TLS徹底演習

5-4పఈԋश
4FDVSJUZ$BNQ
**+େ௡ൟथ
೥݄೔
7FS

View Slide

ࣗݾ঺հ
w גࣜձࣾΠϯλʔωοτΠχγΞςΟϒ **+

w ܦӦاըຊ෦഑৴ࣄۀਪਐ෦
w ΦʔϓϯιʔεϓϩδΣΫτ/PEFKTͷ$PSF
5FDIOJDBM$PNNJUUFFϝϯόʔɺ5-4DSZQUPؔ
࿈ػೳͷٕज़୲౰ɻ

View Slide

ຊߨٛͷ໨త
w 5-4Λపఈతʹཧղͯ͠΋Β͏ɻ
w Ͱ΋5-4͸֤छηΩϡϦςΟٕज़ͷू߹ମɺͦΕͧΕ͕ਂ
ͯ͘೉͍͠ɻ̔࣌ؒ͋ͬͯ΋શ෦͸ແཧɻ
w ͦ͜Ͱ̏ͭʹ෼͚·ͨ͠ɻ
࠲ֶɿٕज़ऀʹͱͬͯͳͥ͜Ε͔Β5-4͕ॏཁ͔
ߨٛɾԋशɿ5-4ϋϯυγΣΠΫΛֶͿ
ߨٛɾԋशɿ5-4ٕज़ͷίΞɺ҉߸ٕज़ΛֶͿ

View Slide

ຊ೔ͷߨٛͷྲྀΕ
w ߨٛɿ5-4ͷ֓ཁ
w ߨٛɿ5-4Λཧղ͢Δ४උ ಛʹ"&"%

w ߨٛɾԋशɿ5-4ϋϯυγΣΠΫઆ໌ɺ5-4#PUͱ
5-4ϋϯυγΣΠΫ͠Α͏ɺϦΞϧ.BOJO5IF
.JEEMF
w ߨٛɾԋश$IB$IB1PMZͷ࣮૷

View Slide

5-4ͷ֓ཁ

View Slide

ΠϯλʔωοτͷڴҖ
౪ௌ
ύεϫʔυ΍ΫϨδο
τΧʔυ൪߸Λ౪Έݟ

View Slide

վ͟Μ
௨৴్தͰσʔλΛॻ͖׵͑

View Slide

ͳΓ͢·͠
ϢʔβʹͳΓ͢·
ͯ͠௨৴Λߦ͏

View Slide

൱ೝ
ͦΜͳ௨৴ͯ͠·
ͤΜͱΩϟϯηϧ

View Slide

ΠϯλʔωοτͷڴҖ͔ΒकΔηΩϡϦςΟ
ରࡦ
౪ௌ
վ͟Μ ੒Γ͢
·͠
൱ೝ
҉߸Խ
׬શੑνΣοΫ ೝূ
ॺ໊

View Slide

֤ϨΠϠʔʹ͓͚ΔηΩϡϦςΟ௨৴
WPA
IPsec
TLS,DTLS,SSH
S/MIME, PGP
ແઢLAN
IP
TCP, UDP
σʔλ
ࠓ೔ͷओ୊

View Slide

TLSͷ໨త
• TLSϓϩτίϧͷ࠷ॏཁͳΰʔϧ͸ɺ௨৴͢Δ̎ͭͷΞϓϦέʔγ
ϣϯͷؒͰϓϥΠόγʔͱσʔλͷ׬શੑΛఏڙ͢Δ͜ͱͰ͢ɻ
RFC5246: The Transport Layer Security (TLS) Protocol Version 1.2
1. Introduction
The primary goal of the TLS protocol is to provide privacy and data
integrity between two communicating applications.
ΞϓϦ ΞϓϦ
׬શੑ
ϓϥΠόγʔ

View Slide

5-4ͷ؆୯ͳྺ࢙
44- ະൃද

೥ 44-
೥ 44-
೥ *&5'5-48(ελʔτ
೥ 5-4
೥ 5-4
೥ 5-4
೥ 5-4ݕ౼ελʔτ
೥ 5-4࢓༷Խ׬ྃʁ
44-͸چωοτεέʔϓࣾ
ͷࢲతϓϩτίϧ
େਓͷࣄ৘Ͱ໊শมߋ
44-ͱجຊઃܭ͸େ͖͘ม͑ͣվྑ
༷ʑͳػೳ֦ு
ۙ೔8(ϥετίʔϧΛ໨ඪ
·ͩΘ͔Γ·ͤΜ
%308/
100%-&
#&"45

View Slide

5-4ͷҐஔ෇͚
5$1
5-4
*1 WW

&UIFSOFU
)551
)551ͷ࣌୅
ʙ
5-4ʙ
5-4ʙ

View Slide

5-4ͷҐஔ෇͚
5$1
5-4
*1 WW

&UIFSOFU
)551ηϚϯςΟΫε
5$1
*1 WW

&UIFSOFU
5-4
41%:
)551ηϚϯςΟΫε
)551
)551͔Β)551΁
ʙ ʙ
ϒϥ΢β͸5-4௨
৴ͷΈαϙʔτ
Ͳͷ5-4όʔ
δϣϯͰ΋0,

View Slide

5-4ͷҐஔ෇͚
26*$
*1 WW

5$1
6%1
5-4
&UIFSOFU
)551ηϚϯςΟΫε
)551
26*$҉߸ϓϩτίϧ
ʙ
)551ʙ

)551͔Β26*$΁
(PPHMFಠࣗ҉߸
ϓϩτίϧ

View Slide

5-4ͷҐஔ෇͚
26*$
*1 WW

5$1
6%1
&UIFSOFU
5-4
)551ηϚϯςΟΫε
)551 ʙʁ
26*$͔Β5-4΁
ʙ
౷Ұ͞ΕΔ༧ఆ

View Slide

ͳͥ5-4͕ॏཁ͔ʁ
ৗ࣌5-4࣌୅ͷ౸དྷ

View Slide

1FSWBTJWF4VSWFJMMBODF
޿ൣғͷ౪ௌߦҝ
w ࠃՈతͳ૊৫ ถࠃ/4"ͱӳࠃ($)2ͳͲ
͕ലେͳ
༧ࢉͰߦ͏޿ൣғͷ౪ௌߦҝ
w ೥݄ΤυϫʔυɾεϊʔσϯʹΑͬͯͦͷ
׆ಈ಺༰͕ϦʔΫ͞ΕΔɻ
Πϯλʔωοτి࿩ͷ๣डɾ؂ࢹɺσʔληϯλʔ
಺௨৴౪ௌɺ҉߸ղಡɺ҉߸όοΫυΞɺαΠόʔ߈
ܸ౳

View Slide

/4"ʹΑΔαΠόʔ߈ܸͷҰྫ
26"/56.
'09"$*%
IUUQXXXFYBNQMFDPN
XXXFYBNQMFDPN
Ϛϧ΢ΣΞΛૹΓࠐΉ
్தܦ࿏Ͱվ͟ΜίϯςϯπΛૹ৴
'09"$*%ʹ༠ಋ
վ͟Μίϯςϯπ
IUUQTXXXTDIOFJFSDPNCMPHBSDIJWFTIPX@UIF@OTB@BUUIUNM

View Slide

ϓϩτίϧٕज़ऀͷ༕ྀ
w ैདྷେن໛ͳઃඋͱ༧ࢉ͕ඞཁͰݱ࣮తʹ͸ແཧͱ
ݟΒΕ͖ͯͨ߈ܸ͕࣮ࡍʹߦΘΕ͍ͯͨɻ
w ެऺແઢ-"/ͷීٴͳͲ௨৴ͷ౪ௌɾվ͟Μ͕Մ
ೳͳ؀ڥ͕޿͕͖͍ͬͯͯΔɻ
w ޾͍࠷৽ͷٕज़Ͱ͔ͬ͠Γ҉߸Խ͞Εͨ௨৴·Ͱ͸
·ͩഁΒΕ͓ͯΒͣɺ҆શͰ͋Ζ͏ɻ

