Reputation: 13637
Starting from a plain-text password and applying a BCrypt algorithm, how can I test whether it has been hashed, with the aim of performing a Java unit test?
Upvotes: 0
Views: 1238
Reputation: 8415
Using a very loose interpretation of the "properties" of cryptographic hash functions, if you have only the hashed value, you will not be able to determine what kind of hash function was used to produce it.
For ciphers and MACs there is even a special "indistinguishability" property that can be loosely interpreted in the same way. More strictly speaking, it says that, given two input values, a cipher and an output value, you can't identify whether the output corresponds to the first input or to the second input.
One of the ways to check whether a particular cryptographic function is implemented correctly, or whether particular code used a specific cryptographic function, is to have a test vector where each item completely describes all the input data and the expected output.
Applying all this to your use case: prepare a vector of items in the form of {input, bcrypt(input)} using a trusted bcrypt implementation. Create a test that submits the inputs into your system and checks that the output is equal to the expected value.
If the test fails, you will know that either the bcrypt implementation used by your system-under-test is broken or that the system-under-test does not use bcrypt at all (uses some other hash function instead of bcrypt).
If the test passes, you will know that the system-under-test uses the proper bcrypt at least for the values from your test vector.
Upvotes: 1
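The test described in the answer above, as an added example that is not part of the original post: a JUnit 5 test that uses jBCrypt (`org.mindrot.jbcrypt.BCrypt`) as the trusted implementation. `hashPassword` is a hypothetical stand-in for the system under test and the password is a constructed sample; since bcrypt stores a random salt inside its output, the second test reuses the salt from the stored hash before comparing for equality.

```java
import static org.junit.jupiter.api.Assertions.*;

import java.util.regex.Pattern;
import org.junit.jupiter.api.Test;
import org.mindrot.jbcrypt.BCrypt;

class BcryptHashingTest {

    // Modular crypt format: "$2a$"-style prefix, two-digit cost,
    // then 22 characters of salt and 31 characters of digest.
    private static final Pattern BCRYPT_FORMAT =
            Pattern.compile("^\\$2[abxy]?\\$\\d{2}\\$[./A-Za-z0-9]{53}$");

    // Hypothetical stand-in for the system under test; replace with the real call.
    static String hashPassword(String plain) {
        return BCrypt.hashpw(plain, BCrypt.gensalt(4)); // cost 4 keeps the test fast
    }

    @Test
    void outputIsABcryptHashOfTheInput() {
        String plain = "correct horse battery staple"; // constructed sample input
        String stored = hashPassword(plain);

        // The stored value must not be the plain text and must look like bcrypt.
        assertNotEquals(plain, stored);
        assertTrue(BCRYPT_FORMAT.matcher(stored).matches(), "not in bcrypt format");

        // The trusted implementation accepts the right password and rejects a wrong one.
        assertTrue(BCrypt.checkpw(plain, stored));
        assertFalse(BCrypt.checkpw(plain + "x", stored));
    }

    @Test
    void vectorComparisonMustReuseTheSalt() {
        String plain = "correct horse battery staple"; // constructed sample input
        String stored = hashPassword(plain);

        // A fresh random salt gives a different string for the same input,
        // so two independent hashes cannot be compared for equality.
        assertNotEquals(stored, hashPassword(plain));

        // Reusing the cost and salt embedded in the stored hash reproduces it exactly.
        assertEquals(stored, BCrypt.hashpw(plain, stored));
    }
}
```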