1 Reply Latest reply on May 5, 2011 6:33 PM by danielfjb

    HMAC_SHA1 encryption using TOTP (javax.crypto.MAC) performance problems in SPARC


      Hi, I'm trying to implement a method to synchronize TOTP cards. In case the server clock and the card clock were different. So I generate a lot of TOTP keys in case to compare it with the real key so at the end I get both of the times in the server. That works in x86 (Sunfire x2200) perfectly and does not take a lot of time doing that (like 2 minutes generating 800000 keys). But when I test it on Oracle BM SPARC (T1000 LDOM 1.1) takes I lot of time. I did all kind of profiling stuff but all point to the method of the generation the TOTP in the HMAC_SHA1.


      here is the code (based on JBoss 6 OTP implementation)


      public synchronized static String generateTOTP(String key, String time,  int returnDigits, String crypto) throws GeneralSecurityException {

                          String result = null;

                          byte[] hash;

                          // Using the counter

                          // First 8 bytes are for the movingFactor

                          // Complaint with base RFC 4226 (HOTP)

                          while(time.length() < 16 ) {

                                    time = "0" + time;


                          // Get the HEX in a Byte[]

                          byte[] msg = hexStr2Bytes(time);

                          // Adding one byte to get the right conversion

                          byte[] k = hexStr2Bytes(key);

                          hash = hmac_sha1(crypto, k, msg);

                          // put selected bytes into result int

                          int offset = hash[hash.length - 1] & 0xf;

                          int binary =

                                    ((hash[offset] & 0x7f) << 24) |

                                    ((hash[offset + 1] & 0xff) << 16) |

                                    ((hash[offset + 2] & 0xff) << 8) |

                                    (hash[offset + 3] & 0xff);

                          int otp = binary % DIGITS_POWER[ returnDigits ];

                          result = Integer.toString(otp);

                          while (result.length() < returnDigits ) {

                                    result = "0" + result;


                          return result;





      private static byte[] hmac_sha1(String crypto, byte[] keyBytes, byte[] text) throws GeneralSecurityException {

                          Mac hmac;

                          hmac = Mac.getInstance(crypto);

                          SecretKeySpec macKey = new SecretKeySpec(keyBytes, "RAW");


                          return hmac.doFinal(text);




      I need help either to use another library or finding the right configuration for the SPARC.



      It is supposed the code runs max. one time per user in production, that depends in the synchronization between the server clock and the OTP card clock.

      Basically the algorithm takes two consecutive keys (each 30 seconds the password changes) from the user, saving the time (server clock) for each one when the user clicks next. With both keys the server look up at what time (in server clock) the key has been generated. Performing a simple subtraction I can get the difference of times when the user generates the otp and when the server generates it.


      The algorithm simply look up five days ago, and five days further the same key each 30 simulated seconds, and reports the time when it founds an equal key. It's a brute force search, but in this case I really don't know how to do it differently.


      So the problem is in the type of server, because in the x86 runs the synchronization in 3 minutes or less, but in the SPARC takes 30 minutes or maybe more. It should be some native code that has problems with this implementation of javax.crypto.Mac


      Hope I do make my self clear


      Thanks in advance to everybody.

        • 1. HMAC_SHA1 encryption using TOTP (javax.crypto.MAC) performance problems in SPARC

          I found the problem.


          In the SPARC the java.security (jre/lib/security) the priority encryption provider has performance problems. I put that with the less priority of the list. Run it again and it works just like in the x86.



          Actually they have a configuration file related to the security Provider listing some algotithms, excluding them for performance problems. They need to add the HMAC_SHA1