Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TLS徹底演習

Avatar for Shigeki Ohtsu Shigeki Ohtsu
August 10, 2016
Technology
74
20k

 TLS徹底演習

セキュリティ・キャンプ全国大会2016 集中講義

Avatar for Shigeki Ohtsu

Shigeki Ohtsu

August 10, 2016
Tweet

More Decks by Shigeki Ohtsu

See All by Shigeki Ohtsu
Privacy Sandboxとはなにか/Privacy Sandbox Explained
Avatar for Shigeki Ohtsu shigeki
5
1.8k
内定者向け黒帯トーク#4/Kuroobi-Talk for fresh persons #4
Avatar for Shigeki Ohtsu shigeki
3
2k
Signed HTTP Exchanges (SXG)とはなにか/SXG Explained
Avatar for Shigeki Ohtsu shigeki
10
3.5k
Webプロトコル最前線
Avatar for Shigeki Ohtsu shigeki
0
480
運用の観点から見たTLSプロトコルの動き
Avatar for Shigeki Ohtsu shigeki
0
1.5k
祝Node-v10リリース これまでのNodeの振り返り
Avatar for Shigeki Ohtsu shigeki
7
3.6k
運用の観点から見たTLSプロトコルの動き
Avatar for Shigeki Ohtsu shigeki
14
3.8k
IETF QUICに至るプロトコルの透過性問題とその対策
Avatar for Shigeki Ohtsu shigeki
3
1.2k
QUIC WG報告
Avatar for Shigeki Ohtsu shigeki
4
1.2k

Other Decks in Technology

See All in Technology
三視点LLMによる複数観点レビュー
Avatar for リリカル mhlyc
0
260
ClaudeCode_vs_GeminiCLI_Terraformで比較してみた
Avatar for t-kikuchi tkikuchi
1
3.8k
20150719_Amazon Nova Canvas Virtual try-onアプリ 作成裏話
Avatar for Rika.I riz3f7
0
110
Talk to Someone At Delta Airlines™️ USA Contact Numbers
Avatar for seahorse75930 travelcarecenter
0
170
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
0
600
AI時代にも変わらぬ価値を発揮したい: インフラ・クラウドを切り口にユーザー価値と非機能要件に向き合ってエンジニアとしての地力を培う
Avatar for Toshiaki Baba netmarkjp
0
190
How do i Get in Touch With QuickBooks Payroll Support®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for dadan connectquickbooks
0
100
[SRE NEXT 2025] すみずみまで暖かく照らすあなたの太陽でありたい
Avatar for Hiroshi Toda carnappopper
2
780
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
4.6k
Microsoft Fabric ガバナンス設計の一歩目を考える
Avatar for Ryoma Nagata ryomaru0825
1
160
How Do I Contact Jetblue Airlines® Reservation Number: Fast Support Guide
Avatar for John thejetblueairhelpsupport
0
220
スプリントレビューを効果的にするために
Avatar for Miho Nagase miholovesq
6
1.2k

Featured

See All Featured
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.9k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
It's Worth the Effort
Avatar for 3n 3n
185
28k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
18
1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
35
2.4k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.7k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
53
7.7k

Transcript

  1. 5-4పఈԋश 4FDVSJUZ$BNQ **+େ௡ൟथ ೥݄೔ 7FS

  2. ࣗݾ঺հ w גࣜձࣾΠϯλʔωοτΠχγΞςΟϒ **+  w ܦӦاըຊ෦഑৴ࣄۀਪਐ෦ w ΦʔϓϯιʔεϓϩδΣΫτ/PEFKTͷ$PSF 5FDIOJDBM$PNNJUUFFϝϯόʔɺ5-4DSZQUPؔ

    ࿈ػೳͷٕज़୲౰ɻ

  3. ຊߨٛͷ໨త w 5-4Λపఈతʹཧղͯ͠΋Β͏ɻ w Ͱ΋5-4͸֤छηΩϡϦςΟٕज़ͷू߹ମɺͦΕͧΕ͕ਂ ͯ͘೉͍͠ɻ̔࣌ؒ͋ͬͯ΋શ෦͸ແཧɻ w ͦ͜Ͱ̏ͭʹ෼͚·ͨ͠ɻ  ࠲ֶɿٕज़ऀʹͱͬͯͳͥ͜Ε͔Β5-4͕ॏཁ͔

     ߨٛɾԋशɿ5-4ϋϯυγΣΠΫΛֶͿ  ߨٛɾԋशɿ5-4ٕज़ͷίΞɺ҉߸ٕज़ΛֶͿ

  4. ຊ೔ͷߨٛͷྲྀΕ w ߨٛɿ5-4ͷ֓ཁ w ߨٛɿ5-4Λཧղ͢Δ४උ ಛʹ"&"%  w ߨٛɾԋशɿ5-4ϋϯυγΣΠΫઆ໌ɺ5-4#PUͱ 5-4ϋϯυγΣΠΫ͠Α͏ɺϦΞϧ.BOJO5IF

    .JEEMF w ߨٛɾԋश$IB$IB1PMZͷ࣮૷

  5. 5-4ͷ֓ཁ

  6. ΠϯλʔωοτͷڴҖ ౪ௌ ύεϫʔυ΍ΫϨδο τΧʔυ൪߸Λ౪Έݟ

  7. ΠϯλʔωοτͷڴҖ վ͟Μ ௨৴్தͰσʔλΛॻ͖׵͑

  8. ΠϯλʔωοτͷڴҖ ͳΓ͢·͠ ϢʔβʹͳΓ͢· ͯ͠௨৴Λߦ͏

  9. ΠϯλʔωοτͷڴҖ ൱ೝ ͦΜͳ௨৴ͯ͠· ͤΜͱΩϟϯηϧ

  10. ΠϯλʔωοτͷڴҖ͔ΒकΔηΩϡϦςΟ ରࡦ ౪ௌ վ͟Μ ੒Γ͢ ·͠ ൱ೝ ҉߸Խ ׬શੑνΣοΫ ೝূ

    ॺ໊

  11. ֤ϨΠϠʔʹ͓͚ΔηΩϡϦςΟ௨৴ WPA IPsec TLS,DTLS,SSH S/MIME, PGP ແઢLAN IP TCP, UDP

    σʔλ ࠓ೔ͷओ୊

  12. TLSͷ໨త • TLSϓϩτίϧͷ࠷ॏཁͳΰʔϧ͸ɺ௨৴͢Δ̎ͭͷΞϓϦέʔγ ϣϯͷؒͰϓϥΠόγʔͱσʔλͷ׬શੑΛఏڙ͢Δ͜ͱͰ͢ɻ RFC5246: The Transport Layer Security (TLS)

    Protocol Version 1.2 1. Introduction The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. ΞϓϦ ΞϓϦ ׬શੑ ϓϥΠόγʔ

  13. 5-4ͷ؆୯ͳྺ࢙ 44- ະൃද ೥ 44- ೥ 44- ೥ *&5'5-48(ελʔτ ೥

    5-4 ೥ 5-4 ೥ 5-4 ೥ 5-4ݕ౼ελʔτ ೥ 5-4࢓༷Խ׬ྃʁ 44-͸چωοτεέʔϓࣾ ͷࢲతϓϩτίϧ େਓͷࣄ৘Ͱ໊শมߋ 44-ͱجຊઃܭ͸େ͖͘ม͑ͣվྑ ༷ʑͳػೳ֦ு ۙ೔8(ϥετίʔϧΛ໨ඪ ·ͩΘ͔Γ·ͤΜ %308/ 100%-& #&"45

  14. 5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551 )551ͷ࣌୅ ʙ 5-4ʙ

    5-4ʙ

  15. 5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551ηϚϯςΟΫε 5$1 *1 WW

    &UIFSOFU 5-4 41%: )551ηϚϯςΟΫε )551 )551͔Β)551΁ ʙ ʙ ϒϥ΢β͸5-4௨ ৴ͷΈαϙʔτ Ͳͷ5-4όʔ δϣϯͰ΋0,

  16. 5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 5-4 &UIFSOFU )551ηϚϯςΟΫε )551

    26*$҉߸ϓϩτίϧ ʙ )551ʙ )551͔Β26*$΁ (PPHMFಠࣗ҉߸ ϓϩτίϧ

  17. 5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 &UIFSOFU 5-4 )551ηϚϯςΟΫε )551

    ʙʁ 26*$͔Β5-4΁ ʙ ౷Ұ͞ΕΔ༧ఆ

  18. ͳͥ5-4͕ॏཁ͔ʁ ৗ࣌5-4࣌୅ͷ౸དྷ

  19. 1FSWBTJWF4VSWFJMMBODF ޿ൣғͷ౪ௌߦҝ w ࠃՈతͳ૊৫ ถࠃ/4"ͱӳࠃ($)2ͳͲ ͕ലେͳ ༧ࢉͰߦ͏޿ൣғͷ౪ௌߦҝ w ೥݄ΤυϫʔυɾεϊʔσϯʹΑͬͯͦͷ ׆ಈ಺༰͕ϦʔΫ͞ΕΔɻ

    Πϯλʔωοτి࿩ͷ๣डɾ؂ࢹɺσʔληϯλʔ ಺௨৴౪ௌɺ҉߸ղಡɺ҉߸όοΫυΞɺαΠόʔ߈ ܸ౳

  20. /4"ʹΑΔαΠόʔ߈ܸͷҰྫ 26"/56. '09"$*% IUUQXXXFYBNQMFDPN XXXFYBNQMFDPN Ϛϧ΢ΣΞΛૹΓࠐΉ ్தܦ࿏Ͱվ͟ΜίϯςϯπΛૹ৴ '09"$*%ʹ༠ಋ վ͟Μίϯςϯπ IUUQTXXXTDIOFJFSDPNCMPHBSDIJWFTIPX@UIF@OTB@BUUIUNM

  21. ϓϩτίϧٕज़ऀͷ༕ྀ w ैདྷେن໛ͳઃඋͱ༧ࢉ͕ඞཁͰݱ࣮తʹ͸ແཧͱ ݟΒΕ͖ͯͨ߈ܸ͕࣮ࡍʹߦΘΕ͍ͯͨɻ w ެऺແઢ-"/ͷීٴͳͲ௨৴ͷ౪ௌɾվ͟Μ͕Մ ೳͳ؀ڥ͕޿͕͖͍ͬͯͯΔɻ w ޾͍࠷৽ͷٕज़Ͱ͔ͬ͠Γ҉߸Խ͞Εͨ௨৴·Ͱ͸ ·ͩഁΒΕ͓ͯΒͣɺ҆શͰ͋Ζ͏ɻ

  22. ݕࡧαʔϏεձࣾͷ༕ྀ w ݕࡧͷϖʔδϥϯΫ͕ߴ͍αΠτѼͷฏจ௨৴͸ɺ߈ܸର ৅ͱͯ͠౰વૂΘΕΔɻ w ฏจ௨৴ͰϢʔβ͕ίϯςϯπվ͟Μ΍Ϛϧ΢ΣΞײછʹ Αͬͯ%%P4߈ܸͷҰ୺Λ୲͏ڪΕ΋͋Γ (JUIVC΁ͷ߈ ܸྫ ɻ

    w ωοτίϯςϯπͷ݈શੑͷ௿Լ͸ɺ௕ظతʹݕࡧαʔ Ϗε΁ͷ৴པੑΛଛͳ͏͜ͱʹͳΔɻ 4&0͸Ͳ͏ͳΔʁ

  23. *"# ʹΑΔΠϯλʔωοτͷ ৴པੑʹؔ͢Δએݴ  w ৽͘͠ϓϩτίϧΛઃܭ͢Δࡍʹ͸ɺ҉߸ԽػೳΛඞ ਢͱ͢΂͖ɻ w ωοτϫʔΫӡ༻ऀ΍αʔϏεఏڙऀʹ҉߸Խ௨৴ͷ ಋೖΛਪਐ͢ΔΑ͏ڧ͘ٻΊΔɻ

    w ίϯςϯπϑΟϧλʔ΍*%4౳ฏจ௨৴͕ඞཁͳػೳ ʹ͍ͭͯ͸কདྷతʹ୅ସٕज़ͷ։ൃʹऔΓ૊Ήɻ *OUFSOFU"SDIJUFDUVSF#PBSE IUUQTXXXJBCPSHJBCTUBUFNFOUPOJOUFSOFUDPOpEFOUJBMJUZ

  24. .P[JMMBʹΑΔ ҆શͰͳ͍)551ͷഇࢭએݴ  ͋Δ࣌ظ͔Β৽نػೳ͸ɺ)5514͚ͩར༻Ͱ͖ΔΑ͏ʹ͢ Δɻ  ݱࡏ)551 ฏจ௨৴ Ͱར༻Ͱ͖ΔػೳͰɺϢʔβͷηΩϡ ϦςΟ΍ϓϥΠόγʔʹϦεΫΛ༩͑Δ΋ͷΛ࡟আ͍ͯ͘͠

    IUUQTCMPHNP[JMMBPSHTFDVSJUZEFQSFDBUJOHOPOTFDVSFIUUQ

  25. $ISPNFͷ)551্ͷػೳഇࢭ $ISPNFͰ͸ɺԼهͷػೳΛ)551 ฏจ௨৴ Ͱར༻ېࢭ͢Δ༧ఆ w Ґஔ৘ใΛऔಘ ഇࢭࡁ  w σόΠεͷಈ͖΍ํ޲Λૢ࡞

    w ҉߸Խ͞ΕͨಈըԻ੠ͷ࠶ੜ w ΧϝϥɾϚΠΫͳͲͷૢ࡞ w ΞϓϦέʔγϣϯͷΩϟογϡ৘ใͷૢ࡞ IUUQTTJUFTHPPHMFDPNBDISPNJVNPSHEFW)PNFDISPNJVNTFDVSJUZEFQSFDBUJOHQPXFSGVMGFBUVSFTPOJOTFDVSFPSJHJOT

  26. ৗ࣌5-4΁ࢸΔಓ ৗ࣌5-4 ࠃՈϨϕϧͷ޿ൣғͳ౪ௌߦҝ ωοτίϯςϯπ ͷ݈શੑͷ֬อ )551 ฏจ௨৴ ্ͷ ϒϥ΢βͷػೳഇࢭ ҉߸Խલఏͷ

    ৽ٕज़։ൃ কདྷతͳ৽ٕज़͸5-4ར༻Λલఏͱ͢Δɻ ࠷ઌ୺ͷٕज़ऀ͸5-4Λආ͚ͯ௨Δ͜ͱ͸Ͱ͖ͳ͍ɻ ແྉূ໌ॻ

  27. 5-4Λཧղ͢Δ४උ

  28. TLSͷཁૉٕज़ X509ূ໌ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉߸ σδλϧ ॺ໊ ϝοηʔδೝূ

    ཚ਺ ੜ੒ TLS 伴ަ׵ Ұํ޲ϋογϡ TLSϓϩτίϧ͸ɺ͜ΕΒͷཁૉٕज़Λ૊Έ߹Θͤͯ ΞϓϦؒͷηΩϡΞ௨৴Λཱ֬͢ΔखॱΛܾΊΔ

  29. TLSཁૉٕज़ͷґଘੑ X509ূ໌ ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ

    ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ ຊདྷ͸͜ͷҰͭҰͭΛ͖ͪΜͱཧղ͢Δ͜ͱ͕ඞཁ

  30. TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ClientHello ServerHelloDone ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application

    Data ཚ਺ੜ੒ ରশ҉߸ɾ҉߸ϞʔυɾҰํ޲ϋογϡɾཚ਺ੜ੒ 1,*ɾ9ূ໌ॻɾσδλϧॺ໊ ཚ਺ੜ੒ ServerHello Certificate ClientKeyExchange ServerKeyExchange ཚ਺ੜ੒ɾ伴ަ׵ɾ ެ։伴҉߸ɾσδλϧॺ໊ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ཚ਺ੜ੒ɾ伴ަ׵ σδλϧॺ໊

  31. TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ཚ਺ੜ੒ $MJFOU4FSWFS)FMMPͷ/PODF 伴ϖΞͷੜ੒σʔλ҉߸Խͷ*7 1,* $"ʹΑΔαʔόূ໌ॻͷॺ໊ͱൃߦ 9ূ໌ॻ $FSUJpDBUFʹΑΔαʔόɾΫϥΠΞϯτͷೝূɾެ։伴ͷऔಘ ిࢠॺ໊ ূ໌ॻͷॺ໊ɾ伴ަ׵Ͱަ׵͢Δެ։伴ͷॺ໊

    伴ަ׵ 4FSWFS$MJFOU,FZ&YDIBOHFʹΑΔ &$ %)ެ։伴ͷަ׵ ެ։伴҉߸ 34"伴ަ׵࣌ʹ1SF.BTUFS4FDSFUͷ҉߸ૹ৴ Ұํ޲ϋογϡ $#$ͳͲͷ҉߸Ϟʔυར༻࣌ʹΞϓϦσʔλͷ."$ੜ੒ ϝοηʔδೝূ .BTUFS4FDSFUͷੜ੒ɺ'JOJTIFEʹΑΔϋϯυγΣΠΫσʔλͷ׬શ ੑݕূ ରশ҉߸ɾ҉߸Ϟʔυ $IBOHF$JQIFS4QFDҎ߱ͷϋϯυγΣΠΫͱΞϓϦέʔγϣϯσʔλͷ҉߸Խ ʢ஫ɿଞʹ΋ࡉ͔͍ͱ͜ΖͰ࢖ΘΕ͍ͯ·͢ɻ

  32. ࠓճ࢖͏TLSཁૉٕज़ AEAD Poly1305 ChaCha20 ECDHE RSA SHA256 X509ূ໌ ॻ PKI

    ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ LinuxͳΒ/dev/urandom+OpenSSLॲཧ ࠓ೔ͷԋश

  33. ηοτϝχϡʔԽ͞ΕͨTLSͷཁૉٕज़ TLS CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256={0xCC,0xA8} ରশ ҉߸ ҉߸Ϟʔ

    υ σδλϧ ॺ໊ ϝοηʔδೝূ (ϋογϡ) 伴ަ׵ TLS _ _ _WITH_ _ 伴௕ _ _ 伴ަ׵ɾσδλϧॺ໊ʹRSA ରশ҉߸ʹ128bit伴௕ͷAES ҉߸ϞʔυʹGCM(AEAD) ϋογϡʹSHA256 伴ަ׵ʹECDHE σδλϧॺ໊ʹRSA ରশ҉߸ʹChaCha20 ҉߸ϞʔυʹPoly1305(AEAD) ϋογϡʹSHA256 ൪߸ͱͯ͠0xCC,0xA8ΛׂΓ౰ͯ

  34. ࠓ͸5-4ʹԿΛ࢖͏ʁ 伴ަ׵ 34" 'PSXBSE4FDSFDZ %)& &$%)& σδλϧॺ໊ 34" %44 %4"

    &$%4" ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ ҉߸Ϟʔυ $#$ "&"% $$. ($. 1PMZ ϝοηʔδೝূ ʢϋογϡʣ .% 4)" 4)" 4)" ੺ɿ࢖Θͳ͍ɺԫɿ஫ҙɺ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉ ஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢ ͪͳΈʹɺ ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ ϧॺ໊͸શ෦Ξ΢τʂ

  35. ରশ҉߸ ҉߸จ ฏจ ڞ௨伴 ڞ௨伴 ฏจ ετϦʔϜ҉߸ɿσʔλΛஞ࣍҉߸Խ(RC4, Chacha20) ϒϩοΫ҉߸ɿσʔλΛϒϩοΫຖʹ҉߸Խ(DES, AES)

    ز͔ͭͷ҉߸Ͱ͸طʹةຆԽɿ DES: 2005೥ NIST FPS46-3ن֨ͷഇࢭ(2030೥·Ͱ͸ڐ༰) RC4: RFC7455: Prohibiting RC4 Cipher Suites ҉߸Խ ෮߸Խ ϒϩοΫɺετϦʔϜͷ྆ऀͷҧ͍͸ݱࡏͳ͘ͳ͖͍ͬͯͯΔ ϒϩοΫ҉߸ "&4 Λ҉߸Ϟʔυ ޙड़ ͰΧ΢ϯλʔϞʔυΛར༻͢Δ͜ͱʹΑΓશͯε τϦʔϜ҉߸ͱͯ͠ར༻Ͱ͖·͢ɻ "&4($.͸ετϦʔϜ҉߸ॲཧ

  36. ରশ҉߸ AES • 1997೥ΑΓϓϩδΣΫτ։࢝ɺ2000೥બఆɺ2001 ೥࢓༷ൃߦ • ϒϩοΫαΠζ 128bit • 伴௕ɿ

    128bits, 192bits, 256bits ͷ̏छྨ • Intel/AMDͷCPUͰϋʔυ΢ΣΞॲཧͷαϙʔτ (AES-NI) ̎̌̍̒೥ݱࡏ5-4௨৴ͷσϑΝΫτ $IB$IB͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

  37. ҉߸Ϟʔυ • ϒϩοΫ҉߸͸ಉ͡σʔλΛಉ͡伴Ͱ҉߸Խ͢ΔͱຖճಉҰͷ҉ ߸จʹͳΔɻ • ϒϩοΫ௕ΑΓ௕͍σʔλΛ҉߸Խ͢Δ৔߹ʹ҉߸ϞʔυΛར༻ ͯ͠܁Γฦ͠Λආ͚Δɻ • CBCɿʮ(ฏจ XOR

    ϕΫτϧ) Λ҉߸ԽʯΛଓ͚Δ • CTRɿ ʮΧ΢ϯλʔΛ҉߸Խ XOR ฏจʯΛଓ͚Δ ࣮ࡍʹTLSͰར༻͢Δʹ͸վ͟Μݕ஌ͷͨΊͷMAC(ϝοηʔδೝূʣͱͷ૊Έ߹ΘͤΔ (AEAD)ɻAES-GCM͕ࠓͷओྲྀɻ ͜Ε·Ͱͷ ओྲྀ $IB$IB1PMZ͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

  38. ೝূλά AEADʢೝূ෇͖҉߸) ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w

    w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ &ODSZQU5IFO."$ ҉߸Խͨ͠ޙͰϋογϡ஋Λऔಘ

