Full Stack Python Security
Cryptography, TLS, and attack resistance
Dennis Byrne
Manning
[Figure: Core concepts of Full Stack Python Security. Panels: Cryptographic foundations; Authentication and authorization; Attack resistance]
For online information and ordering of this and other Manning books, please visit
www.manning.com. The publisher offers discounts on this book when ordered in quantity.
For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email: orders@manning.com
©2021 by Manning Publications Co. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by means electronic, mechanical, photocopying, or otherwise, without prior written
permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in the book, and Manning
Publications was aware of a trademark claim, the designations have been printed in initial caps
or all caps.
Recognizing the importance of preserving what has been written, it is Manning’s policy to have
the books we publish printed on acid-free paper, and we exert our best efforts to that end.
Recognizing also our responsibility to conserve the resources of our planet, Manning books
are printed on paper that is at least 15 percent recycled and processed without the use of
elemental chlorine.
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Development editor: Toni Arritola
Technical development editor: Michael Jensen
Review editor: Aleks Dragosavljević
Production editor: Andy Marinkovich
Copy editor: Sharon Wilkey
Proofreader: Jason Everett
Technical proofreader: Ninoslav Cerkez
Typesetter: Marija Tudor
Cover designer: Marija Tudor
ISBN 9781617298820
Printed in the United States of America
contents
preface xi
acknowledgments xiii
about this book xiv
about the author xvii
about the cover illustration xviii
1 Defense in depth 1
1.1 Attack surface 2
1.2 Defense in depth 3
Security standards 4 ■ Best practices 5 ■ Security fundamentals 6
1.3 Tools 8
Staying practical 11
PART 1 CRYPTOGRAPHIC FOUNDATIONS 13
2 Hashing 15
2.1 What is a hash function? 15
Cryptographic hash function properties 17
2.2 Archetypal characters 19
2.3 Data integrity 20
2.4 Choosing a cryptographic hash function 21
Which hash functions are safe? 21 ■ Which hash functions are unsafe? 22
2.5 Cryptographic hashing in Python 23
2.6 Checksum functions 25
3 Keyed hashing 28
3.1 Data authentication 28
Key generation 29 ■ Keyed hashing 32
3.2 HMAC functions 33
Data authentication between parties 35
3.3 Timing attacks 36
4 Symmetric encryption 39
4.1 What is encryption? 39
Package management 40
4.2 The cryptography package 41
Hazardous materials layer 42 ■ Recipes layer 42 ■ Key rotation 44
4.3 Symmetric encryption 45
Block ciphers 45 ■ Stream ciphers 47 ■ Encryption modes 47
5 Asymmetric encryption 51
5.1 Key-distribution problem 51
5.2 Asymmetric encryption 52
RSA public-key encryption 53
5.3 Nonrepudiation 56
Digital signatures 56 ■ RSA digital signatures 57 ■ RSA digital signature verification 58 ■ Elliptic-curve digital signatures 60
6 Transport Layer Security 62
6.1 SSL? TLS? HTTPS? 63
6.2 Man-in-the-middle attack 63
6.3 The TLS handshake 65
Cipher suite negotiation 65 ■ Key exchange 66 ■ Server authentication 68
6.4 HTTP with Django 72
The DEBUG setting 74
6.5 HTTPS with Gunicorn 74
Self-signed public-key certificates 75 ■ The Strict-Transport-Security response header 77 ■ HTTPS redirects 77
6.6 TLS and the requests package 78
6.7 TLS and database connections 79
6.8 TLS and email 80
Implicit TLS 81 ■ Email client authentication 81 ■ SMTP authentication credentials 81
PART 2 AUTHENTICATION AND AUTHORIZATION 83
7 HTTP session management 85
7.1 What are HTTP sessions? 85
7.2 HTTP cookies 87
Secure directive 87 ■ Domain directive 88 ■ Max-Age directive 88 ■ Browser-length sessions 89 ■ Setting cookies programmatically 89
7.3 Session-state persistence 90
The session serializer 90 ■ Simple cache-based sessions 91 ■ Write-through cache-based sessions 94 ■ Database-based session engine 94 ■ File-based session engine 94 ■ Cookie-based session engine 94
8 User authentication 100
8.1 User registration 101
Templates 104 ■ Bob registers his account 107
8.2 User authentication 108
Built-in Django views 109 ■ Creating a Django app 110 ■ Bob logs into and out of his account 112
8.3 Requiring authentication concisely 114
8.4 Testing authentication 114
9 User password management 117
9.1 Password-change workflow 118
Custom password validation 120
9.2 Password storage 122
Salted hashing 125 ■ Key derivation functions 127
9.3 Configuring password hashing 130
Native password hashers 131 ■ Custom password hashers 131 ■ Argon2 password hashing 132 ■ Migrating password hashers 133
9.4 Password-reset workflow 136
10 Authorization 139
10.1 Application-level authorization 140
Permissions 141 ■ User and group administration 142
10.2 Enforcing authorization 147
The low-level hard way 147 ■ The high-level easy way 149 ■ Conditional rendering 151 ■ Testing authorization 152
10.3 Antipatterns and best practices 153
11 OAuth 2 155
11.1 Grant types 157
Authorization code flow 157
11.2 Bob authorizes Charlie 161
Requesting authorization 162 ■ Granting authorization 162 ■ Token exchange 162 ■ Accessing protected resources 163
11.3 Django OAuth Toolkit 164
Authorization server responsibilities 165 ■ Resource server responsibilities 168
11.4 requests-oauthlib 172
OAuth client responsibilities 173
PART 3 ATTACK RESISTANCE 177
12 Working with the operating system 179
12.1 Filesystem-level authorization 180
Asking for permission 180 ■ Working with temp files 181 ■ Working with filesystem permissions 182
12.2 Invoking external executables 184
Bypassing the shell with internal APIs 185 ■ Using the subprocess module 187