Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security, privacy, performance of next-generati...
Search
kazuho
September 08, 2018
Technology
8
39k
Security, privacy, performance of next-generation transport protocols
Discusses the motivation behind QUIC encryption and TLS encrypted SNI.
kazuho
September 08, 2018
Tweet
Share
More Decks by kazuho
See All by kazuho
HTTP優先度制御の今後とビデオ配信
kazuho
1
110
Encrypted SNI
kazuho
5
6.7k
TLS 1.3とその周辺の標準化動向
kazuho
0
9.4k
Fastlyのプログラマから見たCDN
kazuho
29
18k
Other Decks in Technology
See All in Technology
経験がないことを言い訳にしない、 AI時代の他領域への染み出し方
parayama0625
0
290
生成AIによる情報システムへのインパクト
taka_aki
1
230
「育てる」サーバーレス 〜チーム開発研修で学んだ、小さく始めて大きく拡張するAWS設計〜
yu_kod
1
230
2025-07-31: GitHub Copilot Agent mode at Vibe Coding Cafe (15min)
chomado
2
310
Microsoft Clarityでインサイトを見つけよう
nakasho
0
110
Gemini in Android Studio - Google I/O Bangkok '25
akexorcist
0
150
Perlアプリケーションで トレースを実装するまでの 工夫と苦労話
masayoshi
1
330
株式会社島津製作所_研究開発(集団協業と知的生産)の現場を支える、OSS知識基盤システムの導入
akahane92
1
1.3k
ファインディにおける Dataform ブランチ戦略
hiracky16
0
250
【2025 Japan AWS Jr. Champions Ignition】点から線、線から面へ〜僕たちが起こすコラボレーション・ムーブメント〜
amixedcolor
1
110
AWS re:Inforce 2025 re:Cap Update Pickup & AWS Control Tower の運用における考慮ポイント
htan
1
120
興味の胞子を育て 業務と技術に広がる”きのこ力”
fumiyasac0921
0
520
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Automating Front-end Workflow
addyosmani
1370
200k
Unsuck your backbone
ammeep
671
58k
Become a Pro
speakerdeck
PRO
29
5.5k
Art, The Web, and Tiny UX
lynnandtonic
301
21k
Testing 201, or: Great Expectations
jmmastey
44
7.6k
Agile that works and the tools we love
rasmusluckow
329
21k
Optimizing for Happiness
mojombo
379
70k
The World Runs on Bad Software
bkeepers
PRO
70
11k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
730
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Transcript
4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ
4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ
• 1SJODJQBM044%FWFMPQFS!'BTUMZ • MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT
5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGIUUQCJTDBDIFEJHFTU – ESBGUJFUGUMTFTOJ 8IPBN*
ZFTUFSEBZ UPEBZ UPNPSSPX OBNFSFTPMVUJPO %/4 %/4PWFS)5514 USBOTQPSU 5$1 26*$
5-4 TFDVSJUZ 5-4 5-4 BQQMJDBUJPOQSPUPDPM )551 5IFCJHQJDUVSF
• QFSWBTJWFNPOJUPSJOH • QFPQMFSFMZJOHNPSFPO QVCMJD XJGJ $BOXFUSVTUUIFOFUXPSL
• 5-4 • 4FDVSJUZPGBUSBOTQPSU • 26*$ – IBOETIBLF –
QBDLFUOVNCFSFODSZQUJPO • &ODSZQUFE4/* "HFOEB
5-4
• FTTFOUJBMMZ5-4 • QVCMJTIFEBT3'$JO"VHVTU 5-4
• "&"%DJQIFST – XJUIPVUFYQMJDJUOPODF • GBTUFSIBOETIBLF UP355 • GPSXBSETFDSFDZ
• CFUUFSQSJWBDZ – POFPGGTFTTJPOUJDLFUT – DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS 5-4
AES-CTR "&4($. AES ciphertext 1 plaintext 1 nonce ||
0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag
AES-CTR "&"%JO5-4 VTJOH"&4($. AES ciphertext 1 plaintext 1 nonce
|| 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag OPODFSFDPSEOVNCFSBEEEBUBSFDPSEIFBEFS
ClientHello ServerHello ServerCertificate ServerKeyExchange (ClientSertificate) ClientKeyExchange Finished Finished Application
Data 5-4IBOETIBLFGMPX Client Server plaintext encrypted
5-4IBOETIBLFGMPX ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate
Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
%JGGFSFODFTCFUIBOETIBLFGMPXT • 5-4 – FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT UIFOFYDIBOHFUIFQVCMJDLFZT •
5-4 – FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST • SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN – TFUVQFODSZQUFEDIBOOFMVTJOHUIF FYDIBOHFELFZT • VTFUIFDIBOOFMUPBVUIFOUJDBUF
• MFTTSPVOEUSJQT • JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE – JFDFSUJGJDBUFT – DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI •
CVUUIFTFSWFSOBNF 4/* JTVOQSPUFDUFE – CFDBVTFJUJTQBSUPG$MJFOU)FMMP – XJMMDPWFSUIBUMBUFS 5IFCFOFGJUT
• NJEEMFCPYFTEJTSVQUJOH5-4IBOETIBLF – UIJOLTl5IJT5-4IBOETIBLFTVTQJDJPVT*U`TB GVMMIBOETIBLFCVUEPFTOPUDPOUBJOB DFSUJGJDBUFz UFSNJOBUFTUIFDPOOFDUJPO – SFBMJUZDFSUJGJDBUFJTFODSZQUFE
• TPMVUJPONBLF5-4IBOETIBLFMPPL MJLF5-4SFTVNQUJPO 5BDLMJOHPTTJGJDBUJPO
4FDVSJUZPGBUSBOTQPSU
• DPOGJEFOUJBMJUZ • JOUFHSJUZ • BWBJMBCJMJUZ 5IFTFDVSJUZUSJBE
• 5-4 – QSPWJEFTDPOGJEFOUJBMJUZ JOUFHSJUZ – VTJOHUIFFYDIBOHFELFZT • 5$1
– SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ – CVUUIFQBDLFUTDBOCFUBNQFSFE 5-4PWFS5$1
• NJEEMFCPYJOKFDUT5$1SFTFUT – TFOEB5$1QBDLFUXJUI345CJUTFU • CMPDLBDDFTTUPDFSUBJOXFCTJUFT – CZPCTFSWJOHQMBJOUFYU FH
4/* • CMPDLDFSUBJOQSPUPDPMT FH11 3FTFUJOKFDUJPOBUUBDL
• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT •
PGGQBUIBUUBDL – BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT – OPUTPQSBDUJDBMGPS5$1 5ISFFUZQFTPGBUUBDLT
• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT – FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS • BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF SPVUFEQBDLFUTJTUIFQSPCMFN
• NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT – BOPEFUIBUUBQTPOUIFOFUXPSL JOKFDUT QBDLFUTBUCFTUFGGPSU .BOPOUIFTJEFBUUBDLJTFBTZ
• JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB 5$1DPOOFDUJPO • FODSZQUFEUSBOTQPSUT FH %5-4 *1TFD
QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL – CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF FYDIBOHFELFZT • FH QO cc"&4@($. QO QBZMPBE BOEWFSZQSBDUJDBMGPS5$1
Packet type and flags (1 octet) Destination Connection ID
(0,4-18 octets) Encrypted Packet Number (1,2,4 octets) Encrypted Payload AEAD tag (16 octets or more) 26*$QBDLFU additional text • "&"% Ћ UPQSPUFDUFBDIQBDLFU AEAD payload encrypted???