  39. AEADʢೝূ෇͖҉߸) ฏจ AEAD ෮߸Խ վ͟ΜνΣοΫ ҉߸Խ͠ͳ͍͚Ͳվ͟Μ๷ ࢭ͕ඞཁͳσʔλ ʢϔομ౳ʣ ҉߸จ ೝূλά

    ڞ௨伴 ॳظϕΫτϧ

  40. GCM • GCM (Galois Counter Mode: ΨϩΞΧ΢ϯλʔ Ϟʔυʣ • CTRͱGHASHΛ૊Έ߹ΘͤͨAEAD

    • ϋʔυ΢ΣΞॲཧͰߴ଎Խ͕Մೳ • AESͱ૊Έ߹Θͤͯ AES-GCMͱͯ͠ར༻

  41. Ұํ޲ϋογϡ σʔλ Ұํ޲ ϋογϡؔ਺ ϋογϡ஋ ϋογϡ஋Λൺֱ͢Δ͜ͱͰσʔλͷվ͟ΜΛνΣοΫ͢Δ͜ͱ͕Ͱ͖Δɻ

  42. ҉߸ֶతϋογϡ ɾݪ૾ܭࢉࠔ೉ੑ 1SFJNBHF3FTJTUBODF ɾୈ̎ݪ૾ܭࢉࠔ೉ੑ OE1SFJNBHF3FTJTUBODF ɾڧিಥ଱ੑ 4USPOH$PMMJTJPO3FTJTUBODF ϋογϡ஋I͔Β΋ͱͷϝοηʔδNΛ୳͢ͷ͕ࠔ೉ ̷ I)"4)

    N ͷNΛݟ͚ͭΔ ಛఆͷϝοηʔδNͱಉ͡ϋογϡ஋Λ࣋ͭNΛ୳͢ͷ͕ࠔ೉ I)"4) N )"4) N IͷNΛݟ͚ͭΔ )"4) N )"4) N ͱͳΔNͱNΛݟ͚ͭΔͷ͕ࠔ೉

  43. Ұํ޲ϋογϡ • md5 • SHA-1 • SHA-2(SHA-256ͳͲ6छ) • SHA-3(SHA3-256ͳͲ6छ) 2018೥͙Β͍ʹ͸ݱ࣮తͳίετ

    ͰিಥσʔλΛ୳ͤΔݟࠐΈ(*2) طʹݱ࣮తͳ߈ܸख๏͕ଘࡏ (*2) Cryptanalysis of SHA-1 https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html (*1) how to Break MD5 and Other Hash Functions http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf 8/5ʹNISTΑΓਖ਼ࣜެ։

  44. "&"%Λࢥ͍ग़ͦ͏ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w

    w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ ϋογϡ஋ͩʂ ($. 1PMZ͋Εͬɺ4)"ͱ͔͡Όͳ͍ɻͳͥʁ

  45. "&"%Ͱ͸҉߸ֶతϋογϡ ·Ͱ͸ඞཁͳ͍ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w

    w w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸จ &ODSZQU 5IFO."$ ϋογϡલͷϝοηʔδ͕ ݟ͑ͯΔ ݪ૾ܭࢉࠔ೉ੑ͸͍Βͳ͍ɻ ݟ͑ͯΔϝοηʔδͷվ͟Μݕ஌ ."$ ͕ॏཁɻ ୈ̎ݪ૾ܭࢉࠔ೉ੑͱߴ͍ڧিಥ଱ੑ͕ٻΊΒΕΔɻ ύέοτຖʹܭࢉ͢ΔͷͰߴ଎ੑೳେࣄɻ ($.1PMZ͸ɺ"&"%޲͚ʹಛԽͨ͠ߴ଎."$ΞϧΰϦζϜ

  46. ϝοηʔδೝূ(HMAC) • ࣄલʹڞ௨伴Λڞ༗ • ڞ௨伴ͱσʔλΛ૊Έ߹Θͤͨϋογϡ஋Λ࡞੒ • σʔλͷ׬શੑͱϋογϡ࡞੒ऀΛೝূ͢Δ σʔλ Ұํ޲ ϋογϡؔ਺

    ϋογϡ஋ ڞ௨伴

  47. ެ։伴҉߸ 512bit RSAͷةݥੑ FREAK https://freakattack.com/ • ղΛٻΊΔͷ͕ࠔ೉ͳ਺ֶత໰୊Λར༻ͯ͠҉߸Λੜ੒ɻ • ެ։伴ͱൿີ伴ͷϖΞΛੜ੒ɻެ։伴͸͞Βͯ͠େৎ෉ɻ •

    ެ։伴Ͱ҉߸Խ͠ൿີ伴Ͱ෮߸Խɻ • RSA ૉҼ਺෼ղ • ECC(ପԁۂઢ҉߸ʣପԁۂઢ্ͷ཭ࢄର਺໰୊ ެ։伴 ൿີ伴 ҉߸Խ ෮߸Խ

  48. 伴ަ׵ • 2ऀؒͰ҆શʹ伴Λڞ༗͢Δ࢓૊Έ • ޓ͍ʹެ։伴Λަ׵͍͋͠ɺڞ༗伴Λੜ੒͢Δɻ • ௨৴ܦ࿏্Ͱڞ༗伴ͷ΍ΓऔΓ͕ͳ͍ɻ • DH (Diffie-Hellman)

    • ECDH(ପԁۂઢDH) ੬ऑੑɿDH Logjam https://weakdh.org/ ެ։伴 ެ։伴 ൿີ伴 ൿີ伴 Ұ࣌తͳ伴ަ׵͸& &QIFNFSBM ͷจࣈ͕෇͘ %)& &$%)&

  49. σδλϧॺ໊ • σʔλͷ׬શੑͷνΣοΫ͕ՄೳͱͳΔɻ • σʔλͷૹ৴ݩͷೝূ͕ՄೳͱͳΔɻ • ެ։伴ͷ৴པੑͷൣғͰ൱ೝ๷ࢭ͕ՄೳͱͳΔɻ • RSA •

    DSA,ECDSA ެ։伴 ൿີ伴 σʔλʴσδλϧॺ໊ σʔλϋογϡ ஋Λ҉߸Խ͠ σδλϧॺ໊Λ ੜ੒ σδλϧॺ໊Λ෮߸Խɻ σʔλϋογϡ஋ͱൺ ֱ͠ݕূ͢Δ

  50. 1,*֓ཁ $" $FSUJpDBUF"VUIPSJUZ 7" 7BMJEBUJPO"VUIPSJUZ 3" 3FHJTUSBUJPO"VUIPSJUZ $3-0$41 $43 伴ϖΞ

    ࣮ࡏ֬ೝ αʔόূ໌ॻ IUUQTʙ ࣦޮ֬ೝ ࿦ཧతʹෳ਺ͷ໾ׂʹ෼͔Ε͍ͯΔ͕෺ཧతʹ̍ͭͰ΋Α͍ 3PPUূ໌ॻ 04ɾϒϥ΢β ϕϯμʔ

  51. αʔόূ໌ॻ 9 w 5-4௨৴ͷ৴པੑΛ୲อ͢Δཁ w ϏϧτΠϯͷϧʔτূ໌ॻ͔Βαʔόূ ໌ॻ·Ͱূ໌ॻνΣʔϯͷॺ໊ݕূ w ΦϯϥΠϯҎ֎Ͱ৴པੑΛ୲อ 1,*

    ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ τϥετΞϯΧʔ

  52. ূ໌ॻͷछྨ &7ূ໌ॻ &YUFOEFE 7BMJEBUJPO $"ڞ௨ͷݫ֨ͳ૊৫ͷ࣮ࡏূ໌ ෺ཧత࣮ࡏ ॻ໘΍σʔλ ޱ࠲औҾʹΑΔ࣮ࡏ৹ࠪɾॺ໊ ఏग़ɾి࿩֬ೝͳͲ 

