Upgrade to Pro — share decks privately, control downloads, hide ads and more …

パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 20...

ritou
February 09, 2023

パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1

下記講演の資料です。
https://event.shoeisha.jp/devsumi/20230209/session/4146/

下記記事で内容解説を行っていますのでご覧ください。
https://zenn.dev/mixi/articles/fdf9236f86ea29

ritou

February 09, 2023
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. ҏ౦ ྒ (@ritou) • גࣜձࣾ MIXI - ΤϯδχΞ • OpenID

    ϑΝ΢ϯσʔγϣϯɾδϟύϯ - ΤόϯδΣϦετ • Digital Identityؔ࿈ͷϒϩάɺࣥචɺษڧձ… 2
  2. ύεϫʔυೝূ - Memorized Secrets • ೝূཁૉ : ஌ࣝ • ϢʔβʔɺαʔϏε͕ύεϫʔυΛڞ༗

    • Ϣʔβʔ͸هԱ͢Δ • αʔϏε͸҆શʹอଘ • Ϣʔβʔ͔ΒૹΒΕͨϢʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛ αʔϏε͕ݕূ͢Δํ๏͕Ұൠత 5
  3. ΞΧ΢ϯτϦΧόϦʔ • ͋ΔೝূํࣜͰ “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ผͷखஈͰ౰ਓೝূ / ਎ݩ֬ೝ +

    ઃఆมߋ • ผͷೝূํࣜ : SMS͕࢖͑ͳ͍ͷͰόοΫΞοϓίʔυΛར༻ • ొ࿥࣌ͷ਎ݩ֬ೝํ๏Λར༻ : PW࠶ઃఆ༻ͷURLΛϝʔϧૹ৴ • CSܦ༝ͷKYC : ఏग़ࡁΈͷ਎෼ূ໌ॻΛར༻ 7
  4. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ় • Ϣʔβʔͷཁ݅ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍ • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ •

    αʔϏεͷཁ݅ • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ 8 ਪଌՄೳͳύεϫʔυΛ ෳ਺αʔϏεͰ࢖͍ճ͢ ෮߸Մೳͳঢ়ଶͰ อଘ͍ͯͨ͠஋͕࿙Ӯ
  5. ύεϫʔυϦετ/ύεϫʔυεϓϨʔ ߈ܸ • ύεϫʔυϦετ߈ܸ : ଞαʔϏε͔Β࿙ӮɺϑΟογϯάͰऔಘ͞ Εͨ”(ϝʔϧΞυϨεͳͲؚΉ)Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ Θͤ”Λར༻ͯ͠ϩάΠϯࢼߦ • ύεϫʔυεϓϨʔ߈ܸ

    : “ϢʔβʔࣝผࢠͷϦετͱΑ͘࢖ΘΕ͍ͯ Δύεϫʔυ”ͷ૊Έ߹ΘͤͰϩάΠϯࢼߦ • ύεϫʔυҎ֎ͷೝূํࣜͱͷ૊Έ߹ΘͤʹΑΔରࡦ͕ඞཁ 9
  6. TOTP - Single-Factor OTP Device • ೝূཁૉ : ॴ༗ •

    Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ɺ • ϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰੜ੒ͨ͠OTP(RFC6238)Λར༻ • ۚ༥ػؔͳͲͰ͸ϋʔυ΢ΣΞτʔΫϯ͕ར༻͞Ε͍͕ͯͨɺ2010 ೥୅ʹGoogle͕Google Authenticatorͱͱ΋ʹ2ஈ֊ೝূΛఏڙͯ͠ ͔Βීٴ 10
  7. SMS OTP - Out-of-Band Devices • ೝূཁૉ : ॴ༗ •

    SMSܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻ • αʔϏε͸ొ࿥ࡁΈͷి࿩൪߸ʹOTPΛૹ৴ • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴ • Ϣʔβʔͷେྔొ࿥ରࡦͱͯ͠΋࢖ΘΕ͖ͯͨɻαʔϏεଆͷૹ৴ί ετɺ஗Ԇ΍ಧ͔ͳ͍ϦεΫͱ͍͏ϦεΫ΋ແࢹͰ͖ͳ͍ɻ 11
  8. Email OTP - Out-of-Band Devices • ೝূཁૉ : ॴ༗ (?)

    • Emailܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻ • αʔϏε͸ొ࿥ࡁΈͷϝʔϧΞυϨεʹOTPΛૹ৴ • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴ 12
  9. ೝূ༻ΞϓϦ - Out-of-Band Devices • ೝূཁૉ : ॴ༗ • ೝূ༻ͷ୺຤΍ϞόΠϧΞϓϦ΁ͷϓογϡ௨஌Λར༻

    • αʔϏε͸Ϣʔβʔʹඥ͚ͮΒΕͨ୺຤/ΞϓϦʹϓογϡ௨஌ • Ϣʔβʔ͸୺຤/ΞϓϦͰϩάΠϯ͢Δ͜ͱΛڐՄ • MFAർ࿑߈ܸ(MFA fatigue attacks) ͕࿩୊ʹ 13
  10. όοΫΞοϓίʔυ - Look-Up Secrets • ೝূཁૉ : ॴ༗ • ͋Β͔͡ΊϢʔβʔʹ഑෍ͨ͠୯Ұ΋͘͠͸ෳ਺ͷจࣈྻΛར༻

    • SMS͕ड৴Ͱ͖ͳ͍ • ೝূ༻ΞϓϦ͕ར༻Ͱ͖ͳ͍ • 2ཁૉ/2ஈ֊ೝূΛઃఆ͢Δࡍʹ߹Θͤͯઃఆͤ͞Δͷ͕Ұൠత 14
  11. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ় • Ϣʔβʔͷཁ݅ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍ • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ •

    αʔϏεͷཁ݅ • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ 15 ←ϑΟογϯάαΠτʹ ೖྗͯ͠͠·͏
  12. ϑΟογϯά߈ܸ • IPA ৘ใηΩϡϦςΟ10େڴҖ2023 ݸਓ޲͚1Ґ(2࿈೼த) • 2ஈ֊ೝূɺ2ཁૉೝূΛར༻ͯ͠΋ඃ֐ʹૺ͏Մೳੑ͕͋Δ • Adversary-in-the-MiddleʢAiTMʣ 16

    ग़య : ৘ใηΩϡϦςΟ10େڴҖ 2023ɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ https://www.ipa.go.jp/security/vuln/10threats2023.html
  13. Adversary-in-the- MiddleʢAiTMʣ • ϑΟογϯάαΠτ͕தؒऀͱͳ Γਖ਼نͷαʔϏεʹϩάΠϯࢼߦ • ύεϫʔυ + SMS/Email OTP

    • ύεϫʔυ + ೝূΞϓϦ • ੒ޭ͢ΔͱϩάΠϯηογϣϯࣗ ମ(Cookie/Token)ΛऔಘՄೳ ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹ further fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from- cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/
  14. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 18 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ example.com example.net
  15. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 19 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ example.com example.net
  16. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 20 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ 50514.4051 ೖྗը໘Λදࣔ example.com example.net
  17. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 21 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ 50514.4051 ೖྗը໘Λදࣔ 50514.4051Λ ਖ਼نαʔϏεʹૹΔ example.com example.net
  18. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 22 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ 50514.4051 ೖྗը໘Λදࣔ 50514.4051Λ ਖ਼نαʔϏεʹૹΔ ϩάΠϯηογϣϯΛ औಘՄೳ example.com example.net
  19. Ϣʔβʔ/αʔϏε͕ͱΕΔϑΟογϯάରࡦ • Ϣʔβʔ͕ύεϫʔυϚωʔδϟʔͷར༻ : ύεϫʔυ΍TOTPઃఆΛ ΦϦδϯ(υϝΠϯ)ͱඥ෇͚ͯ؅ཧ͠ɺҰக͍ͯ͠Δ΋ͷ͕ϑΥʔϜ ೖྗ࣌ʹબ୒Մೳ • αʔϏε͕WebOTPͷ࠾༻ :

    ૹ৴ͨ͠SMSϝοηʔδʹؚ·ΕΔΦϦ δϯ(υϝΠϯ)ͱOTPͷೖྗΛଅ͍ͯ͠ΔURL͕Ұக͍ͯ͠Ε͹ड৴ ͨ͠SMSʹؚ·ΕΔOTPͷ஋͕ϑΥʔϜʹࣗಈೖྗ 23
  20. ύεϫʔυϚωʔδϟʔʹΑΔରࡦ 24 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ਖ਼نαʔϏεͷύεϫʔυ͕ ϑΟογϯάαʔϏεʹ͸ఏҊ͞Εͳ͍ example.com example.net
  21. WebOTPʹΑΔରࡦ 25 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ 50514.4051 ೖྗը໘Λදࣔ ϑΟογϯάαʔϏεʹ͸051ࣗಈೖྗ͕ߦΘΕͳ͍ example.com example.net
  22. • ೝূཁૉ : ॴ༗ • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ ূΛར༻ • ηΩϡϦςΟΩʔΛࢦ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩͰར༻Մೳ •

    ύεϫʔυೝূͱ૊Έ߹Θͤͨ2ஈ֊ೝূͰͷར༻͕޿·ͬͨ 26 FIDO w/ User Presence - Single-Factor Cryptographic Device/Software
  23. FIDO w/ User Veri fi cation - Multi-Factor Cryptographic Software/Device

    • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ ূ ͱ ϩοΫղআͳͲͰ࢖ΘΕΔϩʔΧϧೝূ ͷ૊Έ߹Θͤ • ηΩϡϦςΟΩʔ + PIN • εϚʔτϑΥϯ / PC + ը໘ϩοΫղআ 27
  24. FIDOͷϑΟογϯά଱ੑ 29 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ '*%0ʹΑΔ ௥ՃೝূΛཁٻ example.net example.com
  25. FIDOͷϑΟογϯά଱ੑ 30 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن αʔϏεʹૹΔ '*%0ʹΑΔ ௥ՃೝূΛཁٻ example.net ϑΟογϯάαΠτʹਖ਼نαʔϏεͷೝূ৘ใ͸ૹΒΕͳ͍ example.com
  26. ύεΩʔ : FIDO multi-device credentials • 伴؅ཧΛσόΠε͔ΒϢʔβʔʹ • ϓϥοτϑΥʔϜϢʔβʔͱඥ෇͚ :

    Apple, Google, MS Account • ύεϫʔυϚωʔδϟʔ : 1Password(༧ఆ) • ͜Ε·ͰͷFIDOʹ͋ͬͨ伴؅ཧͷݎ࿚ੑ͸ࣦΘΕΔ͕ɺόοΫΞο ϓΛՄೳʹ͢Δ͜ͱͰ “ϑΟογϯά଱ੑΛ࣋ͪརศੑͷߴ͍ೝূํ ࣜ” ͱͯ͠ීٴΛૂ͏ 33
  27. ύεΩʔͷڍಈ : https://webauthn.io 35 • ύεΩʔͰϩάΠϯ : ύεΩʔબ୒ը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)

    ϩʔΧϧೝূ ੜମ 1*/ ύλʔϯ ผ୺຤͔Β΋ ಉ༷ʹར༻Մೳ
  28. ରԠ؀ڥ • “ύεΩʔରԠ؀ڥ” ≠ “FIDO multi-device credentials” ʹ஫ҙ͕ඞཁ • ϓϥοτϑΥʔϜɺ୺຤ɺϒϥ΢βͷ૊Έ߹ΘͤͰڍಈ͕ܾ·Δ

    • ύεΩʔ͕ಉظ͞ΕΔ΋ͷ : Safari on MacOS/iOS/iPadOS, Android + Chrome/Firefox • ύεΩʔ͕ಉظ͞Εͳ͍΋ͷ : Chrome on MacOS… 36
  29. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ύεΩʔͷొ࿥ • ͍ͭొ࿥ΛٻΊΔ͔ • Ϣʔβʔͷ৽نొ࿥ͷࡍʹཁٻʁಛఆػೳΛ࢖͏࣌ʁ೚ҙʁ • ొ࿥࣌ͷೝূڧ౓ •

    ॳճ͸ݱঢ়औΓ͏ΔೝূํࣜΛཁٻ͔ͯ͠Βʁ • 2ͭ໨Ҏ߱͸طʹొ࿥ࡁΈͷύεΩʔͰͷೝূΛٻΊΔʁ • ೝূڧ౓ʹറΓ͕ͳ͍ͳΒͦͷ··ʁ 43
  30. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϩάΠϯ • ύεΩʔ͕ಉظ͞Ε͍ͯͳ͍؀ڥ • ผ୺຤ͰͷύεΩʔΛར༻ʁ : “hybrid transport”

    • ೝূڧ౓Λམͱͤͳ͍ͷͰͦͷ؀ڥͰ͸ར༻ෆՄೳʁ • ೚ҙͷಋೖͳͷͰผͷೝূํࣜΛར༻ʁ 44
  31. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ࠶ೝূ • ༗ޮظݶ੾Εɺॏཁͳॲཧͷલʹ࠶ೝূΛඞཁͱ͢Δ͔ • ࠷ऴϩάΠϯ͔ΒҰఆظؒܦͬͨΒύεΩʔʹΑΔ࠶ೝূΛཁٻʁ • ॏཁͳॲཧͷલʹ͸ຖճɺύεΩʔʹΑΔ࠶ೝূΛཁٻʁ •

    ύεΩʔͰ࠶ೝূͨ͠ΒҰఆظؒ͸࠶ೝূ͕লུʁ • ࠶ೝূ͕ඞཁͱͳΔΑ͏ͳॲཧ͸ଘࡏ͠ͳ͍͠ɺ༗ޮظݶ੾Εͷ৔ ߹͸ϩάΞ΢τঢ়ଶͱͯ͠ѻ͏ʁ 45