Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

github.com/alextanhongpin/go-obfuscate

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/alextanhongpin/go-obfuscate

  • v0.0.0-20230206042310-515c6844884b
  • Source
  • Go
  • Socket score
Version published
Created
Source

go-obfuscate

How can we encrypt the int primary key of a relational database (e.g. MySQL)?

  1. aes-siv (the fastest choice if you have to do it, used by connect2id to encrypt user id 1). Also mentioned in 2.
  2. aes-gcm (not an option, because the salt is random)
  3. hashid (possible, but slow)
  4. None of the above, just generate a uuid and store in the db as the secondary key 3.

TL;DR; stick with option 4. How others do it 4 and 5.

The issue with all the other approaches is that the logic to generate such identifier is tied to the application. Consider the scenario where you need to generate a unique user identifier to be send to analytics tool. Now it becomes a problem to identify which id belongs to which user if they are generated through the app.

Instead, if they are stored in the database, queries can still be done directly to access them. Note that if you don't have to return the ids to the end-users, then this article can be disregarded.

For some other scenarios like pagination token etc, using AES-SIV works better over AES-GCM too because the result will always be consistent when encrypting with the same payload, which could be useful for caching etc.

Benchmark

➜  go-obfuscate go test -bench=.
goos: darwin
goarch: amd64
pkg: github.com/alextanhongpin/go-obfuscate
cpu: Intel(R) Core(TM) i5-6267U CPU @ 2.90GHz
BenchmarkHashID-4         131371              8760 ns/op
BenchmarkDaead-4          283908              3939 ns/op
BenchmarkAESGCM-4         364515              2951 ns/op
PASS
ok      github.com/alextanhongpin/go-obfuscate  9.290s

Footnotes

  1. https://connect2id.com/blog/deterministic-encryption-with-aes-siv

  2. https://www.reddit.com/r/cryptography/comments/bit7k8/unsatisfied_with_hashids_ive_created_sound/

  3. https://stackoverflow.com/questions/32795998/hiding-true-database-object-id-in-urls

  4. https://andrew.carterlunn.co.uk/programming/2020/05/17/encrypting-integer-primary-keys.html

  5. https://medium.com/@patrickfav/a-better-way-to-protect-your-database-ids-a33fa9867552

FAQs

Package last updated on 06 Feb 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries

Research

Security News

Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries

Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.

By Kirill Boychenko  -  Nov 22, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc