パスキーはユーザー認証を どう変えるのか？その特徴と導入における課題 @ devsumi 2023 9-C-1

Transcript

1. ύεΩʔ͸ϢʔβʔೝূΛ
   
   
   Ͳ͏ม͑Δͷ͔ʁ
   ͦͷಛ௃ͱಋೖʹ͓͚Δ՝୊
   ҏ౦ ྒ(@ritou) - Developers Summit 2023ʢ2023.02.09-10ʣ
   

   View Slide

2. ҏ౦ ྒ (@ritou)
   • גࣜձࣾ MIXI - ΤϯδχΞ
   
   
   • OpenID ϑΝ΢ϯσʔγϣϯɾδϟύϯ - ΤόϯδΣϦετ
   
   
   • Digital Identityؔ࿈ͷϒϩάɺࣥචɺษڧձ…
   2
   

   View Slide

3. ൃදͷ಺༰
   • ͜Ε·ͰͷϢʔβʔೝূ
   
   
   • ύεΩʔͷಛ௃
   
   
   • ύεΩʔಋೖͷϙΠϯτ
   3
   

   View Slide

4. ͜Ε·ͰͷϢʔβʔೝূ
   

   View Slide

5. ύεϫʔυೝূ - Memorized Secrets
   • ೝূཁૉ : ஌ࣝ
   
   
   • ϢʔβʔɺαʔϏε͕ύεϫʔυΛڞ༗
   
   
   • Ϣʔβʔ͸هԱ͢Δ
   
   
   • αʔϏε͸҆શʹอଘ
   
   
   • Ϣʔβʔ͔ΒૹΒΕͨϢʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛ
   αʔϏε͕ݕূ͢Δํ๏͕Ұൠత
   5
   

   View Slide

6. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
   • Ϣʔβʔͷཁ݅
   
   
   • ύεϫʔυΛ๨Εͳ͍
   
   
   • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍
   
   
   • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
   
   
   • αʔϏεͷཁ݅
   
   
   • ύεϫʔυΛ҆શʹ؅ཧ͢Δ
   
   
   • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
   6
   ←๨ΕΔ
   

   View Slide

7. ΞΧ΢ϯτϦΧόϦʔ
   • ͋ΔೝূํࣜͰ “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮
   
   
   • ผͷखஈͰ౰ਓೝূ / ਎ݩ֬ೝ + ઃఆมߋ
   
   
   • ผͷೝূํࣜ : SMS͕࢖͑ͳ͍ͷͰόοΫΞοϓίʔυΛར༻
   
   
   • ొ࿥࣌ͷ਎ݩ֬ೝํ๏Λར༻ : PW࠶ઃఆ༻ͷURLΛϝʔϧૹ৴
   
   
   • CSܦ༝ͷKYC : ఏग़ࡁΈͷ਎෼ূ໌ॻΛར༻
   7
   

   View Slide

8. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
   • Ϣʔβʔͷཁ݅
   
   
   • ύεϫʔυΛ๨Εͳ͍
   
   
   • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍
   
   
   • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
   
   
   • αʔϏεͷཁ݅
   
   
   • ύεϫʔυΛ҆શʹ؅ཧ͢Δ
   
   
   • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
   8
   ਪଌՄೳͳύεϫʔυΛ
   
   
   ෳ਺αʔϏεͰ࢖͍ճ͢
   ෮߸Մೳͳঢ়ଶͰ
   
   
   อଘ͍ͯͨ͠஋͕࿙Ӯ
   

   View Slide

9. ύεϫʔυϦετ/ύεϫʔυεϓϨʔ ߈ܸ
   • ύεϫʔυϦετ߈ܸ : ଞαʔϏε͔Β࿙ӮɺϑΟογϯάͰऔಘ͞
   Εͨ”(ϝʔϧΞυϨεͳͲؚΉ)Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹
   Θͤ”Λར༻ͯ͠ϩάΠϯࢼߦ
   
   
   • ύεϫʔυεϓϨʔ߈ܸ : “ϢʔβʔࣝผࢠͷϦετͱΑ͘࢖ΘΕ͍ͯ
   Δύεϫʔυ”ͷ૊Έ߹ΘͤͰϩάΠϯࢼߦ
   
   
   • ύεϫʔυҎ֎ͷೝূํࣜͱͷ૊Έ߹ΘͤʹΑΔରࡦ͕ඞཁ
   9
   

   View Slide

10. TOTP - Single-Factor OTP Device
    • ೝূཁૉ : ॴ༗
    
    
    • Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ɺ
    
    
    • ϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰੜ੒ͨ͠OTP(RFC6238)Λར༻
    
    
    • ۚ༥ػؔͳͲͰ͸ϋʔυ΢ΣΞτʔΫϯ͕ར༻͞Ε͍͕ͯͨɺ2010
    ೥୅ʹGoogle͕Google Authenticatorͱͱ΋ʹ2ஈ֊ೝূΛఏڙͯ͠
    ͔Βීٴ
    10
    

