FIDO2をPHPで実装してみた

Transcript

1. FIDO2ΛPHPͰ࣮૷ͯ͠Έͨ 2020/04/08 koujimatsuda

2. ࣗݾ঺հ ➢দా߁࢘ʢ·ͭͩ͜͏͡ʣ ➢ؔ੢ͰΤϯδχΞ΍ͬͯ·͢ ➢Twitter:@koujimatsuda11 ➢facebook:kouji.matsuda.58

3. FIDO2ೝূͬͯԿʁ
 WEBαΠτͰ΋؆୯ʹࢦ໲ೝূ΍إೝূ͕Ͱ͖Δೝূ࢓༷ ύεϫʔυͷ͍Βͳ͍ੈք͕΍͖ͬͯ·͢ Android7.0ͷ࠷৽ͷChromeͰ͓ ࢼ͍ͩ͘͠͞ʢ2020೥2݄࣌఺ʣ

4. ύεϫʔυೝূ͸ɾɾɾ
 50ԯͷϢʔβ໊ͱύεϫʔυͷηοτ͕࿙Ӯ͍ͯ͠Δ (owasp asvs 4.0 v2ΑΓ) αΠτA αΠτB ID :

   [email protected] ύεϫʔυ : password IDͱύεϫʔυ͕౪·ΕΔ Ϣʔβ ߈ܸऀ ϩάΠϯ੒ޭ ύεϫʔυΛ࢖͍·Θ͍ͯ͠Δͱɾɾɾ

5. FIDO2ͷ࢓૊Έʢొ࿥ʣ
 Relyng Party ΫϥΠΞϯτ Authenticator ϩάΠϯID νϟϨϯδͳͲ νϟϨϯδɺRP৘ใͳͲ ࢦ໲ೝূ إೝূ

   ͳͲ 伴ϖΞ࡞੒ ެ։伴ͳͲ ެ։伴ͳͲ ݕূ ެ։伴ͷอଘ ެ։伴 ൿີ伴 νϟϨϯδͳͲ ੜ੒

6. FIDO2ͷ࢓૊Έʢొ࿥ʣ
 Relyng Party ΫϥΠΞϯτ Authenticator ϩάΠϯID νϟϨϯδͳͲ νϟϨϯδɺRP৘ใͳͲ ࢦ໲ೝূ إೝূ

   ͳͲ 伴ϖΞ࡞੒ ެ։伴ͳͲ ެ։伴ͳͲ ݕূ ެ։伴ͷอଘ ެ։伴 ൿີ伴 ࢦ໲৘ใ͸ෆཁ νϟϨϯδͳͲ ੜ੒

7. FIDO2ͷ࢓૊Έʢೝূʣ
 Relyng Party ΫϥΠΞϯτ Authenticator ϩάΠϯID νϟϨϯδͳͲ νϟϨϯδɺRP৘ใͳͲ ొ࿥࣌ͷೝূ ॺ໊

   ॺ໊ͳͲ ॺ໊ͳͲ ެ։伴Ͱݕূ ൿີ伴 νϟϨϯδͳͲ ੜ੒

8. σϞ

9. PHPͰ࣮૷͢ΔʢϥΠϒϥϦ࢖͏͚Ͳʣ

10. ࢖༻͢ΔϥΠϒϥϦ
 web-auth/webauthn-lib ▪Πϯετʔϧ ɹcomposer require web-auth/webauthn-lib ▪υΩϡϝϯτ https://webauthn-doc.spomky-labs.com/

11. FIDO2ͷ࢓૊Έʢొ࿥ʣ
 Relyng Party ΫϥΠΞϯτ Authenticator ϩάΠϯID νϟϨϯδͳͲ νϟϨϯδɺRP৘ใͳͲ ࢦ໲ೝূ إೝূ

    ͳͲ 伴ϖΞ࡞੒ ެ։伴ͳͲ ެ։伴ͳͲ ݕূ ެ։伴ͷอଘ ެ։伴 ൿີ伴 νϟϨϯδͳͲ ੜ੒ ࣮૷ൣғ API ϥΠϒϥϦ

12. FIDO2ͷ࢓૊Έʢೝূʣ
 Relyng Party ΫϥΠΞϯτ Authenticator ϩάΠϯID νϟϨϯδͳͲ νϟϨϯδɺRP৘ใͳͲ ొ࿥࣌ͷೝূ ॺ໊

    ॺ໊ͳͲ ॺ໊ͳͲ ެ։伴Ͱݕূ ൿີ伴 νϟϨϯδͳͲ ੜ੒ API ࣮૷ൣғ ϥΠϒϥϦ

13. ४උ͢Δ΋ͷ
 • طଘͷೝূػೳʢϩάΠϯIDͳͲʣɹ • PHPɹυΩϡϝϯτ͸7.2Ҏ্͕ͩɺ7.3.14Λ࢖ͬͨ • ެ։伴Λอଘ͢Δ΋ͷɹDBʹอଘͨ͠ • ηογϣϯػೳɹൃߦͨ͠νϟϨϯδΛอ؅͓ͯͨ͘͠Ί

14. ࣮૷ͷྲྀΕ
 1. ެ։伴Repositoryͷ࡞੒ 2. ϢʔβEntityͷ࡞੒ 3. RpServerͷ࡞੒ 4. ެ։伴Λొ࿥͢ΔͨΊʹAuthenticatorʹ౉͢optionΛ࡞੒ 5.

    Authenticator͔ΒϨεϙϯε͞ΕΔެ։伴Λอ؅͢Δ 6. ೝূΛ͢ΔͨΊʹAuthenticatorʹ౉͢optionΛ࡞੒ 7. Authenticator͔ΒϨεϙϯε͞ΕΔΛॺ໊Λݕূ͢Δ 8. طଘͷೝূʹ૊ΈࠐΉ ͜͜·ͰͰɺ4ʙ5ਓ೔͙Β͍͋Ε͹Ͱ͖Δ

15. ৄࡉ https://qiita.com/koujimatsuda11/items/47f00c9c4d6953377668

16. ·ͱΊ • ϥΠϒϥϦΛ͏·͘࢖͑͹ɺ؆୯ • ࢦ໲ೝূΛ࢖͑ΔσόΠε͸ݶఆతʢAndroidɺMacͳͲʣ • ѹ౗తϢʔβϏϦςΟʂʂʂ ਓྨ͕ύεϫʔυ͔Βղ์͞ΕΔະདྷΛ଴ͬͯ·͢ɻ