View Slide

ݕࡧαʔϏεձࣾͷ༕ྀ
w ݕࡧͷϖʔδϥϯΫ͕ߴ͍αΠτѼͷฏจ௨৴͸ɺ߈ܸର
৅ͱͯ͠౰વૂΘΕΔɻ
w ฏจ௨৴ͰϢʔβ͕ίϯςϯπվ͟Μ΍Ϛϧ΢ΣΞײછʹ
Αͬͯ%%P4߈ܸͷҰ୺Λ୲͏ڪΕ΋͋Γ (JUIVC΁ͷ߈
ܸྫ
ɻ
w ωοτίϯςϯπͷ݈શੑͷ௿Լ͸ɺ௕ظతʹݕࡧαʔ
Ϗε΁ͷ৴པੑΛଛͳ͏͜ͱʹͳΔɻ
4&0͸Ͳ͏ͳΔʁ

View Slide

*"#
ʹΑΔΠϯλʔωοτͷ
৴པੑʹؔ͢Δએݴ

w ৽͘͠ϓϩτίϧΛઃܭ͢Δࡍʹ͸ɺ҉߸ԽػೳΛඞ
ਢͱ͢΂͖ɻ
w ωοτϫʔΫӡ༻ऀ΍αʔϏεఏڙऀʹ҉߸Խ௨৴ͷ
ಋೖΛਪਐ͢ΔΑ͏ڧ͘ٻΊΔɻ
w ίϯςϯπϑΟϧλʔ΍*%4౳ฏจ௨৴͕ඞཁͳػೳ
ʹ͍ͭͯ͸কདྷతʹ୅ସٕज़ͷ։ൃʹऔΓ૊Ήɻ
*OUFSOFU"SDIJUFDUVSF#PBSE

IUUQTXXXJBCPSHJBCTUBUFNFOUPOJOUFSOFUDPOpEFOUJBMJUZ

View Slide

.P[JMMBʹΑΔ
҆શͰͳ͍)551ͷഇࢭએݴ
͋Δ࣌ظ͔Β৽نػೳ͸ɺ)5514͚ͩར༻Ͱ͖ΔΑ͏ʹ͢
Δɻ
ݱࡏ)551 ฏจ௨৴
Ͱར༻Ͱ͖ΔػೳͰɺϢʔβͷηΩϡ
ϦςΟ΍ϓϥΠόγʔʹϦεΫΛ༩͑Δ΋ͷΛ࡟আ͍ͯ͘͠
IUUQTCMPHNP[JMMBPSHTFDVSJUZEFQSFDBUJOHOPOTFDVSFIUUQ

View Slide

$ISPNFͷ)551্ͷػೳഇࢭ
$ISPNFͰ͸ɺԼهͷػೳΛ)551 ฏจ௨৴
Ͱར༻ېࢭ͢Δ༧ఆ
w Ґஔ৘ใΛऔಘ ഇࢭࡁ

w σόΠεͷಈ͖΍ํ޲Λૢ࡞
w ҉߸Խ͞ΕͨಈըԻ੠ͷ࠶ੜ
w ΧϝϥɾϚΠΫͳͲͷૢ࡞
w ΞϓϦέʔγϣϯͷΩϟογϡ৘ใͷૢ࡞
IUUQTTJUFTHPPHMFDPNBDISPNJVNPSHEFW)PNFDISPNJVNTFDVSJUZEFQSFDBUJOHQPXFSGVMGFBUVSFTPOJOTFDVSFPSJHJOT

View Slide

ৗ࣌5-4΁ࢸΔಓ
ৗ࣌5-4
ࠃՈϨϕϧͷ޿ൣғͳ౪ௌߦҝ
ωοτίϯςϯπ
ͷ݈શੑͷ֬อ
)551 ฏจ௨৴
্ͷ
ϒϥ΢βͷػೳഇࢭ
҉߸Խલఏͷ
৽ٕज़։ൃ
কདྷతͳ৽ٕज़͸5-4ར༻Λલఏͱ͢Δɻ
࠷ઌ୺ͷٕज़ऀ͸5-4Λආ͚ͯ௨Δ͜ͱ͸Ͱ͖ͳ͍ɻ
ແྉূ໌ॻ

View Slide

5-4Λཧղ͢Δ४උ

View Slide

TLSͷཁૉٕज़
X509ূ໌ॻ
PKI
ରশ
҉߸
҉߸Ϟʔυ
ެ։伴҉߸
σδλϧ
ॺ໊
ϝοηʔδೝূ
ཚ਺
ੜ੒
TLS
伴ަ׵
Ұํ޲ϋογϡ
TLSϓϩτίϧ͸ɺ͜ΕΒͷཁૉٕज़Λ૊Έ߹Θͤͯ
ΞϓϦؒͷηΩϡΞ௨৴Λཱ֬͢ΔखॱΛܾΊΔ

View Slide

TLSཁૉٕज़ͷґଘੑ
X509ূ໌
ॻ
PKI
ରশ
҉߸
҉߸Ϟʔυ
ެ։伴҉
߸
σδλϧ
ॺ໊
ϝοηʔδೝূ
ཚ਺
ੜ੒
伴ަ׵ Ұํ޲ϋογϡ
ຊདྷ͸͜ͷҰͭҰͭΛ͖ͪΜͱཧղ͢Δ͜ͱ͕ඞཁ

View Slide

TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ
ClientHello
ServerHelloDone
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
Application Data
Application Data
ཚ਺ੜ੒
ରশ҉߸ɾ҉߸ϞʔυɾҰํ޲ϋογϡɾཚ਺ੜ੒
1,*ɾ9ূ໌ॻɾσδλϧॺ໊
ཚ਺ੜ੒
ServerHello
Certificate
ClientKeyExchange
ServerKeyExchange
ཚ਺ੜ੒ɾ伴ަ׵ɾ
ެ։伴҉߸ɾσδλϧॺ໊
ϝοηʔδೝূ
ରশ҉߸ɾ҉߸Ϟʔυ
ϝοηʔδೝূ
ରশ҉߸ɾ҉߸Ϟʔυ
ཚ਺ੜ੒ɾ伴ަ׵
σδλϧॺ໊

View Slide

TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ
ཚ਺ੜ੒ $MJFOU4FSWFS)FMMPͷ/PODF 伴ϖΞͷੜ੒σʔλ҉߸Խͷ*7
1,* $"ʹΑΔαʔόূ໌ॻͷॺ໊ͱൃߦ
9ূ໌ॻ $FSUJpDBUFʹΑΔαʔόɾΫϥΠΞϯτͷೝূɾެ։伴ͷऔಘ
ిࢠॺ໊ ূ໌ॻͷॺ໊ɾ伴ަ׵Ͱަ׵͢Δެ։伴ͷॺ໊
伴ަ׵ 4FSWFS$MJFOU,FZ&YDIBOHFʹΑΔ &$
%)ެ։伴ͷަ׵
ެ։伴҉߸ 34"伴ަ׵࣌ʹ1SF.BTUFS4FDSFUͷ҉߸ૹ৴
Ұํ޲ϋογϡ $#$ͳͲͷ҉߸Ϟʔυར༻࣌ʹΞϓϦσʔλͷ."$ੜ੒
ϝοηʔδೝূ .BTUFS4FDSFUͷੜ੒ɺ'JOJTIFEʹΑΔϋϯυγΣΠΫσʔλͷ׬શ
ੑݕূ
ରশ҉߸ɾ҉߸Ϟʔυ $IBOHF$JQIFS4QFDҎ߱ͷϋϯυγΣΠΫͱΞϓϦέʔγϣϯσʔλͷ҉߸Խ
ʢ஫ɿଞʹ΋ࡉ͔͍ͱ͜ΖͰ࢖ΘΕ͍ͯ·͢ɻ

View Slide

ࠓճ࢖͏TLSཁૉٕज़
AEAD
Poly1305 ChaCha20
ECDHE
RSA
SHA256
X509ূ໌
ॻ
PKI
ରশ
҉߸
҉߸Ϟʔυ
ެ։伴҉
߸
σδλϧ
ॺ໊
ϝοηʔδೝূ
ཚ਺
ੜ੒
伴ަ׵ Ұํ޲ϋογϡ
LinuxͳΒ/dev/urandom+OpenSSLॲཧ
ࠓ೔ͷԋश

