PerlでつくるフルスクラッチWebAuthn/パスキー認証 / Demonstration of full-scratch WebAuthn/Passkey Authentication written in Perl

by mackee

Slide 1

Slide 1 text

PerlͰͭ͘ΔϑϧεΫϥον WebAuthn/ύεΩʔೝূ YAPC::Hiroshima 2024 ݫౡ 15:00ʙ @mackee_w a.k.a macopy

Slide 2

Slide 2 text

͜Μʹͪ͸ϚίϐʔͰ͢ʂ

Slide 3

Slide 3 text

εϐʔΧʔ঺հ • X: @macopy • GitHub: @mackee • ໘ന๏ਓΧϠοΫ • Tonamel αʔόʔαΠυ ΤϯδχΞ • ޿ౡ޻ۀେֶग़਎

Slide 4

Slide 4 text

ຊ೔ͷ”օ༷”ͷ໨ඪ WebAuthnͷ࢓૊Έ͕Θ͔ͬͨؾʹͳΔ

Slide 5

Slide 5 text

ͱΓ͋͑ͣ࢖ͬͯΈΔʹ͸ օ͞Μͷ͓੮ͷޙΖʹ͋Δ`Perlbatross`Ͱ͸WebAuthn͕࢖ΘΕ͍ͯ·͢

Slide 6

Slide 6 text

Θ͔ͬͨؾʹͳΔͨΊʹࢲ͕΍Δ͜ͱ • WebAuthnͷ࣮ࡍͷ࢓૊Έʹ͍ͭͯαʔόʔ࣮૷Λॻ͖ͳ͕Βઆ໌ • ͜ͷτʔΫ͸ϥΠϒίʔσΟϯάओମͰ͢ • ϋϓχϯά͕͋ͬͨΒԠԉ͍ͯͩ͘͠͞ • ͜ͷτʔΫͰॻ࣮͘૷͸৭ʑলུ͍ͯ͠·͢ • (Option)ؼͬͨΒ͋ͳͨ΋ॻ͍ͯΈ·͠ΐ͏ • (ͲΜͳʹ୹ͯ͘΋͍͍ͷͰ)ϒϩάͰײ૝͕͋Ε͹ࢲ͸͔ͳΓتͼ·͢

Slide 7

Slide 7 text

ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 <= ΠϚίί • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

Slide 8

Slide 8 text

ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

Slide 9

Slide 9 text

WebAuthnͱ͸ • ύεϫʔυϨεೝূΛ࣮ݱ͢ΔͨΊͷඪ४Web API • ެ։伴҉߸Λ࢖ͬͯిࢠॺ໊Ͱߦ͏ೝূํࣜ ύεϫʔυ

Slide 10

Slide 10 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ΩʔϖΞ

Slide 11

Slide 11 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ϩάΠϯ͍ͨ͠

Slide 12

Slide 12 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 challengeʹ ॺ໊ͯ͠

Slide 13

Slide 13 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 challengeʹ ॺ໊ͯ͠

Slide 14

Slide 14 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ॺ໊ͨ͠Α

Slide 15

Slide 15 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ॺ໊ͨ͠Α

Slide 16

Slide 16 text

WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ͋ͬͯͦ͏ʂOK ݕূ

Slide 17

Slide 17 text

WebAuthnͷσϝϦοτ • ൿີ伴͕σόΠε಺ʹด͍ͯ͡Δ • σόΠεΛ·͍ͨͩೝূΛͲ͏͢Δ͔ • CTAP2ͱ͍͏ൿີ伴͕ೖͬͨσόΠεͱBLEͳͲͰܨ͍Ͱೝূ͢ Δํࣜ΋ఆٛ͞Ε͍ͯΔ • ฆࣦͨ͠ΒͲ͏͢Δ͔ • => ༻్ͱͯ͠͸2FAͷ1͔ͭͭɺ͜Ε͚ͩͩͱ৺ڐͳ͍

Slide 18

Slide 18 text

Passkeyͱ͸ • ݫີͳఆٛ: Discoverable CredentialΛ༻͍ΔWebAuthn • 伴ʹϢʔβʔ໊ͳͲΛηοτͰอଘ͢Δ • RP(αΠτ)ʹରͯ͠࢖༻ՄೳͳIDͱެ։伴ͷϖΞΛྻڍͰ͖Δ • Ϋϥ΢υಉظ΍Passkey Auto fi llɺੜମೝূΛհͨ͠MFAͳͲɺ WebAuthnΛศརʹ͢ΔUX΍ɺϢʔβʔʹWebAuthn͕࢖͑ΔϩάΠ ϯํࣜͰ͋Δ͜ͱΛ͢͞ݴ༿ͱͯ͠΋࢖ΘΕΔ

Slide 19

Slide 19 text

ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

Slide 20

Slide 20 text

Registrationͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث αʔόʔ ᶅొ࿥ʹඞཁͳ ύϥϝʔλͩΑ ηογϣϯ challenge ᶃొ࿥͍ͨ͠ ᶄ ᶆ͜ͷαΠτ༻ͷ 伴࡞ͬͯ ൿີ伴 ᶇ ᶈ࡞ͬͨ ެ։伴 ᶉ伴ͱchallengeͰ͢ ެ։伴 ᶊchallengeݕূ ᶋެ։伴Λอଘ

Slide 21

Slide 21 text

Registrationͷϑϩʔ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

Slide 22

Slide 22 text

AttestationObject • ೝূث͕ൃߦ͢Δূ໌ॻͳͲؚ͕·ΕΔ৘ใ • CBORܗࣜͰΤϯίʔυ͞Ε͍ͯΔ • ·ͨɺূ໌ॻ͸ `authData` keyͷதʹόΠφϦͰؚ·Ε͍ͯΔ

