Upgrade to Pro — share decks privately, control downloads, hide ads and more …

第八回 #渋谷java - Java 8 で造る認証系

KOMIYA Atsushi
September 20, 2014
Programming
10
5.4k

第八回 #渋谷java - Java 8 で造る認証系

第八回 #渋谷java http://shibuya-java.connpass.com/event/8212/ での発表資料です。 サンプル実装は https://gist.github.com/komiya-atsushi/6ffac79533c3bfad8bba こちらです。

KOMIYA Atsushi

September 20, 2014
Tweet

More Decks by KOMIYA Atsushi

See All by KOMIYA Atsushi
#JJUG Java における乱数生成器とのつき合い方
komiya_atsushi
5
5.1k
#JJUG Fork/Join フレームワークを効率的に正しく使いたい
komiya_atsushi
0
450
[#JSUG] SmartNews における container friendly な Spring Boot アプリケーション開発
komiya_atsushi
1
11k
Java のデータ圧縮ライブラリを極める #jjug_ccc #ccc_c7
komiya_atsushi
4
4.7k
#devsumi 自然言語処理・機械学習によるファクトチェック業務の支援
komiya_atsushi
1
4.3k
SmartNews Ads における機械学習の活用とその運用 #mlops
komiya_atsushi
3
19k
GBDT によるクリック率予測を高速化したい #オレシカナイト vol.4
komiya_atsushi
5
1.3k
Maven central repository の artifact をランキングする #渋谷java
komiya_atsushi
0
1.2k
確率的データ構造を Java で扱いたい! #JJUG
komiya_atsushi
6
2.2k

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
240
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
C++でシェーダを書く
fadis
6
4.1k
React への依存を最小にするフロントエンド設計
takonda
3
530
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
イベント駆動で成長して委員会
happymana
1
340
Arm移行タイムアタック
qnighy
0
340
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
200
Contemporary Test Cases
maaretp
0
140

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
4 Signs Your Business is Dying
shpigford
180
21k
Optimizing for Happiness
mojombo
376
70k
Automating Front-end Workflow
addyosmani
1366
200k
The Language of Interfaces
destraynor
154
24k
Designing for humans not robots
tammielis
250
25k
BBQ
matthewcrist
85
9.3k
Docker and Python
trallard
40
3.1k

Transcript

  1. Java 8 Ͱ଄Δೝূܥ ौ୩java #8 2014-09-20 at BizReach @komiya_atsushi

  2. ͓·ͩΕ

  3. ,0.*:""UTVTIJ !LPNJZB@BUTVTIJ

  4. None

  5. ʮੈքதͷྑ࣭ͳ৘ใΛඞཁͳਓʹૹΓಧ͚Δʯ ͨΊʹɺौ୩ɾࡩٰொͰ ೔ʑδϟόδϟό͍ͯ͠·͢

  6. ຊ೔ͷ͓࿩

  7. CZ+PTIVB/F⒎IUUQTqJDLSQDO"&T ͍͔Μͱ΋͠೉͍ཧ༝ʹΑΓ ೝূܥΛࣗ࡞͠ͳ͚Ε͹ ͳΒͳ͘ͳͬͯ͠·ͬͨ ʜΈ͍ͨͳέʔεΛ૝ఆ

  8. ೝূܥʁ

  9. ೝূܥʁ

  10. ͜Ε ೝূܥʁ

  11. ͍ΘΏΔϑΥʔϜೝূͬͯ΍ͭͰ͢ ͜Ε ೝূܥʁ

  12. μϝͳೝূܥ͋Δ͋Δ

  13. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏

  14. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ

  15. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ

  16. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ

  17. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ

  18. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ • ύεϫʔυ + java.util.Random#nextBytes() Ͱੜ੒ͨ͠ݸผͷ salt Λ SHA-1 ͰϋογϡԽ

  19. Ͳ͏͢Ε͹͍͍ͷ͔ʁ

  20. ؾΛ͚ͭΔ΂͖͜ͱ

  21. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ

  22. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ

  23. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc.

  24. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ

  25. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc.

  26. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc. • ετϨονϯά͢Δ

  27. Java 8 Ͱ΍ͬͯΈΑ͏

  28. Java Cryptography Architecture Oracle Providers Documentation • Java 7 :


    http://docs.oracle.com/javase/7/docs/ technotes/guides/security/SunProviders.html • Java 8 :
 http://docs.oracle.com/javase/8/docs/ technotes/guides/security/SunProviders.html

  29. ҉߸࿦తٖࣅཚ਺ੜ੒ثͰ salt Λੜ੒͢Δ

  30. SecureRandom#nextBytes()

  31. ҉߸࿦తٖࣅཚ਺ੜ੒ثͷ࣮૷ • Java 7 Ҏલ͔Βଘࡏ & શϓϥοτϑΥʔϜαϙʔτ • SHA1PRNG •

    Java 8 Ҏ߱ & Solaris / Linux / OS X ͷΈαϙʔτ • NativePRNG • NativePRNGBlocking • NativePRNGNonBlocking

  32. PBKDF2 ͰετϨονϯάͨ͠ϋογϡ஋ΛಘΔ

  33. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕)

  34. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕) ετϨονϯά

  35. ετϨονϯά • ܁Γฦ͠ճ਺ͷઃఆ • CPU ϦιʔεΛফඅ͢Δ͜ͱʹ஫ҙ • DoS ߈ܸͷखஈʹͳΓ͏Δ •

    ࢀߟ : 1Password • https://learn2.agilebits.com/1Password4/Security/PBKDF2- overview.html • 10,000 ճΒ͍͠

  36. SecretKeyFactory .getInstance()

  37. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  38. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  39. https://gist.github.com/ komiya-atsushi/ 6ffac79533c3bfad8bba

  40. ·ͱΊ

  41. ͜͜·Ͱॻ͍͓͍ͯͯͳΜͰ͕͢ • ೝূܥͷࣗ࡞͸΍Ί·͠ΐ͏ • ʮṷ͸ṷ԰ʯ • ʢ࢖ͬͨ͜ͱͳ͍Ͱ͕͢ʣApache Shiro ͱ͔ Spring

    Security ͱ͔࢖͏ͱ͍͍Μ͡Όͳ͍Ͱ͔͢Ͷʁ • “Apache Shiro Λ࢖ͬͯΈͨ”
 http://www.slideshare.net/chonaso/java-apache- shiro

  42. େਓͷࣄ৘ͰೝূܥΛࣗ࡞͠ͳ͖Ό ͍͚ͳ͍ͱ͖͸ • ҎԼΛ͖ͪΜͱҙࣝͯ͠࡞ΔΑ͏ʹ͠·͠ΐ͏ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث

    (CSPRNG) Ͱ salt Λੜ੒͢Δ • SecureRandom • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • PBKDF2WithHmacSHA* • ετϨονϯά͢Δ • PBEKeySpec

  43. 5IBOLT

  44. None

  45. ৄ͘͠͸ҎԼͷ URL Ͱʂ http://www.smartnews.co.jp/recruit/ • iOS ΤϯδχΞ • Android ΤϯδχΞ

    • αʔόαΠυΤϯδχΞ • ػցֶशʗࣗવݴޠॲཧΤϯδχΞ • Web ΞϓϦέʔγϣϯΤϯδχΞ • ޿ࠂΤϯδχΞ • άϩʔεϋοΫΤϯδχΞ • ϓϩμΫςΟϏςΟΤϯδχΞ • αϙʔτΤϯδχΞ