Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
パスワードの保存方法について Kanazawa.rb meetup #4
Search
Hitoshi Kurokawa
November 29, 2012
Programming
0
110
パスワードの保存方法について Kanazawa.rb meetup #4
Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室
Hitoshi Kurokawa
November 29, 2012
Tweet
Share
More Decks by Hitoshi Kurokawa
See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
krhitoshi
1
330
Rustで作るi386エミュレータ
krhitoshi
0
250
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
krhitoshi
2
1.5k
Other Decks in Programming
See All in Programming
なんとなくわかった気になるブロックテーマ入門/contents.nagoya 2025 6.28
chiilog
1
280
The Niche of CDK Grant オブジェクトって何者?/the-niche-of-cdk-what-isgrant-object
hassaku63
1
500
RailsGirls IZUMO スポンサーLT
16bitidol
0
190
AI時代のソフトウェア開発を考える(2025/07版) / Agentic Software Engineering Findy 2025-07 Edition
twada
PRO
97
34k
システム成長を止めない!本番無停止テーブル移行の全貌
sakawe_ee
1
220
Porting a visionOS App to Android XR
akkeylab
0
660
顧客の画像データをテラバイト単位で配信する 画像サーバを WebP にした際に起こった課題と その対応策 ~継続的な取り組みを添えて~
takutakahashi
1
310
Azure AI Foundryではじめてのマルチエージェントワークフロー
seosoft
0
190
Startups on Rails in Past, Present and Future–Irina Nazarova, RailsConf 2025
irinanazarova
0
200
Webの外へ飛び出せ NativePHPが切り拓くPHPの未来
takuyakatsusa
2
580
AIプログラマーDevinは PHPerの夢を見るか?
shinyasaita
1
240
「テストは愚直&&網羅的に書くほどよい」という誤解 / Test Smarter, Not Harder
munetoshi
0
190
Featured
See All Featured
Gamification - CAS2011
davidbonilla
81
5.4k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
Producing Creativity
orderedlist
PRO
346
40k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
700
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
21k
What's in a price? How to price your products and services
michaelherold
246
12k
Testing 201, or: Great Expectations
jmmastey
43
7.6k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
54k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Transcript
ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r
b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ɹ ਔ ( @ k r h i t o s h i )
ࠇɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾհ
iOSΞϓϦ։ൃ ॕΧϨϯμʔ iPhone 170ԁ 360DL (20129݄) ້(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ
5,000DL (20129݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ 3ສ5,000DL (20118݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ
σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏
طଘͷΞϓϦ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ
ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ ԿͬͨΒ͍͍͔ͳͱ
ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐՈͰ͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ
ฏจ plain text ϋογϡؔ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ
ڧ ऑ
ฏจ plain text
ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication
succeeded” else puts “Authentication failed” end ཧऀɺ෦ͷਓ͕͙͢ʹͰѱ༻Ͱ͖ͯ͠·͏ ͪΖΜɺΫϥοΫ͞Εͨ߹
ϋογϡؔ hash function
ϋογϡͱ? άγϟ × ※উखͳΠϝʔδͰ͢ ͱʹͤͳ͍
Ұൠతͳϋογϡؔ MD5 SHA256 SHA512
MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256
% echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔΛͬͯΈΔ 32 จࣈ 64 จࣈ
େ͖͍ϑΝΠϧʹϋογϡؔ Λ͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3
CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso
ϋογϡؔʹٻΊΒΕΔੑ࣭ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత͍ େ͖ͳσʔλϋογϡԽͰ͖ΔΑ͏ʹ
http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷΘΓʹอଘ͞Εͨ࣌ظ͋ͬͨ
ʮϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ
؆୯ͳϋογϡGoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44
ฏจ͕͢͞ʹϚζΠɾɾɾ ϋογϡؔΛͦͷ··͏ͷ2012࣌ Ͱ͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt
(Blowfish cipher based) ฏจ < ϋογϡؔ < ύεϫʔυϋογϡ
͓ɹΘɹΓ
ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2
ύεϫʔυϋογϡ passowrd hash Λ͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish
cipher based)
ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ
ύεϫʔυϋογϡͷಛ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ ܭࢉ͕ൺֱత͍ 1ඵؒʹࢼͤΔύεϫʔυͷ͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →
܁Γฦ͠ܭࢉ͍ͯͯ͘͠͠Δ ͗͢ΔͷͰ͋Ε͘͢Ε͍͍͡Όͳ͍͔??
ओʹUNIXͷϢʔβೝূͰ ΘΕ͍ͯΔͷ͕༗໊ crypt(3)
/etc/passwd /etc/shadow /etc/master.passwd ͕ࣗཧͯ͠Δαʔόͱ͔͋Ε cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::
UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based
(SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻
ݱ࣌Ͱbcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ༻Ͱ͖Δ ඪ४Ͱ๛ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost
Salt (22จࣈ) Type 04 ͔Β 31
http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual
PHPؤுͬͯΔͶ
http://gihyo.jp/dev/serial/01/php-security/0043
bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256
SHA512 MD5 based (MD5crypt) scrypt PBKDF2
$1$ 20126݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html
bcrypt 19996݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html
glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 20079݄ http://www.akkadia.org/drepper/sha-crypt.html
phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ
ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ͢Δ ύεϫʔυϋογϡͷͰैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏100%҆શͱ͍͏͜ͱͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ͏ phpass ͲΜͳอଘํ๏ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ ΔύεϫʔυอଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱେ
͓ɹΘɹΓ