How to use bcrypt in mysql with php

Question

I want to encrypt/secure my phoneNumber column in MySQL so for this purpose I used bcrypt but unable to decrypt this

Here is my code

$password="abcd";
echo $pwd=password_hash($password, PASSWORD_DEFAULT);   //$2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Now I want to dcrypt so I tried with the following code but showing me "invalid password", where I am wrong?

if (password_verify($password, $pwd)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Answer 1

A very basic encryption class, such as the following, would allow you to encrypt and decrypt data - the encrypted data can be stored in the db or sent via email etc - no promises are made about the levels of security offered however as it was quickly put together.

The longer the pubkey and hashsecret the better...

<?php

    class encryption{
        
        public function __construct(){
            $this->config=array(
                'hashalgo'      =>  'sha256',
                'cipher'        =>  'AES-128-CBC',
                'hashsecret'    =>  'banana womble hippopotamus pomegranate',
                'pubkey'        =>  'CAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4GA1UECxMXR2xv
YmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2Jh
bFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxT
aWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln
bjCCASIwDQYJKoZIhvcNAQEBBQADggEPA'
            );
        }
        
        private function makehash( $data, $key ){
            return hash_hmac( $this->config['hashalgo'], $data, $key, true );
        }
    
        public function encrypt( $data=false ){
            $conf=(object)$this->config;
            
            if( !empty( $data ) && in_array( $conf->cipher, openssl_get_cipher_methods() ) ){
                
                $ivlen = openssl_cipher_iv_length( $conf->cipher );
                $iv = openssl_random_pseudo_bytes( $ivlen );
                
                $encrypted = openssl_encrypt( $data, $conf->cipher, $conf->pubkey, $options=OPENSSL_RAW_DATA, $iv );
                $hash = $this->makehash( $encrypted, $conf->pubkey );
                
                return base64_encode( $iv . $hash . $encrypted );
            }
            return false;
        }
        
        public function decrypt( $data ){
            $conf=(object)$this->config;
            if( !empty( $data ) && in_array( $conf->cipher, openssl_get_cipher_methods() ) ){
                
                $shalength=32;
                $data = base64_decode( $data );
                $ivlen = openssl_cipher_iv_length( $conf->cipher );
                $iv = substr( $data, 0, $ivlen );
                $hash = substr( $data, $ivlen, $shalength );
                
                $encrypted = substr( $data, $ivlen + $shalength );
                $decrypted = openssl_decrypt( $encrypted, $conf->cipher, $conf->pubkey, $options=OPENSSL_RAW_DATA, $iv );
                
                if( $decrypted && hash_equals( $hash, $this->makehash( $encrypted, $conf->pubkey ) ) ){
                    return $decrypted;
                }
            }
            return false;
        }   
    }
    
    
    
    $obj=new encryption;
    
    
    $password="pocahontas";
    $encrypted=$obj->encrypt( $password );
    $decrypted=$obj->decrypt( $encrypted );
    
    printf('<pre>
    Password: %s
    Encrypted: %s
    Decrypted: %s
    </pre>',$password,$encrypted,$decrypted);

?>

This will output something like:

Password: pocahontas
Encrypted: Hvx3j9lwtEII3pR+m05TYDv+BV0IwLa8dQavGgaeQCJITSCU88AYhZrt+swMYNKOD3VQX6PN0mcA/rDkdwmqGw==
Decrypted: pocahontas

As you can see the original password is encrypted with different values each time but always decodes to the same original password when decrypted.

Answer 2

As stated in other comments the bcrypt-method is good for comparing passwords ("is the password correct?") but not as a source for encryption/decryption.

For a minor security level (saving a telephone number) I believe a combination of a key derivation method (here PBKDF2) and AES in ECB mode is OK for that, because ECB mode is getting unsecure when the data is longer than the block length of 16 bytes (most telephone numbers should fit in this length of 16 :-). If you need a more secure level you should consider to use GCM mode but that would be another question.

My code is simulating an encryption and later decryption within one PHP-class; usually that would be done in separate classes and therefore I'm using "doubled" variable names (e.g. 'salt' and 'saltToDecrypt') and it is using the openssl-library available on almost all modern PHP implementations (I'm using PHP 7.3).