View Slide

ηοτϝχϡʔԽ͞ΕͨTLSͷཁૉٕज़
TLS CipherSuites
TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C}
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256={0xCC,0xA8}
ରশ
҉߸
҉߸Ϟʔ
υ
σδλϧ
ॺ໊
ϝοηʔδೝূ
(ϋογϡ)
伴ަ׵
TLS _ _ _WITH_ _ 伴௕ _ _
伴ަ׵ɾσδλϧॺ໊ʹRSA
ରশ҉߸ʹ128bit伴௕ͷAES
҉߸ϞʔυʹGCM(AEAD)
ϋογϡʹSHA256
伴ަ׵ʹECDHE
σδλϧॺ໊ʹRSA
ରশ҉߸ʹChaCha20
҉߸ϞʔυʹPoly1305(AEAD)
ϋογϡʹSHA256
൪߸ͱͯ͠0xCC,0xA8ΛׂΓ౰ͯ

View Slide

ࠓ͸5-4ʹԿΛ࢖͏ʁ
伴ަ׵ 34"
'PSXBSE4FDSFDZ
%)& &$%)&
σδλϧॺ໊ 34"
%44
%4"

&$%4"
ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ
҉߸Ϟʔυ $#$
"&"%
$$. ($. 1PMZ
ϝοηʔδೝূ
ʢϋογϡʣ
.% 4)" 4)" 4)"
੺ɿ࢖Θͳ͍ɺԫɿ஫ҙɺ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉
஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢

ͪͳΈʹɺ
ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ
ϧॺ໊͸શ෦Ξ΢τʂ

View Slide

ରশ҉߸
҉߸จ
ฏจ
ڞ௨伴 ڞ௨伴
ฏจ
ετϦʔϜ҉߸ɿσʔλΛஞ࣍҉߸Խ(RC4, Chacha20)
ϒϩοΫ҉߸ɿσʔλΛϒϩοΫຖʹ҉߸Խ(DES, AES)
ز͔ͭͷ҉߸Ͱ͸طʹةຆԽɿ
DES: 2005೥ NIST FPS46-3ن֨ͷഇࢭ(2030೥·Ͱ͸ڐ༰)
RC4: RFC7455: Prohibiting RC4 Cipher Suites
҉߸Խ ෮߸Խ
ϒϩοΫɺετϦʔϜͷ྆ऀͷҧ͍͸ݱࡏͳ͘ͳ͖͍ͬͯͯΔ
ϒϩοΫ҉߸ "&4
Λ҉߸Ϟʔυ ޙड़
ͰΧ΢ϯλʔϞʔυΛར༻͢Δ͜ͱʹΑΓશͯε
τϦʔϜ҉߸ͱͯ͠ར༻Ͱ͖·͢ɻ "&4($.͸ετϦʔϜ҉߸ॲཧ

View Slide

ରশ҉߸ AES
• 1997೥ΑΓϓϩδΣΫτ։࢝ɺ2000೥બఆɺ2001
೥࢓༷ൃߦ
• ϒϩοΫαΠζ 128bit
• 伴௕ɿ 128bits, 192bits, 256bits ͷ̏छྨ
• Intel/AMDͷCPUͰϋʔυ΢ΣΞॲཧͷαϙʔτ
(AES-NI)
̎̌̍̒೥ݱࡏ5-4௨৴ͷσϑΝΫτ
$IB$IB͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

View Slide

҉߸Ϟʔυ
• ϒϩοΫ҉߸͸ಉ͡σʔλΛಉ͡伴Ͱ҉߸Խ͢ΔͱຖճಉҰͷ҉
߸จʹͳΔɻ
• ϒϩοΫ௕ΑΓ௕͍σʔλΛ҉߸Խ͢Δ৔߹ʹ҉߸ϞʔυΛར༻
ͯ͠܁Γฦ͠Λආ͚Δɻ
• CBCɿʮ(ฏจ XOR ϕΫτϧ) Λ҉߸ԽʯΛଓ͚Δ
• CTRɿ ʮΧ΢ϯλʔΛ҉߸Խ XOR ฏจʯΛଓ͚Δ
࣮ࡍʹTLSͰར༻͢Δʹ͸վ͟Μݕ஌ͷͨΊͷMAC(ϝοηʔδೝূʣͱͷ૊Έ߹ΘͤΔ
(AEAD)ɻAES-GCM͕ࠓͷओྲྀɻ
͜Ε·Ͱͷ
ओྲྀ
$IB$IB1PMZ͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

View Slide

ೝূλά
AEADʢೝূ෇͖҉߸)
҉߸Խ͠ͳ͍͚Ͳվ͟Μ
w w w w w w w w w w w
๷ࢭ͕ඞཁͳσʔλ
w w w w w w w w w
ʢϔομ౳ʣ
w w w w
҉߸Խ͢Δฏจ
AEAD
҉߸Խ
҉߸จ
ڞ௨伴
ॳظϕΫτϧ
&ODSZQU5IFO."$ ҉߸Խͨ͠ޙͰϋογϡ஋Λऔಘ

View Slide

AEADʢೝূ෇͖҉߸)
ฏจ
AEAD
෮߸Խ
վ͟ΜνΣοΫ
҉߸Խ͠ͳ͍͚Ͳվ͟Μ๷
ࢭ͕ඞཁͳσʔλ
ʢϔομ౳ʣ
҉߸จ ೝূλά
ڞ௨伴
ॳظϕΫτϧ

View Slide

GCM
• GCM (Galois Counter Mode: ΨϩΞΧ΢ϯλʔ
Ϟʔυʣ
• CTRͱGHASHΛ૊Έ߹ΘͤͨAEAD
• ϋʔυ΢ΣΞॲཧͰߴ଎Խ͕Մೳ
• AESͱ૊Έ߹Θͤͯ AES-GCMͱͯ͠ར༻

View Slide

Ұํ޲ϋογϡ
σʔλ Ұํ޲
ϋογϡؔ਺
ϋογϡ஋
ϋογϡ஋Λൺֱ͢Δ͜ͱͰσʔλͷվ͟ΜΛνΣοΫ͢Δ͜ͱ͕Ͱ͖Δɻ

View Slide

҉߸ֶతϋογϡ
ɾݪ૾ܭࢉࠔ೉ੑ 1SFJNBHF3FTJTUBODF

ɾୈ̎ݪ૾ܭࢉࠔ೉ੑ OE1SFJNBHF3FTJTUBODF

ɾڧিಥ଱ੑ 4USPOH$PMMJTJPO3FTJTUBODF

ϋογϡ஋I͔Β΋ͱͷϝοηʔδNΛ୳͢ͷ͕ࠔ೉
̷ I)"4) N
ͷNΛݟ͚ͭΔ
ಛఆͷϝοηʔδNͱಉ͡ϋογϡ஋Λ࣋ͭNΛ୳͢ͷ͕ࠔ೉
I)"4) N
)"4) N
IͷNΛݟ͚ͭΔ
)"4) N
)"4) N
ͱͳΔNͱNΛݟ͚ͭΔͷ͕ࠔ೉

View Slide

Ұํ޲ϋογϡ
• md5
• SHA-1
• SHA-2(SHA-256ͳͲ6छ)
• SHA-3(SHA3-256ͳͲ6छ)
2018೥͙Β͍ʹ͸ݱ࣮తͳίετ
ͰিಥσʔλΛ୳ͤΔݟࠐΈ(*2)
طʹݱ࣮తͳ߈ܸख๏͕ଘࡏ
(*2) Cryptanalysis of SHA-1
https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
(*1) how to Break MD5 and Other Hash Functions
http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf
8/5ʹNISTΑΓਖ਼ࣜެ։

View Slide

"&"%Λࢥ͍ग़ͦ͏
ೝূλά
w w w w w w w w w
ʢϔομ౳ʣ
w w w w
҉߸Խ͢Δฏจ
AEAD
҉߸Խ
҉߸จ
ڞ௨伴
ॳظϕΫτϧ
ϋογϡ஋ͩʂ
($. 1PMZ͋Εͬɺ4)"ͱ͔͡Όͳ͍ɻͳͥʁ

View Slide

"&"%Ͱ͸҉߸ֶతϋογϡ
·Ͱ͸ඞཁͳ͍
ೝূλά
w w w w w w w w w
ʢϔομ౳ʣ
w w w w
҉߸จ
&ODSZQU
5IFO."$
ϋογϡલͷϝοηʔδ͕
ݟ͑ͯΔ
ݪ૾ܭࢉࠔ೉ੑ͸͍Βͳ͍ɻ
ݟ͑ͯΔϝοηʔδͷվ͟Μݕ஌ ."$
͕ॏཁɻ
ୈ̎ݪ૾ܭࢉࠔ೉ੑͱߴ͍ڧিಥ଱ੑ͕ٻΊΒΕΔɻ
ύέοτຖʹܭࢉ͢ΔͷͰߴ଎ੑೳେࣄɻ
($.1PMZ͸ɺ"&"%޲͚ʹಛԽͨ͠ߴ଎."$ΞϧΰϦζϜ

