Korneel Korneel - 1 month ago 17
Python Question

How to calculate a short fixed length obfuscated ID similar to YouTube (e.g. 2WNrx2jq184)

Each user object in my database has an incremental ID (1, 2, 3, ...). The URL to view a user's profile contains the ID of the user object; e.g. http://www.example.com/users/1. This way everyone can see how many users there are on the website, how fast the userbase is growing etc. I don't want to give that information away.

I would like to convert the incremental ID to a fixed length string in Base58 format, so the URL would look like http://www.example.com/users/2WNrx2jq184 Also, I need the reverse function that converts the string back to the original ID. The reverse function should not be easy to reverse engineer.

The best Python code I found for this purpose is https://github.com/JordanReiter/django-id-obfuscator. It is very good, but in some cases it adds a

0
and/or
.
character, which leads to strings that are not in Base58 and not of fixed length.
(See utils.py lines 24 and 29.)

How can I improve django-id-obfuscator to result in fixed length base58 obfuscated IDs, or how can I create such obfuscated IDs in Python?

Answer

If you want to properly do this, take your user ID, pad it with leading zeros, then encrypt it with something like AES and encode the result with base58. To get the ID back, just decode, decrypt and int() the result.

So for encryption:

>>> from Crypto.Cipher import AES
>>> import base64
>>> obj = AES.new('yoursecretkeyABC')
>>> x = base64.encodestring(obj.encrypt("%016d"%1))
>>> x
'tXDxMg1YGb1i0V29yCCBWg==\n'

and decryption

>>> int(obj.decrypt(base64.decodestring(x)))
1

If you can live with weak crypto, you could also simply xor the padded ID with a key:

>>> key = [33, 53, 2, 42]
>>> id = "%04d" % 1
>>> x = ''.join([chr(a^ord(b)) for a, b in zip(key, id)])
>>> x
'\x11\x052\x1b'
>>> int(''.join([chr(a^ord(b)) for a, b in zip(key, x)]))
1

But this is much less secure since you should never use the same OTP for multiple messages. Also make sure the key is the same length as your padded ID.

Comments