Barcodes

Posted: Thu Jul 23, 2009 9:02 am
by William
Hey all,

I'm working on a project that allows a user to download a barcode, print it out, give it to someone, and scan it back in. (This isn't exactly how it works, but to explain it to you simply, that is the best way.)

Anyways, think of it like a confirmation link you send to someone's inbox: the hash links to an entry in the database. It's not the user's ID, because then anyone could confirm anyone's account, etc.

Now, when I store data in this barcode I'm trying to think of the best method. Do I generate a unique hash, store it in our database and then when someone scans this barcode in it checks that hash in our database?

Or it can be simply something like sha512 + id + salt. I'm a bit interested in what other people's opinions are.

Re: Barcodes

Posted: Fri Jul 24, 2009 1:04 pm
by kaisellgren
I have two questions. What are these barcodes used for and how do you generate these? Sounds kinda interesting.

Re: Barcodes

Posted: Fri Jul 24, 2009 2:44 pm
by William
Faxing. When a user receives a fax there will be a barcode on the coversheet. When a user sends back a fax they'll use our coversheet so that our servers will be able to recognize the barcode, decode it, and use that to relate to their account.

I think what I'll end up doing is having a table that has all the current faxes going on with a unique code randomly generated for each one. This will make it impossible to fake since there is no possible way for the user to generate their own (since it's just random).

As for how I generate them, there are tons of libraries online for different types of barcode generators in multiple languages. We'll be using QR_Code most likely. The problem is anyone can decode / encode the data, so I was just wondering the best method of doing this. It was kind of a stupid question really.

Thanks

Re: Barcodes

Posted: Sat Jul 25, 2009 3:12 am
by kaisellgren
Tough subject. I thought faxes are dead, apparently not. Can't you modify your generator or use some sort of key so that no one can create fake barcodes? How easy and fast is it to send fake barcodes? The easier and faster it is, the more strength your barcodes have to contain. For example, if your barcode has a strength of 32-bits in a digital form, you would need to create a fax with a barcode containing information that is capable of producing 2^32 different possibilities. If you have a black and white picture (2 different colors per point/pixel), then having a barcode with a strength of 32-bits needs to contain 32 points/pixels.

Re: Barcodes

Posted: Sat Jul 25, 2009 9:06 am
by William
kaisellgren wrote: Tough subject. I thought faxes are dead, apparently not. Can't you modify your generator or use some sort of key so that no one can create fake barcodes? How easy and fast is it to send fake barcodes? The easier and faster it is, the more strength your barcodes have to contain. For example, if your barcode has a strength of 32-bits in a digital form, you would need to create a fax with a barcode containing information that is capable of producing 2^32 different possibilities. If you have a black and white picture (2 different colors per point/pixel), then having a barcode with a strength of 32-bits needs to contain 32 points/pixels.

You can generate a barcode instantly. Think of the barcode like a base64_encode(). It's really fast and that's all it does, encodes it into a small square. The point of a barcode isn't to hide information, it's just to encode it into a square so it can easily be scanned into a picture and analyzed. That being said, I think I'll just assign maybe a sha512 hash (it would be hashing random data from probably urandom) and store that in the database. This "hash" would be valid until the fax is sent. No other person can fake this "fax" transaction unless they had this exact hash. Sure, once lots of fax transactions are going through there will be lots of hashes in the database, but there won't ever be "that many".

To give you a bit more information, we prefer them "not" to use a fax. Fax is just an option.

So the only time there could ever be conflict is if someone sent in a fax with a barcode containing 64 characters that matched a current "active" fax. Plus, usually faxes are handled within a day, so the chances are slim. And if they are, hopefully we'll be able to validate if it's a bad document or not. So if anything, it would be luck, plus there is "no" gain for the person to do this, to be honest, they would have NO way of even knowing if it was successful or not.

Although I do like to think of the "possibility". You never know when some script kiddie might leave a bot running for like 6 months hoping that it might mess something up.

Re: Barcodes

Posted: Sat Jul 25, 2009 9:24 am
by kaisellgren
Don't use hashes. Just read /dev/urandom and convert it to hexadecimal base and use it. Reading 32-bytes from /dev/urandom will create so many possibilities that no one is going to brute force (create fakes and try to use them).
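
The scheme the thread converges on (a table of active faxes, each with a 32-byte random code read from the OS random source and hex-encoded into the barcode) is sketched below as an added example; it is not code from either poster. The table name `active_fax`, the function names, the one-day lifetime and the single-use deletion are assumptions made for the illustration, and `guess_success_probability` puts a number on the "bot running for 6 months" worry.

```python
import os
import sqlite3
import time

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG (what /dev/urandom provides)
HEX_DIGITS = set("0123456789abcdef")

def open_db():
    # In-memory database so the example runs offline; schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE active_fax (token TEXT PRIMARY KEY, "
               "account_id INTEGER NOT NULL, expires_at REAL NOT NULL)")
    return db

def issue_token(db, account_id, ttl_seconds=86400, now=None):
    """Create the value that gets encoded into the cover-sheet barcode."""
    now = time.time() if now is None else now
    token = os.urandom(TOKEN_BYTES).hex()  # 64 hex characters, no hashing step
    db.execute("INSERT INTO active_fax VALUES (?, ?, ?)",
               (token, account_id, now + ttl_seconds))
    db.commit()
    return token

def redeem_token(db, scanned, now=None):
    """Return the account id for a scanned barcode, or None. Single use."""
    now = time.time() if now is None else now
    # The barcode content is attacker-controlled: accept only the exact format.
    if len(scanned) != TOKEN_BYTES * 2 or not set(scanned) <= HEX_DIGITS:
        return None
    row = db.execute("SELECT account_id FROM active_fax "
                     "WHERE token = ? AND expires_at > ?",
                     (scanned, now)).fetchone()
    if row is None:
        return None
    # Delete on use so a copied cover sheet cannot be replayed.
    cur = db.execute("DELETE FROM active_fax WHERE token = ?", (scanned,))
    db.commit()
    return row[0] if cur.rowcount == 1 else None

def guess_success_probability(active_tokens, guesses):
    """Union-bound upper limit on any blind guess hitting an active token."""
    return min(1.0, active_tokens * guesses / 2 ** (8 * TOKEN_BYTES))

if __name__ == "__main__":
    db = open_db()
    token = issue_token(db, account_id=42)
    print(token, redeem_token(db, token), redeem_token(db, token))
    # 10,000 active faxes, 1,000 guesses per second for about six months
    print(guess_success_probability(10_000, 1000 * 86400 * 182))
```
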