Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Encrypted SNI

kazuho
June 11, 2019
Technology
5
5.4k

Encrypted SNI

kazuho

June 11, 2019
Tweet

More Decks by kazuho

See All by kazuho
HTTP優先度制御の今後とビデオ配信
kazuho
0
64
Security, privacy, performance of next-generation transport protocols
kazuho
8
30k
TLS 1.3とその周辺の標準化動向
kazuho
0
7.3k
Fastlyのプログラマから見たCDN
kazuho
29
16k

Other Decks in Technology

See All in Technology
権威DNSサービスへのDDoSと
ハイパフォーマンスなベンチマーカ / DNS Pseudo random subdomain attack and High performance Benchmarker
kazeburo
3
910
技育祭2023春 ちゅらデータ講演資料
foursue
1
630
C# と HTTP/2 と gRPC
nenonaninu
0
390
開幕LT
makamaka
0
360
Teamsコネクタについて(チーム、チャネル)
miyakemito
2
280
DevOpsの始め方講座 - 2023年度こそDevOpsを始めよう!
devops_vtj
0
110
チーム開発における様々なボトルネックの整理 / Organization of bottlenecks in Team Development
stefafafan
0
530
TryToUseCloudFlareTunnel_20230317.pdf
kenichirokimura
0
170
sue445とOSSと社内ツール #subcul_dev
sue445
PRO
0
460
Federated Learning 連合学習
regonn
1
360
自分のデータは自分で守る - あなたのCI/CDパイプラインをセキュアにする処方箋
jacopen
4
440
CDK使用歴1年の僕が現場でCDK導入するときに得たTips
miura55
0
290

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
117
7.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Visualization
eitanlees
129
12k
Designing Experiences People Love
moore
130
22k
Mobile First: as difficult as doing things right
swwweet
213
7.9k
A designer walks into a library…
pauljervisheath
199
16k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Docker and Python
trallard
30
2k
Music & Morning Musume
bryan
37
4.7k
Designing for Performance
lara
600
65k
Building Applications with DynamoDB
mza
86
5k

Transcript

  1. &ODSZQUFE4/*
    ,B[VIP0LV
    +VO

    View Slide


  2. • MFBEEFWFMPQFSPG
    – )0 )551

    – QJDPUMT 5-4

    – RVJDMZ 26*$

    • BVUIPSPG
    – 3'$r &BSMZ)JOUTGPS)551
    – ESBGUJFUGUMTFTOJ ˡ UIJT
    – ESBGULB[VIPRVJDBVUIFOUJDBUFEIBOETIBLF
    8IPBN*

    View Slide


  3. • *&5'5-48(XPSLJOHJUFN
    • BVUIPST
    – &SJD3FTDPSMB FLS!SUGNDPN

    – ,B[VIP0LV LB[VIPPLV!HNBJMDPN

    – /JDL4VMMJWBO OJDL!DMPVEGMBSFDPN

    – $ISJTUPQIFS"8PPE DBXPPE!BQQMFDPN

    ESBGUJFUGUMTFTOJ

    View Slide


  4. • 4FSWFS/BNF*OEJDBUJPO
    – QBSUPG$MJFOU)FMMP
    – VTFECZUIFTFSWFSUPTFMFDU
    • LFZBMHPSJUIN
    • TFSWFSDFSUJGJDBUF
    8IBUJT4/*
    ClientHello (w. pubkey)
    ServerHello (w. pubkey)
    EncryptedExtensions
    ServerCertificate
    Finished
    App. Data (server only)
    (ClientCertificate)
    Finished
    Application Data
    Client Server
    plaintext
    encrypted
    (unauthenticated)
    encrypted
    (authenticated)

    View Slide


  5. 8IZFODSZQU4/*

    View Slide


  6. • 3'$
    – l1FSWBTJWFNPOJUPSJOHJTBUFDIOJDBMBUUBDL
    UIBUTIPVMECFNJUJHBUFEJOUIFEFTJHOPG
    *&5'QSPUPDPMT XIFSFQPTTJCMFz
    • 3'$
    – l5IF*"#VSHFTQSPUPDPMEFTJHOFSTUPEFTJHO
    GPSDPOGJEFOUJBMPQFSBUJPOCZEFGBVMU8F
    TUSPOHMZFODPVSBHFEFWFMPQFSTUPJODMVEF
    FODSZQUJPOJOUIFJSJNQMFNFOUBUJPOTBOEUP
    NBLFUIFNFODSZQUFECZEFGBVMUz
    3BUJPOBMF

    View Slide


  7. • %/4SFTPMVUJPO
    • 4/*
    • TFSWFSDFSUJGJDBUF
    • TFSWFS*1BEESFTT
    • USBGGJDBOBMZTJT
    4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

    View Slide


  8. • %/4SFTPMVUJPO %P5%P)
    • 4/* ˡ UIJT
    • TFSWFSDFSUJGJDBUF 5-4
    • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ
    • USBGGJDBOBMZTJT
    4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

