jazzband / django-fernet-encrypted-fields

MIT License

Issues with lookups against encrypted fields #12

Open alien8ion opened 1 year ago

alien8ion commented 1 year ago

I'm reasonably new to Django so this may be a fundamental misunderstanding on my part, but I'm unable to do query lookups against the encrypted fields I've defined.

The encrypted fields work as expected when saving or retrieving data from the database but not when I try to do a lookup, e.g. FieldClass.objects.filter(attribute='value')

I assume that this is because the lookup likely just does a low-level SQL query and doesn't pre-fetch/decrypt the data before the query is processed, but I don't know this for a fact and haven't had much luck determining that from the Django documentation yet.

I have another project that uses encrypted fields with SQLAlchemy, and the queries work as expected even with encrypted fields, so I think it should be possible; I'm just not sure whether it is within Django.

My environment is:

- Python 3.9.13 (virtual env)
- Django 4.0.6
- sqlite3
- django-fernet-encrypted-fields 0.1.2
- macOS 12.5

Please let me know if you need any further information. Any and all help will be greatly appreciated.

StevenMapes commented 1 year ago

You're right, this project doesn't support that.

SQLAlchemy is probably using encrypted fields at the database level, whereas this and other projects like it use a PBKDF2 hash at the software level and then save the value to the back-end. This allows them to work with database back-ends that would not normally support it. That's why you can't filter on the original value; you'd need to be filtering on the output at the time.

This means that the output of the encryption is unique every time it's run. For example, if you save your model and look directly at the database, then save the model again and repeat, you'll notice that the value in the database has changed. This is because the project uses "PBKDF2-with-HMAC-with-SHA256" to help protect against brute-force attacks (PBKDF2 is a slow algorithm compared to SHA256 alone). - https://crypto.stackexchange.com/questions/35275/whats-the-difference-between-pbkdf-and-sha-and-why-use-them-together

So you'd need to filter on another property.
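
The following is an added example, not code from this project or from either commenter. It shows the two points above in runnable form: encrypting the same plaintext twice yields two different tokens, so an equality filter against the encrypted column can never match, and the usual "other property" to filter on is a separate, deterministic keyed-hash column (a blind index) stored next to the ciphertext. The PBKDF2-then-Fernet key derivation mirrors the description in the thread rather than the project's exact code; the secret, salts, table rows and helper names are all constructed for the demonstration. If `cryptography` is not installed, a clearly labelled stand-in cipher with the same random-IV property is used so the example still runs.

```python
"""Why .filter() on a Fernet-encrypted column cannot match, and how a blind
index column restores equality lookups. Added example; not project code."""
import base64
import hashlib
import hmac
import os

try:
    from cryptography.fernet import Fernet  # real Fernet when available
except ImportError:  # pragma: no cover - fallback so the example runs offline
    Fernet = None


class _StandInCipher:
    """Used only when `cryptography` is absent. Like Fernet it prefixes a
    fresh random IV to every token, so two encryptions of one plaintext never
    match. It is NOT Fernet and must not be used for anything real."""

    def __init__(self, key: bytes):
        self._key = base64.urlsafe_b64decode(key)

    def _keystream(self, iv: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = iv + counter.to_bytes(4, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, data: bytes) -> bytes:
        iv = os.urandom(16)
        ks = self._keystream(iv, len(data))
        return base64.urlsafe_b64encode(iv + bytes(a ^ b for a, b in zip(data, ks)))

    def decrypt(self, token: bytes) -> bytes:
        raw = base64.urlsafe_b64decode(token)
        iv, body = raw[:16], raw[16:]
        ks = self._keystream(iv, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


Cipher = Fernet if Fernet is not None else _StandInCipher


def derive_key(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256, the deliberately slow step the thread mentions.
    Fernet expects a 32-byte key encoded as url-safe base64."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)


# Constructed values; in a Django project SECRET_KEY plays the role of SECRET.
# Two different salts give two independent keys, so the index key never
# reveals the encryption key.
SECRET = "constructed-secret-for-the-example"
ENC_KEY = derive_key(SECRET, b"constructed-encryption-salt")
IDX_KEY = derive_key(SECRET, b"constructed-index-salt")
cipher = Cipher(ENC_KEY)


def encrypt(value: str) -> str:
    return cipher.encrypt(value.encode()).decode()


def decrypt(token: str) -> str:
    return cipher.decrypt(token.encode()).decode()


def blind_index(value: str) -> str:
    """Deterministic HMAC of the normalised plaintext. Equal inputs give equal
    outputs, so the ORM can filter on this column; without IDX_KEY the value
    cannot be precomputed from a guessed plaintext."""
    normalised = value.strip().lower().encode()
    return hmac.new(base64.urlsafe_b64decode(IDX_KEY), normalised, hashlib.sha256).hexdigest()


def ciphertexts_differ(value: str) -> bool:
    """Same plaintext, same key, two different tokens that both decrypt."""
    t1, t2 = encrypt(value), encrypt(value)
    return t1 != t2 and decrypt(t1) == decrypt(t2) == value


def make_table(emails):
    """Stand-in for rows with an encrypted column and its blind-index column."""
    return [{"email": encrypt(e), "email_idx": blind_index(e)} for e in emails]


def lookup_by_ciphertext(table, value: str):
    """What filter(email=value) amounts to: compare the stored token with a
    freshly produced one. Every token is unique, so nothing ever matches."""
    probe = encrypt(value)
    return [decrypt(r["email"]) for r in table if r["email"] == probe]


def lookup_by_blind_index(table, value: str):
    """What filter(email_idx=blind_index(value)) amounts to."""
    probe = blind_index(value)
    return [decrypt(r["email"]) for r in table if r["email_idx"] == probe]


if __name__ == "__main__":
    rows = make_table(["alice@example.com", "bob@example.com"])
    print("tokens differ:", ciphertexts_differ("alice@example.com"))
    print("by ciphertext:", lookup_by_ciphertext(rows, "alice@example.com"))
    print("by blind index:", lookup_by_blind_index(rows, "alice@example.com"))
```

In a Django model this maps to an encrypted field plus an indexed `CharField` that the model's `save()` fills with `blind_index(plaintext)`, and views filter on that second column. Two caveats a reviewer would raise: the index column only supports exact-match lookups (no `icontains`, no ordering), and anyone who can read the column can see which rows share a value even though they cannot read the value itself, so it should be applied only to attributes that genuinely need to be searchable.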

whyscream commented 11 months ago

Maybe we can learn from and implement this? https://django-fernet-fields.readthedocs.io/en/latest/#indexes-constraints-and-lookups