
Full Stack Python Security: Cryptography, TLS, and attack resistance PDF

305 Pages·2021·3.426 MB·English

Preview Full Stack Python Security: Cryptography, TLS, and attack resistance

[Cover figure: "Core concepts of Full Stack Python Security" – Cryptographic foundations: Encryption, Key generation, Hashing, Digital signatures; Authentication and authorization: User registration, User login, Permissions, Password reset; Attack resistance: XSS, Shell injection, Remote code execution, Timing attacks, Open redirects, Clickjacking, Memory bombs, CSRF, SQL injection, Man-in-the-middle, Password cracking, Privilege escalation]

Full Stack Python Security
Cryptography, TLS, and attack resistance
Dennis Byrne
MANNING
Shelter Island

For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department, Manning Publications Co., 20 Baldwin Road, PO Box 761, Shelter Island, NY 11964. Email: [email protected]

©2021 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co., 20 Baldwin Road, PO Box 761, Shelter Island, NY 11964

Development editor: Toni Arritola
Technical development editor: Michael Jensen
Review editor: Aleks Dragosavljević
Production editor: Andy Marinkovich
Copy editor: Sharon Wilkey
Proofreader: Jason Everett
Technical proofreader: Ninoslav Cerkez
Typesetter: Marija Tudor
Cover designer: Marija Tudor

ISBN 9781617298820
Printed in the United States of America

CONTENTS

preface xi
acknowledgments xiii
about this book xiv
about the author xvii
about the cover illustration xviii

1 Defense in depth 1
  1.1 Attack surface 2
  1.2 Defense in depth 3
      Security standards 4 ■ Best practices 5 ■ Security fundamentals 6
  1.3 Tools 8
      Staying practical 11

PART 1 CRYPTOGRAPHIC FOUNDATIONS 13

2 Hashing 15
  2.1 What is a hash function? 15
      Cryptographic hash function properties 17
  2.2 Archetypal characters 19
  2.3 Data integrity 20
  2.4 Choosing a cryptographic hash function 21
      Which hash functions are safe? 21 ■ Which hash functions are unsafe? 22
  2.5 Cryptographic hashing in Python 23
  2.6 Checksum functions 25

3 Keyed hashing 28
  3.1 Data authentication 28
      Key generation 29 ■ Keyed hashing 32
  3.2 HMAC functions 33
      Data authentication between parties 35
  3.3 Timing attacks 36

4 Symmetric encryption 39
  4.1 What is encryption? 39
      Package management 40
  4.2 The cryptography package 41
      Hazardous materials layer 42 ■ Recipes layer 42 ■ Key rotation 44
  4.3 Symmetric encryption 45
      Block ciphers 45 ■ Stream ciphers 47 ■ Encryption modes 47

5 Asymmetric encryption 51
  5.1 Key-distribution problem 51
  5.2 Asymmetric encryption 52
      RSA public-key encryption 53
  5.3 Nonrepudiation 56
      Digital signatures 56 ■ RSA digital signatures 57 ■ RSA digital signature verification 58 ■ Elliptic-curve digital signatures 60

6 Transport Layer Security 62
  6.1 SSL? TLS? HTTPS? 63
  6.2 Man-in-the-middle attack 63
  6.3 The TLS handshake 65
      Cipher suite negotiation 65 ■ Key exchange 66 ■ Server authentication 68
  6.4 HTTP with Django 72
      The DEBUG setting 74
  6.5 HTTPS with Gunicorn 74
      Self-signed public-key certificates 75 ■ The Strict-Transport-Security response header 77 ■ HTTPS redirects 77
  6.6 TLS and the requests package 78
  6.7 TLS and database connections 79
  6.8 TLS and email 80
      Implicit TLS 81 ■ Email client authentication 81 ■ SMTP authentication credentials 81

PART 2 AUTHENTICATION AND AUTHORIZATION 83

7 HTTP session management 85
  7.1 What are HTTP sessions? 85
  7.2 HTTP cookies 87
      Secure directive 87 ■ Domain directive 88 ■ Max-Age directive 88 ■ Browser-length sessions 89 ■ Setting cookies programmatically 89
  7.3 Session-state persistence 90
      The session serializer 90 ■ Simple cache-based sessions 91 ■ Write-through cache-based sessions 94 ■ Database-based session engine 94 ■ File-based session engine 94 ■ Cookie-based session engine 94

8 User authentication 100
  8.1 User registration 101
      Templates 104 ■ Bob registers his account 107
  8.2 User authentication 108
      Built-in Django views 109 ■ Creating a Django app 110 ■ Bob logs into and out of his account 112
  8.3 Requiring authentication concisely 114
  8.4 Testing authentication 114

9 User password management 117
  9.1 Password-change workflow 118
      Custom password validation 120
  9.2 Password storage 122
      Salted hashing 125 ■ Key derivation functions 127
  9.3 Configuring password hashing 130
      Native password hashers 131 ■ Custom password hashers 131 ■ Argon2 password hashing 132 ■ Migrating password hashers 133
  9.4 Password-reset workflow 136

10 Authorization 139
  10.1 Application-level authorization 140
      Permissions 141 ■ User and group administration 142
  10.2 Enforcing authorization 147
      The low-level hard way 147 ■ The high-level easy way 149 ■ Conditional rendering 151 ■ Testing authorization 152
  10.3 Antipatterns and best practices 153

11 OAuth 2 155
  11.1 Grant types 157
      Authorization code flow 157
  11.2 Bob authorizes Charlie 161
      Requesting authorization 162 ■ Granting authorization 162 ■ Token exchange 162 ■ Accessing protected resources 163
  11.3 Django OAuth Toolkit 164
      Authorization server responsibilities 165 ■ Resource server responsibilities 168
  11.4 requests-oauthlib 172
      OAuth client responsibilities 173

PART 3 ATTACK RESISTANCE 177

12 Working with the operating system 179
  12.1 Filesystem-level authorization 180
      Asking for permission 180 ■ Working with temp files 181 ■ Working with filesystem permissions 182
  12.2 Invoking external executables 184
      Bypassing the shell with internal APIs 185 ■ Using the subprocess module 187