View Slide

ϝοηʔδೝূ(HMAC)
• ࣄલʹڞ௨伴Λڞ༗
• ڞ௨伴ͱσʔλΛ૊Έ߹Θͤͨϋογϡ஋Λ࡞੒
• σʔλͷ׬શੑͱϋογϡ࡞੒ऀΛೝূ͢Δ
σʔλ Ұํ޲
ϋογϡؔ਺
ϋογϡ஋
ڞ௨伴

View Slide

ެ։伴҉߸
512bit RSAͷةݥੑ FREAK https://freakattack.com/
• ղΛٻΊΔͷ͕ࠔ೉ͳ਺ֶత໰୊Λར༻ͯ͠҉߸Λੜ੒ɻ
• ެ։伴ͱൿີ伴ͷϖΞΛੜ੒ɻެ։伴͸͞Βͯ͠େৎ෉ɻ
• ެ։伴Ͱ҉߸Խ͠ൿີ伴Ͱ෮߸Խɻ
• RSA ૉҼ਺෼ղ
• ECC(ପԁۂઢ҉߸ʣପԁۂઢ্ͷ཭ࢄର਺໰୊
ެ։伴 ൿີ伴
҉߸Խ ෮߸Խ

View Slide

伴ަ׵
• 2ऀؒͰ҆શʹ伴Λڞ༗͢Δ࢓૊Έ
• ޓ͍ʹެ։伴Λަ׵͍͋͠ɺڞ༗伴Λੜ੒͢Δɻ
• ௨৴ܦ࿏্Ͱڞ༗伴ͷ΍ΓऔΓ͕ͳ͍ɻ
• DH (Diffie-Hellman)
• ECDH(ପԁۂઢDH)
੬ऑੑɿDH Logjam https://weakdh.org/
ެ։伴
ެ։伴
ൿີ伴
ൿີ伴
Ұ࣌తͳ伴ަ׵͸& &QIFNFSBM
ͷจࣈ͕෇͘
%)&
&$%)&

View Slide

σδλϧॺ໊
• σʔλͷ׬શੑͷνΣοΫ͕ՄೳͱͳΔɻ
• σʔλͷૹ৴ݩͷೝূ͕ՄೳͱͳΔɻ
• ެ։伴ͷ৴པੑͷൣғͰ൱ೝ๷ࢭ͕ՄೳͱͳΔɻ
• RSA
• DSA,ECDSA
ެ։伴
ൿີ伴 σʔλʴσδλϧॺ໊
σʔλϋογϡ
஋Λ҉߸Խ͠
σδλϧॺ໊Λ
ੜ੒
σδλϧॺ໊Λ෮߸Խɻ
σʔλϋογϡ஋ͱൺ
ֱ͠ݕূ͢Δ

View Slide

1,*֓ཁ
$"
$FSUJpDBUF"VUIPSJUZ
7"
7BMJEBUJPO"VUIPSJUZ

3"
3FHJTUSBUJPO"VUIPSJUZ

$3-0$41
$43
伴ϖΞ
࣮ࡏ֬ೝ
αʔόূ໌ॻ
IUUQTʙ
ࣦޮ֬ೝ
࿦ཧతʹෳ਺ͷ໾ׂʹ෼͔Ε͍ͯΔ͕෺ཧతʹ̍ͭͰ΋Α͍
3PPUূ໌ॻ
04ɾϒϥ΢β
ϕϯμʔ

View Slide

αʔόূ໌ॻ 9

w 5-4௨৴ͷ৴པੑΛ୲อ͢Δཁ
w ϏϧτΠϯͷϧʔτূ໌ॻ͔Βαʔόূ
໌ॻ·Ͱূ໌ॻνΣʔϯͷॺ໊ݕূ
w ΦϯϥΠϯҎ֎Ͱ৴པੑΛ୲อ 1,*

ϏϧτΠϯͷ
ϧʔτূ໌ॻ
αʔόূ໌ॻ
தؒূ໌ॻ
ϏϧτΠϯͷ
ϧʔτূ໌ॻ
αʔόূ໌ॻ
தؒূ໌ॻ
τϥετΞϯΧʔ

View Slide

ূ໌ॻͷछྨ
&7ূ໌ॻ
&YUFOEFE
7BMJEBUJPO

$"ڞ௨ͷݫ֨ͳ૊৫ͷ࣮ࡏূ໌
෺ཧత࣮ࡏ ॻ໘΍σʔλ ޱ࠲औҾʹΑΔ࣮ࡏ৹ࠪɾॺ໊
ఏग़ɾి࿩֬ೝͳͲ

ΞυϨεόʔ͕྘৭
07ূ໌ॻ
0SHBOJ[BUJPO
7BMJEBUJPO

֤$"ϙϦγʔ $14
ʹैͬͨ૊৫ͷ࣮ࡏূ໌
ʢॻ໘΍σʔλ৹ࠪɾి࿩֬ೝͳͲ

%7ূ໌ॻ
%PNBJO
7BMJEBUJPO

֤$"ϙϦγʔ $14
ʹैͬͨυϝΠϯอ࣋ূ໌
ϝʔϧͷ౸ୡੑ֬ೝͳͲ

-FU`T&ODSZQUͳͲ
ແྉূ໌ॻ͕͋ΔΑ
ωοτϫʔΫҎ֎
ͷ࣮ࡏূ໌

View Slide

αʔόূ໌ॻͷத਎
όʔδϣϯɺγϦΞϧ൪߸ɺൃߦऀ৘ใɺ༗ޮظݶɺαʔό
ࣝผࢠɺެ։伴৘ใɺ֦ு৘ใ ར༻༻్ɺผ໊΍ࣦޮ৘ใɾ
ϙϦγʔࢀরઌ
ɺσδλϧॺ໊

View Slide

αʔόূ໌ॻͷ֬ೝ
αʔόূ໌ॻͱൿີ伴ͷରԠ͕ؒҧ͍ͬͯͨΒ5-4
αʔό͸ىಈ͠ͳ͍ɻͳͷͰαʔόূ໌ॻͱൿີ伴
ͷެ։伴͕Ұக͢Δ͔ඞͣνΣοΫ͢Δɻ
αʔό
ূ໌ॻ
ൿີ伴
PQFOTTMYQVCLFZJOTFSWFSDSUOPPVUTFSWFS@QVCLFZQFN
PQFOTTMSTBQVCPVUJOQSJWBUFLFZPVUQSJWBUF@QVCLFZQFN
ެ։伴
ެ։伴

View Slide

5-4ηΩϡϦςΟͷ౔୆
5-4ͷ
ηΩϡϦςΟ
ཚ਺ੜ੒
1,*
ൿີ伴ͷ
؅ཧ
҉߸ٕज़
Τϯ
τϩϐʔෆ଍
ෆਖ਼
ൃߦ
࿙Ӯ
ΞϧΰϦζϜɾ
ڧ౓ͷةຆԽ
5-4͸ɺ͜ͷ̐ͭͷ֎෦ཁૉͷ্ͰΠϯλʔ
ωοτͰ҆શͳ௨৴Λఏڙ͢Δ࢓૊ΈͰ͋Δɻ
ٯʹݴ͑͹ɺͲΕ΄Ͳ׬ᘳͳ5-4ϓϩτίϧΛ࡞ͬͯ΋
͜ͷ̐ͭͷ֎෦ཁૉ͕ഁΒΕͨΒ҆શΛ֬อͰ͖ͳ͍ɻ

View Slide

TLSϋϯυγΣΠΫ
஫ɿෳࡶ͞Λආ͚ΔͨΊΫϥΠΞϯτೝূػೳͷઆ໌͸লུ͠·͢ɻ
5-4#PUͱڙʹ

View Slide

ԋश
࣮ࡍʹ$IB$IBͷύέοτΛݟͯΈΔ
IUUQTDIBDIBUMTLPVMBZFSDPN
ʹ$ISPNFͰΞΫηεɺ%FWFMPQFS5PPMͰ֬ೝͯ͠ΈΔɻ
IUUQTDIBDIBUMTLPVMBZFSDPNDIBDIB@TBNQMFQDBQ
Λμ΢ϯϩʔυͯ͠ɺ&UIFSSFBMͰݟͯΈΑ͏ɻ

