0

I want to use an two way algorithm(means i should both encrypt and decrypt). The below is my

Scenario:

I have a application where user can register by providing their First name, Last name and Email address. Once the data is stored in DB a mail will be sent to Registered User's Registered email address with the below content

Please click the link to configure your account: http://mysitename.com?somepage.aspx?enc=EmailaddresinencyptedFormat

what i am doing is attaching registered user's registered email address in query string in encrypted format. user will click the following link and will be redirected to a configuration page where user enters his/her username,secretquestion. Then the input data and the encrypted emailaddress in the querystring will be passed to service and the service will decrypt them and validate the emailaddress.

Required:

What algorithm can be used to encrypt and decrpt? let me know BEST algorithm for this scenario. Please help me out

Improve this question
5
  • You can't use email as an encrypted secret piece of information, as most people's email address is public knowledge. p.s. why do you want to do it like this? Why can't you follow best practices? Commented Jun 28, 2013 at 5:53
  • when i pass the email address as such in the link: [email protected] eveybody could see the email address and everyone can access the link with their own email address. Commented Jun 28, 2013 at 6:02
  • 1
    Have you thought about using a token? I.e. you save the information in your database and give the user only a random, long, meaningless id which refers to that information. example.com/foo.aspx?enc=klwurh2o3mhf2837gox7g2 Commented Jun 28, 2013 at 6:09
  • per my undersating, you want to me generate a token by using some algorithm during user registration store them in database and embed in the link and send as a email. upon receiving the email user will click the link and fill ncessary info in the page and on submit sent the filled info along with token and based on token update the necessary info in DB? Am in making sense? Commented Jun 28, 2013 at 6:16
  • This question appears to be off-topic because it is about choosing the best encryption algorithm, which is a security-based question rather than a programming question. Commented Jun 28, 2013 at 7:31

1 Answer 1

Reset to default
2

Instead of encrypting the email address, place in the database a sufficiently large, 100% random value (such as a GUID or UUID), and associate it with a salted hash of the email address of the person who signed up. Send the GUID to the user in the link. Then, when they finish, you can saltedly hash the email they filled in on the second link and match it to the email address.

Since it is random there is no possibility of guessing random urls and stumbling across other people's registrations, and even if the database leaks only salted hashed emails are exposed, which cannot be decrypted into an email.

http://www.martinstoeckli.ch/php/php.html#bcrypt is a good resource on what hashing is and what it's for.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

can you pls share any sample code? and what is the name algorithm ur talking about? pls bear with me if didnt make sense.. help me out
Good solution, but I don't think you need to salt or hash the email address. As this value only stays in your database I think just saving the email address with the UUID should be enough.
@korius If the database becomes leaked the email addresses of people who haven't finished signing up yet will become exploitable. I agree that it's pretty minor otherwise.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.