Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
TurbID is a Python library that provides ID obfuscation and encryption for sequential integer primary keys. With TurbID, your database can store clear, sequential integer primary keys, while your public API and the rest of the world sees opaque and seemingly random long-form string IDs. This approach avoids the database performance downsides of long random IDs and sidesteps the privacy and security risks of clear integer IDs.
Unlike other libraries that merely encode integers with a randomized alphabet, TurbID uses format-preserving encryption for additional security.
TurbID currently supports SQLAlchemy with an optional extension that provides a custom column type, but it can be extended to work with other ORMs or frameworks.
[!WARNING]
TurbID is not intended for protecting sensitive numeric data, such as credit card numbers or PINs. For these use cases, please use standard, secure encryption methods.
TurbID is compatible with Python 3.8+ and available on PyPI. Install it with pip, or your package manager of choice:
pip install turbid
But you probably want to install with the optional SQLAlchemy extension:
pip install turbid[sqlalchemy]
With SQLAlchemy, just replace your column's Integer
column type with TurbIDType
:
class User(Base):
__tablename__ = "user"
user_id = sa.Column(TurbIDType(key=KEY, tweak="user"), primary_key=True)
name = sa.Column(sa.String(200))
If you have foreign keys, do the same for the ForeignKey
columns, but remember
to use the same key
and tweak
values as the referenced column:
class Post(Base):
__tablename__ = "post"
post_id = sa.Column(TurbIDType(key=KEY, tweak="post"), primary_key=True)
user_id = sa.Column(TurbIDType(key=KEY, tweak="user"), sa.ForeignKey("user.user_id"))
title = sa.Column(sa.String(200))
You can use your columns as usual, in joins, filters, data retrieval, etc. In queries or when updating data you can use either the original integer ID or the obfuscated string ID, but retrievals will always return the obfuscated string ID.
If you don't use SQLAlchemy or you want to encrypt/decrypt IDs at another layer
of your application, like when serializing objects for responses, you can use
the TurbIDCipher
class directly.
>>> from turbid import TurbIDCipher
>>> import secrets
>>>
>>> key = secrets.token_hex()
>>> tweak = "my_table_name"
>>> obscure_id = TurbIDCipher(key, tweak=tweak)
>>>
>>> # Encrypt an integer ID
>>> encrypted_id = obscure_id.encrypt(12345)
>>> print(f"Encrypted ID: {encrypted_id}")
Encrypted ID: VTxLWjgdCWGjLSIiZtCQCMvu
>>>
>>> # Decrypt the ID back to the original integer
>>> original_id = obscure_id.decrypt(encrypted_id)
>>> print(f"Original ID: {original_id}")
Original ID: 12345
The required parameters are:
secrets.token_hex
function.key
.SQLAlchemy extension parameters:
tweak
value if an explicit one isn't provided.tweak
for each table.tweak
and a prefix
. In this case, the prefix
will be merely cosmetic and the tweak
will be used to differentiate the
encrypted values.Optional parameters with tested defaults:
24
:
ValueError
will be raised if the alphabet length is incompatible with
the specified length.string.digits + string.ascii_letters
:
length
.128
:
TurbID is tested with the following values:
0
to 2^63-1
length
: 20
to 32
, inclusivealphabet
: string.digits + string.ascii_letters
and "0123456789abcdef"
key_length
: 128
, 194
, and 256
It probably works with other values, but you should review the limitations of the FF3-1 algorithm and the ff3 library and implement tests to ensure it works as expected.
TurbID is licensed under the MIT License. See the LICENSE file for details.
FAQs
Transparent obfuscation of numeric IDs
We found that turbid demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.