
Node.js Authentication and Data Security

Proper authentication and data security standards are often among the most misunderstood, confusing, and tricky aspects of building Node apps. Using open source auth techniques and proper data encryption standards, we’ll learn how to make intelligent decisions when creating a solid infrastructure to protect our users and data. We’ll dive into auth systems, data attack vectors, how to protect your systems, and common security pitfalls in Node.

jcleblanc

Presentation Transcript


  1. Node.js Authentication and Data Security
  Jonathan LeBlanc
  Twitter: @jcleblanc
  Book: http://bit.ly/iddatasecurity

  2. Identity & Data Security Book
  Release Date: August 2016
  Book Details: http://bit.ly/iddatasecurity

  3. Security is Hard

  4. Top 25 Passwords of 2015
  1: 123456
  2: password
  3: 12345678
  4: qwerty
  5: 12345
  6: 123456789
  7: football
  8: 1234
  9: 1234567
  10: baseball
  11: welcome
  12: 1234567890
  13: abc123
  14: 111111
  15: 1qaz2wsx
  16: dragon
  17: master
  18: monkey
  19: letmein
  20: login
  21: princess
  22: qwertyuiop
  23: solo
  24: passw0rd
  25: starwars

  5. Protecting Identity

  6. Password Attack Vectors

  7. Protecting Against Password Attacks

  Brute Force Attacks
  Calculate all key variations within a given length, then try each one until the password is guessed.
  Protect via: Key stretching, CAPTCHA, 2FA

  Dictionary Attacks
  Use a list of predetermined words/phrases to guess the password.
  Protect via: Salting

  Rainbow Tables
  Use precalculated tables of password hashes to look up the password behind a stored hash.
  Protect via: Salting

  8. Salting and Peppering

  9. Hashing with and without salts

  //hashing identical messages with no salt
  hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227
  hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227

  //hashing identical messages with random salt
  hash('mechagodzilla' + '458cf2979ef27397db67077775225334') =
    f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6
  hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') =
    7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866
  hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') =
    6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e

  10. Considerations when using Salts

  Storing Salts
  Store alongside the hash

  Salt Reuse
  Salts should be unique per password

  Salt Length
  Same size as hash? 64 bits? 128 bits?

  11. Password Encryption Algorithms

  bcrypt
  Designed for password security, based on the blowfish cipher, CPU & RAM intensive.

  PBKDF2
  Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.

  scrypt
  Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory

  12. Hashing with bcrypt

  var bcrypt = require('bcrypt');

  app.post("/register", function(req, res){
    //capture user login information
    var username = req.body.username;
    var password = req.body.password;

    //generate salt, then hash (cost factor 10 = 2^10 rounds)
    bcrypt.genSalt(10, function(err, salt) {
      if (err) throw err;
      bcrypt.hash(password, salt, function(err, key) {
        if (err) throw err;
        //bcrypt returns strings; the salt is embedded in the hash string
        console.log('key: ' + key);
        console.log('salt: ' + salt);
        //store username and key in your database
      });
    });
  });

  13. Login Hash Comparison with bcrypt

  var bcrypt = require('bcrypt');

  app.post("/login", function(req, res){
    //capture user login information
    var username = req.body.username;
    var password = req.body.password;

    //fetch user record from database
    //required info: stored hash
    var hash = 'USER RECORD HASH FROM YOUR DATABASE';

    //compare password from login to stored user hash
    bcrypt.compare(password, hash, function(err, isMatch){
      if (err) throw err;
      //isMatch is true or false
    });
  });

  14. Hashing with PBKDF2

  var crypto = require('crypto');

  app.post("/register", function(req, res){
    //capture user login information
    var username = req.body.username;
    var password = req.body.password;

    //generate salt, then hash
    crypto.randomBytes(32, function(err, salt){
      if (err) throw err;
      //4096 iterations, 512-byte derived key, SHA-256 as the HMAC digest
      crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){
        if (err) throw err;
        //store username, hashed password (key), and salt in your database
      });
    });
  });

