Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
パスワードの保存方法について Kanazawa.rb meetup #4
Search
Hitoshi Kurokawa
November 29, 2012
Programming
0
100
パスワードの保存方法について Kanazawa.rb meetup #4
Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室
Hitoshi Kurokawa
November 29, 2012
Tweet
Share
More Decks by Hitoshi Kurokawa
See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
krhitoshi
1
230
Rustで作るi386エミュレータ
krhitoshi
0
160
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
krhitoshi
2
1.4k
Other Decks in Programming
See All in Programming
try! Swift Tokyo 初参加報告LT
hinakko2
0
210
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
190
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
1.1k
Semantic search with Django and pgvector
pauloxnet
0
240
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
110
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
910
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k
Folding Cheat Sheet #2
philipschwarz
PRO
0
120
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
520
Site Reliability Engineering for GMO
pyama86
7
1k
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
3.9k
Featured
See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
The Cult of Friendly URLs
andyhume
74
5.7k
Building Applications with DynamoDB
mza
88
5.6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Building Flexible Design Systems
yeseniaperezcruz
318
37k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Producing Creativity
orderedlist
PRO
336
39k
Bash Introduction
62gerente
604
210k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
Transcript
ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r
b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ɹ ਔ ( @ k r h i t o s h i )
ࠇɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾհ
iOSΞϓϦ։ൃ ॕΧϨϯμʔ iPhone 170ԁ 360DL (20129݄) ້(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ
5,000DL (20129݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ 3ສ5,000DL (20118݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ
σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏
طଘͷΞϓϦ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ
ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ ԿͬͨΒ͍͍͔ͳͱ
ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐՈͰ͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ
ฏจ plain text ϋογϡؔ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ
ڧ ऑ
ฏจ plain text
ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication
succeeded” else puts “Authentication failed” end ཧऀɺ෦ͷਓ͕͙͢ʹͰѱ༻Ͱ͖ͯ͠·͏ ͪΖΜɺΫϥοΫ͞Εͨ߹
ϋογϡؔ hash function
ϋογϡͱ? άγϟ × ※উखͳΠϝʔδͰ͢ ͱʹͤͳ͍
Ұൠతͳϋογϡؔ MD5 SHA256 SHA512
MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256
% echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔΛͬͯΈΔ 32 จࣈ 64 จࣈ
େ͖͍ϑΝΠϧʹϋογϡؔ Λ͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3
CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso
ϋογϡؔʹٻΊΒΕΔੑ࣭ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత͍ େ͖ͳσʔλϋογϡԽͰ͖ΔΑ͏ʹ
http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷΘΓʹอଘ͞Εͨ࣌ظ͋ͬͨ
ʮϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ
؆୯ͳϋογϡGoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44
ฏจ͕͢͞ʹϚζΠɾɾɾ ϋογϡؔΛͦͷ··͏ͷ2012࣌ Ͱ͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt
(Blowfish cipher based) ฏจ < ϋογϡؔ < ύεϫʔυϋογϡ
͓ɹΘɹΓ
ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2
ύεϫʔυϋογϡ passowrd hash Λ͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish
cipher based)
ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ
ύεϫʔυϋογϡͷಛ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ ܭࢉ͕ൺֱత͍ 1ඵؒʹࢼͤΔύεϫʔυͷ͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →
܁Γฦ͠ܭࢉ͍ͯͯ͘͠͠Δ ͗͢ΔͷͰ͋Ε͘͢Ε͍͍͡Όͳ͍͔??
ओʹUNIXͷϢʔβೝূͰ ΘΕ͍ͯΔͷ͕༗໊ crypt(3)
/etc/passwd /etc/shadow /etc/master.passwd ͕ࣗཧͯ͠Δαʔόͱ͔͋Ε cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::
UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based
(SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻
ݱ࣌Ͱbcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ༻Ͱ͖Δ ඪ४Ͱ๛ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost
Salt (22จࣈ) Type 04 ͔Β 31
http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual
PHPؤுͬͯΔͶ
http://gihyo.jp/dev/serial/01/php-security/0043
bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256
SHA512 MD5 based (MD5crypt) scrypt PBKDF2
$1$ 20126݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html
bcrypt 19996݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html
glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 20079݄ http://www.akkadia.org/drepper/sha-crypt.html
phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ
ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ͢Δ ύεϫʔυϋογϡͷͰैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏100%҆શͱ͍͏͜ͱͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ͏ phpass ͲΜͳอଘํ๏ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ ΔύεϫʔυอଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱେ
͓ɹΘɹΓ