SlideShare a Scribd company logo
1 of 35
Download to read offline
Node.js Authentication
and Data Security!
Jonathan LeBlanc !
Twitter: @jcleblanc !
Book: http://bit.ly/iddatasecurity!
Release Date:!
August 2016!
!
Book Details:!
http://bit.ly/iddatasecurity!
Identity & Data Security Book!
Security is Hard!
1: 123456 !
2: password !
3: 12345678 !
4: qwerty !
5: 12345 !
6: 123456789!
7: football!
8: 1234!
9: 1234567!
Top 25 Passwords of 2015!
10: baseball!
11: welcome!
12: 1234567890!
13: abc123!
14: 111111!
15: 1qaz2wsx!
16: dragon!
17: master!
18: monkey!
19: letmein!
20: login!
21: princess!
22: qwertyuiop!
23: solo!
24: passw0rd!
25: starwars!
Node.js Authentication and Data Security
Protecting Identity!
Password Attack Vectors!
Brute Force Attacks!
Calculate all key variations within a given length, then
trying each one until the password is guessed. !
Protect via: Key stretching, CAPTCHA, 2FA!
!
Dictionary Attacks!
Use a list of predetermined words/phrase to guess password.!
Protect via: Salting!
!
Rainbow Tables!
Use precalculated password hashes to break encryption.!
Protect via: Salting !
Protecting Against Password Attacks!
Salting and Peppering!
//hashing identical messages with no salt!
hash('mechagodzilla') = !
162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227!
hash('mechagodzilla') = !
162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227!
!
//hashing identical messages with random salt!
hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = !
f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6!
hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = !
7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866!
hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = !
6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e!
Hashing with and without salts!
Storing Salts!
Store alongside the hash!
!
Salt Reuse!
Salts should be be unique per password!
!
Salt Length!
Same size as hash? 64 bits? 128 bits?!
Considerations when using Salts!
bcrypt!
Designed for password security, based on the blowfish
cipher, CPU & RAM intensive.!
!
PBKDF2!
Comes from RSA laboratories, performs the HMAC (hash +
key) over a specific number of iterations.!
!
scrypt!
Designed to make it costly to perform large-scale
hardware attacks by requiring large amounts of memory!
Password Encryption Algorithms!
!
var bcrypt = require('bcrypt');!
!
app.post("/register", function(req, res){!
//capture user login information!
var username = req.body.username;!
var password = req.body.password;!
!
//generate salt, then hash!
bcrypt.genSalt(10, function(err, salt) {!
bcrypt.hash(password, salt, function(err, key) {!
console.log('key: ' + key.toString('hex'));!
console.log('salt: ' + salt.toString('hex'));!
});!
});!
});!
!
Hashing with bcrypt!
!
var bcrypt = require('bcrypt');!
!
app.post("/login", function(req, res){!
//capture user login information!
var username = req.body.username;!
var password = req.body.password;!
!
//fetch user record from database !
//required info: stored hash!
!
//compare password from login to stored user hash!
bcrypt.compare(password, hash, function(err, res){!
//returns true or false!
});!
});!
!
Login Hash Comparison with bcrypt!
!
var crypto = require('crypto');!
!
app.post("/register", function(req, res){!
//capture user login information!
var username = req.body.username;!
var password = req.body.password;!
!
//generate salt, then hash!
crypto.randomBytes(32, function(ex, salt){!
crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){!
if (err) throw err;!
//store username, hashed password, and salt in your database!
});!
});!
});!
!
Hashing with PBKDF2!
!
