Why does the introduction of QR code verification make no sense in public transport and shopping centers?
Friends, this is my first publication. If something is wrong, do not judge too strictly; leave constructive criticism in the comments, and I will try to react and improve the content.
The post explains what the QR code of the vaccination certificate is, whether it can contain the seal of Satan, and how to check it correctly, and covers the pros, cons, existing restrictions and application features. The material is for general understanding and does not contain complex technical details; all data is taken from open sources, and there is no personal information in it.
1. What kind of beast is a QR code?
A QR code (Quick Response code) is a type of matrix barcode (or two-dimensional barcode). A QR code consists of black squares arranged in a square grid on a white background, which can be read by imaging devices such as a camera.
The “QR code” designation is a registered trademark of DENSO Corporation; the use of the codes is not subject to any license fees, and the codes themselves are described and published as the ISO/IEC 18004 standard.
I will not overload the description with coding algorithms and other technical information; if details are required, they can be found in GOST R ISO/IEC 18004-2015…
It’s important to know that a QR code can contain text information, web page URLs, business cards, and even images (on the subject of the seal of you-know-who). Depending on the size, QR codes can contain from 21×21 to 177×177 modules (versions from 1 to 40 in increments of four modules for each side), while up to 4296 alphanumeric characters can be encoded.
2. How to get the QR code of the vaccination certificate?
You can legally obtain a certificate and the coveted QR code by completing the full course of vaccination (valid for 1 year), or by receiving a negative PCR test result (valid for 72 hours). In my opinion, in terms of how quickly it is obtained and how long it stays valid, the best way to obtain a certificate is vaccination with Sputnik Light: in this case a certificate with a QR code should be available as early as 3 days after vaccination, and the validity period is 1 year.
3. What is the QR code of the vaccination certificate?
The vaccination certificate will be available in the personal account on the portal of public services; it can be downloaded in PDF format and printed, or saved in the phone’s memory. You can read the information in a QR code using a special software and hardware device (scanner) or a smartphone with QR-reading software installed; QR code recognition is built into the Camera application of many modern smartphones. Having scanned the QR code, you can see that it contains a link to the State Services portal, for example:
- “https://www.gosuslugi.ru/covid-cert/verify/” – the address of the verification page;
- “9710000025717304” – the certificate number;
- “lang=ru” – the language in which the verification result will be returned;
- “ck=f2ab62b1a16724942b19e836a83c5258” – a unique hash value calculated for the specific certificate.
If you open the link contained in the QR code of the certificate, you get to the page with the verification result. As we can see, the result of the check does not contain personal information, which is a plus. The main disadvantage is that it is impossible to check the QR code without an Internet connection or if the State Services portal is inaccessible!
Given the complexity of the hash, it is theoretically possible to generate a correct link to someone else’s vaccination code, but for this you need to be either phenomenally lucky or have a quantum computer at hand; in practice this is very unlikely.
4. How to check the QR code of the vaccination certificate?
To make sure that the QR code is valid and that you are being shown a vaccination certificate, and not a code from a chicken breast from the grocery department, or even some kind of encrypted obscene ditty, you need to:
1. scan it using the official application “STOP COVID-19” (Google market, App store);
2. verify the passport data against the result of the check.
Why does this check need to be done this way and only this way? More on this …
If you read carefully and have a basic grasp of IT, you have already guessed that the QR code is compromised at the first scan. Take the code from this article as an example: I took it from the site “TV Channel Tulsky 1”, and such a code can be presented for verification by any person. Moreover, knowing the address of the verification link, you can easily generate a new QR code. One of the many generation services available on the site tec-it.com…
The generated code, although it does not exactly reproduce the image of the original certificate’s code, contains completely valid information that is identical to the original.
Thus, someone else’s certificate can be presented for verification, and the data of your personal certificate becomes available to the person performing the verification. It is for this reason that a reconciliation of passport data is necessary!
With the passport check, everything is clear, but a reasonable question arises: why check the code using the “STOP COVID-19” application? Because, as has been said many times, a QR code is just an image in which the address of a web page is encoded, and this address may not belong to the public services portal at all. The page with valid vaccination data can easily be copied, modified and placed at a completely different network address. An inattentive inspector will most likely not recognize the fake even if he verifies the passport data, because the data has been changed to match a specific document, while the page differs from the public services portal in nothing except its URL.
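The check an inspector's scanner has to make before trusting what it displays, as an added example that is not part of the original post and not the code of the “STOP COVID-19” application. It assumes the components listed in section 3 join as a path segment plus query string, and that the certificate number and `ck` formats match the single sample shown there.

```javascript
// Added example. Host and path come from the link components listed in section 3.
const OFFICIAL_HOST = 'www.gosuslugi.ru';
const VERIFY_PATH = '/covid-cert/verify/';

// Classify the text decoded from a scanned QR code without fetching anything.
function checkQrPayload(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch {
    return { ok: false, reason: 'not a URL' }; // product barcode, plain text, ...
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  // Userinfo makes "https://www.gosuslugi.ru@other.host/" look official to a human.
  if (url.username || url.password) return { ok: false, reason: 'userinfo in URL' };
  // Compare the parsed host exactly; substring or prefix checks accept look-alikes.
  if (url.hostname !== OFFICIAL_HOST || url.port !== '') {
    return { ok: false, reason: 'foreign host' };
  }
  if (!url.pathname.startsWith(VERIFY_PATH)) return { ok: false, reason: 'wrong path' };
  const certificate = url.pathname.slice(VERIFY_PATH.length);
  const ck = url.searchParams.get('ck') || '';
  // Assumed from the single sample on the page: digits only, ck is 32 hex characters.
  if (!/^\d+$/.test(certificate) || !/^[0-9a-f]{32}$/i.test(ck)) {
    return { ok: false, reason: 'malformed certificate link' };
  }
  return { ok: true, reason: 'official verify link', certificate };
}

// Constructed inputs: the page's sample values plus look-alikes on reserved example domains.
const TAIL = '/covid-cert/verify/9710000025717304?lang=ru&ck=f2ab62b1a16724942b19e836a83c5258';
const SAMPLES = [
  'https://www.gosuslugi.ru' + TAIL,
  'https://www.gosuslugi.ru.example.net' + TAIL,
  'https://www.gosuslugi.ru@example.net' + TAIL,
  'http://www.gosuslugi.ru' + TAIL,
  '4607001234567',
];
for (const s of SAMPLES) console.log(checkQrPayload(s).reason.padEnd(28), s);
```

A passing result only says the link leads to the official portal; whether the certificate is valid, and whether it belongs to the person presenting it, still comes from the portal's answer and the passport comparison.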
A friend of the author of this material claims that after the introduction of QR codes he walked around for some time with a QR code from a chicken breast, then generated a completely fake web page, and absolutely wherever he presented these QR codes, they were checked. I think there is no need to talk about a banal copy of an existing QR code at all: have you seen inspectors verify passport data anywhere? Personally, I have not.
6. Checking QR codes in public transport and shopping centers is a utopia
Recently, in various regions, the verification of QR codes in public transport and shopping centers is being introduced or is planned. I can assume that this idea is absolutely not thought out, because if QR codes are checked as they should be, the check will simply paralyze the activities of public transport and shopping centers, and if only the appearance of a check is created, the initiative loses all sense. Before implementing such business processes, I can recommend that those who make such decisions first understand the essence of the issue, time the process on a test route, check the throughput and other significant characteristics of the process, and only then take decisive action. In any case, it is worth remembering that checking QR codes is possible only with an Internet connection, the appropriate software and hardware, and the mandatory verification of passport data.
In conclusion, I would like to fantasize about how the process could be improved and made safer. The first thing that can be done is to let the user generate a new version of the QR code, making the previous one invalid; this will make it more difficult to use someone else’s QR code. In addition, the validity of the QR code can be limited to a certain period, for example a month, after which a new QR code is generated automatically.
Alternatively, additional information must be embedded in the QR code: information about the owner, vaccination period, validity period, and a digital signature. Such a QR code can be checked without an Internet connection. This is exactly what was done in the West, for example, in Canada (Reverse engineering of the QR code to prove vaccination https://habr.com/ru/company/timeweb/blog/560688/).
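A sketch of the signed-payload idea from the paragraph above, as an added example that is not part of the original post and not the format of any real certificate system. The field names, the `body.signature` token layout and the choice of Ed25519 are assumptions made for the illustration; it uses Node.js's built-in crypto module.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Issuer side (hypothetical): sign the certificate fields and pack them for a QR code.
function issueToken(fields, privateKey) {
  const body = Buffer.from(JSON.stringify(fields), 'utf8');
  const sig = sign(null, body, privateKey); // Ed25519 takes no separate digest name
  return `${body.toString('base64url')}.${sig.toString('base64url')}`;
}

// Inspector side: needs only the issuer's public key, no network access.
function verifyToken(token, publicKey, now = new Date()) {
  const parts = token.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  if (!verify(null, body, publicKey, sig)) return { ok: false, reason: 'bad signature' };
  // Fields are parsed only after the signature has been checked.
  const fields = JSON.parse(body.toString('utf8'));
  if (new Date(fields.validUntil) < now) return { ok: false, reason: 'expired', fields };
  // fields.name is what the inspector compares with the passport.
  return { ok: true, reason: 'valid', fields };
}

// Constructed demo data: key pair generated on the spot, fictional holder.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const token = issueToken(
  { name: 'Ivan Ivanov', vaccinated: '2021-07-01', validUntil: '2022-07-01' },
  privateKey
);
console.log(verifyToken(token, publicKey, new Date('2021-12-01')));
```

A copied token still verifies, so the signature replaces the online lookup but not the passport comparison; what it adds is that the owner's name inside the code cannot be altered without the issuer's private key.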
It seems to me that in an ideal world, which will certainly come someday, the QR code should not be tied to the vaccination certificate, but to the passport, then there will be no need to present a certificate, any information, including about vaccination, can be checked by sending the passport ID to the appropriate system. I am sure that the introduction of digital passports will inevitably await us in the near future.
I would like to wish everyone good health in this difficult time, and officials – sanity, because it is much easier to restrict the movement of socially unprotected groups of people and the activities of small businesses than to agree to suspend work during a lockdown with big business, airports, airlines and religious institutions, where, as we all know, despite the massive crowds, there are no restrictions or checks on vaccination certificates.