SlideShare ist ein Scribd-Unternehmen logo

Authentication in Node.js

Als PPTX, PDF herunterladen
Jason Pearson
Jason Pearson
TechnologieBildung
1 von 23
Authentication in Node.js @Jason_Pearson with code at github.com/kaeawc
About Me • Likes to run • Background in Scala & Node.js • Currently playing around with Spray and Android
I’m not a crypto expert
Covered In This Talk • low level http app – github.com/kaeawc/node-http-auth-example • express + passport app – github.com/kaeawc/node-express-auth-example
Authentication is not just a GUI
Don’t trust the client
Authentication Scheme • Given some request parameters over http
Storing Credentials • Some data store is required. • Any credential should never be stored as plaintext in the database. • They should be hashed with a unique salt. • Read more: (http://stackoverflow.com/questions/549/thedefinitive-guide-to-form-based-websiteauthentication#477579)
Authentication Scheme • Given some request parameters over http • Storing user information in some database with validated cryptographic algorithms
Load Balanced = Stateless • You cannot maintain state in an application server’s memory – App server memory needs to be reserved for processing requests. – This eventually results in moving state to a load balanced cache anyway.
How your app views requests
Authentication Scheme • Given some request parameters over http • Storing user information in some database • Application is load balanced over N servers, so every request must check.
PBKDF2 • Password-Based Key Derivation Function 2 • Recommended number of iterations is 10-20k http://en.wikipedia.org/wiki/PBKDF2
Lets Look at Some Code!
We Created a User!
About ECB vs CBC https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
ECB = Block Cipher • Block ciphers operate on individual blocks in the same way
CBC = Streaming Cipher • Takes an initialization vector, or “iv”, which is used with the password on the first block to encrypt and then produce the next vector for the next block.
GCM = Galois/Counter Mode • Example of Authenticated Encryption – Provides both data integrity and confidentiality – Depends on using a different vector with the same key – Can only be decrypted with the same key and vector Read more: http://x86overflow.blogspot.com/2013/01/authenticatedencryption-using-aes-gcm.html
Node & AES GCM • https://github.com/joyent/node/pull/6317 • Support is currently being added for GCM • Put a +1 on that issue.
So… CBC for Cookies!
We have Authentication!
References • github.com/kaeawc/node-http-auth-example • github.com/kaeawc/node-express-auth-example • http://stackoverflow.com/questions/549/the-definitiveguide-to-form-based-website-authentication#477579 • http://en.wikipedia.org/wiki/PBKDF2 • https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/ • http://x86overflow.blogspot.com/2013/01/authenticated -encryption-using-aes-gcm.html • https://github.com/joyent/node/pull/6317 • http://security.stackexchange.com/questions/3959/reco mmended-of-iterations-when-using-pkbdf2-sha256

Empfohlen

JSConf Asia: Node.js Authentication and Data Security
JSConf Asia: Node.js Authentication and Data SecurityJSConf Asia: Node.js Authentication and Data Security
JSConf Asia: Node.js Authentication and Data SecurityTim Messerschmidt
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityTim Messerschmidt
 
Node.js Authentication & Data Security
Node.js Authentication & Data SecurityNode.js Authentication & Data Security
Node.js Authentication & Data SecurityTim Messerschmidt
 
DWS Mobile Payments Workshop
DWS Mobile Payments WorkshopDWS Mobile Payments Workshop
DWS Mobile Payments WorkshopTim Messerschmidt
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend frameworkGeorge Mihailov
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
Implementing security routines with zf2
Implementing security routines with zf2Implementing security routines with zf2
Implementing security routines with zf2Er Galvão Abbott
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 

Empfohlen

JSConf Asia: Node.js Authentication and Data Security
JSConf Asia: Node.js Authentication and Data SecurityJSConf Asia: Node.js Authentication and Data Security
JSConf Asia: Node.js Authentication and Data SecurityTim Messerschmidt
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityTim Messerschmidt
 
Node.js Authentication & Data Security
Node.js Authentication & Data SecurityNode.js Authentication & Data Security
Node.js Authentication & Data SecurityTim Messerschmidt
 
DWS Mobile Payments Workshop
DWS Mobile Payments WorkshopDWS Mobile Payments Workshop
DWS Mobile Payments WorkshopTim Messerschmidt
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend frameworkGeorge Mihailov
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
Implementing security routines with zf2
Implementing security routines with zf2Implementing security routines with zf2
Implementing security routines with zf2Er Galvão Abbott
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Skyrocketing Web APIs
Skyrocketing Web APIsSkyrocketing Web APIs
Skyrocketing Web APIsDaniel Cerecedo
 
