Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, privacy, performance of next-generation transport protocols

kazuho
September 08, 2018
Technology
8
34k

Security, privacy, performance of next-generation transport protocols

Discusses the motivation behind QUIC encryption and TLS encrypted SNI.

kazuho

September 08, 2018
Tweet

More Decks by kazuho

See All by kazuho
HTTP優先度制御の今後とビデオ配信
kazuho
0
89
Encrypted SNI
kazuho
5
6k
TLS 1.3とその周辺の標準化動向
kazuho
0
7.9k
Fastlyのプログラマから見たCDN
kazuho
29
17k

Other Decks in Technology

See All in Technology
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
570
Cracking the KubeCon CfP
inductor
2
250
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
240
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
200
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
250
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
210
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
130
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
310
Janus
bkuhlmann
1
490

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Product Roadmaps are Hard
iamctodd
44
9.7k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Building an army of robots
kneath
300
41k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k

Transcript

  1. 4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ

  2. 4FDVSJUZ QSJWBDZ  QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ

  3.  • 1SJODJQBM044%FWFMPQFS!'BTUMZ • MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT

    5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGIUUQCJTDBDIFEJHFTU – ESBGUJFUGUMTFTOJ 8IPBN*

  4.  ZFTUFSEBZ UPEBZ UPNPSSPX OBNFSFTPMVUJPO %/4 %/4PWFS)5514 USBOTQPSU 5$1 26*$

    5-4 TFDVSJUZ 5-4 5-4 BQQMJDBUJPOQSPUPDPM )551 5IFCJHQJDUVSF

  5.  • QFSWBTJWFNPOJUPSJOH • QFPQMFSFMZJOHNPSFPO QVCMJD XJGJ $BOXFUSVTUUIFOFUXPSL

  6.  • 5-4 • 4FDVSJUZPGBUSBOTQPSU • 26*$ – IBOETIBLF –

    QBDLFUOVNCFSFODSZQUJPO • &ODSZQUFE4/* "HFOEB

  7.  5-4

  8.  • FTTFOUJBMMZ5-4 • QVCMJTIFEBT3'$JO"VHVTU 5-4

  9.  • "&"%DJQIFST – XJUIPVUFYQMJDJUOPODF • GBTUFSIBOETIBLF UP355 • GPSXBSETFDSFDZ

    • CFUUFSQSJWBDZ – POFPGGTFTTJPOUJDLFUT – DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS 5-4

  10.  AES-CTR "&4($. AES ciphertext 1 plaintext 1 nonce ||

    0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag

  11.  AES-CTR "&"%JO5-4 VTJOH"&4($. AES ciphertext 1 plaintext 1 nonce

    || 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag OPODFSFDPSEOVNCFSBEEEBUBSFDPSEIFBEFS

  12.  ClientHello ServerHello ServerCertificate ServerKeyExchange (ClientSertificate) ClientKeyExchange Finished Finished Application

    Data 5-4IBOETIBLFGMPX Client Server plaintext encrypted

  13.  5-4IBOETIBLFGMPX ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate

    Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

  14.  %JGGFSFODFTCFUIBOETIBLFGMPXT • 5-4 – FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT  UIFOFYDIBOHFUIFQVCMJDLFZT •

    5-4 – FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST • SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN – TFUVQFODSZQUFEDIBOOFMVTJOHUIF FYDIBOHFELFZT • VTFUIFDIBOOFMUPBVUIFOUJDBUF

  15.  • MFTTSPVOEUSJQT • JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE – JFDFSUJGJDBUFT – DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI •

    CVUUIFTFSWFSOBNF 4/* JTVOQSPUFDUFE – CFDBVTFJUJTQBSUPG$MJFOU)FMMP – XJMMDPWFSUIBUMBUFS 5IFCFOFGJUT

  16.  • NJEEMFCPYFTEJTSVQUJOH5-4IBOETIBLF – UIJOLTl5IJT5-4IBOETIBLFTVTQJDJPVT*U`TB GVMMIBOETIBLFCVUEPFTOPUDPOUBJOB DFSUJGJDBUFz UFSNJOBUFTUIFDPOOFDUJPO – SFBMJUZDFSUJGJDBUFJTFODSZQUFE

    • TPMVUJPONBLF5-4IBOETIBLFMPPL MJLF5-4SFTVNQUJPO 5BDLMJOHPTTJGJDBUJPO

  17.  4FDVSJUZPGBUSBOTQPSU

  18.  • DPOGJEFOUJBMJUZ • JOUFHSJUZ • BWBJMBCJMJUZ 5IFTFDVSJUZUSJBE

  19.  • 5-4 – QSPWJEFTDPOGJEFOUJBMJUZ JOUFHSJUZ – VTJOHUIFFYDIBOHFELFZT • 5$1

    – SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ – CVUUIFQBDLFUTDBOCFUBNQFSFE 5-4PWFS5$1

