Cryptography for Django Applications

A Talk presented by Erik LaBianca

Audience level

Novice

Category

Security

Time

September 5th, 1:30 p.m. – 2:10 p.m.


Description

A review of encryption in the context of a web application storing sensitive information. Topics covered include choosing whether to use crypto, selection of tools, proper usage (including examples), and operational considerations with respect to security assessment.


Abstract

Introduction

The web is a hostile place, and isn't showing any signs of becoming less so. In order to mitigate this, many developers turn to cryptography. Unfortunately, cryptography can be complicated, and is easily circumvented if not properly handled. This presentation will provide an introduction to cryptographic tools available to Python/Django applications, appropriate use cases for each, proper usage, and operational concerns necessary to operate in a certified environment. Finally, we will also demonstrate a reusable application that wraps this all up, providing secure key-management capabilities to a running Django environment via the Django admin.

Why Encrypt?

Rules of Encryption

When to encrypt?

Understand what you're protecting

Understand your attack vectors

Understand the types of encryption you might use:

Passwords are a special case. Use a key derivation function

Algorithms

Symmetric Encryption

Algorithms

Asymmetric Encryption

Algorithms

Uses

Signing
Web of Trust
PKI
Encryption

Doing it right

Use known-good algorithms

Use known-good implementations

Extra Credit

Transport (always use HTTPS)

At Rest (insecure servers or backups)

Examples

Hashing

Don't be LinkedIn

SSL

Robust PKI

Asymmetric Encryption

Key Management

PGP Files

Symmetric Encryption

Key Management

Use a unique Initialization Vector if possible
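The "Hashing: Don't be LinkedIn" and "Passwords are a special case. Use a key derivation function" points above, as an added example that is not part of the talk or of Django itself: an unsalted SHA-1 password hash beside a salted PBKDF2-HMAC-SHA256 hasher with constant-time verification. The storage format and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration only.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumption: tune the iteration count so one hash costs tens of
# milliseconds on the deployment hardware; raise it over time.
PBKDF2_ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """The LinkedIn-style scheme: a single unsalted SHA-1 pass.
    Equal passwords give equal digests across all users, and the
    digest is cheap enough to brute-force with precomputed tables."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iter$salt$hash'.
    The record carries everything needed to verify later (assumed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = encoded.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted sha1:", weak_hash(SAMPLE_PASSWORD))
    encoded = make_password(SAMPLE_PASSWORD)
    print("pbkdf2 record:", encoded)
    print("verify ok:", check_password(SAMPLE_PASSWORD, encoded))
```

Two users with the same password get identical `weak_hash` values but different `make_password` records, which is the property the talk's hashing example is about.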