Gateways

As the feature overview of apps, devices and protocols demonstrates, a variety of technologies are in use for COVID-related solutions in various European countries. To enable these countries to exchange relevant information from these solutions, gateways have been developed that distribute this data between national backends. This page summarizes the following gateways and points to their subpages:

The European Federation Gateway Service (EFGS) for exchange of diagnosis keys (detailed page here)
The EU Digital COVID Certificate Gateway (DGCG) for exchange of vaccination certificates (detailed page here)

European Federation Gateway Service

The European Federation Gateway Service is a pan-European solution to allow national backends of contact (or proximity) tracing apps to upload keys of newly infected people and download diagnosis keys from the backends of other participating countries. The EFGS was initiated and designed by Deutsche Telekom (T-Systems) and other contributors and has been made available under an Apache 2.0 open source license.

The implementation of the EFGS draws on and adds to the document 'European Proximity Tracing An Interoperability Architecture' and the document 'European Interoperability Certificate Governance' of the eHealth Network, a voluntary network of European national authorities on digital health.

The current repository offers details on the dataflow from and to national backends, (third-party) dependencies and requirements to build the system and backend technology expected to be in use.

Security assessment

A design and source code evaluation of the EFGS, carried out between October 1, 2020 and October 19, 2020, found 1 low-severity issue and 9 observations. For more detail and the public report, see the security assessments.

Digital Green Certificate Gateway

The Digital Green Certificate Gateway is designed to exchange different kinds of information to support the validation of the vaccination status, test result, or recovery status of people across European countries. For this purpose an EU Trust Framework was designed that introduces a standardized signed data structure, represented as a 2D code (QR). To validate this data structure in each country, cryptographic public keys are distributed using the DGCG, which acts as a trust anchor. The architecture of the DGCG is inspired by the design of the EFGS. The DGCG was initiated and designed by Deutsche Telekom (T-Systems) and other contributors and has been made available under an Apache 2.0 open source license.

The framework and structure of the DGCG is described in the document 'Interoperability of health certificates Trust framework' and the high-level architecture is described in the document 'European Digital Green Certificate Gateway'.

The current repository offers details on the dataflow from and to national backends, (third-party) dependencies and requirements to build the system and backend technology expected to be in use. For more detail and the public report see the security assessments.

Security assessment

A source code audit of the DGCG and a penetration test of the Digital Covid Certificate Gateway in its acceptance environment were carried out between June 1, 2021 and June 30, 2021. They found 1 high-severity, 3 low-severity, 1 elevated-severity and 1 moderate-severity issue. Exploiting the high-severity issue would, among other things, enable an attacker to re-upload certificates in the name of another member state and to impersonate other member states. This vulnerability very likely also affects other similar gateways, such as the European Federation Gateway Service.

Created by Joost Agterhoek on 2021/08/10 09:57
    
