alphalist Blog

The Use of BlockChain for Verification - EU Vaccines Passport Program and more

As the CTO of UBIRCH, Matthias Jugel spent the past few weeks getting the German vaccine passes ready. He followed EU protocols to create an authenticated system. His real specialty is in using crypto and blockchain for verification purposes such as tickets, manufacturing, self-sovereign identities, and more. Find out about the uses of blockchain and its future in this comprehensive article on the topic.

Matthias Jugel is the guy responsible for our German members being able to take summer vacations and travel across country borders again. As the CTO of UBIRCH, he has spent the past few weeks working without weekends to get the program ready for its 10 June launch date, to the extent that he lost track of time. UBIRCH is still a rather small company, but with its cybersecurity background and knowledge it was the perfect fit for the consortium, together with IBM, govdigital and Bechtle, to develop the German solution for the digital COVID-certificate of the EU. IBM is taking care of the rollout and communication and developing the apps, while UBIRCH, which had prior experience in vaccination passes and test certificates, took care of the technological backend. Govdigital supplies the data center in the area and Bechtle assists with application and customer support.

His Background

Matthias grew up in East Germany and always wanted to be a computer scientist. However, under the East German regime, he was not given an option to study it. But as soon as the Wall came down, he voiced his desire to study computer science and switched degrees. He even completed his studies in London. However, when he graduated, it was still too early for the computer science field - it was hard to get a job - so he got a job in research where he worked for the next 14 years. However, in between, he took breaks and founded 2 start-ups. He also went to South Korea on a project that involved going to North Korea and finding out how Computer Science was taught there. When he returned from South Korea, he went into Machine Learning. It was then that he became acquainted with the Technical University of Berlin. During that time, he founded a real-time data analysis startup with a friend. After that, he founded UBIRCH with Stefan Noller.

So in short, his nerd path took him from research straight to self-employed. And issuing vaccination passes. But vaccination passes only came about through Crypto. 

UBIRCH utilized blockchain technology and crypto techniques to help a variety of companies with their verification processes.

They believe in crypto without the human part, because that's always the hard part. They wanted to encrypt data and make it verifiable in machines or from machines, because machines don't ask you all these questions.

Crypto is shrouded in mystery, even to those in tech. There are multiple layers involved, like data formats, algorithms, and encodings, and in the end something is printed on a piece of paper that somehow translates into these complicated things. “So there's security that you don't see - it's not like a key that you can put into a lock and then open something,” says Matthias.

But that doesn’t stop him from trying to explain it.

The Use of BlockChain for verification

UBIRCH uses blockchain as a tool and verifies a few different aspects of the data for its customers. It is security as a service.

Using blockchain technology, UBIRCH secures data, ensuring that:

- Data is authentic, so we know where it comes from.
- Data is unmodified.
- Its origin in time is known, e.g. when the data was generated.

The challenge many industries face in improving their security is that data is already flowing from A to B. Using blockchain, UBIRCH can secure data without changing the way the data is flowing right then. All clients need to do is take anonymous fingerprints of their data at key points using the UBIRCH client and send them to UBIRCH. UBIRCH then makes sure to store each fingerprint securely and unmodified, and the data flow continues. When you need to verify the data, you just recreate the hash (the fingerprint) from the data and check it against the stored original to authenticate it. Using blockchain, the technology can perform security checks without disturbing the data flow. This means you can access the data and perform security checks at any point in time. This system works across system borders, so it can be used to verify that the data you sent to external parties is correct.

All this is done through the blockchain. When the data flows into their system, they only record the hash in their local database, and then this hash goes, together with a lot of other measurements from other customers, into a very big Merkle tree. It is only the roots of these Merkle trees that end up in a public blockchain.

Therefore, they verify data using a public blockchain like Ethereum, but also store the hashes internally. UBIRCH never actually sees the customer's content - they only handle hashes. Their customers are still the owners of this data, and UBIRCH only records a fingerprint of the data for them and makes sure that this fingerprint is then also locked in time and space.
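The fingerprint-and-anchor flow described above, as an added example that is not UBIRCH's code: records are hashed, the hashes are combined into a Merkle tree, and a record is later verified from its data, a short sibling path and the anchored root alone. SHA-256, the leaf and node prefixes, the rule for an unpaired node and the sample records are assumptions made for this sketch.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def fingerprint(record: bytes) -> bytes:
    """The only thing that leaves the customer's system: a hash of the record."""
    return h(b"\x00" + record)                  # 0x00 marks a leaf


def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)            # 0x01 marks an inner node


def root_and_proof(leaves: list, index: int):
    """Merkle root of leaves plus the sibling path for leaves[index]."""
    if not leaves:
        raise ValueError("empty batch")
    level, proof = list(leaves), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):                # an unpaired last node has no sibling
            proof.append((level[sibling], sibling < index))
        nxt = [node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])               # promote the unpaired node unchanged
        level, index = nxt, index // 2
    return level[0], proof


def verify(record: bytes, proof: list, anchored_root: bytes) -> bool:
    """Recreate the fingerprint from the data and walk up to the anchored root."""
    cur = fingerprint(record)
    for sibling, sibling_is_left in proof:
        cur = node(sibling, cur) if sibling_is_left else node(cur, sibling)
    return cur == anchored_root


# Constructed sample: five records from different customers in one batch.
RECORDS = [
    b'{"device":"sensor-17","temp_c":4.1,"ts":1623650400}',
    b'{"ticket":"A-0042","state":"issued"}',
    b'{"device":"sensor-17","temp_c":4.3,"ts":1623650460}',
    b'{"batch":"lot-7","pressure_bar":2.0}',
    b'{"device":"sensor-90","temp_c":5.0,"ts":1623650465}',
]

if __name__ == "__main__":
    leaves = [fingerprint(r) for r in RECORDS]
    root, proof = root_and_proof(leaves, 2)     # only the root is anchored publicly
    print("anchored root:", root.hex())
    print("original record verifies:", verify(RECORDS[2], proof, root))
    tampered = RECORDS[2].replace(b"4.3", b"9.3")
    print("modified record verifies:", verify(tampered, proof, root))
```

The proof for one record holds only sibling hashes, so checking it reveals nothing about the other customers' data in the same batch.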

Multiple Blockchains

It also makes a difference where these five blockchains came from. 

UBIRCH doesn’t only store these root hashes in one blockchain, but in multiple, because there are a lot of different blockchains out there. Some are very fast, some are very slow, and some are very expensive. By not using just one blockchain, UBIRCH has proof that a piece of data was generated at a given point in time and also has proof of order and completeness. That also means that the data, no matter where it's generated, is connected: each data packet that is generated is connected to the one before and the one after. All this comes together to verify data as part of the blockchain.

The EU Vaccine Program

The German vaccination pass is based on the protocols defined by the European Union regarding vaccine certificates for its member states. When you get your shot, a small dataset is created which contains your personal information (your name and your birth date, for example) and some information about the actual vaccination: the manufacturer, the product ID of the shot, the date when you got your shot, and which shot in a series of doses it was. The EU also has protocols on how this dataset should be handled. It needs to be put into a binary representation, which is then signed using cryptographic key material. Anyone with the public key can now verify that it's authentic. This binary representation is then compressed and encoded into base-45, which is known to be very efficient in combination with QR codes. The base-45 text representation is then put into a QR code, which is printed as your pass. The complete chain, read from the QR code inwards, is: base45 > zlib > COSE object > CBOR

This method differs from a JWT (JSON Web Token) in that the result is a bit smaller. A JWT is base-64 encoded, purely text-based, and not compressed in itself. This means it cannot contain as much information in the same amount of data, so it ends up very big.
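Why Base45 suits QR codes, as an added example that is not part of the original article or of UBIRCH's code: the Base45 alphabet (RFC 9285) is exactly the character set of QR "alphanumeric" mode, which stores two characters in 11 bits, while base-64 text forces the QR code into 8-bit byte mode. The sketch implements the outer two layers of the chain (zlib and Base45 with the HC1: prefix) using only the standard library; the sample payload is a constructed stand-in for the signed COSE bytes, and the bit count ignores QR mode and length headers.

```python
import base64
import json
import zlib

# RFC 9285 alphabet: the same 45 characters as QR "alphanumeric" mode.
B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"


def b45encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data) - 1, 2):        # 2 bytes -> 3 characters
        n = data[i] << 8 | data[i + 1]
        out += [B45[n % 45], B45[n // 45 % 45], B45[n // 2025]]
    if len(data) % 2:                           # odd trailing byte -> 2 characters
        out += [B45[data[-1] % 45], B45[data[-1] // 45]]
    return "".join(out)


def b45decode(text: str) -> bytes:
    if len(text) % 3 == 1 or any(c not in B45 for c in text):
        raise ValueError("not valid Base45")
    v = [B45.index(c) for c in text]
    out = bytearray()
    for i in range(0, len(v) - 2, 3):
        n = v[i] + 45 * v[i + 1] + 2025 * v[i + 2]
        if n > 0xFFFF:
            raise ValueError("Base45 triplet out of range")
        out += n.to_bytes(2, "big")
    if len(v) % 3 == 2:
        n = v[-2] + 45 * v[-1]
        if n > 0xFF:
            raise ValueError("Base45 pair out of range")
        out.append(n)
    return bytes(out)


def pack(signed: bytes) -> str:
    """Signed bytes -> QR text: zlib, then Base45, then the HC1: prefix."""
    return "HC1:" + b45encode(zlib.compress(signed, 9))


def unpack(qr_text: str) -> bytes:
    if not qr_text.startswith("HC1:"):
        raise ValueError("missing HC1: prefix")
    return zlib.decompress(b45decode(qr_text[4:]))


def qr_bits(text: str) -> int:
    """Data bits a QR code spends on text (mode and length headers ignored)."""
    if all(c in B45 for c in text):             # alphanumeric: 11 bits per 2 chars
        return 11 * (len(text) // 2) + 6 * (len(text) % 2)
    return 8 * len(text)                        # anything else: byte mode


# Constructed stand-in for the signed COSE bytes; not a real certificate.
SAMPLE = json.dumps({"nam": {"fn": "Mustermann", "gn": "Erika"},
                     "dob": "1964-08-12", "ver": "1.0.0"}).encode()

if __name__ == "__main__":
    packed = zlib.compress(SAMPLE, 9)
    print("round trip ok:", unpack(pack(SAMPLE)) == SAMPLE)
    print("Base45 QR bits:", qr_bits(b45encode(packed)))
    print("Base64 QR bits:", qr_bits(base64.urlsafe_b64encode(packed).decode()))
```

Base45 produces more characters than base-64 for the same bytes, but each character costs 5.5 bits in the QR code instead of 8, so the printed code is smaller.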

Still, someone has to take care of converting the dataset into a signed piece of data. Therefore, UBIRCH provides a service in which they receive the data, transform it, sign it, and then hand back something that can be either printed in a QR code or printed as a PDF document. This is all done through the vaccination centers. 

Here is an example of a QR code. (the code contains spaces due to Base45 - so it may be hard to copy/paste)

Erika Mustermann

This is the Python code:

#!/usr/bin/env python3
import json
import sys
import zlib

import base45
import cbor2
from cose.messages import CoseMessage

# the QR code text is passed as the first command-line argument
qr_text = sys.argv[1]
if not qr_text.startswith("HC1:"):
    sys.exit("expected a string starting with HC1:")
# decode Base45 (remove HC1: prefix)
decoded = base45.b45decode(qr_text[4:])
# decompress using zlib
decompressed = zlib.decompress(decoded)
# decode COSE message (no signature verification done, so the
# printed content is not yet proven to be authentic)
cose = CoseMessage.decode(decompressed)
# decode the CBOR encoded payload and print as json
print(json.dumps(cbor2.loads(cose.payload), indent=2))

This is what the data contains

{
  "1": "DE", // issuing country
  "4": 1655209933, // expires at
  "-260": {
    "1": {
      "v": [
        {
          "co": "DE",
          "dn": 2,
          "dt": "2021-04-01",
          "is": "Robert Koch-Institut",
          "ma": "ORG-100031184",
          "mp": "EU/1/20/1507",
          "sd": 2,
          "tg": "840539006",
          "vp": "1119349007"
        }
      ],
      "dob": "1964-08-12",
      "nam": {
        "fn": "Mustermann",
        "gn": "Erika",
        "fnt": "MUSTERMANN",
        "gnt": "ERIKA"
      },
      "ver": "1.0.0"
    }
  }
}

The Verification of Vaccination Passes - Offline

However, the actual verification can all be done offline, to fit with the requirements of the EU. The corona apps deal with the verification of such passes without needing the internet. Verification is done entirely on the phone. The apps get the public keys and verify the signature, and then they present you with the content of the QR code - the data that's actually in there.

The official app was made to allow free travel in the EU. It is meant to be used when you cross a border or when checked abroad by police or by somebody who would like to know whether you're allowed to be there. 

This information contains personal data, and that is why the official app, which can access all the data contained in the QR code, is for authorised personnel only.

The apps you can download in the app store will only be able to tell you if the QR code is valid. It won’t tell you more. The idea behind it is to present as little personal information as possible, to protect the privacy of everyone involved. 

Matthias isn’t able to talk about what goes into the pharmacies issuing vaccine passes in Germany. There is a queue outside every day now, mainly because pharmacies are limited in how many people they can admit at once, not because of the machine. Matthias also can’t disclose whether each pharmacy has a public and private key to sign or generate the certificates; you would have to get that information from the Ministry of Health.

Using Blockchain to verify Vaccine Passes - Online

For their pilot solution, which has been applied in two German counties, UBIRCH used blockchain technology to make vaccine passes verifiable for authenticity and integrity in a decentralized manner.

1. People in the vaccination center fill in a web form with their details: name, date of birth, vaccination date, what type - all the data that the EU wants to collect.
2. Upon submission, this information is hashed together with a salt, making it anonymous.
3. The hash is sent to the backend, where it is anchored in the blockchain.
4. A URL is generated containing all the data provided in the web form.
5. A QR code is also created which, when scanned, will display the data captured by the web form.
6. If someone wants to just validate the URL, they can go to the URL; it is decoded, a hash is sent to the server, and a response is sent back, with a signature, saying whether it's valid.
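The pilot flow above as an added sketch, not UBIRCH's implementation: the form is hashed with a random salt, only the hash is stored, and a verifier recreates the hash from what the URL carries. It also shows what the salt is for: without it, anyone who sees a stored hash could confirm a guess about a person's name and birth date. The URL layout, the assumption that the salt travels in the URL, the field names and the in-memory set standing in for the backend and blockchain are all illustrative, and the signed server response of step 6 is left out.

```python
import base64
import hashlib
import json
import secrets

ANCHORED = set()        # stands in for the backend store and its blockchain anchor


def canonical(form: dict) -> bytes:
    """Stable byte encoding so issuer and verifier hash identical input."""
    return json.dumps(form, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode()


def issue(form: dict) -> str:
    """Steps 2-4: salt and hash the form, anchor the hash, build the URL."""
    salt = secrets.token_bytes(16)
    ANCHORED.add(hashlib.sha256(salt + canonical(form)).hexdigest())
    blob = base64.urlsafe_b64encode(salt + canonical(form)).decode()
    return "https://verify.example/v#" + blob       # hypothetical URL layout


def verify(url: str) -> bool:
    """Step 6: decode the URL, recreate the hash, ask whether it is anchored."""
    try:
        raw = base64.urlsafe_b64decode(url.split("#", 1)[1])
    except (IndexError, ValueError):                # no fragment or bad base64
        return False
    return hashlib.sha256(raw).hexdigest() in ANCHORED


def guessable(stored_hashes: set, candidates: list) -> bool:
    """True if someone who only sees stored hashes can confirm a guessed form."""
    return any(hashlib.sha256(canonical(c)).hexdigest() in stored_hashes
               for c in candidates)


# Constructed sample form; the field names are illustrative.
FORM = {"name": "Erika Mustermann", "dob": "1964-08-12",
        "vaccination_date": "2021-04-01", "dose": 2}

if __name__ == "__main__":
    url = issue(FORM)
    print("issued URL verifies:", verify(url))
    raw = base64.urlsafe_b64decode(url.split("#", 1)[1])
    edited = "https://verify.example/v#" + base64.urlsafe_b64encode(
        raw.replace(b"2021-04-01", b"2021-01-01")).decode()
    print("edited URL verifies:", verify(edited))
    print("salted hash confirms a guess:", guessable(ANCHORED, [FORM]))
    unsalted = {hashlib.sha256(canonical(FORM)).hexdigest()}
    print("unsalted hash confirms a guess:", guessable(unsalted, [FORM]))
```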

UBIRCH still uses blockchain technology in other use cases. However, in close collaboration with the customer and in line with final EU requirements another approach for the implementation of the digital COVID-certificate in Germany was chosen.

Other uses of blockchain

Online PCR test verification 

Matthias believes that PCR tests will still need to be used in conjunction with vaccine passes for free movement. UBIRCH has developed technology to verify PCR tests that will allow anyone to verify a PCR test - including your hairdresser or restaurant owner. 

It is quite simple. After a PCR test, the lab gives you back a QR code as well. Anyone can just scan the QR code and a web page opens. The web app then checks whether the encoded text is a valid test result. This is different from the vaccine passes in that PCR test verification requires internet access, which makes verification easier.

Use of blockchain for event ticketing

Ticket sales companies are interested in harnessing blockchain technology for event tickets - especially if they can be used in conjunction with the Health Passes. UBIRCH also provides. Blockchain is great for event ticketing as a ticket needs to be unique and valid, but also invalidated once used so no one can use it again. This is something that is a simple use case of the blockchain which can record everything that happened to a particular ticket. To prevent a ticket from being copied, a second factor should also be used for verification - like a passport or NFC or a similar hardware piece. 

However, if the data is changed when the ticket is used - won’t the QR code need to change as well? What if it's printed somewhere? Although QR codes can be changed dynamically if only used digitally, most people prefer to have a QR code printed on a ticket. If it's printed, then one can make it valid until it's used and the state changes.

Use of sensors in Insurance

UBIRCH also uses sensors to help insurance companies deal with insurance claims. 

Using car sensors means insurance companies don't have to involve a lot of parties to check that this car crash happened or not. They can trust the data coming from the device as it has been recording data the whole time and it's very hard for the user of this device to fake anything. 

All users have a sensor in their car and when they drive it records how well they drive, whether they had acceleration spikes, whether they had a car crash, or something. In this case, it is important that the sensor data comes from this piece of hardware that you have in your car and that it's not modified. Therefore, users were also required to use their phone next to it. Sometimes the phone would query the data from the device which allowed the system to not only verify that the data is actually from this device but also that the device is bound to the user.

Use of BlockChain in Pharmaceuticals

How do you verify that the production of the doses is correct and that they have been transported at the right temperature all the time? This is a challenge all pharmaceutical companies face. The temperature needs to be recorded, and the recording also needs to be verified as accurate, making this a perfect use case for blockchain. However, many pharmaceutical companies don’t do it yet because directly using blockchain can be expensive and complicated. But they can use companies like UBIRCH that will build it and give them a simple API where they need to put the data in, and the API takes care of everything.

Use of BlockChain in Manufacturing

Another use of blockchain is when one company has to talk to another company and they have to transfer data between them. How are they going to make sure the information is not only safe but has not been tampered with? For example, a manufacturer creates data for the manufacturing of a certain product, and then they ship it and would also like to ship the conditions under which this product was created. This is important in the chemical industry because sometimes a compound product has to be created under certain pressure and temperature regulation. This data is being recorded anyway (or at least it should be), but blockchain can be built on top of your existing data pipeline to make sure that the temperature recorded is authentic and fits in with the rest of the product data. There are many applications of this use case and many steps in the process where this technology could be used.

How to Get Started with BlockChain

How does one get into the crypto world? Do they start with playing with the whole Ethereum ecosystem? Sometimes it feels like a huge mountain to tackle. Matthias Jugel suggests that the best way is to start with actual cryptography:

- how to create a signature
- how to encrypt stuff
- how to decrypt stuff
- how to verify signatures, and then play with it
- how to create a connected hash list

Things like how to create a connected hash list form the basis of most of the blockchain and distributed ledger technology. It's about creating hashes of data, fingerprints of data, and then connecting them to each other. Because when you create one of these linked hash lists, it's very hard to break them without breaking the whole system. Which is what the blockchain is about. If you break one link, you break the whole thing. This is also why you must distribute it so a lot of people have a copy so we can recreate it and also detect when something's broken. Once you have covered all that you can look at how blockchain works because a lot of blockchains or distributed ledger technology is more about the infrastructure behind it than the actual crypto in it.
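A connected hash list of the kind described here, and the "proof of order and completeness" mentioned under Multiple Blockchains, as an added example that is not from the original article or from UBIRCH: each entry's hash covers the previous entry's hash, and a checker reports where a chain stops being consistent. It also shows why copies of the latest hash must be held by other parties: a chain rebuilt from scratch is internally consistent and is only caught by comparing its head. The entry layout, SHA-256 and the temperature readings are assumptions and constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64


def link_hash(prev: str, payload: dict) -> str:
    """Hash of this entry's data together with the previous entry's hash."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def append(chain: list, payload: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": link_hash(prev, payload)})


def first_broken_link(chain: list, trusted_head: str):
    """Index of the first bad entry, len(chain) if only the head differs
    from the independently held copy, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != link_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None if prev == trusted_head else len(chain)


def demo() -> dict:
    # Constructed sample: temperature readings from one transport.
    chain = []
    for ts, temp in [(1, 4.1), (2, 4.3), (3, 9.8), (4, 4.2)]:
        append(chain, {"ts": ts, "temp_c": temp})
    head = chain[-1]["hash"]                      # the copy other parties hold

    edited = copy.deepcopy(chain)
    edited[2]["payload"]["temp_c"] = 4.4          # one reading changed in place

    dropped = chain[:2] + chain[3:]               # one reading removed

    rewritten = copy.deepcopy(chain[:2])          # everything after entry 1 rebuilt
    append(rewritten, {"ts": 3, "temp_c": 4.4})
    append(rewritten, {"ts": 4, "temp_c": 4.2})   # consistent, but a different head

    return {
        "intact": first_broken_link(chain, head),
        "edited": first_broken_link(edited, head),
        "dropped": first_broken_link(dropped, head),
        "rewritten": first_broken_link(rewritten, head),
        "truncated": first_broken_link(chain[:3], head),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:10} -> {result}")
```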

Blockchain's strength is in its master replication, how distributed it is. The more people are required to write and verify it, the more the information is correct.

The Future of Blockchain

Matthias predicts in the future blockchain will be used for the area of self-sovereign identity - like passports or insurance cards.

The Benefits of Digital Passports

People will just have an app on their phones for their identity.

This digital passport will have some markers in a distributed ledger system that prove that this is the right thing, and you can transmit it whenever you need to. This will also allow people to choose what data they show to officials at border control. All border control needs to know is whether you have a visa and thus a right to be there. Border control does not need to know where you have been before, and thus the other stuff in your passport would not be visible. This will be useful when you visit 2 enemy countries and you don’t want the other country to know your connection with its enemy, like when Matthias visited both North and South Korea. Matthias ended up having 2 passports. Israel, for example, stamps a piece of paper and not the visa itself in order not to harm your future travel.

Second Factor Authentication

Even in the era of digital passports, MFA will still be needed. Matthias Jugel thinks the safest way is still a long PIN in your head, because there are a lot of technologies that make it possible to use a photo of your fingerprints, so you need to verify it's a living finger. In regards to facial recognition, most phones have introduced a liveness check so they know it's a person and not a picture in front of the camera. All these methods are as secure as they always are - a race between those who try to break them and those who want to improve them.

The Digitization of Germany

The Vaccine Passes proved to the people and the German government that they can trust technology, and hopefully that will be a positive step in the digitization of Germany. Soon there will be a digital health insurance card. Matthias Jugel points out that the national electronic patient record (ePA), which many health care providers are pushing, just shows the progress.

The Vaccine Passes roll out.

On the first day, June 14, 2021, the Association of Pharmacists in Germany announced that 140,000 certificates had been issued by approximately 13,000 pharmacists by around 11 am. That is a huge launch, especially one for which a company had a few weeks to prepare and was unable to postpone the launch date. UBIRCH needed to scale very fast so they could handle the heavy load patterns on their systems, with thousands of pharmacies accessing them at the same time. Matthias spent the first night watching the dashboards, yet thankfully nothing serious happened.

The holdups came from other places, though: there were queues outside pharmacies. This was because COVID-19 protocols limit the number of people indoors, but also because it takes some time to ask people for their details, check the vaccination passes (the yellow ones), enter the data, and print the certificate out. This takes a little longer than it takes for UBIRCH to generate the actual vaccine certificate.

But wait times aside, by the last week in June over 30 million vaccine passports were issued. Looking back, the one thing he would have done differently is sleep and eat more. He finds this is a common problem people face when under such pressure. Yet having more sleep and food will improve their performance.

Tobias Schlottke

CTO @ saas.group

Tobias Schlottke is the founder of alphalist, a community dedicated to CTOs, and the host of the alphalist CTO podcast. Currently serving as the CTO of saas.group, he brings extensive experience in technology leadership. Previously, Tobias was the Founding CTO of OMR, notable for hosting Germany's largest marketing conference. He also founded the adtech lab (acquired by Zalando) and the performance marketing company adyard, which was sold to Ligatus/Gruner + Jahr in 2010.