Less haste, more speed: Base45, zlib and Vaccine Passports
Less haste, more speed: Base45, zlib and Vaccine Passports
Well, we now live in a strange world. Our world has been damaged over the past 18 months, and, for the sake of our next generation, we must now rebuild our economic infrastructure, and look to rebuild our links between countries.
And so we have reached the point of rebuilding trust between the regions and nations of the world, and enabling safe travel must be a key way forward. For this, a concrete proof (eg vaccine status verification) at our borders seems to be the best way forward for the nations and regions of the world to rebuild trust. The usage of vaccine passports for events, such as football matches and concerts, is a whole other debate. At a border, you can invest in trusted systems and have a high degree of integrity, but at a football match there is a whole different level of trust and integrity required (and where paper versions of documents are likely to be preferred).
And so, yesterday, Scotland released their ‘vaccine passport’ (which I think is a terrible term) and which has an integrated QR code:
The vaccine status document can be downloaded as a PDF, and contains printed confirmation of vaccine status, and also a QR code. I immediately downloaded mines and it contained all the key details required to prove my vaccination status:
Unfortunately, the PDF is editable, but this is easily fixable, and I hope NHS Scotland will just integrate a PDF builder and lock down the security of this. It is just a bit of trust in the document. As a student project it could be done in an hour or so, and fully tested. Along with this, a signed PDF would considerably help trust levels in sharing the document:
This just needs a trusted signer (such as the NHS) to sign the PDF, and lock it. It is that simple. For an entity of the size and importance of NHS Scotland, you would hope they can just fix this glitch.
A well thought-out approach
So I spent some time yesterday looking at the QR code, and I managed to decode all the information. And, overall, I am really impressed that there has been a good deal of thought spent on creating this. Technically, it uses a trusted system that is used in the EU and is defined as the green pass [here]. From a cryptography point-of-view, it is not perfect and there would be better ways in the future to do this, but it’s a giant step in moving forward. As far as I can tell, too, it is going to be followed soon by a trusted app, and this will provide people in Scotland with a way to provide their vaccine status over the EU — and that’s a great thing for building up trust between the nations and regions of the world.
If you are interested, the data from the QR code uses a Base-45 format, and where we have 45 characters defined. The encoding table is:
Value Encoding Value Encoding Value Encoding Value Encoding
00 0 12 C 24 O 36 Space
01 1 13 D 25 P 37 $
02 2 14 E 26 Q 38 %
03 3 15 F 27 R 39 *
04 4 16 G 28 S 40 +
05 5 17 H 29 T 41 -
06 6 18 I 30 U 42 .
07 7 19 J 31 V 43 /
08 8 20 K 32 W 44 :
09 9 21 L 33 X
10 A 22 M 34 Y
11 B 23 N 35 Z
The Base-45 character set [here] limits the characters that can be used, so that there cannot be any confusion with certain ‘difficult’ characters (such as upper and lowercase representations).
With we take two bytes [A, B] and convert into [ C, D, E] and where:
(A*256) + B = C + (D*45) + (E*45*45).
For example, for “hello”, we have:
h e l l o
0110 1000 0110 0101 0110 1100 0110 1100 0110 1111
The first two bytes are A=64+32+8=104 and B=64+32+5 =101, and where:
(104*256)+101 = 26,725
We then divide by 45 and note the remainder:
26725 / 45 = 593 r 40 = ‘+’
593 /45 = 13 r 8 -> ‘8’
13/45 = 0 r 13 -> ‘D’
h e l l o
0110 1000 0110 0101 0110 1100 0110 1100 0110 1111
Message: hello 68656c6c6f
Encoded: +8D VDL2
Decode: hello
If we scan from the QR code, we get a format of:
We then extract the “HC1:” part, and then just convert it into a byte stream with:
decoded = base45.b45decode(payload)
The format is then in a compressed form using zlib, and decompressed with:
decompressed = zlib.decompress(decoded)
The format of this message is in the COSE (CBOR Object Signing and Encryption) form [here], and we can easily decrypt with:
cose = CoseMessage.decode(decompressed)
We then get the output in a JSON format:
And which contains the name of the person to match to their passport, and also details of the vaccination and the signer entity. I was able to read all the details of mines, and I was so impressed with the approach.
Conclusions
From a technical point of view, this looks like a thoughtful approach by NHS Scotland. They did very well with the COVID-19 tracking agent and took their time to select the right options, and it has generally worked well. For the vaccine status, they seem to have gone down a sensible route, and with the release of the app, it would be hoped that Scotland will enable travel into the EU with a trusted integration of the green pass. I only ask that NHS Scotland just fix the PDF protection, as it should be simple to do this.
Please note that I am a cryptography/cybersecurity professor, and cannot pass judgment on any moral, legal and ethical aspects (apart from my self-belief that this is a good thing for building up trust on travelling over borders). For me, this is a great step forward, and I would hope that the next stage involves a more distributed viewpoint on trust, but you can’t get there until you have, at least, an agreement on the standards that can be applied.
For me, well done NHS Scotland. Sensible and considered, as always in these difficult times. Less haste, more speed. You did the right thing for tracking, and this is a great step forward for vaccine status proof over borders. We need to rebuild our world and break down the barriers which falsely divide us. I assume this green pass will be a short-term method, but it is needed to reduce the blanket restrictions that we now face.
If you want the full code (and it is available on other blog posts on the Internet), just get in contact with me.
Subscribe: https://billatnapier.medium.com/membership