Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
パスワードの保存方法について Kanazawa.rb meetup #4
Search
Hitoshi Kurokawa
November 29, 2012
Programming
0
110
パスワードの保存方法について Kanazawa.rb meetup #4
Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室
Hitoshi Kurokawa
November 29, 2012
Tweet
Share
More Decks by Hitoshi Kurokawa
See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
krhitoshi
1
320
Rustで作るi386エミュレータ
krhitoshi
0
250
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
krhitoshi
2
1.5k
Other Decks in Programming
See All in Programming
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
ivry_presentationmaterials
1
200
GraphRAGの仕組みまるわかり
tosuri13
7
450
A comprehensive view of refactoring
marabesi
0
970
データベースコネクションプール(DBCP)の変遷と理解
fujikawa8
1
270
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
1
300
Haskell でアルゴリズムを抽象化する / 関数型言語で競技プログラミング
naoya
17
4.8k
[初登壇@jAZUG]アプリ開発者が気になるGoogleCloud/Azure+wasm/wasi
asaringo
0
130
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
11
2.8k
来たるべき 8.0 に備えて React 19 新機能と React Router 固有機能の取捨選択とすり合わせを考える
oukayuka
2
820
エンジニア向け採用ピッチ資料
inusan
0
140
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
1
320
Benchmark
sysong
0
230
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
YesSQL, Process and Tooling at Scale
rocio
173
14k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
A Tale of Four Properties
chriscoyier
160
23k
We Have a Design System, Now What?
morganepeng
52
7.6k
Building a Modern Day E-commerce SEO Strategy
aleyda
41
7.3k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
490
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Designing Experiences People Love
moore
142
24k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Transcript
ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r
b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ɹ ਔ ( @ k r h i t o s h i )
ࠇɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾհ
iOSΞϓϦ։ൃ ॕΧϨϯμʔ iPhone 170ԁ 360DL (20129݄) ້(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ
5,000DL (20129݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ 3ສ5,000DL (20118݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ
σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏
طଘͷΞϓϦ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ
ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ ԿͬͨΒ͍͍͔ͳͱ
ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐՈͰ͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ
ฏจ plain text ϋογϡؔ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ
ڧ ऑ
ฏจ plain text
ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication
succeeded” else puts “Authentication failed” end ཧऀɺ෦ͷਓ͕͙͢ʹͰѱ༻Ͱ͖ͯ͠·͏ ͪΖΜɺΫϥοΫ͞Εͨ߹
ϋογϡؔ hash function
ϋογϡͱ? άγϟ × ※উखͳΠϝʔδͰ͢ ͱʹͤͳ͍
Ұൠతͳϋογϡؔ MD5 SHA256 SHA512
MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256
% echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔΛͬͯΈΔ 32 จࣈ 64 จࣈ
େ͖͍ϑΝΠϧʹϋογϡؔ Λ͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3
CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso
ϋογϡؔʹٻΊΒΕΔੑ࣭ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత͍ େ͖ͳσʔλϋογϡԽͰ͖ΔΑ͏ʹ
http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷΘΓʹอଘ͞Εͨ࣌ظ͋ͬͨ
ʮϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ
؆୯ͳϋογϡGoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44
ฏจ͕͢͞ʹϚζΠɾɾɾ ϋογϡؔΛͦͷ··͏ͷ2012࣌ Ͱ͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt
(Blowfish cipher based) ฏจ < ϋογϡؔ < ύεϫʔυϋογϡ
͓ɹΘɹΓ
ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2
ύεϫʔυϋογϡ passowrd hash Λ͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish
cipher based)
ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ
ύεϫʔυϋογϡͷಛ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ ܭࢉ͕ൺֱత͍ 1ඵؒʹࢼͤΔύεϫʔυͷ͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →
܁Γฦ͠ܭࢉ͍ͯͯ͘͠͠Δ ͗͢ΔͷͰ͋Ε͘͢Ε͍͍͡Όͳ͍͔??
ओʹUNIXͷϢʔβೝূͰ ΘΕ͍ͯΔͷ͕༗໊ crypt(3)
/etc/passwd /etc/shadow /etc/master.passwd ͕ࣗཧͯ͠Δαʔόͱ͔͋Ε cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::
UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based
(SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻
ݱ࣌Ͱbcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ༻Ͱ͖Δ ඪ४Ͱ๛ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost
Salt (22จࣈ) Type 04 ͔Β 31
http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual
PHPؤுͬͯΔͶ
http://gihyo.jp/dev/serial/01/php-security/0043
bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256
SHA512 MD5 based (MD5crypt) scrypt PBKDF2
$1$ 20126݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html
bcrypt 19996݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html
glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 20079݄ http://www.akkadia.org/drepper/sha-crypt.html
phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ
ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ͢Δ ύεϫʔυϋογϡͷͰैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏100%҆શͱ͍͏͜ͱͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ͏ phpass ͲΜͳอଘํ๏ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ ΔύεϫʔυอଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱେ
͓ɹΘɹΓ