TLS徹底演習 (TLS Intensive Workshop)


Security Camp National Convention 2016, intensive lecture


Shigeki Ohtsu

August 10, 2016

Transcript

  1. TLS徹底演習 (TLS Intensive Workshop), Security Camp, IIJ, Shigeki Ohtsu, 2016

  2. About me: Internet Initiative Japan Inc. (IIJ), Corporate Planning Division, Content Delivery Business Promotion Department. Member of the Core Technical Committee of the open-source Node.js project, in charge of the TLS/crypto related features.
  3. Goal of this lecture: to have you understand TLS thoroughly. But TLS is a collection of security technologies, each of them deep and difficult; even eight hours is not enough for all of it. So it is split into three parts: (1) lecture: why TLS matters to engineers from now on; (2) lecture and exercises: learn the TLS handshake; (3) lecture and exercises: learn the core of TLS, the cryptography.
  4. Today's flow: lecture: TLS overview; lecture: preparation for understanding TLS (especially AEAD); lecture and exercises: the TLS handshake explained, doing a TLS handshake with the TLS Bot, a real Man in the Middle; lecture and exercises: implementing ChaCha20-Poly1305.
  5. TLS overview

  6. Internet threats: eavesdropping. Passwords and credit card numbers are read off the wire.

  7. Internet threats: tampering. Data is rewritten while in transit.

  8. Internet threats: impersonation. Communicating while pretending to be the user.

  9. Internet threats: repudiation. Cancelling a transaction with "I never sent that".

  10. Security measures against the Internet threats: eavesdropping is countered by encryption, tampering by integrity checks, impersonation by authentication, repudiation by signatures.
  11. Secure communication at each layer: wireless LAN: WPA; IP: IPsec; TCP, UDP: TLS, DTLS, SSH; data: S/MIME, PGP. Today's topic is TLS.
  12. The goal of TLS. The most important goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. RFC5246: The Transport Layer Security (TLS) Protocol Version 1.2, 1. Introduction: "The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications." (figure: application to application, with integrity and privacy in between)
  13. 5-4ͷ؆୯ͳྺ࢙ 44- ະൃද ೥ 44- ೥ 44- ೥ *&5'5-48(ελʔτ ೥

    5-4 ೥ 5-4 ೥ 5-4 ೥ 5-4ݕ౼ελʔτ ೥ 5-4࢓༷Խ׬ྃʁ 44-͸چωοτεέʔϓࣾ ͷࢲతϓϩτίϧ େਓͷࣄ৘Ͱ໊শมߋ 44-ͱجຊઃܭ͸େ͖͘ม͑ͣվྑ ༷ʑͳػೳ֦ு ۙ೔8(ϥετίʔϧΛ໨ඪ ·ͩΘ͔Γ·ͤΜ %308/ 100%-& #&"45
  14. 5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551 )551ͷ࣌୅ ʙ 5-4ʙ

    5-4ʙ
  15. 5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551ηϚϯςΟΫε 5$1 *1 WW

    &UIFSOFU 5-4 41%: )551ηϚϯςΟΫε )551 )551͔Β)551΁ ʙ ʙ ϒϥ΢β͸5-4௨ ৴ͷΈαϙʔτ Ͳͷ5-4όʔ δϣϯͰ΋0,
  16. 5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 5-4 &UIFSOFU )551ηϚϯςΟΫε )551

    26*$҉߸ϓϩτίϧ ʙ )551ʙ )551͔Β26*$΁ (PPHMFಠࣗ҉߸ ϓϩτίϧ
  17. 5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 &UIFSOFU 5-4 )551ηϚϯςΟΫε )551

    ʙʁ 26*$͔Β5-4΁ ʙ ౷Ұ͞ΕΔ༧ఆ
  18. Why does TLS matter? The era of always-on TLS has arrived.

  19. Pervasive Surveillance: wide-area eavesdropping. State-level organizations (the US NSA, the UK GCHQ and others) carry out wide-area eavesdropping with enormous budgets. The details of these activities were leaked by Edward Snowden: interception and monitoring of Internet telephony, eavesdropping on traffic inside data centers, codebreaking, cryptographic backdoors, cyber attacks and so on.
  20. /4"ʹΑΔαΠόʔ߈ܸͷҰྫ 26"/56. '09"$*% IUUQXXXFYBNQMFDPN XXXFYBNQMFDPN Ϛϧ΢ΣΞΛૹΓࠐΉ ్தܦ࿏Ͱվ͟ΜίϯςϯπΛૹ৴ '09"$*%ʹ༠ಋ վ͟Μίϯςϯπ IUUQTXXXTDIOFJFSDPNCMPHBSDIJWFTIPX@UIF@OTB@BUUIUNM

  21. Worries of protocol engineers: attacks that had been considered unrealistic because they need large-scale facilities and budgets were actually being carried out. Environments where traffic can be eavesdropped on or tampered with, such as public wireless LANs, are spreading. Fortunately, traffic properly encrypted with up-to-date technology has not yet been broken and should be safe.

  22. Worries of search service companies: plaintext traffic to sites with a high search page rank is an obvious attack target. With plaintext traffic, users may end up taking part in DDoS attacks through tampered content or malware infection (the attack on Github is an example). Declining soundness of net content undermines trust in search services in the long term. What happens to SEO?
  23. IAB statement on Internet confidentiality: when designing new protocols, encryption should be mandatory; network operators and service providers are strongly urged to deploy encrypted communication; for functions that need plaintext traffic, such as content filters and IDS, alternative technologies will be developed in the future. Internet Architecture Board, IAB statement on Internet confidentiality, www.iab.org (full link path lost in extraction).
  24. Mozilla's declaration deprecating non-secure HTTP: from some point on, new features will only be available over HTTPS; features currently available over HTTP (plaintext) that put users' security or privacy at risk will be removed. https://blog.mozilla.org/security/ (post path lost in extraction: "deprecating-non-secure-http")
  25. Chrome's deprecation of features over HTTP. Chrome plans to block the following features over HTTP (plaintext): obtaining location (already deprecated), device motion and orientation, playback of encrypted media, camera and microphone access, application cache. https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
  26. The road to always-on TLS: state-level wide-area eavesdropping, securing the soundness of net content, browsers deprecating features over HTTP (plaintext), new technology developed on the assumption of encryption, free certificates. Future technologies assume TLS; leading-edge engineers cannot avoid TLS.
  27. Preparation for understanding TLS

  28. The building blocks of TLS: X.509 certificates, PKI, symmetric ciphers, cipher modes, public-key encryption, digital signatures, message authentication, random number generation, key exchange, one-way hashes. The TLS protocol combines these building blocks into a procedure that establishes secure communication between applications.
  29. Dependencies among the TLS building blocks (X.509 certificates, PKI, symmetric ciphers, cipher modes, public-key encryption, digital signatures, message authentication, random number generation, key exchange, one-way hashes). Strictly speaking, each of these needs to be understood properly.
  30. Where are the TLS building blocks used? ClientHello and ServerHello: random number generation. Certificate: PKI, X.509 certificates, digital signatures. ServerKeyExchange and ClientKeyExchange: random number generation, key exchange, public-key encryption, digital signatures. ChangeCipherSpec and Finished: message authentication, symmetric cipher and cipher mode. Application Data: symmetric cipher, cipher mode, one-way hash, random number generation.
  31. Where are the TLS building blocks used? Random number generation: the nonces in Client/ServerHello, key pair generation, IVs for data encryption. PKI: signing and issuing the server certificate by the CA. X.509 certificates: authenticating server and client and obtaining the public key via Certificate. Digital signatures: signing certificates, signing the public keys exchanged in the key exchange. Key exchange: exchanging (EC)DH public keys via Server/ClientKeyExchange. Public-key encryption: encrypted transmission of the PreMasterSecret in RSA key exchange. One-way hash: generating the MAC of application data when a cipher mode such as CBC is used. Message authentication: generating the MasterSecret, verifying the integrity of the handshake data via Finished. Symmetric cipher and cipher mode: encrypting the handshake and application data after ChangeCipherSpec. (Note: they are used in other small places as well.)
  32. The TLS building blocks used today: AEAD, Poly1305, ChaCha20, ECDHE, RSA, SHA256, X.509 certificates, PKI (symmetric cipher, cipher mode, public-key encryption, digital signature, message authentication, random number generation, key exchange, one-way hash). On Linux, random numbers come from /dev/urandom plus OpenSSL processing. Today's exercises cover these.
  33. TLS building blocks packaged as a set menu: TLS CipherSuites. TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C}; TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC,0xA8}. The name reads TLS_<key exchange>_<digital signature>_WITH_<symmetric cipher>_<key length>_<cipher mode>_<hash>. First suite: RSA for key exchange and digital signature, AES with a 128-bit key as the symmetric cipher, GCM (AEAD) as the cipher mode, SHA256 as the hash. Second suite: ECDHE for key exchange, RSA for the digital signature, ChaCha20 as the symmetric cipher, Poly1305 (AEAD) as the cipher mode, SHA256 as the hash; assigned the number 0xCC,0xA8.
  34. ࠓ͸5-4ʹԿΛ࢖͏ʁ 伴ަ׵ 34" 'PSXBSE4FDSFDZ %)& &$%)& σδλϧॺ໊ 34" %44 %4"

    &$%4" ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ ҉߸Ϟʔυ $#$ "&"% $$. ($. 1PMZ ϝοηʔδೝূ ʢϋογϡʣ .% 4)" 4)" 4)" ੺ɿ࢖Θͳ͍ɺԫɿ஫ҙɺ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉ ஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢ ͪͳΈʹɺ ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ ϧॺ໊͸શ෦Ξ΢τʂ
  35. Symmetric ciphers: plaintext is encrypted with a shared key into ciphertext and decrypted with the same shared key. Stream ciphers encrypt data sequentially (RC4, ChaCha20); block ciphers encrypt data block by block (DES, AES). Some ciphers are already compromised: DES: in 2005 NIST withdrew the FIPS 46-3 standard (tolerated until 2030); RC4: RFC 7465, Prohibiting RC4 Cipher Suites. The distinction between block and stream ciphers is disappearing: using a block cipher (AES) in counter mode (a cipher mode, described later) turns it into a stream cipher. AES-GCM is stream-cipher processing.
  36. Symmetric cipher AES: project started in 1997, selected in 2000, specification published in 2001. Block size 128 bits. Three key lengths: 128, 192 and 256 bits. Hardware support on Intel/AMD CPUs (AES-NI). As of 2016 the de facto standard for TLS traffic. ChaCha20 is explained in detail later.
  37. Cipher modes: a block cipher produces the same ciphertext every time the same data is encrypted under the same key. When encrypting data longer than the block length, a cipher mode is used to avoid repetition. CBC: keep doing "encrypt (plaintext XOR vector)". CTR: keep doing "encrypt counter, XOR with plaintext". For actual use in TLS the mode is combined with a MAC (message authentication) for tamper detection (AEAD). AES-GCM is the current mainstream; CBC was the mainstream until now. ChaCha20-Poly1305 is explained in detail later.
  38. AEAD (authenticated encryption): inputs are the plaintext to encrypt, data that is not encrypted but must be protected from tampering (headers etc.), the shared key and the initialization vector; outputs are the ciphertext and the authentication tag. Encrypt-then-MAC: the hash value is taken after encrypting.
  39. AEAD (authenticated encryption), decryption side: inputs are the ciphertext, the authentication tag, the data that is not encrypted but must be protected from tampering (headers etc.), the shared key and the initialization vector; the tamper check is performed and the plaintext is returned.
  40. GCM (Galois Counter Mode): an AEAD combining CTR and GHASH. Can be accelerated in hardware. Combined with AES and used as AES-GCM.
  41. One-way hash: data goes through a one-way hash function to produce a hash value. Comparing hash values lets you check whether data has been tampered with.

  42. Cryptographic hashes: preimage resistance (given hash value h, finding an m with h = HASH(m) is hard), second preimage resistance (given a specific message m, finding an m' with HASH(m) = HASH(m') is hard), strong collision resistance (finding any m1 and m2 with HASH(m1) = HASH(m2) is hard).
  43. One-way hashes: md5 (practical attacks already exist (*1)), SHA-1 (collisions expected to be findable at realistic cost by around 2018 (*2)), SHA-2 (six variants, SHA-256 etc.), SHA-3 (six variants, SHA3-256 etc.; officially published by NIST on August 5). (*1) How to Break MD5 and Other Hash Functions, http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf (*2) Cryptanalysis of SHA-1, https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
  44. Recall AEAD: the authentication tag, the data that is not encrypted but must be protected from tampering (headers etc.), the plaintext to encrypt, AEAD encryption, the ciphertext, the shared key, the initialization vector. The tag is a hash value! But it is GCM or Poly1305, not something like SHA256. Why?
  45. AEAD does not need a full cryptographic hash. With Encrypt-then-MAC the message being hashed is visible (the ciphertext and the unencrypted header data), so preimage resistance is not required. What matters is detecting tampering of the visible message (the MAC): second preimage resistance and strong collision resistance are required. It is computed per packet, so speed matters. GCM and Poly1305 are fast MAC algorithms specialized for AEAD.
  46. Message authentication (HMAC): a shared key is agreed in advance; a hash value is produced from the shared key combined with the data; this authenticates the integrity of the data and the identity of whoever produced the hash.
  47. Public-key encryption (danger of 512-bit RSA: FREAK, https://freakattack.com/): ciphers built on mathematical problems whose solution is hard to compute. A public/private key pair is generated; the public key can be exposed. Encrypt with the public key, decrypt with the private key. RSA: integer factorization. ECC (elliptic curve cryptography): the discrete logarithm problem on elliptic curves.
  48. Key exchange: a mechanism for two parties to share a key securely. They exchange public keys and each derives the shared key; the shared key itself never travels over the channel. DH (Diffie-Hellman), ECDH (elliptic curve DH). Vulnerability: DH Logjam, https://weakdh.org/. Ephemeral key exchange gets the letter E (Ephemeral): DHE, ECDHE.
  49. Digital signatures: make it possible to check the integrity of data, to authenticate the sender of data, and to prevent repudiation within the limits of trust in the public key. RSA, DSA, ECDSA. The sender encrypts the hash value of the data with the private key to produce the signature and sends data plus signature; the receiver decrypts the signature with the public key and compares it with the hash value of the data to verify it.
  50. PKI overview: CA (Certificate Authority), VA (Validation Authority), RA (Registration Authority), CRL/OCSP, CSR, key pair, identity verification, server certificate, https://..., revocation check. Logically these are separate roles, but physically they may be one entity. Root certificates are shipped by OS and browser vendors.
  51. Server certificates (X.509): the key element guaranteeing trust in TLS communication. The certificate chain from the built-in root certificate through the intermediate certificate to the server certificate is verified by signature. Trust is established outside the online channel (PKI); the built-in root certificate is the trust anchor.
  52. Certificate types. EV certificates (Extended Validation): strict proof of organizational existence common to all CAs (physical existence, review of documents, data and bank account transactions, signed submissions, telephone confirmation, etc.); the address bar turns green. OV certificates (Organization Validation): proof of organizational existence following each CA's policy (CPS) (document and data review, telephone confirmation, etc.). DV certificates (Domain Validation): proof of domain ownership following each CA's policy (CPS) (e-mail reachability check, etc.); free certificates such as Let's Encrypt exist. EV and OV prove existence outside the network.
  53. Contents of a server certificate: version, serial number, issuer information, validity period, server identifier, public key information, extensions (key usage, alternative names, revocation information, policy references), digital signature.

  54. Checking a server certificate: if the server certificate and the private key do not correspond, the TLS server will not start. So always check that the public key in the server certificate matches the public key of the private key: openssl x509 -pubkey -noout -in server.crt > server_pubkey.pem and openssl rsa -pubout -in private.key -out private_pubkey.pem, then compare the two public keys (command punctuation reconstructed from the garbled transcript).
  55. The foundations of TLS security: random number generation (entropy shortage), PKI (fraudulent issuance), private key management (leakage), cryptographic technology (weakening of algorithms and strength). TLS is a mechanism that provides secure communication on the Internet on top of these four external elements. Conversely, no matter how perfect a TLS protocol is, security cannot be guaranteed if any of these four external elements is broken.
  56. The TLS handshake. Note: to avoid complexity, client authentication is omitted. Together with the TLS Bot.

  57. ԋश ࣮ࡍʹ$IB$IBͷύέοτΛݟͯΈΔ IUUQTDIBDIBUMTLPVMBZFSDPN ʹ$ISPNFͰΞΫηεɺ%FWFMPQFS5PPMͰ֬ೝͯ͠ΈΔɻ IUUQTDIBDIBUMTLPVMBZFSDPNDIBDIB@TBNQMFQDBQ Λμ΢ϯϩʔυͯ͠ɺ&UIFSSFBMͰݟͯΈΑ͏ɻ

  58. SecCamp TLS Bot: a bot that performs the TLS handshake from TLS frames entered in HEX form on the command line. Works as both server and client. The client starts by entering a HelloRequest frame. With NODE_DEBUG=seccamp it prints the output frames as JSON.
  59. SecCamp TLS Bot: npm install seccamp-tls-exercise. Write the Server/Client Bot script: const SecCamp = require('seccamp-tls-exercise'); then create the TLS Bot, passing false for the client (the exact call syntax is lost in extraction). If the installed node_module can be found, the code is in node_modules/seccamp-tls-exercise/samples; it is also on a gist at https://gist.github.com/shigeki/ (gist id lost in extraction).
  60. TLS Bot

  61. TLS bot debug mode: export NODE_DEBUG=seccamp

  62. TLS handshake (full handshake): ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data, Application Data (red text is the handshake). The ClientHello/ServerHello exchange agrees on the TLS version, cipher suite and so on that both sides will use. Two RTTs are needed before encrypted application traffic can start.
  63. TLS handshake (resumption): ClientHello(session_id), ServerHello(session_id), ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data, Application Data (red text is the handshake). Resuming a TLS session by SessionID skips the key exchange and sending certificates. Out of scope for today's exercises. Encrypted application traffic starts after one RTT.
  64. Meaning of the TLS handshake messages. ClientHello/ServerHello/ServerHelloDone: exchange of information for TLS (version, random values, cipher suite, extensions). Certificate: sending the public key information, authenticating the endpoint. ClientKeyExchange/ServerKeyExchange: shared key exchange. ChangeCipherSpec: the signal that encryption starts. Finished: tamper check of the handshake data.
  65. Structure of TLS 1.2: IP header, TCP header, then the TLS Record Layer (5 bytes): type (4 kinds, 1 byte), version (2 bytes), length (2 bytes). The record is followed by one of four kinds of TLS data: Handshake (type 0x16): msg type (10 kinds), length (3 bytes), handshake data; Alert (type 0x15): level, reason; ChangeCipherSpec (type 0x14): type; Application Data (type 0x17): encrypted data. Handshake msg types: 0x00 HelloRequest, 0x01 ClientHello, 0x02 ServerHello, 0x0b Certificate, 0x0c ServerKeyExchange, 0x0d CertificateRequest, 0x0e ServerHelloDone, 0x0f CertificateVerify, 0x10 ClientKeyExchange, 0x14 Finished. The TLS handshake is divided into these 10 kinds.
  66. Reading a TLS handshake frame. Record Layer: type, protocol version (major, minor), length (2 bytes): 0x16 0x03 0x03 0x00 0x45 (5 bytes, not encrypted). Handshake (ClientHello): msg type, length (3 bytes): 0x01 0x00 0x00 0x41 (4 bytes), then client version (major, minor) 0x03 0x03 and the 32-byte random (this part is what gets encrypted once the cipher is active).
  67. Exercise: open two command-line terminals and start tls_client_bot in one and tls_server_bot in the other. Enter a HelloRequest into tls_client_bot, copy the ClientHello it outputs and enter it into the server bot. Set NODE_DEBUG=seccamp and inspect the JSON.
  68. ClientHello. The ClientHello/ServerHello exchange agrees on the TLS version, cipher suite and so on that both sides will use.

  69. ClientHello fields (field: elements; size; leading length field):
     client_version: uint8 major, uint8 minor; 2 bytes; none
     random: uint32 gmt_unix_time, opaque random_bytes[28]; 4 + 28 bytes; none
     session_id: opaque SessionID<0..32>; 1-byte length field
     cipher_suites: uint8 CipherSuite[2] <2..2^16-2>; 2-byte length field
     compression_methods: null(0) <1..2^8-1>; 1-byte length field
     extensions: extension_type(65535), extension_data<0..2^16-1>; <0..2^16-1>; 2-byte length field
     Example extensions layout (bit ruler 0..31): the total extensions length, then repeated (type, data length, data) entries.
  70. ClientHello on the wire. Record Layer: type 0x16, protocol version 0x03 0x03, length ?? ?? (2 bytes). Handshake (ClientHello): msg type 0x01, length ?? ?? ?? (3 bytes), client version 0x03 0x03, random (32 bytes), then session id, cipher suites, compression and extensions, all variable length. Version: 0x03,0x00 = SSLv3; 0x03,0x01 = TLSv1.0; 0x03,0x02 = TLSv1.1; 0x03,0x03 = TLSv1.2. The client specifies the highest TLS version it can use and the server chooses which version to use.
  71. None
  72. ServerHello. ClientHello, ServerHello (red text is the handshake). The ClientHello/ServerHello exchange agrees on the TLS version, cipher suite and so on that both sides will use.

  73. ServerHello fields (field: elements; size; leading length field):
     server_version: uint8 major, uint8 minor; 2 bytes; none
     random: uint32 gmt_unix_time, opaque random_bytes[28]; 4 + 28 bytes; none
     session_id: opaque SessionID<0..32>; 1-byte length field
     cipher_suite: uint8 CipherSuite[2]; 2 bytes; none
     compression_method: null(0); 1 byte; none
     extensions: extension_type, extension_data<0..2^16-1>; <0..2^16-1>; 2-byte length field
     On the wire: Record Layer (5 bytes): type 0x16, protocol version 0x03 0x03, length (2 bytes) = handshake length + 4. Handshake (ServerHello): msg type 0x01 (sic; ServerHello is 0x02 in the table on slide 65), length (3 bytes), server version 0x03 0x03, random (32 bytes), session id (1-byte length), cipher suite (2 bytes, e.g. 0x00,0x9c), compression (1 byte), extensions (2-byte length).
  74. None
  75. Certificate. ClientHello, ServerHello, Certificate (red text is the handshake).

  76. Certificate fields: certificate_list: ASN.1Cert<2^24-1>, <0..2^24-1>. Layout: total certificates length, certificate #1 length, certificate data #1, certificate #2 length, certificate data #2, ... Several certificates are sent; the first is always the server certificate, the second and later are intermediate certificates and the like.
  77. None
  78. Perfect Forward Secrecy (PFS), forward secrecy: a temporary key is used for every session. Even if all encrypted data including the handshake has been captured, this guards against a future leak of the private key. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: Ephemeral means a temporary key exchange.
  79. DHE vs ECDHE. DH (Diffie-Hellman): key exchange based on the discrete logarithm problem. With prime P and generator g, the parties exchange g^x mod P and g^y mod P and both compute (g^y)^x mod P = (g^x)^y mod P = g^(xy) mod P; the public values (red and blue in the figure) are exchanged. More computation than ECDHE. ECDHE: key exchange based on the discrete logarithm on an elliptic curve. The curve parameters and base point are specified by name (secp256r1 etc.) and the public keys (points on the curve) are exchanged. Shorter keys and less computation than DH.
  80. The ECDHE handshake: ClientHello + elliptic_curves + ec_point_formats (announces the usable curve names and point formats), ServerHello + ec_point_formats (agrees on the point format), Certificate, ServerKeyExchange (sends the curve name and the server's public key, signed), ServerHelloDone, ClientKeyExchange (sends the client's public key), ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data (red text marks what is added or changed). ClientHello and ServerHello gain extensions. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. The public keys are generated randomly every time.
  81. ECDHE ClientHello extension: the client tells the server the list of elliptic curves it supports; the server picks a suitable curve from the list and announces the chosen curve in ServerKeyExchange. Bytes 0..7: elliptic_curves (10), extension data length, list length, secp256r1 (23): 0x00 0x0a 0x00 0x04 0x00 0x02 0x00 0x17
  82. ECDHE Client/Server Hello extension: the format of the elliptic curve public key. Bytes 0..5: ec_point_formats (11), extension data length, list length, uncompressed (0): 0x00 0x0b 0x00 0x02 0x01 0x00
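The following parser is an added example, not code from the slides or from the seccamp-tls-exercise bot. It reads a TLS 1.2 record carrying a ClientHello according to the layouts on slides 65-70 and decodes the elliptic_curves and ec_point_formats extensions of slides 81-82. Every length field is checked against the bytes that remain before it is trusted, so a truncated record or a lying length throws instead of reading past the buffer; the sample ClientHello bytes are constructed here (they are not the bytes shown on slide 66).

```javascript
'use strict';

const VERSIONS = { 0x0300: 'SSLv3', 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2' };

// Bounds-checked cursor over a Buffer: every read verifies the bytes exist first.
class Reader {
  constructor(buf) { this.buf = buf; this.pos = 0; }
  need(n) { if (this.pos + n > this.buf.length) throw new Error(`truncated: need ${n} bytes at offset ${this.pos}`); }
  u8() { this.need(1); return this.buf[this.pos++]; }
  u16() { this.need(2); const v = this.buf.readUInt16BE(this.pos); this.pos += 2; return v; }
  u24() { this.need(3); const v = this.buf.readUIntBE(this.pos, 3); this.pos += 3; return v; }
  bytes(n) { this.need(n); const b = this.buf.subarray(this.pos, this.pos + n); this.pos += n; return b; }
  // Vector with a 1-, 2- or 3-byte length prefix, as in the TLS presentation language.
  vec(lenBytes) { const n = lenBytes === 1 ? this.u8() : lenBytes === 2 ? this.u16() : this.u24(); return this.bytes(n); }
  done() { return this.pos >= this.buf.length; }
}

function parseExtensions(body) {
  const r = new Reader(body);
  const ext = { namedCurves: [], pointFormats: [], other: [] };
  while (!r.done()) {
    const type = r.u16();
    const data = new Reader(r.vec(2));
    if (type === 0x000a) {            // elliptic_curves: 2-byte list length, 2-byte curve ids
      const list = new Reader(data.vec(2));
      while (!list.done()) ext.namedCurves.push(list.u16());
    } else if (type === 0x000b) {     // ec_point_formats: 1-byte list length, 1-byte format ids
      const list = new Reader(data.vec(1));
      while (!list.done()) ext.pointFormats.push(list.u8());
    } else {
      ext.other.push(type);
    }
  }
  return ext;
}

function parseClientHello(record) {
  const r = new Reader(record);
  const contentType = r.u8();                       // record layer: type(1) version(2) length(2)
  if (contentType !== 0x16) throw new Error('not a Handshake record');
  const recordVersion = r.u16();
  const hs = new Reader(r.vec(2));
  if (!r.done()) throw new Error('trailing bytes after record');
  const msgType = hs.u8();                          // handshake header: msg_type(1) length(3)
  if (msgType !== 0x01) throw new Error('not a ClientHello');
  const body = new Reader(hs.vec(3));
  const clientVersion = body.u16();
  const random = body.bytes(32);
  const sessionId = body.vec(1);
  const suites = body.vec(2);
  if (suites.length < 2 || suites.length % 2 !== 0) throw new Error('bad cipher_suites length');
  const cipherSuites = [];
  for (let i = 0; i < suites.length; i += 2) cipherSuites.push(suites.readUInt16BE(i));
  const compression = [...body.vec(1)];
  // Extensions are optional: the body may simply end after compression_methods.
  const extensions = body.done() ? { namedCurves: [], pointFormats: [], other: [] } : parseExtensions(body.vec(2));
  return {
    recordVersion: VERSIONS[recordVersion] || `0x${recordVersion.toString(16)}`,
    clientVersion: VERSIONS[clientVersion] || `0x${clientVersion.toString(16)}`,
    gmtUnixTime: random.readUInt32BE(0),
    randomHex: random.toString('hex'),
    sessionIdHex: sessionId.toString('hex'),
    cipherSuites, compression, extensions,
  };
}

// Constructed sample (not from the slides): a TLS 1.2 ClientHello offering the two
// suites of slide 33 (0x009C, 0xCCA8), an empty session id, null compression and the
// two ECDHE extensions of slides 81-82 (secp256r1, uncompressed points).
const SAMPLE_CLIENT_HELLO = Buffer.from(
  '160303003f' +                                                      // record: handshake, TLS 1.2, 63 bytes
  '0100003b' +                                                        // ClientHello, body 59 bytes
  '0303' +                                                            // client_version TLS 1.2
  '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f' +   // random (32 bytes)
  '00' +                                                              // session_id length 0
  '0004009ccca8' +                                                    // cipher_suites: 0x009C, 0xCCA8
  '0100' +                                                            // compression_methods: null
  '000e' + '000a00040002' + '0017' + '000b0002' + '0100',             // extensions (14 bytes)
  'hex');

module.exports = { parseClientHello, SAMPLE_CLIENT_HELLO };
```

The `Reader.need` check is the part a practitioner should keep: each of the six length fields is attacker controlled, and a parser that trusts them is exactly what turns a malformed ClientHello into an out-of-bounds read.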
  83. ServerKeyExchange. ClientHello, ServerHello, Certificate, ServerKeyExchange (red text is the handshake).

  84. ECDHE ServerKeyExchange: ServerECDHParams (ECParameters: curve_type = named_curve (3), named_curve = secp256r1 (23); ECPoint: length, public key in the format specified by the Hello extension) followed by Signature (algorithm RSA-SHA256 (0x04,0x01), signature). signature = sign(algorithm, ClientHello.random + ServerHello.random + ServerECDHParams); the ServerECDHParams and the randoms are signed with the RSA private key.
  85. None
  86. ServerHelloDone. ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone (red text is the handshake).

  87. ServerHelloDone: handshake type 0x0e, handshake length 0x00 0x00 0x00. The signal that ServerHello is finished; it consists of the handshake header only. It tells the client that the first half of the handshake, the series of messages starting with ServerHello, is complete.
  88. None
  89. TLS handshake (full handshake): ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange (red text is the handshake).

  90. ECDHE ClientKeyExchange: ClientECDHParams (ECPoint: length, public key in the format specified by the Hello extension). ClientKeyExchange needs no signature.

  91. None
  92. Question: why are the ECDHE public keys protected differently? ServerKeyExchange: the public key is signed. ClientKeyExchange: no signature at all. Why is that?

  93. PreMasterSecret/MasterSecret: the source of the IVs (initialization vectors), shared keys and MAC keys used by TLS. The MasterSecret is 48 bytes long; the length of the PreMasterSecret depends on the key exchange method. The MasterSecret is generated from the PreMasterSecret, ClientRandom, ServerRandom and a fixed label. Client/ServerRandom are fully visible on the wire; the PreMasterSecret must be protected at all costs. If it leaks, the security of TLS is gone entirely (Freak, Logjam).
  94. None
  95. ChangeCipherSpec, Client -> Server. ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec (red text is the handshake).

  96. ChangeCipherSpec: the sender declares the start of encryption; everything it sends after this is encrypted. Record Layer: ContentType 0x14, Version 0x03 0x03, length 0x00 0x01; ChangeCipherSpec body: 0x01.
  97. None
  98. TLS handshake (full handshake): ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished (red text is the handshake).
  99. Finished: struct { opaque verify_data[verify_data_length]; } Finished; verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]; finished_label is "client finished" for the client and "server finished" for the server; verify_data is fixed at 12 bytes. The hash is computed over all handshake data so far (excluding this Finished message itself); TLS 1.2 uses SHA256. On receiving Finished, the peer compares it with the value computed from the handshake data it has sent and received so far, which confirms that the handshake data was not tampered with.
  100. None
  101. ChangeCipherSpec, Server -> Client. ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec (red text is the handshake).
  102. None
  103. Server Finished. ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished (red text is the handshake).
  104. None
  105. Application Data. ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished, Application Data (red text is the handshake).
  106. None
  107. Exercise: one-to-one TLS with the TLS Bot. Form pairs and carry out TLS communication using the Bot; decide who plays Client and who plays Server. Exchange the data via Cybozu and confirm that each side can decrypt the other's ciphertext (TLS encrypted communication: TLS Server, Application Data "hoge", Bot to Bot).
  108. Exercise: a real Man In The Middle. Form groups of three and carry out TLS communication using the Bot; decide who plays Client, who plays the attacker and who plays Server. Run the TLS handshake through the attacker; first the attacker simply relays everything from one side to the other. Next, the attacker runs Server and Client Bots of their own and impersonates each side.
  109. ChaCha20-Poly1305: the new TLS cipher whose specification was completed in June 2016 (RFC 7905). I am not a cryptographer, so I will skip the discussion of its security.

  110. ChaCha20-Poly1305. ChaCha20: a cipher designed by D. J. Bernstein (djb); Salsa20 was published first and improved into ChaCha20. Poly1305: a MAC designed by djb, originally published combined with AES as AES-Poly1305. Fundamentally the two are independent; Google's Adam Langley published the draft specification combining them as ChaCha20-Poly1305.
  111.  1PMZ࿦จൃද ࠷ऴ൛  $IB$IB࿦จൃද ࠷ऴ൛  4BMTB͕F4USFBNͷ'JOBMJTUʹબఆ  $IB$IBΛ࢖ͬͨ#-",&͕4)"ͷ࠷ऴީิʹબఆ

     ESBGUBHMUMTDIBDIBQPMZެ։  $ISPNF͕$IB$IB1PMZΛ࣮૷ɻ(PPHMFαʔϏεͰར༻։࢝ 0QFO44)͕$IB$IB1PMZΛ࣮૷  5-48(͔Β$'3(΁$IB$IB1PMZͷ࢓༷ݕ౼ΛਐΊΔ͜ͱΛཁ੥  -JCSF44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  #PSJOH44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  $MPVE'MBSF͕$IB$IB1PZͷར༻։࢝ɻ0QFO44-༻ύονެ։  3'$ $IB$IB1PMZ࢓༷ ͕ެ։  0QFO44- BMQIB ͕$IB$IB1PMZΛ࣮૷  'JSFGPY͕$IB$IB1PZΛ࣮૷  3'$$IB$IB1PMZ$JQIFS4VJUFTGPS5SBOTQPSU-BZFS4FDVSJUZ 5-4 $IB$IB1PMZ͜Ε·ͰͷาΈ  4OPXEFOࣄ݅
  112. "&4ͱ$IB$IBͷൺֱ "&4 $IB$IB ํࣜ ϒϩοΫ CJUT   ετϦʔϜ ೖྗ

    伴௕  CJUT 伴௕CJUT /PODFͳ͠ ॳظΧ΢ϯλʔͳ͠ /PODFCJUT EKC࿦จͰ͸CJUT  ॳظΧ΢ϯλʔCJUT ඪ४ /*45'*14 3'$   4BMTB͸FTUSFBNιϑτ΢ΣΞ1Iબఆ ੑೳಛੑ "&4/*ͳͲઐ༻ϋʔυ΢ΣΞʹΑΔߴ଎ ॲཧ͕Մೳ ࣄલܭࢉ΍4#09͕ඞཁͳ͘ɺλΠϛϯά߈ܸ͕ൃੜ͠ʹ ͍͘ɻ4*.%Λ࢖ͬͨߴ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ ΩϟογϡλΠϛϯάͳͲαΠυνϟωϧ ߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ /PODFΛ࠶ར༻͠ͳ͍͜ͱ %+#ͷ࿦จIUUQDSZQUPDIBDIBDIBDIBQEG͕ΞϧΰϦζϜنఆͷࢀরઌ Χ΢ϯλʔϞʔυͱ૊Έ߹ΘͤͯετϦʔϜ҉߸ͱͯ͠ར༻͕Մೳ
  113. QuarterRound(a, b, c, d): (1) a += b; d ^= a; d <<<= 16. (2) c += d; b ^= c; b <<<= 12. (3) a += b; d ^= a; d <<<= 8. (4) c += d; b ^= c; b <<<= 7. Here a, b, c, d are 32-bit unsigned ints, x + y means (x + y) mod 2^32, ^ is XOR, and <<< n is an n-bit left rotation. Every operation is applied to each of a, b, c, d the same number of times. This is the ChaCha round operation: no multiplication, only fixed-width operations (constant time).
  114. Assignments and exercises: sudo npm -g install seccamp-chacha20-workshopper (today's assignments and pre-study; separators reconstructed from the garbled transcript).

  115. The ChaCha20 state is a 4 x 4 matrix of 32-bit words (64 bytes). The two kinds of ChaCha rounds: the column round applies QuarterRound to each of the four columns, the diagonal round applies it to each of the four diagonals. Exercise.
  116. The initial ChaCha20 state: four constant words (the ASCII string "expand 32-byte k"), eight key words (32-byte key), one counter word (4 bytes), three nonce words (12 bytes). Ten repetitions of (column round, diagonal round), i.e. 20 rounds, turn the initial ChaCha state into the ChaCha stream state.
  117. Beware of the endianness of the ChaCha state: the key, counter and nonce bytes are loaded as little-endian 4-byte words (k[3] k[2] k[1] k[0] form the first key word, and so on). Be careful when processing data in this order; at a glance it looks big-endian.
  118. ChaCha20 block function: the initial ChaCha state (constants, key, counter, nonce) is run through 20 rounds to give the round ChaCha state, and the final ChaCha state is the word-wise modular sum (mod 2^32) of the initial state and the round state.
  119. Exercise: ChaCha20 QuarterRound, ChaCha20 block function.

  120. ChaCha20 key stream: each 4-byte element of the final state is serialized in little-endian order (a word 0xabcdef.. becomes the bytes ..ef cd ab). The ciphertext is produced by XORing the key stream with the plaintext.
  121. ChaCha20 plaintext encryption: for each 64-byte block, key, nonce and counter form the initial ChaCha state, 20 rounds produce the ChaCha state, the key stream is XORed with the plaintext block to give the ciphertext block, and the counter is incremented for the next block. Decryption also just XORs the key stream with the ciphertext, so the procedure is almost identical.
  122. Exercise: ChaCha20 key stream, ChaCha20 encryption.

  123. Poly1305. This part is a bit harder, so it is mostly explanation.

  124. Why is a message authenticator needed? A record for https://www.example.com consists of IV, ciphertext and tag. If an attacker XORs tamper data into the ciphertext, "Hello World" decrypts to "Hello Cracked"; but when the tag is recomputed it differs, so the tampering is detected. Recomputing the tag requires the secret key.
  125. ()"4)ͱ1PMZ ()"4) 1PMZ ܭࢉํࣜ 8FHNBO$BSUFS$POTUSVDUJPO CJOBSZpFME Y Y Y Y

     QSJNFpFME  伴௕ CJUT "&4ͱ૊Έ߹Θͤͨ࣌ CJUT ."$௕ CJUT ར༻໨తʹԠͯ͡੾Γ٧ΊΔ CJUT ඪ४ /*4541% "&4($. 3'$ ੑೳಛੑ 1$-.6-2%2*ͳͲಛఆܭࢉ༻ϋʔυ΢ΣΞ ʹΑΔߴ଎ॲཧ͕Մೳ ࣄલܭࢉςʔϒϧ͕ඞཁͳ͘ɺ4*.%Λ࢖ͬͨߴ ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w ."$௕͸CJUTҎ্Λར༻͢Δ͜ͱ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w λΠϛϯά߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ "&4ͱ૊Έ߹Θͤͨ%+#ͷ࿦จIUUQDSZQUPNBDQPMZQEG͕ΞϧΰϦζϜنఆͷࢀরઌ
  126. Polynomial evaluation: split the data to authenticate into c1, c2, ..., cn and evaluate, at key r, the polynomial whose coefficients are these chunks: c1 r^n + c2 r^(n-1) + ... + cn r. Horner's method, (((c1 r + c2) r + c3) r + ... + cn) r, reduces the number of multiplications.
  127. Wegman-Carter construction for Poly1305: data c1, c2, ..., cn, key r, key s, prime p: (c1 r^n + c2 r^(n-1) + ... + cn r) mod p + s. The polynomial part is a universal hash keyed by r, and s is a one-time key. Its strength can be proven mathematically, and it is faster than HMAC with SHA256 and the like.
  128. Poly1305: tag = ((c1 r^n + c2 r^(n-1) + ... + cn r) mod (2^130 - 5) + s) mod 2^128. The data to authenticate is split into 16-byte chunks, and one byte (0x01) is added at the top of each to make a 17-byte value. Key r is 16 bytes with 22 bits thinned out (clamped), key s is 16 bytes, and the result is finally truncated to 16 bytes. 2^130 - 5 is a prime of exquisitely suitable size.
  129. Generating a MAC with Poly1305: the data to authenticate is split into 16-byte chunks c1, c2, ... (the last chunk may be shorter, 1 byte of 0x01 is added on top of each chunk to give 17 bytes). Poly1305 update accumulates the partial remainders chunk by chunk with the 128-bit key r (22 bits thinned out); Poly1305 final adds key s and truncates to 16 bytes (the top bits are dropped) to give the final authentication code. Keys r and s come from ChaCha20 (key, nonce, counter).
  130. Exercise: Poly1305 MAC. Implementing it in such a short time is too hard, so you will use a library.

  131. Building the AEAD ChaCha20-Poly1305.

  132. 5-4޲͚"&4($.ͱ$IB$IB1PMZ "&4($. $IB$IB1PMZ ඪ४ 3'$ 3'$ 3'$  ESBGUJFUGUMTDIBDIBQPMZ ࣌఺*&5'-BTU$BMMத

    ରশ҉߸ "&4 "&4 $IB$IB 伴ަ׵ 34" %) %)& &$%)& &$%)&%)& ೝূ 34" &$%4" 14, 13' 4") "&4  4)" "&4 4)" ໌ࣔత*7 CZUFT ͳ͠ /PODF $MJFOU4FSWFS8SJUF*7 CZUFT  ໌ ࣔత*7 CZUFT ύουͨ͠4FR/VN CZUFT  903$MJFOU4FSWFS8SJUF*7 CZUFT λά௕ CZUFT CZUFT ࠷খ҉߸Խ௕ CZUFT CZUFT
  133. AEAD generation with ChaCha20-Poly1305: the ChaCha20 key stream for (key, nonce, initial counter 0) provides the Poly1305 keys r and s; the counter is incremented and the plaintext is XORed with the ChaCha20 key stream for (key, nonce, counter 1, ...) to give the ciphertext. The authentication tag is Poly1305(r, s) over AuthData | zero padding | ciphertext | zero padding | len(AuthData) | len(ciphertext), where each len is the byte length as a 64-bit little-endian value. ChaCha20 is thus used to generate the Poly1305 key.
  134. Exercise: Poly1305 key generation, ChaCha20-Poly1305 encryption.

  135. If time remains, let's try last year's exercises: sudo npm -g install seccamp-crypto-workshopper (separators reconstructed from the garbled transcript).