NorthSec 2022

Privacy-friendly QR codes for identity
2022-05-20, 14:20–14:50, Ville-Marie

Presenting personal information in the form of a QR code has become a daily reality for many during the Covid pandemic: in Quebec, people showed their immunization information using the government-issued VaxiCode, a SMART Health Card (SHC) credential that follows a medical standard adopted in Canada and in many other countries. The paradigm of presenting information about oneself can easily be generalized beyond this health scenario.
In this presentation, I’ll first give an overview of the SHC framework, focusing on its security features and describing its deployment in Canada. I’ll then present a generic framework to issue QR codes that can encode attributes of any type. I’ll introduce a strong privacy feature allowing users to only disclose a subset of the encoded attributes, addressing one of the main privacy critiques of SHCs. Finally, I’ll give a demonstration and describe the open-source specification and reference implementation for this generic framework.


Outline of the presentation:

  • SMART Health Card (SHC)
  • Overview of the SHC framework, and of its overseeing organization VCI
  • Security analysis of SHC, including: key management, cryptographic signatures, revocation of issuers and SHCs, and trust establishment (trusted issuer directory and auditing)
  • Claims QR
  • Presentation of the Claim QR framework for generic attributes
  • Hash-based mechanism for selective disclosure of attributes
  • Overview of the open-source specification and reference implementation
  • Demo (issuance and validation of generic attributes)
  • Q&A

What is the language of your talk/workshop?

English

Christian is a Principal Program Manager in Microsoft Research’s Security and Cryptography team. For the last 20 years, Christian has been living at the edge of academic research and industry, with a focus on privacy-preserving identity technologies (notably, U-Prove). Christian joined the COVID response effort, and helped with the design of the SMART Health Card framework; he contributed to the specification, and co-implemented the developer tools to validate SHC implementations. Post-quantum cryptography and zero-knowledge proofs otherwise keep him busy. Based in DC, Christian is always happy to visit his native Montreal.

This speaker also appears in: