Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
パスワードの保存方法について Kanazawa.rb meetup #4
Search
Hitoshi Kurokawa
November 29, 2012
Programming
0
110
パスワードの保存方法について Kanazawa.rb meetup #4
Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室
Hitoshi Kurokawa
November 29, 2012
Tweet
Share
More Decks by Hitoshi Kurokawa
See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
krhitoshi
1
290
Rustで作るi386エミュレータ
krhitoshi
0
220
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
krhitoshi
2
1.5k
Other Decks in Programming
See All in Programming
競技プログラミングへのお誘い@阪大BOOSTセミナー
kotamanegi
0
360
Stackless и stackful? Корутины и асинхронность в Go
lamodatech
0
840
선언형 UI에서의 상태관리
l2hyunwoo
0
180
バグを見つけた?それAppleに直してもらおう!
uetyo
0
180
PSR-15 はあなたのための ものではない? - phpcon2024
myamagishi
0
140
Keeping it Ruby: Why Your Product Needs a Ruby SDK - RubyWorld 2024
envek
0
190
Androidアプリのモジュール分割における:x:commonを考える
okuzawats
1
140
テストケースの名前はどうつけるべきか?
orgachem
PRO
0
140
テストコード文化を0から作り、変化し続けた組織
kazatohiei
2
1.5k
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
170
Webエンジニア主体のモバイルチームの 生産性を高く保つためにやったこと
igreenwood
0
340
PHPUnitしか使ってこなかった 一般PHPerがPestに乗り換えた実録
mashirou1234
0
230
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
810
Unsuck your backbone
ammeep
669
57k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
Why Our Code Smells
bkeepers
PRO
335
57k
Making the Leap to Tech Lead
cromwellryan
133
9k
Being A Developer After 40
akosma
87
590k
Faster Mobile Websites
deanohume
305
30k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
5
450
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Optimising Largest Contentful Paint
csswizardry
33
3k
Transcript
ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r
b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ɹ ਔ ( @ k r h i t o s h i )
ࠇɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾհ
iOSΞϓϦ։ൃ ॕΧϨϯμʔ iPhone 170ԁ 360DL (20129݄) ້(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ
5,000DL (20129݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ 3ສ5,000DL (20118݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ
σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏
طଘͷΞϓϦ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ
ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ ԿͬͨΒ͍͍͔ͳͱ
ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐՈͰ͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ
ฏจ plain text ϋογϡؔ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ
ڧ ऑ
ฏจ plain text
ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication
succeeded” else puts “Authentication failed” end ཧऀɺ෦ͷਓ͕͙͢ʹͰѱ༻Ͱ͖ͯ͠·͏ ͪΖΜɺΫϥοΫ͞Εͨ߹
ϋογϡؔ hash function
ϋογϡͱ? άγϟ × ※উखͳΠϝʔδͰ͢ ͱʹͤͳ͍
Ұൠతͳϋογϡؔ MD5 SHA256 SHA512
MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256
% echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔΛͬͯΈΔ 32 จࣈ 64 จࣈ
େ͖͍ϑΝΠϧʹϋογϡؔ Λ͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3
CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso
ϋογϡؔʹٻΊΒΕΔੑ࣭ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత͍ େ͖ͳσʔλϋογϡԽͰ͖ΔΑ͏ʹ
http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷΘΓʹอଘ͞Εͨ࣌ظ͋ͬͨ
ʮϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ
؆୯ͳϋογϡGoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44
ฏจ͕͢͞ʹϚζΠɾɾɾ ϋογϡؔΛͦͷ··͏ͷ2012࣌ Ͱ͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt
(Blowfish cipher based) ฏจ < ϋογϡؔ < ύεϫʔυϋογϡ
͓ɹΘɹΓ
ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2
ύεϫʔυϋογϡ passowrd hash Λ͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish
cipher based)
ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ
ύεϫʔυϋογϡͷಛ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ ܭࢉ͕ൺֱత͍ 1ඵؒʹࢼͤΔύεϫʔυͷ͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →
܁Γฦ͠ܭࢉ͍ͯͯ͘͠͠Δ ͗͢ΔͷͰ͋Ε͘͢Ε͍͍͡Όͳ͍͔??
ओʹUNIXͷϢʔβೝূͰ ΘΕ͍ͯΔͷ͕༗໊ crypt(3)
/etc/passwd /etc/shadow /etc/master.passwd ͕ࣗཧͯ͠Δαʔόͱ͔͋Ε cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::
UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based
(SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻
ݱ࣌Ͱbcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ༻Ͱ͖Δ ඪ४Ͱ๛ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost
Salt (22จࣈ) Type 04 ͔Β 31
http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual
PHPؤுͬͯΔͶ
http://gihyo.jp/dev/serial/01/php-security/0043
bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256
SHA512 MD5 based (MD5crypt) scrypt PBKDF2
$1$ 20126݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html
bcrypt 19996݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html
glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 20079݄ http://www.akkadia.org/drepper/sha-crypt.html
phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ
ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ͢Δ ύεϫʔυϋογϡͷͰैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏100%҆શͱ͍͏͜ͱͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ͏ phpass ͲΜͳอଘํ๏ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ ΔύεϫʔυอଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱେ
͓ɹΘɹΓ