var crypto = require('crypto');!
!
app.post("/login", function(req, res){!
//capture user login information!
var username = req.body.username;!
var password = req.body.password;!
!
var dbsalt = 'USER RECORD SALT FROM YOUR DATABASE';!
var dbhash = 'USER RECORD KEY FROM YOUR DATABASE';!
!
//generate hash with login attempt, then compare to stored user hash!
crypto.pbkdf2(password, dbsalt, 4096, 512, 'sha256', function(err, comparehash){!
if (err) throw err;!
if (dbhash.toString('hex') === comparehash.toString('hex')){ !
//passwords match!
} else { !
//passwords don't match!
}!
});!
});!
!
Login Hash Comparison with PBKDF2!
Refreshing Hashes!
Protecting Data!
Ideal Scenario: SSL/TLS!
Domain Validation (DV)!
Certificate authority (CA) validates domain
access only!
Certificate Types!
Organization
Validation (OV)!
!
CA validates DV and
basic organization
information!
Certificate Types!
Extended Validation (EV)!
CA validates DV, OV, and legal existance of
the organization!
Certificate Types!
Node.js Authentication and Data Security
//generate private key and self-signed certificate valid for 1 year!
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out
server.crt!
Generate your self-signed certificate and private key!
//package requirements!
var fs = require('fs'),!
https = require('https'),!
querystring = require('querystring'),!
bodyParser = require('body-parser')!
app = require('express')();!
!
//support JSON & URL encoded bodies!
app.use(bodyParser.json()); !
app.use(bodyParser.urlencoded({ !
extended: true!
})); !
Setting up Express server for HTTPS traffic!
//handle all POST requests!
app.post('/', function (req, res){!
var message = req.body;!
res.send('Message received:' + querystring.stringify(message));!
});!
!
//set certificate options!
var options = {!
key: fs.readFileSync('server.key'),!
cert: fs.readFileSync('server.crt'),!
passphrase: 'YOUR KEY PASSWORD' !
};!
!
//create server with certificate options!
https.createServer(options, app).listen(3000, function () {!
console.log('Server started: Listening on port 3000');!
});!
Setting up Express server for HTTPS traffic!
Node.js Authentication and Data Security
Synchronous Cryptography!
Node.js Authentication and Data Security
Single User Environment!
Encryption (ECB, CBC, OFB, CFB, CTR)!
Data privacy and confidentiality mode. Attacker
cannot obtain info on the plaintext data.!
!
Authentication(CMAC)!
Data authenticity mode. Receiver can validate
whether cleartext came from intended sender.!
!
Authenticated Encryption (CCM, GCM, KW/KWP/TKW)!
Includes both data privacy and authenticity.!
Modes of Operation!
var crypto = require('crypto');!
!
var text = "Encryption Testing AES";!
var key = crypto.randomBytes(32); //256 bit shared secret!
var iv = crypto.randomBytes(16); //initialization vector - 16 bytes!
var algorithm = 'aes-256-ctr'; //cypher and mode of operation!
!
//encrypt!
var cipher = crypto.createCipher(algorithm, key, iv);!
var encrypted = cipher.update(text, 'utf8', 'hex');!
encrypted += cipher.final('hex');!
console.log("Encrypted: " + encrypted);!
Configuring and encrypting message!
//----!
// data sent to server: ciphertext (encrypted var)!
// data known by server: key!
//----!
!
//cypher and mode of operation!
var algorithm = 'aes-256-gcm'; !
!
//decrypt!
var decipher = crypto.createDecipher(algorithm, key, iv);!
var decrypted = decipher.update(encrypted, 'hex', 'utf8');!
decrypted += decipher.final('utf8');!
console.log("Decrypted: " + decrypted);!
Decrypting ciphertext!
Security Fundamentals Wrapup!
Thank You!!
!
Slides: http://slideshare.net/jcleblanc!
Jonathan LeBlanc !
Twitter: @jcleblanc !
Book: http://bit.ly/iddatasecurity!

