WebAuthnͰ࣮ݱ͢Δ ύεϫʔυϨεೝূ SecHack365 2019 ෱Ԭճ @ψʔϥϘຊࣾ3F 2019/8/22 @kasecato 1

2019೥8݄16೔ (ۚ) ࢲཱେ1೥ͷগ೥ ిࢠܭࢉػ࢖༻࠮ٗͱෆਖ਼ΞΫηεېࢭ๏ҧ൓ͷ༰ٙͰୁั େֶੜ4ਓΛಉ༰ٙͰॻྨૹݕ ͦͷखޱ͸… 2

3

ϑΟογϯά 1995೥ͷ AOLʢΠϯλωοτ αʔϏε ϓϩόΠμʣ AOLελοϑΛ૷͍ύεϫʔυΛෆਖ਼ʹૹ৴͔͕ͤͨͬͨ͞ɼ ؂ࢹ͞Ε͍ͯͨ νϟοτ ϧʔϜͷ؂ࢹϑΟϧλճආεΫϦϓτ͕ <>< ͩͬͨ <>< ͕ڕʹݟ͑ͨ fish (ڕ) + phreaking (ෆਖ਼ʹແྉͰి࿩Λ͔͚Δߦҝ) = Phishing 4

ϑΟογϯά͸… 1995೥͔Βະղܾ ηΩϡϦςΟٕज़ͷഊ๺ ೥ؒ5ઍԯԁͷӨڹ (2014೥) 2005೥ 2018೥ 17ສ݅ 104ສ݅ 5

2017೥ Googleࣾһ 8ສ5ઍਓͷϑΟογϯάඃ֐͕ ʹ θϩ݅ 6

7

FIDO U2F Google ͸શࣾһʹʮFIDO U2Fʯͷ࢖༻Λٛ຿෇͚ͨ FIDO U2F? Fast Identity Online = ૉૣ͍ΦϯϥΠϯೝূ Universal 2nd Factor = Ϣχόʔαϧͳ2ཁૉ ʢ໊લΛฉ͍ͯ΋Α͘Θ͔Βͳ͍ͱࢥͬͨʣ 2ཁૉೝূʹ෺ཧσόΠεΛ࢖༻͢Δ 1. ύεϫʔυೝূ = ஌ࣝͷཁૉ 2. ෺ཧσόΠε = ॴ༗ͷཁૉ ٛ຿Խ 8

ೝূͷ3ཁૉ 1975೥ Computer Security Guidelines for Implementing the Privacy Act of 1974 (1) Something the person knows; (2) Something the person has; (3) Something the person is. 712೥ ݹࣄهʹొ৔͢Δࡾछͷਆث = has ॴ༗ͷཁૉ 2019೥ͷࢲͨͪ͸ͳͥ2ஈ֊ೝূ͕… FIPS 41 9

ͳͥ Google ͕ FIDO ͰϑΟογϯάඃ֐Λ๾໓Ͱ͖ͨͷ͔ʁ 10

FIDO ͷجຊίϯηϓτ ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯεೝূ ೝূثΛ༻͍ͨൿີ伴ͷੜ੒ͱอޢ origin ʹඥͮ͘ೝূ৘ใͷ؅ཧ ϩʔΧϧͰͷϢʔβʔݕূ ग़య: ΋ͱ΄Μ΍, ʰ ʱ, p.9, (Oct, 2018). WebAuthn ຊ @watahani 11

12

ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯε 1976೥ Diffie ͱ Hellman ͕ެ։伴҉߸ԽͱೝূΛఏҊ 1977೥ Rivest, Shamir ͱ Adleman ͕ެ։伴҉߸ํࣜΛߏங 1985೥ Koblitz ͱ Miller ͕ପԁۂઢ҉߸ΛఏҊ RSA 2048 ϏοτΛ ECC 206 Ϗοτఔ౓Ͱ୲อ ૊ࠐΈ޲͚ = FIDO ͷೝূثͰ΋࢖༻ C ≡ (mod N) ME M ≡ (mod N) CD 13

ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯε 1979೥ࠒ Bob Bosen ͕νϟϨϯδϨεϙϯεೝূΛ࣮૷ TRS-80 ༻ͷήʔϜʮ80 Space Raidersʯͷίϐʔ๷ࢭػೳ ήʔϜىಈը໘ʹදࣔ͞ΕΔϥϯμϜͳ਺ = νϟϨϯδ ήʔϜ෇ଐͷදͰνϟϨϯδʹରԠ͢Δ਺Λೖྗ = Ϩεϙϯε M ≡ (mod N) CD C ≡ (mod N) ME 14

ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯε ొ࿥ ϒϥ΢β͸ RP ͔ΒνϟϨϯδΛऔಘ ೝূث͸伴ϖΞΛੜ੒ ൿີ伴ͰνϟϯϨϯδʹॺ໊ = Ϩεϙϯε RP ͸ެ։伴Ͱॺ໊Λݕূ ެ։伴Λొ࿥ 15

ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯε ೝূ ϒϥ΢β͸ RP ͔ΒνϟϨϯδΛऔಘ ೝূث͸ൿີ伴Λಋग़ ൿີ伴ͰνϟϨϯδʹॺ໊ = Ϩεϙϯε RP ͸ॺ໊Λݕূ ϢʔβΛೝূ 16

