
Use authentication against encrypted password

I have the password encrypted in the database by zend2's BlockCipher:

public function cipher($incKey, $password) {
    $cipher = BlockCipher::factory('mcrypt', array(
        'algorithm' => 'aes'
    ));

    $cipher->setKey($incKey);
    $text = $password;

    $encrypted = $cipher->encrypt($text);

    echo "Encrypted text: $encrypted \n";
    return $encrypted;
}

Now I need to authenticate the user's password when logging in:

$cipher = new Cipher();

$ciphered_password = $cipher->cipher($incKey, $data['usr_password']);

$authAdapter = new AuthAdapter($dbAdapter,
        'users', 
        'email',
        'password', 
        "CONCAT('$ciphered_password') AND state= 1"
        );

But it doesn't pass the authentication;

with code: FAILURE_CREDENTIAL_INVALID

Am I doing something wrong here?

Any help would be appreciated.

The encryption mode BlockCipher::factory uses is not deterministic. It uses CBC, which is initialized with a random IV, and thus every ciphertext (encrypted plaintext) looks different and pseudorandom. You should use password hashing instead. This page seems to be the appropriate resource for it in zend. Over at security.se you can find some background knowledge on password storage.
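The failure and the fix described in the answer, as an added example that is not part of the original post. It uses PHP's built-in openssl_encrypt and password_hash/password_verify (PHP 7+, openssl extension) rather than the Zend classes; the key, password, e-mail addresses and the in-memory array standing in for the users table are constructed.

```php
<?php
// Added example. Key, password and user record are constructed sample values.

// CBC with a fresh random IV, the mode the answer describes.
function encryptCbc(string $key, string $plaintext): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

$key      = hash('sha256', 'constructed-demo-key', true); // 32 raw bytes
$atSignup = encryptCbc($key, 'correct horse');             // value stored in the table
$atLogin  = encryptCbc($key, 'correct horse');             // value rebuilt at login
// Same key, same password, different IV: the equality test in the query cannot match.
var_dump(hash_equals($atSignup, $atLogin));

// Salted password hashes also differ per call, so they cannot be compared
// by equality in SQL either. Fetch the stored hash by identity, then verify.
$users = [ // stands in for the users table
    'alice@example.test' => [
        'password' => password_hash('correct horse', PASSWORD_DEFAULT),
        'state'    => 1,
    ],
];
$dummyHash = password_hash('constructed-dummy', PASSWORD_DEFAULT);

function authenticate(array $users, string $dummyHash, string $email, string $password): bool
{
    $row = $users[$email] ?? null;
    if ($row === null || (int) $row['state'] !== 1) {
        password_verify($password, $dummyHash); // keep timing similar for unknown accounts
        return false;
    }
    return password_verify($password, $row['password']);
}

var_dump(authenticate($users, $dummyHash, 'alice@example.test', 'correct horse'));
var_dump(authenticate($users, $dummyHash, 'alice@example.test', 'wrong guess'));
var_dump(authenticate($users, $dummyHash, 'nobody@example.test', 'correct horse'));
```

The point to carry back to the login code is that the credential check moves out of the SQL comparison: the row is selected by e-mail and state, and the submitted password is verified against the stored hash in PHP.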
