
I'm creating a website on which each new user created (that's what I'm doing for now) will have an auth-key generated which is in Base64 encoding. The auth-key is important, as almost all actions performed will require the auth-key of the user. The problem started when I read this article on Base64 padding and created a few users with more or less the same unique-name (the encryption is done using the unique-name and the LocalDateTime at which the user is created). I saw that the keys generated are all very similar to one another. I then went through a few more resources and found that it is extremely easy to decode.

Ever since, I've been wondering what security flaws I'm facing if I use Base64 encoding. How bad is it? How vulnerable will the website be, etc.?

Apart from the above questions, I want to know when I should be using Base64 encoding and when I should not. Also, what should I use if not Base64?

Note: I'm generating the auth-key in Java and the encryption is AES. Thank you.

thegauravmahawar

Comment: http://security.stackexchange.com/questions/24850/choosing-a-session-id-algorithm-for-a-client-server-relationship – deviantfan Sep 16 '15 at 09:33

2 Answers

In security, Base64 is not used to encrypt a string you want to keep secret; it is used to encode it.

In Basic Authentication, for example, the intent of the encoding is to encode non-HTTP-compatible characters that may be in a user name, password, or token into those that are HTTP-compatible.

Encoding does not provide any confidentiality; for that you need to encrypt the string.

Think of the encryption as the security bit, and the encoding as what makes the string play nicely with HTTP.

A common approach to generating a token is to first encrypt it, and then encode it.

jacks
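The distinction drawn in this answer, shown in code. This is an added example, not code from the question or the answer: the first pair of functions does what the question describes (Base64 of unique-name plus creation time, which anyone can decode and which yields near-identical tokens for near-identical inputs); the second pair encrypts first and Base64-encodes the ciphertext. AES-GCM with a fresh random nonce is an assumption here, since the question only says "AES"; the sample names and timestamps are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: Base64 is a reversible transport encoding. A token that is only
// Base64(uniqueName + createdAt) is readable by whoever holds it. Encrypting the
// payload first and encoding the ciphertext is what the answer describes.
public class EncodeVsEncrypt {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_BYTES = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;

    // What the question describes: encoding only. Trivially reversed below.
    static String encodeOnly(String uniqueName, String createdAt) {
        byte[] payload = (uniqueName + "|" + createdAt).getBytes(StandardCharsets.UTF_8);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(payload);
    }

    static String decodeOnly(String token) {
        return new String(Base64.getUrlDecoder().decode(token), StandardCharsets.UTF_8);
    }

    // Encrypt, then encode: token = Base64url(nonce || ciphertext || GCM tag).
    // The nonce is random per token, so the same input never yields the same token.
    static String encryptThenEncode(SecretKey key, String uniqueName, String createdAt)
            throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal((uniqueName + "|" + createdAt).getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Only the holder of the server key recovers the payload. A modified token
    // fails the GCM tag check and doFinal throws AEADBadTagException.
    static String decodeThenDecrypt(SecretKey key, String token) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed inputs: same user, creation times one minute apart.
        String t1 = encodeOnly("alice", "2015-09-16T09:33:00");
        String t2 = encodeOnly("alice", "2015-09-16T09:34:00");
        System.out.println("encode-only tokens share a long prefix:\n  " + t1 + "\n  " + t2);
        System.out.println("and decode straight back to: " + decodeOnly(t1));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey serverKey = kg.generateKey();   // in practice: loaded from a key store, never derived from user data
        String e1 = encryptThenEncode(serverKey, "alice", "2015-09-16T09:33:00");
        String e2 = encryptThenEncode(serverKey, "alice", "2015-09-16T09:33:00");
        System.out.println("encrypt-then-encode, identical input twice:\n  " + e1 + "\n  " + e2);
        System.out.println("decrypts only with the server key: " + decodeThenDecrypt(serverKey, e1));
    }
}
```

Two caveats that follow from the question's observation: the similarity between tokens is not a Base64 problem but a property of whatever precedes the encoding, so AES in ECB mode or CBC with a fixed IV would reproduce the same "similar keys for similar users" symptom after encoding; and with random 96-bit GCM nonces one server key should not be used for more than a few billion tokens, which is far beyond a user-creation workload but worth knowing.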

As the first line of the article you linked says:

Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.

As Base64 encoding can be reversed very easily (it has been designed for this), it would be easy to break through your authentication. You shouldn't consider using Base64 encoding or any cipher encryption for your purpose, but instead a hash algorithm like MD5, SHA or another, because they are, theoretically, non-reversible and unique. Here is an example for MD5:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
// SALT: a randomly generated string, fixed once per deployment (placeholder value, not a real salt)
private static final String SALT = "<randomly generated string>";
public byte[] digestAuthKey(String login, Date d) throws NoSuchAlgorithmException {
   MessageDigest md = MessageDigest.getInstance("MD5");    // getInstance throws if the algorithm is missing
   String key = login + SALT + d.getTime();                // login, salt and creation time, concatenated
   return md.digest(key.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}

The SALT constant is a randomly generated string that enhances security, making it harder to break. To convert the byte array to a string, see this post.

Jib'z
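The hashing approach in this answer, carried a step further as an added example (not code from the answer or the question). The answer digests login plus salt plus creation time; the creation time is something an attacker can narrow down, so the variant most practitioners use draws the key itself from a CSPRNG, hands the client the Base64url form, and stores only a SHA-256 digest, verifying with a constant-time comparison. SHA-256 is one of the "SHA or other" options the answer lists; the in-memory map standing in for the user table, and the logins used in main, are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: auth-keys generated from SecureRandom, stored server-side only as
// SHA-256 digests, verified in constant time. Base64url is transport encoding only.
public class HashedAuthKeys {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BYTES = 32;   // 256 bits of entropy per key

    // Stand-in for the user store (assumption for the demo): login -> digest of key.
    private final Map<String, byte[]> keyDigestByLogin = new HashMap<>();

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java platform", e);
        }
    }

    // Issue a fresh key. The raw bytes go to the client once; only the digest is
    // kept, so a leaked user table does not hand out usable keys.
    String issueKey(String login) {
        byte[] raw = new byte[KEY_BYTES];
        RNG.nextBytes(raw);
        keyDigestByLogin.put(login, sha256(raw));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Verify a presented key: decode, re-digest, compare with MessageDigest.isEqual,
    // which does not short-circuit on the first differing byte.
    boolean verify(String login, String presentedKey) {
        byte[] stored = keyDigestByLogin.get(login);
        if (stored == null) {
            return false;
        }
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(presentedKey);
        } catch (IllegalArgumentException notBase64) {
            return false;   // malformed token, treat as a failed check rather than an error
        }
        return MessageDigest.isEqual(stored, sha256(raw));
    }

    public static void main(String[] args) {
        HashedAuthKeys store = new HashedAuthKeys();
        String k1 = store.issueKey("alice");
        String k2 = store.issueKey("alice2");   // near-identical login, unrelated key
        System.out.println("alice : " + k1);
        System.out.println("alice2: " + k2);
        System.out.println("alice with her own key  : " + store.verify("alice", k1));
        System.out.println("alice with alice2's key : " + store.verify("alice", k2));
        System.out.println("alice with junk         : " + store.verify("alice", "not base64!"));
        System.out.println("unknown login           : " + store.verify("bob", k1));
    }
}
```

The salt in the answer matters when the hashed material is low-entropy (a login and a timestamp), because it stops an attacker from precomputing digests for likely inputs. A 256-bit random key has no such weakness, so the plain digest is enough there; a slow password hash such as bcrypt or PBKDF2 is also unnecessary for it, since there is nothing to brute-force. The raw key must still be stored as a digest rather than in the clear, exactly as the answer's byte array would be.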