This week I attended the InfoSecurity Europe conference in London and as with all big conferences, I was issued my own personal identity badge. After the conference was finished one of my colleagues pointed out something interesting about the QR code printed on our badges.
What's on the badge?
This is the badge I was issued and as you can see, it contains a QR code (both sides of the badge are identical).
Upon scanning the QR code with the appropriate app on my phone, I can see that QR code contains the following data:
{"CJe";"5F56M:H","DO";"Qfouftu Mjnjufe","G";"Tdpuu","KU";"Tfdvsjuz Dpotvmubou","T";"Ifmnf"}
This looks pretty meaningless at first glance but Mark was looking at someone else's badge and spotted a pattern in a word that looked like "Google" (which was on the badge) and he realised it was encrypted with a Caesar Cipher.
Caesar Cipher
The Caesar Cipher is an ancient and widely known encryption cipher that is named after, you guessed it, Julius Caesar! Using a simple shift operation the plain text is converted into cipher text by substituting each Latin character with another character that is a fixed number of positions further along in the alphabet. The number of characters along in the alphabet is determined by the key. For example, using a key of 1 we would see the following:
Plain Text: Scott
Cipher Text: Tdpuu
Each character is shifted by 1 position in the alphabet. Similarly a key of 3 would yield:
Plain Text: Scott
Cipher Text: Vfrww
This is what Julius Caesar first used to encrypt messages of military importance for transit! Suffice to say that using this form of 'encryption' these days offers absolutely no protection whatsoever which leads me nicely on to the next question.
Why is it encrypted?
I can't figure out why the data on the badge would be encrypted like this. We've had a few guesses but none seem to really explain it. Perhaps it was an accident or perhaps it has a purpose, either way it'd be great to hear your guesses below or even an explanation if you know why! Decrypting the data on the QR code was easy, there's only 25 possible keys, and the resulting plain text was found using the key value 25.
{"BId";"5E56L:G","CN";"Pentest Limited","F";"Scott","JT";"Security Consultant","S";"Helme"}