The author went out of their way to hide the factors of N, presumably so that nobody else would actually be able to generate signed certificates. However, they did this by hiding half the digits of the factors.<p>Revealing so many digits of the factors actually allows easily factoring the original number using a version of coppersmith's method (easy as in under a second on my laptop instead of the 9 hours on a distributed cluster the authors used). This is actually a pretty classic CTF exercise.<p>If I'm still nerdsniped by this tomorrow I'll try my hand at implementing this and factoring the number myself
Short version if they get taken down:<p>The validation apps used a 512 bit RSA public key.<p>They used a factoring app and spend $200 on amazon to factor the private key from the public key.<p>They were then able to generate the COVID passes.<p>This is for the Honai Police Dept.
This kind of breach isn't possible in Australia since their laws can beat the laws of math. Countries with less powerful laws are apparently not so lucky.<p><a href="https://www.gizmodo.com.au/2017/07/prime-minister-says-the-laws-of-australia-can-beat-the-laws-of-math/" rel="nofollow">https://www.gizmodo.com.au/2017/07/prime-minister-says-the-l...</a><p>(Yeah, tongue firmly in cheek. Laws of math oddly enough seem to work just fine for taxation, depreciation, etc etc)
Here in Mexico the gov issued vaccination certificates always have errors.<p>People have resorted to downloading the PDF and "hacking it" (editing it in Acrobat).<p>Nobody ever actually checks whether the certificate is valid or not.
I remember here in Canada there were concerns about this sort of thing when rolling out our proof-of-vaccination system, but practically speaking, the number of people with both the technical understanding and inclination to do this is surely too small to have a meaningful impact on COVID spread.
Random question, but related: Like this example, I see lots of other applications that require a QR code storing binary data and chose to encoded this data as Base64 (or others) and then add it to a ASCII-only QR code format. Why don't they use a binary-mode QR code? Compatibility?
Real talk: are people saying they wanted this to be secure? If we are going to do this "vaccine paperwork to do anything" regime, I wouldn't <i>want</i> it to be some super secure mechanism that had digital proof of personhood provided by some government entity with an unhackable key! This key size frankly seems like the perfect balance: it took some months for someone to get around to breaking it, and then it took some months for a service that used that cracked key to become popular enough to make a real impact on safety, and maybe maybe just maybe soon we won't need this anymore, and none of these existing digital records will be trustable... and, if we are stuck doing this for another year, we should roll another weak key. (If nothing else, if you make an actually secure mechanism that ties a person to their vaccine record with a signature, you just <i>know</i> that tomorrow some WorldCoin-like company is going to try to use it for some stupid crypto "airdrop" ;P.)
> Although the code was provided, we took around 2 days to get this running since the code was written back in 2015. Some libraries are not currently supported forced us to make several changes on the code. The project was then running smoothly.<p>Why not use a VM with older libraries and tools ?
Here is how government-issued QR codes (not only vaccination ones) works in my country: it's just a link to government site.<p>Why reinvent crypto, PKI and all? Also solves updates/invalidation issues.
Here is the New Zealand version - <a href="https://nzcp.covid19.health.nz/#examples" rel="nofollow">https://nzcp.covid19.health.nz/#examples</a>
does not surprise me, in the future there will only be two governments in the world, polarization will become the norm. each party will think they are right. it will be an umbrella me echo chamber. but it will only exist online. it will manifest in real life but people who dare or who are brave enough to understand someone outside of their comfort zone will quickly realize that we are not 1’s and 0’s within a machine.
Offline first seems such an oversight from contact tracing perspective.<p>Also NFC tags could’ve been better solution, but probably would’ve sent too much Bill Gates vibes.
It is easier to find someone who give you just papers and flush your dose out. But anyway... Proof of anything based on digital ID is pointless and should be abandoned as soon as possible.
> we found all hard-coded Public keys were using RSA 512<p>> Next, the data was hashed using a custom hashing algorithm developed by lachongtech.<p>Yeahhhh.....soooo.......
Physical Covid certificates are also not secure at all.<p>They are easy to copy or fake.<p>Any scheme which simply puts a cryptographic number on a some
Physical card - or behind a regular QR is not secure. A simple photocopy will work just as well as the original. Not to mention Photoshop.<p>But there is actually a new way to make physical things - like printed Covid vaccination cards - provably unique and authentic.<p>Much more powerful than holograms and also much more secure, unclonable and authenticatable.<p>Take a look at Blocktag (blocktag dot com) - Next gen QR codes that anyone can print, yet cannot be counterfeited. And of course linked to blockchain and ready for physical NFTs too.