How can I encrypt and decrypt query my query parameters in a URL?

Question

In my system I'm generating URLs with query params that represent IDs. I want to encrypt these IDs so that they are not plainly manipulated in the URL. These will be public facing URLs and I don't want users to be able to manipulate the URL and be able to get other users' data, so I want to encrypt these IDs.

I'll be encrypting the IDs within a Java application and then decrypting them in a Javascript app. Is there some common encryption algorithm I can use in both places? Are there libraries available that would do this sort of thing in Java and Javascript?

I realize both my application will need access to a common "password" or decryption key, I will store this in a keystore location that both apps will have access to.

Answer 1

Unless your values actually need to be secret use an HMAC. This way you can authenticate that url provided has not been tampered with without actually having to share keys or require that the client decrypt data on its own.

Simply generate an hmac for your desired critical values and append the value to the url. When they user accesses the specific path, read the url and compare it to the hmac.

url = 'http://my.site/users/123
signature = hmac(secret_key, url);
signed_url = url.addQueryValue('s', signature);

on the way in, look at the signature and validate it matches the regenerated hmac.

Other things you can do is append claims to the signature such as expiry ect. Claims can be used to track access, as well as revoke access to a url after some time.

Answer 2

IMO you should generate a public/private key by your own then (OpenSSL, Java keytool...).

1. Using javascript to encrypt your data with the public key

• https://code.google.com/archive/p/crypto-js/downloads
• https://nodejs.org/api/crypto.html

2. On Server-side - Java, you can use the private key to decrypt your data to execute your business behaviour. There are many examples/library to decrypt by the private key such as

• https://www.devglan.com/java8/rsa-encryption-decryption-java
• https://gist.github.com/fanglijun/a0d1218c9ef0b0670904e62778f6ed12

You're should read how the RSA algorithm to understand more how it works. Basically you need to encrypt data by your public key (front end part) and decrypt (backend part)by your private key that it.

Not recommend: If you're still wanna decrypt on front-end side via javascript, mean that you have to public your private key where javascript can read to decrypt. Technically is fine but It may have a security issue

Another solution:

• You can encrypt your data like (Id, secret_data.....) into an encrypted string then send that string as a parameter of an URL (generate at server-side)
• When end-user clicks that URL you will decrypt parameter by private key (server-side) to get actual data (Id, secret_data...)