Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS KMSの Encryption Contextを利用して より安全に暗号化する

quiver
December 06, 2015

AWS KMSの Encryption Contextを利用して より安全に暗号化する

~JAWS-UG京王線 第4回 攻めと守りのセキュリティ&監視~2015/12/06
Keywords : AWS KMS, Encryption Context, Cryptography, AEAD, AE, AAD

quiver

December 06, 2015
Tweet

More Decks by quiver

Other Decks in Technology

Transcript

  1. "84,.4ͷ
    &ODSZQUJPO$POUFYUΛར༻ͯ͠
    ΑΓ҆શʹ҉߸Խ͢Δ
    (JU)VC!RVJWFS

    View full-size slide

  2. ͓఻͍͑ͨ͜͠ͱ
    "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ
    &ODSZQUJPO$POUFYUΛ࢖͏ͱ

    ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ

    ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ

    ੵۃతʹ࢖͓͏

    View full-size slide

  3. ೝূ෇͖҉߸ͱ͸

    View full-size slide

  4. ೝূ෇͖҉߸ͱ͸
    lೝূ෇͖҉߸ʢAE:Authenticated
    Encryption͋Δ͍͸AEAD:Authenticated
    Encryption with Associated Data
    ͱ͸ɺ
    σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ
    ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz
    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'#
    ࣮ଶ͸ର৅҉߸ ൿಗੑ
    ͱϝοηʔδೝূίʔυ
    ׬શੑೝূੑ
    ͷ߹Θٕͤ

    View full-size slide

  5. ೝূ෇͖҉߸ͱ͸
    lೝূ෇͖҉߸ʢAE:Authenticated
    Encryption͋Δ͍͸AEAD:Authenticated
    Encryption with Associated Data
    ͱ͸ɺ
    σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ
    ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz
    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'#
    ࣮ଶ͸ର৅҉߸ ൿಗੑ
    ͱϝοηʔδೝূίʔυ
    ׬શੑೝূੑ
    ͷ߹Θٕͤ

    View full-size slide

  6. ༻ޠઆ໌
    w ൿಗੑ Confidentiality

    w ୈࡾऀͷ౪ௌΛ๷͙ɻผ໊ʮػີੑʯ
    w ׬શੑ Integrity

    w σʔλ͕ਖ਼ਅਖ਼໏ຊ෺ɻվ͟ΜΛ๷͙ɻผ໊ʮਖ਼ਅੑʯ
    w ೝূੑ Authenticity

    w ຊਓͰ͋Δ͜ͱΛ֬ೝɻͳΓ͢·͠Λ๷͙ɻ

    View full-size slide

  7. "84,.4Ͱ
    ೝূ෇͖҉߸Λ࢖͏

    View full-size slide

  8. ݩωλ
    ʰ"844PMVUJPOT"SDIJUFDUϒϩά

    "84,FZ.BOBHFNFOU4FSWJDFͱ
    &ODSZQUJPO$POUFYUΛར༻ͯ͠҉߸Խ

    σʔλͷ׬શੑΛอޢ͢Δํ๏ʱ
    IUUQBXTUZQFQBEDPNTBKQIPXUPQSPUFDUUIFJOUFHSJUZPGZPVSFODSZQUFEEBUBCZVTJOHBXTLFZNBOBHFNFOUIUNM

    View full-size slide

  9. "84,.4ͱ͸
    w σʔλͷ҉߸Խʹ࢖༻͞ΕΔ҉߸ԽΩʔͷ࡞੒ͱ؅
    ཧΛ༰қʹ͢ΔϚωʔδυܕαʔϏε
    w "84,.4͕؅ཧ͢Δڞ௨伴Λ࢖ͬͯσʔλͷ҉߸ɾ
    ෮߸͕Ͱ͖Δ
    w ৄ͘͠͸ˠIUUQTBXTBNB[PODPNLNT

    View full-size slide

  10. Α͋͘ΔΞϓϦέʔγϣϯ
    w σʔλϕʔεʹ҉߸Խͨ͠σʔλΛอଘ
    w σʔλͷ҉߸ɾ෮߸ʹ͸"84,.4Λ࢖͏

    View full-size slide

  11. φΠʔϒ࣮૷

    View full-size slide

  12. ΍ͬͯΈͨ
    w ಉ͡伴Λ࢖ͬͯkms::EncryptͰ҉߸Խ

    # Encrypt
    ciphertext = kms.encrypt(
    KeyId = KEYID,
    Plaintext = plaintext)['CiphertextBlob']
    # Decrypt
    decrypted = kms.decrypt(
    CiphertextBlob = ciphertext)['Plaintext']

