QR Code Integrity Verification Based on Modified SHA-1 Algorithm

ABSTRACT


INTRODUCTION
Quick Response (QR) codes are a low-cost tagging technology known for simple production and ease of implementation [1]. A study of mobile phones reveals a fast pace of change paralleling the spread of mobile usage across different age groups, places, times and situations [2]. This increased usage has led to the utilization of QR codes in different services because of their speedy recognition and processing [3]. Today, many areas use QR codes, such as authentication of products [4], [5], student result mark sheets and profile information [6], [7], and banking [8], [9].
Another application of QR codes is checking the data integrity of certificates issued by institutions to prevent the dissemination of fraudulent documents [10]. Documents can now be effortlessly forged by tampering with names and can be submitted to any company or institution to gain employment, reduce costs, and obtain other financial benefits [11], [12]. Multimedia security researchers recommend document verification and authentication due to the rise in the number of fake documents brought about by advances in printing and scanning [13].
Several studies have used QR codes for authenticating printed documents to identify fraud. One proposed a mobile app in which the student's information from the database is encrypted and saved on the server, then integrated into the QR code and printed on the document for verification purposes [14]. A different study combined QR code, a digital signature signed by university authorities, hashing and a smartphone application [10] in the verification process. However, both studies require the created mobile application to be installed separately to read the QR code. In another study, incorporating a significant amount of self-describing data in the QR code protects paper-based documents, but this emphasizes the need for a steady camera and better focusing mechanisms on smartphones [12]. Another scheme embeds a watermark object with the QR code to determine printed document validity, but this scheme needs the watermark image transparency set to 50%, a validation link prepared in advance, and a QR code size of not less than 2x2 cm² for the watermarked QR code to be read efficiently [15]. Another study implemented paper-based document authentication using a digital signature and QR code, but it includes optical character recognition (OCR), which requires human intervention when OCR fails, making it inconvenient [16]. This paper applies QR code technology to verify the authenticity of certificates using a web application that doesn't require additional installation on the part of the user.
In information security, cryptographic hash algorithms form a significant part, specifically in data integrity [17]. A hash is computed from data files to verify their integrity and to identify duplicated data or files [18]. A small change made to the data during transit will therefore produce a different hash value [19]. This way, a hash assures that the receiver obtained the same message sent by the sender, without alteration during transmission [20].
Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function that produces a 160-bit hash value [21], [22]. Designed by the National Institute of Standards and Technology (NIST), SHA-1 is considered the most widely used hash algorithm in a vast range of applications [17], [23], [24] due to its time efficiency, robustness [25] and speed [26]. Currently, SHA-1 is still in use by 21% of websites in the world for signing certificates [27]. SHA-1 based fingerprints are still widely used and supported for verification [28].
Although SHA-1 is popular, widely used, and accepted, it does not seem to offer an adequate avalanche effect concerning the distribution of the input differences, and it has unexpected weaknesses in the construction of all the step updating functions [29], [17]. This problem leads to the chance of two different inputs generating the same output value in the middle of the algorithm or compression function [30], [31]. Hence, there is a need to devise a function with improved diffusion to distribute the output in each round and prevent the same in the following stages [32], [33], [30].
Some studies proposed enhancements to SHA-1 aimed at attaining additional diffusion [34], [35] but did not show the bit difference in their simulation results, or showed a lower bit difference. Another incorporated MD5 into SHA-1 [32], but this approach suffers from the same vulnerability [36], [37]. Another study did not include the actual messages used during the experiment [38]. Therefore, the researcher has chosen to improve the SHA-1 algorithm by increasing the hash output size from 160 to 192 bits and providing a mixing mechanism to attain efficient diffusion.
This paper presents a certificate integrity verification process that can be quite convenient and quick by combining the modified SHA-1 hash and QR code technology in a Windows and web application. The system will provide a module for printing the certificates with the generated QR code on paper. The study aims to 1) identify requirements in building the application, 2) design and determine the modules included, 3) integrate the modified SHA-1 in the certificate verification application, and 4) test the QR Code Integrity Verification application. This application will enable the verification of documents without a unique gadget or additional installation. The College of Computer Studies of Tarlac State University will test the QR code integrity verification application, but any institution that may require this service can use this application.

The Proposed Integrity Verification System
Figure 1 shows the block diagram applying the modified SHA-1 algorithm to message integrity verification. The first task is to generate the QR code for the certificate using the modified SHA-1 algorithm. The input message M consists of the student's name and the type of certificate for issuance, along with the unique ID. The modified SHA-1 algorithm is applied to the message and ID to create a hash value of 192 bits, which is saved to the database. The QR code generator generates the QR code from the saved data in the database. The second task is the verification of the QR code on the printed certificate with the modified SHA-1 algorithm. Figure 2 shows the block diagram of this process. Users who want to verify the certificate use their Android smartphones with a camera to scan the QR code. After capturing the QR code, the web application computes the hash value and sends the hash and the message to the web server. After receiving the information, the server searches for the hash. If the value exists, the system retrieves the unique ID of the certificate from the database. Using message M and ID, the modified SHA-1 computes the hash value h'. If hash value h' = hash value h, the message is said to be authentic. Then, the system displays the resulting message for visual inspection and comparison with the details of the printed certificate. Otherwise, we can say that the QR code message M has been modified.

Requirements for building the application
Hardware and software requirements include a smartphone with a camera running Android 4.0.3 and up to access the web application. The web application involves capturing the QR code printed on the certificate using the phone's camera and sending the obtained message and hash code to the web server. The web application is best viewed using Mozilla Firefox, a fast and free Android browser. A web server is also needed, where the QR code printed on paper is checked against the database of valid hashes. The software used is Microsoft Internet Information Services (IIS) Version 7.5, a general-purpose web server developed by Microsoft that runs on the Windows operating system. In this study, IIS runs Active Server Pages (ASP). The ASP.NET framework is a server-side script engine that creates interactive web pages. For testing, the application uses a server that has an Intel(R) Core(TM) i5-6500 CPU @3.20GHz 3.19 GHz processor and 8.0 GB RAM, running a 64-bit Windows operating system. On the client side, the required smartphone should have a camera and run on the Android platform to be able to use the certificate integrity checker. The data or sample certificates used in this study come from the College of Computer Studies of Tarlac State University. The college issues certifications to students enrolled in the field trips and seminars course. This course exposes the students to IT technologies being applied and adopted by companies. Students enrolled in this course are required to attend seminars to keep abreast of current trends in hardware, software, and telecommunications. Students enrolled in the course are required to submit a compiled report containing reaction papers about the discussed topics, which is presented to and evaluated by their adviser. One of the requirements to be attached to the portfolio is the certificate of completion.

Design and modules
Three modules were identified and are explained in detail below:
a. QR code generation module: This module generates the QR code for printing on certificates. First, the system administrator inputs message M, which may consist of the name of the student and the certificate type, with the unique ID of the certificate. Next, the modified SHA-1 is applied to message M and ID to create a hash value of 192 bits, which is saved to the database. The QR code generator generates the QR code from the saved data in the database, which consists of the hash value h(ID||M) and the message. The generated QR code is to be printed on the certificates.
b. QR code printing module: This module prints the generated QR code on paper. Before the actual printing, the user provides the list of names, the generated QR codes, and the image for the design of the certificate. The certificates are set using letter size (8.5" x 11") paper. The user arranges the design of the certificate in a Windows application, including the background, the position of the name, and the position of the QR code on paper. Once done, certificates are printed based on the list of students provided.
c. QR code scanning and verification module: This module scans the QR code and contacts the server for the verification process. After the code is printed on the certificate, clients who want to verify the certificate use their Android smartphones with a camera to scan the QR code. To do this, the user's smartphone WiFi should be connected to the same network as the server. The web server is located at the TSU-CCS Control room, running on IIS version 7.5. The user then needs to access the web server by typing the URL http://193.168.1.28 using the phone's web browser.
After typing the address of the server in the mobile browser, the user only needs to scan the QR code using the camera of their smartphone. After capturing the QR code, the user clicks the verify button to let the web application send the message M and the hash value to the web server for data integrity verification. The server receives the information stored in the QR code and then searches for the hash value in the database. If the value exists, the system retrieves the unique ID of the certificate from the database. The modified SHA-1 is applied to the message M and ID to create hash value h'. The system verifies whether hash value h' = hash value h to check the integrity of the QR code and, if successfully verified, the message is said to be authentic. If hash h' does not exist, the QR code message M has been modified. The system displays the resulting message for visual inspection against the details on the printed certificate.

Integration of the modified SHA-1 in the certificate verification application
The modified SHA-1 algorithm has been incorporated both in the generation of the QR code and in the verification process. Figure 3 illustrates the proposed modification of the SHA-1 construction with the inclusion of a counter. The counter is XORed with the intermediary hash value to strengthen the M-D construction. The counter is initialized to zero and incremented by 1 for every message block until the last block, so the number assigned to the counter changes in every round. A, C, and D) because the contents of the variables will not be the same in the coming rounds. Variable E goes to variable F after executing its addition operations. The difference between SHA-1 and the modified SHA-1 lies in the computation of the message digest. The padded message is still used to compute the message digest. The calculation makes use of two buffers (A, B, C, D, E, F and H0, H1, H2, H3, H4, H5). The first buffer uses five 32-bit words, and the second buffer comprises eighty 32-bit words (W0, W1 ... W79). This process also applies TEMP1 and TEMP2 buffers. {Hj} are initialized before processing any blocks with values of 67452301, EFCDAB89, 98BADCFE, 10325476, C3D2E1F0, 40385172 (H1-H5). Let hash value length be m.

Testing the QR Code Integrity Verification application
First, the QR code generation module produces the 192-bit modified SHA-1 hash using the name of the student as the message combined with the ID number, and the hash is saved in the database. Figure 5 shows the QR code generation. The third and last step is the verification process. To access the verification system, the user needs to type the URL http://193.168.1.28 in the web browser of their Android phone. The simulation program used the IP address 193.168.1.28 for the server situated in the TSU-CCS Control room. After typing the address of the server in the mobile browser, the user only needs to scan the QR code in the designated area, as indicated by the red corners shown in Figure 6 (b), and then press the verify button. The generated hash extracted from the QR code is compared against the hashes saved on the server as a way of verification. If the same hash is found on the server, the name of the student is displayed.
Thirty sample certificates were used in the trial run of the verification app. Four possible test cases were identified. Case 1 includes the correct name of the attendee and the correct QR code; case 2 involves a fake name printed on the certificate and a valid QR code copied from another certificate; case 3 is where the hash value from the QR code of another certificate is used to generate a new QR code along with a new fake name; and case 4 comprises a fake QR code, which is not valid because it is not registered in the list saved in the database. Out of the 30 samples, three counterfeit certificates were incorporated. Based on the result of the trial run, the app successfully verified all thirty certificates (27 being correct, and three being faked), achieving 100% accuracy. Table 1 shows the result of the trial run recognizing all cases, the messages displayed by the app for all instances, and the names listed on the certificate for manual inspection. For case 1, the name listed on the certificate and the verification message should match. For case 2, the name listed on the certificate will not match the message displayed in the verification prompt. This signifies that the certificate was modified. For case 3, the hash will be found in the database, but the name produced from the regenerated QR code is not the same as that in the database, so a message that the certificate has been modified is displayed. Lastly, for case 4, the generated hash will not be found among the hashes saved in the database, so the message "The certificate does not exist" is displayed. This means that the certificate is also faked. From the trial run, it was also observed that to scan QR codes efficiently, the smartphone camera should be in focus during capture.
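The generation and verification flow described in the preceding sections, run against the four trial-run cases, as an added example that is not the paper's application code. BLAKE2b with a 24-byte digest stands in for the modified SHA-1, which the text does not fully specify; the `hash|message` QR payload layout, the names, the IDs and the "modified" result string are constructed assumptions.

```python
import hashlib
import hmac

def h192(data: bytes) -> str:
    # Stand-in 192-bit hash (assumption): BLAKE2b, NOT the paper's modified SHA-1.
    return hashlib.blake2b(data, digest_size=24).hexdigest()

# Server-side table mapping stored hash h to certificate ID (constructed layout).
class CertificateRegistry:
    def __init__(self):
        self._id_by_hash = {}

    def issue(self, cert_id: str, message: str) -> str:
        # Generation module: h = h(ID||M) is saved; the QR code carries h and M.
        h = h192((cert_id + message).encode("utf-8"))
        self._id_by_hash[h] = cert_id
        return f"{h}|{message}"  # hypothetical payload layout

    def verify(self, qr_payload: str) -> str:
        # Verification module: find h, fetch ID, recompute h' over ID||M.
        h, _, message = qr_payload.partition("|")
        cert_id = self._id_by_hash.get(h)
        if cert_id is None:
            return "The certificate does not exist"
        h_prime = h192((cert_id + message).encode("utf-8"))
        if not hmac.compare_digest(h_prime, h):
            return "The message has been modified"  # constructed wording
        return message  # displayed for comparison with the printed name

def matches_print(displayed: str, printed_name: str) -> bool:
    return printed_name in displayed  # models the manual inspection step

def run_cases() -> dict:
    reg = CertificateRegistry()
    kind = "Certificate of Completion"
    qr_ana = reg.issue("CCS-0001", f"Ana Reyes, {kind}")  # constructed records
    reg.issue("CCS-0002", f"Ben Cruz, {kind}")
    h_ana = qr_ana.split("|", 1)[0]
    fake_msg = f"Mallory Doe, {kind}"
    out = {}
    # Case 1: genuine certificate, genuine QR code.
    out[1] = (reg.verify(qr_ana), matches_print(reg.verify(qr_ana), "Ana Reyes"))
    # Case 2: fake printed name, QR copied unchanged from Ana's certificate.
    out[2] = (reg.verify(qr_ana), matches_print(reg.verify(qr_ana), "Mallory Doe"))
    # Case 3: Ana's hash reused in a regenerated QR carrying the fake name.
    out[3] = (reg.verify(f"{h_ana}|{fake_msg}"), None)
    # Case 4: QR built from an ID and message that were never registered.
    unregistered = h192(("CCS-9999" + fake_msg).encode("utf-8"))
    out[4] = (reg.verify(f"{unregistered}|{fake_msg}"), None)
    return out

if __name__ == "__main__":
    for case, (shown, name_ok) in run_cases().items():
        print(case, shown, "| printed name matches:", name_ok)
```

In case 2 the hash check itself succeeds, because the copied QR code is genuine; only the comparison of the displayed name with the printed one exposes the forgery.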

Conclusion and Future Works
The use of QR codes in smartphones is becoming popular because of their simplicity and low cost of production. One of the services that makes use of QR codes is data integrity verification of tampered certificates. Requirements were gathered and identified to build the simulation application. The modified SHA-1 applied a mixing method to attain better diffusion in the hash value and increased the hash value output to 192 bits for added strength. The QR code integrity verification application was tested using sample names and ID numbers to generate the QR codes and print the certificates on paper. Both fraudulent and legitimate certificates were included in the testing. Results indicate 100% accuracy in the verification process for thirty printed certificates. Although four cases were noted, including one correct and three other possible cases of faking certificates, the app successfully verified them all. It was also noticed during scanning that the smartphone camera should be in focus to capture the QR code clearly.
As for future works, the application can be further applied to degree certificate verification and may use optical character recognition algorithms as a supplement to the manual inspection of the certificate.

Figure 1. Block Diagram of QR code generation applying the modified SHA-1 algorithm

Figure 2. Block Diagram of QR code verification using modified SHA-1

Figure 4 (b) shows the mixing function. The function accepts the working variables A, C, and D as the input column, then disperses the bits to a different arrangement from right to left in row-wise fashion in the output column A', C', and D'.

Table 1. Trial Run