On Aug 10, the then deputy health minister Datuk Dr Noor Azmi Ghazali announced that enforcement officers from his ministry and other government agencies would take stern action against anyone who tries to forge the digital Covid-19 vaccination certificate in the MySejahtera app.
It has been reported that anti-vaxxers are willing to fork out at least RM1,000 to obtain forged vaccination certificates in an effort to enjoy the “freedom” given to those who are fully vaccinated (“The threat of fake vaccine certs”, The Star, Aug 25).
Bukit Aman CID director Comm Datuk Seri Abd Jalil Hassan has warned the public that forging the vaccination certificate is a serious offence (“Forging digital cert is a serious offence, says Bukit Aman”, The Star, Aug 25).
The Star also reported that there is a verification app that can be used to scan a QR code in the MySejahtera vaccination certificate. However, this app does not prevent people from stealing, duplicating or misusing the vaccination details.
It is well known that the validity/authenticity of a digital document can be determined by using a cryptographic element known as a digital signature.
Contrary to the public understanding that a digital signature is the digital image of a person's signature, a digital signature actually has its technological foundation in mathematical cryptography that is implemented in a digital app using a programming language chosen by the developer.
A developer can refer to the National Trusted Cryptographic Algorithm List (MySEAL) developed by CyberSecurity Malaysia (CSM) and other local cryptographic experts from 2016 to 2020 for suitable cryptographic digital signature algorithms.
A digital signature is an electronic signature that enables one to verify the identity of a sender/signatory of a message. It is used to ensure the transmitted information is correct and legitimate within an electronic transaction.
The digital signature enables a recipient to confirm the integrity and authenticity of a message without hesitation. At the same time, the digital signature disallows repudiation by the sender of a message.
The enforcement of digital signatures in Malaysia is governed by the Digital Signature Act 1997 (DSA1997). The Act, which is enforced by the Malaysian Communications and Multimedia Commission (MCMC), has provisions to regulate the use of digital signatures and related matters. Digital signatures are supplied through a digital certificate provided by the Certificate Authorities mandated by the Act.
Without the cryptographic digital signatures, a digital app provider cannot reliably determine the authenticity of a digital information transaction.
Furthermore, DSA1997 only mandates the cryptographic digital signature process as a mechanism with legal provisions in terms of ensuring the integrity and authenticity of a digital information transaction.
Thus, to ensure the authenticity of the MySejahtera Covid-19 vaccination certificate, the administrator of this application must review its development framework in terms of its compliance with DSA1997.
Only by incorporating a cryptographic digital signature mechanism into the MySejahtera app can the parties concerned confidently verify the authenticity of the digital Covid-19 vaccination certificates.
PROF DR MUHAMMAD REZAL KAMEL ARIFFIN, Director, Institute for Mathematical Research, UPM; President, Malaysian Society for Cryptology Research
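The integrity and authenticity checks described in the letter, as an added example that is not part of the letter and is not MySejahtera code: an issuer signs a certificate payload, and a verifier rejects both an edited certificate and a genuine one presented by a different holder. The payload fields, the function names and the choice of Ed25519 are assumptions made for illustration; the letter names no specific algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// VaccineCert is a constructed payload, not the MySejahtera format.
type VaccineCert struct {
	Name     string `json:"name"`
	IDNumber string `json:"id_number"`
	Doses    int    `json:"doses"`
}

// NewIssuerKey creates the issuer's key pair (nil selects crypto/rand).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil)
}

// Issue serialises the certificate and signs the exact bytes.
func Issue(priv ed25519.PrivateKey, c VaccineCert) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify checks the issuer's signature, then that the signed ID matches the ID presented.
func Verify(pub ed25519.PublicKey, payload, sig []byte, presentedID string) error {
	if !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature invalid: altered or not from issuer")
	}
	var c VaccineCert
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.IDNumber != presentedID {
		return fmt.Errorf("certificate belongs to a different holder")
	}
	return nil
}

func main() {
	pub, priv, _ := NewIssuerKey()
	payload, sig, _ := Issue(priv, VaccineCert{Name: "Constructed Holder", IDNumber: "ID-0001", Doses: 2})
	fmt.Println("genuine:", Verify(pub, payload, sig, "ID-0001"))
	fmt.Println("edited: ", Verify(pub, append([]byte("x"), payload...), sig, "ID-0001"))
	fmt.Println("copied: ", Verify(pub, payload, sig, "ID-0002"))
}
```

The signature alone only proves the issuer produced those bytes; comparing the signed ID with the holder's identity document is what stops a duplicated certificate from passing.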
