My Oracle Support Banner

OUD - Slow Performance Using PBKDF2 Password Hashing Algorithm (Doc ID 2638407.1)

Last updated on FEBRUARY 26, 2020

Applies to:

Oracle Unified Directory - Version and later
Information in this document applies to any platform.


To improve the security of hashed passwords, the PBKDF2-HMAC-512 storage scheme with 40K iterations and a 256bit salt was configured

It was noted with this configuration the performance of the multiple concurrent binds, response time plummets from single digit milliseconds to hundreds of milliseconds.

Internal reproduction with single bind:

Etime went up from 1 with SHA, 13 with PBKDF2 SHA 256, and 71 withPBKDF2-HMAC-512.  .

$ time ./ldapbind -p <PORT> -D <UID> -w <PASSWORD>
bind successful

real 0m0.169s
user 0m0.005s
sys 0m0.004s

$ tail -f access|grep -v SEARCH
[27/Jan/2020:10:56:23 -0700] CONNECT conn=29309 from=<IP>:<PORT> to=<IP>:<PORT> protocol=LDAP
[27/Jan/2020:10:56:23 -0700] BIND REQ conn=29309 op=0 msgID=1 type=SIMPLE dn="<DN>" version=3
[27/Jan/2020:10:56:23 -0700] BIND RES conn=29309 op=0 msgID=1 result=0 authDN="<DN>" etime=71
[27/Jan/2020:10:56:23 -0700] UNBIND REQ conn=29309 op=1 msgID=2
[27/Jan/2020:10:56:23 -0700] DISCONNECT conn=29309 reason="Client Disconnect"\

{PBKDF2-HMAC-SHA512}<HASH> hashed password

ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config

dn: cn=PBKDF2 HMAC SHA-512,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2hmacsha512-password-storage-scheme
ds-cfg-enabled: true
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HMACSHA512PasswordStorageScheme
ds-cfg-pbkdf2hmacsha-num-salt-bytes: 256
ds-cfg-pbkdf2hmacsha-iteration-count: 40000




To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.