DOI: 10.1145/3465481.3469212
research-article

A Holistic Approach to Enhanced Security and Privacy in Digital Health Passports

Published: 17 August 2021 Publication History

Abstract

As governments around the world decide to deploy digital health passports as a tool to curb the spread of Covid-19, it becomes increasingly important to consider how these can be constructed with privacy-by-design.
In this paper we discuss the privacy and security issues of common approaches for constructing digital health passports. We then show how to construct, and deploy, secure and private digital health passports, in a simple and efficient manner. We do so by using a protocol for distributed password-based token issuance, secret sharing and by leveraging modern smart phones’ secure hardware.
Our solution requires only a constant number of asymmetric cryptographic operations and a single round of communication between the user and the party verifying the user’s digital health passport, and only two rounds between the user and the server issuing the digital health passport.

Cited By

  • (2023) RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-9. DOI: 10.1145/3600160.3605039. Online publication date: 29-Aug-2023
  • (2022) Block-HPCT: Blockchain Enabled Digital Health Passports and Contact Tracing of Infectious Diseases like COVID-19. Sensors 22:11 (4256). DOI: 10.3390/s22114256. Online publication date: 2-Jun-2022
  • (2022) An Implementation and Evaluation of Blockchain-based Digital Health Passports. 2022 International Conference on Inventive Computation Technologies (ICICT), pp. 476-482. DOI: 10.1109/ICICT54344.2022.9850724. Online publication date: 20-Jul-2022

    Published In

    ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
    August 2021
    1447 pages
    ISBN:9781450390514
    DOI:10.1145/3465481
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Digital Health Passports
    2. Distributed Cryptography
    3. Distributed Signatures
    4. Protocol Deployment

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • European Union Horizon 2020

    Conference

    ARES 2021

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%

    Article Metrics

    • Downloads (Last 12 months): 15
    • Downloads (Last 6 weeks): 2
    Reflects downloads up to 27 Nov 2024