Upgrade to Pro — share decks privately, control downloads, hide ads and more …

認証のあれやこれや

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Toshiboumi Ohta Toshiboumi Ohta
May 11, 2018
Technology
0
360

 認証のあれやこれや

第十四回セキュリティ共有勉強会での発表
認証、FIDO

Avatar for Toshiboumi Ohta

Toshiboumi Ohta

May 11, 2018
Tweet

More Decks by Toshiboumi Ohta

See All by Toshiboumi Ohta
0727.pdf
Avatar for Toshiboumi Ohta bugbird
0
410

Other Decks in Technology

See All in Technology
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
Avatar for coconala_engineer coconala_engineer
2
670
Ruby版 JSXのRuxが気になる
Avatar for SansanTech sansantech
PRO
0
160
Red Hat OpenStack Services on OpenShift
Avatar for Tatsuya Amemiya tamemiya
0
120
SREチームをどう作り、どう育てるか ― Findy横断SREのマネジメント
Avatar for adachi.ryo rvirus0817
0
320
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
450
15 years with Rails and DDD (AI Edition)
Avatar for Andrzej Krzywda andrzejkrzywda
0
200
CDK対応したAWS DevOps Agentを試そう_20260201
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
1
350
StrandsとNeptuneを使ってナレッジグラフを構築する
Avatar for やくも yakumo
1
120
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
Avatar for Jun Naito jonnojun
0
110
Amazon Bedrock Knowledge Basesチャンキング解説!
Avatar for 野口碧生 aoinoguchi
0
150
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
Avatar for ktykogm 0gm
1
2.8k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
4
1.3k

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
69
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
660
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
200
Collaborative Software Design: How to facilitate domain modelling decisions
Avatar for Kenny Baas-Schwegler baasie
0
140
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
Avatar for Aleyda Solis aleyda
0
1.1k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
230
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
8.7k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k

Transcript

  1. ೝূͷ͋Ε΍͜Ε΍ ୈ̍̐ճηΩϡϦςΟڞ༗ษڧձ

  2. ͓͠ͳ͕͖ ೝূͬͯͳΜ͚ͩͬʁ ύεʢϑϨʔζʛϫʔυʣʹ͍ͭͯ Ϧςϥγʔʹґଘ͠ͳ͍ೝূͬͯՄೳʁ FIDOೝূʹ͍ͭͯ

  3. ೝূͬͯͳΜ͚ͩͬʁ

  4. ʮೝূʯͷ͓͞Β͍ ୭Կʢ͍͔͢ʣ ʮ୭͔ʁʯ ໊৐Γ ʮ෋ࢁ།ܧͰ͢ʯ ೝূ৘ใΛ֬ೝͯ͠ೝূ ʮ໔ڐূͳͲࣸਅೖΓͰຊਓ֬ೝͰ͖Δ΋ͷΛݟͤͯʯ

  5. WebΞϓϦέʔγϣϯͷ৔߹ ϩάΠϯϑΥʔϜͷදࣔ ϢʔβIDʢ໊৐Γʣ ύεʢϑϨʔζʛϫʔυʣʢೝূ৘ใʣ র߹Ͱ͖Ε͹ϩάΠϯʢೝՄʣ

  6. WebΞϓϦέʔγϣϯͷೝূ Basicೝূ Digestೝূ ϑΥʔϜϕʔεೝূ TLSೝূʢΫϥΠΞϯτೝূʣ ΞϓϦέʔγϣϯ࿈ܞೝূ

  7. ೝূ৘ใͱͯ͠࢖͏΋ͷ ར༻ऀݻ༗ͷ஌ࣝ ύεʢϑϨʔζʛϫʔυʣͳͲ ར༻ऀͷॴ༗෺ ཚ਺දɺϋʔυ΢ΣΞτʔΫϯͳͲ ར༻ऀͷಛੑ ੜମ৘ใʢࢦ໲ɺ੠໲ɺ੩຺ύλʔϯɺ೒࠼ etc…ʣ

