Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS KMSの Encryption Contextを利用して より安全に暗号化する

quiver
December 06, 2015
Technology
1
32k

AWS KMSの Encryption Contextを利用して より安全に暗号化する

~JAWS-UG京王線 第4回 攻めと守りのセキュリティ&監視~2015/12/06
Keywords : AWS KMS, Encryption Context, Cryptography, AEAD, AE, AAD

quiver

December 06, 2015
Tweet

More Decks by quiver

See All by quiver
GopherのMakefile愛はどこからきているのか教えてほしい #fukuokago/Gophers love Makefile
quiver
2
250
AWSの初級者向けAI・ML資格『AWS Certified AI Practitioner』の傾向と対策/So You Want To Pass AWS Certified AI Practitioner
quiver
1
2k
AWSクラウド活用の 強力な味方 AWSサポートの使い方 | Classmethod Odyssey 2024/Effective AWS Support
quiver
0
350
RAGだけじゃない! 古くて新しいベクトル検索の世界 | DevelopersIO 2024 福岡
quiver
3
1.8k
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
590
AWSクラウドでコンピュータ将棋を動かそう! : DevelopersIO 2021 Decade
quiver
0
2.7k
目指せ、爆速サイト!Cloudinaryで始める画像最適化|Developers IO 2020 Connect
quiver
0
2.2k
パルコミュージアムに画像センシングIoTを導入して客層分析してみた
quiver
0
3.6k
クラスメソッド(株)のIoT事例とバックエンド技術の変遷
quiver
3
3.3k

Other Decks in Technology

See All in Technology
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
290
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.3k
複雑なState管理からの脱却
sansantech
PRO
1
140
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
200
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
100
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
Typedesign – Prime Four
hannesfritz
40
2.4k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Documentation Writing (for coders)
carmenintech
65
4.4k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
The Pragmatic Product Professional
lauravandoore
31
6.3k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Six Lessons from altMBA
skipperchong
27
3.5k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Build your cross-platform service in a week with App Engine
jlugia
229
18k

Transcript

  1. "84,.4ͷ &ODSZQUJPO$POUFYUΛར༻ͯ͠ ΑΓ҆શʹ҉߸Խ͢Δ (JU)VC!RVJWFS

  2. ͓఻͍͑ͨ͜͠ͱ "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYUΛ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏ 

  3. ೝূ෇͖҉߸ͱ͸

  4. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption͋Δ͍͸AEAD:Authenticated Encryption with Associated Data ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz

    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'# ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ ׬શੑ ೝূੑ ͷ߹Θٕͤ 

  5. ೝূ෇͖҉߸ͱ͸ lೝূ෇͖҉߸ʢAE:Authenticated Encryption͋Δ͍͸AEAD:Authenticated Encryption with Associated Data ͱ͸ɺ σʔλͷൿಗੑɺ׬શੑɺ͓ΑͼೝূੑΛಉ࣌ʹ ఏڙ͢Δ҉߸ར༻ϞʔυͰ͋Δɻz

    IUUQTKBXJLJQFEJBPSHXJLJ&""%&"#$&##&%&"&'# ࣮ଶ͸ର৅҉߸ ൿಗੑ ͱϝοηʔδೝূίʔυ ׬શੑ ೝূੑ ͷ߹Θٕͤ 

  6. ༻ޠઆ໌ w ൿಗੑ Confidentiality  w ୈࡾऀͷ౪ௌΛ๷͙ɻผ໊ʮػີੑʯ w ׬શੑ Integrity

     w σʔλ͕ਖ਼ਅਖ਼໏ຊ෺ɻվ͟ΜΛ๷͙ɻผ໊ʮਖ਼ਅੑʯ w ೝূੑ Authenticity  w ຊਓͰ͋Δ͜ͱΛ֬ೝɻͳΓ͢·͠Λ๷͙ɻ 

  7. "84,.4Ͱ ೝূ෇͖҉߸Λ࢖͏

  8. ݩωλ ʰ"844PMVUJPOT"SDIJUFDUϒϩά
 "84,FZ.BOBHFNFOU4FSWJDFͱ &ODSZQUJPO$POUFYUΛར༻ͯ͠҉߸Խ
 σʔλͷ׬શੑΛอޢ͢Δํ๏ʱ IUUQBXTUZQFQBEDPNTBKQIPXUPQSPUFDUUIFJOUFHSJUZPGZPVSFODSZQUFEEBUBCZVTJOHBXTLFZNBOBHFNFOUIUNM 

