なぜ、パスワードハッシュのソルトはハッシュと同じ場所に置いて良いのか

ͳͥɺύεϫʔυϋογϡͷιϧτ͸ ϋογϡͱಉ͡৔ॴʹஔ͍ͯྑ͍ͷ͔ 1)1ΧϯϑΝϨϯε໊ݹ԰ QIQDPO@OBHPZB ͔͔͋ͭ

ύεϫʔυɺ ϋογϡԽ͍ͯ͠·͔͢ʁ

ιϧτ͚͍ͭͯ·͔͢ʁ

ιϧτ͕ԿͷͨΊʹ͋ͬͯɺ Ͳ͜ʹอଘ͞Ε͍ͯΔʁ

ͦΜͳٙ໰ʹ౴͑ΒΕΔΑ͏ʹ ͳ͍ͬͯΔ͸ͣͰ͢

͓͠ͳ͕͖ w ࣗݾ঺հ w ϋογϡͱ͸ w ύεϫʔυೝূͷ࢓૊Έʢύλʔϯʣ w ιϧτͱ͸ w
͍͞͝ʹ w ·ͱΊ

͔͔͋ͭ w ੺௩ܒلʢ͔͔͖͋ͭ͋ͷΓʣ w 1)1FS!ਆށ w 1)1ΧϯϑΝϨϯεؔ੢࣮ߦҕһ௕ 𝕏 BLJ@BSUJTBO

1)1ΧϯϑΝϨϯεؔ੢ 🎉ୈճ🎉 ⚓ॳͷਆށ։࠵🚢 𝕏 QIQ@LBOTBJ

1)1ΧϯϑΝϨϯεؔ੢ 𝕏 QIQ@LBOTBJ PHPカンファレンス名古屋をお楽しみのみなさん！今すぐ宿取ろう！

ϋογϡͱ͸Կ͔

ϋογϡؔ਺ͱ͸ ) 1)1ΧϯϑΝϨϯε໊ݹ԰ bb331ec7eb4e43ceb1e32b 0ef65cf56e5fcf7ce1 ϋογϡ

ϋογϡؔ਺ͱ͸ ) BBBC f1abd73aa0858634f18d36 bf5666194958a8b7d2 ) BBBB 70c881d4a26984ddce795f 6f71817c9cf4480e79 )
BBBD 00b25f15212ed225d3389b 5f75369c82084b3a76 গ͠Ͱ΋ҧ͏σʔλΛೖྗ͢Δͱ͔ͳΓҧ͏ϋογϡ͕ग़ྗ͞ΕΔ

ϋογϡؔ਺ͱ͸ ) QBTTXPSE 5baa61e4c9b93f3f068225 0b6cf8331b7ee68fd8 ) QBTTXPSE 5baa61e4c9b93f3f068225 0b6cf8331b7ee68fd8 )
QBTTXPSE 5baa61e4c9b93f3f068225 0b6cf8331b7ee68fd8 ಉ͡σʔλΛೖྗ͢Δͱಉ͡ϋογϡ͕ग़ྗ͞ΕΔ

҉߸ֶతϋογϡؔ਺ CCFDFCFDFCF CFGDGFGDGDF m1 m2 H(m1) = H(m2)

ύεϫʔυೝূͷ࢓૊Έ

ύεϫʔυೝূͷ࢓૊Έʢ❌ϋογϡԽͳ͠ʣ JE FNBJM QBTTXPSE BBB!FYBNQMFDPN IMZQF BBC!FYBNQMFDPN ODCPLMC
BBD!FYBNQMFDPN LQNWQP 6TFS BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ৽نొ࿥ LQNWQP

BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ϩάΠϯ ύεϫʔυೝূͷ࢓૊Έʢ❌ϋογϡԽͳ͠ʣ JE FNBJM QBTTXPSE BBB!FYBNQMFDPN
IMZQF BBC!FYBNQMFDPN ODCPLMC BBD!FYBNQMFDPN LQNWQP 6TFS LQNWQP LQNWQP ൺֱ

ͳͥύεϫʔυΛϋογϡԽ͢Δඞཁ͕͋Δͷ͔ w %#͕ྲྀग़ͨ࣌͠ʹଈ࠲ʹѱ༻͞Εͳ͍Α͏ʹ͢Δ w ύεϫʔυϦετ߈ܸͰଞαʔϏεʹ΋Өڹͯ͠͠·͏৔߹΋͋Δ w %#͕ྲྀग़͢Δͷ͸͋Γಘͳ͍ͱࢥ͏͔΋͠Εͳ͍͕ɺաڈʹ࿙Ӯࣄ݅͸ى͖ ͍ͯΔ w ୐;͍͊Δศ<>
w ໿ສ݅ͷฏจύεϫʔυ͕ྲྀग़ˠͦͷޙαʔϏεऴྃ w స͹͵ઌͷ伺ͱͯ͠ϋογϡԽ͸ඇৗʹॏཁ <>IUUQTXXXOJLLFJDPNBSUJDMF%(9.;07$"

