Pbkdf2PasswordHashImpl generate() creates sometimes invalid result
Rudy De Busscher
Yes indeed, somehow I mixed the output of the generate() method with the encoded password I created for the test cases. I used the com.sun.org.apache.xml.internal.security.utils.Base64 class instead of the java.util one; I updated the pull request accordingly.
Rudy
On 27 July 2017 at 19:38, Will Hopkins <will.hopkins@...> wrote:
Will Hopkins
Just did a test, not seeing any line breaks after encoding a
1024-byte buffer of random data. The line breaks must be coming from
somewhere else (not the Pbkdf2PasswordHash, AFAICT).
On 07/27/2017 01:33 PM, Will Hopkins wrote:
This should not be happening. I'm using the "Basic" encoder (Base64.getEncoder()), which, per the Base64 Javadoc, should not be inserting any line feed/line separator characters.
--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
Will Hopkins
This should not be happening. I'm using the "Basic" encoder
(Base64.getEncoder()), which, per the Base64 Javadoc, should not be
inserting any line feed/line separator characters.
https://docs.oracle.com/javase/8/docs/api/java/util/Base64.html
Will
On 07/27/2017 06:31 AM, Rudy De Busscher wrote:
--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
Rudy De Busscher
During the tests I was writing for Pbkdf2PasswordHashImpl, I saw that Pbkdf2PasswordHashImpl#generate() generates a result with line breaks in it.

PBKDF2WithHmacSHA512:1024:QRyYndGzgjmZ7DT51fQ4orSJp5b1IkEaY7qFp9o0Q8ZW4GuR7A7sOQN80Dtrqh1stXjK/VSj5+TY\nZClDbdM/wQ==:VNDmODrwU/geTRbtYaQXOrraPh1XP38qM1rRJtLts0OVLjpCq8Q5OYMdxR5whK7JgJpWQqMh1zIh\nYoTLatrXWA==

(The above example is when using a longer salt and longer key size, both 64.)

This is due to the fact that the Base64 algorithm adds line breaks after every 76 characters. But these line breaks make the Base64 invalid when we call the verify() method with this kind of value.

My proposal is to remove them (the line breaks) during generation of the hash (generate() method) and also clean them out before Base64 decoding (decode() method).

Rudy
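The behaviour discussed in this thread, as an added example that is not part of the original messages or of the project's code: a 64-byte salt and 64-byte key each encode to 88 Base64 characters, so an encoder that wraps at 76 characters inserts a line break that the strict java.util decoder rejects. The class and method names are hypothetical, the password is a constructed sample, and Base64.getMimeEncoder(76, "\n") is used here as a stand-in for a line-wrapping encoder.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2EncodingDemo {
    static final String ALG = "PBKDF2WithHmacSHA512";

    static byte[] pbkdf2(char[] pw, byte[] salt, int iterations, int keyBytes) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, keyBytes * 8);
        return SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
    }

    // Builds "algorithm:iterations:base64(salt):base64(hash)" with the given encoder.
    static String generate(char[] pw, Base64.Encoder enc) throws Exception {
        byte[] salt = new byte[64];
        new SecureRandom().nextBytes(salt);
        return ALG + ":1024:" + enc.encodeToString(salt) + ":"
                + enc.encodeToString(pbkdf2(pw, salt, 1024, 64));
    }

    // Strict verification: the basic decoder rejects any character outside the alphabet.
    static boolean verify(char[] pw, String stored) throws Exception {
        String[] p = stored.split(":");
        if (p.length != 4 || !ALG.equals(p[0])) return false;
        byte[] salt = Base64.getDecoder().decode(p[2]);
        byte[] expected = Base64.getDecoder().decode(p[3]);
        byte[] actual = pbkdf2(pw, salt, Integer.parseInt(p[1]), expected.length);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray();
        String ok = generate(pw, Base64.getEncoder());
        System.out.println("basic encoder verifies: " + verify(pw, ok));

        // Stand-in for a line-wrapping encoder: '\n' after every 76 characters.
        String wrapped = generate(pw, Base64.getMimeEncoder(76, new byte[] {'\n'}));
        System.out.println("wrapped contains newline: " + wrapped.contains("\n"));
        try {
            verify(pw, wrapped);
        } catch (IllegalArgumentException e) {
            System.out.println("wrapped value rejected: " + e.getMessage());
        }
    }
}
```

Generating with Base64.getEncoder() keeps the stored value on a single line, so a strict decoder in verify() can reject malformed input instead of silently cleaning it.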