Secure Authentication Method For Banking Using QR Code

Miss. Manisha Lute¹, Miss. Nayana Khandeshi², Miss. Panchashila Mokal³, Miss. Yogita Bodke⁴
BE. Scholar, Department of Computer Engineering, S.R.E.S's College Of Engineering, Kopargaon, India
Abstract: This paper explains the implementation details of a secure authentication system using QR codes for banking. Security is an important issue for online banking applications. When implementing an online banking system, the need for secure data transfer can be met by using secure encryption techniques. To eliminate man-in-the-middle attacks and to confirm the user's identity, we use the concept of a QR code with an Android application. QRP is an extremely secure system that uses two-factor authentication by combining a password and a camera-equipped mobile phone. QRP is extremely secure as all the sensitive information stored and transmitted is encrypted. QRP is portable and can be used securely on untrusted computers. In this project we have shown different banking operations such as money transfer, online shopping, etc.
Keywords: Quick Response (QR) code, Two-factor authentication, mobile phone, encryption, decryption
I. INTRODUCTION
In the modern world, we do almost everything online (banking, communicating, storing and sharing personal information, shopping), so it is nowadays critical to be able to access these services in the most secure manner. As viruses and cracking methods become more complex and powerful day by day, the available security techniques must improve as well, to allow users to protect their data and communications with the maximum security. One-factor authentication was used traditionally, but it is less secure: a username and password are not secure enough for critical transactions, and anyone can access this information. So this paper presents a two-factor authentication method, which provides more security than the previous one. A two-factor authentication method includes two of the three authentication verification methods given below:
- Something the user knows, such as a password or a PIN code.
- Something the user has, such as a token or a smart card.
- Something the user is, such as a fingerprint or a retinal scan.
It is observed that the higher the factor, the more secure the authentication method will be. The aim of this paper is to develop an authentication method using two-factor authentication: a trusted device (a mobile phone) that will read a QR code which acts as a token, and a password known by the user. The main advantage of using a mobile phone is that any user has a mobile phone, and because of that there is no need for a hardware token. A QR code is a type of bar code. A bar code is a one-dimensional code and QR codes are two-dimensional. QR codes can store more data than bar codes. To eliminate attacks such as phishing and to confirm user identity, a QR code scanned by the user's mobile device can be used, and the weakness of the traditional password-based system can be improved by finding the user transaction information and a value unique to the user side, i.e. the IMEI number of the mobile phone.
The structure of this paper is as follows: first we give information about the QR code and related work, which includes the different modules of the system, then the motivation of this paper, then the design and implementation of the system, experimental results, etc.

II. RELATED WORK
1. Two-Factor Authentication:
Many authentication methods are available for security while doing transactions, such as one-time password, one-factor authentication, etc. In one-factor authentication only one factor is considered, such as ID plus password, which is not very secure. So in two-factor authentication two strong factors are considered, such as a mobile phone that will read the QR code and a password known by the user.
2. QR code:
A QR code is a two-dimensional barcode introduced by the Japanese company Denso-Wave in 1994. These barcodes were initially used for tracking inventory in vehicle parts manufacturing, and nowadays the code is used in many industries. QR stands for "Quick Response" because the contents of the code are decoded at very high speed. By using camera-based devices, the authentication method is more secure for critical transactions, such as banking operations, and most particularly when connecting from untrusted computers. QR codes are used to store textual information in the form of an image, and this image can be read by any smartphone. Recently much research has focused on applications of the QR code and advancement of the technology for providing a better user experience. On the other hand, QR codes are understood only by machines, not by human beings. This means the user is not able to know what is behind the QR code, and this is good for security.
Technology:
A QR code is a matrix code which is easily interpreted by scanner equipment. It contains information in both the vertical and horizontal directions, whereas a 1D barcode has only one direction of data (usually the vertical one). A QR code also has error correction capability: data behind the QR code can be restored even when some parts of the code are damaged. Compared to a 1D barcode, a QR code can store more data: 7,089 characters for numeric-only data, 4,296 characters for alphanumeric data, 2,953 bytes of binary (8-bit) data and 1,817 characters of Japanese Kanji/Kana symbols.
Decoding of the QR code depends on the type and the nature of the data stored in the QR code.
3. Android:
Android is a Linux-based operating system designed for touchscreen mobile devices such as smartphones, tablet computers, etc. Android was developed by Android Incorporation, which Google financially supported and later purchased in 2005. At first Android worked on Linux kernel version 2.6, and from Android 4.0 onwards it works on version 3.x with libraries and APIs.
III. MOTIVATION
Nowadays the use of online banking is increasing gradually. Existing online banking systems use a one-time password which is sent to the user's mobile, so anyone can hack the information in between the transaction. In our project we use the QR code, so this drawback is overcome. In this project there is no need for additional tokens for authentication because it uses the mobile phone. A man-in-the-middle attack is not possible as all the communication is encrypted.

IV. SYSTEM IMPLEMENTATION
Fig.1 Online Authentication System
The above figure shows the overall design of the system. The system structure mainly focuses on the following modules:
- Registration
- QR Code Generation
- QR Code Scanner
- Authentication
- Online Transaction simulation
Here the complete information about how the entire system works is given module-wise:
A. Registration:
The user first has to register to use the system. A new user first goes to the registration section of the QRP web application and submits her username, password, name, address, contact number, etc., and the IMEI number of the phone which she intends to use for authentication, obtained using the getDeviceId() method.
After the user enters valid data (i.e. correct IMEI, password complex enough, etc.), the server stores this information in the database.
Next, the server generates private and public keys that are unique to each user and stored on the server.
After this, the user has to download and install the application on her phone.
The first time the mobile application is run, the user needs to enter her username and password. The credentials (user/password) are validated against the database through an https request to the application server. If validation is successful, the user has to enter other credentials, and according to those credentials the QR code will be generated.

B. QR Code Generation:
After successful login the user has to enter details such as whether he uses a Debit Card or a Credit Card, and credentials such as Account Number (16-digit number), Name On Card, ATM Pin, CVV Number (number on the back side of the card), Bank Name and the Expiry Date of the card, and the IMEI can be verified by the mobile application. After the details are submitted through a secure channel, three files are imported and stored in the user's phone internal storage: the server's public key, the user's private key and a user data file containing the user's encrypted credentials. The server's public key will be used to decrypt the credentials file. The user's private key will be used to authenticate in the server. From this encrypted file the QR code is generated. For encrypting the credentials the AES encryption algorithm is used. After all correct credentials are submitted, a .png image of the QR code is generated, and that image is stored on the user's phone SD card and also in the database.

2.1 Encrypting the message
The AES encryption algorithm uses a set of specially derived keys called round keys. These keys are applied, along with other operations, on an array of data that holds exactly one block of data, the data to be encrypted. This block is called the state array. The steps in the AES algorithm are as follows:
- Derive the set of round keys from the cipher key.
- Initialize the state array with the block data (plaintext).
- Add the initial round key to the starting state array.
- Perform nine rounds of state manipulation.
- Perform the tenth and final round of state manipulation.
- Copy the final state array out as the encrypted data (cipher text).
The following figure shows the encryption process.
Fig. AES Encryption process
2.1.1 QR Code structure:
Fig.4.4 QR code structure

C. QR code scanner:
Without a machine, it is impossible for a human to manually decode QR codes, but they are easily processed by scanning equipment. So after the QR code image is displayed on the computer screen (bank server), the customer scans the QR code with the Android QR code scanner application.
The QR code scanner is used to scan the content of the QR code. After scanning the QR code, to get the original credentials AES Decryption algorithm is.
3.1 AES Decryption Algorithm:
Decryption involves reversing all the steps taken in encryption using inverse functions:
(a) InvSubBytes
(b) InvShiftRows
(c) InvMixColumns
XorRoundKey doesn't need an inverse function because XORing twice takes you back to the original value. InvSubBytes works the same way as SubBytes but uses a different table that returns the original value. InvShiftRows involves rotating left instead of right and InvMixColumns uses a different constant matrix to multiply the columns.
The order of operation in decryption is:
(a) Perform initial decryption round:
XorRoundKey
InvShiftRows
InvSubBytes
(b) Perform nine full decryption rounds:
XorRoundKey
InvMixColumns
InvShiftRows
InvSubBytes
(c) Perform final XorRoundKey
Fig.4.5 AES Decryption process

D. Authentication:
The encrypted string plus the username are sent to the web server via POST through a secured channel (https).
The server decrypts the string using the user public key and verifies whether the details obtained after decryption exist in the table.
The server then checks that the IMEI is correct and assigned to a user as per the users table.
In case of successful validation the user is authenticated.
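One way to carry out the server-side check of step D, as an added Go example (not the paper's code): the credential record is sealed with AES in GCM mode, a mode chosen for this example because the paper names only AES, and the IMEI is bound as associated data so that a token copied to another handset, or altered in transit, fails to open. The function names, the record format and the all-zero demo key are assumptions of the example, the IMEI is a sample value, and the paper's public/private key files are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForQR returns the QR text, base64(nonce || ciphertext || tag). The IMEI is bound
// as associated data, so the token only opens for the registered handset.
func sealForQR(gcm cipher.AEAD, record []byte, imei string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, record, []byte(imei))), nil
}

// verifyScan is the server check: the IMEI sent with the scan must equal the users-table
// value, and the token must authenticate and decrypt under that registered IMEI.
func verifyScan(gcm cipher.AEAD, token, sentIMEI, registeredIMEI string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(sentIMEI), []byte(registeredIMEI)) != 1 {
		return nil, errors.New("IMEI does not match users table")
	}
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("malformed token")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(registeredIMEI))
}

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key, not for real use
	tok, _ := sealForQR(gcm, []byte("acct=PLACEHOLDER"), "490154203237518")
	rec, err := verifyScan(gcm, tok, "490154203237518", "490154203237518")
	fmt.Println(string(rec), err)
}
```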
E. Online Transaction simulation
In this module we implement online banking operations such as:
- Money transfer
- Online shopping
In money transfer the user can add the details of the other person to whom he wants to transfer money. In online shopping the user can buy various products online, such as clothes and other products.
For all these transactions, all the details or credentials that need to be sent to the server will be in the form of a QR code. If sufficient balance is available in the user's account, the transactions will be performed successfully.
Experimental Result
We present the methodology of the QR code, which provides the encoding and decoding capacity, and find the following results:
1. Integration of the QR code resolves the capacity problem and stores the maximum data compared to the conventional barcode.
2. The QR code increases the security of data, as all information is encrypted and the QR code is stored in the user's phone so that an unauthorized person cannot decrypt the information.
3. The user can use any combination of the provided information to generate the QR code, which gives more security.
CONCLUSION
Security has become an extremely important matter in our digital society, and therefore two-factor authentication methods play a very important role in storing sensitive information. The QR-based authentication method therefore allows the user to perform all transactions securely. It is more user friendly, as the user does not need to carry another device, and more secure, because the smartphone acts as a token.
The QR code is very user friendly because the data can be accessed with only a single scan using the smartphone. Using QR codes, a large amount of data is encrypted and the user can be protected from hacking.