There are clients, they can share links to their profile info, which should be confidential. The link expires in 5 minutes. They set Auth Code, so that the one who gets the link can access the client’s data if he get the correct Auth code.
The link data should be encrypted.
Every client has different key
The client can generate the link in offline mode.
I looked at this answer https://security.stackexchange.com/a/63134/238870
But the same secret key is shared between all clients. Given that the profile, in my problem, contains sensitive information, I can’t rely on that solution.
Also the solution assumes the clients are online and the server knows the IV (I maybe wrong understanding the solution)
What I came up with is combining asymmetric encryption with digital signature:
Clients will encrypt the link data (Auth code, timestamp, user ID) using the server public key, and signs the data using their private key. The combination of the ciphertext and signature is the link data.
At the server, the encrypted data gets decrypted using the server’s private key, then I get the user ID, and by that ID, I get his public key, then verify his signature.
The problem with my solution, is that it’s costly (asymmetric encryption)
And the link gets too long, which is not very handy when sharing links via QR code, which is a main functionality of the application.