    View Slide


  9. ESBGUJFUGUMTFTOJ

    View Slide


  10. • r ESBGULB[VIPQSPUFDUFETOJ

    • r ESBGUSFTDPSMBUMTFTOJ
    • r ESBGUJFUGUMTFTOJ
    • r ESBGUJFUGUMTFTOJ
    • r ESBGUJFUGUMTFTOJ
    )JTUPSZ

    View Slide


  11. • VTF%/4UPEJTUSJCVUFQVCMJDLFZ
    • UIBUJTVTFEGPSFODSZQUJOHUIF4/*
    ,FZJEFB

    View Slide


  12. )PXJUXPSLT
    example.com A?
    example.com ESNI?
    example.com A=192.0.2.1
    example.com ESNI=pubkey
    ClientHello {ESNI=encrypt("example.com")}
    DoH recursor
    HTTPS server
    DNS authoritative
    server

    View Slide


  13. TUSVDU\
    VJOU WFSTJPO
    VJOU DIFDLTVN>
    PQBRVF [email protected]? QMBJOUFYU4/*WBMVF
    ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT
    $JQIFS4VJUF [email protected]?
    VJOU [email protected]
    VJOU [email protected]
    VJOU [email protected]
    &YUFOTJPO FYUFOTJPOT?
    ^&4/*,FZT
    FYBNQFOFU*/&4/*FTOJLFZT JOCJOBSZ
    &4/*SFDPSE

    View Slide


  14. • TPUIBUJUDBOCFTNBMM
    • EPXOTJEFBUUBDLFSDBOTQPPG
    – CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1
    BEESFTTPGFYBNQMFDPN
    • BDDFTTUPUIFBEESFTTSFWFBMTUIF4/*
    • UPSFQISBTF &4/*
    – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ
    – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS
    BUUBDL
    &4/*SFDPSEJTOPUTJHOFE

    View Slide


  15. • #PSJOH44-
    • $MPVEGMBSF
    • .P[JMMB'JSFGPY
    • QJDPUMT
    *NQMFNFOUFECZ

    View Slide


  16. 3FDFOUMZBEEFEGFBUVSFT

    View Slide


  17. • 8IBUIBQQFOTXIFOUIF&4/*LFZ
    EJTUSJCVUFEVTJOH%/4BOEUIFLFZPO
    UIFTFSWFSCFDPNFTPVUPGTZOD
    • 3FDPWFSZJTCFUUFSUIBOIBSEGBJM
    – MFUUIFTFSWFSSFQMBDFUIF&4/*LFZVTFECZ
    UIFDMJFOU
    *NQSPWF&4/*SPCVTUOFTT

    View Slide


  18. • )PXJUXPSLT
    – QVCMJDOBNFBOEQVCMJDLFZJO&4/*3FDPSE
    – DMJFOUPGGFSTQMBJOUFYU4/* QVCMJDOBNF

    BOE&4/* FODSZQUFEOBNF

    – XIFOTFSWFSSFDFJWFTBDPSSVQU&4/* JU
    • GJOJTIFTUIF5-4IBOETIBLFBTlQVCMJDOBNFz
    • TFOETBOVQEBUFE&4/*LFZ
    – DMJFOUSFDPOOFDUTVTJOHUIFVQEBUFE&4/*
    LFZ
    *NQSPWF&4/*SPCVTUOFTT

    View Slide


  19. • 5IFJTTVF
    – BXFCTJUFDBOVTFNVMUJQMF$%/T
    – FWFSZ$%/XJMMIBWFEJGGFSFOU&4/*LFZT
    – XIBUIBQQFOTJGDMJFOUPCUBJOT"SFDPSEGPS
    $%/" BOE&4/*SFDPSEGPS$%/#
    • QVCMJDOBNFDBOOPUGJYUIFJTTVF CFDBVTFQVCMJD
    OBNFXJMMCFEJGGFSFOUGPSFBDI$%/&4/*
    SFDPSE
    l$PNCJOFE3FDPSEzFYUFOTJPO

    View Slide


  20. • 4PMVUJPO
    – DSFBUFBGBUSFDPSE DPOUBJOJOHCPUI&4/*
    LFZTBOE *1BEESFTTFT
    l$PNCJOFE3FDPSEzFYUFOTJPO

    View Slide


  21. 5IF*OUFSOFUJTGPSFOEVTFST

    View Slide


  22. • QSJWBDZJTUPQMFWFMQSJPSJUZ
    • MFTTlJNQMJDJUTJHOBMzFYQPTFEUPOFUXPSL
    – FODSZQUFE%/4USBGGJD
    – FODSZQUFE4/*
    – FODSZQUFEUSBOTQPSU 26*$

    • lFYQMJDJUTJHOBMzSFRVJSFTTUBOEBSEJ[BUJPO
    – 26*$TQJOCJU
    5IF*OUFSOFUJTGPSFOEVTFST

    View Slide


  23. • 3'$
    • 3'$
    • ESBGUJFUGUMT
    • ESBGUOPUUJOHIBNGPSUIFVTFST
    3FGFSFODFT

    View Slide