Hazy Datagrams

Evaluating the security posture of Noise Protocol Framework. (OWASP Saitama MTG #10, talk #1)

Takahiro Yoshimura

October 24, 2022

Transcript

  1. WHO I AM
     ▸ Takahiro Yoshimura (@alterakey)
       https://keybase.io/alterakey
     ▸ Monolith Works Inc.
       Co-founder, CTO
       Security researcher
     ▸ Meiji University Cybersecurity Laboratory
       Visiting researcher
  2. WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android Apps
       → Financial, Games, IoT related, etc. (>200)
       → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 Apps
       → POS, RAD tools etc.
     ▸ Network/Web penetration testing
       → PCI-DSS etc.
     ▸ Search engine reconnaissance
       (aka. Google Hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  3. WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Presentations, talks, etc.
       DEF CON 25 Demo Labs (2017)
       DEF CON 27 AI Village (2019)
       CODE BLUE (2017, 2019)
       CYDEF (2020) etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
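  4. WHAT IS NOISE?
     ▸ A framework for building cryptographic protocols
     ▸ Cryptographic protocol (n.):
       A protocol that aims to build, over a plaintext channel, a communication channel with guaranteed confidentiality and integrity
       (e.g. TLS, IPsec, etc.)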
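  5. WHAT IS NOISE?
     ▸ Components are turned into building blocks
     ▸ Designs are built by combining s, e, ss, se, es, ee and psk
     ▸ s: send the public key of the long-term key
       e: generate an ephemeral key and send its public key
       ss/se/es/ee: Diffie-Hellman agreement
       psk: apply a pre-shared key
     Image by Eric Haines on flickr, CC-BY 2.0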
  6. WHAT IS NOISE?
     ▸ Provides no negotiation mechanism (cf. TLS)
     ▸ Restricts the set of cryptosystems (cf. TLS)
     ▸ DH: Curve25519/Curve448
     ▸ AEAD: ChaCha20-Poly1305/AES-GCM
     ▸ Hash: SHA256/512/BLAKE2s/BLAKE2b
     Image by plenty.r. on flickr, CC-BY-SA 2.0
  7. WHAT IS NOISE?
     ▸ Yields implementations that are flexible yet robust
     ▸ Also accommodates protocol designs with advanced features
     ▸ 0-RTT
     ▸ Post-quantum resistance (i.e. PSK) etc.
     Image by Chris Elt on flickr, CC-BY-NC-ND 2.0
  8. WHAT IS NOISE?
     ▸ Examples of adoption
     ▸ WireGuard
     ▸ WhatsApp
     ▸ Lightning Network
     ▸ I2P etc, etc..
     Image by Patras Gagilas on flickr, CC-BY-SA 2.0
  9. SECURITY POSTURE
     ▸ Are these secure…?
     ▸ Officially, 24 patterns are presented
       xy, with x the sender side and y the receiver side, where the long-term key is…
       N: not held, K: known,
       I: sent immediately, X: sent as needed (identity hiding)
       e.g. NN, IK, etc.
     ▸ IK(psk2): WireGuard
     ▸ IK/XX: WhatsApp
     Image by Joel Penner on flickr, CC-BY 2.0
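  10. SECURITY POSTURE
     ▸ What about home-made patterns…?
     ▸ Section 7.3 of the document gives four criteria → as long as you follow them…
       https://noiseprotocol.org/noise.html#handshake-pattern-validity
     ▸ Limits on the number of key sends and ECDH agreements: simple designs
     ▸ ECDH agreement is enforced before encryption:
       ・Restricts reuse of ECDH keys
       ・Enforces forward secrecy and key-compromise impersonation resistance through ephemeral keys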
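  11. FORMAL VERIFICATION
     ▸ Noise Explorer [Kobeissi18]
     ▸ Generates ProVerif models for handshakes
       Generates secure implementations in Go/Rust
     ▸ Official plus derived: covers all 57 patterns
     ▸ Also handles arbitrary patterns
     ▸ Attack scenarios: covers both active and passive
       However… a huge volume of rules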
  12. FORMAL VERIFICATION
     ▸ ProVerif: a cryptographic protocol verification tool developed at INRIA
     ▸ Proves properties of a system in the Dolev-Yao model
     ▸ Secrecy
     ▸ Authenticity
     ▸ Strong secrecy (secrecy of state changes) etc.
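  13. FORMAL VERIFICATION
     ▸ ProVerif: a cryptographic protocol verification tool developed at INRIA
     ▸ When a property cannot be proved, it shows a counterexample (i.e. an attack)
       …but understanding it correctly is hard work
     ▸ It sometimes gets a proof wrong, but it is built to err on the safe side
       → It may come up with attacks that cannot actually be carried out
       → A design with high specificity
     ▸ Packaged into Docker for this talk
       https://gist.github.com/alterakey/9af9b6184ffce873f4d1e2eb0ac226c7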
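  14. FORMAL VERIFICATION
     ▸ Dolev-Yao model
     ▸ Cryptosystems are perfect → CryptoVerif..
     ▸ Traffic can be eavesdropped on, tampered with and forged
       (i.e. “attacker carries message.”)
     ▸ Message contents are unbounded
     ▸ Unbounded many-to-many communication
     ▸ Unbounded concurrent sessions
     Image by Charlie Nguyen on flickr, CC-BY 2.0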
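  15. FORMAL VERIFICATION
     ▸ Dolev-Yao model
     ▸ Less complete than the computational model
     ▸ Easier to work with, since algebraic methods can be used
     ▸ Well suited to breaking protocols
       (NB. conversely, not suited to verifying completeness)
     Image by Charlie Nguyen on flickr, CC-BY 2.0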
  16. SECURITY POSTURE
     ▸ Are these secure…?
     ▸ Officially, 24 patterns are presented
       xy, with x the sender side and y the receiver side, where the long-term key is…
       N: not held, K: known,
       I: sent immediately, X: sent as needed (identity hiding)
       e.g. NN, IK, etc.
     ▸ IK(psk2): WireGuard
     ▸ IK/XX: WhatsApp
     Image by Joel Penner on flickr, CC-BY 2.0
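  17. CASE STUDY: NEVER-AND-NEVER
     ▸ NN: neither the sender nor the receiver holds a long-term key…?
     ▸ NN:
       -> e
       <- e, ee
       ->
     ▸ The sender side generates an ephemeral key and sends it
       The receiver side also generates an ephemeral key and sends it, forming a DH agreement
     Image by SonnyandSandy on flickr, CC-BY-NC-ND 2.0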
  18. CASE STUDY: NEVER-AND-NEVER
     ▸ NN: neither the sender nor the receiver holds a long-term key
     ▸ Anonymous DH
       Passive: secrecy only (including forward secrecy)
       Active: provides no protection at all (!)
     ▸ An example showing that using Noise does not automatically make you secure
     Image by SonnyandSandy on flickr, CC-BY-NC-ND 2.0
  19. CASE STUDY: IMMEDIATE-TO-KNOWN
     ▸ IKpsk2: the WireGuard case
     ▸ Passive
     ▸ Msg A: forward secrecy is not entirely absent
       Msg B..D: no problems
  20. CASE STUDY: IMMEDIATE-TO-KNOWN
     ▸ IKpsk2: the WireGuard case
     ▸ Active
     ▸ Msg A: forward secrecy is not entirely absent
       Msg B: forward secrecy is, well, somewhat weak
       Msg C..D: no problems
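  21. CASE STUDY: IMMEDIATE-TO-KNOWN
     ▸ IKpsk2: the WireGuard case
     ▸ The course of events differs between passive and active, but…
     ▸ Looking at the handshake as a whole, it is secure
     ▸ Secrecy: keys do not leak, and even if an ephemeral key is compromised, traffic from before that point cannot be decrypted
     ▸ Authenticity: no problem as long as the long-term key was not compromised to begin with
     Image by pfly on flickr, CC-BY-SA 2.0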
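  22. TAKEAWAYS
     ▸ Noise is a cryptographic protocol framework
     ▸ Components are carefully selected, turned into building blocks and into patterns
       → New ones can also be added, but…
     ▸ Contributes to simple, fast and secure protocol design
       → Also accommodates protocol designs with advanced properties
       (0-RTT, post-quantum resistance, etc.)
     ▸ It can also be said to have opened the door to provability…
     Image by Daisuke Matsumura on flickr, CC-BY-NC 2.0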
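  23. TAKEAWAYS
     ▸ Noise Explorer: a design and modeling system by Kobeissi et al. [Kobeissi18]
     ▸ Can generate ProVerif models not only for the 57 official patterns but also for arbitrary designs
     ▸ ProVerif: a cryptographic protocol verification tool developed at INRIA
       Algebraically proves the security a system has under a hostile network (Dolev-Yao model)
     ▸ Provable security has become considerably more accessible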
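  24. TAKEAWAYS
     ▸ Using Noise does not mean everything is secure
     ▸ Example: NN (= equivalent to anonymous DH)
     ▸ When designing your own:
       Besides following the guidelines in section 7.3 of the document,
       carry out proofs as far as you can
     Image by SonnyandSandy on flickr, CC-BY-NC-ND 2.0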
  25. REFERENCES
     ▸ Noise: https://noiseprotocol.org/
     ▸ Noise Explorer: https://noiseexplorer.com/
     ▸ ProVerif: https://bblanche.gitlabpages.inria.fr/proverif/
     ▸ Dockerfile: https://gist.github.com/alterakey/9af9b6184ffce873f4d1e2eb0ac226c7
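
A checker for the four handshake-pattern validity criteria that slides 10 and 24 point to (Noise specification, section 7.3), as an added example that is not part of the original deck or of Noise Explorer. The pattern encoding, the function names and the constructed invalid pattern are assumptions of this example; the extra rules for psk tokens and sending in the transport phase are not checked.

```python
# Added example: checks a handshake pattern against the four validity rules
# of Noise spec section 7.3. Function names and encoding are this example's own.
DH = {"ee", "es", "se", "ss"}   # first letter: initiator's key, second: responder's
# Rule 4: before encrypting after a static-key DH, the sender also needs the
# matching DH made with its own ephemeral key.
NEEDS = {"i": {"se": "ee", "ss": "es"}, "r": {"es": "ee", "ss": "se"}}

def parse(line):
    """'-> e, es' becomes ('i', ['e', 'es']); '<-' means the responder sends."""
    arrow, _, rest = line.strip().partition(" ")
    role = "i" if arrow == "->" else "r"
    return role, [t.strip() for t in rest.split(",") if t.strip()]

def check(messages, pre=()):
    """Return the list of rule violations; an empty list means valid."""
    errors, sent, done = [], set(), set()
    steps = [(0, line) for line in pre] + list(enumerate(messages, 1))
    for n, line in steps:                      # n == 0 marks a pre-message
        role, tokens = parse(line)
        for tok in tokens:
            if tok in ("e", "s"):
                if (role, tok) in sent:        # rule 2 counts pre-messages too
                    errors.append(f"msg {n}: rule 2, '{tok}' sent twice by {role}")
                sent.add((role, tok))
            elif tok in DH:
                if ("i", tok[0]) not in sent or ("r", tok[1]) not in sent:
                    errors.append(f"msg {n}: rule 1, '{tok}' uses a key not yet exchanged")
                if tok in done:
                    errors.append(f"msg {n}: rule 3, '{tok}' performed twice")
                done.add(tok)
            elif tok != "psk":                 # psk accepted; its extra rules are not checked
                errors.append(f"msg {n}: unknown token '{tok}'")
        if n == 0:
            continue                           # pre-messages carry no payload
        # Each message ends with a payload that is encrypted once a key exists (rule 4).
        for static_dh, eph_dh in NEEDS[role].items():
            if static_dh in done and eph_dh not in done:
                errors.append(f"msg {n}: rule 4, '{static_dh}' without '{eph_dh}'")
    return errors

NN = ["-> e", "<- e, ee"]
IKPSK2 = ["-> e, es, s, ss", "<- e, ee, se, psk"]   # needs pre-message "<- s"
STATIC_ONLY = ["-> ss"]                              # constructed invalid pattern

if __name__ == "__main__":
    print(check(NN), check(IKPSK2, pre=["<- s"]))
    print(check(STATIC_ONLY, pre=["-> s", "<- s"]))
```

NN passes all four rules even though it offers no protection against an active attacker, which is the deck's point: validity under section 7.3 is a baseline, and the security properties still have to be proved.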