
formerly_proven yesterday at 11:56 AM

If all you want is to obfuscate the fact that your social media site only has 200 users and 80 posts, simply use a permutation over the autoincrement primary key. E.g. IDEA or CAST-128, then encode in base64. If someone steps on your toes because somewhere in your codebase you're using a forbidden legacy cipher, just use AES-128. (This is sort of the degenerate/tautological base case of format-preserving encryption)

(What do you think Youtube video IDs are?)
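The permutation-then-base64 scheme from the comment above, as an added sketch that is not part of the thread or any poster's code: Python's standard library ships no IDEA, CAST-128 or AES, so a Feistel network keyed with HMAC-SHA256 stands in for the 64-bit block cipher. `ROUNDS`, the function names and the key are assumptions of this example.

```python
import base64
import hashlib
import hmac

ROUNDS = 8  # assumption for this sketch


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: HMAC-SHA256(key, round || half) truncated to 32 bits."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def permute(key: bytes, n: int, inverse: bool = False) -> int:
    """Keyed bijection on 64-bit integers (balanced Feistel network)."""
    if not 0 <= n < 1 << 64:
        raise ValueError("value outside the 64-bit block")
    left, right = n >> 32, n & 0xFFFFFFFF
    if inverse:
        for rnd in reversed(range(ROUNDS)):
            left, right = right ^ _f(key, rnd, left), left
    else:
        for rnd in range(ROUNDS):
            left, right = right, left ^ _f(key, rnd, right)
    return (left << 32) | right


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_id(key: bytes, row_id: int) -> str:
    """Autoincrement primary key -> 11-character public token."""
    return _b64(permute(key, row_id).to_bytes(8, "big"))


def decode_id(key: bytes, token: str) -> int:
    """Public token -> candidate primary key. Nothing here authenticates the
    token: any well-formed one decodes to some integer, so the row lookup
    and the access check still have to happen afterwards."""
    raw = base64.urlsafe_b64decode(token + "=")  # malformed input raises ValueError
    # Reject aliases: the 11th character has 2 spare bits the decoder ignores.
    if len(raw) != 8 or _b64(raw) != token:
        raise ValueError("malformed or non-canonical token")
    return permute(key, int.from_bytes(raw, "big"), inverse=True)


if __name__ == "__main__":
    key = b"constructed demo key"  # constructed; load a real key from secret storage
    for row_id in (1, 2, 3):
        print(row_id, encode_id(key, row_id))
```

Every public ID depends on the key, so replacing the key changes every URL already handed out.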


Replies

enz yesterday at 1:11 PM

The problem with this approach is that you now have to manage a secret key/secret for (maybe) a very long time.

I shared this article a few weeks ago, discussing the problems with this kind of approach: https://notnotp.com/notes/do-not-encrypt-ids/

I believe it can make sense in some situations, but do you really want to implement such crypto-related complexity?

benterix yesterday at 12:47 PM

I always thought they are used and stored as they are because the kind of transformation you mention seems terribly expensive given YT's scale, and I don't see a clear benefit of adding any kind of obfuscation here.

pdimitar yesterday at 12:21 PM

> What do you think Youtube video IDs are?

I actually have no idea. What are they?

(Also what is the format of their `si=...` thing?)

Retr0id yesterday at 1:02 PM

Why not use AES-128 by default? Your CPU has instructions to accelerate AES-128.

conradfr yesterday at 1:45 PM

Can't you just change the starting value of your sequence?