OUD - Slow Performance Using PBKDF2 Password Hashing Algorithm (Doc ID 2638407.1)

Last updated on FEBRUARY 12, 2024

Applies to:

Symptoms

To improve the security of hashed passwords, the PBKDF2-HMAC-512 storage scheme with 40K iterations and a 256bit salt was configured

It was noted with this configuration the performance of the multiple concurrent binds, response time plummets from single digit milliseconds to hundreds of milliseconds.

Internal reproduction with single bind:

Etime went up from 1 with SHA, 13 with PBKDF2 SHA 256, and 71 withPBKDF2-HMAC-512.  .

$ time ./ldapbind -p <PORT> -D <UID> -w <PASSWORD>
bind successful

real 0m0.169s
user 0m0.005s
sys 0m0.004s

$ tail -f access|grep -v SEARCH
[27/Jan/2020:10:56:23 -0700] CONNECT conn=29309 from=<IP>:<PORT> to=<IP>:<PORT> protocol=LDAP
[27/Jan/2020:10:56:23 -0700] BIND REQ conn=29309 op=0 msgID=1 type=SIMPLE dn="<DN>" version=3
[27/Jan/2020:10:56:23 -0700] BIND RES conn=29309 op=0 msgID=1 result=0 authDN="<DN>" etime=71
[27/Jan/2020:10:56:23 -0700] UNBIND REQ conn=29309 op=1 msgID=2
[27/Jan/2020:10:56:23 -0700] DISCONNECT conn=29309 reason="Client Disconnect"\

<DN>
{PBKDF2-HMAC-SHA512}<HASH> hashed password

ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config

dn: cn=PBKDF2 HMAC SHA-512,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2hmacsha512-password-storage-scheme
ds-cfg-enabled: true
cn: PBKDF2 HMAC SHA-512
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HMACSHA512PasswordStorageScheme
ds-cfg-pbkdf2hmacsha-num-salt-bytes: 256
ds-cfg-pbkdf2hmacsha-iteration-count: 40000

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.