Upgrade to Pro — share decks privately, control downloads, hide ads and more …

第八回 #渋谷java - Java 8 で造る認証系

KOMIYA Atsushi
September 20, 2014
Programming
10
5.3k

第八回 #渋谷java - Java 8 で造る認証系

第八回 #渋谷java http://shibuya-java.connpass.com/event/8212/ での発表資料です。 サンプル実装は https://gist.github.com/komiya-atsushi/6ffac79533c3bfad8bba こちらです。

KOMIYA Atsushi

September 20, 2014
Tweet

More Decks by KOMIYA Atsushi

See All by KOMIYA Atsushi
#JJUG Java における乱数生成器とのつき合い方
komiya_atsushi
5
5.1k
#JJUG Fork/Join フレームワークを効率的に正しく使いたい
komiya_atsushi
0
440
[#JSUG] SmartNews における container friendly な Spring Boot アプリケーション開発
komiya_atsushi
1
11k
Java のデータ圧縮ライブラリを極める #jjug_ccc #ccc_c7
komiya_atsushi
4
4.6k
#devsumi 自然言語処理・機械学習によるファクトチェック業務の支援
komiya_atsushi
1
4.3k
SmartNews Ads における機械学習の活用とその運用 #mlops
komiya_atsushi
3
19k
GBDT によるクリック率予測を高速化したい #オレシカナイト vol.4
komiya_atsushi
5
1.3k
Maven central repository の artifact をランキングする #渋谷java
komiya_atsushi
0
1.2k
確率的データ構造を Java で扱いたい! #JJUG
komiya_atsushi
6
2.2k

Other Decks in Programming

See All in Programming
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
僕がつくった48個のWebサービス達
yusukebe
18
17k
PagerDuty を軸にした On-Call 構築と運用課題の解決 / PagerDuty Japan Community Meetup 4
horimislime
1
110
現場で役立つモデリング 超入門
masuda220
PRO
13
2.9k
Vue SFCのtemplateでTypeScriptの型を活用しよう
tsukkee
3
1.5k
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
Progressive Web Apps für Desktop und Mobile mit Angular (Hands-on)
christianliebel
PRO
0
110
C#/.NETのこれまでのふりかえり
tomokusaba
1
160
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
Identifying User Idenity
moro
6
7.9k
CSC509 Lecture 08
javiergs
PRO
0
110

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
180
21k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
Being A Developer After 40
akosma
86
590k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Unsuck your backbone
ammeep
668
57k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
YesSQL, Process and Tooling at Scale
rocio
167
14k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Building Your Own Lightsaber
phodgson
102
6.1k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
790
BBQ
matthewcrist
85
9.3k

Transcript

  1. Java 8 Ͱ଄Δೝূܥ ौ୩java #8 2014-09-20 at BizReach @komiya_atsushi

  2. ͓·ͩΕ

  3. ,0.*:""UTVTIJ !LPNJZB@BUTVTIJ

  4. None

  5. ʮੈքதͷྑ࣭ͳ৘ใΛඞཁͳਓʹૹΓಧ͚Δʯ ͨΊʹɺौ୩ɾࡩٰொͰ ೔ʑδϟόδϟό͍ͯ͠·͢

  6. ຊ೔ͷ͓࿩

  7. CZ+PTIVB/F⒎IUUQTqJDLSQDO"&T ͍͔Μͱ΋͠೉͍ཧ༝ʹΑΓ ೝূܥΛࣗ࡞͠ͳ͚Ε͹ ͳΒͳ͘ͳͬͯ͠·ͬͨ ʜΈ͍ͨͳέʔεΛ૝ఆ

  8. ೝূܥʁ

  9. ೝূܥʁ

  10. ͜Ε ೝূܥʁ

  11. ͍ΘΏΔϑΥʔϜೝূͬͯ΍ͭͰ͢ ͜Ε ೝূܥʁ

  12. μϝͳೝূܥ͋Δ͋Δ

  13. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏

  14. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ

  15. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ

  16. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ

  17. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ

  18. μϝͳೝূܥ͋Δ͋Δ • ύεϫʔυΛฏจͷ·· DB ʹอଘͪ͠Ό͏ • ύεϫʔυΛ෮ݩՄೳͳ҉߸ԽΞϧΰϦζϜͰ҉߸Խ • ύεϫʔυΛΦϨΦϨϋογϡؔ਺ͰϋογϡԽ •

    ύεϫʔυΛ SHA-1 ͱ͔Ͱ୯७ʹϋογϡԽ • ύεϫʔυ + ڞ௨ salt Λ SHA-1 ͰϋογϡԽ • ύεϫʔυ + java.util.Random#nextBytes() Ͱੜ੒ͨ͠ݸผͷ salt Λ SHA-1 ͰϋογϡԽ

  19. Ͳ͏͢Ε͹͍͍ͷ͔ʁ

  20. ؾΛ͚ͭΔ΂͖͜ͱ

  21. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ

  22. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ

  23. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc.

  24. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ

  25. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc.

