OUD - Slow Performance Using PBKDF2 Password Hashing Algorithm
(Doc ID 2638407.1)
Last updated on FEBRUARY 12, 2024
Applies to:
Oracle Unified Directory - Version 12.2.1.3.0 and later
Information in this document applies to any platform.
Symptoms
To improve the security of hashed passwords, the PBKDF2-HMAC-SHA512 storage scheme was configured with 40K iterations and a 256-bit salt.
With this configuration, under multiple concurrent binds, bind response time plummets from single-digit milliseconds to hundreds of milliseconds.
Internal reproduction with single bind:
Etime went up from 1 with SHA, to 13 with PBKDF2-HMAC-SHA256, and 71 with PBKDF2-HMAC-SHA512.
$ time ./ldapbind -p <PORT> -D <UID> -w <PASSWORD>
bind successful
real 0m0.169s
user 0m0.005s
sys 0m0.004s
$ tail -f access|grep -v SEARCH
[27/Jan/2020:10:56:23 -0700] CONNECT conn=29309 from=<IP>:<PORT> to=<IP>:<PORT> protocol=LDAP
[27/Jan/2020:10:56:23 -0700] BIND REQ conn=29309 op=0 msgID=1 type=SIMPLE dn="<DN>" version=3
[27/Jan/2020:10:56:23 -0700] BIND RES conn=29309 op=0 msgID=1 result=0 authDN="<DN>" etime=71
[27/Jan/2020:10:56:23 -0700] UNBIND REQ conn=29309 op=1 msgID=2
[27/Jan/2020:10:56:23 -0700] DISCONNECT conn=29309 reason="Client Disconnect"
The bound entry <DN> stores its hashed password as:
{PBKDF2-HMAC-SHA512}<HASH>
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config
dn: cn=PBKDF2 HMAC SHA-512,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2hmacsha512-password-storage-scheme
ds-cfg-enabled: true
cn: PBKDF2 HMAC SHA-512
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HMACSHA512PasswordStorageScheme
ds-cfg-pbkdf2hmacsha-num-salt-bytes: 256
ds-cfg-pbkdf2hmacsha-iteration-count: 40000
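The etime jump above follows from PBKDF2 verification re-running the whole derivation on every bind. This added example (not part of the Oracle note) measures that per-bind CPU cost with Python's hashlib at the note's 40000 iterations and 256-byte salt, and extracts etime from BIND RES access-log lines so the same comparison can be made server-side; it assumes hashlib's PBKDF2 is a fair stand-in for OUD's Java implementation.

```python
import hashlib
import os
import re
import statistics
import time

# Values taken from the OUD configuration shown in the note.
ITERATIONS = 40000
SALT_BYTES = 256  # ds-cfg-pbkdf2hmacsha-num-salt-bytes


def pbkdf2_bind_cost_ms(digest, iterations=ITERATIONS, salt_bytes=SALT_BYTES, rounds=5):
    """Median wall-clock milliseconds to verify one password with PBKDF2-HMAC-<digest>.

    A simple bind must redo the full derivation, so this is the CPU the
    directory spends per bind, successful or not. Assumption: hashlib's
    PBKDF2 costs about the same as the server's Java implementation.
    """
    salt = os.urandom(salt_bytes)
    password = b"constructed-sample-password"  # constructed, not from the note
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(digest, password, salt, iterations)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


# Matches the BIND RES lines in the note's access-log excerpt.
BIND_RES_RE = re.compile(r"\bBIND RES\b.*?\bresult=(\d+)\b.*?\betime=(\d+)")


def bind_etimes(access_log_lines):
    """Return the etime of every BIND RES line, to spot a jump after a scheme change."""
    etimes = []
    for line in access_log_lines:
        match = BIND_RES_RE.search(line)
        if match:
            etimes.append(int(match.group(2)))
    return etimes


# Log lines copied from the note's access-log excerpt.
SAMPLE_ACCESS_LOG = [
    '[27/Jan/2020:10:56:23 -0700] BIND REQ conn=29309 op=0 msgID=1 type=SIMPLE dn="<DN>" version=3',
    '[27/Jan/2020:10:56:23 -0700] BIND RES conn=29309 op=0 msgID=1 result=0 authDN="<DN>" etime=71',
    '[27/Jan/2020:10:56:23 -0700] UNBIND REQ conn=29309 op=1 msgID=2',
]

if __name__ == "__main__":
    for digest in ("sha256", "sha512"):
        print(f"PBKDF2-HMAC-{digest.upper()} x{ITERATIONS}: {pbkdf2_bind_cost_ms(digest):.1f} ms per bind")
    print("BIND RES etimes:", bind_etimes(SAMPLE_ACCESS_LOG))
```

Multiply the per-bind figure by the expected concurrent bind rate to size CPU before raising the iteration count further.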
Changes
Cause