Slide 1
Slide 1 text
Messaging Layer
Security, and other
security related stuff
Ryo Kajiwara @ lepidum
IETF105 Report Session, ISOC-JP
Slide 2
Slide 2 text
No content
Slide 3
Slide 3 text
Messaging Layer
Security (mls)
Slide 4
Slide 4 text
աڈʹͨ͠ࢿྉʹ͍ͭͯ
ݕࡧͯ͠ग़ͯ͘Δࢿྉʹࢲ͕2018/8ʹͨ͠ࢿྉ͕ग़͖ͯ·͢
͕ɺ۩ମతͳํࣜʹ͔ؔͯ͠ͳΓଟ͘ͷΞοϓσʔτ͕ೖͬͯ
͍·͢ɻ֓આ෦ʹؔͯ͠एׯͦΕΛྲྀ༻͍ͯ͠·͢ɻ
https:/
/speakerdeck.com/sylph01/messaging-layer-security
۩ମతʹݴ͏ͱɺ17൪ͷεϥΠυҎ߱ͷ༰΄ͱΜͲݱࡏͷ
υϥϑτʹ͍ͬͯ·ͤΜɻπϦʔͷܭࢉʹؔͯ͠Asynchronous
Ratchet Treeͷ֓೦͚ͩࠓͷυϥϑτͰ͋Δఔ௨༻͠·͢ɻ
Slide 5
Slide 5 text
͜ΕԿʁ
ෳਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ
ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draft -> Working Groupɻ
͘͢͝ฏ͍ͨ͘͏ͱɺάϧʔϓνϟοτΛEnd-to-End҉߸Խ͢Δ
ํ๏Λඪ४Խ͠Α͏ͥɺͱ͍͏༰ɻ
Slide 6
Slide 6 text
ηΩϡΞϝοηʔδϯάʁ
࠷ۙͷϝοηʔδϯάαʔϏεEnd-to-End҉߸Խ͕ී௨Ͱ͢ɻ
• Signalʢ͕͜͜͠Γʣ
• Facebook Messenger
• WhatsApp
• LINE
ͳͲEnd-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ
Slide 7
Slide 7 text
WG Charter͔Βཁ
ҎԼͷੑ࣭Λ࣋ͭάϧʔϓ伴ͷ߹ҙɾϝοηʔδอޢΛඞཁͱ͢
ΔΞϓϦέʔγϣϯ͕ଟ͘ଘࡏ͢ΔͨΊɺͦΕΛ࣮ݱ͍ͨ͠:
ϝοηʔδͷൿີੑɺϝοηʔδͷશੑɾೝূɺϝϯόʔͷೝ
ূɺඇಉظੑɺForward SecrecyɺPost-Compromise Securityɺε
έʔϥϏϦςΟ
Slide 8
Slide 8 text
είʔϓʹ͍ͭͯ
• ֤ϕϯμʔಠࣗϓϩτίϧͰ࣮ݱ͍ͯ͠ΔͨΊɺࣗͷϓϩ
τίϧɾελοΫΛಠཱʹҡ࣋ཧ͢Δඞཁ͕͋Γɺ݁Ռͱ͠
ͯಠཱʹ࣭อূΛ͢Δඞཁ͕͋Δɻ
• MLSϝοηʔδͷηΩϡϦςΟ෦ʹ͍ͭͯڞ௨ͷํ๏Λఏ
ࣔ͢Δ͜ͱͰɺϓϩτίϧͷਖ਼ੑɾ҆શੑͷݕূ݁ՌΛڞ༗
Ͱ͖Δ͜ͱΛࢦ͢(shared validation of the protocol)ɻ
• 伴߹ҙҎ্ͷϝοηʔδϯάΞϓϦέʔγϣϯͷ
interoperability/federationΛఏڙ͢ΔͷͰͳ͍
Slide 9
Slide 9 text
ඇಉظੑ(asynchronous
usage)
͜͜Ͱ͍͏ʮඇಉظੑʯͱɺ2ਓͷϢʔβʔ͕ಉ࣌ʹΦϯϥΠϯ
Ͱ͋Δ͜ͱΛཁٻ͢ΔΑ͏ͳMLSͷoperation͕ଘࡏ͍͚ͯ͠ͳ
͍ɺͱ͍͏ੑ࣭ͷ͜ͱɻ
Slide 10
Slide 10 text
Forward Secrecy
௨৴ϓϩτίϧͷੑ࣭Ͱɺظ伴(long-term key)ͷ࿐ʹΑͬͯա
ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ
ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο
ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ࿐ʹ͑
