How to encode or encrypt the attributes included in a URL

Protecting respondents' personal information is a crucial step to ensure the compliance of data collected through your surveys.

In this article, we present solutions to encode or encrypt the attributes contained in a URL, thereby guaranteeing their confidentiality and integrity during the stages of data collection, transmission, and analysis.

If you would like to learn more about ensuring compliance with current data retention regulations, we invite you to read the article Ensuring GDPR compliance with Skeepers Feedback Management.

We recommend sharing this documentation with the teams responsible for integrating data into your external email or SMS sending tool.

Presentation

Skeepers Feedback Management offers two distinct methods that provide varying levels of security :

  Base64 encoding

AEAD encryption

Objective Converts the attributes present in the URL into ASCII characters

Secures the attributes in the URL and ensures the integrity of the data

Nature Does not encrypt data and provides no protection against reading or tampering Encrypts data to make it unreadable without an appropriate key and adds authentication to verify that the data has not been tampered with
Limitations Can easily be decoded with a converter, making it insufficient for protecting sensitive information Requires proper key management to ensure security

Base64 encoding method

Presentation

To hide from respondents the attributes and their values that are usually visible in the URL of your surveys, you can use base64 encoding of the attributes.

Unlike the AEAD encryption method, the base64 encoding method does not provide a high level of security because the attributes are only encoded. They can be easily decoded using a converter. This method is simple to implement but only "obscures" the personal information in the URL, without securing it.

Implementation

Here are the steps to follow to use the base64 encoding method:

1. Generate a new URL link (with a code or with manual attribute value completion) for a survey ready to be deployed.

2. Isolate the URL parameters containing the attributes and their values "d:attribute1=value1&d:attribute2=value2&d:attribute3=value3". The "lang" and "value" parameters should not be encoded.

3. Use an external tool (online service, AI, software or script) to encode the URL parameter corresponding to the attributes into base64.

3. Reconstruct the tracked URL by linking the survey access URL with the attributes encoded in base64 (do not forget the "=").

4. If defined in the original link, add the language parameter at the end of the URL.

The tracked URL granting access to your survey, with attributes hidden from respondents, is now ready to be deployed.

For technical and functional reasons, the decoding of the base64-encoded URL varies between a classic integration and an integration with pre-filled first question or saved at click. In cases where the embedded first question is integrated, if URL encoding is not used, the decoding of the base64 string may be incorrect when it contains Chinese or Japanese characters. These alphabets, when converted into base64, may generate special characters that disrupt decoding. It is therefore recommended to use URL encoding in such cases.

AEAD encryption method

Overview

To hide from respondents the attributes and their values that are usually visible in the URL of your surveys while ensuring the confidentiality and authenticity of the data, you can use the AEAD encryption method.

Unlike the base64 encoding method, the AEAD encryption method (Authenticated Encryption with Associated Data) offers a high level of security. This method uses an Encrypt then MAC (EtM) approach to ensure data integrity by using one key to encrypt the payload (EncryptKey) and another key for the MAC part (AuthKey). It requires a more significant setup than base64 encoding because both keys must be generated from your Skeepers instance, and a JSON payload containing business data in the form of attributes must be created beforehand.

Presentation

Here are the steps to follow to use the AEAD encryption method :

1. On the Skeepers Feedback Management platform, with the appropriate rights, go to the 'Settings' category accessible from the left sidebar menu. Access the 'Encryption' section.

2. If no key pair has ever been generated on the account, click on the "Generate Keys" button. A new encryption key and a new authentication key will be created.

A Skeepers account can only be associated with one key pair at a time. If necessary, a key pair can be revoked by contacting Skeepers Support. When a key pair is revoked, all links generated before the revocation, containing data encrypted with this pair, will become invalid. A new key pair can then be generated following the procedure described here.

3. Create the JSON payload containing the business data (attributes) according to the following structure :

{

"attribute1": "value1",

"attribute2: "value"

}

4. Encrypt the payload using the AES-CBC algorithm with the 256-bit encryption key retrieved from the platform, a block size of 128 bits, and the PKCS7 padding mode.

5. Then generate an initialization vector (IV) based on the 128-bit block size, and encrypt the JSON payload using the encryption key and IV.

6. Generate a signature for the obtained ciphertext using the HMAC-SHA256 algorithm and the authentication key retrieved from the platform. Determine the HMAC by hashing the IV concatenated with the ciphertext :

HMAC = HMAC-SHA256(IV + ciphertext)

7. Encode in base64 the combination of the IV, the ciphertext, and the HMAC :

base64_payload = base64(IV + ciphertext + HMAC)

Finally, since base64 can contain special characters like "/" and "+", it is necessary to encode the encrypted and signed payload URL before adding it to the survey URL :

payload = urlencode(base64_payload)

8. If the URL is shared within an email template, integrate the survey URL as follows :

"https://room.myfeelback.com/websites/xxxxxxxxxxxxxxx?p="

 

If you want to add another layer of security, we invite you to read the article Using Account Data.

 

If you have any questions, feel free to contact our Customer Care team.

 

Was this article helpful?
0 out of 1 found this helpful