Encrypting member data with keyfiles

Submitted by 独自空忆成欢 on 2019-12-25 03:17:16

Question


I am working on a website where I want members to be able to maintain a list of items in their account. In addition, they should be able to see/browse all items owned by other members (except without seeing any ownership information).

I want to be able to offer some practical reassurance of security to members so that if they log into their account from a device that doesn’t have their keyfile, they will still be able to access and use their account but it will just be limited because it won’t show up that they own any items (and consequently won’t have the privileges to update any of their items or create new items). I’ve been trying to get it working with something like below but I’m not having much luck - any advice would be much appreciated!...

<?php

# Encryption/decryption functions.
# Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.
function derive_key($keyfile) {
    # Rijndael-256 only accepts 16-, 24- or 32-byte keys, so hash the keyfile down to 32 bytes.
    return hash('sha256', $keyfile, true);
}
function encrypt($value, $key) {
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    # MCRYPT_DEV_URANDOM rather than MCRYPT_RAND: the IV must be unpredictable.
    $iv     = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
    $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, derive_key($key), $value, MCRYPT_MODE_CBC, $iv);
    # Store the IV in front of the ciphertext so decrypt() can reuse the same one;
    # base64 keeps the binary safe in a VARCHAR column.
    return base64_encode($iv . $cipher);
}
function decrypt($value, $key) {
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    $raw    = base64_decode($value);
    $iv     = substr($raw, 0, $ivSize);      # the IV saved by encrypt(), not a fresh random one
    $cipher = substr($raw, $ivSize);
    $plain  = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, derive_key($key), $cipher, MCRYPT_MODE_CBC, $iv);
    return rtrim($plain, "\0");              # mcrypt zero-pads the plaintext to the block size
}

# Encryption key that would normally be seeded by user.
$keyfile = '9TOxo1Uy5JsiW1jRPS61';

# Database sandbox
# ------------------------------------------------------------------------------
$db = new PDO('mysql:dbname=mydb;host=localhost', 'root', '');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

# Create dummy table; the encrypted columns need room for IV + ciphertext in base64.
$db->exec("CREATE TABLE items (
owner_id VARCHAR(255) NOT NULL,
ownername VARCHAR(255) NOT NULL,
itemname VARCHAR(100) NOT NULL,
itemdetails VARCHAR(250) NOT NULL);");

# Populate with test data
session_start();
$insert = $db->prepare("INSERT INTO items (owner_id, ownername, itemname, itemdetails) VALUES (?, ?, ?, ?)");
# Keep the id a string: the literal 0001 is octal 1 and would never compare equal to '0001'.
$_SESSION['user_id'] = '0001';
$insert->execute(array(encrypt($_SESSION['user_id'], $keyfile), encrypt("Bob", $keyfile), "Bobs 1st Item", "Item description of Bobs first item"));
$insert->execute(array(encrypt($_SESSION['user_id'], $keyfile), encrypt("Bob", $keyfile), "Bobs 2nd Item", "Item description of Bobs second item"));
$_SESSION['user_id'] = '0002';
$insert->execute(array(encrypt($_SESSION['user_id'], $keyfile), encrypt("Tom", $keyfile), "Toms Item", "Item description of Toms first item"));

# Only return items belonging to the current user - returns nothing without their keyfile
# present even if the user is logged in. decrypt() is a PHP function, so it cannot run
# inside the SQL statement: fetch the rows and compare the decrypted owner_id in PHP.
$userquery = $db->prepare("SELECT owner_id, ownername, itemname, itemdetails FROM items");
$userquery->execute();
$result = array();
foreach ($userquery->fetchAll(PDO::FETCH_ASSOC) as $row) {
    if (decrypt($row['owner_id'], $keyfile) === $_SESSION['user_id']) {
        $row['ownername'] = decrypt($row['ownername'], $keyfile);
        unset($row['owner_id']);
        $result[] = $row;
    }
}

# Without their keyfile a user can still search the items table but with meaningless owner information.
$fullquery = $db->prepare("SELECT ownername, itemname, itemdetails FROM items");
$fullquery->execute();
$result = $fullquery->fetchAll();

?>
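One way to get the "limited mode without the keyfile" behaviour the question describes, as an added example that is not the asker's code: instead of decrypting inside the SQL (which PHP cannot do), the owner id is stored as a keyed HMAC tag that the query can match directly, and the owner's name is encrypted with AES-256-GCM via openssl rather than mcrypt. It assumes PHP 7.1+ with openssl and pdo_sqlite; the in-memory SQLite table, the `items` columns and the keyfile strings are constructed for the demo.

```php
<?php
// Added example, not code from the question. Assumes PHP 7.1+ with openssl and pdo_sqlite;
// an in-memory SQLite table stands in for MySQL and the keyfile strings are constructed samples.
// Ownership is stored as a keyed HMAC tag, so a user's rows can be selected in SQL without
// decrypting every row; the owner's name is AES-256-GCM encrypted, so a wrong keyfile gives null.
function keys_from_keyfile(string $keyfile): array {
    // Two independent keys from one keyfile: one for the ownership tag, one for encryption.
    $master = hash('sha256', $keyfile, true);
    return ['tag' => hash_hmac('sha256', 'owner-tag', $master, true),
            'enc' => hash_hmac('sha256', 'owner-name', $master, true)];
}
function owner_tag(string $userId, string $tagKey): string {
    // Deterministic so it is queryable; caveat: all rows of one owner are linkable to each other.
    return hash_hmac('sha256', $userId, $tagKey);
}
function seal(string $plaintext, string $encKey): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $iv, $authTag);
    return base64_encode($iv . $authTag . $ct);   // IV and auth tag travel with the ciphertext
}
function unseal(string $blob, string $encKey): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) return null;
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;            // wrong key or tampered row: null, never garbage
}
function add_item(PDO $db, string $keyfile, string $userId, string $owner, string $item, string $details): void {
    $k = keys_from_keyfile($keyfile);
    $db->prepare('INSERT INTO items VALUES (?, ?, ?, ?)')
       ->execute([owner_tag($userId, $k['tag']), seal($owner, $k['enc']), $item, $details]);
}
// The logged-in user's own items: an empty list when the keyfile is absent or wrong.
function my_items(PDO $db, ?string $keyfile, string $userId): array {
    if ($keyfile === null) return [];
    $k = keys_from_keyfile($keyfile);
    $q = $db->prepare('SELECT ownername, itemname, itemdetails FROM items WHERE owner_tag = ?');
    $q->execute([owner_tag($userId, $k['tag'])]);
    $rows = $q->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $i => $r) { $rows[$i]['ownername'] = unseal($r['ownername'], $k['enc']); }
    return $rows;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (owner_tag TEXT, ownername TEXT, itemname TEXT, itemdetails TEXT)');
add_item($db, 'keyfile-of-bob', '0001', 'Bob', 'Bobs 1st Item', 'Bobs first item');
add_item($db, 'keyfile-of-tom', '0002', 'Tom', 'Toms Item', 'Toms first item');
print_r(my_items($db, 'keyfile-of-bob', '0001'));   // correct keyfile: Bob's rows, name decrypted
print_r(my_items($db, null, '0001'));               // no keyfile on this device: limited mode
print_r(my_items($db, 'keyfile-of-tom', '0001'));   // wrong keyfile: the tag does not match
```

This only adds anything if the server never persists the keyfile, and it only protects the ownership columns at rest: for the duration of a request that carries the keyfile the server necessarily holds it in memory. Browsing by other members uses a query that omits `owner_tag` and `ownername`, so ownership stays opaque to them.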

Source: https://stackoverflow.com/questions/28814737/encrypting-member-data-with-keyfiles
