Opened 6 years ago · Closed 6 years ago · Last modified 5 years ago

#25395 closed Cleanup/optimization (needsinfo)

Add an optional dependency on python-fastpbkdf2

Reported by: Terry Chia
Owned by: nobody
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Someday/Maybe
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I maintain python-fastpbkdf2, a hashlib.pbkdf2_hmac-compatible interface that's around 3 times faster on CPython and more than 10x faster on PyPy.

This is the benchmark I use:

#!/usr/bin/bash

echo "Benchmark hashlib..."
python -m timeit -n 100 -s "from hashlib import pbkdf2_hmac" "pbkdf2_hmac('sha1', b'password', b'salt', 100000)"

echo "Benchmark fastpbkdf2..."
python -m timeit -n 100 -s "from fastpbkdf2 import pbkdf2_hmac" "pbkdf2_hmac('sha1', b'password', b'salt', 100000)"

On CPython 3.4.1,

$ ./bench.sh
Benchmark hashlib...
100 loops, best of 3: 60.2 msec per loop
Benchmark fastpbkdf2...
100 loops, best of 3: 20.3 msec per loop

On PyPy 2.6.0:

$ ./bench.sh
Benchmark hashlib...
100 loops, best of 3: 242 msec per loop
Benchmark fastpbkdf2...
100 loops, best of 3: 19.2 msec per loop

A faster PBKDF2 implementation improves security because a higher work factor can be used for the same amount of computing power.

I propose adding an optional dependency on python-fastpbkdf2, à la how Django depends on bcrypt, and modifying the code to prefer python-fastpbkdf2's implementation whenever it's available, with a fallback to the current hashlib.pbkdf2_hmac and pure Python code.

If this idea seems favourable to the Django maintainers, I have a patch ready for review.
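The pattern the description proposes (prefer the fast backend when it imports, fall back to hashlib otherwise) together with the two checks a maintainer would want around it, as an added example that is not code from the ticket, from python-fastpbkdf2 or from Django: the selected backend must reproduce the published RFC 6070 PBKDF2-HMAC-SHA1 vectors before it is trusted, and the speed gained should be converted into a higher iteration count by calibrating against a time budget, which is the security argument made above. It assumes Python 3 and that an installed fastpbkdf2 exposes the same pbkdf2_hmac(name, password, salt, iterations[, dklen]) signature as hashlib, as the description states; the function names and the "pbkdf2_<alg>$<iterations>$<salt>$<hash>" layout are illustrative choices, not Django's implementation.

```python
"""Optional fast PBKDF2 backend with hashlib fallback, plus the checks that
should accompany it. Added illustration, not code from the ticket, from
python-fastpbkdf2 or from Django; assumes Python 3 and that an installed
fastpbkdf2 exposes the same pbkdf2_hmac signature as hashlib."""
import base64
import hashlib
import hmac
import time

# Published PBKDF2-HMAC-SHA1 test vectors from RFC 6070:
# (password, salt, iterations, dkLen, expected derived key as hex)
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
]


def select_backend():
    """Return (callable, name): fastpbkdf2.pbkdf2_hmac if importable,
    otherwise hashlib.pbkdf2_hmac. This is the optional-dependency pattern
    the ticket proposes; the import is the only place the two paths differ."""
    try:
        from fastpbkdf2 import pbkdf2_hmac  # optional dependency, assumed installed
        return pbkdf2_hmac, "fastpbkdf2"
    except ImportError:
        return hashlib.pbkdf2_hmac, "hashlib"


PBKDF2_HMAC, BACKEND_NAME = select_backend()


def backend_matches_standard(func=None):
    """True only if `func` reproduces every RFC 6070 vector.

    Run this once at startup. A faster backend that diverged from the
    standard would not merely be slower to notice: every stored hash would
    stop verifying, or a weaker derivation would verify the wrong thing."""
    func = PBKDF2_HMAC if func is None else func
    for password, salt, rounds, dklen, expected in RFC6070_VECTORS:
        derived = func("sha1", password, salt, rounds, dklen)
        if not hmac.compare_digest(derived.hex(), expected):
            return False
    return True


def encode_password(password, salt, iterations, algorithm="sha256"):
    """Encode as 'pbkdf2_<alg>$<iterations>$<salt>$<base64 hash>'.

    The layout mirrors the general shape of Django's PBKDF2 hasher output so
    the example is recognisable; it is an illustration, not Django's code.
    Whichever backend was selected above produces the hash."""
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = PBKDF2_HMAC(algorithm, password.encode("utf-8"), salt.encode("utf-8"), iterations)
    encoded = base64.b64encode(digest).decode("ascii").strip()
    return "pbkdf2_%s$%d$%s$%s" % (algorithm, iterations, salt, encoded)


def check_password(password, encoded):
    """Re-derive with the parameters stored in `encoded` and compare in
    constant time, so a mismatch does not leak where the hashes diverge."""
    tag, iterations, salt, _ = encoded.split("$", 3)
    algorithm = tag[len("pbkdf2_"):]
    candidate = encode_password(password, salt, int(iterations), algorithm)
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))


def calibrate_iterations(target_seconds=0.1, algorithm="sha256", probe=10000, floor=1000):
    """Turn a per-hash time budget into an iteration count for the selected
    backend: time `probe` iterations, then scale linearly. This is how a
    faster implementation becomes a higher work factor rather than just
    faster logins."""
    start = time.perf_counter()
    PBKDF2_HMAC(algorithm, b"calibration", b"fixed-probe-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(floor, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    assert backend_matches_standard(), "%s backend fails RFC 6070 vectors" % BACKEND_NAME
    print("backend:", BACKEND_NAME)
    print("iterations for a 100 ms budget:", calibrate_iterations(0.1))
    stored = encode_password("correct horse", "randomsalt16byte", 100000)
    print(stored)
    print(check_password("correct horse", stored), check_password("wrong", stored))
```

The vector check is deliberately the first thing that runs: an optional dependency in the password-hashing path is only acceptable if its output is bit-for-bit identical to the standard library's, since existing stored hashes must keep verifying after the swap. The calibration helper should be run on the deployment hardware, not on a developer laptop, because the resulting iteration count is what actually sets the attacker's cost.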

Change History (5)

comment:1 Changed 6 years ago by Tim Graham

Has patch: unset

Are your improvements suitable for inclusion in Python itself? It seems better to pursue that course of action to me. My initial reaction is reluctance to add a dependency in a security sensitive area, especially for a project which is only 1 month old. You can write to the DevelopersMailingList to get more feedback.

comment:2 in reply to: 1 Changed 6 years ago by Terry Chia

Replying to timgraham:

> Are your improvements suitable for inclusion in Python itself? It seems better to pursue that course of action to me. My initial reaction is reluctance to add a dependency in a security sensitive area, especially for a project which is only 1 month old. You can write to the DevelopersMailingList to get more feedback.

I'm not sure if it's suitable for inclusion into Python itself as I'm not a core dev. Even if it is, it won't benefit Python 2.7 or PyPy users (who gain the most from this library).

I understand the hesitation to add a dependency on a new project. If it's any help, I take test coverage very seriously: the project is currently at 100% coverage and is tested against the standard PBKDF2 vectors. The bindings rely on CFFI, which is what the bcrypt dependency is also currently using. The C library itself is about 400 or so lines of pretty readable C if anyone would like to review it.

I'll write to the list seeking further feedback in a few days.

comment:3 Changed 6 years ago by Tim Graham

Triage Stage: Unreviewed → Someday/Maybe

comment:4 Changed 6 years ago by Tim Graham

Resolution: → needsinfo
Status: new → closed

I think the follow up on the mailing list hasn't happened yet.
