Authentication in Node.js
@Jason_Pearson
with code at github.com/kaeawc
About Me
• Likes to run
• Background in Scala & Node.js
• Currently playing around with Spray and Android
I’m not a crypto expert
Covered In This Talk
• low level http app
– github.com/kaeawc/node-http-auth-example

• express + passport app
– github.com/kaeawc/node-express-auth-example
Authentication is not just a GUI
Don’t trust the client
Authentication Scheme
• Given some request parameters over http
Storing Credentials
• Some data store is required.
• No credential should ever be stored as plaintext in the database.
• They should be hashed with a unique salt.
• Read more:
http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database
with validated cryptographic algorithms
Load Balanced = Stateless
• You cannot maintain state in an application server’s memory
– App server memory needs to be reserved for processing requests.
– This eventually results in moving state to a load balanced cache anyway.
How your app views requests
Authentication Scheme
• Given some request parameters over http
• Storing user information in some database
• Application is load balanced over N servers, so every request must be checked on its own.
PBKDF2
• Password-Based Key Derivation Function 2
• Recommended number of iterations is 10-20k
http://en.wikipedia.org/wiki/PBKDF2
Let’s Look at Some Code!
We Created a User!
About ECB vs CBC

https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
ECB = Block Cipher
• Block ciphers operate on individual blocks in the same way
CBC = Streaming Cipher
• Takes an initialization vector, or “iv”, which is used with the password on the first block to encrypt and then produce the next vector for the next block.
GCM = Galois/Counter Mode
• Example of Authenticated Encryption
– Provides both data integrity and confidentiality
– Depends on never reusing a vector under the same key
– Can only be decrypted with the same key and vector
Read more:
http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
Node & AES GCM
• https://github.com/joyent/node/pull/6317
• Support is currently being added for GCM
• Put a +1 on that issue.
So… CBC for Cookies!
We have Authentication!
References
• github.com/kaeawc/node-http-auth-example
• github.com/kaeawc/node-express-auth-example
• http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579
• http://en.wikipedia.org/wiki/PBKDF2
• https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
• http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
• https://github.com/joyent/node/pull/6317
• http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
