I can't achieve decoding of the value stored as such in MariaDB:
dibi::query('
INSERT INTO tbl
(password)
VALUES (AES_ENCRYPT(%s, UNHEX(SHA2(%s, 0))))', $pass, 'abcde');
using a PHP script.
The code I'm using to decode the value is:
$enc = dibi::fetchSingle('
SELECT password
FROM cred
WHERE *conditions*');
$password = dibi::fetchSingle('
SELECT AES_DECRYPT(%bin, UNHEX(SHA2(%s, 0)))', $enc, 'abcde');
The binary value is retrieved successfully in $enc, but when I try to var_dump the $password variable I get a NULL result.
Please suggest possible reasons why the value is not decoded properly. Is there a way to apply the AES_DECRYPT function on the fly, in the same SELECT statement?
The scheme of encrypting a hash of a password is not secure. Instead, simply use the PHP functions password_hash and password_verify; they are simple and secure.
Just using a hash function is not sufficient, and just adding a salt does little to improve the security.
Encrypting passwords fails when the attacker gains access to the DB: he also gets the encryption key.
Instead, iterate over an HMAC with a random salt for about a 100 ms duration and save the salt with the hash. Use functions such as PBKDF2, Rfc2898DeriveBytes, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.
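An added example, not code from the question or the answer, of what the answer recommends: replacing the AES_ENCRYPT column with password_hash()/password_verify(), with the bcrypt cost calibrated so one hash takes roughly 100 ms. The table and column names (cred, password) follow the question; the username column, the PDO connection string and the credentials are assumptions.

```php
<?php
// Added example: store and check passwords with password_hash()/password_verify()
// instead of AES_ENCRYPT. No encryption key exists, so a copied DB yields only
// salted, slow bcrypt hashes. PDO DSN, credentials and the username column are assumed.

// Raise the bcrypt cost until one hash takes about the target time (100 ms in the
// answer). The cost is recorded inside the hash string, so it can be raised later.
function calibrateCost(float $targetSeconds = 0.1, int $maxCost = 15): int
{
    $cost = 10;
    while ($cost < $maxCost) {
        $start = microtime(true);
        password_hash('calibration-probe', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
        $cost++;
    }
    return $cost;
}

function storePassword(PDO $db, string $user, string $plain, int $cost): void
{
    // password_hash() draws a random salt itself; the result is a 60-character
    // string, so a VARCHAR(255) column is enough and no binary handling is needed.
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
    $stmt = $db->prepare('INSERT INTO cred (username, password) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function checkPassword(PDO $db, string $user, string $plain, int $cost): bool
{
    $stmt = $db->prepare('SELECT password FROM cred WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($plain, $hash)) {
        return false;
    }
    // Rows hashed with an older, lower cost are upgraded on successful login.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $upd = $db->prepare('UPDATE cred SET password = ? WHERE username = ?');
        $upd->execute([password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]), $user]);
    }
    return true;
}

// Usage with an assumed DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
$cost = calibrateCost();
storePassword($db, 'alice', 'correct horse battery staple', $cost);
var_dump(checkPassword($db, 'alice', 'correct horse battery staple', $cost));
```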