認証のあれやこれや (Authentication: this and that)
Toshiboumi Ohta
May 11, 2018
Technology
Presented at the 14th セキュリティ共有勉強会 (Security Sharing Study Group)
Tags: authentication, FIDO
Transcript
認証のあれこれ (Authentication: this and that)
第14回セキュリティ共有勉強会 (14th Security Sharing Study Group)

Agenda
What was authentication again?
About pass(phrase|word)s
Is authentication that does not depend on (user) literacy possible?
About FIDO authentication
What was authentication again?

A review of "authentication"
Challenge (誰何, suika): "Who goes there?"
Claim of identity: "I am [name]"
Check the credential, then authenticate: "Show me something with a photo that proves who you are, such as a driver's licence"

In the case of a web application
Display the login form
User ID (the identity claim)
Pass(phrase|word) (the credential)
If it matches, log in (authorization)

Authentication in web applications
Basic authentication
Digest authentication
Form-based authentication
TLS authentication (client authentication)
Federated (application-linked) authentication

What is used as a credential
Something only the user knows: pass(phrase|word) etc.
Something the user has: random-number cards (乱数表), hardware tokens etc.
Something the user is: biometrics (fingerprint, vein pattern, iris etc.)

Problems with each
Pass(phrase|word): once it is known, game over
Possession: once it is stolen or lost, game over
Biometrics: they are personal data, and there is no "second helping" (they cannot be reissued)
Let's talk about pass(phrase|word)s

Pass(phrase|word)s
No device required
Attack resistance depends on literacy:
the user's literacy
the system operator's literacy

Periodic password changes
Were they effective against "brute-force attacks"... really?
Password attacks are diversifying:
password spraying
dictionary attacks
credential-list (list-type account) attacks

Password spraying, a.k.a. reverse brute force
The JAL / ANA sites (2014)
Membership numbers were 7 to 9 digits
Passwords were 4 to 6 digits
Effective when user IDs are easy to guess

Dictionary attacks
Words that are likely to be in heavy use are registered in a dictionary
What people come up with is mostly the same: Dragon, letmein, qazwsx, etc...
The dictionaries are strengthened day by day based on "results"

Credential-list (list-type account) attacks
Use known user ID and password combinations
Some sloppy service somewhere "leaks" them
The number of web applications keeps growing
You inevitably end up reusing passwords
The "hit rate" is pretty high, lol

Is account lockout effective?
Normally it is, but...
On a large-scale site it can get tricky
You use a load balancer, normally... right?
With a parallel attack, 200 or more attempts can be allowed before the account lock triggers, and the account is broken into

Strong pass(phrase|word)s
Increase the number of character classes
For the same number of characters, more character classes is the right thing
But it depends on the keyboard (US / JIS)
https://xkcd.com/936/

Strong passphrases

The limits of pass(phrase|word)s
A "password you cannot remember" is pointless
Literacy is required: mathematical knowledge, and the memory to keep passwords in your head
In the end you can only trust it "to the user"

Making it a little better
Password strength checkers: number of characters, a required mix of character classes, comparison with the account ID, etc...
But usability gets worse, doesn't it?

If passwords are going to be reused anyway, why not make them reusable (safely)?
Federated (application-linked) authentication
OAuth, OpenID, YConnect, SAML
Authentication (authorization) is done externally via an API
No need to manage credentials yourself
Do not confuse authentication with authorization
http://d.hatena.ne.jp/ritou/20120206/1328484575

Can we have authentication that does not (depend on | expect) literacy?

Authentication that does not depend on literacy
Random-number cards, tokens: they cost money, and there is the risk of theft or loss
Biometric authentication: there is no substitute, and a leak is game over (it is personal data)

Multi-factor authentication
Combine various kinds of authentication
Dependence on the pass(phrase|word) decreases
Other things to combine it with, such as CAPTCHA
Usability drops

Facebook's multi-factor authentication
Password authentication
Authentication by IP / cookie
Code generator (mobile only)
Combined with notifications by email / SMS

What a web service authenticates
User authentication
Server authentication (via TLS): server certificate
Client authentication (via TLS): client certificate. Or has it simply never been used?
How did authentication on mobile phones work again?

Characteristics of mobile phones
Entering complex data is a pain
Small screen (little information)
We do have flick input and the like, but...
Device authentication rather than user authentication

Device authentication on mobile phones
UUID (Universally Unique IDentifier)
Originally meant to avoid ID collisions in distributed processing and the like
No "central registration process" needed
Generated from device-specific information such as the time

User authentication on mobile phones
Has to cope with theft and loss
PIN (Personal Identification Number)
Swipe pattern
Biometrics: fingerprint, face etc...

Can't we do a bit better than that?

Authentication that does not depend on the environment
Does not depend on "literacy"
At work, on the move, at home
Edge, Firefox, Chrome, Vivaldi
PC, tablet, smartphone etc...
FIDO authentication: Fast IDentity Online
Credentials are never transmitted
An application of public-key cryptography
Modular, so no vendor lock-in
Continuous authentication, implicit authentication, context-based authentication

Overview of FIDO authentication
Private key / public key
Challenge
Authentication: the challenge is signed with the private key; the validity of the signature is checked with the public key
No shared secret needed!

Independent of the authentication method!
Authenticator / FIDO client / FIDO server
FIDO 2.0
Integrates the two authenticator types of FIDO 1.0: UAF (Universal Authentication Framework) and U2F (Universal Second Factor)
Introduces CTAP

WebAuthn and CTAP
WebAuthn: one of the FIDO authentication mechanisms; does not depend on passwords (a.k.a. skill); currently a W3C CR (Candidate Recommendation)
CTAP (Client To Authenticator Protocol)

Want more detail?
Explanations of FIDO (in Japanese):
https://www.slideshare.net/FIDOAlliance/fido-83445442
https://fidoalliance.org/wp-content/uploads/FIDOTokyo-gomi-120816-ja.pdf
W3C information:
https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.ja

Q&A?