Fog Creek Software
g
Discussion Board

What to use for Encryption and Decryption?

Hi:

We have an application that send a URL link to an end-user.

The URL link is of the format: www.domain.com/pid=0001?id=56

When the user clicks on the link, a database record (relating to the user) is updated with a fag.

What would be the best method for enrypting the above string after the "www.domain.com/" part?

And decrypting on the other side?

Sojourner
Thursday, January 15, 2004

There is no method that I can think of that wouldn't require a password.

I hope you mean you add a cigarette to your database.

www.MarkTAW.com
Thursday, January 15, 2004

Can heterosexuals use your service too?  :P

John Rose
Thursday, January 15, 2004

What do you want encryption for? 

1. So the user can't modify the URL you send him and return bogus information?
2. So no one will see (potentially sensitive) data transmitted over the network?

I'm assuming #1.  If decryption and encryption happen on the same machine, you don't have to worry about key exchange.  You can append a CRC checksum to your data, encrypt them both with a password that exists only on the server, convert base 64, and return ?query=blahblahblah.  When ?query=blahblahblah comes back, perform the reverse operation and verify the CRC of the data matches the first CRC.  This will pretty much guarantee that unless the user knows the secret password on the server, they won't be able to send random data back and have it mean anything.

Alyosha`
Thursday, January 15, 2004

Good point.  If the url is www.foo.com/login.asp?id=42 what's to stop the user from changing it to id=42 and logging in as somebody else?  Here's what I do.

Suppose your database table looks like this
Field 1:  ID_User (int) (identity)
Field 2: Unique_ID (varchar(50))

The default value for Unique_ID should be some random or pseudo-random value.  Or, if you're using SQL2000 or some other database that supports this, make it a GUID field so you KNOW you know a user can't guess it.

So, when you email out the login link, send the ID_User field AND the Unique_ID field in the url.... www.foo.com/login.asp?id=42& unique_id=489392803

Drawbacks/Gotchas:
1. It's not totally secure.  Nobody's gonna *guess* anybody else's URL, but obviously that querystring is being sent in plaintext so anybody between them and your server can catch that.  For a lot of applications, it's "good enough", though.
2. If you're using a time-based seed and a random value for the unique_id field, you could get a lot of duplicates if you insert a multiple users at once (as part of the bulk import or whatever).
3. If you're using a "real" GUID field I guess it would be globally unique and you could skip the ID_user field in the querystring.

Hope this is applicable to your problem.

John Rose
Thursday, January 15, 2004

"what's to stop the user from changing it to id=42 and logging in as somebody else? "

...should have read, "changing it to id=43" or some such.

John Rose
Thursday, January 15, 2004

Hmm. References to Douglas Adams abound.

If the purpose is to prevent the person from figuring out someone else's URL, then some sort of "obfuscation is in order. Don't even bother to put in ID= because right there that tells me anything after that I can edit. I'm sure some sort of hash style encryption could do the trick. Heck, you could hash the username if you need a longer seed and if you were confident somoeone couldn't obtain the username from the hash.

As I said before, you could require that the user take some action once they visit the URL, thereby preventing a 2nd person from using this link again. If someone gets to it before them, they'll know. If someone gets to it after them, they won't be able to get in.

www.MarkTAW.com
Thursday, January 15, 2004

1. Use forms, with the post method to obfuscate.
2. I don't quite get the login problem. The user will submit their username and password in a form. The system will say yeh, and set a session object or cookie, or nay, and tell the user to try again.

Rhys Keepence
Friday, January 16, 2004

fag??


Friday, January 16, 2004

> fag

Yes, it's a gay guy that adds a 1 to the database every time you access the page.

Here in the states we call them flags.

www.MarkTAW.com
Friday, January 16, 2004

*  Recent Topics

*  Fog Creek Home