  15. Login Hash Comparison with PBKDF2

  var crypto = require('crypto');

  app.post("/login", function(req, res){
    //capture user login information
    var username = req.body.username;
    var password = req.body.password;

    //stored values from the user record (placeholders; key stored hex encoded)
    var dbsalt = 'USER RECORD SALT FROM YOUR DATABASE';
    var dbhash = 'USER RECORD KEY FROM YOUR DATABASE';

    //generate hash with login attempt, then compare to stored user hash
    //(same salt, iterations, key length and digest as at registration)
    crypto.pbkdf2(password, dbsalt, 4096, 512, 'sha256', function(err, comparehash){
      if (err) throw err;
      var stored = Buffer.from(dbhash, 'hex');
      //constant-time comparison: a plain === leaks how many leading bytes matched
      if (stored.length === comparehash.length && crypto.timingSafeEqual(stored, comparehash)){
        //passwords match
      } else {
        //passwords don't match
      }
    });
  });

  16. Refreshing Hashes

  17. Protecting Data

  18. Ideal Scenario: SSL/TLS

  19. Certificate Types
  Domain Validation (DV)
  Certificate authority (CA) validates domain access only

  20. Certificate Types
  Organization Validation (OV)
  CA validates DV and basic organization information

  21. Certificate Types
  Extended Validation (EV)
  CA validates DV, OV, and legal existence of the organization

  22. Generate your self-signed certificate and private key

  # generate an unencrypted (-nodes) private key and a self-signed certificate valid for 1 year
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

  23. Setting up Express server for HTTPS traffic

  //package requirements
  var fs = require('fs'),
      https = require('https'),
      querystring = require('querystring'),
      bodyParser = require('body-parser'),
      app = require('express')();

  //support JSON & URL encoded bodies
  app.use(bodyParser.json());
  app.use(bodyParser.urlencoded({
    extended: true
  }));

  24. Setting up Express server for HTTPS traffic

  //handle all POST requests
  app.post('/', function (req, res){
    var message = req.body;
    res.send('Message received: ' + querystring.stringify(message));
  });

  //set certificate options
  var options = {
    key: fs.readFileSync('server.key'),
    cert: fs.readFileSync('server.crt'),
    passphrase: 'YOUR KEY PASSWORD' //only needed if server.key is encrypted (it is not when generated with -nodes)
  };

  //create server with certificate options
  https.createServer(options, app).listen(3000, function () {
    console.log('Server started: Listening on port 3000');
  });

  25. Symmetric Cryptography

  26. Single User Environment

  27. Modes of Operation

  Encryption (ECB, CBC, OFB, CFB, CTR)
  Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.

  Authentication (CMAC)
  Data authenticity mode. Receiver can validate whether cleartext came from intended sender.

  Authenticated Encryption (CCM, GCM, KW/KWP/TKW)
  Includes both data privacy and authenticity.

  28. Configuring and encrypting message

  var crypto = require('crypto');

  var text = "Encryption Testing AES";
  var key = crypto.randomBytes(32); //256 bit shared secret
  var iv = crypto.randomBytes(16); //initialization vector - 16 bytes
  var algorithm = 'aes-256-ctr'; //cipher and mode of operation

  //encrypt (createCipheriv takes the key and IV directly; createCipher would
  //derive a key from a password and ignore the IV)
  var cipher = crypto.createCipheriv(algorithm, key, iv);
  var encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  console.log("Encrypted: " + encrypted);

  29. Decrypting ciphertext

  //----
  // data sent to server: ciphertext (encrypted var) and iv
  // data known by server: key
  //----

  //cipher and mode of operation: must match what was used to encrypt
  var algorithm = 'aes-256-ctr';

  //decrypt
  var decipher = crypto.createDecipheriv(algorithm, key, iv);
  var decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  console.log("Decrypted: " + decrypted);

  30. Security Fundamentals Wrapup

  31. Thank You!

  Slides: http://slideshare.net/jcleblanc
  Jonathan LeBlanc
  Twitter: @jcleblanc
  Book: http://bit.ly/iddatasecurity
