Downloaded 203 times
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SAML 2.0 연동
janedoe@Ubuntu64:/tmp$ ./samlapi.py
Username: ADjanedoe
Password: ****************
Please choose the role you would like to assume:
[ 0 ]: arn:aws:iam::012345678987:role/ADFS-Administrators
[ 1 ]: arn:aws:iam::012345678987:role/ADFS-Operators
Selection: 1
---------------------------------------------------------------
Your new access key pair has been stored in the aws configuration
file /home/janedoe/.aws/credentials under the saml profile.
Note that it will expire at 2015-05-26T17:16:20Z.
---------------------------------------------------------------](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/75/Serverless-AWS-Summit-Seoul-2018-6-2048.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
IAM 정책 상세
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": ”Allow",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*”
},
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
}
]
}](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/75/Serverless-AWS-Summit-Seoul-2018-29-2048.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SRP 처리과정
Client Server
임시 비밀값 ‘a’생성
공개 A 생성 : A = ( g ^ a ) % N
N = 아주 큰 소수값
g = 2
K = hash(N, g)
LoginRequest (Username, A)
1. 유저DB 로부터 salt ’s’ verifier ‘v’가져옴
2. 임시 비밀 값 ‘b’를 생성
3. 공개 임시값 ‘B’를 생성
B = [ k * v + ( (g ^ b ) %N)] % N
4. 스크램블 값 ’u’ 생성
u = hash (A, B)
5. 세션 키 K 생성
S = [ ( A * (( v ^ u) % N)) ^b] % N
K= hash(S)
6. 다음 사용을 위해 [ A, B, K, s] 저장
LoginResponse(s, B)](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/75/Serverless-AWS-Summit-Seoul-2018-58-2048.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SRP 처리과정
Client Server
1. 스크램블 값 ’u’ 생성
u = hash (A, B)
2. 유저 개인 값 ‘x’생성
x= hash(s, password)
3. 세션 키 ‘K ‘계산
S = [ B - k * (g ^x % N)) ^ ( a + u * x)] % N
K = hash (S)
LoginResponse(s, B)
4. K 값 전달
M1 = hash (A, B, K)
1. M1 계산
M1 = hash(A, B, K)
2. 받은 M1과 계산한 M1이 같으면
유저는 인증
이후 통신은 암호화](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/75/Serverless-AWS-Summit-Seoul-2018-59-2048.jpg)
Uploaded byAmazon Web Services Korea
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
The document discusses different authentication methods for serverless applications on AWS, including Amazon Cognito User Pools, IAM authentication, and custom authorizers. It provides diagrams and explanations of how each method works, with Amazon Cognito User Pools involving authenticating through Cognito and getting JSON Web Tokens to call APIs, IAM authentication using temporary security credentials to access AWS resources, and custom authorizers using a Lambda function to validate tokens and policies.
More Related Content
![[금융고객을 위한 Resiliency in the Cloud] 최근 대규모 장애 사태 여파에 따른 DR 도...](https://cdn.slidesharecdn.com/ss_thumbnails/s1-230227012920-bbd694e0-thumbnail.jpg?width=640&height=640&fit=bounds)
![[AWS Builders] AWS 네트워크 서비스 소개 및 사용 방법 - 김기현, AWS 솔루션즈 아키텍트](https://cdn.slidesharecdn.com/ss_thumbnails/1network-191112092246-thumbnail.jpg?width=640&height=640&fit=bounds)
![[AKIBA.AWS] VGWのルーティング仕様](https://cdn.slidesharecdn.com/ss_thumbnails/akibaaws7-180524115259-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
![[AWS Builders] 실 적용 사례로 알아보는, AWS를 활용한 WAF 보안의 장점 - 삼성SDS 천준호 프로, 컨설팅그룹 (보안기획팀)](https://cdn.slidesharecdn.com/ss_thumbnails/3waf-191112092244-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S01] Gen AI를 위한 Amazon Aurora 활용 사례 방법](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s01genaiamazonaurora-240702042912-516e67f4-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Keynote] 슬기로운 AWS 데이터베이스 선택하기 - 발표자: 강민석, Korea Database SA Manager, WWSO, A...](https://cdn.slidesharecdn.com/ss_thumbnails/d3s01aws-230704014400-3eeae447-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S05] Aurora 혼합 구성 아키텍처를 사용하여 예상치 못한 트래픽 급증 대응하기](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s05aurora-240702042911-c7f3f22d-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T2S03] Data&AI Roadshow 2024 - Amazon DocumentDB 실습](https://cdn.slidesharecdn.com/ss_thumbnails/d3t2s03documentdbhandson-240702042224-047bbc2c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S07] AWS S3 - 클라우드 환경에서 데이터베이스 보호하기](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s07-240702042911-cb134cd6-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S06] Neptune Analytics with Vector Similarity Search](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s06neptuneanalyticsvectorsilimliaritysearch-240702042912-94c41309-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S03] Amazon DynamoDB design puzzlers](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s03amazondynamodbdesignpuzzlers-240702042912-ad6df881-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S02] Aurora Limitless Database Introduction](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s02auroralimitlessdatabaseintroduction-240702042911-cb5552b7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T1S04] Aurora PostgreSQL performance monitoring and troubleshooting by use...](https://cdn.slidesharecdn.com/ss_thumbnails/d3t1s04aurorapostgresqlperformancemonitoringandtroubleshooting-240702042912-5df626e3-thumbnail.jpg?width=640&height=640&fit=bounds)