More Related Content

What's hot

Getting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkGetting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkSarah Sexton
 
Word Play in the Digital Age: Building Text Bots with Tracery
Word Play in the Digital Age: Building Text Bots with TraceryWord Play in the Digital Age: Building Text Bots with Tracery
Word Play in the Digital Age: Building Text Bots with TracerySarah Sexton
 
Automated Testing
Automated TestingAutomated Testing
Automated TestingSpeed FC
 
MongoDB shell games: Here be dragons .. and JavaScript!
MongoDB shell games: Here be dragons .. and JavaScript!MongoDB shell games: Here be dragons .. and JavaScript!
MongoDB shell games: Here be dragons .. and JavaScript!Stennie Steneker
 
Cool usage of Encoding and Decoding a URI in Javascript
Cool usage of Encoding and Decoding a URI in JavascriptCool usage of Encoding and Decoding a URI in Javascript
Cool usage of Encoding and Decoding a URI in JavascriptIdeas2IT Technologies
 
DEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allDEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allFelipe Prado
 
Keep It Simple Security (Symfony cafe 28-01-2016)
Keep It Simple Security (Symfony cafe 28-01-2016)Keep It Simple Security (Symfony cafe 28-01-2016)
Keep It Simple Security (Symfony cafe 28-01-2016)Oleg Zinchenko
 
NodeJS The edge of Reason - Lille fp#6
NodeJS The edge of Reason - Lille fp#6NodeJS The edge of Reason - Lille fp#6
NodeJS The edge of Reason - Lille fp#6Thomas Haessle
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AEScgvwzq
 
WordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal MeetupWordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal MeetupVeselin Nikolov
 
Forbes MongoNYC 2011
Forbes MongoNYC 2011Forbes MongoNYC 2011
Forbes MongoNYC 2011djdunlop
 
DevLOVE ターミナル勉強会 zsh + screen
DevLOVE ターミナル勉強会 zsh + screenDevLOVE ターミナル勉強会 zsh + screen
DevLOVE ターミナル勉強会 zsh + screenYozo SATO
 
Craig Brown speaks on ElasticSearch
Craig Brown speaks on ElasticSearchCraig Brown speaks on ElasticSearch
Craig Brown speaks on ElasticSearchimarcticblue
 

What's hot (20)

Couchdb w Ruby'm
Couchdb w Ruby'mCouchdb w Ruby'm
Couchdb w Ruby'm
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015
 
Redis
RedisRedis
Redis
 
Getting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot FrameworkGetting Started with Microsoft Bot Framework
Getting Started with Microsoft Bot Framework
 
Word Play in the Digital Age: Building Text Bots with Tracery
Word Play in the Digital Age: Building Text Bots with TraceryWord Play in the Digital Age: Building Text Bots with Tracery
Word Play in the Digital Age: Building Text Bots with Tracery
 
Automated Testing
Automated TestingAutomated Testing
Automated Testing
 
MongoDB shell games: Here be dragons .. and JavaScript!
MongoDB shell games: Here be dragons .. and JavaScript!MongoDB shell games: Here be dragons .. and JavaScript!
MongoDB shell games: Here be dragons .. and JavaScript!
 
Cool usage of Encoding and Decoding a URI in Javascript
Cool usage of Encoding and Decoding a URI in JavascriptCool usage of Encoding and Decoding a URI in Javascript
Cool usage of Encoding and Decoding a URI in Javascript
 
DEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them allDEF CON 23 - Phil Polstra - one device to pwn them all
DEF CON 23 - Phil Polstra - one device to pwn them all
 
CGI.pm - 3ло?!
CGI.pm - 3ло?!CGI.pm - 3ло?!
CGI.pm - 3ло?!
 
Keep It Simple Security (Symfony cafe 28-01-2016)
Keep It Simple Security (Symfony cafe 28-01-2016)Keep It Simple Security (Symfony cafe 28-01-2016)
Keep It Simple Security (Symfony cafe 28-01-2016)
 
NodeJS The edge of Reason - Lille fp#6
NodeJS The edge of Reason - Lille fp#6NodeJS The edge of Reason - Lille fp#6
NodeJS The edge of Reason - Lille fp#6
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Human Talks Riot.js
Human Talks Riot.jsHuman Talks Riot.js
Human Talks Riot.js
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AES
 
WordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal MeetupWordPress Security @ Vienna WordPress + Drupal Meetup
WordPress Security @ Vienna WordPress + Drupal Meetup
 
Forbes MongoNYC 2011
Forbes MongoNYC 2011Forbes MongoNYC 2011
Forbes MongoNYC 2011
 
DevLOVE ターミナル勉強会 zsh + screen
DevLOVE ターミナル勉強会 zsh + screenDevLOVE ターミナル勉強会 zsh + screen
DevLOVE ターミナル勉強会 zsh + screen
 
