6

On a REST based system what are the options to "encrypt" resources ID.

For instance: 

 /client/2

would be accessible at 

/client/SOMEHASHKEY

I am thinking :

1 - Have DB tables that keeps track of a resource ID and it's corresponding HASH and look it up on every request. This obviously seems quite heavy to implement, and increase server work quite a bit.

2 - Have some kind of internal encrypting algorithm that would create a hash for instance based on the resources creation date, the resources ID and base64 it (Obviously not optimal but you get the point)

So are there good practices for this kind of scenarios? What would you recommend ?

Many Thanks

silkAdmin
  • 4,640
  • 10
  • 52
  • 83

1 Answers1

2

If your intention is to make it hard to guess client ids, then use uuids, for example 32 hex character long guids such as 21EC2020-3AEA-1069-A2DD-08002B30309D.

Identifiying entities in a domain completely depends on the implementation which provides the REST service.

Some applications use guids by default to identify entities. A good example is for example the lovefilm API:

GET /users/9D48675C-096F-11DC-BF5A-88D01745CE5C HTTP/1.1
Host: openapi.lovefilm.com

However, using hard-to-guess identifiers does not protect you from unauthorized access and is no replacement for a real authentication mechanism.

stmllr
  • 652
  • 3
  • 18
  • hum so if i take your answer and try to apply it to my question you mean using table to keep track of corespondance between Hash, GUID or whatever and the actual resource ? – silkAdmin May 12 '13 at 01:52
  • It depends on how your application stores the resource. I have no idea how the resource looks like inside of the application. But yes, if you have to stick to integer ids internally, then add another guid property to your client model. If your storage is an SQL DB table, then store the guid in an additional field of the client table. – stmllr May 12 '13 at 02:00
  • so that bring us back to the "good practice" question, I guess your point is that I should index a UUID on the resources table itself ? – silkAdmin May 12 '13 at 03:48
  • No. My point is, that it depends on your application and storage. I can't give you a universally valid answer. If you would tell us more details about your application, then one could give you more precise hints. Your initial question was about security design practice for exposing ids. That's what I tried to answer. Nevertheless, good resource discussing uuid and DB keys is http://www.codinghorror.com/blog/2007/03/primary-keys-ids-versus-guids.html KCcoder posted some numbers on MySQL performance and indexing uids: http://kccoder.com/mysql/uuid-vs-int-insert-performance/ – stmllr May 12 '13 at 14:21