Every EU member state is rushing to implement Digital Green Certificates until the end of June yet no one is stopping to look at their security.
Digital Green Certificates are a European solution to the problem of free movement in the times of the COVID pandemic. The idea is that while travelling to some other country in the EU you won’t have to mess about with the random paper confirmation of vaccination you got at the vaccination place but instead will be able to present a standardized and interoperable vaccination or test certificate that the authorities of each member state will validate. The need for interoperability is significant and thanks to the European Comission the opportunity to standardize on one format was used. In this post I look at the design of Digital Green Certificates from a security perspective and outline several security issues.
The Digital Green Certificate (DGC) is a digital proof that a person has been vaccinated against COVID-19, received a negative test result or recovered from COVID-19. It is valid in all EU countries and even though it contains the word digital in its name it can be in the form of a paper or a digital certificate1. In the end it is just a QR code that has the vaccination/test/recovery data in it, signed by an issuing body from some member state. This is supported by public key infrastructure similar to the one used in e-passports that will be centrally operated by the EU (DIGIT). The QR code contains data such as the name of the holder, date of birth, type of the certificate and respective certificate data (e.g. date of vaccination, vaccine name). Contrary to many claims in the media - one even from the Slovak government agency implementing the DGC apps2 - the data on the QR code can be read by anyone and its confidentiality is not protected.