Developer's Guide to JavaScript and Web Cryptography
Your SlideShare is downloading.
×
Check these out next
More Related Content
Slideshows for you (6)
Viewers also liked (20)
Similar to Node.js Authentication & Data Security (20)
More from Tim Messerschmidt (7)
Recently uploaded (20)
Node.js Authentication & Data Security
- 1. Tim Messerschmidt Head of Developer Relations, International Braintree @Braintree_Dev / @SeraAndroid Web European Conference Node.js Authentication & Data Security #NodeSecurity
- 2. @Braintree_Dev / @SeraAndroid#NodeSecurity + Braintree since 2013
- 3. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction_ 2. Well-known security threats 3. Data Encryption 4. Hardening Express 5. Authentication middleware 6. Great resources Content
- 4. @Braintree_Dev / @SeraAndroid#NodeSecurity The Human Element
- 5. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. 12345 2. password 3. 12345 4. 12345678 5. qwerty bit.ly/1xTwYiA Top 10 Passwords 2014 6. 123456789 7. 1234 8. baseball 9. dragon 10.football
- 6. @Braintree_Dev / @SeraAndroid#NodeSecurity 21. superman 24. batman Honorary Mention
- 7. @Braintree_Dev / @SeraAndroid#NodeSecurity Authentication & Authorization
- 8. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction 2. Well-known security threats_ 3. Data Encryption 4. Hardening Express 5. Authentication middleware 6. Great resources Content
- 9. @Braintree_Dev / @SeraAndroid#NodeSecurity OWASP Top 10bit.ly/1a3Ytvg
- 10. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Injection
- 11. @Braintree_Dev / @SeraAndroid#NodeSecurity 2. Broken Authentication
- 12. @Braintree_Dev / @SeraAndroid#NodeSecurity 3. Cross-Site Scripting XSS
- 13. @Braintree_Dev / @SeraAndroid#NodeSecurity 4. Direct Object References
- 14. @Braintree_Dev / @SeraAndroid#NodeSecurity 5. Application Misconfigured
- 15. @Braintree_Dev / @SeraAndroid#NodeSecurity 6. Sensitive Data Exposed
- 16. @Braintree_Dev / @SeraAndroid#NodeSecurity 7. Access Level Control
- 17. @Braintree_Dev / @SeraAndroid#NodeSecurity 8. Cross-site Request Forgery CSRF / XSRF
- 18. @Braintree_Dev / @SeraAndroid#NodeSecurity 9. Vulnerable Code
- 19. @Braintree_Dev / @SeraAndroid#NodeSecurity 10. REDIRECTS / FORWARDS
- 20. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction 2. Well-known security threats 3. Data Encryption_ 4. Hardening Express 5. Authentication middleware 6. Great resources Content
- 21. @Braintree_Dev / @SeraAndroid#NodeSecurity HashingMD5, SHA-1, SHA-2, SHA-3
- 22. http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
- 23. @Braintree_Dev / @SeraAndroid#NodeSecurity Efficient Hashingcrypt, scrypt, bcrypt, PBKDF2
- 24. @Braintree_Dev / @SeraAndroid#NodeSecurity 10.000 iterations user system total MD5 0.07 0.0 0.07 bcrypt 22.23 0.08 22.31 md5 vs bcrypt github.com/codahale/bcrypt-ruby
- 25. @Braintree_Dev / @SeraAndroid#NodeSecurity Hashing Using Saltalgorithm(data + salt) = hash
- 26. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction 2. Well-known security threats 3. Data Encryption 4. Hardening Express_ 5. Authentication middleware 6. Great resources Content
- 27. @Braintree_Dev / @SeraAndroid#NodeSecurity use strict
- 28. @Braintree_Dev / @SeraAndroid#NodeSecurity X-Powered-By
- 29. @Braintree_Dev / @SeraAndroid#NodeSecurity NODE-UUIDgithub.com/broofa/node-uuid
- 30. @Braintree_Dev / @SeraAndroid#NodeSecurity bcryptgithub.com/ncb000gt/node.bcrypt.js
- 31. @Braintree_Dev / @SeraAndroid#NodeSecurity A bcrypt generated Hash $2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS
- 32. @Braintree_Dev / @SeraAndroid#NodeSecurity bcrypt.hash('parmigiano', 12, function(err, hash) { // store hash }); bcrypt.compare('parmigiano', hash, function(err, res) { if (res === true) { // password matches } }); Generating a Hash using bcrypt
- 33. @Braintree_Dev / @SeraAndroid#NodeSecurity CSURFgithub.com/expressjs/csurf
