Authentication in Node.js

Published on SlideShare in: Technology, Education

  1. Authentication in Node.js @Jason_Pearson with code at github.com/kaeawc
  2. About Me • Likes to run • Background in Scala & Node.js • Currently playing around with Spray and Android
  3. I'm not a crypto expert
  4. Covered In This Talk • low level http app – github.com/kaeawc/node-http-auth-example • express + passport app – github.com/kaeawc/node-express-auth-example
  5. Authentication is not just a GUI
  6. Don't trust the client
  7. Authentication Scheme • Given some request parameters over HTTP
  8. Storing Credentials • Some data store is required. • A credential must never be stored as plaintext in the database. • Store a salted hash instead, with a unique random salt per credential, so two users with the same password get different hashes and a precomputed table is useless. • Read more: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
  9. Authentication Scheme • Given some request parameters over HTTP • Storing user information in some database, using validated cryptographic algorithms
  10. Load Balanced = Stateless • You cannot maintain state in an application server's memory – App server memory needs to be reserved for processing requests. – A request can land on any server, so per-server state eventually has to move into a shared, load-balanced cache anyway.
  11. How your app views requests
  12. Authentication Scheme • Given some request parameters over HTTP • Storing user information in some database • Application is load balanced over N servers, so every request must carry its own credential (a sealed cookie or a token) and every server must check it.
  13. PBKDF2 • Password-Based Key Derivation Function 2 • A deliberately slow, salted hash: many iterations of an HMAC over the password and salt; the iteration count is the work factor. • The talk recommends 10-20k iterations; store the count alongside the hash so it can be raised as hardware gets faster. http://en.wikipedia.org/wiki/PBKDF2
  14. Let's Look at Some Code!
  15. We Created a User!
  16. About ECB vs CBC https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
  17. ECB = Electronic Codebook mode • Each block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data show through.
  18. CBC = Cipher Block Chaining mode • Still a block-cipher mode, not a stream cipher. Takes a random initialization vector, or "iv", which is XORed into the first plaintext block before encryption with the key; each ciphertext block is then XORed into the next plaintext block, so repeated plaintext no longer repeats in the ciphertext. • The iv must be unpredictable per message and travels with the ciphertext; it is not secret.
  19. GCM = Galois/Counter Mode • Example of Authenticated Encryption – Provides both data integrity and confidentiality – Requires a nonce (vector) that is never reused under the same key; a repeated nonce breaks both confidentiality and the authentication key – Decryption only succeeds, and the tag only verifies, with the same key and nonce Read more: http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
  20. Node & AES GCM • https://github.com/joyent/node/pull/6317 • Support for GCM is currently being added to Node's crypto module in that pull request. • Put a +1 on that issue.
  21. So… CBC for Cookies! • CBC alone gives confidentiality but not integrity: a client can flip bits in the iv or ciphertext and the server will decrypt a message it never issued. A CBC-encrypted cookie therefore also needs a MAC (HMAC over iv and ciphertext, verified before decrypting) to do what GCM does in one step.
  22. We have Authentication!
  23. References • github.com/kaeawc/node-http-auth-example • github.com/kaeawc/node-express-auth-example • http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579 • http://en.wikipedia.org/wiki/PBKDF2 • https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/ • http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html • https://github.com/joyent/node/pull/6317 • http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
