Link to home
Start Free TrialLog in
Avatar of M S
M S

asked on

Url Encryption tied to physical infrastructure

I have a requirement where i need to store confidential data in an encrypted format in the url, i understand POST with body is better approach but it is not an option for me. I am thinking of using a pass phrase based AES 128 bit encryption for encrypting the query string parameter. The concern i have is that the url could get cached in different parts of the internet and if the pass phrase is exposed somehow then it could be used to decrypt these values. Are there any encryption mechanisms which allow to decryption to happen only within our infrastructure? Is there a way to tie the decryption to our infrastructure along with the key so that even if key is lost nobody outside can decrypt it?
Avatar of arnold
arnold
Flag of United States of America image

Not sure I understand what your requirement is and what you are envisioning passing.

The query string can be a HASH that includes several data points
IP
Date and time
for restriction while the other data points up to a total of 4096 which I think is the query string length limit which you can mitigate by using a session ID that can be rertrieved from a DB.
site
session ID

when the request is received, the query-string data extracted, IP is validated and the time window lets say is 15 minutes, if it is within the allowed time frame, you proceed further, if it is not, the query is treated as either invalid or expired.


The key is never exposed to the outside it is always on the system.
Only if the system is compromised and the key can be located ...

Using SSL connection secures the data transfers.

Adding URL encrypted/Encoded data point


is handled on the server side where it sends the issue is that the URL encoding is done by the client
so your form has to include the FORM action GET
fieldidentifier=encrypted_string

If you want your javascript or similar code within the browser to encrypt data, all you need to provide it is the PUBLIC side not the Private KEY.
It needs only know the public key which is used to encrypt.
 it will not be able to decrypt encrypted messages unless you build-into your code a means by which the Client side browser can negotiate/exchange a randomly generated client side key pair from which it will provide the session public key to the server.
Once the session ends, the client side key pair is lost/discarded

This is how SSL connections between unauthenticated users and servers work.
The browser creates a random and temporary client certificate for the session. during the connection negotiation it exchanges the public portion to the server and then the two the others public key to encrypt and transmit the data.
1) Are there any encryption mechanisms which allow to decryption to happen only within our infrastructure?

HTTPS wrap your site - all requests.

Then no one can read any parameters passed.

2) Is there a way to tie the decryption to our infrastructure along with the key so that even if key is lost nobody outside can decrypt it?

So... the answer is yes... What you're describing is... an entire login + nonce type of system.

Take a look at how WordPress handles user authentication.

Or... you can also just use WordPress, so all this is handled for you.
Avatar of M S
M S

ASKER

My requirement once again if it was not clear is to store PHI information of a patient(Name, DOB etc) in encrypted(done on server side) form in the url as query string parameter, users can bookmark if needed the link to a specific patient and when they click the link, we will decrypt the query string parameter on server side, search and send back the results to be displayed in our single page application. I cannot use a hash for it since i need to have the understanding of the original data for doing the search.  The other approach is to store this info in a database table and use a guid or any other identifier for the url, I do not have any existing data layer in the application and i am trying to avoid it. Hope it helps. Also, with regards to usage of IP, my application runs in a container/pod on kubernetes. Whatever dynamic environment based key i come up with for encrypting has to be always same otherwise the links would not work for the user. Hope this context helps.

OWASP url vulnerability https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url 
The only decryption occurs on your server side.
The issue on your side is you have to maintain and generate keys on regular basis.
Since the encrypted string relies on data plainly visible.
You could include non phi information as a seed to as an example reflect when it was originally provided ....

There is nothing from your description that will require having the decryption key exposed to the client side.

The query string is a reference, limited by the max query_string.
You can encode it as you see fit when you redirect the user, location.

The private keys will be retained
Do you want the link to be forever?. Or has to be replaced every two years, the access after one year will include a warning with a new query string ......
Avatar of M S

ASKER

Thanks for your feedback so far appreciate the inputs. In existing infra i have, the plan was to store the passphrase for the AES encryption as a kubernetes secret. Now that url with encrypted PHI is out there in the world in form browser caches and what not, the concern from management is that if this passphrase is let out by lets say a disgruntled employee there is no way to make sure that those encrypted values cannot be decrypted and PHI recovered from it. Hence the question thrown at me is can we secure it such that the decryption can only happen within our infra somehow or some other mechanism which is safer than what i have thought of right now for this use case.The url will be long lived since it just has the search criteria for finding a patient. Yes, the application can take care of providing adequate information to the user in case the url does not work in future.
No, you can not limit the decryption to your infrastructure.
 things have to be known
The private key, the passphrase if required to use the private key to decrypt the query string.
They also need to know which algorithm was used to encrypt.

Given the encrypted data is out the door, you can not alter that data set.
get vs post is of no incidence whatsoever appart from the string length

to tie the decryption to your infra is not feasible. but if it feasible to use asymmetric encryption to minimise the likeliness of key theft, or rather only store the data on premises and rather move around some kind of token

neither home made AES not SSL ( which is also aes based ) can currently be reasonably considered as safe
This question needs an answer!
Become an EE member today
7 DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.