2

My users can subscribe to threads that send them an email with a simple unsubscribe link. This link contains an encrypted subscribeid and a verifying userid via this process:

// generate iv and create encrypted data
$iv = openssl_random_pseudo_bytes(16);
$encrypted = openssl_encrypt($data, 'AES-128-CBC', ENCRYPTION_KEY,0,$iv);

// send the iv along with the encrypted text
$ciphertext = $iv . $encrypted;

// generate a hash which can verify the data has not changed
$hash = hash_hmac('sha1', $ciphertext, ENCRYPTION_KEY)

// encode the data for email link
encoded = urlencode(base_64_encode($hash.$ciphertext))

This generates a string like: 

www.site.com?id=YzU4MzAzMjljZWUyYmNmY2JmNjE5MGE0YzVhNDUzZjI0YmJmZWI3YoyqdFj6dxA/OVJOw2UN7HErYVV5dmhUVEJzVHBsUGd3aDNHbjVYbmFMa0dhUFczSmpXWnFBN0FyVGxkVml3S041VlhsSXd6TitJYld5QmdhWEFkL3hYSDFiRWdzN0wvNjFXYURiYlNreXpLQ1ZqWnhHMmdCSlZGaUVxU3ZGY3I3RW9GZkJYN3l4Vkp3YmJicg

On the server end, I verify the data and hash and verify the subscribeid is valid for the userid contained in the data and then mark the subscribe record expired.

I developed this encryption for temporary logins (logins with an expiration date) but is a 250 character string overkill for a simple unsubscribe link? The main issues seem to be that it is unsightly in urls and plain text emails. It also has the risk of the link being broken in plain text email clients.

If this were to be hacked, the most that is at risk are the subscribe records being marked as expired. Should I worry about overkill (or anything else). Is there a simpler but still secure method? I am a noob with encryption. The basic question is how much is enough?

mseifert
  • 5,390
  • 9
  • 38
  • 100
  • 1
    Any sensitive data shouldn't be leaving your system, encrypted or not. The sensitive data should be just stored in a database along with a random and unique value such as a hash. The hash can go out and be used to look up the other data if needed. Also, it shouldn't be a "temporary login". The page shouldn't give any information out, just take the hash, update the user setting and echo out a message saying "thanks, unsubscribed. If you want to change your email settings login here". – Jonathan Kuhn Mar 13 '15 at 21:20
  • @JonathanKuhn - The temporary login I mentioned is for a different link in the email which takes users to the subscribed post. It's temporary so that the email isn't a permanent security threat. It makes sense for this scenario to send the hash and look up the hash for the rest of the info. Thanks for the tip. – mseifert Mar 14 '15 at 00:51

1 Answers1

2

Simpler method is a random string of a specific length (e.g. 30 chars) stored in a table with a unique constraint on that field. That random value has no meaning apart from the db and cannot be decrypted because there is no information in it. It only means anything when you use it in a where clause to lookup a record in that table.

developerwjk
  • 8,619
  • 2
  • 17
  • 33