  9. "84,.4ͱ͸ w σʔλͷ҉߸Խʹ࢖༻͞ΕΔ҉߸ԽΩʔͷ࡞੒ͱ؅ ཧΛ༰қʹ͢ΔϚωʔδυܕαʔϏε w "84,.4͕؅ཧ͢Δڞ௨伴Λ࢖ͬͯσʔλͷ҉߸ɾ ෮߸͕Ͱ͖Δ w ৄ͘͠͸ˠIUUQTBXTBNB[PODPNLNT 

  10. Α͋͘ΔΞϓϦέʔγϣϯ w σʔλϕʔεʹ҉߸Խͨ͠σʔλΛอଘ w σʔλͷ҉߸ɾ෮߸ʹ͸"84,.4Λ࢖͏ 

  11. φΠʔϒ࣮૷

  12. ΍ͬͯΈͨ w ಉ͡伴Λ࢖ͬͯkms::EncryptͰ҉߸Խ  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( CiphertextBlob = ciphertext)['Plaintext']

  13. ҉߸෮߸ͷྲྀΕ 

  14. σʔλ͕ॻ͖׵͑ΒΕͨΒʁ 

  15. ໰୊఺ w 伴͕ಉ͡ͳͷͰ෮߸Մೳ w ରশ伴҉߸୯ମͰ͸σʔλ͕ॻ͖׵Θ͍ͬͯΔ͜ͱ վ͟Μ ʹؾ͔ͮͳ͍ˠ*OUFHSJUZ ׬શੑ Λຬͨͤ ͯͳ͍

    

  16. &ODSZQUJPO$POUFYU Ͱվ͟Μ๷ࢭ࣮ͨ͠૷

  17. &ODSZQUJPO$POUFYUͱ͸ w ҉߸ɾ෮߸࣌ʹ౉͢ΩʔɾόϦϡʔϖΞ w "EEJUJPOBM"VUIFOUJDBUFE%BUB ""% ͱͯ͠ ϝοηʔδೝূίʔυ ."$ ͷੜ੒ʹར༻

    w ."$͸ʮ׬શੑʯͱʮೝূੑʯΛอূ w &ODSZQUJPO$POUFYU͸ೝূ͖ͭ҉߸ͷ,.4࣮૷ IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFDSZQUP@BVUIFOIUNM
 IUUQEPDTBXTBNB[PODPNLNTMBUFTUEFWFMPQFSHVJEFFODSZQUJPODPOUFYUIUNM 

  18. ΍ͬͯΈͨ w ҉߸࣌ʹEncryptionContextΛ౉͢  # Encrypt ciphertext = kms.encrypt( KeyId

    = KEYID, EncryptionContext={'user': '1234'}, Plaintext = plaintext)['CiphertextBlob'] # Decrypt decrypted = kms.decrypt( EncryptionContext={'user': '1234'}, CiphertextBlob = ciphertext)['Plaintext']

  19. σʔλ͕ॻ͖׵͑ΒΕͨΒ w &ODSZQUJPO$POUFYU 㲈."$஋ ͕Ұக͠ͳ͚Ε͹ InvalidCiphertextException͕ൃੜ  # Decrypt decrypted

    = kms.decrypt( EncryptionContext={'user': '1235'}, CiphertextBlob = ciphertext)[‘Plaintext'] ⇒ {"__type":"InvalidCiphertextException"}

  20. &ODSZQUJPO$POUFYUͷ஫ҙ఺ w &ODSZQUJPO$POUFYU͸҉߸Խ͞Εͳ͍ w ηϯγςΟϒͳσʔλ͸ར༻͠ͳ͍ w $MPVE5SBJMͷϩάΛ༗ޮʹ͍ͯ͠ΔͱɺฏจͰ4 ʹอଘ͞ΕΔ w ϢʔβʔσʔλͰ͋Ε͹Ϣʔβʔ*%ͷΑ͏ʹσʔλ

    ʹඥ෇͍ͨ৘ใΛར༻͢Δ 

  21. "84ͷར༻ྫ w "84αʔϏεͷ,.4αʔόʔαΠυ҉߸Ͱ͸ &ODSZQUJPO$POUFYUΛ׆༻  "844FSWJDF &ODSZQUJPO$POUFYU &#4 "encryptionContext": {

    "aws:ebs:id": "vol-2cfb133e" } 4 "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name"}

  22. ·ͱΊ

  23. ͓఻͍͑ͨ͜͠ͱ "84,.4Ͱ҉߸Խ͢Δͱ͖ʹ &ODSZQUJPO$POUFYUΛ࢖͏ͱ
 ʮൿಗʯʮ׬શʯʮೝূʯΛಉ࣌ʹ
 ຬͨ͢ೝূ෇͖҉߸ʹͳΔΑɻ
 ੵۃతʹ࢖͓͏