Security Vulnerabilities

Open paragonie-security opened this issue 9 months ago • 0 comments

Insecure Key Management

This is not a secure way to derive a secret. You're hashing data using SHA256, hex-encoded, then only extracting 16 hex characters.

https://github.com/elgiborsolution/laravel-database-encryption/blob/8856e2eab1848709aec5d0de898e6001f250db1f/src/Providers/DBEncryptionServiceProvider.php#L84

https://github.com/elgiborsolution/laravel-database-encryption/blob/8856e2eab1848709aec5d0de898e6001f250db1f/src/Providers/DBEncryptionServiceProvider.php#L60

This gives you an output that is the square root of the security you expect.

This is also called a "salt" but it's actually an AES key, as we'll see in the next section.

Insecure Encryption

AES_ENCRYPT() encrypts data using ECB mode, and also exposes your key (called a "salt" per the previous section) to anyone capable of running SHOW PROCESSLIST on the server.

https://github.com/elgiborsolution/laravel-database-encryption/blob/8856e2eab1848709aec5d0de898e6001f250db1f/src/Providers/DBEncryptionServiceProvider.php#L67

https://github.com/elgiborsolution/laravel-database-encryption/blob/8856e2eab1848709aec5d0de898e6001f250db1f/src/Providers/DBEncryptionServiceProvider.php#L94

Recommendations

Fixing these vulnerabilities would require rearchitecting this library from the ground up with secure data encryption practices in mind. If you managed to make it secure, it would not be compatible with the current implementation. Therefore, you would be better off starting over from scratch.

We have an open source library that provides secure searchable field-level encryption that may be a better starting point than AES_ENCRYPT().

paragonie-security, May 08 '24 00:05
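The key-space point in the "Insecure Key Management" section, as an added example that is not part of the original issue or the library's code: it reproduces the described pattern (SHA-256, hex-encoded, 16 hex characters kept) and bounds the entropy of the resulting 16-byte key. The function names, the sample secret and the choice of the first 16 characters are assumptions made for illustration.

```python
import hashlib
import math

HEX_ALPHABET = set(b"0123456789abcdef")  # byte values a lowercase hex string can contain


def truncated_hex_key(secret: bytes) -> bytes:
    """Pattern described in the issue: SHA-256, hex-encode, keep 16 hex characters.

    Keeping the *first* 16 characters is an assumption; any 16-character
    slice of the hex digest has the same property.
    """
    return hashlib.sha256(secret).hexdigest()[:16].encode("ascii")


def raw_digest_key(secret: bytes) -> bytes:
    """Same hash, but 16 raw digest bytes, so each key byte can take all 256 values.

    Shown only to contrast key spaces; it assumes `secret` is itself high-entropy
    and is not a fix for the library.
    """
    return hashlib.sha256(secret).digest()[:16]


def max_key_bits(key: bytes) -> float:
    """Upper bound on key entropy implied by the alphabet the key bytes come from."""
    bits_per_byte = math.log2(len(HEX_ALPHABET)) if set(key) <= HEX_ALPHABET else 8
    return bits_per_byte * len(key)


def audit_key(key: bytes) -> str:
    """Flag a key whose bytes are all hex characters (a sign it was hex-encoded first)."""
    bits = max_key_bits(key)
    if bits < 8 * len(key):
        return f"WEAK: {len(key)}-byte key carries at most {bits:.0f} bits (hex-encoded)"
    return f"OK: {len(key)}-byte key can carry up to {bits:.0f} bits"


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed input, not a real key
    for name, fn in (("truncated hex", truncated_hex_key), ("raw digest", raw_digest_key)):
        print(f"{name:14s} {audit_key(fn(secret))}")
    # 2**64 candidate keys is the square root of the 2**128 an AES-128 key should have.
    print("2**64 == isqrt(2**128):", 2**64 == math.isqrt(2**128))
```
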