Slide 1
Slide 1 text
(1) SSL/TLSͱ҉߸ٕज़
@ʰϓϩϑΣογϣφϧSSL/TLSʱಡ
ॻձ
Ryo Kajiwara (@s01), 5/12/2017
Slide 2
Slide 2 text
1.1 Transport Layer Security
(p.1-2)
TLSͷ4ͭͷඪ(্͔Βߴ༏ઌ):
• ҉߸ֶతͳηΩϡϦςΟ(Cryptographic security)
• ૬ޓӡ༻ੑ(Interoperability)
• ֦ுੑ(Extensibility)
• ޮੑ(Efficiency)
Slide 3
Slide 3 text
1.2 ωοτϫʔΫͷ֊
͍ΘΏΔOSIࢀরϞσϧͷɻTLS໊લͷ௨Γτϥϯεϙʔτ
(ୈ4 = TCP, UDP)ʹରͯ͠securityΛఏڙ͢ΔɻϓϨθϯςʔγϣ
ϯ=ୈ6ʹҐஔ͢Δɻ
TLS͕ͳͯ͘HTTP(=ୈ7)ʮػೳ͢Δʯɻ
Slide 4
Slide 4 text
1.3 ϓϩτίϧͷྺ࢙
• SSL2: 1994/11
• SSL 3.0: 1995ޙ
• TLS 1.0(RFC 2246): 1999/1
• ΄ͱΜͲSSL 3.0ͱࠩͳ͍͕ޓੑͳ͠
• TLS 1.1: 2006/4 (security fix, TLS֦ு(2003/6))
• TLS 1.2: 2008/4 (AEADରԠ)
• TLS 1.3: ongoing
Slide 5
Slide 5 text
1.4 ҉߸ٕज़
Ͳͷ͘Β͍҉߸ٕज़ʹ͠Έ͕͋Δ͔ʹΑͬͯಡΈඈ͠·͢ɻ
• ҉߸ֶͷจ͕ಡΊΔ/ॻ͚Δ: ৸ͯͯେৎ
• ʢͨͿΜ͜ͷؒͩͱࢥ͍·͢ʣ
• ύεϫʔυͬͯ҉߸Խͯ͠อଘ͞ΕΔΜͩΑͶʁ: Ώͬ͘ΓಡΉ
Slide 6
Slide 6 text
1.4.1 ཁૉٕज़ (p.5)
Kerckhoffsͷݪଇ
҉߸γεςϜɺ伴Ҏ֎ͷ͕ͯ͢߈ܸऀʹঠѲ͞Εͨͱͯ͠
҆શͰͳ͚ΕͳΒͳ͍ɻ
• ҉߸ΞϧΰϦζϜ͕ఢରऀʹ࿙Εͯ҆શͰ͋Δඞཁ͕͋Δ
• ༏Εͨ҉߸ΞϧΰϦζϜΛઃܭ͢Δͷ͍͠ɻͨ͘͞Μͷਓ
ͷʹ৮Εͯਫ਼ࠪ͞Εͨͷ΄Ͳ҆શɻ
ݱͷ҉߸ʮܭࢉྔత҆શੑʯʹͦͷࠜڌΛஔ͍͍ͯΔ
Slide 7
Slide 7 text
1.4.1 ཁૉٕज़ (p.7)
ετϦʔϜ҉߸
伴͔ΒϥϯμϜʹݟ͑ΔจࣈྻͰ͋Δ伴ετϦʔϜΛੜ͠ɺ
ͱͯ͠҉߸จΛಘΔɻ
ετϦʔϜ҉߸Ͱʮಉ͡伴Λ͍·Θ͞ͳ͍͜ͱʯ͕ඇৗʹॏ
ཁɻˠظؒʹΘͨͬͯར༻͢Δൿີ伴͔Βɺ௨৴ͷͨͼʹ1ճݶ
Γͷ伴ʢηογϣϯ伴ʣΛಋग़ͯ͠͏ɻ
RC4͕༗໊͕ͩऑ͕ΒΕ͍ͯΔɻECRYPT Stream Cipher Project
