syrup pay 인증 모듈 개발 사례
TRANSCRIPT
Syrup�Pay�인증�모듈�개발�사례
Syrup�Pay�개발에�관한�짧은�회고
임형태
2013�~����SK�PLANET�Fintech�Dev.�Team�
2006�~�2013����ESTsoft�알약서버�Dev.�Team�Leader
Syrup�Pay�is� 간편결제?
안전함�과�편리함� 100%�Pure�WEB
https://www.flickr.com/photos/11325321
개.�발.�일.�정 이라�쓰고�수팩스라�읽는다.�
https://www.flickr.com/photos/bionicteaching/6057415565
Syrup�Pay�at�NOW
• 총�361�만명�사용자�
• 총�24�개�가맹점�
• 일�5만6천여�건,�약�25억�원�결제�
2016.11.17�기준
목차
• 시럽페이의�패스워드�암호화�과정�
• 시럽페이의�암호화�도구�
https://www.flickr.com/photos/manchesterlibrary/3128145925
사용자�인증�with�ID/PW One�Password�Protocol�of�FF
https://www.flickr.com/photos/marcobellucci/3534516458
�translate�by�translate.google.com
“이�문서는�FxA�클라이언트�(FF�동기화�클라이언트�포함)와�https://github.com/mozilla/fxa-auth-server에서�구현�된�키�서버에�사용되는�프로토콜에�대해�설명합니다.�클라이언트는이�프로토콜을�사용하여�account�password에�대한�지식(knowledge)을�증명합니다.이�정보는�sessionToken을받으며�서명�된�BrowserID�인증서�(계정을�제어하는�후속�신뢰�당사자를�설득하는�데�사용할�수�있음)를�얻는�데�사용할�수�있습니다.�이�프로토콜은�또한�동기화�데이터를�암호화하는�데�사용될�암호화�키�쌍�(kA�및�kB)을�검색하는�데�사용됩니다.”
What�is�One�PW�Protocol 해치지�않아요
Password�Encryption�(as�One�PW�Protocol)
HMAC(Email,�Password) PBKDF2�+�Salt SHA512
Scrypt�+�Salt SHA512 Verify�Hash(saved)
via�SSL/TLS
Password�Encryption�(as�One�PW�Protocol)
HMAC_SHA256("", "") = 0xb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad
HMAC_SHA256("key", "The quick brown fox jumps over the lazy dog") = 0xf7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
Password�Encryption�(as�One�PW�Protocol)
HMAC_SHA256("Email", “Password")
MDN(MSISDN)�로그인 핸드폰�번호로도�로그인�할수�있게�기능�추가해주세요�
https://www.flickr.com/photos/yoshimov/45834378
Password�Encryption�(as�One�PW�Protocol)
HMAC_SHA256(“Email”, “Password")
{�� "password":�[{�� � "algorithm":�"WITH_INTEGRITY",�� � "digest":�"86bc634b816a4209407cfd4cf8fb5f97f0eb9e57a26dd28d64ca868acb9148f380883348c7c2d7dde2eb7c902268b930a84610d59f3b53af2383a7ecfd7f0e5e"�� },�{�� � "algorithm":�"WITHOUT_INTEGRITY",�� � "digest":�"234fcfdd69628cfc203e2630f7f4743dbfd0b3f903444124a99d00efbc736e35e4ceab4938412199dad65d48594cfdd6df10bf70096593764d9c7ebc3c85199b"�� }]�}
저기….
웹�페이지(클라이언트)에서도�비 번호를�해시�암호화�해야�하나요?
https://www.flickr.com/photos/135427078@N04/24004429616
기 성과�무결성 by�Cryptography
https://www.flickr.com/photos/tomicpasko/14970085833
Transport�Layer�Security Version�1.2
‘The five cryptographic operations -- digital signing, stream cipher encryption, block cipher encryption, authenticated encryption with additional data (AEAD) encryption, and public key encryption -- are designated digitally-signed, stream-ciphered, block-ciphered, aead- ciphered, and public-key-encrypted, respectively. A field's cryptographic processing is specified by prepending an appropriate key word designation before the field's type specification. Cryptographic keys are implied by the current session state’
– The Transport Layer Security (TLS) Protocol Section 4.7 Cryptographic Attributes
서버�개발자를�믿습니까?
‘사용자�로그인�로그에�남겨야지’�
‘임시적으로�글로벌�캐시에서�공유할까’�
‘메모리에�들고�있어야지’�
https://www.flickr.com/photos/jfgornet/4766586021
(아무도�안믿는)�시럽페이에서는? 조오시(?)�를�사용합니다.
https://www.flickr.com/photos/christawatson/4772884239
Javascript Object Signing and EncryptionWeb�Payment�Group�in�W3C
Javascript Object Signing and Encryption• JSON�Web�Algorithms�(JWA)�
• JSON�Web�Key�(JWK)�
• JSON�Web�Token�(JWT)�
• JSON�Web�Encryption�(JWE)�
• JSON�Web�Signature�(JWS)
JSON�Web�Algorithms�(JWA)
• This�specification�registers�cryptographic�algorithms�and�identifiers�to�be�used�with�the�JSON�Web�Signature�(JWS),�JSON�Web�Encryption�(JWE),�and�JSON�Web�Key�(JWK)�specifications.��It�defines�several�IANA�registries�for�these�identifiers.�
• �JWS�uses�cryptographic�algorithms�to�digitally�sign�or�create�a�MAC�of�the�contents�of�the�JWS�Protected�Header�and�the�JWS�Payload.�
• JWE�uses�cryptographic�algorithms�to�encrypt�or�determine�the�Content�Encryption�Key�(CEK).
https://tools.ietf.org/html/rfc7518
JWA 다음은?
