means that any vaccine pass that passes verification is guaranteed to be genuine. Any attempt to change even one bit of information in a pass will mean that the pass will no longer validate.

But what if I just give my pass to someone else?

Good question! All this theoretical security would mean nothing if there were no way to tie a pass to a person.

Practically, the only way to ensure that the person presenting a pass is the same as the person identified by the pass is through the use of secondary photo ID. Anyone validating passes needs to confirm two things:

  • The pass itself is valid, and
  • The bearer of a pass is indeed the person identified by the pass, using photo ID to check the name and date of birth.

So what does this mean for me?

  • Bring photo ID. Since the only identification information on a pass is your name and date of birth, a driver's licence or similar is needed to properly establish that a pass actually belongs to you.
  • Passes are secure. Any pass that validates is guaranteed to be a genuine pass issued by the Ministry of Health. It is impossible from a practical standpoint to create a fake pass.
    • Following from this, there is no black market for passes since they can't be faked or given to someone else (provided business owners and gathering organisers are vigilant with photo ID).
  • Personally identifiable information is unencrypted. This makes sense from a technical perspective, but if you are concerned about privacy, make sure that you either trust the person doing the scanning or that they are using the official app, which doesn't keep any records.
    • If you have passwords based on your birthday, now might be a good time to change them, since anyone who scans your pass can see your date of birth!
    • There is legislation that limits what data may be retained.[4]

I would like to thank 36wish for helping me proofread this article.

Notes

[1] Passes also contain extra data to conform to certain standards. Under the hood, the pass is a verifiable credential, formatted as a COSE structure, which is then base32 encoded.

[2] Passes are signed with ECDSA using P-256 and SHA-256; a 256-bit number is roughly 80 digits long in decimal. Public keys are distributed via HTTPS on the path /.well-known/did.json on the domain of the issuer.

[3] Technically speaking, this responsibility has been contracted out to the tech company providing the underlying services. See this media release.

[4] See COVID-19 Response (Vaccinations) Legislation Act 2021 Section 15.