  26. ؾΛ͚ͭΔ΂͖͜ͱ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث (CSPRNG) Ͱ salt

    Λੜ੒͢Δ • /dev/random, /dev/urandom, etc. • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • MD5, SHA-1, SHA-512, etc. • ετϨονϯά͢Δ

  27. Java 8 Ͱ΍ͬͯΈΑ͏

  28. Java Cryptography Architecture Oracle Providers Documentation • Java 7 :


    http://docs.oracle.com/javase/7/docs/ technotes/guides/security/SunProviders.html • Java 8 :
 http://docs.oracle.com/javase/8/docs/ technotes/guides/security/SunProviders.html

  29. ҉߸࿦తٖࣅཚ਺ੜ੒ثͰ salt Λੜ੒͢Δ

  30. SecureRandom#nextBytes()

  31. ҉߸࿦తٖࣅཚ਺ੜ੒ثͷ࣮૷ • Java 7 Ҏલ͔Βଘࡏ & શϓϥοτϑΥʔϜαϙʔτ • SHA1PRNG •

    Java 8 Ҏ߱ & Solaris / Linux / OS X ͷΈαϙʔτ • NativePRNG • NativePRNGBlocking • NativePRNGNonBlocking

  32. PBKDF2 ͰετϨονϯάͨ͠ϋογϡ஋ΛಘΔ

  33. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕)

  34. new PBEKeySpec( ύεϫʔυ, ιϧτ, ܁Γฦ͠ճ਺, Ωʔ௕) ετϨονϯά

  35. ετϨονϯά • ܁Γฦ͠ճ਺ͷઃఆ • CPU ϦιʔεΛফඅ͢Δ͜ͱʹ஫ҙ • DoS ߈ܸͷखஈʹͳΓ͏Δ •

    ࢀߟ : 1Password • https://learn2.agilebits.com/1Password4/Security/PBKDF2- overview.html • 10,000 ճΒ͍͠

  36. SecretKeyFactory .getInstance()

  37. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  38. DES DESede PBEWithMD5AndDES PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBKDF2WithHmacSHA1 DES DESede PBEWithMD5AndDES

    PBEWithMD5AndTripleDES PBEWithSHA1AndDESede PBEWithSHA1AndRC2_40 PBEWithSHA1AndRC2_128 PBEWithSHA1AndRC4_40 PBEWithSHA1AndRC4_128 PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 PBEWithHmacSHA1AndAES_128 PBEWithHmacSHA224AndAES_128 PBEWithHmacSHA256AndAES_128 PBEWithHmacSHA384AndAES_128 PBEWithHmacSHA512AndAES_128 PBEWithHmacSHA1AndAES_256 PBEWithHmacSHA224AndAES_256 PBEWithHmacSHA256AndAES_256 PBEWithHmacSHA384AndAES_256 PBEWithHmacSHA512AndAES_256 +BWB +BWB

  39. https://gist.github.com/ komiya-atsushi/ 6ffac79533c3bfad8bba

  40. ·ͱΊ

  41. ͜͜·Ͱॻ͍͓͍ͯͯͳΜͰ͕͢ • ೝূܥͷࣗ࡞͸΍Ί·͠ΐ͏ • ʮṷ͸ṷ԰ʯ • ʢ࢖ͬͨ͜ͱͳ͍Ͱ͕͢ʣApache Shiro ͱ͔ Spring

    Security ͱ͔࢖͏ͱ͍͍Μ͡Όͳ͍Ͱ͔͢Ͷʁ • “Apache Shiro Λ࢖ͬͯΈͨ”
 http://www.slideshare.net/chonaso/java-apache- shiro

  42. େਓͷࣄ৘ͰೝূܥΛࣗ࡞͠ͳ͖Ό ͍͚ͳ͍ͱ͖͸ • ҎԼΛ͖ͪΜͱҙࣝͯ͠࡞ΔΑ͏ʹ͠·͠ΐ͏ • ΞΧ΢ϯτݸผʹ salt Λ༻ҙ͢Δ • ҉߸࿦తٖࣅཚ਺ੜ੒ث

    (CSPRNG) Ͱ salt Λੜ੒͢Δ • SecureRandom • ҉߸ֶతϋογϡؔ਺Λར༻͢Δ • PBKDF2WithHmacSHA* • ετϨονϯά͢Δ • PBEKeySpec

  43. 5IBOLT

  44. None

  45. ৄ͘͠͸ҎԼͷ URL Ͱʂ http://www.smartnews.co.jp/recruit/ • iOS ΤϯδχΞ • Android ΤϯδχΞ

    • αʔόαΠυΤϯδχΞ • ػցֶशʗࣗવݴޠॲཧΤϯδχΞ • Web ΞϓϦέʔγϣϯΤϯδχΞ • ޿ࠂΤϯδχΞ • άϩʔεϋοΫΤϯδχΞ • ϓϩμΫςΟϏςΟΤϯδχΞ • αϙʔτΤϯδχΞ