COVIDSafe analysis part 2: rotation, reliability & why the 120 characters?

An overview of cryptography

  1. Post Code
  2. Age
  3. Name (or alias)
  4. Phone Number
  5. Device ID (Maybe)
Credit: UNSW Canberra

Risk 1: Key management

  1. If key material is held server side and never disclosed to the end user, is there a universal AES256 key or a per-device/user AES256 key, does it rotate, and what operational difficulty does this present? If a master key is in use and that key is disclosed, will this disclose all records, especially those from Bluetooth devices doing open collection right now?
  2. If the private key is stored with the client and only disclosed when required, does this practically assist likely infected people who have not disclosed their client key (making this scenario unlikely)?
  3. Will it be possible to disclose the key if it's stored on the phone? (Too late tonight, and I need sleep this evening.)
  4. What is the structure of the msg value? Does it include a name and phone number that could be disclosed should the above scenario be realised, and is it possible to create a malicious MSG value based on a request to the server (unlikely)?
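The master-key question in Risk 1 can be made concrete. This added example (mine, not code from the original article or from the COVIDSafe project) models the contact log as AES-256-GCM records under per-device, per-epoch keys derived from a master with an assumed HMAC-based KDF, and counts how many records a leaked master versus a single leaked device key unlocks.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveKey is an assumed KDF (HMAC-SHA256 keyed with the master over a "device|epoch" label).
func deriveKey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes: an AES-256 key
}

// seal returns nonce || AES-256-GCM ciphertext of msg under a 32-byte key.
func seal(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, msg, nil)
}

// open reverses seal; the GCM tag check makes it fail under any other key.
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

// sampleLog is a constructed contact log: one sealed entry per "device|epoch" label.
func sampleLog(master []byte, labels []string) map[string][]byte {
	log := map[string][]byte{}
	for _, l := range labels {
		log[l] = seal(deriveKey(master, l), []byte("contact "+l))
	}
	return log
}

// exposure counts entries that decrypt with what a leak hands over: keyFor either
// re-derives every entry's key from a leaked master or returns one leaked device key.
func exposure(keyFor func(label string) []byte, log map[string][]byte) (n int) {
	for label, ct := range log {
		if _, err := open(keyFor(label), ct); err == nil {
			n++
		}
	}
	return n
}
```

With a leaked master every record opens; with one leaked per-device/epoch key only that record does, which is the blast-radius difference the question is asking about.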

Risk 2: Deriving the private key from known plaintext or at least mapping out some content

  1. The algorithm, the key and the plaintext
  2. The algorithm, the key and the cipher

Side note: an observation of reliability

Still looks like there are no real major issues.


Mercury Information Security Services are a leading provider of information security services, advice and consulting.
