
Authentication Methods Used in Consumer (B2C) Services and How to Use Them Safely

ritou
September 21, 2022


I'm publishing the material from a study session I quietly held somewhere.



Transcript

  1. Authentication Methods Used in Consumer (B2C) Services and How to Use Them Safely
     ritou @ a study session held somewhere

  2. Contents of this talk
     • An introduction to the user authentication methods used in consumer services
     • Their characteristics, and why they came into use
     • What users and developers should be aware of so that the world becomes safer and more convenient

  3. The most useful references on authentication methods
     NIST SP 800-63 series
     • 認証にまつわるセキュリティの新常識 rev3 ("The new common sense of security around authentication, rev3")
       • https://speakerdeck.com/kthrtty/ren-zheng-nimatuwarusekiyuriteifalsexin-chang-shi
     • NIST Special Publication 800-63B Digital Identity Guidelines (Japanese translation)
       • https://openid-foundation-japan.github.io/800-63-3-final/sp800-63b.ja.html

  4. The history of consumer user authentication




  5. Password authentication

  6. Password authentication
     (Memorized Secrets)
     • Authentication factor: knowledge (something you know)
     • Verifies the combination of a user identifier and a password
     • The "ultimate" authentication method: it requires no particular device

  7. What password authentication demands of users and services
     • Users
       • Don't forget the password
       • Avoid guessable passwords, and don't reuse them across services
       • Don't disclose the password to third parties
     • Services
       • Manage passwords securely
       • Protect users from the various kinds of attacks

  8. The reality of users and services under password authentication
     • Users
       • Forget the password they set
       • Reuse it across multiple services, or use guessable strings
       • Enter their password and other data into phishing sites
     • Services
       • Store passwords in a recoverable (reversible) form, and eventually leak them
       • Can't afford to invest in countermeasures against unauthorized logins

  9. Account recovery
     • Recovering from a "can't log in" state
     • Provide a detour so that users aren't stuck when a particular authentication method is unavailable
       • Authenticate the user by another method (≠ issuing a login session) + change the settings
     • The combination of password authentication and password reset via e-mail is the common pattern
       • Send a link or a verification code to the e-mail address + set a new password
     • There are also users out there who never remember their password and simply reset it every time

  10. OTP via e-mail/SMS
      (Out-of-Band Devices)
      • Authentication factor: possession (something you have)
      • Verifies a verification code received via SMS or e-mail
      • Sending a link and having the user click it can be seen as a simplified form of this
      • While nominally offering "password authentication only", services were in practice providing two authentication methods, and using that to provide a recovery function had become the standard pattern




  11. The spread of two-step / two-factor authentication

  12. The reality of users and services under password authentication
      • Users
        • Forget the password they set
        • Reuse it across multiple services, or use guessable strings
        • Enter their password and other data into phishing sites
      • Services
        • Store passwords in a recoverable (reversible) form, and eventually leak them
        • Can't afford to invest in countermeasures against unauthorized logins

  13. Password list (credential stuffing) attacks and password spray attacks
      • Password list attack
        • Attempts using a list of user identifier/password pairs
        • If you reused the same password, you're done for
      • Password spray attack
        • Attempts the same password against a list of user identifiers
        • If you used a guessable password, you're done for
        • Attackers do this cleverly so as not to trip the so-called lockout counter

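Both attacks on the slide above spread their attempts across many accounts with only one or two tries each, which is exactly why a per-account lockout counter never trips. The detection below, an added example that is not part of the original deck, instead aggregates failed logins per source over constructed sample log lines and flags sources that touch many distinct accounts with few attempts per account; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original deck): one login attempt per line.
# 203.0.113.7 walks six accounts once each (one success: a reused password paid off).
SAMPLE_LOG = """\
2022-09-21T10:00:01 src=203.0.113.7 user=alice result=FAIL
2022-09-21T10:00:02 src=203.0.113.7 user=bob result=FAIL
2022-09-21T10:00:03 src=203.0.113.7 user=carol result=FAIL
2022-09-21T10:00:04 src=203.0.113.7 user=dave result=OK
2022-09-21T10:00:05 src=203.0.113.7 user=erin result=FAIL
2022-09-21T10:00:06 src=203.0.113.7 user=frank result=FAIL
2022-09-21T10:00:07 src=198.51.100.9 user=alice result=FAIL
2022-09-21T10:00:09 src=198.51.100.9 user=alice result=OK
2022-09-21T10:00:11 src=192.0.2.33 user=grace result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def summarize(log_text):
    """Per source address: total attempts, failures, and the set of distinct users tried."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] != "OK":
            s["fails"] += 1
    return stats

def flag_spray_sources(log_text, min_users=5, max_attempts_per_user=1.5):
    """A per-account lockout counter sees at most one or two failures per user and
    stays silent; counting distinct users per source catches the spread-out pattern.
    Thresholds are assumed values; tune them to your traffic."""
    flagged = []
    for src, s in summarize(log_text).items():
        per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= min_users and per_user <= max_attempts_per_user:
            flagged.append(src)
    return sorted(flagged)
```

A success recorded from a flagged source (dave above) is the credential-reuse case from the slide and deserves a forced password change and session review, not just a block on the source.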
  14. Software TOTP
      (Single-Factor OTP Device)
      • Authentication factor: possession
      • Verifies a TOTP (RFC 6238) generated by a mobile app or similar
      • From 2010 onward, Google began offering TOTP authentication as two-step verification, together with Google Authenticator
      • Until then, hardware tokens from RSA, Verisign and others had been used at financial institutions and the like

  15. Push notifications to a mobile app
      (Out-of-Band Devices)
      • Authentication factor: possession
      • Send a notification to the mobile app; if the user approves it, OK
      • MS Authenticator, GitHub, Okta Verify…
      • Because the security of the channel is the crux, the notification-to-mobile-app mechanism is even said to be safer than SMS or e-mail

  16. Backup codes
      (Look-Up Secrets)
      • Authentication factor: possession
      • Issue one or more strings to the user in advance, and verify those values
      • Quietly adopted as a last resort so that users aren't stuck in cases where TOTP can't be used

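A minimal implementation of the look-up secrets on the slide above, as an added example that is not code from the original deck: codes are issued once in plaintext, only salted PBKDF2 hashes are stored (so a leaked table does not yield usable codes), and each code is consumed exactly once. The alphabet, code length and record layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: no 0/O/1/l, so codes copied from paper are not mistyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def _hash_code(code, salt):
    # Short codes have limited entropy, so use a slow salted hash rather than plain SHA-256.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()

def issue_backup_codes(count=10, length=10):
    """Return (plaintext codes to show the user once, the record to store server-side)."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    record = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in codes],
        "used": [False] * count,      # each code is valid exactly once
    }
    return codes, record

def redeem_backup_code(record, submitted):
    """Consume one code. Unused codes stay valid; a used or unknown code is rejected."""
    normalized = submitted.strip().lower().replace("-", "")
    candidate = _hash_code(normalized, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if not record["used"][i] and hmac.compare_digest(stored, candidate):
            record["used"][i] = True
            return True
    return False
```

Rate-limit this endpoint like any other password check, and prompt the user to issue a fresh set once only a few codes remain.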



  17. Phishing-resistant authentication methods

  18. The reality of users and services under password authentication
      • Users
        • Forget the password they set
        • Reuse it across multiple services, or use guessable strings
        • Enter their password and other data into phishing sites
      • Services
        • Store passwords in a recoverable (reversible) form, and eventually leak them
        • Can't afford to invest in countermeasures against unauthorized logins

  19. Reality
      • Ranked #1 in the "individuals" category of the "10 Major Information Security Threats 2022"!
      • On the enterprise (B2B) side, Microsoft published on "Adversary-in-the-Middle (AiTM)", a phishing attack that bypasses multi-factor authentication
        • Since September 2021, more than 10,000 organizations have been targeted

  20. "If I've set up TOTP, am I not safe?"

  21. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

  22. (Screenshot from the same Microsoft article, with annotations added by the speaker)

  23. (Screenshot from the same Microsoft article, with further annotations)

  24. (Screenshot from the same Microsoft article, with further annotations)

  25. The authentication methods so far have no phishing resistance
      • In all of them, the part where a human makes a judgement is the weak point
        • Password authentication, TOTP, OTP via e-mail/SMS: the user enters the value without checking the URL
        • Push notification & approval in the official app etc.: the user approves without checking the URL
      • Mechanisms such as prior confirmation, history and notifications exist, but they are not a fundamental countermeasure

  26. (Bonus) Why a service must not reveal whether a given e-mail address/phone number is already registered
      • Using only the registered ones, attackers can run password list/spray attacks, and targeted attacks + phishing
        • Fewer wasted attempts, so more effective
      • It raises the value of the list itself
        • E-mail addresses/phone numbers in use at multiple services are highly valuable

  27. FIDO authentication w/ User Verification
      (Multi-Factor Cryptographic Devices)
      • Authentication factors: possession + knowledge/biometrics
      • Public-key cryptography + local authentication
      • The user possesses a hardware device holding a protected cryptographic key, and a second-factor authentication is required to activate it
        • Security key: authentication by PIN
        • Smartphone: local authentication (equivalent to unlocking the screen)

  28. https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
      (Screenshot from the same Microsoft article, with the speaker's annotations)

  29. Challenges of FIDO authentication
      • The recovery difficulty that comes from the robustness of the key management
        • If the authenticator (security key, supported device) breaks or is lost, re-registration is required
        • Is it necessary to register multiple authenticators?
        • After a device change or replacement, re-registration is required per service
        • What if supporting services multiply the way password authentication did…?

  30. Passkeys
      • Password vs passkey
      • Key material tied to the user rather than to the device
        • A different path from the robust key management that FIDO had pursued so far
      • Mitigates the recovery problem through synchronization by the platform vendors
      • UX improvement using the smartphone at hand

  31. Passkeys - "FIDO multi-device credentials"
      • Synchronizing passkeys using the power of a single platform
        1. Register a passkey on a Mac using TouchID
        2. Even after logging out, you can log in with TouchID alone (as before)
        3. When accessing from an iPhone, choosing "log in with a saved passkey" lets you log in using FaceID etc.
      • Synchronization via iCloud Keychain

  32. Passkeys - "FIDO multi-device credentials"
      • UX improvement when spanning multiple platforms
        1. Register a passkey on Android in advance
        2. Access from a Mac, scan the QR code, and log in with the Android device (the connection method called caBLE)
        3. After that, TouchID is requested, and from then on you can log in on this device with TouchID alone




  33. The option of not having an authentication method of your own

  34. Identity federation
      • Use the user information held by an Identity Provider (IdP)
        • Representative protocols are OpenID Connect, SAML, etc.
      • Use it for login by managing the mapping of user identifiers
      • Use attribute information to improve UX
        • Trust verified e-mail addresses, phone numbers, identity-proofing information, etc.

  35. Challenges of identity federation
      • The "go down with the IdP" problem
        • On an account ban or an outage, the services that rely on that IdP may become unusable too
        • If the IdP account is taken over, the services are abused as well

  36. Identity Wallet
      (Related keywords: SSI, DID, Verifiable Credentials)
      • A style in which individuals manage their own information rather than depending on an IdP
      • A division of roles seen around cryptocurrency
        • Issuer: provides user information and issues credentials
        • Holder (Wallet): the app or browser feature that manages the user's information
        • Verifier: requests information from the Holder, verifies what it obtained, and uses it
      • With the founding of the Open Wallet Foundation, it feels like the era is moving forward

  37. What users/services can do to use authentication safely & conveniently

  38. Challenges
      • How to cover the weaknesses of the authentication methods themselves
        • Phishing resistance: the existing authentication methods other than FIDO
        • Convenience
          • Using anything other than a smartphone is a pain
      • Handling of smartphones
        • While leaning towards "everything can be done with just a smartphone", "if you lose it, it's over" needs to be taken care of

  39. (Users) Use a password manager
      • The sense of "owning" all credentials, passwords included
        • Manage passwords, TOTP secrets & TOTP generation, and backup codes
      • Gains phishing resistance by delegating the domain check to the manager
      • A style that stakes everything on managing the master password

  40. (Services) Spread of the "as long as you have a smartphone" style
      • UX that uses the smartphone at hand
        • Cross-device WebOTP: a verification code received on Android can be forwarded to the Chrome screen on a PC
        • Push notifications to the official app
        • Passkeys
      • A style in which everything hinges on recovery when the smartphone is gone

  41. Summary
      • Overview of authentication methods
        • Password authentication -> two-step verification
        • FIDO -> Passkeys
        • Identity federation -> Identity Wallet?
      • Safe and convenient usage

  42. The end