26*$
• FODSZQUFEUSBOTQPSU – VTFT5-4GPSIBOETIBLF • IBOETIBLFJO35 – 5$1 5-4UBLFT35
• NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO • GJYIFBEPGMJOFCMPDLJOHJO)551 – QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB EJGGFSFOUTUSFBNT • NPCJMJUZ OFUXPSLNJHSBUJPO 'FBUVSFTPG26*$
26*$IBOETIBLF
stream 0 stream 4 stream 8 stream 16… 0SJHJOBMEFTJHO
HTTP request 1 TLS 1.3 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer 2 3… 9 10 11… obtain “exporter secret” ↓ derive server traffic key & client traffic key
• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFBQQMJDBUJPOUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT
• BUUBDLWFDUPST – SFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL 0SJHJOBMEFTJHOJTTVFT
*TTVFVTFPGFODSZQUJPO stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key 2 3… 9 10 11… TLS 1.3
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate
Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3
*TTVFSFTFUJOKFDUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 reset!
*TTVF"$,QSPNPUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 ACK (8)
• DIBOHF5-4 4PMVUJPO
• DIBOHFUIFTVCQSPUPDPMPG 5-4 4PMVUJPO
#BDLHSPVOEMBZFSTPG5-4 segment segment TLS messages: TLS records: TCP segments:
plaintext HS 1RTT SH EE Certificate Fin NST
plaintext HS 1RTT SH EE Certificate Fin NST stream
0 stream 0 TLS messages: TLS records: QUIC frames: HS HS QUC packets: datagram datagram UDP datagrams: stream 0 1RTT -BZFSTJOUIFPSJHJOBMEFTJHO confidentiality injection resistance
SH EE Certificate Fin NST CRYPTO CRYPTO TLS messages:
QUIC frames: Initial HS QUC packets: datagram datagram UDP datagrams: CRYPTO 1RTT -BZFSTJOUIFSFGJOFEEFTJHO HS CRYPTO confidentiality injection resistance
• PSJHJOBMEFTJHO 5-4 – *0PGFODSZQUFEPDUFUT – BDDFTTUPlFYQPSUFSTFDSFUz •
SFGJOFEEFTJHO – *0PG5-4NFTTBHFT JOQMBJOUFYU – FWFOUTUPJOTUBMMUSBGGJDLFZT • 355 VOJEJSFDUJPOBM )4 CJ 355 CJ – OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1* 3FRVJSFEDIBOHFTUP5-4TUBDL"1*
• TFQBSBUJPOPGDPODFSO – 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO – 26*$FODSZQUTUIFQBDLFUT • OPNPSFBNCJHVJUZ –
EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM – UISFFEJTUJODUQBDLFUOVNCFSTQBDF • JF *OJUJBM )BOETIBLF 355 • OPDIBODFPG"$,QSPNPUJPOBUUBDL 3FGJOFEEFTJHOUIFCFOFGJUT
• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT
• BUUBDLWFDUPST – MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL *TTVFTSFTPMWFE BMNPTU
26*$QBDLFUOVNCFSFODSZQUJPO
• QBDLFUOVNCFS 1/ – JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU – JODSFBTFTNPOPUPOJDBMMZ • UIFSFGPSF
DBOCFVTFEUPUSBDLBDMJFOU – $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU TIPVMEXFEPGPSQBDLFUOVNCFS 1BDLFUOVNCFSBOEQSJWBDZ
• KVNQ1/XIFOTXJUDIJOH$*% – QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU • TJODF1/ CJU JTSPVOEFEPOXJSFUP
CJUT • PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO – XIBUUPEPPOQBUIQSPCJOHFSSPS • EJGGFSFOU1/TQBDFGPSFBDI$*% – NFBOTIBWJOHFODSZQUJPOLFZTBOE"$, RVFVFGPSFBDI$*% $POTJEFSFEBQQSPBDIFT