  8. ͦΕͧΕͷ໰୊఺ ύεʢϑϨʔζʛϫʔυʣ ๨ΕͨΒΞ΢τ ॴ༗෺ ౪·ΕͨΓฆࣦͨ͠ΒΞ΢τ ੜମ৘ใ ݸਓ৘ใͰ͋Γʮ͓୅ΘΓʯ͕Ͱ͖ͳ͍

  9. ύεʢϑϨʔζʛϫʔυʣ ʹ͍ͭͯ೤͘ޠΖ͏

  10. ύεʢϑϨʔζʛϫʔυʣ σόΠεΛඞཁͱ͠ͳ͍ ߈ܸ଱ੑ͸Ϧςϥγʔґଘ ϢʔβͷϦςϥγʔ γεςϜӡ༻ऀͷϦςϥγʔ

  11. ύεϫʔυͷఆظతߋ৽໰୊ ʮ૯౰ͨΓ߈ܸʯʹ͸༗ޮͩͬͨ…͔΋ʁ ଟ༷Խ͢Δύεϫʔυ߈ܸ ύεϫʔυɾεϓϨʔ߈ܸ ࣙॻ߈ܸ ϦετܕΞΧ΢ϯτ߈ܸ

  12. ύεϫʔυɾεϓϨʔ߈ܸ a.k.a. ϦόʔεɾϒϧʔτϑΥʔε߈ܸ JAL / ANA ͷαΠτʢ2014೥ʣ ձһ൪߸͕7ܻʙ9ܻ ύεϫʔυ͕4ܻʙ6ܻ ϢʔβID͕؆୯ʹਪଌͰ͖Δ৔߹༗ޮ

  13. ࣙॻ߈ܸ ଟ༻͞Ε͍ͯΔՄೳੑ͕͋Δ୯ޠΛࣙॻొ࿥ ਓͷߟ͑Δ͜ͱ͸େମಉ͡ Dragon, letmein, qazwsx, etc… ʮ࣮੷ʯʹج͍ͮͯ೔ʑڧԽ͞Ε͍ͯΔ

  14. ϦετܕΞΧ΢ϯτ߈ܸ ϢʔβIDͱύεϫʔυͷ૊Έ߹ΘͤΛ࢖͏ Ͳ͔͜ͷʮ΁΅͍ʯαʔϏε͕ʮ͓࿙Β͠ʯ WebΞϓϦέʔγϣϯͷ૿Ճ Ͳ͏ͯ͠΋࢖͍·Θͨ͘͠ͳΔ ͔ͳΓʮώοτ཰ʯ͕ߴ͍w

  15. ΞΧ΢ϯτϩοΫ͸༗ޮʁ ී௨͸༗ޮͰ͕͢… େن໛αΠτͩͱ΍͹͍͜ͱ΋͋Δ ී௨ϩʔυόϥϯα࢖͍·͢Α…Ͷʁ ฒྻ߈ܸͰΞΧ΢ϯτϩοΫ͕ൃಈ͢Δલ ʹ200݅Ҏ্ͷࢼߦΛڐͯ͠ɺ৵ೖ͞ΕΔ

  16. ڧ͍ύεʢϑϨʔζʛϫʔυʣ จࣈछΛ૿΍͢ ಉ͡จࣈ਺ͳΒจࣈछΛ૿΍͢ͷ͸ਖ਼ٛ ͨͩ͠US / JIS ΩʔϘʔυ໰୊ʹቕΔ https://xkcd.com/936/

  17. ڧ͍ύεϑϨʔζ

  18. ύεʢϑϨʔζʛϫʔυʣͷ໰୊఺ ʮ֮͑ΒΕͳ͍ύεϫʔυʯʹ͸ҙຯ͕ͳ͍ Ϧςϥγʔ͕ඞཁ ਺ֶతͳ଄ܮ ύεϫʔυΛ͍֮͑ͯΒΕΔهԱྗ ݁ہʮ͋ͳͨ·͔ͤʯͰ৴༻͢Δ͔͠ͳ͍

  19. গ͠Ͱ΋Ϛγʹ͢Δ޻෉ ύεϫʔυڧ౓ͷνΣοΧʔ จࣈ਺ จࣈछͷࠞ߹Λཁٻ ΞΧ΢ϯτID ͱͷൺֱɹetc… Ͱ΋ϢʔβϏϦςΟ͕ѱԽ͠·͢ΑͶʁ

  20. ࢖͍ճ͠͞ΕΔͳΒ
 ࢖͍ճͤΔΑ͏ʹ͢Ε͹ʁ

  21. ΞϓϦέʔγϣϯ࿈ܞೝূ OAuth, OpenID, YConnect, SAML APIΛ࢖ͬͯೝূʢೝՄʣΛ֎෦Ͱߦ͏ ೝূ৘ใͷ؅ཧ͕ෆཁʹͳΔ ೝূͱೝՄΛࠞಉͯ͠͸͍͚ͳ͍ http://d.hatena.ne.jp/ritou/20120206/1328484575

