사용자 인증 시 고민하게 되는 비밀번호 암호화와 데이터 암호화 도구에 대해 순수 웹 결제 플랫폼을 지향하는 시럽페이에 반영된 One Password Protocol (by Mozilla)과 JOSE(by Web Payment Group in W3C) 기술에 대해 간략하게 설명합니다.
9. 사용자 인증 with ID/PW One Password Protocol of FF
https://www.flickr.com/photos/marcobellucci/3534516458
10. translate by translate.google.com
“이 문서는 FxA 클라이언트 (FF 동기화 클라이언
트 포함)와 https://github.com/mozilla/fxa-
auth-server에서 구현 된 키 서버에 사용되는 프
로토콜에 대해 설명합니다. 클라이언트는이 프로
토콜을 사용하여 account password에 대한 지
식(knowledge)을 증명합니다.이 정보는
sessionToken을받으며 서명 된 BrowserID 인증
서 (계정을 제어하는 후속 신뢰 당사자를 설득하
는 데 사용할 수 있음)를 얻는 데 사용할 수 있습
니다. 이 프로토콜은 또한 동기화 데이터를 암호
화하는 데 사용될 암호화 키 쌍 (kA 및 kB)을 검
색하는 데 사용됩니다.”
12. Password Encryption (as One PW Protocol)
HMAC(Email, Password) PBKDF2 + Salt SHA512
Scrypt + Salt SHA512 Verify Hash(saved)
via SSL/TLS
13. Password Encryption (as One PW Protocol)
HMAC_SHA256("", "") =
0xb613679a0814d9ec772f95d778c35fc5ff1697c4937156
53c6c712144292c5ad
HMAC_SHA256("key", "The quick brown fox jumps over
the lazy dog") =
0xf7bc83f430538424b13298e6aa6fb143ef4d59a1494617
5997479dbc2d1a3cd8
21. ‘The five cryptographic operations -- digital signing, stream
cipher encryption, block cipher encryption, authenticated
encryption with additional data (AEAD) encryption, and
public key encryption -- are designated digitally-signed,
stream-ciphered, block-ciphered, aead- ciphered, and
public-key-encrypted, respectively. A field's cryptographic
processing is specified by prepending an appropriate key
word designation before the field's type specification.
Cryptographic keys are implied by the current session
state’
–TheTransport Layer Security (TLS) Protocol
Section 4.7 Cryptographic Attributes
22. 서버 개발자를 믿습니까?
‘사용자 로그인 로그에 남겨야지’
‘임시적으로 글로벌 캐시에서 공유할
까’
‘메모리에 들고 있어야지’
https://www.flickr.com/photos/jfgornet/4766586021
23. (아무도 안믿는) 시럽페이에서는? 조오시(?) 를 사용합니다.
https://www.flickr.com/photos/christawatson/4772884239
25. Javascript Object Signing and Encryption
• JSON Web Algorithms (JWA)
• JSON Web Key (JWK)
• JSON Web Token (JWT)
• JSON Web Encryption (JWE)
• JSON Web Signature (JWS)
26. JSON Web Algorithms (JWA)
• This specification registers cryptographic algorithms
and identifiers to be used with the JSON Web
Signature (JWS), JSON Web Encryption (JWE), and
JSON Web Key (JWK) specifications. It defines
several IANA registries for these identifiers.
• JWS uses cryptographic algorithms to digitally sign
or create a MAC of the contents of the JWS
Protected Header and the JWS Payload.
• JWE uses cryptographic algorithms to encrypt or
determine the Content Encryption Key (CEK).
https://tools.ietf.org/html/rfc7518
28. JSON Web Key (JWK)
• A JSON Web Key (JWK) is a JavaScript Object
Notation (JSON) data structure that represents a
cryptographic key. This specification also defines a
JWK Set JSON data structure that represents a set of
JWKs. Cryptographic algorithms and identifiers for
use with this specification are described in the
separate JSON Web Algorithms (JWA) specification
and IANA registries established by that specification.
30. JSON Web Encryption (JWE Compact Serialization)
• Assemble the final representation: The Compact Serialization of this
result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' ||
BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization
Vector) || '.' || BASE64URL(JWE Ciphertext) || ‘.' || BASE64URL(JWE
Authentication Tag)
• eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.OKOawDo13g
Rp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JG
eipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-
StnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp
5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322i-
vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppamav
o35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi6
UklfCpIMfIjf7iGdXKHzg.48V1_ALb6US04U3b.
5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFSh
S8iB7j6jiSdiwkIr3ajwQzaBtQD_A.XFBoMYUZodetZdvTiFvSkQ
31.
32. JSON Web Signature (JWS)
• JSON Web Signature (JWS) represents content
secured with digital signatures or Message
Authentication Codes (MACs) using JSON-based
data structures. Cryptographic algorithms and
identifiers for use with this specification are
described in the separate JSON Web Algorithms
(JWA) specification and an IANA registry defined by
that specification. Related encryption capabilities are
described in the separate JSON Web Encryption
(JWE) specification.
36. JSON Web Token (JWT)
• JSON Web Token (JWT) is a compact, URL-safe
means of representing claims to be transferred
between two parties. The claims in a JWT are
encoded as a JSON object that is used as the payload
of a JSON Web Signature (JWS) structure or as the
plaintext of a JSON Web Encryption (JWE) structure,
enabling the claims to be digitally signed or integrity
protected with a Message Authentication Code
(MAC) and/or encrypted.
38. JWT with Syrup Pay
• Web Communication (MIME :
application/jose, JWE/JWS)
over TLS
• 결제 데이터 (JWS, from 가맹점)
• 서버 인증 (via OAuth 2.0 JWT)
• 결제 인증 데이터(JWS, to 가맹
점)
• 임시 데이터(JWE, in 글로벌 캐시)