ʹ࠷৽ͷͷ͕͋ΔɻSalsa20/12SOSEMANUKͳͲɻ
Slide 8
Slide 8 text
1.4.1 ཁૉٕज़ (p.8)
ϒϩοΫ҉߸
ϒϩοΫ୯ҐͰ·ͱΊͯ҉߸Խɻଟ͘ͷํࣜͰ16byte͝ͱɻೖྗ
Λड͚ͱͬͯϥϯμϜʹݟ͑Δग़ྗΛฦؔ͢ɻ
ϒϩοΫ҉߸ҙͷ͞ͷσʔλΛ҉߸Խ͢ΔͨΊ҉߸ར༻Ϟ
ʔυͱΈ߹ΘͤͰ͏ɻ
ੈքͰ࠷Α͘ར༻͞Ε͍ͯΔͷAESɻ伴͕128bit/192bit/
256bitɺϒϩοΫ128bitݻఆɻ
Slide 9
Slide 9 text
1.4.1 ཁૉٕज़ (p.9)
ϋογϡؔ
• ݪ૾ܭࢉࠔੑ: ͋Δϋογϡʹର͠ɺಉ͡ϋογϡʹͳΔ
ϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭
• ୈ2ݪ૾ܭࢉࠔੑ(ऑিಥੑ): ͋Δϝοηʔδͱϋογϡ͔
Βɺಉ͡ϋογϡʹͳΔผͷϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔ
Ͱ͋Δੑ࣭
• িಥੑ(ڧিಥੑ): ಉ͡ϋογϡʹͳΔϝοηʔδͷΈ
߹ΘͤΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭
Slide 10
Slide 10 text
1.4.1 ཁૉٕज़ (p.9)
SHA1(160bit)͕Α͘ΘΕ͍ͯΔ͕SHA256ͷஔ͖͕͑ਪ͞
Ε͍ͯΔɻ
ϋογϡؔͷڧݪཧతʹʮੜͷύϥυοΫεʯ͔ΒΑ
ͯ͘ϋογϡͷ͞ͷɻn-bitͷϋογϡ2^(n/2)ճϋογ
ϡܭࢉ͢ΕিಥΛߴ֬Ͱݟ͚ͭΒΕΔɻ
Slide 11
Slide 11 text
1.4.1 ཁૉٕज़ (p.10)
MAC(Message Authentication Code) ͋Δ͍ 伴͖ϋογϡ(keyed-
hash):ϋογϡؔΛ֦ுͯ͠ೝূΛՄೳʹͨ͠ͷɻϋογϡ
ΛσʔλͱҰॹʹૹΔͱϋογϡͦͷͷվ͟Μ͞Ε͏Δͷ
Ͱͦͷରࡦʹ͏ɻ
Slide 12
Slide 12 text
1.4.1 ཁૉٕज़ (p.10-11)
҉߸ར༻Ϟʔυ
• ECB: ϒϩοΫ୯ҐͰݸผʹ҉߸Խɻ҉߸จʹฏจͷใ͕ݱΕ
ͯ͠·͏ͨΊ੬ऑɻ͏ཧ༝ͳ͠ɻ
• CBC: લͷϒϩοΫͷ҉߸Խ݁ՌͷXORΛͱ͔ͬͯΒ҉߸Խɻ
• ॳظԽϕΫτϧ(IV)ΛऔΔɻϥϯμϜͳΛ͏͜ͱͱɺ͜ͷ
Λ͍·Θ͞ͳ͍͜ͱ͕ॏཁɻ
• ଞ: CTRɺGCMɺOCBͳͲɻGCMͱOCBೝূ͖ͭ҉߸Λఏڙɻ
Slide 13
Slide 13 text
No content
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
