Building Full-Scratch WebAuthn/Passkey Authentication in Perl / Demonstration of full-scratch WebAuthn/Passkey Authentication written in Perl

YAPC::Hiroshima 2024

mackee

February 10, 2024

Transcript

  1. Speaker introduction
     • X: @macopy
     • GitHub: @mackee
     • KAYAC Inc. (面白法人カヤック)
     • Server-side engineer on Tonamel
     • Graduate of Hiroshima Institute of Technology

  2. Today's agenda
     • Self-introduction etc. 15:00〜15:05 <= we are here
     • Overview of WebAuthn and passkeys 15:05〜15:10
     • Registration implementation 15:10〜15:25
     • Login implementation 15:25〜15:35
     • Wrap-up (buffer) 15:35〜15:40

  3. Today's agenda (the same items as slide 2, shown again as a section divider)

  4. What is a passkey?
     • Strict definition: WebAuthn using a Discoverable Credential
     • The key is stored as a set together with the user name and similar data
     • For an RP (site), the usable IDs and their public keys can be enumerated as pairs
     • The word is also used for the UX that makes WebAuthn convenient (cloud sync, passkey autofill, MFA via biometrics, and so on) and as a term telling users that WebAuthn is an available login method

  5. Today's agenda (the same items as slide 2)

  6. Registration flow (sequence diagram; participants: user, browser, authenticator, server. The challenge lives in the server session, the private key in the authenticator, the public key at the server)
     ① "I want to register"
     ② (arrow without a caption on the slide)
     ③ "These are the parameters you need for registration" (session, challenge)
     ④ "Create a key for this site"
     ⑤ (arrow without a caption on the slide) private key
     ⑥ "Here is the public key I created"
     ⑦ "Here are the key and the challenge"
     ⑧ Verify the challenge
     ⑨ Store the public key

  7. Unpacking the Attestation Object
     • a32: a 32-byte binary string
     • N: a big-endian 32-bit unsigned int
     • n/a: read a 16-bit unsigned int, treat it as a length, and take that many bytes
     • a*: everything remaining, as a binary string

  8. Column: `attStmt`
     • attStmt is the information used for things such as verifying the signature over the public key
     • Security keys such as Yubikey set fmt to `fido-u2f`
     • With the certificate and signature written in `attStmt`, you can verify that the private/public key pair was issued by a genuine security key
     • For passkeys, none is sometimes set
     • 1Password uses none, iCloud Keychain uses `packed`, Google Password Manager uses …, Windows Hello uses tpm

  9. Today's agenda (the same items as slide 2)

  10. Today's agenda (the same items as slide 2)

  11. Wrap-up 2
     • There are many complicated parts, so for real work you should use a library
     • Perlbatross uses SimpleWebAuthn + Authen::WebAuthn
     • When writing the code for this talk, I also referred a lot to the internals of existing libraries
     • Quite a lot of the verification steps in the spec are skipped here
     • But knowing how it works makes debugging go much faster, so writing it once yourself deepens your understanding

  12. References
     • W3C Web Authentication: An API for accessing Public Key Credentials Level 2 https://www.w3.org/TR/webauthn-2/
     • MDN Web Authentication API https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API
     • mercari engineering: WebAuthn ことはじめ (Getting started with WebAuthn) https://engineering.mercari.com/blog/entry/2019-06-04-120000/
     • WEB+DB PRESS Vol.136, feature 2: 実戦投入パスキー (Putting passkeys into production)
     • Digital Identity 技術勉強会 (Digital Identity Technical Study Group) Advent Calendar 2023 https://qiita.com/advent-calendar/2023/iddance
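An added example, not code from the talk or from the Perlbatross project: it parses authenticator data with the unpack tokens from slide 7 and applies the registration-side checks from the flow on slide 6 (rpIdHash and flags). It assumes only Digest::SHA from core Perl; the authData is constructed inline with pack, with placeholder bytes standing in for the COSE public key.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha256);

# Flag bits of authData.flags as defined by the WebAuthn spec
use constant { FLAG_UP => 0x01, FLAG_UV => 0x04, FLAG_AT => 0x40 };

# Split authenticator data with the unpack tokens from slide 7:
#   a32 rpIdHash, C flags (1 byte), N signCount (big-endian 32-bit),
#   a16 AAGUID, n/a credentialId prefixed by its 16-bit length,
#   a*  the remaining bytes, i.e. the COSE public key (CBOR, left opaque here)
sub parse_auth_data {
    my ($auth_data) = @_;
    die "authData shorter than the 37-byte fixed header\n" if length($auth_data) < 37;
    my ($rp_id_hash, $flags, $sign_count) = unpack('a32 C N', $auth_data);
    my %parsed = (rp_id_hash => $rp_id_hash, flags => $flags, sign_count => $sign_count);
    if ($flags & FLAG_AT) {    # attested credential data is present only when AT is set
        @parsed{qw(aaguid credential_id cose_key)} = unpack('x37 a16 n/a a*', $auth_data);
    }
    return \%parsed;
}

# Registration-side checks on the parsed authData (rpIdHash and flags);
# the challenge check from the flow diagram is done on clientDataJSON, not here.
sub verify_registration_auth_data {
    my ($parsed, $rp_id) = @_;
    return 'rpIdHash mismatch'        if $parsed->{rp_id_hash} ne sha256($rp_id);
    return 'user presence flag unset' unless $parsed->{flags} & FLAG_UP;
    return 'no attested credential'   unless $parsed->{flags} & FLAG_AT;
    return 'empty credential id'      unless length $parsed->{credential_id};
    return 'ok';
}

# Constructed sample (not from a real authenticator) built with the mirror pack template;
# the last field is placeholder bytes standing in for the COSE key.
sub build_sample_auth_data {
    my ($rp_id, $flags) = @_;
    return pack('a32 C N a16 n/a* a*',
        sha256($rp_id), $flags, 7, "\x00" x 16, "\x01\x02\x03\x04\x05\x06\x07\x08", "\xa5\x01\x02");
}

my $auth_data = build_sample_auth_data('example.com', FLAG_UP | FLAG_UV | FLAG_AT);
my $parsed    = parse_auth_data($auth_data);
printf "sign_count=%d credential_id=%s verify=%s\n",
    $parsed->{sign_count}, unpack('H*', $parsed->{credential_id}),
    verify_registration_auth_data($parsed, 'example.com');
# The same authData presented for a different RP ID fails the rpIdHash check
print verify_registration_auth_data($parsed, 'other.example'), "\n";
```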