How I decided to protect documents from forgery and “invented” an electronic digital signature

What is it about


The idea to create my own little Internet project to protect documents from falsification was prompted by a discussion at the forum of defectoscopists dedicated to a total falsification of the quality control conclusions they issued.

During the implementation of my project, I realized that I came to the concept of electronic digital signature, that is, a bicycle, of course, I did not invent, but the story of my path may be instructive.

Relevance of the task of protection against fakes


The fact is that in our century of paperless information, not a single capital construction, be it a gas pipeline or a shopping center, can do without preparing a complete set of as-built documentation, which includes non-destructive testing (visual, radiographic, ultrasound) conclusions.



This conclusion is a document drawn up on a certain form with a conclusion on the suitability or unsuitability of, for example, a weld. Non-destructive testing services cost money, and often quite considerable. An unscrupulous customer / intermediary may hire an accredited laboratory, receive several opinions from it, and stop or suspend work.

What surprise the flaw detector operator or the head of the laboratory may be when they learn that even after the termination of work, conclusions are issued on their behalf, they are put on fake seals and forged signatures. The reputation of the laboratory is suffering, and in fact the law is being violated. It’s just that in a number of cases no one will know about it.

As part of the discussion - how to protect your documents, the idea was expressed to put a QR code on the document, in which the conclusion number, date and conclusion about the suitability or unsuitability of the control object will be recorded. Why is this method good - the QR code will remain clearly distinguishable when scanning, copying a document.

However, scammers will also be able to simply generate a QR code with the necessary content.

The birth of an idea


And then a thought dawned on me - why not encrypt the contents of such a QR code with a reliable algorithm. If so, you need to come up with a way to decrypt it when scanning, for example, through the camera of a smartphone. Here the idea was born to do decryption on the side of the web service, which will store the key for decryption.

The last time I made a site in 2000 in notepad and I’m not very familiar with modern site building technologies, so I chose Wix, thinking that with the help of the service I will get a beautiful picture and minimal possibilities for working with a database, and with Wix code I will encode that what I need.

I must say right away that I did it without any difficulty and in a few evenings, as an amateur, I was able to assemble the solution I needed from more or less ready-made blocks.

Encryption


I took the finished AES 128-bit encryption algorithm with Java Script implementation on Github and placed it in the backend section of the site.

This was perhaps the easiest part of the job. How encryption itself works was not entirely uninteresting to me. I was worried about the grandeur of the plan.

The main thing is not to forget to translate the encoded text into Bytes, and the encryption result in HEX.

// Convert text to bytes
var textBytes = aesjs.utils.utf8.toBytes(text);
// The counter is optional, and if omitted will begin at 1
var aesCtr = new aesjs.ModeOfOperation.ctr(key, new aesjs.Counter(5));
var encryptedBytes = aesCtr.encrypt(textBytes);
// To print or store the binary data, you may convert it to hex
var encryptedHex = aesjs.utils.hex.fromBytes(encryptedBytes);

QR code generation


I used the ready-made API .

To work, just create an html1 object - to display arbitrary html code and call the API function

let val = “Шифруемый текст"
$w("#html1").src = "https://api.qrserver.com/v1/create-qr-code/?size=100x100&data=" + val.toString();
$w("#html1").show();

Work with users


Wix supports basic user registration and profile editing features. The tool is somewhat buggy, but workable.

I just needed to add a field that describes the name of the organization that the registered user represents, but this field is read only and it is filled in by the service administrator when it receives confirmation that the registered user really represents the specified organization.

It was also necessary to fasten the simplest logic associated with paid / free access to functions (up to 20 documents per month can be protected for free) and the term for paying for services.

Principle of operation


A unique private encryption key is bound to the user's account.

A logged-in user fills out a form with information about the conclusion (number, date, result):



Then the algorithm returns a URL containing the encrypted TEXT text and acting as the public key USER_ID, as in the example below: The URL turns into a QR code that the user already applies to your document by copying it to the clipboard (you can include it in the source file or stick it as a sticker on a finished printed document). What is important here - as such, the information does not get into the site database, but remains only in the form of this link and a QR code containing this link. Thus, no information about the contents of the protected document is stored on the server.

https://*имя сервиса*/checkqr?user=3b01b0aa-68a0-4521-ab12-f17b86d3eabc&v=1.0&text=8a026594c26be959f4280e28fe8402c1acef233e369a31613d654d3b0a5bbaca206f3058d27d2fde66b65cb64a5a6caecb69b07ad39c0015e923dad89eb723







The code is checked by the site when parsing the link


For parsing when a site recognizes a link, I used the help on Wix code
www.wix.com/code/reference/wix-http-functions.html

If something went wrong during decryption, it could be if the original QR code tried to make some changes
“The document code was decrypted with an error. Possible fake. Contact the organization that prepared the document for clarification. ”
If the decryption is completed successfully, then the decrypted text is issued containing the name of the laboratory, document number, date of issue and result, and the user is asked to compare the decryption result with what he sees on the real document.

Conclusion


From the birth of the idea, with the help of a number of ready-made bricks, I came to a working implementation.

I invite you to a discussion on the idea I came up with, an attempt to test / hack my service.

What remains to be completed


  • Write on the results of implementation on habr
  • Understand how to reset the query if there has already been a link check once
  • To figure out how to shrink the ciphertext, because when a long URL is encoded, then the size of the QR code is too large
  • Add the ability to copy code to the clipboard or send it by e-mail at the click of a button (until I figured out how to do it in javascript)
  • Improve work with the mobile version

Preliminary response to possible criticism:


Isn't it easier for a laboratory to keep a register of conclusions on its website, and will a similar QR tag lead to this registry or even display a copy of the report?
This can be done, but significant manual work or the introduction of your own IT solution like that developed by me will be required, but it will obviously cost more than using a ready-made solution.

It is impossible to make such a register completely publicly accessible, because the information is not public, but can only be considered by the contractor, customer, and Rostekhnadzor.

Also popular now: