QR Code vs 1D Barcode security

I need to make a ticketing system for a local promoter. I have most of the work done for the barcode, but this is pretty old. I want to upgrade to use QR codes. The security issue I have is when scanning the QR code.

The scanning of the QR code seems to be working, but what if someone creates his own QR code with a destination URL different from the URL the system uses to validate the code, and it outputs the same info as a successfully scanned QR code, the same as the one I use to validate the QR code?

The chances of this happening are small. But the client has very big events, and if this were to happen it could be trouble.

Is there a way that all QR codes I scan will be redirected to my page, and I only derive the token in the URL to compare with the token in my DB?

Hope it is understandable what I'm trying to explain, and any help is appreciated.

Regards,

P P

First: There is no inherent security to any kind of bar code, whether QR or otherwise. They're just a fancy way of making some data machine-readable.

Second: QR codes do not have to contain URLs. They can contain URLs, and they're often used that way in advertising, but there's nothing which forces them to be used that way.

Third: Even if you scan a QR code and it contains a URL, there is no reason you need to visit that URL in a web browser. In fact, if you're using the QR codes in a fixed-purpose application (like you're doing here), you probably shouldn't. Look at the text of the URL, check if it fits the right pattern, and extract the user's ID from there.

If you compare linear barcodes to QR Codes, then obviously you had better go with QR Code, because:

  • QR Code supports error correction, i.e. if it was partially damaged (up to 25% depending on the configuration) then it will still be decoded;
  • It is widely supported by hardware and software (including mobile phone applications);
  • Higher information density per inch compared to linear barcodes.

As I understand it, you worry about possible fake servers + fake tickets with fake QR Codes containing a URL to a fake server.

In this case I would consider implementing a digital signature or encryption for responses from the server, so the scanning app could verify whether they are coming from the authentic server:

  • The simplest (but less secure) way is to encrypt the string in the barcode with a password that is known to the scanning app, so the response can be decrypted by the scanning app.
  • Implement a digital signature to sign responses from the server, and verify whether these responses are coming from an authentic server.
  • Use SSL so the data exchange between the server and your app is encrypted.

Also, as far as I know, there were cases when tickets were photocopied and the original owner was not able to use the original ticket, because a fake ticket with the fake barcode had been used before. So it is usually advised not to publish photos of tickets on social media in general.
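The two answers above make the same practical point: the scanner must never dereference whatever URL the QR code happens to contain. It should parse the string, accept only the expected host and path pattern, extract the ticket identifier, and verify an authenticator before touching the database. The following is an added example that is not part of either answer or of the asker's system. It assumes a QR payload of the form `https://tickets.example.com/t/<ticket_id>.<tag>` (host, path layout and the `sign_ticket` / `validate_scan` names are all assumptions), uses an HMAC-SHA256 tag with a key shared between the issuer and the scanning app as a stand-in for the "digital signature" the second answer recommends, and models the database as an in-memory dict so it runs offline. It also covers the photocopied-ticket case by marking a ticket as used on first admission.

```python
"""Validate a scanned QR payload offline, without visiting its URL.

Added example (not from the original post). Assumed QR payload format:
    https://tickets.example.com/t/<ticket_id>.<tag>
where <tag> is the first 32 hex chars of HMAC-SHA256(key, ticket_id).
"""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Key shared by the ticket issuer and the scanning app (constructed sample value).
# If scanners must not hold a secret, use an asymmetric signature instead.
SCANNER_KEY = b"example-shared-secret-rotate-me"

# Only this host and path shape are accepted; anything else is rejected unread.
EXPECTED_HOST = "tickets.example.com"
PATH_RE = re.compile(r"^/t/([A-Za-z0-9_-]{8,32})\.([0-9a-f]{32})$")

# Toy ticket database: ticket_id -> already_used (constructed sample data).
TICKET_DB = {"EVT1-00042": False, "EVT1-00043": False}


def _tag(ticket_id: str, key: bytes) -> str:
    # 128-bit truncated HMAC keeps the QR payload short while staying unforgeable.
    return hmac.new(key, ticket_id.encode(), hashlib.sha256).hexdigest()[:32]


def sign_ticket(ticket_id: str, key: bytes = SCANNER_KEY) -> str:
    """Issuer side: build the string that gets encoded into the QR code."""
    return f"https://{EXPECTED_HOST}/t/{ticket_id}.{_tag(ticket_id, key)}"


def validate_scan(payload: str, db: dict = TICKET_DB, key: bytes = SCANNER_KEY):
    """Scanner side: return (admitted, reason). The URL is parsed, never fetched."""
    parts = urlsplit(payload)
    if parts.scheme != "https" or parts.netloc != EXPECTED_HOST:
        return False, "unexpected host"          # attacker's own server
    m = PATH_RE.match(parts.path)
    if not m:
        return False, "malformed path"
    ticket_id, tag = m.groups()
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _tag(ticket_id, key)):
        return False, "bad signature"            # forged or tampered ticket
    if ticket_id not in db:
        return False, "unknown ticket"
    if db[ticket_id]:
        return False, "already used"             # photocopy of a real ticket
    db[ticket_id] = True
    return True, "admitted"


if __name__ == "__main__":
    genuine = sign_ticket("EVT1-00042")
    print(genuine)
    print(validate_scan(genuine))                       # first scan admits
    print(validate_scan(genuine))                       # second scan is a duplicate
    print(validate_scan(genuine.replace(EXPECTED_HOST, "evil.example.net")))
    print(validate_scan(f"https://{EXPECTED_HOST}/t/EVT1-00043." + "0" * 32))
```

The ordering matters: host and pattern checks cost nothing and reject most garbage, the MAC check stops forged identifiers before any database lookup, and the used-flag is set only after a genuine ticket is admitted, so a photocopy scanned later is turned away rather than the original holder.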