  20.  • NJEEMFCPYJOKFDUT5$1SFTFUT – TFOEB5$1QBDLFUXJUI345CJUTFU • CMPDLBDDFTTUPDFSUBJOXFCTJUFT – CZPCTFSWJOHQMBJOUFYU FH

    4/* • CMPDLDFSUBJOQSPUPDPMT FH11 3FTFUJOKFDUJPOBUUBDL

  21.  • POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT •

    PGGQBUIBUUBDL – BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT – OPUTPQSBDUJDBMGPS5$1 5ISFFUZQFTPGBUUBDLT

  22.  • POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT – FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS • BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF SPVUFEQBDLFUTJTUIFQSPCMFN

    • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT – BOPEFUIBUUBQTPOUIFOFUXPSL JOKFDUT QBDLFUTBUCFTUFGGPSU .BOPOUIFTJEFBUUBDLJTFBTZ

  23.  • JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB 5$1DPOOFDUJPO • FODSZQUFEUSBOTQPSUT FH %5-4 *1TFD

     QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL – CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF FYDIBOHFELFZT • FH QO cc"&4@($. QO QBZMPBE BOEWFSZQSBDUJDBMGPS5$1

  24.  Packet type and flags (1 octet) Destination Connection ID

    (0,4-18 octets) Encrypted Packet Number (1,2,4 octets) Encrypted Payload AEAD tag (16 octets or more) 26*$QBDLFU additional text • "&"% Ћ UPQSPUFDUFBDIQBDLFU AEAD payload encrypted???

  25.  26*$

  26.  • FODSZQUFEUSBOTQPSU – VTFT5-4GPSIBOETIBLF • IBOETIBLFJO35 – 5$1 5-4UBLFT35

    • NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO • GJYIFBEPGMJOFCMPDLJOHJO)551 – QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB EJGGFSFOUTUSFBNT • NPCJMJUZ OFUXPSLNJHSBUJPO 'FBUVSFTPG26*$

  27.  26*$IBOETIBLF

  28.  stream 0 stream 4 stream 8 stream 16… 0SJHJOBMEFTJHO

    HTTP request 1 TLS 1.3 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer 2 3… 9 10 11… obtain “exporter secret” ↓ derive server traffic key & client traffic key

  29.  • EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFBQQMJDBUJPOUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT

    • BUUBDLWFDUPST – SFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL 0SJHJOBMEFTJHOJTTVFT

  30.  *TTVFVTFPGFODSZQUJPO stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key 2 3… 9 10 11… TLS 1.3

  31.  *TTVFXIFOUPBDUJWBUFUSBGGJDLFZT ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate

    Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

  32.  *TTVFXIFOUPBDUJWBUFUSBGGJDLFZT stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3

  33.  *TTVFSFTFUJOKFDUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 reset!

  34.  *TTVF"$,QSPNPUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 ACK (8)

  35.  • DIBOHF5-4 4PMVUJPO

  36.  • DIBOHFUIFTVCQSPUPDPMPG 5-4 4PMVUJPO

  37.  #BDLHSPVOEMBZFSTPG5-4 segment segment TLS messages: TLS records: TCP segments:

    plaintext HS 1RTT SH EE Certificate Fin NST

  38.  plaintext HS 1RTT SH EE Certificate Fin NST stream

    0 stream 0 TLS messages: TLS records: QUIC frames: HS HS QUC packets: datagram datagram UDP datagrams: stream 0 1RTT -BZFSTJOUIFPSJHJOBMEFTJHO confidentiality injection resistance

  39.  SH EE Certificate Fin NST CRYPTO CRYPTO TLS messages:

    QUIC frames: Initial HS QUC packets: datagram datagram UDP datagrams: CRYPTO 1RTT -BZFSTJOUIFSFGJOFEEFTJHO HS CRYPTO confidentiality injection resistance

  40.  • PSJHJOBMEFTJHO 5-4  – *0PGFODSZQUFEPDUFUT – BDDFTTUPlFYQPSUFSTFDSFUz •

    SFGJOFEEFTJHO – *0PG5-4NFTTBHFT JOQMBJOUFYU – FWFOUTUPJOTUBMMUSBGGJDLFZT • 355 VOJEJSFDUJPOBM )4 CJ 355 CJ – OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1* 3FRVJSFEDIBOHFTUP5-4TUBDL"1*

  41.  • TFQBSBUJPOPGDPODFSO – 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO – 26*$FODSZQUTUIFQBDLFUT • OPNPSFBNCJHVJUZ –

    EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM – UISFFEJTUJODUQBDLFUOVNCFSTQBDF • JF *OJUJBM )BOETIBLF 355 • OPDIBODFPG"$,QSPNPUJPOBUUBDL 3FGJOFEEFTJHOUIFCFOFGJUT

  42.  • EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT

    • BUUBDLWFDUPST – MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL *TTVFTSFTPMWFE BMNPTU

  43.  26*$QBDLFUOVNCFSFODSZQUJPO

  44.  • QBDLFUOVNCFS 1/ – JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU – JODSFBTFTNPOPUPOJDBMMZ • UIFSFGPSF

    DBOCFVTFEUPUSBDLBDMJFOU – $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU TIPVMEXFEPGPSQBDLFUOVNCFS 1BDLFUOVNCFSBOEQSJWBDZ

