2000-02-03-13:36:42 Ameet Chaubal:
> I have a customer site which needs to send me a url in encrypted
> format. I need to be able to decrypt the data and use it in some
> programs. Set up is kind of like this:
>
> The URL (which points to us) on the customer's web site needs
> to be hidden (encrypted) because that URL contains important
> information for us. So preferably it should be encrypted. When
> this URL is clicked on, only our site should be able to decrypt
> the url and extract the information from it.
>
> Or if there is any other way of establishing a secure encrypted
> communication between two sites, and then passing the information
> in encrypted form, that will work too. It's just that it needs to
> be done on the click of a url.

I still don't have a clear enough picture of your needs to suggest
a single answer.

If the only need is to protect the gizmo in transit, then just make
sure all the transactions against both webservers are https (SSL).
The whole http dialogue, including all the headers (e.g. the URL)
all tunnel through the encrypted channel, and so are all protected.

If you need to prevent the user from being able to get their hands
on the contents of the URL, then the first server could encrypt
it; I'd probably use a simple symmetric algorithm (e.g. blowfish)
unless key management were a worry, in which case I'd probably use
GnuPG to get an implementation of ElGamal public key (free of patent
problems). Whatever you use to encrypt, if you want it in the URL,
just use it as a query string after a CGI URL, and remember to URI
escape it.

And if the magic wad o' bits cannot be allowed to appear in
cleartext on the first server, then you'll have to encrypt it on
your own (no reason not to use a simple symmetric algorithm) and
pass the encrypted wad to the first server. For server<->server data
xfers, I like building using rsync over ssh. I find it reliable,
simple to use, efficient, and secure. If speed is less of an issue,
you can probably make something absolutely terrific with GnuPG and
email.

-Bennett
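
The shared-key variant from the reply above (encrypt, put the result in a query string, URI-escape it), as an added example that is not part of the original post. It substitutes AES-256-GCM from the Go standard library for the blowfish mentioned there, so the receiving site also detects a modified token; the host us.example, the parameter name t and all function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewSealer builds AES-256-GCM from the 32-byte key both sites share.
func NewSealer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealURL encrypts payload and returns base?t=<URI-escaped base64 token>.
func SealURL(a cipher.AEAD, base, payload string) (string, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	token := base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, []byte(payload), nil))
	return base + "?t=" + url.QueryEscape(token), nil
}

// OpenURL unescapes and decrypts the token; a modified token fails authentication.
func OpenURL(a cipher.AEAD, link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(u.Query().Get("t"))
	if err != nil || len(sealed) < a.NonceSize() {
		return "", fmt.Errorf("malformed token")
	}
	plain, err := a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], nil)
	return string(plain), err
}

func main() {
	a, _ := NewSealer(make([]byte, 32)) // constructed all-zero demo key, never for real use
	link, _ := SealURL(a, "https://us.example/cgi-bin/in", "acct=1234&plan=gold")
	plain, err := OpenURL(a, link)
	fmt.Println(link, plain, err)
}
```

Standard base64 output contains +, / and =, which is why the token goes through url.QueryEscape before it is appended to the link.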