QR Generator === This has some code to generate QR codes for use in the camera setup for the PIU. ``` python3 -m http.server ``` Go to ``` http://localhost:8000/qr_mag.html ``` --- For future reference, here is a proposal to generate QR codes for one time use: * Generate a list of secret bit string pairs (`s_pub`,`s_hash`) * `s_hash` should be at least as long as the longest credential string * Distribute the bit string pairs to the fleet, housing them on the DIU * Server side, when a rider wants a QR code, give generate as follows: - hash the credential (call it a virtual magstripe, `vmag`, for ease) with `s_hash` - create the string `qrstr` as `%s_pub@` (where `` is the xor of `vmag` and `s_hash` and `b64` is the base64 encoding of the xor) - generate a QR code of `qstr` and give the rider a PDF (or whatever else) - mark the pair as 'used' server side * When the rider presents the QR code to the PIU/DIU, the DIU will decode as follows - look in the local database of bit string pairs for the `s_pub` - if `s_pub` doesn't exist, reject outright - if `s_pub` exists but is marked as used, reject - if `s_pub` exists and isn't used, retrieve the `s_hash` string - `xor` the `s_hash` string with the encoded string to retrieve the credential - process the credential (`vmag`) as normal * DIUs will communicate back to the server about used bit string pairs * The server will push out an update message to invalidate certain bit string pairs based on what's been used There might need to be some fiddling with the base64 encoding to make sure it works out and doesn't become too large. If the messages are through a different channel or through a known channel but masked as debug or update messages that are ignored by the legacy system, it should be able to be used in tandem with the legacy system without issue. Some notes: * `s_pub`, while "public", doesn't give enough information, by itself, to get free rides * Seeing the QR code will not allow someone snooping to glean what the credential is as it's masked with the `s_hash` bit string * If someone manages to get the QR code, this only allows the thief to use the card once * "Double spending" of the QR code reduces to double spending of the credential as it maps back to an underlying credential References --- * [QRCode.js](https://github.com/davidshimjs/qrcodejs)