I'm using Laravel 5 for a project, one of the tenets of which is that emails stored in the system must be encrypted. I am using Laravel 5's Crypt:: facade, and the relevant encrypt() and decrypt() methods.
The problem lies in that the encrypted value seems to differ, even if given the same string. At first I thought it could be to do with VARCHAR field max lengths, however both the hash values come back under the 255 length set on the field.
Take, for example, this dump:
```php
<?php

use Illuminate\Support\Facades\Crypt;

// Two ciphertexts produced by Crypt::encrypt() for the same email address.
$hash1 = 'eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ';
$hash2 = 'eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRBbW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0=';

$dump = [
    'hash1'   => $hash1,
    'hash2'   => $hash2,
    // Both decrypt to the same plaintext even though the ciphertexts differ.
    'string1' => Crypt::decrypt($hash1),
    'string2' => Crypt::decrypt($hash2),
];

return $dump;
```
Dumped Object
hash1: "eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ"
hash2: "eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRBbW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0="
string1: "[email protected]"
string2: "[email protected]"
Dots are inputted in place of characters for privacy, but they are exactly the same. The only other thing I can possibly think about is maybe some kind of charset formatting?
Any help resolving this would be greatly appreciated!
Regards.
If I understand your question, it's: why do the encrypted results differ, even with the same input and the same key?
(You mention these being hashes, but Crypt::encrypt() and decrypt() are for symmetric encryption)
Laravel Crypt uses CBC mode by default. That means it generates a random IV every time you encrypt something, to ensure the output is always different.
Without using a mode like CBC, you risk leaking information. If I know that [email protected] always encrypts to eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ, then even without knowing your encryption key, I still know something about your messages (who it's being sent to, for example).
You can see a great example of the risk here.
Edit: If this is for password storage, you should not be using encrypt() and decrypt(). You should use bcrypt() or PBKDF2. Otherwise, assuming a compromise, an attacker could just decrypt all your users' passwords.
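As an added illustration (not code from the question, the answer or Laravel itself), this Python decodes the two payloads quoted in the question into their iv, value and mac parts, showing that what changes between them is a fresh 16-byte IV and, as a consequence, the ciphertext and MAC. It also goes one step past the answer: a keyed blind index is the usual way to regain equality lookups on a column whose ciphertext is randomised. The index key is a constructed placeholder.

```python
"""Parse Laravel 5 Crypt payloads and derive a blind index for lookups."""
import base64
import hashlib
import hmac
import json

# The two payloads quoted in the question: same plaintext, same app key.
HASH1 = "eyJpdiI6InJFNTFkdktpVU9cL1wvRTJPVk94SURiUT09IiwidmFsdWUiOiJIZVh4Y1NyUGpVcTVFVTNSbWdUNnJCUWRHSGZTcnFTQWJKa1h0Q1wvMEVtZnFuM3dDeFwvXC9hdUs4enFXXC94dEJ0cSIsIm1hYyI6IjFjNjZjODFjMjI5NTQ0NmVhZDUwODQzODE0OTQ4NTdjMzAxNTQ5Y2ZjY2M4YzRiODU0ZjIwNDhmMDA0Yjc4OWQifQ"
HASH2 = "eyJpdiI6ImRBVWNKVTlJZVFmckk2T0c4cXNObFE9PSIsInZhbHVlIjoidElqcE5TMUFwVHZXeW12R3hKMFVFWlR0WmgxOFRBbW5cL2V3dUJ6VndsdktLYjVGR2JQQWpSUUNUWDBJbU5OQWEiLCJtYWMiOiI3MjM3ODNiMzc0NDJlNDVhYzFkOTBmMjhhOTk0MTUyM2FlNzM5ZGE4ODE3MTJlMDM5NWZiMzViZjM5OTA0MGRhIn0="


def parse_payload(payload: str) -> dict:
    """Split a Laravel 5 payload into raw iv, raw ciphertext and hex mac.
    The outer layer is base64-encoded JSON whose iv and value fields are
    base64 too; padding is restored because hash1 was pasted without it."""
    padded = payload + "=" * (-len(payload) % 4)
    fields = json.loads(base64.b64decode(padded))
    return {"iv": base64.b64decode(fields["iv"]),
            "value": base64.b64decode(fields["value"]),
            "mac": fields["mac"]}


def compare_payloads(p1: str, p2: str) -> dict:
    """Show which parts change when the same plaintext is encrypted twice."""
    a, b = parse_payload(p1), parse_payload(p2)
    return {"iv_len": (len(a["iv"]), len(b["iv"])),  # one 16-byte AES block
            "iv_differs": a["iv"] != b["iv"],
            "ciphertext_len": (len(a["value"]), len(b["value"])),
            "ciphertext_differs": a["value"] != b["value"],
            "mac_differs": a["mac"] != b["mac"]}


def blind_index(email: str, index_key: bytes) -> str:
    """Deterministic keyed token stored beside the ciphertext for equality
    lookups. HMAC keeps it non-reversible without the (separate) index key;
    normalising first means 'A@x.com ' and 'a@x.com' map to the same row."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(index_key, normalized, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(compare_payloads(HASH1, HASH2))
    key = b"constructed-example-index-key"  # placeholder, not a real key
    print(blind_index("Jane.Doe@example.com", key)
          == blind_index(" jane.doe@example.com ", key))
```

Query the table by the blind index column, never by comparing ciphertexts, and keep the index key separate from the Laravel app key.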