client server security with flask and ios
TRANSCRIPT
![Page 1: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/1.jpg)
![Page 2: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/2.jpg)
CLIENT SERVER SECURITY
![Page 3: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/3.jpg)
AGENDA
3 Aspects of Security
Encryption
3 Practical Security Lessons
Implementing Security with Flask
![Page 4: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/4.jpg)
3 ASPECTS OF SECURITY
1. Authentication: Ensuring a user is who they claim to be (e.g.
checking a password)
2. Authorization: Defining rules for access and modification of
resources (e.g. users only allowed to delete their own posts)
3. Secure Coding: Ensuring that your application has no
security flaws that would allow attackers to access sensitive
data or manipulate your server
![Page 5: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/5.jpg)
INTERLUDE: CRYPTOGRAPHY
![Page 6: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/6.jpg)
ENCRYPTION AND HASHING
Symmetric encryption: There is one key for encryption
and decryption (secret key encryption)
Asymmetric encryption: One key is used for encryption
other key is used decryption (public key encryption)
Hashing: Generates an (almost) unique fixed length
output from an arbitrary input
![Page 7: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/7.jpg)
SYMMETRIC ENCRYPTION
One key for encryption and decryption:
“I like you!”sharedSecret
algorithm134$%Q
$ksg,mcdl
“I like you!”134$%Q$ksg,mcdl
Encryption
Decryption
sharedSecretalgorithm
![Page 8: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/8.jpg)
ASYMMETRIC ENCRYPTIONOne Key for encryption a different key for decryption
Anyone can encrypt content for a receiver
Only receiver can decrypt the content
“I like you!”sharedSecret
algorithm134$%Q
$ksg,mcdl
“I like you!”134$%Q$ksg,mcdl
Encryption
Decryption
sharedSecretalgorithm
Public Key
Private Key
![Page 9: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/9.jpg)
DIGITAL SIGNATUREUses asymmetric encryption
to verify identity
Only sender knows the
private key used to encrypt
a signature
Anyone can use a public
key to decrypt signature
Image Source: http://en.wikipedia.org/wiki/Digital_signature#mediaviewer/File:Digital_Signature_diagram.svg
![Page 10: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/10.jpg)
HASHINGHashing generates an (almost) unique fixed length output from
an arbitrary input
This is considered a one way operation, generating the content
from the hash is not possible (except by brute-force)
Let’s see if this actually works because this is a really amazing
algorithms that basically does not create any collisions between
different generated hashes
Hash AlgorithmSalt
0714b76586b8823707080083c1fa2ddd67dfbd2d
Hashing
![Page 11: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/11.jpg)
3 SECURITY LESSONS
![Page 12: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/12.jpg)
LESSON #1: HTTPS
![Page 13: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/13.jpg)
WHY USE HTTPS
You should (almost) always communicate with a server using HTTPS
HTTPS will encrypt the traffic between the client and the server so that network traffic cannot be read by other participants
When using HTTP instead of HTTPS messages between client and server are sent unencrypted; this allows attackers on the same network and attackers in connection points between client and server to read the entire communication (passwords and other private information)
![Page 14: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/14.jpg)
HOW DOES HTTPS WORK
Browsers and other applications accessing the web
have a pool of trusted authorities
These authorities issue certificates to websites
Authorities ensure identity of website host
Certificate is used to encrypt handshake between
client and server
![Page 15: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/15.jpg)
HOW DOES HTTPS WORK
This addresses two problems:
Authentication: We can be sure we we are talking
to the website we are wanting to talk to (not some
server pretending to be that website)
Secure Coding: Communication between Client
and Server is encrypted
![Page 16: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/16.jpg)
HTTPS HANDSHAKE
During handshake asymmetric encryption is used to arrange a
shared secret
During handshake client verifies Server Certificate (Certificate is
signed with private key of Certificate Authority (CA), Client has
public keys of trusted CAs that can be used to verify signature
After handshake Client and Server have a shared secret that is
used for symmetric encryption
![Page 17: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/17.jpg)
HTTPS HANDSHAKE (SIMPLIFIED) [1]
Client
Server
ClientHelloServerHelloCertificate
ServerHelloEnd
Client
Server
Premaster Secret (encrypted with public key
from certificate)randomNumberClient randomNumberServer
Client
Server
Master Secret = generateMaster(Premaster Secret,
randomNumberClient, randomNumberServer)
Client
Server
ChangeCipherSpec ChangeCipherSpecFinishedFinished
Encrypted with Master Secret
Encrypted with Master Secret
1 2 3 4
Client
Server
5
CommunicationEncrypted with Master Secret
CA
Check Certificate
Master Secret = generateMaster(Premaster Secret,
randomNumberClient, randomNumberServer)
HTTPS Handshake Symmetricly Encrypted Communication
![Page 18: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/18.jpg)
HOW DO I USE HTTPS?
Easy answer: get a certificate and use a cloud hosting service that
provides HTTPS
Hard answer: get a certificate and configure your server to use HTTPS with that certificate
Trick: Heroku apps can use the Heroku SSL certificate
![Page 19: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/19.jpg)
LESSON #2: STORING PASSWORDS
![Page 20: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/20.jpg)
LESSON #2: STORING PASSWORDS
Never ever store passwords!
Store hashes of passwords
If someone gets access to your DB you do not want them to be
able to read the users’ passwords
![Page 21: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/21.jpg)
LESSON #2: STORING PASSWORDS
Store passwords with the most secure considered hash algorithm
When a user signs up, hash the password and store it in the DB
When a user signs in, hash the password and compare it to the hashed
password in the DB
If a user forgot their password, send them a link to reset it - no secure
application should provide a way to retrieve the old password!
