
Is that QR code safe? / Cross Device Flow

ritou
August 22, 2024

Transcript

  1. Cross-Device Flows: Security Best Current Practice (Draft 08)
     • https://datatracker.ietf.org/doc/html/draft-ietf-oauth-cross-device-security
     • Overview of the threats to cross-device flows, the countermeasures (mitigations), guidance on protocol selection, and the formal analysis
  2. Protocols covered
     • IETF OAuth 2.0 Device Authorization Grant [RFC8628]
       • Grants resource access to devices with limited input capability
     • OpenID Foundation Client Initiated Back-Channel Authentication (CIBA)
       • Cross-device identity federation based on a notification sent to the user
     • FIDO2 / WebAuthn (hybrid transports)
       • Cross-device passkey authentication
  3. Cross-device flow patterns
     • Cross-device authorization (authentication)
       • The user transfers the authorization request from the consumption device to the authorization device: OAuth 2.0 AuthZ Grant
       • The authorization request is transferred from the consumption device to the authorization device over a back-channel: CIBA
       • The user transfers the authorization response from the authorization device to the consumption device: OAuth 1.0 (callback = oob)
     • Session transfer between devices
       • The user transfers the session from the authorization device to the consumption device: OID4VCI
  4. Abuse of cross-device flows
     • Obtaining tokens of various kinds by getting a third party's consent: Cross-Device Consent Phishing (CDCP)
       • The attacker uses an unauthenticated channel to change the user context to the victim's
     • Obtaining a third party's login session: Cross-Device Session Phishing (CDSP)
       • The attacker uses an unauthenticated channel to get the victim's session transferred to the attacker's own device
  5. Mitigations (2)
     • Restrict the tokens needed for resource access (scope and lifetime)
     • Rate limiting
     • Sender-constrained tokens
     • UX and user education
     • Start the flow only after authentication
     • Verification of request initiation; request binding using OOB data
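As an added illustration, not code from the deck or from the IETF draft, the model below sketches an RFC 8628-style authorization server that applies the mitigations listed on this slide: narrowed scope, a short user_code lifetime, polling rate limits (`slow_down`), approval only by an authenticated user, and request binding with an out-of-band value that the consumption device displays and the authorization device must echo back. The class and field names, the `ALLOWED_SCOPES` policy and the code lengths are assumptions; the clock is injectable so expiry can be exercised.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class PendingRequest:
    client_id: str
    scope: frozenset
    user_code: str        # carried by the QR code / short code to the authorization device
    oob_code: str         # shown only on the consumption device; must be echoed back on approval
    expires_at: float
    last_poll: float = -1.0
    approved_by: Optional[str] = None

class AuthorizationServer:
    """Constructed model (assumption, not the draft's text) of a device-grant AS with mitigations."""
    ALLOWED_SCOPES = frozenset({"read"})   # assumption: cross-device flows never get broader scope
    USER_CODE_LIFETIME = 300               # seconds an unapproved request stays valid
    MIN_POLL_INTERVAL = 5                  # seconds; faster polling is answered with slow_down

    def __init__(self, now):
        self.now = now                     # injectable clock (callable returning seconds)
        self.pending = {}

    def start(self, client_id, scope):
        """Device authorization endpoint, called by the consumption device."""
        req = PendingRequest(client_id, frozenset(scope) & self.ALLOWED_SCOPES,
                             secrets.token_hex(4), secrets.token_hex(2),
                             self.now() + self.USER_CODE_LIFETIME)
        self.pending[req.user_code] = req
        return req

    def approve(self, user_code, oob_code, user):
        """Called from the authorization device once `user` has already authenticated."""
        req = self.pending.get(user_code)
        if req is None or self.now() > req.expires_at:
            return "expired"
        if not secrets.compare_digest(req.oob_code, oob_code):
            return "oob_mismatch"          # a relayed QR code without the OOB value fails binding
        req.approved_by = user
        return "ok"

    def poll(self, user_code):
        """Token endpoint polled by the consumption device."""
        req = self.pending.get(user_code)
        if req is None or self.now() > req.expires_at:
            return {"error": "expired_token"}
        if self.now() - req.last_poll < self.MIN_POLL_INTERVAL:
            return {"error": "slow_down"}  # rate limiting of the polling client
        req.last_poll = self.now()
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[user_code]        # single use: the code cannot be redeemed twice
        return {"access_token": secrets.token_urlsafe(16), "scope": sorted(req.scope),
                "sub": req.approved_by, "expires_in": 600}
```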