1 Introduction

Quick Response (QR) codes [1, 2] are an advanced version of traditional barcodes. A 1-dimensional barcode holds 10–20 characters of information. To store more information, a 2-dimensional code known as a QR code is used. The main difference is that a barcode represents data along the horizontal axis only, whereas a QR code represents data along both the horizontal and vertical axes. Figure 1 gives an illustration of a QR code. The salient features of QR codes are as follows:

Fig. 1 QR code

  • High Capacity Data Encoding: More capacity as compared to 1-D barcodes, and the data is stored in two dimensions

  • Small Printing Size: More data in compact form is displayed in small square print area

  • Dirt and Damage Resistant: Error correction technique such as Reed–Solomon codes ensures the reliability of QR codes

  • Easy Decoding: A QR code can be read from any orientation (360°) and decoded using a mobile phone application. This ease of decoding has led to widespread use of QR codes in businesses and secure applications

The augmented reality application of QR codes [3] extracts the information in QR codes and represents it in 3D format. The capacity of QR code is the amount of information stored and is dependent on the following factors:

  • Version of QR code

  • Encoded data type

  • Error correction level

There are 40 versions of QR codes, and the capacity of QR codes increases with the version number. There are four data types supported by QR codes: numeric, alphanumeric, kanji and byte. In Reed–Solomon encoding, zeroes are appended to the polynomial formed from the data words, their number set by the highest power present in the generator polynomial, and the result is divided by the generator polynomial. The decimal representation of the remainder is used to define the error correction codewords. The error correction code using Reed–Solomon [4, 5] recovers partially lost data in a QR code.

1.1 Encryption: Data Encryption Standard

Data Encryption Standard known as DES is a symmetric encryption algorithm that uses the same key for encoding and decoding. DES as a block cipher divides the data into blocks of 64 bits, and the encryption algorithm is applied to each block simultaneously. The proposed approach uses DES to encode the product ID. For more secure applications, AES is used in QR codes. Figure 2 illustrates the working of DES algorithm.

Fig. 2 Working of DES Algorithm

1.1.1 DES block size: 64 bits

 

Key size: Though the key length is 64 bits, the last bit of every byte is a parity bit and is not used for encryption. So, the key size is 56 bits.

Input: 64-bit block of data bits, 56-bit key

Output: 64-bit cipher text

Here, Block T is the transposition block, where the bit order is varied. The sub-block consists of a series of 16 rounds, each comprising substitution and permutation. In each of the 16 rounds, shifting, permutation and exclusive-OR operations are performed on the key and data bits. Substitutions and permutations are always done with reference to look-up tables.

Example:

Sample data: “YOU12345”

Key used: 0E329232EA6D0D73

Encrypted data: Z+7XwGEP508=

2 Related Work

Pre-processing of low-quality QR codes [6] deals with blurred and wrapped images and uses an intrinsic approach and a stored database to restore the quality of the QR code. Detection of QR codes in high-resolution images [7], based on matrix code detection and Hough’s recognition method, uses a pre-detection approach and reduces the complexity of QR codes. Identity Document Authentication with Visual Secret Sharing (VSS) and QR codes [8] considers a secret image that is encoded in two different images and further encoded into two distinct QR codes. The first part is printed on the ID card, and the second part is stored in the database. To check a genuine ID card, the printed QR code is scanned and verified with the existing database file. The main limitation of this approach is that the QR code printed on the ID card can be copied and misused. QR codes provide enhanced digital services [9] in various departments of government services. QR codes used by the National Park Service store web links and interactive pages of location coordinates that help to find a valid path in the park. This approach can be extrapolated and scaled to provide enhanced digital services. The main limitation of this approach is the phishing attack. SafeQR [10] is based on two-level security using two APIs, the Google Safe Browsing API and the PhishTank API, which enhance malicious URL and malware detection in the system. Both APIs enable the user to consistently check the URL against an updated database of malicious URLs. This method first verifies the URL against the Google Safe Browsing list and then against the PhishTank list to validate a genuine URL. QR codes are used to keep track of beverage consumption [11]: QR labels carrying QR codes are allocated to each employee with a unique ID. To buy any beverage such as coffee or tea, two QR codes are scanned: (i) the employee QR code and (ii) the product QR code. 
With the confirmation of matched database, coffee is dispensed from the machine, amount is deducted from the user account, and the corresponding e-mail is sent to the employee. Embedding barcode to perform phishing attacks [12] uses 2D barcodes such as Aztec, Data Matrix. Multi-level barcode creates ambiguity and is used in non-secure applications. Geo-location based QR code [13] authenticates the system using session ID, domain name and web server URL. The scanned QR code generates the location of end user, and if there is ambiguity in location authentication, then the system is vulnerable to active real-time man in the middle (ART MITM) phishing attack. A visual QR code known as halftone QR code [14] performs minimal binding with QR code and adapts to halftone images. Challenges and risks associated with QR code security [15] are as follows: (i) QR codes are replaced by malicious code that directs the user to phishing site (ii) intruders modify sections of QR code to generate the fake product. Secure QR code in ecosystem includes digital signature, anti-phishing tools and malicious URL detection. QR codes and visual cryptography based E-voting authentication system [16] logs the voting system by using a unique voter password encoded with QR code. The QR image is encrypted using VSS scheme that creates two parts of the code, one part is given to the user and the other part is stored in the database. The encrypted image is mapped using unique RSA key pairs that are assigned to each voter ID. The public key is given to the voter, and the private key is stored in the database. During the voting procedure, the voter scans the QR code with the assigned public key. A successful match indicates that the authenticated voter can cast the vote. Two major attacks associated with QR codes are phishing (where the URL in QR code directs the user to a fake website binding the user with login ID and password window) and spreading malware. 
QR code for automated assessment [17] generates a valid task and prevents the user from invalid task. This approach uses randomized input, feedback, and transfer functions. Analysis of QR codes used in the wild environment [18] gives the frequency of user interactions and recognizes the misuse of QR codes.

3 Proposed Product Authentication using QR Codes: A Mobile Application to Combat Counterfeiting

To counterfeit a product, the original QR product code generated by the manufacturer is considered. If the counterfeiting practitioner tries to copy the QR information of an existing product, or if the same QR code is scanned again, then the product authentication system using the QR code displays the following message: “QR code was scanned earlier” or “The product is not genuine”. Hence, to solve the problem of counterfeiting of genuine products, the product IDs are encrypted, which adds a further layer of security to the QR coding method. Product IDs are passed as query string parameters to the link authentication page, and the encryption hides the product IDs from the customer. This method supports shorter product IDs and reuses them after a considerable amount of time.

3.1 Working Mechanism

  • The proposed application needs login access to facilitate authentic products

  • After login to the company, authorized personnel enters the product details such as product ID, product name, category description, batch number, price, manufactured date and is_verified. The product ID is unique and stored in the database. The attribute ‘is_verified’ is initially set to NULL for all the products registered in the database.

  • The product ID is encrypted using symmetric key DES algorithm

  • The product URL directs the user to product web page with encrypted product ID (as query string parameter). This URL is encoded into the QR code and printed on the product package.

  • The QR code is covered with a plastic seal. When a customer buys a product, the plastic seal is removed and the QR code is scanned for product authenticity. This process directs the customer to URL web page of the product.

  • The encrypted product ID passed as query string parameter is decrypted using the same key and further authenticated with the database. If the product ID is found, it is marked as ‘verified’ in the database (the product is genuine), else the message “Not Found” is displayed.

  • The product is identified as a counterfeit product for the following conditions: (i) if the scanned product ID is not found in the database and (ii) the scanned product ID is already verified (that is the QR code is a copy of original product ID). In the proposed secure approach, the QR codes can be scanned only once, and this method ensures genuine products in the market.

QR codes provide four levels of error correction [19]: L (LOW), M (MEDIUM), Q (QUARTILE) and H (HIGH). The number of error correction codewords increases from Level L to Level H. The data restoration rate for QR code error correction [20, 21] is as follows: L [LOW level]: 7 %, M [MEDIUM level]: 15 %, Q [QUARTILE level]: 25 %, H [HIGH level]: 30 %.

3.2 Error Correction Level

The number of data words accommodated in QR code version decreases from level L to level H, that is more space will be needed to accommodate the information when encoded in level H as compared to level L.

For example:

Message to be encoded is www.ankitdugarart.com

Clearly, QR codes encoded using level Q and level H require more space (approx. 39 % increase in area) than QR codes encoded using level L and level M. The QR code is selected based on the product size and the security level. The error correction level is selected based on the operational environment and the space available for printing the QR code. QR codes used in harsh conditions, such as factory or industrial environments, use either level Q or level H error correction, since the probability of impairment of the QR code is high.

3.3 Database Scheme

Database comprises of four tables as illustrated in Fig. 3. The attributes of each table are given as follows:

Fig. 3 Database Schema

  (i) EncryptionINFO

    • Attributes: EncryptedProductID, EncryptionKEY

      Encrypted ProductsID with EncryptionKey is used to encrypt the ProductID and the same key is used to decrypt the ProductID

  (ii) ProductINFO

    • Attributes: ProductID, ProductName, Category, BatchNumber, MRP, ManufactureDate, is_verified

      ProductINFO attributes identify the product, and is_verified attribute indicates scanned status of the product

  (iii) Categorydetails

    • Attributes: Category, CategoryDescription

      Description for each category of ProductINFO

  (iv) VerifiedTime

    • Attributes: ProductID, VerifyTime

      Date and time of ProductID that was scanned for the first time

3.4 Algorithms for Product Authentication Using QR Codes

figure c
figure d

4 Simulation Results

Simulation is performed using .NET and C# with Visual Studio Software and MS SQL Server as the database. We have provided an illustration for the Art Company known as ankitdugarart.com. Every painting is provided with a unique ID, and the authenticity is checked by scanning the QR code.

Simulation parameters

Software used: Visual Studio 2013 Ultimate

Platform: Microsoft.Net

Programming language: C#

Library used: Open Source QRCode Library

DES key size: 56 bits (64 bits including parity)

Error correction levels: L, M, Q, H

Mobile platform used: Android 4.4.2

Android app used: QR code reader

Database primary key: Product ID

Webpage URL: http://www.ankitdugarart.com/Authenticity_Chk.html (The web page prompts an alert saying "Invalid or Null Product ID", since the Product ID is not passed as string parameter to check the authenticity)

  (i) Text encoded in QR code


http://www.ankitdugarart.com/Authenticity_Chk.html?id=luivH%20jsuek


Whenever a user scans that QR code, the webpage displays the message for the authenticity check as: “THIS PRODUCT IS GENUINE” or “THIS PRODUCT IS NOT GENUINE”. Here, since the QR code is scanned more than once, the web page displays the message: “THIS PRODUCT IS NOT GENUINE”.

Number of characters: 66 in decimal; 01000010 in binary

Encoding mode: 0010 Alphanumeric

  (a) Alphanumeric equivalent (figure e)

  (b) Alphanumeric binary equivalent with added encoding mode and character count (figure f)

  (c) Resultant string divided into block of 8 bits (figure g)

  (d) Decimal equivalent (figure h)

The error correction code words are then appended to the final string based on error correction level (L, M, Q, H). The results of four possible error correction levels are shown as follows:

  (ii) Error correction levels (figure i)

  (iii) Screen outputs

Figure 4 illustrates the creation of a unique QR code for the selected product and attributes such as product ID, product name, category, batch number, MRP, date of manufacture and error correction level. This image shows an example of creating a unique QR code for a painting being sold by the ART Company. Figure 4 also shows the resultant QR code generated.

Fig. 4 Unique QR code generated for a product

Figure 5 shows the information contained in the QR code. This process succeeds the previous step, where the administrator successively enters the product attributes. The QR code shown in Fig. 5 directs the user to the product website with the encrypted product ID passed as the query string parameter.

Fig. 5 Extraction of QR code information

The product ID is encrypted as follows:

Product ID used here: 95632

Encryption algorithm: DES

DES encryption Key: 0E329232EA6D0D73

Encryption mode: CBC

Encrypted text: luivH+jsuek=

Figure 6a illustrates the scanning of QR code using an Android phone with QR Reader application, and Fig. 6b illustrates the URL displayed on the mobile phone and directs the user to authentic product website: http://www.ankitdugarart.com/Authenticity_Chk.html. The product information is retrieved from the database, and the status of the product (genuine or fake) is verified.

Fig. 6 Scanning of QR code using mobile application. a Mobile application scanning the QR code. b URL page of the corresponding QR code

Figure 7 illustrates the URL opened by the mobile application. The product is identified as genuine when the QR code is scanned for the first time, and the corresponding product information is displayed. The authentic QR code used in our approach is only one-time scan, which indicates that a product cannot be scanned more than once. Hence, the product is scanned after buying the item, and verified with the manufacturer database for product authentication.

Fig. 7 QR code scanned for the first time

Figure 8 illustrates the scanning of QR code for the second time. In the proposed approach, the QR codes are one-time scan. Hence, this feature as shown in Fig. 8a illustrates that the QR code is copied from the genuine product or the product is not authentic. Figure 8a opens the URL page and displays the message: “This Product is Not Genuine”.

Fig. 8 Scanning of QR code for the second time. a Mobile application scanning the QR code (second time). b URL page opened with the corresponding QR code

  (iv) Database tables and SQL queries

Table 1 illustrates the product database with corresponding attributes where a QR code is generated for each product. The last field ‘is_verified’ is set to NULL. This feature illustrates that the product (one-time scan) is not verified. Table 2 illustrates the database table of EncryptionINFO, and Table 3 illustrates the database table of CategoryDetails.

Table 1 Database table of ProductINFO before QR code was scanned
Table 2 Database table of EncryptionINFO
Table 3 Database table of CategoryDetails
  (a) SQL queries for product authentication using QR codes

    (i) When the product QR code is scanned, the Encrypted ProductID is passed as the query string parameter in the URL (here, ‘x’). This is further used to query the ‘EncryptionINFO’ table to retrieve the Encryption key. The SQL query is given as follows:

        Select EncryptionKEY
        From EncryptionINFO
        Where EncryptedProductID = x

      In the example shown, x = luivH+jsuek=

    (ii) The Encrypted ProductID (here, luivH+jsuek=) can be decrypted using the encryption key fetched from the previous query to generate the original Product ID (PID); here, PID is 95632.

    (iii) The generated PID is used to query the ProductINFO table to find the value of the ‘is_verified’ attribute. The SQL query to fetch the ‘is_verified’ attribute is given as follows:

        Select is_verified
        From ProductINFO
        Where ProductID = PID

    (iv) The ‘is_verified’ attribute can be either NULL or Verified. If the ‘is_verified’ attribute is NULL, then the product is genuine and a message is sent to the end user. After scanning the QR code, the ‘is_verified’ attribute is set to Verified. Table 4 illustrates that the QR code is VERIFIED for the product in the third row. The SQL query to update the ProductINFO table is given as follows:

      Table 4 Database table of ProductINFO table after the QR code was scanned

        Update ProductINFO
        set is_verified = 'Verified'
        where ProductID = 95632

    (v) The VerifiedTime table given in Table 5 is updated with date and scan time. The SQL query of updated VerifiedTime table is given as follows:

      Table 5 Database table of VerifiedTime after QR code verification

        Update VerifiedTime
        set VerifyTime = getdate()
        where ProductID = 95632

    (vi) If the ‘is_verified’ attribute is set to Verified (which means the product was scanned before), then the product will be identified as “Not Genuine” and the message will be sent to the end user.

    (vii) The SQL queries used by the administrator to display the product database before the QR code was scanned (as shown in Table 6), fetch the verified products after the QR code was scanned (as shown in Table 7), and fetch the unverified products (that is, unscanned QR codes, as shown in Table 8) are given as follows:

      Table 6 Database of each product before QR code was scanned
      Table 7 Database table of verified products (scanned QR code)
      Table 8 Database table of unverified products (unscanned QR codes)

      • SQL query to fetch all product details is given as follows:

        Select ProductID, ProductName, c.categoryDescription, BatchNumber, MRP, ManufacturedDate, is_verified
        from ProductINFO p join CategoryDetails c on p.Category = c.Category

      where p and c are aliases for ProductINFO table and CategoryDetails table respectively.

      • SQL query to fetch all verified products details is given as follows:

        Select ProductID, ProductName, c.categoryDescription, BatchNumber, MRP, ManufacturedDate, is_verified
        from ProductINFO p join CategoryDetails c on p.Category = c.Category
        where is_verified = 'Verified'

      where p and c are aliases for ProductINFO table and CategoryDetails table respectively.

      • SQL query to fetch all unverified product details is given as follows:

        Select ProductID, ProductName, c.categoryDescription, BatchNumber, MRP, ManufacturedDate, is_verified
        from ProductINFO p join CategoryDetails c on p.Category = c.Category
        where is_verified IS NULL
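
The following sketch is an added example, not code from the paper or its C# implementation. It shows two points from the scan flow above: carrying the Base64 value luivH+jsuek= through a query string without losing ‘+’ and ‘=’, and performing steps (iii) to (vi) as one conditional UPDATE so that only one scan can find is_verified still NULL. Assumptions: SQLite stands in for MS SQL Server, the table rows are constructed, the function names are illustrative, and the DES decryption of step (ii) is left out, so verify_scan takes the decrypted ProductID.

```python
import sqlite3
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "http://www.ankitdugarart.com/Authenticity_Chk.html"  # URL from the page


def build_scan_url(encrypted_id: str) -> str:
    """URL to encode in the QR code; urlencode percent-encodes '+' and '='."""
    return BASE_URL + "?" + urlencode({"id": encrypted_id})


def token_from_url(url: str) -> Optional[str]:
    """Return the 'id' parameter as the web page would receive it."""
    values = parse_qs(urlsplit(url).query).get("id")
    return values[0] if values else None


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the page's tables, with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ProductINFO (ProductID INTEGER PRIMARY KEY,
                                  ProductName TEXT, is_verified TEXT);
        CREATE TABLE VerifiedTime (ProductID INTEGER PRIMARY KEY, VerifyTime TEXT);
        INSERT INTO ProductINFO VALUES (95632, 'Constructed sample', NULL);
        INSERT INTO VerifiedTime VALUES (95632, NULL);
    """)
    return conn


def verify_scan(conn: sqlite3.Connection, product_id: int) -> str:
    """Steps (iii)-(vi) for an already decrypted ProductID."""
    with conn:  # single transaction, committed on exit
        # Check and mark in one statement: only a row that is still NULL matches,
        # so exactly one scan of a given ProductID can ever change it.
        claimed = conn.execute(
            "UPDATE ProductINFO SET is_verified = 'Verified' "
            "WHERE ProductID = ? AND is_verified IS NULL", (product_id,)).rowcount
        if claimed == 1:
            conn.execute("UPDATE VerifiedTime SET VerifyTime = datetime('now') "
                         "WHERE ProductID = ?", (product_id,))
            return "THIS PRODUCT IS GENUINE"
        known = conn.execute("SELECT 1 FROM ProductINFO WHERE ProductID = ?",
                             (product_id,)).fetchone()
    return "THIS PRODUCT IS NOT GENUINE" if known else "Not Found"


if __name__ == "__main__":
    token = "luivH+jsuek="  # encrypted ProductID from the page
    print(build_scan_url(token))  # '+' and '=' are percent-encoded
    print(repr(token_from_url(BASE_URL + "?id=" + token)))  # raw '+' arrives as a space
    db = make_db()
    for pid in (95632, 95632, 11111):  # first scan, repeat scan, unknown ID
        print(pid, verify_scan(db, pid))
```

A token that reaches the page with a space in place of ‘+’ no longer matches the EncryptedProductID stored in EncryptionINFO, so the lookup in step (i) fails even for a genuine product.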

5 Conclusions

QR codes are extensively used to identify the product ID. The proposed product authentication using QR codes combats counterfeiting of products and identifies product genuineness. The proposed QR authentication generates the QR code based on product attributes and directs the user to the company web page indicating whether the product is genuine or fake. Comparative analysis of error correction in QR codes indicates the relationship between the size of QR codes, data capacity and levels of QR code. This approach combats the problem of counterfeit products and benefits the customer and product manufacturers. This work can be extended to include a company-specific QR code reader that provides two-level authentication such as (i) offline authenticity (mobile application scans the QR code), online authenticity (the scanned QR code directs the user to product manufacturer’s web page) and (ii) update the list of items purchased and scanned at the manufacturer web site. A further extension would be to include the time stamp approach in encrypted QR codes.