I was looking for something like "inverted asymmetric cryptography" and came across a great post, which actually covers what I need.
I want every user of my application has a public key allowing them to decrypt the message hidden in QR code which was encrypted with my private key. I want to make sure my system cannot be deceived by a fake QR code covering mine. Accepted answer suggests using digital signature so I googled Java tutorial, showing how to use that feature.
Here comes a little misunderstanting. I thought that using a digital signature, there would be a simple situation (let's call it a Situation A
):
- Message is encrypted with private key
- User reads encrypted message
- User uses the public key to decrypt message.
However, my understanding is the digital signature works more like:
- A digital signature is created using the private key and the message.
- User needs the original message and the signature file.
- User uses the digital signature to verify the message wasn't changed and comes from me.
Am I right here? If so, how can I put both my message and signature in a QR code? Things seemed pretty easy in case of Situation A
as I simply could encode the encrypted message using Base64 and put the result in the QR code. However, it looks like I can't do the same thing without using tricks like encode message, encode signature, put them in one file, encode it, put the result in the code
. How can I do so then?
Oh, there is also an answer from question "QR code security" saying:
You can put anything you want in a QR code, including Base-64 encoded bytes representing a signed document. No reader will know what to do with it; you'd have to write a custom app that scans and then knows to decode it and act accordingly.
According to the tutorial mentioned earlier it looks like the signed document itself is not enough though.