Slide 1

TLS In-Depth Hands-On (TLS徹底演習), Security Camp, IIJ, Shigeki Ohtsu (大津繁樹). The date and version number on the title slide were lost in extraction.

Slide 2

Self-introduction
• Internet Initiative Japan Inc. (IIJ)
• Corporate Planning Division, Content Delivery Business Promotion Department
• Member of the Core Technical Committee of the open-source project Node.js; technically in charge of its TLS/crypto related features.

Slide 3

Purpose of this lecture
• To have you understand TLS thoroughly.
• But TLS is an aggregate of many security technologies, each of them deep and difficult. Even with 8 hours, covering all of it is impossible.
• So it is split into three parts:
  Lecture: why TLS will matter to engineers from now on
  Lecture and exercise: learning the TLS handshake
  Lecture and exercise: learning the core of TLS, the cryptographic techniques

Slide 4

Flow of today's lecture
• Lecture: TLS overview
• Lecture: preparation for understanding TLS, especially AEAD
• Lecture and exercise: the TLS handshake explained; doing a TLS handshake with the TLS Bot; a real Man in the Middle
• Lecture and exercise: implementing ChaCha20-Poly1305

Slide 5

TLS overview

Slide 6

Threats on the Internet: eavesdropping. Snooping on passwords and credit card numbers.

Slide 7

Threats on the Internet: tampering. Rewriting data while it is in transit.

Slide 8

Threats on the Internet: impersonation. Communicating while pretending to be the user.

Slide 9

Threats on the Internet: repudiation. Cancelling a transaction by claiming "I never made that communication".

Slide 10

Security measures that protect against the Internet threats
• eavesdropping: encryption
• tampering: integrity check
• impersonation: authentication
• repudiation: signature

Slide 11

Secure communication at each layer
• wireless LAN: WPA
• IP: IPsec
• TCP, UDP: TLS, DTLS, SSH
• data: S/MIME, PGP
Today's topic is TLS.

Slide 12

The goal of TLS
• The most important goal of the TLS protocol is to provide privacy and data integrity between two communicating applications.
RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, 1. Introduction: "The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications."
(Diagram: two applications, with integrity and privacy between them.)

Slide 13

A brief history of TLS (years were lost in extraction; version numbers restored from the sequence)
• SSL 1.0: never published
• SSL 2.0
• SSL 3.0
• IETF TLS WG started
• TLS 1.0
• TLS 1.1
• TLS 1.2
• TLS 1.3 work started
• TLS 1.3 specification complete? (still unknown; aiming for WG last call soon)
Notes: SSL was the private protocol of the former Netscape; renamed for "grown-up reasons"; TLS improved on SSL 3.0 without greatly changing the basic design; various feature extensions. Attacks marked on the timeline: DROWN, POODLE, BEAST.

Slide 14

Where TLS sits: the HTTP/1.1 era. Stack: Ethernet / IP (v4, v6) / TCP / TLS / HTTP. TLS version ranges shown on the slide (digits lost in extraction).

Slide 15

Where TLS sits: from HTTP/1.1 to HTTP/2. Stack: Ethernet / IP (v4, v6) / TCP / TLS / SPDY or HTTP/2 / HTTP semantics. Notes on the slide: browsers support this only over TLS; any TLS version OK.

Slide 16

Where TLS sits: from HTTP/2 to QUIC. Stack: Ethernet / IP (v4, v6) / TCP with TLS, or UDP with the QUIC crypto protocol (Google's own encryption protocol) / HTTP/2 / HTTP semantics.

Slide 17

Where TLS sits: from QUIC crypto to TLS. Stack: Ethernet / IP (v4, v6) / TCP or UDP (QUIC) / TLS / HTTP/2 / HTTP semantics. The encryption layers are planned to be unified on TLS.

Slide 18

Why does TLS matter? The arrival of the always-on TLS era.

Slide 19

Pervasive Surveillance (wide-scale eavesdropping)
• Wide-scale eavesdropping carried out with enormous budgets by state organizations (the US NSA, the UK GCHQ and others).
• Their activities were leaked by Edward Snowden (date lost in extraction).
• Interception and monitoring of Internet and telephone traffic, eavesdropping on traffic inside data centers, codebreaking, crypto backdoors, cyber attacks, etc.

Slide 20

One example of an NSA cyber attack: QUANTUM / FOXACID. Diagram: a user requests http://www.example.com; tampered content is sent from an on-path position; the user is redirected to FOXACID, which delivers malware.
Source: https://www.schneier.com/blog/archives/.../how_the_nsa_att.html (the date path was lost in extraction).

Slide 21

Worries of protocol engineers
• Attacks that were regarded as unrealistic because they need large-scale facilities and budgets were actually being carried out.
• Environments where traffic can be eavesdropped on or tampered with are spreading, e.g. with public wireless LAN.
• Fortunately, traffic properly encrypted with the latest technology has not yet been broken and should be safe.

Slide 22

Worries of search service companies
• Plaintext traffic to sites with a high search page rank is naturally targeted by attackers.
• Over plaintext, users may end up taking part in a DDoS attack through tampered content or malware infection (the attack on GitHub as an example).
• A decline in the integrity of net content would, in the long run, erode trust in the search service. What happens to SEO?

Slide 23

The IAB statement on Internet confidentiality
• Encryption should be mandatory when designing new protocols.
• Network operators and service providers are strongly urged to deploy encrypted communication.
• For functions that need plaintext, such as content filters and IDS, alternative technologies will be developed in the future.
Internet Architecture Board, https://www.iab.org/.../iab-statement-on-internet-confidentiality (the date path was lost in extraction).

Slide 24

Mozilla's declaration deprecating non-secure HTTP: from some point on, new features will be made available only over HTTPS, and features currently available over HTTP (plaintext) that put user security or privacy at risk will be removed.
https://blog.mozilla.org/security/.../deprecating-non-secure-http/ (the date path was lost in extraction).

Slide 25

Chrome deprecating features on HTTP. Chrome plans to forbid the following over HTTP (plaintext):
• obtaining geolocation (already deprecated)
• device motion and orientation
• playback of encrypted media
• camera and microphone access
• application cache
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

Slide 26

The road to always-on TLS: state-level pervasive eavesdropping; securing the integrity of net content; browser feature deprecation on HTTP (plaintext); new technologies that assume encryption; free certificates. Future technologies will assume the use of TLS. Leading-edge engineers cannot avoid TLS.

Slide 27

Preparation for understanding TLS

Slide 28

Component technologies of TLS: X.509 certificates, PKI, symmetric ciphers, cipher modes, public-key cryptography, digital signatures, message authentication, random number generation, key exchange, one-way hashes. The TLS protocol defines the procedure that combines these components to establish secure communication between applications.

Slide 29

Dependencies among the TLS components (diagram of X.509 certificates, PKI, symmetric ciphers, cipher modes, public-key cryptography, digital signatures, message authentication, random number generation, key exchange, one-way hashes). Ideally you need to understand each of these properly.

Slide 30

Where are the TLS components used? (Diagram: the full handshake from ClientHello to Application Data, each message annotated with the components it uses; the details are listed on the next slide.)

Slide 31

Where are the TLS components used?
• Random number generation: the nonces in Client/ServerHello, key pair generation, IVs for data encryption
• PKI: signing and issuing of the server certificate by the CA
• X.509 certificate: authenticating the server or client and obtaining its public key via the Certificate message
• Digital signature: the certificate signature; the signature over the public key exchanged in the key exchange
• Key exchange: exchanging (EC)DH public keys via Server/ClientKeyExchange
• Public-key encryption: encrypting the PreMasterSecret in an RSA key exchange
• One-way hash: generating the MAC over application data when a cipher mode such as CBC is used
• Message authentication: generating the MasterSecret; verifying the integrity of the handshake data with Finished
• Symmetric cipher and cipher mode: encrypting the handshake and application data after ChangeCipherSpec
(Note: they are also used in other, finer-grained places.)

Slide 32

The TLS components used today: AEAD, Poly1305, ChaCha20, ECDHE, RSA, SHA256, placed on the component diagram (X.509 certificates, PKI, symmetric ciphers, cipher modes, public-key cryptography, digital signatures, message authentication, random number generation, key exchange, one-way hashes). Random numbers: on Linux, /dev/urandom plus OpenSSL processing. Today's exercise.

Slide 33

The TLS components as set menus: TLS CipherSuites
TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C}
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC,0xA8}
Name structure: TLS_<key exchange>_<digital signature>_WITH_<symmetric cipher>_<key length>_<cipher mode>_<message authentication (hash)>
• First suite: RSA for key exchange and digital signature; AES with a 128-bit key as the symmetric cipher; GCM (AEAD) as the cipher mode; SHA256 as the hash.
• Second suite: ECDHE for key exchange; RSA for digital signature; ChaCha20 as the symmetric cipher; Poly1305 (AEAD) as the cipher mode; SHA256 as the hash; assigned the number 0xCC,0xA8.

Slide 34

What to use in TLS now? (The slide colour-codes each item: red = do not use, yellow = caution, green = fine for now; the colours were lost in extraction.)
• Key exchange: RSA; Forward Secrecy: DHE, ECDHE
• Digital signature: RSA, DSS (DSA), ECDSA
• Symmetric cipher: DES, RC4, AES, ChaCha20
• Cipher mode: CBC; AEAD: CCM, GCM, Poly1305
• Message authentication (hash): MD5, SHA variants (version digits lost in extraction)
"Caution" covers both cryptographic caution and items not expected to spread in the future. Incidentally, with a quantum computer all of the key exchange and digital signature algorithms are out!

Slide 35

Symmetric ciphers (diagram: plaintext, shared key, encryption, ciphertext, decryption, plaintext)
• Stream cipher: encrypts data sequentially (RC4, ChaCha20)
• Block cipher: encrypts data block by block (DES, AES)
Some ciphers are already compromised: DES: in 2005 NIST withdrew the FIPS 46-3 standard (tolerated until 2030); RC4: RFC 7465, Prohibiting RC4 Cipher Suites.
The distinction between block and stream ciphers is disappearing: using a block cipher (AES) in counter mode (a cipher mode, explained later) lets it be used entirely as a stream cipher. AES-GCM is stream-cipher processing.

Slide 36

Symmetric cipher: AES
• Project started in 1997, selected in 2000, specification issued in 2001
• Block size 128 bits
• Three key lengths: 128, 192 and 256 bits
• Hardware support on Intel/AMD CPUs (AES-NI)
The de facto standard for TLS traffic as of 2016. ChaCha20 will be explained in detail later.

Slide 37

Cipher modes
• With a block cipher, encrypting the same data with the same key yields the same ciphertext every time.
• When encrypting data longer than the block length, a cipher mode is used to avoid repetition.
• CBC: repeat "encrypt (plaintext XOR vector)" (the mainstream until now)
• CTR: repeat "encrypt the counter, XOR with the plaintext"
To actually use these in TLS they are combined with a MAC (message authentication) for tamper detection (AEAD). AES-GCM is the current mainstream. ChaCha20-Poly1305 will be explained in detail later.

Slide 38

AEAD (authenticated encryption). Diagram: inputs are the data that is not encrypted but must be protected from tampering (headers etc.), the plaintext to encrypt, the shared key and the initialization vector; AEAD encryption outputs the ciphertext and the authentication tag. Encrypt-Then-MAC: the hash value is taken after encryption.

Slide 39

AEAD (authenticated encryption). Diagram: inputs are the ciphertext, the authentication tag, the unencrypted but tamper-protected data (headers etc.), the shared key and the initialization vector; AEAD decryption outputs the plaintext together with the tamper check.

Slide 40

GCM
• GCM (Galois Counter Mode)
• An AEAD combining CTR and GHASH
• Can be accelerated in hardware
• Used together with AES as AES-GCM

Slide 41

One-way hash. Diagram: data, one-way hash function, hash value. Comparing hash values lets you check whether data has been tampered with.

Slide 42

Cryptographic hashes
• Preimage resistance: given a hash value h, it is hard to find the original message m, i.e. to find m with h = HASH(m).
• Second preimage resistance: given a specific message m1, it is hard to find an m2 with the same hash value, i.e. HASH(m1) = HASH(m2).
• Strong collision resistance: it is hard to find any pair m1, m2 with HASH(m1) = HASH(m2).

Slide 43

One-way hashes
• md5: practical attack methods already exist (*1)
• SHA-1: expected that collisions can be found at realistic cost around 2018 (*2)
• SHA-2 (six variants such as SHA-256)
• SHA-3 (six variants such as SHA3-256): officially published by NIST on 8/5
(*1) How to Break MD5 and Other Hash Functions, http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf
(*2) Cryptanalysis of SHA-1, https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Slide 44

Remember AEAD. (Same diagram as before: unencrypted but tamper-protected data, plaintext, shared key, initialization vector, AEAD encryption, ciphertext, authentication tag.) The tag is a hash value! But GCM and Poly1305, not SHA256 or the like. Why?

Slide 45

AEAD does not need a full cryptographic hash. The authentication tag is an Encrypt-Then-MAC over data that is visible (the unencrypted tamper-protected data and the ciphertext). Since the message being hashed is visible, preimage resistance is not needed. What matters is detecting tampering of the visible message (MAC): second preimage resistance and high collision resistance are required. It is computed per packet, so speed matters. GCM and Poly1305 are fast MAC algorithms specialized for AEAD.

Slide 46

Message authentication (HMAC)
• A shared key is agreed in advance.
• A hash value is produced from the shared key combined with the data.
• Authenticates the integrity of the data and the creator of the hash.
(Diagram: data and shared key into the one-way hash function, producing the hash value.)

Slide 47

Public-key cryptography (the danger of 512-bit RSA: FREAK, https://freakattack.com/)
• Ciphers built on mathematical problems whose solution is hard to find.
• A pair of public and private keys is generated. The public key can be exposed.
• Encrypt with the public key, decrypt with the private key.
• RSA: integer factorization
• ECC (elliptic curve cryptography): the discrete logarithm problem on elliptic curves
(Diagram: public key for encryption, private key for decryption.)

Slide 48

Key exchange
• A mechanism for two parties to share a key securely.
• Each side exchanges its public key and both derive the shared key.
• The shared key itself is never sent over the channel.
• DH (Diffie-Hellman)
• ECDH (elliptic curve DH)
Vulnerability: DH Logjam, https://weakdh.org/
Ephemeral (one-time) key exchange gets the letter E: DHE, ECDHE.

Slide 49

Digital signatures
• Make it possible to check the integrity of the data.
• Make it possible to authenticate the sender of the data.
• Provide non-repudiation to the extent the public key is trusted.
• RSA
• DSA, ECDSA
(Diagram: the signer encrypts the hash of the data with the private key to produce the signature, sent as data plus signature; the verifier decrypts the signature with the public key and compares it with the hash of the data.)

Slide 50

PKI overview (diagram): CA (Certificate Authority), VA (Validation Authority), RA (Registration Authority); CRL/OCSP; CSR; key pair; identity verification; server certificate; https://...; revocation check; Root certificate; OS and browser vendors. The roles are logically separate but may physically be a single entity.

Slide 51

Server certificates (X.509)
• The key element securing the trustworthiness of TLS communication
• Signature verification of the certificate chain from the built-in root certificate down to the server certificate
• Trust is established outside the online channel (PKI)
(Diagram: built-in root certificate, intermediate certificate, server certificate; the root is the trust anchor.)

Slide 52

Types of certificates
• EV certificate (Extended Validation): strict proof of the organization's existence common to all CAs (physical existence, review of documents and data, existence checks via bank account transactions, signed submissions, telephone confirmation, etc.). The address bar turns green.
• OV certificate (Organization Validation): proof of the organization's existence according to each CA's policy (CPS) (document and data review, telephone confirmation, etc.)
• DV certificate (Domain Validation): proof of domain control according to each CA's policy (CPS), e.g. confirming email reachability. Free certificates exist, such as Let's Encrypt.
Existence is proven outside the network.

Slide 53

Contents of a server certificate: version, serial number, issuer information, validity period, server identifier, public key information, extensions (key usage, alternative names, revocation information, policy references), digital signature.

Slide 54

Checking a server certificate. If the server certificate and the private key do not match, the TLS server will not start, so always check that the public key in the server certificate matches the one derived from the private key (commands reconstructed from the garbled slide; separators and the digits of x509 were lost):

openssl x509 -pubkey -in server.crt -noout > server_pubkey.pem
openssl rsa -pubout -in private.key -out private_pubkey.pem

Compare the two public keys.

Slide 55

The foundations of TLS security. TLS security rests on four external elements, each with its failure mode: random number generation (lack of entropy), PKI (fraudulent issuance), private key management (leakage), cryptographic techniques (compromise of algorithms or strength). TLS is a mechanism that provides secure communication on the Internet on top of these four external elements. Conversely, however perfect the TLS protocol is, security cannot be guaranteed if any of these four elements is broken.

Slide 56

The TLS handshake, together with the TLS Bot. Note: to avoid complexity, the client authentication feature is omitted from the explanation.

Slide 57

Exercise: look at real ChaCha20 packets. Access https://chacha.tls.koulayer.com (separators and digits lost in extraction) with Chrome and inspect it with the Developer Tools. Download chacha_sample.pcap from the same host and look at it with Ethereal.

Slide 58

SecCamp TLS Bot
• A Bot that performs a TLS handshake from TLS frames entered on the command line in HEX format.
• Works as both Server and Client.
• The Client starts by entering a HelloRequest frame.
• With NODE_DEBUG=seccamp it prints the output frames as JSON.

Slide 59

SecCamp TLS Bot
• npm install seccamp-tls-exercise
• Create the Server/Client Bot script (punctuation reconstructed from the garbled slide):
  const SecCamp = require('seccamp-tls-exercise');
  SecCamp.TLSBot(false);  // false means client
If the installed node_module is found, the code is in node_modules/seccamp-tls-exercise/samples. It is also at https://gist.github.com/shigeki/... (gist id lost in extraction).

Slide 60

TLS Bot

Slide 61

TLS Bot debug mode: export NODE_DEBUG=seccamp

Slide 62

TLS handshake (full handshake): ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data, Application Data (handshake messages are in red on the slide). The ClientHello/ServerHello exchange agrees on the TLS version, cipher and so on that both sides will use. 2 RTT are needed before encrypted application traffic can flow.

Slide 63

TLS handshake (resumption): ClientHello(session_id), ServerHello(session_id), ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data, Application Data (handshake messages in red). Resuming a TLS session by SessionID: key exchange and certificate transfer are skipped. Encrypted application traffic can flow after 1 RTT. Not covered in this exercise.

Slide 64

Meaning of the TLS handshake messages
• ClientHello / ServerHello / ServerHelloDone: information exchange for TLS (version, randoms, cipher, extensions)
• Certificate: delivery of public key information; endpoint authentication
• ClientKeyExchange / ServerKeyExchange: shared key exchange
• ChangeCipherSpec: signal to start encryption
• Finished: tamper check of the handshake data

Slide 65

Structure of TLS 1.2. After the IP header and TCP header comes the TLS Record Layer (5 bytes): type (4 kinds, 1 byte), version (2 bytes), length (2 bytes). One of four kinds of TLS data follows the Record Layer:
• Handshake (type 0x16): msg type (10 kinds), length (3 bytes), handshake data
• Alert (type 0x15): level, reason
• ChangeCipherSpec (type 0x14): type
• Application Data (type 0x17): encrypted data
Handshake msg types: 0x00 HelloRequest, 0x01 ClientHello, 0x02 ServerHello, 0x0b Certificate, 0x0c ServerKeyExchange, 0x0d CertificateRequest, 0x0e ServerHelloDone, 0x0f CertificateVerify, 0x10 ClientKeyExchange, 0x14 Finished.

Slide 66

Reading a TLS handshake frame. Record Layer (5 bytes, not encrypted): type 0x16, protocol version major 0x03 minor 0x03, length (2 bytes) 0x00 0x45. Handshake (ClientHello): msg type 0x01, length (3 bytes) 0x00 0x00 0x41 (4-byte header), client version major 0x03 minor 0x03, random (32 bytes). The handshake payload is what later becomes encrypted.

Slide 67

Exercise
• Open two command-line terminals; start tls_client_bot in one and tls_server_bot in the other.
• Enter a HelloRequest into tls_client_bot, copy the ClientHello it outputs and enter it into the server bot.
• Set NODE_DEBUG=seccamp and check the JSON.

Slide 68

ClientHello. The ClientHello/ServerHello exchange agrees on the TLS version, cipher and so on that both sides will use.

Slide 69

ClientHello fields

field               | element                                            | size          | leading length field
client_version      | uint8 major, uint8 minor                           | 2             | N/A
random              | uint32 gmt_unix_time, opaque random_bytes[28]      | 4 + 28        | N/A
session_id          | opaque SessionID <0..32>                           |               | 1 byte
cipher_suites       | uint8 CipherSuite[2] <2..2^16-2>                   |               | 2 bytes
compression_methods | null(0) <1..2^8-1>                                 |               | 1 byte
extensions          | extension_type(65535), extension_data<0..2^16-1>   | <0..2^16-1>   | 2 bytes

Example extensions layout: extensions length (2 bytes), then for each extension: type, data length, data.

Slide 70

ClientHello byte layout. Record Layer: type 0x16, protocol version 0x03 0x03, length (2 bytes) ?? ??. Handshake (ClientHello): msg type 0x01, length (3 bytes) ?? ?? ??, client version 0x03 0x03, random (32 bytes), session id (variable), cipher suites (variable), compression (variable), extensions (variable).
Version: 0x03,0x00 = SSLv3; 0x03,0x01 = TLSv1.0; 0x03,0x02 = TLSv1.1; 0x03,0x03 = TLSv1.2. The client states the highest TLS version it can use; the server chooses which version to use.
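The ClientHello layout of the last two slides, as an added Node.js parser (not from the slides or the seccamp-tls-exercise package). It walks the 5-byte record header, the 4-byte handshake header and each length-prefixed field, decodes the two extensions used later in the ECDHE slides, and fails on any length mismatch. The sample frame is constructed for this example.

```javascript
const VERSIONS = { 0x0300: 'SSLv3', 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2' };
const SUITES = { 0x009c: 'TLS_RSA_WITH_AES_128_GCM_SHA256',
                 0xcca8: 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' };
const CURVES = { 23: 'secp256r1' };          // elliptic_curves ids used on the slides
const POINT_FORMATS = { 0: 'uncompressed' }; // ec_point_formats ids used on the slides

// Reads a length-prefixed vector (lenBytes = 1 or 2); returns [bytes, nextOffset].
function readVector(buf, off, lenBytes) {
  if (off + lenBytes > buf.length) throw new Error('length field runs past end of frame');
  const len = lenBytes === 1 ? buf[off] : buf.readUInt16BE(off);
  const start = off + lenBytes;
  if (start + len > buf.length) throw new Error('vector runs past end of frame');
  return [buf.subarray(start, start + len), start + len];
}

function parseExtensions(ext) {
  const out = [];
  let off = 0;
  while (off < ext.length) {
    const type = ext.readUInt16BE(off);
    const [data, next] = readVector(ext, off + 2, 2);
    const e = { type, data: data.toString('hex') };
    if (type === 10) {                      // elliptic_curves: 2-byte list length, 2-byte ids
      const [list] = readVector(data, 0, 2);
      e.curves = [];
      for (let i = 0; i + 1 < list.length; i += 2) {
        const id = list.readUInt16BE(i);
        e.curves.push(CURVES[id] || `curve(${id})`);
      }
    } else if (type === 11) {               // ec_point_formats: 1-byte list length, 1-byte ids
      const [list] = readVector(data, 0, 1);
      e.formats = [...list].map((f) => POINT_FORMATS[f] || `format(${f})`);
    }
    out.push(e);
    off = next;
  }
  return out;
}

function parseClientHello(buf) {
  if (buf[0] !== 0x16) throw new Error('not a Handshake record');
  const recordLen = buf.readUInt16BE(3);
  if (recordLen !== buf.length - 5) throw new Error('record length mismatch');
  if (buf[5] !== 0x01) throw new Error('not a ClientHello');
  if (buf.readUIntBE(6, 3) !== recordLen - 4) throw new Error('handshake length mismatch');
  let off = 9;
  const clientVersion = VERSIONS[buf.readUInt16BE(off)] || 'unknown'; off += 2;
  const random = buf.subarray(off, off + 32).toString('hex'); off += 32;
  let sessionId, suites, comp, ext;
  [sessionId, off] = readVector(buf, off, 1);
  [suites, off] = readVector(buf, off, 2);
  [comp, off] = readVector(buf, off, 1);
  [ext, off] = readVector(buf, off, 2);
  if (off !== buf.length) throw new Error('trailing bytes after extensions');
  const cipherSuites = [];
  for (let i = 0; i + 1 < suites.length; i += 2) {
    const id = suites.readUInt16BE(i);
    cipherSuites.push(SUITES[id] || '0x' + id.toString(16).padStart(4, '0'));
  }
  return { recordVersion: VERSIONS[buf.readUInt16BE(1)] || 'unknown', clientVersion, random,
           sessionId: sessionId.toString('hex'), cipherSuites,
           compression: [...comp], extensions: parseExtensions(ext) };
}

// Constructed sample: a TLS 1.2 ClientHello offering the two suites from the
// CipherSuite slide plus the elliptic_curves and ec_point_formats extensions.
const SAMPLE_HEX = '160303003f' + '0100003b' + '0303' +
  '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f' +
  '00' + '0004cca8009c' + '0100' + '000e' + '000a000400020017' + '000b00020100';

console.log(JSON.stringify(parseClientHello(Buffer.from(SAMPLE_HEX, 'hex')), null, 2));
```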


Slide 72

ServerHello (diagram: ClientHello, ServerHello; handshake messages in red). The ClientHello/ServerHello exchange agrees on the TLS version, cipher and so on that both sides will use.

Slide 73

ServerHello fields

field              | element                                          | size        | leading length field
server_version     | uint8 major, uint8 minor                         | 2           | N/A
random             | uint32 gmt_unix_time, opaque random_bytes[28]    | 4 + 28      | N/A
session_id         | opaque SessionID <0..32>                         |             | 1
cipher_suite       | uint8 CipherSuite[2]                             | 2           | N/A
compression_method | null(0)                                          | 1           | N/A
extensions         | extension_type, extension_data<0..2^16-1>        | <0..2^16-1> | 2 bytes

Byte layout. Record Layer (5 bytes): type 0x16, protocol version 0x03 0x03, length (2 bytes) = ? + 4. Handshake (ServerHello): msg type 0x01 (as printed on the slide), length (3 bytes) ?, server version 0x03 0x03, random (32 bytes), session id (1-byte length), cipher suite (2 bytes, e.g. 0x00,0x9c), compression, extensions (2-byte length).


Slide 75

Certificate (diagram: ClientHello, ServerHello, Certificate; handshake messages in red).

Slide 76

Certificate: certificate_list, ASN.1Cert<2^24-1>, size <0..2^24-1>. Layout: total certificates length, certificate #1 length, certificate data #1, certificate #2 length, certificate data #2, ... Several certificates are sent; the first is always the server certificate, the second and later are intermediate certificates and so on.


Slide 78

Perfect Forward Secrecy (PFS)
• Forward secrecy
• A temporary key is used for each session.
• Copes with the risk of a future private key leak even when all encrypted data including the handshake has been captured.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: the E in ECDHE means Ephemeral (temporary) key exchange.

Slide 79

DHE vs ECDHE
• DH (Diffie-Hellman): key exchange based on the discrete logarithm problem. One side sends g^x mod P and computes (g^y)^x mod P; the other sends g^y mod P and computes (g^x)^y mod P; both obtain g^(xy) mod P. The prime P, the generator g and the public keys (shown in red and blue on the slide) are exchanged. More computation than ECDHE.
• ECDHE: key exchange using discrete logarithm arithmetic on an elliptic curve. The curve parameters and base point are specified by name (secp256r1 etc.) and the public keys (points on the curve) are exchanged. Shorter keys and less computation than DH.

Slide 80

The ECDHE handshake (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; additions and changes are in red on the slide)
• ClientHello + elliptic_curves + ec_point_formats: ClientHello extensions added; announces the usable curve names and point formats
• ServerHello + ec_point_formats: ServerHello extension added; agrees on the point format
• Certificate
• ServerKeyExchange: sends the curve name and the Server's public key, signed
• ServerHelloDone
• ClientKeyExchange: sends the Client's public key
• ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data
The public keys are generated randomly every time.

Slide 81

ECDHE ClientHello extension. The client tells the server the list of elliptic curves it supports; the server picks a suitable curve from the list and announces the chosen curve in ServerKeyExchange. Bytes: 0x00 0x0a (elliptic_curves, type 10), 0x00 0x04 (data length), 0x00 0x02 (list length), 0x00 0x17 (secp256r1, 23).

Slide 82

ECDHE Client/Server Hello extension: the format of the elliptic curve public key. Bytes: 0x00 0x0b (ec_point_formats, type 11), 0x00 0x02 (data length), 0x01 (list length), 0x00 (uncompressed, 0).

Slide 83

ServerKeyExchange (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange; handshake messages in red).

Slide 84

ECDHE ServerKeyExchange
• ServerECDHParams: ECParameters (curve_type = named_curve (3), named_curve = secp256r1 (23)) and ECPoint (length, public key in the format specified by the Hello extension)
• Signature: algorithm = RSA-SHA256 (0x04,0x01), signature = sign(algorithm, ClientHello.random + ServerHello.random + ServerECDHParams)
The ServerECDHParams and the Randoms are signed with the RSA private key.


Slide 86

ServerHelloDone (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone; handshake messages in red).

Slide 87

ServerHelloDone: handshake type 0x0e, handshake length 0x00 0x00 0x00. The signal that ServerHello is finished; it consists of the handshake header only. It announces that the first half of the handshake sequence that started with ServerHello is complete.


Slide 89

TLS handshake (full handshake) (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange; handshake messages in red).

Slide 90

ECDHE ClientKeyExchange: ClientECDHParams, ECPoint (length, public key in the format specified by the Hello extension). ClientKeyExchange does not need a signature.


Slide 92

Question: why are the ECDHE public keys protected differently?
• ServerKeyExchange: the public key is signed
• ClientKeyExchange: anything goes
Why is that?

Slide 93

PreMasterSecret / MasterSecret
• The source of the IVs (initialization vectors), shared keys and MAC keys used in TLS
• The MasterSecret is 48 bytes long. The length of the PreMasterSecret depends on the key exchange method.
• The MasterSecret is derived from the PreMasterSecret, ClientRandom, ServerRandom and a fixed label.
• Client/ServerRandom are fully visible. The PreMasterSecret must be guarded at all costs: if it leaks, the security of TLS is completely gone (FREAK, Logjam).


Slide 95

ChangeCipherSpec, Client to Server (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec; handshake messages in red).

Slide 96

ChangeCipherSpec: the sender declares the start of encryption; everything sent after it is encrypted. Record Layer: ContentType 0x14, version major 0x03 minor 0x03, length (2 bytes) 0x00 0x01; ChangeCipherSpec body: 0x01.


Slide 98

TLS handshake (full handshake) (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished; handshake messages in red).

Slide 99

Finished

struct {
  opaque verify_data[verify_data_length];
} Finished;

verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11];

finished_label: "client finished" for the client, "server finished" for the server. verify_data is fixed at 12 bytes. Hash is computed over all handshake data so far (excluding this message itself); TLS 1.2 uses SHA256. On receiving Finished, the value is compared with the one computed from the handshake data sent and received so far, confirming that the handshake data has not been tampered with.


Slide 101

ChangeCipherSpec, Server to Client (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec; handshake messages in red).


Slide 103

Server Finished (diagram: ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished; handshake messages in red).


Slide 105

Application Data (diagram: the full handshake from ClientHello through both Finished messages, followed by Application Data; handshake messages in red).


Slide 107

Exercise: one-to-one TLS using the TLS Bot
• Form pairs and communicate over TLS using the Bots. Decide who plays Client and who plays Server.
• Exchange the data through Cybozu. Confirm that each side can decrypt the other's ciphertext.
(Diagram: TLS encrypted communication between the two Bots, with a TLS Server hex frame and "Application Data: hoge"; the hex was lost in extraction.)

Slide 108

Exercise: a real Man In The Middle
• Form groups of three and communicate over TLS using the Bots. Decide who plays Client, who plays the attacker and who plays Server.
• Perform the TLS handshake through the attacker. First, the attacker simply relays frames from one side to the other unchanged.
• Next, the attacker runs both a Server Bot and a Client Bot and impersonates each side.

Slide 109

ChaCha20-Poly1305: the new TLS cipher whose specification was completed in June (year and RFC number lost in extraction). I am not a cryptographer, so I will skip the discussion of its security.

Slide 110

ChaCha20-Poly1305
• ChaCha20: a cipher designed by D. J. Bernstein (djb). Salsa20 was published first, then improved into ChaCha20.
• Poly1305: a MAC designed by djb, published in combination with AES as Poly1305-AES.
The two are basically independent. Adam Langley of Google published a draft specification combining them as ChaCha20-Poly1305.

Slide 111

The history of ChaCha20-Poly1305 so far (years lost in extraction; the Snowden affair is marked on the timeline)
• Poly1305 paper published (final version)
• ChaCha20 paper published (final version)
• Salsa20 selected as an eSTREAM finalist
• BLAKE, which uses ChaCha, selected as a SHA-3 finalist
• draft-agl-tls-chacha20poly1305 published
• Chrome implements ChaCha20-Poly1305; use begins on Google services
• OpenSSH implements ChaCha20-Poly1305
• The TLS WG asks the CFRG to take up the ChaCha20-Poly1305 specification
• LibreSSL forks and implements ChaCha20-Poly1305
• BoringSSL forks and implements ChaCha20-Poly1305
• CloudFlare starts using ChaCha20-Poly1305 and publishes a patch for OpenSSL
• The RFC specifying ChaCha20-Poly1305 is published
• OpenSSL (alpha) implements ChaCha20-Poly1305
• Firefox implements ChaCha20-Poly1305
• RFC: ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)

Slide 112

AES vs ChaCha20 (numbers lost in extraction unless stated)
• Scheme: AES is a block cipher; ChaCha20 is a stream cipher
• Inputs: AES takes a key (three key lengths) with no nonce and no initial counter; ChaCha20 takes a key, a nonce (a shorter nonce in djb's paper) and an initial counter
• Standards: AES: NIST FIPS; ChaCha20: RFC (Salsa20 was selected in the eSTREAM software Phase 3)
• Performance: AES can be accelerated by dedicated hardware such as AES-NI; ChaCha20 needs no precomputation or S-box, so timing attacks are harder to mount, and it is fast in software using SIMD
• Cautions: AES implementations must resist side-channel attacks such as cache timing; ChaCha20 nonces must never be reused
djb's paper http://cr.yp.to/chacha/chacha-....pdf (date in the file name lost) is the reference that defines the algorithm. Both can be used as a stream cipher in combination with counter mode.

Slide 113

QuarterRound(a, b, c, d): the ChaCha20 round operation (rotation amounts lost in extraction; the standard ChaCha values are 16, 12, 8, 7)
  a += b; d ^= a; d <<<= 16;
  c += d; b ^= c; b <<<= 12;
  a += b; d ^= a; d <<<= 8;
  c += d; b ^= c; b <<<= 7;
a, b, c, d are 32-bit unsigned ints; x + y means (x + y) mod 2^32; ^ is XOR; <<< n is an n-bit left rotation. Each of a, b, c, d is operated on twice. There is no multiplication and every operation is fixed-width, so it runs in constant time.

Slide 114

Assignment and exercise: sudo npm -g install seccamp...chacha...workshop (package name garbled in extraction). Today's assignment; preparatory study.

Slide 115

(Diagram: the ChaCha state as a 4x4 grid of 32-bit words. Two kinds of ChaCha rounds, the column round and the diagonal round, each consisting of four QuarterRounds over 4-byte words.) Exercise.

Slide 116

The ChaCha State. The initial ChaCha State is a 4x4 grid of 32-bit words: four constant words, eight key words, one counter word and three nonce words. Ten repetitions of a column round followed by a diagonal round turn it into the round ChaCha State. The constants are actually the string "expand 32-byte k" (the digits were lost in extraction). Key: 32 bytes; nonce: 12 bytes; counter: 4 bytes, starting from an initial value (lost in extraction).

Slide 117

Mind the endianness of the ChaCha State. The key bytes k[0], k[1], ... are grouped four at a time into words, each word read as little-endian; the same applies to the constant, counter and nonce words. Be careful when processing data in this order: it looks big-endian at a glance.

Slide 118

The ChaCha Block Function: the initial ChaCha state (constants, key, counter, nonce) goes through the 20 rounds to give the round ChaCha state; adding the initial state to it word by word modulo 2^32 gives the final ChaCha State.

Slide 119

Exercise: ChaCha QuarterRound, ChaCha Block Function.

Slide 120

The ChaCha KeyStream: each 4-byte element of the final state is serialized in little-endian order. The ciphertext is produced by XORing the KeyStream with the plaintext. (The slide's example hex was lost in extraction.)

Slide 121

ChaCha20 encryption of plaintext. For each 64-byte block of plaintext: key, nonce and counter form the initial ChaCha State; the Block Function gives the ChaCha State, which is the KeyStream; KeyStream XOR plaintext = ciphertext. The counter is incremented for each block. Decryption is just XORing the KeyStream with the ciphertext, so the procedure is almost identical.

Slide 122

Exercise: ChaCha KeyStream, ChaCha Encryption.

Slide 123

Poly1305. This part is a little harder, so it is mostly explanation.

Slide 124

Why is a message authenticator needed? Diagram: a record for https://www.example.com consists of IV, ciphertext and tag. An attacker XORs tampering data into the ciphertext, turning "Hello World" into "Hello Cracked" in the tampered record. When the receiver recomputes the tag it differs: the tampering is detected! Recomputing the tag requires the secret key.

Slide 125

GHASH vs Poly1305 (numbers lost in extraction unless stated)
• Computation: both are Wegman-Carter constructions; GHASH works in a binary field (polynomial modulus), Poly1305 in a prime field
• Key length: GHASH uses the block cipher key length when combined with AES; Poly1305 has its own key
• MAC length: GHASH output can be truncated depending on the use; Poly1305 has a fixed length
• Standards: GHASH: NIST SP 800-38D (AES-GCM); Poly1305: RFC
• Performance: GHASH can be accelerated by dedicated instructions such as PCLMULQDQ; Poly1305 needs no precomputed tables and is fast in software using SIMD
• Cautions: GHASH: never reuse the key or IV (nonce); use a sufficiently long MAC. Poly1305: never reuse the key or IV (nonce); the implementation must resist timing attacks
djb's paper on Poly1305 combined with AES, http://cr.yp.to/mac/poly1305-....pdf (date in the file name lost), is the reference that defines the algorithm.

Slide 126

Polynomial evaluation. The data to authenticate is split into C1, C2, C3, ..., Cn-1, Cn, and the split message is evaluated as the coefficients of a polynomial in the key r:
  f(r) = C1 r^n + C2 r^(n-1) + ... + Cn-1 r^2 + Cn r
       = (((C1 r + C2) r + C3) r + ... + Cn) r
Horner's method reduces the number of multiplications.

Slide 127

Wegman-Carter construction for Poly1305. Data to authenticate C1, ..., Cn; key r; key s; prime p:
  (C1 r^n + C2 r^(n-1) + ... + Cn r mod p) + s
The polynomial part is a universal hash; s is a one-time key.
• Its strength can be proven mathematically.
• Faster than HMAC with SHA256 and the like.

Slide 128

Poly1305 (numbers lost in extraction unless stated):
  ((C1 r^n + C2 r^(n-1) + ... + Cn r) mod p + s) mod 2^128
The data to authenticate is split into 16-byte blocks C1, ..., Cn; one byte is added at the top of each, making it 17 bytes long. Key r is 16 bytes with 22 bits cleared (clamping); key s is 16 bytes. The result is finally truncated to 16 bytes. p is a prime of exquisitely chosen size.

Slide 129

Generating the MAC data with Poly1305 (diagram). The data is processed 16 bytes at a time by Poly1305 update, each step keeping a partial remainder value (130 bits long); Poly1305 final adds key s, drops the top bits, and yields the 16-byte MAC, the final authentication code. Key r (with 22 bits cleared) and key s are obtained from ChaCha20 with counter 0, key and nonce: the lower 16 bytes become r, the upper 16 bytes become s.
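The polynomial evaluation, clamping, block padding and final truncation of the last four slides, as an added Node.js implementation using BigInt (not the workshop library the slides use). The key and message are the RFC 7539 section 2.5.2 test vector; the constant-time verify is an assumption of good practice, not something the slides show.

```javascript
const P = (1n << 130n) - 5n;                           // the prime p
const CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffffn;       // clears the 22 bits of r
const MASK128 = (1n << 128n) - 1n;

// Little-endian bytes -> BigInt.
function leBigInt(buf) {
  let v = 0n;
  for (let i = buf.length - 1; i >= 0; i--) v = (v << 8n) | BigInt(buf[i]);
  return v;
}

// Poly1305 tag over msg with a 32-byte one-time key (r = first 16 bytes, s = last 16).
function poly1305(key, msg) {
  if (key.length !== 32) throw new Error('Poly1305 key must be 32 bytes');
  const r = leBigInt(key.subarray(0, 16)) & CLAMP;
  const s = leBigInt(key.subarray(16, 32));
  let acc = 0n;
  for (let off = 0; off < msg.length; off += 16) {
    const chunk = msg.subarray(off, Math.min(off + 16, msg.length));
    // Append the 0x01 byte above the block (17 bytes for a full block).
    const c = leBigInt(chunk) | (1n << BigInt(8 * chunk.length));
    acc = ((acc + c) * r) % P;                         // Horner step, mod p
  }
  const tag = (acc + s) & MASK128;                     // add s, keep 128 bits
  const out = Buffer.alloc(16);
  for (let i = 0, t = tag; i < 16; i++, t >>= 8n) out[i] = Number(t & 0xffn);
  return out;
}

// Constant-time comparison, so a forged tag cannot be guessed byte by byte.
function poly1305Verify(key, msg, tag) {
  const expected = poly1305(key, msg);
  let diff = tag.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) diff |= expected[i] ^ (tag[i] || 0);
  return diff === 0;
}

// RFC 7539 section 2.5.2 test vector.
const RFC_KEY = Buffer.from('85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b', 'hex');
const RFC_MSG = Buffer.from('Cryptographic Forum Research Group');
console.log(poly1305(RFC_KEY, RFC_MSG).toString('hex')); // a8061dc1305136c6c22b8baf0c0127a9
```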

Slide 130

Exercise: Poly1305 MAC. Implementing it yourself in such a short time would be painful, so you will use a library.

Slide 131

Building the AEAD (ChaCha20-Poly1305)

Slide 132

AES-GCM and ChaCha20-Poly1305 for TLS (numbers lost in extraction unless stated)
• Standards: AES-GCM: RFCs; ChaCha20-Poly1305: draft-ietf-tls-chacha20-poly1305 (in IETF Last Call at the time of the slide)
• Symmetric cipher: AES (two key lengths) vs ChaCha20
• Key exchange: RSA, DH, DHE, ECDHE vs ECDHE, DHE
• Authentication: RSA, ECDSA, PSK
• PRF: SHA256 or SHA384 depending on the AES key length vs SHA256
• Explicit IV: AES-GCM sends one in each record; ChaCha20-Poly1305 sends none
• Nonce: AES-GCM: Client/ServerWriteIV concatenated with the explicit IV; ChaCha20-Poly1305: the padded sequence number XOR Client/ServerWriteIV
• Tag length: both the same
• Minimum encrypted length: AES-GCM larger (explicit IV plus tag) vs ChaCha20-Poly1305 (tag only)

Slide 133

Generating the AEAD with ChaCha20-Poly1305 (diagram). The ChaCha20 KeyStream for the initial counter (key, nonce) is used to generate the Poly1305 keys r and s. The counter is incremented, and the plaintext is XORed with the ChaCha20 KeyStream to give the ciphertext. Poly1305(r, s) is then computed over AuthData || zero padding || ciphertext || zero padding || len(AuthData) || len(ciphertext), giving the authentication tag. len is the byte length as a 64-bit little-endian value.

Slide 134

Exercise: Poly1305 Key Generation, ChaCha20-Poly1305 Encryption.

Slide 135

If there is time left, try last year's exercise: sudo npm -g install seccamp...crypto...workshop (package name garbled in extraction).