    View Slide

11. SMS OTP - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗
    
    
    • SMSܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻
    
    
    • αʔϏε͸ొ࿥ࡁΈͷి࿩൪߸ʹOTPΛૹ৴
    
    
    • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴
    
    
    • Ϣʔβʔͷେྔొ࿥ରࡦͱͯ͠΋࢖ΘΕ͖ͯͨɻαʔϏεଆͷૹ৴ί
    ετɺ஗Ԇ΍ಧ͔ͳ͍ϦεΫͱ͍͏ϦεΫ΋ແࢹͰ͖ͳ͍ɻ
    11
    

    View Slide

12. Email OTP - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗ (?)
    
    
    • Emailܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻
    
    
    • αʔϏε͸ొ࿥ࡁΈͷϝʔϧΞυϨεʹOTPΛૹ৴
    
    
    • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴
    12
    

    View Slide

13. ೝূ༻ΞϓϦ - Out-of-Band Devices
    • ೝূཁૉ : ॴ༗
    
    
    • ೝূ༻ͷ୺຤΍ϞόΠϧΞϓϦ΁ͷϓογϡ௨஌Λར༻
    
    
    • αʔϏε͸Ϣʔβʔʹඥ͚ͮΒΕͨ୺຤/ΞϓϦʹϓογϡ௨஌
    
    
    • Ϣʔβʔ͸୺຤/ΞϓϦͰϩάΠϯ͢Δ͜ͱΛڐՄ
    
    
    • MFAർ࿑߈ܸ(MFA fatigue attacks) ͕࿩୊ʹ
    13
    

    View Slide

14. όοΫΞοϓίʔυ - Look-Up Secrets
    • ೝূཁૉ : ॴ༗
    
    
    • ͋Β͔͡ΊϢʔβʔʹ഑෍ͨ͠୯Ұ΋͘͠͸ෳ਺ͷจࣈྻΛར༻
    
    
    • SMS͕ड৴Ͱ͖ͳ͍
    
    
    • ೝূ༻ΞϓϦ͕ར༻Ͱ͖ͳ͍
    
    
    • 2ཁૉ/2ஈ֊ೝূΛઃఆ͢Δࡍʹ߹Θͤͯઃఆͤ͞Δͷ͕Ұൠత
    14
    

    View Slide

15. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
    • Ϣʔβʔͷཁ݅
    
    
    • ύεϫʔυΛ๨Εͳ͍
    
    
    • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍
    
    
    • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
    
    
    • αʔϏεͷཁ݅
    
    
    • ύεϫʔυΛ҆શʹ؅ཧ͢Δ
    
    
    • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
    15
    ←ϑΟογϯάαΠτʹ
    
    
    ೖྗͯ͠͠·͏
    

    View Slide

16. ϑΟογϯά߈ܸ
    • IPA ৘ใηΩϡϦςΟ10େڴҖ2023 ݸਓ޲͚1Ґ(2࿈೼த)
    
    
    • 2ஈ֊ೝূɺ2ཁૉೝূΛར༻ͯ͠΋ඃ֐ʹૺ͏Մೳੑ͕͋Δ
    
    
    • Adversary-in-the-MiddleʢAiTMʣ
    16
    ग़య : ৘ใηΩϡϦςΟ10େڴҖ 2023ɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ
    
    
    https://www.ipa.go.jp/security/vuln/10threats2023.html
    

    View Slide

17. Adversary-in-the-
    MiddleʢAiTMʣ
    • ϑΟογϯάαΠτ͕தؒऀͱͳ
    Γਖ਼نͷαʔϏεʹϩάΠϯࢼߦ
    
    
    • ύεϫʔυ + SMS/Email OTP
    
    
    • ύεϫʔυ + ೝূΞϓϦ
    
    
    • ੒ޭ͢ΔͱϩάΠϯηογϣϯࣗ
    ମ(Cookie/Token)ΛऔಘՄೳ
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹ
    further
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-
    cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    

    View Slide

18. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    18
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    example.com
    example.net
    

    View Slide

19. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    19
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    example.com
    example.net
    

