
I am working on a Spring Web application, and came across a scenario that requires passing an identifier in the URI (GET over HTTPS), for example: https://www.targetdomain.com/services?id=123. This URI appears in the end user's browser, and my concern is that anyone can tamper with this identifier "123", which is linked in my database as the primary key of one of the tables.

One way to resolve this issue could be to save this in the user's session (HttpSession); another could be to encrypt it and send that to the browser as https://www.targetdomain.com/services?id=jk3434jj123jkh23jh213h. Once the end user clicks on the link, I can decrypt that on the server side to retrieve the identifier.

I am new to encryption, and I wanted to know what suitable encryption algorithm I should use to encrypt this identifier before printing it to the browser, so that I can retrieve it on the server.

I came across some posts (for example: encrypt and encode URL parameters spring mvc) where working code is presented using "AES/CBC/PKCS5Padding" as the cipher. Does that look like a good solution for this use case?

  • Hello Nizel! Welcome to SO. This question is primarily opinion based, as the answer varies according to user opinions. Ask questions that can always be answered in a factual manner. Commented Apr 27, 2020 at 4:08
  • I respectfully disagree with this being opinion based. This is an application security question, I think on-topic for SO. Commented Apr 27, 2020 at 7:07
  • From a security perspective the best way would be to implement an authorization layer in your application so that each user can only access those database entries he/she is authorized to see. Then manipulating the id would only allow access to the user's own data. Commented Apr 28, 2020 at 10:05

1 Answer

The most secure solution would be to manage the parameter in the session as you described, if that's an option. That way it's all on the server and it's protected against an attacker having access to a user session in a browser (but not to the server). If you can do this, it's probably the right thing.

However, sometimes you need to pass through the browser. For whatever you send to the browser, you might have two distinct requirements:

  1. You might want the user to be unable to read it, for which the solution is encryption. In the case of an id, this is probably less relevant, but your ids might also be sensitive in some way; only you can tell.

  2. You might want the user to be unable to modify it, and for this you need message authentication. This requires a secret on the server, used to generate an authentication code for your parameter, which upon receiving it back can be verified (using the secret again).

Note that these are two separate things: encrypted messages are not necessarily authenticated, and authenticated messages are not necessarily encrypted.

So if you only care about message authentication, you could add an authentication code as a separate parameter, generated with e.g. HMAC, and then check it upon getting your parameter back.

Or, depending on your requirements, you can choose authenticated encryption (AEAD), which provides both features in one. Such an algorithm is e.g. AES in GCM mode. (AES-CBC, mentioned in your question, is not an authenticated mode for AES.)

Note that you would have to consider replay attacks as well. If you only authenticate or encrypt the parameter itself, a user can observe such encrypted parameters in other sessions, for example, and replay those in his own session. One standard solution to this is to include a timestamp as well, so that such secure parameters are also time-bound, and even this might not be enough in your specific scenario. For example, if access control is based on such an authenticated parameter, an observed authenticated, time-bound parameter from another user's session might be used to access data in the current user's session (albeit this would be harder to actually exploit).

Or you can still just do it through the session... :)
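Added example (not from the question, the answer, or any Spring code): the HMAC approach from the answer, with the timestamp the answer recommends against replay. The key, the 10-minute lifetime and the `id.issuedAt.tag` layout are all assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SignedIdParam {
    // Placeholder only: load a random 32-byte secret from configuration, never hard-code it.
    private static final byte[] KEY =
        "replace-with-a-random-32-byte-server-secret".getBytes(StandardCharsets.UTF_8);
    private static final long MAX_AGE_MILLIS = 10 * 60 * 1000L; // assumed 10-minute lifetime

    private static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Value to put in ?id=...  Layout: "<id>.<issuedAtMillis>.<base64url(HMAC over id.issuedAt)>"
    public static String sign(long id, long nowMillis) throws Exception {
        String payload = id + "." + nowMillis;
        String tag = Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
        return payload + "." + tag;
    }

    // Returns the id when the tag verifies and the token is within MAX_AGE; otherwise null.
    public static Long verify(String token, long nowMillis) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); }
        catch (IllegalArgumentException e) { return null; }
        // Constant-time compare, so response timing does not reveal how many tag bytes matched.
        if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), given)) return null;
        try {
            long issuedAt = Long.parseLong(parts[1]);
            if (issuedAt > nowMillis || nowMillis - issuedAt > MAX_AGE_MILLIS) return null;
            return Long.parseLong(parts[0]);
        } catch (NumberFormatException e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String token = sign(123L, now);
        System.out.println("id=" + token);
        System.out.println("valid:    " + verify(token, now + 1000));                              // 123
        System.out.println("tampered: " + verify(token.replaceFirst("^123", "124"), now + 1000)); // null
        System.out.println("expired:  " + verify(token, now + MAX_AGE_MILLIS + 1));               // null
    }
}
```

This binds the id to a time window but not to a user; to close the cross-session replay the answer mentions, include the authenticated session's user identifier in the signed payload and check it against the current session on verification.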
