In my system I'm generating URLs with query params that represent IDs. I want to encrypt these IDs so that they are not plainly manipulated in the URL. These will be public facing URLs and I don't want users to be able to manipulate the URL and be able to get other users' data, so I want to encrypt these IDs.
I'll be encrypting the IDs within a Java application and then decrypting them in a JavaScript app. Is there some common encryption algorithm I can use in both places? Are there libraries available that would do this sort of thing in Java and JavaScript?
I realize both my applications will need access to a common "password" or decryption key; I will store this in a keystore location that both apps will have access to.
asked Sep 10, 2020 at 18:02 by intA
5 Comments
- By public facing, do you mean that the page could actually be opened by unlogged users, and it should work this way? – FTW Commented Sep 10, 2020 at 18:12
- Manipulated how? You're using contiguous integer IDs, and you don't want someone to go from shop.com/product/1 to shop.com/product/2 by just incrementing the number? Better yet, don't use contiguous integer IDs in the first place – Michael Commented Sep 10, 2020 at 18:13
- @Michael yes, that is what I mean. They're not contiguous integers, they're strings, but the same concept applies. I can't really change that part of the design. – intA Commented Sep 10, 2020 at 18:25
- @FTW yes, you do not need to log in to access the page – intA Commented Sep 10, 2020 at 18:26
- You may not have to encrypt the query parameters. Use a server side HMAC to authenticate that critical query values have not been tampered with. You would not need to add anything client side. – Brenden Commented Sep 10, 2020 at 18:34
2 Answers
IMO you should generate a public/private key on your own (OpenSSL, Java keytool...).
- Use JavaScript to encrypt your data with the public key
  - https://code.google.com/archive/p/crypto-js/downloads
  - https://nodejs.org/api/crypto.html
- On the server side (Java), you can use the private key to decrypt your data and execute your business behaviour. There are many examples/libraries for decrypting with the private key, such as
  - https://www.devglan.com/java8/rsa-encryption-decryption-java
  - https://gist.github.com/fanglijun/a0d1218c9ef0b0670904e62778f6ed12
You should read about the RSA algorithm to understand more about how it works. Basically you need to encrypt data with your public key (front-end part) and decrypt (back-end part) with your private key, that's it.
Not recommended: If you still want to decrypt on the front-end side via JavaScript, it means that you have to publish your private key where JavaScript can read it to decrypt. Technically it is fine, but it may have a security issue.
Another solution:
- You can encrypt your data (Id, secret_data...) into an encrypted string, then send that string as a parameter of a URL (generated server-side)
- When the end user clicks that URL, you decrypt the parameter with the private key (server-side) to get the actual data (Id, secret_data...)
Unless your values actually need to be secret, use an HMAC. This way you can authenticate that the URL provided has not been tampered with without actually having to share keys or require that the client decrypt data on its own.
Simply generate an HMAC for your desired critical values and append the value to the URL. When the user accesses the specific path, read the URL and compare it to the HMAC.
    url = 'http://my.site/users/123';
    signature = hmac(secret_key, url);
    signed_url = url.addQueryValue('s', signature);
On the way in, look at the signature and validate that it matches the regenerated HMAC.
Another thing you can do is append claims to the signature, such as expiry, etc. Claims can be used to track access, as well as revoke access to a URL after some time.
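The signing and validation steps described in the answer above, extended with an expiry claim, as an added Node.js example that is not part of the original answer. The demo key, the `exp` parameter name, the choice of HMAC-SHA256 and the decision to sign the path plus sorted query string are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed demo key (assumption); in practice load it from the server-side keystore.
const DEMO_KEY = Buffer.from('constructed-demo-key-not-for-production');

// HMAC-SHA256 over the path plus every query parameter except "s" itself.
function mac(key, url) {
  const u = new URL(url);          // copy, so the caller's URL is not modified
  u.searchParams.delete('s');
  u.searchParams.sort();           // canonical order: re-ordering params is harmless
  return createHmac('sha256', key)
    .update(u.pathname + '?' + u.searchParams)
    .digest('base64url');
}

// Add an expiry claim ("exp", Unix seconds) and the signature ("s").
function signUrl(key, url, ttlSeconds, now = Date.now()) {
  const u = new URL(url);
  u.searchParams.set('exp', String(Math.floor(now / 1000) + ttlSeconds));
  u.searchParams.set('s', mac(key, u));
  return u.href;
}

// True only if the signature matches and the link has not expired.
function verifyUrl(key, url, now = Date.now()) {
  const u = new URL(url);
  const given = Buffer.from(u.searchParams.get('s') || '', 'base64url');
  const expected = Buffer.from(mac(key, u), 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return false;
  }
  // The expiry is trusted only because it was covered by the MAC checked above.
  const exp = Number(u.searchParams.get('exp'));
  return Number.isInteger(exp) && Math.floor(now / 1000) <= exp;
}
```

Only the server holds the key, so the client never decrypts anything; changing the ID in the path or the `exp` value invalidates the signature.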