QR Code as an Authentic Aarogya Setu Pass

Rahul Goyal
Published in AarogyaSetu
Jun 13, 2020

Many employers, service providers, RWAs and malls have made Aarogya Setu mandatory for entry or for providing service. People open the app and show its home page, which indicates the user's current status. But there are a couple of shortcomings in this process:

  1. The home screen doesn’t mention the name of the person, so the person checking it has no way to find out the name or number of the person who is logged in.
  2. It is difficult to tell whether the person is using the original app or a fake one. People can create a similar-looking screen and show that instead of the original Aarogya Setu app.

Let us find out how Aarogya Setu QR code solves the above problems.

QR Code Flow

  • Every user has an option to generate a QR code in the Aarogya Setu app.
  • The user can show the QR code or a screenshot of it (yes, it is possible) to gain entry/access.
  • The Scan QR Code option is available to all users in their app.
  • When this QR code is scanned by another user, it displays the name, registered mobile number and status on the screen. The message is colour-coded as per the risk level of the individual.
  • A QR code older than 45 minutes shows an “Expired QR Code” message when scanned.
  • Users have an option to refresh the QR code at any point of time.
  • A QR code which is modified or not generated by Aarogya Setu shows an “Invalid QR Code” message when scanned.

Various Colours of Aarogya Setu

As of today, there are five possible valid status messages that can be displayed on the screen of the person who is scanning the QR Code.

Messages are very simple and self-explanatory. To understand them in more detail, please refer to the article below:

Multi-lingual

Messages are available in all 12 languages and are displayed in the language of the person who is scanning the QR Code and not of the person whose QR Code it is.

Where can you find your QR Code?

Look for the hamburger menu (top left corner) on the home screen. The first option in the menu is “Generate/Scan QR Code”. In case you don’t see the hamburger menu, it’s time to upgrade the app from the play / app store.

How does it work and why it can’t be faked?

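We use JSON Web Tokens (JWT) for securely transmitting the information. This information can be verified and trusted because it is digitally signed using a public/private key pair.

# RS256 signs qr_data with the private key; the token is signed, not encrypted, so its payload is readable by anyone who holds it
encrypted_data = jwt.encode(qr_data, private_key, algorithm='RS256').decode()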

HEADER: ALGORITHM & TOKEN TYPE

{
  "typ": "JWT",
  "alg": "RS256"
}

PAYLOAD: DATA

{
  "exp": 1592067451,
  "name": "Rahul Goyal",
  "mobile_no": "+919XXXXXXXXX",
  "status_code": 303,
  "color_code": "#3AA84C",
  "message": "Rahul Goyal (+919XXXXXXXXX) is safe"
}
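
The checks a scanner performs to arrive at “Valid”, “Expired QR Code” or “Invalid QR Code”, as an added example that is not Aarogya Setu's code. It hand-writes RS256 (RSASSA-PKCS1-v1_5 with SHA-256) using only the Python standard library so each check is visible, where a real scanner would use a JWT library with the published public key. Assumptions: the key is a constructed, insecure demo key, the function names are hypothetical, and the sample claims are constructed.

```python
import base64, hashlib, json, time

# Constructed demo key, NOT Aarogya Setu's: two well-known Mersenne primes, so insecure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # the scanner needs only (N, E)
K = (N.bit_length() + 7) // 8                  # modulus length in bytes
SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(header.payload), K bytes long."""
    tail = SHA256_DER + hashlib.sha256(signing_input.encode()).digest()
    return b"\x00\x01" + b"\xff" * (K - len(tail) - 3) + b"\x00" + tail

def sign_qr(claims):
    """Issuer side (hypothetical helper): stands in for the page's jwt.encode call."""
    head = b64e(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = pow(int.from_bytes(encoded_message(f"{head}.{body}"), "big"), D, N)
    return f"{head}.{body}.{b64e(sig.to_bytes(K, 'big'))}"

def scan_qr(token, now=None):
    """Scanner side: returns (verdict, claims); claims are None unless verified."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "RS256":   # pin the algorithm
            return "Invalid QR Code", None
        raw = b64d(sig)
        s = int.from_bytes(raw, "big")
        if len(raw) != K or s >= N:                         # malformed signature
            return "Invalid QR Code", None
        if pow(s, E, N).to_bytes(K, "big") != encoded_message(f"{head}.{body}"):
            return "Invalid QR Code", None                  # modified or foreign token
        claims = json.loads(b64d(body))                     # trusted only after the check
        if claims["exp"] <= (time.time() if now is None else now):
            return "Expired QR Code", None
    except (ValueError, AttributeError, KeyError, TypeError):
        return "Invalid QR Code", None
    return "Valid", claims

# Constructed sample pass, valid for 45 minutes from a fixed issue time.
ISSUED = 1592064751
SAMPLE = sign_qr({"exp": ISSUED + 45 * 60, "name": "Test User", "status_code": 303})
```

Because the token is signed rather than encrypted, `b64d(SAMPLE.split(".")[1])` returns the claims to anyone holding the QR code or a screenshot of it, with no key needed.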

What happens when the expired QR Code is scanned?

How to Refresh the QR Code?

Click on “Refresh” button on top right corner of the screen at any point of time to refresh the QR Code.

What happens if someone tries to modify the QR Code?

How can you build your own app which can scan Aarogya Setu QR Code?

We have uploaded a demo app on GitHub for you to get started:

Use the below Public Key to verify the signature of the JWT:
