This page is about how to obfuscate / protect an internal id so that, even if the ids are public, they cannot be guessed.
Obfuscation is mostly used to prevent anyone from guessing your data.
For instance, from a sequential id in a URL such as this one, you can estimate the number of orders:
https://example.com/orders?orderid=7865
It can also help prevent a DDoS.
Because the id is not shown as a sequence, the attacker cannot guess or create ids.
Because the id is not shown as a sequence, you can prevent scanning of public data and extraction of information. If you have a public page, the attacker cannot guess the next id.
The ids are encrypted using a symmetric cipher with a secret and a salt, because there is only one party, you, that encodes and decodes them.
Example:
Strength | Method | Example | Note |
---|---|---|---|
strong | key | Advanced Encryption Standard (AES) | generally with a hash-based message authentication code (HMAC) to protect the IDs from being altered by the attacker |
less strong | alphabet shuffle | the best-known example is the Hashids library | |
Example:
```javascript
import Hashids from "hashids";
import * as uuid from "uuid";

// Hashids configuration: salt, minimum output length and output alphabet
let minimalHashLength = 8;
let hashAlphabet = "abcdefghijklmnopqrstuvwxyz1234567890";
let hashids = new Hashids("this is my salt", minimalHashLength, hashAlphabet);

// Encode and decode a single value
let encode1 = hashids.encode([1]);
let decode1 = hashids.decode(encode1);
console.log(`The value 1 encoded is: ${encode1}`);
console.log(`The encoded value ${encode1} decoded is: ${decode1}`);

// A string that was not produced by encode() decodes to an empty array
let badvalue = "badvalue";
let decodedBadValue = hashids.decode(badvalue);
console.log(`The bad value (${badvalue}) decoded is an empty array: ${decodedBadValue}`);

// Several values can be encoded into a single string
let multipleValues = [1, 2];
let multipleValuesEncoded = hashids.encode(multipleValues);
console.log(`Multiple values (${multipleValues}) are encoded to ${multipleValuesEncoded}`);
let multipleValuesDecoded = hashids.decode(multipleValuesEncoded);
console.log(`Multiple values encoding (${multipleValuesEncoded}) are decoded to ${multipleValuesDecoded}`);

// Encode a UUID by splitting its 16 bytes into its integer fields
let uuidString = uuid.v4();
let uuidByteArray = uuid.parse(uuidString); // 16 bytes array
let dataViewByteArray = new DataView(uuidByteArray.buffer, 0);
let uuidTimeLow = dataViewByteArray.getUint32(0);
let uuidTimeMid = dataViewByteArray.getUint16(4);
let uuidTimeHighAndVersion = dataViewByteArray.getUint16(6);
let uuidClockSeq = dataViewByteArray.getUint16(8);
let uuidNode1 = dataViewByteArray.getUint32(10);
let uuidNode2 = dataViewByteArray.getUint16(14);
let uuidHashed = hashids.encode([uuidTimeLow, uuidTimeMid, uuidTimeHighAndVersion, uuidClockSeq, uuidNode1, uuidNode2]);
console.log(`The uuid ${uuidString} has been encoded to ${uuidHashed} of length ${uuidHashed.length}`);
```
Optimus:
Implementation:
SIV solves both:
It produces:
AES-SIV ciphertexts are the size of the input + 128 bits (the SIV tag), because it uses AES-CTR encryption.
SIV was introduced in the 2006 paper by Phil Rogaway, “A Provable-Security Treatment of the Key-Wrap Problem”, and is described in RFC 5297.
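The "strong" row of the table (AES with an HMAC) and the size property above can be seen together in the following added example, which is not code from this page or from any library it mentions. It is SIV-style rather than RFC 5297 AES-SIV itself: the synthetic IV is a truncated HMAC-SHA-256 instead of S2V/CMAC, and the key values and the names `encodeId` and `decodeId` are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Constructed demo keys. In production, load two independent random
// 32-byte keys from a secret store instead of deriving them from strings.
const ENC_KEY = crypto.createHash("sha256").update("demo-enc-key").digest();
const MAC_KEY = crypto.createHash("sha256").update("demo-mac-key").digest();

// 128-bit synthetic IV: a keyed MAC over the plaintext id bytes.
// It doubles as the authentication tag checked on decode.
function syntheticIv(plain) {
  return crypto.createHmac("sha256", MAC_KEY).update(plain).digest().subarray(0, 16);
}

// Deterministic: the same id always yields the same token, so URLs stay stable.
// Accepts a non-negative integer (Number or BigInt) below 2^64.
function encodeId(id) {
  const plain = Buffer.alloc(8);
  plain.writeBigUInt64BE(BigInt(id));
  const iv = syntheticIv(plain);
  const cipher = crypto.createCipheriv("aes-256-ctr", ENC_KEY, iv);
  const body = Buffer.concat([cipher.update(plain), cipher.final()]);
  // Token layout: 16-byte tag followed by ciphertext (input size + 128 bits).
  return Buffer.concat([iv, body]).toString("base64url");
}

// Returns the id as a BigInt, or null when the token was guessed or altered.
function decodeId(token) {
  const raw = Buffer.from(String(token), "base64url");
  if (raw.length !== 24) return null; // 16-byte tag + 8-byte ciphertext
  const iv = raw.subarray(0, 16);
  const decipher = crypto.createDecipheriv("aes-256-ctr", ENC_KEY, iv);
  const plain = Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]);
  // Recompute the tag over the recovered plaintext and compare in constant time.
  if (!crypto.timingSafeEqual(iv, syntheticIv(plain))) return null;
  return plain.readBigUInt64BE();
}

// Sample run with the order id from the URL at the top of the page.
const token = encodeId(7865);
console.log(`7865 -> ${token} -> ${decodeId(token)}`);
console.log(`"badvalue" -> ${decodeId("badvalue")}`);
```

Unlike the Hashids `decode` call, which returns an empty array for a bad value, a rejected token here means the keyed tag did not verify, so a client cannot construct a valid token for an id it was never given.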