Good morning everyone, thank you for coming. I'm talking about cryptography and security in Python, a little introduction for beginners and intermediate users. In my Speaker Deck space I will upload this presentation, and in that space I have another presentation relating to security in mobile and web cryptography.

Host: Welcome back everyone, for one more talk of the day we've got...

Before starting this presentation I would like to mention other security conferences in Spain, like Navaja Negra, RootedCon, NoConName or [name unclear]; this event will be in Colonia in November this year.

This is the index: I will make an introduction to cryptography, the basic terms that I will show later; I will show some libraries and tools like PyCrypto; in the third step I will show some best practices for Django security and what kind of vulnerabilities we can find in Django and how to resolve these vulnerabilities; and lastly a little introduction to steganography in Python with some libraries.

When we are talking about cryptography we can speak about basic terms: the cipher, the cipher text, and we have algorithms like AES, RSA and hash functions like MD5 and SHA. Another of the algorithms that we will see is the key derivation functions for preventing brute force attacks on our passwords. The key terms we can introduce in cryptography are the key, that is the information that allows us to encrypt or decrypt our data; the plain text, that is the information we have to hide or encrypt; the result of the encryption is the cipher text; and the algorithm is the cipher, the algorithm converts the plain text into the cipher text. Other, more advanced terms that I will mention are the salt and the initialization vector: the salt allows randomizing the generation of the keys and prevents, in general, brute force attacks or dictionary attacks.

One of the first algorithms that we have for ciphering information is the Caesar cipher. This algorithm is one of the first, used in the Roman era, and in this cipher we have a secret message and the objective is to replace each symbol in the secret message with a symbol in the alphabet that we have. For example, if we have to cipher the space in the initial message we replace it with the percent symbol, and it is a process where we can replace with the alphabet.

Other functions that we have in cryptography are hash functions. These functions are used to calculate checksums of data, verify the integrity of files, generate passwords, and they are also used for digital signatures and authentication. Some of the best known are MD5 and the SHA variations, two or three. In general, with hash functions the idea is that you generate an output and reversing this output must be difficult. For example, the MD5 hash function is cryptographically broken and it is possible that we have hash collisions in this algorithm; my recommendation is to use at least algorithms like the SHA variations two and three. In Python
we have the library hashlib. This library allows one-way cryptographic hashing and supports the basic algorithms I mentioned. Another function, as I comment, is checking file integrity with the MD5 hash function. This function, for example, takes the file name as a parameter and returns the checksum of the file for checking file integrity. When, for example, we have a site and we need to store the user credentials in our database, the usual is to generate the hash of the password of the user and store the hash of this password, but I think the best is to generate this hash of the password and also concatenate a random salt. This random salt, as I comment, allows preventing or avoiding brute force or dictionary attacks, and we generate this password and store it more safely in the database. For checking the hash we have tools like hash-identifier for checking the type of the hash; this is a Python script that checks the type of the hash we have.

One of the first systems in encryption was the shared-key system. This system has a shared key for encrypting and decrypting. The problem with this is that if we have an attacker sniffing in the network with techniques like man in the middle, this key can be discovered by the attacker. And lastly, after symmetric encryption we have asymmetric encryption, known with the algorithm RSA. In this case we have two keys, the public key and the secret key; the public key is used for encrypting and the secret key is used for decrypting the message. In this example we can see that if Alice, for example, wants to send a message to Bob, she must use Bob's public key, and Bob, for decrypting the message, needs to use his private key. This is more secure than the other method that we were seeing before.

At this point we can differentiate two kinds of concepts: the encryption we have seen before, and signing. Signing is another process for verifying the signature, that is to say that your message or your data is the same, and in the receiver, for checking that this message has integrity and is valid, we use the public key. The idea is that you have a message and for creating the signature you use your private key, and for validating this signature in the receiver you use the public key.

One of the main libraries that we have in Python is PyCrypto. This supports all hash operations, this is the list of the algorithms it supports, it supports signing and verifying documents, and it's easy to install with pip. The use of the hash functions, the generator of the hash, is similar to hashlib and the result is the same. For symmetric encryption, if we want to encrypt a message we have to use a key for the algorithm, and we use other data like a salt, that is a random value, and the initialization vector. We can use a function like PBKDF2 to obtain a derived key from the password; in this case we can see that we can use a salt for randomizing the sequence, a length for the key, and internally the algorithm needs the number of iterations for generating the key. In RSA we have to generate a set of two keys, the public and the secret, and this is the result when we try to generate these two keys in PEM format, for the certificate.
This is like a certificate with two keys, the private and the public. For encrypting in RSA we have to use the public key and for decrypting we have to use the secret key. And for signing and verifying the data, the process is the same: we have to import the key we generated in the previous step and update the information with the data in the parameter. This is an example where we can see that we sign a message with this algorithm and we check that the message is valid and has integrity with regard to the sender.

For the best practices we can use for cryptography: avoid as soon as possible functions like MD5 or SHA-1 and use at least SHA-2 and SHA-3, as I comment, to avoid brute force or dictionary attacks. Another recommendation is to use techniques like key stretching for generating strong passwords. With these techniques for generating the password we have many iterations, and in each iteration we concatenate the password and the salt generated with the key, and in each iteration the key is updated with the new information, and in this form we can prevent brute force or dictionary attacks.

Another of the libraries that we have is cryptography. The main advantage is that it supports Python 3 and it has better performance than PyCrypto, and it supports more algorithms like AES, CBC, GCM and so on. This library has practically the same methods as PyCrypto and its use is more comfortable than PyCrypto. This library also supports symmetric encryption and asymmetric encryption, as I said before.

Well, with regard to security in Django, these are the questions that we have to ask when we are developing a site and when we are testing the security of our site. We have to check, for example, if we are using SSL correctly in the configuration; for example, what kind of ciphers we are using in our site for generating the passwords, if we are using cookies for users, for example, and what kind of information we are storing in the database: are we storing secret keys or confidential information of the user? Well, for checking this security in Django we have frameworks that can help us implement this, for not having security risks in our site. They are frameworks like Tastypie, Django REST framework or Webmachine. Also we have the django-secure package, which allows checking that our site is secure with SSL redirects. What do these frameworks provide? These frameworks provide
protection against vulnerabilities that we can have in our site, like cross-site scripting, SQL injection, clickjacking and so on. These frameworks support the HTTPS protocol and also support data validation; we have, for example, user forms for uploading, and these frameworks support data validation for the forms in our site, and they also have support for algorithms like SHA-2 or the algorithm that I showed before, based on the key derivation function, but I will mention it after.

For checking the security of our site we can use this site, Pony Checkup. This site provides help for checking the security of our site, for example if we have HTTPS activated or we have some bug in our site, and if we have an error it provides information about the error and offers information about a solution that we can apply to resolve the problem.

Some of the best practices in security: for example, if we are using confidential information, always use HTTPS and verify that the protocol is used correctly, for example verify the server certificate; enforce the use of the protocol in the entire domain of the site, and if we have links, for example, in the site that serve confidential information, we can redirect to enforce HTTPS. And for example, if we are using cookies we can configure the site with session cookies over HTTPS with a flag in the settings configuration of the site. Other best practices are: keep the secret keys secret, keep the secret keys and credentials in the storage, in the database, in a secret mode; if we have the site in production put the DEBUG flag to False in the settings configuration; and another point that is critical is the flag ALLOWED_HOSTS. For example, if we have the site in production, this flag must be revised, because by default it has an asterisk as the value, and if we have an asterisk this allows all requests to the site from any domain, and if we have to limit the access to the site, for example, we have to change the value to the IP of your network, for example.

For password storage, this is one of the most critical points, when we are working with user credentials, for example. By default Django has this configuration: it uses the key derivation function PBKDF2 in combination with the algorithm SHA-256. If we go to hashers, that is an example that we can find on GitHub in the Django code, we can see that for encoding the password of the user it uses this key derivation function, and uses, as I have shown before, the salt and iterations, and with the function generates the hash that is stored after in the database.

Well, for finding vulnerabilities in our site, OWASP is interesting. OWASP is a set of practices that we have to follow to have better security in our site. We can have vulnerabilities like, as I comment, SQL injection or cross-site scripting, and this guide offers best practices for these kinds of issues. The two main vulnerabilities that I will comment on are SQL injection and cross-site scripting. In general, SQL injection is a problem that we can find where we are making our requests to the database and we are not escaping the parameters correctly, and we can inject some parameters in the SELECT, for example, and obtain access to all of the data
in our database. In Django, fortunately, we have functions that escape these parameters properly. We can use, for example, when we are making a SELECT request to the database, the cursor method and bind the parameters to avoid this vulnerability. Another solution that we have in Django is to use the Django ORM, that is object relational mapping. In this case we use objects, and automatically Django gives you an abstraction that allows creating, retrieving, updating or deleting these objects in the database. In this example we can see that we have an object, a blog, and for storing, for persisting this item in the database, we use the save method that the Model class of the Django package provides.

Another tool that we have for checking this kind of vulnerability is sqlmap. sqlmap allows checking the parameters, making an injection of one parameter, and tells you more info about whether the database can be vulnerable to this attack, and with this tool we can check, for example, the passwords that are stored in the database: it checks the hash of the password that is stored in the database and tells you if the hash can be weak to a dictionary or brute force attack.

The other vulnerability that we have is cross-site scripting. This allows an attacker to obtain sensitive information; this is used, for example, in phishing sites. With a script, an attacker can execute JavaScript remotely and affect the session information of the user. For preventing this we have in Django the rendered templates that automatically escape variable values in HTML. In general, when we are working with forms in Django, the most important issue is to always use the POST method, because with POST methods the data goes in the headers. Another best practice is to use the Django forms package for better validation and security in the forms, and use the Meta fields in model forms.

Well, for finishing, steganography. Steganography is a technique that allows hiding data, text or an image or whatever we want, hiding this data in an image, and the question is where is the data stored? Well, the data is stored in the pixels, in the RGB components of the image; in each pixel in the image, in the least significant bit, the information that we have to hide is stored. In Python we have some libraries for steganography. For example, we have stepic, that is a package that provides some functions: we pass as parameters the image and a secret message, for example, and we save this message in the image, and we can encode the message and decode the message. Another library that we have is Stegano; the function is the same, in this case we can hide text and an image in the same image, and we can hide and reveal the message that we hid. And another tool that we have is [name unclear],
that is a script, and the base is the same. This is an example where we hide text in an image using the least significant bit, and we can see that in each pixel in the image we store the information that we want to hide, and the processing is the same, but we have to iterate over the image and obtain the secret by extracting this bit. We can also hide an image in another image, for example. In this example we can see that we have an image and we have to encode an image; we obtain the result, the result of the image is the last that we see in the slide, and we can hide and extract the image that is hidden in the message.

And finally, in my GitHub repository you can find some of the examples that we have seen. That's all. And finally this book is interesting because it introduces cryptography in Python, and it is free and online, and we can see examples like the ones in this presentation. And that's all, thank you.

Audience: Yes, rather a comment and a question about the password stuff. Django does it by default mostly correctly, but I'm not sure if they have these old simple hashes still in the list. Maybe you want to even remove those simple hashes and just use PBKDF2. And if you use anything else than Django, you really want to use passlib, p-a-s-s-l-i-b. It does a lot of stuff with password storage and offers bcrypt, offers scrypt, offers PBKDF2. You never want to write your own simple hash plus salt password code; that's mostly wrong.

Speaker: Thank you.

Audience: I have another comment. Sometimes it is very useful to use HTTPS even when I have only public information, to protect from modifying your data in transit, including malicious scripts, in the man-in-the-middle attack sense.

Speaker: Yeah, it can be a problem, attacks like man in the middle or other attacks, and probably we can have problems with this algorithm.

Audience: I've got a related comment to the HTTPS. You recommended that it's good to redirect from HTTP to HTTPS, and that is actually not that true, as the attacker can easily strip SSL or continue to work on HTTP because he can modify the redirect request. So kind of a better solution is to use HSTS, HTTP Strict Transport Security. It has its own flaws, but it's a slightly better concept for forcing the user to access the HTTPS.

Speaker: I have not found another solution. All the frameworks that I comment that provide security, all that I have seen, and later the django-secure package, have this feature. It has problems, but it's the only solution that I've seen. Okay, thank you very much.

Host: Thank you.
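Editor's note: the talk describes checking file integrity with hashlib and storing passwords as a hash concatenated with a random salt, which is also what it says Django's default PBKDF2-SHA256 hasher does. The following is an added, editor-written example (not code from the talk's slides or GitHub repository) that implements both with the standard library only. The sample file bytes are constructed, the 600,000 iteration count is an assumption chosen as a current cost, and the `algorithm$iterations$salt$hash` record mirrors the shape of Django's format without matching its encoding.

```python
"""Salted PBKDF2 password hashing and streamed file checksums with the standard
library's hashlib. Editor-added example, not code from the talk's slides."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input standing in for a downloaded file.
SAMPLE_FILE_BYTES = b"django==4.2\ncryptography==41.0.0\n"

# Assumption: a 2023-era cost for PBKDF2-HMAC-SHA256; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def file_digest(data: bytes, algorithm: str = "sha256", chunk_size: int = 8192) -> str:
    """Hex digest of file contents, fed in chunks so a large file need not sit in memory.

    MD5 still spots accidental corruption, but an attacker can forge a colliding
    file, so integrity checks that matter should use SHA-2 or SHA-3.
    """
    h = hashlib.new(algorithm)
    for start in range(0, len(data), chunk_size):
        h.update(data[start:start + chunk_size])
    return h.hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison: an early-exit string compare would leak how many
    leading characters of the digest matched."""
    return hmac.compare_digest(file_digest(data, algorithm), expected_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 over the password with a fresh random 16-byte salt.

    The salt defeats precomputed (rainbow) tables and the iteration count makes every
    guess expensive. The salt parameter exists only for deterministic tests.
    Record layout: algorithm$iterations$salt$hash (hex), the same shape Django's
    PBKDF2PasswordHasher stores, though Django encodes salt and hash differently.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, derived_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))
    except ValueError:  # malformed record: treat as a failed login, never as a crash
        return False


if __name__ == "__main__":
    print(file_digest(SAMPLE_FILE_BYTES))
    record = hash_password("correct horse battery staple")
    print(record)
    print(check_password("correct horse battery staple", record))
```

Two hashes of the same password differ because each gets its own salt, so a leaked table cannot be attacked with one precomputed dictionary; the iteration count is stored beside the hash so it can be raised later without invalidating old records.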
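Editor's note: the talk lists the production settings to revise (DEBUG off, ALLOWED_HOSTS not `*`, session cookies only over HTTPS, secret keys kept secret, only strong password hashers) and the Q&A adds HSTS as the answer to SSL stripping of a plain redirect. The following is an added, editor-written audit over a settings dict, not code from the talk or from Django; the setting names are Django's own, while `audit_settings()`, the two settings dicts, the placeholder SECRET_KEY and the "weak hasher" list are constructed here for illustration.

```python
"""Production-settings check for the Django flags the talk lists plus HSTS from the Q&A.
Editor-added example: setting names are Django's, everything else is constructed here."""
from typing import Any, Dict, List

# Hashers Django ships or shipped that are unsalted or fast enough to brute-force.
WEAK_HASHERS = {
    "MD5PasswordHasher", "SHA1PasswordHasher",
    "UnsaltedMD5PasswordHasher", "UnsaltedSHA1PasswordHasher", "CryptPasswordHasher",
}

# Constructed sample: a development settings module shipped to production unchanged.
WEAK_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "django-insecure-change-me",
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "PASSWORD_HASHERS": [
        "django.contrib.auth.hashers.PBKDF2PasswordHasher",
        "django.contrib.auth.hashers.SHA1PasswordHasher",
        "django.contrib.auth.hashers.MD5PasswordHasher",
    ],
}

# The same module with every finding fixed. SECRET_KEY is a constructed placeholder;
# in practice read it from the environment rather than committing it.
HARDENED_SETTINGS: Dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],
    "SECRET_KEY": "a7Qz!9mKp#2vLx@5nRd$8bTy%3wGh^6cJs&4uFe*1oIq(0pWk)zMb",
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.PBKDF2PasswordHasher"],
}


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return one 'SETTING: problem' line per weak value; an empty list means clean.
    Missing keys are read with Django's own defaults."""
    findings: List[str] = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG: True in production leaks tracebacks, settings and SQL to anyone who triggers an error")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS: '*' accepts any Host header, so attacker-chosen hostnames end up in generated links")
    key = str(settings.get("SECRET_KEY", ""))
    if key.startswith("django-insecure-") or len(key) < 50 or len(set(key)) < 5:
        findings.append("SECRET_KEY: generated placeholder or too short; sessions and CSRF tokens are signed with it")
    if not settings.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE: False lets the browser send the session cookie over plain HTTP")
    if not settings.get("CSRF_COOKIE_SECURE", False):
        findings.append("CSRF_COOKIE_SECURE: False lets the CSRF cookie travel over plain HTTP")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT: False leaves HTTP requests unredirected")
    if int(settings.get("SECURE_HSTS_SECONDS", 0) or 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS: 0 sends no HSTS header; a redirect alone can be stripped by an on-path attacker")
    weak = [h for h in settings.get("PASSWORD_HASHERS", []) if h.rsplit(".", 1)[-1] in WEAK_HASHERS]
    if weak:
        findings.append("PASSWORD_HASHERS: unsalted or fast hashers still accepted: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for line in audit_settings(WEAK_SETTINGS):
        print(line)
    print("hardened:", audit_settings(HARDENED_SETTINGS))
```

Run it from a deploy script against `vars(django.conf.settings)` (or `manage.py check --deploy`, which covers the same flags) before promoting a build; the point of keeping HSTS in the list is the audience's observation that a 301 to HTTPS is only as strong as the first plaintext request.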
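Editor's note: the talk explains least-significant-bit steganography as storing the hidden data in the LSB of each RGB component and recovering it by iterating over the pixels and extracting that bit. The following is an added, editor-written implementation of exactly that scheme over a plain list of RGB tuples; it is not stepic or Stegano, the gradient cover image and the secret are constructed, and the 4-byte length header is this example's own framing so the reader knows how many bits to extract.

```python
"""Least-significant-bit steganography over a constructed pixel array.
Editor-added example of the technique the talk describes; not stepic or Stegano."""
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]


def make_cover(width: int, height: int) -> List[Pixel]:
    """Constructed cover image: a deterministic gradient instead of a file on disk."""
    return [((x * 7) % 256, (y * 13) % 256, ((x + y) * 3) % 256)
            for y in range(height) for x in range(width)]


def _bits(data: bytes) -> Iterator[int]:
    """Most-significant bit first, one bit at a time."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def hide(pixels: List[Pixel], secret: bytes) -> List[Pixel]:
    """Write a 4-byte big-endian length header followed by the payload, one bit into
    the LSB of each successive channel value. Pixels past the payload stay untouched."""
    payload = len(secret).to_bytes(4, "big") + secret
    capacity_bits = len(pixels) * 3
    if len(payload) * 8 > capacity_bits:
        raise ValueError(f"payload needs {len(payload) * 8} bits, cover holds {capacity_bits}")
    bits = _bits(payload)
    out: List[Pixel] = []
    for pixel in pixels:
        channels = list(pixel)
        for c in range(3):
            bit = next(bits, None)
            if bit is None:
                break
            channels[c] = (channels[c] & 0xFE) | bit  # clear the LSB, then set it
        out.append((channels[0], channels[1], channels[2]))
    return out


def reveal(pixels: List[Pixel]) -> bytes:
    """Read the header to learn the payload size, then read exactly that many bytes."""
    flat = (channel & 1 for pixel in pixels for channel in pixel)

    def read_bytes(n: int) -> bytes:
        out = bytearray()
        try:
            for _ in range(n):
                value = 0
                for _ in range(8):
                    value = (value << 1) | next(flat)
                out.append(value)
        except StopIteration:
            raise ValueError("image ended before the announced payload did")
        return bytes(out)

    length = int.from_bytes(read_bytes(4), "big")
    return read_bytes(length)


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """How far any channel moved; LSB embedding never changes a value by more than 1."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    cover = make_cover(16, 16)
    stego = hide(cover, b"attack at dawn")
    print(reveal(stego), "max channel change:", max_channel_delta(cover, stego))
```

The delta of at most 1 per channel is why the change is invisible, and also why it is fragile: any lossy re-encoding (JPEG) or resampling rewrites those bits, so the scheme only survives in lossless formats such as PNG. Plain LSB offers no confidentiality, only concealment; encrypt the payload before hiding it.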