问题
I am trying to implement a search module in my Laravel app that could filter users by name. In order to protect users, the 'name' column rows are encrypted on DB. The problem that I am facing is that query below always returns 0 results.
I am encrypting the search input value before searching into DB.
$patients = DB::select( DB::raw("SELECT * FROM patient WHERE name LIKE '%".Crypt::encrypt($searchText)."%';"));
What am I doing wrong here ?
回答1:
Crypt::encrypt("Text")
The above will rarely generate the same value each time you call it, therefore you will not have the same value stored in your DB.
Suggestion
Don't encrypt users names unless you really have to. If you do have to encrypt the names then try the following.
$patients = DB::select("SELECT * FROM patient WHERE name = '".Crypt::encrypt($searchText)."'");
Your encrypted value will be case sensitive so change the column collation to latin1_general_cs
回答2:
What am I doing wrong here ?
Laravel's encryption is properly implemented, which means that each message is randomized!
Randomization introduces a challenge for implementing searchable encryption: You never get the same ciphertext twice. Fortunately, there's a workaround for making encryption searchable.
- Encrypt each record using authenticated encryption.
- Separately, store HMAC-SHA2/BLAKE2 of the plaintext (with a separate key than the encryption key). You may truncate the hash function output. This is called a blind index.
- Additionally, you may store multiple hash functions of various slices or transformations of the plaintext. (e.g. last 4 digits, first initial + last name, etc.)
- Each blind index should have a distinct key.
- You can combine multiple fields into a single blind index.
- For low-entropy inputs (e.g. boolean fields), never use them in isolation.
- You may also use a slow KDF function (PBKDF2, Argon2id) for highly sensitive fields, although this is not strictly necessary.
- Recalculate the blind indexes when doing SELECT queries, rather than trying to select based on the ciphertext itself.
This may sound like a lot, but in practice, CipherSweet implements all the low-level machinery and should be easy enough for most PHP developers to use. (If this turns out to not be the case, file a bug on Github; we want it to be the case!)
来源:https://stackoverflow.com/questions/30575601/laravel-like-operator-to-search-for-encrypted-values