JSON�Web�Key�(JWK)
• A�JSON�Web�Key�(JWK)�is�a�JavaScript�Object�Notation�(JSON)�data�structure�that�represents�a�cryptographic�key.��This�specification�also�defines�a�JWK�Set�JSON�data�structure�that�represents�a�set�of�JWKs.��Cryptographic�algorithms�and�identifiers�for�use�with�this�specification�are�described�in�the�separate�JSON�Web�Algorithms�(JWA)�specification�and�IANA�registries�established�by�that�specification.
{�����"keys":��������[����������{"kty":"EC",�����������"crv":"P-256",�����������"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",�����������"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",�����������"use":"enc",�����������"kid":"1"},�
���������{"kty":"RSA",�����������"n":�"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx������4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs������tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2������QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI������SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb������w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",�����������"e":"AQAB",�����������"alg":"RS256",�����������"kid":"2011-04-29"}��������]�}
JSON�Web�Encryption�(JWE�Compact�Serialization)
• �Assemble�the�final�representation:�The�Compact�Serialization�of�this�result�is�the�string�BASE64URL(UTF8(JWE�Protected�Header))�||�'.'�||�BASE64URL(JWE�Encrypted�Key)�||�'.'�||�BASE64URL(JWE�Initialization�Vector)�||�'.'�||�BASE64URL(JWE�Ciphertext)�||�‘.'�||�BASE64URL(JWE�Authentication�Tag)�
• eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGeipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdXKHzg.48V1_ALb6US04U3b.5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A.XFBoMYUZodetZdvTiFvSkQ
JSON�Web�Signature�(JWS)
• JSON�Web�Signature�(JWS)�represents�content�secured�with�digital�signatures�or�Message�Authentication�Codes�(MACs)�using�JSON-based�data�structures.��Cryptographic�algorithms�and�identifiers�for�use�with�this�specification�are�described�in�the�separate�JSON�Web�Algorithms�(JWA)�specification�and�an�IANA�registry�defined�by�that�specification.��Related�encryption�capabilities�are�described�in�the�separate�JSON�Web�Encryption�(JWE)�specification.
JSON�Web�Signature�(JWS)
• BASE64URL(UTF8(JWS�Protected�Header))�||�'.'�||�BASE64URL(JWS�Payload)�||�'.'�||�BASE64URL(JWS�Signature)�
• eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.���eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
JSON�Web�Token�(JWT)
• JSON�Web�Token�(JWT)�is�a�compact,�URL-safe�means�of�representing�claims�to�be�transferred�between�two�parties.��The�claims�in�a�JWT�are�encoded�as�a�JSON�object�that�is�used�as�the�payload�of�a�JSON�Web�Signature�(JWS)�structure�or�as�the�plaintext�of�a�JSON�Web�Encryption�(JWE)�structure,�enabling�the�claims�to�be�digitally�signed�or�integrity�protected�with�a�Message�Authentication�Code�(MAC)�and/or�encrypted.
JSON�Web�Token�(JWT)
• "iss"�(Issuer)�
• "sub"�(Subject)�
• "aud"�(Audience)��
• "exp"�(Expiration�Time)�
• "nbf"�(Not�Before)�
• "iat"�(Issued�At)�
• "jti"�(JWT�ID)
JWT�with�Syrup�Pay
• Web�Communication�(MIME�:�application/jose,�JWE/JWS)�over�TLS�
• 결제�데이터�(JWS,�from�가맹점)�
• 서버�인증�(via�OAuth�2.0�JWT)�
• 결제�인증�데이터(JWS,�to�가맹점)�
• 임시�데이터(JWE,�in�글로벌�캐시)
여러분은�… 있는거�쓰세요�ㅠㅠ
https://jwt.io/ https://github.com/SKplanet/syruppay-java/tree/master/syruppay-jose
그리고�시럽페이는… 앗�시간이!!!
https://www.flickr.com/photos/saechang/7005515228/
with�Authentications
• HTTP�Basic�Authorization�
• 2�Factor�Authentication�����������(ARS,�SMS-OTP,�Email)�
• SSO�(Single�Sign�On�for�가맹점)��
• FIDO�
• OAuth2�(11st,�Google,�Facebook)
https://www.flickr.com/photos/oimax/3711838748/
감사합니다. And�Q&A
https://www.flickr.com/photos/orinrobertjohn/239595034