No Luxembourger should have a vaccination certificate in the name of Mickey Mouse, or even a recovery certificate after catching Covid. Behind the controversy, technology has not been caught out in Luxembourg. (Photomontage: Christophe Lemaire)

Only identity checks together with certificates of vaccination, negative tests or recovery will prevent problems. The technology behind Luxembourg’s CovidCheck has not been compromised. 

Mickey Mouse, SpongeBob and other fictional characters would not be able to get a Luxembourg certificate of vaccination against Covid. The technology and the safeguard and monitoring procedures put in place by the Ministry of Health, the State Information Technology Centre (CTIE) and Incert are regularly cited as examples at European level.

Ten days after the start of the controversy in Luxembourg, the director of the CTIE, Patrick Houtsch, and the director of Incert, Benoît Poletti, sat down with Delano's sister publication Paperjam to provide some information.

Protection mechanisms

Patrick Houtsch: Today, they are based on cryptography. The authenticity of Covid certificates is checked by using a pair of keys, one private and one public. Each certificate is issued in the name of the Ministry of Health and signed electronically with the private key, as are certificates issued in other countries. The public keys are used to verify the signature of these certificates. The CovidCheck app connects once every 24 hours to the national gateway and downloads the different public keys of the countries that sign these certificates. The app can then verify that a certificate issued in the name of the Ministry of Health or another body in a Member State is valid.

If you wanted to do a forgery, you would have to have the private key, you would have to steal it. And these keys are very well protected. If a private key is compromised, the country would revoke the key, and all certificates signed by that key would no longer be valid.

So far, this protection works very well. In the known cases, in France or Germany, it is people who have legitimate or illegitimate access to an official application that create certificates and abuse this access to issue certificates with false data. They are very difficult to detect. You see 'Mickey Mouse' certificates appearing because someone who has legitimate access to the official application of a member country has taken advantage of that access to create a real certificate in the name of Mickey Mouse.

Benoît Poletti: A lot of news on the internet says that private keys have been hacked and are being reused. This information is wrong. There was a case in a country where they did not have a robust identification system in place against practitioners. A hacker found a way around it. All the certificates of this country, which is not a member of the European Union but which adheres to the DCC concept, were revoked.

At our level, the keys are not exportable from our hardware, because we have configured it that way. This is the same infrastructure that we use to issue passports, identity cards and residence permits in Luxembourg. If these keys were to be corrupted or exportable, we would have much bigger problems.

P.H.: What is essential is to protect access to applications. In Luxembourg, access is protected by strong authentication. On the one hand, there is MyGuichet, through which health professionals authenticate themselves thanks to a Luxtrust certificate. You can't steal someone's password and use their access. Only people authorised by the Ministry of Health have access to this procedure, which the person must carry out in their professional space. It requests the creation of a rapid antigen test certificate. This certificate is generated and then signed by the key mechanism. In addition to strong authentication, we also have activity logs that make it possible to trace people's actions in case of doubt and at the request of the ministry or competent bodies. So we can trace who did what. For vaccinations, the mechanism is the same, via strong authentication, by the application that manages the vaccination. Doctors or those who vaccinate must authenticate themselves via Luxtrust.

Another element: in Luxembourg, we will not see a Mickey Mouse or SpongeBob vaccination certificate, which are created in other countries, because our vaccination application does not allow us to vaccinate a person who does not exist in the national register. Mickey Mouse doesn't exist in Luxembourg, so nobody can vaccinate Mickey Mouse, and there will be no certificate for people who don't exist. This is something that is not in place in other countries, but it is in place in Luxembourg.

B.P.: We generate a vaccination certificate as soon as the person is registered in the National Register of Natural Persons (such as residents or cross-border workers, editor's note). The same applies to recovery certificates. Some countries don't check and you can come with a fake certificate to get a real certificate of recovery. All positive people are registered in the Ministry of Health databases. The information will be cross-referenced.

In the overall view of risk management, there is the Ministry of Health, which does the entry points, the registration and the knowledge of the people who work in the sector and who have the right to issue certificates. This information is consulted by the authentication systems set up by the CTIE, such as Luxtrust, in order to be able to trace the practitioner authorised upstream by the Ministry of Health. CTIE and Incert have monitoring and alert systems that make it possible to identify fraudulent activities in the production of certificates or increases in generation that would be abnormal compared to a standard practitioner. If a practitioner decides to make a Mickey Mouse PCR test certificate on his own, the risk comes from the ethical aspect of people who would like to discredit the system when they are doing something fraudulent. This penalises us unfairly. The system as designed has enough security measures in place at the Department of Health, CTIE and Incert level that the risk is still minimal.