![[D3T2S01] Amazon Aurora MySQL 메이저 버전 업그레이드 및 Amazon B/G Deployments 실습](https://cdn.slidesharecdn.com/ss_thumbnails/d3t2s01amazonaurorabluegreendeployment-240702042226-3ae36566-thumbnail.jpg?width=640&height=640&fit=bounds)
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
- 1. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Seon Yong Park Developer Specialist SA, APAC 서버리스 개발에서의 인증 완벽 가이드
- 2. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 본 강연에서는 AWS 는 어플리케이션이 작동하는 시스템에 따라 다양한 형태의 인증 방식을 지원합니다. 여러분에 모바일이나 자신이 서버의 어플리케이션에서 서버리스 서비스를 호출하는 경우 어떤 방식의 인증 방식이 적용될 수 있는지 살펴보고, 패스워드 보안을 위한 Cognito의 SRP 지원을 자세히 살펴봅니다.
- 3. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 인증의 형태 서버리스 API 에서 인증 제 3자 인증 제공자와의 연동 NSRP와 SRP 정리 데모
- 4. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 인증의 형태
- 5. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 인증을 받아서 AWS 서비스 기능을 실행해야 하는 주체 온프림 서버 EC2 on AWS 모바일 Role Configure credentials SAML 2.0 MS AD Role Configure credentials SAML 2.0 MS AD Amazon Cognito Amazon Cognito 어플리케이션
- 6. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SAML 2.0 연동 janedoe@Ubuntu64:/tmp$ ./samlapi.py Username: ADjanedoe Password: **************** Please choose the role you would like to assume: [ 0 ]: arn:aws:iam::012345678987:role/ADFS-Administrators [ 1 ]: arn:aws:iam::012345678987:role/ADFS-Operators Selection: 1 --------------------------------------------------------------- Your new access key pair has been stored in the aws configuration file /home/janedoe/.aws/credentials under the saml profile. Note that it will expire at 2015-05-26T17:16:20Z. ---------------------------------------------------------------
- 7. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 서버리스 API에서 인증
- 8. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Public API POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
- 9. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Public API Admin only Admin only Admin only Admin only POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
- 10. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이 : 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 11. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. API Gateway: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 12. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function
- 13. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 1. Authenticate Amazon Cognito User Pools
- 14. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 2. JWT tokens Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function
- 15. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 3. Call API Gateway resource Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 16. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 4. Validate Identity token Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 17. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 5. Invoke API Call Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 18. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 6. Access AWS Resources Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 19. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 20. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 21. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management 1. Authenticate
- 22. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 2. JWT tokens Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 23. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 3. Request AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 24. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 4. Validate Id token Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 25. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 5. Temp AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 26. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 6. Call API Gateway resource Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 27. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 7. Check IAM policy Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 28. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 8. Invoke Lambda Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management Amazon DynamoDB
- 29. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. IAM 정책 상세 { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": ”Allow", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*” }, { "Action": "execute-api:Invoke", "Effect": "Deny", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*" } ] }
- 30. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 31. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Lambda function Amazon API Gateway Amazon DynamoDB
- 32. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Lambda function Amazon DynamoDB 1. Authenticate
- 33. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 2. Custom IdP Token(s) Lambda function Amazon DynamoDB
- 34. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 3. Call API Gateway resource Lambda function Amazon DynamoDB
