Authentication in Node.js
@Jason_Pearson
with code at github.com/kaeawc
About Me
• Likes to run
• Background in Scala & Node.js
• Currently playing around with Spray and Android

I’m not a crypto expert

Covered In This Talk
• low level http app
– github.com/kaeawc/node-http-auth-example
• express + passport app
– github.com/kaeawc/node-express-auth-example

Authentication is not just a GUI

Don’t trust the client

Authentication Scheme
• Given some request parameters over http
Storing Credentials
• Some data store is required.
• A credential should never be stored as plaintext in the database.
• Passwords should be hashed with a unique, random salt per user and a deliberately slow password hash (PBKDF2, covered below), so that a leaked table cannot be reversed quickly or with a precomputed table.
• Read more: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database with validated cryptographic algorithms
Load Balanced = Stateless
• You cannot maintain state in an application server’s memory
– App server memory needs to be reserved for processing requests.
– With more than one server behind a load balancer, a session held in one server’s memory is invisible to the others, so state ends up in a shared, load-balanced cache anyway.
How your app views requests
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database
• Application is load balanced over N servers, so every request must carry something any server can verify on its own (a session identifier looked up in shared storage, or a cookie the server can decrypt and check), and every request must be checked.
PBKDF2
• Password-Based Key Derivation Function 2
• Recommended number of iterations was 10-20k at the time of this talk; the iteration count is a tunable cost that should be raised as hardware gets faster, so store it alongside the salt and hash rather than hard-coding it.
• http://en.wikipedia.org/wiki/PBKDF2
Let’s Look at Some Code!

We Created a User!

About ECB vs CBC
https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
ECB = Electronic Codebook mode
• A mode of operation for a block cipher, not a cipher itself: every 16-byte block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and the structure of the data leaks.

CBC = Cipher Block Chaining mode
• Also a block-cipher mode, not a stream cipher. It takes an initialization vector, or “iv”, which is XORed into the first plaintext block before that block is encrypted with the key; each resulting ciphertext block is then XORed into the next plaintext block, so repeated plaintext no longer produces repeated ciphertext.
• The iv must be unpredictable and fresh for every message, and CBC provides confidentiality only: nothing detects a modified ciphertext, so flipping bits in the iv or in a ciphertext block changes the decrypted plaintext without the key.
GCM = Galois/Counter Mode
• Example of Authenticated Encryption
– Provides both data integrity and confidentiality: decryption checks an authentication tag, and any modified ciphertext is rejected instead of silently decrypting to altered plaintext.
– Depends on using a different nonce (iv) for every message under the same key; reusing a nonce with the same key breaks both confidentiality and the integrity guarantee.
– Can only be decrypted with the same key and nonce, and only if the tag verifies.
• Read more: http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
Node & AES GCM
• https://github.com/joyent/node/pull/6317
• Support was being added for GCM at the time of this talk; current Node releases expose it through crypto.createCipheriv('aes-256-gcm', …) with getAuthTag()/setAuthTag().
• Put a +1 on that issue.
So… CBC for Cookies!
• With GCM not yet available, CBC was the talk’s choice for encrypting the cookie. Because CBC has no integrity check, the ciphertext must also be authenticated, for example with an HMAC over the iv and ciphertext, verified in constant time before decrypting; otherwise the client can modify the cookie.
We have Authentication!
References
• github.com/kaeawc/node-http-auth-example
• github.com/kaeawc/node-express-auth-example
• http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
• http://en.wikipedia.org/wiki/PBKDF2
• https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
• http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
• https://github.com/joyent/node/pull/6317
• http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256