Δɺͱ͍͏ੑ࣭͔ͩΒɻ
TLSͷจ຺ͰͷFSͱಉٛɻ·ͨɺ"Perfect" Forward Secrecyͱ
Forward SecrecyҰൠʹಉٛɻ
Slide 11
Slide 11 text
Post-Compromise Security
ݫີͳఆٛͱͯ͠ "On Ends-to-Ends Encryption: Asynchronous
Group Messaging with Strong Security Guarantees" (Cohn-Gordon et
al., 2017) ͷ(3.0.2)ͱ(3.1)ɺ
άϧʔϓϝϯόʔͷશͳঢ়ଶ(ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴)
͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ
ϓͷձ͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost-
compromise securityΛ࣋ͭɺͱ͍͏ɻ
FS/PCSmls-architectureͷ3.2.2.1Ͱఆٛ͞Ε͍ͯΔɻ
Slide 12
Slide 12 text
Documents
• draft-ietf-mls-architecture-02
• draft-ietf-mls-protocol-07
• draft-omara-mls-federation-00
Slide 13
Slide 13 text
mls-architecture
Slide 14
Slide 14 text
લఏ
• full messaging protocolͷ࣮Λҙਤ͍ͯ͠ͳ͍ (<-> XMPP)
• wire encodingͷఆٛͰͳ͘ɺநతͳσʔλߏͷΈΛఆٛ
• άϧʔϓͷنas large as thousands
Slide 15
Slide 15 text
ׂ
Messaging Service2ͭͷabstract serviceΛఏڙ͢Δ:
• Authentication Service: long-term identityͷཧ
• long-term identity keyͷσΟεΧόϦʔαʔϏε
• Delivery Service: ϝοηʔδͷड৴ͱ࠶
• ϝοηʔδͦͷͷͷϒϩʔυΩϟετͷ΄͔ɺάϧʔϓ伴
߹ҙʹඞཁͳkeying materialͷͷׂߦ͏
ಉҰαʔόʔͰΑ͍͕ɺׂ͕ҧ͏ͷͰจষ্۠ผ͞ΕΔ
Slide 16
Slide 16 text
ηΩϡϦςΟલఏͷิ
2.3.5:
ΦϑϥΠϯͷϝϯόʔ͕ݹ͍伴Λ͍࣋ͬͯͨΒForward Secrecy/
Post-Compromise SecurityͷલఏͰ͋Δkeying materialͷআ/ஔ
ෆՄೳɻMLS͜ͷͷରԠߦΘͳ͍(࣮Ͱղܾ͠Ζɺ
ͱ͍͏͜ͱ͔)ɻ
Slide 17
Slide 17 text
ཁ݅
(Ұ෦ൈਮ)
• ಉ࣌ΦϯϥΠϯΛཁٻ͠ͳ͍ (asynchronous)
• एׯͷϝοηʔδϩε͕ൃੜͯ͠permanent exclusionʹͭͳ
͕Βͳ͍
• ϚϧνσόΠεରԠ
• ཤྺͷ෮ݩFS/PCSͷલఏΛ่͢ͷͰϓϩτίϧϨϕϧͰ
ڐՄ͠ͳ͍͕ଞͷํࣜͰΔ͜ͱߟ͑ΒΕΔ
Slide 18
Slide 18 text
ཁ݅
(Ұ෦ൈਮɺଓ͖)
• ϖΠϩʔυͷϑΥʔϚοτΛԾఆ͠ͳ͍
• ෳͷMLS࣮͕federation͢Δ͜ͱ͋ΓಘΔ
• ͕charterͱͯ͠είʔϓ֎ɺmls-federationͰ͍ͬͯΔ
༷
• কདྷόʔδϣϯͱͷޓੑ
Slide 19
Slide 19 text
ηΩϡϦςΟཁ݅
• ΫϥΠΞϯτͱαʔόʔͷؒͷ௨৴TLSͳͲͰ҉߸Խ͞Ε͍ͯ
Δ͜ͱΛԾఆ͢Δ͕ɺτϥϯεϙʔτͷcompromiseʹASʹ
ΑΔidentity keys͕దʹೝূ͞Ε͍ͯΔݶΓ͑Δ
