Obfuscating primary keys
Often you'll want URLs that are not authenticated, yet are not easily guessed. Giving each of your models a UUID is one approach. Another elegant approach is to use a block cipher to "encrypt" a unique identifier like the primary key (PK).
Let's sketch out what properties a good solution for PK obfuscation has:
- Generates a one-to-one mapping between all PKs and obfuscated PKs, with no possibility of collision.
- An attacker cannot easily determine the obfuscated PK given a PK, or vice versa.
- Reversible, i.e. the originator can determine the original PK given an obfuscated PK.
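
A sketch of the block-cipher approach that meets the three properties above, added here as an example and not taken from the original article. Python's standard library has no block cipher, so this assumes a 4-round Feistel network with HMAC-SHA256 as the round function as a stand-in; `obfuscate_pk`, `reveal_pk` and `DEMO_KEY` are hypothetical names, and the key is a constructed sample.

```python
import hashlib
import hmac

ROUNDS = 4       # assumption: the classic Luby-Rackoff round count
HALF_BITS = 32   # two 32-bit halves = 64-bit block, enough for a BIGINT PK
MASK = (1 << HALF_BITS) - 1
HEX = set("0123456789abcdef")
DEMO_KEY = b"constructed-demo-key"  # constructed sample; load a real secret from config


def _round(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256(round || half), truncated to 32 bits."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def obfuscate_pk(key: bytes, pk: int) -> str:
    """Map a PK in [0, 2**64) to a 16-character hex token (a keyed permutation)."""
    if not 0 <= pk < 1 << 64:
        raise ValueError("pk does not fit in a 64-bit block")
    left, right = pk >> HALF_BITS, pk & MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, rnd, right)
    return f"{(left << HALF_BITS) | right:016x}"


def reveal_pk(key: bytes, token: str) -> int:
    """Invert obfuscate_pk. The token is not authenticated: every well-formed
    token decodes to some integer, so the caller must still look the row up."""
    if len(token) != 16 or not set(token) <= HEX:
        raise ValueError("malformed token")
    value = int(token, 16)
    left, right = value >> HALF_BITS, value & MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << HALF_BITS) | right


if __name__ == "__main__":
    for pk in (1, 2, 3):  # sequential PKs yield unrelated-looking tokens
        token = obfuscate_pk(DEMO_KEY, pk)
        print(pk, token, reveal_pk(DEMO_KEY, token))
```

Because a Feistel network is a permutation for any round function, collisions are impossible by construction; how hard the mapping is to predict depends entirely on keeping the key secret.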