
I'm pretty much sure I must be doing something completely wrong, but why is this test failing for the last two assertions?

Two relatively similar, but nevertheless different Strings (basically JWTs) test OK against each other's hashes?

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.mindrot.jbcrypt.BCrypt;

@Test
public void testMoreHashing() {

    // Two RS256 JWTs with identical header and a payload that differs in the "sub" claim;
    // the second one has an empty signature part.
    String longToken =  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA";
    String shortToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9.";

    // Each token verifies against its own hash (cost factor 13).
    String longTokenHash = BCrypt.hashpw(longToken, BCrypt.gensalt(13));
    assertTrue(BCrypt.checkpw(longToken, longTokenHash));

    String shortTokenHash = BCrypt.hashpw(shortToken, BCrypt.gensalt(13));
    assertTrue(BCrypt.checkpw(shortToken, shortTokenHash));

    // Sanity checks: the tokens differ, the hashes differ (different salts), and neither contains the other.
    assertFalse(longToken.equalsIgnoreCase(shortToken));
    assertFalse(longTokenHash.equalsIgnoreCase(shortTokenHash));
    assertFalse(longToken.contains(shortToken));

    // These two assertions fail: each token also verifies against the other token's hash.
    assertFalse(BCrypt.checkpw(longToken, shortTokenHash));
    assertFalse(BCrypt.checkpw(shortToken, longTokenHash));
}

The version of jBCrypt used, as copied from my pom.xml, is

<dependency>
    <groupId>de.svenkubiak</groupId>
    <artifactId>jBCrypt</artifactId>
    <version>0.4</version>
</dependency>

JUnit is version 4.12

Thanks for helping :)

Alex
  • Does this function truncate the input data? – tadman Dec 14 '17 at 22:04
  • @tadman you might be right - just found this one https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length where it says that Blowfish truncates at 72 characters, and if I see it right, the first 79 are identical... – Alex Dec 14 '17 at 22:15
  • It's worth adding that as an answer since I think you found confirmation. – tadman Dec 14 '17 at 22:17
  • Don't you wanna post the answer? It was basically you pointing me in the right direction :) – Alex Dec 14 '17 at 22:20
  • The first 100 points is always the hardest, so what's wrong with a little help? – tadman Dec 14 '17 at 23:27

1 Answer

As @tadman pointed out, the Blowfish algorithm used truncates passwords at 72 characters, and the differences between the passwords used only start at 79. See also https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length

Alex
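The truncation the answer describes, worked through on the two tokens from the question. This is an added example, not code from the question, the answer or the jBCrypt project, and it deliberately has no bcrypt dependency: `bcrypt_key_material` is a simplified model of what jBCrypt feeds into the Blowfish key schedule (assumption: the UTF-8 bytes of the String, cycled to fill an 18-word, 72-byte key, so nothing after byte 72 can influence the hash; whether a terminating NUL byte is included differs between bcrypt implementations and is not modelled). The two token constants are copied from the question. `prehash_for_bcrypt` and `reject_overlong` are two hypothetical mitigations a caller can apply before handing a long secret to `BCrypt.hashpw`/`checkpw`; the names are mine.

```python
"""Why two JWT strings that agree on their first 72 bytes verify against each
other's bcrypt hash, and two ways a caller can avoid that.  Added example; the
key-schedule model is an assumption described in bcrypt_key_material."""

import base64
import hashlib

# bcrypt's Blowfish key schedule consumes 18 P-array words * 4 bytes = 72 bytes.
BCRYPT_MAX_BYTES = 72

# Constructed sample input: the two tokens from the question.
LONG_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA"
SHORT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9."


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def bcrypt_key_material(secret: str) -> bytes:
    """Model (assumption, see lead-in) of the bytes bcrypt keys Blowfish with.

    The UTF-8 bytes are cycled until 72 bytes have been consumed, so a secret
    longer than 72 bytes is cut off there and a shorter one is repeated.  Two
    secrets with the same first 72 bytes therefore produce the same Blowfish
    state, and hence the same hash for a given salt.
    """
    raw = secret.encode("utf-8")
    if not raw:
        raise ValueError("empty secret")
    if len(raw) >= BCRYPT_MAX_BYTES:
        return raw[:BCRYPT_MAX_BYTES]
    reps = (BCRYPT_MAX_BYTES + len(raw) - 1) // len(raw)
    return (raw * reps)[:BCRYPT_MAX_BYTES]


def same_bcrypt_key(a: str, b: str) -> bool:
    """True if bcrypt would hash the two secrets identically under one salt."""
    return bcrypt_key_material(a) == bcrypt_key_material(b)


def prehash_for_bcrypt(secret: str) -> bytes:
    """Mitigation 1: collapse the secret to 44 printable bytes before bcrypt.

    SHA-256 makes every byte of the secret influence the result; base64 keeps
    the output at 44 bytes (well under 72) and free of NUL bytes, which
    C-based bcrypt implementations treat as the end of the key.  The same
    function must be applied on both the hashing and the checking path.
    """
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest)


def reject_overlong(secret: str) -> bytes:
    """Mitigation 2: refuse secrets bcrypt would silently truncate."""
    raw = secret.encode("utf-8")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"secret is {len(raw)} bytes; bcrypt only uses the first {BCRYPT_MAX_BYTES}"
        )
    return raw


if __name__ == "__main__":
    print("shared prefix:", common_prefix_len(LONG_TOKEN, SHORT_TOKEN), "chars")
    print("same bcrypt key material:", same_bcrypt_key(LONG_TOKEN, SHORT_TOKEN))
    print("prehashed values differ:",
          prehash_for_bcrypt(LONG_TOKEN) != prehash_for_bcrypt(SHORT_TOKEN))
```

Running it shows the two tokens share their first 78 characters, so the 72-byte key material is identical and either token verifies against the other's hash, exactly the failure in the question. Pre-hashing (or rejecting) before calling `BCrypt.hashpw` fixes it; note that some implementations, for example recent versions of the pyca `bcrypt` package for Python, refuse inputs over 72 bytes with a ValueError instead of truncating silently, so a length check is worth having on the input path regardless.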