- 34. @Braintree_Dev / @SeraAndroid#NodeSecurity var csrf = require('csurf'); var csrfProtection = csrf({ cookie: false }); app.get('/form', csrfProtection, function(req, res) { res.render('form', { csrfToken: req.csrfToken() }); }); app.post('/login', csrfProtection, function(req, res) { // safe to continue }); Using Csurf as middleware
- 35. @Braintree_Dev / @SeraAndroid#NodeSecurity extends layout block content h1 CSRF protection using csurf form(action="/login" method="POST") input(type="text", name="username=", value="Username") input(type="password", name="password", value="Password") input(type="hidden", name="_csrf", value="#{csrfToken}") button(type="submit") Submit Using the token in your template
- 36. @Braintree_Dev / @SeraAndroid#NodeSecurity Helmetgithub.com/HelmetJS/Helmet
- 37. @Braintree_Dev / @SeraAndroid#NodeSecurity var helmet = require(‘helmet’); app.use(helmet.noCache()); app.use(helmet.frameguard()); app.use(helmet.xssFilter()); … // .. or use the default initialization app.use(helmet()); Using Helmet with default options
- 38. @Braintree_Dev / @SeraAndroid#NodeSecurity var helmet = require(‘helmet’); app.use(helmet.noCache()); app.use(helmet.frameguard()); app.use(helmet.xssFilter()); … // .. or use the default initialization app.use(helmet()); Using Helmet with default options
- 39. @Braintree_Dev / @SeraAndroid#NodeSecurity Luscagithub.com/krakenjs/lusca
- 40. @Braintree_Dev / @SeraAndroid#NodeSecurity var lusca = require('lusca'); app.use(lusca({ csrf: true, csp: { /* ... */}, xframe: 'SAMEORIGIN', p3p: 'ABCDEF', xssProtection: true })); Applying Lusca as middleware
- 41. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction 2. Well-known security threats 3. Data Encryption 4. Hardening Express 5. Authentication middleware_ 6. Great resources Content
- 42. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Application-level 2. Route-level 3. Error-handling Types of Express Middleware
- 43. @Braintree_Dev / @SeraAndroid#NodeSecurity var authenticate = function(req, res, next) { // check the request and modify response }; app.get('/form', authenticate, function(req, res) { // assume that the user is authenticated } // … or use the middleware for certain routes app.use('/admin', authenticate); Writing Custom Middleware
- 44. @Braintree_Dev / @SeraAndroid#NodeSecurity Passportgithub.com/jaredhanson/passport
- 45. @Braintree_Dev / @SeraAndroid#NodeSecurity passport.use(new LocalStrategy(function(username, password, done) { User.findOne({ username: username }, function (err, user) { if (err) { return done(err); } if (!user) { return done(null, false, { message: 'Incorrect username.' }); } if (!user.validPassword(password)) { return done(null, false, { message: 'Incorrect password.' }); } return done(null, user); }); })); Setting up a passport strategy
- 46. @Braintree_Dev / @SeraAndroid#NodeSecurity // Simple authentication app.post('/login', passport.authenticate(‘local'), function(req, res) { // req.user contains the authenticated user res.redirect('/user/' + req.user.username); }); // Using redirects app.post('/login', passport.authenticate('local', { successRedirect: ‘/', failureRedirect: ‘/login’, failureFlash: true })); Using Passport Strategies for Authentication
- 47. @Braintree_Dev / @SeraAndroid#NodeSecurity 1. Introduction 2. Well-known security threats 3. Data Encryption 4. Hardening Express 5. Authentication middleware 6. Great resources_ Content
- 48. @Braintree_Dev / @SeraAndroid#NodeSecurity Passwordless Authmedium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
- 49. @Braintree_Dev / @SeraAndroid#NodeSecurity OWASP Node Goatgithub.com/OWASP/NodeGoat
- 50. @Braintree_Dev / @SeraAndroid#NodeSecurity Fast Identity Onlinefidoalliance.org
- 51. @Braintree_Dev / @SeraAndroid#NodeSecurity Security Beyond Current Mechanisms 1. Something you have 2. Something you know 3. Something you are
- 52. @Braintree_Dev / @SeraAndroid#NodeSecurity Favor security too much over the experience and you’ll make the website a pain to use. smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form
- 53. @SeraAndroid tim@getbraintree.com slideshare.com/paypal braintreepayments.com/developers Grazie mille!
