This blog entry is about a small utility I made, which I call VerifiedQR. So read on if you want to know what VerifiedQR is about.
The short version
It allows one to store data in a QR code together with a digital signature, so the data can be authenticated by verifying the signature when reading the QR code.
The longer version
QR codes are often used for ticketing, especially self-print tickets. To verify the validity of such a ticket, one will normally use one of the following two solutions: Either give the QR reader online access to a database of valid ticket IDs, or preload the reader with all valid ticket IDs. However, both solutions have their disadvantages. Online access is not always (reliably) available, and preloading all valid ticket IDs on the reader prevents you from verifying tickets issued after the preloading has been done.
The solution VerifiedQR uses is to store a digital signature in the QR code together with the data. Hence all readers equipped with the public key can verify that the data in the QR code is correct. Clearly this is nothing new and has been possible for a long time (although I haven’t yet seen it done for data in QR codes). However, for typical signature schemes such as RSA, the signature is prohibitively large for storage inside a QR code, which can only hold a very limited amount of data and still be easy to read. Another cryptographic solution is to use symmetric key authentication such as HMAC or CBC-MAC, but then anyone with access to a reader can potentially extract the key and forge tickets.
VerifiedQR uses a type of public key cryptography (BLS signatures based on pairings) to keep the signature size as small as possible while still using public key cryptography. Furthermore, the data is compressed to reduce its size as much as possible. VerifiedQR is a set of Java libraries that allows one to easily generate a QR code storing a list of data items, as well as easily recover and verify data from a QR code.
Here are some code snippets that demonstrate how it is used. First one must initialise the BLS signature scheme and generate keys. In this example we store them as well:
    BLS bls = new BLS("curve.properties");
    bls.keygen();
    bls.storePublicKey("key.public");
    bls.storeSecretKey("key.secret");
One can (of course) also load existing keys. The curve parameters must be the same as when the keys were generated:
    bls = new BLS("curve.properties");
    bls.loadPublicKey("key.public");
    bls.loadSecretKey("key.secret");
The data to be stored in the QR code are simply stored as strings in a Vector:
    Vector vec = new Vector();
    vec.add("John Doe");
    vec.add("2012-11-12");
    vec.add("192-562-3945");
It is very simple to generate a 200×200 pixel qr.png file containing the QR code:
    VerifiedQR qr = new VerifiedQR();
    String strData = qr.encodeAndSign(bls, vec);
    qr.generate("qr.png", strData, 200, 200);
To verify the data, first get the Vector from the QR code data stored in strData:
    Vector vec = qr.decodeAndVerify(bls, strData);
If verification fails, decodeAndVerify will throw a SignatureException. Also note that for verification one does not have to call bls.loadSecretKey(). In fact verifiers should not have access to the secret key at all.
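The sign-then-verify flow described above, as an added example that is not VerifiedQR's own code. It uses only the JDK (Java 15 or later) with Ed25519 standing in for BLS, which the JDK does not provide; the class name and the payload layout (newline-joined items, Deflate, appended signature, Base64url) are assumptions made for illustration, not VerifiedQR's format.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.zip.*;

public class SignedPayloadDemo {
    static final int SIG_LEN = 64; // Ed25519 signatures are always 64 bytes (RSA-2048: 256)

    // Issuer side: compress the items, sign the compressed bytes, append the signature.
    // Assumed layout: items contain no newline; payload = deflate(items) || signature.
    static String encodeAndSign(PrivateKey sk, List<String> items) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (DeflaterOutputStream z = new DeflaterOutputStream(buf)) {
            z.write(String.join("\n", items).getBytes(StandardCharsets.UTF_8));
        }
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(sk);
        s.update(buf.toByteArray());
        buf.write(s.sign());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf.toByteArray());
    }

    // Reader side: holds only the public key. Verify first, decompress only afterwards,
    // so unauthenticated bytes never reach the decompressor.
    static List<String> decodeAndVerify(PublicKey pk, String qrText) throws Exception {
        byte[] raw;
        try { raw = Base64.getUrlDecoder().decode(qrText); }
        catch (IllegalArgumentException e) { throw new SignatureException("bad encoding", e); }
        int n = raw.length - SIG_LEN;
        if (n <= 0) throw new SignatureException("payload too short");
        Signature s = Signature.getInstance("Ed25519");
        s.initVerify(pk);
        s.update(raw, 0, n);
        if (!s.verify(raw, n, SIG_LEN)) throw new SignatureException("bad signature");
        byte[] text = new InflaterInputStream(new ByteArrayInputStream(raw, 0, n)).readAllBytes();
        return Arrays.asList(new String(text, StandardCharsets.UTF_8).split("\n"));
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        String qr = encodeAndSign(kp.getPrivate(), List.of("John Doe", "2012-11-12", "192-562-3945"));
        System.out.println(qr.length() + " chars: " + decodeAndVerify(kp.getPublic(), qr));
        // Constructed tampering: change one character inside the compressed body.
        String tampered = qr.substring(0, 5) + (qr.charAt(5) == 'A' ? 'B' : 'A') + qr.substring(6);
        try { decodeAndVerify(kp.getPublic(), tampered); throw new AssertionError("accepted"); }
        catch (SignatureException expected) { System.out.println("tampered payload rejected"); }
    }
}
```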
VerifiedQR includes a small test program similar to the code above that demonstrates the functionality. Simply compile it with
and run it with
This will generate key material, output a qr.png file, and verify the generated data.
If you don’t have the make command on your system, just take a look at the Makefile to see what commands should be used.
The program needs some curve parameters for an elliptic curve to use. Some examples are found in the curves/ directory, but depending on your exact needs (performance and security) you might need to generate other curves.
License and libraries
This program is distributed under the GNU GPL v3 and makes use of the following libraries:
- Apache Commons Codec (Apache License 2.0)
- ZXing (Apache License 2.0)
- BouncyCastle (MIT License)
- jPBC (LGPL 3.0)
If you want to license the code under a different license, want me to help building an application around this, or just want to chat, feel free to contact me.
Here is the link to download VerifiedQR.