QR Code for Advance Security System


  • 8/14/2019 QR Code for Advance Security System


    Department of

    Electronics & Communication Engineering

    Course No: ECE 4000

    Submitted by:

    Mamdudul Haque Khan

    Roll: 0909038

    Department: ECE

    Year: 4th, Semester: 1st

    Date of submission: 03.10.2013


    Abstract:

    Computers and mobile phones are widespread, and many everyday objects come equipped with this technology. The comfort and convenience they provide have certainly made our lives much easier than ever before. Mark Weiser said, "The most profound technologies are those that disappear." Two brilliant features found in modern cell phones are the integration of digital cameras and the ability to access the Internet anytime and anywhere, thus enabling us to seek information when we need it. A user having a camera phone equipped with the correct reader software can scan a two-dimensional (2D) barcode and decode it to launch and redirect the phone's browser to an embedded URL, or to resolve text embedded in the scanned barcode. When someone holds important data or private information, the risk to security becomes an important problem. QR codes simply feature a square code with a unique pattern that provides security for your data and private information. In this paper, we discuss the QR code's different data types, the data encoding process and the security application areas.


    Contents:

    1. What is QR code

    2. Structure of the QR Code

    3. The Specifications of the QR Code

    4. Encoding Data

    5. Security application of QR code

    6. In other application

    7. Threat & Possible solution

    8. Conclusion


    The Finder Patterns enable the decoder software to recognize the QR Code and determine the correct orientation, which means that the position, the size, and the angle of the symbol can be detected. These patterns also allow 360 degree (omni-directional) high-speed reading of the code.

    Separators (2): The white separators have a width of one pixel and improve the recognizability of the Finder Patterns, as they separate them from the actual data.

    Timing Pattern (3): A pattern for identifying the central coordinate of each cell in the QR Code, with black and white patterns arranged alternately. It is used for correcting the central coordinate of the data cell when the symbol is distorted or when there is an error in the cell pitch. It is arranged in both vertical and horizontal directions. The timing patterns define the positioning of the rows and columns.

    Alignment Pattern (4): This pattern allows the QR reader to correct for distortion when the code is bent or curved. The alignment pattern appears on version 2. It acts as a reference point for the scanner, making sure everything lines up properly. An alignment pattern consists of a 5 module by 5 module black square, an inner 3 module by 3 module white square, and a single black module in the center.

    It is highly effective for correcting nonlinear distortions. The central coordinate of the alignment pattern will be identified to correct the distortion of the symbol. For this purpose, a black isolated cell is placed in the alignment pattern to make it easier to detect the central coordinate of the alignment pattern.

    Data Area (6): The QR Code data will be stored (encoded) into the data area and is converted into a bit stream. The data will be encoded into the binary numbers 0 and 1 based on the encoding rule. The binary numbers 0 and 1 will be converted into black and white cells and then arranged. The data area will have Reed-Solomon codes incorporated for the stored data and the error correction functionality.

    Format Information (5): This tells the scanner whether it's a website, text message, Chinese symbols, numbers, or any combination of these. This section consists of 15 bits and contains the error correction rate and the selected mask pattern of the QR code. The error correction level can be identified from the first two modules of the timing pattern. The format information is read first when the QR code is decoded.


    Error Correction (7): The data code words are used in order to generate the error correction (EC) code words, which are stored in the error correction section.

    Remainder Bits (8): This section contains empty bits if the data or the error correction bits cannot be divided into 8-bit code words without a remainder.

    The Specifications of the QR Code:

    All-Direction (360°) High-Speed Reading:

    Reading matrix symbols will be implemented by using a CCD sensor (area sensor). The data of the scan line captured by the sensor will be stored into the memory. Then, by using the software, the details will be analyzed, finder patterns identified, and the position/size/angle of the symbol detected, and the decoding process will be implemented. Traditional two-dimensional symbols used to take much time for detecting the position/angle/size of the symbol, and had a problem that their readings were less accurate when compared with those of linear symbols. QR Code has finder patterns for notifying the position of the symbol arranged in three of its corners to enable high-speed reading in all directions (360°). The ratio between black and white among the scan line that runs through the finder patterns is always 1:1:3:1:1 when seen from any direction among the 360° surrounding it. By detecting this specific ratio, the finder pattern can be detected from among the image captured by the CCD sensor to identify the position of the QR Code in a short period of time. Additionally, by identifying the positional relationships of the three finder patterns listed in Figure 5 from among the image field of the CCD sensor, the size (L), the angle (), and the outer shape of the symbol can be simultaneously detected. By arranging the finder patterns into the three corners of the symbol, the decoding speed of the QR Code can be made 20 times faster than that of other matrix symbols. Additionally, detecting finder patterns can be easily implemented by the hardware, and can also be accelerated.

    Figure: Identifying a QR Code
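The 1:1:3:1:1 ratio check described above can be sketched on a single scan line. This is an added example, not code from the original paper; the function names, the tolerance value and the sample scan line are assumptions constructed for illustration.

```python
# Added example: locate a finder pattern on one scan line by its
# 1:1:3:1:1 dark/light/dark/light/dark run ratio (1 = dark pixel, 0 = light).

def run_lengths(line):
    """Collapse a scan line into [value, length] runs."""
    runs = []
    for px in line:
        if runs and runs[-1][0] == px:
            runs[-1][1] += 1
        else:
            runs.append([px, 1])
    return runs


def find_finder_centers(line, tolerance=0.5):
    """Return the pixel index at the centre of every 1:1:3:1:1 run group.

    tolerance is the allowed error per run, as a fraction of the estimated
    module width (an assumed value; real readers tune this).
    """
    runs = run_lengths(line)
    centers = []
    start = 0  # pixel index where runs[i] begins
    for i, (value, length) in enumerate(runs):
        window = [r[1] for r in runs[i:i + 5]]
        if value == 1 and len(window) == 5:
            module = sum(window) / 7.0  # 1+1+3+1+1 = 7 modules across
            if all(abs(n - e * module) <= tolerance * module
                   for n, e in zip(window, (1, 1, 3, 1, 1))):
                centers.append(start + sum(window) // 2)
        start += length
    return centers


def finder_pattern():
    """7x7 finder pattern: dark border, light ring, 3x3 dark core."""
    return [[0 if max(abs(r - 3), abs(c - 3)) == 2 else 1 for c in range(7)]
            for r in range(7)]


def scan_lines_through_center(matrix):
    """Horizontal, vertical and diagonal scan lines through the centre cell."""
    n = len(matrix)
    mid = n // 2
    return {
        "horizontal": matrix[mid],
        "vertical": [matrix[r][mid] for r in range(n)],
        "diagonal": [matrix[k][k] for k in range(n)],
    }


# Constructed sample: 3-pixel modules with a light quiet zone on both sides.
SAMPLE_LINE = [0] * 8 + [1] * 3 + [0] * 3 + [1] * 9 + [0] * 3 + [1] * 3 + [0] * 8

if __name__ == "__main__":
    print(find_finder_centers(SAMPLE_LINE))
    for name, line in scan_lines_through_center(finder_pattern()).items():
        print(name, find_finder_centers(line))
```

The same run ratio appears on the horizontal, vertical and diagonal lines through the pattern, which is what lets a reader find the symbol without knowing its orientation first.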

    Resistant to Distorted Symbols:

    Symbols often get distorted when attached onto a curved surface or by the reader being tilted (angled between the CCD sensor face and the symbol face). To correct this distortion, QR Code has alignment patterns arranged with a regular interval within the range of the symbol. The variance between the centre position of the alignment pattern estimated from the outer shape of the symbol and the actual centre position of the alignment pattern will be calculated to have the mappings (for identifying the centre position of each cell) corrected. This will make the distorted linear/non-linear symbols readable.

    Figure: Correcting Distorted Symbols

    Masking Process:

    Masks are used to generate QR Codes with a good distribution of black and white modules (close to 50:50 and distributed well over the whole code). This increases the contrast of the picture and thus helps devices to decode it. To accurately finalize the data that had been read, it is necessary to arrange the white and black cells in a well-balanced manner. To enable this, EX-OR calculation will be implemented between the data area cell and the mask pattern (template) cell when encoding the stored data and arranging it into the data area. Then, the number of unique patterns existing and the balance between the white cells and the black cells will be assessed against the data area where the calculation had been implemented. There are eight mask patterns. Assessment will be made for each mask pattern, and the mask pattern with the highest assessment result together with the EX-OR calculation result will be stored into the data area.

    Figure: Masking Process

    Each mask pattern uses a formula to determine whether or not to change the color of the current bit. You put the coordinates of the current bit into the formula, and if the result is 0, you use the opposite bit at that coordinate. Here is the list of the mask pattern formulas. It should have i corresponding to rows and j corresponding to columns.
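The eight mask conditions defined in the QR Code standard (ISO/IEC 18004), with the EX-OR step applied to a grid, are shown here as an added example that is not part of the original paper. The function names are assumptions, the whole grid is treated as data area, and the balance-only scoring in `pick_mask` is a deliberate simplification of the standard's assessment.

```python
# Added example: the eight QR mask conditions (i = row, j = column).
# A module is flipped (EX-OR with 1) wherever the condition is true.
MASK_CONDITIONS = [
    lambda i, j: (i + j) % 2 == 0,
    lambda i, j: i % 2 == 0,
    lambda i, j: j % 3 == 0,
    lambda i, j: (i + j) % 3 == 0,
    lambda i, j: (i // 2 + j // 3) % 2 == 0,
    lambda i, j: (i * j) % 2 + (i * j) % 3 == 0,
    lambda i, j: ((i * j) % 2 + (i * j) % 3) % 2 == 0,
    lambda i, j: ((i + j) % 2 + (i * j) % 3) % 2 == 0,
]


def apply_mask(grid, mask_id):
    """EX-OR every module (1 = dark, 0 = light) with the chosen mask pattern.

    Assumption: the whole grid is data area. A real encoder leaves the
    function patterns (finder, timing, alignment, format information) alone.
    """
    cond = MASK_CONDITIONS[mask_id]
    return [[bit ^ int(cond(i, j)) for j, bit in enumerate(row)]
            for i, row in enumerate(grid)]


def dark_ratio(grid):
    """Fraction of dark modules in the grid."""
    cells = [bit for row in grid for bit in row]
    return sum(cells) / len(cells)


def pick_mask(grid):
    """Return the id of the mask whose result is closest to a 50:50 balance.

    Simplified scoring: only the dark/light balance is assessed. Ties go to
    the lowest mask id.
    """
    scores = [abs(dark_ratio(apply_mask(grid, k)) - 0.5) for k in range(8)]
    return scores.index(min(scores))


# Constructed sample: an all-light 6x6 data area, the worst case for balance.
ALL_LIGHT = [[0] * 6 for _ in range(6)]

if __name__ == "__main__":
    for k in range(8):
        print(k, round(dark_ratio(apply_mask(ALL_LIGHT, k)), 3))
    print("chosen mask:", pick_mask(ALL_LIGHT))
```

Applying the same mask a second time restores the original modules, which is how a reader undoes the mask after reading the mask id from the format information; masking balances the symbol and does not hide the data.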

    Information Type and Volume:

    QR Code can handle various types of data such as numerical characters, alphabets, signs, Kanji characters, Hiragana, Katakana, control signs, and images. It can basically have character sets supported by ISO/IEC 646 and ISO/IEC 10646. These data can also coexist. The maximum available volume of the information is listed in Table.

    Symbol Size:

    QR Code can have its size freely selected according to the data volume to be stored and the reading method. The symbol size is incremented by four cells in both vertical and horizontal direction - 21x21 cells, 25x25 cells, 29x29 cells..., and there are 40 size types with the maximum size set to 177x177 cells. For example, in the case of 45x45 cells, if a single square cell is sized 0.25mm, one side of the symbol will be 45 x 0.25mm = 11.25mm. The quiet zone, whose minimum size is four cells, will need to be added on both sides of the symbol, and therefore the space required for having this symbol printed will be a square of (4+45+4) x 0.25mm, which is 13.25mm.

    Error Correction Functionality:

    QR Code has error correction functionality for restoring the data. The error correction functionality is applied according to the smudge or damage encountered, and uses Reed-Solomon code, which is highly resistant to burst errors. Reed-Solomon codes are arranged in the QR Code data area. With this error correction functionality, the codes can be read correctly even when they are smudged or damaged, up to the error correction level. There are four different restoration levels so that you can select the level that matches each usage environment. Each restoration capability is as listed in Table.

    The Confidentiality of the Code:

    By making the relationship between the character type and the stored data unique for a special usage, QR Code can be easily encrypted. Unless the conversion table between the character type and the stored data is deciphered, no one will be able to read the QR Code.

    Data Conversion Efficiency:

    QR Code has four types of conversion mode for encoding the data: numerical characters, alphanumerical/signs, binary, and Kanji characters. Each mode has been designed to improve its conversion efficiency. The number of cells required for each character in each mode is listed in Table.

    Encoding Data:

    The message data is placed from right to left in a zigzag pattern. The data bits are placed starting at the bottom-right of the matrix and proceeding upward in a column that is 2 modules wide. The QR code encoding process runs from the input of the data to be encoded up to the generation of the QR code diagram.


    Fig: Data encoding process

    There are several different source encodings specified for the information contained in the code.

    Numeric mode: encodes only the decimal digits 0 through 9, thus being able to pack a lot of data in one picture.

    Alphanumeric mode: a set of characters containing upper case letters (not lowercase!) and several additional characters like the symbols $, %, *, +, -, ., /, and : as well as a space.

    Byte mode: by default, is for characters from the ISO-8859-1 character set. However, some QR code scanners can automatically detect if UTF-8 is used in byte mode instead.

    Kanji mode: It is for double-byte characters from the Shift JIS character set. While UTF-8 can encode Kanji characters, it must use three or four bytes to do so. Shift JIS, on the other hand, uses just two bytes to encode each Kanji character, so Kanji mode compresses Kanji characters more efficiently. If the entire input string consists of characters in the double-byte range of Shift JIS, use Kanji mode. It is also possible to use multiple modes within the same QR code.

    Extended Channel Interpretation (ECI) mode: It specifies the character set (e.g. UTF-8) directly. However, some QR code readers do not support ECI mode and will not understand QR codes that use it.

    Structured Append mode: It encodes data across multiple QR codes, up to a maximum of 16 QR codes. I will not be discussing this mode in this tutorial but may add more information at a later time.

    FNC1 mode: It allows the QR code to function as a GS1 barcode. I will not be discussing this mode in this tutorial but may add more information at a later time.


    Four-bit indicators are used to select the encoding mode and convey other information. Encoding modes can be mixed as needed within a QR symbol.

    Security application of QR code:

    QR code based mobile payment process:

    Step #0: A registered mobile user uses his/her user account and PIN to log in to the mobile payment system by sending a login request to the mobile payment server. The mobile server processes the mobile client authentication and sends a login response with the server certificate ID and a secured session ID, as well as a public key for the communications.

    Step #1: The mobile client authenticates the mobile server with the received public key and the server's certificate.


    server + unique identifier of the token that has been assigned by the server to the session on the desktop computer. After the code is scanned, the phone opens a page that checks whether it has been used with this service before by looking for a cookie containing encrypted information about the user's credentials (hash of username/user id). The hash is checked against the server's database and, if it is valid, the token in the database is updated with the information that access is granted to user X. The phone shows a message that the user has logged in to site XYZ. The browser on the desktop constantly checks the status of the token and, once it says that the user has logged in, redirects to the secure part of the website. The Google login prompt will appear on your phone, and logging in there will log you into a session on the desktop. This prevents the user from having to type sensitive login credentials into a public machine, which could be compromised with keylogging software. The new QR code feature is an alternative to Google's 2-step verification. This generates a unique short code on your mobile, which you must input for each desktop login, using the presence of your phone as a form of identification.
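The token flow described above (desktop session token in the QR code, phone cookie checked against the server's database, desktop polling the token status) can be sketched on the server side as follows. This is an added example, not code from the original paper or from Google; the class and method names, the HMAC-based cookie value, the 120-second lifetime and the `login.example.test` URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a displayed QR code stays valid (assumed value)


class QrLoginServer:
    """In-memory model of the QR login token described in the text."""

    def __init__(self, server_key, now=time.time):
        self.server_key = server_key
        self.now = now            # injectable clock, so expiry can be tested
        self.tokens = {}          # token -> {"session", "expires", "user"}
        self.known_cookies = {}   # cookie hash -> user id (the "database")

    def enroll_phone(self, user_id):
        """Issue the cookie a phone keeps after its first ordinary login."""
        cookie = hmac.new(self.server_key, user_id.encode(),
                          hashlib.sha256).hexdigest()
        self.known_cookies[cookie] = user_id
        return cookie

    def start_desktop_login(self, desktop_session):
        """Create the one-time token; the QR code encodes the returned URL."""
        token = secrets.token_urlsafe(32)  # unguessable, bound to one session
        self.tokens[token] = {"session": desktop_session,
                              "expires": self.now() + TOKEN_TTL,
                              "user": None}
        return "https://login.example.test/qr?t=" + token, token

    def phone_scan(self, token, cookie):
        """Phone opened the QR URL: grant access if token is live and unused."""
        entry = self.tokens.get(token)
        if entry is None or self.now() > entry["expires"] or entry["user"]:
            return False
        user = self.known_cookies.get(cookie)
        if user is None:
            return False
        entry["user"] = user      # "access is granted to user X"
        return True

    def desktop_poll(self, token, desktop_session):
        """Desktop checks the token status; a granted token is consumed once."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        if not hmac.compare_digest(entry["session"], desktop_session):
            return None           # token belongs to a different browser session
        if self.now() > entry["expires"]:
            del self.tokens[token]
            return None
        if entry["user"] is None:
            return None           # still waiting for the phone
        del self.tokens[token]    # single use: a replayed poll gets nothing
        return entry["user"]
```

The properties worth checking in any real deployment are the ones the sketch enforces: the token is random, bound to the desktop session that requested it, short-lived, and usable once.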

    Short URLs and Tracking Codes:

    It is important to be able to track how many people are using the codes once you have installed them. We found that the easiest way to do this was by using a URL shortening service, like goo.gl. URL shorteners take long links and make them short. This is helpful for reducing the overall size of a QR code, as the more text it has to encode, the bigger it has to be. More importantly, however, by generating a new unique URL that is associated only with the QR code, it is easier to see who is checking out your content through the code itself as opposed to people who are finding your content by searching YouTube or clicking on browser links. Goo.gl automatically keeps track of who is viewing your link and how, with charts and detailed information.

    Figure: URL shortening & tracking

    http://www.readwriteweb.com/archives/google_rolls_out_2-step_verification_to_help_prote.php

    Production management:

    In order to maintain the quality of production, a great deal of man-hours used to be required to deal with picking-out mistakes, wrong items and out-of-stock items. QR code is used in production. By checking data matching at each production process, mistakes can be reduced, production history can be traced, and a reliable production management system will be established.

    When picking out parts, QR codes on an instruction are matched with those on labels affixed to part shelves.

    In the assembly process, QR codes on a production instruction are matched with those on product labels.

    When storing product units in a warehouse, QR codes on the production instruction are read in to collect data on stored items.

    When shipping out product units, shipping management is carried out by reading QR codes.

    Data hiding:

    In today's world, security is a big issue and securing important data is essential, so that the data cannot be intercepted or misused for any kind of unauthorized use. Hackers and intruders are always ready to get at the personal or important data of a person or an organization, and misuse it in various ways. A busy, active person wants to keep his/her valuable data like passport information, bank statements, social security number, etc. with himself/herself all the time, but he/she is always afraid of doing so because this information is threatened and can be easily intercepted by outsiders for misuse. This problem can be solved by encrypting the data and hiding it in a QR Code. QR codes can contain contact information, so someone can easily scan a QR code, view your contact details, and add you on their phone. You can input your name, phone number, e-mail, address, website, memo, and more. In the modern world the most commonly used encryption technique in QR Codes is the DES (Data Encryption Standard). Most institutions / organizations use their own custom methods to encrypt QR Code data.

    In other application:

    QR code for medical field:

    Hospitals in some countries such as Japan, Hong Kong and Singapore have adopted QR Codes printed on patient wrist bands to identify the patients. Examples of information encoded in the QR Code are the patient's name, identification number, date of birth, sex, ward and bed numbers.

    The merit of using QR Code in a hospital is to ensure that the right patient gets the right medicine or right treatment at the right time. QR Code is also used for the blood test process. Collected blood is put in a test tube. The test tubes marked with QR Code are inserted into the tester.

    Picking task:

    Since workers have to match items on a shipping, bus, departmental store list with actually delivered items with their eyes, the job usually takes up a great deal of time. Since it sometimes is difficult to distinguish similar items with eyesight alone, workers often make mistakes. By changing the conventional method of picking out items with eyesight to the code matching method, the burden on workers and the time required for the task can be reduced. When an item is picked out erroneously, a notifying sound is emitted, thereby eliminating mistakes.


    A list of QR codes for shipping items to be picked out that is made from a shipping instruction is read in with a handheld terminal unit to register the data for picking.

    Items are picked out following instructions displayed on the terminal unit by matching with codes on the labels affixed to the shipping boxes for the items.

    When a code for an item not to be shipped out is read in, an error sound is emitted, and a vibrating response is made from the terminal, notifying the

    QR Codes in Marketing & Advertisement:

    There are a variety of good reasons to advertise using QR codes.

    QR codes can lead users to more information about a product or service.

    QR codes engage potential customers because they are interactive.

    QR codes offer instant action. Remembering to do something in the future makes potential customers lose interest, but with a QR code, your action can be completed immediately, whether it is liking a page, watching a video or purchasing a product.

    QR codes make typing in a long URL unnecessary.

    QR code analytics can be used to assess the success of your advertising. There are many websites that offer a breakdown of how many scans your code gets, when it gets them, etc.

    QR codes can fit in small spaces and can be scanned on computer screens, print ads, and television ads. QR codes can even be scanned off of someone else's cell phone's screen.

    http://www.createqrcodes.org/qr-codes-in-marketing.html

    Figure: QR code in Advertisement

    QR Codes are part of daily life in Japan, Korea, Taiwan, Hong Kong and China. A study published by MRI showed that out of 2053 Japanese mobile phone users, 90% have recognized a QR Code. McDonald's uses codes to inform users about the nutritional value of its burgers. Apple advertised the new iPod on billboards with QR codes. QR Codes used in a Nike advertising campaign allow direct access to a dedicated mobile site.

    Threat:

    One can distinguish two different threat models for manipulating QR Codes. First, an attacker may invert any module, changing it either from black to white or the other way round. Second, a more restricted attacker can only change white modules to black and not vice versa.

    Attacking Human Interaction:

    Humans cannot read the code without reader software; the information stored within the code is completely obfuscated. But when a manipulated QR code is read, a vulnerability in the reader software or the browser might get triggered. The modes of attack on QR codes are:

    JavaScript based attacks

    URI based attacks:

    Phishing and Pharming based attacks

    Downloaded malware/Trojan based attacks

    Potential misuse of short URL and fraud

    Phishing and Pharming: If QR Codes are used for links in augmented reality scenarios, an attacker might set up a fake website and redirect users by changing the QR Code. This is dangerous if some form of credentials is needed to access the website. The user has no possibility to verify that the link is not modified.

    Fraud: QR Codes are often used in advertisements to direct the target audience to special offers or additional information about specific products. If the QR Code can be manipulated to redirect the user to a cloned website, an adversary could sell the solicited product without ever fulfilling the contract. The victim implicitly trusts the advertising company by following the link.

    Attacking reader software: Different implementations of the reader software on computers or cell phones might be attackable via command injection or traditional buffer overflows if the encoded information is not sanitized. An attacker might gain control over the entire smartphone, including contact information or the victim's communication content like email or SMS.

    Social engineering attacks: Building on these attacks, more specific attacks like spear phishing or other variants of social engineering are enabled, depending on the goal of the attacker. Leaving a poster of a QR Code on the parking lot of a company (instead of the traditional attack with a USB drive) offering a discount in a nearby restaurant is a new attack vector which is likely to be successful.

    Here's some practical advice on how to spot and avoid malicious QR codes:

    Use a mobile QR code/barcode-scanning app that previews URLs. Avoid scanning suspicious codes and links that don't seem to match the ads they're incorporated in; also avoid shortened links.

    Don't scan QR codes in the form of stickers placed randomly on walls. QR codes can be generated by anybody and stuck on walls in public places. And in today's QR code hype, scammers think someone's bound to scan such a code, just out of curiosity. They can also stick malicious QR codes over legitimate ones on a billboard. So look closely at a QR code placed in a public place before you scan it.

    Be extra careful if your smartphone works on the Android mobile operating system. Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser. That's why most malicious apps transmitted via QR codes target Android-based smartphones. So, make sure your Android browser is always up to date and only scan QR codes from trusted sources.

    Install a mobile security app right away. An efficient mobile security suite can protect you from all living cyber-creatures, such as viruses, worms, Trojans, spyware and other malware that can be transmitted via QR codes.
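A scanner that previews URLs, as advised above, can also run simple checks on the decoded payload before anything is opened. This is an added example, not code from the original paper; the label names, the `expected_host` parameter, the sample payloads and the shortener list (apart from goo.gl, which the page names) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample shortener hosts. goo.gl is named in the text; the others are
# illustrative additions, and a real scanner would maintain its own list.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}


def assess_qr_payload(text, expected_host=None):
    """Return a sorted list of warning labels for a decoded QR payload.

    expected_host is the domain of the advertiser the code claims to come
    from, if the user or the app knows it (hypothetical parameter).
    """
    try:
        parts = urlsplit(text.strip())
    except ValueError:
        return ["malformed-url"]
    scheme = parts.scheme.lower()
    if not scheme:
        return ["not-a-url"]                  # plain text, show it, do not open
    if scheme not in ("http", "https"):
        return ["non-web-scheme:" + scheme]   # e.g. javascript:, data:, tel:
    host = (parts.hostname or "").lower()
    if not host:
        return ["malformed-url"]

    findings = set()
    if scheme == "http":
        findings.add("no-tls")
    if parts.username is not None:
        findings.add("embedded-credentials")  # user@host hides the real host
    if host in SHORTENERS:
        findings.add("shortened-link")        # destination cannot be previewed
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.add("punycode-host")         # possible look-alike domain
    try:
        ipaddress.ip_address(host)
        findings.add("ip-literal-host")
    except ValueError:
        pass
    if expected_host and host != expected_host \
            and not host.endswith("." + expected_host):
        findings.add("host-mismatch")         # link does not match the ad
    return sorted(findings)


# Constructed sample payloads, as a reader might decode them.
SAMPLES = [
    ("https://shop.example.com/offer", "example.com"),
    ("http://goo.gl/abc123", None),
    ("https://user@198.51.100.7/login", "example.com"),
    ("javascript:void(0)", None),
    ("MEETING ROOM 4", None),
]

if __name__ == "__main__":
    for payload, host in SAMPLES:
        print(payload, "->", assess_qr_payload(payload, host) or "no findings")
```

An empty result means none of these checks fired; it does not mean the destination is safe.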
