Laravel 5 Encryption - Differences in Values for the Same String?

I use Laravel 5 for a project for which one of the tenets is that the emails stored in the system must be encrypted. I am using the Laravel 5 Crypt facade and the corresponding encrypt() and decrypt() methods.

The problem is that the encrypted value seems to be different even if the same string is given. At first I thought that this could be due to the maximum value of the VARCHAR length, however both hash values are returned under the length of 255 specified in the field.

Take, for example, this dump (PHP):

    $hash1 = 'eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ';
    $hash2 = 'eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRBbW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0=';

    $dump = [
        'hash1'   => $hash1,
        'hash2'   => $hash2,
        'string1' => Crypt::decrypt($hash1),
        'string2' => Crypt::decrypt($hash2),
    ];

    return $dump;

Result object:

    hash1:   "eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ"
    hash2:   "eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRBbW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0="
    string1: "admin03@y..sef...iman.com"
    string2: "admin03@y..sef...iman.com"

Dots replace some characters for privacy, but the two strings are exactly the same. The only thing I can think of is maybe some kind of encoding formatting?

Any help resolving this would be greatly appreciated!

Sincerely.

+1

1 answer

If I understand your question correctly: why do the encrypted results differ, even with the same input and the same key?

(You call this a hash, but Crypt::encrypt() and decrypt() are for symmetric encryption.)

Laravel Crypt uses CBC mode by default. This means that it generates a random IV every time you encrypt something, to ensure that the output is always different.

Without using a mode such as CBC, you risk leaking information. If I know that admin03@y..sef...iman.com always encrypts to eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ, then even without knowing the encryption key I still know something about your messages (to whom it is sent, for example).

You can see a great example of the risk here.

Edit: if this is to store passwords, you should not use encrypt() and decrypt(). You must use bcrypt() or PBKDF2. Otherwise, assuming a compromise, an attacker could simply decrypt all your user passwords.

+4
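To make the answer concrete, here is an added Python example (not code from the question, the answer, or Laravel itself) that unwraps the two values from the question. A Laravel 5 Crypt payload is base64 of a JSON object with `iv`, `value` and `mac`; the MAC is HMAC-SHA256 over the base64 `iv` and `value` strings. Only the IV differs by design, so the ciphertext and MAC differ too, while the plaintext is the same. The key used below is constructed for illustration; the real APP_KEY is not on the page.

```python
import base64
import hashlib
import hmac
import json

# The two encrypted values from the question (same key, same plaintext).
HASH1 = ("eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRH"
         "SGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVh"
         "ZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ")
HASH2 = ("eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRB"
         "bW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0"
         "MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0=")


def parse_payload(token: str) -> dict:
    """Unwrap a Laravel 5 Crypt payload: base64 -> JSON {iv, value, mac}."""
    token = token + "=" * (-len(token) % 4)  # hash1 on the page lost its '=' padding
    payload = json.loads(base64.b64decode(token))
    if set(payload) != {"iv", "value", "mac"}:
        raise ValueError("not a Laravel Crypt payload")
    return payload


def compare_payloads(a: str, b: str) -> dict:
    """Show which parts of two payloads differ and how large they are."""
    pa, pb = parse_payload(a), parse_payload(b)
    return {
        "iv_bytes": len(base64.b64decode(pa["iv"])),            # one 16-byte AES block
        "ciphertext_bytes": len(base64.b64decode(pa["value"])),  # serialized email, padded
        "same_iv": pa["iv"] == pb["iv"],
        "same_ciphertext": pa["value"] == pb["value"],
        "same_mac": pa["mac"] == pb["mac"],
    }


def mac_is_valid(token: str, key: bytes) -> bool:
    """Laravel 5's integrity check: HMAC-SHA256(key, iv_b64 + value_b64), compared in constant time."""
    p = parse_payload(token)
    expected = hmac.new(key, (p["iv"] + p["value"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, p["mac"])


def build_payload(iv: bytes, ciphertext: bytes, key: bytes) -> str:
    """Wrap raw IV + ciphertext the way Laravel 5 does (illustration; no AES is performed here)."""
    iv_b64, value_b64 = base64.b64encode(iv).decode(), base64.b64encode(ciphertext).decode()
    mac = hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac}).encode()).decode()


if __name__ == "__main__":
    print(compare_payloads(HASH1, HASH2))
```

Because the MAC is keyed, a stored value cannot be altered without the key, but it also means the same plaintext can never be searched for by comparing stored ciphertexts; a separate keyed hash of the email is the usual answer to that.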
