Authentication using public-key cryptography with NodeJS — Part 1

Michel Kansou
4 min read · Jan 6, 2020


Before we dive deep into the code 🤖, I will explain first what we currently use to grant the user access to a resource.

First, why do we do this?

Because we need to know that the connected user is who she claims to be (authentication) and whether or not the user should have access to a given resource (authorization).

Authentication

Authentication is the mechanism that confirms the identity of users trying to access a system. In order for users to be granted access to a resource, they must first prove that they are who they claim to be. Generally, this is handled by passing a key with each request, often called an access token (e.g., a JWT, JSON Web Token). The server verifies that the access token is genuine and that the user does indeed have the required privileges to access the requested resource. Only then is the request granted.

The most common way to grant a user an access token is a password challenge.

The current state of Passwords

Assume passwords are stored as one-way hashes 🙃 and that each user chooses a long random password for every app (which is not the general case), so that even if a malicious intruder obtains access to the users database, he won’t easily get the users’ passwords.

Once your database is leaked, passwords are vulnerable to multiple attacks:

  • Rainbow tables
  • Brute force
  • Passwords stolen from third parties

Rainbow tables

Rainbow tables are pre-computed tables used to look up passwords using stolen hashes. There are rainbow tables that exist today that can discover almost every possible password up to 14 characters for hashing algorithms like MD5 or SHA-1!

One defense against rainbow tables is password salting.

A salt is a sequence of random characters that gets paired with a password during the hashing process.
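
The effect of a per-user salt, as an added example that is not part of the original article: two users with the same password get different stored values, so one pre-computed table no longer covers both. The function names, the choice of scrypt and the `salt:hash` storage format are assumptions made for this illustration.

```javascript
// Added example: salted password hashing with Node's built-in crypto module.
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

const KEYLEN = 32; // bytes of derived key stored per user (assumed value)

// Unsalted fast hash: the same password always gives the same digest,
// which is exactly what a pre-computed lookup table relies on.
function unsaltedSha1(password) {
  return createHash('sha1').update(password).digest('hex');
}

// Salted, deliberately slow hash. The salt is stored next to the hash;
// it is not secret, it only has to be random and unique per user.
function hashPassword(password) {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, KEYLEN);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  if (!saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length !== KEYLEN) return false; // reject malformed records
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), KEYLEN);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// Constructed sample: two users who picked the same password.
function saltingDemo() {
  const pw = 'correct horse battery staple';
  const alice = hashPassword(pw);
  const bob = hashPassword(pw);
  return {
    unsaltedCollide: unsaltedSha1(pw) === unsaltedSha1(pw),
    saltedCollide: alice === bob,
    aliceOk: verifyPassword(pw, alice),
    wrongRejected: !verifyPassword('not the password', alice),
  };
}

console.log(saltingDemo());
```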

Brute force

A brute force attack will attempt to crack a password by seeking a match using the combination of every possible character.

Moore’s law is alive and brute force has become a very real threat. Attackers are employing GPUs, super-computing clusters and JavaScript botnets made up of tens of thousands of browsers visiting infected websites.

One way to thwart brute force attacks is to programmatically lock a user’s account after a handful of failed login attempts.

However, this won’t protect passwords if an attacker already got access to the password database.

Another way to protect user accounts is to use geolocation: simply save users’ preferred locations along with their profile and ask them to authorize any login attempt from a new location.

Stolen passwords

By far the biggest threat to password security is the fact that these tactics have already worked against other websites, and users have a tendency to reuse passwords across different sites.

https://www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/

Because of the threat of stolen passwords, any policy that relies solely on password protection is unsafe. In order to protect your system from intruders, another line of defense is necessary ⚔️

Multifactor Authentication

Multifactor authentication is an authentication strategy that requires the user to present authentication proof from two or more authentication factors:

  • The knowledge factor (something only your user knows, like security questions…)
  • The possession factor (something the user has, like a mobile phone)
  • The inherence factor (something the user is, like a fingerprint)

There’s a popular move toward the possession factor through OTPs (one-time passwords), with apps like Google Authenticator that generate one-time passwords on a mobile phone.

And I think that the majority of users won’t go through all these security measures because it’s not funny and the so-called user experience has gone to the toilet 💩. So I decided to make a simple experiment using public-key cryptography.

Public-Key Cryptography

Public-key cryptography, or asymmetric cryptography, is an encryption scheme that uses two mathematically related, but not identical, keys (public key / private key).

Unlike symmetric-key algorithms, which rely on one key to both encrypt and decrypt content, each key here performs a unique function: the public key is used to encrypt and the private key is used to decrypt.

The main business applications for public-key cryptography are:

  • Digital signatures: content is digitally signed with an individual’s private key and is verified by the individual’s public key
  • Encryption: content is encrypted using an individual’s public key and can only be decrypted with the individual’s private key
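
How the digital-signature property can act as a login proof, as an added example (not the author's code and not the experiment from part 2): the server sends a random challenge, the client signs it with its private key, and the server checks the signature against the registered public key. The in-memory maps, the function names and the choice of Ed25519 are assumptions made for this illustration.

```javascript
// Added example: challenge-response login built on a digital signature.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Server state (hypothetical, in-memory): only public keys are stored.
const publicKeys = new Map(); // user -> public key
const pending = new Map();    // user -> outstanding challenge

function register(user, publicKey) {
  publicKeys.set(user, publicKey);
}

// Server: a fresh random challenge per login attempt.
function issueChallenge(user) {
  const nonce = randomBytes(32);
  pending.set(user, nonce);
  return nonce;
}

// Client: the private key never leaves the client, only the signature does.
function signChallenge(privateKey, nonce) {
  return sign(null, nonce, privateKey); // null digest: Ed25519 hashes internally
}

// Server: the challenge is consumed on first use, so a captured
// signature cannot be presented a second time.
function verifyLogin(user, signature) {
  const nonce = pending.get(user);
  const publicKey = publicKeys.get(user);
  pending.delete(user);
  if (!nonce || !publicKey) return false;
  return verify(null, nonce, publicKey, signature);
}

// Constructed scenario: one registered user and one unrelated key pair.
function challengeDemo() {
  const alice = generateKeyPairSync('ed25519');
  const stranger = generateKeyPairSync('ed25519');
  register('alice', alice.publicKey);

  const sig = signChallenge(alice.privateKey, issueChallenge('alice'));
  const genuine = verifyLogin('alice', sig);
  const replayed = verifyLogin('alice', sig); // challenge already consumed

  const wrongKey = verifyLogin('alice', signChallenge(stranger.privateKey, issueChallenge('alice')));
  issueChallenge('alice');
  const stale = verifyLogin('alice', sig); // old signature, new challenge
  return { genuine, replayed, wrongKey, stale };
}

console.log(challengeDemo());
```

A database leak in this model exposes only public keys, which cannot be used to produce a valid signature.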

For more details on how public-key cryptography works, please check this great explanation by Tesla 809.

In part 2, we will build an experiment that uses public-key cryptography and digital signature as a way to authenticate a user.
