Best encryption for query string

  • Question

  • User-454825017 posted

    Right now I am encrypting the query string using base64, but it is very weak. So what encryption does a standard web site follow that does not generate very large text?

    Should I use AES or TripleDES, etc.?

    Should I follow the approach mentioned in this link: https://stackoverflow.com/a/50232009/14326209

    Thanks

    Monday, October 19, 2020 1:46 PM


All replies

  • User475983607 posted

    Encryption alone does not secure a URL.  You should be able to come up with a solution once you understand the requirement.  What is the use case?   

    Monday, October 19, 2020 3:14 PM
  • User-474980206 posted

    Base64 is encoding, not encryption.

    You should probably use AES with 256 key size. If you will use it in a query string, you should use the new base64url format instead of base64, which is not URL safe.

    Monday, October 19, 2020 6:58 PM
  • User-454825017 posted

    Sir, it is not clear what you have said: "if you will use on query string you should use the new base64url format instead of using base64, which is not url safe."

    Can you please elaborate on this point with example code? What is the base64url format? I am not aware of it. How can the base64url format encrypt the query string value?

    Thanks

    Monday, October 19, 2020 7:49 PM
  • User475983607 posted

    > Sir, it is not clear what you have said: "if you will use on query string you should use the new base64url format instead of using base64, which is not url safe."
    >
    > Can you please elaborate on this point with example code? What is the base64url format? I am not aware of it. How can the base64url format encrypt the query string value?

    The encryption process produces a byte array that can contain special URL characters. Base64 encoding can also produce special URL characters. The steps, which are found in any fundamental tutorial on the subject, are: encrypt the data, then base64url-encode the encrypted data if the data is submitted in the URL.

    Do you really need encryption? The rule of thumb is not rendering sensitive data to the browser. Encryption does not secure data in a URL. The data is automatically decrypted on the server. A check is required to make sure the current user should have access to the data. Especially an HTTP GET, which is cached and bookmarked.

    Perhaps if you provide the use case someone can help you come up with a proper solution.  Or maybe you can do research on your own???

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 19, 2020 8:15 PM
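
The two steps described in the answer above (encrypt, then base64url-encode the bytes), as an added example that is not part of the original thread. It assumes AES-256 in GCM mode through .NET's `AesGcm` class; the `QueryToken` class, the token layout, the sample value and the URL are hypothetical choices made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class QueryToken
{
    // base64url (RFC 4648, section 5): '-' and '_' replace '+' and '/', '=' padding is dropped.
    public static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] FromBase64Url(string text)
    {
        string s = text.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Token layout chosen for this example: nonce (12) || tag (16) || ciphertext.
    public static string Protect(byte[] key, string value)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] token = new byte[28 + plain.Length];
        RandomNumberGenerator.Fill(token.AsSpan(0, 12));   // fresh nonce per token
        using var aes = new AesGcm(key);                   // .NET 8+: new AesGcm(key, 16)
        aes.Encrypt(token.AsSpan(0, 12), plain, token.AsSpan(28), token.AsSpan(12, 16));
        return ToBase64Url(token);
    }

    // Throws CryptographicException when the token was altered or not produced with this key.
    public static string Unprotect(byte[] key, string text)
    {
        byte[] token = FromBase64Url(text);
        if (token.Length < 28) throw new CryptographicException("Token too short.");
        byte[] plain = new byte[token.Length - 28];
        using var aes = new AesGcm(key);
        aes.Decrypt(token.AsSpan(0, 12), token.AsSpan(28), token.AsSpan(12, 16), plain);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        byte[] key = new byte[32];                         // constructed demo key (AES-256)
        RandomNumberGenerator.Fill(key);
        string token = Protect(key, "orderId=1042");       // constructed sample value
        Console.WriteLine("/orders/details?t=" + token);   // hypothetical URL
        Console.WriteLine(Unprotect(key, token));
        // The server still has to check that the current user may see this order.
    }
}
```

In ASP.NET Core, `WebEncoders.Base64UrlEncode` and `WebEncoders.Base64UrlDecode` in `Microsoft.AspNetCore.WebUtilities` perform the same encoding as the two helper methods here.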
  • User1686398519 posted

    Hi TDP, 

    1. should i use AES or TripleDes etc ?
      1. AES is considered more secure.
        • Even triple DES cannot provide enough protection.
        • AES allows you to choose a 128-bit, 192-bit or 256-bit key, making it exponentially stronger than the 56-bit key of DES.
      2. Triple DES:
        • It is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block.
      3. Advanced Encryption Standard (AES):
        • AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
    2. Base64:
      • Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically a sequence of 8-bit bytes) in an ASCII string format by translating it into a radix-64 representation.
      • Base64 is used to encode data that may be unsupported or damaged during transmission, storage, or output. It can preserve the original bytes of the encryption function.
    3. https://stackoverflow.com/a/50232009/14326209

      • The example in this link seems to use AES for encryption, you can try this method.

    Best Regards,

    YihuiSun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, October 20, 2020 7:10 AM
  • User-454825017 posted

    Sir, thanks for the reply. Suppose I encrypt a query string value with AES; how could I check whether the value is encrypted with AES or not? Because if anything is encrypted, it should not be encrypted again.

    Tell me how to determine whether the value is encrypted with AES or not. Thanks

    Tuesday, October 20, 2020 9:05 AM
  • User475983607 posted

    > Sir, thanks for the reply. Suppose I encrypt a query string value with AES; how could I check whether the value is encrypted with AES or not? Because if anything is encrypted, it should not be encrypted again.
    >
    > Tell me how to determine whether the value is encrypted with AES or not. Thanks

    You should know what values are encrypted and which are not since you designed the application.

    Explain the use case - the requirements.  

    Tuesday, October 20, 2020 11:02 AM