Authentication in Node.js

Post on 21-May-2015


@Jason_Pearson, with code at github.com/kaeawc

About Me

• Likes to run
• Background in Scala & Node.js
• Currently playing around with Spray and Android

I’m not a crypto expert

Covered In This Talk

• low-level http app: github.com/kaeawc/node-http-auth-example

• express + passport app: github.com/kaeawc/node-express-auth-example

Authentication is not just a GUI

Don’t trust the client

Authentication Scheme

• Given some request parameters over HTTP (username and password, a session cookie, a token), decide who is making the request.

Storing Credentials

• Some data store is required.

• Credentials must never be stored as plaintext in the database. If the database leaks, every password leaks with it.

• Passwords should be run through a slow, salted password hash (PBKDF2, bcrypt, scrypt) with a unique random salt per user, and only the salt and hash are stored.

• Read more: (http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579)

Authentication Scheme

• Given some request parameters over HTTP

• Storing user information in some database, using only well-reviewed cryptographic algorithms (no home-grown hashing)

Load Balanced = Stateless

• You cannot maintain state in an application server’s memory
– App server memory needs to be reserved for processing requests.
– Any request can land on any server, so per-server state eventually has to move to a shared, load-balanced cache anyway.

How your app views requests

Authentication Scheme

• Given some request parameters over HTTP

• Storing user information in some database

• Application is load balanced over N servers, so every request must carry proof of identity (a cookie or token) that any server can verify on its own.

PBKDF2

• Password-Based Key Derivation Function 2: repeats an HMAC over the password and salt many times so that each guess costs the attacker real CPU time.

• Recommended number of iterations is 10-20k (the guidance at the time of this talk; tune the count to the highest value your login latency tolerates and raise it as hardware gets faster, since current recommendations for PBKDF2-HMAC-SHA256 are in the hundreds of thousands).

http://en.wikipedia.org/wiki/PBKDF2

Let’s Look at Some Code!

We Created a User!

About ECB vs CBC

https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/

ECB = Electronic Codebook mode

• Each block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data show through.

CBC = Cipher Block Chaining mode

• Still a block cipher mode (not a stream cipher). Takes an initialization vector, or “iv”, which is XORed into the first plaintext block before it is encrypted with the key; each resulting ciphertext block is then XORed into the next plaintext block, so identical blocks no longer encrypt to the same output.

GCM = Galois/Counter Mode

• Example of Authenticated Encryption
– Provides both data integrity and confidentiality: the receiver gets an authentication tag and rejects anything that was modified
– The nonce (vector) must never be reused with the same key; a repeat breaks both the confidentiality and the integrity guarantees
– Can only be decrypted with the same key, nonce and tag

Read more: http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html

Node & AES GCM

• https://github.com/joyent/node/pull/6317

• Support is currently being added for GCM

• Put a +1 on that issue.

So… CBC for Cookies! (CBC alone only hides the cookie’s contents; to detect tampering, MAC the IV and ciphertext with a separate key and verify the MAC before decrypting.)

We have Authentication!