Cryptography · Mobile Security

How to create an encrypted barcode and prevent hacking of it on the mobile phone's side?

Anonymous

November 2nd, 2015


I need to push customer authentication data to a mobile phone so that it can authenticate 200 distinct users via a unique barcode even if there is no internet. Problem:
1) Whatever data is stored on the device, it must be impossible to hack it to create a user's authentication barcode itself.
2) The barcode needs to be fairly small and not very dense so that it can be displayed on the user's phone or printed and still scan reliably with most phone cameras.

Encrypting the database doesn't sound too reliable because someone could run a debugger and get the decrypted data from memory.
Public key cryptography comes to mind, but how to satisfy both requirements?
PGP level may not be necessary; as long as it would take over $1,000,000 in computer time to create one fake barcode, it will work for my purposes.
Any ideas for iOS & Android?

Amir Yasin Developer, Architect

November 2nd, 2015

I assume 1) you're OK using a QR code in place of a normal bar code, and 2) you aren't shipping your entire database to the phone. I also assume you're doing this to check people into an event or something.

The solution given those criteria is pretty simple.
1. Generate a really long random password (say 160 chars).
2. Split the password into 2 equal parts (80 chars each).
3. Using bcrypt or some other means, create a one-way hash of this password.
4. Put the first half of the password and the one-way hash on the device you take to check people into the event.
5. Generate a QR code with the other half and have people use that as their ticket.
6. When matching, combine the 2 halves (the one on your check-in device and the one in the QR code), regenerate the hash and see if it matches.
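
The split-secret check from the answer above, as an added example (not the poster's code). It assumes PBKDF2-HMAC-SHA256 as the "other means" of hashing, because bcrypt only uses the first 72 bytes of its input and so would not cover both 80-character halves; the function names, record layout and `user_id:half` QR payload format are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed QR-friendly alphabet
SECRET_LEN = 160                                 # split 80/80, as in the steps above
ITERATIONS = 10_000                              # assumed work factor


def _hash(salt: bytes, device_half: str, ticket_half: str) -> bytes:
    """One-way hash over BOTH halves, so neither half alone reproduces it."""
    secret = (device_half + ticket_half).encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def issue_ticket(user_id: str):
    """Steps 1-5: return (record for the check-in device, QR payload for the user)."""
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    device_half, ticket_half = secret[:80], secret[80:]
    salt = secrets.token_bytes(16)  # per-user salt, stored on the device
    record = {"half": device_half, "salt": salt,
              "hash": _hash(salt, device_half, ticket_half)}
    # The full secret is discarded here; the device never stores ticket_half.
    return record, f"{user_id}:{ticket_half}"


def verify(device_db: dict, qr_payload: str) -> bool:
    """Step 6: recombine the halves offline and compare against the stored hash."""
    user_id, sep, ticket_half = qr_payload.partition(":")
    record = device_db.get(user_id)
    if not sep or record is None:
        return False  # malformed payload or unknown user
    candidate = _hash(record["salt"], record["half"], ticket_half)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    db = {}
    db["user-001"], qr = issue_ticket("user-001")  # constructed sample user
    print("valid ticket:", verify(db, qr))
    print("forged ticket:", verify(db, "user-001:" + "A" * 80))
```

Someone who dumps the check-in device gets each user's first half, salt and hash, but still has to guess the 80 random characters carried in the QR code to produce a ticket that verifies.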


Art Yerkes Computer Software Professional

November 2nd, 2015

You're likely looking for Ed25519, or similar, which provides asymmetric key generation and message signing.

Each person's device would generate a private key and send a public key to the event organizer, then use the private key to sign a message (for example, a 4 digit code put up at the event) and display the bytes of the signed message as a QR code.  Your person at the event would need an app with a list of public keys only, not enough to properly sign a message, but enough to validate each signed message.

https://github.com/orlp/ed25519 <-- one implementation of ed25519, although there are a lot floating around

Stas Khirman SVOD Conference CoChair

November 3rd, 2015

One of the challenges is that, due to the requirement of offline functionality, you need to generate a "single use" barcode. Otherwise, it will be quite easy to get a screen capture and generate multiple copies. If scancode reading devices don't have online access and you assume simultaneous use of multiple scanners, you may decrease fraud by embedding a timestamp into the signed message and requiring barcode generation at the checkpoint. (Certainly it is not a 100% foolproof solution, but it minimises fraud in offline mode with multiple simultaneous scanners.)

Joanan Hernandez CEO & Founder at Mollejuo

November 6th, 2015

Answers here are accurate according to the complexity of the given problem (question). I'm curious, though, if the initial problem needs to be that complex, because if it is, end users will surely be confused by the end solution. It will not be an easy one for end users.

Best of luck!