These functions allow encryption/decryption of data using the official
AES (Advanced Encryption Standard) algorithm, previously known as Rijndael.
Encoding with a 128-bit key length is used, but you can extend it up to
256 bits by modifying the source. We chose 128 bits because it is much
faster and it is usually secure enough.
The input arguments may be any length. If either argument is NULL,
the result of this function is also NULL.
As AES is a block-level algorithm, padding is used to encode uneven length
strings and so the result string length may be calculated as
16*(trunc(string_length/16)+1).
If AES_DECRYPT() detects invalid data or incorrect padding, it
returns NULL. However, it is possible for AES_DECRYPT()
to return a non-NULL value (possibly garbage) if the input data or
the key are invalid.
You can use the AES functions to store data in an encrypted form by
modifying your queries:
INSERT INTO t VALUES (1,AES_ENCRYPT('text','password'));
You can get even more security by not transferring the key over the
connection for each query, which can be accomplished by storing it in a
server side variable at connection time:
SELECT @password:='my password';
INSERT INTO t VALUES (1,AES_ENCRYPT('text',@password));
AES_ENCRYPT() and AES_DECRYPT() were added in version 4.0.2,
and can be considered the most cryptographically secure encryption
functions currently available in MySQL.
DECODE(crypt_str,pass_str)
Descrypts the encrypted string crypt_str using pass_str as the
password. crypt_str should be a string returned from
ENCODE().
ENCODE(str,pass_str)
Encrypt str using pass_str as the password.
To decrypt the result, use DECODE().
The results is a binary string of the same length as string.
If you want to save it in a column, use a BLOB column type.
DES_DECRYPT(string_to_decrypt [, key_string])
Decrypts a string encrypted with DES_ENCRYPT().
Note that this function only works if MySQL has been configured with
SSL support. See Secure connections.
If no key_string argument is given, DES_DECRYPT() examines
the first byte of the encrypted string to determine the DES key number
that was used to encrypt the original string, then reads the key
from the des-key-file to decrypt the message. For this to work
the user must have the SUPER privilege.
If you pass this function a key_string argument, that string
is used as the key for decrypting the message.
If the string_to_decrypt doesn't look like an encrypted string, MySQL
will return the given string_to_decrypt.
On error, this function returns NULL.
Encrypts the string with the given key using the Triple-DES algorithm.
Note that this function only works if MySQL has been configured with
SSL support. See Secure connections.
The encryption key to use is chosen the following way:
Argument
Description
Only one argument
The first key from des-key-file is used.
key number
The given key (0-9) from the des-key-file is used.
string
The given key_string will be used to crypt string_to_encrypt.
ENCRYPT(str[,salt])
Encrypt str using the Unix crypt() system call. The
salt argument should be a string with two characters.
(As of MySQL Version 3.22.16, salt may be longer than two characters.)
ENCRYPT() ignores all but the first 8 characters of str, at
least on some systems. This behavior is determined by the implementation
of the underlying crypt() system call.
If crypt() is not available on your system, ENCRYPT() always
returns NULL. Because of this we recommend that you use MD5()
or SHA1() instead; these two functions exist on all platforms.
MD5(string)
Calculates an MD5 128-bit checksum for the string. The value is returned
as a 32-digit hex number that may, for example, be used as a hash key:
This is the "RSA Data Security, Inc. MD5 Message-Digest Algorithm".
PASSWORD(str)
, OLD_PASSWORD(str)
Calculates a password string from the plaintext password str. This is
the function that is used for encrypting MySQL passwords for storage
in the Password column of the user grant table:
PASSWORD() encryption is non-reversible.
PASSWORD() does not perform password encryption in the same way that
Unix passwords are encrypted. See ENCRYPT().
Note:
The PASSWORD() function is used by the authentication system in
MySQL Server, you should NOT use it in your own applications.
For that purpose, use MD5() or SHA1() instead.
Also see RFC-2195 for more information about handling passwords
and authentication securely in your application.
SHA1(string)
, SHA(string)
Calculates an SHA1 160-bit checksum for the string, as described in
RFC 3174 (Secure Hash Algorithm). The value is returned as a 40-digit
hex number, or NULL in case the input argument was NULL.
One of the possible uses for this function is as a hash key. You can
also use it as cryptographically safe function for storing passwords.