How to Decode Your Own EU Vaccination Green Pass With a Few Lines of Python
@tobsch
Tobias Schlottke, Founder of alphalist.com - a leading community network of top CTOs who solve tech challenges together
The EU Vaccination passport has arrived! The company UBIRCH has worked around the clock for the past few weeks to ensure millions of Germans were able to enjoy a summer of free movement.
The vaccination certificate looks like a simple QR code on paper, yet a lot of technology went into securing the personal data, making it accessible only to authorized users, and making it hard to fake.
In a podcast geared towards CTOs, Matthias Jugel, the CTO of UBIRCH, shared what went into the technology and explained how to simply decode the content of the QR code.
The EU Vaccine Program
The German vaccination pass is based on the protocols defined by the European Union regarding vaccine certificates for its member states.
When you get your shot, a little dataset is created which contains your personal information (your name and your birth date, for instance) and also some information about the actual vaccination: the manufacturer, the product ID of the shot, the date when you got your shot, and which shot it was in a series of doses.
The EU also has protocols on how this dataset should be handled. It needs to be put into a binary representation which is then signed using cryptographic key material. Anyone with the public key can now verify that it's authentic.
This binary representation is then compressed and encoded into Base45, which is known to be very efficient in combination with QR codes. The Base45 text representation is then put into a QR code which is printed and has your code and your pass. The complete chain is: Base45 -> zlib -> COSE object -> CBOR
This method is different from a JWT token because it's a bit smaller. A JWT is encoded in Base64, purely text-based, and it's not compressed in itself. This means it cannot contain as much information in the same amount of data, so it's very large in the end.
Still, someone has to take care of converting the dataset into a signed piece of data. Therefore, UBIRCH provides a service in which they receive the data, transform it, sign it, and then hand back something that can be either printed in a QR code or printed as a PDF certificate. This is all done through the vaccination centers.
Decoding your own Green Pass
Even though legally only authorised personnel should be checking the contents of the QR code, you can still check what's inside your own QR code from a technical standpoint. You won't be able to perform signature verification, though, as access to the public keys is not officially available. So the code below is only for nerds who want to know what data is encoded in their QR code.
1. Use a QR code reader to get the content of your own QR code. A browser-based one is here:
Here is a sample QR code of a fictional person that we will be using for this example:
    HC1:6BFNX1:HM*I0PS3TLU.NGMU5AG8JKM:SF9VN1RFBIKJ:3AXL1RR+ 8::N$OAG+RC4NKT1:P4.33GH40HD*98UIHJIDB 4N*2R7C*MCV+1AY 3:YP*YVNUHC.G-NFPIR6UBRRQL9K5%L4.Q*4986NBHP95R*QFLNUDTQH-GYRN2FMGO73ZG6ZTJZC:$0$MTZUF2A81R9NEBTU2Y437XCI9DU 4S3N%JRP:HPE3$ 435QJ+UJVGYLJIMPI%2+YSUXHB42VE5M44%IJLX0SYI7BU+EGCSHG:AQ+58 CEN RAXI:D53H8EA0+WAI9M8JC0D0S%8PO00DJAPE3 GZZB:X85Y8345MOLUZ3+HT0TRS76MW2O.0CGL EQ5AI.XM5 01LCWBA.RE.-SUYH+S7SBE0%B-KT+YSMFCLTQQQ6LEHG.P46UNL6DA2C$AF-SQ00A58HYO5:M8 7S$ULGC-IP49MZCS U8ST3HDRJNPV3UJADJ9BVV:7K13B4WQ+DCTEG4V8OT09797FZMQ3/A7DU0.3D148IDZ%UDR9CYF

2. Create a Python file with the following code and save it as decode.py
    #!/usr/bin/env python3
    import json
    import sys
    import zlib

    import base45
    import cbor2
    from cose.messages import CoseMessage

    # first command-line argument is the QR content; drop the 4-character "HC1:" prefix
    payload = sys.argv[1][4:]
    print("decoding payload: " + payload)

    # decode Base45 (remove HC1: prefix)
    decoded = base45.b45decode(payload)

    # decompress using zlib
    decompressed = zlib.decompress(decoded)

    # decode COSE message (no signature verification done)
    cose = CoseMessage.decode(decompressed)

    # decode the CBOR encoded payload and print as json
    print(json.dumps(cbor2.loads(cose.payload), indent=2))

3. Install all libraries required to use the example code:
    pip3 install cryptography==2.8
    pip3 install cose
    pip3 install cbor2
    pip3 install base45

4. Execute the Python file
    python3 decode.py 'HC1:6BFNX1:HM*I0PS3TLU.NGMU5AG8JKM:SF9VN1RFBIKJ:3AXL1RR+ 8::N$OAG+RC4NKT1:P4.33GH40HD*98UIHJIDB 4N*2R7C*MCV+1AY3:YP*YVNUHC.G-NFPIR6UBRRQL9K5%L4.Q*4986NBHP95R*QFLNUDTQH-GYRN2FMGO73ZG6ZTJZC:$0$MTZUF2A81R9NEBTU2Y437XCI9DU 4S3N%JRP:HPE3$ 435QJ+UJVGYLJIMPI%2+YSUXHB42VE5M44%IJLX0SYI7BU+EGCSHG:AQ+58CEN RAXI:D53H8EA0+WAI9M8JC0D0S%8PO00DJAPE3 GZZB:X85Y8345MOLUZ3+HT0TRS76MW2O.0CGL EQ5AI.XM5 01LCWBA.RE.-SUYH+S7SBE0%B-KT+YSMFCLTQQQ6LEHG.P46UNL6DA2C$AF-SQ00A58HYO5:M8 7S$ULGC-IP49MZCSU8ST3HDRJNPV3UJADJ9BVV:7K13B4WQ+DCTEG4V8OT09797FZMQ3/A7DU0.3D148IDZ%UDR9CYF'

5. This is what the output would look like:
    {
      "1": "DE",          // issuing country
      "4": 1655209933,    // expires at
      "6": 1623673933,    // issued at
      "-260": {
        "1": {
          "v": [
            {
              "ci": "URN:UVCI:01DE/IZ12345A/21E0JXD7UQY6ECLM3WT7YF#8",
              "co": "DE",
              "dn": 2,
              "dt": "2021-04-01",
              "is": "Robert Koch-Institut",
              "ma": "ORG-100031184",
              "mp": "EU/1/20/1507",
              "sd": 2,
              "tg": "840539006",
              "vp": "1119349007"
            }
          ],
          "dob": "1964-08-12",
          "nam": {
            "fn": "Mustermann",
            "gn": "Erika",
            "fnt": "MUSTERMANN",
            "gnt": "ERIKA"
          },
          "ver": "1.0.0"
        }
      }
    }
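The Base45 and zlib layers that decode.py strips first, and the QR-size comparison with a Base64 token made earlier, can be reproduced with the standard library alone. This is an added example, not code from the original article or from UBIRCH: the Base45 routines follow RFC 9285, while `unwrap_hc1`, `qr_bits`, the 64 KiB limit and the sample bytes are choices made here. Because the QR text is untrusted input, it rejects malformed Base45 and caps the inflated size instead of calling `zlib.decompress` unbounded.

```python
import base64
import zlib

B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"  # RFC 9285 alphabet

def b45encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        n = int.from_bytes(chunk, "big")
        # 2 bytes -> 3 chars, trailing single byte -> 2 chars, least significant first
        for _ in range(len(chunk) + 1):
            n, r = divmod(n, 45)
            out.append(B45[r])
    return "".join(out)

def b45decode(text: str) -> bytes:
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    out = bytearray()
    for i in range(0, len(text), 3):
        group = text[i:i + 3]
        # str.index raises ValueError for characters outside the alphabet
        n = sum(B45.index(c) * 45 ** k for k, c in enumerate(group))
        size = len(group) - 1
        if n >= 256 ** size:
            raise ValueError("Base45 group out of range")
        out += n.to_bytes(size, "big")
    return bytes(out)

def unwrap_hc1(qr_text: str, max_size: int = 64 * 1024) -> bytes:
    """Return the inflated COSE bytes; reject oversized or truncated streams."""
    if not qr_text.startswith("HC1:"):
        raise ValueError("not an HC1 string")
    inflater = zlib.decompressobj()
    data = inflater.decompress(b45decode(qr_text[4:]), max_size)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("output exceeds limit or stream is truncated")
    return data

def qr_bits(text: str) -> int:
    """QR data bits: 11 per 2 chars in alphanumeric mode, otherwise 8 per byte."""
    if all(c in B45 for c in text):
        return 11 * (len(text) // 2) + 6 * (len(text) % 2)
    return 8 * len(text.encode())

# Constructed stand-in for the signed COSE bytes (not a real certificate).
SAMPLE = b'{"fn": "Mustermann", "gn": "Erika", "dob": "1964-08-12"}' * 3
HC1 = "HC1:" + b45encode(zlib.compress(SAMPLE))
JWT_STYLE = base64.urlsafe_b64encode(SAMPLE).decode()  # Base64 text, uncompressed
```

The Base45 alphabet is exactly the QR alphanumeric character set, which is why `qr_bits` charges it 5.5 bits per character while Base64 text falls back to 8.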
The Verification of Vaccination Passes - Offline
However, the actual verification can all be done offline, to fit with the requirements of the EU. The corona apps deal with the verification of such passes without needing the internet. Verification is done entirely on the phone.
The apps get the public keys and verify the signature, and then, depending on the intended usage, they might present you the content of the QR code - the data that's really in there.
There are 2 types of apps available.
The official app for authorised personnel and the official app for the public.
CovPass Check App for Authorised Personnel
The official app was made to allow free travel in the EU. It is meant to be used when you cross a border or when checked abroad by police or by somebody who would like to know whether you're allowed to be there.
This information contains personal information, and that is why the official app that can access all the data contained in the QR code is for authorised personnel only.
The official CovPass app for Public Use
You can get an authorised app from the app store which will tell you whether the scanned QR code is valid. The idea behind it is to present as little personal data as possible, to protect the privacy of everyone involved.
Using Blockchain to verify Vaccine Passes - Online
For their pilot solution, which has been applied in two German counties, UBIRCH used blockchain technology to make vaccine passes verifiable for authenticity and integrity in a decentralized way.
- People in the vaccination center fill in a web form with their details: name, date of birth, vaccination date, what type - all the data that the EU wants to collect.
- Upon submission, this data is hashed together with a salt, making it anonymous
- The hash is sent to the backend where it is anchored in the blockchain
- A URL is generated containing all the data provided in the webform
- A QR code is also created which, when scanned, will display the data captured by the web form
- If someone wants to just validate the URL, they can go to the URL; it is decoded, a hash is sent to the server, and a response is sent back stating whether it's valid, with a signature.
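The flow in the list above, reduced to its hashing core, as an added example that is not UBIRCH's code. SHA-256, the canonical JSON form, carrying the data and salt in the URL fragment, the `verify.example` host and the in-memory `ANCHORED` set (standing in for the blockchain anchoring) are all assumptions made here, and the signed server response is left out.

```python
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ANCHORED = set()  # stand-in for the hashes the backend anchored in the blockchain

# Constructed sample record; all values are strings so they survive the URL round trip.
SAMPLE_FIELDS = {"name": "Erika Mustermann", "dob": "1964-08-12",
                 "date": "2021-04-01", "type": "EU/1/20/1507"}

def record_hash(fields: dict, salt: str) -> str:
    # Canonical JSON so issuer and verifier hash exactly the same bytes.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((salt + canonical).encode()).hexdigest()

def issue(fields: dict, base_url: str = "https://verify.example/v") -> str:
    """Vaccination centre: hash locally, anchor only the hash, return the QR URL."""
    salt = secrets.token_hex(16)  # random salt stops guessing name + birth date
    ANCHORED.add(record_hash(fields, salt))  # the backend never sees personal data
    return base_url + "#" + urlencode({**fields, "salt": salt})

def verify(url: str) -> bool:
    """Verifier: decode the URL, recompute the hash, ask whether it was anchored."""
    query = parse_qs(urlsplit(url).fragment, keep_blank_values=True)
    params = {key: values[0] for key, values in query.items()}
    salt = params.pop("salt", "")
    return record_hash(params, salt) in ANCHORED
```

Changing any field in the URL changes the recomputed hash, so the lookup fails; without the salt, a record built from a name and a birth date could be confirmed by hashing guesses.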
UBIRCH still uses blockchain technology in other use cases. Nevertheless, in close collaboration with the customer and in line with final EU requirements, another approach for the implementation of the digital COVID certificate in Germany was chosen.
This article was based on an alphalist podcast episode. The alphalist podcast features interviews of CTOs and other technical leadership figures and topics range from technology to management.
Guests from leading tech companies share their best practices and knowledge.
The goal is to support other CTOs on their journey through tech and engineering, inspire, and allow a sneak peek into other successful companies to understand how they think and act. Get awesome insights into the world's top tech companies, personalities and trends by listening today on Apple, Spotify, Google, Deezer and more.
If you are a CTO of a tech-product company, maybe you would be interested in joining alphalist, an exclusive CTO network? Reach out to us for more information.
Source: https://hackernoon.com/how-to-decode-your-own-eu-vaccination-green-pass-with-a-few-lines-of-python-9v2c37s1