    ΞυϨεόʔ͕྘৭ 07ূ໌ॻ 0SHBOJ[BUJPO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨ૊৫ͷ࣮ࡏূ໌ ʢॻ໘΍σʔλ৹ࠪɾి࿩֬ೝͳͲ %7ূ໌ॻ %PNBJO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨυϝΠϯอ࣋ূ໌ ϝʔϧͷ౸ୡੑ֬ೝͳͲ -FU`T&ODSZQUͳͲ ແྉূ໌ॻ͕͋ΔΑ ωοτϫʔΫҎ֎ ͷ࣮ࡏূ໌

  53. αʔόূ໌ॻͷத਎ όʔδϣϯɺγϦΞϧ൪߸ɺൃߦऀ৘ใɺ༗ޮظݶɺαʔό ࣝผࢠɺެ։伴৘ใɺ֦ு৘ใ ར༻༻్ɺผ໊΍ࣦޮ৘ใɾ ϙϦγʔࢀরઌ ɺσδλϧॺ໊

  54. αʔόূ໌ॻͷ֬ೝ αʔόূ໌ॻͱൿີ伴ͷରԠ͕ؒҧ͍ͬͯͨΒ5-4 αʔό͸ىಈ͠ͳ͍ɻͳͷͰαʔόূ໌ॻͱൿີ伴 ͷެ։伴͕Ұக͢Δ͔ඞͣνΣοΫ͢Δɻ αʔό ূ໌ॻ ൿີ伴 PQFOTTMYQVCLFZJOTFSWFSDSUOPPVUTFSWFS@QVCLFZQFN PQFOTTMSTBQVCPVUJOQSJWBUFLFZPVUQSJWBUF@QVCLFZQFN ެ։伴

    ެ։伴

  55. 5-4ηΩϡϦςΟͷ౔୆ 5-4ͷ ηΩϡϦςΟ ཚ਺ੜ੒ 1,* ൿີ伴ͷ ؅ཧ ҉߸ٕज़ Τϯ τϩϐʔෆ଍

    ෆਖ਼ ൃߦ ࿙Ӯ ΞϧΰϦζϜɾ ڧ౓ͷةຆԽ 5-4͸ɺ͜ͷ̐ͭͷ֎෦ཁૉͷ্ͰΠϯλʔ ωοτͰ҆શͳ௨৴Λఏڙ͢Δ࢓૊ΈͰ͋Δɻ ٯʹݴ͑͹ɺͲΕ΄Ͳ׬ᘳͳ5-4ϓϩτίϧΛ࡞ͬͯ΋ ͜ͷ̐ͭͷ֎෦ཁૉ͕ഁΒΕͨΒ҆શΛ֬อͰ͖ͳ͍ɻ

  56. TLSϋϯυγΣΠΫ ஫ɿෳࡶ͞Λආ͚ΔͨΊΫϥΠΞϯτೝূػೳͷઆ໌͸লུ͠·͢ɻ 5-4#PUͱڙʹ

  57. ԋश ࣮ࡍʹ$IB$IBͷύέοτΛݟͯΈΔ IUUQTDIBDIBUMTLPVMBZFSDPN ʹ$ISPNFͰΞΫηεɺ%FWFMPQFS5PPMͰ֬ೝͯ͠ΈΔɻ IUUQTDIBDIBUMTLPVMBZFSDPNDIBDIB@TBNQMFQDBQ Λμ΢ϯϩʔυͯ͠ɺ&UIFSSFBMͰݟͯΈΑ͏ɻ

  58. 4FD$BNQ5-4#PU w ίϚϯυϥΠϯͰ)&9ܗࣜͷ5-4ϑϨʔϜΛೖྗ͠ ͯ5-4ϋϯυγΣΠΫΛߦ͏#PU w 4FSWFS$MJFOU྆ํͰಈ͖·͢ɻ w $MJFOU͸࠷ॳʹ)FMMP3FRVFTUͷϑϨʔϜΛೖྗ͠ ͯ։࢝ɻ w

    /0%&@%&#6(TFDDBNQͰग़ྗϑϨʔϜ ͷ+40/Λग़ྗ͠·͢ɻ

  59. 4FD$BNQ5-4#PU w OQNJOTUBMMTFDDBNQUMTFYFSDJTF w 4FSWFS$MJFOU#PUͷεΫϦϓτΛ࡞੒ DPOTU4FD$BNQSFRVJSF TFDDBNQUMTFYFSDJTF  4FD$BNQ5-4#PU GBMTF

    DMJFOU͸GBMTF Πϯετʔϧ͞ΕͨOPEF@NPEVMF͕ݟ͔ͭΕ͹ OPEF@NPEVMFTTFDDBNQUMTFYFSDJTFTBNQMFT ʹίʔυ͕͋Γ·͢ɻ IUUQTHJTUHJUIVCDPNTIJHFLJGBBCDCCGFEGBFCB ʹ΋͋Γ·͢ɻ

  60. 5-4#PU

  61. 5-4CPU%FCVHϞʔυ FYQPSU/0%&@%&#6(TFDDBNQ

  62. TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished

    ChangeCipherSpec Finished Application Data Application Data (੺จࣈ͸ϋϯυγΣΠΫʣ ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355ඞཁ

  63. TLSϋϯυγΣΠΫ(resumption) ClientHello(session_id) ServerHello(session_id) ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application

    Data (੺จࣈ͸ϋϯυγΣΠΫʣ SessionIDʹΑΔTLSηογϣ ϯͷ࠶։ɻ 伴ަ׵΍ূ໌ॻૹ෇ΛεΩοϓɻ ࠓճ͸ԋशͷର৅֎Ͱ͢ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355Ͱ͢Ή

  64. TLSϋϯυγΣΠΫͷҙຯ ClientHello/ServerHello/ServerHelloDone TLSͷͨΊͷ৘ใަ׵ όʔδϣϯɾཚ਺ɾ҉߸ํࣜɾ֦ு৘ใ Certificate ެ։伴৘ใͷૹ෇ ΤϯυϙΠϯτͷೝূ ClientKeyExchange/ServerKeyExchange ڞ༗伴ަ׵ ChangeCipherSpec

    ҉߸։࢝ͷ߹ਤ Finished ϋϯυγΣΠΫσʔλͷվ͟ΜνΣοΫ

  65. TLS1.2ͷߏ଄ I P ϔ ο μ T C P ϔ

    ο μ TLS Record Layer (5όΠτ) λΠϓ ʢ̐छ ྨʣ (1byte) όʔδϣϯ (2byte) ௕͞ (2byte) Handshake (λΠϓ:0x16) msgλΠϓ ʢ̍̌छྨʣ ௕͞ ʢ3όΠτ௕ʣ ϋϯυγΣΠΫσʔλ Alert (λΠϓ:0x15) Ϩϕϧ ཧ༝ ChangeCipherSpec (λΠϓ:0x14) λΠϓ Application Data (λΠϓ:0x17) ҉߸Խ͞Εͨσʔλ msgλΠϓ ϋϯυγΣΠΫσʔλͷछྨ 0x00 HelloRequest 0x01 ClientHello 0x02 ServerHello 0x0b Certificate 0x0c ServerKeyExchange 0x0d CertificateRequest 0x0e ServerHelloDone 0x0f CertificateVerify 0x10 ClientKeyExchange 0x14 Finished TLS Record Layerσʔλʹ ଓ͍ͯɺ࣍ͷ̐छྨͷTLSσ ʔλͷ͍ͣΕ͔͕ଓ͘ɻ TLS Handshake͸ɺ͜ͷ ̍̌छྨʹ෼͔ΕΔɻ

