GET /api/v2/video/1381
HTTP 200 OK
Vary: Accept
Content-Type: text/html; charset=utf-8
Allow: GET, PUT, PATCH, HEAD, OPTIONS
{
  "category": "DjangoCon 2012",
  "language": "English",
  "slug": "cryptography-for-django-applications",
  "speakers": [
    "Erik Labianca"
  ],
  "tags": [
    "cryptography",
    "django"
  ],
  "id": 1381,
  "state": 1,
  "title": "Cryptography for Django Applications",
  "summary": "A review of encryption in the context of a web application storing sensitive\ninformation. Topics covered include choosing whether to use crypto, selection\nof tools, proper usage (including examples), and operational considerations\nwith respect to security assessment.\n\n",
  "description": "# Introduction\n\nThe web is a hostile place, and isn't showing any signs of becoming less so.\nIn order to mitigate this, many developers turn to cryptography.\nUnfortunately, cryptography can be complicated, and is easily circumvented if\nnot properly handled. This presentation will provide an introduction to\ncryptographic tools available to Python/Django applications, appropriate use\ncases for each, proper usage, and operational concerns necessary to operate in\na certified environment. Finally, we will also demonstrate a reusable\napplication that wraps this all up, providing secure key-management\ncapabilities to a running Django environment via the Django admin.\n\n# Why Encrypt?\n\n# Rules of Encryption\n\n * Don't do it if you don't need it.\n * Don't write your own.\n * Understand what you're doing if you do.\n\n# When to encrypt?\n\n## Understand what you're protecting\n\n * Data\n * User records\n * Code\n * Systems\n\n## Understand your attack vectors\n\n * Data (backups, revision control)\n * Systems\n * Application\n * Transport\n * Client\n\n## Understand the types of encryption you might use:\n\n * Hashing\n\n### Passwords are a special case. Use a key derivation function\n\n * PBKDF2 \u2013 Upgrade to Django 1.4!\n\n### Algorithms\n\n * MD5 - fine as a checksum. not fine as a cryptographic hash.\n * SHA1 - fine as a checksum. becoming less fine as a cryptographic hash every day\n * SHA2 - so far so good. use as many bits as you can handle.\n\n## Symmetric Encryption\n\n * Fast\n * Reversible\n\n### Algorithms\n\n * Caesar Cipher (for fun puzzles)\n * DES (don't use)\n * AES (certified)\n * Blowfish\n\n## Asymmetric Encryption\n\n * Slow\n * One-way\n\n### Algorithms\n\n * RSA\n * DSA\n\n#### Uses\n\n##### Signing\n\n###### Web of Trust\n\n * PGP\n\n###### PKI\n\n##### Encryption\n\n * PGP\n * SSL\n * TLS\n\n# Doing it right\n\n## Use known-good algorithms\n\n * AES-256\n * SHA2\n * RSA\n * DSA\n\n## Use known-good implementations\n\n * Open Source is good\n\n## Extra Credit\n\n * FIPS 140 certified implementations\n * FIPS 140 / NIST configurations\n\n## Transport (always use HTTPS)\n\n * Use good algorithms AES-256\n\n## At Rest (insecure servers or backups)\n\n * Understand the ramifications of key management\n\n# Examples\n\n## Hashing\n\n * Use a key-derivation function\n\n### Don't be linked-in\n\n * Salt your hashes (with a secret). \n * Salt and pepper your hashes if possible (with a known unique value)\n\n## SSL\n\n * Forced connections\n * Making the application aware\n * Hardened cipher selection\n\n### Robust PKI\n\n * Client authentication\n * SSL Test Page\n\n## Asymmetric Encryption\n\n### Key Management\n\n * Using GPG Agent\n * GPG Manager App\n\n### PGP Files\n\n## Symmetric Encryption\n\n### Key Management\n\n * Use Asymmetric Encryption\n\n### Use a unique Initialization Vector if possible\n\n * LoopBack Devices\n\n",
  "quality_notes": "",
  "copyright_text": "Creative Commons Attribution license (reuse allowed)",
  "embed": "<object width=\"640\" height=\"390\"><param name=\"movie\" value=\"http://youtube.com/v/pWCAADXd-DI?version=3&amp;hl=en_US\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://youtube.com/v/pWCAADXd-DI?version=3&amp;hl=en_US\" type=\"application/x-shockwave-flash\" width=\"640\" height=\"390\" allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed></object>",
  "thumbnail_url": "http://i.ytimg.com/vi/pWCAADXd-DI/hqdefault.jpg",
  "duration": null,
  "video_ogv_length": null,
  "video_ogv_url": null,
  "video_ogv_download_only": false,
  "video_mp4_length": null,
  "video_mp4_url": null,
  "video_mp4_download_only": false,
  "video_webm_length": null,
  "video_webm_url": null,
  "video_webm_download_only": false,
  "video_flv_length": null,
  "video_flv_url": null,
  "video_flv_download_only": false,
  "source_url": "http://www.youtube.com/watch?v=pWCAADXd-DI",
  "whiteboard": "",
  "recorded": "2012-09-05",
  "added": "2012-10-08T17:39:48",
  "updated": "2014-04-08T20:28:26.984"
}
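The talk's "Hashing" section (use a key-derivation function such as PBKDF2, salt your hashes, add a pepper where you can, don't be LinkedIn) is the part of the outline that most directly turns into code. The following is an added example, not code from the talk, from the speaker's reusable app, or from Django itself. It uses only the Python standard library and writes out hashes in the same `algorithm$iterations$salt$hash` layout that Django's PBKDF2 hasher uses, so the pieces are recognisable, but it is an illustration rather than a replacement for `django.contrib.auth.hashers`. Assumptions, not anything stated on the page: the iteration count `ITERATIONS` is a modern work factor (Django 1.4 shipped with 10,000); the pepper is applied by HMAC-ing the password with the secret before key derivation; the 22-character alphanumeric salt length mirrors Django's current default. In this example the salt is the per-user random value stored in the clear next to the hash, and the pepper is the secret that lives in configuration (settings, an environment variable or a KMS) and never in the users table, which is what protects a database dump on its own from offline cracking.

```python
"""Salted and peppered PBKDF2 password hashing in Django's encoded format.

Added example; not the talk's code and not django.contrib.auth.hashers.
"""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed work factor for this example. Django 1.4 defaulted to 10,000
# iterations; raise this as hardware gets faster and rehash on login.
ITERATIONS = 600_000
SALT_CHARS = string.ascii_letters + string.digits


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the server-side pepper before key derivation.

    The pepper is a secret held in configuration, never in the database.
    With an empty pepper this returns the raw password bytes, i.e. the
    scheme degrades to ordinary salted PBKDF2.
    """
    data = password.encode("utf-8")
    if not pepper:
        return data
    return hmac.new(pepper, data, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = b"",
                  salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 key>'.

    The salt is a fresh random value per hash and is stored in the clear as
    part of the encoded string. It defeats precomputed tables and makes two
    users with the same password hash differently; it is not a secret.
    """
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    key = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                              salt.encode("ascii"), iterations)
    return "$".join([ALGORITHM, str(iterations), salt,
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, encoded: str, pepper: bytes = b"") -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations_str, salt, _ = encoded.split("$", 3)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed or unparseable record
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hash_password(password, pepper, salt, iterations)
    # compare_digest avoids leaking where the strings first differ.
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored hash is below current policy (or not in our format).

    Call this after a successful login and re-store the password with the
    current parameters, which is how a deployment migrates from the 10,000
    iterations of 2012 to today's work factor without a forced reset.
    """
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```

With an empty pepper, a salt of `salt` and a single iteration, `hash_password("password", salt="salt", iterations=1)` reproduces the standard PBKDF2-HMAC-SHA256 test vector (`120fb6cf...`), which is a useful sanity check that the encoding matches what other implementations produce. Two operational caveats for the pepper: rotating it invalidates every stored hash unless you version it in the record, and it must be backed up separately from the database or a restore will lock every user out.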