ͦ͜Ͱϋογϡͷग़൪Ͱ͢ʂ w ϋογϡԽ͓͚ͯ͠͹ɺٯํ޲΁ͷม׵͕ࠔ೉ͳͷͰɺ ݩͷύεϫʔυ͕௚ͪʹ͸஌ΒΕͳ͍ w ѱ༻Λ๷͙͜ͱ͕Ͱ͖Δ CCFDFCFDFCF CFGDGFGDGDF

ύεϫʔυೝূͷ࢓૊Έʢ⚠ιϧτͳ͠ʣ JE FNBJM QBTTXPSE BBB!FYBNQMFDPN BFGF FDFCCDBBG BBC!FYBNQMFDPN
DCFB DGDFCDFBC BBD!FYBNQMFDPN GEEGBBBEDGEF ECECBFBC 6TFS BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ৽نొ࿥ GEEGBBBEDGEF ECECBFBC LQNWQP )

JE FNBJM QBTTXPSE BBB!FYBNQMFDPN BFGF FDFCCDBBG BBC!FYBNQMFDPN DCFB
DGDFCDFBC BBD!FYBNQMFDPN GEEGBBBEDGEF ECECBFBC 6TFS ύεϫʔυೝূͷ࢓૊Έʢ⚠ιϧτͳ͠ʣ GEEGBBBEDGEF ECECBFBC GEEGBBBEDGEF ECECBFBC ൺֱ BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ϩάΠϯ LQNWQP )

ʮϋογϡԽͷΈʯͷ໰୊఺ w Α͘஌ΒΕͨγϯϓϧͳύεϫʔυ΍୹͍ύεϫʔυͩͱɺ͙͢ʹݩͷ஋Λݟ ͚ͭΒΕͯ͠·͏ w ྫ͑͹ɺ࿙Εͨϋογϡ͕NE RXFSUZ ͷ݁ՌͱϚον͢Ε͹ɺύεϫ ʔυ͕RXFSUZͩͱΘ͔ΒΕͯ͠·͏ʢࣙॻ߈ܸʣ w
NE΍TIBͳͲͷ༗໊ͳϋογϡؔ਺Ͱ͸ɺϨΠϯϘʔςʔϒϧΛ࢖ͬͯ ݩͷύεϫʔυΛݟ͚ͭΒΕͯ͠·͏

ιϧτͱ͸

ιϧτͱ͸ w ϋογϡͷݩσʔλʹ෇Ճ͢Δจࣈྻ w 1)1Ͱ͸QBTTXPSE@IBTI Λ࢖͏͜ͱͰϥϯμϜͳιϧτΛ͚ͭͯ͘ΕΔ w ࠓ೔͸৮Εͳ͍͕ɺQBTTXPSE@IBTI͸QBTTXPSE@WFSJGZͱ૊Έ߹ΘͤΔ͜ ͱͰɺλΠϛϯά߈ܸʹରͯ͠΋༗ޮͳͷͰɺΑ΄Ͳͷࣄ৘͕ͳ͍ݶΓ͜Ε Λ࢖͏ͷ͕͓͢͢Ί

ύεϫʔυೝূͷྲྀΕʢ✅QBTTXPSE@IBTIʣ BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ৽نొ࿥ JE FNBJM QBTTXPSE BBB!FYBNQMFDPN
$2y$10$..De BBC!FYBNQMFDPN $2y$10$..Sa BBD!FYBNQMFDPN $2y$10$..VO 6TFS IBTIQBTTXPSE@IBTI QBTTXPSE 1"44803%@%&'"6-5 ZL%F268#7Q+QY7RU4RZFUV61Y+BQ$"QJ-CN7 O$0.W.;9I70

ύεϫʔυೝূͷྲྀΕʢ✅QBTTXPSE@IBTIʣ BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ৽نొ࿥ JE FNBJM QBTTXPSE BBB!FYBNQMFDPN
$2y$10$..De BBC!FYBNQMFDPN $2y$10$..Sa BBD!FYBNQMFDPN $2y$10$..VO 6TFS IBTIQBTTXPSE@IBTI QBTTXPSE 1"44803%@%&'"6-5 ZL%F268#7Q+QY7RU4RZFUV61Y+BQ$"QJ-CN7 O$0.W.;9I70 ZL%F268#7Q+QY7RU4RZFUV61Y+BQ$"QJ-CN7O$0.W.;9I70 ΞϧΰϦζϜ Φϓγϣϯ ιϧτ ϋογϡԽ͞Εͨύεϫʔυ ·ͱΊͯ%#ʹొ࿥͢Δʢಉ͡ͱ͜Ζʹஔ͘ʣ

