Nelson Vides

Self-taught programmer and core developer of MongooseIM

Nelson is the children of a multicultural journey. Born in Venezuela to a family of engineers and economists, grew up in Spain to study pure maths in university, and move to Poland to become a self-taught programmer. Now he's an Erlang enthusiast with an emphasis on performance and security, professional in the field of instant messaging and a core developer of MongooseIM. In his free time he's a sports addict, practising yoga and callisthenics, and also a history fanboy, devouring books every night.

Past Activities

Nelson Vides
Code BEAM V America
10 Mar 2021
11.10 - 11.50

SCRAM: Challenging your authentication in the BEAM

Passwords, that nemesis of all users. Get a weak password, and it can be cracked. Store it plaintext, and it can be stolen. Store it hashed, and it can be brute-forced. Use the same in two different places, and stealing one means losing the other. Submit it deterministically, and the authentication can be replayed by an attacker.


Enter SCRAM, a:

Salted: no two usages of the same password can be matched

Challenge: exponentially slow down brute-force attacks.

Response: clients need to submit a different response on each authentication, hence solving replay attacks.

Authentication Mechanism: well, you guess what this means.

But mind you, the challenge needs to be a challenge for the client, not for the server!

In this talk I’ll introduce you to this authentication protocol, and to some implementation tricks that all evil attackers know but servers tend to forget. And to some very important insight on how to do this efficiently on the BEAM



To introduce an authentication mechanism that is NIST approved, a ietf standard, and with plenty of open-source libraries ready to be plugged in your project: in particular, to present the most performant Erlang library for the protocol you can find.


If you’re authenticating clients to your services, or even so if you’re already using SCRAM, you should definitely join. If you’re concerned about security, authentication protocols, the performance of some cryptographic primitives like HMAC, and funny performance mistakes that popular crypto libraries have made, you will enjoy this.