8. Storing Credentials
• Some data store is required.
• Credentials, passwords in particular, must never be stored as plaintext in the database.
• Passwords should be stored as a slow, salted hash: each one hashed with its own unique, random salt (see the PBKDF2 slide) so that two users with the same password get different hashes and a leaked table cannot be attacked with precomputed tables.
• Read more:
(http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication#477579)
9. Authentication Scheme
• Given some request parameters over HTTP
• User information is stored in some database, protected with validated, standard cryptographic algorithms rather than home-grown ones
10. Load Balanced = Stateless
• You cannot maintain session state in an application server's memory
– App server memory needs to be reserved for processing requests, not for holding sessions
– Any request may land on any server, so state kept on one of them is not there for the next request; this eventually results in moving state to a shared, load-balanced cache anyway
12. Authentication Scheme
• Given some request parameters over HTTP
• User information is stored in some database
• The application is load balanced over N servers, so every request must carry its own credential or session token and be verified independently; no server can rely on remembering an earlier request
13. PBKDF2
• Password-Based Key Derivation Function 2: iterates a keyed hash (typically HMAC-SHA-256) over the password and salt many times, so that every guess costs the attacker as much work as it costs you
• Recommended number of iterations at the time of this talk: 10-20k. The count is a tunable work factor and should be raised as hardware gets faster; current guidance (e.g. the OWASP Password Storage Cheat Sheet) is in the hundreds of thousands for PBKDF2-HMAC-SHA-256
• Store the salt, the iteration count and the derived key together, so the parameters can be raised later without breaking existing records
http://en.wikipedia.org/wiki/PBKDF2
16. About ECB vs CBC
https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
17. ECB = Electronic Codebook
• ECB is a mode of operation for a block cipher (such as AES), not a cipher of its own: every block is encrypted independently, with the same key, in the same way
• Identical plaintext blocks therefore produce identical ciphertext blocks, so structure in the data (repeated records, fixed-width fields, image rows) remains visible in the ciphertext; do not use ECB for anything longer than a single block
18. CBC = Cipher Block Chaining
• Also a block cipher mode, not a stream cipher: each plaintext block is XORed with the previous ciphertext block before it is encrypted with the key, so each ciphertext block acts as the "vector" for the next one
• The first block has no predecessor, so it is XORed with an initialization vector, or "iv", which must be unpredictable (random) and unique per message; the IV is not secret and is stored or sent alongside the ciphertext
• CBC hides repeated blocks, but neither ECB nor CBC authenticates the data: a modified ciphertext still decrypts without error (see GCM)
19. GCM = Galois/Counter Mode
• Example of Authenticated Encryption (AEAD): AES in counter mode for confidentiality plus a GHASH-based authentication tag over the ciphertext (and optional associated data) for integrity
– Provides both data integrity and confidentiality
– Depends on using a different vector (a 96-bit nonce/IV) for every message encrypted under the same key; reusing a nonce with the same key leaks the XOR of the two plaintexts and enables forgeries, so nonce reuse is the failure mode to design against
– Can only be decrypted with the same key and vector, and only if the authentication tag verifies: reject the whole message on tag failure and never act on partially decrypted data
Read more:
http://x86overflow.blogspot.com/2013/01/authenticated-encryption-using-aes-gcm.html
20. Node & AES GCM
• https://github.com/joyent/node/pull/6317
• Support for GCM (an auth tag via getAuthTag/setAuthTag on the cipher and decipher objects) was being added in that pull request at the time of this talk; it has since landed, and current Node exposes GCM through crypto.createCipheriv with an 'aes-…-gcm' cipher name
• Put a +1 on that issue.