0

I am building a web service that I want my users to register for before they can use it. I would then give them a registration key.

When they call my service they would pass me the registration key. I would then decrypt the key to validate the user and service.

I tried this using AES for the encryption, but the key was way too large. Is there another way to encrypt that would give me a smaller key that can be passed in the URL.

I want it to be decryptable so to avoid a database lookup.

Thanks

Edit: Sorry I was not passing around the AES key, I meant the encrypted AES value. which was 96 bytes if I counted correctly.

Improve this question
4
  • 2
    "i want it to be decryptable so to avoid a database lookup" just use a database-stored key like any other normal service. Commented May 28, 2013 at 16:36
  • What do you mean the "key was way too large"? Define "too large". Commented May 28, 2013 at 16:37
  • @KirkWoll He means it's too large for URI portion. Probably more than 2k characters long. Commented May 28, 2013 at 16:37
  • 1
    You don't need to encrypt it as it will not contain any secrets. You only have to make sure the user cannot alter the value, so signing it is enough, no need to encrypt it. and a HMAC signature takes 128 or 160 bits, therefore can easily be added to an URL together with the clear-text userid and permission fields. Also take in mind when doing the encryption route instead of signing, that you do not use a chaining mode that makes it possible to alter parts of the message randomly (i. e. log in as a random user) Commented May 28, 2013 at 16:47

2 Answers 2

Reset to default
2

You shouldn't be passing around the key. You use the key to encrypt the user's ID, e.g.

$userID = 42;
$crypted = aes_encrypt($key, $userID . "some random salting/padding stuff");
$encoded = base64_encoded($crypted);

$url = "http://example.com?registrationConfirnmationID=$encoded";

then you send the user $url via the registration email. They click on it, and you do the reverse on the server:

$encodedID = $_GET['registrationConfirmation'];
$crypted = base64_decode($encodedID);
$registrationString = aes_decrypt($key, $crypted);

which would give you

42some random salting/padding stuff

After that, you strip off the salt, and you're done.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

The encrypted data from AES is not too big, even if the key is quite large. The size of the URL parameter can be pretty big but it all depends on what exactly you need to encrypt. A database lookup is probably quicker than the CPU load in decrypting the key in the web service!

There are lots of options but any hash or encrypted data can be encoded to something like Base64 which makes it sendable via URL.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.