Venue Registration

Professional Venue Owners can register their venue with the luca system via a web application. The venue can then be managed via a web interface in order to set up individual Operator Apps and Scanner Frontends and to configure other venue-specific parameters (for example auto checkout behavior).

Overview

Preconditions

  • the venue is not registered

Postconditions

Secrets

The following secrets are involved in this process:

Secret: venue keypair

Use / Purpose: Encrypt the contact data reference of Guests during check-in and decrypt it during Tracing the Check-In History of an Infected Guest.

Location: Both the public and private key are stored locally by the Venue Owner Frontend. The public key is shared with Scanner Frontends when they are set up. The private key is shared with Operator Apps in certain roles.

Process

To initiate the process, the Venue Owner registers with their email address and a password. They enter further information, such as the name of the venue and their contact information, in the Venue Owner Frontend (see Venue Information for the complete list of the data collected).

Subsequently, the Venue Owner Frontend generates the venue keypair. Both the public and private key are stored locally [1]. The keypair’s public key is used to set up new Scanner Frontends, which utilize it to encrypt Guests’ contact data reference during Check-In via Scanner or Operator App. The keypair’s private key is needed by the Venue Owner Frontend in order to lift this encryption when assisting a Health Department in the process of Tracing the Check-In History of an Infected Guest.

Operator App Registration

Optionally, the Venue Owner can use the Venue Owner Frontend to register one or more Operator Apps for themselves or their employees.

Roles

An Operator App can be registered with one of three roles: Employee, Supervisor or Administrator. These roles have the following capabilities:

Employee

Supervisor

  • can scan QR codes presented by the Guest App to check-in Guests

  • can view the number of Guests seated at each table

  • can check-out Guests by table

Administrators

Provisioning

In order to perform their scanning tasks, Operator Apps of any role are provisioned with the public key of the venue keypair. Additionally, apps in the Supervisor or Administrator role need to be provisioned with the keypair’s private key. The keys are transferred to the App during registration via a QR code displayed in the Venue Owner Frontend and scanned by the Operator App. To mitigate the risk of compromising the key material, for example by taking a photo of the displayed QR code, the private key is protected by a six-digit PIN [2]. The PIN is displayed in the Venue Owner Frontend and manually typed into the Operator App.

In addition to the key material, the Operator App is provisioned with a session token which is required for the App to perform certain requests, including fetching the symmetric secret to decrypt the private key [1]. Venue Owners can delete registered Operator Apps and revoke session tokens at any time in the Venue Owner Frontend.

Security Considerations

Authenticity of the Venue Keypair’s Public Key

As the Venue Owner holds no certificate with which they could sign the public key of the venue keypair, there is no secure way to validate its authenticity when it is used in the check-in process. This affects both the Check-In via Scanner or Operator App and the Check-In via a Printed QR Code.

It is therefore important that the public key is transmitted to the Scanner Frontend on a secure out-of-band channel (specifically, not the Luca Server).

Prospectively, this will be implemented by attaching the venue keypair’s public key to the fragment component of the link to the Scanner Frontend, which is created in the Venue Owner Frontend. For printed QR codes for self Check-In the public key will be part of the QR code.

Note that this only affects the outer layer of the contact data reference’s encryption. It is still encrypted with the daily keypair and thus only accessible for the Health Department.

Sensitivity of the Venue Keypair

The venue keypair’s private key must not be lost or made accessible to third parties. Hence, organizational measures are taken to specifically inform the Venue Owner that special care must be taken when dealing with this key.


[1]

The locally stored private key is encrypted using a symmetric secret that authenticated Venue Owners retrieve from the Luca Server. This mitigates the risk of leaking the key, as the Venue Owner’s authentication credentials are required to use it.

[2]

A symmetric secret is derived from the PIN using scrypt and a random 32-byte salt. The private key is encrypted with the derived secret using AES-128-GCM and a random 12-byte initialization vector.
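
The PIN protection described in this footnote, sketched with Node's built-in crypto module. This is an added example, not luca's own code: the scrypt cost parameters, the payload field names and the function names are assumptions, and the page specifies only scrypt with a 32-byte salt and AES-128-GCM with a 12-byte IV.

```javascript
// Added example, not luca's code: PIN-wrapping of the venue private key.
const crypto = require('crypto');

// Assumed cost parameters; the page names scrypt but not its settings.
const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };

function deriveKey(pin, salt) {
  if (!/^\d{6}$/.test(pin)) throw new Error('PIN must be six digits');
  return crypto.scryptSync(pin, salt, 16, SCRYPT_PARAMS); // 16 bytes: AES-128 key
}

// Venue Owner Frontend side: the returned object is what the QR code carries.
// The PIN is never part of it; it is shown separately and typed in by hand.
function wrapPrivateKey(privateKey, pin) {
  const salt = crypto.randomBytes(32); // fresh per provisioning
  const iv = crypto.randomBytes(12);   // fresh per encryption
  const cipher = crypto.createCipheriv('aes-128-gcm', deriveKey(pin, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()),
           ciphertext: b64(ciphertext) };
}

// Operator App side: returns the key, or null if the PIN is wrong or the
// scanned payload was altered (GCM authentication fails in both cases).
function unwrapPrivateKey(payload, pin) {
  const bytes = (field) => Buffer.from(payload[field], 'base64');
  const decipher = crypto.createDecipheriv(
    'aes-128-gcm', deriveKey(pin, bytes('salt')), bytes('iv'),
    { authTagLength: 16 }); // refuse truncated tags
  decipher.setAuthTag(bytes('tag'));
  try {
    return Buffer.concat([decipher.update(bytes('ciphertext')), decipher.final()]);
  } catch {
    return null;
  }
}

function demo() {
  const venueKey = crypto.randomBytes(32); // constructed stand-in private key
  const payload = wrapPrivateKey(venueKey, '493817'); // constructed PIN
  return {
    roundTrip: unwrapPrivateKey(payload, '493817').equals(venueKey),
    wrongPin: unwrapPrivateKey(payload, '493818'),
  };
}
```

A wrong PIN is rejected by the GCM tag check rather than yielding garbage key bytes, so the Operator App can prompt the user to re-enter it.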