Rajesh’s Fireside Chat with Nikhil Jhingan - Co-Founder, Qryptal
COVID-19 Vaccination Certificates and how countries should improve the trustworthiness of these Certificates - a fireside chat with Nikhil Jhingan, Co-Founder of Qryptal
As the COVID-19 Vaccination Certificates soon become a reality, Rajesh Soundararajan had a conversation with Nikhil on the future path, focussing on best practices for these certificates to serve the end goal of being recognized & verifiable by authorities and third parties for health tracking. Here is the transcript of the interview.
1. Nikhil, it is a pleasure to connect with you today on the Fireside Chat. Today, we will discuss “COVID-19 Vaccination Certificates” and how countries should improve the trustworthiness of the certificates that they issue. Before we proceed, can we have a little bit of background on Qryptal, how you founded it, what was your mission and how you are helping document security across the world?
Thanks, Rajesh. Qryptal is a company that we founded in 2011, focused on document security. So, I have a background in security for a long time. Before Qryptal, I founded a company called Accellion in 1999, which was focused on file transfer security, moving files securely from one user to another, or one process to another.
In 2011, I focused on a different problem of securing the file itself, and it was a very global problem. Thirty years back, you had mainframes. It was okay to write a computer-generated statement, no signature required, but now with access to software, good scanners, printers, people can manufacture authentic-looking documents all the time.
Secondly, we are in a unique state where we are still living with both physical printed and electronic documents, and there is no right answer for securing the document in all forms.
So, we founded Qryptal to solve this everyday problem, which many organisations face, where they suddenly come across their documents that have been tampered or even entirely fake documents have been created which they never generated. This is the problem we have focused on for our customers in all parts of the world. And we are deeply passionate about this problem.
For the first few years of the company, we were mostly in research mode. And then, around 2015, we got our first production customers, and they are still using us today.
2. Absolutely. Tampering is a global phenomenon, and now in today’s #FiresideChat, we will be talking of vaccine certificates. Vaccine certificates or Immunity Certificates are becoming a reality. What challenges do you see in the world today when the certificate is getting issued? And how do you think improving the credentials are critical to ensure the trustworthiness of such certificates?
I think today, the authorities worldwide are grappling with a crucial first part of the problem: which vaccine itself. On vaccine production, how to get it to the citizens to protect them and roll out the program on a scale.
But once that is done, we will be dealing with the second level where what does this vaccine do apart from protecting? It enables people to move. It facilitates commerce. For that to happen, governments will have to issue certificates, so that when a citizen goes from one city to another or goes from country to another country, the destination authorities should be able to validate easily.
This is similar to the problem many years back when yellow fever was rampant, and when you visited parts of the world, which had yellow fever, you needed to be vaccinated before you could go. And the United Nations came up with a very common format, a yellow booklet, which literally - because of yellow fever, I think they call it the yellow booklet. You go to a clinic to get the vaccine for yellow fever, after that, they will put your name, identification and vaccination date and give it to you. So, say about 40-50 years ago, it was okay. Today, if you go online, you can find, and you can order these yellow fever books. You can fool authorities in all parts of the world. So, we should not repeat the same mistakes now.
So, what we are interested in, and so are many others in Government who believe that we must do better for our citizens and the world. The implications of people without vaccination travelling with fake certificates are very severe. We will be back to square one and will be starting a pandemic 2.0.
To prevent that, it is imperative to have a simple, foolproof, and easy method to validate that this individual did indeed get the vaccine and you can trust this document that they are presenting. So, this is the crux of the problem. And of course, many governments are approaching it differently. So, I think that is the problem that we want to talk about today.
3. Yes, absolutely. Yellow fever, booklet it seems so ancient today. How do you think technology can fix this problem? And because you are working in QR codes, do you foresee secure QR codes or security codes or something similar to play a significant role in this process?
Yes. I think the adoption of QR codes has improved, but obviously, a problem can be solved in many ways, and there is no right and wrong. Let us go back to the basics.
Most governments will have a centralised database of citizens who have been vaccinated. It is not only for tracking, but it is also because typically most of these vaccines are two doses and you have to track who has taken one and when are they eligible to get the second one. So, let’s assume that you are a country which has this centralised database and you’re tracking all the citizens. Next, typically they’ll give you a piece of paper, because the vaccination, particularly in large countries will be very distributed. You need to be able to provide something on the spot to the person you have got this vaccine at this time.