ೝূثΛ༻͍ͨൿີ伴ͷੜ੒ͱอޢ 1994೥ FIPS 140-1 2001೥ Security Requirements for Cryptographic Modules ଱λϯύੑ ϓϩʔϏϯά߈ܸ ϑΥʔϧτ߈ܸ αΠυνϟωϧ߈ܸ 2019೥9݄ FIPS 140-3 FIPS 140-2 17

origin ʹඥͮ͘ೝূ৘ใͷ؅ཧ AppID (rpId) = origin = υϝΠϯ໊ 伴ϖΞͷੜ੒ʹυϝΠϯؚ໊͕·ΕΔ 18

ϩʔΧϧͰͷϢʔβʔݕূ ϦϞʔτೝূ ύεϫʔυ͸ωοτϫʔΫ্ʹྲྀΕΔ ύεϫʔυ͸αʔόʹอଘ͞ΕΔ αʔό͔Βͷ৘ใ࿙͍͑ ύεϫʔυͷϦετܕ߈ܸ ϩʔΧϧೝূ ੜମೝূ΍ PIN ͸ωοτϫʔΫ্ʹྲྀΕͳ͍ ੜମ৘ใ΍ PIN ͸ϩʔΧϧͷσόΠεʹอଘ͞ΕΔ σόΠε͸଱λϯύੑ͕͋Δ 19

ͱ͸ Web Authentication: An API for accessing Public Key Credentials Level 1 ϒϥ΢βʹ࣮૷͞Εͨ 2 ͭͷ API ొ࿥ = navigator.credentials.create() ೝূ = navigator.credentials.get() ϒϥ΢βͱೝূث͕ձ࿩͢ΔͨΊͷ API ೝূث͔Β伴ϖΞΛੜ੒͢Δ ೝূث͔Βൿີ伴Ͱॺ໊Λੜ੒͢Δ WebAuthn 20

ొ࿥ = navigator.credentials.create() Relying Party Server Authenticator challenge, user info, relying party info relying party id , user info, relying party info, clientDataHash new public key, credential id, attestation clientDataJSON, attestationObject 1 2 5 4 3 user verification, new keypair, attestation attestationObject Browser RP JavaScript Application 6 0 server validation AuthenticatorAttestationResponse PublicKeyCredentialCreationOptions 21

ೝূ = navigator.credentials.get() Relying Party Server Authenticator challenge relying party id, clientDataHash authenticatorData signature clientDataJSON, authenticatorData, signature 1 2 5 4 3 user verification, create assertion Browser RP JavaScript Application 6 0 server validation AuthenticatorAssertionResponse PublicKeyCredentialRequestOptions WebAuthnAPI 22

·ͱΊ FIDO ͷجຊίϯηϓτ͕Θ͔ͬͨ ެ։伴҉߸Λ༻͍ͨνϟϨϯδϨεϙϯεೝূ Authenticator Λ༻͍ͨൿີ伴ͷੜ੒ͱอޢ origin ʹඥͮ͘ೝূ৘ใͷ؅ཧ ϩʔΧϧͰͷϢʔβʔݕূ WebAuthn ͸ϒϥ΢βʹ࣮૷͞Εͨ 2 ͭͷ API ొ࿥ navigator.credentials.create() ೝূ navigator.credentials.get() WebAuthn ͸ೝূثͱձ࿩͢ΔͨΊͷ API ύεϫʔυΛ࢖Θͣެ։伴ೝূج൫ͰϢʔβೝূͰ͖ͨ 23

ࢀߟϊʔτ ຖ೔৽ฉ, ʮωοτόϯΫෆਖ਼઀ଓͰݱۚ࠮औɹ༰ٙͷେֶੜ ୁัɹ໊ݹ԰ʯ, IPA, ʰ৘ใηΩϡϦςΟനॻ2019ʱ, p.20, (August, 2019) σʔϏουɾαϯΨʔ, ʰੈքͷ೼ݖ͕ҰؾʹมΘΔ αΠόʔ ׬શฌثʱ, pp.207-224, pp.152-157, (May, 2019) Wikipedia, "Early AOL phishing," https://mainichi.jp/articles/20190817/k00/00m/040/033000c https://en.wikipedia.org/wiki/Phishing#Early_AOL_phishing 24

ΪζϞʔυɾδϟύϯ, ʮGoogleࣾһͷϑΟογϯάΛ0ʹͨ͠෺ཧ Google, ʮTitan ηΩϡϦςΟ Ωʔʯ, FIDO, ʮFIDOΞϥΠΞϯεͷԊֵʯ, NIST, "Computer Security Guidelines for Implementing the Privacy A Richard E. Smithʰೝূٕज़ ύεϫʔυ͔Βެ։伴·Ͱʱ, p.399, p. security-keys.html https://cloud.google.com/titan https://fidoalliance.org/fido%e3%82%a2%e3%83%a9%e3%82%a4% lang=ja 25

൘૔੐உ, ֎઒੓෉, ʰωοτࣾձͱຊਓೝূ―ݪཧ͔ΒԠ༻· Ͱʱ, p.29, (July, 2010). ΋ͱ΄Μ΍, ʰWebAuthn ຊʱ, p.9, (Oct, 2018). ผ࡭೔ܦαΠΤϯεɼʮαΠόʔηΩϡϦςΟʔʯ, p.63, (April, 2016). 㟒ࢁҰஉ, ੁݪ݈, ཥཅ, ʰ҉߸ϋʔυ΢ΣΞͷηΩϡϦςΟʱ, p.39, pp.80-81, (June, 2019). 26

NIST, "Security Requirements for Cryptographic Modules," Wikipedia, "FIPS 140-3", Yubico, "Key generation," Yubico, "FIDO2/WebAuthn Overview," W3C, "Web Authentication: An API for accessing Public Key Creden https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf https://en.wikipedia.org/wiki/FIPS_140-3 https://developers.yubico.com/U2F/Protocol_details/Key_generatio https://developers.yubico.com/WebAuthn/WebAuthn_Developer_G https://www.w3.org/TR/webauthn/ 27