Craig Brown speaks on ElasticSearch
Craig Brown speaks on ElasticSearchCraig Brown speaks on ElasticSearch
Craig Brown speaks on ElasticSearch
 
One Size Fits All
One Size Fits AllOne Size Fits All
One Size Fits All
 

Similar to Node.js Authentication and Data Security

I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Penetration Testing with Improved Input Vector Identification
Penetration Testing with Improved Input Vector IdentificationPenetration Testing with Improved Input Vector Identification
Penetration Testing with Improved Input Vector IdentificationShauvik Roy Choudhary, Ph.D.
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security Joel Lord
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasLoiane Groner
 
Webinar AWS 201 Delivering apps without servers
Webinar AWS 201 Delivering apps without serversWebinar AWS 201 Delivering apps without servers
Webinar AWS 201 Delivering apps without serversAmazon Web Services
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...(Web Application Design track) "Liquid Stream Processing across Web Browsers ...
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...icwe2015
 
Roll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaRoll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaJon Moore
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECloudIDSummit
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!2600Hz
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No CashYorick Phoenix
 
Building a real life application in node js
Building a real life application in node jsBuilding a real life application in node js
Building a real life application in node jsfakedarren
 
Going realtime with Socket.IO
Going realtime with Socket.IOGoing realtime with Socket.IO
Going realtime with Socket.IOChristian Joudrey
 
Finding Restfulness - Madrid.rb April 2014
Finding Restfulness - Madrid.rb April 2014Finding Restfulness - Madrid.rb April 2014
Finding Restfulness - Madrid.rb April 2014samlown
 

Similar to Node.js Authentication and Data Security (20)

I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Penetration Testing with Improved Input Vector Identification
Penetration Testing with Improved Input Vector IdentificationPenetration Testing with Improved Input Vector Identification
Penetration Testing with Improved Input Vector Identification
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
 
Webinar AWS 201 Delivering apps without servers
Webinar AWS 201 Delivering apps without serversWebinar AWS 201 Delivering apps without servers
Webinar AWS 201 Delivering apps without servers
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...(Web Application Design track) "Liquid Stream Processing across Web Browsers ...
(Web Application Design track) "Liquid Stream Processing across Web Browsers ...
 
Roll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and LuaRoll Your Own API Management Platform with nginx and Lua
Roll Your Own API Management Platform with nginx and Lua
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSE
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!
 
JavaScript Promise
JavaScript PromiseJavaScript Promise
JavaScript Promise
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No Cash
 
Es.next
Es.nextEs.next
Es.next
 
Transforming WebSockets
Transforming WebSocketsTransforming WebSockets
Transforming WebSockets
 
Building a real life application in node js
Building a real life application in node jsBuilding a real life application in node js
Building a real life application in node js
 
Going realtime with Socket.IO
Going realtime with Socket.IOGoing realtime with Socket.IO
Going realtime with Socket.IO
 
Finding Restfulness - Madrid.rb April 2014
Finding Restfulness - Madrid.rb April 2014Finding Restfulness - Madrid.rb April 2014
Finding Restfulness - Madrid.rb April 2014
 

More from Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsJonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessJonathan LeBlanc
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer WorkshopJonathan LeBlanc
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security PracticesJonathan LeBlanc
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI ElementsJonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingJonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyJonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityJonathan LeBlanc
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsJonathan LeBlanc
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesJonathan LeBlanc
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and TrendsJonathan LeBlanc
 

More from Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
 
BattleHack Los Angeles
BattleHack Los Angeles BattleHack Los Angeles
BattleHack Los Angeles
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with Beacons
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & Wearables
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and Trends
 
Rebuilding Commerce
Rebuilding CommerceRebuilding Commerce
Rebuilding Commerce
 

Recently uploaded

Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 

Recently uploaded (20)

Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 

Node.js Authentication and Data Security

  • 1. Node.js Authentication and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
  • 2. Release Date:! August 2016! ! Book Details:! http://bit.ly/iddatasecurity! Identity & Data Security Book!
  • 4. 1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top 25 Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
  • 8. Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
  • 10. //hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
  • 11. Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
  • 12. bcrypt! Designed for password security, based on the blowfish cipher, CPU & RAM intensive.! ! PBKDF2! Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.! ! scrypt! Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! Password Encryption Algorithms!
  • 13. ! var bcrypt = require('bcrypt');! ! app.post("/register", function(req, res){! //capture user login information! var username = req.body.username;! var password = req.body.password;! ! //generate salt, then hash! bcrypt.genSalt(10, function(err, salt) {! bcrypt.hash(password, salt, function(err, key) {! console.log('key: ' + key.toString('hex'));! console.log('salt: ' + salt.toString('hex'));! });! });! });! ! Hashing with bcrypt!
  • 14. ! var bcrypt = require('bcrypt');! ! app.post("/login", function(req, res){! //capture user login information! var username = req.body.username;! var password = req.body.password;! ! //fetch user record from database ! //required info: stored hash! ! //compare password from login to stored user hash! bcrypt.compare(password, hash, function(err, res){! //returns true or false! });! });! ! Login Hash Comparison with bcrypt!
  • 15. ! var crypto = require('crypto');! ! app.post("/register", function(req, res){! //capture user login information! var username = req.body.username;! var password = req.body.password;! ! //generate salt, then hash! crypto.randomBytes(32, function(ex, salt){! crypto.pbkdf2(password, salt, 4096, 512, 'sha256', function(err, key){! if (err) throw err;! //store username, hashed password, and salt in your database! });! });! });! ! Hashing with PBKDF2!
  • 16. ! var crypto = require('crypto');! ! app.post("/login", function(req, res){! //capture user login information! var username = req.body.username;! var password = req.body.password;! ! var dbsalt = 'USER RECORD SALT FROM YOUR DATABASE';! var dbhash = 'USER RECORD KEY FROM YOUR DATABASE';! ! //generate hash with login attempt, then compare to stored user hash! crypto.pbkdf2(password, dbsalt, 4096, 512, 'sha256', function(err, comparehash){! if (err) throw err;! if (dbhash.toString('hex') === comparehash.toString('hex')){ ! //passwords match! } else { ! //passwords don't match! }! });! });! ! Login Hash Comparison with PBKDF2!
  • 20. Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types!
  • 21. Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types!
  • 22. Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types!
  • 24. //generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
  • 25. //package requirements! var fs = require('fs'),! https = require('https'),! querystring = require('querystring'),! bodyParser = require('body-parser')! app = require('express')();! ! //support JSON & URL encoded bodies! app.use(bodyParser.json()); ! app.use(bodyParser.urlencoded({ ! extended: true! })); ! Setting up Express server for HTTPS traffic!
  • 26. //handle all POST requests! app.post('/', function (req, res){! var message = req.body;! res.send('Message received:' + querystring.stringify(message));! });! ! //set certificate options! var options = {! key: fs.readFileSync('server.key'),! cert: fs.readFileSync('server.crt'),! passphrase: 'YOUR KEY PASSWORD' ! };! ! //create server with certificate options! https.createServer(options, app).listen(3000, function () {! console.log('Server started: Listening on port 3000');! });! Setting up Express server for HTTPS traffic!
  • 31. Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
  • 32. var crypto = require('crypto');! ! var text = "Encryption Testing AES";! var key = crypto.randomBytes(32); //256 bit shared secret! var iv = crypto.randomBytes(16); //initialization vector - 16 bytes! var algorithm = 'aes-256-ctr'; //cypher and mode of operation! ! //encrypt! var cipher = crypto.createCipher(algorithm, key, iv);! var encrypted = cipher.update(text, 'utf8', 'hex');! encrypted += cipher.final('hex');! console.log("Encrypted: " + encrypted);! Configuring and encrypting message!
  • 33. //----! // data sent to server: ciphertext (encrypted var)! // data known by server: key! //----! ! //cypher and mode of operation! var algorithm = 'aes-256-gcm'; ! ! //decrypt! var decipher = crypto.createDecipher(algorithm, key, iv);! var decrypted = decipher.update(encrypted, 'hex', 'utf8');! decrypted += decipher.final('utf8');! console.log("Decrypted: " + decrypted);! Decrypting ciphertext!
  • 35. Thank You!! ! Slides: http://slideshare.net/jcleblanc! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!