Upgrade to Pro — share decks privately, control downloads, hide ads and more …

第八回 #渋谷java - Java 8 で造る認証系

KOMIYA Atsushi
September 20, 2014
Programming
10
5.1k

第八回 #渋谷java - Java 8 で造る認証系

第八回 #渋谷java http://shibuya-java.connpass.com/event/8212/ での発表資料です。 サンプル実装は https://gist.github.com/komiya-atsushi/6ffac79533c3bfad8bba こちらです。

KOMIYA Atsushi

September 20, 2014
Tweet

More Decks by KOMIYA Atsushi

See All by KOMIYA Atsushi
#JJUG Java における乱数生成器とのつき合い方
komiya_atsushi
5
4.8k
#JJUG Fork/Join フレームワークを効率的に正しく使いたい
komiya_atsushi
0
410
[#JSUG] SmartNews における container friendly な Spring Boot アプリケーション開発
komiya_atsushi
1
11k
Java のデータ圧縮ライブラリを極める #jjug_ccc #ccc_c7
komiya_atsushi
4
4.2k
#devsumi 自然言語処理・機械学習によるファクトチェック業務の支援
komiya_atsushi
1
4k
SmartNews Ads における機械学習の活用とその運用 #mlops
komiya_atsushi
3
19k
GBDT によるクリック率予測を高速化したい #オレシカナイト vol.4
komiya_atsushi
5
1.2k
Maven central repository の artifact をランキングする #渋谷java
komiya_atsushi
0
1.1k
確率的データ構造を Java で扱いたい! #JJUG
komiya_atsushi
6
2.1k

Other Decks in Programming

See All in Programming
Build with AI 2024 Seoul - 제로부터 시작하는 Flutter with Gemini 생활 - 박제창
itsmedreamwalker
0
200
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5k
PHPはいつから死んでいるかの調査
chiroruxx
1
320
Git Lint
bkuhlmann
4
750
SwiftUI Performance 不要なViewの再描画と更新を抑える
bigamitiongit
1
160
Elm 0.19.0 Changes
bkuhlmann
0
490
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
220
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
910
코틀린으로 멀티플랫폼 만들기
pangmoo
0
130
Rethinking UI building strategies @ SFI 2024
letelete
0
270
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
840
Snowflakeで眠ったデータを起こそう!
estie
0
110

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
132
6.3k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
Typedesign – Prime Four
hannesfritz
36
2.1k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Gamification - CAS2011
davidbonilla
76
4.6k
Optimizing for Happiness
mojombo
370
69k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Practical Orchestrator
shlominoach
181
9.7k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Scaling GitHub
holman
457
140k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k

Transcript

  1. Java 8 Ͱ଄Δೝূܥ ौ୩java #8 2014-09-20 at BizReach @komiya_atsushi

  2. ͓·ͩΕ

  3. ,0.*:""UTVTIJ !LPNJZB@BUTVTIJ

  4. None

  5. ʮੈքதͷྑ࣭ͳ৘ใΛඞཁͳਓʹૹΓಧ͚Δʯ ͨΊʹɺौ୩ɾࡩٰொͰ ೔ʑδϟόδϟό͍ͯ͠·͢

  6. ຊ೔ͷ͓࿩

  7. CZ+PTIVB/F⒎IUUQTqJDLSQDO"&T ͍͔Μͱ΋͠೉͍ཧ༝ʹΑΓ ೝূܥΛࣗ࡞͠ͳ͚Ε͹ ͳΒͳ͘ͳͬͯ͠·ͬͨ ʜΈ͍ͨͳέʔεΛ૝ఆ

  8. ೝূܥʁ

  9. ೝূܥʁ

  10. ͜Ε ೝূܥʁ

  11. ͍ΘΏΔϑΥʔϜೝূͬͯ΍ͭͰ͢ ͜Ε ೝূܥʁ

  12. μϝͳೝূܥ͋Δ͋Δ

  13. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏

  14. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ

  15. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ

  16. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ

  17. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ

  18. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ • ύεϫʔυ + java.util.Random#nextBytes() Ͱੜ੒ͨ͠ݸผͷ salt Λ SHA-1 ͰϋογϡԽ

  19. Ͳ͏͢Ε͹͍͍ͷ͔ʁ

  20. ؾΛ͚ͭΔ΂͖͜ͱ

  21. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ

  22. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ

  23. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc.

