二维码安全 [英] QR code security
问题描述
我阅读了很多关于二维码以及二维码本身如何导致严重安全风险的文章.但我没有遇到的一件事是以下内容.
I have been reading a lot about QR codes and how the code itself can lead to serious security risks. But one thing that I did not come across is the following.
在以下场景中:我有一个二维码,它显示了我的一些数据,可以说:- 名称- 地址- 我可以做的事情的清单
In the following scenario: I have a QR code which displays some of my data lets say: - Name - Address - A list of things I'm allowed to do
然后我扫描我的代码以查看其内容,将一些东西添加到我可以做的事情列表中并重新打印 QR 码.第二天我上班时扫描我的代码,然后被允许做我添加到代码中的额外事情.
And I scans my code to see its contents, add some stuf to the list of things that I'm allowed to do and reprint the QR code. The next day I come to work scan my code and am allowed to do the extra thing I added to the code.
我的问题是:我怎样才能阻止这种情况发生.请注意,无法检查我的数据是否与数据库数据一致.
My question is: how can I stop this scenario from happening. Note that it is not possible to check if my data is consistent with DataBase data.
更多信息:
我将 phonegap 与 Sencha Touch 2 结合使用来创建我的二维码阅读器.
它是专为 Android 4.0 设备设计的 Android 应用程序.
二维码每年提供一次.
如果有人扫描他去年的二维码,那将不起作用.
请注意:理论上,如果他更改他能够进入的代码上的日期,这正是我想要阻止的.
一些员工可以访问读取代码的应用程序.
应用程序无法验证二维码上的数据,因此只能使用二维码上的数据.
I'm using phonegap in combination with Sencha Touch 2 to create my QR code reader.
It is an Android application designed only for Android 4.0 devices.
The QR codes are provided once a year.
If someone would scan his QR code of last year it would not work.
Note that: in theory if he'd change the date on the code that he would be able to get in, this is exactly what I'm trying to block.
Some employees have access to the application which reads the code.
The application does not have any way to verify the data on the QR code, so it has to be something using only the data on the QR code.
推荐答案
使用私钥对二维码数据进行签名.读者需要公钥来验证二维码,但公钥不需要保密.
Sign the QR code data with a private key. The readers will need the public key to verify the QR code, but the public key need not be kept secret.
如果您使用 ECDSA Secp256K1 密钥,则签名只会向二维码数据添加大约 68 个字节.
If you use an ECDSA Secp256K1 key, the signature will only add about 68 bytes to the QR code data.
在二维码中也包括发行日期.阅读器需要一个本地时钟来检查二维码是否太旧.如果阅读器没有时钟,您至少可以跟踪您所见过的最新有效代码.任何在该日期之前一年以上发布的代码肯定是无效的.
Include the date of issue in the QR code as well. The reader will need a local clock to check that the QR code isn't too old. If the reader doesn't have a clock, you can at least keep track of the newest valid code you have ever seen. Any code issued more than a year before that date is definitely invalid.
BouncyCastle 和 OpenSSL 都包含您需要的代码的实现.
Both BouncyCastle and OpenSSL contain implementations of the code you'll need.
如果代码阅读器/验证器可以包含生成假二维码所需的所有信息,那么您可以使用 HMAC 而不是 ECDSA.这更简单,HMAC 可以只有 16 字节,但仍然可以完成工作.
If it's okay for the code readers/verifiers to contain all the information needed to generate a fake QR code, then you can use HMAC instead of ECDSA. That's simpler and an HMAC can be as little as 16-bytes and still do the job.
这篇关于二维码安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
