PerlでつくるフルスクラッチWebAuthn/パスキー認証 / Demonstration of full-scratch WebAuthn/Passkey Authentication written in Perl

Transcript

1. PerlͰͭ͘ΔϑϧεΫϥον WebAuthn/ύεΩʔೝূ YAPC::Hiroshima 2024 ݫౡ 15:00ʙ @mackee_w a.k.a macopy

2. ͜Μʹͪ͸ϚίϐʔͰ͢ʂ

3. εϐʔΧʔ঺հ • X: @macopy • GitHub: @mackee • ໘ന๏ਓΧϠοΫ •

   Tonamel αʔόʔαΠυ ΤϯδχΞ • ޿ౡ޻ۀେֶग़਎

4. ຊ೔ͷ”օ༷”ͷ໨ඪ WebAuthnͷ࢓૊Έ͕Θ͔ͬͨؾʹͳΔ

5. ͱΓ͋͑ͣ࢖ͬͯΈΔʹ͸ օ͞Μͷ͓੮ͷޙΖʹ͋Δ`Perlbatross`Ͱ͸WebAuthn͕࢖ΘΕ͍ͯ·͢

6. Θ͔ͬͨؾʹͳΔͨΊʹࢲ͕΍Δ͜ͱ • WebAuthnͷ࣮ࡍͷ࢓૊Έʹ͍ͭͯαʔόʔ࣮૷Λॻ͖ͳ͕Βઆ໌ • ͜ͷτʔΫ͸ϥΠϒίʔσΟϯάओମͰ͢ • ϋϓχϯά͕͋ͬͨΒԠԉ͍ͯͩ͘͠͞ • ͜ͷτʔΫͰॻ࣮͘૷͸৭ʑলུ͍ͯ͠·͢ •

   (Option)ؼͬͨΒ͋ͳͨ΋ॻ͍ͯΈ·͠ΐ͏ • (ͲΜͳʹ୹ͯ͘΋͍͍ͷͰ)ϒϩάͰײ૝͕͋Ε͹ࢲ͸͔ͳΓتͼ·͢

7. ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 <= ΠϚίί • WebAuthnͱPasskeyͷ֓ཁ

   15:05 ʙ 15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

8. ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ

   15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

9. WebAuthnͱ͸ • ύεϫʔυϨεೝূΛ࣮ݱ͢ΔͨΊͷඪ४Web API • ެ։伴҉߸Λ࢖ͬͯిࢠॺ໊Ͱߦ͏ೝূํࣜ ύεϫʔυ

10. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ΩʔϖΞ

11. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ϩάΠϯ͍ͨ͠

12. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 challengeʹ ॺ໊ͯ͠

13. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 challengeʹ ॺ໊ͯ͠

14. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ॺ໊ͨ͠Α

15. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ॺ໊ͨ͠Α

16. WebAuthnͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث ൿີ伴 αʔόʔ ެ։伴 ͋ͬͯͦ͏ʂOK ݕূ

17. WebAuthnͷσϝϦοτ • ൿີ伴͕σόΠε಺ʹด͍ͯ͡Δ • σόΠεΛ·͍ͨͩೝূΛͲ͏͢Δ͔ • CTAP2ͱ͍͏ൿີ伴͕ೖͬͨσόΠεͱBLEͳͲͰܨ͍Ͱೝূ͢ Δํࣜ΋ఆٛ͞Ε͍ͯΔ • ฆࣦͨ͠ΒͲ͏͢Δ͔

    • => ༻్ͱͯ͠͸2FAͷ1͔ͭͭɺ͜Ε͚ͩͩͱ৺ڐͳ͍

18. Passkeyͱ͸ • ݫີͳఆٛ: Discoverable CredentialΛ༻͍ΔWebAuthn • 伴ʹϢʔβʔ໊ͳͲΛηοτͰอଘ͢Δ • RP(αΠτ)ʹରͯ͠࢖༻ՄೳͳIDͱެ։伴ͷϖΞΛྻڍͰ͖Δ •

    Ϋϥ΢υಉظ΍Passkey Auto fi llɺੜମೝূΛհͨ͠MFAͳͲɺ WebAuthnΛศརʹ͢ΔUX΍ɺϢʔβʔʹWebAuthn͕࢖͑ΔϩάΠ ϯํࣜͰ͋Δ͜ͱΛ͢͞ݴ༿ͱͯ͠΋࢖ΘΕΔ

19. ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ

    15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

20. Registrationͷϑϩʔ Ϣʔβʔ ϒϥ΢β ೝূث αʔόʔ ᶅొ࿥ʹඞཁͳ ύϥϝʔλͩΑ ηογϣϯ challenge ᶃొ࿥͍ͨ͠

    ᶄ ᶆ͜ͷαΠτ༻ͷ 伴࡞ͬͯ ൿີ伴 ᶇ ᶈ࡞ͬͨ ެ։伴 ᶉ伴ͱchallengeͰ͢ ެ։伴 ᶊchallengeݕূ ᶋެ։伴Λอଘ

21. Registrationͷϑϩʔ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

22. AttestationObject • ೝূث͕ൃߦ͢Δূ໌ॻͳͲؚ͕·ΕΔ৘ใ • CBORܗࣜͰΤϯίʔυ͞Ε͍ͯΔ • ·ͨɺূ໌ॻ͸ `authData` keyͷதʹόΠφϦͰؚ·Ε͍ͯΔ

23. AttestationObject ެ։伴ؚ͕·Ε͍ͯΔͷ͸͜͜ https://www.w3.org/TR/webauthn-3/# fi g-attStructs

24. AttestationObjectΛόΠφϦΤσΟλͰ೷͘

25. Attestation Objectͷunpack • a32: 32όΠτ όΠφϦจࣈྻ • N: ϏοάΤϯσΟΞϯ 32bit

    unsigned int • n/a: 16bit unsigned intΛऔ্ͬͨͰͦΕΛ௕͞ͱΈͳͦ͠ͷόΠτ෼ΛͱΔ • a*: ࢒Γશ෦ όΠφϦจࣈྻ

26. COSEͷத਎ https://zenn.dev/macopy/scraps/8f50c18 fb 0b164

27. ొ࿥࣌ʹαʔόʔ͕΍Δݕূ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API ஫ҙ: ͜ͷϥΠϒίʔσΟϯάͰ͸iiiͷҰ෦Λলུ͍ͯ͠·͢

28. ίϥϜ `attStmt` • attStmt͸ެ։伴ͷॺ໊ݕূͳͲʹ༻͍ΒΕΔ৘ใ • YubikeyͳͲͷηΩϡϦςΟΩʔ͸fmtʹ` fi do-u2f`͕ઃఆ͞Ε͍ͯΔ • `attStmt`ʹॻ͔Εͨূ໌ॻͱॺ໊Ͱਖ਼نͷηΩϡϦςΟΩʔ͔Βൃߦ͞Εͨൿ

    ີ伴ɾެ։伴Ͱ͋Δ͜ͱ͕ݕূͰ͖Δ • ύεΩʔͰ͸none͕ઃఆ͞ΕΔ͜ͱ͕͋Δ • 1PasswordͰ͸none, iCloud KeychainͰ͸`packed`, Google Password ManagerͰ͸…, Windows HelloͰ͸tpm

29. ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ

    15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

30. Loginͷϑϩʔ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

31. AuthenticatorData https://www.w3.org/TR/webauthn-3/# fi g-authData

32. Կʹॺ໊Λߦͳ͍ͬͯΔ͔ • authenticatorData + sha256(clientDataJSON) https://www.w3.org/TR/webauthn-3/# fi g-signature

33. ೝূ࣌ʹαʔόʔ͕΍Δݕূ https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API

34. ຊ೔ͷνϟʔτ • ࣗݾ঺հͳͲ 15:00 ʙ 15:05 • WebAuthnͱPasskeyͷ֓ཁ 15:05 ʙ

    15:10 • Registration࣮૷ 15:10ʙ15:25 • Login࣮૷ 15:25ʙ15:35 • ·ͱΊ(όοϑΝ) 15:35ʙ15:40

35. ·ͱΊ • WebAuthn͸ެ։伴҉߸ͷੑ࣭Λར༻ͯ͠ύεϫʔυೝূͷམͱ݀͠ Λ௵͍ͯ͠Δ • ެ։伴͕࿙Ӯͯ͠΋ॺ໊Λੜ੒͢Δ͜ͱ͕Ͱ͖ͳ͍ • ੬ऑͳύεϫʔυ(=֮͑΍͍͢ύεϫʔυ)͸࢖༻Ͱ͖ͳ͍ • ࢖͍ճ͕͠Ͱ͖ͳ͍

    • SpecΛಡΊ͹PerlͰ΋࣮૷Ͱ͖Δͧ

36. ·ͱΊ2 • ৭ʑෳࡶͳͷͰɺ͓࢓ࣄͰ͸ϥΠϒϥϦΛ࢖ͬͨํ͕ྑ͍ • Perlbatross͸SimpleWebAuthn + Authen::WebAuthn • ࠓճͷίʔυΛॻ͘ͱ͖΋طଘͷϥΠϒϥϦͷத਎Λͨ͘͞Μࢀর͠ ·ͨ͠

    • Specͷ͏͔ͪͳΓͷݕূΛͬ͢ඈ͹͍ͯ͠·͢ • ͚ͩͲ࢓૊ΈΛ஌͍ͬͯΔͱσόοά͕ḿΔͷͰɺҰ౓ॻ͍ͯΈΔͱཧղ ͕ਂ·Γ·͢

37. ࢀߟจݙ • W3C Web Authentication: An API for accessing Public

    Key Credentials Level 2 https://www.w3.org/TR/webauthn-2/ • mdn ΢ΣϒೝূAPI https://developer.mozilla.org/ja/docs/Web/API/Web_Authentication_API • mercari engineering: WebAuthn͜ͱ͸͡Ί https://engineering.mercari.com/blog/entry/ 2019-06-04-120000/ • WEB+DB Press Vol.136 ಛू2 ࣮ઓ౤ೖύεΩʔ • Digital Identityٕज़ษڧձ Advent Calendar 2023 https://qiita.com/advent-calendar/2023/ iddance

38. See also • ImHexͰWebAuthnͷAttestationObjectΛύʔε͢Δ https:// zenn.dev/macopy/scraps/8f50c18fb0b164 • PerlͷCBOR::PPͱunpackͰWebAuthnͷAttestation ObjectΛύʔε ͢Δ

    https://zenn.dev/macopy/scraps/e042aa351a57a7 • ࠓճͷ࣮૷ https://github.com/mackee/yapchiroshima2024

39. ϒϩάͰײ૝͓଴͓ͪͯ͠Γ·͢ʂ 🙏