WL#8126: Assert that MySQL uses Advanced Encryption Standard (AES)

Status: Complete   —   Priority: Medium

Executive Summary


This worklog is created to deprecate functions which use following encryption technologies for encryption/decryption in favor of Advanced Encryption Standard (AES) because AES provides better security:

- Encryption/Decryption based on Data Encryption Standard(DES) - Encryption based on Unix crypt() system call

R1. DES_ENCRYPT()/DES_DECRYPT() should be deprecated. Alternatives should be AES_ENCRYPT()/AES_DECRYPT().

R2. ENCRYPT() should be deprecated. Alternative should be AES_ENCRYPT()

  • I1: Following table lists functions to be deprecated. A deprecation warning will be thrown whenever one of these functions are called. Table also lists replacements for each of these functions and same will be displayed in the warning.
Function to be deprecated Replacement
DES_ENCRYPT AES_ENCRYPT
DES_DECRYPT AES_ENCRYPT
ENCRYPT AES_ENCRYPT

Note : Functions MD5 and SHA/SHA1 can be used in scenarios unrelated to security where performance is important. e.g. generating SQL statement digest. This functions are not deprecated. RAND() does not use PRNG provided by ssl libraries. However, RAND() is deterministic and is useful because replays are possible. MySQL provides RANDOM_BYTES() which uses PRNG provided by ssl libraries.