JE FNBJM QBTTXPSE BBB!FYBNQMFDPN $2y$10$..De BBC!FYBNQMFDPN $2y$10$..Sa
BBD!FYBNQMFDPN $2y$10$..VO 6TFS ύεϫʔυೝূͷྲྀΕʢ✅QBTTXPSE@IBTIʣ BBD!FYBNQMFDPN ϝʔϧΞυϨε ύεϫʔυ ϩάΠϯ QBTTXPSE@WFSJGZ QBTTXPSE Z70 USVFͩͬͨΒɺೝূ੒ޭ

QBTTXPSE@IBTI QBTTXPSE@IBTI QBTTXPSE 1"44803%@#$3:15 $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO w ZΞϧΰϦζϜ͕CDSZQU w ίετ͕
ճϋογϡԽ͢Δ w ιϧτ͸L%F268#7Q+QY7RU4RZF ຖճҧ͏݁Ռ͕ग़Δͷ͸ɺιϧτ͕ϥϯμϜ͔ͩΒ ιϧτͱΦϓγϣϯ͕ಉ͡ͳΒಉ͡ϋογϡ͕ಘΒΕΔ

QBTTXPSE@WFSJGZ IBTIQBTTXPSE@IBTI QBTTXPSE 1"44803%@#$3:15 $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO SFTVMUQBTTXPSE@WFSJGZ QBTTXPSE
IBTI IBTIʹιϧτؚ͕·Ε͍ͯΔͷͰɺ QBTTXPSEʹ͍ͭͯ΋ಉ͡ιϧτͰϋογϡΛܭࢉ͢Δ͜ͱͰݕূ͕Մೳ

ιϧτΛ͚ͭΔ͜ͱͷޮՌ w ιϧτΛ͚ͭΔ͜ͱͰϨΠϯϘʔςʔϒϧʹΑΔ߈ܸ͕ࠔ೉ʹͳΔ w ιϧτΛ෇Ճͨ͠ύεϫʔυʹର͢ΔϋογϡΛ͋Β͔͡Ί͓࣋ͬͯ͘ඞཁ ͕͋Δ w ௕͍ϝοηʔδʹର͢ΔϨΠϯϘʔςʔϒϧPSιϧτͷछྨ෼ͷϨΠϯϘʔ ςʔϒϧΛ༻ҙ͢Δඞཁ͕͋Γɺݱ࣮తͰͳ͍

ͳͥɺϋογϡͱಉ͡৔ॴʹஔ͍ͯྑ͍ͷ͔ w ϥϯμϜͳιϧτΛ͚ͭͯੜ੒ͨ͠ϋογϡʹରͯ͠ݩͷϝοηʔδΛಘΔͨ Ίʹ͸ɺιϧτͷ਺෼ςʔϒϧΛ༻ҙ͢Δඞཁ͕͋Δ w ιϧτ͕ϥϯμϜͰ͋ΔҎ্ɺܾΊ͏ͪͰςʔϒϧΛ࡞ΔΘ͚ʹ͍͔ͳ͍ w ߈ܸऀʹιϧτ͕෼͔ͬͨͱͯ͠΋ݩͷϝοηʔδΛݟ͚ͭΔͷ͕ࠔ೉ͳͷ Ͱɺผͷͱ͜Ζʹஔ͘ඞཁ͕ͳ͍ w
Ή͠ΖศརͳͷͰɺಉ͡ͱ͜Ζʹஔ͘͜ͱ͕ਪ঑͞Ε͍ͯΔ<> <>IUUQTXXXQIQOFUNBOVBMKBGBRQBTTXPSETQIQGBRQBTTXPSETUPSJOHTBMUT

ଞͷݴޠͱͷޓ׵ੑ w Zͷܗࣜͷύεϫʔυϋογϡ͸ଞͷݴޠͰ΋࢖͑Δ͜ͱ͕͋Δ w ͜ͷܗࣜΛ࢖͍ͬͯΕ͹ɺݴޠؒͷ৐Γ׵͑ͷ࣌ʹ໰୊ʹͳΓʹ͍͘ w ྫ͑͹HPMBOHͷCDSZQU(FOFSBUF'SPN1BTTXPSE w IUUQTHPEFWQMBZQCI7+ w
IUUQTHPEFWQMBZQLKI)R)K0%4R w QBTTXPSE@IBTI Λ࢖͓͏ʂʢେࣄͳ͜ͱͳͷͰճʣ

