Signatures cryptographiques dans les QR Codes

Embed This Widget

Theme


      
    

Widget powered by . Free, no account required.

How digital signatures verify QR code authenticity: COSE, CBOR, public key infrastructure, and offline verification.

Cryptographic Signatures in QR Codes

Digitally signed QR codes allow offline verification of authenticity — the scanner can confirm the data has not been tampered with, without contacting a server.

The Problem

Standard QR codes have no built-in authenticity mechanism. Anyone can generate a QR code with any content. Sticker attacks and QRishing exploit this — how can a scanner know if a QR code is legitimate?

How Digital Signatures Work in QR

  1. The issuer creates the data payload
  2. The issuer signs the payload with their private key
  3. The signature is appended to the data and encoded in the QR code
  4. The verifier (scanner app) uses the issuer's public key to verify the signature
  5. If the signature is valid, the data is authentic and untampered

COSE and CBOR

Modern signed QR codes typically use:

  • CBOR (Concise Binary Object Representation): A compact binary data format — much smaller than JSON for the same data
  • COSE (CBOR Object Signing and Encryption): A framework for signing and encrypting CBOR data

The combination is space-efficient, which is critical when the signed data must fit in a QR code.

Real-World Implementation: EU DCC

The EU Digital COVID Certificate is the most prominent example:

  1. Health data encoded in CBOR
  2. Signed with COSE (ECDSA with P-256)
  3. Compressed with zlib
  4. Base45-encoded for QR code storage
  5. Offline-verifiable with pre-distributed public keys

Public Key Distribution

The challenge: how does the verifier get the issuer's public key?

  • Embedded in the app: Public keys bundled with the scanner application
  • Key server: Downloaded periodically and cached
  • Blockchain: Public keys published to a distributed ledger
  • Certificate chain: Standard PKI with root certificates

Practical Considerations

  • Signatures add 64-128 bytes to the QR code payload (ECDSA P-256: 64 bytes)
  • The total signed payload must fit within QR code capacity constraints
  • Key management (rotation, revocation) is operationally complex
  • Not all scanner apps support signature verification

Key Takeaways

  • Digital signatures enable offline authenticity verification
  • COSE/CBOR is the standard framework for signed QR code payloads
  • The EU DCC demonstrated large-scale signed QR code deployment
  • Public key distribution is the main operational challenge
  • Signatures add 64-128 bytes — plan QR code capacity accordingly