[Phpwm] Encryption

Elliot Smith elliot at townx.org
Fri Aug 17 16:08:19 BST 2007 

David Edwards wrote:
> On 17/08/07, pete graham <petegraham1 at gmail.com> wrote:
>   
>> Its not a high security app, it was debated whether we would even
>> bother encrypting the id at all. The reason for having it is just so
>> random people can't go to the site and guess id values.
>>
>> Regards, Pete
>>     
>
> In that case you could use something simple like UUEncode or Base64 to
> sanitize your crypted values for network transmission.
>   
I think Pete was concerned with how ugly it looks in the URL when it's 
URL-encoded. He mentioned PEAR Crypt in his first post and dismissed it 
for this reason, I think.

This is my solution for clean, symmetrically-"encrypted" IDs. (Which was 
hastily put together, by the way.) If you really don't want to store the 
hashed ID, why not just do a simple Caesar-cipher style encoding which 
is easy to reverse?

e.g. replace each digit in the ID with the corresponding letter of the 
alphabet (0 = a); then shift two letters forward in the alphabet; then 
copy it a few times, reversing it every second copy. Let's say we want 
to encode 1234:

1234 becomes bcde
shift two letters to get defg
Then repeat 7 times, reversing the string every second copy:

?id=defggfeddefggfeddefggfeddefg

Then to decode it, you divide the length of the id querystring variable 
by 7 to work out how long the real ID is, and take that number of 
characters from the end of the string as the actual ID. (You could also 
check that the rest of the string is in the correct format by taking 
those last few characters and reconstructing what the querystring should 
have looked like.) Decode it by shifting back, and you have the numeric 
ID again.

This might deter a drive-by malcontent for five minutes, which 
presumably is what you're after.

How obfuscated it do you want it? Applying more obfuscation than this is 
pretty pointless, as one symmetric cipher is practically as easy as 
another to decrypt (as Dave stated). If you actually want it to be 
difficult (practically impossible) to break, you need to use and store 
hashes.

I reiterate that I haven't really thought through every ramification of 
this, but my head hurts for now, so I'll come back to it later.

Elliot



> --
> Dave
>
> _______________________________________________
> Phpwm mailing list
> Phpwm at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/phpwm
>

More information about the Phpwm mailing list