Slide 1

Slide 1 text

Authentication methods used in consumer-facing (B2C) services and how to use them safely
ritou @ a study session held somewhere

Slide 2

Slide 2 text

Contents of this talk
• An overview of the user authentication methods used in consumer-facing services
• The characteristics of each, and why each came into use
• What users and developers should keep in mind so that the world becomes safer and more convenient

Slide 3

Slide 3 text

The single most useful reference on authentication methods
NIST SP 800-63 series
• "Security common sense around authentication" (認証にまつわるセキュリティの新常識), rev3
  • https://speakerdeck.com/kthrtty/ren-zheng-nimatuwarusekiyuriteifalsexin-chang-shi
• NIST Special Publication 800-63B Digital Identity Guidelines (Japanese translation)
  • https://openid-foundation-japan.github.io/800-63-3-final/sp800-63b.ja.html

Slide 4

Slide 4 text

A history of consumer-facing user authentication

Slide 5

Slide 5 text

① Password authentication

Slide 6

Slide 6 text

Password authentication (Memorized Secrets)
• Authentication factor: something you know
• Verifies the combination of user identifier and password
• The supreme authentication method: no particular device required

Slide 7

Slide 7 text

What password authentication demands of users and services
• Users
  • Don't forget the password
  • Avoid guessable passwords and don't reuse them across services
  • Don't tell the password to a third party
• Services
  • Manage passwords securely
  • Protect users from the various attacks

Slide 8

Slide 8 text

The current state of users and services under password authentication
• Users
  • Forget the passwords they set
  • Reuse them across multiple services, or use guessable strings
  • Enter passwords and the like into phishing sites
• Services
  • Store them in a recoverable form and eventually leak them
  • Cannot afford the cost of countermeasures against unauthorized logins

Slide 9

Slide 9 text

Account recovery
• Recovering from a "cannot log in" state
• Provide a detour so the user is not stuck when a particular authentication method is unavailable
• User authentication by a different method (≠ issuing a login session) + changing settings
• The combination of password authentication and password reset by e-mail is the common pattern
  • Send a link or a verification code to the e-mail address + set a new password
• Some users out there never remember their password and simply reset it every time

Slide 10

Slide 10 text

OTP via e-mail/SMS (Out-of-Band Devices)
• Authentication factor: something you have
• Verifies a verification code received by SMS or e-mail
• Sending a link to be clicked can be seen as a simplified form of this
• It had become standard practice to offer a recovery function by claiming "password authentication only" while in fact providing two authentication methods

Slide 11

Slide 11 text

② The spread of two-step / two-factor authentication

Slide 12

Slide 12 text

The current state of users and services under password authentication
• Users
  • Forget the passwords they set
  • Reuse them across multiple services, or use guessable strings
  • Enter passwords and the like into phishing sites
• Services
  • Store them in a recoverable form and eventually leak them
  • Cannot afford the cost of countermeasures against unauthorized logins

Slide 13

Slide 13 text

Password list attacks (credential stuffing) and password spray attacks
• Password list attack
  • Tries a list of user identifier/password pairs
  • If you reused the same password, you're done for
• Password spray attack
  • Tries one and the same password against a list of user identifiers
  • If you used a guessable password, you're done for
• Attackers are clever about staying under the so-called lockout counter
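The last bullet is the detection problem: a per-account lockout counter never sees a spray, because each account gets only one failure. Added example (not from the slides), on constructed log lines: group failures by source IP instead, and flag logins that then succeed from a flagged IP. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not from the slides):
# "<timestamp> <result> user=<identifier> ip=<source address>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL user=alice ip=203.0.113.7
2024-01-10T09:00:03 FAIL user=bob   ip=203.0.113.7
2024-01-10T09:00:05 FAIL user=carol ip=203.0.113.7
2024-01-10T09:00:07 FAIL user=dave  ip=203.0.113.7
2024-01-10T09:00:09 OK   user=erin  ip=203.0.113.7
2024-01-10T09:01:00 FAIL user=alice ip=198.51.100.2
2024-01-10T09:01:30 OK   user=alice ip=198.51.100.2
"""

def events(log_text):
    """Yield (timestamp, result, user, ip) tuples from the log text."""
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            yield datetime.fromisoformat(ts), result, user[5:], ip[3:]

def accounts_hitting_lockout(log_text, threshold=5):
    """Classic per-account counter; a spray leaves every account below it."""
    counts = defaultdict(int)
    for _, result, user, _ in events(log_text):
        if result == "FAIL":
            counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= threshold)

def spray_sources(log_text, window=timedelta(minutes=5), min_users=3):
    """Group failures by source IP instead: flag an IP that fails against
    >= min_users different accounts inside `window` -> {ip: [accounts]}."""
    failures = defaultdict(list)
    for ts, result, user, ip in events(log_text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding time window
            targeted = {u for t, u in fails[i:] if t - start <= window}
            if len(targeted) >= min_users:
                flagged[ip] = sorted(targeted)
                break
    return flagged

def successes_from_sprayers(log_text):
    """Logins that succeeded from a flagged IP: the guessable password the
    slide warns about was found, so that account needs attention."""
    sprayers = spray_sources(log_text)
    return sorted(u for _, r, u, ip in events(log_text) if r == "OK" and ip in sprayers)
```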

Slide 14

Slide 14 text

Software TOTP (Single-Factor OTP Device)
• Authentication factor: something you have
• Verifies a TOTP (RFC 6238) generated by a mobile app or similar
• From 2010 on, Google began offering TOTP authentication as two-step verification, together with Google Authenticator
• Until then, financial institutions and the like used hardware tokens from RSA, Verisign and others

Slide 15

Slide 15 text

Push notification to a mobile app (Out-of-Band Devices)
• Authentication factor: something you have
• Send a notification to the mobile app; OK once the user confirms it
• MS Authenticator, GitHub, Okta Verify…
• Since the security of the channel is the crux, notification to a mobile app is even said to be safer than SMS or e-mail

Slide 16

Slide 16 text

Backup codes (Look-Up Secrets)
• Authentication factor: something you have
• Issue one or more strings to the user in advance and verify those values
• Quietly adopted as a last resort so that users are not stuck in cases where TOTP cannot be used

Slide 17

Slide 17 text

③ Phishing-resistant authentication methods

Slide 18

Slide 18 text

The current state of users and services under password authentication
• Users
  • Forget the passwords they set
  • Reuse them across multiple services, or use guessable strings
  • Enter passwords and the like into phishing sites
• Services
  • Store them in a recoverable form and eventually leak them
  • Cannot afford the cost of countermeasures against unauthorized logins

Slide 19

Slide 19 text

Reality
• Ranked #1 for individuals in the "10 Major Information Security Threats 2022"!
• On the business side, Microsoft published on "Adversary-in-the-Middle (AiTM)", a phishing attack that bypasses multi-factor authentication
  • More than 10,000 organizations targeted since September 2021

Slide 20

Slide 20 text

"If I've set up TOTP, am I not safe?"

Slide 21

Slide 21 text

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

Slide 22

Slide 22 text

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
(Figure: annotated screenshot from the post above; the annotation labels did not survive extraction)

Slide 23

Slide 23 text

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
(Figure: annotated screenshot from the post above, further annotated; the annotation labels did not survive extraction)

Slide 24

Slide 24 text

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
(Figure: annotated screenshot from the post above, further annotated; the annotation labels did not survive extraction)

Slide 25

Slide 25 text

The authentication methods so far have no phishing resistance
• In every one of them, the weak point is the part where a human makes a judgment
  • Password authentication, TOTP, OTP via e-mail/SMS: entered without checking the URL
  • Push notification to the official app & approval: approved without checking the URL
• Mechanisms such as prior confirmation, history and notifications exist, but they are not a fundamental countermeasure

Slide 26

Slide 26 text

(Bonus) Why it must not be possible to learn whether a given e-mail address/phone number is registered with a service
• Password list/spray attacks and targeted attacks + phishing using only the registered ones
  • Effective because it cuts down on wasted attempts
• Raises the value of the list itself
  • An e-mail address/phone number in use across multiple services is worth more

Slide 27

Slide 27 text

FIDO authentication w/ UserVerification (Multi-Factor Cryptographic Devices)
• Authentication factor: something you have + something you know / something you are
• Public-key cryptography + local authentication
• You possess a hardware device that uses a protected cryptographic key, and a second-factor authentication is required to activate it
  • Security key: authentication by PIN
  • Smartphone: local authentication (equivalent to unlocking the screen)

Slide 28

Slide 28 text

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
(Figure: annotated screenshot from the post above; the annotation labels did not survive extraction)

Slide 29

Slide 29 text

Challenges of FIDO authentication
• The recovery-difficulty problem that comes with robust key management
  • If the authenticator (security key, supported device) breaks or is lost, re-registration is required
  • Is it necessary to register multiple authenticators?
  • After a device change/replacement, re-registration is required service by service
  • What if supporting services multiply the way password authentication did…?

Slide 30

Slide 30 text

Passkey
• Password vs passkey
• Key material tied to the user rather than to the device
  • A different path from the robust key management FIDO had pursued until now
• Mitigates the recovery problem through synchronization by the platform vendor
• UX improvement using the smartphone at hand

Slide 31

Slide 31 text

Passkey - "FIDO multi-device credentials"
• Uses the power of a single platform to sync passkeys
  1. Register a passkey using Touch ID on a Mac
  2. Even after logging out, you can log in with Touch ID alone (as before)
  3. When accessing from an iPhone, choosing "Log in with a saved passkey" lets you log in using Face ID etc.
• Synchronization via iCloud Keychain

Slide 32

Slide 32 text

Passkey - "FIDO multi-device credentials"
• UX improvement when spanning multiple platforms
  1. Register a passkey on Android beforehand
  2. Access from a Mac, scan the QR code, and log in on the Android device (a connection method called caBLE)
  3. Touch ID is then requested, and from then on you can log in with Touch ID alone on this device

Slide 33

Slide 33 text

④ The option of not having an authentication method of your own

Slide 34

Slide 34 text

Identity federation
• Uses the user information of an Identity Provider (IdP)
  • Representative protocols: OpenID Connect, SAML, etc.
• Manages the binding of user identifiers and uses it for login
• Uses attribute information to improve UX
  • Trusts verified e-mail addresses, phone numbers, identity-proofing information, etc.

Slide 35

Slide 35 text

Challenges of identity federation
• The "you sink or swim with the IdP" problem
  • On an account ban or an outage, the services that rely on it may become unusable too
  • If the IdP account is taken over, the service is abused as well

Slide 36

Slide 36 text

Identity Wallet (related keywords: SSI, DID, Verifiable Credentials)
• A style in which individuals manage their own information rather than depending on an IdP
• A division of roles you see around cryptocurrencies
  • Issuer: provides user information and issues credentials
  • Holder (Wallet): an app or browser feature that manages the user's information
  • Verifier: requests information from the Holder, verifies what it obtains, and uses it
• With the founding of the Open Wallet Foundation, there is a sense that the era is moving forward

Slide 37

Slide 37 text

What users/services can do to use these safely & conveniently

Slide 38

Slide 38 text

Challenges
• How to cover the weaknesses of the authentication methods themselves
  • Phishing resistance: the existing authentication methods other than FIDO
  • Convenience
    • Using anything other than a smartphone is a pain
• Handling of the smartphone
  • Lean toward "can do everything with just the smartphone" while taking care of "lose it and it's over"

Slide 39

Slide 39 text

(Users) Use a password manager
• The feeling of "possessing everything", all credentials including passwords
  • Passwords, managing TOTP secrets & generating TOTP codes, managing backup codes
• Delegating the domain check to it gives phishing resistance
• A style where you stake your life on managing the master password

Slide 40

Slide 40 text

(Services) Spread of the "as long as you have a smartphone" style
• UX that uses the smartphone at hand
  • Cross-device WebOTP: a verification code received on Android can be forwarded to the Chrome screen on a PC
  • Push notifications to the official app
  • Passkey
• A style that hinges on recovery for when the smartphone is lost

Slide 41

Slide 41 text

Summary
• Organizing the authentication methods
  • Password authentication -> two-step verification
  • FIDO -> Passkey
  • Identity federation -> Identity Wallet?
• Safe and convenient usage

Slide 42

Slide 42 text

The end