
Department of Electronics & Communication Engineering


Course No: ECE 4000

Submitted by: Mamdudul Haque Khan
Date of submission: 03.10.2013
Roll: 0909038
Department: ECE
Year: 4th, Semester: 1st

Abstract:
Computers and mobile phones are widespread, and many everyday objects come equipped with this technology. The comfort and convenience they provide have certainly made our lives much easier than ever before. Mark Weiser said, "The most profound technologies are those that disappear." Two brilliant features found in modern cell phones are the integration of digital cameras and the ability to access the Internet anytime and anywhere, which enables us to seek information when we need it. A user with a camera phone equipped with the correct reader software can scan a two-dimensional (2D) barcode and decode it to launch and redirect the phone's browser to an embedded URL or to resolve text embedded in the scanned barcode. When a code contains important data or private information, security becomes an important problem. QR codes simply feature a square code with a unique pattern that provides security for your data and private information. In this paper, we discuss the different data types of QR codes, the data encoding process and the security application areas.

Contents:
Articles

1. What is QR code
2. Structure of the QR Code
3. The Specifications of the QR Code
4. Encoding Data
5. Security application of QR code
6. In other application
7. Threat & Possible solution
8. Conclusion

What is QR code?
A QR Code (QR is short for Quick Response) is a two-dimensional matrix code: a matrix-type symbol with a cell structure arranged in a square. It was invented by Denso, one of the major Toyota group companies, and approved as an ISO international standard (ISO/IEC 18004) in June 2000. QR codes are made up of black squares and white squares. Each of these squares is called a module. The number of available squares is determined by the number of rows and columns a code contains. There are 40 versions, and a version 40 code allows for a total of 31,329 squares. A QR code can store different kinds of information, such as a link, plain text, an SMS text message, addresses, URLs, email, phone numbers or contact information, and data is encoded and decoded in both the vertical and horizontal directions at high speed. QR codes can be used to exchange information between mobile phones and to connect to the mobile web. They can be considered physical hyperlinks that give users whose mobile devices can scan QR Codes access to additional information located on a web page.

Structure of the QR Code:

Fig: Different parts of a QR code

Finder Pattern (1): The finder pattern consists of three identical structures that are located in three corners of a QR Code. Each pattern is based on a 3x3 matrix. The finder pattern (shown below) consists of an outer black square that is 7 modules by 7 modules, an inner white square that is 5 modules by 5 modules, and a solid black square in the center that is 3 modules by 3 modules. The module widths of the finder pattern have a ratio of 1:1:3:1:1.

The Finder Patterns enable the decoder software to recognize the QR Code and determine the correct orientation, meaning that the position, the size, and the angle of the symbol can be detected. These patterns also allow 360 degree (omni-directional) high-speed reading of the code.

Separators (2): The white separators have a width of one pixel and improve the recognizability of the Finder Patterns as they separate them from the actual data.

Timing Pattern (3): A pattern for identifying the central coordinate of each cell in the QR Code, with black and white patterns arranged alternately. It is used for correcting the central coordinate of the data cell when the symbol is distorted or when there is an error in the cell pitch. It is arranged in both vertical and horizontal directions. The timing patterns define the positioning of the rows and columns.

Alignment Pattern (4): This pattern allows the QR reader to correct for distortion when the code is bent or curved. The alignment pattern appears on version 2. This acts as a reference point for the scanner, making sure everything lines up properly. An alignment pattern, shown below, consists of a 5 module by 5 module black square, an inner 3 module by 3 module white square, and a single black module in the center.

It is highly effective for correcting nonlinear distortions. The central coordinate of the alignment pattern will be identified to correct the distortion of the symbol. For this purpose, a black isolated cell is placed in the alignment pattern to make it easier to detect the central coordinate of the alignment pattern.

Data Area (6): The QR Code data will be stored (encoded) into the data area and is converted into a bit stream. The data will be encoded into the binary numbers of 0 and 1 based on the encoding rule. The binary numbers of 0 and 1 will be converted into black and white cells and then will be arranged. The data area will have Reed-Solomon codes incorporated for the stored data and the error correction functionality.

Format Information (5): This tells the scanner whether it's a website, text message, Chinese symbols, numbers, or any combination of these. This section consists of 15 bits and contains the error correction rate and the selected mask pattern of the QR code. The error correction level can be identified from the first two modules of the timing pattern. The format information is read first when the QR code is decoded.

Error Correction (7): The data code words are used in order to generate the error correction (EC) code words, which are stored in the error correction section.

Remainder Bits (8): This section contains empty bits if the data or the error correction bits cannot be divided into 8 bit code-words without a remainder.

The Specifications of the QR Code:


All-Direction (360°) High-Speed Reading:

Matrix symbols are read using a CCD sensor (area sensor). The data of the scan line captured by the sensor is stored in memory. The software then analyzes the details, identifies the finder patterns, detects the position/size/angle of the symbol, and carries out the decoding process. Traditional two-dimensional symbols used to take much time for detecting the position/angle/size of the symbol, and their readings were less accurate than those of linear symbols. QR Code has finder patterns for notifying the position of the symbol arranged in three of its corners to enable high-speed reading in all directions (360°). The ratio between black and white along a scan line that runs through the finder patterns is always 1:1:3:1:1 when seen from any direction among the 360° surrounding it. By detecting this specific ratio, the finder pattern can be detected in the image captured by the CCD sensor to identify the position of the QR Code in a short period of time. Additionally, by identifying the positional relationships of the three finder patterns listed in Figure 5 within the image field of the CCD sensor, the size (L), the angle (), and the outer shape of the symbol can be simultaneously detected. By arranging the finder patterns in the three corners of the symbol, the decoding speed of the QR Code can be made 20 times faster than that of other matrix symbols. Additionally, detecting finder patterns can be easily implemented in hardware, and can also be accelerated.

Figure: Identifying a QR Code

Resistant to Distorted Symbols:


Symbols often get distorted when attached onto a curved surface or by the reader being tilted (angled between the CCD sensor face and the symbol face). To correct this distortion, QR Code has alignment patterns arranged with a regular interval within the range of the symbol.


The variance between the centre position of the alignment pattern estimated from the outer shape of the symbol and the actual centre position of the alignment pattern will be calculated to have the mappings (for identifying the centre position of each cell) corrected. This will make the distorted linear/ non-linear symbols readable.

Figure: Correcting Distorted Symbols

Masking Process:
Masks are used to generate QR Codes with a good distribution of black and white modules (close to 50:50 and distributed well over the whole code). This increases the contrast of the picture and thus helps devices to decode it. To accurately finalize the data that had been read, it is necessary to arrange the white and black cells in a well-balanced manner. To enable this, EX-OR calculation will be implemented between the data area cell and the mask pattern (template) cell when encoding the stored data and arranging it into the data area. Then, the number of unique patterns existing and the balance between the white cells and the black cells will be assessed against the data area where the calculation had been implemented. There are eight mask patterns. Assessment will be made for each mask pattern, and the mask pattern with the highest assessment result together with the EX-OR calculation result will be stored into the data area.

Figure: Masking Process

Each mask pattern uses a formula to determine whether or not to change the color of the current bit. You put the coordinates of the current bit into the formula, and if the result is 0, you use the opposite bit at that coordinate. Here is the list of the mask pattern formulas. It should have i corresponding to rows and j corresponding to columns.
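The EX-OR masking step as an added example (not part of the original report): the eight conditions are the ones defined in ISO/IEC 18004, with i as the row and j as the column, and the scoring is a simplification that looks only at the black/white balance instead of the full assessment. `reserved` is an assumed set of function-pattern coordinates that masking must skip.

```python
# Mask conditions from ISO/IEC 18004; a module is inverted where the
# condition holds (the formula evaluates to 0). i = row, j = column.
MASKS = [
    lambda i, j: (i + j) % 2 == 0,
    lambda i, j: i % 2 == 0,
    lambda i, j: j % 3 == 0,
    lambda i, j: (i + j) % 3 == 0,
    lambda i, j: (i // 2 + j // 3) % 2 == 0,
    lambda i, j: (i * j) % 2 + (i * j) % 3 == 0,
    lambda i, j: ((i * j) % 2 + (i * j) % 3) % 2 == 0,
    lambda i, j: ((i + j) % 2 + (i * j) % 3) % 2 == 0,
]


def apply_mask(matrix, mask_id, reserved=frozenset()):
    """XOR the data modules with mask pattern mask_id.

    matrix is a list of rows of 0 (white) / 1 (black). Coordinates in
    reserved (finder, timing, format areas; assumed input) are left alone.
    Applying the same mask twice restores the original, which is how a
    reader removes it.
    """
    cond = MASKS[mask_id]
    return [
        [bit ^ 1 if (i, j) not in reserved and cond(i, j) else bit
         for j, bit in enumerate(row)]
        for i, row in enumerate(matrix)
    ]


def dark_ratio(matrix):
    """Fraction of black modules in the matrix."""
    total = sum(len(row) for row in matrix)
    return sum(map(sum, matrix)) / total


def best_balanced_mask(matrix, reserved=frozenset()):
    """Pick the mask whose result is closest to a 50:50 balance.

    Simplified scoring for illustration: only the balance is assessed,
    not runs or finder-like patterns.
    """
    scores = [abs(dark_ratio(apply_mask(matrix, m, reserved)) - 0.5)
              for m in range(len(MASKS))]
    return min(range(len(MASKS)), key=scores.__getitem__)


if __name__ == "__main__":
    blank = [[0] * 6 for _ in range(6)]        # constructed all-white data area
    chosen = best_balanced_mask(blank)
    for row in apply_mask(blank, chosen):
        print("".join("#" if b else "." for b in row))
```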

Information Type and Volume:


QR Code can handle various types of data such as numerical characters, alphabets, signs, Kanji characters, Hiragana, Katakana, control signs, and images. It can basically have character sets supported by ISO/IEC 646 and ISO/IEC 10646. These data can also coexist. The maximum available volume of the information is listed in Table.

Symbol Size:
QR Code can have its size freely selected according to the data volume to be stored and the reading method. The symbol size is incremented by four cells in both vertical and horizontal direction - 21x21 cells, 25x25 cells, 29x29 cells..., and there are 40 size types with the maximum size set to 177x177 cells. For example, in the case for 45x45 cells, if a single square cell is sized 0.25mm, one side of the symbol will be 45x0.25mm = 11.25mm. The quiet zone will need to be added on both sides of the symbol whose minimum size is four cells, and therefore, the space required for having this symbol printed will be a square of (4+45+4) x0.25mm which is 13.25mm.

Error Correction Functionality:


QR Code has error correction functionality for restoring the data. The error correction functionality is implemented according to each of the smudge/damage, and utilizes Reed-Solomon code, which is highly resistant to burst errors. Reed-Solomon codes are arranged in the QR Code data area. With this error correction functionality, the codes can be read correctly even when they are smudged or damaged, up to the error correction level. There are four different restoration levels so that you can select the level that matches each usage environment. Each restoration capability is as listed in Table.

The Confidentiality of the Code:


By making the relationship between the character type and the stored data unique for a special usage, QR Code can be easily encrypted. Unless the conversion table between the character type and the stored data is deciphered, no one will be able to read the QR Code.

Data Conversion Efficiency:


QR Code has four types of conversion mode - numerical characters, alphanumerical/signs, binary, and Kanji characters for encoding the data. Each mode has had considerations to improve its conversion efficiency. The number of cells required for each character in each mode is listed in Table.

Encoding Data:
The message data is placed from right to left in a zigzag pattern. The data bits are placed starting at the bottom-right of the matrix and proceeding upward in a column that is 2 modules wide. The QR code encoding process includes the inputting of the encoded data up to the generation of the QR code diagram.

Fig: QR code encoding flowchart

The QR code decoding includes determining the region of the QR code up to obtaining the encoded character string.

Fig: QR code decoding flowchart

The data bits are placed starting at the bottom-right of the matrix and proceeding upward in a column that is 2 modules wide. When the column reaches the top, the next 2-module column starts immediately to the left of the previous column and continues downward. Whenever the current column reaches the edge of the matrix, move on to the next 2-module column and change direction. If a function pattern or reserved area is encountered, the data bit is placed in the next unused module.

Fig: Data encoding process

There are several different source encodings specified for the information contained in the code.

Numeric mode: just encoding decimal digits 0 through 9, thus being able to pack a lot of data in one picture.

Alphanumeric mode: a set of characters containing upper case letters (not lowercase!) and several additional characters like the symbols $, %, *, +, -, ., /, and : as well as a space.

Byte mode: by default, is for characters from the ISO-8859-1 character set. However, some QR code scanners can automatically detect if UTF-8 is used in byte mode instead.

Kanji mode: It is for double-byte characters from the Shift JIS character set. While UTF-8 can encode Kanji characters, it must use three or four bytes to do so. Shift JIS, on the other hand, uses just two bytes to encode each Kanji character, so Kanji mode compresses Kanji characters more efficiently. If the entire input string consists of characters in the double-byte range of Shift JIS, use Kanji mode. It is also possible to use multiple modes within the same QR code.

Extended Channel Interpretation (ECI) mode: It specifies the character set (e.g. UTF-8) directly. However, some QR code readers do not support ECI mode and will not understand QR codes that use it.

Structured Append mode: It encodes data across multiple QR codes, up to a maximum of 16 QR codes. I will not be discussing this mode in this tutorial but may add more information at a later time.

FNC1 mode: It allows the QR code to function as a GS1 barcode. I will not be discussing this mode in this tutorial but may add more information at a later time.

Four-bit indicators are used to select the encoding mode and convey other information. Encoding modes can be mixed as needed within a QR symbol.

Security application of QR code:


QR code based mobile payment process:

Step #0: A registered mobile user uses his/her user account and PIN to log in to the mobile payment system by sending a login request to the mobile payment server. The mobile server processes mobile client authentication and sends a login response with the server certificate ID and secured session ID, as well as a public key for the communications.

Step #1: The mobile client authenticates the mobile server with the received public key and server's certificate.

Step #2: The mobile client captures or receives a QR code for a product of interest from its advertisement. There are two scenarios in which a mobile user can get a QR code. In the first case, a mobile user may use the camera on the mobile device to capture the image of a QR code from a posted product. In the second case, a mobile user may receive a mobile ad on a mobile device from a merchant. Meanwhile, the mobile client decodes the received QR code, which includes product and maker's information, marketing data, and the merchant's mobile URL information.

Step #3: The mobile user clicks the given QR code to switch to the target merchant's mobile site using the URL provided in the received QR code.

Step #4: The mobile user prepares and submits a purchasing request with a digital signature as a QR code to the merchant server.

Step #5: The merchant server authenticates the mobile client based on the secured session ID provided by the mobile client, as well as the public key. Meanwhile, the received signed request is validated by the merchant using the private key.

Step #6: The merchant server generates and sends a signed purchase invoice with a transaction ID to the mobile client.

Step #7: The mobile client prepares and sends a payment request with the same transaction ID and a digital signature to initiate a payment request. The digital signature is made using the client private key. The entire message is encoded as a QR code.

Step #8: A secure session is established between the payment server and the mobile client. In this step, the payment server validates the given security information, including the certificate from the mobile client, session ID, public key, and received digital signature. The mobile payment server processes the payment transaction.

Step #9: The payment server prepares and sends a payment confirmation with a QR code receipt to the mobile client. The mobile client displays the received confirmation message to the mobile user.

Step #10: The mobile server also sends a payment transaction completion notice with a QR code to the merchant server. This code will be useful for the merchant to carry out the post-sale operations, such as pick-up validation or product delivery.

Personal account/webpage login:


Instead of entering an account password on public computers that might be infected with keystroke loggers, Google is experimenting with a new login mechanism for users on public computers: authentication via QR codes scanned by mobile devices. QR codes can be used to log in to websites: a QR Code is shown on the login page on a computer screen, and when a registered user scans it with a verified smartphone, they are automatically logged in on the computer. Authentication is performed by the smartphone, which contacts the server. Google tested such a login method in January 2012. The code contains the address of the central server plus the unique identifier of the token that the server has assigned to the session on the desktop computer. After scanning the code, the phone opens a page that checks whether the phone has been used with this service before by looking for a cookie containing encrypted information about the user's credentials (hash of username/user id). The hash is checked against the server's database and, if it is valid, the token in the database is updated with the information that access is granted to user X. The phone shows that the user has logged in to site XYZ. The browser on the desktop constantly checks the status of the token, and once it says that the user has logged in, it redirects to the secure part of the website. The Google login prompt will appear on your phone, and logging in there will log you into a session on the desktop. This prevents the user from having to type sensitive login credentials into a public machine, which could be compromised with keylogging software. The new QR code feature is an alternative to Google's 2-step verification, which generates a unique short code on your mobile that you must input for each desktop login, using the presence of your phone as a form of identification.
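A minimal server-side model of the token flow described above, added here as an example and not Google's implementation: the class and method names, the 120-second lifetime, the random device cookie and the separate desktop secret are assumptions. It shows the properties this design depends on: unguessable tokens, short expiry, approval only from an enrolled phone, and single use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime of a QR code shown on the login page


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


class QrLoginServer:
    """Hypothetical in-memory model of the server side of a QR login."""

    def __init__(self, base_url, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.clock = clock
        self.devices = {}    # sha256(device cookie) -> user id
        self.sessions = {}   # sha256(token) -> session record

    def enroll_device(self, user_id):
        """Done once after a normal login on the phone; returns its cookie."""
        cookie = secrets.token_urlsafe(32)
        self.devices[_digest(cookie)] = user_id   # only the hash is stored
        return cookie

    def start_desktop_session(self):
        """Desktop opens the login page: returns (QR URL, token, desktop secret).

        The token goes into the QR code; the desktop secret stays in the
        browser, so seeing the QR code alone is not enough to redeem it.
        """
        token = secrets.token_urlsafe(32)
        desktop_secret = secrets.token_urlsafe(32)
        self.sessions[_digest(token)] = {
            "expires": self.clock() + TOKEN_TTL_SECONDS,
            "desktop": _digest(desktop_secret),
            "user": None,
        }
        return f"{self.base_url}/qr-login?t={token}", token, desktop_secret

    def _live(self, token):
        record = self.sessions.get(_digest(token))
        if record is not None and self.clock() >= record["expires"]:
            del self.sessions[_digest(token)]     # expired codes are forgotten
            return None
        return record

    def approve_from_phone(self, token, device_cookie):
        """Phone scanned the code: grant only for a known device, only once."""
        record = self._live(token)
        user = self.devices.get(_digest(device_cookie))
        if record is None or user is None or record["user"] is not None:
            return False
        record["user"] = user
        return True

    def poll_from_desktop(self, token, desktop_secret):
        """Desktop browser checks the token status."""
        record = self._live(token)
        if record is None or not hmac.compare_digest(
                record["desktop"], _digest(desktop_secret)):
            return ("denied", None)
        if record["user"] is None:
            return ("pending", None)
        del self.sessions[_digest(token)]         # single use
        return ("granted", record["user"])


if __name__ == "__main__":
    server = QrLoginServer("https://login.example")   # constructed host name
    phone_cookie = server.enroll_device("user-x")
    url, token, secret = server.start_desktop_session()
    print("QR code content:", url)
    print(server.poll_from_desktop(token, secret))
    print(server.approve_from_phone(token, phone_cookie))
    print(server.poll_from_desktop(token, secret))
```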

Short URLs and Tracking Codes:


It is important to be able to track how many people are using the codes once you have installed them. We found that the easiest way to do this was by using a URL shortening service, like goo.gl. URL shorteners take long links and make them short. This is helpful for reducing the overall size of a QR code, as the more text it has to encode, the bigger it has to be. More importantly, however, by generating a new unique URL that is associated only with the QR code, it is easier to see who is checking out your content through the code itself as opposed to people who are finding your content by searching YouTube or clicking on browser links. Goo.gl automatically keeps track of who is viewing your link and how with charts and detailed information.

Figure: URL shortening & tracking


Production management:
In order to maintain the quality of production, a great deal of man-hours used to be required to deal with picking-out mistakes, wrong items and out-of-stock items. QR codes are used in production. By checking that data matches at each production process, mistakes can be reduced, production history can be traced, and a reliable production management system can be established.

When picking out parts, QR codes on an instruction are matched with those on labels affixed to part shelves.

In the assembly process, QR codes on a production instruction are matched with those on product labels.

When storing product units in a warehouse, QR codes on production instruction are read in to collect data on stored items.

When shipping out product units, shipping management is carried out reading QR codes.

Data hiding:
In today's world, security is a big issue, and securing important data is essential so that the data cannot be intercepted or misused for any kind of unauthorized use. Hackers and intruders are always ready to get at the personal or important data of a person or an organization and misuse it in various ways. A busy, active person wants to keep valuable data like passport information, bank statements, social security number, etc. with himself/herself all the time, but is always afraid of doing so because this information is threatened and can be easily intercepted by outsiders for misuse. This problem can be solved by encrypting the data and hiding it in a QR Code. QR codes can contain contact information, so someone can easily scan a QR code, view your contact details, and add you on their phone. You can input your name, phone number, e-mail, address, website, memo, and more. In the modern world the most commonly used encryption technique in QR Codes is DES (Data Encryption Standard). Most institutions / organizations use their own custom methods to encrypt QR Code data.

In other application:
QR code for medical field:
Hospitals in some countries such as Japan, Hong Kong and Singapore have adopted QR Codes printed on patient wrist bands to identify the patients. Examples of information encoded in the QR Code are the patient's name, identification number, date of birth, sex, ward and bed numbers. The merit of using QR Codes in hospitals is to ensure that the right patient gets the right medicine or right treatment at the right time. QR Codes are also used in the blood test process. Collected blood is put in a test tube. The test tubes marked with QR Codes are inserted into the tester.

Picking task:
Since workers have to match items on a shipping, bus, departmental store list with actually delivered items with their eyes, the job usually takes up a great deal of time. Since it sometimes is difficult to distinguish similar items with eyesight alone, workers often make mistakes. By changing the conventional method of picking out items with eyesight to the code matching method, the burden on workers and the time required for the task can be reduced. When an item is picked out erroneously, a notifying sound is emitted, thereby eliminating mistakes.


A list of QR codes for shipping items to be picked out that is made from a shipping instruction is read in with a handheld terminal unit to register the data for picking.

Items are picked out following instructions displayed on the terminal unit by matching with codes on the labels affixed to the shipping boxes for the items.

When a code for an item not to be shipped out is read in, an error sound is emitted, and a vibrating response is made from the terminal, notifying the

QR Codes in Marketing & Advertisement:


There are a variety of good reasons to advertise using QR codes.

QR codes can lead users to more information about a product or service.
QR codes engage potential customers because they are interactive.
QR codes offer instant action. Remembering to do something in the future makes potential customers lose interest, but with a QR code, your action can be completed immediately, whether it is liking a page, watching a video or purchasing a product.
QR codes make typing in a long URL unnecessary.
QR code analytics can be used to assess the success of your advertising. There are many websites that offer a breakdown of how many scans your code gets, when it gets them, etc.
QR codes can fit in small spaces and can be scanned on computer screens, print ads, and television ads. QR codes can even be scanned off of someone else's cell phone's screen.

Figure: QR code in Advertisement

QR Codes are part of daily life in Japan, Korea, Taiwan, Hong Kong and China. A study published by MRI showed that out of 2053 Japanese mobile phone users, 90% have recognized a QR Code. McDonald's uses codes to inform users about the nutritional value of its burgers. Apple advertised the new iPod on billboards with QR codes. QR Codes used in a Nike advertising campaign allow direct access to a dedicated mobile site.

Threat:
One can distinguish two different threat models for manipulating QR Codes. First, an attacker may invert any module, changing it either from black to white or the other way round. Second, a more restricted attacker can only change white modules to black and not vice versa.

Attacking Human Interaction:


Humans cannot read the code without reader software; the information stored within the code is completely obfuscated. But by reading a manipulated QR code, a vulnerability in the reader software or the browser might get triggered. The modes of attack on QR codes are:

JavaScript based attacks
URI based attacks:
Phishing and Pharming based attacks
Downloaded malware/Trojan based attacks
Potential misuse of short URL and fraud

Phishing and Pharming: If QR Codes are used for links in augmented reality scenarios, an attacker might set up a fake website and redirect users by changing the QR Code. This is dangerous if some form of credentials is needed to access the website. The user has no possibility to verify that the link is not modified.

Fraud: QR Codes are often used in advertisements to direct the target audience to special offers or additional information about specific products. If the QR Code can be manipulated to redirect the user to a cloned website, an adversary could sell the solicited product without ever fulfilling the contract. The victim implicitly trusts the advertising company by following the link.

Attacking reader software: Different implementations of the reader software on computers or cell phones might be attackable via command injection or traditional buffer overflows if the encoded information is not sanitized. An attacker might gain control over the entire smartphone, including contact information or the victim's communication content like Email or SMS.

Social engineering attacks: Building on these attacks, more specific attacks like spear phishing or other variants of social engineering are enabled, depending on the goal of the attacker. Leaving a poster of a QR Code on the parking lot of a company (instead of the traditional attack with a USB drive) offering a discount in a nearby restaurant is a new attack vector which is likely to be successful.

Here's some practical advice on how to spot and avoid malicious QR codes:

Use a mobile QR code/barcode-scanning app that previews URLs.

Avoid scanning suspicious codes and links that don't seem to match the ads they're incorporated in; also avoid shortened links.

Don't scan QR codes in the form of stickers placed randomly on walls. QR codes can be generated by anybody and stuck on walls in public places. And in today's QR code hype, scammers think someone's bound to scan such a code, just out of curiosity. They can also stick malicious QR codes over legit ones on a billboard. So look closely at a QR code placed in a public place before you scan it.

Be extra careful if your smartphone works on the Android mobile operating system. Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser. That's why most malicious apps transmitted via QR codes target Android-based smartphones. So, make sure your Android browser is always up-to-date and only scan QR codes from trusted sources.

Install a mobile security app right away. An efficient mobile security suite can protect you from all living cyber-creatures, such as viruses, worms, Trojans, spyware and other malware that can be transmitted via QR codes.
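The URL-preview advice expressed as a check a scanner app could run on decoded text before offering to open it; this is an added example, not code from the report, and the shortener list and the `expected_hosts` parameter are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed sample list; goo.gl is the shortener named in this report.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript", "file"}
RANK = {"ok": 0, "warn": 1, "block": 2}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload, expected_hosts=()):
    """Classify text decoded from a QR code before anything is opened.

    Returns {"verdict": "ok"|"warn"|"block", "reasons": [...], "preview": str}.
    expected_hosts (assumed parameter): hosts the surrounding advert claims.
    """
    text = payload.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return {"verdict": "block", "reasons": ["control characters"],
                "preview": repr(text)}
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return {"verdict": "block", "reasons": ["malformed URL"],
                "preview": repr(text)}
    scheme = parts.scheme            # urlsplit already lower-cases it
    if not scheme:
        return {"verdict": "ok", "reasons": [], "preview": text}

    findings = []                    # (severity, reason) pairs
    if scheme in SCRIPT_SCHEMES:
        findings.append(("block", f"{scheme}: content is never opened from a scan"))
    elif scheme not in ("http", "https"):
        findings.append(("warn", f"{scheme}: hands the payload to another app"))
    else:
        if not host:
            findings.append(("block", "URL has no host"))
        if has_userinfo:
            findings.append(("block", "text before '@' disguises the real host"))
        if scheme == "http":
            findings.append(("warn", "no TLS"))
        if host in SHORTENER_HOSTS:
            findings.append(("warn", "shortened link hides the destination"))
        if _is_ip(host):
            findings.append(("warn", "raw IP address instead of a name"))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("warn", "punycode host may imitate another name"))
        if expected_hosts and not any(
                host == h or host.endswith("." + h) for h in expected_hosts):
            findings.append(("warn", "host does not match the advertiser"))

    verdict = max((sev for sev, _ in findings), key=RANK.get, default="ok")
    # The preview shows the host that will really be contacted.
    preview = f"{scheme}://{host}{parts.path}" if host else text
    return {"verdict": verdict, "reasons": [r for _, r in findings],
            "preview": preview}


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real codes.
    for sample in ["https://shop.example/menu", "https://goo.gl/abc123",
                   "https://shop.example@login.other.example/",
                   "javascript:void(0)", "Table 12"]:
        print(sample, "->", triage_qr_payload(sample, ("shop.example",)))
```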
