[Phpwm] Encryption
Elliot Smith
elliot at townx.org
Fri Aug 17 16:08:19 BST 2007
David Edwards wrote:
> On 17/08/07, pete graham <petegraham1 at gmail.com> wrote:
>
>> It's not a high security app, it was debated whether we would even
>> bother encrypting the id at all. The reason for having it is just so
>> random people can't go to the site and guess id values.
>>
>> Regards, Pete
>>
>
> In that case you could use something simple like UUEncode or Base64 to
> sanitize your crypted values for network transmission.
>
I think Pete was concerned with how ugly it looks in the URL when it's
URL-encoded. He mentioned PEAR Crypt in his first post and dismissed it
for this reason, I think.
This is my solution for clean, symmetrically-"encrypted" IDs. (Which was
hastily put together, by the way.) If you really don't want to store the
hashed ID, why not just do a simple Caesar-cipher style encoding which
is easy to reverse?
e.g. replace each digit in the ID with the corresponding letter of the
alphabet (0 = a); then shift two letters forward in the alphabet; then
copy it a few times, reversing it every second copy. Let's say we want
to encode 1234:
1234 becomes bcde
shift two letters to get defg
Then repeat 7 times, reversing the string every second copy:
?id=defggfeddefggfeddefggfeddefg
Then to decode it, you divide the length of the id querystring variable
by 7 to work out how long the real ID is, and take that number of
characters from the end of the string as the actual ID. (You could also
check that the rest of the string is in the correct format by taking
those last few characters and reconstructing what the querystring should
have looked like.) Decode it by shifting back, and you have the numeric
ID again.
This might deter a drive-by malcontent for five minutes, which
presumably is what you're after.
How obfuscated do you want it? Applying more obfuscation than this is
pretty pointless, as one symmetric cipher is practically as easy as
another to decrypt (as Dave stated). If you actually want it to be
difficult (practically impossible) to break, you need to use and store
hashes.
I reiterate that I haven't really thought through every ramification of
this, but my head hurts for now, so I'll come back to it later.
Elliot
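The scheme described above, written out as an added example (not code from the original thread), including the reconstruction check Elliot suggests for decoding; SHIFT, REPEATS and the function names are this example's own choices. Note that decode_id is no harder to write than encode_id: this is reversible obfuscation, not encryption, so the token carries the same information as the plain numeric ID.

```python
# Added example, not from the original post: Elliot's reversible ID
# "obfuscation" (digits -> letters, Caesar shift, repeat with alternating
# reversal) plus the reconstruction check for decoding.
# SHIFT, REPEATS and all names are this example's own assumptions.

SHIFT = 2     # shift each letter two places forward (b -> d)
REPEATS = 7   # copy the encoded ID seven times, reversing every second copy


def _digits_to_letters(numeric_id: str) -> str:
    # 0 -> a, 1 -> b, ..., 9 -> j, then SHIFT letters forward (no wrap needed)
    if not numeric_id.isdigit():
        raise ValueError("ID must be decimal digits")
    return "".join(chr(ord("a") + int(d) + SHIFT) for d in numeric_id)


def _letters_to_digits(chunk: str) -> str:
    # Reverse of _digits_to_letters; anything outside c..l is not a digit
    digits = []
    for ch in chunk:
        value = ord(ch) - ord("a") - SHIFT
        if not 0 <= value <= 9:
            raise ValueError("chunk is not a valid encoded ID")
        digits.append(str(value))
    return "".join(digits)


def _encode_digits(numeric_id: str) -> str:
    chunk = _digits_to_letters(numeric_id)
    # copies 0, 2, 4, 6 are forward; copies 1, 3, 5 are reversed
    return "".join(chunk if i % 2 == 0 else chunk[::-1] for i in range(REPEATS))


def encode_id(numeric_id: int) -> str:
    return _encode_digits(str(numeric_id))


def decode_id(token: str) -> int:
    # The query string is REPEATS copies, so the real ID is len(token)/REPEATS
    if not token or len(token) % REPEATS:
        raise ValueError("token length is not a multiple of %d" % REPEATS)
    chunk_len = len(token) // REPEATS
    chunk = token[-chunk_len:]   # last copy is forward because REPEATS is odd
    numeric_id = _letters_to_digits(chunk)
    # Integrity check: rebuild what the query string should have looked like
    if _encode_digits(numeric_id) != token:
        raise ValueError("token does not match its reconstruction")
    return int(numeric_id)


def is_valid_token(token: str) -> bool:
    # True only for a token that decodes and reconstructs exactly
    try:
        decode_id(token)
        return True
    except ValueError:
        return False
```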