  24. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ

  25. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc.

  26. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc. • ετϨονϯά͢Δ

  27. Java 8 Ͱ΍ͬͯΈΑ͏

  28. Java Cryptography Architecture Oracle Providers Documentation • Java 7 :


    http://docs.oracle.com/javase/7/docs/ technotes/guides/security/SunProviders.html • Java 8 :
 http://docs.oracle.com/javase/8/docs/ technotes/guides/security/SunProviders.html

  29. ҉߸࿦తٖࣅཚ਺ੜ੒ثͰ salt Λੜ੒͢Δ

  30. SecureRandom#nextBytes()

  31. ҉߸࿦తٖࣅཚ਺ੜ੒ثͷ࣮૷ • Java 7 Ҏલ͔Βଘࡏ & શϓϥοτϑΥʔϜαϙʔτ • SHA1PRNG •

    Java 8 Ҏ߱ & Solaris / Linux / OS X ͷΈαϙʔτ • NativePRNG • NativePRNGBlocking • NativePRNGNonBlocking

  32. PBKDF2 ͰετϨονϯάͨ͠ϋογϡ஋ΛಘΔ

  33. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕)

  34. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕) ετϨονϯά

  35. ετϨονϯά • ܁Γฦ͠ճ਺ͷઃఆ • CPU ϦιʔεΛফඅ͢Δ͜ͱʹ஫ҙ • DoS ߈ܸͷखஈʹͳΓ͏Δ •

    ࢀߟ : 1Password • https://learn2.agilebits.com/1Password4/Security/PBKDF2- overview.html • 10,000 ճΒ͍͠

  36. SecretKeyFactory .getInstance()

  37. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  38. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  39. https://gist.github.com/ komiya-atsushi/ 6ffac79533c3bfad8bba

  40. ·ͱΊ

  41. ͜͜·Ͱॻ͍͓͍ͯͯͳΜͰ͕͢ • ೝূܥͷࣗ࡞͸΍Ί·͠ΐ͏ • ʮṷ͸ṷ԰ʯ • ʢ࢖ͬͨ͜ͱͳ͍Ͱ͕͢ʣApache Shiro ͱ͔ Spring

    Security ͱ͔࢖͏ͱ͍͍Μ͡Όͳ͍Ͱ͔͢Ͷʁ • “Apache Shiro Λ࢖ͬͯΈͨ”
 http://www.slideshare.net/chonaso/java-apache- shiro

  42. େਓͷࣄ৘ͰೝূܥΛࣗ࡞͠ͳ͖Ό ͍͚ͳ͍ͱ͖͸ • ҎԼΛ͖ͪΜͱҙࣝͯ͠࡞ΔΑ͏ʹ͠·͠ΐ͏ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث

    (CSPRNG) Ͱ salt Λੜ੒͢Δ • SecureRandom • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • PBKDF2WithHmacSHA* • ετϨονϯά͢Δ • PBEKeySpec

  43. 5IBOLT

  44. None

  45. ৄ͘͠͸ҎԼͷ URL Ͱʂ http://www.smartnews.co.jp/recruit/ • iOS ΤϯδχΞ • Android ΤϯδχΞ

    • αʔόαΠυΤϯδχΞ • ػցֶशʗࣗવݴޠॲཧΤϯδχΞ • Web ΞϓϦέʔγϣϯΤϯδχΞ • ޿ࠂΤϯδχΞ • άϩʔεϋοΫΤϯδχΞ • ϓϩμΫςΟϏςΟΤϯδχΞ • αϙʔτΤϯδχΞ