パスワードの保存方法について Kanazawa.rb meetup #4

Transcript

1. ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r

   b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ୔ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ઒ ɹ ਔ ( @ k r h i t o s h i )

2. ࠇ઒ɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇ઒ਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾ঺հ

3. iOSΞϓϦ։ൃ ॕ೔ΧϨϯμʔ iPhone 170ԁ ໿360DL (2012೥9݄) ້૝(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ

   ໿5,000DL (2012೥9݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(೔ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ ໿3ສ5,000DL (2011೥8݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ

4. σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏

5. طଘͷΞϓϦ͸ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ

6. ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ͸ Կ࢖ͬͨΒ͍͍͔ͳͱ

7. ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐ໳ՈͰ͸͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ

8. ฏจ plain text ϋογϡؔ਺ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ

   ڧ ऑ

9. ฏจ plain text

10. ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication

    succeeded” else puts “Authentication failed” end ؅ཧऀɺ಺෦ͷਓ͕͙͢ʹͰ΋ѱ༻Ͱ͖ͯ͠·͏ ΋ͪΖΜɺΫϥοΫ͞Εͨ৔߹΋

11. ϋογϡؔ਺ hash function

12. ϋογϡͱ͸? άγϟ × ※উखͳΠϝʔδͰ͢ ΋ͱʹ໭ͤͳ͍

13. Ұൠతͳϋογϡؔ਺ MD5 SHA256 SHA512

14. MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256

    % echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔ਺Λ࢖ͬͯΈΔ 32 จࣈ 64 จࣈ

15. େ͖͍ϑΝΠϧʹ΋ϋογϡؔ ਺Λ࢖͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3

    CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso

16. ϋογϡؔ਺ʹٻΊΒΕΔੑ࣭ ϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑͹ϋογϡ஋͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత଎͍ େ͖ͳσʔλ΋ϋογϡԽͰ͖ΔΑ͏ʹ

17. http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷ୅ΘΓʹอଘ͞Εͨ࣌ظ΋͋ͬͨ

18. ʮϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ

19. ؆୯ͳϋογϡ͸GoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44

20. ฏจ͸͕͢͞ʹϚζΠɾɾɾ ϋογϡؔ਺Λͦͷ··࢖͏ͷ΋2012೥࣌ ఺Ͱ͸΋͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ࢖͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt

    (Blowfish cipher based) ฏจ < ϋογϡؔ਺ < ύεϫʔυϋογϡ

21. ͓ɹΘɹΓ

22. ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2

23. ύεϫʔυϋογϡ passowrd hash Λ࢖͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish

    cipher based)

24. ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ

25. ύεϫʔυϋογϡͷಛ௃ ϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺ͹ΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑͹ϋογϡ஋͕ҧ͏ ܭࢉ͕ൺֱత଎͍ 1ඵؒʹࢼͤΔύεϫʔυͷ਺͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯౰ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →

    ܁Γฦ͠ܭࢉͯ͠஗͍ͯ͘͠Δ ଎͗͢ΔͷͰ͋Ε͹஗͘͢Ε͹͍͍͡Όͳ͍͔??

26. ओʹUNIXͷϢʔβೝূͰ ࢖ΘΕ͍ͯΔ΋ͷ͕༗໊ crypt(3)

27. /etc/passwd /etc/shadow /etc/master.passwd ࣗ෼͕؅ཧͯ͠Δαʔόͱ͔͋Ε͹ cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::

28. UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based

    (SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ࢖༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻

29. ݱ࣌఺Ͱ͸bcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ࢖༻Ͱ͖Δ ඪ४Ͱ๛෋ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost

    Salt (22จࣈ) Type 04 ͔Β 31

30. http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual

31. PHPؤுͬͯΔͶ

32. http://gihyo.jp/dev/serial/01/php-security/0043

33. bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256

    SHA512 MD5 based (MD5crypt) scrypt PBKDF2

34. $1$ 2012೥6݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html

35. bcrypt 1999೥6݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html

36. glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 2007೥9݄ http://www.akkadia.org/drepper/sha-crypt.html

37. phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ

38. ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ୒͢Δ ύεϫʔυϋογϡͷ෼໺Ͱ͸ैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏΋100%҆શͱ͍͏͜ͱ͸ͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ࢖͏ phpass౳ ͲΜͳอଘํ๏΋ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ͸ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ Δύεϫʔυ͸อଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱ΋େ੾

39. ͓ɹΘɹΓ