2

So I have encrypted records in my table and I would like to search these records. The problem is that when I do a search and encrypt my search term again, it encrypts it again, generating a different, random string.

Is there a way to encrypt data so that encrypting the same data again would produce the same string as the first time?

Example: I'm using default settings for CI encryption library

$data = "ABC";
$stored_data = $this->encryption->encrypt( $data );

$search = "ABC";
$search_data = $this->encryption->encrypt( $search );

if( $search_data == $stored_data ){
  var_dump("Found it");
}else{
  var_dump("No results");
}

The above produces different random strings, so there is no way of searching encrypted data. Is there a solution to this kind of problem?

bukowski
  • You don't want to encrypt, but to hash, right? CI's Encryption provides semantic security with authentication. You could pass `array("mode" => "ecb")` as a parameter during construction, but I don't think that's what you should do. – Artjom B. Nov 25 '15 at 15:38
  • 1
    Properly-encrypted data isn't searchable ... that's just how it is. If the cipherText was always the same, it wouldn't be secure. Therefore, whatever you're trying to do, it just won't work this way and you need to think of another solution. – Narf Nov 25 '15 at 15:52
  • Thanks, I guess the only solution is not to encrypt fields that need to be searched. – bukowski Nov 26 '15 at 08:49
  • There is a way to do what you want, but it's very limited to "does this exact string exist? y/n": https://paragonie.com/white-paper/2015-secure-php-data-encryption#index-encrypted-information – Scott Arciszewski Nov 27 '15 at 20:38

2 Answers

1

I know this is late but I am in a similar situation. The only solution that I can see is to store a separate hashed version of the data and then look that up. It does create extra data storage, but if you only store it against specific fields that shouldn't be too bad. You must just make sure that when searching you match exactly what is stored, otherwise it won't work (it may therefore be worth lowercasing your hash and search values to make sure). Depending on the security of the data, picking the right hash will be key, as well as good indexing, which would handle speed. Adding a salt to the encrypted string would also make your data more secure.

Antony
0

As Narf said in his comment, "Properly-encrypted data isn't searchable". To fully understand why this is, read up on initialization vectors, and then realize that properly-implemented encryption uses random initialization vectors.

You can, however, work around this limitation using a technique called blind indexing, which allows for Bloom filters (made with truncated cryptographic hash functions and/or key derivation functions) to be constructed over deterministic transformations of the plaintext, which can be used in SELECT queries.

If you're looking for an implementation, check out CipherSweet.

Scott Arciszewski
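
The separate-hash and blind-index approach from the two answers above, as an added example (not code from either answer, CodeIgniter or CipherSweet): each value is stored as a randomized AES-256-GCM ciphertext plus an HMAC-SHA256 index under a second key, and searches compare the index. The function names, the `data_enc`/`data_idx` columns, the in-memory table and the choice of an untruncated HMAC-SHA256 are assumptions; the code needs PHP 7.1+ with the openssl and mbstring extensions.

```php
<?php
// Added example: randomized ciphertext plus a keyed, deterministic index.
// Demo keys; assumption: real keys are independent and come from a secret store.
$encKey   = random_bytes(32); // encryption only
$indexKey = random_bytes(32); // blind index only

function encrypt_field(string $plain, string $key): string {
    $nonce = random_bytes(12); // fresh nonce per record, so output differs each time
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($nonce . $tag . $ct); // 12-byte nonce, 16-byte tag, ciphertext
}

function decrypt_field(string $blob, string $key): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('malformed'); }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) { throw new RuntimeException('authentication failed'); }
    return $plain;
}

function blind_index(string $plain, string $key): string {
    // Normalize, then HMAC: same input and key always give the same index value.
    return hash_hmac('sha256', mb_strtolower(trim($plain), 'UTF-8'), $key);
}

// Exact-match lookup; against a database this is WHERE data_idx = ? on an indexed column.
function find_exact(array $table, string $term, string $encKey, string $indexKey): array {
    $needle = blind_index($term, $indexKey);
    $hits = [];
    foreach ($table as $row) {
        if (hash_equals($row['data_idx'], $needle)) {
            $hits[] = decrypt_field($row['data_enc'], $encKey);
        }
    }
    return $hits;
}

// Constructed sample rows standing in for a table with data_enc and data_idx columns.
$table = [];
foreach (['ABC', 'alice@example.com'] as $value) {
    $table[] = ['data_enc' => encrypt_field($value, $encKey),
                'data_idx' => blind_index($value, $indexKey)];
}

var_dump(encrypt_field('ABC', $encKey) === encrypt_field('ABC', $encKey)); // the question's comparison
var_dump(find_exact($table, 'abc', $encKey, $indexKey));                   // lookup via the index
var_dump(find_exact($table, 'XYZ', $encKey, $indexKey));                   // term not stored
```

The index column reveals which rows hold equal values and supports exact matches only, which is the leakage that the truncated indexes mentioned in the answer above are meant to reduce.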