CTRϞʔυͷ߹ɺ҉߸Խ/෮߸Խ྆ํͰNonceͱcounterͷ҉߸Խ
Λߦ͏ɻΑͬͯCTRϞʔυʹద༻͢Δؔblock cipherͰͳ͘
pseudo-random functionͰेɻ
Slide 16
Slide 16 text
1.4.1 ཁૉٕज़ (p.11-12)
ެ։伴҉߸ํࣜ
҉߸Խʹ͏伴ͱ෮߸ʹ͏伴͕ผɻ
ެ։伴Λ҆શʹ͘ڞ༗Ͱ͖Ε͚͕ࣗͩಡΊΔϝοηʔδΛ
શһ͔ΒૹͬͯΒ͑ΔʢˠPKIɺୈ3ষʹͯʣɻ
ެ։伴҉߸ܭࢉʹ͕͔͔࣌ؒΔͷͰɺڞ༗伴ͷωΰγΤʔγϣ
ϯʹΘΕɺͦͷޙڞ༗伴Λͬͯରশ伴҉߸Λ͏ɻ
RSAɺElGamal(DH伴ަΛެ։伴҉߸ʹద༻ͨ͠ͷ)
Slide 17
Slide 17 text
1.4.1 ཁૉٕज़ (p.13)
ిࢠॺ໊
ిࢠϝοηʔδจॻͷਅਖ਼ੑ(authenticity)ΛݕূՄೳʹ͢Δ҉߸
ֶతͳखஈɻ
MACిࢠॺ໊ͷҰछ͕ͩMAC伴ͷڞ༗ͱ͍͏͕͋Δɻ
RSAΛٯํʹద༻͢Δ͜ͱͰిࢠॺ໊ΞϧΰϦζϜͱͯ͑͠
ΔɻҰํͰDSA/ECDSA҉߸ԽΞϧΰϦζϜͱͯ͑͠ͳ͍ɻ
Slide 18
Slide 18 text
1.4.1 ཁૉٕज़ (p.13)
ཚੜث
҉߸ʹ࣭ͷ͍͍ʢhigh entropyͳʣཚ͕ඞཁɻ
֎෦ஔͷׂΓࠐΈʹΑΔΤϯτϩϐʔͷऩू(=TRNG)Ͱ͍ͩͨ
͍ͷ߹ेͳΤϯτϩϐʔ͕ू·Βͳ͍ͷͰ࣮ࡍٙࣅཚੜ
ث(PRNG)Λ͏ɻ҉߸ʹ༻͍Δͷʹ෦ঢ়ଶͷ༧ଌෆՄೳ
ੑΛ࣋ͬͨCSPRNG͕ඞཁɻ
Slide 19
Slide 19 text
1.4.2 ϓϩτίϧ (p.14)
؆୯ͳ҉߸௨৴ϓϩτίϧͷྫΛ͍ࣔͯ͠Δɻ
• ·ͱ·ͬͨσʔλͷ҉߸ԽAESͰ
• վ͟Μʹରॲ͢ΔͨΊϝοηʔδʹMACΛ༩
• ϝοηʔδͷܽམ/ϦϓϨΠ߈ܸʹରॲ͢ΔͨΊ࿈൪Λ༩
• ձͷऴྃΛࣔ͢ಛघͳϝοηʔδ
• ձʹઌཱͬͯެ։伴҉߸ํࣜͰޓ͍Λೝূ
• 伴ަΞϧΰϦζϜͰ҉߸伴Λަ
Slide 20
Slide 20 text
1.4.2 ϓϩτίϧ (p.14)
TLSʹ͓͍ͯ
1. ೝূͱ伴ަΛؚΜͩϋϯυγΣΠΫ
2. ϋϯυγΣΠΫޙʹػີੑͱશੑͷ͋Δঢ়ଶͰσʔλΛަ
3. γϟοτμϯͷखॱͰऴྃ
Λߦ͏ɻ
Slide 21
Slide 21 text
1.4.3 ҉߸ٕज़ʹର͢Δ߈ܸ (p.15)
• ૯Γ߈ܸ
• ࣮ʢόάʣʹର͢Δ߈ܸ: λΠϛϯά߈ܸͳͲ͕Α͘ΒΕΔ
• αʔόʹ৵ೖͯ͠҉߸伴ΛऔΔ΄͏͕؆୯ͳ͜ͱ
΄ͱΜͲͷ߹ɺʮϓϩτίϧΛࣗͰઃܭ͠ͳ͍ʯʮ҉߸ॲཧ
ͷίʔυΛࣗͰ࣮͠ͳ͍ʯ΄͏͕҆શɻ
Slide 22
Slide 22 text
1.4.4 ҉߸ڧ (p.16-17)