• DSάϧʔϓͷprivate contentͷΞΫηεΛ࣋ͨͳ͍(ཧऀ
͕ϝοηʔδΛ͖ݟΔ͜ͱͰ͖ͳ͍)
• ϝϯόʔͷՃ/আ: MLSଞͷϝϯόʔʹΒͤΔ͜ͱͳ͘ϝ
ϯόʔͷՃ/আΛߦ͏͜ͱΛڐՄ͠ͳ͍(ϓϩτίϧͷΈ
্ͦ͏ͳ͍ͬͯΔ)
Slide 20
Slide 20 text
mls-protocol
Slide 21
Slide 21 text
(എܠ)2 partiesͷ߹ղܾࡁΈ
Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ
"Ratchet"ʮҰਐΜͩΒΒͳ͍ʯͷͷྫ͑Ͱɺ҉߸ʹ
͓͚Δ"Ratchet"ͱϋογϡؔΛͬͯʮ৽͍͔͠Βաڈͷ
ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢ΔʯΈͷ͜ͱɻ
ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ
Slide 22
Slide 22 text
(എܠ)ʮͨ͘͞ΜʯͷࢀՃऀͷ߹͠
ΜͲ͍
Α͘औΒΕΔํ๏ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠
ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀͦͷʮsender
keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏ͷɻ
"hash ratchet"Λ͏͜ͱͰForward Secrecy࣮ݱͰ͖Δ͕ɺҰ
伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏ΛΘͳͯ͘ͳΒ
ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ
Slide 23
Slide 23 text
Ͳ͏࣮ͬͯݱ͢Δʁ
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
No content
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
Ͳ͏ͬͯάϧʔϓͷڞ༗ൿ
ີΛ҆શʹڞ༗͢Δʁ
ެ։伴҉߸(Diffie-Hellman)Ͱɺʮࣗͷൿີ伴ʯʴʮଞͷϝϯόʔ
ͷൿີ伴ʯΛͬͯڞ༗ൿີΛಋग़͢Δɻશһͷൿີ伴Λ͍͍ͪ
ͪ͏ͱܭࢉίετ͕ߴ͍ͷͰπϦʔߏΛऔ͍ͬͯΔɻ
Asynchronous Ratchet Treeͱ͍͏Έ͕͜Εʹ૬͢Δ͕ɺҰൠ
ੑΛอͭͨΊdraft-01͔Β"Ratchet Tree"ͱ͍͏ޠʹมߋ͞Ε͍ͯ
Δɻ
Slide 29
Slide 29 text
No content
Slide 30
Slide 30 text
WG activity @ IETF 105
Slide 31
Slide 31 text
User Authentication Within
Groups
https:/
/datatracker.ietf.org/meeting/105/materials/slides-105-mls-
sessa-user-authentication-within-groups-00.pdf
SignalͰظ伴͔ΒϩάΠϯ༻QRίʔυΛੜ͍ͯ͠Δɻ͜ΕͰ
Post-Compromise Security͕ͳ͍ɻ
Epoch-Level Authenticationʢಛఆͷ࣌ͰͷΈ༗ޮͳϩάΠϯ༻
QRίʔυΛੜʣͷಋೖͱͦͷํ๏ͷఏҊɻ
Slide 32
Slide 32 text
Protocol Enhancements
• group secretͷߋ৽ΛͰ͖ΔݶΓdefer͍ͨ͠
• ݱࡏgroupͷՃͷࡍʹϝοηʔδϯάͷ༗ແʹؔΘΒͣ
group secretͷߋ৽͕ߦΘΕɺ݁ՌେྔͷDHԋࢉ͕ൃੜ͢Δ
