There is a link like site.name/ck/{resource_name}?data={id}&trc={token}

It looks like this:

http://site.name/ck/blabla?data=22248&trc=x5jH0h8xUX6Gd6h1AYZEaY2VrVCpQSiuBW0oIEfQ

How can the transmitted data and trc parameters be encrypted (so that only the server can decrypt them), so that they can then be decrypted on the backend?

UPD: The task itself is this: when a visitor follows an encrypted link, the transmitted data is decrypted on the server and processed, a new object is created, and some data is returned to the visitor based on what was transmitted. The bottom line is that it must be impossible for the visitor to replace the transmitted ID. That is why I want to encrypt it.

  • For example, RSA... - Vladimir Martyanov
  • @VladimirMartyanov Could you give an example? - Alex_01
  • You will need to use JavaScript. Is that solution appropriate? - Mikhail Vaysman
  • @MikhailVaysman If the data cannot be decrypted on the front end (with JS disabled or otherwise), then it fits - Alex_01
  • @Alex_01 Without JavaScript it will be difficult to encrypt data - Mikhail Vaysman

3 answers

If the task is to protect data from a man-in-the-middle (MITM), then the most effective way is to use SSL (Secure Sockets Layer). To do this, you will need to obtain a private key and send a certificate (public key) to the client. There is no point in listing the implementation details here: everything is encapsulated inside the HTTPS application-level protocol. Therefore, to use this technology, it is enough to make sure that your hosting provider supports requests over HTTPS.

A simpler option (if real-time protection against MITM is not required, but there is some small amount of transmitted traffic that we would like to protect): there is no solution. At least, no safe one. None, because any information encrypted on the client's side (whatever the cryptographic algorithm, its keys, etc.) is in the public domain: its encryption algorithm is known a priori to anyone who knows how to use the F12 key (and the like). However, the method mentioned in point 1, public-key cryptography, remains valid. But in this case, again, the client will first need to obtain the public key from the server, which is already implemented automatically at the SSL/TLS level; such a cipher can be "unlocked" either by the server or by software that managed to access the information before the public key was applied to it.

P.S. Regarding

"The bottom line is that it must be impossible for the visitor to replace the transmitted ID. That is why I want to encrypt it."

...then just take it for granted that all data sent by the client will, with probability close to one, be changed by an interceptor. So just implement secure server-side logic that does not trust the client.

  • Knowledge of the encryption algorithm by itself does not guarantee that the data can be decrypted: security.stackexchange.com/questions/86595/... Another matter is that data that exists at runtime can be pulled out in much easier ways - etki
  • Well, the certificate itself is the public key - etki
  • @etki, this topic is about one-way functions, whose safe use is possible only in the case of asymmetric cryptography, which I wrote about above. If there is a shared secret that will be transmitted to the client (the exponent value, a salt, etc.), then this is obviously unsafe. Knowledge of the algorithm itself is often safe, but the same knowledge plus the input parameters used is unsafe. - AseN

Who should not be able to decrypt the data?

  • If you want to protect the communication channel (MITM etc.), then move the data into the entity body and enable SSL. No one except the server will read this data.
  • If you do not want to transfer this data explicitly, then generate a hash from these parameters on the server and save the data in a table (using the hash as a unique identifier). On the client you will have a link of the form: http://site.name/ck/blabla?hash=my_hash_func
  • I updated the question with what is required - Alex_01
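The table-lookup variant from the second answer, as an added example that is not part of any answer on this page. The server derives an opaque handle from the parameters with a keyed hash, stores the real values against it, and hands the visitor a link that carries only the handle; on the way back it does nothing but look the handle up. The server key, the in-memory dict standing in for the table, and the 16-byte truncation are assumptions for the example; the resource name and sample parameters are the ones from the question.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret (an assumption for this example); the client never sees it.
SERVER_KEY = b"example-server-secret-key-not-for-production"

# The "table" from the answer: opaque handle -> the real parameters.
# An in-memory dict stands in for a database table here.
_handles = {}


def make_handle(data, trc):
    """Derive an opaque handle from the parameters with a keyed hash.

    HMAC-SHA256 rather than a bare SHA-256, so a client cannot compute
    the handle that belongs to some other id and probe the table with it.
    The first 16 bytes (128 bits) are plenty to keep handles distinct.
    """
    msg = f"{data}:{trc}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()


def issue_link(resource_name, data, trc):
    """Store the real parameters server-side and return a link that carries only the handle."""
    handle = make_handle(data, trc)
    _handles[handle] = {"data": data, "trc": trc}
    return f"http://site.name/ck/{resource_name}?" + urlencode({"hash": handle})


def resolve_link(url):
    """Server side: look the handle up. Anything not in the table is rejected (None)."""
    qs = parse_qs(urlsplit(url).query)
    handle = qs.get("hash", [None])[0]
    if handle is None:
        return None
    # The handle is only a lookup key; the id the visitor "sent" is whatever the table says.
    return _handles.get(handle)


if __name__ == "__main__":
    link = issue_link("blabla", 22248, "x5jH0h8xUX6Gd6h1AYZEaY2VrVCpQSiuBW0oIEfQ")
    print(link)
    print(resolve_link(link))  # the stored parameters
    # A visitor who edits the handle hits nothing in the table.
    forged = link[:-1] + ("A" if link[-1] != "A" else "B")
    print(resolve_link(forged))  # None
```

Because the visitor never holds the id, there is nothing in the link to replace: an edited handle simply misses the table. The price is server-side state, which the signed-link approach avoids.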

This means that the server itself should encrypt the link.

Any data from the client can be changed.

  • Downvoters, what exactly is wrong with the answer? - Qwertiy
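The server-minted link that the first answer's "do not trust the client" and the third answer's "the server itself should encrypt the link" both point at, as an added example that is not part of any answer on this page. The requirement in the UPD is that the visitor cannot replace the ID, and a keyed MAC is what gives that: the server computes trc as HMAC-SHA256 over the resource name, the id and an expiry, and recomputes it on every request. This is a signed link rather than an encrypted one (the swapped-in technique is stated plainly): the id stays visible, but any change to the id, the resource or the expiry invalidates the token. The server key, the TTL and the token layout (8-byte big-endian expiry followed by a 16-byte tag, base64url-encoded) are assumptions for the example. Hiding the id as well would need an authenticated cipher such as AES-GCM, which the standard library does not provide, or the lookup table from the second answer.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret (an assumption for this example). Only the server
# knows it, so only the server can mint or verify a trc token.
SERVER_KEY = b"example-server-secret-key-not-for-production"
TAG_LEN = 16   # truncated HMAC-SHA256 tag, 128 bits
TTL = 3600     # link lifetime in seconds


def _mac(resource_name, data, exp):
    """Tag over everything that must not be swapped: the resource, the id and the expiry."""
    msg = f"{resource_name}:{data}:{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def sign_link(resource_name, data, now=None):
    """Server side: build the link from the question with trc = base64url(exp || tag)."""
    now = int(time.time()) if now is None else now
    exp = now + TTL
    token = struct.pack(">Q", exp) + _mac(resource_name, data, exp)
    trc = base64.urlsafe_b64encode(token).rstrip(b"=").decode()
    return f"http://site.name/ck/{resource_name}?" + urlencode({"data": data, "trc": trc})


def verify_link(url, now=None):
    """Server side: return the trusted id (as a string), or None if the link was altered or expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    path = parts.path.split("/")          # "/ck/blabla" -> ["", "ck", "blabla"]
    if len(path) < 3 or path[1] != "ck":
        return None
    resource_name = path[2]
    qs = parse_qs(parts.query)
    data = qs.get("data", [None])[0]
    trc = qs.get("trc", [None])[0]
    if data is None or trc is None:
        return None
    try:
        token = base64.urlsafe_b64decode(trc + "=" * (-len(trc) % 4))
    except ValueError:                    # binascii.Error is a ValueError
        return None
    if len(token) != 8 + TAG_LEN:
        return None
    exp = struct.unpack(">Q", token[:8])[0]
    # Constant-time comparison, so a forger learns nothing from timing.
    if not hmac.compare_digest(token[8:], _mac(resource_name, data, exp)):
        return None
    if now >= exp:
        return None
    return data


if __name__ == "__main__":
    link = sign_link("blabla", 22248)
    print(link)
    print(verify_link(link))                                   # "22248"
    print(verify_link(link.replace("data=22248", "data=22249")))  # None: id was replaced
```

The expiry travels inside trc and is covered by the tag, so it cannot be extended by editing the URL either; the id is returned as the string the query carried, and the caller converts it once the token has been accepted.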