
We have developed a mobile app which uses the mobile phone number and an OTP for authentication. Since the phone number is part of sensitive user information, we have to encrypt or hash it to reduce the risk of exposing users' sensitive data in case of a leak.

When a user logs in, after the OTP, I have to fetch the user information from the DB, and for that purpose I have to run a query to match against the users' phones in the database. The encryption works fine, as I can decrypt the phone and then match against the login phone number. However, due to the large number of users, this is slower.

Another option for me is to hash the phone numbers. Then I can hash the login phone number and compare it against the hashed phone in the database. However, since the same phone number will not generate the same hash, comparing is not possible.

Another way is to use the Hash::check function, but that can only be used when you have a single value of the login phone against a single row fetched from the database.

I would like to know if the hash matching can be used in the Laravel query so that the hashed login user phone number is checked against the hashed phone numbers in the database.

I would appreciate it if someone could give me a solution for this.

Regards

Arif
  • "However, since same phone number will not generate the same hash, comparing is not possible" why not? Hashes are reproducible, for instance, try running the command in your terminal: `php -r "echo hash('sha256', '867-5309');"` you will find that the output is the same no matter how many times you run it. – Matt Korostoff Dec 18 '21 at 23:18
  • To add on, what possible value would a hash have in the first place if you couldn't reproduce it multiple times by starting with the same unhashed data? How would any program ever accomplish password validation if this was the case? It would be akin to just deleting the original data and replacing it with random characters. – Matt Korostoff Dec 18 '21 at 23:21
  • In Laravel, the Hash::make function uses a different salt every time to generate a different hash for the same string. You can use another function, Hash::check('plain-text', $hashedtext), which will return true if both hashes are from the same text. However, this function cannot be used inside the query. You have to fetch the desired row first and then run the above function. – Arif Dec 18 '21 at 23:50
  • Ok, so why not use a different hashing function that doesn't behave that way, like the one I named above? – Matt Korostoff Dec 19 '21 at 00:19

1 Answer


Apologies for writing this as an answer, but I have too low a reputation to suggest this in the comments section.

When users submit their phone number through registration, extract the first 3 digits of the number.

[image: USA phone number]

If we use the image above as a reference, that will be 555.

Step 1

In your user phone number database, create a new column for those 3 digits, which will be used as a lookup table. You already mentioned that you have hashed the phone numbers, and for that you will need to query all phone numbers, decrypt them one by one and add those 3 digits to the new column.

Step 2

When you're about to check a user's phone number, check your phone number database and retrieve all results that match that lookup number, for example 555 (if you expect to return a large number of results, make sure you use an Eloquent cursor).

Your query will be something like:

// fetch every row whose 3-digit lookup column matches the prefix 555
PhoneBook::where('part_number', '=', 555)->get();

Having said that, you can again check if the hash matches with Hash::check, but the scope of the check will be limited and the speed improvement will be significant.

Teodor
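As an added example (not code from the question, the comments or the answer above): Matt's comment suggests a reproducible hash and the answer narrows the bcrypt Hash::check to a 3-digit bucket; a keyed hash (HMAC-SHA256 with a server-side secret) gives a deterministic value that an indexed `=` query can match directly, and the key matters because phone numbers come from a small enough space that an unkeyed hash of a leaked table could be reversed by enumeration. The `User` model, the `phone_hmac` column and the config key name are assumptions, not anything from the original post.

```php
<?php
// Added example, not from the question or answer. Assumes a `users` table
// with a `phone_hmac` column and a secret key in config (both hypothetical).

function normalizePhone(string $phone): string
{
    // Keep digits only so "+1 (555) 867-5309" and "15558675309" hash the same;
    // without normalization the same number entered two ways would not match.
    return preg_replace('/\D+/', '', $phone);
}

function phoneHmac(string $phone, string $key): string
{
    // HMAC-SHA256 with a server-side secret: same input -> same output, so the
    // column can be indexed and compared with '='. The secret is what keeps a
    // dumped table from being reversed by hashing every possible number.
    return hash_hmac('sha256', normalizePhone($phone), $key);
}

// Laravel lookup (assumed `User` model, assumed `phone_hmac` column,
// hypothetical config entry `app.phone_hmac_key` kept outside the database):
// $key  = config('app.phone_hmac_key');
// $user = User::where('phone_hmac', phoneHmac($loginPhone, $key))->first();

// Stand-alone check with a constructed key and a constructed number:
$key    = 'constructed-demo-key-do-not-use';
$stored = phoneHmac('+1 (555) 867-5309', $key); // value written at registration
$login  = phoneHmac('15558675309', $key);       // value computed at login
var_dump(hash_equals($stored, $login));         // constant-time comparison
```

Because the stored value is deterministic, a plain equality on an indexed column replaces both the decrypt-every-row loop and the per-row Hash::check.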