You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This gives you an output that is the square root of the security you expect.
This is also called a "salt" but it's actually an AES key, as we'll see in the next section.
Insecure Encryption
AES_ENCRYPT() encrypts data using ECB mode, and also exposes your key (called a "salt" per the previous section) to anyone capable of running SHOW PROCESSLIST on the server.
$data = DB::table($parameters[0])->whereRaw("CONVERT(AES_DECRYPT(FROM_BASE64(`{$parameters[1]}`), '{$salt}') USING utf8mb4) = '{$value}' ");
Recommendations
Fixing these vulnerabilities would require rearchitecting this library from the ground up with secure data encryption practices in mind. If you managed to make it secure, it would not be compatible with the current implementation. Therefore, you would be better off starting over from scratch.
Insecure Key Management
This is not a secure way to derive a secret. You're hashing data using SHA256, hex-encoded, then only extracting 16 hex characters.
laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php
Line 84 in 8856e2e
laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php
Line 60 in 8856e2e
This gives you an output that is the square root of the security you expect.
This is also called a "salt" but it's actually an AES key, as we'll see in the next section.
Insecure Encryption
AES_ENCRYPT()
encrypts data using ECB mode, and also exposes your key (called a "salt" per the previous section) to anyone capable of runningSHOW PROCESSLIST
on the server.laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php
Line 67 in 8856e2e
laravel-database-encryption/src/Providers/DBEncryptionServiceProvider.php
Line 94 in 8856e2e
Recommendations
Fixing these vulnerabilities would require rearchitecting this library from the ground up with secure data encryption practices in mind. If you managed to make it secure, it would not be compatible with the current implementation. Therefore, you would be better off starting over from scratch.
We have an open source library that provides secure searchable field-level encryption that may be a better starting point than
AES_ENCRYPT()
.The text was updated successfully, but these errors were encountered: