Home Esplora
Accedi
clementinecomputing
/
popufare
1
0
Forka 0
File Problemi 12 Pull Requests 0 Wiki
Ramo (Branch): release
Rami (Branch) Tag
popufare
/
server
/
qr_generator
/
Notes.md

Notes.md 2.4 KB
Permalink Cronologia Originale

QR Generator

This has some code to generate QR codes for use in the camera setup for the PIU.

python3 -m http.server

Go to

http://localhost:8000/qr_mag.html

For future reference, here is a proposal to generate QR codes for one time use:

  • Generate a list of secret bit string pairs (s_pub,s_hash)
  • s_hash should be at least as long as the longest credential string
  • Distribute the bit string pairs to the fleet, housing them on the DIU
  • Server side, when a rider wants a QR code, give generate as follows:
    • hash the credential (call it a virtual magstripe, vmag, for ease) with s_hash
    • create the string qrstr as %s_pub@<b64(xor(vmag,s_hash))> (where <xor...> is the xor of vmag and s_hash and b64 is the base64 encoding of the xor)
    • generate a QR code of qstr and give the rider a PDF (or whatever else)
    • mark the pair as 'used' server side
  • When the rider presents the QR code to the PIU/DIU, the DIU will decode as follows
    • look in the local database of bit string pairs for the s_pub
    • if s_pub doesn't exist, reject outright
    • if s_pub exists but is marked as used, reject
    • if s_pub exists and isn't used, retrieve the s_hash string
    • xor the s_hash string with the encoded string to retrieve the credential
    • process the credential (vmag) as normal
  • DIUs will communicate back to the server about used bit string pairs
  • The server will push out an update message to invalidate certain bit string pairs based on what's been used

There might need to be some fiddling with the base64 encoding to make sure it works out and doesn't become too large.

If the messages are through a different channel or through a known channel but masked as debug or update messages that are ignored by the legacy system, it should be able to be used in tandem with the legacy system without issue.

Some notes:

  • s_pub, while "public", doesn't give enough information, by itself, to get free rides
  • Seeing the QR code will not allow someone snooping to glean what the credential is as it's masked with the s_hash bit string
  • If someone manages to get the QR code, this only allows the thief to use the card once
  • "Double spending" of the QR code reduces to double spending of the credential as it maps back to an underlying credential

References