
How to implement search on encrypted database fields

I am using PHP & MySQL for my web application. I have a requirement where I need to encrypt user-specific information, say name & email_id.

$name = "Kevin John";
$encryptionMethod = "AES-256-CBC";
$secretHash = "25c6c7ff35b8879b151f2136cd13574";
// Encrypt the name (no IV argument is passed, as in the original post)
$enc_name = openssl_encrypt($name, $encryptionMethod, $secretHash);

I am storing this encrypted name in my database. But the real problem is that I need to search the users based on their name. For example:

$qry = "select * from users where name like '%john%'";

Any suggestion appreciated

It is not suggested to encrypt the data that you want to search on.

  • You can either choose not to encrypt the field that you want to search on.
  • Or you can fetch all the data, decrypt it, and search whether the row contains what you want on the app layer (I would not suggest this approach).

    // Pseudocode
    $searchTerm = 'john';
    $allNamesQuery = 'select * from users';
    $allNamesData = execQuery($allNamesQuery);
    $suggestions = [];
    foreach ($allNamesData as $row) {
        $row = decryptNameFromRow($row);
        if (contains($row['name'], $searchTerm))
            array_push($suggestions, $row);
    }
    print_r($suggestions);

    Please suggest if there are any alternatives.

You may have several options, some easy some not

  • search / key fields are usually stored unencrypted to overcome this problem (you don't want this apparently)
  • as already suggested - scanning the whole table, decrypting every record would work, but may not be feasible
  • you may use a static IV achieving deterministic encryption, encrypt the searched term and search the already encrypted value. Knowing that a static IV is lowering (and sometimes breaking) the security level
  • you may have a look at homomorphic encryption specifically designed for operations over encrypted data, but without knowing what you are doing that may be a very steep and error-prone path to implement your own crypto (not recommended even for seasoned professionals). I did not dare to go through this door yet.
  • you may store cryptographic hashes (e.g. sha256) of the indexed values (maybe along with the encrypted values). Then you could just search for a hashed search term without being able to recover the original value
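
The last option in the answer above (hashing the indexed values), as an added example that is not part of the original answers: it swaps the bare sha256 for a keyed HMAC-SHA256, indexes each word of the name separately so that a search for one word finds the row, and stores the name itself under AES-256-CBC with a random IV per value. The table names, helper names, keys and sample names are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example. Keys are generated per run here; a real deployment would
// load them from a secrets store (assumption).
$encKey = random_bytes(32);   // AES-256 key for the stored value
$idxKey = random_bytes(32);   // separate HMAC key for the search tokens

// Randomized encryption: fresh IV per value, stored in front of the ciphertext.
function encryptField(string $plain, string $key): string {
    $iv = random_bytes(16);
    return base64_encode($iv . openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
}
function decryptField(string $blob, string $key): string {
    $raw = base64_decode($blob);
    return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
}
// Keyed hash of one normalized word: equal words give equal tokens.
function blindToken(string $word, string $key): string {
    return hash_hmac('sha256', mb_strtolower(trim($word), 'UTF-8'), $key);
}

// In-memory SQLite stands in for MySQL so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, enc_name TEXT)');
$db->exec('CREATE TABLE name_tokens (user_id INTEGER, token TEXT)');
$db->exec('CREATE INDEX idx_token ON name_tokens (token)');

function addUser(PDO $db, string $name, string $encKey, string $idxKey): void {
    $db->prepare('INSERT INTO users (enc_name) VALUES (?)')->execute([encryptField($name, $encKey)]);
    $id = $db->lastInsertId();
    $tok = $db->prepare('INSERT INTO name_tokens (user_id, token) VALUES (?, ?)');
    foreach (preg_split('/\s+/', trim($name)) as $word) {   // one token per word
        $tok->execute([$id, blindToken($word, $idxKey)]);
    }
}

function findByWord(PDO $db, string $word, string $encKey, string $idxKey): array {
    $q = $db->prepare('SELECT DISTINCT u.enc_name FROM users u
                       JOIN name_tokens t ON t.user_id = u.id WHERE t.token = ?');
    $q->execute([blindToken($word, $idxKey)]);   // indexed equality lookup, no decryption in SQL
    return array_map(fn($b) => decryptField($b, $encKey), $q->fetchAll(PDO::FETCH_COLUMN));
}

foreach (['Kevin John', 'John Smith', 'Mary Johnson'] as $n) {   // constructed sample data
    addUser($db, $n, $encKey, $idxKey);
}
print_r(findByWord($db, 'john', $encKey, $idxKey));   // whole-word, case-insensitive match
```

The token table supports whole-word equality only, so a substring pattern such as `LIKE '%joh%'` has no equivalent here. Equal words also produce equal tokens, which means the index reveals which rows share a word even though the names themselves stay encrypted.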

Use AES Encryption & Decryption in SQL for implementing search on encrypted DB fields. syntax:-


AES_ENCRYPT('Text_to_encrypt', 'secret_key')

AES_DECRYPT('Text_to_decrypt', 'secret_key')


  • First encrypt & store the data in DB using AES Encryption in sql

    INSERT INTO User (fname,email,mobile) VALUES (AES_ENCRYPT('Arun gopan', 'Qwfe345dgfdg'), AES_ENCRYPT('arun123@fa.com', 'Qwfe345dgfdg'),'9658475577');


  • Now you can query the DB using AES DECRYPT in sql for performing search operations.

    SELECT AES_DECRYPT(fname,'Qwfe345dgfdg'), AES_DECRYPT(email,'Qwfe345dgfdg') FROM User WHERE AES_DECRYPT(fname,'Qwfe345dgfdg') LIKE '%Arun%';