GWT
GWTGWT
GWTyuvalb
 
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...David Kaneda
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWebDave Bouwman
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone InteractivityEric Steele
 
Selenium for-ops
Selenium for-opsSelenium for-ops
Selenium for-opsŁukasz Proszek
 
AEM responsive
AEM responsiveAEM responsive
AEM responsiveDamien Antipa
 
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...IT Event
 
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015Matt Raible
 
EnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend CodeEnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend CodeMarcel Birkner
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityJoe Walker
 
Building an HTML5 Video Player
Building an HTML5 Video PlayerBuilding an HTML5 Video Player
Building an HTML5 Video PlayerJim Jeffers
 
Javascript talk1
Javascript talk1Javascript talk1
Javascript talk1Pratik Kunpara
 
State of the resource timing api
State of the resource timing apiState of the resource timing api
State of the resource timing apiAaron Peters
 
Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...Andreas Bovens
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django applicationDjangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django applicationMasashi Shibata
 
Vaadin with Java EE 7
Vaadin with Java EE 7Vaadin with Java EE 7
Vaadin with Java EE 7Peter Lehto
 
High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)Nicholas Zakas
 
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.Ilse Michiels
 
At Begin, URL Handling and REST
At Begin, URL Handling and RESTAt Begin, URL Handling and REST
At Begin, URL Handling and RESTBrian Loomis
 

Weitere ähnliche Inhalte

Was ist angesagt?

Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...David Kaneda
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWebDave Bouwman
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone InteractivityEric Steele
 
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...IT Event
 
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015Matt Raible
 
EnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend CodeEnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend CodeMarcel Birkner
 
Building an HTML5 Video Player
Building an HTML5 Video PlayerBuilding an HTML5 Video Player
Building an HTML5 Video PlayerJim Jeffers
 
State of the resource timing api
State of the resource timing apiState of the resource timing api
State of the resource timing apiAaron Peters
 
Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...Andreas Bovens
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django applicationDjangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django applicationMasashi Shibata
 
Vaadin with Java EE 7
Vaadin with Java EE 7Vaadin with Java EE 7
Vaadin with Java EE 7Peter Lehto
 
High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)Nicholas Zakas
 

Was ist angesagt? (20)

Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Skyrocketing Web APIs
Skyrocketing Web APIsSkyrocketing Web APIs
Skyrocketing Web APIs
 
GWT
GWTGWT
GWT
 
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
How to Develop a Rich, Native-quality User Experience for Mobile Using Web St...
 
Usability in the GeoWeb
Usability in the GeoWebUsability in the GeoWeb
Usability in the GeoWeb
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone Interactivity
 
Selenium for-ops
Selenium for-opsSelenium for-ops
Selenium for-ops
 
AEM responsive
AEM responsiveAEM responsive
AEM responsive
 
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
Oleh Zasadnyy "Progressive Web Apps: line between web and native apps become ...
 
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015
 
EnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend CodeEnterJS 2015 - Continuous Integration for Frontend Code
EnterJS 2015 - Continuous Integration for Frontend Code
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Building an HTML5 Video Player
Building an HTML5 Video PlayerBuilding an HTML5 Video Player
Building an HTML5 Video Player
 
Javascript talk1
Javascript talk1Javascript talk1
Javascript talk1
 
State of the resource timing api
State of the resource timing apiState of the resource timing api
State of the resource timing api
 
Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...Responsive design: techniques and tricks to prepare your websites for the mul...
Responsive design: techniques and tricks to prepare your websites for the mul...
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django applicationDjangoアプリのデプロイに関するプラクティス / Deploy django application
Djangoアプリのデプロイに関するプラクティス / Deploy django application
 
Vaadin with Java EE 7
Vaadin with Java EE 7Vaadin with Java EE 7
Vaadin with Java EE 7
 
High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)High Performance JavaScript (CapitolJS 2011)
High Performance JavaScript (CapitolJS 2011)
 

Andere mochten auch

Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.Ilse Michiels
 
At Begin, URL Handling and REST
At Begin, URL Handling and RESTAt Begin, URL Handling and REST
At Begin, URL Handling and RESTBrian Loomis
 
Why vREST?
Why vREST?Why vREST?
Why vREST?vrest_io
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently40+ tips to use Postman more efficiently
40+ tips to use Postman more efficientlypostmanclient
 

Andere mochten auch (8)

Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
Presentatie GVNL tijdens Leisure & Sport Totaal, 2009.
 
