Forgery-Proof QR Codes for Covid19 Tested Persons - CORSIGN

Tobias Jonas

Forgery-proof tracking via QR codes in all tracking apps through a unified standard and a central authority – CORSIGN ( = Corona Signing )

Corsign is an open-source signing method for Corona-relevant information within forgery-proof QR codes. The signing procedure is documented as open source and can be viewed on GitHub (https://github.com/innFactory/corsign-core). At the core of the procedure are JSON Web Tokens (JWTs), the de-facto standard for website authentication on the internet. These tokens carry a payload in which the data of the tested person and the test result are stored in signed form. Only those who possess a private key can create valid tokens and QR codes. A central certification authority, managed by the respective agency or state government, can issue such private keys to testing centers or pharmacies. Only with this private key can these trusted entities create QR codes for tested citizens via an API or web app. Since the QR code is signed and not encrypted, the information can be scanned with any smartphone camera or barcode app. This enables integration into ALL Corona tracing apps. Due to the central signature, forgery without possession of a private key is absolutely impossible, and “trying out” would take longer than the universe will exist at current computing power (https://de.wikipedia.org/wiki/RSA-Kryptosystem).

The central signing authority does not store any personal information; it only signs the information. The data is processed exclusively in the respective tracing apps. Thus, the QR code is compatible not only with our own tracing app (= Corsign Tracing) but also with the official Corona-Warn-App, Darf ich Rein, or Luca. Through the central certification authority, the agency can also detect misuse by comparing the number of tests actually performed with the number of signing attempts. In case of misuse, it can intervene and revoke all private and public keys of the respective entity. Tracing apps can then no longer validate QR codes from that entity either. However, the invalid data from the QR code can still be read, so that at least the personal data can be recorded without a valid test result.

Since a unique ID is also signed in the QR code, this can be used as a person ID in SORMAS. In addition, attempts at misuse through sharing of the code can be detected. If the same QR code is scanned at different locations at the same time or if the corresponding person cannot adequately identify themselves with the QR code, this is detected immediately.

Integration in Tracing Apps

Hospitality, retail, and all other POIs can scan the QR codes via any tracing app as long as it integrates the CORSIGN model (see GitHub). The tracing apps can verify QR codes directly, using the public keys published by the certification authority. When the respective health department contacts the POI, the POI can transmit the collected QR data of guests for a specific period directly to the health department and to the respective SORMAS. This process can also be fully automated for more speed. In this case, the release of data is fully documented.
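The check a tracing app performs with the authority's public keys, including the revoked-key case in which the payload stays readable but untrusted, as an added example (not code from corsign-core). The `kid` header, the payload field names, the `exp` expiry check and the key registry are assumptions made for illustration; signing and verification use RS256 through the built-in Node.js `crypto` module.

```javascript
// Added example: key ids, payload fields and keys are constructed, not from corsign-core.
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Testing-centre side: sign "header.payload" with the centre's RSA private key (RS256).
function issueToken(payload, kid, privateKey) {
  const header = { alg: "RS256", typ: "JWT", kid };
  const signingInput = b64u(JSON.stringify(header)) + "." + b64u(JSON.stringify(payload));
  const sig = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return signingInput + "." + sig.toString("base64url");
}

// Tracing-app side: trustedKeys maps kid -> { publicKey, revoked }, as published by the authority.
function verifyToken(token, trustedKeys, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  let header, payload;
  try {
    if (parts.length !== 3) throw new Error("expected three segments");
    header = fromB64u(parts[0]);
    payload = fromB64u(parts[1]);
    if (!header || !payload) throw new Error("segments must be JSON objects");
  } catch {
    return { valid: false, reason: "malformed", payload: null };
  }
  // Signed, not encrypted: the payload is always readable, but untrusted unless valid is true.
  const fail = (reason) => ({ valid: false, reason, payload });
  // Pin the algorithm; the token's own header must never choose how it is verified.
  if (header.alg !== "RS256") return fail("unexpected-alg");
  const entry = trustedKeys.get(header.kid);
  if (!entry) return fail("unknown-key");
  if (entry.revoked) return fail("key-revoked");
  const ok = crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]),
    entry.publicKey, Buffer.from(parts[2], "base64url"));
  if (!ok) return fail("bad-signature");
  if (typeof payload.exp !== "number" || payload.exp <= now) return fail("expired");
  return { valid: true, reason: "ok", payload };
}

// Constructed demo data: one testing centre and one signed result.
const centre = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const trustedKeys = new Map([["centre-001", { publicKey: centre.publicKey, revoked: false }]]);
const demoToken = issueToken(
  { jti: "3f1c9a52", name: "Erika Mustermann", result: "negative", exp: 2000000000 },
  "centre-001", centre.privateKey);
console.log(verifyToken(demoToken, trustedKeys, 1700000000));
```

A caller should act on `payload` only when `valid` is true; the `reason` field distinguishes a revoked issuer from a tampered or expired code.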

CORSIGN Software

Integration is possible for all tracing apps with very little effort, as we publish the model as open source for the most common programming languages. We are also currently programming a reference implementation for a signature authority that can run both in the cloud and in the authority’s data center. In order for the process in the image to work completely, we are also developing a suitable tracing app and trying to build partnerships with the Corona-Warn-App, Luca, or Darf ich rein. Furthermore, our implementation of the CORSIGN model automatically reports data to the respective SORMAS system upon a positive signing attempt, since most pharmacies do not have a connection to SORMAS when testing. Corsign functions as a gateway between (rapid) testing centers, pharmacies, and the tracing apps.

Written by Tobias Jonas, CEO

Cloud architect and expert in AWS, Google Cloud, Azure and STACKIT. Worked at Siemens and BMW before founding innFactory.
