Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
パスワードの保存方法について Kanazawa.rb meetup #4
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Hitoshi Kurokawa
November 29, 2012
Programming
120
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
パスワードの保存方法について Kanazawa.rb meetup #4
Kanazawa.rb meetup #4
2012/11/29 金沢市文化ホール第5 会議室
Hitoshi Kurokawa
November 29, 2012
More Decks by Hitoshi Kurokawa
See All by Hitoshi Kurokawa
Docker + CentOS 6, 8 PHP 動作確認環境の構築
krhitoshi
1
390
Rustで作るi386エミュレータ
krhitoshi
0
290
Rails4とさくらのVPSとAWS S3によるスモールスタートWebサービス「ランチボックス」 Kanazawa.rb meetup #16
krhitoshi
2
1.5k
Other Decks in Programming
See All in Programming
はてなアカウント基盤 State of the Union
cockscomb
1
1.3k
【やさしく解説 設計編 #0】DDDのコード、読めるのに分からない人へ
panda728
PRO
1
190
AIキャラアプリkaiwaの低遅延音声通話基盤をどう作ったか - AWS Gravitonで支える低遅延・低コストAI Agent基盤
mogamit
0
150
ADKを使って簡単にAIエージェントを作ってみよう
k1mu21
0
290
アルゴリズムは何を圧縮しているのか ─ Haskell から育った「圧縮代数」というメンタルモデル
naoya
8
970
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
o0h
PRO
0
290
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
250
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
430
音楽のための関数型プログラミング言語mimiumにおける多段階計算の活用
tomoyanonymous
1
220
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
470
ローカルLLMでどこまでコードが書けるか -縮小版 / How much code can be written on a local LLM Shortened
kishida
2
170
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
Featured
See All Featured
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
320
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
240
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
Paper Plane
katiecoart
PRO
1
52k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
1
1.9k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
72
40k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
180
Git: the NoSQL Database
bkeepers
PRO
432
67k
Marketing to machines
jonoalderson
1
5.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
Fireside Chat
paigeccino
42
4k
Transcript
ύεϫʔυͷอଘํ๏ʹ͍ͭͯ K a n a z w a . r
b m e e t u p # 4 2 0 1 2 / 1 1 / 2 9 a t ۚ ࢢ จ Խ ϗ ʔ ϧ ୈ 5 ձ ٞ ࣨ ࠇ ɹ ਔ ( @ k r h i t o s h i )
ࠇɹਔ (@krhitoshi) ϓϩάϥϚ/αʔόΤϯδχΞ Next SeeD (ݸਓࣄۀ) http://www.nextseed.jp/ ࠇਔͷจ۩ಊϒϩάࡾດ http://blog.bungu-do.jp/ ࣗݾհ
iOSΞϓϦ։ൃ ॕΧϨϯμʔ iPhone 170ԁ 360DL (20129݄) ້(࠲ષ)λΠϚʔ iPhone/iPad (ӳޠରԠ) ແྉ
5,000DL (20129݄) iPad App ϔϧεέΞ/ϑΟοτωε ࠷ߴ18Ґ(ຊ) ࠷ߴ122Ґ(ΞϝϦΧ) iศॴ δϣʔΫΞϓϦ Trychestͱڞಉ։ൃ 3ສ5,000DL (20118݄) iPhone App ϥΠϑελΠϧ ࠷ߴ9Ґ
σʔλϕʔεʹอଘ͢Δ ύεϫʔυͷอଘํ๏
طଘͷΞϓϦ ͑͐ͱɾɾɾɾ ·͊ஔ͍͓͍ͯͯ
ͱΓ͋͑ͣ ৽͍͠ΞϓϦͰ ԿͬͨΒ͍͍͔ͳͱ
ηΩϡϦςΟͱ͔ ҉߸ͱ͔ͷઐՈͰ͋Γ·ͤΜͷͰ ͔͋͠Βͣɾɾɾ
ฏจ plain text ϋογϡؔ hash function ύεϫʔυϋογϡ password hash ηΩϡϦςΟ
ڧ ऑ
ฏจ plain text
ؙݟ͑ password = “mypassword” if password == input_password puts “Authentication
succeeded” else puts “Authentication failed” end ཧऀɺ෦ͷਓ͕͙͢ʹͰѱ༻Ͱ͖ͯ͠·͏ ͪΖΜɺΫϥοΫ͞Εͨ߹
ϋογϡؔ hash function
ϋογϡͱ? άγϟ × ※উखͳΠϝʔδͰ͢ ͱʹͤͳ͍
Ұൠతͳϋογϡؔ MD5 SHA256 SHA512
MD5 % md5 -s XkzDusMQ4Q98 MD5 ("XkzDusMQ4Q98") = 313706cbd44dd9e9ff906a8f95b124d1 SHA256
% echo XkzDusMQ4Q98 | shasum -a 256 5fb39c611f7ec4297eaf63b70354577f8e862761c7bb497b7ef5d74229cf8af0 - ϋογϡؔΛͬͯΈΔ 32 จࣈ 64 จࣈ
େ͖͍ϑΝΠϧʹϋογϡؔ Λ͏༻్͕͋Δ http://ftp.riken.jp/Linux/centos/6.3/isos/x86_64/ a991defc0a602d04f064c43290df0131 CentOS-6.3-x86_64-bin-DVD1.iso 410c1c5188e6076d62d6107153738a15 CentOS-6.3-x86_64-bin-DVD2.iso 087713752fa88c03a5e8471c661ad1a2 CentOS-6.3-x86_64-minimal.iso 690138908de516b6e5d7d180d085c3f3
CentOS-6.3-x86_64-netinstall.iso 9953ff1cc2ef31da89a0e1f993ee6335 CentOS-6.3-x86_64-LiveCD.iso 0d28b5f9c9f562bd3a17c68ef05b3998 CentOS-6.3-x86_64-LiveDVD.iso 21157a19ec6a32b4fd71f0e45b9aa951 CentOS-6.3-x86_64-bin-DVD1to2.torrent 9015d02b4e22efd547a6bd8b19bce0ec CentOS-6.3-x86_64-LiveCD.torrent 3b9c1c463cfe8983c0835f46f2db39db CentOS-6.3-x86_64-LiveDVD.torrent 4dd1ff9a521823e033dde6b152196de7 CentOS-6.3-x86_64-minimal-EFI.iso c750ba06d83a38494dbf100bf33014d4 CentOS-6.3-x86_64-netinstall-EFI.iso
ϋογϡؔʹٻΊΒΕΔੑ࣭ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ (িಥ͠ͳ͍) ܭࢉ͕ൺֱత͍ େ͖ͳσʔλϋογϡԽͰ͖ΔΑ͏ʹ
http://en.yummy.stripper.jp/?eid=719489 ϋογϡΛͦͷ·· ฏจͷΘΓʹอଘ͞Εͨ࣌ظ͋ͬͨ
ʮϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ʯ ͱ͍ͬͨͷͰ͕͢ɾɾɾ
؆୯ͳϋογϡGoogleͰݟ ͔ͭΔɾɾɾ % md5 -s mypassword MD5 ("mypassword") = 34819d7beeabb9260a5c854bc85b3e44
ฏจ͕͢͞ʹϚζΠɾɾɾ ϋογϡؔΛͦͷ··͏ͷ2012࣌ Ͱ͏Φεεϝ͠ͳ͍ ύεϫʔυϋογϡΛ͍·͠ΐ͏ ·ͱΊ SHA-2 based (SHA256, SHA512) bcrypt
(Blowfish cipher based) ฏจ < ϋογϡؔ < ύεϫʔυϋογϡ
͓ɹΘɹΓ
ύεϫʔυͷอଘʹ͍ͭͯ ͦͷ2
ύεϫʔυϋογϡ passowrd hash Λ͍·͠ΐ͏ SHA-2 based (SHA256, SHA512) bcrypt (Blowfish
cipher based)
ύεϫʔυอଘ༻ʹ࡞Β Εͨϋογϡ
ύεϫʔυϋογϡͷಛ ϋογϡ͔ΒݩͷσʔλΛਪଌͰ͖ͳ͍ ϨΠϯϘʔςʔϒϧɺ͢Ͱʹ8จࣈͷରԠදͳͲ͕ചΒΕ͍ͯΔ saltͱݺΕΔϥϯμϜͳจࣈྻΛֻ͚߹ΘͤΔ͜ͱͰରԠ ೖྗσʔλ͕ҧ͑ϋογϡ͕ҧ͏ ܭࢉ͕ൺֱత͍ 1ඵؒʹࢼͤΔύεϫʔυͷ͕ଟ͍ ϒϧʔτϑΥʔε߈ܸ(૯ͨΓ߈ܸ) ࣙॻ߈ܸʹऑ͍ →
܁Γฦ͠ܭࢉ͍ͯͯ͘͠͠Δ ͗͢ΔͷͰ͋Ε͘͢Ε͍͍͡Όͳ͍͔??
