System for securely authenticating content acquisition
I'm having trouble designing a system for having authenticated content
from my site distributed by other people. I'm working in Ruby on Rails,
but I don't think that at a theoretical level my question is restricted to
that framework. In order to not give too much away, my site (let's call it
www.site.com) helps businesses keep inventory of who has purchased what
item, and allows customers to view their purchase history.
Hence, I have the following problem:
Suppose Alice sells cheeseburgers. Alice makes an account on site.com and
registers her cheeseburgers as an item that she sells. Consequently,
site.com stores Alice's cheeseburger in a SQL database with the id 92314.
Bob is a customer at Alice's cheeseburger stand and has recently purchased
a cheeseburger.
Alice would like to tell Bob about site.com and its ability to track
purchases. Hence, Alice sends a request to site.com to return hashA that
corresponds to item with id 92314.
Bob visits www.site.com/purchase/hashA and is prompted to either create an
account or sign in to log his new cheeseburger purchase from Alice's
Delicious and Delectable cheeseburgers.
Charlie also visits Alice's cheeseburger stand and purchases a cheeseburger.
Alice would also like to tell Charlie about site.com and sends a request
that generates hashB for Charlie to use in the same manner.
My question is, how do I come up with a scheme that can generate hashA and
hashB in a way that my web server can efficiently look up the items? I
suspect that hashB can be generated from hashA using some sort of cipher
using hashA as a seed. I don't know how, upon receiving hashA or hashB,
site.com will know that it corresponds to item 92314. I suspect that using
a nonce will help.
Things that I would like to avoid include:
- Having Charlie use hashA after it has been used by Bob
- Exposing the id 92314 to the user
- Having a single point of failure (i.e. a single key that encrypts hashes
  for all ids)
- Having things break if Charlie uses hashB before Bob uses hashA.
Disclaimer: My expertise is more in computer graphics and less in web
development or cryptography, so pointing me towards things to Google is
helpful. If this belongs in any of the other Stack Exchange sites
(Cryptography, Programmers, etc.), feel free to let me know and I will move
it.
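
One way to meet the four requirements listed in the question, as an added example that is not part of the original post: each link carries an independent random token, and the server stores only its digest next to the item id with a redeemed flag. The class name, method names and the in-memory hash standing in for a SQL table are assumptions made for this sketch.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for a SQL table purchase_tokens(token_digest, item_id, redeemed).
# Class and method names are hypothetical, chosen for this example.
class PurchaseTokenStore
  def initialize
    @rows = {}          # token_digest => { item_id:, redeemed: }
    @lock = Mutex.new
  end

  # Called when Alice requests a link for an item she sells.
  # The token is pure randomness: it is not derived from the item id or
  # from any earlier token, so there is no key to leak and nothing to decode.
  def issue(item_id)
    token = SecureRandom.urlsafe_base64(32)   # 256 bits from the OS CSPRNG
    @lock.synchronize do
      @rows[digest(token)] = { item_id: item_id, redeemed: false }
    end
    token
  end

  # Called when a customer visits /purchase/<token>.
  # Returns the item id on first use, nil for unknown or already-used tokens.
  # The check and the flag update happen under one lock; with a real database
  # this would be one conditional UPDATE so two requests cannot both succeed.
  def redeem(token)
    @lock.synchronize do
      row = @rows[digest(token.to_s)]
      return nil if row.nil? || row[:redeemed]
      row[:redeemed] = true
      row[:item_id]
    end
  end

  private

  # Only the digest is stored, so a leaked table does not yield usable links.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

store  = PurchaseTokenStore.new
hash_a = store.issue(92314)   # link for Bob
hash_b = store.issue(92314)   # link for Charlie, independent of hash_a
```

Because hashA and hashB are generated independently, the order in which Bob and Charlie redeem them does not matter, and an index on the digest column keeps the lookup a single keyed read.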