Authentication in Node.js
@Jason_Pearson, with code at github.com/kaeawc
About Me
• Likes to run
• Background in Scala & Node.js
• Currently playing around with Spray and Android
I’m not a crypto expert
Covered In This Talk
• Low-level HTTP app
 – github.com/kaeawc/node-http-auth-example
• Express + Passport app
 – github.com/kaeawc/node-express-auth-example
Authentication is not just a GUI
Don’t trust the client
Authentication Scheme
• Given some request parameters over http
Storing Credentials
• Some data store is required.
• Credentials must never be stored as plaintext in the database.
• They should be hashed with a unique salt.
• Read more: (http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579)
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database with validated cryptographic algorithms
Load Balanced = Stateless
• You cannot maintain state in an application server’s memory
 – App server memory needs to be reserved for processing requests.
 – This eventually results in moving state to a load balanced cache anyway.
How your app views requests
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database
• Application is load balanced over N servers, so every request must check.
PBKDF2
• Password-Based Key Derivation Function 2
• Recommended number of iterations is 10-20k
http://en.wikipedia.org/wiki/PBKDF2
Let’s Look at Some Code!
We Created a User!
About ECB vs CBC
https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
ECB = Block Cipher
• Block ciphers operate on individual blocks in the same way
CBC = Streaming Cipher
• Takes an initialization vector, or “iv”, which is used with the password on the first block to encrypt and then produce the next vector for the next block.
GCM = Galois/Counter Mode
• Example of Authenticated Encryption
 – Provides both data integrity and confidentiality
 – Depends on using a different vector with the same key
 – Can only be decrypted with the same key and vector
Read more: http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
Node & AES GCM
• https://github.com/joyent/node/pull/6317
• Support is currently being added for GCM
• Put a +1 on that issue.
So… CBC for Cookies!
We have Authentication!
References
• github.com/kaeawc/node-http-auth-example
• github.com/kaeawc/node-express-auth-example
• http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
• http://en.wikipedia.org/wiki/PBKDF2
• https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
• http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
• https://github.com/joyent/node/pull/6317
• http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256