View Slide

4FD$BNQ5-4#PU
w ίϚϯυϥΠϯͰ)&9ܗࣜͷ5-4ϑϨʔϜΛೖྗ͠
ͯ5-4ϋϯυγΣΠΫΛߦ͏#PU
w 4FSWFS$MJFOU྆ํͰಈ͖·͢ɻ
w $MJFOU͸࠷ॳʹ)FMMP3FRVFTUͷϑϨʔϜΛೖྗ͠
ͯ։࢝ɻ
w /0%&@%(TFDDBNQͰग़ྗϑϨʔϜ
ͷ+40/Λग़ྗ͠·͢ɻ

View Slide

4FD$BNQ5-4#PU
w OQNJOTUBMMTFDDBNQUMTFYFSDJTF
w 4FSWFS$MJFOU#PUͷεΫϦϓτΛ࡞੒
DPOTU4FD$BNQSFRVJSF TFDDBNQUMTFYFSDJTF

4FD$BNQ5-4#PU GBMTF
DMJFOU͸GBMTF
Πϯετʔϧ͞ΕͨOPEF@NPEVMF͕ݟ͔ͭΕ͹
OPEF@NPEVMFTTFDDBNQUMTFYFSDJTFTBNQMFT
ʹίʔυ͕͋Γ·͢ɻ
IUUQTHJTUHJUIVCDPNTIJHFLJGBBCDCCGFEGBFCB
ʹ΋͋Γ·͢ɻ

View Slide

5-4#PU

View Slide

5-4CPU%FCVHϞʔυ
FYQPSU/0%&@%(TFDDBNQ

View Slide

TLSϋϯυγΣΠΫ(full handshake)
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
Application Data
Application Data
(੺จࣈ͸ϋϯυγΣΠΫʣ
ClientHelloͱServerHelloͷ
΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS
όʔδϣϯ΍҉߸ԽํࣜͳͲ
Λ߹ҙ͢Δɻ
҉߸Խͨ͠ΞϓϦ௨৴Λ
ߦ͏·Ͱ355ඞཁ

View Slide

TLSϋϯυγΣΠΫ(resumption)
ClientHello(session_id)
ServerHello(session_id)
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
Application Data
Application Data
SessionIDʹΑΔTLSηογϣ
ϯͷ࠶։ɻ
伴ަ׵΍ূ໌ॻૹ෇ΛεΩοϓɻ
ࠓճ͸ԋशͷର৅֎Ͱ͢
҉߸Խͨ͠ΞϓϦ௨৴Λ
ߦ͏·Ͱ355Ͱ͢Ή

View Slide

TLSϋϯυγΣΠΫͷҙຯ
ClientHello/ServerHello/ServerHelloDone
TLSͷͨΊͷ৘ใަ׵
όʔδϣϯɾཚ਺ɾ҉߸ํࣜɾ֦ு৘ใ
Certificate
ެ։伴৘ใͷૹ෇
ΤϯυϙΠϯτͷೝূ
ClientKeyExchange/ServerKeyExchange
ڞ༗伴ަ׵
ChangeCipherSpec
҉߸։࢝ͷ߹ਤ
Finished
ϋϯυγΣΠΫσʔλͷվ͟ΜνΣοΫ

View Slide

TLS1.2ͷߏ଄
I
P
ϔ
ο
μ
T
C
P
ϔ
ο
μ
TLS Record Layer
(5όΠτ)
λΠϓ
ʢ̐छ
ྨʣ
(1byte)
όʔδϣϯ
(2byte)
௕͞
(2byte)
Handshake (λΠϓ:0x16)
msgλΠϓ
ʢ̍̌छྨʣ
௕͞
ʢ3όΠτ௕ʣ
ϋϯυγΣΠΫσʔλ
Alert (λΠϓ:0x15)
Ϩϕϧ ཧ༝
ChangeCipherSpec (λΠϓ:0x14)
λΠϓ
Application Data
(λΠϓ:0x17)
҉߸Խ͞Εͨσʔλ
msgλΠϓ ϋϯυγΣΠΫσʔλͷछྨ
0x00 HelloRequest
0x01 ClientHello
0x02 ServerHello
0x0b Certificate
0x0c ServerKeyExchange
0x0d CertificateRequest
0x0e ServerHelloDone
0x0f CertificateVerify
0x10 ClientKeyExchange
0x14 Finished
TLS Record Layerσʔλʹ
ଓ͍ͯɺ࣍ͷ̐छྨͷTLSσ
ʔλͷ͍ͣΕ͔͕ଓ͘ɻ
TLS Handshake͸ɺ͜ͷ
̍̌छྨʹ෼͔ΕΔɻ

View Slide

5-4ϋϯυγΣΠΫϑϨʔϜΛಡΉ
Record Layer Handshake (ClientHello)
type protocol
version
length
(2byte)
msg
type
length
(3byte)
client
version
random
major minor major minor
0x16 0x03 0x03 0x00 0x45 0x01 0x00 0x00 0x41 0x03 0x03 32 byte
όΠτ όΠτ
҉߸Խ͞Εͳ͍ ҉߸Խ͞ΕΔ

View Slide

ԋश
w ̎ͭͷίϚϯυϥΠϯλʔϛφϧΛ։͍ͯҰͭ͸
UMT@DMJFOU@CPUɺ΋͏Ұͭ͸UMT@TFSWFS@CPUΛىಈ
͢Δɻ
w UMT@DMJFOU@CPUʹ)FMMP3FRVFTUΛೖྗͯ͠ɺग़ྗ͠
ͨ$MJFOU)FMMPΛίϐʔͯ͠TFSWFSCPUʹೖྗ͠Α
͏
w /0%&@%(TFDDBNQͷઃఆΛͯ͠
+40/Λ֬ೝ͠Α͏ɻ

View Slide

ClientHello
ClientHello
Λ߹ҙ͢Δɻ

View Slide

ClientHello
߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘
ใ
client_version uint8 major, uint8 minor 2 N/A
random uint32 gmt_unix_time, opaque
random_bytes[28]
4 + 28 N/A
session_id opaque SessionID <0..32> 1όΠτ෼
cipher_suites uint8 CipherSuite[2] <2..2^16-2> 2όΠτ෼
compression_
methods
null(0) <1..2^8-1> 1όΠτ෼
extensions extension_type(65535),
extension_data<0..2^16-1>
<0..2^16-1> 2όΠτ෼
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
type σʔ
λ௕
σʔλ type σʔ
λ௕
σʔλ type σʔ
λ௕
σʔλ
Extension௕ Extensionsσʔλྫ

View Slide

ClientHello
Record Layer Handshake (ClientHello)
type protocol
version
length
(2byte
)
msg
type
length
(3byte)
client
version
random sessi
on
id
cipher
suite
comp
ressi
on
Exte
nsion
majo
r
mino
r
major minor
0x16 0x03 0x03 ?? ?? 0x01 ?? ?? ?? 0x03 0x03 32 byte Մม Մม Մม Մม
Version
0x03,0x00 = SSLv3
0x03,0x01= TLSv1.0
0x03,0x02=TLSv1.1
0x03,0x03=TLSv1.2
ΫϥΠΞϯτ͕ར༻Ͱ͖Δ
࠷ߴͷTLSόʔδϣϯΛࢦ
ఆɺαʔό͕Ͳͷόʔδϣ
ϯΛ࢖͏͔બ୒͢Δ

View Slide

View Slide

ServerHello
ClientHello
ServerHello
Λ߹ҙ͢Δɻ

View Slide

ServerHello
߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ใ
server_version uint8 major, uint8 minor 2 N/A
random uint32 gmt_unix_time, opaque
random_bytes[28]
4 + 28 N/A
session_id opaque SessionID <0..32> 1
cipher_suite uint8 CipherSuite[2] 2 N/A
compression_method null(0) 1 N/A
extensions extension_type,
extension_data<0..2^16-1>
<0..2^16-1> 2όΠτ෼
Record Layer(5bytes) Handshake (ServerHello)
type protocol
version
length
(2bytes)
msg
type
length
(3byte)
server
version
random
32bytes
session id cipher
suite
2bytes
compression
majo
r
minor major minor
0x16 0x03 0x03 ? + 4 0x01 ? 0x03 0x03 ? ௕͞1byte 0x00,0x9c ௕͞2bytes

