Before the emission for a few days of false vaccination COVID certificates, including some on behalf of Adolf Hitler or Sponge Bob, European countries have rejected the use of malprotected cryptographic keys, while the French and Polish authorities have launched a investigation.
"We are very aware of the alleged fraudulent manipulation of the QR code of the Covid European Certificate," a spokesman for the European Commission told AFP this Friday.
Since Wednesday, some Internet users have secured in forums and social networks that had the secret cryptographic keys used to generate a valid QR code for the European Sanitary Pass.
This code contains the identity of its owner and information about its state of vaccination or immunity. As a test, these users have created valid codes with fantastic names, such as Adolf Hitler or Sponge Bob.
However, private encryption keys were not compromised, AFP ensured the European Commission, discarding the technical failure track and denounced an "illegal activity".
In some cases, "certificates were generated by people with valid credentials to access national computer systems," says the institution.
"Each country has one or more signatures, and in each sweep we find the key by which it was signed," explained to AFP Gaëtan Leurent, a cryptography researcher in the National Institute of Research in Science and Technology. Digital.
For the system to work, all servers used to sign the certificate must be properly protected. "If a service remains open and signing something, in practice it is as if the key would have been stolen," she added.
To remedy the error, the Member States of the EHEALTH network - publicly public throughout the European Union - have agreed to "block the two fraudulent certificates to be considered invalid by verification applications". The Macedonia portal has also been deactivated.
In France, the Tousanticovid Verif application was updated on Thursday morning. The EHEALTH network will also work in "the improvement of the invalidation and revocation systems, to be able to react even more quickly to such cases."
The case is not entirely closed because the origin of some fraudulent health passes is still a mystery. A certificate of vaccination on behalf of Mickey Mouse seems to have been signed by the French authorities, others by the Polish services, perhaps thanks to the complicity among health professionals.
In September, the QR codes of the real health certificates of Emmanuel Macron and Edouard Philippe had been disseminated in social networks, the first by someone who had consulted the Chairman's vaccination file according to his health insurance, and the second by Internet users who They had managed to scan it from a press photo.Updated Date: 07 November 2021, 12:40