
Super Secure Unique ID and Verification concept


Don_Macaroni

To all interested in creating a virtually bullet proof Unique ID sequence and reverse checker. I designed this concept for use on rfid cards for an entry system. But it can be implemented with barcodes, as well as reverse checked with PHP in case of a web-based solution.
This concept grew from a need to verify the ID on cards. If you have a unique ID of 12345, a person can create a badge with any numeric sequence. But what if you can, as an added security, verify if the sequence is valid? Came up with the following:

1 Global field with something like this "QYUMGZRIHGHMIQSCEBYCWYWLNIPBCEZZCYBZIKJTGLKWGECGJBBQHXVCJQUHAMGWCOCGIAZNYNNOIJLBOSRVDMRFAVNPCOWFGGXNATEUKNPW" (Needs to be 108 characters long, which is 99+9. This will be the verification string.)
1 Number field which receives "Right ( Random ; 9 )" with a script (eg. 937493814)
1 Text field which receives a calculation via a script:
     - Split the 9 numbers into 3 sequences (eg. 937 493 814)
     - For each of the 3 sequences you calculate the character position in the verification string by adding the third number to the first two. (eg. 93+7, 49+3, 81+4) This will never be more than 108.
     - The result of the calculation above is used to look up the letter at the specific location in the global verification string. You will get 3 characters. (N X R)
     - Mix the letters into the numbers to get a beautiful sequence; result 937N493X814R.

This number can be easily reverse engineered and checked for validness. The 108 long string can be used in PHP as a var and used to reverse engineer the unique id, and so check it.
It can be even more secure by giving each 3 digit string its own 108 digit verification string. It can be expanded to be more secure and more complex, but the concept is great. I find this method to be fast and secure, adding more is overkill.
I auto-generated 1000 of these sequences and had them programmed as the UID on rfid cards. Now when a user scans his rfid card, Filemaker first checks the sequence to see if the card is valid. Then checks photo stored, to image on the security camera.
What I also did was avoid certain letters and numbers from appearing. For example capital O and 0 look alike, as well as capital I and 1. So in my verification strings I don't use them, this keeps the strings nicer.

Only downside is if you lose the 108 digit string you are scr3wed.
Anyone interested in a sample file let me know.

Edited by Don_Macaroni

I sure can... It makes proprietary cards. I implemented this twice. Once in a system where a hotel uses cards to identify pool chairs. I supplied a system and barcode cards. By using this method I forced the customer to buy my cards, because cards with a sequential numbering will not work. And second on a harbor entry system. The system is unmanned and uses rfid cards with my numbers. Prior to the system looking up the person id-ing himself, it checks if the card is one of the system (and not some random id-ed card you can buy anywhere).

It has huge potential and a wide range of implementation. With the 108 digit sequence you make any id card proprietary and protect the vendor from the customer outsourcing elsewhere.

Unless you know the 108 digit key, this can not be guessed. Not in a million years.

Edited by Don_Macaroni

I would think that if you issue unique IDs, you would keep track of them.

Anyway, if you want to build a "secure" system, you need to learn some basic rules of security first.

15 minutes ago, Don_Macaroni said:

Unless you know the 108 digit key, this can not be guessed. Not in a million years.

I don't need to guess. All I need is to read one of your IDs and I can generate close to 500 others that will pass your verification. For example, given your "937N493X814R" I can generate:

919N493X814R
928N493X814R
946N493X814R
955N493X814R
964N493X814R
973N493X814R
982N493X814R
991N493X814R
919N439X814R
919N448X814R
..

and so on.

 

 

 


The formula listed is an example of how to implement a long verification string. It is not a login or password, it is an alternative to using sequentially numbered unique ids. It is not meant to give access to anything, therefore your arguments are not valid (they are in their respective sense). As said, I used this method to number 100,000 cards, which belong to a proprietary system I own. To prevent my customer from ordering stock sequentially numbered cards cheap from another source, I invented this. For my customer to discover my formula and 'secret' string to make 100,000 numbers that work would be virtually impossible.


On 26 June 2016 at 0:11 PM, Don_Macaroni said:

For my customer to discover my formula and 'secret' string to make 100,000 numbers that work would be virtually impossible.

Not even close to impossible. Maybe it's more effort than your typical clients are willing to invest, but any competent cryptanalyst would have no problem with this. A more secure approach might be to start with a real-data serial number, run it through a salted hash, and add the hash to the serial number. As long as you keep the salt secret, clients should not be able to reproduce the full value.

A weaker option, but perhaps less effort to implement in FileMaker without a plugin and still stronger than what you have so far, would be to use a basic checksum algorithm instead of a cryptographic hash function:

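Let ( [
    // Serial number to protect
    _data = Table::serialNumber ;
    // Secret salt: any ASCII text, kept private by the issuer
    _salt = $anyASCIITextYouWant ;
    // ChecksumCRC16 is not a built-in FileMaker function; supply it as a custom function
    _checksum = ChecksumCRC16 ( _data & _salt ) ;
    // Shift the serial left by 16 bits and append the 16-bit checksum
    _finalID = _data * 2^16 + _checksum
] ;
    _finalID
)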

Edited by jbante
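
The exchange above, as an added example in Python (not code from any poster in this thread): the three-group lookup from the first post, the digit swap from the reply that still verifies, and the serial-plus-keyed-hash layout suggested in the post above. HMAC-SHA256 stands in for the "salted hash" as an assumption; the key, tag length, alphabet and function names are constructed for illustration.

```python
import hashlib
import hmac

# Verification string quoted in the first post; positions are 1-based (1..108).
TABLE = ("QYUMGZRIHGHMIQSCEBYCWYWLNIPBCEZZCYBZIKJTGLKWGECGJBBQHXVCJQUH"
         "AMGWCOCGIAZNYNNOIJLBOSRVDMRFAVNPCOWFGGXNATEUKNPW")
# Assumptions (not from the thread): demo key, 32-symbol alphabet without I, O, 0, 1.
SECRET_KEY = b"constructed-demo-key"
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def legacy_position(group: str) -> int:
    """First post's rule: first two digits plus the third digit."""
    return int(group[:2]) + int(group[2])


def issue_legacy(digits: str) -> str:
    """Interleave each 3-digit group with its table letter, e.g. 937 -> 937N."""
    groups = [digits[i:i + 3] for i in (0, 3, 6)]
    if any(legacy_position(g) == 0 for g in groups):
        raise ValueError("group 000 maps to position 0, which the table lacks")
    return "".join(g + TABLE[legacy_position(g) - 1] for g in groups)


def verify_legacy(card_id: str) -> bool:
    if len(card_id) != 12 or not card_id.isascii():
        return False
    for i in (0, 4, 8):
        group, check = card_id[i:i + 3], card_id[i + 3]
        if not group.isdigit() or legacy_position(group) == 0:
            return False
        # The letter depends only on the digit sum, not on the digits themselves.
        if TABLE[legacy_position(group) - 1] != check:
            return False
    return True


def mac_tag(serial: str, key: bytes = SECRET_KEY, length: int = 8) -> str:
    """Truncated HMAC-SHA256 over the whole serial, 5 bits per symbol."""
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b & 0x1F] for b in digest[:length])


def issue_mac(serial: str, key: bytes = SECRET_KEY) -> str:
    return f"{serial}-{mac_tag(serial, key)}"


def verify_mac(card_id: str, key: bytes = SECRET_KEY) -> bool:
    serial, sep, given = card_id.partition("-")
    if not sep or not (serial.isascii() and serial.isdigit()):
        return False
    # Constant-time comparison of the recomputed tag with the presented one.
    return hmac.compare_digest(mac_tag(serial, key).encode(), given.encode())


def compare_schemes(digits: str = "937493814") -> dict:
    """Swap 937 for 919 (same digit sum, as in the reply) under both schemes."""
    legacy = issue_legacy(digits)
    keyed = issue_mac(digits)
    swapped = "919" + digits[3:]
    return {
        "legacy_genuine": verify_legacy(legacy),
        "legacy_altered": verify_legacy("919" + legacy[3:]),
        "keyed_genuine": verify_mac(keyed),
        "keyed_altered": verify_mac(swapped + keyed[len(digits):]),
    }


if __name__ == "__main__":
    for name, ok in compare_schemes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The keyed tag shows only that the holder of the key issued the serial; a copied card still verifies, so issued IDs still need to be tracked.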

Got some numbers here, generated in Filemaker with a different formula than described above...


For the ones that want to reverse engineer it to see if it is easy or not, the numbers can be verified here. https://fieldsmedia.com/verify/
I programmed it with PHP, reverse engineering the string.

Another fact is, by using a string longer than the 24 characters used (26 minus the I and O I took out for confusion), the chances are real that certain combinations/calculations are wrong, but result in the same letter. This can be avoided by using double letters instead of one. But as said, this was never intended to secure data from hackers. It is not a password, nor will it give access to the FBI's Area 51 documents. It is a way to generate unique ids that are virtually impossible, or at least very hard, to crack by the average Joe. Also, I have these programmed on an rfid card and they are not displayed in plain text on the card itself. So you would need an rfid reader as well...

I think it is pretty neat and very usable for its purpose. Hope it helps somebody with something, you can take this a long way and expand it greatly.


You say that's about security ("virtually bullet proof", you said), then that it's not about security (from someone who knows what they're doing), then that it is about security (from someone who does not know what they're doing). You'll understand my whiplash. Good for you if this solution works for you, but I don't want someone else in the future to find this thread and think your solution is a secure one. You have a good idea, but cryptographers have had similar ideas, and they've spent decades refining them. With a little more effort, there are more secure solutions to the same problem. There are even solutions to the same problem that are more secure and don't require any more effort. Others who have a similar need to yours should consider one of those solutions instead.

Edited by jbante

Maybe a little too enthusiastic with 'super secure', but thanks to the 'constructive' critics ;-) I was able to better the concept. Random string is checked for doubles prior to being calculated, added double letters to the sequence, made the hash longer and made the calculation more complex.

SQ66450CB119
AM12264BR442
SD76146FA698
FA78819SW656


https://fieldsmedia.com/verify/

If you give away the key of your SSL certificate, hackers can decrypt it and you're doomed. Same here, if the calculation and hash are known, it would be an easy game. Hackers will always go for easy prey first, and base their attacks on what's at stake (decrypting chair tags would not be one of them). In this case it is not an easy task discovering an 800+ string hash and calculation. In my opinion the concept of creating secure unique id sequences, as an alternative to 'open' sequentially numbered ones, is great and something to dive into. For example, a lot of companies use sequential numbered barcodes as customer ids. This is easy to duplicate and the system will accept it as usual. If the system could check at id scan if a card is genuine or not, that would be great.


5 minutes ago, Don_Macaroni said:

If you give away the key of your SSL certificate, hackers can decrypt it and you're doomed. Same here, if the calculation and hash are known, it would be an easy game.

No, it's not the same at all.

 


I challenge anyone to decrypt this... Even with the verify weblink, which is not available normally, I think it will be hard to impossible. Just added a better hash which adds lower caps and numbers for more randomness.
Oi23825l7455
oP47247E0887
VO957142K378
13739448P283
0f78772Ok163
https://fieldsmedia.com/verify/
 


2 hours ago, Don_Macaroni said:

I challenge anyone to decrypt this...

If you want to pay for a security audit, I'd be happy to make the attempt. It will require more source data, though.

Edited by jbante