View Slide

View Slide

Certificate
ClientHello
ServerHello
Certificate

View Slide

Certificate
߲໨ ཁૉ αΠζ
certificate_list ASN.1Cert<2^24-1> <0..2^24-1>
શূ໌ॻ௕ ূ໌ॻ#1௕ ূ໌ॻσʔλ#1 ূ໌ॻ#2௕ ূ໌ॻσʔλ#2
ෳ਺ͷূ໌ॻσʔλΛૹ෇
࠷ॳ͸ඞͣαʔόূ໌ॻ 2ͭ໨Ҏ߱͸தؒূ໌ॻͳͲ

View Slide

View Slide

Perfect Forward Secrecy(PFS)
• લํൿಗੑ
• ηογϣϯຖʹҰ࣌తͳ伴Λ࢖͏ɻ
• ϋϯυγΣΠΫΛؚΉશ҉߸σʔλΛऔಘ͞Ε͍ͯΔΑ͏ͳঢ়
گͰ΋ɺকདྷతͳൿີ伴࿙ӮͳͲͷϦεΫʹରԠ͢Δɻ
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ephemeral:Ұ࣌తͳ
伴ަ׵ख๏

View Slide

%)&WT&$%)&
w %)%J⒎F)FMMNBO཭ࢄର਺໰୊Λར༻ͨ͠伴ަ׵
H?Y
NPE1
?ZNPE1 H?Z
NPE1
?YNPE1H? YZ
NPE1
ૉ਺1 δΣωϨʔλH ެ։伴 ੺ࣈɺ੨ࣈʣͳͲͷ৘ใΛަ׵ɻ&$%)&
ΑΓܭࢉྔ͕ଟ͍ɻ
w &$%)&ɿପԁؔ਺্Ͱͷ཭ࢄର਺ԋࢉΛར༻ͨ͠伴ަ׵
ପԁؔ਺ͷύϥϝʔλɾج఺Λ໊લͰنఆ TFDQ౳
ɺެ։伴 ପԁ
ۂઢ্ͷ఺
Λަ׵ɻ%)ΑΓ伴௕ɾܭࢉྔ͕গͳͯ͘͢Ήɻ

View Slide

ECDHEͷϋϯυγΣΠΫ
ClientHello
+ elliptic_curves
+ ec_point_formats
ServerHello
+ ec_point_formats
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished ChangeCipherSpec
Finished
Application Data
(੺จࣈ͕௥Ճมߋ͞ΕΔͱ͜Ζʣ
ClientHello֦ுΛ௥Ճ
ServerHello֦ுΛ௥Ճ
ପԁۂઢ໊ͱServer
ͷެ։伴Λॺ໊෇͖
Ͱૹ෇
Clientͷެ։伴Λૹ෇
ପԁ఺ͷॻࣜΛ߹ҙ
࢖͑Δପԁۂઢ໊ͱପԁ఺ॻࣜΛ௨஌
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ެ։伴͸ຖճϥϯμϜʹੜ੒͞Ε·͢

View Slide

ECDHE ClientHello֦ு
ΫϥΠΞϯτ͕αϙʔτ͍ͯ͠ΔପԁۂઢͷϦετΛαʔόଆʹ௨஌ɻαʔό͸
Ϧετͷத͔Βద੾ͳପԁۂઢΛબͼ ServerKeyExchange಺Ͱબ୒ͨ͠ପԁ
ۂઢΛ௨஌͢Δ
0 1 2 3 4 5 6 7
elliptic_curves(10) Ϧετ௕ σʔλ௕ secp256r1 (23)
0x00 0x0a 0x00 0x04 0x00 0x02 0x00 0x17

View Slide

ECDHE Client/Server Hello֦ு
ପԁ҉߸ͷެ։伴ͷॻࣜ
0 1 2 3 4 5
ec_point_formats(11) Ϧετ௕ σʔλ௕ uncompressed(0)
0x00 0x0b 0x00 0x02 0x01 0x00

View Slide

ServerKeyExchange
ClientHello
ServerHello
Certificate
ServerKeyExchange

View Slide

ECDHE ServerKeyExchange
ServerECDHParams Signature
ECParameters ECPoint algorithm
signature
curve_type named_curve ௕
͞
public key
(Hello֦ுࢦఆͷॻࣜʣ
RSA-SHA256
(0x04,0x01)
named_curve (3) secp256r1 (23)
signature = sign(algorithm, ClientHello.random + ServerHello.random +
ServerECDHParams);
RSAൿີ伴ͰServerECDHParmsͱRandomΛॺ໊

View Slide

View Slide

ServerHelloDone
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone

View Slide

ServerHelloDone
handshake
type
handshake௕
0x0e 0x00 0x00 0x00
ServerHelloͷऴྃͷ߹ਤ
ϋϯυγΣΠΫϔομͷΈ
͜͜Ͱ4FSWFS)FMMP͔Βଓ͘Ұ࿈ͷϋϯυγΣΠ
Ϋͷલ൒͕ऴྃͨ͜͠ͱΛࠂ͛Δ߹ਤ

View Slide

View Slide

ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange

View Slide

ECDHE ClientKeyExchange
ClientECDHParams
ECPoint
௕͞ public key
(Hello֦ுࢦఆͷॻࣜʣ
ClientKeyExchange͸ॺ
໊ͷඞཁ͸ͳ͍

View Slide

View Slide

࣭໰ɿ ECDHEެ։伴ͷकΒΕํͷҧ͍
• ServerKeyExchange: ެ։伴Λॺ໊
• ClientKeyExchange: ΍Γ͍ͨ์୊
Ͳ͏ͯ͠Ͱ͠ΐ͏ʁ

View Slide

PreMasterSecret/MasterSecret
• TLSͰར༻͢ΔIV(ॳظϕΫτϧ)ɺڞ༗伴ɺMAC伴ͷσʔλݩ
• MasterSecret͸48όΠτ௕ɻPreMasterSecretͷ௕͞͸伴ަ׵ํࣜʹґ
ଘ͢Δɻ
• MasterSecret͸ɺPreMasterSecretɺClientRandomɺ
ServerRandomɺݻఆϥϕϧ͔Βੜ੒͢Δɻ
• Clinet/ServerRandom͸શؙͯݟ͑ɻPreMasterSecret͸ɺඞͣࢮक͠
ͯकΒͳ͍ͱ͍͚ͳ͍ɻ͜Ε͕࿙͍͑͢ΔͱTLSͷ҆શੑ͸શ͓ͯ͡ΌΜɻ
'SFBL-PHKBN

View Slide

View Slide

ChangeCipherSpec
Client->Server
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec

View Slide

ChangeCipherSpec
ૹ৴ݩ͕҉߸։࢝Λએݴɻ͜ΕΛૹ৴ͨ͠ޙ͸҉߸
௨৴Λߦ͏ɻ
Record Layer ChangeCipherSpec
ContentTy
pe
Version length
(2byte)
major minor
0x14 0x03 0x03 0x00 0x01 0x01

View Slide

View Slide

ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished

View Slide

Finished
struct {
opaque verify_data[verify_data_length];
} Finished;
verify_data = PRF(master_secret, finished_label,
Hash(handshake_messages))[0..11];
finished_label: ΫϥΠΞϯτ͸ɺ"client finished"ɺαʔό͸"server finished"
12όΠτݻఆ
͜Ε·ͰͷϋϯυγΣΠΫσʔλʢͨ
ͩࣗ͠෼͸আ͘ʣͷϋογϡΛܭࢉ
TLS1.2Ͱ͸ SHA256Λ࢖͏
FinishedΛड৴͢Δͱɺ͜Ε·Ͱૹड৴ͨ͠ϋϯυγΣΠΫσʔλ͔Βܭࢉͨ͠஋ͱൺֱɻ
ϋϯυγΣΠΫσʔλ͕վ͟Μ͞Εͯͳ͍͜ͱΛ֬ೝ͢Δɻ

View Slide

View Slide

ChangeCipherSpec
Server -> Client
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec

View Slide

View Slide

ServerFinished
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished

View Slide

View Slide

Application Data
ClientHello
ServerHello
Certificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ChangeCipherSpec
Finished
ChangeCipherSpec
Finished
Application Data

