SCryptPasswordEncoder Key Length Issue #4788

Open

ebarlas opened this issue Nov 3, 2017 · 0 comments
Labels

in: crypto (An issue in spring-security-crypto); type: enhancement (A general enhancement)

Comments

ebarlas commented Nov 3, 2017

Summary

During the matches operation, SCryptPasswordEncoder retains the instance keyLength rather than the target digest keyLength. It makes it very difficult to verify non-homogeneous digests with different key lengths.

Why is that? A security consideration?

Actual Behavior

SCryptPasswordEncoder matches operation fails if instance keyLength differs from target digest key length.

Expected Behavior

SCryptPasswordEncoder matches operation ought to use the target digest key length.

Configuration

SCryptPasswordEncoder instance keyLength differs from target digest key length.

Version

4.2.3.RELEASE

Sample

Simple example prints true

import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// Constructor arguments: (cpuCost, memoryCost, parallelization, keyLength, saltLength)
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(encoder.matches(raw, digest));

Instance parameters differ from digest parameters, except key length - prints true

import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// Constructor arguments: (cpuCost, memoryCost, parallelization, keyLength, saltLength)
// The tester uses different cost, salt length and memory settings, but the same keyLength (32)
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(1024, 8, 1, 32, 24);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(tester.matches(raw, digest));

Only the key length differs - prints false

import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

// Constructor arguments: (cpuCost, memoryCost, parallelization, keyLength, saltLength)
// Identical settings except keyLength: 32 for the encoder, 24 for the tester
SCryptPasswordEncoder encoder = new SCryptPasswordEncoder(8192, 16, 1, 32, 32);
SCryptPasswordEncoder tester = new SCryptPasswordEncoder(8192, 16, 1, 24, 32);
String raw = "password";
String digest = encoder.encode(raw);
System.out.println(tester.matches(raw, digest));
spring-projects-issues added the label "status: waiting-for-triage" (An issue we've not yet triaged) on May 7, 2019
rwinch added the labels "in: crypto" (An issue in spring-security-crypto) and "type: enhancement" (A general enhancement) and removed "status: waiting-for-triage" on Jun 8, 2022
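The following Python is an added illustration of the two verification strategies the issue contrasts; it is not code from the issue, and it is not Spring Security's implementation. The digest layout (`$scrypt$ln=<log2 N>,r=<r>,p=<p>$<salt>$<key>`), the function names and the use of `hashlib.scrypt` for the derivation are assumptions made for this example only and are not byte-compatible with Spring's stored format. `matches_instance_bound` recomputes the key with the verifier instance's own key length, which is the behavior the issue reports (a 24-byte digest checked by a 32-byte instance fails); `matches_digest_bound` takes every parameter, including the key length, from the stored digest, which is the behavior the issue requests, so one verifier can check digests produced with heterogeneous settings.

```python
import base64
import hashlib
import hmac
import os

# Digest layout used by this example (an assumption for illustration, NOT
# Spring Security's own format):
#   $scrypt$ln=<log2 N>,r=<r>,p=<p>$<base64 salt>$<base64 derived key>
# Every parameter needed to recompute the key travels with the digest; the
# derived-key length is implied by the length of the decoded key bytes.
PREFIX = "$scrypt$"


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    """hashlib.scrypt with a maxmem comfortably above the 128 * r * (N + p + 2)
    bytes OpenSSL needs, so realistic cost settings do not trip the default cap."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=dklen, maxmem=2 * 128 * r * (n + p + 2))


def scrypt_encode(password: str, cpu_cost: int = 8192, memory_cost: int = 16,
                  parallelization: int = 1, key_length: int = 32,
                  salt_length: int = 32, salt: bytes = None) -> str:
    """Encode as an instance configured with
    (cpuCost, memoryCost, parallelization, keyLength, saltLength) would.
    `salt` may be passed explicitly to make the result reproducible."""
    if cpu_cost < 2 or cpu_cost & (cpu_cost - 1):
        raise ValueError("cpu_cost must be a power of two")
    if salt is None:
        salt = os.urandom(salt_length)
    derived = _scrypt(password, salt, cpu_cost, memory_cost, parallelization, key_length)
    params = f"ln={cpu_cost.bit_length() - 1},r={memory_cost},p={parallelization}"
    return (PREFIX + params
            + "$" + base64.b64encode(salt).decode("ascii")
            + "$" + base64.b64encode(derived).decode("ascii"))


def _decode(digest: str):
    """Split a digest into (N, r, p, salt, derived); ValueError on malformed input."""
    if not digest.startswith(PREFIX):
        raise ValueError("not an scrypt digest")
    parts = digest[len(PREFIX):].split("$")
    if len(parts) != 3:
        raise ValueError("malformed scrypt digest")
    try:
        params = dict(kv.split("=", 1) for kv in parts[0].split(","))
        n = 1 << int(params["ln"])
        r, p = int(params["r"]), int(params["p"])
        salt = base64.b64decode(parts[1], validate=True)
        derived = base64.b64decode(parts[2], validate=True)
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed scrypt parameters") from exc
    if not derived:
        raise ValueError("empty derived key")
    return n, r, p, salt, derived


def matches_instance_bound(password: str, digest: str, instance_key_length: int) -> bool:
    """Verification as the issue describes it: cost, memory, parallelization and
    salt come from the digest, but the key length is the verifier instance's own,
    so a digest produced with a different key length can never match."""
    n, r, p, salt, derived = _decode(digest)
    candidate = _scrypt(password, salt, n, r, p, instance_key_length)
    # compare_digest returns False (rather than raising) when lengths differ
    return hmac.compare_digest(candidate, derived)


def matches_digest_bound(password: str, digest: str) -> bool:
    """Verification as the issue requests it: every parameter, including the
    key length, is read from the stored digest."""
    n, r, p, salt, derived = _decode(digest)
    candidate = _scrypt(password, salt, n, r, p, len(derived))
    return hmac.compare_digest(candidate, derived)


if __name__ == "__main__":
    d32 = scrypt_encode("password", 8192, 16, 1, 32, 32)
    d24 = scrypt_encode("password", 8192, 16, 1, 24, 32)
    print(matches_instance_bound("password", d32, 32))  # True: key lengths agree
    print(matches_instance_bound("password", d24, 32))  # False: 32-byte candidate vs 24-byte digest
    print(matches_digest_bound("password", d24))        # True: key length taken from the digest
```

The only difference between the two verifiers is the `dklen` argument; everything else is already parsed from the digest, which is why the issue's second sample (different cost and salt length, same key length) matches while the third (different key length only) does not.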