
I'm developing some REST APIs that require HTTP basic auth to access. The APIs are written in Django, and the auth is based on the Django auth middleware, that is: it checks the username and password against the DB. The password is stored with PBKDF2.

As you can imagine, every request takes time as it is hitting the DB (even with connection pools and so on). Thus, I thought of caching the credentials (using memcache) to check them before asking the DB. The idea is to derive a key based on the BasicAuth data sent, in such a way that I can query the cache and retrieve the user info.

So far I came up with the ideas below. I have the base64 BasicAuth string and I can:

  1. Use the value as is as key for the memcache.
  2. Use a SHA1 to hash the base64 string and use that.
  3. Derive Username:Password and use as key the pbkdf2(p,u,iterations), where I encrypt the password using the username as salt. Here, I have to be careful with the iterations, otherwise it may take too much time. Empirically the iterations are < 100 to make it fast enough, which sounds a bit too low.

Even though the cache is volatile (120 s), the best solution (in terms of the trade-off between security and speed) is number 3 to me. Any input? Or can I assume that the cache is safe enough and I can use number 1 or 2, even if they are far from being safe?

Anyone that has a better/smarter solution?

Krishna Pandey
EsseTi
  • Is basic auth a hard requirement, or can you use a more standard system like user/pass, token-based, or OAuth? – Xiong Chiamiov Feb 21 '17 at 16:42
  • Well, basic auth is user/pass. I also have OAuth for some calls. Anyway, I don't think that the auth method changes much in the context of the solution, no? – EsseTi Feb 21 '17 at 16:52
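The following is an added example, not code from the question or from Django, showing a fourth way to derive the cache key that the three options above do not cover: a keyed hash (HMAC-SHA256) of the credentials under a server-side secret. Option 1 puts the plaintext credentials in the cache key, option 2 puts an unkeyed SHA-1 there that anyone who reads the cache can guess against offline, and option 3 only stays fast by weakening PBKDF2 to a handful of iterations. An HMAC costs one hash, and a dump of the cache yields nothing without the secret. All names (`CACHE_KEY_SECRET`, `USERS`, `authenticate`, `db_hit_count`, `recover_from_sha1_key`) are assumptions made for this example; the user table and the in-memory dict standing in for memcache are constructed inline so the code runs offline.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Iterable, Optional, Tuple

# Assumed configuration for this example. The secret would live in settings or
# the environment, never in the DB and never in memcache itself.
CACHE_KEY_SECRET = secrets.token_bytes(32)
CACHE_TTL_SECONDS = 120
PBKDF2_ITERATIONS = 100_000  # illustrative work factor for the stand-in password store


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed stand-in for the users table: username -> (salt, pbkdf2 hash).
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, _pbkdf2("correct horse", _alice_salt))}

_cache: dict = {}  # stand-in for memcache: key -> (expires_at, username)
_db_hits = 0       # counts expensive DB + PBKDF2 verifications


def db_hit_count() -> int:
    return _db_hits


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header, or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def cache_key(username: str, password: str) -> str:
    # Keyed hash over a delimited encoding, so "a:b" + "c" and "a" + "b:c" differ.
    msg = b"basic-auth\0" + username.encode("utf-8") + b"\0" + password.encode("utf-8")
    return "auth:" + hmac.new(CACHE_KEY_SECRET, msg, hashlib.sha256).hexdigest()


def db_verify(username: str, password: str) -> bool:
    """The slow path: PBKDF2 against the stored hash (stand-in for Django's DB check)."""
    global _db_hits
    _db_hits += 1
    record = USERS.get(username)
    if record is None:
        _pbkdf2(password, b"\0" * 16)  # burn equal work so timing does not reveal unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def authenticate(header: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated username, consulting the cache before the DB."""
    now = time.time() if now is None else now
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    username, password = creds
    key = cache_key(username, password)
    entry = _cache.get(key)
    if entry is not None and entry[0] > now:
        return entry[1]  # cache hit: no DB round trip and no PBKDF2
    _cache.pop(key, None)  # expired or absent
    if not db_verify(username, password):
        return None  # failures are never cached as successes
    _cache[key] = (now + CACHE_TTL_SECONDS, username)
    return username


def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def recover_from_sha1_key(sha1_key: str, username: str, candidates: Iterable[str]) -> Optional[str]:
    """Why option 2 is weak: an unkeyed SHA-1 of the base64 blob is an offline guessing target."""
    for guess in candidates:
        blob = base64.b64encode(f"{username}:{guess}".encode("utf-8"))
        if hashlib.sha1(blob).hexdigest() == sha1_key:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse")
    print(authenticate(hdr), db_hit_count())  # alice 1  (DB hit)
    print(authenticate(hdr), db_hit_count())  # alice 1  (cache hit)
```

Two caveats worth keeping in mind with any of these schemes: a cached entry stays valid until its TTL even after the user changes their password or is disabled, so the TTL bounds that window; and the secret has to be the same on every API node that shares the memcache, otherwise each node will miss on keys the others wrote.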

0 Answers