
Syrup Pay Authentication Module Development Case Study (Syrup pay 인증 모듈 개발 사례)

7,940 views

Published on

A brief introduction to the password encryption and data encryption tools one has to think about when building user authentication: the One Password Protocol (by Mozilla) and JOSE (by the Web Payment Group in W3C), as adopted in Syrup Pay, which aims to be a pure web payment platform.

Published in: Technology


  1. Syrup Pay Authentication Module Development Case Study: a short retrospective on Syrup Pay development
  2. 임형태. 2013 ~ : SK PLANET Fintech Dev. Team. 2006 ~ 2013: ESTsoft ALYac (알약) server Dev. Team Leader
  3. Syrup Pay is... simple payment (간편결제)?
  4. Safety and convenience: 100% Pure WEB. https://www.flickr.com/photos/11325321
  5. Written "de-vel-op-ment sched-ule", read "SUPEX" (수팩스). https://www.flickr.com/photos/bionicteaching/6057415565
  6. Syrup Pay at NOW • 3.61 million users in total • 24 merchants in total • about 56,000 transactions and about 2.5 billion KRW per day (as of 2016.11.17)
  7. Contents • Syrup Pay's password encryption process • Syrup Pay's encryption tools. https://www.flickr.com/photos/manchesterlibrary/3128145925
  8. User authentication with ID/PW: the One Password Protocol of FF (Firefox). https://www.flickr.com/photos/marcobellucci/3534516458
  9. (translated by translate.google.com) "This document describes the protocol used by FxA clients (including the FF sync client) and the key server implemented in https://github.com/mozilla/fxa-auth-server. Clients use this protocol to prove knowledge of the account password. This is used to obtain a sessionToken and a signed BrowserID certificate (which can be used to convince subsequent relying parties that the client controls the account). The protocol is also used to retrieve the encryption key pair (kA and kB) that will be used to encrypt sync data."
  10. What is the One PW Protocol? It doesn't bite.
  11. Password Encryption (as One PW Protocol): HMAC(Email, Password) -> PBKDF2 + Salt, SHA512 -> Scrypt + Salt, SHA512 -> Verify against Hash(saved), via SSL/TLS
  12. Password Encryption (as One PW Protocol):
      HMAC_SHA256("", "") = 0xb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad
      HMAC_SHA256("key", "The quick brown fox jumps over the lazy dog") = 0xf7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
  13. Password Encryption (as One PW Protocol): HMAC_SHA256("Email", "Password")
  14. MDN (MSISDN) login: "Please add a feature so that users can log in with their mobile phone number as well." https://www.flickr.com/photos/yoshimov/45834378
  15. Password Encryption (as One PW Protocol): HMAC_SHA256("Email", "Password")
  16. {
        "password": [
          {
            "algorithm": "WITH_INTEGRITY",
            "digest": "86bc634b816a4209407cfd4cf8fb5f97f0eb9e57a26dd28d64ca868acb9148f380883348c7c2d7dde2eb7c902268b930a84610d59f3b53af2383a7ecfd7f0e5e"
          },
          {
            "algorithm": "WITHOUT_INTEGRITY",
            "digest": "234fcfdd69628cfc203e2630f7f4743dbfd0b3f903444124a99d00efbc736e35e4ceab4938412199dad65d48594cfdd6df10bf70096593764d9c7ebc3c85199b"
          }
        ]
      }
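The four steps of slides 11 to 16 carried out end to end, as an added Python example that is neither Syrup Pay's nor Mozilla's code. The slides give the order of the steps but none of their parameters, so the PBKDF2 iteration count, the scrypt cost, the 16-byte random salt and the choice to feed the PBKDF2 output into scrypt are assumptions; slide 16's WITH_INTEGRITY / WITHOUT_INTEGRITY labels are not defined on the slides and are not modelled, the example stores one SHA-512-sized digest. It also reproduces the slide 12 HMAC vectors.

```python
import hashlib
import hmac
import os

# Assumed parameters: the slides name the steps (HMAC -> PBKDF2/SHA-512 ->
# scrypt) but give no iteration counts, scrypt costs or salt size.
PBKDF2_ITERATIONS = 100_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DIGEST_LEN = 64  # SHA-512-sized, like the 128-hex-char digests on slide 16

def hmac_sha256_hex(key: str, message: str) -> str:
    """HMAC-SHA256 with the (key, message) convention of slide 12."""
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).hexdigest()

def client_stretch(email: str, password: str) -> bytes:
    """Step 1, in the browser: HMAC-SHA256 keyed with the email, over the password.
    The server only ever receives this value, never the raw password."""
    return bytes.fromhex(hmac_sha256_hex(email, password))

def server_stretch(stretched: bytes, salt: bytes) -> bytes:
    """Steps 2 and 3, on the server: PBKDF2-HMAC-SHA512 with a per-user salt,
    then scrypt over that output with the same salt (chaining order assumed)."""
    pbkdf2_out = hashlib.pbkdf2_hmac("sha512", stretched, salt,
                                     PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return hashlib.scrypt(pbkdf2_out, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=DIGEST_LEN)

def register(email: str, password: str) -> dict:
    """What gets persisted: a random per-user salt and the final digest, hex-encoded."""
    salt = os.urandom(16)
    digest = server_stretch(client_stretch(email, password), salt)
    return {"salt": salt.hex(), "digest": digest.hex()}

def verify(record: dict, email: str, password: str) -> bool:
    """Step 4: recompute from the login attempt and compare against the saved
    digest in constant time (the attempt itself travels over TLS, as on slide 11)."""
    candidate = server_stretch(client_stretch(email, password),
                               bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    rec = register("user@example.com", "correct horse battery staple")
    print(rec["digest"])
    print(verify(rec, "user@example.com", "correct horse battery staple"))  # True
    print(verify(rec, "user@example.com", "wrong password"))  # False
```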
  17. Um... do we need to hash the password on the web page (client) as well? https://www.flickr.com/photos/135427078@N04/24004429616
  18. Confidentiality and integrity by Cryptography. https://www.flickr.com/photos/tomicpasko/14970085833
  19. Transport Layer Security Version 1.2
  20. "The five cryptographic operations -- digital signing, stream cipher encryption, block cipher encryption, authenticated encryption with additional data (AEAD) encryption, and public key encryption -- are designated digitally-signed, stream-ciphered, block-ciphered, aead-ciphered, and public-key-encrypted, respectively. A field's cryptographic processing is specified by prepending an appropriate key word designation before the field's type specification. Cryptographic keys are implied by the current session state." – The Transport Layer Security (TLS) Protocol, Section 4.7 Cryptographic Attributes
  21. Do you trust server developers? "I'll leave the user login in the log." "Let's share it in the global cache for a while." "I'll hold it in memory." https://www.flickr.com/photos/jfgornet/4766586021
  22. And at Syrup Pay (where nobody is trusted)? We use "JOSE" (jo-se?). https://www.flickr.com/photos/christawatson/4772884239
  23. Javascript Object Signing and Encryption, Web Payment Group in W3C
  24. Javascript Object Signing and Encryption • JSON Web Algorithms (JWA) • JSON Web Key (JWK) • JSON Web Token (JWT) • JSON Web Encryption (JWE) • JSON Web Signature (JWS)
  25. JSON Web Algorithms (JWA) • This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers. • JWS uses cryptographic algorithms to digitally sign or create a MAC of the contents of the JWS Protected Header and the JWS Payload. • JWE uses cryptographic algorithms to encrypt or determine the Content Encryption Key (CEK). https://tools.ietf.org/html/rfc7518
  26. What comes after JWA?
  27. JSON Web Key (JWK) • A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.
  28. {
        "keys": [
          {"kty":"EC",
           "crv":"P-256",
           "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
           "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
           "use":"enc",
           "kid":"1"},
          {"kty":"RSA",
           "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
           "e":"AQAB",
           "alg":"RS256",
           "kid":"2011-04-29"}
        ]
      }
  29. JSON Web Encryption (JWE Compact Serialization) • Assemble the final representation: The Compact Serialization of this result is the string BASE64URL(UTF8(JWE Protected Header)) || '.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE Authentication Tag)
      • eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGeipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdXKHzg.48V1_ALb6US04U3b.5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A.XFBoMYUZodetZdvTiFvSkQ
  30. JSON Web Signature (JWS) • JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.
  31. JSON Web Signature (JWS) • BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)
      • eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  32. JSON Web Token (JWT) • JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
  33. JSON Web Token (JWT) • "iss" (Issuer) • "sub" (Subject) • "aud" (Audience) • "exp" (Expiration Time) • "nbf" (Not Before) • "iat" (Issued At) • "jti" (JWT ID)
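The JWS compact form of slide 31 together with the registered claims of slide 33, as an added Python example that is not Syrup Pay's syruppay-jose library or any JOSE library: it decodes the sample token from slide 31 (whose signing key is not on the page, so it is parsed but not verified), builds and verifies HS256 tokens with a constructed key, pins the algorithm on the verifying side so a header claiming "none" is refused, and enforces "exp" and "nbf". DEMO_KEY and all claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; slide 31's token was signed with a different key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def b64url(data: bytes) -> str:
    """BASE64URL as JWS uses it: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims: dict, key: bytes) -> str:
    """BASE64URL(header) || '.' || BASE64URL(payload) || '.' || BASE64URL(HS256 MAC)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def jws_verify(token: str, key: bytes, now=None):
    """Return the claims if the MAC checks out and exp/nbf allow it, else None.
    The algorithm is pinned to HS256 by the verifier, so a header claiming
    "none" (or any other alg) is rejected before the MAC is even compared."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        claims = json.loads(b64url_decode(p_b64))
        now = int(time.time()) if now is None else now
        if "exp" in claims and now >= claims["exp"]:  # expired
            return None
        if "nbf" in claims and now < claims["nbf"]:  # not yet valid
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed token, base64 or JSON
        return None

def decode_unverified(token: str):
    """Header and payload only, for inspection; never trust them without jws_verify."""
    h_b64, p_b64, _ = token.split(".")
    return json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
```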
  34. JWT with Syrup Pay • Web communication (MIME: application/jose, JWE/JWS) over TLS • Payment data (JWS, from the merchant) • Server authentication (via OAuth 2.0 JWT) • Payment authentication data (JWS, to the merchant) • Temporary data (JWE, in the global cache)
  35. Everyone... please just use what already exists ㅠㅠ
  36. https://jwt.io/ https://github.com/SKplanet/syruppay-java/tree/master/syruppay-jose
  37. And Syrup Pay also... oh no, the time!!! https://www.flickr.com/photos/saechang/7005515228/
  38. with Authentications • HTTP Basic Authorization • 2 Factor Authentication (ARS, SMS-OTP, Email) • SSO (Single Sign On for merchants) • FIDO • OAuth2 (11st, Google, Facebook) https://www.flickr.com/photos/oimax/3711838748/
  39. Thank you. And Q&A https://www.flickr.com/photos/orinrobertjohn/239595034