    View Slide

20. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    20
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    example.com
    example.net
    

    View Slide

21. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    21
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    50514.4051Λ
    ਖ਼نαʔϏεʹૹΔ
    example.com
    example.net
    

    View Slide

22. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ
    22
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    50514.4051Λ
    ਖ਼نαʔϏεʹૹΔ
    ϩάΠϯηογϣϯΛ
    औಘՄೳ
    example.com
    example.net
    

    View Slide

23. Ϣʔβʔ/αʔϏε͕ͱΕΔϑΟογϯάରࡦ
    • Ϣʔβʔ͕ύεϫʔυϚωʔδϟʔͷར༻ : ύεϫʔυ΍TOTPઃఆΛ
    ΦϦδϯ(υϝΠϯ)ͱඥ෇͚ͯ؅ཧ͠ɺҰக͍ͯ͠Δ΋ͷ͕ϑΥʔϜ
    ೖྗ࣌ʹબ୒Մೳ
    
    
    • αʔϏε͕WebOTPͷ࠾༻ : ૹ৴ͨ͠SMSϝοηʔδʹؚ·ΕΔΦϦ
    δϯ(υϝΠϯ)ͱOTPͷೖྗΛଅ͍ͯ͠ΔURL͕Ұக͍ͯ͠Ε͹ड৴
    ͨ͠SMSʹؚ·ΕΔOTPͷ஋͕ϑΥʔϜʹࣗಈೖྗ
    23
    

    View Slide

24. ύεϫʔυϚωʔδϟʔʹΑΔରࡦ
    24
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ਖ਼نαʔϏεͷύεϫʔυ͕
    ϑΟογϯάαʔϏεʹ͸ఏҊ͞Εͳ͍
    example.com
    example.net
    

    View Slide

25. WebOTPʹΑΔରࡦ
    25
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    50514.4051
    ೖྗը໘Λදࣔ
    ϑΟογϯάαʔϏεʹ͸051ࣗಈೖྗ͕ߦΘΕͳ͍
    example.com
    example.net
    

    View Slide

26. • ೝূཁૉ : ॴ༗
    
    
    • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
    ূΛར༻
    
    
    • ηΩϡϦςΟΩʔΛࢦ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩͰར༻Մೳ
    
    
    • ύεϫʔυೝূͱ૊Έ߹Θͤͨ2ஈ֊ೝূͰͷར༻͕޿·ͬͨ
    26
    FIDO w/ User Presence
    
    
    - Single-Factor Cryptographic Device/Software
    

    View Slide

27. FIDO w/ User Veri
    fi
    cation
    
    
    - Multi-Factor Cryptographic Software/Device
    • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ
    
    
    • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
    ূ ͱ ϩοΫղআͳͲͰ࢖ΘΕΔϩʔΧϧೝূ ͷ૊Έ߹Θͤ
    
    
    • ηΩϡϦςΟΩʔ + PIN
    
    
    • εϚʔτϑΥϯ / PC + ը໘ϩοΫղআ
    27
    

    View Slide

28. FIDOͷϑΟογϯά଱ੑ
    • WebAuthn : WebΞϓϦέʔγϣϯͰFIDOΛར༻͢ΔͨΊͷϒϥ΢
    βAPI
    
    
    • ར༻αʔϏε͸ࣗ਎ͷΦϦδϯ(υϝΠϯ)Λࢦఆ
    
    
    • ϒϥ΢β͸ͦͷ஋Λݕূͯ͠ෆҰகͷ৔߹͸ೝূෆՄೳ
    
    
    • ϑΟογϯάαΠτͱਖ਼نαʔϏε͕γεςϜతʹ۠ผ͞ΕΔ
    28
    

    View Slide

29. FIDOͷϑΟογϯά଱ੑ
    29
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ
    example.net example.com
    

    View Slide

30. FIDOͷϑΟογϯά଱ੑ
    30
    ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
    fi
    nancial fraud - Microsoft Security Blog
    
    
    https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
    fi
    nancial-fraud/
    ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ
    '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ
    example.net
    ϑΟογϯάαΠτʹਖ਼نαʔϏεͷೝূ৘ใ͸ૹΒΕͳ͍
    example.com
    

    View Slide

31. FIDOͷ՝୊
    • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊
    
    
    • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨɺແͨ͘͠ɺ
    ങ͍ସ͑ͨ৔߹ʹอଘ͞Ε͍ͯΔ҉߸伴͕ར༻Ͱ͖ͳ͘ͳΓɺશͯ
    ͷαʔϏεͰ࠶ొ࿥͕ඞཁ
    