͍͞͝ʹ w ηΩϡϦςΟରࡦΛߟ͑Δ࣌ʹ͸ɺʮԿ͔ΒकΔͨΊʹԿΛ͢Δͷ͔ʯΛ஌ ͓ͬͯ͘͜ͱ͕େ੾ w ෆਖ਼ΞΫηεˠϋογϡԽ w ݪ૾߈ܸˠιϧτͱετϨονϯά w ରࡦͷத਎Λ஌͓͚ͬͯ͹ɺͦͷରࡦͷݶք΋Θ͔Δ
w ύεϫʔυΛϋογϡԽͯ͠΋ɺฏจύεϫʔυ͕ผͷܦ࿏ʢྫ͑͹ϑΟο γϯάʣͰ࿙ΕͨΒෆਖ਼ϩάΠϯΛڐͯ͠͠·͏ʂ

·ͱΊ

·ͱΊ w ύεϫʔυΛฏจͰอଘ͢Δͷ͸ةݥ w ϋογϡԽ͢Δ͚ͩͰ͸ϨΠϯϘʔςʔϒϧͰύεϫʔυΛݟ͚ͭΒΕͯ͠· ͏Մೳੑ͕͋Δ w 1)1ͰύεϫʔυೝূΛ͢Δ৔߹͸ɺQBTTXPSE@IBTIͱQBTTXPSE@WFSJGZΛ ༻͍Δͷ͕Α͍ w
ηΩϡϦςΟରࡦΛߟ͑Δ࣌ʹ͸ɺͲΜͳ߈ܸ͕͋ͬͯɺͳͥͦͷରࡦ͕ޮ͘ ͷ͔஌͓ͬͯ͘͜ͱ͕େ੾

த਎Λ஌ͬͯɺ ҆શͳ։ൃϥΠϑΛʂ

͓͢͢Ίࢿྉ w 1)1ύεϫʔυͷϋογϡ.BOVBM w ϋογϡͱ҉߸͸ҧ͏ͧʂ1)1ΧϯϑΝϨϯεؔ੢)BTIPS &ODSZQUJPO w ମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯͷ࡞Γํୈ൛੬ऑੑ͕ੜ·Ε Δݪཧͱରࡦͷ࣮ફ

͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ ϕετεϐʔΧʔ౤ථΑΖ͓͘͠ئ͍͠·͢🥺

͕࣌ؒ͋Ε͹༨ஊू

QBTTXPSE@IBTIͷσϑΥϧτΦϓγϣϯ w 1)1͔ΒɺίετͷσϑΥϧτ஋͕͔ΒʹมΘ͍ͬͯͨ w υΩϡϝϯτ͕ͷ··ͩͬͨͷͰ֬ೝ͢Δͱʜ

DSZQUʢιϧτΛࢦఆͯ͠ϋογϡΛܭࢉʣ $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO DSZQU ZL%F268#7Q+QY7RU4RZF QBTTXPSE $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO

DSZQUʢιϧτΛࢦఆͯ͠ϋογϡΛܭࢉʣ $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO DSZQU ZL%F268#7Q+QY7RU4RZF QBTTXPSE $2y$10$.kDeQU9WBVpJpxVqtS4qyetuUPxJapCApiLbmVnCO6MvMZ6X14hVO Ұக ιϧτͱΦϓγϣϯ͕ಉ͡ͳΒಉ͡ϋογϡ͕ੜ੒͞ΕΔ͜ͱ͕֬ೝͰ͖ͨ

DSZQUΛ࢖ͬͯϋογϡΛ࠶ݱ͢Δ %&.0͋Γ <?php $password = 'password'; $password_hash = password_hash($password, PASSWORD_DEFAULT);
$algo = substr($password_hash, 0, 7); // $2y$10$ $salt = substr($password_hash, 7, 22); $hash = substr($password_hash, 29); var_dump($password_hash, $algo, $salt, $hash); // password_verifyΛ࢖Θͣʹݕূͯ͠ΈΔ $password_hash_by_crypt = crypt($password, $algo . $salt); var_dump($password_hash, $password_hash_by_crypt); var_dump(hash_equals($password_hash, $password_hash_by_crypt));

1"44803%@%&'"6-5ͷਖ਼ମ w WBS@EVNQ 1"44803%@%&'"6-5 w TUSJOH Z w
ZͷZ w ࣮͸Z͸1)1ʹ͔͠ͳ͍ w ͕CMPX fi TIΞϧΰϦζϜͰB C Y Zͷόʔδϣϯ͕͋Δ w YͱZ͸1)1ͷࣄ৘ʹΑͬͯ௥Ճ͞Εͨόʔδϣϯ w ଞݴޠͰ΋ݕূ͚ͩ͸ରԠ͍ͯ͠Δ৔߹΋͋Δ HPMBOHͷ#DSZQU

なぜ、パスワードハッシュのソルトはハッシュと同じ場所に置いて良いのか

なぜ、パスワードハッシュのソルトはハッシュと同じ場所に置いて良いのか

More Decks by Akinori Takigawa

Featured

Transcript