How resistant are barcodes and QR-codes against attempts to change stored data?
Assume we want to protect a document against manipulation and forgery. So, we encode some sensitive information of the document and store it in a QR-code inserted in the document.
Can we be sure that an attacker is not able to change and modify the stored data in the QR-code? And if it is possible to modify it, how difficult is it for an attacker to do so? In other words, how secure is a QR-code?
physical qr-code barcode
asked 22 hours ago
sas
UPC has some minor protection from accidental or intentional corruption built-in. The first and second half of the bar-code have the meaning of black/white inverted in the encoding. And the last digit is a checksum calculated from the rest of the digits in the code. This does nothing to protect from someone putting a sticker over the barcode on a product, though.
– nbering
16 hours ago
3 Answers
... how a QR-code is secure?
Data in a QR code are kind of protected against accidental damage by having some error correction but they are not protected against deliberate manipulation. Also, an attacker might completely replace the QR code in the document with a different one.
answered 22 hours ago


Steffen Ullrich
Exactly. To protect sensitive data in a document, we need to address the specific risks by applying appropriate mitigations. A 2d (or 1d) barcode is just data encoding in a format that is better for digital sensor recognition and parsing. If we rely on a QR code to 'hide sensitive data' then we are using obscurity to protect our data. Obscurity is only valid as one of many techniques in a strategy to reduce risk -- by itself obscurity is mostly worthless. To protect data from overt malicious manipulation, one needs to consider a hash/checksum/digital signature.
– 0xSheepdog
16 hours ago
QR codes are normally not protected against manipulation. But:
You could include a digital signature in the data so anyone can check if the QR code is made by you and has not been modified. Then the only thing an attacker can do is replace the QR code with another QR code you made.
Such an approach will typically work like this:
- On a secure server, a key pair (public key and private key) is generated. The public key can safely be published. The private key never leaves the server.
- When a QR code needs to be created, the server calculates the digital signature from the information and the private key. The information together with the digital signature is put in a QR code.
- One creates an app for scanning QR codes. The public key is included in the app. An algorithm that takes the public key, the information and the digital signature as input can check whether or not the data in a QR code has been tampered with.
I don't know if there is any standard or good existing software for digital signatures in QR codes.
answered 16 hours ago
Paul
A QR code which encodes the digital signature of the containing document might be possible, but there are no official standards doing so. (You need to make sure that the QR signature protects the whole document except for the QR code itself, to avoid a chicken-and-egg problem. This requires a clean definition of exactly what is protected.)
– MSalters
4 hours ago
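The three steps in Paul's answer, written out in Go as an added example (it is not code from the thread). Ed25519, the payload layout, the function names and the idea of signing a document ID that is also printed on the paper are assumptions made here; the ID binding is one way to catch a genuine QR code being moved onto another document.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed payload layout (not a standard):
//   base64url(docID + "\n" + info) + "." + base64url(Ed25519 signature)
var b64 = base64.RawURLEncoding

var (
	ErrFormat    = errors.New("malformed QR payload")
	ErrSignature = errors.New("signature does not verify under the pinned key")
	ErrWrongDoc  = errors.New("valid QR code, but issued for another document")
)

// NewKeyPair is step 1: run once on the signing server; only pub is published.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPayload is step 2: the server signs docID and info together, so the
// signature also states which document the data belongs to.
func SignPayload(priv ed25519.PrivateKey, docID, info string) (string, error) {
	if docID == "" || strings.Contains(docID, "\n") {
		return "", ErrFormat
	}
	msg := []byte(docID + "\n" + info)
	return b64.EncodeToString(msg) + "." + b64.EncodeToString(ed25519.Sign(priv, msg)), nil
}

// VerifyPayload is step 3: the scanning app checks the decoded QR text against
// the key pinned in the app (never a key taken from the scanned data) and
// against the document ID read from the document itself.
func VerifyPayload(pinned ed25519.PublicKey, payload, docIDOnPaper string) (string, error) {
	parts := strings.Split(payload, ".")
	if len(parts) != 2 {
		return "", ErrFormat
	}
	msg, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrFormat
	}
	if !ed25519.Verify(pinned, msg, sig) {
		return "", ErrSignature
	}
	fields := strings.SplitN(string(msg), "\n", 2)
	if len(fields) != 2 {
		return "", ErrFormat
	}
	if fields[0] != docIDOnPaper {
		return "", ErrWrongDoc
	}
	return fields[1], nil
}

func main() {
	pub, priv := NewKeyPair()
	// Constructed sample data.
	qr, _ := SignPayload(priv, "CERT-0001", "name=A. Example;grade=B")
	info, err := VerifyPayload(pub, qr, "CERT-0001")
	fmt.Println("genuine:", info, err)

	// Data edited while the original signature is kept.
	edited := b64.EncodeToString([]byte("CERT-0001\nname=A. Example;grade=A")) + qr[strings.Index(qr, "."):]
	_, err = VerifyPayload(pub, edited, "CERT-0001")
	fmt.Println("edited:", err)

	// Genuine QR code placed on a different document.
	_, err = VerifyPayload(pub, qr, "CERT-0002")
	fmt.Println("swapped:", err)
}
```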
QR codes provide no protection against intentional modification.
Document protection can be approached a number of ways depending upon your intent. Verification of content can be done by attaching a digital signature, but there has to be an outside (out of band) verification of your public key to preclude simply replacing the signature key with someone else's signature key. This is common in code downloads where the signature of the code (document) is available via a web site or other out of band check.
Hidden watermarks or other steganographic techniques can help validate a document but it's dependent upon not being detected as opposed to a rigorous cryptographic signature. There are many approaches and their effectiveness is dependent upon distribution and use. For example, custom micro spacing of selected words or letters. Non-standard pie-chart rotations. Extra spaces in selected locations of a digital document. Tiny yellow dots on white paper of a printed document. Many others, but a digital signature is the gold standard.
answered 15 hours ago
user10216038