    
    • όοΫΞοϓ
    
    
    • ೝূڧ౓Λམͱͣ͞ɺϑΟογϯά଱ੑΛอͭʹ͸ෳ਺ͷ
    Authenticatorͷొ࿥͕ඞཁ
    31
    

    View Slide

32. ύεΩʔͷಛ௃
    

    View Slide

33. ύεΩʔ : FIDO multi-device credentials
    • 伴؅ཧΛσόΠε͔ΒϢʔβʔʹ
    
    
    • ϓϥοτϑΥʔϜϢʔβʔͱඥ෇͚ : Apple, Google, MS Account
    
    
    • ύεϫʔυϚωʔδϟʔ : 1Password(༧ఆ)
    
    
    • ͜Ε·ͰͷFIDOʹ͋ͬͨ伴؅ཧͷݎ࿚ੑ͸ࣦΘΕΔ͕ɺόοΫΞο
    ϓΛՄೳʹ͢Δ͜ͱͰ “ϑΟογϯά଱ੑΛ࣋ͪརศੑͷߴ͍ೝূํ
    ࣜ” ͱͯ͠ීٴΛૂ͏
    33
    

    View Slide

34. ύεΩʔͷڍಈ : https://webauthn.io
    34
    • ύεΩʔͷొ࿥(ੜ੒) : ֬ೝը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ
    
    

    View Slide

35. ύεΩʔͷڍಈ : https://webauthn.io
    35
    • ύεΩʔͰϩάΠϯ : ύεΩʔબ୒ը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ
    
