英文:
How can I encrypt and decrypt query my query parameters in a URL?
问题
在我的系统中,我正在生成带有查询参数的URL,用于表示ID。我希望加密这些ID,以便它们不会在URL中明文操作。这些URL将面向公众,我不希望用户能够操纵URL并能够获取其他用户的数据,因此我希望加密这些ID。
我将在Java应用程序中加密ID,然后在Javascript应用程序中解密它们。是否有一些通用的加密算法可以在这两个地方使用?是否有可用的库可以在Java和Javascript中执行此类操作?
我意识到我的两个应用程序都需要访问一个共同的“密码”或解密密钥,我将把它存储在两个应用程序都可以访问的密钥库位置。
英文:
In my system I'm generating URLs with query params that represent IDs. I want to encrypt these IDs so that they are not plainly manipulated in the URL. These will be public facing URLs and I don't want users to be able to manipulate the URL and be able to get other users' data, so I want to encrypt these IDs.
I'll be encrypting the IDs within a Java application and then decrypting them in a Javascript app. Is there some common encryption algorithm I can use in both places? Are there libraries available that would do this sort of thing in Java and Javascript?
I realize both my application will need access to a common "password" or decryption key, I will store this in a keystore location that both apps will have access to.
答案1
得分: 1
IMO你应该自己生成一对公钥/私钥,可以使用OpenSSL、Java keytool等工具。
- 使用JavaScript用公钥加密你的数据
- 在服务器端 - 使用Java,你可以使用私钥解密数据以执行业务逻辑。有许多示例/库可以使用私钥进行解密,例如
你应该阅读一下RSA算法,以更好地理解其工作原理。
基本上,你需要用公钥加密数据(前端部分),然后用私钥解密(后端部分)。
不建议:
如果你仍然想要通过JavaScript在前端解密,这意味着你必须公开可以被JavaScript读取的私钥来进行解密。从技术上讲是可以的,但可能存在安全问题。
另一种解决方案:
- 你可以将数据(Id、秘密数据等)加密为一个加密字符串,然后将该字符串作为URL的参数发送(在服务器端生成)
- 当最终用户点击该URL时,你可以使用私钥(服务器端)解密参数,以获取实际数据(Id、秘密数据等)。
英文:
IMO you should generate a public/private key by your own then (OpenSSL, Java keytool...).
- Using javascript to encrypt your data with the public key
- On Server-side - Java, you can use the private key to decrypt your data to execute your business behaviour. There are many examples/library to decrypt by the private key such as
- https://www.devglan.com/java8/rsa-encryption-decryption-java
- https://gist.github.com/fanglijun/a0d1218c9ef0b0670904e62778f6ed12
You're should read how the RSA algorithm to understand more how it works.
Basically you need to encrypt data by your public key (front end part) and decrypt (backend part)by your private key that it.
Not recommend:
If you're still wanna decrypt on front-end side via javascript, mean that you have to public your private key where javascript can read to decrypt. Technically is fine but It may have a security issue
Another solution:
- You can encrypt your data like (Id, secret_data.....) into an encrypted string then send that string as a parameter of an URL (generate at server-side)
- When end-user clicks that URL you will decrypt parameter by private key (server-side) to get actual data (Id, secret_data...)
答案2
得分: 0
除非您的值实际上需要保密,否则请使用HMAC。这样,您可以验证所提供的URL未被篡改,而无需共享密钥或要求客户端自行解密数据。
只需为所需的关键值生成HMAC,并将该值附加到URL中。当用户访问特定路径时,读取URL并将其与HMAC进行比较。
url = 'http://my.site/users/123'
signature = hmac(secret_key, url);
signed_url = url.addQueryValue('s', signature);
在进入过程中,查看签名并验证它是否与重新生成的HMAC匹配。
您还可以执行其他操作,比如将声明附加到签名中,例如到期时间等。声明可用于跟踪访问,以及在一段时间后撤销对URL的访问权限。
英文:
Unless your values actually need to be secret use an HMAC. This way you can authenticate that url provided has not been tampered with without actually having to share keys or require that the client decrypt data on its own.
Simply generate an hmac for your desired critical values and append the value to the url. When they user accesses the specific path, read the url and compare it to the hmac.
url = 'http://my.site/users/123
signature = hmac(secret_key, url);
signed_url = url.addQueryValue('s', signature);
on the way in, look at the signature and validate it matches the regenerated hmac.
Other things you can do is append claims to the signature such as expiry ect. Claims can be used to track access, as well as revoke access to a url after some time.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论