epidose
Add Health Authority interface for communicating contacts of infected users
- [ ] The back-end supplies to the health-authority device a one-off upload authorization code
- [ ] The health-authority device engages the upload authorization switch and supplies via a special beacon packet the one-off upload key to the device
- [ ] The device's beacon receiver process checks for health-authority beacon packets and the authorization switch to upload (immediately, or at a later point when the test results are in) possibly-infected contacts
- [ ] The back-end verifies the key, uploads the required data, and deletes the key
Threat model and countermeasures
- Government tries to obtain contacts from healthy individuals: unable to do without access to the physical interlock
- Alice's boyfriend Bob, who is jealous of her, accesses the physical interlock to upload her contacts so that Duncan, who works at a health authority, can look at them: unable to do due to lack of a health authority beacon.
TODO: How can the health authority beacons be protected?
See also the DP-3T proposals
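
The flow in the checklist and the two threat-model cases can be sketched as follows. This is an added example, not part of the original issue and not epidose code: the `Backend` and `Device` classes, their methods and the dict-shaped beacon packet are all hypothetical, and beacon authentication (the open TODO above) is not modelled.

```python
import hashlib
import secrets


class Backend:
    """Hypothetical back-end: issues, verifies and deletes one-off upload codes."""

    def __init__(self):
        self._pending = set()   # SHA-256 digests of codes not yet redeemed
        self.uploads = []       # contact data accepted so far

    def issue_code(self) -> bytes:
        code = secrets.token_bytes(16)
        # Store only a digest so a leaked table does not reveal usable codes.
        self._pending.add(hashlib.sha256(code).digest())
        return code             # handed to the health-authority device

    def upload(self, code: bytes, contacts: list) -> bool:
        digest = hashlib.sha256(code).digest()
        if digest not in self._pending:
            return False        # unknown or already-used code
        self._pending.discard(digest)   # delete the key: single use only
        self.uploads.append(list(contacts))
        return True


class Device:
    """Hypothetical user device with a physical upload-authorization switch."""

    def __init__(self, backend: Backend, contacts: list):
        self.backend = backend
        self.contacts = contacts
        self.switch_engaged = False     # state of the physical interlock

    def on_beacon(self, packet: dict) -> bool:
        # Upload only if BOTH conditions hold: the packet is a
        # health-authority beacon AND the interlock is engaged.
        if packet.get("type") != "health_authority" or not self.switch_engaged:
            return False
        return self.backend.upload(packet["code"], self.contacts)
```

The switch-only and beacon-only paths both return `False`, which corresponds to the two threat-model entries; a replayed beacon fails because the back-end deletes the code on first use.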