2

I am developing a system to prevent ticket fraud.

What do I need?

  1. An algorithm to generate a QR Code that will be shown to my clients in a ticket.

     [Image: Ticket]

  2. An algorithm to validate (offline) the QR Code, using the user's smartphone (Android or iOS).

     [Image: App]

I would like to start by saying that I know nothing about cryptography, but I did read a few articles about asymmetric encryption.

What did I learn?

With the public key, I can create cypher texts.
With the private key, I can decrypt the cypher texts.

The regular scenario is to keep the private-key private, and the public-key public. Right?

My question is, to achieve what I need, can I invert this process?

Keeping the private key in the app (anyone can tamper with the key, but it would be useless), and keeping the public key private (in the server).

I am calling it "inverted" asymmetric encryption.

Why? With the public key I will create the QR Code with the ticket code, and if no one else has my public key, I believe no one can create QR Codes similar to mine, so they would be hard to fake.

Using the smartphone, my client could use my mobile app with the private key to decrypt the text inside the QR Code, and if it could not be decrypted the app would say that the ticket is fake.

Are these assumptions correct and is this method secure?
Stealing the private key (tampering it from the app), can an attacker generate cypher texts like with the public key?

  • 1
    With your role reversal of private & public keys, you have essentially reinvented digital signatures. Now you just need to read up on them, align your terminology with the rest of the world, and understand how your idea has already been refined over the last few decades. – Nefrubyr Dec 05 '14 at 13:47

1 Answer

4

Interesting thought.

What you need is a digital signature.

A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication) and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

See more at http://en.wikipedia.org/wiki/Digital_signature.

Is this assumption correct and is this method secure?

I believe your method is secure, but use digital signatures instead; they were made for this.

Stealing the private key (tampering it from the app), can an attacker generate cypher texts like with the public key?

Using the private key, you can't cipher a text the way you can with the public key.

Lucas NN
  • 3
    I think that in at least some asymmetric cryptosystems, it's simple to create the public key from the private key (even when that need not be the case, like in textbook RSA, an implementation might attach the public key to the private key because the public key need not be secret). Don't rely on the ability to keep the public key secret if the private key is exposed; that's one reason to use digital signatures (others include that they're analyzed for security in this context, and you won't have to implement them yourself). – cpast Dec 05 '14 at 04:57
  • @cpast It can be a problem, thanks for the advice. –  Dec 05 '14 at 07:37
  • 2
    Just be careful because, at least with SSH keys, you can easily find the public key if you have the private. Not sure if this is true for all asymmetric encryption. – drpexe Dec 05 '14 at 09:33
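
The digital-signature approach recommended in the answer and comments, as an added example that is not part of the original thread: the server signs each ticket with a private key it keeps to itself, and the app carries only the public key and verifies offline. It assumes Node.js with its built-in `crypto` module and Ed25519; the ticket fields, the `payload.signature` QR text layout and the function names are hypothetical choices made for this illustration.

```javascript
// Added example (not from the original post): Ed25519-signed ticket payloads.
const nodeCrypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Server side: the PRIVATE key signs and never leaves the server.
function issueTicket(ticket, privateKey) {
  const payload = Buffer.from(JSON.stringify(ticket), 'utf8');
  const signature = nodeCrypto.sign(null, payload, privateKey);
  return `${b64u(payload)}.${b64u(signature)}`; // text to encode in the QR code
}

// App side: the PUBLIC key ships in the app and can only verify.
// Returns the ticket object, or null for anything forged or malformed.
function verifyTicket(qrText, publicKey) {
  const parts = String(qrText).split('.');
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  if (signature.length !== 64) return null; // Ed25519 signatures are 64 bytes
  try {
    if (!nodeCrypto.verify(null, payload, publicKey, signature)) return null;
    return JSON.parse(payload.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed demo data: hypothetical ticket fields, freshly generated keys.
const server = nodeCrypto.generateKeyPairSync('ed25519');
const attacker = nodeCrypto.generateKeyPairSync('ed25519');
const ticket = { id: 'T-0001', event: 'demo-concert', seat: 'A12' };

const genuine = issueTicket(ticket, server.privateKey);
// Forgery 1: change the seat but keep the genuine signature.
const [, sig] = genuine.split('.');
const tampered = `${b64u(JSON.stringify({ ...ticket, seat: 'A1' }))}.${sig}`;
// Forgery 2: sign with a key the attacker generated themselves.
const selfSigned = issueTicket(ticket, attacker.privateKey);

console.log(verifyTicket(genuine, server.publicKey));     // ticket object
console.log(verifyTicket(tampered, server.publicKey));    // null
console.log(verifyTicket(selfSigned, server.publicKey));  // null
```

A valid signature shows that the server issued the ticket; it does not stop a genuine QR code from being copied and presented twice, so an offline validator still needs its own duplicate check.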