0

I need details about a QR code that provides information about whether its product is original or not.

The situation is a stamp that tells that this product has been certified as safe to be used by this safety board. And it's not for just one company. It has a various range of products and companies. And a fake product might just steal the QR code, copy and paste it on their products.

So do you guys have any idea on how a QR code helps? Is there any implementation yet?

Henning Klevjer
Haikal
  • A QR code is just text for a camera. It's like the plain old barcodes, but with more information. They have no mechanism for certification, authentication or anything like that. They are a tool to make it easy to type lots of text without actually typing. – ThoriumBR Oct 12 '18 at 19:56

2 Answers

11

QR Codes do not convey this type of information. They can be used to encode arbitrary text, a URL, or a number of other structured content, but in the end it's just printed information.

A QR Code is no more or less secure than any other label printed on an object.

tylerl
  • I'd argue that, if anything, QR codes are *less secure* than printed text, because a computer is involved. What if someone slaps a bunch of their own QR stickers over the top of your products? Could be dangerous. – Polynomial Oct 17 '12 at 05:47
  • How about this (insane?) scheme: 1. Digitally sign the product serial number with the company's private key 2. Have an app on your phone scanning the QR, which validates the QR with the company's public key and if it matches the serial number, we're alright? Or maybe I didn't think this one through? – Henning Klevjer Oct 17 '12 at 06:02
  • 2
    @Polynomial QR Codes don't themselves have any security features or vulnerabilities except for those that are common with any printed content. Any insecurities in a machine that can read it are attributes of the machine, not the QR Code. – tylerl Oct 17 '12 at 06:10
  • 4
    @HenningKlevjer You're assuming that a counterfeit product can't simply copy the original product's serial number. That's silly. QR Codes don't magically make it possible to uniquely identify an item, and if you *could* uniquely identify an item then you wouldn't need a QR Code. They're as relevant as a box of ducks when it comes to security. – tylerl Oct 17 '12 at 06:17
  • Heh, you're right. Lucky I have my (insane?)-disclaimer pointed out! – Henning Klevjer Oct 17 '12 at 06:25
  • @tylerl True, but they're not human readable, so a machine is always involved. That immediately increases the attack surface, especially with the recent [wipe code problem](http://www.techradar.com/news/phone-and-communications/mobile-phones/killer-code-could-wipe-samsung-handsets-1099605). – Polynomial Oct 17 '12 at 07:32
1

A paper certificate attesting to attributes of some product or person that are not easy to test for directly can include a URL deep-linking into the issuer's website.

Someone trying to evaluate the legitimacy of the certificate can visit the URL and see the certificate information on the issuer's website. The information displayed on the website may also contain information about exactly what product it is certifying (description, serial number, etc.) and hard-to-forge ways of identifying that specific product. Depending on the application, it could also offer a way to register ownership and/or indicate if that product (same serial number etc.) has been previously registered (helping detect duplication).

This is much harder to forge, requiring an attacker to hack into the issuer's website (or verifier's path to it) in addition to all the skills required to produce a paper forgery that appears credible to a potential verifier. Use of blockchain technology can raise the bar even more.

A QR code can just be a way of encoding that URL in a way that is easier for a machine to read.

Ideally, the QR code reader would tell the user what URL the code corresponds to before just opening the contents of that URL, so the user can verify that it looks like a trusted host (and block some attack strategies involving getting a target to visit an arbitrary URL).

For convenience and stronger association, the QR code can be engraved in or otherwise attached to a product directly, instead of a paper certificate meant to accompany the product. With the information available online, the rest of the certificate text can (in some applications) be omitted.

If a forger made an exact copy of a product the authentic seller had produced but not yet sold, including a code directing potential verifiers to the legitimate certificate, the issuer could potentially revoke that certificate and change the code/number on their own unsold inventory; the forger risks being exposed.

While this system is not 100% foolproof to the most advanced forgers, it raises the bar to successful forgery, especially compared to the status quo in many domains. In common practice, once that bar is high enough, it can become easier for the forger to just go through the certification steps and legitimately make genuine products, or pursue forgery/other activity elsewhere.

As an example of information related to a person rather than a product, see the Red Cross's training certificates program.

WBT
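The lookup-and-register flow described in the answer above, as an added example that is not part of the original post: the QR text is accepted only if it is an HTTPS URL on the issuer's own host, and the issuer's records then decide the outcome. The host name `certs.issuer.example`, the `id` query parameter and the in-memory `IssuerRegistry` are assumptions standing in for a real issuer website.

```python
from urllib.parse import urlsplit, parse_qs

TRUSTED_HOST = "certs.issuer.example"  # assumed issuer host (placeholder)

class IssuerRegistry:
    """In-memory stand-in for the issuer's certificate website (constructed)."""
    def __init__(self):
        self.certs = {}  # certificate id -> record

    def issue(self, cert_id, serial):
        self.certs[cert_id] = {"serial": serial, "revoked": False, "owner": None}

    def revoke(self, cert_id):
        self.certs[cert_id]["revoked"] = True

    def register(self, cert_id, serial_on_product, owner):
        rec = self.certs.get(cert_id)
        if rec is None:
            return "unknown"
        if rec["revoked"]:
            return "revoked"
        if rec["serial"] != serial_on_product:
            return "serial-mismatch"
        if rec["owner"] not in (None, owner):
            return "duplicate"  # same certificate already claimed by someone else
        rec["owner"] = owner
        return "registered"

def cert_id_from_qr(qr_text):
    """Return the certificate id, or None unless the URL is the issuer's own."""
    parts = urlsplit(qr_text.strip())
    # netloc comparison also rejects userinfo ("issuer@evil") and odd ports
    if parts.scheme != "https" or parts.netloc.lower() != TRUSTED_HOST:
        return None
    ids = parse_qs(parts.query).get("id", [])
    return ids[0] if len(ids) == 1 else None

def verify(registry, qr_text, serial_on_product, owner):
    cert_id = cert_id_from_qr(qr_text)
    if cert_id is None:
        return "untrusted-url"
    return registry.register(cert_id, serial_on_product, owner)
```

A copied code with a copied serial number still registers if it is scanned before the genuine item; the conflict only surfaces on the second claim, which is the duplication signal the answer describes.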