Archive for September, 2011

image path obfuscation

Posted on Friday, September 30th, 2011 at 12:18 pm

Someone in my office asked me to hide image URL. The problem is, we’ve a bunch of pictures of students and we don’t want any one to download all of them. The pictures are named by student ID, so it will be easy to write a small code to iterate all ID and download all the pictures. That’s why we need to hide the image URL.

At first, I want to make a hash function. So, it will be harder to break. However, we need a storage to store all hash, either in database or in file, which is I don’t want to . So, hash is gone. The other choice is encryption.

What I did is to write two code, first one is to generate an encrypted text from student id. Then, the second code, convert the encrypted text back to id. So, the image URL will include the encrypted text instead of picture’s name. So, instead of

http://www.foo.com/image/512345.jpg

the url will be

http://www.foo.com/image/get_picture.php?hash=21342u987891234

To do this, I use mcrypt function in php to encrypt and decrypt, this is nothing special.

However, I feel like this method will be a victim of known-plaintext attack. Because the website that shows this picture also shows student ID and everyone can guess that the picture’s name should be the ID itself. So, I would like to change the key periodically. So, I make a cron script to change the encryption key every day. It will be harder to crack the encryption.

The code is here