
MySQL

ENCODE('pass','salt')

What kind of cryptography is used? Very similar to DES

Is it possible to brute force the salt when the password is known?

haukex

1 Answer


The source for the algorithm used by ENCODE() and DECODE() is available here:

https://github.com/mysql/mysql-server/blob/5.7/sql/sql_crypt.cc

Comments in that file say that this algorithm "should be ok for short strings" but that doesn't give me confidence that it is a professional-strength encryption algorithm.

Note that these two functions have been deprecated in MySQL 5.7. You should use AES_ENCRYPT() & AES_DECRYPT() instead.

However, there is also a recommendation to avoid using encryption functions in SQL at all, because if you do, the plaintext string is going to be added to your query logs or binary logs:

INSERT INTO SuperSecureTable 
SET secret = AES_ENCRYPT('no one should see this', 'secret');

Re comment from @ikegami:

I think you're confusing encryption with hashing.

Correction: I take your point. Depending on how strict the security requirements for the encryption are, AES_ENCRYPT() is not appropriate either. It's better to use state-of-the-art encryption in one's application, and insert the resulting encrypted data into the database.

This would also address the problem I mentioned above, of plaintext being recorded in logs.

Bill Karwin
  • Note that `AES_ENCRYPT` performs no salting or block chaining, so it's also woefully insufficient. – ikegami Apr 01 '18 at 20:03
  • Re "*I think you're confusing encryption with hashing*", I'm not. Encrypting a bitmap of Tux without using any block chaining results in [this](https://en.wikipedia.org/wiki/File:Tux_ecb.jpg). As you can see, it's very insecure!!! To avoid this problem, every block should be encrypted using a different key. For the first block, this is achieved through salting (using a random initialization vector). For subsequent blocks, this is achieved using [block chaining](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation). `AES_ENCRYPT` lacks both of these basic, crucial features. – ikegami Apr 02 '18 at 00:04
  • Very well. I am not formally educated in cryptographic techniques, and I appreciate the information you gave me. I'll edit my answer above. – Bill Karwin Apr 02 '18 at 04:49
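As an added example (not code from the question, the answer, or MySQL itself), the Go program below demonstrates the two points raised in this thread: a block cipher run without an IV or chaining (AES in ECB mode, the construction ikegami's comment says `AES_ENCRYPT` amounts to) emits identical ciphertext blocks wherever the plaintext blocks are identical, and encrypting in the application with a randomised, authenticated mode (AES-GCM with a fresh nonce) before the INSERT means only a ciphertext blob is ever bound into the query, so the plaintext never reaches the general or binary log. The key derivation, the function names and the sample message are assumptions made for the demo; in particular `deriveKey` is not MySQL's key handling and not a proper passphrase KDF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey turns a passphrase into a 16-byte AES-128 key. Assumption: a
// plain SHA-256 truncation, used only so the demo has a fixed-size key; it is
// not how MySQL handles the key argument and not a recommended KDF.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:16]
}

// pkcs7Pad pads the input to a whole number of AES blocks, as ECB requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt encrypts every block independently with the same key and no IV.
// Identical plaintext blocks therefore produce identical ciphertext blocks,
// which is the weakness the Tux image in the comments illustrates.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// distinctBlocks counts how many different 16-byte blocks a ciphertext has.
// For ECB output this equals the number of distinct plaintext blocks, i.e.
// structure that a good mode would hide.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

// gcmSeal is the application-side approach the answer recommends: AES-GCM with
// a random nonce per message, nonce prepended to the output. Only this blob is
// handed to the database driver as a bound parameter.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails on any modification of the blob.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key := deriveKey("secret")
	// Constructed sample: four identical 16-byte blocks, a stand-in for the
	// flat colour regions of the Tux bitmap.
	msg := bytes.Repeat([]byte("no one sees this"), 4)

	ecb, _ := ecbEncrypt(key, msg)
	fmt.Printf("ECB: %d blocks, %d distinct\n", len(ecb)/aes.BlockSize, distinctBlocks(ecb))

	a, _ := gcmSeal(key, msg)
	b, _ := gcmSeal(key, msg)
	fmt.Printf("GCM: same message sealed twice gives equal output? %v\n", bytes.Equal(a, b))
	pt, err := gcmOpen(key, a)
	fmt.Printf("GCM round trip ok: %v (err=%v)\n", bytes.Equal(pt, msg), err)
	// The INSERT would then be: INSERT INTO SuperSecureTable SET secret = ?
	// with blob a bound as the parameter, so no plaintext appears in the query.
}
```

The ECB output has five blocks but only two distinct ones (the four repeated data blocks plus the padding block), and running it twice gives byte-identical ciphertext, which is exactly what an attacker reading the column can exploit; the GCM blobs differ on every call and any tampered byte makes `gcmOpen` return an error instead of garbage.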