But that piece of paper is not like a certificate; it is just like a chit or a tracking receipt. But later, when you want to get a vaccine certificate, our recommendation to most countries is to use a centralised database and let their citizens login through the National ID programs. So, when they login to request for a certificate at that time, they can query your centralised database to check whether you have indeed received the vaccination.
And yes, you can get them to download a PDF, which will show the detail, something like this. I have a sample here. So, it is just a sample.
Sample Vaccination Certificate with Secure QR Code
The real certificate would possibly have the country’s national emblem, or Ministry of Health logo or the authority, issuing the certificate, with the certificate’s precise details. And this could be given to the citizen as an electronic copy PDF, which they can store on their phone or print it out.
It is vital not to have a pure electronic credential because, in the real world, we have got people of varied technical abilities, who will need these certificates while travelling. So, they must be able to print it, and not be dependent on a smartphone or an app to carry the certificate. Our recommendation is to give them an electronic PDF, which they can print or keep electronically. And now the problem is when that person presents that certificate to an airline at the check-in counter, online check-in, or destination country - how do the authorities there verify it? And that is where secure technologies like Qryptal come in, where we provide the ability to create a secure and tamper-proof QR code with all this data, and yet be easily verifiable by third parties.
We print it (secure QR code) on the certificate as seen. Inside this QR code, it (data) is digitally signed cryptographically, and anyone needs to visit the domain, which can be verified.country.gov, whatever the country domain is. And when the person goes there, they can install the app, or they can upload a copy of the PDF or take a photo of the certificate, or even use the phone camera or the laptop camera to validate without installing an app. So, for such ad hoc verification, you now must think of scale. You will have hundreds of millions of people having these certificates, travelling. It might become a regular part of the online check-in process. How would you validate at scale? Qryptal’s technology enables decentralised validation with a public key. Our recommendation to our customers is to issue your public key, and you upload a copy of a certificate. And then the airlines or immigration authorities in other countries can immediately verify if you can enter that country.
They can programmatically do that with an API or an SDK to validate this QR code without even network connectivity; it works offline. And they can instantly validate, it works flawlessly, and they can trust that the other country’s Ministry of Health or the Government has issued the certificate. They can verify the name, passport number and all such details. And once they are satisfied in their database, they can allow that person to enter and automate the entire process.
This is where I think this is an appropriate solution because it enables the person at the airline desk or a security officer at an airport to use an app to scan and validate. That is one, but it also allows automated validation when people upload millions of these certificates every day when they do online check-in or get online permission to enter the country.
It is suitable for privacy because no data is stored outside the country; it is all inside this QR code. Many countries have healthcare compliance requirements that the citizens’ healthcare data cannot be stored outside the country’s borders. It is a total non-issue with secure QR Code since all the data is inside the QR code and you do not have to worry about that.
4. This sounds exciting. And since we are talking of QR codes, what if tampering of these certificates happens? What is your recommendation on the good practices a country should adopt when talking of these Immunity Certificates or COVID Vaccination Certificates?
I think many smart people are solving this problem. Our role is only on the validation part, but just to put it in like a checklist format, one - have a centralised database, track, nothing to do with the certificate. Obviously, each country would be doing that. I think it’s kind of like a given.
Second, there would be a centralised location where people can log in and download these certificates.
And thirdly, they must make sure these certificates can be validated offline.
Fourthly, they may try to do a digital signing. I think that the only right way is to have a PKI infrastructure where the public keys can be distributed, and other people or third parties can validate.
There is a best practice, and we recommend using the HSM - Hardware Security Module - to store the private key, and Qryptal software works with HSM, where the digital signing happens on the HSM. So, there’s an entire chain of non-repudiation where the signing happens in a sealed containerised environment. And then anyone in the world can validate with just the public key and the QR code.
It is effortless, very few moving parts and it scales well, no network dependencies. So, when you have millions of people every day being validated, there are no bottlenecks in this, and everything is in the control of the issuing organisation.
