Re: Any way to implement Secure QR Code (SQRC) feature in ZXing library?


Sean Owen

Jun 14, 2012, 12:37:03 AM
to zx...@googlegroups.com
There is nothing special about that QR code. It just encodes "HTTP://VQR.CO/m" which is a redirector.
I assume the proprietary scanner passes some secret to the redirector too.

So, yes. There's nothing magic about the code itself.

Lachezar Dobrev

Jun 14, 2012, 4:42:07 AM
to Look4SecureQR, zx...@googlegroups.com
I would suspect that the «Proprietary Barcode Scanner» would recognise the URL and change something in it (like the host, or the port) or completely rewrite the URL based on some obscure algorithm. However, the QR Code only contains what you see. Unless the algorithm for rewriting the URL is known, there is nothing that can be done about those.

I suspect that one could falsify the Reed-Solomon error correction in a predictable way, so that additional information could be encoded, but that would severely limit the readability of the code, so it's not practical (but theoretically possible).

It's easy to implement a similar technique yourself. It's going to be easy to do that in a web application too, meaning that one could implement a similar scheme for his own site...

To recap: There is NO private data in the QR Code itself. The data is stored somewhere else, and the QR code only shows WHERE to find the data, not the data itself.


2012/6/14 Look4SecureQR <iso...@gmail.com>:
> not at all.
>
> Security QR Code, or SQRC, is a QR Code but with an added layer of security
> to protect private data embedded into the code.
>
> One QR Code with two distinctly different destinations. One is public and
> can be scanned by any mobile device and the other is private that can only
> be read by a proprietary device. Transmit secure data only to those
> authorized to see the data. Applications in health care, identity
> confirmation, security, employee ID credentials, access control, finance,
> shipping, promotion, inventory control and many other disciplines where
> security considerations are critically important. Learn More about secure
> QRCodes and SQRC.
>
> You can see a bit more info about SQRC here:
> http://www.regalscan.com.cn/p4-solution.asp

Look4SecureQR

Jun 14, 2012, 6:10:17 AM
to zx...@googlegroups.com, Look4SecureQR
Why is the URL here?

The SQRC works like this. Suppose two strings, XYZ and ABC. SQRC may use a key to encrypt XYZ and generate one QR image that contains the encrypted string of XYZ and the plain string of ABC.

When using a normal QR reader, it can read the plain string ABC and will not read the encrypted string XYZ (it either reads corrupted text or nothing at all); but when using a customized QR reader with the encryption key, it can read both ABC and XYZ.

Sean Owen

Jun 14, 2012, 6:42:54 AM
to zx...@googlegroups.com, Look4SecureQR
Yes, I read the marketing blurb. I am telling you that the QR code's contents are nothing more than a redirector URL. This can be read by any scanner.

My guess is that when you access the URL, you get public info, unless you send a secret key, in which case you get the private data too. That's the simplest guess. In that sense, the QR code itself is unimportant; it's the URL and server that matter.

Now I can come up with some wilder theories, yes, that data is hidden at a deeper level.

Lachezar, your idea is a good one; I looked and there is no intentional error introduced here.
Maybe they hide extra info in the image with steganography?

But I really doubt this is the case. The first theory is far more sensible. It's just a URL and there is nothing special about the barcode at all.

Look4SecureQR

Jun 14, 2012, 1:35:30 AM
to zx...@googlegroups.com
not at all.

Security QR Code, or SQRC, is a QR Code but with an added layer of security to protect private data embedded into the code.

One QR Code with two distinctly different destinations. One is public and can be scanned by any mobile device and the other is private that can only be read by a proprietary device. Transmit secure data only to those authorized to see the data. Applications in health care, identity confirmation, security, employee ID credentials, access control, finance, shipping, promotion, inventory control and many other disciplines where security considerations are critically important. Learn More about secure QRCodes and SQRC.

You can see a bit more info about SQRC here: http://www.regalscan.com.cn/p4-solution.asp


On Thursday, June 14, 2012 11:37:03 AM UTC+7, Sean Owen wrote:

Dean Collins

Feb 1, 2016, 1:43:30 PM
to zxing, iso...@gmail.com

Sean did you ever find out if this was the case?

I agree with you; that's exactly what I thought, e.g. how would the SQRC image "know" the reader? It couldn't be updated if a reader was compromised (e.g. like Blu-rays were).

It HAS to be getting the "proprietary information" from a webserver somewhere that CAN be updated and say "this reader good, this reader bad" in real time.

Otherwise, how can it continue to be relied upon as secure?

Bas Vijfwinkel

Feb 2, 2016, 12:23:33 AM
to zxing, iso...@gmail.com
SQRC is nothing more than an application of standard QR codes.

The reader itself is only a dumb QR reader (like any other reader).
All 'security' issues are handled in the application layer that uses the output of the reader.
The idea is to encode an identifier for the actual data in a QR code, just like we use a URL to point to some 'real' data. Make it somehow not publicly available and you have your SQRC support.

If a normal QR reader would read the QR code, it just gets the identifier, not the actual data.
This makes it possible to provide some security layers to a QR code (As the QR code doesn't have any of such features).

It's just a lot of marketing blurb in order to give QR codes a better image.
For practically everything in Japan conventional 1D barcodes are used.
But you could implement such a 'secure' barcode just as well in 1D barcodes.
Apart from encoding URLs for websites, QR codes have practically disappeared here.

Tyson Clugg

Oct 19, 2016, 7:03:37 AM
to zxing, iso...@gmail.com
My understanding of SQRC is that the error correction abilities of the QR code are exploited, and "errors" are introduced (private data) in the raw bit stream which are discarded by normal readers. SQRC readers collect the error data and decrypt the private information using the key which was entered as part of the SQRC data (along with the regular public QR code data).

There have been many people "talking through their hat" so to speak, saying things like "the reader itself is only a dumb QR reader".

Why not have a look at the errors encoded into the following QR code, and see if you can figure out how it's done? http://www.vitreoqr.com/2014/Q_Reader_App_files/SQRC_Demo_VQR_Web_Site.jpg

Try re-encoding the public data from that code at various error levels, and see if you can make your regenerated QR code look the same (or even similar, in terms of grid size). There's a bunch of extra bits there which are being discarded by non-SQRC readers. That's the point - it contains both public and private data encoded in a single QR code. The question is, how do we decode those extra bits?

I suppose someone might try reverse engineering the Arara QR reader android app to find out how... https://play.google.com/store/apps/details?id=com.arara.q

Regards,
Tyson.

Sean Owen

Oct 19, 2016, 8:59:34 AM
to zxing, iso...@gmail.com
Yes, we tried that in the thread above. I just tried decoding the QR code you linked to and there are no erasures/errors according to the Reed-Solomon algorithm. There are, however, a bunch of bytes after a "TERMINATOR" mode marker, and that's the payload, so it's actually even simpler than that. It will be ignored by normal readers, but it's easily readable. I assume it's the encrypted version of something.

I guess I don't see the point of this, because you could just encode the URL of a secure website or just encode some custom content like "supersecret:AB3901FC32001..." without resorting to this. It's an extra layer of obscurity and doesn't require a web service, I guess.
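The observation above (extra bytes sitting after the terminator, where a standard decoder stops reading) can be checked on the raw data codewords. The following is an added example, not ZXing code or anything from the SQRC vendors: it builds a constructed codeword stream with an optional non-pad trailer, then parses it the way a decoder would and reports whatever follows the terminator that is not the standard pad pattern. It assumes byte mode only, an 8-bit character-count field (symbol versions 1-9) and the 0xEC/0x11 pad codewords; the capacity of 34 data codewords in the test corresponds to a version 2-L symbol.

```python
# Added example (not ZXing code): walk a QR symbol's data-codeword bit stream
# and separate the public segment from any bytes that follow the TERMINATOR
# mode indicator. A standard decoder stops at the terminator, so those bytes
# are never displayed, yet they are trivially extractable with this logic.
# Assumptions: byte mode only, 8-bit count field (versions 1-9), 0xEC/0x11 pads.
from itertools import cycle, islice

BYTE_MODE, TERMINATOR = 0b0100, 0b0000
PAD = (0xEC, 0x11)  # alternating pad codewords that fill unused capacity


class BitReader:
    def __init__(self, data: bytes):
        self.bits, self.pos = "".join(f"{b:08b}" for b in data), 0

    def remaining(self) -> int:
        return len(self.bits) - self.pos

    def read(self, n: int) -> int:
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value


def build_codewords(public: bytes, trailer: bytes, total: int) -> bytes:
    """Constructed stream: byte-mode segment, terminator, optional trailer, pads."""
    bits = f"{BYTE_MODE:04b}{len(public):08b}" + "".join(f"{b:08b}" for b in public)
    bits += f"{TERMINATOR:04b}"
    bits += "0" * (-len(bits) % 8)  # finish the partial codeword with zero bits
    out = bytearray(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)) + trailer
    return bytes(out + bytearray(islice(cycle(PAD), total - len(out))))


def inspect_codewords(codewords: bytes) -> tuple[bytes, bytes]:
    """Return (public data, non-pad bytes found after the terminator)."""
    r, public = BitReader(codewords), bytearray()
    while r.remaining() >= 4:
        mode = r.read(4)
        if mode == TERMINATOR:
            break
        if mode != BYTE_MODE:
            raise ValueError(f"unsupported mode indicator {mode:04b}")
        count = r.read(8)
        public += bytes(r.read(8) for _ in range(count))
    r.pos += -r.pos % 8  # skip to the next codeword boundary
    trailing = bytes(r.read(8) for _ in range(r.remaining() // 8))
    # The pad run is the longest suffix matching 0xEC, 0x11, ...; whatever
    # precedes it is extra content that a normal reader silently discards.
    for i in range(len(trailing) + 1):
        tail = trailing[i:]
        if tail == bytes(islice(cycle(PAD), len(tail))):
            return bytes(public), trailing[:i]
```

Feeding the data codewords recovered from a real symbol (after Reed-Solomon correction and de-interleaving) into inspect_codewords shows at a glance whether anything besides standard padding hides behind the terminator.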