At Begin, URL Handling and REST
At Begin, URL Handling and RESTAt Begin, URL Handling and REST
At Begin, URL Handling and REST
 
The scaling story of Postman
The scaling story of PostmanThe scaling story of Postman
The scaling story of Postman
 
Why vREST?
Why vREST?Why vREST?
Why vREST?
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
 
RESTful API Design, Second Edition
RESTful API Design, Second EditionRESTful API Design, Second Edition
RESTful API Design, Second Edition
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently40+ tips to use Postman more efficiently
40+ tips to use Postman more efficiently
 

Ähnlich wie Authentication in Node.js

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetJ.D. Wade
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008ClubHack
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes WorkloadsJim Bugwadia
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINXDockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINXKevin Jones
 
Ntu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncNtu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncAeshan Wijetunge
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
Building & Testing Scalable Rails Applications
Building & Testing Scalable Rails ApplicationsBuilding & Testing Scalable Rails Applications
Building & Testing Scalable Rails Applicationsevilmike
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescueMarko Heijnen
 
Open Policy Agent for governance as a code
Open Policy Agent for governance as a code Open Policy Agent for governance as a code
Open Policy Agent for governance as a code Alexander Tokarev
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 

Ähnlich wie Authentication in Node.js (20)

Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side Controls
 
Securing Kubernetes Workloads
Securing Kubernetes WorkloadsSecuring Kubernetes Workloads
Securing Kubernetes Workloads
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINXDockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
 
Ntu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncNtu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & Async
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Building & Testing Scalable Rails Applications
Building & Testing Scalable Rails ApplicationsBuilding & Testing Scalable Rails Applications
Building & Testing Scalable Rails Applications
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescue
 
Open Policy Agent for governance as a code
Open Policy Agent for governance as a code Open Policy Agent for governance as a code
Open Policy Agent for governance as a code
 
REST APIs
REST APIsREST APIs
REST APIs
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application Technologies
 

Kürzlich hochgeladen

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Authentication in Node.js

  • 2. About Me • Likes to run • Background in Scala & Node.js • Currently playing around with Spray and Android
  • 3. I’m not a crypto expert
  • 4. Covered In This Talk • low level http app – github.com/kaeawc/node-http-auth-example • express + passport app – github.com/kaeawc/node-express-auth-example
  • 7. Authentication Scheme • Given some request parameters over http
  • 8. Storing Credentials • Some data store is required. • Any credential should never be stored as plaintext in the database. • They should be hashed with a unique salt. • Read more: (http://stackoverflow.com/questions/549/thedefinitive-guide-to-form-based-websiteauthentication#477579)
  • 9. Authentication Scheme • Given some request parameters over http • Storing user information in some database with validated cryptographic algorithms
  • 10. Load Balanced = Stateless • You cannot maintain state in an application server’s memory – App server memory needs to be reserved for processing requests. – This eventually results in moving state to a load balanced cache anyway.
  • 11. How your app views requests
  • 12. Authentication Scheme • Given some request parameters over http • Storing user information in some database • Application is load balanced over N servers, so every request must check.
  • 13. PBKDF2 • Password-Based Key Derivation Function 2 • Recommended number of iterations is 10-20k http://en.wikipedia.org/wiki/PBKDF2
  • 14. Lets Look at Some Code!
  • 15. We Created a User!
  • 16. About ECB vs CBC https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
  • 17. ECB = Block Cipher • Block ciphers operate on individual blocks in the same way
  • 18. CBC = Streaming Cipher • Takes an initialization vector, or “iv”, which is used with the password on the first block to encrypt and then produce the next vector for the next block.
  • 19. GCM = Galois/Counter Mode • Example of Authenticated Encryption – Provides both data integrity and confidentiality – Depends on using a different vector with the same key – Can only be decrypted with the same key and vector Read more: http://x86overflow.blogspot.com/2013/01/authenticatedencryption-using-aes-gcm.html
  • 20. Node & AES GCM • https://github.com/joyent/node/pull/6317 • Support is currently being added for GCM • Put a +1 on that issue.
  • 21. So… CBC for Cookies!
  • 23. References • github.com/kaeawc/node-http-auth-example • github.com/kaeawc/node-express-auth-example • http://stackoverflow.com/questions/549/the-definitiveguide-to-form-based-website-authentication#477579 • http://en.wikipedia.org/wiki/PBKDF2 • https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/ • http://x86overflow.blogspot.com/2013/01/authenticated -encryption-using-aes-gcm.html • https://github.com/joyent/node/pull/6317 • http://security.stackexchange.com/questions/3959/reco mmended-of-iterations-when-using-pkbdf2-sha256