  66. 5-4ϋϯυγΣΠΫϑϨʔϜΛಡΉ Record Layer Handshake (ClientHello) type protocol version length (2byte)

    msg type length (3byte) client version random major minor major minor 0x16 0x03 0x03 0x00 0x45 0x01 0x00 0x00 0x41 0x03 0x03 32 byte όΠτ όΠτ ҉߸Խ͞Εͳ͍ ҉߸Խ͞ΕΔ

  67. ԋश w ̎ͭͷίϚϯυϥΠϯλʔϛφϧΛ։͍ͯҰͭ͸ UMT@DMJFOU@CPUɺ΋͏Ұͭ͸UMT@TFSWFS@CPUΛىಈ ͢Δɻ w UMT@DMJFOU@CPUʹ)FMMP3FRVFTUΛೖྗͯ͠ɺग़ྗ͠ ͨ$MJFOU)FMMPΛίϐʔͯ͠TFSWFSCPUʹೖྗ͠Α ͏ w

    /0%&@%&#6(TFDDBNQͷઃఆΛͯ͠ +40/Λ֬ೝ͠Α͏ɻ

  68. ClientHello ClientHello ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ

  69. ClientHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ ใ client_version uint8 major, uint8

    minor 2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1όΠτ෼ cipher_suites uint8 CipherSuite[2] <2..2^16-2> 2όΠτ෼ compression_ methods null(0) <1..2^8-1> 1όΠτ෼ extensions extension_type(65535), extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ Extension௕ Extensionsσʔλྫ

  70. ClientHello Record Layer Handshake (ClientHello) type protocol version length (2byte

    ) msg type length (3byte) client version random sessi on id cipher suite comp ressi on Exte nsion majo r mino r major minor 0x16 0x03 0x03 ?? ?? 0x01 ?? ?? ?? 0x03 0x03 32 byte Մม Մม Մม Մม Version 0x03,0x00 = SSLv3 0x03,0x01= TLSv1.0 0x03,0x02=TLSv1.1 0x03,0x03=TLSv1.2 ΫϥΠΞϯτ͕ར༻Ͱ͖Δ ࠷ߴͷTLSόʔδϣϯΛࢦ ఆɺαʔό͕Ͳͷόʔδϣ ϯΛ࢖͏͔બ୒͢Δ
  71. None

  72. ServerHello ClientHello ServerHello (੺จࣈ͸ϋϯυγΣΠΫʣ ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ

  73. ServerHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ใ server_version uint8 major, uint8 minor

    2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1 cipher_suite uint8 CipherSuite[2] 2 N/A compression_method null(0) 1 N/A extensions extension_type, extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ Record Layer(5bytes) Handshake (ServerHello) type protocol version length (2bytes) msg type length (3byte) server version random 32bytes session id cipher suite 2bytes compression majo r minor major minor 0x16 0x03 0x03 ? + 4 0x01 ? 0x03 0x03 ? ௕͞1byte 0x00,0x9c ௕͞2bytes
  74. None

  75. Certificate ClientHello ServerHello Certificate (੺จࣈ͸ϋϯυγΣΠΫʣ

  76. Certificate ߲໨ ཁૉ αΠζ certificate_list ASN.1Cert<2^24-1> <0..2^24-1> શূ໌ॻ௕ ূ໌ॻ#1௕ ূ໌ॻσʔλ#1

    ূ໌ॻ#2௕ ূ໌ॻσʔλ#2 ෳ਺ͷূ໌ॻσʔλΛૹ෇ ࠷ॳ͸ඞͣαʔόূ໌ॻ 2ͭ໨Ҏ߱͸தؒূ໌ॻͳͲ
  77. None

  78. Perfect Forward Secrecy(PFS) • લํൿಗੑ • ηογϣϯຖʹҰ࣌తͳ伴Λ࢖͏ɻ • ϋϯυγΣΠΫΛؚΉશ҉߸σʔλΛऔಘ͞Ε͍ͯΔΑ͏ͳঢ় گͰ΋ɺকདྷతͳൿີ伴࿙ӮͳͲͷϦεΫʹରԠ͢Δɻ

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Ephemeral:Ұ࣌తͳ 伴ަ׵ख๏

  79. %)&WT&$%)& w %)%J⒎F)FMMNBO཭ࢄର਺໰୊Λར༻ͨ͠伴ަ׵ H?Y NPE1 ?ZNPE1 H?Z NPE1 ?YNPE1H? YZ

    NPE1 ૉ਺1 δΣωϨʔλH ެ։伴 ੺ࣈɺ੨ࣈʣͳͲͷ৘ใΛަ׵ɻ&$%)& ΑΓܭࢉྔ͕ଟ͍ɻ w &$%)&ɿପԁؔ਺্Ͱͷ཭ࢄର਺ԋࢉΛར༻ͨ͠伴ަ׵ ପԁؔ਺ͷύϥϝʔλɾج఺Λ໊લͰنఆ TFDQ౳ ɺެ։伴 ପԁ ۂઢ্ͷ఺ Λަ׵ɻ%)ΑΓ伴௕ɾܭࢉྔ͕গͳͯ͘͢Ήɻ

  80. ECDHEͷϋϯυγΣΠΫ ClientHello + elliptic_curves + ec_point_formats ServerHello + ec_point_formats Certificate

    ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data (੺จࣈ͕௥Ճมߋ͞ΕΔͱ͜Ζʣ ClientHello֦ுΛ௥Ճ ServerHello֦ுΛ௥Ճ ପԁۂઢ໊ͱServer ͷެ։伴Λॺ໊෇͖ Ͱૹ෇ Clientͷެ։伴Λૹ෇ ପԁ఺ͷॻࣜΛ߹ҙ ࢖͑Δପԁۂઢ໊ͱପԁ఺ॻࣜΛ௨஌ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ެ։伴͸ຖճϥϯμϜʹੜ੒͞Ε·͢

  81. ECDHE ClientHello֦ு ΫϥΠΞϯτ͕αϙʔτ͍ͯ͠ΔପԁۂઢͷϦετΛαʔόଆʹ௨஌ɻαʔό͸ Ϧετͷத͔Βద੾ͳପԁۂઢΛબͼ ServerKeyExchange಺Ͱબ୒ͨ͠ପԁ ۂઢΛ௨஌͢Δ 0 1 2 3

    4 5 6 7 elliptic_curves(10) Ϧετ௕ σʔλ௕ secp256r1 (23) 0x00 0x0a 0x00 0x04 0x00 0x02 0x00 0x17

  82. ECDHE Client/Server Hello֦ு ପԁ҉߸ͷެ։伴ͷॻࣜ 0 1 2 3 4 5

    ec_point_formats(11) Ϧετ௕ σʔλ௕ uncompressed(0) 0x00 0x0b 0x00 0x02 0x01 0x00

  83. ServerKeyExchange ClientHello ServerHello Certificate ServerKeyExchange (੺จࣈ͸ϋϯυγΣΠΫʣ

  84. ECDHE ServerKeyExchange ServerECDHParams Signature ECParameters ECPoint algorithm signature curve_type named_curve

    ௕ ͞ public key (Hello֦ுࢦఆͷॻࣜʣ RSA-SHA256 (0x04,0x01) named_curve (3) secp256r1 (23) signature = sign(algorithm, ClientHello.random + ServerHello.random + ServerECDHParams); RSAൿີ伴ͰServerECDHParmsͱRandomΛॺ໊
  85. None

