laravel 4.2 queries with an encrypted column

Updated: 2024-10-27 11:18:42


I currently have this code in my controller, which displays a set of records. Here is my code:

```php
public function view()
{
    $title = "View Guardian Information";
    $vPa = DB::table('dbo_guardianinformation')
        ->join('dbo_cities', 'dbo_guardianinformation.CityID', '=', 'dbo_cities.CityID')
        ->select(
            'dbo_guardianinformation.ParentAccountID',
            'dbo_guardianinformation.FirstName',
            'dbo_guardianinformation.LastName',
            'dbo_guardianinformation.Roles',
            'dbo_guardianinformation.Address',
            'dbo_cities.CityName',
            'dbo_guardianinformation.Status',
            'dbo_guardianinformation.EmailAddress'
        )
        ->get();

    //encrypt decrypt algo
    // $sptkey = md5('sample_encryptkey');
    // $enPass = rtrim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $sptkey, $defPass, MCRYPT_MODE_ECB)));
    // $decPass = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $sptkey, base64_decode($enPass), MCRYPT_MODE_ECB));

    return View::make('ssims.view_parentAccount', compact('title', 'vPa'));
}
```

My problem is that the column dbo_guardianinformation.Address contains encrypted records. I currently have no idea where I should put the decryption code so that when $vPa is passed to the view it already contains the decrypted records. Any ideas? Thanks to anybody who would help.

Best answer


Indexing Encrypted Data

If you need to search an encrypted column in a SQL database quickly and efficiently, you need to construct a blind index of the data (i.e. store hash_hmac('sha256', $plaintext, $separate_key_here) in an additional column) and structure your select queries based on that. (The linked article explains the security requirements.)

This saves you from having to do a foreach() loop but, since HMAC-SHA256 is used, it's incredibly unlikely that an attacker with access to the database will be able to tease the plaintext out of the system.


That said, there's something else I would like to address:

Weak Cryptography

Please don't use the encryption code you included in your question. It's very insecure. Laravel has its own encryption class; please use that instead. It does a lot of the things right that the code snippet you included does not. For example: it provides authenticated encryption.

$sptkey = md5('sample_encryptkey');

If you want a modicum of security in your application, don't ever use md5($string) to generate a key. This is just a bad idea all around:

- md5() returns a 32-char hex string
- Most encryption functions expect a raw binary string
- MD5 is an incredibly broken hash function

To transform a password into an encryption key, you need to use a key derivation function, i.e. Password-Based Key Derivation Function #2 with SHA-256 (PBKDF2-SHA256).

Consider, for example, this code instead:

```php
define('MY_APP_PBKDF2_ITERATIONS', 86000);
define('MY_APP_KEY_LENGTH', 32); // or 16 for AES-128
// ...
$sptkey = hash_pbkdf2(
    'sha256',
    $your_password,
    $salt, // 32 bytes from /dev/urandom
    MY_APP_PBKDF2_ITERATIONS,
    MY_APP_KEY_LENGTH,
    true
);
```

I've expanded the whitespace here and left some inline comments below:

```php
$enPass = rtrim( // Unnecessary, base64_encode doesn't leave whitespace
    base64_encode(
        mcrypt_encrypt(
            MCRYPT_RIJNDAEL_256, // This isn't AES-256 by the way
            $sptkey,
            $defPass,
            MCRYPT_MODE_ECB // ECB mode is the worst mode
        )
    )
);
$decPass = rtrim( // Padding oracle attack
    mcrypt_decrypt(
        MCRYPT_RIJNDAEL_256,
        $sptkey,
        base64_decode($enPass), // No error checking
        MCRYPT_MODE_ECB
    )
);
```

Further reading on the specific issues:

- MCRYPT_RIJNDAEL_256
- MCRYPT_MODE_ECB
- Padding Oracle Attack

What to do instead (choose one):

- Use Laravel's encryption features, since you're already using Laravel.
- Use libsodium (highly recommended)
- Use Defuse Security's PHP Encryption class
- When Halite hits 1.0.0, switch to that (it's basically libsodium for novices)
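The blind-index scheme and the key-derivation advice from the answer above, carried through end to end as an added worked example. This is not code from the question, the answer, or Laravel: it uses PHP's openssl extension (AES-256-GCM) in place of Laravel's Crypt class so that it runs as a plain script, derives the encryption key and the blind-index key separately with hash_pbkdf2() and hash_hkdf(), and stands an in-memory array in for dbo_guardianinformation. The AddressIndex column name, the persistent salt, the whitespace/case normalisation before hashing and the sample addresses are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Assumes PHP >= 7.2
// with ext-openssl. openssl AES-256-GCM stands in for Laravel's Crypt class;
// the $table array stands in for dbo_guardianinformation.

const PBKDF2_ITERATIONS = 86000;

/** One master key from password + persistent salt (PBKDF2-SHA256), then two
 *  independent subkeys via HKDF. The index key must never be the encryption key. */
function derive_keys(string $password, string $salt): array
{
    $master = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    return [
        'enc'   => hash_hkdf('sha256', $master, 32, 'address-encryption'),
        'index' => hash_hkdf('sha256', $master, 32, 'address-blind-index'),
    ];
}

/** Authenticated encryption. Stored layout: base64(nonce || tag || ciphertext). */
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);   // fresh per record; GCM nonce reuse is fatal
    $tag   = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);          // strict: reject junk input
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('ciphertext failed authentication'); // tampered or wrong key
    }
    return $pt;
}

/** Blind index: HMAC-SHA256 of the normalised plaintext under the separate
 *  index key. Deterministic, so WHERE AddressIndex = ? works without decrypting. */
function blind_index(string $plaintext, string $indexKey): string
{
    $normalised = strtolower(trim(preg_replace('/\s+/', ' ', $plaintext)));
    return hash_hmac('sha256', $normalised, $indexKey);
}

/** Where the question's controller would decrypt: after ->get(), before View::make(). */
function decrypt_rows(array $rows, string $encKey): array
{
    foreach ($rows as $row) {
        $row->Address = decrypt_field($row->Address, $encKey);
    }
    return $rows;
}

// --- demo with constructed data -------------------------------------------
$salt = random_bytes(32);                   // in practice generated once and kept with config
$keys = derive_keys('sample_encryptkey', $salt);

$table = [];                                // constructed rows, stand-in for the DB table
foreach (['123 Main St', '45 Oak  Ave', '123 main st'] as $i => $address) {
    $table[] = (object) [
        'ParentAccountID' => $i + 1,
        'Address'         => encrypt_field($address, $keys['enc']),
        'AddressIndex'    => blind_index($address, $keys['index']),
    ];
}

// Search: index the search term, compare against the stored index column only.
$needle  = blind_index('123 Main St', $keys['index']);
$matches = array_values(array_filter($table, function ($r) use ($needle) {
    return hash_equals($r->AddressIndex, $needle);
}));
assert(count($matches) === 2);              // rows 1 and 3 normalise to the same index

// Decrypt only the rows that were actually fetched.
foreach (decrypt_rows($matches, $keys['enc']) as $row) {
    echo $row->ParentAccountID, ': ', $row->Address, PHP_EOL;
}
```

In the Laravel controller the equivalent of decrypt_rows() sits between ->get() and View::make(), and a lookup becomes ->where('AddressIndex', blind_index($term, $indexKey)) against the extra column rather than a scan of decrypted rows. The trade-off to keep in mind: equal plaintexts produce equal index values, so an attacker reading the database can tell which rows share an address even without the key; that equality leakage is what a blind index accepts in exchange for being searchable.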


Published: 2023-08-06 10:58:00
Link: https://www.elefans.com/category/jswz/34/1446728.html
Tags: laravel, queries, column, encrypted