ओʹUNIXͷϢʔβೝূͰ ΘΕ͍ͯΔͷ͕༗໊ crypt(3)
/etc/passwd /etc/shadow /etc/master.passwd ͕ࣗཧͯ͠Δαʔόͱ͔͋Ε cat /etc/shadowͰͷ͍ͧͯΈͯͶ user:$6$Cabut58I$mnFd4wx30KCDgMrgfN..(ུ)...:15451:0:99999:7::: mysql:!!:15452:::::: apache:!!:15452::::::
UNIXͷϢʔβೝূ DES based extended DES based MD5 based SHA-2 based
(SHA256, SHA512) bcrypt (Blowfish cipher based) ηΩϡϦςΟ ڧ ऑ CentOS 5ܥ·Ͱ༻͞Ε͍ͯΔ CentOS 6ܥ͔Β࠾༻ OpenBSD, SUSE LinuxͰ࠾༻
ݱ࣌Ͱbcrypt͕Αͦ͞͏ Ruby bcrypt-ruby (gem) https://github.com/codahale/bcrypt-ruby PHP PHP5.3.0Ҏ߱ͳΒbcryptΛ༻Ͱ͖Δ ඪ४Ͱ๛ʹύεϫʔυϋογϡ $2a$10$XGxQvIrXr.Xf9ohqsjUuze6g4ZGewtV3Bx0Jjjbxvi2hBRI0Zliku Cost
Salt (22จࣈ) Type 04 ͔Β 31
http://www.php.net/manual/ja/function.crypt.php PHP: crypt - Manual
PHPؤுͬͯΔͶ
http://gihyo.jp/dev/serial/01/php-security/0043
bcrypt $2a$ SHA256 based $5$ SHA512 based $6$ MD5 SHA256
SHA512 MD5 based (MD5crypt) scrypt PBKDF2
$1$ 20126݄ http://phk.freebsd.dk/sagas/md5crypt_eol.html
bcrypt 19996݄ http://static.usenix.org/event/usenix99/provos.html http://static.usenix.org/event/usenix99/provos/provos_html/index.html
glibcͰ࠾༻͞Ε͍ͯΔ $5$ $6$ 20079݄ http://www.akkadia.org/drepper/sha-crypt.html
phpass http://www.openwall.com/phpass/ WordPressʹ࠾༻͞Ε͍ͯΔ ύεϫʔυϋογϡ ϑϨʔϜϫʔΫ
ͦͷ࣌ʑͰ҆શͱࢥΘΕΔอଘ ํ๏Λબ͢Δ ύεϫʔυϋογϡͷͰैདྷͷํ๏͕҆શͰ ͳ͘ͳΔ ͲΜͳํ๏100%҆શͱ͍͏͜ͱͳ͍ ৴པͰ͖ͦ͏ͳϑϨʔϜϫʔΫΛ͏ phpass ͲΜͳอଘํ๏ϒϧʔτϑΥʔε߈ܸɺࣙॻ߈ܸ ආ͚ΒΕͳ͍ͷͰɺΞϓϦέγϣϯଆͰਪଌͰ͖ ΔύεϫʔυอଘͰ͖ͳ͍Α͏ʹ͢Δ͜ͱେ
͓ɹΘɹΓ