Residents of the EU also now have QR codes that exempt them from coronavirus restrictions. Why are they much harder to counterfeit than the Russian ones?
Since June 28, visiting cafes, restaurants and public events of more than 500 people in Moscow has been possible only with a COVID QR code. Fake QR codes went on sale immediately: Roskomnadzor has already blocked a couple of dozen sites that generated them. Meanwhile, on July 1 the EU's system of COVID-19 digital certificates, also presented as QR codes, officially came into force in the EU countries as well as in Iceland, Liechtenstein, Norway and Switzerland. The Europeans worked out in advance how to prevent fakes (spoiler: it's all about digital signatures).
How Russian QR codes are counterfeited
A QR code is a variant of a two-dimensional barcode. They were invented to overcome the main limitation of linear barcodes (the kind found on groceries in stores), which can encode too little information. QR codes are used to carry a wide variety of information: text, hyperlinks, electronic business cards, geo-points, Wi-Fi connection data, and so on.
In Russia, “covid” QR codes contain only a hyperlink with the identifier of your certificate (of vaccination, of having had COVID-19, or of a PCR test result). Verification of such a QR code works as follows:
- the code is scanned,
- the link is opened in a special application or an ordinary browser,
- the personal data on the page that opens is compared with the identity document presented (some of the data is hidden).
This scheme is used both in the QR codes that can be obtained on the State Services (Gosuslugi) website and in those issued by the Moscow government at immune.mos.ru. The former provide slightly more information about the certificate holder: in addition to the exact date of birth and part of the full name, part of the internal and foreign passport numbers can be found there.
[Illustration: some information is “hidden”]
The problem with this scheme is precisely that such a QR code can in practice be “checked” in any browser. A verifier can be handed a fake QR code pointing to a fraudulent site that looks exactly like the Gosuslugi site or the Moscow government's site; in theory even its address may look similar.
Therefore the verifier must either carefully examine the link every time, or install and use the official applications that perform this check automatically. But it may be in a business's interest to check loosely: it is the client who presents a fake QR code that bears responsibility for the deception.
How European QR codes are protected
In the European Union, QR codes are used to verify the same types of “covid” certificates: of vaccination, of laboratory test results, and of having had COVID-19. But each QR code contains not a hyperlink but a COVID-19 digital certificate, a document certified with a digital signature. It contains the holder's full name and date of birth and the information corresponding to the specific certificate type. For a vaccination certificate, for example, this is the name of the vaccine and its manufacturer, the number of doses received and the date of vaccination.
Each EU state independently creates its own certification authority. It issues and distributes the keys with which these digital certificates are signed. In theory, such keys can be issued not only to institutions but also to individual doctors.
They enter a specific person's data into the template for the required type of certificate, after which the document is converted into a compact file, signed with a digital signature, packed into an archive and converted into a two-dimensional barcode.
The same certification authorities publish their public keys (each country has its own), with which the special applications ultimately verify the authenticity of the signature. As a result, European QR codes, unlike Russian ones, are checked offline: personal data and the certificates themselves are not sent anywhere over the Internet, and there is no single pan-European repository of such certificates. QR codes are scanned only by special applications. The application verifies the signature against the public keys published by each country and displays the content of the certificate. The bearer's personal data is then compared with the identity document, as in Russia.
If a verifier tries to scan such a QR code with an ordinary application, they will see only the compressed file.
Thanks to this scheme and the use of compact digital signatures, the application needs very little storage for public keys: over five years, even with the certification authorities of each European country rotating their public keys monthly, it will be less than one megabyte. The verifier's application needs to go online only occasionally, to check whether the certification authorities have issued new keys and to download them.
Digital signatures, as with ordinary documents, reliably protect European certificates from counterfeiting. Only someone with access to a private key issued by a national certification authority could create a fake certificate. But if such a person is caught, the signatures they created can be revoked. This functionality is planned but not yet implemented.
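To make the signing and offline verification steps concrete, here is an added example in Go; it is not code from the article or from any national certificate app. It walks through the pipeline described above (fill in the certificate, sign it with the issuer's private key, compress it, verify it against only the issuer's published public key) with two simplifications: the certificate body is constructed JSON where the real scheme uses CBOR and COSE, and the final text encoding of the compressed bytes for the QR image is omitted. The function names and the sample certificate fields are assumptions.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"io"
)
// Signed is the "compact file": certificate bytes plus the issuer's signature over them.
type Signed struct{ Cert, Sig []byte }
// NewIssuerKey stands in for a national certification authority creating its signing key.
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Sign produces the issuer's ECDSA P-256 signature over the SHA-256 of the certificate bytes.
func Sign(cert []byte, priv *ecdsa.PrivateKey) (Signed, error) {
	digest := sha256.Sum256(cert)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Signed{cert, sig}, err
}
// Pack zlib-compresses the signed file into the bytes the QR image carries.
func Pack(s Signed) []byte {
	raw, _ := json.Marshal(s)
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(raw)
	w.Close()
	return buf.Bytes()
}
// Verify is the offline check a scanning app performs: unpack, check the signature
// against the issuer's published public key, and only then release the contents.
func Verify(qr []byte, pub *ecdsa.PublicKey) ([]byte, bool) {
	r, err := zlib.NewReader(bytes.NewReader(qr))
	if err != nil {
		return nil, false // not a packed certificate at all (e.g. a plain hyperlink)
	}
	raw, err := io.ReadAll(r)
	var s Signed
	if err != nil || json.Unmarshal(raw, &s) != nil {
		return nil, false
	}
	if d := sha256.Sum256(s.Cert); !ecdsa.VerifyASN1(pub, d[:], s.Sig) {
		return nil, false // forged or altered: show nothing
	}
	return s.Cert, true
}
```

A verifier holding only the public key accepts the genuine file, rejects one whose dose count was edited after signing, rejects a file signed by a key it does not trust, and treats a bare hyperlink as not a certificate at all.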