Nelson Vides
Self-taught programmer and core developer of MongooseIM
Nelson is the children of a multicultural journey. Born in Venezuela to a family of engineers and economists, grew up in Spain to study pure maths in university, and move to Poland to become a self-taught programmer. Now he's an Erlang enthusiast with an emphasis on performance and security, professional in the field of instant messaging and a core developer of MongooseIM. In his free time he's a sports addict, practising yoga and callisthenics, and also a history fanboy, devouring books every night.
Past Activities
Code BEAM V America
11.10 - 11.50
SCRAM: Challenging your authentication in the BEAM
Passwords, that nemesis of all users. Get a weak password, and it can be cracked. Store it plaintext, and it can be stolen. Store it hashed, and it can be brute-forced. Use the same in two different places, and stealing one means losing the other. Submit it deterministically, and the authentication can be replayed by an attacker.
Enter SCRAM, a:
Salted: no two usages of the same password can be matched
Challenge: exponentially slow down brute-force attacks.
Response: clients need to submit a different response on each authentication, hence solving replay attacks.
Authentication Mechanism: well, you guess what this means.
But mind you, the challenge needs to be a challenge for the client, not for the server!
In this talk I’ll introduce you to this authentication protocol, and to some implementation tricks that all evil attackers know but servers tend to forget. And to some very important insight on how to do this efficiently on the BEAM
OBJECTIVE
To introduce an authentication mechanism that is NIST approved, a ietf standard, and with plenty of open-source libraries ready to be plugged in your project: in particular, to present the most performant Erlang library for the protocol you can find.
AUDIENCE
If you’re authenticating clients to your services, or even so if you’re already using SCRAM, you should definitely join. If you’re concerned about security, authentication protocols, the performance of some cryptographic primitives like HMAC, and funny performance mistakes that popular crypto libraries have made, you will enjoy this.