҉߸ͷڧ = ҉߸ΞϧΰϦζϜΛഁΔͷʹඞཁͳૢ࡞ͷճɺ͜
ΕΛϏοτ҆શੑͱ͍͏ɻ
҉߸ԽํࣜʹΑͬͯϏοτ҆શੑͷॏΈ͕ҟͳΔͷͰɺଞͷํࣜ
ͷͲͷϨϕϧͱՁ͔ɺͱ͍͏มද͕͋Δɻ
2012࣌Ͱʮ30ͷ߈ܸʹର͢Δอޢʯɿڞ௨伴҉߸Խʹ͓͚
Δ128Ϗοτ૬
Slide 23
Slide 23 text
1.4.4 ҉߸ڧ (p.16-17)
NIST SP800-57 Part1 Rev.3 ͷp.64ʹ͋ΔՁ҆શੑͷද1
ڞ௨伴҉߸ RSA/DSA/DH ପԁۂઢ҉߸ ϋογϡ
80 1024 160 160
112 2048 224 224
128 3072 256 256
256 15360 512 512
1 ୯ҐͦΕͧΕbit
Slide 24
Slide 24 text
1.4.5 MITM߈ܸ (p.17-21)
ΞΫηεͷୣऔ
• ARP spoofing: MACΞυϨεͱIPΞυϨεͷؔ࿈͚Λশ͢Δ
͜ͱͰϩʔΧϧωοτϫʔΫʹ͓͚Δܦ࿏ใΛশ͢Δ
• WPAD(Web Proxy Auto-Discovery) hijacking: ِͷϓϩΩγʹ༠ಋ
• DNS hijacking, DNS cache poisoning: ِͷDNSใΛ༩͑Δ͜ͱͰ
υϝΠϯʹ͔͏τϥϑΟοΫΛͬऔΔɻ
• BGP route hijacking: Πϯλʔωοτ্ͷϧʔλ͕ෆਖ਼ͳܦ࿏Λ
ࢦఆ͢Δ͜ͱͰ௨৴͕߈ܸऀͷͱ͜ΖΛ௨Δ
Slide 25
Slide 25 text
1.4.5 MITM߈ܸ (p.17-21)
डಈత߈ܸ
• ҉߸Խ͞Ε͍ͯͳ͍τϥϑΟοΫΛܧଓతʹϞχλϦϯά
• ҉߸Խ͞ΕͨτϥϑΟοΫͰظؒอଘͯ͠҉߸͕ഁΒΕΔ
ͷΛͯΑ͍
• Perfect Forward Secrecy2ͷॏཁੑɻಉ͡伴Λͬͯաڈʹ͞
͔ͷ΅ͬͯ௨৴͕෮ݩͰ͖ΔͱϚζ͍ɻ
2 Perfect Forward SecrecyͱForward Secrecyಉٛɻ
Slide 26
Slide 26 text
1.4.5 MITM߈ܸ (p.17-21)
ೳಈతͳ߈ܸ
ैདྷͷMITM߈ܸ: Mallory͕ʮBobͱ͍ͯ͠Δ͔ͷΑ͏ʹAliceʹࢥ
͍ࠐ·ͤΔʯʹೝূΛλʔήοτʹͨ͠ͷɻ
௨ৗͷDH伴ަͰೝূ͕ఏڙ͞Εͳ͍ͷͰ͜Ε͕Մೳɻ
Slide 27
Slide 27 text
1.4.5 MITM߈ܸ (p.17-21)
ೳಈతͳ߈ܸ
TLSͷ߹ɺAlice͕༗ޮͳͷͱͯ͠ड͚औΔΑ͏ͳূ໌ॻΛ
Mallory͕ఏࣔ͢Δ͜ͱ͕ཧతͳ߈ܸɻ
αʔϏεΛὃͯ͠ূ໌ॻΛೖख͢Δํ๏4ষɺ༗ޮʹݟ͑Δূ໌
ॻΛߏ͢Δ߈ܸ6ষʹͯɻܯࠂΛແࢹ͢Δ͜ͱΛظͯ͠ෆਖ਼
