AWS KMSの Encryption Contextを利用して より安全に暗号化する

Transcript

1. "84
   ,.4ͷ
   &ODSZQUJPO
   $POUFYUΛར༻ͯ͠
   ΑΓ҆શʹ҉߸Խ͢Δ (JU)VC
   !RVJWFS

2. ͓఻͍͑ͨ͜͠ͱ "84
   ,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYU
   Λ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏ 

3. ೝূ෇͖҉߸ͱ͸

4. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption
   ͋Δ͍͸
   AEAD:Authenticated Encryption with Associated Data
   ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz
   

   IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'#
   ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ
   ׬શੑ ೝূੑ ͷ߹Θٕͤ 

5. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption
   ͋Δ͍͸
   AEAD:Authenticated Encryption with Associated Data
   ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz
   

   IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'#
   ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ
   ׬શੑ ೝূੑ ͷ߹Θٕͤ 

6. ༻ޠઆ໌ w ൿಗੑ Confidentiality
   w ୈࡾऀͷ౪ௌΛ๷͙ɻผ໊ʮػີੑʯ
   w ׬શੑ Integrity

   
   w σʔλ͕ਖ਼ਅਖ਼໏ຊ෺ɻվ͟ΜΛ๷͙ɻผ໊ʮਖ਼ਅੑʯ
   w ೝূੑ Authenticity
   w ຊਓͰ͋Δ͜ͱΛ֬ೝɻͳΓ͢·͠Λ๷͙ɻ 

7. "84
   ,.4Ͱ
   ೝূ෇͖҉߸Λ࢖͏

8. ݩωλ ʰ"84
   4PMVUJPOT
   "SDIJUFDU
   ϒϩά
   
   
 "84
   ,FZ
   .BOBHFNFOU
   4FSWJDF
   ͱ &ODSZQUJPO$POUFYUΛར༻ͯ͠҉߸Խ
 σʔλͷ׬શੑΛอޢ͢Δํ๏ʱ
   IUUQBXTUZQFQBEDPNTBKQIPXUPQSPUFDUUIFJOUFHSJUZPGZPVSFODSZQUFEEBUBCZVTJOHBXTLFZNBOBHFNFOUIUNM 

9. "84
   ,.4ͱ͸ w σʔλͷ҉߸Խʹ࢖༻͞ΕΔ҉߸ԽΩʔͷ࡞੒ͱ؅ ཧΛ༰қʹ͢ΔϚωʔδυܕαʔϏε
   w "84
   ,.4͕؅ཧ͢Δڞ௨伴Λ࢖ͬͯσʔλͷ҉߸ɾ ෮߸͕Ͱ͖Δ
   w ৄ͘͠͸ˠ
   IUUQTBXTBNB[PODPNLNT 

10. Α͋͘ΔΞϓϦέʔγϣϯ w σʔλϕʔεʹ҉߸Խͨ͠σʔλΛอଘ
    w σʔλͷ҉߸ɾ෮߸ʹ͸"84
    ,.4Λ࢖͏ 

11. φΠʔϒ࣮૷

12. ΍ͬͯΈͨ w ಉ͡伴Λ࢖ͬͯ
    kms::Encrypt
    Ͱ҉߸Խ  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( CiphertextBlob = ciphertext)['Plaintext']

13. ҉߸෮߸ͷྲྀΕ 

14. σʔλ͕ॻ͖׵͑ΒΕͨΒʁ 

15. ໰୊఺ w 伴͕ಉ͡ͳͷͰ෮߸Մೳ
    w ରশ伴҉߸୯ମͰ͸σʔλ͕ॻ͖׵Θ͍ͬͯΔ͜ͱ վ͟Μ ʹؾ͔ͮͳ͍ˠ*OUFHSJUZ ׬શੑ Λຬͨͤ ͯͳ͍

    

16. &ODSZQUJPO
    $POUFYU
    Ͱվ͟Μ๷ࢭ࣮ͨ͠૷

17. &ODSZQUJPO
    $POUFYUͱ͸ w ҉߸ɾ෮߸࣌ʹ౉͢ΩʔɾόϦϡʔϖΞ
    w "EEJUJPOBM
    "VUIFOUJDBUFE
    %BUB ""% ͱͯ͠ ϝοηʔδೝূίʔυ ."$ ͷੜ੒ʹར༻
    

    w ."$͸ʮ׬શੑʯͱʮೝূੑʯΛอূ
    w &ODSZQUJPO$POUFYU͸ೝূ͖ͭ҉߸ͷ,.4࣮૷
    IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFDSZQUP@BVUIFOIUNM
    
 IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFFODSZQUJPODPOUFYUIUNM 

18. ΍ͬͯΈͨ w ҉߸࣌ʹ
    EncryptionContext
    Λ౉͢  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, EncryptionContext={'user': '1234'}, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( EncryptionContext={'user': '1234'}, CiphertextBlob = ciphertext)['Plaintext']

19. σʔλ͕ॻ͖׵͑ΒΕͨΒ w &ODSZQUJPO$POUFYU 㲈."$஋ ͕Ұக͠ͳ͚Ε͹
    InvalidCiphertextException
    ͕ൃੜ  # Decrypt decrypted

    = kms.decrypt( EncryptionContext={'user': '1235'}, CiphertextBlob = ciphertext)[‘Plaintext'] ⇒ {"__type":"InvalidCiphertextException"}

20. &ODSZQUJPO$POUFYUͷ஫ҙ఺ w &ODSZQUJPO$POUFYU͸҉߸Խ͞Εͳ͍
    w ηϯγςΟϒͳσʔλ͸ར༻͠ͳ͍
    w $MPVE5SBJMͷϩάΛ༗ޮʹ͍ͯ͠ΔͱɺฏจͰ4 ʹอଘ͞ΕΔ
    w ϢʔβʔσʔλͰ͋Ε͹Ϣʔβʔ*%ͷΑ͏ʹσʔλ

    ʹඥ෇͍ͨ৘ใΛར༻͢Δ 

21. "84ͷར༻ྫ w "84αʔϏεͷ,.4αʔόʔαΠυ҉߸Ͱ͸
    &ODSZQUJPO
    $POUFYUΛ׆༻  "84
    4FSWJDF &ODSZQUJPO
    $POUFYU &#4 "encryptionContext": {

    "aws:ebs:id": "vol-2cfb133e" } 4 "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name"}

22. ·ͱΊ

23. ͓఻͍͑ͨ͜͠ͱ "84
    ,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYU
    Λ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