CLIENT SERVER SECURITY WITH FLASK AND iOS
AGENDA
3 Aspects of Security
Encryption
3 Practical Security Lessons
Implementing Security with Flask
3 ASPECTS OF SECURITY
1. Authentication: Ensuring a user is who they claim to be (e.g.
checking a password)
2. Authorization: Defining rules for access and modification of
resources (e.g. users only allowed to delete their own posts)
3. Secure Coding: Ensuring that your application has no
security flaws that would allow attackers to access sensitive
data or manipulate your server
INTERLUDE: CRYPTOGRAPHY
ENCRYPTION AND HASHING
Symmetric encryption: One key is used for both encryption and decryption (secret key encryption)
Asymmetric encryption: One key is used for encryption, a different key is used for decryption (public key encryption)
Hashing: Generates an (almost) unique fixed-length output from an arbitrary input
SYMMETRIC ENCRYPTION
One key for encryption and decryption:
Diagram: “I like you!” → [algorithm + sharedSecret] → 134$%Q$ksg,mcdl (Encryption); 134$%Q$ksg,mcdl → [algorithm + sharedSecret] → “I like you!” (Decryption)
ASYMMETRIC ENCRYPTION
One key for encryption, a different key for decryption
Anyone can encrypt content for a receiver
Only the receiver can decrypt the content
Diagram: “I like you!” → [algorithm + Public Key] → 134$%Q$ksg,mcdl (Encryption); 134$%Q$ksg,mcdl → [algorithm + Private Key] → “I like you!” (Decryption)
DIGITAL SIGNATURE
Uses asymmetric cryptography to verify identity (and that the message was not altered)
Only the sender knows the private key used to sign (a hash of) the message
Anyone can use the sender's public key to verify the signature
Image Source: http://en.wikipedia.org/wiki/Digital_signature#mediaviewer/File:Digital_Signature_diagram.svg
HASHING
Hashing generates an (almost) unique fixed-length output from an arbitrary input
This is a one-way operation: recovering the input from the hash is not possible (except by guessing inputs, i.e. brute force)
Diagram: input text (“Let’s see if this actually works because this is a really amazing algorithm that basically does not create any collisions between different generated hashes”) + Salt → Hash Algorithm → 0714b76586b8823707080083c1fa2ddd67dfbd2d (Hashing)
The example output is 40 hex characters (160 bits), the size of a SHA-1 digest; see the resources at the end on why SHA-1 should no longer be used
3 SECURITY LESSONS
LESSON #1: HTTPS
WHY USE HTTPS
You should (almost) always communicate with a server using HTTPS
HTTPS encrypts and authenticates the traffic between client and server, so other parties on the path can neither read nor modify it
When using HTTP instead of HTTPS, messages between client and server are sent in plaintext; this lets attackers on the same network (e.g. public Wi-Fi) and attackers at any hop between client and server (ISP, proxies, compromised routers) read the entire communication, including passwords and other private information
HOW DOES HTTPS WORK
Browsers and other applications accessing the web ship with a pool of trusted certificate authorities (CAs)
These authorities issue certificates to websites
Authorities verify the identity of the website host before issuing a certificate
The certificate binds the website's name to its public key; the client uses that key to authenticate the server and to protect the key exchange in the handshake
This addresses two problems:
Authentication: We can be sure we are talking to the website we want to talk to (not some server pretending to be that website)
Confidentiality and integrity: Communication between client and server is encrypted and authenticated, so it can neither be read nor altered in transit
HTTPS HANDSHAKE
During the handshake asymmetric encryption is used to agree on a shared secret
During the handshake the client verifies the server certificate: the certificate is signed with the private key of a Certificate Authority (CA), and the client holds the public keys of trusted CAs with which it verifies that signature (it also checks that the certificate's name matches the host it is connecting to and that the certificate has not expired)
After the handshake client and server share a secret that is used for symmetric encryption of all further traffic
HTTPS HANDSHAKE (SIMPLIFIED) [1]
1. Client → Server: ClientHello (carries randomNumberClient). Server → Client: ServerHello (carries randomNumberServer), Certificate, ServerHelloDone.
2. Client checks the Certificate against the public keys of its trusted CAs. Client → Server: Premaster Secret, encrypted with the public key from the certificate.
3. Both sides compute Master Secret = generateMaster(Premaster Secret, randomNumberClient, randomNumberServer). Only the server's private key can recover the Premaster Secret, so an eavesdropper who saw both random numbers still cannot compute the Master Secret.
4. Client → Server and Server → Client: ChangeCipherSpec, then Finished (the first messages encrypted with keys derived from the Master Secret, proving both sides derived the same one).
5. Application communication, symmetrically encrypted with keys derived from the Master Secret.
Steps 1 to 4 are the HTTPS handshake; step 5 is the symmetrically encrypted communication.
This is the RSA key exchange of TLS 1.2 and earlier. TLS 1.3 removed it in favour of ephemeral (EC)DHE, so a later compromise of the server's private key no longer lets an attacker decrypt recorded traffic.
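Step 3 above, worked through as an added example (not part of the original slides): the master secret derivation uses the real TLS 1.2 PRF from RFC 5246 (section 5, P_SHA256), run on both sides of a simulated handshake. Step 2 (RSA-encrypting the premaster secret) is not modelled; client and server are simply handed the same premaster as if the server had just decrypted it. The eavesdropper sees both random numbers but has to guess the premaster.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original slides: step 3 of the simplified
# handshake, using the TLS 1.2 PRF (RFC 5246, section 5) with SHA-256.
# Step 2 (RSA-encrypting the premaster secret) is not modelled; both sides are
# handed the same premaster as if the server had just decrypted it.

MASTER_SECRET_LEN = 48


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(premaster, b"master secret", client_random + server_random, MASTER_SECRET_LEN)


def simulate_handshake():
    """Run steps 1-3 for client, server and a passive eavesdropper.
    Returns (client_master, server_master, eavesdropper_guess)."""
    client_random = secrets.token_bytes(32)   # ClientHello.random, sent in the clear
    server_random = secrets.token_bytes(32)   # ServerHello.random, sent in the clear
    # RSA key exchange: 2-byte protocol version + 46 random bytes (RFC 5246, 7.4.7.1)
    premaster = b"\x03\x03" + secrets.token_bytes(46)
    # Client: encrypt premaster with the server's public key and send it (not modelled).
    client_master = derive_master_secret(premaster, client_random, server_random)
    # Server: decrypt premaster with its private key, derive the same master secret.
    server_master = derive_master_secret(premaster, client_random, server_random)
    # Eavesdropper: sees both randoms but must guess the premaster, so derives garbage.
    guessed_premaster = b"\x03\x03" + secrets.token_bytes(46)
    eavesdropper_guess = derive_master_secret(guessed_premaster, client_random, server_random)
    return client_master, server_master, eavesdropper_guess


if __name__ == "__main__":
    c, s, e = simulate_handshake()
    print("client == server:", c == s, "| eavesdropper matches:", e == c)
```

The security of this flow rests entirely on the premaster secret staying private to the two endpoints; that is why TLS 1.3 replaced the RSA transport of the premaster with an ephemeral Diffie-Hellman exchange and HKDF.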
HOW DO I USE HTTPS?
Easy answer: get a certificate and use a cloud hosting service that provides HTTPS
Hard answer: get a certificate and configure your server to use HTTPS with that certificate
Trick: Heroku apps can use the Heroku SSL certificate
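The client side of "Check Certificate", as an added example (not from the slides): how Python's ssl module is set up to accept only certificates that chain to the OS pool of trusted CAs and match the requested host, next to the insecure setting that switches the check off and is the usual cause of a silently broken HTTPS client. Only fetch_status touches the network; the host name in the usage comment is a placeholder.

```python
import http.client
import ssl

# Added example, not from the original slides. Host names are placeholders.


def client_context(verify: bool = True) -> ssl.SSLContext:
    """TLS client context. create_default_context() loads the OS trust store
    (the browser's "pool of trusted authorities") and requires a certificate
    that chains to it and matches the requested host name.
    verify=False reproduces the common 'make the error go away' mistake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    if not verify:
        ctx.check_hostname = False       # must be cleared before verify_mode can change
        ctx.verify_mode = ssl.CERT_NONE  # any certificate accepted: a MITM now succeeds
    return ctx


def is_safe(ctx: ssl.SSLContext) -> bool:
    """The two settings to look at in any review of client TLS code."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_status(host: str, path: str = "/", verify: bool = True) -> int:
    """GET over HTTPS and return the status code. With verify=True a certificate
    for another host, an expired one or one from an unknown CA raises
    ssl.SSLCertVerificationError instead of silently sending the request."""
    conn = http.client.HTTPSConnection(host, 443, context=client_context(verify), timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("default context safe:", is_safe(client_context()))
    print("verify=False safe:", is_safe(client_context(verify=False)))
    # fetch_status("example.com")  # placeholder host; needs network access
```

The same two settings exist in every HTTP client library (for example requests' verify=False); grepping a code base for them is the quickest audit of whether "we use HTTPS" actually holds on the client.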
LESSON #2: STORING PASSWORDS
Never store passwords in plaintext!
Store hashes of passwords
If someone gets access to your DB you do not want them to be able to read the users’ passwords
Hash passwords with a slow, salted password-hashing algorithm designed for the purpose (bcrypt, scrypt, Argon2 or PBKDF2), not a fast general-purpose hash such as MD5 or SHA-1
When a user signs up, hash the password and store the hash in the DB
When a user signs in, hash the submitted password and compare it to the hash in the DB
If a user forgot their password, send them a link to reset it; no secure application can (or should) provide a way to retrieve the old password, since a hash cannot be reversed
Diagram: Signup: client sends User: Ben-G, PW: simplePW → server hashes the password → DB stores User: Ben-G, PW: 2eff28320f77620a23. Login: client sends User: Ben-G, PW: simplePW → server hashes the submitted password → compares it with the stored 2eff28320f77620a23 → equal → Login OK. (The original diagram labels both hashing steps "encrypt"; the operation is a one-way hash, not reversible encryption.)
LESSON #3: SANITIZE USER INPUT
This is typically more relevant for web applications than for mobile applications, but any server that accepts client data is affected
Never allow user input to become part of a DB query, a shell command or a piece of executable code: treat it as data (parameterised queries, output escaping, argument lists instead of shell strings), never as code
Examples:
XSS: Cross-Site Scripting. If user input is rendered into a page without escaping, an attacker can inject JavaScript that runs in other users' browsers
SQL Injection: If user input is concatenated into a query string, an attacker can change the query and read, modify or delete data
Shellshock: A 2014 bash bug (CVE-2014-6271) where attacker-controlled environment variables, e.g. HTTP headers passed through to CGI scripts, were executed as commands on the server
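Lesson #3 as an added example (not from the slides): a constructed SQLite table, the query built by string concatenation beside its parameterised replacement, and output escaping for the XSS case. The rows and the two attacker strings are constructed for the example; in a Flask app the escaping shown in render_comment_safe is what Jinja2 autoescaping does unless a template marks a value |safe.

```python
import html
import sqlite3

# Added example, not from the original slides. Table contents and the attacker
# strings are constructed for the example.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (owner, body) VALUES (?, ?)", [
        ("Ben-G", "hello"),
        ("Alice", "private draft"),
        ("Bob", "<b>bold</b>"),
    ])
    return conn


def posts_vulnerable(conn, owner: str):
    # User input pasted into the statement: the user is now writing the query.
    # owner = "' OR '1'='1" turns the WHERE clause into ... WHERE owner = '' OR '1'='1'
    query = f"SELECT owner, body FROM posts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def posts_safe(conn, owner: str):
    # Parameterised: the driver passes the value separately from the SQL text,
    # so quotes inside it are data and can never change the statement.
    return conn.execute("SELECT owner, body FROM posts WHERE owner = ?", (owner,)).fetchall()


def render_comment_vulnerable(body: str) -> str:
    # Stored XSS: user text becomes markup, so a <script> in a comment runs for every viewer.
    return f"<p>{body}</p>"


def render_comment_safe(body: str) -> str:
    # Escape on output: <, >, &, quotes become entities and the browser shows them as text.
    # Jinja2 templates in Flask do this automatically unless a value is marked |safe.
    return f"<p>{html.escape(body, quote=True)}</p>"


SQLI_PAYLOAD = "' OR '1'='1"                              # constructed attacker input
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed attacker input

if __name__ == "__main__":
    db = make_db()
    print(len(posts_vulnerable(db, SQLI_PAYLOAD)), "rows leak via concatenation")
    print(len(posts_safe(db, SQLI_PAYLOAD)), "rows via parameters")
    print(render_comment_safe(XSS_PAYLOAD))
```

The same rule covers the Shellshock case: pass user-derived values to subprocess as an argument list with shell=False, never by building a shell command string, and never forward raw client headers into the environment of a process you spawn.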
IMPLEMENTING SECURITY WITH FLASK
USER SIGNUP
User should be a RESTful resource
Signup means a POST request against that User resource
Hash the password and store the hash along with the username in the database
Recommended: bcrypt with a cost factor of 12 (the library's "rounds" parameter is log2 of the iteration count, so 12 means 2^12 = 4096 iterations)
BCRYPT
The bcrypt library provides a convenient way to store a password securely
It automatically generates a random salt for each stored password and embeds it in the output string, so no separate salt column is needed
By generating an individual salt for each password, an attacker needs to brute-force every password individually
We can define how many rounds the hashing algorithm runs to generate the password hash; as processors get faster this value can be increased (existing hashes record their cost and can be re-hashed on the user's next login)
The more rounds, the longer it takes to generate the hash
This means brute-force attacks take longer as well!
ATTACKING HASHED PASSWORDS
With no access to the DB:
Brute force through the web interface or API
Can be mitigated by rate-limiting and lockout on repeated failures
With access to the DB:
Compare the stored hashes to a rainbow table [3] (precomputed hash → password lookups)
If you aren’t using a unique salt per entry, identical passwords produce identical hashes, so one precomputed table cracks every user at once and one cracked password reveals everyone who chose the same one
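Signup, login and the salt and rounds points from the slides above, as an added example that is not from the original deck: a per-user random salt, a tunable work factor stored with the hash, a constant-time comparison, and a check for records whose cost has fallen behind. The slides recommend bcrypt (bcrypt.hashpw(password, bcrypt.gensalt(rounds=12)) to store, bcrypt.checkpw(password, stored) to verify); this block uses PBKDF2-HMAC-SHA256 from the standard library instead so it runs without installing anything. The two users and their password are constructed.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the original slides. The slides recommend bcrypt
# (bcrypt.hashpw(pw, bcrypt.gensalt(rounds=12)) to store, bcrypt.checkpw to
# verify); PBKDF2-HMAC-SHA256 from the standard library stands in here so the
# example runs without a third-party package. The users below are constructed.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # the tunable work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Signup: fresh random salt per user, then the slow hash. Everything needed
    to verify later (algorithm, cost, salt, digest) is stored in one string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Login: re-run the hash with the stored salt and cost, compare in
    constant time so response timing leaks nothing about the stored digest."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """After a successful login: re-hash if the record was made with a lower cost."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def seconds_per_guess(iterations: int) -> float:
    """What one attacker guess costs with this work factor (why rounds matter)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"simplePW", b"\x00" * SALT_BYTES, iterations)
    return time.perf_counter() - start


# Constructed DB rows: two users who chose the same weak password. Because each
# row gets its own salt the stored hashes differ, so a rainbow table built for
# one does not crack the other.
USERS = {
    "Ben-G": hash_password("simplePW"),
    "Alice": hash_password("simplePW"),
}
```

Store the whole self-describing string in the password column; that is also what bcrypt's output format does, which is why a bcrypt-based login needs no separate salt or cost columns.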
LOGIN / AUTHENTICATION
Authentication should conform with the HTTP standard
→ use a specified HTTP authentication method (RFC 7235)
Authentication needs to conform with REST web service design patterns
→ the server must get all the information needed to fulfil a request with each request (stateless), so credentials are sent with every request
HTTP BASIC AUTH
Uses the Authorization header of an HTTP request
1. Username and password are combined into the string "username:password"
2. The resulting string is encoded using Base64
3. The authorization method and a space, i.e. "Basic ", is put before the encoded string
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Base64 is an encoding, not encryption: anyone who sees the header can decode the credentials, so Basic Auth must only be used over HTTPS (Lesson #1)
Diagram: Client → Server: HTTP request with header Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== (this example value decodes to "Aladdin:open sesame"); Server → Client: HTTP response
BASIC AUTH FLASK [2]
from functools import wraps
from flask import request, jsonify   # jsonify is used below; the original snippet did not import it

def check_auth(username, password):
    # Slide demo: one hard-coded user. Real code looks the user up and verifies
    # the password against its stored hash (see the bcrypt section above).
    return username == 'admin' and password == 'secret'

def requires_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        auth = request.authorization   # parsed "Authorization: Basic ..." header, or None
        if not auth or not check_auth(auth.username, auth.password):
            message = {'error': 'Basic Auth Required.'}
            resp = jsonify(message)
            resp.status_code = 401
            # A 401 must tell the client which scheme to use (RFC 7235)
            resp.headers['WWW-Authenticate'] = 'Basic realm="Login Required"'
            return resp
        return f(*args, **kwargs)
    return decorated
from flask_restful import Resource   # assumed: the slide does not show where Resource comes from

class Trip(Resource):
    @requires_auth
    def get(self, trip_id=None):
        if trip_id is None:
            …
        else:
            …

Methods annotated with requires_auth will require the client to provide a valid username and password
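The header handling that Flask's request.authorization does for the decorator above, written out as an added example (not the slide's or Flask's code) so the edge cases are visible: a different scheme, invalid Base64, a password that itself contains a colon, and the WWW-Authenticate challenge that a 401 has to carry (RFC 7235), which the slide's response omits. CREDENTIALS is a constructed stand-in for a user table; a real check compares against the stored password hash, never a plaintext value.

```python
import base64
import binascii
import hmac

# Added example, not from the original slides or from Flask. CREDENTIALS is a
# constructed stand-in; real code verifies against a salted password hash.


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: user names may not contain ':' but passwords may.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


CREDENTIALS = {"Aladdin": "open sesame", "admin": "secret", "bob": "pa:ss"}


def check_auth(username, password):
    """Constant-time comparison; unknown users still pay for one comparison so
    a wrong user name is not faster to reject than a wrong password."""
    expected = CREDENTIALS.get(username)
    if expected is None:
        hmac.compare_digest(password.encode("utf-8"), b"no-such-user")
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def authenticate(headers):
    """What the decorated view should do: (username, None) on success, or
    (None, challenge) where challenge is the 401 the server must send."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not check_auth(*creds):
        challenge = {
            "status": 401,
            "headers": {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'},
            "body": {"error": "Basic Auth Required."},
        }
        return None, challenge
    return creds[0], None


if __name__ == "__main__":
    print(authenticate({"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}))
    print(authenticate({}))
```

Because the credentials travel with every request (the REST statelessness requirement from the slide), each request re-runs the password check; with a slow hash such as bcrypt that cost is paid on every call, which is one reason APIs often exchange Basic Auth for a token after the first login.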
BASIC AUTH ON IOS
// Thanks to Nate Cook: http://stackoverflow.com/questions/24379601/how-to-make-an-http-request-basic-auth-in-swift
struct BasicAuth {
    static func generateBasicAuthHeader(username: String, password: String) -> String {
        // "username:password", UTF-8 encoded, then Base64 (RFC 7617)
        let loginString = "\(username):\(password)"
        let loginData = Data(loginString.utf8)
        let base64LoginString = loginData.base64EncodedString()
        // Value for the Authorization header; only send it over HTTPS
        return "Basic \(base64LoginString)"
    }
}
PASSWORD RESET
Send the user an email that allows them to reset their password; only send it to the email address they used to sign up
The password reset should only be possible for a limited time; typically this is accomplished by putting an expiring token in the link
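An expiring reset token as an added example (not from the slides). Flask applications commonly get this from itsdangerous.URLSafeTimedSerializer; the block builds the same kind of token with the standard library: user id, expiry time and a fingerprint of the current password hash, authenticated with an HMAC under a server-side key, so the link stops working once it has been used to change the password. SERVER_KEY, TOKEN_TTL and the user record are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not from the original slides. SERVER_KEY and TOKEN_TTL are
# constructed; a deployment loads the key from configuration, never from code.

SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60     # seconds the reset link stays valid
MAC_LEN = 32            # HMAC-SHA256 output length


def _fingerprint(password_hash: str) -> bytes:
    """Short digest of the stored password hash: changes as soon as the password does."""
    return hashlib.sha256(password_hash.encode("utf-8")).hexdigest()[:16].encode("ascii")


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_reset_token(user_id: str, password_hash: str, now=None, key: bytes = SERVER_KEY) -> str:
    """Token = urlsafe_b64( "user|expires|fingerprint" || HMAC(key, that payload) )."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}|{now + TOKEN_TTL}|".encode("utf-8") + _fingerprint(password_hash)
    raw = payload + _mac(key, payload)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def verify_reset_token(token: str, lookup_password_hash, now=None, key: bytes = SERVER_KEY):
    """Return the user id for a valid, unexpired, unused token, else None.
    Every failure returns the same None so the caller leaks nothing to the client."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        user_id, expires_str, fingerprint = payload.decode("utf-8").rsplit("|", 2)
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _mac(key, payload)):
        return None                                   # forged or tampered
    if now > expires:
        return None                                   # link expired
    current = lookup_password_hash(user_id)
    if current is None or not hmac.compare_digest(_fingerprint(current), fingerprint.encode("utf-8")):
        return None                                   # password already changed: token spent
    return user_id


if __name__ == "__main__":
    users = {"Ben-G": "pbkdf2_sha256$600000$00$00"}   # constructed record
    token = make_reset_token("Ben-G", users["Ben-G"])
    print(token)
    print(verify_reset_token(token, users.get))
```

The reset endpoint should accept the token only via the link and then require the new password in the same request; after a successful change the fingerprint no longer matches, so an intercepted or re-sent link is useless even before it expires.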
REFERENCES
[1] First Few Milliseconds of HTTPS
[2] Flask Basic Authentication
[3] Wikipedia: Rainbow Table
ADDITIONAL RESOURCES
How does HTTPS actually work?
XSS Example
Everything you need to know about ShellShock
Why SHA-1 should no longer be used as hash algorithm for TLS
Was ist angesagt?

Architecture Best Practices
Architecture Best PracticesArchitecture Best Practices
Architecture Best PracticesAWS Germany
 
Introduction about-ajax-framework
Introduction about-ajax-frameworkIntroduction about-ajax-framework
Introduction about-ajax-frameworkSakthi Bro
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersKevin Hazzard
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
Restful Web Services
Restful Web ServicesRestful Web Services
Restful Web ServicesAngelin R
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reesebuildacloud
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaEdureka!
 
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Eric Shupps
 
Asp Net Advance Topics
Asp Net Advance TopicsAsp Net Advance Topics
Asp Net Advance TopicsAli Taki
 
Cics web interface new
Cics web interface newCics web interface new
Cics web interface newBalmukundb
 
Build an API the right way
Build an API the right wayBuild an API the right way
Build an API the right waySoftware Guru
 
Are you getting Sleepy. REST in SharePoint Apps
Are you getting Sleepy. REST in SharePoint AppsAre you getting Sleepy. REST in SharePoint Apps
Are you getting Sleepy. REST in SharePoint AppsLiam Cleary [MVP]
 
Jsf login logout project
Jsf login logout projectJsf login logout project
Jsf login logout projectGagandeep Singh
 

Was ist angesagt? (20)

Architecture Best Practices
Architecture Best PracticesArchitecture Best Practices
Architecture Best Practices
 
Introduction about-ajax-framework
Introduction about-ajax-frameworkIntroduction about-ajax-framework
Introduction about-ajax-framework
 
The ASP.NET Web API for Beginners
The ASP.NET Web API for BeginnersThe ASP.NET Web API for Beginners
The ASP.NET Web API for Beginners
 
Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentals
 
Asp
AspAsp
Asp
 
Web Fundamental
Web FundamentalWeb Fundamental
Web Fundamental
 
Restful Web Services
Restful Web ServicesRestful Web Services
Restful Web Services
 
Web servers
Web serversWeb servers
Web servers
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reese
 
What is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | EdurekaWhat is REST API? REST API Concepts and Examples | Edureka
What is REST API? REST API Concepts and Examples | Edureka
 
Day03 api
Day03   apiDay03   api
Day03 api
 
Asp.net.
Asp.net.Asp.net.
Asp.net.
 
Http and REST APIs.
Http and REST APIs.Http and REST APIs.
Http and REST APIs.
 
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
 
Asp Net Advance Topics
Asp Net Advance TopicsAsp Net Advance Topics
Asp Net Advance Topics
 
Cics web interface new
Cics web interface newCics web interface new
Cics web interface new
 
Build an API the right way
Build an API the right wayBuild an API the right way
Build an API the right way
 
Are you getting Sleepy. REST in SharePoint Apps
Are you getting Sleepy. REST in SharePoint AppsAre you getting Sleepy. REST in SharePoint Apps
Are you getting Sleepy. REST in SharePoint Apps
 
Jsf login logout project
Jsf login logout projectJsf login logout project
Jsf login logout project
 
Web Servers (ppt)
Web Servers (ppt)Web Servers (ppt)
Web Servers (ppt)
 

Andere mochten auch

iOS Layout Overview
iOS Layout OverviewiOS Layout Overview
iOS Layout OverviewMake School
 
Layout with Stack View, Table View, and Collection View
Layout with Stack View, Table View, and Collection ViewLayout with Stack View, Table View, and Collection View
Layout with Stack View, Table View, and Collection ViewMake School
 
Persistence on iOS
Persistence on iOSPersistence on iOS
Persistence on iOSMake School
 
Intro to Core Data
Intro to Core DataIntro to Core Data
Intro to Core DataMake School
 
Make School 2017 - Mastering iOS Development
Make School 2017 - Mastering iOS DevelopmentMake School 2017 - Mastering iOS Development
Make School 2017 - Mastering iOS DevelopmentMake School
 
Advanced Core Data
Advanced Core DataAdvanced Core Data
Advanced Core DataMake School
 
Standard libraries on iOS
Standard libraries on iOSStandard libraries on iOS
Standard libraries on iOSMake School
 
Error Handling in Swift
Error Handling in SwiftError Handling in Swift
Error Handling in SwiftMake School
 
Localization and Accessibility on iOS
Localization and Accessibility on iOSLocalization and Accessibility on iOS
Localization and Accessibility on iOSMake School
 
Multithreading on iOS
Multithreading on iOSMultithreading on iOS
Multithreading on iOSMake School
 
Intro to iOS Application Architecture
Intro to iOS Application ArchitectureIntro to iOS Application Architecture
Intro to iOS Application ArchitectureMake School
 
Distributing information on iOS
Distributing information on iOSDistributing information on iOS
Distributing information on iOSMake School
 
Core Data presentation
Core Data presentationCore Data presentation
Core Data presentationjoaopmaia
 
Swift Objective-C Interop
Swift Objective-C InteropSwift Objective-C Interop
Swift Objective-C InteropMake School
 
Xcode Project Infrastructure
Xcode Project InfrastructureXcode Project Infrastructure
Xcode Project InfrastructureMake School
 
Dependency Management on iOS
Dependency Management on iOSDependency Management on iOS
Dependency Management on iOSMake School
 
Client Server Communication on iOS
Client Server Communication on iOSClient Server Communication on iOS
Client Server Communication on iOSMake School
 
Client Server Synchronization iOS
Client Server Synchronization iOSClient Server Synchronization iOS
Client Server Synchronization iOSMake School
 
Memory Management on iOS
Memory Management on iOSMemory Management on iOS
Memory Management on iOSMake School
 

Andere mochten auch (20)

iOS Layout Overview
iOS Layout OverviewiOS Layout Overview
iOS Layout Overview
 
Layout with Stack View, Table View, and Collection View
Layout with Stack View, Table View, and Collection ViewLayout with Stack View, Table View, and Collection View
Layout with Stack View, Table View, and Collection View
 
Persistence on iOS
Persistence on iOSPersistence on iOS
Persistence on iOS
 
Intro to Core Data
Intro to Core DataIntro to Core Data
Intro to Core Data
 
Make School 2017 - Mastering iOS Development
Make School 2017 - Mastering iOS DevelopmentMake School 2017 - Mastering iOS Development
Make School 2017 - Mastering iOS Development
 
Advanced Core Data
Advanced Core DataAdvanced Core Data
Advanced Core Data
 
Standard libraries on iOS
Standard libraries on iOSStandard libraries on iOS
Standard libraries on iOS
 
Error Handling in Swift
Error Handling in SwiftError Handling in Swift
Error Handling in Swift
 
Localization and Accessibility on iOS
Localization and Accessibility on iOSLocalization and Accessibility on iOS
Localization and Accessibility on iOS
 
Multithreading on iOS
Multithreading on iOSMultithreading on iOS
Multithreading on iOS
 
Intro to iOS Application Architecture
Intro to iOS Application ArchitectureIntro to iOS Application Architecture
Intro to iOS Application Architecture
 
Distributing information on iOS
Distributing information on iOSDistributing information on iOS
Distributing information on iOS
 
Core Data presentation
Core Data presentationCore Data presentation
Core Data presentation
 
Swift Objective-C Interop
Swift Objective-C InteropSwift Objective-C Interop
Swift Objective-C Interop
 
Xcode Project Infrastructure
Xcode Project InfrastructureXcode Project Infrastructure
Xcode Project Infrastructure
 
Dependency Management on iOS
Dependency Management on iOSDependency Management on iOS
Dependency Management on iOS
 
Swift 2 intro
Swift 2 introSwift 2 intro
Swift 2 intro
 
Client Server Communication on iOS
Client Server Communication on iOSClient Server Communication on iOS
Client Server Communication on iOS
 
Client Server Synchronization iOS
Client Server Synchronization iOSClient Server Synchronization iOS
Client Server Synchronization iOS
 
Memory Management on iOS
Memory Management on iOSMemory Management on iOS
Memory Management on iOS
 

Ähnlich wie Client Server Security with Flask and iOS

Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systemsAbdulaziz Mohd
 
Efficient Multi Server Authentication and Hybrid Authentication Method
Efficient Multi Server Authentication and Hybrid Authentication MethodEfficient Multi Server Authentication and Hybrid Authentication Method
Efficient Multi Server Authentication and Hybrid Authentication MethodIJCERT
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfGumanSingh10
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
Network Security Practices-IP Security
Network Security Practices-IP SecurityNetwork Security Practices-IP Security
Network Security Practices-IP SecurityGayathridevi120
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets LayerNascenia IT
 

Ähnlich wie Client Server Security with Flask and iOS (20)

Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
 
Efficient Multi Server Authentication and Hybrid Authentication Method
Efficient Multi Server Authentication and Hybrid Authentication MethodEfficient Multi Server Authentication and Hybrid Authentication Method
Efficient Multi Server Authentication and Hybrid Authentication Method
 
Lecture17
Lecture17Lecture17
Lecture17
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
SSL-image
SSL-imageSSL-image
SSL-image
 
SSL
SSLSSL
SSL
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdf
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
The last picks
The last picksThe last picks
The last picks
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
Network Security Practices-IP Security
Network Security Practices-IP SecurityNetwork Security Practices-IP Security
Network Security Practices-IP Security
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
ssl
sslssl
ssl
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 

Kürzlich hochgeladen

Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 

Kürzlich hochgeladen (20)

Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 

Client Server Security with Flask and iOS

  • 3. AGENDA: 3 Aspects of Security; Encryption; 3 Practical Security Lessons; Implementing Security with Flask
  • 4. 3 ASPECTS OF SECURITY: 1. Authentication: ensuring a user is who they claim to be (e.g. checking a password). 2. Authorization: defining rules for access and modification of resources (e.g. users only allowed to delete their own posts). 3. Secure Coding: ensuring that your application has no security flaws that would allow attackers to access sensitive data or manipulate your server.
  • 6. ENCRYPTION AND HASHING: Symmetric encryption: there is one key for encryption and decryption (secret key encryption). Asymmetric encryption: one key is used for encryption, the other key is used for decryption (public key encryption). Hashing: generates an (almost) unique fixed-length output from an arbitrary input.
  • 7. SYMMETRIC ENCRYPTION: One key for encryption and decryption. (Diagram: Encryption feeds the plaintext “I like you!” and the sharedSecret into the algorithm and produces the ciphertext 134$%Q$ksg,mcdl; Decryption feeds the ciphertext and the same sharedSecret into the algorithm and recovers “I like you!”.)
  • 8. ASYMMETRIC ENCRYPTION: One key for encryption, a different key for decryption. Anyone can encrypt content for a receiver; only the receiver can decrypt the content. (Diagram: the same “I like you!” → 134$%Q$ksg,mcdl → “I like you!” flow as on slide 7, but the algorithm is keyed with the Public Key for Encryption and with the Private Key for Decryption.)
  • 9. DIGITAL SIGNATURE: Uses asymmetric encryption to verify identity. Only the sender knows the private key used to encrypt a signature; anyone can use the public key to decrypt the signature. Image Source: http://en.wikipedia.org/wiki/Digital_signature#mediaviewer/File:Digital_Signature_diagram.svg
  • 10. HASHING: Hashing generates an (almost) unique fixed-length output from an arbitrary input. This is considered a one-way operation: generating the content from the hash is not possible (except by brute force). Let’s see if this actually works, because this is a really amazing algorithm that basically does not create any collisions between different generated hashes. (Diagram: the input plus a Salt go into the Hash Algorithm, which outputs 0714b76586b8823707080083c1fa2ddd67dfbd2d.)
  • 13. WHY USE HTTPS: You should (almost) always communicate with a server using HTTPS. HTTPS will encrypt the traffic between the client and the server so that network traffic cannot be read by other participants. When using HTTP instead of HTTPS, messages between client and server are sent unencrypted; this allows attackers on the same network and attackers at connection points between client and server to read the entire communication (passwords and other private information).
  • 14. HOW DOES HTTPS WORK: Browsers and other applications accessing the web have a pool of trusted authorities. These authorities issue certificates to websites. Authorities ensure the identity of the website host. The certificate is used to encrypt the handshake between client and server.
  • 15. HOW DOES HTTPS WORK: This addresses two problems. Authentication: we can be sure we are talking to the website we want to talk to (not some server pretending to be that website). Secure Coding: communication between Client and Server is encrypted.
  • 16. HTTPS HANDSHAKE: During the handshake, asymmetric encryption is used to arrange a shared secret. During the handshake the client verifies the Server Certificate (the Certificate is signed with the private key of the Certificate Authority (CA); the Client has the public keys of trusted CAs, which can be used to verify the signature). After the handshake, Client and Server have a shared secret that is used for symmetric encryption.
  • 17. HTTPS HANDSHAKE (SIMPLIFIED) [1] (Diagram, rendered as steps.) 1: Client → Server: ClientHello; Server → Client: ServerHello, Certificate, ServerHelloEnd; the Client checks the Certificate against its CA. 2: Client → Server: Premaster Secret (encrypted with the public key from the certificate); randomNumberClient and randomNumberServer have been exchanged. 3: Client and Server each compute Master Secret = generateMaster(Premaster Secret, randomNumberClient, randomNumberServer). 4: Both sides send ChangeCipherSpec and Finished; the Finished messages are encrypted with the Master Secret. 5: Communication encrypted with the Master Secret (symmetrically encrypted communication).
  • 18. HOW DO I USE HTTPS? Easy answer: get a certificate and use a cloud hosting service that provides HTTPS. Hard answer: get a certificate and configure your server to use HTTPS with that certificate. Trick: Heroku apps can use the Heroku SSL certificate.
  • 20. LESSON #2: STORING PASSWORDS: Never ever store passwords! Store hashes of passwords. If someone gets access to your DB you do not want them to be able to read the users’ passwords.
  • 21. LESSON #2: STORING PASSWORDS: Store passwords with the hash algorithm considered most secure. When a user signs up, hash the password and store it in the DB. When a user signs in, hash the password and compare it to the hashed password in the DB. If a user forgot their password, send them a link to reset it; no secure application should provide a way to retrieve the old password!
  • 22. LESSON #2: STORING PASSWORDS (Diagram.) Signup: the Client sends User: Ben-G, PW: simplePW; the Server encrypts the password and stores User: Ben-G, PW: 2eff28320f77620a23. Login: the Client sends User: Ben-G, PW: simplePW; the Server encrypts it, compares it with the stored 2eff28320f77620a23 (=), and responds Login OK.
  • 23. LESSON #3: SANITIZE USER INPUT
  • 24. LESSON #3: SANITIZE USER INPUT: This is typically more relevant for web applications than for mobile applications. Never allow a user to write an entire DB request or a piece of executable code.
  • 25. LESSON #3: SANITIZE USER INPUT. Examples: XSS (Cross-Site Scripting): if user input is not sanitized it can be possible to inject JS code. SQL Injections: possible to send queries to the DB. Shellshock: execute arbitrary code on the target machine.
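The "user input becomes part of a DB request" problem from slides 24 and 25, shown as an added example that is not part of the slides: an in-memory SQLite table with constructed rows, a lookup that pastes the input into the SQL text, the same lookup with a bound parameter, and an HTML escape for the XSS case. Function names, the sample rows and the tainted input are my own.

```python
# Added example (not from the slides): unsanitized input vs. bound parameters.
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Ben-G", "ben@example.com"), ("alice", "alice@example.com")],
    )
    return conn


def look_up_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable form: the user string is concatenated into the SQL text,
    so the DB parses whatever the user typed as part of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def look_up_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: the SQL text is fixed and the input travels as a bound
    parameter, so it can only ever be compared as a value."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_profile(name: str) -> str:
    """Escape user input before placing it in HTML so it cannot carry markup
    or script into the page (the XSS case on slide 25)."""
    return "<p>Hello, {}</p>".format(html.escape(name))


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"          # constructed input: closes the quote and adds a tautology
    print(look_up_unsafe(db, tainted))   # every row in the table
    print(look_up_safe(db, tainted))     # [] - no user has that literal name
    print(render_profile("<b>Ben</b>"))  # tags arrive as text, not markup
```

Run it once with the tainted string to see the difference: the concatenated query returns the whole table because the input changed the query's meaning, while the parameterised query returns nothing because the same string was only compared against the name column.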
  • 28. USER SIGNUP: User should be a RESTful resource. Signup means a POST request against that User resource. Encrypt the password and store it along with the username in the database. Recommended to use bcrypt with 12 rounds for encryption.
  • 29. BCRYPT: The bcrypt library provides a convenient way to store a password securely. It automatically generates a random salt for each stored password. By generating an individual salt for each password, an attacker needs to brute-force every password individually.
  • 30. BCRYPT: We can define how many rounds the encryption algorithm runs to generate the encrypted password; as processors get faster this value can be increased. The more rounds, the longer it takes to generate the encrypted key. This means brute-force attacks take longer as well!
  • 31. ATTACKING ENCRYPTED PASSWORDS: With no access to the DB: brute force through the web interface or API; this can easily be prevented by rate-limiting API accesses. With access to the DB: compare hashed passwords to a rainbow table [3]; if you aren’t using a unique salt per entry, one compromised password means that all your users’ passwords are compromised.
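The signup/login flow of slides 20-22 and the salt and rounds discussion of slides 28-31, as an added example that is not from the slides or from the bcrypt library: the slides recommend bcrypt with 12 rounds, but this example uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs without extra packages, with an iteration count playing the role of bcrypt's rounds. A dict stands in for the DB; the function names and the ITERATIONS value are my own assumptions.

```python
# Added example (not from the slides): salted, slow password hashing at signup
# and constant-time verification at login. PBKDF2 is used here in place of the
# bcrypt the slides recommend, so the stored format below is my own.
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 100_000   # assumed work factor; raise it as processors get faster
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn on every call, so two users with the same
    password get different stored values and a rainbow table built for one
    salt is useless for every other entry (slide 31)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the salt and iteration count recorded in the
    stored string, then compare in constant time so the comparison does not
    leak how many bytes matched."""
    try:
        scheme, iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:          # wrong field count or malformed hex
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the users table: username -> stored hash string.
USERS: Dict[str, str] = {}


def signup(username: str, password: str) -> bool:
    """Store only the salted hash, never the password itself (slide 20)."""
    if username in USERS:
        return False
    USERS[username] = hash_password(password)
    return True


def login(username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the DB entry (slide 21)."""
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)   # burn the same time for unknown users
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    signup("Ben-G", "simplePW")
    print(USERS["Ben-G"])                # the stored value never contains "simplePW"
    print(login("Ben-G", "simplePW"))    # True
    print(login("Ben-G", "wrongPW"))     # False
```

Two things the slides state are visible when you run it: hashing the same password twice yields two different stored strings because of the per-entry salt, and raising ITERATIONS makes both signup and login measurably slower, which is exactly the cost an offline brute-force attacker also has to pay.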
  • 33. AUTHENTICATION: Authentication should conform with the HTTP standard → use a specified HTTP authentication method. Authentication needs to conform with REST web service design patterns → the Server needs to get the full information to fulfill a Client request with each request → we need to send credentials with every request.
  • 34. HTTP BASIC AUTH: Uses the Authorization header of an HTTPS request. 1. Username and password are combined into a string "username:password". 2. The resulting string is then encoded using Base64. 3. The authorization method and a space, i.e. "Basic ", is then put before the encoded string: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  • 35. HTTP BASIC AUTH (Diagram.) The Client sends an HTTP-Request carrying the header Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==; the Server returns the HTTP-Response.
  • 36. BASIC AUTH FLASK [2]
    from functools import wraps
    from flask import request, Response, jsonify   # jsonify builds the 401 body below

    def check_auth(username, password):
        return username == 'admin' and password == 'secret'

    def requires_auth(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            # Flask parses the Authorization header into request.authorization
            auth = request.authorization
            if not auth or not check_auth(auth.username, auth.password):
                message = {'error': 'Basic Auth Required.'}
                resp = jsonify(message)
                resp.status_code = 401
                return resp
            return f(*args, **kwargs)
        return decorated
  • 37. BASIC AUTH FLASK
    class Trip(Resource):
        @requires_auth
        def get(self, trip_id=None):
            if trip_id is None:
                …
            else:
                …
    Methods annotated with requires_auth will require the client to provide a valid username and password.
  • 38. BASIC AUTH ON IOS
    // Thanks to Nate Cook: http://stackoverflow.com/questions/24379601/how-to-make-an-http-request-basic-auth-in-swift
    struct BasicAuth {
        static func generateBasicAuthHeader(username: String, password: String) -> String {
            let loginString = NSString(format: "%@:%@", username, password)
            let loginData: NSData = loginString.dataUsingEncoding(NSUTF8StringEncoding)!
            let base64LoginString = loginData.base64EncodedStringWithOptions(NSDataBase64EncodingOptions(rawValue: 0))
            // String interpolation appends the Base64 credentials after the scheme name
            let authHeaderString = "Basic \(base64LoginString)"
            return authHeaderString
        }
    }
  • 39. PASSWORD RESET: Send the user an email that allows them to reset their password; only send it to the email address that they used to sign up. The password reset should only be possible for a certain amount of time; typically this is accomplished by providing an expiring token.
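An expiring reset token of the kind slide 39 mentions, as an added example that is not from the slides: the token carries the username and an expiry timestamp, and an HMAC keyed with a server secret covers both so neither can be edited. The link in the reset email would carry this token. SECRET_KEY is a constructed placeholder, the 30-minute lifetime and the function names are my assumptions, and a real deployment would additionally invalidate the token once it has been used.

```python
# Added example (not from the slides): HMAC-signed, time-limited reset token.
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

SECRET_KEY = b"replace-with-a-random-server-secret"   # constructed placeholder
TOKEN_LIFETIME = 30 * 60                               # assumed: 30 minutes


def _sign(payload: bytes, key: bytes) -> str:
    """Hex HMAC-SHA256 tag over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None,
                      key: bytes = SECRET_KEY) -> str:
    """Return '<base64(username:expiry)>.<hmac hex>'; `now` is injectable for tests."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_LIFETIME
    payload = base64.urlsafe_b64encode(
        "{}:{}".format(username, expiry).encode("utf-8")
    ).decode("ascii")
    return "{}.{}".format(payload, _sign(payload.encode("ascii"), key))


def verify_reset_token(token: str, now: Optional[float] = None,
                       key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the username if the token is genuine and unexpired, else None.
    The tag is checked before the payload is decoded, so a forged or edited
    token is rejected without trusting anything it contains."""
    now = time.time() if now is None else now
    payload, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = _sign(payload.encode("utf-8"), key)
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return None
    try:
        decoded = base64.urlsafe_b64decode(payload).decode("utf-8")
        username, _, expiry_str = decoded.rpartition(":")
        expiry = int(expiry_str)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if now > expiry:
        return None
    return username


if __name__ == "__main__":
    tok = issue_reset_token("Ben-G")
    print(tok)
    print(verify_reset_token(tok))   # Ben-G (within 30 minutes)
```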
  • 41. REFERENCES: [1] First Few Milliseconds of HTTPS; [2] Flask Basic Authentication; [3] Wikipedia: Rainbow Table
  • 43. ADDITIONAL RESOURCES: How does HTTPS actually work?; XSS Example; Everything you need to know about ShellShock; Why SHA-1 should no longer be used as hash algorithm for TLS