User ID obfuscation


Question

I expect this has been asked before but haven't really found an appropriate answer here and also don't have the time to come up with my own solution...

If we have a user table with an int identity primary key then our users have consecutive IDs as they register on the site.

Then we have a user public profile page on the site URL:

www.somesite.com/user/1234

where 1234 is the actual user ID. There is nothing vulnerable about exposing a user's ID per se, but it does give anyone the ability to check how many users are registered on my site... Manually increasing the number eventually gets me to an invalid profile.

This is the main reason why I want a reversible ID mapping to a seemingly random number with a fixed length:

www.somesite.com/user/6123978458176573

Can you point me to a simple class that does this mapping? It is of course important that this mapping is simply reversible, otherwise I'd have to save the mapping along with the other user data.

GUIDs are slower to index-search because they're not consecutive, so SQL has to scan the whole index to match a particular GUID instead of just a particular calculated index page...

If I had ID + GUID then I would always need to fetch the original user ID to do any meaningful data manipulation, which is again speed degradation...

A mathematical reversible integer permutation seems the fastest solution...

Answer

I would 100% go with the "Add a GUID column to the table" approach. It will take seconds to generate one for each current user, and update your insert procedure to generate one for each new user. This is the best solution.

However, if you really don't want to take that approach there are any number of obfuscation techniques you could use.

Simply Base64 encoding the string representation of your number is one (bad) way to do it.

    // Encode the decimal string of the ID as Base64 (ASCII bytes in, Base64 text out).
    static public string EncodeTo64(string toEncode)
    {
      byte[] toEncodeAsBytes
            = System.Text.ASCIIEncoding.ASCII.GetBytes(toEncode);
      string returnValue
            = System.Convert.ToBase64String(toEncodeAsBytes);
      return returnValue;
    }

    // Reverse of EncodeTo64: Base64 text in, original decimal string out.
    static public string DecodeFrom64(string encodedData)
    {
      byte[] encodedDataAsBytes
          = System.Convert.FromBase64String(encodedData);
      string returnValue =
         System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);
      return returnValue;
    }

Bad because anyone with half an ounce of technical knowledge (hackers/script kiddies tend to have that in abundance) will instantly recognise the result as Base64 and easily reverse-engineer it.

This blog post, Obfuscating IDs in URLs with Rails, provides quite a workable example. Converting to C# gives you something like:

    // Odd multiplier and its multiplicative inverse modulo 2^31 (Prime * PrimeInverse == 1 mod 2^31).
    static int Prime = 1580030173;
    static int PrimeInverse = 59260789;

    // Multiply in unchecked int arithmetic (wraps mod 2^32), then drop the sign bit: result is (input * Prime) mod 2^31.
    public static int EncodeId(int input)
    {
        return (input * Prime) & int.MaxValue;
    }

    // Multiplying by the inverse undoes EncodeId for any non-negative input.
    public static int DecodeId(int input)
    {
        return (input * PrimeInverse) & int.MaxValue;
    }

Input --> Output
1234 --> 1989564746
5678 --> 1372124598
5679 --> 804671123

This follow-up post by another author explains how to secure this a little bit more with a random XOR, as well as how to calculate Prime and PrimeInverse - I've just used the pre-canned ones from the original blog for the demo.
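The multiply-by-odd-constant permutation from the answer, as an added Python example that is not part of the original answer or the linked blog posts: it computes PrimeInverse rather than hard-coding it, reproduces the answer's input/output table, and adds the optional XOR mask the follow-up post mentions (the XOR-after-multiply order is an assumption). It also shows why the plain version is only obfuscation: consecutive IDs always differ by the multiplier.

```python
# Added example (not from the original answer): multiply-by-odd-constant
# permutation modulo 2**31, with the inverse computed instead of hard-coded,
# plus an optional XOR mask. XOR-after-multiply order is an assumption.
MODULUS = 1 << 31           # "& int.MaxValue" on a wrapped product == mod 2**31
PRIME = 1580030173          # multiplier from the answer
PRIME_INVERSE = 59260789    # inverse from the answer (recomputed below)


def modular_inverse(mult: int, modulus: int = MODULUS) -> int:
    """Return x with mult * x == 1 (mod modulus). For a power-of-two
    modulus this exists exactly when mult is odd."""
    if mult % 2 == 0:
        raise ValueError("multiplier must be odd to be invertible mod 2**31")
    return pow(mult, -1, modulus)   # Python >= 3.8


def encode_id(user_id: int, mult: int = PRIME, xor_mask: int = 0) -> int:
    """Obfuscate a non-negative 31-bit id. Consecutive ids land far apart,
    but anyone holding mult (and xor_mask) can invert it: this is obfuscation,
    not access control, so the profile endpoint still needs its own checks."""
    if not 0 <= user_id < MODULUS:
        raise ValueError("id must fit in a non-negative 31-bit int")
    if not 0 <= xor_mask < MODULUS:
        raise ValueError("xor mask must fit in 31 bits to keep the result in range")
    return ((user_id * mult) % MODULUS) ^ xor_mask


def decode_id(obfuscated: int, mult: int = PRIME, xor_mask: int = 0) -> int:
    """Invert encode_id: undo the XOR, then multiply by the inverse mod 2**31."""
    return ((obfuscated ^ xor_mask) * modular_inverse(mult)) % MODULUS


def consecutive_delta(user_id: int, mult: int = PRIME) -> int:
    """Caveat: without the XOR, encode(n+1) - encode(n) is always the
    multiplier itself (mod 2**31). The mapping is linear, which is why the
    follow-up post adds the XOR step on top of the multiply."""
    return (encode_id(user_id + 1, mult) - encode_id(user_id, mult)) % MODULUS


if __name__ == "__main__":
    assert modular_inverse(PRIME) == PRIME_INVERSE
    for uid in (1234, 5678, 5679):            # the answer's demo inputs
        obf = encode_id(uid)
        print(f"{uid} --> {obf} --> {decode_id(obf)}")
    print("delta between consecutive ids:", consecutive_delta(5678) == PRIME)
```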