  86. ServerHelloDone ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone (੺จࣈ͸ϋϯυγΣΠΫʣ

  87. ServerHelloDone handshake type handshake௕ 0x0e 0x00 0x00 0x00 ServerHelloͷऴྃͷ߹ਤ ϋϯυγΣΠΫϔομͷΈ

    ͜͜Ͱ4FSWFS)FMMP͔Βଓ͘Ұ࿈ͷϋϯυγΣΠ Ϋͷલ൒͕ऴྃͨ͜͠ͱΛࠂ͛Δ߹ਤ
  88. None

  89. TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange (੺จࣈ͸ϋϯυγΣΠΫʣ

  90. ECDHE ClientKeyExchange ClientECDHParams ECPoint ௕͞ public key (Hello֦ுࢦఆͷॻࣜʣ ClientKeyExchange͸ॺ ໊ͷඞཁ͸ͳ͍

  91. None

  92. ࣭໰ɿ ECDHEެ։伴ͷकΒΕํͷҧ͍ • ServerKeyExchange: ެ։伴Λॺ໊ • ClientKeyExchange: ΍Γ͍ͨ์୊ Ͳ͏ͯ͠Ͱ͠ΐ͏ʁ

  93. PreMasterSecret/MasterSecret • TLSͰར༻͢ΔIV(ॳظϕΫτϧ)ɺڞ༗伴ɺMAC伴ͷσʔλݩ • MasterSecret͸48όΠτ௕ɻPreMasterSecretͷ௕͞͸伴ަ׵ํࣜʹґ ଘ͢Δɻ • MasterSecret͸ɺPreMasterSecretɺClientRandomɺ ServerRandomɺݻఆϥϕϧ͔Βੜ੒͢Δɻ •

    Clinet/ServerRandom͸શؙͯݟ͑ɻPreMasterSecret͸ɺඞͣࢮक͠ ͯकΒͳ͍ͱ͍͚ͳ͍ɻ͜Ε͕࿙͍͑͢ΔͱTLSͷ҆શੑ͸શ͓ͯ͡ΌΜɻ 'SFBL-PHKBN
  94. None

  95. ChangeCipherSpec Client->Server ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec (੺จࣈ͸ϋϯυγΣΠΫʣ

  96. ChangeCipherSpec ૹ৴ݩ͕҉߸։࢝Λએݴɻ͜ΕΛૹ৴ͨ͠ޙ͸҉߸ ௨৴Λߦ͏ɻ Record Layer ChangeCipherSpec ContentTy pe Version length

    (2byte) major minor 0x14 0x03 0x03 0x00 0x01 0x01
  97. None

  98. TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished

    (੺จࣈ͸ϋϯυγΣΠΫʣ

  99. Finished struct { opaque verify_data[verify_data_length]; } Finished; verify_data = PRF(master_secret,

    finished_label, Hash(handshake_messages))[0..11]; finished_label: ΫϥΠΞϯτ͸ɺ"client finished"ɺαʔό͸"server finished" 12όΠτݻఆ ͜Ε·ͰͷϋϯυγΣΠΫσʔλʢͨ ͩࣗ͠෼͸আ͘ʣͷϋογϡΛܭࢉ TLS1.2Ͱ͸ SHA256Λ࢖͏ FinishedΛड৴͢Δͱɺ͜Ε·Ͱૹड৴ͨ͠ϋϯυγΣΠΫσʔλ͔Βܭࢉͨ͠஋ͱൺֱɻ ϋϯυγΣΠΫσʔλ͕վ͟Μ͞Εͯͳ͍͜ͱΛ֬ೝ͢Δɻ
  100. None

  101. ChangeCipherSpec Server -> Client ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange

    ChangeCipherSpec Finished ChangeCipherSpec (੺จࣈ͸ϋϯυγΣΠΫʣ
  102. None

  103. ServerFinished ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec

    Finished (੺จࣈ͸ϋϯυγΣΠΫʣ
  104. None

  105. Application Data ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished

    ChangeCipherSpec Finished Application Data (੺จࣈ͸ϋϯυγΣΠΫʣ
  106. None

  107. ԋश 5-4#PUΛ࢖ͬͨ̍ର̍5-4 w ೋਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU ໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ w αΠϘ΢ζͰσʔλΛ΍ΓऔΓ͠·͢ɻ૬ޓͰ҉߸จͷ෮ ߸Խ͕Ͱ͖Δ͜ͱΛ֬ೝ͠·͢ɻ 5-4҉߸௨৴ 5-44FSWFSGDBCEDCGBBCDG

    "QQMJDBUJPO%BUBIPHF #PU #PU

  108. ԋश ϦΞϧ.BO*O5IF.JEEMF w ̏ਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU໾ɺ ѱਓ໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ w ѱਓ໾Λհͯ͠5-4ϋϯυγΣΠΫΛߦ͍·͢ɻ·ͣ͸ѱਓ͸ͦ ͷ··ӈ͔Βࠨʹड͚ྲྀ͠·͢ɻ w ࣍ʹѱਓ໾Ͱ4FSWFS$MJFOUͷ#PUΛͨͯͯͳΓ͢·͠௨৴Λ͠·

    ͠ΐ͏ɻ

  109. $IB$IB1PMZ ೥݄̒ʹ࢓༷Խ׬ྃ 3'$ ͨ͠ 5-4ͷ৽͍͠҉߸ํࣜ ࢲ͸҉߸ઐ໳ՈͰ͸ͳ͍ͷͰ҆ શੑͷ͓࿩͸εΩοϓ͠·͢ɻ

  110. $IB$IB1PMZ w $IB$IB%+#FSOTUFJO EKC ࢯ͕ߟҊͨ͠҉ ߸ํࣜ ࠷ॳʹ4BMTBΛൃදɺ$IB$IBʹվྑ  w 1PMZEKCࢯ͕ߟҊͨ͠."$ํࣜ

    "&4ͱ૊Έ ߹Θͤͨ"&41PMZͰൃද  جຊ྆ऀ͸ಠཱͨ͠΋ͷɻ(PPHMFͷ"EBN-BOHMFZ ࢯ͕$IB$IB1PMZͱͯ͠ʹυϥϑ τ࢓༷Λެ։

  111.  1PMZ࿦จൃද ࠷ऴ൛  $IB$IB࿦จൃද ࠷ऴ൛  4BMTB͕F4USFBNͷ'JOBMJTUʹબఆ  $IB$IBΛ࢖ͬͨ#-",&͕4)"ͷ࠷ऴީิʹબఆ

     ESBGUBHMUMTDIBDIBQPMZެ։  $ISPNF͕$IB$IB1PMZΛ࣮૷ɻ(PPHMFαʔϏεͰར༻։࢝ 0QFO44)͕$IB$IB1PMZΛ࣮૷  5-48(͔Β$'3(΁$IB$IB1PMZͷ࢓༷ݕ౼ΛਐΊΔ͜ͱΛཁ੥  -JCSF44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  #PSJOH44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  $MPVE'MBSF͕$IB$IB1PZͷར༻։࢝ɻ0QFO44-༻ύονެ։  3'$ $IB$IB1PMZ࢓༷ ͕ެ։  0QFO44- BMQIB ͕$IB$IB1PMZΛ࣮૷  'JSFGPY͕$IB$IB1PZΛ࣮૷  3'$$IB$IB1PMZ$JQIFS4VJUFTGPS5SBOTQPSU-BZFS4FDVSJUZ 5-4 $IB$IB1PMZ͜Ε·ͰͷาΈ  4OPXEFOࣄ݅

