Assinaturas criptográficas em QR Codes
How digital signatures verify QR code authenticity: COSE, CBOR, public key infrastructure, and offline verification.
Cryptographic Signatures in QR Codes
Digitally signed QR codes allow offline verification of authenticity — the scanner can confirm the data has not been tampered with, without contacting a server.
The Problem
Standard QR codes have no built-in authenticity mechanism. Anyone can generate a QR code with any content. Sticker attacks and QRishing exploit this — how can a scanner know if a QR code is legitimate?
How Digital Signatures Work in QR
- The issuer creates the data payload
- The issuer signs the payload with their private key
- The signature is appended to the data and encoded in the QR code
- The verifier (scanner app) uses the issuer's public key to verify the signature
- If the signature is valid, the data is authentic and untampered
COSE and CBOR
Modern signed QR codes typically use:
- CBOR (Concise Binary Object Representation): A compact binary data format — much smaller than JSON for the same data
- COSE (CBOR Object Signing and Encryption): A framework for signing and encrypting CBOR data
The combination is space-efficient, which is critical when the signed data must fit in a QR code.
Real-World Implementation: EU DCC
The EU Digital COVID Certificate is the most prominent example:
- Health data encoded in CBOR
- Signed with COSE (ECDSA with P-256)
- Compressed with zlib
- Base45-encoded for QR code storage
- Offline-verifiable with pre-distributed public keys
Public Key Distribution
The challenge: how does the verifier get the issuer's public key?
- Embedded in the app: Public keys bundled with the scanner application
- Key server: Downloaded periodically and cached
- Blockchain: Public keys published to a distributed ledger
- Certificate chain: Standard PKI with root certificates
Practical Considerations
- Signatures add 64-128 bytes to the QR code payload (ECDSA P-256: 64 bytes)
- The total signed payload must fit within QR code capacity constraints
- Key management (rotation, revocation) is operationally complex
- Not all scanner apps support signature verification
Key Takeaways
- Digital signatures enable offline authenticity verification
- COSE/CBOR is the standard framework for signed QR code payloads
- The EU DCC demonstrated large-scale signed QR code deployment
- Public key distribution is the main operational challenge
- Signatures add 64-128 bytes — plan QR code capacity accordingly