ͳূ໌ॻΛఏࣔ͢Δ͜ͱɻϒϥβʹ҉߸ԽΛແޮԽ͢ΔΑ͏
ͳϦΫΤετΛૹ৴͢Δ߈ܸɻ7ষʹͯɻ
ίετ͕ߴ͍ͨΊେنʹߦΘͣಛఆͷରʹରͯ͠ߦ͏ɻ
Slide 28
Slide 28 text
No content
Slide 29
Slide 29 text
ิ
ຊʹࡌͬͯͳ͍͚Ͳؔ࿈͢Δ·ͱΊɻ
1. ετϦʔϜ҉߸ͱOne-Time Pad
2. িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ
3. HMACͷఆٛ
4. DH伴ަʹ͓͚Δதؒऀ߈ܸ
Slide 30
Slide 30 text
ετϦʔϜ҉߸ͱOne-Time Pad
One-Time Pad(Vernam҉߸)Ͱฏจͱಉ͡͞ͷཚྻΛ伴ͱ͠
ͯ ͷΑ͏ʹ҉߸จΛಘΔɻOne-Time Pad
ฏจͷใΛҰ҉߸จʹ͞ͳ͍ใྔతʹperfectly secret
ͳ҉߸͕ͩݱ࣮తͰͳ͍ͷͰɺݱ࣮ʹ͍伴͔Β伴ετϦʔϜ
Λੜ͢Δɻ
Slide 31
Slide 31 text
িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ
SHA1SHAtteredͰڧিಥੑʢʹ1ͭͷিಥ͢ΔϖΞΛ࡞Γग़͢
͜ͱʣಥഁ͞Ε͕ͨɺऑিಥੑʢʹ͋Δจࣈྻʹର͢Δϋο
γϡͱಉ͡ϋογϡΛ༩͑ΔผͷจࣈྻΛࣔ͢ʣ·ͩಥഁ
͞Ε͍ͯͳ͍ͷͰɺ͜Ε͚ͩͰͬͯʮύεϫʔυϋογϡͱͯ͠
ෆద֨ʯͱ͍͏ͷιɻͬͱɺଞͷબࢶ͕ͬͱ༏लͳ
ͷͰSHA256bcryptΛ͍·͠ΐ͏ɻ
Slide 32
Slide 32 text
HMACͷఆٛ
ϋογϡؔHͱ伴KΛͬͯɺ
ipad = Kͷ͞ͷ0x36
opad = Kͷ͞ͷ0x5c
ʢ || ࿈݁Λද͢ɻͳͷͰɺ ͱtextΛ͚ͬͭͨ͘ͷͷϋ
ογϡΛɺ ͷޙΖʹ͚ͬͭͯ͘ɺͦͷϋογϡΛऔ
Δɺͱ͍͏͜ͱʣ
Slide 33
Slide 33 text
DH伴ަʹ͓͚Δதؒऀ߈ܸ
(ECͰͳ͍)DH伴ަ:
• ެ։ͷ
• p ͷେ͖ͳૉ
• g ͷੜݩ
• ൿີͷ:
• ૬खʹૹΒΕΔ:
Slide 34
Slide 34 text
No content
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
DH伴ަʹ͓͚Δதؒऀ߈ܸ
தؒऀEve͕ ͷΛड͚औΓɺ ͱಉ༷ͷੑ࣭Λ࣋ͭ
Λੜ͠ɺҎԼͷΛ૬खʹΘΓʹ͢:
Slide 37
Slide 37 text
DH伴ަʹ͓͚Δதؒऀ߈ܸ
ͦ͏͢ΔͱAliceͱBobҎԼͷΛܭࢉ͢Δ:
͜ͷͱ͖ɺAliceͱEveɺEveͱBobͷؒʹڞ௨伴ͷਃ͠߹Θཱ͕ͤ
͢Δʢલऀ ɺޙऀ ʣɻ