5. Much as the concept looks simple and possibly sophisticated, how is this in terms of security? Compared to the standard QR code, how is secure QR code different?
You must think of a normal QR code like a file. There is no security, just like you can write ABCD, you can write it in QR code if you want it to look like a QR code.
So, for security, you have to see what you put inside the QR code, in what form. At Qryptal, we compress the information highly so that you can have a small QR code, we’ve digitally signed it and sealed it inside, and we encode it so that you end up with a small secure QR code.
A standard QR code that you find typically has a URL inside, even for validation, which is not suitable for security. We have all heard of phishing - do not click on links inside emails, always be careful where you are connecting, which server you are connecting to and so on. If you put a URL inside the QR code, you’re opening up your QR code for ‘QR phishing manipulation’, where people will take your certificate, replace the QR code and put their own QR code and will point to their own server. And when someone visits that server, they are hardly looking at what is the exact hostname. There might be some spelling changes or something. Your logo will be there and everything. And not only can they mislead the people and make false look authentic, but they can even go beyond that. They can ask people to share sensitive, personal details before they can validate. And they can not only fool by getting their tampered certificates validated but collect information as well.
None of this is good for security, and that is why we recommend that your QR code never has a URL inside if you value security in that use case.
6. If I extend that further, what you are essentially saying is that the QR code is secured at the place of generation of the certificate. The second point is that irrespective of how the medium exists digital or physical; it can be verified by a third party, an immigration officer, health officer or airline official who is not connected into the network. So, a third party can verify this using a web or a mobile app. Have I summarised that?
Right. So, I think, again, we have to understand that today’s world is very fluid. So, let’s take the example of a passport. A passport typically, the e-passports today have a chip inside, requiring special hardware to validate. So, what happens is that when you use that passport to open a bank account, they cannot validate whether for example it’s a German passport or not, but immigration departments from all over the world can validate because they have a chip reader. But then you have the validation happening at only select points in this case.
We can do a lot better with this digitally signed secured QR code because we can empower anyone who comes across that document to validate with just the issuing organisation’s public key. The only requirement is just a smartphone, which nearly everyone in the world has.
It works in developed countries, developing countries, even under-developed countries. It will work everywhere. It works without network connectivity because it just works with a public key. It is a very democratic technology in the sense that everyone can use it and it is a much lower cost than hardware-based solutions, which are much more expensive, not only for document generation but also for validation.
7. Nikhil, I think this is a fantastic insight, and hopefully, the audience listening to you take cognisance of how secure QR helps improve the overall efficiency and trustworthiness of the vaccine certificates. Is there any specific audience that you think should start looking at this seriously?
I think it is two audiences.
One is the National Health authorities which need to issue these certificates, and to them, my message is - this works. This is very simple. We have had customers getting the POC done within a day. So, it is not that kind of technology, which will take months and you’ll have an army of consultants, just one or two developers can get the POC working within a day. And then after that, you can deploy it, which of course is a more detailed discussion. But we are talking about weeks here, not even months.
And the other audience is the people in the travel business; authorities, the airlines, the immigration departments of the different countries who will be the consumers of this information and who need to validate.
So, our primary message is to the issuers, which are the health authorities, and the secondary message is to all the people who will benefit from it. And it is a straightforward, better way, and we do not have to suffer from, “Oh, we got a fake or tampered vaccination certificate. And now another city is under lockdown because infections have spread.”
8. So, just how the whole vaccination development has speeded up, you’re now saying that we have made the certificate generation and implementation speeded up in less than 24 hours? That organisations can implement this solution is one part, on the other side, this seems to give immense flexibility and efficiency in terms of the rollout. Any other message, otherwise, we can close this discussion.
I think we have covered it enough and it is a simple thing. It is a neat technology but packaged in a remarkably simple way to consume for everyone. And there is nothing more to it than what I just said. It is simple to do, simple to implement, simple to use, and we have customers who have cut down on fraud with this. It just works.
9. It just works. That summarises it adequately. Thank you once again, Nikhil, it was a great discussion with you, and I hope together, we all contribute our little bit as humanity to get over this health crisis that we have worldwide. Thank you very much. It was wonderful talking to you.
Thanks, Rajesh, and we look forward to doing our bit.