0

I have an api that I want allow users to send an id to, but I don't want the id to be visible over a network. I decided that I will then generate a secret for the user which will be used as a salt to hash the id they send. They will then take that id and secret to connect to my api.

The server is written with node.js, and the client will be written in c#, so I need a way so that both languages can encode/decode if they know the secret.

So...

  • C# will encode the id
  • Node.js will decode the id

I have never create an salt like this before, so what method(s) can I use to do this? I think eventually I will be using more just C# to encode the id, so methods for other languages would be awesome too!

Get Off My Lawn
  • 34,175
  • 38
  • 176
  • 338

1 Answers1

1

If you want to hide information from prying eyes, use TLS (as suggested in the comments). Also from the comments, it looks like what you want is not to hide the ID but a way to sign messages so you can make sure the messages you receive are legal messages from your application. In this case, each message you receive will come with a hash, that hash is computed from the message and the secret key. Then your server will try to compute the same hash from the received message and the stored secret key and then compare it to the received hash. A salt has a different use. (this was intended as a comment but didn't fit)

See:

Community
  • 1
  • 1
Josep Valls
  • 5,483
  • 2
  • 33
  • 67
  • This sound like a legit way to do it, basically I would send a token along with the request that my server could build. – Get Off My Lawn May 12 '15 at 20:13
  • @TheBoogieMan if that's what you want its called HMAC: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code – Josep Valls May 12 '15 at 20:15