-2

Can QR codes always be copied? I am looking for some sort of QR code or chip that can be readily scanned (preferably via smartphone) and linked to a secure website, but that cannot be copied or reproduced in any way. Any thoughts?

Mitch
  • 4
    Interesting concept, creating something that needs to be imaged to be read that cannot be imaged to be copied. It's like creating listenable non-copyable music, a much sought after dream of the recording industry. – Fiasco Labs Jun 30 '12 at 06:26
  • 6
    Anything visual that has to be interpreted by a camera can be copied. – schroeder Jun 30 '12 at 06:55
  • 3
    Can you explain your use case to some level of detail? Because there are many different things you could mean. But my immediate question is this -- if the QR code can't be readily scanned, what purpose does it serve? The point of a QR code is to allow some piece of information to be readily scanned. – David Schwartz Jun 30 '12 at 09:26
  • 5
    See [QR codes that can't be copied - possible?](http://security.stackexchange.com/q/5420/971), which looks like the same question. – D.W. Sep 22 '12 at 00:07

6 Answers

13

If such a thing existed, we could have solved counterfeiting printed money ages ago.

Hendrik Brummermann
tylerl
7

If it can be read, it can be copied. This is also the main reason DRM is useless.

Zzz
  • 1
    DRM works very well in online games such as Second Life. The trick is not to give the protected data (e. g. server side scripts, virtual items that cannot be uploaded) to the client. I went into details on that topic in [Are there DRM techniques to effectively prevent pirating?](http://security.stackexchange.com/a/4640/665). – Hendrik Brummermann Jun 30 '12 at 16:50
3

It might be a good idea to give more context. There are multiple use cases and it is hard to guess what you are aiming at.

As far as I understand you, we need to distinguish two aspects:

  • copying the chip
  • copying the link

How to prevent copying the chip?

Common smartcards store a private key. The chip can be told to decrypt or sign data. But the chip has no command to read the private key.

Smartcards are designed in a way which makes it extremely difficult to get external access to the internal memory without destroying the card. While there are attacks on smartcards (e. g. based on power analysis or artificial wearing), they are out of scope for most use cases.

The smartcard can sign the provided information and the reader can verify that the signature is correct.

How to prevent copying the link?

If you make the link available to an untrusted reader, it can be copied. For example, there are quite a number of exploits that give full permissions to the owner of a smartphone.

So you must ensure that the user never knows the link. This can be done by replacing the link with a token.

The token is generated by the chip and contains a unique identifier and the link. It is encrypted with a public key that is known to the chip, and the chip signs it with its own private key.

The user submits this token to a server. The server verifies the signature and decrypts the token to extract the identifier and link. It checks that the identifier has not been used before. Then it connects to the target of the link, and forwards the response to the user.

The user does not know the link because it gets the response from the relay server. After the request the token is marked as used, so copying the token is not useful.

Hendrik Brummermann
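The token flow described in the answer above, as an added example that is not part of the original answer: the chip encrypts a fresh identifier plus the link to the server, signs the ciphertext, and the server accepts each identifier once. It assumes Node.js `crypto` with Ed25519 for the chip's signature and RSA-OAEP for the server's key; `chipMakeToken`, `serverRedeem`, `usedIds` and the `example.invalid` link are hypothetical names, and the keys are constructed for the demo.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo keys; on a real card the signing key never leaves the chip.
const chip = nodeCrypto.generateKeyPairSync('ed25519');
const server = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const DEMO_LINK = 'https://example.invalid/protected'; // placeholder target

// Chip: put a fresh identifier and the link in a token, encrypt it to the
// server's public key, then sign the ciphertext with the chip's private key.
function chipMakeToken(link) {
  const id = nodeCrypto.randomBytes(16).toString('hex');
  const plaintext = Buffer.from(JSON.stringify({ id, link }), 'utf8');
  const ciphertext = nodeCrypto.publicEncrypt(
    { key: server.publicKey, oaepHash: 'sha256' }, plaintext);
  const signature = nodeCrypto.sign(null, ciphertext, chip.privateKey);
  return {
    ciphertext: ciphertext.toString('base64'),
    signature: signature.toString('base64'),
  };
}

// In-memory for the demo; a real server needs a persistent, atomic store.
const usedIds = new Set();

// Server: verify the signature, decrypt, refuse identifiers seen before.
function serverRedeem(token) {
  const ciphertext = Buffer.from(token.ciphertext, 'base64');
  const signature = Buffer.from(token.signature, 'base64');
  if (!nodeCrypto.verify(null, ciphertext, chip.publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let claim;
  try {
    claim = JSON.parse(nodeCrypto.privateDecrypt(
      { key: server.privateKey, oaepHash: 'sha256' }, ciphertext).toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'undecryptable' };
  }
  if (usedIds.has(claim.id)) return { ok: false, reason: 'replayed' };
  usedIds.add(claim.id);
  // The server would now fetch claim.link itself and relay the response,
  // so relayTarget stays server-side and is never sent to the user.
  return { ok: true, relayTarget: claim.link };
}
```

The identifier check only rejects a second redemption: a token copied before its first use is still accepted once, so the chip has to produce a new token for every scan.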
0

It's not impossible, but it may be very expensive for a product. We can use a random pattern for each label (maybe fibers, like those mostly used in banknotes), and you can use anti-scan ink and photo-blocker ink (used mostly on license plates).

  • 1
    "You can use anti-scan ink" is explicitly ruled out by the author's desire for "some sort of QR code or chip that can be readily scanned". – J Kimball Apr 06 '16 at 11:48
  • So sorry, I got a little confused here. So what does the author want to protect? The QR code image, or the value of the QR code/the website link? If it is the image that the author wants to protect, maybe you can use security paper/ink. If the author wants to protect the value, maybe he can make some encryption/decryption apps with user authentication to generate and read/scan the QR code. – Febri Ade Putra Manusama Apr 11 '16 at 08:10
0

What about combining several factors to make it unique? Like an SMS text callback confirmation, or requiring a facial pic of the user to unlock the scanned QR code?

schroeder
0

Use a hard-to-find or hard-to-buy paper color that cannot be copied, like metallic ones, watermarked, ...

jippie