September 29, 2006 1:52 PM Subscribe
Sending many different encrypted strings as URL arguments and want to decode them via a shared public key. How much security is necessary and possible?
posted by ducksauce to technology (32 answers total)
I want to be able to send an encrypted string as a URL variable, decrypt the string in PHP, and then write the decrypted string to the page. Let's assume for the sake of argument that the string contains highly sensitive information and that, unencrypted, it is always less than 25 characters long. Let us also assume that millions of users will be sending their information to the page in this way. Is it possible to create a reasonable system for passing this string to the page without a big risk of it being decrypted by an unauthorized third party?
The first solution to this problem that I thought of was to use RSA. I am not very skilled in encryption, though, so I probably don't understand RSA that well at all. How big would the private and public keys have to be to make decryption not worth the attacker's time (taking longer than 72 hours on a modern desktop computer)? Would the encrypted string be too large to reasonably send in an HTTP get request? Is it a very bad idea to put all my eggs in one basket with the private key, in that if it's ever stolen or hacked a million users would be exposed at once?
Is there a different method I could use that would allow me to totally avoid DB or file system access while decrypting the string? I'd like to avoid sending random hashes and storing them in a DB because my DB configuration skills are also pretty weak, and if the page is highly trafficed I would not want to have to suffer through a bottleneck that could be avoided.