pbkdf2_hmac takes a long time in django

Question

I'm doing some profiling of a django rest framework API, and using a profiling middleware based on cProfile, I've got the following output:

Sat Mar  2 23:55:13 2019    /var/folders/jr/something

41224 function calls (40529 primitive calls) in 0.182 seconds

Ordered by: internal time

ncalls  tottime  percall  cumtime  percall filename:lineno(function)

    1    0.124    0.124    0.124    0.124 {built-in method _hashlib.pbkdf2_hmac}

   11    0.006    0.001    0.007    0.001 {method 'execute' of 'psycopg2.extensions.cursor' objects}

  252    0.003    0.000    0.003    0.000 {built-in method posix.stat}

   11    0.002    0.000    0.009    0.001 /Users/my-local-user/.pyenv/versions/3.7.0/lib/python3.7/traceback.py:312(extract)

Based on this, calling _hashlib.pbkdf2_hmac once takes almost 70% of my total execution time for a single request!

I haven't found a ton of information on this, except that it's used in openSSL - but I'm running locally without ssl.

Why is so much of my time being spent in a cryptographic function for a simple API request?

Answer 1

pbkdf2 is designed to run slow. It is by purpose hard to compute, so brute-forcing it takes a lot of time.

If you want to have profiling data without that slowness, you can tune down the number of iterations taken by this computation. See Password management in Django for more details. Remember to tune it down only for tests and profiling, because running it on low iterations count in a production environment is a security risk!