Hiding token information from users

Tobiah toby at tobiah.org
Tue Aug 23 15:27:39 CEST 2011


I am making QR codes that cell phone users scan in order
to make use of an application.  Part of the information
is a token that needs to be passed on to the server, but
I'd rather not allow a person examining the QR code to
be able to see that plain bit of information.  I'd like
to scramble up the token so that the result:

1) takes up the same (near, or less) number of characters as the 
original token.

2) They key can be derived from the input, and vise versa.

3) The result is alphanumeric.

4) When one character changes in the source,
    many characters are likely to change in the
    result.

So if my token is:

         mytoken2011

The result might be something like:

         xm23ffz4uuw

Then
         mytoken2012

might yield something very different:

         d8ru3jdhvhd

I was thinking of just stringing up all letters and
numbers into a 'wheel' and doing an 18 char rotation on
the chars in the token, but that fails #4.  The secret is not like
the key to Fort Knox.  We would rather not have the plain
token out there, as it's internal business information,
but we don't have to protect the information at all costs.
Just making it really inconvenient to extract is fine.

Thanks,

Tobiah



More information about the Python-list mailing list