Introduction to Security#

This series of short chapters aims to showcase commonly used security concepts. In this document the foundational concepts are explained briefly and each chapter will extend them with code examples. There is an special focus on cryptography because it is the least known topic in my opinion, howeover, other security topics are covered as well.

The material is a work in progress, at the beginning of each chapter there is a list of ToDos to inform the reader what might change in a future version.

Why this material?#

The main objective of this material is to equip software developers, especially Python ones, with the sufficient knowledge to understand on a high level key security concepts along with examples and must-knows. This is an educational material and NONE of the code shown should be considered production-ready.

There are plently of resources online about security and cryptography in general, however this material has some features that may not be present elsewhere:

  • Quick Read: Each chapter is meant to be read in under 10 minutes.

  • Code-First: All the material is tiered towards a concrete code Implementation.

  • Example-First: All topics covered have examples.

  • Minimal-Dependencies: As much as possible the dependencies are kept to a minimum. Only PyCA Cryptography is needed as third party library.

  • No-Background needed: Only programming background (not necessarily in Python) is needed.

  • No-Math: The objective is to understand the methods on a high level, without low-level math.

How to use the material interactively#

If this icon is available, you have the following options to interact:

  • https://sebasguts.github.io/GAPDaysBinderTutorial/images/logo.png Generates the Binder of the current document (Only available in .ipynb files)

  • https://themachinelearners.com/wp-content/uploads/2020/05/colab_favicon_256px.png Generates the Google Colab of the current document (Only available in .ipynb files)

  • Generates interaction in the current document with Thebe - Click and wait until Binder is ready (message in the top of the current page).

Both Binder and Colab will open a new page while Thebe will update the current page without reloading. Keep in mind that it may take a few seconds to get everything ready.

Caveats#

This material follows a pragmatic approach and as such, some caveats should be taken into account:

  • Not expert-making material: Reading this material will not make you a security expert by any means.

  • Not In-Depth: Since topics are covered in a very high level, many details are skipped, after reading this you will only have a grasp of the concepts, follow the references for further learning.

  • Not a cookbook: This are not copy-paste examples one can add to a codebase, code is just for illustration purposes.

  • Unvalidated: The material has not been written by a security expert, some details might be wrong or outdated.

Basic Concepts#

Security is a key concept in all software related projects, properly understanding and applying security best practices is critical for the success of any project.

The following concepts summarized many of the goals of several security algorithms and techniques:

  • Privacy: the data is protected from reading/understanding of unintended parties.

  • Integrity: the data sent was the originally intented.

  • Authenticity: the received data is from the expected source.

  • Authentication: the receiver is the expected party to be sent data.

  • Non-Repudiation: the sender cannot deny that the data came from it.

Example#

An illustration to better understand the concepts might be:

Alice logs into an email provider, writes her username and password and then she writes an email, providing Bob’s email address as receipient and sending a bank statement downloaded from the bank Website.

This can be analysed from both perspectives:

From Alice Perspective: The email provider gives Privacy to Alice by ensuring her password is kept secret. They also provide Integrity by delivering to Bob’s email address the same content she wrote, without any modifications.

From Bob Perspective: The email provider gives Authentication by ensuring Bob is the only one who can read Alice’s email and Authenticity tells Bob the sender is Alice. Bob can also check the file, the bank website uses Non-Repudiation by digitally signing the file, that means that file could have only been generated by the bank, and no ones else.

There is however somo overlap between integrity and authenticity because “if one verifies the data is exactly the one intended, it implies it is from the expected source”. Moreover, even though the file pass through Alice before going to Bob, that did not altered the fact that the file came from the bank’s website, and since Alice did not tampered the file, Bob can be sure it is the original file.

In this examples all the concepts are intertwined, but that is exactly how it happens in real scenarios, a plethora of techniques and algorithms are used together to ensure these security features.

Techniques#

Depedending of the context, these features can be achieved by different means, in the software industry, computational tools are used to create solutions that provide one or more of the mentioned characteristics.

It is important to distinguish between a computational technique from a particular implementation, the former refers to the way in which some security aspect is guaranteed, whereas the later to which specific software/algorithm should be used to accomplish it.

The most common techniques are:

  • Checksums: to provide Integrity.

  • Message authentication codes: to provide Integrity and Authenticity.

  • Digital Signature: to provide Integrity, Authenticity and Non-Repudiation.

  • Cryptographic Hashes: to provide Privacy.

  • Encryption: to provide Integrity, Authenticity and Privacy.

Each of the upcoming chapters will examine these topics in detail with code examples.

Contribute#

This content is free and promotes both free and open source software, as well as monetary and intellectual accessibility. If you want to support it, please check out the privacy-first ad at the main site. Helping with fixing typos, suggesting edits, or leaving feedback in the comments is also valuable. If you like this content, please share it with others who might find it useful.

If you want to contribute financially, invite me a Ko-Fi or send me donation via PayPal. If you are in Argentina, you can invite me a Cafecito.

Disclaimer#

Any opinions expressed here are solely my own and do not express the views or opinions of my employer or its affiliates. See full disclaimer at the site