Upgrade to Pro — share decks privately, control downloads, hide ads and more …

パスワードの保存方法について Kanazawa.rb meetup #4

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Hitoshi Kurokawa Hitoshi Kurokawa
November 29, 2012
Programming
120
0

パスワードの保存方法について Kanazawa.rb meetup #4

Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室

Avatar for Hitoshi Kurokawa

Hitoshi Kurokawa

November 29, 2012

More Decks by Hitoshi Kurokawa

See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
Avatar for Hitoshi Kurokawa krhitoshi
1
380
Rustで作るi386エミュレータ
Avatar for Hitoshi Kurokawa krhitoshi
0
290
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
Avatar for Hitoshi Kurokawa krhitoshi
2
1.5k

Other Decks in Programming

See All in Programming
肥大化するレガシーコードに立ち向かうためのインターフェース分離と依存の逆転 / JJUG CCC 2026 Spring
Avatar for hirokuni-maeta hirokunimaeta
0
500
AI時代の仕事技芸論 — ソフトウェア開発で「遊ぶように働く」職人的熟達のすすめ
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
610
3Dシーンの圧縮
Avatar for Fadis fadis
1
650
Copilot CLI の継戦能力を高める コンテキスト管理
Avatar for Nozomuts nozomutu
1
1.2k
Webフレームワークの ベンチマークについて
Avatar for Yusuke Wada yusukebe
0
130
密結合なバックエンドから TypeScript のコードを生成する
Avatar for kemuridama kemuridama
1
740
Technical Debt: Understanding it Rightly, Engaging it Rightly #LaravelLiveJP
Avatar for shogogg shogogg
0
190
The NotImplementedError Problem in Ruby
Avatar for Koichi ITO koic
1
600
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
150
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
300
さぁV100、メモリをお食べ・・・
Avatar for nilpe nilpe
0
130
プラグインで拡張される Context をtype-safe にする難しさと設計判断
Avatar for kazupon kazupon
2
590

Featured

See All Featured
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
Navigating Weather and Climate Data
Avatar for Ryan Abernathey rabernat
0
210
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
27k
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
1.1k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.5k
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
3
600
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
11k
Docker and Python
Avatar for Tania Allard trallard
47
3.9k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.3k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
Avatar for Aleyda Solis aleyda
1
2.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
201
75k

Transcript

  1. ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r

    b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ୔ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ઒ ɹ ਔ ( @ k r h i t o s h i )

  2. ࠇ઒ɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇ઒ਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾ঺հ

  3. iOSΞϓϦ։ൃ ॕ೔ΧϨϯμʔ iPhone 170ԁ ໿360DL (2012೥9݄) ້૝(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ

    ໿5,000DL (2012೥9݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(೔ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ ໿3ສ5,000DL (2011೥8݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ

  4. σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏

  5. طଘͷΞϓϦ͸ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ

  6. ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ͸ Կ࢖ͬͨΒ͍͍͔ͳͱ

  7. ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐ໳ՈͰ͸͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ

  8. ฏจ plain text ϋογϡؔ਺ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ

    ڧ ऑ

  9. ฏจ plain text

  10. ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication

    succeeded” else puts “Authentication failed” end ؅ཧऀɺ಺෦ͷਓ͕͙͢ʹͰ΋ѱ༻Ͱ͖ͯ͠·͏ ΋ͪΖΜɺΫϥοΫ͞Εͨ৔߹΋

  11. ϋογϡؔ਺ hash function

  12. ϋογϡͱ͸? άγϟ × ※উखͳΠϝʔδͰ͢ ΋ͱʹ໭ͤͳ͍

  13. Ұൠతͳϋογϡؔ਺ MD5 SHA256 SHA512

  14. MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256

    % echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔ਺Λ࢖ͬͯΈΔ 32 จࣈ 64 จࣈ

  15. େ͖͍ϑΝΠϧʹ΋ϋογϡؔ ਺Λ࢖͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3

    CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso

  16. ϋογϡؔ਺ʹٻΊΒΕΔੑ࣭ ϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑͹ϋογϡ஋͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత଎͍ େ͖ͳσʔλ΋ϋογϡԽͰ͖ΔΑ͏ʹ

  17. http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷ୅ΘΓʹอଘ͞Εͨ࣌ظ΋͋ͬͨ

  18. ʮϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ

  19. ؆୯ͳϋογϡ͸GoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44

  20. ฏจ͸͕͢͞ʹϚζΠɾɾɾ ϋογϡؔ਺Λͦͷ··࢖͏ͷ΋2012೥࣌ ఺Ͱ͸΋͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ࢖͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt

    (Blowfish cipher based) ฏจ < ϋογϡؔ਺ < ύεϫʔυϋογϡ

  21. ͓ɹΘɹΓ

  22. ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2

  23. ύεϫʔυϋογϡ passowrd hash Λ࢖͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish

    cipher based)

  24. ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ

  25. ύεϫʔυϋογϡͷಛ௃ ϋογϡ஋͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺ͹ΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑͹ϋογϡ஋͕ҧ͏ ܭࢉ͕ൺֱత଎͍ 1ඵؒʹࢼͤΔύεϫʔυͷ਺͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯౰ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →

    ܁Γฦ͠ܭࢉͯ͠஗͍ͯ͘͠Δ ଎͗͢ΔͷͰ͋Ε͹஗͘͢Ε͹͍͍͡Όͳ͍͔??

  26. ओʹUNIXͷϢʔβೝূͰ ࢖ΘΕ͍ͯΔ΋ͷ͕༗໊ crypt(3)

  27. /etc/passwd /etc/shadow /etc/master.passwd ࣗ෼͕؅ཧͯ͠Δαʔόͱ͔͋Ε͹ cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::

  28. UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based

    (SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ࢖༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻

  29. ݱ࣌఺Ͱ͸bcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ࢖༻Ͱ͖Δ ඪ४Ͱ๛෋ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost

    Salt (22จࣈ) Type 04 ͔Β 31

  30. http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual

  31. PHPؤுͬͯΔͶ

  32. http://gihyo.jp/dev/serial/01/php-security/0043

  33. bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256

    SHA512 MD5 based (MD5crypt) scrypt PBKDF2

  34. $1$ 2012೥6݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html

  35. bcrypt 1999೥6݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html

  36. glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 2007೥9݄ http://www.akkadia.org/drepper/sha-crypt.html

  37. phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ

  38. ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ୒͢Δ ύεϫʔυϋογϡͷ෼໺Ͱ͸ैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏΋100%҆શͱ͍͏͜ͱ͸ͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ࢖͏ phpass౳ ͲΜͳอଘํ๏΋ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ͸ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ Δύεϫʔυ͸อଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱ΋େ੾

  39. ͓ɹΘɹΓ