在应用程序中混淆数字 ID 的最佳方法是什么 [英] What is the best way to obfuscate numerical IDs in an application

问题描述

鉴于我有一个网站，其中大部分资源都有数字 ID(即 user.id question.id 等)，但就像德国人回顾二战一样，我宁愿不向观察者透露这些，这是什么混淆它们的最佳方法是什么?

Given I've got a site where most of the resources have numerical IDs (i.e. user.id question.id etc.) but that like the Germans looking back on WWII I'd rather not reveal these to the observers, what's the best way to obfuscate them?

我认为该方法将涉及 .to_param 和一些对称加密算法，但我不确定最有效的加密是什么以及它如何影响数据库中的查找时间等.

I presume the method is going to involve the .to_param and then some symmetric encryption algorithm but I'm not sure what's the most efficient encryption to do and how it'll impact lookup times in the DB etc.

任何来自走过的道路的建议将不胜感激.

Any advice from the road trodden would be much appreciated.

推荐答案

我通常使用加盐哈希并将其存储在数据库中的索引字段中.这取决于您期望的安全级别，但我对所有人都使用一种盐.

I usually use a salted Hash and store it in the DB in an indexed field. It depends on the level of security you expect, but I use one salt for all.

此方法使创建成本更高一些，因为您将有一个 INSERT 和一个 UPDATE，但您的查找速度会非常快.

This method makes the creation a bit more expensive, because you are going to have an INSERT and an UPDATE, but your lookups will be quite fast.

伪代码:

class MyModel << ActiveRecord::Base

  MY_SALT = 'some secret string'

  after_create :generate_hashed_id

  def to_param
    self.hashed_id
  end

  def generate_hashed_id
    self.update_attributes(:hashed_id => Digest::SHA1.hexdigest("--#{MY_SALT}--#{self.id}--"))
  end

end

现在您可以使用 MyModel.find_by_hashed_id(params[:id]) 查找记录，而不会产生任何性能影响.

Now you can look up the record with MyModel.find_by_hashed_id(params[:id]) without any performance repercussions.

这篇关于在应用程序中混淆数字 ID 的最佳方法是什么的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！