![Page 22: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/22.jpg)
LESSON #2: STORING PASSWORDS
Client
Server
Ben-G
simplePW
Client
Server
encrypt
=
Login OK
encrypt
Signup Login
PW: 2eff28320f77620a23
User: Ben-G
PW: simplePWUser: Ben-G
PW: simplePWUser: Ben-G
PW: 2eff28320f77620a23
User: Ben-GPW: 2eff28320f
77620a23
User: Ben-G
![Page 23: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/23.jpg)
LESSON #3: SANITIZE USER INPUT
![Page 24: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/24.jpg)
LESSON #3: SANITIZE USER INPUT
This is typically more relevant for web applications than for mobile
applications
Never allow a user to write an entire DB Request or a piece of
executable code
![Page 25: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/25.jpg)
LESSON #3: SANITIZE USER INPUT
Examples:
XSS: Cross-Site Scripting. If User Input is not sanitized it can be
possible to inject JS code
SQL Injections: Possible to send queries to DB
Shellshock: Execute arbitrary code on target machine
![Page 26: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/26.jpg)
IMPLEMENTING SECURITY WITH FLASK
![Page 27: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/27.jpg)
USER SIGNUP
![Page 28: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/28.jpg)
USER SIGNUP
User should be a RESTful resource
Signup means a POST request against that User Resource
Encrypt the password and store along with username in database
Recommended to use bcrypt with 12 rounds for encryption
![Page 29: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/29.jpg)
BCRYPT
The bcrypt library provides a convenient way to store a password
securely
It automatically generates a random salt for each stored password
By generating an individual salt for each password, an attacker
needs to brute force every password individually
![Page 30: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/30.jpg)
BCRYPT
We can define how many rounds the encryption algorithm runs to
generate the encrypted password, as processors get faster this
value can be increased
The more rounds, the longer it takes to generate the encrypted key
This means brute force attacks take longer as well!
![Page 31: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/31.jpg)
ATTACKING ENCRYPTED PASSWORDSWith no access to DB:
Brute Force through web interface or API
Can easily be prevented by rate-limiting API accesses
With access to DB:
Compare hashed passwords to a rainbow table [3]
If you aren’t using a unique salt per entry, one compromised password
means that all your users’ passwords are compromised
![Page 32: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/32.jpg)
LOGIN / AUTHENTICATION
![Page 33: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/33.jpg)
AUTHENTICATIONAuthentication should conform with HTTP standard
→ use a specified HTTP authentication method
Authentication needs to conform with REST Webservice Design
Patterns
→ Server needs to get the full information to fulfill a Client Request
with each request → We need to send credentials with every
request
![Page 34: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/34.jpg)
HTTP BASIC AUTH
Uses the Authorization header of an HTTPS Request
1. Username and password are combined into a string "username:password"
2. The resulting string is then encoded using Base64
3. The authorization method and a space i.e. "Basic " is then put before the
encoded string
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
![Page 35: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/35.jpg)
HTTP BASIC AUTH
Client
Server
HTTP-Request
Authorization: Basic
QWxhZGRpbjpvcGVuIHNlc2FtZQ== HTTP-Response
![Page 36: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/36.jpg)
BASIC AUTH FLASK [2]from functools import wraps from flask import request, Response
def check_auth(username, password): return username == 'admin' and password == 'secret'
def requires_auth(f): @wraps(f) def decorated(*args, **kwargs): auth = request.authorization if not auth or not check_auth(auth.username, auth.password): message = {'error': 'Basic Auth Required.'} resp = jsonify(message) resp.status_code = 401 return resp
return f(*args, **kwargs) return decorated
![Page 37: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/37.jpg)
BASIC AUTH FLASK
class Trip(Resource):
@requires_auth def get(self, trip_id=None): if trip_id is None: … else: …
Methods annotated with requires_auth will require the client to provide valid
username and password
![Page 38: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/38.jpg)
BASIC AUTH ON IOS
// Thanks to Nate Cook: http://stackoverflow.com/questions/24379601/how-to-make-an-http-request-basic-auth-in-swift
struct BasicAuth { static func generateBasicAuthHeader(username: String, password: String) -> String { let loginString = NSString(format: "%@:%@", username, password) let loginData: NSData = loginString.dataUsingEncoding(NSUTF8StringEncoding)! let base64LoginString = loginData.base64EncodedStringWithOptions(NSDataBase64EncodingOptions(rawValue: 0)) let authHeaderString = "Basic \(base64LoginString)" return authHeaderString }}
![Page 39: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/39.jpg)
PASSWORD RESET
Send user an email that allows them to reset their password, only
send to to email address that they used to sign up
The password reset should only be possible for a certain amount
of time, typically this is accomplished by providing an expiring
token
![Page 40: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/40.jpg)
REFERENCES
![Page 41: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/41.jpg)
REFERENCES
[1] First Few Milliseconds of HTTPS
[2] Flask Basic Authentication
[3] Wikipedia: Rainbow Table
![Page 42: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/42.jpg)
ADDITIONAL RESOURCES
![Page 43: Client Server Security with Flask and iOS](https://reader033.vdocuments.site/reader033/viewer/2022051705/58a847c51a28ab210b8b465b/html5/thumbnails/43.jpg)
ADDITIONAL RESOURCES
How does HTTPS actually work?
XSS Example
Everything you need to know about ShellShock
Why SHA-1 should no longer be used as hash algorithm for TLS