View Slide

View Slide

ԋश
5-4#PUΛ࢖ͬͨ̍ର̍5-4
w ೋਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU
໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ
w αΠϘ΢ζͰσʔλΛ΍ΓऔΓ͠·͢ɻ૬ޓͰ҉߸จͷ෮
߸Խ͕Ͱ͖Δ͜ͱΛ֬ೝ͠·͢ɻ
5-4҉߸௨৴
5-44FSWFSGDBCEDCGBBCDG
"QQMJDBUJPO%BUBIPHF
#PU #PU

View Slide

ԋश
ϦΞϧ.BO*O5IF.JEEMF
w ̏ਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU໾ɺ
ѱਓ໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ
w ѱਓ໾Λհͯ͠5-4ϋϯυγΣΠΫΛߦ͍·͢ɻ·ͣ͸ѱਓ͸ͦ
ͷ··ӈ͔Βࠨʹड͚ྲྀ͠·͢ɻ
w ࣍ʹѱਓ໾Ͱ4FSWFS$MJFOUͷ#PUΛͨͯͯͳΓ͢·͠௨৴Λ͠·
͠ΐ͏ɻ

View Slide

$IB$IB1PMZ
೥݄̒ʹ࢓༷Խ׬ྃ 3'$
ͨ͠
5-4ͷ৽͍͠҉߸ํࣜ
ࢲ͸҉߸ઐ໳ՈͰ͸ͳ͍ͷͰ҆
શੑͷ͓࿩͸εΩοϓ͠·͢ɻ

View Slide

$IB$IB1PMZ
w $IB$IB%+#FSOTUFJO EKC
ࢯ͕ߟҊͨ͠҉
߸ํࣜ ࠷ॳʹ4BMTBΛൃදɺ$IB$IBʹվྑ

w 1PMZEKCࢯ͕ߟҊͨ͠."$ํࣜ "&4ͱ૊Έ
߹Θͤͨ"&41PMZͰൃද

جຊ྆ऀ͸ಠཱͨ͠΋ͷɻ(PPHMFͷ"EBN-BOHMFZ
ࢯ͕$IB$IB1PMZͱͯ͠ʹυϥϑ
τ࢓༷Λެ։

View Slide

1PMZ࿦จൃද ࠷ऴ൛

$IB$IB࿦จൃද ࠷ऴ൛

4BMTB͕F4USFBNͷ'JOBMJTUʹબఆ
$IB$IBΛ࢖ͬͨ#-",&͕4)"ͷ࠷ऴީิʹબఆ
ESBGUBHMUMTDIBDIBQPMZެ։

$ISPNF͕$IB$IB1PMZΛ࣮૷ɻ(PPHMFαʔϏεͰར༻։࢝
0QFO44)͕$IB$IB1PMZΛ࣮૷
5-48(͔Β$'3(΁$IB$IB1PMZͷ࢓༷ݕ౼ΛਐΊΔ͜ͱΛཁ੥
-JCSF44-͕GPSLɻ$IB$IB1PMZΛ࣮૷
#PSJOH44-͕GPSLɻ$IB$IB1PMZΛ࣮૷
$MPVE'MBSF͕$IB$IB1PZͷར༻։࢝ɻ0QFO44-༻ύονެ։
3'$ $IB$IB1PMZ࢓༷
͕ެ։
0QFO44- BMQIB
͕$IB$IB1PMZΛ࣮૷
'JSFGPY͕$IB$IB1PZΛ࣮૷
3'$$IB$IB1PMZ$JQIFS4VJUFTGPS5SBOTQPSU-BZFS4FDVSJUZ 5-4

$IB$IB1PMZ͜Ε·ͰͷาΈ

4OPXEFOࣄ݅

View Slide

"&4ͱ$IB$IBͷൺֱ
"&4 $IB$IB
ํࣜ ϒϩοΫ CJUT

ετϦʔϜ
ೖྗ
伴௕ CJUT 伴௕CJUT
/PODFͳ͠
ॳظΧ΢ϯλʔͳ͠
/PODFCJUT EKC࿦จͰ͸CJUT

ॳظΧ΢ϯλʔCJUT
ඪ४ /*45'*14
3'$

4BMTB͸FTUSFBNιϑτ΢ΣΞ1Iબఆ

ੑೳಛੑ "&4/*ͳͲઐ༻ϋʔυ΢ΣΞʹΑΔߴ଎
ॲཧ͕Մೳ
ࣄલܭࢉ΍4#09͕ඞཁͳ͘ɺλΠϛϯά߈ܸ͕ൃੜ͠ʹ
͍͘ɻ4*.%Λ࢖ͬͨߴ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ
஫ҙࣄ߲ ΩϟογϡλΠϛϯάͳͲαΠυνϟωϧ
߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ
/PODFΛ࠶ར༻͠ͳ͍͜ͱ
%+#ͷ࿦จIUUQDSZQUPDIBDIBDIBDIBQEG͕ΞϧΰϦζϜنఆͷࢀরઌ

Χ΢ϯλʔϞʔυͱ૊Έ߹ΘͤͯετϦʔϜ҉߸ͱͯ͠ར༻͕Մೳ

View Slide

2VBSUFS3PVOE B C D E

BC E?B E
DE C?D C
BC E?B E
DE C?D C
B C D E͸CJUVOTJHOFEJOU
YZ͸ YZ
NPE? ?͸903 O͸OϏοτࠨϩʔςγϣϯ
B C D Eʹରͯ͠ɺશͯճ
ԋࢉ͕ߦΘΕ͍ͯΔɻ
$IB$IBϥ΢ϯυԋࢉ
৐ࢉ͕ͳ͘ݻఆ௕ԋࢉ
$POTUBOU5JNF
B
C
D
E

View Slide

՝୊ɾԋश
TVEPOQNHJOTUBMMTFDDBNQDIBDIBXPSLTIPQQFS
ຊ೔ͷ՝୊
ࣄલֶश

View Slide

B B B B
B B B B
B B B B
B B B B
C C C C
C C C C C
C C C C C C
C C C C C C C
B B B B
B B B B
B B B B
B B B B
C C C C
C C C C
C C C C
C C C C
C C C C
C C C C
C C C C
C C C C
D D D D
D D D D
D D D D
D D D D
όΠτY
ྻϥ΢ϯυ
ର֯ϥ΢ϯυ
2VBSUFS3PVOE
όΠτ όΠτ
όΠτ όΠτ
छྨͷ$IB$IBϥ΢ϯυ
ԋश

View Slide

F E C
LFZ LFZ LFZ LFZ
LFZ LFZ LFZ LFZ
DPVOUFS OPODF OPODF OPODF
T T T T
T T T T
T T T T
T T T T
ྻϥ΢ϯυର֯ϥ΢ϯυ
Yճ
ॳظ$IB$IB4UBUF
$IB$IB4UBUF
ఆ਺஋ ࣮͸ҎԼͷจࣈྻ

FYQBOECZUFL
伴 όΠτ௕

/PODF όΠτ௕

͔Β࢝·ΔΧ΢ϯλʔ όΠτ௕

$IB$IB4USFBN4UBUF
ϥ΢ϯυ

View Slide

$IB$IB4UBUFͷ
&OEJBOʹ஫ҙ

L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<>
F E C
L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<>
LFZ LFZ LFZ LFZ
όΠτຖʹ۠੾ͬ
ͨ-JUUMF&OEJBO
͜ͷΑ͏ͳॱ൪Ͱσʔ
λॲཧΛ͢Δ࣌͸஫ҙɻݟ͔
͚#JH&OEJBOɻ

View Slide

$IB$IB#MPDL'VODUJPO
F E C
LFZ LFZ LFZ LFZ
LFZ LFZ LFZ LFZ
T T T T
T T T T
T T T T
T T T T

৒༨࿨

ॳظ$IB$IBTUBUF 3PVOE$IB$IBTUBUF
'JOBM$IB$IB4UBUF

View Slide

ԋश
$IB$IB2VBUFS3PVOE
$IB$IB#MPDL'VODUJPO

View Slide

$IB$IB,FZ4USFBN
CB GFED
CB GFED
CB GFED
CB GFED
BCDEFGBCDEFG
BCDEFGBCDEFG
̐όΠτ୯Ґͷ֤ཁૉΛ-JUUMF&OEJBOͰฒͼସ͑
,FZ4USFBNͱฏจͷ903Λऔͬͯ҉߸จΛੜ੒͢Δɻ

