Affected version:
- Technical Specifications for Digital COVID Certificates, Volume 5: Public Key Certificate Governance, v1.0
Fixed version:
- Technical Specifications for Digital COVID Certificates, Volume 5: Public Key Certificate Governance, v1.1
Description
A potential vulnerability has been discovered in the governance of the public key certificates of DSC (Digital Signing Certificates) in the EU Digital Covid Certificates (EU DCC) system, insofar as the public key certificates of DSCs are re-used between production and testing environments. This vulnerability was due to the then applicable “Guidelines for the Governance of the Public Key Certificates”, adopted in May 2021 by the eHealth Network, whose members are experts representing Member States.
Solution
Immediately after receiving the report (July 20th, 2021), a discussion with the experts of Member States started on how to implement appropriate mitigation measures and eliminate the vulnerability (DCC Community Newsletter of August 11th, 2021). To this end, the first step was to update the “Guidelines for the Governance of the Public Key Certificates” that are managed and adopted by the eHealth Network (Nov 17th, 2021).
As of today, the situation is as follows:
- The updated guidelines have been adopted by the eHealth Network and now prevent the re-use of DSCs’ public keys, as well as of other public keys, between the Production and non-Production environments.
  https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v5_en.pdf
- The onboarding process has been modified accordingly, so no country connected to the EU DCC Gateway would ever be able to use public key certificates already used in TEST or ACC in the Production environment.
- All the re-used public keys have been changed and there are no duplicates between the production and non-production environments.
- Periodic checks for re-used public keys between the environments have been established, and the Operations Team is notified. Improvements in the codebase for preventing the uploading of duplicate public keys are scheduled. We are also introducing additional automatic checks and monitoring processes to reduce the risk of errors.
- All countries connected to the EU DCC Gateway now comply with the new guidelines. No duplicates exist.
Lastly, it is worth highlighting that the only authoritative list of EU DCC public keys in Production is the one securely distributed through the EU DCC Gateway. Hence, any other publicly available list, which might have been published by any third party, must not be considered an authoritative list mirroring the EU DCC trust list.
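A periodic check for public keys re-used between environments could look like the following added example, which is not the EU DCC Gateway's own code. It fingerprints each certificate's SubjectPublicKeyInfo rather than the whole certificate, because a re-used key can sit under a certificate with a different serial number; the labels, dummy keys and the helpers `tlv` and `sample_cert` are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_fingerprint(cert_der):
    """SHA-256 of the certificate's SubjectPublicKeyInfo (the key, not the cert)."""
    _, pos, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:        # optional [0] version
        fields.pop(0)
    if len(fields) < 6:
        raise ValueError("not an X.509 tbsCertificate")
    # remaining order: serial, signature, issuer, validity, subject, SPKI
    _, start, end = fields[5]
    return hashlib.sha256(cert_der[start:end]).hexdigest()

def find_reused_keys(prod, non_prod):
    """Return sorted (prod_label, non_prod_label) pairs that share a public key."""
    seen = {}
    for label, der in non_prod:
        seen.setdefault(spki_fingerprint(der), []).append(label)
    return sorted((p, n) for p, der in prod
                  for n in seen.get(spki_fingerprint(der), []))

# Constructed sample data: structurally valid DER, dummy keys, no real signatures.
def tlv(tag, body):  # minimal DER encoder, enough for bodies under 256 bytes
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body
def sample_cert(serial, key):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

PROD = [("XA-prod-1", sample_cert(1, b"A" * 100)), ("XB-prod-1", sample_cert(2, b"B" * 100))]
ACC = [("XA-acc-7", sample_cert(9, b"A" * 100)), ("XC-acc-1", sample_cert(3, b"C" * 100))]
```

Calling `find_reused_keys(PROD, ACC)` on the constructed lists flags the XA pair, whose certificates differ byte for byte but carry the same key.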
Acknowledgments
The eHealth Network and the European Commission would like to thank the researchers who identified this vulnerability and reported it in a timely manner:
- Jan Kvapil
  Independent security researcher
- Ján Jančár
  Security researcher, Masaryk University
References