  45.  • KVNQ1/XIFOTXJUDIJOH$*% – QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU • TJODF1/ CJU JTSPVOEFEPOXJSFUP 

     CJUT • PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO – XIBUUPEPPOQBUIQSPCJOHFSSPS • EJGGFSFOU1/TQBDFGPSFBDI$*% – NFBOTIBWJOHFODSZQUJPOLFZTBOE"$, RVFVFGPSFBDI$*% $POTJEFSFEBQQSPBDIFT

  46.  • FODSZQUJOH1/JTTJNQMFSUIBO – JOTFSUJOHKVNQTIBWJOHNBOZLFZTTQBDFT 4PMVUJPOQBDLFUOVNCFSFODSZQUJPO

  47.  #VUIPX type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: ??? ↓ unencrypted encrypted

  48.  /BÏWFBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE+ciph. ciph. AEAD tag 1 0/4-18 16 any – 1/2/4 16 size: + PNE: AES ↓ unencrypted encrypted

  49.  "EPQUFEBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: AES_CTR(ciphertext, PN) ↓ unencrypted encrypted

  50.  • TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS EFMJWFSZCZMPPLJOHBU1/ – UPMFTTFOSFUSBOTNJUT – OPEPXOTJEFGPS5$1 – JTTVFGPS26*$

    CFDBVTFXFDBOVTFQBDLFUT BSSJWJOHPVUPGPSEFS • 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT TUBSUVTJOH1/JOQBSUJDVMBSXBZT 1/&UPQSFWFOUNJTVTFPG1/

  51.  • 5$1 5-4 – BEESFTTFTDPOGJEFOUJBMJUZ JOUFHSJUZ • JOBEEJUJPO 26*$

    5-4 – JNQSPWFTBWBJMBCJMJUZ – QSFTFSWFTVTFSQSJWBDZ – QSFWFOUTPTTJGJDBUJPO – PQUJNJ[FTGPSQFSGPSNBODF • TFUVQJO35 35JO5$1 5-4 • VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS 5IFJNQSPWFNFOUT

  52.  • FODSZQUJPOJTUIFUBTLPG26*$ – IBOETIBLFEPOFCZ5-4 • BMNPTUFWFSZUIJOHJTFODSZQUFE – POMZQBDLFUUZQF $*%

    QSPUPDPMWFSTJPOBSF WJTJCMFPOUIFXJSF • XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ – FH lTQJOCJUzFYQFSJNFOU 26*$BOEFODSZQUJPO

  53.  &ODSZQUFE4/*

  54.  • 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN •

    TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

  55.  • %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT •

    USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

  56.  • %/4SFTPMVUJPO %P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF

    5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

  57.  • ESBGUSFTDPSMBUMTFTOJ – UPCFDPNFESBGUJFUGUMTFTOJ • LFZJEFB – VTFQVCMJDLFZDSZQUPUPFODSZQU4/* –

    VTF%/4UPEJTUSJCVUFUIFQVCMJDLFZ 4PMVUJPOFODSZQUFE4/*

  58.  )PXJUXPSLT example.com? _esni.example.com? example.com=192.0.2.1 _esni.example.com=pubkey ClientHello {ESNI=encrypt("example.com")} DoH recursor

    HTTPS server DNS authoritative server

  59.  TUSVDU\ VJOUDIFDLTVN<> ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOUQBEEFE@MFOHUI VJOUOPU@CFGPSF

    VJOUOPU@BGUFS &YUFOTJPOFYUFOTJPOT? ^&4/*,FZT @FTOJFTOJFYBNQFOFU*/595 E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/ .Y %ZDE%7W#+P),0.I ,[BWE*N03*""*5"2&&"""""'T (E."""""89"H"" &4/*SFDPSE

  60.  • &4/*SFDPSEJTOPUTJHOFE – TPUIBUJUDBOCFTNBMM – BUUBDLFSDBOTQPPGUIFN • CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG FYBNQMFDPN

    – BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPTVNNBSJ[F &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL 4FDVSJUZBTQFDUT

  61.  • 355BQQMJDBUJPOEBUBJOGVMM IBOETIBLF – OFFEUPEJTUSJCVUFTJHOFEQVCLFZ BOE DFSUJGJDBUFDIBJOVTJOH%/4 • QSPUFDUJOHJOJUJBMFYDIBOHFGSPN

    JOKFDUJPOBUUBDL 6TJOH&4/*QVCMJDLFZGPSPUIFSQVSQPTFT

  62.  3FDBQJUVMBUJPO

  63.  • OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT • FODSZQUJPOJTBMTPVTFEGPS – QSPWJEJOHBWBJMBCJMJUZ – QSFWFOUJOHPTTJGJDBUJPO •

    GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF • BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$ – FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT – XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF OFUXPSL 0VSTUBUVT