Issues with lookups against encrypted fields #12

Open
alien8ion opened this issue Aug 3, 2022 · 2 comments

@alien8ion

I'm reasonably new to Django so this may be a fundamental misunderstanding on my part, but I'm unable to do query lookups against the encrypted fields I've defined.

The encrypted fields work as expected when saving or retrieving data from the database but not when I try to do a lookup, e.g. FieldClass.objects.filter(attribute='value')

I assume that this is because the lookup likely just does a low-level SQL query and doesn't pre-fetch/decrypt the data before the query is processed, but I don't know this for a fact and haven't had much luck determining that with the Django documentation yet.

I have another project that uses encrypted fields with SQLAlchemy and the queries work as expected even with encrypted fields, so I think it should be able to be done, I'm just not sure if so within Django.

My environment is:
Python 3.9.13 (virtual env)
Django 4.0.6
sqlite3
django-fernet-encrypted-files 0.1.2

macOS 12.5

Please let me know if you need any further information.
Any and all help will be greatly appreciated.

@StevenMapes
Contributor

You're right this project doesn't support that.

SQLAlchemy is probably using encrypted fields at the database level, whereas this and other projects like it use a PBKDF2 hash at the software level and then save the value to the back-end. This allows them to work with database back-ends that would not normally support it. That's why you can't filter on the original value; you'd need to be filtering on the output at the time.

This means that the output of the encryption is unique every time it's run. For example, if you save your model and look directly at the database, then save the model again and repeat, you'll notice that the value in the database has changed. This is because the project uses "PBKDF2-with-HMAC-with-SHA256" to help protect against brute-force attacks (PBKDF2 is a slow algorithm compared to SHA256 alone). - https://crypto.stackexchange.com/questions/35275/whats-the-difference-between-pbkdf-and-sha-and-why-use-them-together

So you'd need to filter on another property.

@whyscream

Maybe we can learn from and implement this? https://django-fernet-fields.readthedocs.io/en/latest/#indexes-constraints-and-lookups
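
Added example (not part of the thread and not this project's code): one way to "filter on another property" is to store a keyed hash of the plaintext in a second, indexed column and run equality lookups against that. The table, column and key names are assumptions made for the illustration, and it uses the `cryptography` package's Fernet with plain sqlite3 rather than Django models.

```python
import hashlib
import hmac
import sqlite3

from cryptography.fernet import Fernet

# Constructed demo keys. In a real deployment both come from secret settings,
# and the index key is distinct from the encryption key.
ENC_KEY = Fernet.generate_key()
INDEX_KEY = b"constructed-demo-index-key"
fernet = Fernet(ENC_KEY)


def blind_index(value: str) -> str:
    """Deterministic HMAC-SHA256 of the plaintext, used only for equality lookups."""
    return hmac.new(INDEX_KEY, value.encode(), hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    # Hypothetical schema: ciphertext column plus a lookup column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, email_enc BLOB, email_idx TEXT)")
    db.execute("CREATE INDEX person_email_idx ON person (email_idx)")
    return db


def insert(db: sqlite3.Connection, email: str) -> None:
    db.execute(
        "INSERT INTO person (email_enc, email_idx) VALUES (?, ?)",
        (fernet.encrypt(email.encode()), blind_index(email)),
    )


def naive_lookup(db: sqlite3.Connection, email: str) -> list:
    # A Fernet token embeds a random IV and a timestamp, so a freshly
    # encrypted value never equals the token already stored for the same text.
    token = fernet.encrypt(email.encode())
    return db.execute("SELECT id FROM person WHERE email_enc = ?", (token,)).fetchall()


def indexed_lookup(db: sqlite3.Connection, email: str) -> list:
    # Match on the keyed hash, then decrypt only the rows that matched.
    rows = db.execute(
        "SELECT email_enc FROM person WHERE email_idx = ?", (blind_index(email),)
    ).fetchall()
    return [fernet.decrypt(row[0]).decode() for row in rows]
```

The index column shows which rows hold the same value, and a low-entropy field can be guessed by anyone who obtains the index key, so that key should never be stored in the database.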