    View full-size slide

  13. ҉߸෮߸ͷྲྀΕ

    View full-size slide

  14. σʔλ͕ॻ͖׵͑ΒΕͨΒʁ

    View full-size slide

  15. ໰୊఺
    w 伴͕ಉ͡ͳͷͰ෮߸Մೳ
    w ରশ伴҉߸୯ମͰ͸σʔλ͕ॻ͖׵Θ͍ͬͯΔ͜ͱ
    վ͟Μ
    ʹؾ͔ͮͳ͍ˠ*OUFHSJUZ ׬શੑ
    Λຬͨͤ
    ͯͳ͍

    View full-size slide

  16. &ODSZQUJPO$POUFYU
    Ͱվ͟Μ๷ࢭ࣮ͨ͠૷

    View full-size slide

  17. &ODSZQUJPO$POUFYUͱ͸
    w ҉߸ɾ෮߸࣌ʹ౉͢ΩʔɾόϦϡʔϖΞ
    w "EEJUJPOBM"VUIFOUJDBUFE%BUB ""%
    ͱͯ͠
    ϝοηʔδೝূίʔυ ."$
    ͷੜ੒ʹར༻
    w ."$͸ʮ׬શੑʯͱʮೝূੑʯΛอূ
    w &ODSZQUJPO$POUFYU͸ೝূ͖ͭ҉߸ͷ,.4࣮૷
    IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFDSZQUP@BVUIFOIUNM

    IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFFODSZQUJPODPOUFYUIUNM

    View full-size slide

  18. ΍ͬͯΈͨ
    w ҉߸࣌ʹEncryptionContextΛ౉͢

    # Encrypt
    ciphertext = kms.encrypt(
    KeyId = KEYID,
    EncryptionContext={'user': '1234'},
    Plaintext = plaintext)['CiphertextBlob']
    # Decrypt
    decrypted = kms.decrypt(
    EncryptionContext={'user': '1234'},
    CiphertextBlob = ciphertext)['Plaintext']

    View full-size slide

  19. σʔλ͕ॻ͖׵͑ΒΕͨΒ
    w &ODSZQUJPO$POUFYU 㲈."$஋
    ͕Ұக͠ͳ͚Ε͹
    InvalidCiphertextException͕ൃੜ

    # Decrypt
    decrypted = kms.decrypt(
    EncryptionContext={'user': '1235'},
    CiphertextBlob = ciphertext)[‘Plaintext']

    {"__type":"InvalidCiphertextException"}

    View full-size slide

  20. &ODSZQUJPO$POUFYUͷ஫ҙ఺
    w &ODSZQUJPO$POUFYU͸҉߸Խ͞Εͳ͍
    w ηϯγςΟϒͳσʔλ͸ར༻͠ͳ͍
    w $MPVE5SBJMͷϩάΛ༗ޮʹ͍ͯ͠ΔͱɺฏจͰ4
    ʹอଘ͞ΕΔ
    w ϢʔβʔσʔλͰ͋Ε͹Ϣʔβʔ*%ͷΑ͏ʹσʔλ
    ʹඥ෇͍ͨ৘ใΛར༻͢Δ

    View full-size slide

  21. "84ͷར༻ྫ
    w "84αʔϏεͷ,.4αʔόʔαΠυ҉߸Ͱ͸
    &ODSZQUJPO$POUFYUΛ׆༻

    "844FSWJDF &ODSZQUJPO$POUFYU

    "encryptionContext": { "aws:ebs:id":
    "vol-2cfb133e" }
    4
    "encryptionContext": { "aws:s3:arn":
    "arn:aws:s3:::bucket_name/file_name"}

    View full-size slide

  22. ͓఻͍͑ͨ͜͠ͱ
    "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ
    &ODSZQUJPO$POUFYUΛ࢖͏ͱ

    ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ

    ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ

    ੵۃతʹ࢖͓͏

    View full-size slide