Security, privacy, performance of next-generation transport protocols
kazuho
September 08, 2018
Discusses the motivation behind QUIC encryption and TLS encrypted SNI.
Transcript
Security, privacy, performance of next-generation transport protocols
Kazuho Oku, Sep

Who am I
• Principal OSS Developer @ Fastly
• lead developer of
  – H2O (HTTP)
  – picotls (TLS)
  – quicly (QUIC)
• author of
  – RFC: Early Hints for HTTP
  – draft-ietf-httpbis-cache-digest
  – draft-ietf-tls-esni

The big picture
[table; columns: yesterday, today, tomorrow]
name resolution – DNS, DNS over HTTPS
transport – TCP, QUIC, TLS
security – TLS, TLS
application protocol – HTTP

Can we trust the network?
• pervasive monitoring
• people relying more on (public) wifi

Agenda
• TLS
• Security of a transport
• QUIC
  – handshake
  – packet number encryption
• Encrypted SNI
TLS

TLS
• essentially TLS
• published as RFC in August

TLS
• AEAD ciphers
  – without explicit nonce
• faster handshake (to RTT)
• forward secrecy
• better privacy
  – one-off session tickets
  – certificates no more transmitted in clear

AES-GCM
[diagram labels: AES-CTR (nonce || 0, nonce || 1, nonce || 3 → AES; plaintext 1, 2, 3 → ciphertext 1, 2, 3); GCM (add. data → tag)]

AEAD in TLS (using AES-GCM)
[same diagram; annotations: nonce: record number; add. data: record header]

TLS handshake flow
[sequence diagram, Client and Server: ClientHello, ServerHello, ServerCertificate, ServerKeyExchange, (ClientCertificate), ClientKeyExchange, Finished, Finished, Application Data; legend: plaintext, encrypted]

TLS handshake flow
[sequence diagram, Client and Server: ClientHello (w. pubkey), ServerHello (w. pubkey), EncryptedExtensions, ServerCertificate, Finished, App. Data (server only), (ClientCertificate), Finished, Application Data; legend: plaintext, encrypted (unauthenticated), encrypted (authenticated)]

Differences bet. handshake flows
• TLS
  – exchange parameters (incl. certificates), then exchange the public keys
• TLS
  – exchange public keys as well as parameters
    • retry to use another public key algorithm
  – set up encrypted channel using the exchanged keys
    • use the channel to authenticate

The benefits
• less round-trips
• identity of the endpoints is protected
  – i.e. certificates
  – cf. tracking devices using client cert auth
• but the server name (SNI) is unprotected
  – because it is part of ClientHello
  – will cover that later

Tackling ossification
• middleboxes disrupting TLS handshake
  – thinks “This TLS handshake suspicious. It's a full handshake but does not contain a certificate”, terminates the connection
  – reality: certificate is encrypted
• solution: make TLS handshake look like TLS resumption
Security of a transport

The security triad
• confidentiality
• integrity
• availability

TLS over TCP
• TLS
  – provides confidentiality, integrity
  – using the exchanged keys
• TCP
  – responsible for providing availability
  – but the packets can be tampered with

Reset injection attack
• middlebox injects TCP resets
  – send a TCP packet with RST bit set
• block access to certain websites
  – by observing plaintext (e.g. SNI)
• block certain protocols (e.g. P2P)

Three types of attacks
• on-path attack
  – attacker can drop/modify packets
• man-on-the-side attack
  – attacker can observe/inject packets
• off-path attack
  – attacker does not have access to packets
  – not so practical for TCP

Man-on-the-side attack is easy
• on-path attack
  – attacker can drop/modify packets
  – essentially a special-purpose router
    • additional cost to observe the payload of the routed packets is the problem
• man-on-the-side attack
  – attacker can observe/inject packets
  – a node that taps on the network, injects packets at best-effort

and very practical for TCP
• injecting one RST packet terminates a TCP connection
• encrypted transports (e.g. DTLS, IPsec) provide resistance to injection attack
  – by encrypting every packet using the exchanged keys
    • e.g. pn cc AE[email protected]GCM(pn, payload)

QUIC packet
• AEAD to protect each packet
[packet layout: Packet type and flags (1 octet) | Destination Connection ID (0, 4-18 octets) | Encrypted Packet Number (1, 2, 4 octets) | Encrypted Payload | AEAD tag (16 octets or more); labels: additional text, AEAD payload, encrypted???]
QUIC

Features of QUIC
• encrypted transport
  – uses TLS for handshake
• handshake in RT
  – TCP + TLS takes RT
• multiplexing streams into one connection
• fix head-of-line blocking in HTTP
  – process out-of-order packets belonging to different streams
• mobility (network migration)

QUIC handshake

Original design
[diagram: streams (stream 0, stream 4, stream 8, stream 16…) carrying TLS 1.3 and HTTP request 1, 2, 3 over the packet layer (packet 1, 2, 3… packet 8, 9, 10, 11…); obtain “exporter secret” ↓ derive server traffic key & client traffic key]

Original design: issues
• double encryption
• ambiguities
  – when to activate application traffic keys
  – when stream switches to using protected QUIC packets
• attack vectors
  – reset injection attack
  – ACK promotion attack

Issue: use of encryption
[same stream and packet layer diagram as “Original design”]

Issue: when to activate traffic keys
[sequence diagram, Client and Server: ClientHello (w. pubkey), ServerHello (w. pubkey), EncryptedExtensions, ServerCertificate, Finished, App. Data (server only), (ClientCertificate), Finished, Application Data; legend: plaintext, encrypted (unauthenticated), encrypted (authenticated)]

Issue: when to activate traffic keys
[same stream and packet layer diagram; added annotation: activate them at different moments]

Issue: reset injection attack
[same stream and packet layer diagram; added annotation: reset!]

Issue: ACK promotion attack
[same stream and packet layer diagram; added annotation: ACK (8)]

Solution
• change TLS

Solution
• change the subprotocol of TLS

Background: layers of TLS
[diagram: TLS messages: SH, EE, Certificate, Fin, NST; TLS records: plaintext, HS, 1RTT; TCP segments: segment, segment]

Layers in the original design
[diagram: TLS messages: SH, EE, Certificate, Fin, NST; TLS records: plaintext, HS, 1RTT; QUIC frames: stream 0, stream 0, stream 0; QUIC packets: HS, HS, 1RTT; UDP datagrams: datagram, datagram; annotations: confidentiality, injection resistance]

Layers in the refined design
[diagram: TLS messages: SH, EE, Certificate, Fin, NST; QUIC frames: CRYPTO, CRYPTO, CRYPTO, CRYPTO; QUIC packets: Initial, HS, HS, 1RTT; UDP datagrams: datagram, datagram; annotations: confidentiality, injection resistance]

Required changes to TLS stack API
• original design (TLS)
  – I/O of encrypted octets
  – access to “exporter secret”
• refined design
  – I/O of TLS messages (in plaintext)
  – events to install traffic keys
    • RTT (unidirectional), HS (bi), RTT (bi)
  – note: DTLS requires such an internal API

Refined design: the benefits
• separation of concern
  – TLS provides keys and authentication
  – QUIC encrypts the packets
• no more ambiguity
  – distinct streams for each encryption level
  – three distinct packet number spaces
    • i.e. Initial, Handshake, RTT
    • no chance of ACK promotion attack

Issues resolved (almost)
• double encryption
• ambiguities
  – when to activate traffic keys
  – when stream switches to using protected QUIC packets
• attack vectors
  – less fragile to reset injection attack
  – ACK promotion attack
QUIC packet number encryption

Packet number and privacy
• packet number (PN)
  – is unique for each packet being sent
  – increases monotonically
• therefore, can be used to track a client
  – Connection ID is changed when an endpoint migrates to a different network. What should we do for packet number?

Considered approaches
• jump PN when switching CID
  – peers need to agree on the random offset
    • since PN (bit) is rounded on wire to bits
    • offset needs to be different for each direction
  – what to do on path probing error?
• different PN space for each CID
  – means having encryption keys and ACK queue for each CID

Solution: packet number encryption
• encrypting PN is simpler than
  – inserting jumps / having many keys / spaces

But how?
[packet layout with field sizes; legend: unencrypted, encrypted]
unencrypted: type (1) | CID (0/4-18) | PN (1/2/4) | payload (any)
↓ AES_GCM(PN, payload)
encrypted: type (1) | CID (0/4-18) | PN (1/2/4) | ciphertext (any) | AEAD tag (16)
↓ + PNE: ???
type (1) | CID (0/4-18) | PNE (1/2/4) | ciphertext (any) | AEAD tag (16)

Naïve approach
[packet layout with field sizes; legend: unencrypted, encrypted]
unencrypted: type (1) | CID (0/4-18) | PN (1/2/4) | payload (any)
↓ AES_GCM(PN, payload)
encrypted: type (1) | CID (0/4-18) | PN (1/2/4) | ciphertext (any) | AEAD tag (16)
↓ + PNE: AES
type (1) | CID (0/4-18) | PNE+ciph. (16) | ciph. (any – 1/2/4) | AEAD tag (16)

Adopted approach
[packet layout with field sizes; legend: unencrypted, encrypted]
unencrypted: type (1) | CID (0/4-18) | PN (1/2/4) | payload (any)
↓ AES_GCM(PN, payload)
encrypted: type (1) | CID (0/4-18) | PN (1/2/4) | ciphertext (any) | AEAD tag (16)
↓ + PNE: AES_CTR(ciphertext, PN)
type (1) | CID (0/4-18) | PNE (1/2/4) | ciphertext (any) | AEAD tag (16)

PNE to prevent misuse of PN
• some mobile networks “fix” out-of-order delivery by looking at PN
  – to lessen retransmits
  – no downside for TCP
  – issue for QUIC, because we can use packets arriving out-of-order
• QUIC will be ossified once middleboxes start using PN in particular ways

The improvements
• TCP + TLS
  – addresses confidentiality, integrity
• in addition, QUIC + TLS
  – improves availability
  – preserves user privacy
  – prevents ossification
  – optimizes for performance
    • setup in RT (RT in TCP + TLS)
    • use of packets arriving out-of-order

QUIC and encryption
• encryption is the task of QUIC
  – handshake done by TLS
• almost everything is encrypted
  – only packet type, CID, protocol version are visible on the wire
• what to expose is decided explicitly
  – e.g. “spin bit” experiment

Encrypted SNI
What is SNI?
• Server Name Indication
  – part of ClientHello
  – used by the server to select
    • key algorithm
    • server certificate
[sequence diagram, Client and Server: ClientHello (w. pubkey), ServerHello (w. pubkey), EncryptedExtensions, ServerCertificate, Finished, App. Data (server only), (ClientCertificate), Finished, Application Data; legend: plaintext, encrypted (unauthenticated), encrypted (authenticated)]

Sources of server identity leakage
• DNS resolution
• SNI
• server certificate
• server IP address
• traffic analysis

Sources of server identity leakage
• DNS resolution (DoH)
• SNI ← this
• server certificate (TLS)
• server IP address (mass-scale multi-tenancy)
• traffic analysis

Solution: encrypted SNI
• draft-rescorla-tls-esni
  – to become draft-ietf-tls-esni
• key idea
  – use public-key crypto to encrypt SNI
  – use DNS to distribute the public key

How it works
[diagram: DoH recursor, DNS authoritative server, HTTPS server; queries: example.com? _esni.example.com?; answers: example.com=192.0.2.1, _esni.example.com=pubkey; ClientHello {ESNI=encrypt("example.com")}]

ESNI record
struct {
  uint checksum[]
  KeyShareEntry keys^ public keys
  CipherSuite [email protected] ^
  uint [email protected]
  uint [email protected]
  uint [email protected]
  Extension extensions^
} ESNIKeys
_esni.esni.exampe.net IN TXT

Security aspects
• ESNI record is not signed
  – so that it can be small
  – attacker can spoof them
    • but an attacker can also spoof the IP address of example.com
  – access to the address reveals the SNI
• to summarize, ESNI:
  – improves privacy when DNS is healthy
  – does not worsen the security when under attack

Using ESNI public key for other purposes
• RTT application data in full handshake
  – need to distribute signed pubkey and certificate chain using DNS
• protecting initial exchange from injection attack
Recapitulation

Our status
• nearly complete in fixing privacy leaks
• encryption is also used for
  – providing availability
  – preventing ossification
    • for further evolution in the future
• almost everything is encrypted in QUIC
  – encrypt even more in upcoming protocols
  – we debate and decide what to expose to the network
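
The adopted packet number encryption layout from the slides (AES_GCM(PN, payload), then PNE: AES_CTR(ciphertext, PN)), as an added Go example that is not code from the deck, from quicly, or from any QUIC draft. The keys, the fixed 4-byte PN, the 16-byte sample taken from the start of the ciphertext, the IV-XOR-PN nonce and the use of header || PN as additional data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo secrets; in QUIC these come out of the TLS handshake.
var aeadKey, pnKey, iv = []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("static-iv-12")

const pnLen, sampleLen = 4, 16 // fixed sizes assumed for this example

func gcm() cipher.AEAD {
	b, _ := aes.NewCipher(aeadKey)
	g, _ := cipher.NewGCM(b)
	return g
}
// nonce XORs the packet number into the last 4 bytes of the static IV.
func nonce(pn uint32) []byte {
	n := append([]byte(nil), iv...)
	binary.BigEndian.PutUint32(n[8:], binary.BigEndian.Uint32(n[8:])^pn)
	return n
}
// maskPN is PNE = AES_CTR(ciphertext, PN): a ciphertext sample is the CTR IV.
func maskPN(pn, sample []byte) {
	b, _ := aes.NewCipher(pnKey)
	cipher.NewCTR(b, sample).XORKeyStream(pn, pn)
}
// Protect returns header || PNE || AES_GCM(PN, payload) with its tag.
func Protect(header []byte, pn uint32, payload []byte) []byte {
	hp := binary.BigEndian.AppendUint32(append([]byte(nil), header...), pn)
	ct := gcm().Seal(nil, nonce(pn), payload, hp) // header || PN is the AAD
	maskPN(hp[len(header):], ct[:sampleLen])
	return append(hp, ct...)
}
// Unprotect unmasks the PN using the sample, then authenticates the packet.
func Unprotect(pkt []byte, hdrLen int) (uint32, []byte, error) {
	if hdrLen < 0 || len(pkt) < hdrLen+pnLen+sampleLen {
		return 0, nil, fmt.Errorf("packet too short: %d bytes", len(pkt))
	}
	hp, ct := append([]byte(nil), pkt[:hdrLen+pnLen]...), pkt[hdrLen+pnLen:]
	maskPN(hp[hdrLen:], ct[:sampleLen])
	pn := binary.BigEndian.Uint32(hp[hdrLen:])
	payload, err := gcm().Open(nil, nonce(pn), ct, hp)
	return pn, payload, err
}
func main() {
	fmt.Printf("%x\n", Protect([]byte{0x30, 0xc1}, 8, []byte("GET /"))) // constructed packet
}
```

Because the sample is part of the authenticated ciphertext, changing any byte on the wire makes Unprotect return an error, which is the injection resistance the transport slides describe.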