Home/ Questions/Q 8319027
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T22:10:54+00:00

I need a way to transmit my item IDs to the browser in a

  • 0

I need a way to transmit my item IDs to the browser in a way that prevents spidering/crawling the items.

My thought is to encrypt the integer IDs with a secret and shared salt. This allows a large number of permanent but unpredictable URLs for the same unique item. Suppose I need to transmit results for records 1 and 2. Rather than transmitting IDs in the clear:

{
    1: "Item One",
    2: "Item Two"
}

I’ll first encrypt the IDs at the web server:

string RESULT_SET_SALT = "randomValue1";
foreach(ResultItem item in results) {
    item.id = encrypt(SECRET, RESULT_SET_SALT, id);
}

What is actually transmitted to the client is the salt and encrypted values:

{
    RESULT_SET_SALT: "randomValue1",
    387439: "Item One",
    79: "Item Two"
}

When the client selects an item to view details, the AJAX request includes the salt and encrypted value.

$.get("/ItemDetails/387439?RESULT_SET_SALT=randomValue1");

At the server the ID is decrypted using the SECRET and SALT the client included in the request.

int actualRequestedId = decrypt(387439, "randomValue1", SECRET); // result is 1

This is informative: Simple integer encryption
And this: Way to encrypt a single int

Neither article talks about using a salt. Probably, if I just split the secret into two parts and transmit half of it, no one would put in the effort to crack it, but I know that type of abuse of an algorithm often breaks it and I’d prefer to do it correctly.

Any recommendations? It isn’t necessary to keep the IDs as int, but I’ll be transmitting large batches of them and do need to keep them small. Since there will be a large number of IDs and the encryption process will block the result UI, it shouldn’t be too expensive. It would be nice if this leveraged out-of-the-box .NET (C#) encryption

EDIT: It occurs to me that another (higher bandwidth) approach is to add a random high-32-bits to each ID and encrypt it with the secret, rather than using a salt. That would work great, except since this is another abuse of an algorithm, a user’s ability to generate multiple iterations from the same ID might well compromise the secret (or less importantly the individual ID).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Format preserving encryption is probably the thing you are looking for, but it is not easy to implement. You could use a random key that is linked to the session at the server. An attacker would be able to simply request all values, but it cannot guess them.

    CTR ciphers can encrypt any value and return the same size (in bits). They have a better availability (in API’s), but they require a NONCE for each encryption with the same key.

    Alternatively you could simply keep a table at the server and remember a random ID to item ID. That way the attacker simply has no way to retrieve anything but the items submitted to him through the server. This might be much easier than the other solutions, but it would require additional memory for the table (of course).

    This in addition to the answers submitted in the other links.

    • 0