The code is full of echoing to "prove" that the variables on encryption side are the same as on decryption side, they can get commented out in production.

The code does not do ANY error handling (e.g. wrong password given on decryption side) and is for education only.

The result will show the correct decryption and because of the random element in 'salt' each run of the program (with same plaintext and password) gets a different encoded string.

Here is the output:

Encryption with AES ECB mode and PBKDF2 key derivation<br>
plaintext              : 0123-45678-90123<br>
password               : myPassword<br>
salt                   : 2dccc75991638322d6b1954726f969bcbfc86b00e9928a759c0ea9618eedd4f8<br>
hash                   : a86178ca7aebf3cde4b8472ac5825cea<br>
ecbEncrypt             : NWt6Cyi11m7Vzwm1tsRhE6l8S5IH8Ko9HIgYeKg7yFQ=<br>
token                  : Tld0NkN5aTExbTdWendtMXRzUmhFNmw4UzVJSDhLbzlISWdZZUtnN3lGUT06Oi3Mx1mRY4Mi1rGVRyb5aby/yGsA6ZKKdZwOqWGO7dT4<br>

Decryption
passwordToDecrypt      : myPassword<br>
dataToDecrypt          : NWt6Cyi11m7Vzwm1tsRhE6l8S5IH8Ko9HIgYeKg7yFQ=<br>
saltToDecrypt          : 2dccc75991638322d6b1954726f969bcbfc86b00e9928a759c0ea9618eedd4f8<br>
hashToDecrypt          : a86178ca7aebf3cde4b8472ac5825cea<br>
decrypted plaintext    : 0123-45678-90123<br>

Code:

<?php
echo PHP_EOL . "Encryption with AES ECB mode and PBKDF2 key derivation" . '<br>' . PHP_EOL;
// https://stackoverflow.com/questions/62930372/how-to-use-bcrypt-in-mysql-with-php/62931080#62931080

$plaintext = "0123-45678-90123"; // telephone number
$password = "myPassword";
echo "plaintext              : " . $plaintext . '<br>' . PHP_EOL;
echo "password               : " . $password . '<br>' . PHP_EOL;
$iterations = 10000; // better to use higher iterations but this slows down the process (but this is wanted !)

// generate password hash with pbkdf2 and encrypt
$salt = openssl_random_pseudo_bytes(32);
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 32);
echo "salt                   : " . bin2hex($salt) . '<br>' . PHP_EOL;
echo "hash                   : " . $hash . '<br>' . PHP_EOL;
$ecbEncrypt = openssl_encrypt($plaintext, "aes-256-ecb", $hash, $options=0);
echo "ecbEncrypt             : " . $ecbEncrypt . '<br>' . PHP_EOL;
$token = base64_encode($ecbEncrypt . '::' . $salt);
echo "token                  : " . $token . '<br>' . PHP_EOL;
// save this token in the database

// load the token from the database and decrypt
echo PHP_EOL . "Decryption" . PHP_EOL;
$passwordToDecrypt = "myPassword";
$iterationsToDecrypt = 10000; // better to use higher iterations but this slows down the process (but this is wanted !)
$tokenLoad = $token;
list($dataToDecrypt, $saltToDecrypt) = explode('::', base64_decode($tokenLoad), 2);
echo "passwordToDecrypt      : " . $passwordToDecrypt . '<br>' . PHP_EOL;
echo "dataToDecrypt          : " . $dataToDecrypt . '<br>' . PHP_EOL;
echo "saltToDecrypt          : " . bin2hex($saltToDecrypt) . '<br>' . PHP_EOL;
$hashToDecrypt = hash_pbkdf2("sha256", $passwordToDecrypt, $saltToDecrypt, $iterationsToDecrypt, 32);
echo "hashToDecrypt          : " . $hashToDecrypt. '<br>' . PHP_EOL;
$ecbDecrypt = openssl_decrypt($dataToDecrypt, "aes-256-ecb", $hashToDecrypt, $options=0);
echo "decrypted plaintext    : " . $ecbDecrypt . '<br>' . PHP_EOL;
?>