Save 37% off PRO during our Black Friday Sale! »

AWS KMSの Encryption Contextを利用して より安全に暗号化する

351ad6de24f57760f9275bc0ad06e564?s=47 quiver
December 06, 2015

AWS KMSの Encryption Contextを利用して より安全に暗号化する

~JAWS-UG京王線 第4回 攻めと守りのセキュリティ&監視~2015/12/06
Keywords : AWS KMS, Encryption Context, Cryptography, AEAD, AE, AAD

351ad6de24f57760f9275bc0ad06e564?s=128

quiver

December 06, 2015
Tweet

Transcript

  1. "84,.4ͷ &ODSZQUJPO$POUFYUΛར༻ͯ͠ ΑΓ҆શʹ҉߸Խ͢Δ (JU)VC!RVJWFS

  2. ͓఻͍͑ͨ͜͠ͱ "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYUΛ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏ 

  3. ೝূ෇͖҉߸ͱ͸

  4. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption͋Δ͍͸AEAD:Authenticated Encryption with Associated Data ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz

    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'# ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ ׬શੑ ೝূੑ ͷ߹Θٕͤ 
  5. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption͋Δ͍͸AEAD:Authenticated Encryption with Associated Data ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz

    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'# ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ ׬શੑ ೝূੑ ͷ߹Θٕͤ 
  6. ༻ޠઆ໌ w ൿಗੑ Confidentiality  w ୈࡾऀͷ౪ௌΛ๷͙ɻผ໊ʮػີੑʯ w ׬શੑ Integrity

     w σʔλ͕ਖ਼ਅਖ਼໏ຊ෺ɻվ͟ΜΛ๷͙ɻผ໊ʮਖ਼ਅੑʯ w ೝূੑ Authenticity  w ຊਓͰ͋Δ͜ͱΛ֬ೝɻͳΓ͢·͠Λ๷͙ɻ 
  7. "84,.4Ͱ ೝূ෇͖҉߸Λ࢖͏

  8. ݩωλ ʰ"844PMVUJPOT"SDIJUFDUϒϩά
 "84,FZ.BOBHFNFOU4FSWJDFͱ &ODSZQUJPO$POUFYUΛར༻ͯ͠҉߸Խ
 σʔλͷ׬શੑΛอޢ͢Δํ๏ʱ IUUQBXTUZQFQBEDPNTBKQIPXUPQSPUFDUUIFJOUFHSJUZPGZPVSFODSZQUFEEBUBCZVTJOHBXTLFZNBOBHFNFOUIUNM 

  9. "84,.4ͱ͸ w σʔλͷ҉߸Խʹ࢖༻͞ΕΔ҉߸ԽΩʔͷ࡞੒ͱ؅ ཧΛ༰қʹ͢ΔϚωʔδυܕαʔϏε w "84,.4͕؅ཧ͢Δڞ௨伴Λ࢖ͬͯσʔλͷ҉߸ɾ ෮߸͕Ͱ͖Δ w ৄ͘͠͸ˠIUUQTBXTBNB[PODPNLNT 

  10. Α͋͘ΔΞϓϦέʔγϣϯ w σʔλϕʔεʹ҉߸Խͨ͠σʔλΛอଘ w σʔλͷ҉߸ɾ෮߸ʹ͸"84,.4Λ࢖͏ 

  11. φΠʔϒ࣮૷

  12. ΍ͬͯΈͨ w ಉ͡伴Λ࢖ͬͯkms::EncryptͰ҉߸Խ  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( CiphertextBlob = ciphertext)['Plaintext']
  13. ҉߸෮߸ͷྲྀΕ 

  14. σʔλ͕ॻ͖׵͑ΒΕͨΒʁ 

  15. ໰୊఺ w 伴͕ಉ͡ͳͷͰ෮߸Մೳ w ରশ伴҉߸୯ମͰ͸σʔλ͕ॻ͖׵Θ͍ͬͯΔ͜ͱ վ͟Μ ʹؾ͔ͮͳ͍ˠ*OUFHSJUZ ׬શੑ Λຬͨͤ ͯͳ͍

    
  16. &ODSZQUJPO$POUFYU Ͱվ͟Μ๷ࢭ࣮ͨ͠૷

  17. &ODSZQUJPO$POUFYUͱ͸ w ҉߸ɾ෮߸࣌ʹ౉͢ΩʔɾόϦϡʔϖΞ w "EEJUJPOBM"VUIFOUJDBUFE%BUB ""% ͱͯ͠ ϝοηʔδೝূίʔυ ."$ ͷੜ੒ʹར༻

    w ."$͸ʮ׬શੑʯͱʮೝূੑʯΛอূ w &ODSZQUJPO$POUFYU͸ೝূ͖ͭ҉߸ͷ,.4࣮૷ IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFDSZQUP@BVUIFOIUNM
 IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFFODSZQUJPODPOUFYUIUNM 
  18. ΍ͬͯΈͨ w ҉߸࣌ʹEncryptionContextΛ౉͢  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, EncryptionContext={'user': '1234'}, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( EncryptionContext={'user': '1234'}, CiphertextBlob = ciphertext)['Plaintext']
  19. σʔλ͕ॻ͖׵͑ΒΕͨΒ w &ODSZQUJPO$POUFYU 㲈."$஋ ͕Ұக͠ͳ͚Ε͹ InvalidCiphertextException͕ൃੜ  # Decrypt decrypted

    = kms.decrypt( EncryptionContext={'user': '1235'}, CiphertextBlob = ciphertext)[‘Plaintext'] ⇒ {"__type":"InvalidCiphertextException"}
  20. &ODSZQUJPO$POUFYUͷ஫ҙ఺ w &ODSZQUJPO$POUFYU͸҉߸Խ͞Εͳ͍ w ηϯγςΟϒͳσʔλ͸ར༻͠ͳ͍ w $MPVE5SBJMͷϩάΛ༗ޮʹ͍ͯ͠ΔͱɺฏจͰ4 ʹอଘ͞ΕΔ w ϢʔβʔσʔλͰ͋Ε͹Ϣʔβʔ*%ͷΑ͏ʹσʔλ

    ʹඥ෇͍ͨ৘ใΛར༻͢Δ 
  21. "84ͷར༻ྫ w "84αʔϏεͷ,.4αʔόʔαΠυ҉߸Ͱ͸ &ODSZQUJPO$POUFYUΛ׆༻  "844FSWJDF &ODSZQUJPO$POUFYU &#4 "encryptionContext": {

    "aws:ebs:id": "vol-2cfb133e" } 4 "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name"}
  22. ·ͱΊ

  23. ͓఻͍͑ͨ͜͠ͱ "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYUΛ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