- 35. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Mobile app Amazon API Gateway 4. Check policy cache Custom Authorizer Lambda function Lambda function Amazon DynamoDB
- 36. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Mobile app Amazon API Gateway 5.Validatetoken AWS Identity & Access Management Custom Authorizer Lambda function Lambda function Amazon DynamoDB
- 37. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 6.Generateandreturn userIAMpolicy Lambda function Amazon DynamoDB
- 38. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 7. Validate IAM permissions AWS Identity & Access Management Lambda function Amazon DynamoDB
- 39. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 8. Invoke Lambda function Amazon DynamoDB
- 40. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 람다 함수 예제 코드 var testPolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions); testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*"); testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*"); callback(null, testPolicy.getPolicy());
- 41. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 42. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 제 3자 인증제공자와의 연동
- 43. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 어플리케이션 제3자 인증제공자 연동 Built-in, Customizable User Interface for Sign up / Sign in OAuth 2.0 SupportFederation with Facebook, Login with Amazon, Google, and SAML2 providers 1 2 3
- 44. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in
- 45. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in 2. Sign-in with 3rd party IdP
- 46. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in Amazon Cognito User Pools 2. Sign-in with 3rd party IdP 3. Get user tokens
- 47. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in
- 48. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in 2. Sign-in with 3rd party IdP SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
- 49. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in Amazon Cognito User Pools 2. Sign-in with 3rd party IdP 3. Get user tokens SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
- 50. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동
- 51. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. NSRP 와 SRP
- 52. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a 2. Sign-in 1. Sign-up 평범한 문자로 패스워드 저장하기
- 53. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 • Never store passwords in plaintext! • Vulnerable to rogue employees • A hacked DB results in all passwords being compromised Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a 2. Sign-in 1. Sign-up
- 54. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d 2. Sign-in 1. Sign-up 패스워드 해쉬 값으로 저장하기
- 55. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 • MD5/SHA1 collisions • Reverse Lookup Tables • Rainbow Tables • Dictionary attacks, brute-force (GPUs can compute billions of hashes/sec) Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d 2. Sign-in 1. Sign-up
- 56. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Salted Hash beverly123 beverly123@example.com 1e66f9358530620b2bcae79dada717c… pilotjane pilotjane@example.com 88fccd9cf82377d11d2fede177457d47… sudhir1977 sudhir197@example.com 08a5981de4fecf04b1359a179962a48... 2. Sign-in 1. Sign-up • Incorporate app-specific salt + random user-specific salt • Use algorithm with configurable # of iterations (e.g. bcrypt, PBKDF2), to slow down brute force attacks
- 57. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up • Secure Remote Password (SRP) Protocol • Verifier-based protocol • Passwords never travel over the wire • Resistant to several attack vectors • Perfect Forward Secrecy
- 58. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP 처리과정 Client Server 임시 비밀값 ‘a’생성 공개 A 생성 : A = ( g ^ a ) % N N = 아주 큰 소수값 g = 2 K = hash(N, g) LoginRequest (Username, A) 1. 유저DB 로부터 salt ’s’ verifier ‘v’가져옴 2. 임시 비밀 값 ‘b’를 생성 3. 공개 임시값 ‘B’를 생성 B = [ k * v + ( (g ^ b ) %N)] % N 4. 스크램블 값 ’u’ 생성 u = hash (A, B) 5. 세션 키 K 생성 S = [ ( A * (( v ^ u) % N)) ^b] % N K= hash(S) 6. 다음 사용을 위해 [ A, B, K, s] 저장 LoginResponse(s, B)
- 59. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. SRP 처리과정 Client Server 1. 스크램블 값 ’u’ 생성 u = hash (A, B) 2. 유저 개인 값 ‘x’생성 x= hash(s, password) 3. 세션 키 ‘K ‘계산 S = [ B - k * (g ^x % N)) ^ ( a + u * x)] % N K = hash (S) LoginResponse(s, B) 4. K 값 전달 M1 = hash (A, B, K) 1. M1 계산 M1 = hash(A, B, K) 2. 받은 M1과 계산한 M1이 같으면 유저는 인증 이후 통신은 암호화
- 60. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 유저 풀 NoSRP client SRP client
- 61. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저풀 인가 Mobile app Amazon Cognito User Pools server app SRP
- 62. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 정리
- 63. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. 인증/인가 • 인증이 필요한 어플리케이션이 동작하는 기기에 따라 인증 방식 구분 • Role for EC2 • Cognito 를 사용할 것 - UserPools - OpenidConnect - Synchronize - Federated Identity
- 64. © 2018, AmazonWeb Services, Inc. or Its Affiliates. All rights reserved. AWS Summit 모바일 앱과 QR코드를 통해 강연 평가 및 설문 조사에 참여해 주시기 바랍니다. 내년 Summit을 만들 여러분의 소중한 의견 부탁 드립니다. #AWSSummit 해시태그로 소셜 미디어에 여러분의 행사 소감을 올려주세요. 발표 자료 및 녹화 동영상은 AWS Korea 공식 소셜 채널로 공유될 예정입니다. 여러분의 피드백을 기다립니다!