What exactly does the app do?

P.H.: The app does two things: it checks the authenticity of the certificate, that the electronic signature of the certificate is valid and that the certificate has been issued by a health authority. Every 24 hours, the app connects to the national gateway to update the public keys it uses. If the certificate is not signed with a key from a country in the list, the app displays a red screen. The certificate is not valid.

B.P.: The app will synchronise itself every 24 hours. Our national back-up is synchronised every hour. But we have chosen not to force people to synchronise with the national back-end every time they start their app. They can do so if they have a red certificate and find it strange. In proportion to the errors that come back to us, this is really anecdotal. When you go to a restaurant, it's CovidCheck. When you want to go to a bar, it's CovidCheck. When you want to go to the Christmas market, it's CovidCheck. Even sometimes at the workplace, it's CovidCheck.

In view of the thousands of checks that are made every day, there are fewer than ten known certificates based on fraudulent action. In relation to the more than 2.2 million certificates issued, every day we estimate the number of synchronisations at 100,000. 100,000 users who connect at least once a day.

P.H.: The app also checks the validity of the data in the certificate against the business rules. The date of issue, the type of vaccine, etc. The app checks this against the national rules. If a fast antigenic certificate is older than 48 hours, the app says that the certificate is not valid. It checks for consistency with national rules.

B.P.: Luxembourg is commonly cited as a reference by the European Commission in relation to implementation times and the level of reliability of the CovidCheck application. We were the first European country to implement the business rules in mid-July. We have a certain maturity. It is all the more important that we will have two types of business rules: when you travel from one country to another and when you are in a country, because the national rules will still change. For example, if you want to go to Austria, you can travel with a two-dose vaccination certificate, but you won't be able to take the lifts if you don't have three doses. This is going to add another level of complexity. We are thinking about how best to present the rules for Luxembourgers who want to go to Austria to ski, for example.

P.H.: The application has been in constant evolution since its inception. Each time, we adapt very quickly to the new measures validated by the European Commission.

What about false vaccination certificates?

P.H.: For names of people who do not exist, for the vaccine, this cannot exist for certificates issued in Luxembourg.

B.P.: This only happened for PCR certificates, and there were fewer than 10. And not for vaccination certificates, nor for recovery certificates.

P.H.: These cases are handled by the public prosecutor's office.

Can a Luxembourg citizen obtain a false foreign certificate?

P.H.: If the person creating the fraudulent certificates has access to a foreign system, he or she can create them in the name of anyone in that same country.

B.P.: Otherwise, no. Technically, there is still forgery, the imitation of an existing one. If I get your pass, I can make a copy of your QR code and give it to you on a piece of paper and I can go everywhere. This cannot be prevented, because, for the moment, there is no identity verification associated with the health pass.

What about identity checks at the same time?

P.H.: We can't answer that. This is a political decision.

What about invalidating certificates when they are fraudulent?

P.H.: Work is underway to finalise a standard that will be used in Europe, to exchange between countries to identify certificates that are fraudulent and that must be neutralised even though they have a valid electronic signature, typically the Mickey Mouse case. We are waiting for the technical standards to be finalised before implementing them.

And soon the third dose...

P.H.: You go to the vaccination centre or to your GP. When the vaccine is administered, the doctor connects to the vaccination application and enters the third dose. He prints out a certificate of the third dose and gives it to the patient. The new certificate can be downloaded within a minute, in real time. The old certificate is also available.

B.P.: Why do we still have access to the old certificate? Because according to the business rules, you assume that you have the third dose and that you have a certificate that becomes green. In other countries, you have to wait for a waiting period, even if it's the third dose. In France, there will be a waiting period of 15 days. They are in the process of changing these rules. We still invite people who have the third dose to keep the old certificate, for a fortnight, so as not to have any surprises when they travel. There are countries that still have rules that may seem surprising, but that's the way it is. As a general rule, the vaccination certificate is valid for one year until you reach the third dose in the next few months.

On the Mickey Mouse controversy

P.H.: I can understand that people are asking questions. But not that people think that the security systems are not good enough or are hacked. There is always a human factor. If someone with legitimate access abuses it to create false certificates, these things can happen.

B.P.: The human factor has always been a weak point. Sanction procedures must be put in place. It's the same problem with passports. There have always been false passports, and there always will be. Especially since DCCs are used much more. 

This story was first published in French on . It has been translated and edited for Delano.