Searching encrypted data in database
blumfontein opened this issue · 3 comments
Hello!
I am totally new to encryption. I am wondering, if it is normal to generate every time different encrypted strings from the same raw data and key? The problem is I can't search in the database like "select * from table where field='encrypted_string' ", because 'encrypted_string' is different from what is stored in database, although the decrypted data is the same.
Ok, I think I've invented a workaround. I also need to store some hash (for instance SHA256) of the value in the database and make search operations against this hash.
It is indeed absolutely normal and very important that the ciphertext will always be different, even if you use the same plaintext and key. This is achieved by using a unique (random) initialization vector (IV) which acts as a counter:
https://github.com/defuse/php-encryption/blob/master/src/Crypto.php#L265
What you have invented is called a blind index or Bloom filter. However, you had better not apply a hash function to the plaintext only. A better idea is to use a Key Derivation Function (KDF) and then use truncated values from it (it can be a little complicated to determine how long the truncated values should be). Have a look at CipherSweet:
https://ciphersweet.paragonie.com/security
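The scheme described in the reply above, as an added example that is not code from php-encryption or CipherSweet: one master key is split with HKDF (RFC 5869, implemented inline over HMAC-SHA256) into an encryption key and a separate blind-index key; each field is encrypted with AES-GCM under a fresh random nonce (so the stored ciphertext differs every time), and a truncated HMAC of the normalized plaintext under the index key is stored beside it as the searchable column. Lookup compares the blind index, then decrypts the candidates to discard the false positives that truncation allows. The `Store`, `Record`, `indexBytes` and `normalize` names, the `"field-encryption"` / `"field-blind-index"` HKDF labels and the demo key are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one stored row: an opaque ciphertext plus a searchable blind index.
type Record struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext; differs on every encryption
	BlindIndex []byte // truncated HMAC of the normalized plaintext; stable per value
}

// Store is an in-memory stand-in for the database table (constructed for the example).
type Store struct {
	encKey []byte // AES-256 key derived from the master key, used only for encryption
	idxKey []byte // independent key for the blind index, never the encryption key itself
	rows   []Record
}

// hkdfSHA256 derives a purpose-bound subkey (RFC 5869 extract-then-expand, one
// output block, so outLen <= 32). Written inline to stay standard-library only.
func hkdfSHA256(ikm, salt, info []byte, outLen int) []byte {
	if outLen > sha256.Size {
		panic("single-block HKDF: outLen must be <= 32")
	}
	ext := hmac.New(sha256.New, salt) // PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk) // T(1) = HMAC(PRK, info || 0x01)
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)[:outLen]
}

// NewStore splits one master key into independent encryption and index keys.
func NewStore(masterKey []byte) *Store {
	return &Store{
		encKey: hkdfSHA256(masterKey, nil, []byte("field-encryption"), 32),
		idxKey: hkdfSHA256(masterKey, nil, []byte("field-blind-index"), 32),
	}
}

// normalize defines what "equal" means for the search (trimmed, case-insensitive)
// and must be applied identically at write time and at query time.
func normalize(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

const indexBytes = 8 // 64-bit index; shorter leaks less, but collides more

// blindIndex is the truncated keyed hash stored beside the ciphertext.
func blindIndex(idxKey []byte, plaintext string, truncBytes int) []byte {
	m := hmac.New(sha256.New, idxKey)
	m.Write([]byte(normalize(plaintext)))
	return m.Sum(nil)[:truncBytes]
}

func (s *Store) aead() cipher.AEAD {
	block, err := aes.NewCipher(s.encKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func (s *Store) encrypt(plaintext string) []byte {
	gcm := s.aead()
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce: why ciphertexts differ
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, gcm.Seal(nil, nonce, []byte(plaintext), nil)...)
}

func (s *Store) decrypt(data []byte) (string, error) {
	gcm := s.aead()
	n := gcm.NonceSize()
	if len(data) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, data[:n], data[n:], nil)
	return string(pt), err
}

// Insert is the equivalent of "INSERT (ciphertext, blind_index) VALUES (?, ?)".
func (s *Store) Insert(plaintext string) {
	s.rows = append(s.rows, Record{
		Ciphertext: s.encrypt(plaintext),
		BlindIndex: blindIndex(s.idxKey, plaintext, indexBytes),
	})
}

// Find is "SELECT ... WHERE blind_index = ?" followed by decrypting each candidate
// to confirm the match, which removes collisions caused by truncation.
func (s *Store) Find(query string) []string {
	want := blindIndex(s.idxKey, query, indexBytes)
	var out []string
	for _, r := range s.rows {
		if !bytes.Equal(r.BlindIndex, want) {
			continue
		}
		if pt, err := s.decrypt(r.Ciphertext); err == nil && normalize(pt) == normalize(query) {
			out = append(out, pt)
		}
	}
	return out
}

func main() {
	s := NewStore(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key, not for real use
	for _, v := range []string{"alice@example.com", "Bob@example.com", "alice@example.com"} {
		s.Insert(v)
	}
	for i, r := range s.rows { // rows 0 and 2 share an index but not a ciphertext
		fmt.Printf("row %d index=%s ct=%s...\n", i, hex.EncodeToString(r.BlindIndex), hex.EncodeToString(r.Ciphertext[:8]))
	}
	fmt.Println("find ALICE:", s.Find("  ALICE@example.com "))
	fmt.Println("find nobody:", s.Find("nobody@example.com"))
}
```

The blind index is an equality index only: it supports `WHERE blind_index = ?` and nothing else, and every row that shares a plaintext shares an index value, so the index reveals how often each value occurs. Truncating it shortens what is revealed at the cost of more candidates to decrypt on each lookup.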
Thank you for assistance!