2

We frequently need to send entity ids to the client side.

How could we protect this data (especially ids)?

Even if we encrypt using the same key every time, it can be identified by analysis.

For example, if I encrypt id "1" to let's say "ae!" (using any algorithm), that same id can be used later on as well.

So should we use the session id as the key to send data to the client side (this will validate data only as long as the session is active)? Or could we randomly append a string to id "1", encrypt it and then send it to the client side (this can also be sent again at any later time)?

Or is there any other way?

What is the best practice for taking care of this type of security?

I am using .NET MVC with C#, but I think the question is independent of the platform.

Let's take an example.

In the following link, the id is given in the datasource, which is plain text, so any person with technical knowledge can modify it (using the developer console of the browser).

So IMHO it should be encrypted, to make it unchangeable (because the changed value is not acceptable due to encryption).

https://docs.telerik.com/kendo-ui/api/javascript/ui/grid/configuration/editable

peterh
  • I fail to understand what your problem is. But it seems to be about protecting data transferred between client and server. If this is really your problem why not simply use HTTPS? – Steffen Ullrich May 26 '18 at 19:44
  • I want to make ids, which can be obtained using the developer console, unclear to anyone (let's say a user with a developer mind). The id should not be open to the browser. – Anonymous Creator May 26 '18 at 19:47
  • If you want to have the key available within the browser using Javascript but not accessible using developer tools, then this is impossible. If you just want to hide the server-side meaning of the key, use a random key and associate it server-side with the relevant data using a database or similar. Also note that the 'ids' tag stands for *intrusion detection system*, which is probably not what you mean (I've removed it). – Steffen Ullrich May 26 '18 at 19:50
  • A key in the browser is fine. It just should not be plain text. – Anonymous Creator May 26 '18 at 19:55
  • Why do you need to keep the id private? Are there other security holes you wish to work around? – jrtapsell May 26 '18 at 21:19
  • Suppose the user doesn't have permission to id = 1; then instead of checking it on the server side it will be better if I don't give a chance to do it from the client side. If I keep it in plain text then the user can edit it from 2 to 1 directly, and if they are encrypted then it would be difficult to do so. – Anonymous Creator May 27 '18 at 07:46
  • This is somewhat related to the following question: https://security.stackexchange.com/questions/56357/should-i-obscure-database-primary-keys-ids-in-application-front-end – Anonymous Creator May 27 '18 at 08:07
  • It looks like you're trying to (re)invent some kind of security scheme instead of looking for an already available one which fits your purpose. I would recommend against it, because there is a good chance you will overlook some weakness in your own scheme. – allo May 28 '18 at 12:41
  • @HardikViradiya You absolutely need to do server side authentication even if you obfuscate the ids. – FINDarkside May 28 '18 at 14:40
  • @FINDarkside What can be the reason for that? – Anonymous Creator May 28 '18 at 15:58
  • @HardikViradiya Users can still guess ids, and they can share the urls too. If you shared your stackexchange settings page url, you probably don't expect anyone to be able to see and change your settings right? I'm not sure what kind of information those pages contain, but this feels like a really bad idea anyway, maybe you should explain why you don't want to authenticate these requests? – FINDarkside May 28 '18 at 16:07
  • Actually it will give me a performance issue. I just need this so that a person cannot do it in a bulk way. So if ids are not obvious, one will not simply change the id and send requests in a loop through the console. Guessing will take time (I guess a lot if big encryption is used), and also I want that encrypted id to be decrypted only by that session, so that by the time the user guesses anything it will have changed once that session expires. – Anonymous Creator May 30 '18 at 14:41

1 Answer

0

You can use a hash of the ids. For example, in pseudo-code,

`sha2(entry_id || delimiter || user_id)`

will do what you want:

  • all the users will see the same content on the same id,
  • neither the users, nor even potentially cooperating different users, will be able to identify the entities by their hashes,
  • however, all the users will see the same entity behind the same hash.

The disadvantage of the method is that you need backend storage for the per-user hash keys: the users will refer to the entities only by their hash, and not even you will be able to decode the entity from it.

You may get increased security by binding the hash to the session instead of the user:

`sha2(entry_id || delimiter || session_id)`

This will increase security (not even the user will be able to identify the entities between their sessions), and you will need to store the hashes only until session timeout. However, the user will be unable to produce a client-side entity storage (which may also be an advantage).

peterh
  • This seems to be what I wanted. I just want your suggestion: session_id is available in client-side cookies, so should I generate a key and store it in cookies instead? – Anonymous Creator May 30 '18 at 14:48
  • @HardikViradiya Store it in the session, not in cookies... cookies are visible for the client browsers, the session data is not. – peterh May 30 '18 at 15:13
  • I was editing it, but a message like "cannot edit in 5 mins" was showing when I tried to edit the comment. One more thing: it is not feasible to store the hash value in some store. :( – Anonymous Creator May 30 '18 at 15:31
  • @HardikViradiya And why? You need only a single `Map` (I don't know the correct syntax in .Net but probably some similar), i.e. an integer array indexed with the hashed entity ids. If you have a `Map cica`, then `cica["fce2c0de...."]` will give you back the integer entity_id belonging to the `cica` entities. But the client browser won't see this id, he will see only the hash. – peterh May 30 '18 at 15:40
  • @HardikViradiya If you want a f*g fast app, you could use some bigint type instead of a String map. For example, if the hash function generates 128bit integers, then instead of using their hexa representation as string, you could use a 128bit binary value (it has probably the "BigInt" or "LongLongInt" or similar name). – peterh May 30 '18 at 15:42
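
The session-bound scheme from the answer and the `Map` lookup from its comments, as an added Python example that is not code from the original thread. It swaps the bare `sha2(...)` for HMAC-SHA256 under a random per-session secret kept in server-side session state, so a client that knows its own session id cannot recompute tokens; `SessionIdMasker`, `handle_edit` and the `PERMISSIONS` table are hypothetical names with constructed data.

```python
import hashlib
import hmac
import secrets


class SessionIdMasker:
    """Per-session opaque references for entity ids (hypothetical helper)."""

    def __init__(self):
        # Secret lives in server-side session state, never in a cookie.
        self._key = secrets.token_bytes(32)
        self._by_token = {}  # token -> (type, id); discarded with the session

    def mask(self, entity_type: str, entity_id: int) -> str:
        # Keyed variant of sha2(entry_id || delimiter || session_id).
        # Assumes entity_type never contains the ':' delimiter.
        msg = f"{entity_type}:{entity_id}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._by_token[token] = (entity_type, entity_id)
        return token

    def resolve(self, entity_type: str, token: str):
        # Only tokens this session was actually handed can be resolved.
        entry = self._by_token.get(token)
        if entry is None or entry[0] != entity_type:
            return None
        return entry[1]


# Constructed sample data: which user may edit which order ids.
PERMISSIONS = {"alice": {1, 2}, "bob": {3}}


def handle_edit(user: str, masker: SessionIdMasker, token: str) -> str:
    order_id = masker.resolve("order", token)
    if order_id is None:
        return "400 unknown reference"
    # Masking is not access control: the server-side check stays.
    if order_id not in PERMISSIONS.get(user, set()):
        return "403 forbidden"
    return f"200 edited order {order_id}"
```

The lookup is a single dictionary access per request, and the map holds only the ids already sent to that session, so it disappears with the session.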