
There are various encryption options available for PHP, some of which are explained nicely in the following question:

How do you Encrypt and Decrypt a PHP String?

The updated and accepted answer gives a nice, working example with the openssl_encrypt function from PHP's OpenSSL library.

But when I tested the code, I noticed the encrypted string is always different when you recreate the encrypted string while using the same ENCRYPTION_KEY.

While this may be useful for applications like network communication, I need a solution where the same encrypted string is obtained for the same encryption key.

I am planning to use it for user authentication with userid and password. I will be using the userid (together with some padded characters) as the encryption key and store it in the MySQL DB encrypted.

During the authentication, I DO NOT WANT TO DECRYPT the stored password to compare with the entered password. I do not want the stored password to be seen in clear at any time. Just compare the encrypted string with the stored (encrypted) password. This of course needs the encrypted string to be the same for all encryptions.

Is there a way, an option, a parameter setting or anything else to get a UNIQUE encrypted string?

user2800464
  • Typically hashing (and not encryption) is used for this purpose, e.g. [Argon2](https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html). – Topaco Apr 12 '20 at 12:16
  • MySQL itself provides hashing functionality to create hashed passwords, but I would rather prefer to have an independent function and non-human-readable (i.e. binary) output for additional security. Encryption has a much higher level of security than hashing in terms of the algorithms used. – user2800464 Apr 12 '20 at 14:33
  • Concerning the disadvantages of encryption vs. hashing for password authentication there are many articles, e.g. [this one](https://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374). But of course that's your decision. _I will be using the userid ... as the encryption key_ sounds dangerous. But maybe I misunderstand. – Topaco Apr 12 '20 at 15:27
  • Regarding the posted link: The code applies (authenticated) encryption with AES in CBC mode using a random generated IV. Thus different ciphertexts are provided even for the same plaintext and the same key. That's for security reasons. To get always the same ciphertext, ECB mode can be used, which doesn't require an IV, and therefore provides the same ciphertext for the same plaintext and the same key, but this is generally insecure, [here](https://crypto.stackexchange.com/a/20946). – Topaco Apr 12 '20 at 15:28
  • @Topaco: Thanks for your detailed answers. I understand why and where different keys and hence different strings are useful, more secure and required. But as I said, mostly they are applications like communications, where they may need "changing" keys and strings - but also they decrypt to get the actual string. In my case I do not want the password to be decrypted by any means. Yes, I will use the userid as the key, but not as is; with some pre and post paddings. I will have a look at ECB mode. – user2800464 Apr 12 '20 at 18:20
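The following PHP script is an added example and is not part of the question or the comments above. It shows the three behaviours the thread discusses side by side: AES-CBC with a random IV (the code path the accepted answer in the linked question uses, which is why the ciphertext changes every time), AES-ECB (the deterministic option mentioned in the comments, which is insecure for this purpose), and PHP's built-in password_hash()/password_verify(), which is the hashing approach the comments recommend. The key and the password are constructed demo values, and the function names are my own.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

// The behaviour observed in the question: AES-CBC needs a fresh random IV per
// message, and the IV is prepended so the receiver can decrypt. The same key
// and the same plaintext therefore give a different ciphertext on every call.
function encryptCbc(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $ct);
}

function decryptCbc(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        throw new InvalidArgumentException('ciphertext is not valid base64');
    }
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed: ' . openssl_error_string());
    }
    return $pt;
}

// The deterministic option named in the comments: ECB has no IV, so the output
// is stable, but equal plaintexts produce equal ciphertexts under the same key
// and the result can be tested offline by anyone holding the key. Shown only
// to illustrate the trade-off; do not use it for password storage.
function encryptEcbInsecure(string $plaintext, string $key): string
{
    $ct = openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($ct);
}

// What the question actually needs: a salted password hash. The stored value
// also differs on every call, but password_verify() recomputes the hash with
// the salt embedded in the stored string and compares in constant time, so the
// output never has to be deterministic and nothing is ever decrypted.
function storePassword(string $password): string
{
    // Argon2id needs PHP >= 7.3 built with libargon2; otherwise fall back to
    // bcrypt (PASSWORD_DEFAULT), which is also acceptable.
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash($password, $algo);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed demo values. A real key would come from a secret store and must
// not be derived from the user id, since the user id is not secret.
$key      = random_bytes(32);
$password = 'correct horse battery staple';

$c1 = encryptCbc($password, $key);
$c2 = encryptCbc($password, $key);
printf("CBC ciphertexts differ: %s\n", var_export($c1 !== $c2, true));
printf("CBC both decrypt:       %s\n", var_export(
    decryptCbc($c1, $key) === $password && decryptCbc($c2, $key) === $password, true));

$e1 = encryptEcbInsecure($password, $key);
$e2 = encryptEcbInsecure($password, $key);
printf("ECB ciphertexts equal:  %s\n", var_export($e1 === $e2, true));

$h1 = storePassword($password);
$h2 = storePassword($password);
printf("hashes differ:          %s\n", var_export($h1 !== $h2, true));
printf("both verify:            %s\n", var_export(
    checkPassword($password, $h1) && checkPassword($password, $h2), true));
printf("wrong password fails:   %s\n", var_export(checkPassword('wrong', $h1), true));
```

Run it with `php demo.php`. The point for the authentication use case is the last block: the stored hash does not need to be identical across calls, because verification is done by recomputing with the stored salt rather than by comparing two fresh outputs, and the original password is never recoverable from the stored value.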