  22. Ϧςϥγʔʢʹґଘʛظ଴ʣ ͠ͳ͍ೝূͬͯͰ͖Δͷʁ

  23. Ϧςϥγʹґଘ͠ͳ͍ೝূ ཚ਺දɺτʔΫϯ ίετ͕ൃੜ ౪೉ɾฆࣦͷϦεΫ ੜମ৘ใೝূ ୅ସ͕ޮ͔ͳ͍ ࿙Ӯ͕ى͖ͨΒΞ΢τʢݸਓ৘ใʣ

  24. ଟཁૉೝূ ֤छͷೝূΛ૊Έ߹ΘͤΔ ύεʢϑϨʔζʛϫʔυʣ΁ͷґଘੑ͸ݮΔ ୺຤ೝূͳͲ΋૊Έ߹Θͤͷର৅ CAPTCHA ϢʔβϏϦςΟ͸མͪΔ

  25. facebook ͷଟཁૉೝূ ύεϫʔυೝূ IP / Cookie ʹΑΔ୺຤ೝূ ίʔυδΣωϨʔλʢܞଳ୺຤ݶఆʣ ϝʔϧ΍SMSʹΑΔ௨஌Λซ༻

  26. WebαʔϏεͷೝূର৅ Ϣʔβʔೝূ αʔόʔೝূʢvia TLSʣ αʔόʔূ໌ॻ ΫϥΠΞϯτೝূʢvia TLSʣ ΫϥΠΞϯτূ໌ॻ ࢖ΘΕ͍ͯͳ͔ͬͨ ͱ͍͏Մೳੑ͋Δʁ

  27. ܞଳ୺຤ͷೝূͬͯ
 Ͳ͏ͳ͍͚ͬͯͨͬʁ

  28. ܞଳ୺຤ͷಛ௃ ෳࡶͳσʔλͷೖྗ͕໘౗ ը໘͕খ͍͞ʢ৘ใྔ͕গͳ͍ʣ ϑϦοΫೖྗͱ͔޻෉͸ͯ͠·͚͢Ͳ ϢʔβೝূͰ͸ͳ͘୺຤ೝূ

  29. ܞଳ୺຤ͷ୺຤ೝূ UUIDʢUniversally Unique IDentifier) ຊདྷ͸෼ࢄॲཧͳͲͰͷ ID িಥճආ ʮதԝొ࿥ॲཧʯ͕ෆཁ ࣌ؒ৘ใͳͲݻ༗ͷ৘ใ͔Βੜ੒͢Δ

  30. ܞଳ୺຤ͷϢʔβೝূ ౪೉ɾฆࣦʹରԠ͢Δඞཁ͕͋Δ PINʢPersonal Identification Numberʣ εϫΠϓύλϯ ੜମ৘ใ ࢦ໲ɺإ etc…

  31. ͦΕɺ΋͏গ͠ ͳΜͱ͔ͳΓ·ͤΜ͔ʁ

  32. ୺຤ʹґଘ͠ͳ͍ೝূ ʮϦςϥγʯʹ΋ґଘ͠ͳ͍ ৬৔ɺҠಈதɺࣗ୐ Edge, Firefox, Chrome, Vivaldi PC, Tablet, Smart

    phone etc…

  33. FIDOೝূ Fast IDentity Online ೝূ৘ใΛ௨৴͠ͳ͍ ެ։伴҉߸ํࣜͷԠ༻ ϞδϡʔϧԽ͞ΕͯϕϯμʔϩοΫɾϑϦʔ ܧଓతೝূɺ҉໧తೝূɺίϯςΩετೝূ

  34. FIDOೝূͷ֓ཁ ൿີ伴 ެ։伴 νϟϨϯδ ೝূ ൿີ伴Ͱॺ໊ͨ͠νϟϨϯδ ެ։伴Ͱ ॺ໊ͷଥ౰ੑ νΣοΫ ൿີͷڞ༗͕ඞཁͳ͍ʂ

    ೝূͷํࣜʹґଘ͠ͳ͍ʂ ೝূث FIDOΫϥΠΞϯτ FIDOαʔόʔ

  35. FIDO 2.0 FIDO 1.0 ͷೋͭͷೝূثΛ౷߹ UAFʢUniversal Authentication Frameworkʣ U2FʢUniversal Second

    Factorʣ CTAP ͷಋೖ

  36. WebAuthn ͱ CTAP WebAuthn FIDO ೝূثͷͻͱͭ ύεϫʔυʢa.k.a. εΩϧʣʹґଘ͍ͯ͠ͳ͍ ݱࡏ W3C

    ͷ CRʢCandidate Recommendationʣ CTAPʢClient To Authenticator Protocolʣ

  37. ΋ͬͱৄ͘͠ʁ FIDOʹ͍ͭͯͷղઆʢ೔ຊޠʣ https://www.slideshare.net/FIDOAlliance/fido-83445442 https://fidoalliance.org/wp-content/uploads/FIDOTokyo- gomi-120816-ja.pdf W3Cͷ৘ใ https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.ja

  38. Q&A?