Search and Sort on Encrypted Fields

manawar · November 20, 2014, 6:26pm

I have to encrypt at rest a lastname field and firstname field

I user beforeSave and afterFind decrypt/encrypt

My problem is I cannot search on these fields in their native, at-rest encrypted form

Any suggestions on how to do this with a search Model?

Here is my attempt

public function search($params)

{


    &#036;query = Patient::find();





    &#036;dataProvider = new ActiveDataProvider([


        'query' =&gt; &#036;query,


    ]);





    if (&#33;(&#036;this-&gt;load(&#036;params) &amp;&amp; &#036;this-&gt;validate())) {


        return &#036;dataProvider;


    }





    &#036;query-&gt;andFilterWhere([


        'id' =&gt; &#036;this-&gt;id,


        'birthdate' =&gt; &#036;this-&gt;birthdate,


        'surgeon' =&gt; &#036;this-&gt;surgeon,


        'office' =&gt; &#036;this-&gt;office,


        'referral' =&gt; &#036;this-&gt;referral,


        'dbowner' =&gt; &#036;this-&gt;dbowner,


        'user_id' =&gt; &#036;this-&gt;user_id,


        'created' =&gt; &#036;this-&gt;created,


        'updated' =&gt; &#036;this-&gt;updated,


        'edited_by' =&gt; &#036;this-&gt;edited_by,


    ]);





    &#036;query-&gt;andFilterWhere(['like', 'chartid', &#036;this-&gt;chartid])


        -&gt;andFilterWhere(['like', 'lastname', base64_decode(Yii::&#036;app-&gt;getSecurity()-&gt;decryptByKey(&#036;this-&gt;lastname,Patient::KEY))])


        -&gt;andFilterWhere(['like', 'firstname',base64_decode(Yii::&#036;app-&gt;getSecurity()-&gt;decryptByKey(&#036;this-&gt;firstname,Patient::KEY))])


        -&gt;andFilterWhere(['like', 'mi', &#036;this-&gt;mi])


        -&gt;andFilterWhere(['like', 'sex', &#036;this-&gt;sex])


        -&gt;andFilterWhere(['like', 'ethnicity', &#036;this-&gt;ethnicity])


        -&gt;andFilterWhere(['like', 'phone', base64_decode(Yii::&#036;app-&gt;getSecurity()-&gt;decryptByKey(&#036;this-&gt;phone,Patient::KEY))]);





    return &#036;dataProvider;


}

}

JFReyes · December 18, 2017, 2:59pm

I have the same issue. This old post is still unanswered and I found it (along with other suggestions) while searching. I hope that someone can help.

Anyways, your code won’t work because you’re decrypting/base64 decoding the user input instead of the table column. Yii2 translates the statement


->andFilterWhere(['like', 'lastname', base64_decode(Yii::$app->getSecurity()->decryptByKey($this->lastname,Patient::KEY))])

into:


WHERE ('lastname' LIKE '%whatever the user entered and you decrypted%)

and what you want is:


WHERE ('decrypted column value' LIKE '%whatever the user entered in cleartext%)

Getting that decrypted column value is the problem. I’ve tried:

using a stored procedure. It works by itself but MySQL won’t accept a CALL command in the WHERE clause;
MySQL also doesn’t like a dbExpression such as (AES_DECRYPT(FROM_BASE64(‘column’)) on the WHERE clause;
looked into MySQL’s (5.7.6+) generated virtual columns with the above expression but couldn’t get it to work;

I read that using FindAll() along with an ArrayDataprovider (instead of ActiveDataProvider) would work but didn’t see any sample code that would point me in the right direction.

Any help is greatly appreciated.

softark · December 18, 2017, 4:36pm

I think there should be no practical solution for it at all.

Only the searching of exact match can be possible with a reasonable performance like the following:




$rawWord = 'some-word';

$encWord = encrypt($rawWord);

$results = [];

foreach($encDatasas $encData) {

    if ($encData->word == $encWord) {

        echo "Found the word (" . $rawWord . ").";

        $resulsts[] = $encData;

    }

}

You need to call "encrypt" method just once.

But when it comes to partial match, then it will cost a lot of CPU time:




$rawWord = 'some-word';

$results = [];

foreach($encDatasas $encData) {

    $word = decrypt($encData->word);

    if (strpos($word, $rawWord) !== false) {

        echo "Found the word (" . $rawWord . ").";

        $resulsts[] = $encData;

    }

}

Note that you have to call "decrypt" method for each and every data.

Both encryption and decryption are very time consuming job. While the former sample only execute encrypt() one time, the latter need to call decrypt() as many times as there are many data. The more there are data to be processed, the more time you have to spend.

Also the sorting requires that all the data be fully decrypted beforehand.

JFReyes · December 18, 2017, 4:54pm

Thank you for the prompt reply, @softark. I realize that for searching/sorting inside a GridView I would need the data already decrypted. Perhaps my best bet would be using a SqlDataProvider where I can decrypt it using SQL. Another approach I’ll look into is the generated virtual column available in MySQL 5.7.6+. I’ll post back after my trials.

Thanks,

softark · December 18, 2017, 10:06pm

Something like the following may work when the count of rows is considerably small.




$objects = MyModel::find()->all();

foreach ($objects as $obj) {

    $obj->field = decrypt($obj->field);

}


$dp = new ArrayDataProvider([

    'allModels' => $objects,

    ...

]);

[EDIT]

Ah, we could improve the performance a little.

Assuming that the table has a non-encrypted column that can be used for filtering:




$objects = MyModel::find()

    ->andFilterWhere(['attr1' => $this->attr1])

    ->all();

...

We have to try to make the result of ‘all()’ as small as possible before we give it to the ArrayDataProvider.

JFReyes · December 19, 2017, 1:32pm

Thank you for the guidance, @softark; your code makes sense. I’ll take a look at the possible complications you mentioned because it seems that it will consume a lot of resources (CPU/RAM) and I don’t know yet the size of the data set.

Regards,

kongoon · October 2, 2020, 4:36am

Same problem, how to resolve this?