
Nelson Vides

Self-taught programmer and core developer of MongooseIM

Nelson is the child of a multicultural journey. Born in Venezuela to a family of engineers and economists, he grew up in Spain, where he studied pure maths at university, and then moved to Poland to become a self-taught programmer. Now he's an Erlang enthusiast with an emphasis on performance and security, a professional in the field of instant messaging and a core developer of MongooseIM. In his free time he's a sports addict, practising yoga and callisthenics, and also a history fanboy, devouring books every night.

Past Activities

Nelson Vides
Code BEAM V America
10 Mar 2021
11.10 - 11.50

SCRAM: Challenging your authentication in the BEAM

Passwords, that nemesis of all users. Get a weak password, and it can be cracked. Store it plaintext, and it can be stolen. Store it hashed, and it can be brute-forced. Use the same in two different places, and stealing one means losing the other. Submit it deterministically, and the authentication can be replayed by an attacker.


Enter SCRAM, a:

Salted: no two usages of the same password can be matched

Challenge: exponentially slow down brute-force attacks.

Response: clients need to submit a different response on each authentication, hence solving replay attacks.

Authentication Mechanism: well, you guess what this means.

But mind you, the challenge needs to be a challenge for the client, not for the server!
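To make the "challenge for the client, not for the server" point concrete, here is a minimal SCRAM-SHA-256 exchange (RFC 5802/7677 key derivation, with a simplified message layout) written for this page in Python; it is an added illustration, not code from the talk or from MongooseIM. The server runs PBKDF2 only once, at enrollment, and keeps StoredKey/ServerKey; each login then costs the server two HMACs and one hash, while the client pays the iterated hash every time, and fresh nonces make every proof different.

```python
import base64
import hashlib
import hmac
import secrets

HASH = "sha256"  # SCRAM-SHA-256 (RFC 7677)

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password: str, iterations: int = 4096) -> dict:
    """Server side, once per password change: the only place PBKDF2 runs on the server."""
    salt = secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key),                # StoredKey = H(ClientKey)
            "server_key": _hmac(salted, b"Server Key")}  # ServerKey, for mutual auth

def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    """Client side: the expensive PBKDF2 runs here, on every login."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    return _xor(client_key, _hmac(_h(client_key), auth_msg))

def server_verify(record: dict, auth_msg: bytes, proof: bytes):
    """Server side per login: two HMACs and one hash, no PBKDF2. Returns ServerSignature or None."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_msg))
    if not hmac.compare_digest(_h(client_key), record["stored_key"]):
        return None
    return _hmac(record["server_key"], auth_msg)  # client checks this to authenticate the server

def auth_message(user: str, cnonce: str, snonce: str, record: dict) -> bytes:
    """client-first-bare , server-first , client-final-without-proof (simplified layout)."""
    salt_b64 = base64.b64encode(record["salt"]).decode()
    return (f"n={user},r={cnonce},r={cnonce}{snonce},s={salt_b64},i={record['iterations']},"
            f"c=biws,r={cnonce}{snonce}").encode()

def login(record: dict, user: str, password: str) -> tuple:
    """One full exchange with fresh nonces on both sides; returns (accepted, proof sent)."""
    cnonce, snonce = secrets.token_hex(12), secrets.token_hex(12)
    msg = auth_message(user, cnonce, snonce, record)
    proof = client_proof(password, record["salt"], record["iterations"], msg)
    return server_verify(record, msg, proof) is not None, proof
```

A proof captured from one exchange is useless against a later one, because the server's nonce is part of the AuthMessage the proof is bound to.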

In this talk I’ll introduce you to this authentication protocol, and to some implementation tricks that all evil attackers know but servers tend to forget, and to some very important insight on how to do this efficiently on the BEAM.


OBJECTIVE

To introduce an authentication mechanism that is NIST-approved, an IETF standard, and with plenty of open-source libraries ready to be plugged into your project: in particular, to present the most performant Erlang library for the protocol you can find.

AUDIENCE

If you’re authenticating clients to your services, or even more so if you’re already using SCRAM, you should definitely join. If you’re concerned about security, authentication protocols, the performance of some cryptographic primitives like HMAC, and funny performance mistakes that popular crypto libraries have made, you will enjoy this.