Slide 23

Slide 23 text

AttestationObject ެ։伴ؚ͕·Ε͍ͯΔͷ͸͜͜ https://www.w3.org/TR/webauthn-3/# fi g-attStructs

Slide 24

Slide 24 text

AttestationObjectΛόΠφϦΤσΟλͰ೷͘

Slide 25

Slide 25 text

Attestation Objectͷunpack • a32: 32όΠτ όΠφϦจࣈྻ • N: ϏοάΤϯσΟΞϯ 32bit unsigned int • n/a: 16bit unsigned intΛऔ্ͬͨͰͦΕΛ௕͞ͱΈͳͦ͠ͷόΠτ෼ΛͱΔ • a*: ࢒Γશ෦ όΠφϦจࣈྻ

Slide 26

Slide 26 text

COSEͷத਎ https://zenn.dev/macopy/scraps/8f50c18 fb 0b164

Slide 27

Slide 27 text

ొ࿥࣌ʹαʔόʔ͕΍Δݕূ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API ஫ҙ: ͜ͷϥΠϒίʔσΟϯάͰ͸iiiͷҰ෦Λলུ͍ͯ͠·͢

Slide 28

Slide 28 text

ίϥϜ `attStmt` • attStmt͸ެ։伴ͷॺ໊ݕূͳͲʹ༻͍ΒΕΔ৘ใ • YubikeyͳͲͷηΩϡϦςΟΩʔ͸fmtʹ` fi do-u2f`͕ઃఆ͞Ε͍ͯΔ • `attStmt`ʹॻ͔Εͨূ໌ॻͱॺ໊Ͱਖ਼نͷηΩϡϦςΟΩʔ͔Βൃߦ͞Εͨൿ ີ伴ɾެ։伴Ͱ͋Δ͜ͱ͕ݕূͰ͖Δ • ύεΩʔͰ͸none͕ઃఆ͞ΕΔ͜ͱ͕͋Δ • 1PasswordͰ͸none, iCloud KeychainͰ͸`packed`, Google Password ManagerͰ͸…, Windows HelloͰ͸tpm

Slide 29

Slide 29 text

ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

Slide 30

Slide 30 text

Loginͷϑϩʔ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

Slide 31

Slide 31 text

AuthenticatorData https://www.w3.org/TR/webauthn-3/# fi g-authData

Slide 32

Slide 32 text

Կʹॺ໊Λߦͳ͍ͬͯΔ͔ • authenticatorData + sha256(clientDataJSON) https://www.w3.org/TR/webauthn-3/# fi g-signature

Slide 33

Slide 33 text

ೝূ࣌ʹαʔόʔ͕΍Δݕূ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

Slide 34

Slide 34 text

ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

Slide 35

Slide 35 text

·ͱΊ • WebAuthn͸ެ։伴҉߸ͷੑ࣭Λར༻ͯ͠ύεϫʔυೝূͷམͱ݀͠ Λ௵͍ͯ͠Δ • ެ։伴͕࿙Ӯͯ͠΋ॺ໊Λੜ੒͢Δ͜ͱ͕Ͱ͖ͳ͍ • ੬ऑͳύεϫʔυ(=֮͑΍͍͢ύεϫʔυ)͸࢖༻Ͱ͖ͳ͍ • ࢖͍ճ͕͠Ͱ͖ͳ͍ • SpecΛಡΊ͹PerlͰ΋࣮૷Ͱ͖Δͧ

Slide 36

Slide 36 text

·ͱΊ2 • ৭ʑෳࡶͳͷͰɺ͓࢓ࣄͰ͸ϥΠϒϥϦΛ࢖ͬͨํ͕ྑ͍ • Perlbatross͸SimpleWebAuthn + Authen::WebAuthn • ࠓճͷίʔυΛॻ͘ͱ͖΋طଘͷϥΠϒϥϦͷத਎Λͨ͘͞Μࢀর͠ ·ͨ͠ • Specͷ͏͔ͪͳΓͷݕূΛͬ͢ඈ͹͍ͯ͠·͢ • ͚ͩͲ࢓૊ΈΛ஌͍ͬͯΔͱσόοά͕ḿΔͷͰɺҰ౓ॻ͍ͯΈΔͱཧղ ͕ਂ·Γ·͢

Slide 37

Slide 37 text

ࢀߟจݙ • W3C Web Authentication: An API for accessing Public Key Credentials Level 2 https://www.w3.org/TR/webauthn-2/ • mdn ΢ΣϒೝূAPI https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API • mercari engineering: WebAuthn͜ͱ͸͡Ί https://engineering.mercari.com/blog/entry/ 2019-06-04-120000/ • WEB+DB Press Vol.136 ಛू2 ࣮ઓ౤ೖύεΩʔ • Digital Identityٕज़ษڧձ Advent Calendar 2023 https://qiita.com/advent-calendar/2023/ iddance

Slide 38

Slide 38 text

See also • ImHexͰWebAuthnͷAttestationObjectΛύʔε͢Δ https:// zenn.dev/macopy/scraps/8f50c18fb0b164 • PerlͷCBOR::PPͱunpackͰWebAuthnͷAttestation ObjectΛύʔε ͢Δ https://zenn.dev/macopy/scraps/e042aa351a57a7 • ࠓճͷ࣮૷ https://github.com/mackee/yapchiroshima2024

Slide 39

Slide 39 text

ϒϩάͰײ૝͓଴͓ͪͯ͠Γ·͢ʂ 🙏