Fixed #21253 -- PBKDF2 with cached HMAC key #1638
Conversation
This gives a 2x speed increase and removes the ability to DoS with large passwords. Sorry this is my hello world for Python, and I don't even know how to run it. It probably works but you should test it.
|
Hi @Sc00bz, thank you for you pull request, we are already aware of this. For the next time please report security sensitive stuff to security@djangoproject.com like outlined in https://djangoproject.com/security/ |
|
Just thought I would let you know that I benchmarked this code vs #1653 and this code is about 50% faster (84.6 ms vs 125 ms for 10,000 iterations). So you might want to reconsider this. Also I checked that it gives the same output. |
|
Hi Steve, thx will take a look at it. Could you provide your
|
|
Ok, I think the copy saves a few cpu cycles every round. That said, getting rid of _cached_hmac completely and unrolling it into the main function might be a bit faster too, I doubt that later is worth it though. I am waiting for feedback from our security guys to see if they can see any issues with your implementation (I personally can't find one) |
|
This takes around 20 seconds to run: http://pastebin.com/kaxN2pV3 The reason this is faster is with HMAC if you don't cache the results from the inner and outer pads those need to be recalculated each time. This does 20,002 SHA256 blocks vs 40,000 SHA256 blocks for 10,000 iterations of PBKDF2. |
|
Rebased to apply cleanly: #1724 |
This gives a 2x speed increase and removes the ability to DoS with large passwords.
Sorry this is my hello world for Python, and I don't even know how to run it. It probably works but you should test it.
https://code.djangoproject.com/ticket/21253