Device generates special code for web authentication - security

My teachers use a small device; with a press on its only button, the device shows a code of numbers.
When they want to change my grades they log in to the school system using this code.
NO I DO NOT WANT TO HACK IT ;)
I'd like to know how this sort of code is generated and afterwards how it is authenticated?

Sounds like the device is used for two factor authentication.
RSA makes one type of these devices. Here is a link to more information on it: RSA SecurID

@Mart Haarman, the SecurID is not based on time. It used a 128-bit RSA algorithm, has a seed value which is a randomly generated number embedded in the device and mapped to the device serial number.

Related

What properties can be added to a QR code to make it copy proof?

If we want to provide more security to the consumer for authenticating their product by using QR code scans, what techniques can we use for making that QR code copy proof and non-duplicate?
You need to consider the digital image of the QR Code before printing. You can add a secure graphic or copy detection pattern (see https://en.wikipedia.org/wiki/Secure_graphic) into the QR Code (pay attention to the error-correction level of the QR Code versus the space you use). Once printed, the secure graphic will irreversibly lose information, and if someone tries to make a copy of it, there will be an additional information loss. As the secure graphic will have a lower amount of information in the copy than in an original print, you can use that to discriminate originals from counterfeits. An app is needed to analyse the image of the secure graphic in real-time when you scan the QR Code. See an example of how this is done with Scantrust, and there is a developer portal to support you in integrating it in your app.
Note that there are other techniques based on digital watermarking, but they are easier to hack given that digital watermarks need to respect an imperceptibility constraint and the usable signal is much weaker.
Short answer: Think of a QR code as a compressed block of plain text. You can sign it for purposes of authenticity and non-repudiation, or encrypt it for secrecy, but you can't magically stop it from being copied and reproduced as a whole.
Longer answer:
I think what you are asking is whether it is possible to add some kind of identification or signature to a QR-code? If so, then the answer is yes - you can put pretty much whatever you like in there, so long as you keep it within the storage limits for the input mode you are using (wikipedia).
This means you could for instance add a digital signature to it, if you wanted to.
Example:
Say you wanted to encode the text "Public Message" into a QR-code, and leave it for someone to read. To prove that the message is really from you, you could use PKI and sign it with your secret key - that is, append an encrypted version of "Public Message" to the text. Decryption of that last part will then only be possible using your public key, and doing so will prove that it was encrypted using your private key, which indicates that the message must have come from you (or someone with access to your private key).
Now if someone tried to copy your QR code, and change its message to the slightly more kinky "Public Massage" instead, a recipient could check the attached signature and see that there is a mismatch, and so conclude that the code is invalid (i.e. has been manipulated).
If a message has a valid signature, this will prove that you are the author, and that the message has not been manipulated. You still won't be able to stop anyone from copying the code and reproducing it as a whole though.
Alternative: Encryption using a public key?
If you wanted to post a secret message intended for a specific recipient, you could encrypt it using that person's public key. In that case you could share the QR-code freely, and only the recipient would be able to read its contents; anyone else would just see garbled text.
Alternative 2: One-Time Pass (OTP)?
If you want to make sure a QR-code is used only once, you could have it include a unique ID, and implement server side logic that accepts that code, checks its validity, and invalidates it after a single use. You can also limit the time for which such a QR-Code is valid. This is how website logins using QR-codes work.

Prevent QR code from being copied and QR code should be scanable by my mobile app only

I am using QR codes for anti-counterfeiting solutions.
But the problem with QR codes is that anyone can easily create a copy of my QR code, or anyone can easily read the QR code with a "qr code reader" mobile application and create the same QR code as mine.
If my application reads these fake QR codes then it shows the "valid product" message instead of the "fake product" message.
So I just want to know if there is any way to protect a QR code from being copied, or can I make a QR code which is readable by my mobile app only and not by any other "qr code reader" application.
There is no way to accomplish this.
QR is merely a format to store information. It does not provide confidentiality in any way.
You are looking at a systemic issue. For fraud detection, you want to use a technology where replication is hard. QR on the other hand is designed to make replication easy. QR codes are redundant and can still be read if a rather large portion of them is lost. QR codes are therefore - even on a basic level - the exact thing you don't want to use to establish the authenticity of an object.
There are different ways to do that: you can insert a copy-sensitive digital image at the center of the QR Code (called copy detection pattern or secure graphic). The secure graphic will naturally degrade and lose information if a counterfeiter tries to copy it, due to uncontrollable effects of dot gain and ink smearing. You can also embed a digital watermark by inserting small modifications that are hard to notice into the QR Code cells. These are generally easier to counterfeit though. A third approach consists in installing a high resolution camera on the printing or production line, and capture the small print variations of each printed QR Code.
The common point of these 3 approaches is that you need a specific app on your smartphone to make the authentication. If a consumer makes a normal scan of the QR Code (e.g. with the iPhone camera app), he can land on a page that will instruct him to download this app. Of course the brand owner needs to communicate to his customer or user base on how to authenticate its products. A good example of how this is done can be seen with the Scantrust secure QR Code here:
https://www.dupont.com/water/resources/anti-counterfeiting-solutions.html
https://www.nexans.com/business/Telecom---Data/Local-area-network/lan_systems_blog/lan_systems_blog_posts/20.2019-Scantrust.html
There are apps that do what you are looking for. Hologram, marks etc are a waste of money except maybe for preventing some new unscrupulous elements.
Even if the app is copied, Google won't allow apps of the same name which automatically grants it a first level protection. Hence this will work.
The other option is to create a two step process wherein one is a unique number via QR or bar code and the other is linked through one's own proprietary identification system. The other can be QR, bar too or even a scratch code. Any app can be used as the effect is the same.
Only difference is that the first one is easy to use.
The condition that only your app can scan your QR can be achieved by encrypting the text you want to convert into QR before converting it, using any encryption algorithm and key, and again after the QR code is scanned using the same algorithm to decrypt the encrypted text obtained. In this way, if any other scanner scans it, it will not perform the final algorithm you did to convert it into the original text, and hence your QR will be secure.
However, copying of the QR can be done.
Some companies pair a serialised QR code with a PIN code. It can be copied but the platform will detect multiple scans from different devices and locations and can send an alert.
There are also screen solutions as mentioned such as this.
https://ypbsystems.com/en/protect-code-anti-copy-code/

How does Bluetooth pairing work?

How exactly does Bluetooth pairing work? What is communicated between each device during the pairing process?
I was told if you had device-A wanting to pair with device-B:
A sends a 'unique key' to device B on some wavelength/frequency
B returns an 'echo' back to A, and hence the devices pair.
+-----+  key   +-----+
|     | ---->  |     |
|  A  |        |  B  |
|     | <----  |     |
+-----+ echoed +-----+
This seems to be inaccurate, so would anyone be able to either expand further or actually explain how/what is communicated to result in a successful pairing of the devices?
I was thinking of incorporating some of this research into a final year project (University), but would at least need to know something of the Bluetooth pairing programming first.
Any help would be much appreciated in describing how these initial communications work.
I've heard of terms such as 'parked mode', and 'passive mode' within my research, but am yet to find any 'useful' information in the programming behind the design, (and hence I have asked this question). The likes of googling this type of topic is also quite difficult as it seems to bring up stuff like 'how to turn your bluetooth on' pages, and not the design of the programming behind it.
Bluetooth Secure Simple Pairing uses Elliptic Curve Diffie Hellman (ECDH) public key cryptography with approximately 95 bits of entropy using the FIPS approved P192 elliptic curve.
$E: y^2 = x^3 + ax + b \pmod{p}$
The following parameters are given:
The prime modulus p, order r, base point x-coordinate Gx, base point y-coordinate Gy.
The integers p and r are given in decimal form; bit strings and field elements are given in hex.
p = 6277101735386680763835789423207666416083908700390324961279
r = 6277101735386680763835789423176059013767194773182842284081
b = 64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1
Gx = 188da80e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012
Gy = 07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811
There are five phases of Secure Simple Pairing:
1. Public key exchange
Each device generates its own Elliptic Curve Diffie-Hellman (ECDH) public-private key pair.
2. Authentication Stage 1
1 of 3 protocol options is chosen by the connecting devices based on the IO capabilities of the two devices. These are:
Numeric Comparison,
Out-of-Band,
Passkey Entry
3. Authentication Stage 2
Each device confirms that both devices have successfully completed the exchange as stipulated by whichever protocol was chosen and used in the previous step.
4. Link key calculation
A link key is computed from the derived shared key and the publicly exchanged data. This is the numeric code shown to the user.
5. LMP Authentication and Encryption
The encryption keys are generated. The devices are successfully connected.
Further Reading:
Bluetooth user Interface Flow Diagrams for Bluetooth Secure Simple Pairing Devices (PDF)
Bluetooth Core Complete Specification v4.0 vol0 (ZIP/PDF)
The core specification is 138 pages, and to fully answer your question would take at least 20, so to fully answer your question you'll need to read the references.
A trusted relationship is established between the devices using a numerical password, commonly referred to as a passkey. Depending on how often one Bluetooth device connects to another, the user might opt to have the passkey saved for future connection attempts or prompt to enter the passkey each time the devices request communication with each other.
Read more : http://www.ehow.com/how-does_4964578_bluetooth-pairing-work.html
For two devices to have the ability to pair, they must share the same bluetooth profile. The following is from the official Bluetooth website:
Pairing devices
Not all Bluetooth enabled devices are designed to be paired. Logically, there's no reason to connect a wireless mouse to a wireless headset. You should be able to pair a Bluetooth enabled headset to a Bluetooth enabled phone, or a Bluetooth enabled mouse to a Bluetooth enabled computer.
If you're not sure whether the two devices you want to connect are designed to be paired with each other, make sure their Bluetooth profiles match.
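The public key exchange phase described above, worked through in pure Python with the P-192 parameters listed in that answer. This is an added illustration, not code from the original thread or from any Bluetooth stack; the coefficient a = -3 is the standard P-192 value (the answer does not list it), the function names are hypothetical, and the arithmetic is not constant-time, so it is for study only.

```python
import secrets

# p, r, b, Gx, Gy as listed above; a = -3 is assumed (standard for P-192).
P = 6277101735386680763835789423207666416083908700390324961279
R = 6277101735386680763835789423176059013767194773182842284081
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)


def on_curve(pt) -> bool:
    if pt is None:                      # None stands for the point at infinity
        return True
    x, y = pt
    in_range = 0 <= x < P and 0 <= y < P
    return in_range and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2                 # infinity is the identity element
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                     # a point plus its negative
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        slope = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (slope * slope - x1 - x2) % P
    return x3, (slope * (x1 - x3) - y1) % P


def mul(k: int, pt):
    result = None                       # double-and-add scalar multiplication
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result


def keypair():
    d = secrets.randbelow(R - 1) + 1    # private scalar in [1, r-1]
    return d, mul(d, G)


def shared_secret(own_private: int, peer_public):
    # Reject peer keys that are not valid points on this curve.
    if peer_public is None or not on_curve(peer_public):
        raise ValueError("invalid public key")
    return mul(own_private, peer_public)[0]   # x-coordinate of the shared point
```

Each side calls `keypair()`, sends only the public point, and both obtain the same value from `shared_secret()`; the later pairing phases authenticate that exchange.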

QR code security

I have been reading a lot about QR codes and how the code itself can lead to serious security risks. But one thing that I did not come across is the following.
In the following scenario:
I have a QR code which displays some of my data, let's say:
- Name
- Address
- A list of things I'm allowed to do
And I scan my code to see its contents, add some stuff to the list of things that I'm allowed to do and reprint the QR code.
The next day I come to work scan my code and am allowed to do the extra thing I added to the code.
My question is: how can I stop this scenario from happening.
Note that it is not possible to check if my data is consistent with DataBase data.
More info:
I'm using phonegap in combination with Sencha Touch 2 to create my QR code reader.
It is an Android application designed only for Android 4.0 devices.
The QR codes are provided once a year.
If someone would scan his QR code of last year it would not work.
Note that: in theory if he'd change the date on the code that he would be able to get in, this is exactly what I'm trying to block.
Some employees have access to the application which reads the code.
The application does not have any way to verify the data on the QR code, so it has to be something using only the data on the QR code.
Sign the QR code data with a private key. The readers will need the public key to verify the QR code, but the public key need not be kept secret.
If you use an ECDSA Secp256K1 key, the signature will only add about 68 bytes to the QR code data.
Include the date of issue in the QR code as well. The reader will need a local clock to check that the QR code isn't too old. If the reader doesn't have a clock, you can at least keep track of the newest valid code you have ever seen. Any code issued more than a year before that date is definitely invalid.
Both BouncyCastle and OpenSSL contain implementations of the code you'll need.
If it's okay for the code readers/verifiers to contain all the information needed to generate a fake QR code, then you can use HMAC instead of ECDSA. That's simpler and an HMAC can be as little as 16 bytes and still do the job.
This is all easier to reason about if you realize that QR codes simply encode plain text. If your scheme is insecure if you were just dealing in text files or text printed on a wall -- QR codes don't change that. There is no security mechanism in a QR code.
Turning it around -- whatever means are available to secure your scheme, outside of QR codes, can probably be applied here. What you are looking for is a digital signature, the same sort of public/private key scheme used to prove that SSL certs are valid and that emails are from the claimed sender. The data your users need to supply must be signed by you to know they haven't tampered with it.
You can put anything you want in a QR code, including Base-64 encoded bytes representing a signed document. No reader will know what to do with it; you'd have to write a custom app that scans and then knows to decode it and act accordingly.
I do think it's by far easier to conceive a scheme that involves directing a user to a web site you control securely.
If you can't do any comparison, I don't know how you can secure it. Maybe all information may be hashed with a secret key? Then you can't reprint your code without the key.
A QR code is no more than text encoded into a 2D image. So it is not the QR code's responsibility to encrypt. But you can always generate a simple verification code, e.g. MD5 or Base64, that is created from a unique id plus the date. Depending on what kind of protection you want, you can either reject or disable a code that comes with a wrong verification code.
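The HMAC variant suggested in the answers above (a 16-byte tag plus a date of issue, checked offline by the reader), as an added example that is not part of the original thread. The field names, the JSON layout and the sample key are assumptions made for the illustration; as the answer notes, every reader holding this key could also mint codes, which is the trade-off against ECDSA.

```python
import base64
import hashlib
import hmac
import json
from datetime import date, timedelta

TAG_LEN = 16                       # truncated HMAC-SHA256 tag, in bytes
MAX_AGE = timedelta(days=365)      # codes are reissued once a year


def issue(fields: dict, issued: date, key: bytes) -> str:
    """Return the text to put in the QR code: base64url(body || tag)."""
    body = json.dumps({**fields, "issued": issued.isoformat()},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode()


def verify(token: str, today: date, key: bytes):
    """Return the fields if tag and issue date check out, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    fields = json.loads(body)                     # parsed only once authentic
    issued = date.fromisoformat(fields["issued"])
    if issued > today or today - issued > MAX_AGE:
        return None
    return fields


def tamper(token: str, extra: str, new_date: str) -> str:
    """The edit from the question: change the body, reuse the old tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    fields = json.loads(raw[:-TAG_LEN])
    fields["allowed"].append(extra)
    fields["issued"] = new_date
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + raw[-TAG_LEN:]).decode()


KEY = b"constructed-demo-key-not-for-use"         # constructed sample key
TOKEN = issue({"name": "A. Example", "allowed": ["enter-lab"]},
              date(2024, 1, 10), KEY)             # constructed sample code
```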

How do netbank login dongles work?

This is a question purely to satisfy my own curiosity.
Here in Norway it's common for netbanks to use a calculator-like (physical) dongle that all account holders have. You type your personal pin in the dongle and it generates an eight-digit code you can use to login online. The device itself is not connected to the net.
Does anyone know how this system works?
My best guess is that each dongle has a pregenerated sequence of numbers stored. So the login process will fail if you type an already used number or a number that is too far into the future. It probably also relies on an internal clock to generate the numbers. So far none of my programmer peers have been able to answer this question.
[Edit]
In particular I'm curious about how it's done here in Norway.
Take a look here: http://en.wikipedia.org/wiki/Security_token. If you are interested in the algorithms, these might be interesting: http://en.wikipedia.org/wiki/Hash_chain and http://en.wikipedia.org/wiki/HMAC.
Tokens have a very accurate real-time clock, and it is synced with the same clock on the auth server. Real time is used as a seed along with your private key and your unique number is generated and verified on the server, that has all the required data.
One major one-time password system is Chip and PIN, in which bank cards are inserted into special, standalone card readers that accept a PIN and output another number as you describe. It is widely deployed in the UK.
Each bank card is a smart card. The card's circuitry is what checks the PIN and generates the one-time password. Cryptographic algorithms that such cards can use include DES, 3DES (Triple DES), RSA, and SHA1.
I recently went overseas and used the dongle there with no problems.
It is a sealed battery powered dongle. One pushes the button and a code number appears.
The only way it could work is that it is time synchronised to the bank. The number that is recruited only lasts for a minute, if that.
A random number generator is used to create the stream of numbers recorded in the memory of the device.
It therefore becomes unique for the user and only the bank 'knows' what that random number generator produced for that particular user and dongle.
So there can only be one next number.
If the user makes a mistake, the bank 'knows' they are genuine because the next try is the next sequential number that is in the memory.
If the dongle is stolen the thief also has to have the other login details to reach the account.