• FODSZQUJOH1/JTTJNQMFSUIBO – JOTFSUJOHKVNQTIBWJOHNBOZLFZTTQBDFT 4PMVUJPOQBDLFUOVNCFSFODSZQUJPO
#VUIPX type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: ??? ↓ unencrypted encrypted
/BÏWFBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE+ciph. ciph. AEAD tag 1 0/4-18 16 any – 1/2/4 16 size: + PNE: AES ↓ unencrypted encrypted
"EPQUFEBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: AES_CTR(ciphertext, PN) ↓ unencrypted encrypted
• TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS EFMJWFSZCZMPPLJOHBU1/ – UPMFTTFOSFUSBOTNJUT – OPEPXOTJEFGPS5$1 – JTTVFGPS26*$
CFDBVTFXFDBOVTFQBDLFUT BSSJWJOHPVUPGPSEFS • 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT TUBSUVTJOH1/JOQBSUJDVMBSXBZT 1/&UPQSFWFOUNJTVTFPG1/
• 5$1 5-4 – BEESFTTFTDPOGJEFOUJBMJUZ JOUFHSJUZ • JOBEEJUJPO 26*$
5-4 – JNQSPWFTBWBJMBCJMJUZ – QSFTFSWFTVTFSQSJWBDZ – QSFWFOUTPTTJGJDBUJPO – PQUJNJ[FTGPSQFSGPSNBODF • TFUVQJO35 35JO5$1 5-4 • VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS 5IFJNQSPWFNFOUT
• FODSZQUJPOJTUIFUBTLPG26*$ – IBOETIBLFEPOFCZ5-4 • BMNPTUFWFSZUIJOHJTFODSZQUFE – POMZQBDLFUUZQF $*%
QSPUPDPMWFSTJPOBSF WJTJCMFPOUIFXJSF • XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ – FH lTQJOCJUzFYQFSJNFOU 26*$BOEFODSZQUJPO
&ODSZQUFE4/*
• 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN •
TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
• %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT •
USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
• %/4SFTPMVUJPO %P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF
5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
• ESBGUSFTDPSMBUMTFTOJ – UPCFDPNFESBGUJFUGUMTFTOJ • LFZJEFB – VTFQVCMJDLFZDSZQUPUPFODSZQU4/* –
VTF%/4UPEJTUSJCVUFUIFQVCMJDLFZ 4PMVUJPOFODSZQUFE4/*
)PXJUXPSLT example.com? _esni.example.com? example.com=192.0.2.1 _esni.example.com=pubkey ClientHello {ESNI=encrypt("example.com")} DoH recursor
HTTPS server DNS authoritative server
TUSVDU\ VJOUDIFDLTVN<> ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOUQBEEFE@MFOHUI VJOUOPU@CFGPSF
VJOUOPU@BGUFS &YUFOTJPOFYUFOTJPOT? ^&4/*,FZT @FTOJFTOJFYBNQFOFU*/595 E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/ .Y %ZDE%7W#+P),0.I ,[BWE*N03*""*5"2&&"""""'T (E."""""89"H"" &4/*SFDPSE
• &4/*SFDPSEJTOPUTJHOFE – TPUIBUJUDBOCFTNBMM – BUUBDLFSDBOTQPPGUIFN • CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG FYBNQMFDPN
– BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPTVNNBSJ[F &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL 4FDVSJUZBTQFDUT
• 355BQQMJDBUJPOEBUBJOGVMM IBOETIBLF – OFFEUPEJTUSJCVUFTJHOFEQVCLFZ BOE DFSUJGJDBUFDIBJOVTJOH%/4 • QSPUFDUJOHJOJUJBMFYDIBOHFGSPN
JOKFDUJPOBUUBDL 6TJOH&4/*QVCMJDLFZGPSPUIFSQVSQPTFT
3FDBQJUVMBUJPO
• OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT • FODSZQUJPOJTBMTPVTFEGPS – QSPWJEJOHBWBJMBCJMJUZ – QSFWFOUJOHPTTJGJDBUJPO •
GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF • BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$ – FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT – XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF OFUXPSL 0VSTUBUVT