View Slide

伴ɾ/PODF
Χ΢ϯλʔ
903
ʹ
ฏจ
҉߸จ
ॳظ$IB$IB
4UBUF
伴ɾ/PODF
Χ΢ϯλʔ
903
ʹ
ฏจ
҉߸จ
ॳظ$IB$IB
4UBUF
伴ɾ/PODF
Χ΢ϯλʔ
903
ʹ
ฏจ
҉߸จ
$IB$IB4UBUF
,FZ4USFBN
ॳظ$IB$IB
4UBUF
伴ɾ/PODF
Χ΢ϯλʔ
903
ϥ΢ϯυॳظঢ়ଶ
ʹ
ฏจ
҉߸จ
ॳظ$IB$IB
4UBUF
όΠτ
$IB$IBฏจͷ҉߸Խ
ϥ΢ϯυॳظঢ়ଶ ϥ΢ϯυॳظঢ়ଶ ϥ΢ϯυॳظঢ়ଶ
$IB$IB4UBUF
,FZ4USFBN
$IB$IB4UBUF
,FZ4USFBN
$IB$IB4UBUF
,FZ4USFBN
෮߸Խ΋,FZ4USFBNͱ҉߸จΛ903͢Δ͚ͩ
ͳͷͰखॱ͸΄΅ಉҰ

View Slide

ԋश
$IB$IB,FZ4USFBN
$IB$IB&ODSZQUJPO

View Slide

1PMZ
ͪ͜Β͸গʑ೉͍͠ͷͰઆ໌͕ओͰ͢

View Slide

ͳͥNFTTBHF
BVUIFOUJDBUPS͕ඞཁ͔ʁ
IUUQTXXXFYBNQMFDPN
903ͨ͠վ͟Μσʔλ
Ϩίʔυ *7 ҉߸จ λά
Ϩίʔυ *7 վ͟Μ҉߸จ λά
)FMMP8PSME
)FMMP$SBDLFE
ܭࢉ͢Δͱ
λά͕ҧ͏ʂ
վ͟Μ
͞ΕͯΔΘʂ
λάͷ࠶ܭࢉʹ͸ൿີ伴͕ඞཁ

View Slide

()"4)ͱ1PMZ
()"4) 1PMZ
ܭࢉํࣜ
8FHNBO$BSUFS$POTUSVDUJPO
CJOBSZpFME YYYY
QSJNFpFME

伴௕ CJUT "&4ͱ૊Έ߹Θͤͨ࣌
CJUT
."$௕ CJUT ར༻໨తʹԠͯ͡੾Γ٧ΊΔ
CJUT
ඪ४ /*4541% "&4($.
3'$

ੑೳಛੑ 1$-.6-2%2*ͳͲಛఆܭࢉ༻ϋʔυ΢ΣΞ
ʹΑΔߴ଎ॲཧ͕Մೳ
ࣄલܭࢉςʔϒϧ͕ඞཁͳ͘ɺ4*.%Λ࢖ͬͨߴ
଎ͳιϑτ΢ΣΞॲཧ͕Մೳ
஫ҙࣄ߲ w 伴ɺ*7 /PODF
Λ࠶ར༻͠ͳ͍͜ͱ
w ."$௕͸CJUTҎ্Λར༻͢Δ͜ͱ
w 伴ɺ*7 /PODF
Λ࠶ར༻͠ͳ͍͜ͱ
w λΠϛϯά߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ
"&4ͱ૊Έ߹Θͤͨ%+#ͷ࿦จIUUQDSZQUPNBDQPMZQEG͕ΞϧΰϦζϜنఆͷࢀরઌ

View Slide

1PMZOPNJBMFWBMVBUJPO
ೝূ͢Δσʔλ
$ $ $ $O $O
ʜ
G S
$SO$SO$SOʜ$OS$OS
ʜ $S$
S$
Sʜ$O
S$O
S
෼ղͨ͠ϝοηʔδΛ܎਺
ͱͨ͠ଟ߲ࣜͷ஋ͰධՁ
ϗʔφʔ๏Λ࢖ͬͯ৐ࢉ
ԋࢉΛݮΒͯ͠ܭࢉ
伴 S

View Slide

8FHNBO$BSUFS$POTUSVDUJPO
GPS1PMZ
ೝূ͢Δσʔλ
$ $ $ $O $O
ʜ
伴 S
伴 T
ૉ਺Q
$SO$SO$SOʜ$OS$OSNPEQT
Ϣχόʔαϧϋογϡ0OF5JNF伴
w ਺ֶతʹڧ౓͕ূ໌Ͱ͖͍ͯΔ
w 4)"ͳͲͷ)."$ΑΓߴ଎

View Slide

1PMZ
$SO$SO$SMʜ$OS$OSNPET
NPE
ೝূ͢Δσʔλ 伴 S

$ $ $ $O $O
ʜ
όΠτ௕Ͱ෼ׂɻ಄ʹ̍όΠτ
෼෇Ճͯ̍̓͠όΠτ௕ʹ
όΠτ
伴 T

όΠτ
࠷ऴతʹόΠτ௕
ʹ੾Γ٧ΊΔ
CJU෼ؒҾ͖
ઈົ
ͳαΠζͷૉ਺

View Slide

ೝূ͢Δσʔλ
$
όΠτ௕
$
όΠτ௕
$

όΠτ௕
ʴ $
όΠτ௕
$

1PMZVQEBUF
ʴ
1PMZpOBM
1PMZʹΑΔ."$σʔλͷੜ੒
όΠτ௕
CJU௕
಄ͷCJU࡟আ ."$
όΠτ௕
ʴ
όΠτ௕
."$
࠷ऴతͳೝূίʔυ
伴S CJUؒҾ͖

伴 S
伴 T

$IB$IB
Χ΢ϯλʔ
LFZ OPODF

伴 T

伴S CJUؒҾ͖

伴S CJUؒҾ͖

ԼҐόΠτ
ԼҐόΠτ ্ҐόΠτ
෦෼৒༨஋
෦෼৒༨஋
1PMZVQEBUF

View Slide

ԋश
1PMZ."$
͕͢͞ʹ୹࣌ؒͰ࣮૷ͯ͠΋Β͏ͷ͸ਏ͍ͷͰϥΠ
ϒϥϦΛ࢖ͬͯ΋Β͍·͢ɻ

View Slide

"&"%
$IB$IB1PMZ
Λ࡞Δ

View Slide

5-4޲͚"&4($.ͱ$IB$IB1PMZ
"&4($. $IB$IB1PMZ
ඪ४ 3'$ 3'$ 3'$
ESBGUJFUGUMTDIBDIBQPMZ
࣌఺*&5'-BTU$BMMத

ରশ҉߸ "&4 "&4 $IB$IB
伴ަ׵ 34" %) %)& &$%)& &$%)&%)&
ೝূ 34" &$%4" 14,
13'
4") "&4

4)" "&4

4)"
໌ࣔత*7 CZUFT ͳ͠
/PODF
$MJFOU4FSWFS8SJUF*7 CZUFT
໌
ࣔత*7 CZUFT

ύουͨ͠4FR/VN CZUFT

903$MJFOU4FSWFS8SJUF*7 CZUFT

λά௕ CZUFT CZUFT
࠷খ҉߸Խ௕ CZUFT CZUFT

View Slide

ॳظΧ΢ϯλʔ ॳظΧ΢ϯλʔ
JODS
ฏจ
$IB$IB,FZ4USFBN
LFZ OPODF
1PMZ
伴S 伴T
҉߸จ
ೝূλά
MFO ฏจ
ccMFO ҉߸จ

"VUI%BUB ̌1BE ̌1BE
҉߸จ

伴S 伴T
$IB$IB,FZ4USFBN
LFZ OPODF
MFO
จࣈྻ௕ɺCJUɺMJUUMFFOEJBOදه
$IB$IB1PMZʹΑΔ"&"%ੜ੒
$IB$IBΛ࢖ͬͯ
1PMZͷ伴Λੜ੒

View Slide

ԋश
1PMZ,FZ(FOFSBUJPO
$IB$IB1PMZ&ODSZQUJPO

View Slide

΋͕࣌ؒ͠༨ͬͨΒ
ڈ೥ͷԋश΍ͬͯΈ·͠ΐ͏ɻ
TVEPOQNHJOTUBMMTFDDBNQDSZQUPXPSLTIPQQFS

View Slide

TLS徹底演習

TLS徹底演習

Shigeki Ohtsu

More Decks by Shigeki Ohtsu

Other Decks in Technology

Featured

Transcript