• add/update/removeఆ࣌ؒͰࡁΉΑ͏ʹͳΔ͚ΕͲ
ratchetʢsecretͷߋ৽ʣͷίετ͕ߴ͍ɺͱ͍͏τϨʔυΦ
ϑ͕͋Δ
Slide 33
Slide 33 text
Protocol Enhancements
• Server-Initiated Add
• LazinessΛಋೖͨ͠Βαʔόʔ͕AddΛ࡞ΕΔΑ͏ʹͳΔ
(Welcomeinit secretΛؚΉͷͰෆՄೳ)
• ݱࡏUser-Initiated AddͱGroup-Initiated AddผͷΈΛ
͍ͬͯΔ͕ɺinit secretඇಉظԽͰ͖Ε౷ҰͰ͖Δ͠ɺ
ೝূ͞ΕͨϝϯόʔWelcomeΛ߹Ͱ͖ΔΑ͏ʹͳΔ
• ͨͩ͠DH-like constructionͷϩοΫΠϯ͕༗Γಘͦ͏ͳͷ
ʹՃ͑ͯݕূ͕͠ΜͲͦ͏
Slide 34
Slide 34 text
ਐḿ
mls-protocol
• draft-08: 10݄ͷinterim
• draft-09: 11݄ͷIETF 106
• WGLCΛࢦ͢ͱͷ͜ͱ
Slide 35
Slide 35 text
ࠓޙಈͷupdateΛ
ใࠂ͍͚ͯ͠Εͱࢥ
͍·͢
͋ͱάϧʔϓ伴߹ҙʹ͍ͭͯݹయతͳconstructionҎ֎Λ༻͍Δํ
๏͋Γͦ͏…ʁ
Slide 36
Slide 36 text
No content
Slide 37
Slide 37 text
Other Security Related
Topics
Slide 38
Slide 38 text
IoTؔͷ(teep, suit,
rats)ଞͷํ͕͠Ό
Δͱࢥ͏ͷͰলུ
Slide 39
Slide 39 text
oauth.xyz
(࣮ࡍʹ͜ͷ໊લΛURLόʔʹಥͬࠐΉͱαΠτ͕ग़ͯ͘Δ)
OAuth 2.0ଟ͘ͷϢʔεέʔεΛΧόʔͨ͠ΓηΩϡϦςΟ্ͷ
ΛΧόʔ͢ΔͨΊʹଟ͘ͷ֦ு͕ग़͖͚ͯͨΕͲɺಉ͡
Λෳͷํ๏Ͱղܾ͢ΔΑ͏ͳෳࡶੑΛੜΈग़ͯ͠͠·ͬͨɻ
τϥϯβΫγϣϯϞσϧ(Ұͭͷtransaction IDΛத৺ʹɺػೳΛ
͚͍ͯ͘͠߹τϥϯβΫγϣϯʹ伴ΛՃ͍ͯ͘͠ɺͱ͍
͏ํࣜ)Ͱཧ͠ͳ͓ͦ͏ɺͱ͍͏ࢼΈɻ
Slide 40
Slide 40 text
Dragonblood
ANRWͷinvited talkɻWPA3ͷDragonflyϋϯυγΣΠΫʹαΠυ
νϟωϧ߈ܸ੬ऑੑ͕͋Γ·͢ɺͱ͍͏ɻ
ύεϫʔυΛପԁۂઢ͋Δ͍༗ݶମ্ͷཁૉʹม͢Δࡍ(hash-
to-curve/group)ͷ࣮͕·ͣ͘ɺύεϫʔυʹΑͬͯࢼߦճ͕ม
Θͬͯ͠·͏ͨΊɺ࣮ߦ࣌ؒΛଌఆ͢Δ͜ͱͰύεϫʔυಛఆͷ
ͨΊͷใΛऔΓग़ͤΔɻ
ͳ͓ɺ͜ͷൃදͷ͋ͱ͞ΒʹՃͰCVE-2019-13377/13456͕ಉ
ҰஶऀʹΑΓൃද͞Εͨɻ
Slide 41
Slide 41 text
TLS 1.3 Impact on Network
Based Security Solutions
TLS 1.3ͰϛυϧϘοΫε͕ఏڙ͍ͯͨ͠ηΩϡϦςΟػೳ͕Ͳ͏
յΕΔ͔ͷ·ͱΊɻյΕΔ͔Βͤɺͱ͍͏ओுͰͳ͘ɺӨڹ
ൣғΛ໌Β͔ʹ͢Δ͜ͱΛతͱ͍ͯ͠Δͷɻʢͱ͍͑ɺଟ
ͦ͏͍͏ؚ·Ε͍ͯͦ͏ͩΑͳ͋…ʣInformational RFCͱ͢
Δ͜ͱΛࢦ͍ͯ͠Δɻ
https:/
/datatracker.ietf.org/meeting/105/materials/slides-105-tls-
sessb-tls-impact-on-network-security-00
Slide 42
Slide 42 text
ଟೖΓ͖Βͳ͍ͱࢥ͏DNS
ؔࠓճׂѪ
• ANRW: Oblivious DNS, Who Is Answering My Queries (DNS
interceptionͷଌఆ), What Can You Learn from an IP?
• dnsop
• add (Applications Doing DNS)
Ͳ͔͜Ͱެ։༧ఆʁ