Authentication in Node.js
Download as PPTX, PDF4 likes3,675 views
The document discusses authentication in Node.js applications. It covers using HTTP authentication in a low-level HTTP app and Express with Passport. It emphasizes that authentication is about more than just the GUI and stresses not trusting the client. It discusses storing credentials with hashing and salts, keeping applications stateless when load balanced, and comparing authentication schemes like ECB, CBC, and GCM encryption. Code examples demonstrate creating a user and implementing authentication.
Authentication in Node.js
- 1. Authentication in Node.js @Jason_Pearson with code at github.com/kaeawc
- 2. About Me • Likes to run • Background in Scala & Node.js • Currently playing around with Spray and Android
- 3. I’m not a crypto expert
- 4. Covered In This Talk • low level http app – github.com/kaeawc/node-http-auth-example • express + passport app – github.com/kaeawc/node-express-auth-example
- 5. Authentication is not just a GUI
- 6. Don’t trust the client
- 7. Authentication Scheme • Given some request parameters over http
- 8. Storing Credentials • Some data store is required. • Any credential should never be stored as plaintext in the database. • They should be hashed with a unique salt. • Read more: (http://stackoverflow.com/questions/549/thedefinitive-guide-to-form-based-websiteauthentication#477579)
- 9. Authentication Scheme • Given some request parameters over http • Storing user information in some database with validated cryptographic algorithms
- 10. Load Balanced = Stateless • You cannot maintain state in an application server’s memory – App server memory needs to be reserved for processing requests. – This eventually results in moving state to a load balanced cache anyway.
- 11. How your app views requests
- 12. Authentication Scheme • Given some request parameters over http • Storing user information in some database • Application is load balanced over N servers, so every request must check.
- 13. PBKDF2 • Password-Based Key Derivation Function 2 • Recommended number of iterations is 10-20k http://en.wikipedia.org/wiki/PBKDF2
- 14. Lets Look at Some Code!
- 15. We Created a User!
- 16. About ECB vs CBC https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
- 17. ECB = Block Cipher • Block ciphers operate on individual blocks in the same way
- 18. CBC = Streaming Cipher • Takes an initialization vector, or “iv”, which is used with the password on the first block to encrypt and then produce the next vector for the next block.
- 19. GCM = Galois/Counter Mode • Example of Authenticated Encryption – Provides both data integrity and confidentiality – Depends on using a different vector with the same key – Can only be decrypted with the same key and vector Read more: http://x86overflow.blogspot.com/2013/01/authenticatedencryption-using-aes-gcm.html
- 20. Node & AES GCM • https://github.com/joyent/node/pull/6317 • Support is currently being added for GCM • Put a +1 on that issue.
- 21. So… CBC for Cookies!
- 23. References • github.com/kaeawc/node-http-auth-example • github.com/kaeawc/node-express-auth-example • http://stackoverflow.com/questions/549/the-definitiveguide-to-form-based-website-authentication#477579 • http://en.wikipedia.org/wiki/PBKDF2 • https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/ • http://x86overflow.blogspot.com/2013/01/authenticated -encryption-using-aes-gcm.html • https://github.com/joyent/node/pull/6317 • http://security.stackexchange.com/questions/3959/reco mmended-of-iterations-when-using-pkbdf2-sha256