
SSL/TLS topics that look useful but aren't, plus a few that are slightly useful (役に立ちそうで役に立たない、少しだけ役に立つSSL/TLSまわりの話)

Osumi, Yusuke
June 04, 2017


Slides presented at "ssmjp Special", held on June 4, 2017.
http://ozuma.sakura.ne.jp/sumida/2017/06/ssmjp20170604.html


Transcript

  1. Agenda
     • [Part 1] Certificate
       • Certificates revisited
       • Let's appreciate some certificates
     • [Part 2] Goodbye, Mr. Certificate
       • A certificate is not mandatory for SSL/TLS
       • Anonymous DH, SRP, PSK
     SSL/TLS trivia (from beginner level to nitpicks)

  2. Agenda (same as above, shown under the full title: "Seems useful / Slightly useful / Not useful: SSL/TLS trivia, from beginner level to nitpicks")

  5. Peace of mind with the openssl command
     $ echo Q | openssl s_client -connect www.cookpad.com:443 | openssl x509 -text -noout
     Opens the connection and closes it right away (the piped "Q" tells s_client to quit).

  6. Peace of mind with the openssl command
     $ echo Q | openssl s_client -connect www.cookpad.com:443 | openssl x509 -text -noout
     Note that the port is given with a colon (host:port), not with something like -port.

  7. Peace of mind with the openssl command
     $ echo Q | openssl s_client -connect www.cookpad.com:443 | openssl x509 -text -noout
     No need to cut the certificate block out with awk or the like: openssl x509 picks up the BEGIN CERTIFICATE section on its own.
     -text -noout prints only the human-readable dump, not the certificate itself.

  8. Data:
         Version: 3 (0x2)
         Serial Number:
             2f:7a:98:f8:78:3d:ab:61:bc:d9:6c:f9:f4:0f:f4:8b
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA - G3
         Validity
             Not Before: May 12 00:00:00 2016 GMT
             Not After : Jun 11 23:59:59 2017 GMT
         Subject: CN=*.cookpad.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:d3:db:94:5b:2f:a2:03:8b:ba:ad:93:d7:76:40:
                     .......(omitted)......
                     a6:eb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Alternative Name:
                 DNS:*.cookpad.com, DNS:cookpad.com

  10. Subject Alternative Name (SAN)
      One "DNS Name:" entry each:
      *.google.com, *.android.com, *.appengine.google.com, *.cloud.google.com, *.g.co,
      *.gcp.gvt2.com, *.google-analytics.com, *.google.ca, *.google.cl, *.google.co.in,
      *.google.co.jp, *.google.co.uk, *.google.com.ar, *.google.com.au, *.google.com.br,
      *.google.com.co, ......... *.url.google.com, *.youtube-nocookie.com, *.youtube.com,
      *.youtubeeducation.com, *.yt.be, *.ytimg.com, g.co, goo.gl, google-analytics.com,
      google.com, googlecommerce.com, source.android.google.cn, urchin.com, www.goo.gl,
      youtu.be, youtube.com, youtubeeducation.com, yt.be
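An added example (not from the slides) that does in Python what the pipeline on slides 5 to 8 leaves to the reader's eye: it parses an `openssl x509 -text -noout` dump into the fields a reviewer checks first (issuer, subject, validity window, SAN DNS names) and then applies the hostname matching rule browsers use against the SAN list, where a wildcard is only valid as the whole leftmost label and covers exactly one label. That rule is why the cookpad certificate carries both `*.cookpad.com` and `cookpad.com`: the wildcard alone would not match the bare domain. The sample text is constructed from the certificate shown on slide 8; `parse_x509_text`, `hostname_matches` and `is_valid_at` are names chosen for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the `openssl x509 -text -noout` dump on slide 8
SAMPLE_X509_TEXT = """\
Data:
    Version: 3 (0x2)
    Serial Number:
        2f:7a:98:f8:78:3d:ab:61:bc:d9:6c:f9:f4:0f:f4:8b
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA - G3
    Validity
        Not Before: May 12 00:00:00 2016 GMT
        Not After : Jun 11 23:59:59 2017 GMT
    Subject: CN=*.cookpad.com
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:*.cookpad.com, DNS:cookpad.com
"""

# Timestamp layout openssl uses in the Validity block
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _field(pattern, text):
    """Return the first capture group of `pattern`, or fail loudly if the field is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError("field not found: %s" % pattern)
    return m.group(1).strip()


def parse_x509_text(text):
    """Pull issuer, subject, validity window and SAN DNS names out of an `openssl x509 -text` dump."""
    san_line = _field(r"Subject Alternative Name:\s*(DNS:[^\n]+)", text)
    entries = [e.strip() for e in san_line.split(",")]
    to_utc = lambda s: datetime.strptime(s, OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return {
        "issuer": _field(r"^\s*Issuer: (.+)$", text),
        "subject": _field(r"^\s*Subject: (.+)$", text),
        "not_before": to_utc(_field(r"Not Before: (.+GMT)", text)),
        "not_after": to_utc(_field(r"Not After\s*: (.+GMT)", text)),
        "san": [e[len("DNS:"):] for e in entries if e.startswith("DNS:")],
    }


def hostname_matches(hostname, san_names):
    """Match a hostname against SAN DNS names as RFC 6125 describes: case-insensitive,
    with a wildcard accepted only as the entire leftmost label, covering exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if labels[0] == "*":
            # same label count, all labels after the wildcard identical, and never "*.com"
            if len(labels) >= 3 and len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def is_valid_at(cert, when_iso):
    """True if the validity window covers the given UTC instant (ISO 8601 string)."""
    when = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    return cert["not_before"] <= when <= cert["not_after"]


if __name__ == "__main__":
    cert = parse_x509_text(SAMPLE_X509_TEXT)
    print("issuer :", cert["issuer"])
    print("SAN    :", cert["san"])
    for host in ("www.cookpad.com", "cookpad.com", "a.b.cookpad.com"):
        print("%-18s matches=%s" % (host, hostname_matches(host, cert["san"])))
    print("valid on 2017-06-12:", is_valid_at(cert, "2017-06-12"))
```

Running the block prints the parsed fields and shows that `a.b.cookpad.com` is rejected even though it ends in `.cookpad.com`, which is the behaviour a browser exhibits and the reason multi-level hosts need their own SAN entries.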
  11. SNI (Server Name Indication)
      $ openssl s_client -connect www.cookpad.com:443 -servername www.cookpad.com
      • Mandatory on CDNs that serve multiple https sites from the same IP address
        • e.g. Amazon CloudFront
        • e.g. Akamai

  12. SNI: something like a VirtualHost for https (1)
      Plain HTTP:
        GET / HTTP/1.1
        Host: aaa.example.com        -> content for aaa.example.com
        GET / HTTP/1.1
        Host: bbb.example.com        -> content for bbb.example.com

  13. SNI: something like a VirtualHost for https (2)
      HTTPS:
        [ClientHello] ServerName: aaa.example.com
        GET / HTTP/1.1
        Host: aaa.example.com        -> certificate and content for aaa.example.com
        [ClientHello] ServerName: bbb.example.com
        GET / HTTP/1.1
        Host: bbb.example.com        -> certificate and content for bbb.example.com
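An added example (not from the slides) showing the exchange drawn above at the byte level. `build_client_hello` assembles a minimal TLS 1.2 ClientHello record carrying the server_name extension, `extract_sni` walks that record the way an SNI-aware server does to read the name back (the ClientHello is sent in the clear, which is also why a network monitor can log the requested name), and `select_vhost` performs the certificate-and-content selection that makes SNI the https counterpart of a Host-based VirtualHost. The three function names and the vhost table are choices made for this example; only the record layout follows RFC 5246 and RFC 6066.

```python
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066)


def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0x009F)):
    """Build a minimal TLS 1.2 ClientHello record; with server_name set it carries an SNI extension."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList with one entry: name_type 0 (host_name), length-prefixed name
        entry = struct.pack("!BH", 0, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # record header: type, legacy record version, length
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if it has no server_name extension."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != TLS_HANDSHAKE or not hs or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    pos = 4 + 2 + 32                                      # handshake header, client_version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos >= len(hs):
        return None                                       # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        q = 2                                             # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                            # host_name
                return name.decode("idna")
    return None


def select_vhost(record, vhosts, default=None):
    """Pick the virtual host (here a label standing for its certificate and content) as an SNI-aware server does."""
    return vhosts.get(extract_sni(record), default)


if __name__ == "__main__":
    # Constructed vhost table for the two names on the slide
    table = {"aaa.example.com": "cert + content for aaa", "bbb.example.com": "cert + content for bbb"}
    for name in ("aaa.example.com", "bbb.example.com", None):
        rec = build_client_hello(name)
        print("ServerName=%-16s -> %s" % (extract_sni(rec), select_vhost(rec, table, "default cert")))
```

Without SNI the server has nothing to choose on and falls back to its default certificate, which is the failure mode behind the "wrong certificate" errors seen on shared-IP hosting when an old client omits the extension.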
  15. CRL, OCSP: certificate revocation checking
      • CRL (Certificate Revocation List)
        • A list of revoked certificates
        • In practice, few web browsers handle it properly
        • Often only EV certificates are actually checked (or so it seems)
      • OCSP
        • The CA runs an OCSP responder that answers whether a given certificate has been revoked

  16. The long-awaited -V option
      $ openssl ciphers DHE -V
      0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
      0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
      0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH Au=RSA Enc=AES(256)    Mac=SHA256
      0x00,0x6A - DHE-DSS-AES256-SHA256     TLSv1.2 Kx=DH Au=DSS Enc=AES(256)    Mac=SHA256
      ......(omitted)......
      With the cipher suite ID you can map the OpenSSL name to the name used in the RFCs.

  18. aNULL: no authentication (not recommended)
      $ openssl ciphers aNULL -v
      AECDH-AES256-SHA      SSLv3 Kx=ECDH Au=None ....
      ADH-AES256-SHA        SSLv3 Kx=DH   Au=None ....
      ADH-CAMELLIA256-SHA   SSLv3 Kx=DH   Au=None ....
      AECDH-DES-CBC3-SHA    SSLv3 Kx=ECDH Au=None ....
      ....(omitted)....
      Cipher suites that perform the key exchange with no authentication: the Anonymous DH family (AECDH is the elliptic-curve variant).
      Note: because an unauthenticated DH key exchange can be man-in-the-middled, anonymous DH should generally not be used.
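An added example (not from the slides) serving slides 16 and 18 together: it parses `openssl ciphers -V` lines into structured records, maps each two-byte ID to the name the RFCs and the IANA registry use, and flags the anonymous (EC)DH suites the way a configuration audit would. The sample lines reproduce the DHE entries from slide 16 and add -V style lines for the aNULL and SRP suites that slides 18 and 21 show in -v form, with IDs taken from the IANA TLS Cipher Suite registry; the registry excerpt, `parse_ciphers_v`, `iana_name` and `anonymous_suites` are assumptions of this example. One caveat the check encodes: SRP suites also print Au=None, but they authenticate through the password, so Kx has to be consulted before a suite is called anonymous.

```python
import re

# Constructed sample in `openssl ciphers -V` layout: the DHE lines from slide 16 plus
# -V style lines for the aNULL and SRP suites shown with -v on slides 18 and 21
SAMPLE_CIPHERS_V = """\
          0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
          0x00,0x6A - DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
          0x00,0xA7 - ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
          0xC0,0x19 - AECDH-AES256-SHA        SSLv3   Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
          0x00,0x3A - ADH-AES256-SHA          SSLv3   Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
          0xC0,0x20 - SRP-AES-256-CBC-SHA     SSLv3   Kx=SRP      Au=None Enc=AES(256)  Mac=SHA1
"""

# Excerpt of the IANA TLS Cipher Suite registry, keyed by the two-byte ID that -V prints
IANA_NAMES = {
    0x00A3: "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x006A: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0xC020: "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
}

# One -V line: "0xHH,0xHH - NAME PROTOCOL Kx=... Au=... Enc=... Mac=..."
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into one dict per suite; lines that do not fit are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hi, lo, name, proto, kx, au, enc, mac = m.groups()
        suites.append({
            "id": (int(hi, 16) << 8) | int(lo, 16),
            "name": name, "protocol": proto,
            "kx": kx, "au": au, "enc": enc, "mac": mac,
        })
    return suites


def iana_name(suite):
    """Map an OpenSSL suite to its RFC/IANA name through the ID; unknown IDs are reported, not guessed."""
    return IANA_NAMES.get(suite["id"], "unknown (0x%04X)" % suite["id"])


def anonymous_suites(suites):
    """Names of suites whose (EC)DH key exchange carries no authentication at all (the aNULL family).
    SRP suites also print Au=None but authenticate via the password, so Kx is checked as well."""
    return [s["name"] for s in suites if s["au"] == "None" and s["kx"] in ("DH", "ECDH")]


if __name__ == "__main__":
    parsed = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for s in parsed:
        print("%-26s -> %s" % (s["name"], iana_name(s)))
    print("anonymous suites:", anonymous_suites(parsed))
```

Feeding the real output of `openssl ciphers -V 'ALL:COMPLEMENTOFALL'` through `parse_ciphers_v` and `anonymous_suites` gives a quick inventory of which anonymous suites a given OpenSSL build can still negotiate; an empty list on the cipher string a server actually uses is the state to aim for.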
  19. Let's connect with ADH
      $ openssl s_client -connect 192.168.2.7:443 -cipher ADH
      CONNECTED(00000003)
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      Server Temp Key: DH, 512 bits
      ---
      SSL handshake has read 450 bytes and written 255 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ADH-AES256-GCM-SHA384
      Secure Renegotiation IS supported
      Compression: zlib compression
      Expansion: zlib compression
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ADH-AES256-GCM-SHA384
          Session-ID: 94C14A01FE87C1D1999AC11128AA707E74CC798D8A73100FE8C791CC513EB71

  21. SRP: password authentication (not recommended)
      $ openssl ciphers SRP -v
      SRP-AES-256-CBC-SHA    SSLv3 Kx=SRP Au=None ...
      SRP-3DES-EDE-CBC-SHA   SSLv3 Kx=SRP Au=None ...
      SRP-AES-128-CBC-SHA    SSLv3 Kx=SRP Au=None ...
      https://tools.ietf.org/html/rfc5054 (an ancient document)
      Using the Secure Remote Password (SRP) Protocol for TLS Authentication
      Status of This Memo: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
      Abstract: This memo presents a technique for using the Secure Remote Password protocol as an authentication method for the Transport Layer Security protocol.

  22. Let's connect with SRP (server side)
      # openssl s_server -accept 443 -nocert -cipher SRP -srpvfile passwd
      Create the password file on the server beforehand:
      $ touch passwd
      $ openssl srp -srpvfile passwd -add foo -userinfo "My name"
      Many distributions, CentOS among them, ship with SRP disabled. After some trial and error it worked on Debian 7.1.

  23. Let's connect with SRP (client side)
      $ openssl s_client -connect 192.168.2.7:443 -srpuser foo -cipher SRP
      CONNECTED(00000003)
      Enter pass phrase for SRP user:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 2407 bytes and written 1182 bytes
      ---
      New, TLSv1/SSLv3, Cipher is SRP-AES-256-CBC-SHA
      Secure Renegotiation IS supported
      Compression: zlib compression
      Expansion: zlib compression
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : SRP-AES-256-CBC-SHA
          Session-ID: 55ECA40133E278B39EF9C77A486281C9F54C07767B193F9B3D49B78B29DE966

  25. PSK: pre-shared key authentication
      $ openssl ciphers PSK -v
      PSK-AES256-CBC-SHA     SSLv3 Kx=PSK Au=PSK ...
      PSK-3DES-EDE-CBC-SHA   SSLv3 Kx=PSK Au=PSK ...
      PSK-AES128-CBC-SHA     SSLv3 Kx=PSK Au=PSK ...
      https://tools.ietf.org/html/rfc4279
      Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
      (omitted)
      Abstract: This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocol to support authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance among the communicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated with a pre-shared key, and the third set combines

  26. Let's connect with PSK
      $ openssl s_client -connect 192.168.2.67:443 -psk deadbeef
      CONNECTED(00000003)
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 338 bytes and written 417 bytes
      ---
      New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : PSK-AES256-CBC-SHA
          Session-ID: 62B62F22B1FF510CB788FC22CFA73BB9A2C460B53C5869A852F5F0698C904716