    ผ୺຤͔Β΋
    ಉ༷ʹར༻Մೳ
    

    View Slide

36. ରԠ؀ڥ
    • “ύεΩʔରԠ؀ڥ” ≠ “FIDO multi-device credentials” ʹ஫ҙ͕ඞཁ
    
    
    • ϓϥοτϑΥʔϜɺ୺຤ɺϒϥ΢βͷ૊Έ߹ΘͤͰڍಈ͕ܾ·Δ
    
    
    • ύεΩʔ͕ಉظ͞ΕΔ΋ͷ : Safari on MacOS/iOS/iPadOS,
    Android + Chrome/Firefox
    
    
    • ύεΩʔ͕ಉظ͞Εͳ͍΋ͷ : Chrome on MacOS…
    36
    

    View Slide

37. “hybrid” transport
    • “ผ୺຤ͷύεΩʔΛར༻ͯ͠ϩάΠϯ” ͕ՄೳʹͳΔ࢓૊Έ
    
    
    • QRίʔυ + BLE Ͱ઀ଓͨ͠୺຤ͷύεΩʔΛར༻Մೳ
    37
    

    View Slide

38. Conditional UI / Auto
    fi
    ll
    • Ϣʔβʔ໊/ϝʔϧΞυϨεೖྗϑΥʔϜʹར༻ՄೳͳύεΩʔ͕දࣔ
    ͞Εɺબ୒͢ΔͱύεΩʔͷೝূ͕࢝·Δ
    
    
    • طଘͷೝূํࣜͷUI͔Βͷ ”γϣʔτΧοτ” ͕Մೳ
    38
    

    View Slide

39. ύεΩʔಋೖͷϙΠϯτ
    

    View Slide

40. ύεΩʔಋೖʹΑΓ࣮ݱ͍ͨ͜͠ͱ
    • શମ/ಛఆϢʔβʔͷ҆શੑ޲্ʁ
    
    
    • ඞཁͳೝূڧ౓ɺରԠ؀ڥΛࡉ͔͘ҙࣝ͢Δඞཁ͋Γ
    
    
    • ೚ҙͰͷϑΟογϯά଱ੑͱརศੑ޲্ʁ
    
    
    • γϯϓϧʹೝূํࣜΛ”૿΍͢”ײ֮
    40
    

    View Slide

41. ID࿈ܞͱͷؔ܎
    • ID࿈ܞΛఏڙ/ར༻͢ΔଆͦΕͧΕʹύεΩʔରԠͷϝϦοτ͕͋Δ
    
    
    • Identity Provider(IdP) : ύεΩʔʹରԠ͢Δ͜ͱͰ࿈ܞ͢ΔRP΋ͦ
    ͷԸܙΛड͚ΒΕΔ
    
    
    • Relying Party(RP) : IdPʹґଘ͠ͳ͍҆શੑͱརศੑͷߴ͍ೝূํࣜ
    Λར༻Մೳ
    41
    

    View Slide

42. ಋೖύλʔϯ
    • ϝΠϯͷೝূํࣜͱͯ͠ಋೖɺಛఆػೳΛར༻͢ΔࡍʹඞਢԽ
    
    
    • Φϓγϣφϧͳೝূํࣜͱͯ͠ಋೖ
    
    
    • ௚઀ಋೖ͸͠ͳ͍͕ɺಋೖ͍ͯ͠ΔIdPͱID࿈ܞ
    
    
    • OpenID ConnectͰ͸IdPͰ࣮ࢪͨ͠ೝূํࣜͷछྨɺಛ௃Λ఻ୡ
    ͢Δύϥϝʔλ͕͋Δ
    42
    

    View Slide

43. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ύεΩʔͷొ࿥
    • ͍ͭొ࿥ΛٻΊΔ͔
    
    
    • Ϣʔβʔͷ৽نొ࿥ͷࡍʹཁٻʁಛఆػೳΛ࢖͏࣌ʁ೚ҙʁ
    
    
    • ొ࿥࣌ͷೝূڧ౓
    
    
    • ॳճ͸ݱঢ়औΓ͏ΔೝূํࣜΛཁٻ͔ͯ͠Βʁ
    
    
    • 2ͭ໨Ҏ߱͸طʹొ࿥ࡁΈͷύεΩʔͰͷೝূΛٻΊΔʁ
    
    
    • ೝূڧ౓ʹറΓ͕ͳ͍ͳΒͦͷ··ʁ
    43
    

    View Slide

44. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϩάΠϯ
    • ύεΩʔ͕ಉظ͞Ε͍ͯͳ͍؀ڥ
    
    
    • ผ୺຤ͰͷύεΩʔΛར༻ʁ : “hybrid transport”
    
    
    • ೝূڧ౓Λམͱͤͳ͍ͷͰͦͷ؀ڥͰ͸ར༻ෆՄೳʁ
    
    
    • ೚ҙͷಋೖͳͷͰผͷೝূํࣜΛར༻ʁ
    44
    

    View Slide

45. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ࠶ೝূ
    • ༗ޮظݶ੾Εɺॏཁͳॲཧͷલʹ࠶ೝূΛඞཁͱ͢Δ͔
    
    
    • ࠷ऴϩάΠϯ͔ΒҰఆظؒܦͬͨΒύεΩʔʹΑΔ࠶ೝূΛཁٻʁ
    
    
    • ॏཁͳॲཧͷલʹ͸ຖճɺύεΩʔʹΑΔ࠶ೝূΛཁٻʁ
    
    
    • ύεΩʔͰ࠶ೝূͨ͠ΒҰఆظؒ͸࠶ೝূ͕লུʁ
    
    
    • ࠶ೝূ͕ඞཁͱͳΔΑ͏ͳॲཧ͸ଘࡏ͠ͳ͍͠ɺ༗ޮظݶ੾Εͷ৔
    ߹͸ϩάΞ΢τঢ়ଶͱͯ͠ѻ͏ʁ
    45
    

    View Slide

46. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϦΧόϦʔ
    • ύεΩʔ͕࢖͑ͳ͍ঢ়گʹ͓͍ͯɺϢʔβʔʹԿΛཁٻ͠ɺԿΛ෮چ
    ͢Δ͔
    
    
    • ໰͍߹Θ͔ͤΒͷKYCͳͲͰϢʔβʔΛ֬ೝ͠ɺ࠶౓ύεΩʔΛొ
    ࿥ͤ͞Δʁ
    
    
    • ผͷೝূํࣜΛ࢖͍ɺύεΩʔΛ࠶౓ొ࿥ʁ
    46
    

    View Slide

47. ·ͱΊ
    

    View Slide

48. ·ͱΊ
    • ݱঢ়࢖ΘΕ͍ͯΔϢʔβʔೝূํࣜͰ͸ϑΟογϯά଱ੑ͕՝୊
    
    
    • ύεΩʔ͸FIDO(WebAuthn)ͷϑΟογϯά଱ੑɺϩʔΧϧೝূͷར
    ศੑΛอͪͭͭɺϦΧόϦʔͷ՝୊Λվળͨ͠࢓૊Έ
    
    
    • ύεΩʔͷಋೖύλʔϯɺಋೖʹ͋ͨΓߟྀ͢΂͖ϙΠϯτ͕͋Δ
    48
    

    View Slide

49. ׬
    
    
    ҙݟɺײ૝ɺ࣭໰
    
    
    ͓଴͓ͪͯ͠Γ·͢ɻ
    

    View Slide