Cryptography for Django Applications

A Talk presented by Erik LaBianca

Audience level

Novice

Time

September 5th, 1:30 p.m. – 2:10 p.m.

Description

A review of encryption in the context of a web application storing sensitive information. Topics covered include choosing whether to use crypto, selection of tools, proper usage (including examples), and operational considerations with respect to security assessment.

Abstract

Introduction

The web is a hostile place, and isn't showing any signs of becoming less so. In order to mitigate this, many developers turn to cryptography. Unfortunately, cryptography can be complicated, and is easily circumvented if not properly handled. This presentation will provide an introduction to cryptographic tools available to Python/Django applications, appropriate use cases for each, proper usage, and operational concerns necessary to operate in a certified environment. Finally, we will also demonstrate a reusable application that wraps this all up, providing secure key-management capabilities to a running Django environment via the Django admin.

Why Encrypt?

Rules of Encryption

Don't do it if you don't need it.
Don't write your own.
Understand what you're doing if you do.

When to encrypt?

Understand what you're protecting

Data
User records
Code
Systems

Understand your attack vectors

Data (backups, revision control)
Systems
Application
Transport
Client

Understand the types of encryption you might use:

Hashing

Passwords are a special case. Use a key derivation function

PBKDF2 – Upgrade to Django 1.4!

Algorithms

MD5 - fine as a checksum. not fine as a cryptographic hash.
SHA1 - fine as a checksum. becoming less fine as a cryptographic hash every day
SHA2 - so far so good. use as many bits as you can handle.

Symmetric Encryption

Fast
Reversible

Algorithms

Caesar Cipher (for fun puzzles)
DES (don't use)
AES (certified)
Blowfish

Asymmetric Encryption

Slow
One-way

Algorithms

Uses

Signing

Web of Trust

PKI

Encryption

Doing it right

Use known-good algorithms

AES-256
SHA2
RSA
DSA

Use known-good implementations

Open Source is good

Extra Credit

FIPS 140 certified implementations
FIPS 140 / NIST configurations

Transport (always use HTTPS)

Use good algorithms AES-256

At Rest (insecure servers or backups)

Understand the ramifications of key management

Examples

Hashing

Use a key-derivation function

Don't be linked-in

Salt your hashes (with a secret).
Salt and pepper your hashes if possible (with a known unique value)

SSL

Forced connections
Making the application aware
Hardened cipher selection

Robust PKI

Client authentication
SSL Test Page

Asymmetric Encryption

Key Management

Using GPG Agent
GPG Manager App

PGP Files

Symmetric Encryption

Key Management

Use Asymmetric Encryption

Use a unique Initialization Vector if possible

LoopBack Devices

Cryptography for Django Applications

Audience level

Category

Time

Description

Abstract

Introduction

Why Encrypt?

Rules of Encryption

When to encrypt?

Understand what you're protecting

Understand your attack vectors

Understand the types of encryption you might use:

Passwords are a special case. Use a key derivation function

Algorithms

Symmetric Encryption

Algorithms

Asymmetric Encryption

Algorithms

Uses

Signing

Web of Trust

PKI

Encryption

Doing it right

Use known-good algorithms

Use known-good implementations

Extra Credit

Transport (always use HTTPS)

At Rest (insecure servers or backups)

Examples

Hashing

Don't be linked-in

SSL

Robust PKI

Asymmetric Encryption

Key Management

PGP Files

Symmetric Encryption

Key Management

Use a unique Initialization Vector if possible