In the last year and a half we have added a huge number of terms to our vocabulary, such as “new normal”, “flattening the curve”, “de-escalation” or “telework”. However, in recent months there is one term that dominates above all others: the “COVID Passport”.
In general, we all have an idea of what the COVID Passport (or COVID certificate, according to its official name) is, but very few are aware of the technological challenge it has posed for European and, especially, Spanish health authorities.
When a person downloads their COVID Passport – whether because they have had a vaccination, been discharged from hospital or undergone a diagnostic test – they simply see a document with a series of personal details and a QR code. Something that seems so simple on the surface nevertheless has major implications for the security of citizens’ information.
Medical data is a very sensitive type of information and, for this reason, falls into a special category of the General Data Protection Regulation (GDPR), which prohibits its processing (Article 9.1) except in certain cases. One such case is the essential public interest that recital 48 of Regulation (EU) 2021/953 on COVID-19 certificates invokes to justify it.
The need to have a document that collects the health data of citizens in such a short period of time, within everyone’s reach and guaranteeing the security of the information has been a challenge for the Administrations.
WHO lays the groundwork for its development
Despite the position of the World Health Organization (WHO) that rejects requiring vaccination certificates for travelers to enter or leave a country, the European Union, faced with the initiatives of the Member States to issue vaccination certificates, launched the project for a certificate with a common approach on the content, format, principles, technical standards and level of security, so that they could be used effectively in the cross-border context.
WHO itself published in March an Interim guidance for developing a Smart Vaccination Certificate that avoids fraud and falsifications and, although it was born with COVID-19, can be used in the future to demonstrate vaccinations for other diseases such as Polio or Yellow Fever. These guidelines, which include technical requirements, have formed the basis of the current European COVID Passport.
The rationale behind COVID certificates is that countries should be able to rely on them, with no doubt about the veracity of the data they contain. This trust framework is built on Public Key Infrastructures (PKI): the information collected in COVID Passports is digitally signed using Entity Seal certificates.
How is citizen information secured?
On the one hand, thanks to the PKIs, the authorities that are going to read the QR codes have guarantees of the identity of the Passport issuer, which legitimizes the validity of the document and, on the other hand, it is guaranteed that the data contained in the COVID Passport has not been modified. In this way, when an authority reads the QR Code, it will be verified that the information that appears is the same as the one in the Community’s database. Therefore, the PDF document cannot be forged. There is no possibility of a person trying to modify it to incorporate false evidence or vaccinations that have not been given.
A structure from 2001 for a technology of 2021
The WHO recommendations concerning the COVID Passport include the creation of a national PKI by the health authorities, i.e. setting up a Certification Authority (hereinafter CA) within each Administration that issues electronic signatures intended solely for signing COVID certificates. In other words, they recommend copying the infrastructure created for conventional passports.
Currently, following the indications established by the ICAO (International Civil Aviation Organization) after the 9/11 attacks, each State has an authority that issues all passport certificates and is called CSCA (Country Signing Certificate Authority). In Spain, the CSCA is the Directorate General of Police, which issues passports that include biometric information encrypted on a chip.
What has Europe done?
When the EU drafted the technical requirements for the COVID Passport, it directly incorporated this structure without taking into account the difficulties involved in creating a national Certification Authority solely to issue electronic certificates to sign COVID Passport data. In addition to the significant investment, Certification Authorities have to undergo arduous control processes by expert auditors to ensure the security of the processes, so the creation and implementation of a CA is a process that usually takes years.
Another requirement in the COVID Passport specifications is the key length of the electronic signature, which determines the robustness of the key and how difficult it is for external agents to break it. The specifications establish that the electronic signatures of the Passports use Elliptic Curve Cryptography (ECC), which allows greater cryptographic robustness with smaller key sizes, making it lighter, faster and more secure than the RSA keys that are commonly used.
The use of this cryptographic system is not widespread and, in fact, of the 202 Qualified Electronic Trust Service Providers in the European Union only 20 use ECC and only 9 issue Entity Seal certificates. Therefore, there are very few CAs with the experience to implement Elliptic Curve Cryptography across the continent.
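The trust check described under “How is citizen information secured?”, combined with the elliptic-curve signatures discussed above, can be sketched as follows. This is an added example, not code from the specification or from any provider: the issuer label, the payload and the bare signature format are constructed for illustration, and the 384-bit curve is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// TrustList maps an issuer label (hypothetical) to that issuer's public seal key.
type TrustList map[string]*ecdsa.PublicKey

// Sealed is a constructed stand-in for the signed data behind the QR code.
type Sealed struct {
	Issuer             string
	Payload, Signature []byte // Signature is ECDSA over SHA-384(Payload)
}

func NewSealKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // 384-bit curve, assumed
}

// Seal signs the payload with the issuer's private key.
func Seal(issuer string, key *ecdsa.PrivateKey, payload []byte) (Sealed, error) {
	digest := sha512.Sum384(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Sealed{issuer, payload, sig}, err
}

// Verify accepts data only from a listed issuer whose signature matches it.
func Verify(trust TrustList, s Sealed) error {
	pub, ok := trust[s.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not on the trust list", s.Issuer)
	}
	digest := sha512.Sum384(s.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return fmt.Errorf("signature does not match the data presented")
	}
	return nil
}

func main() {
	key, _ := NewSealKey()
	trust := TrustList{"ES-demo": &key.PublicKey}
	s, _ := Seal("ES-demo", key, []byte(`{"name":"Jane Doe","doses":2}`))
	edited := Sealed{s.Issuer, []byte(`{"name":"Jane Doe","doses":3}`), s.Signature}
	fmt.Println("as issued:", Verify(trust, s), "| edited:", Verify(trust, edited))
}
```

The verifier needs only the issuer's public key, so data edited after issuance, or sealed with a key that is not on the trust list, is rejected without the verifier ever holding the private key.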
Spain, a pioneer in implementing the COVID Passport
Faced with this situation, the Spanish Administration (Ministry of Health, the Health Departments of the Autonomous Regions and other public bodies) has been a pioneer in the process of developing the COVID Passports and has managed to get it up and running in record time. Why? What have they done differently from other health authorities?
Faced with the obsolete specification of setting up a CSCA from scratch, most Administrations decided to contract the service of issuing electronic certificates to a Spanish Qualified Trust Service Provider: EADTrust, European Agency of Digital Trust.
EADTrust is the only Spanish provider that issues qualified Entity Seal certificates with Elliptic Curve Cryptography and has been recommending its use for years due to its robustness against vulnerabilities such as ROCA, which affected numerous European providers in 2017. It also issues the most secure certificates on the market with ECC 384 bits and RSA 8192 bits.
For this reason, Administrations have decided to use its Certification Authority to sign the data included in COVID Passports. In addition, another advantage over other European countries is that the certificates being used are Qualified, i.e., they are issued in accordance with the eIDAS Regulation that regulates trust services in the European Union.
As the technical specifications are based on those of the conventional passport established by the ICAO, nothing was included regarding the use of qualified certificates. However, Spain decided to use a Subordinate CA published in the European Trusted List as the Root of its PKI.
As Spain was the first country to issue the certificates, the joint effort of the Administrations made it possible to verify that the use of EADTrust’s eIDAS technology is compatible with the PKI designed by the ICAO two decades ago.
In short, Spain has decided to rely on the experience of a Qualified Provider that has been working for years with Elliptic Curve Cryptography to guarantee the quality of the service and efficiency in the processes and achieve the implementation of the COVID Passport in record time. Citizens who obtain their certificate have a high level of security in the protection of their personal data, guaranteeing their authenticity.
EADTrust is a Qualified Trust Service Provider that has been working for more than ten years to help companies adapt to the challenges of digitalization, providing them with tools that guarantee the security, authenticity, integrity and legality of their processes.
Its main services are:
- Issuance of qualified certificates for electronic signature of natural person and natural person representative of legal person and qualified certificates for electronic seal of legal person.
- Issuance of qualified timestamps
- Reliable electronic notification (certified e-mail).
- Electronic verification of publications on a web page (Attested Publication), especially related to shareholders’ meetings and other corporate acts.
- Electronic Shareholders’ Forum
- Electronic Voting
- Audit of certified digitalization and advanced digitalized handwritten signature.
EADTrust, European Agency of Digital Trust, S.L. is an entity specialized in solving the challenges of digitization by providing solutions to the needs of companies that are considering replacing manual processes with digital ones. The combination of legal and technical knowledge of its specialists leaves no loose ends when it comes to questions about the legality of the solutions developed. Since 2020 it has been providing qualified digital trust services as defined in the European eIDAS Regulation, which is directly applicable in all European countries. Its certificates based on Elliptic Curve Cryptography are used by several Ministries and all autonomous communities for the issuance of digital COVID certificates.