Should I encrypt a GUID passed by URL-parameters?

Question

We are creating a Silverlight application and need to have a few parameters pass in with the URL from calling site.

example: http://oursite.com/index.aspx?test=d53ae99b-06a0-4ba7-81ed-4556adc532b2

We want to give the calling website 'test' string that links back to the GUID of our table which tells the Silverlight application what it's task is when they arrive. We also use this GUID for authentication on our application among other things.

The GUID are as such:

1. d53ae99b-06a0-4ba7-81ed-4556adc532b2
2. 8354b838-99b3-4b4c-bb07-7cf68620072e

Encrypted, the values are much longer:

1. l5GyhPWSBUw8KdD+TpWJOsoOFDF0LzmGzd4uufLx+v/d3eByGZ6zPcRjvCRMG2tg
2. WVMN7B0FPa18/Q7+U4njb5AOKnx6Ga9xoAsvCET6MyjM5TV6dO86OexaCXDiXaES

My question is, with security in mind, should we give them the GUID encrypted or like it is, unencrypted?

Does it matter?

What is everyone's experience with this type of parameter passing?

Answer 1

In matters of encryption, the key is to define your security context. What might someone be able to do if they had access to the original GUIDs? If they couldn't do anything hazardous, there's no point encrypting, and it's generally best not to encrypt. If there's any security risk posed by this information being publicly available, you'd better encrypt it.

Since you say:

We also use this guid for authentication on our application among other things

... I'm guessing you'll want to encrypt. But you may want to re-think your authentication strategy. It's often best to use time-tested, well-accepted methods for things like authentication and encryption, since you can be relatively certain that there aren't unknown exploits.