  112. "&4ͱ$IB$IBͷൺֱ "&4 $IB$IB ํࣜ ϒϩοΫ CJUT   ετϦʔϜ ೖྗ

    伴௕  CJUT 伴௕CJUT /PODFͳ͠ ॳظΧ΢ϯλʔͳ͠ /PODFCJUT EKC࿦จͰ͸CJUT  ॳظΧ΢ϯλʔCJUT ඪ४ /*45'*14 3'$   4BMTB͸FTUSFBNιϑτ΢ΣΞ1Iબఆ ੑೳಛੑ "&4/*ͳͲઐ༻ϋʔυ΢ΣΞʹΑΔߴ଎ ॲཧ͕Մೳ ࣄલܭࢉ΍4#09͕ඞཁͳ͘ɺλΠϛϯά߈ܸ͕ൃੜ͠ʹ ͍͘ɻ4*.%Λ࢖ͬͨߴ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ ΩϟογϡλΠϛϯάͳͲαΠυνϟωϧ ߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ /PODFΛ࠶ར༻͠ͳ͍͜ͱ %+#ͷ࿦จIUUQDSZQUPDIBDIBDIBDIBQEG͕ΞϧΰϦζϜنఆͷࢀরઌ Χ΢ϯλʔϞʔυͱ૊Έ߹ΘͤͯετϦʔϜ҉߸ͱͯ͠ར༻͕Մೳ

  113. 2VBSUFS3PVOE B C D E   B C E?B

    E  D E C?D C  B C E?B E  D E C?D C B C D E͸CJUVOTJHOFEJOU Y Z͸ Y Z NPE? ?͸903 O͸OϏοτࠨϩʔςγϣϯ B C D Eʹରͯ͠ɺશͯճ ԋࢉ͕ߦΘΕ͍ͯΔɻ $IB$IBϥ΢ϯυԋࢉ ৐ࢉ͕ͳ͘ݻఆ௕ԋࢉ $POTUBOU5JNF B C D E

  114. ՝୊ɾԋश TVEPOQNHJOTUBMMTFDDBNQDIBDIBXPSLTIPQQFS ຊ೔ͷ՝୊ ࣄલֶश

  115. B B B B B B B B B B

    B B B B B B C C C C C C C C C C C C C C C C C C C C C C B B B B B B B B B B B B B B B B C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C D D D D D D D D D D D D D D D D όΠτY ྻϥ΢ϯυ ର֯ϥ΢ϯυ 2VBSUFS3PVOE όΠτ όΠτ όΠτ όΠτ छྨͷ$IB$IBϥ΢ϯυ ԋश

  116.  F E C LFZ LFZ LFZ LFZ LFZ LFZ

    LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T ྻϥ΢ϯυ ର֯ϥ΢ϯυ Yճ ॳظ$IB$IB4UBUF $IB$IB4UBUF ఆ਺஋ ࣮͸ҎԼͷจࣈྻ  FYQBOECZUFL 伴 όΠτ௕ /PODF όΠτ௕ ͔Β࢝·ΔΧ΢ϯλʔ όΠτ௕ $IB$IB4USFBN4UBUF ϥ΢ϯυ

  117. $IB$IB4UBUFͷ &OEJBOʹ஫ҙ        

            L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<>  F E C L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> LFZ LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF όΠτຖʹ۠੾ͬ ͨ-JUUMF&OEJBO ͜ͷΑ͏ͳॱ൪Ͱσʔ λॲཧΛ͢Δ࣌͸஫ҙɻݟ͔ ͚#JH&OEJBOɻ

  118. $IB$IB#MPDL'VODUJPO  F E C LFZ LFZ LFZ LFZ LFZ

    LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T  ৒༨࿨ ॳظ$IB$IBTUBUF 3PVOE$IB$IBTUBUF 'JOBM$IB$IB4UBUF

  119. ԋश $IB$IB2VBUFS3PVOE $IB$IB#MPDL'VODUJPO

  120. $IB$IB,FZ4USFBN   CB GFED   CB GFED 

     CB GFED   CB GFED BCDEFGBCDEFG BCDEFGBCDEFG ̐όΠτ୯Ґͷ֤ཁૉΛ-JUUMF&OEJBOͰฒͼସ͑ ,FZ4USFBNͱฏจͷ903Λऔͬͯ҉߸จΛੜ੒͢Δɻ

  121. 伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ

    903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ $IB$IB4UBUF ,FZ4USFBN ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ϥ΢ϯυ ॳظঢ়ଶ ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF όΠτ $IB$IBฏจͷ҉߸Խ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN ෮߸Խ΋,FZ4USFBNͱ҉߸จΛ903͢Δ͚ͩ ͳͷͰखॱ͸΄΅ಉҰ

  122. ԋश $IB$IB,FZ4USFBN $IB$IB&ODSZQUJPO

  123. 1PMZ ͪ͜Β͸গʑ೉͍͠ͷͰઆ໌͕ओͰ͢

  124. ͳͥNFTTBHF BVUIFOUJDBUPS͕ඞཁ͔ʁ IUUQTXXXFYBNQMFDPN 903ͨ͠վ͟Μσʔλ Ϩίʔυ *7 ҉߸จ λά Ϩίʔυ *7

    վ͟Μ҉߸จ λά )FMMP8PSME )FMMP$SBDLFE ܭࢉ͢Δͱ λά͕ҧ͏ʂ վ͟Μ ͞ΕͯΔΘʂ λάͷ࠶ܭࢉʹ͸ൿີ伴͕ඞཁ

  125. ()"4)ͱ1PMZ ()"4) 1PMZ ܭࢉํࣜ 8FHNBO$BSUFS$POTUSVDUJPO CJOBSZpFME Y Y Y Y

     QSJNFpFME  伴௕ CJUT "&4ͱ૊Έ߹Θͤͨ࣌ CJUT ."$௕ CJUT ར༻໨తʹԠͯ͡੾Γ٧ΊΔ CJUT ඪ४ /*4541% "&4($. 3'$ ੑೳಛੑ 1$-.6-2%2*ͳͲಛఆܭࢉ༻ϋʔυ΢ΣΞ ʹΑΔߴ଎ॲཧ͕Մೳ ࣄલܭࢉςʔϒϧ͕ඞཁͳ͘ɺ4*.%Λ࢖ͬͨߴ ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w ."$௕͸CJUTҎ্Λར༻͢Δ͜ͱ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w λΠϛϯά߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ "&4ͱ૊Έ߹Θͤͨ%+#ͷ࿦จIUUQDSZQUPNBDQPMZQEG͕ΞϧΰϦζϜنఆͷࢀরઌ

  126. 1PMZOPNJBMFWBMVBUJPO ೝূ͢Δσʔλ $ $ $ $O $O ʜ G S

    $SO $SO $SO ʜ $OS $OS ʜ $S $ S $ S ʜ $O S $O S ෼ղͨ͠ϝοηʔδΛ܎਺ ͱͨ͠ଟ߲ࣜͷ஋ͰධՁ ϗʔφʔ๏Λ࢖ͬͯ৐ࢉ ԋࢉΛݮΒͯ͠ܭࢉ 伴 S

  127. 8FHNBO$BSUFS$POTUSVDUJPO GPS1PMZ ೝূ͢Δσʔλ $ $ $ $O $O ʜ 伴

    S 伴 T ૉ਺Q $SO $SO $SO ʜ $OS $OSNPEQ T Ϣχόʔαϧϋογϡ 0OF5JNF伴 w ਺ֶతʹڧ౓͕ূ໌Ͱ͖͍ͯΔ w 4)"ͳͲͷ)."$ΑΓߴ଎

  128. 1PMZ $SO $SO $SM ʜ $OS $OSNPE T NPE ೝূ͢Δσʔλ

    伴 S $ $ $ $O $O ʜ όΠτ௕Ͱ෼ׂɻ಄ʹ̍όΠτ ෼෇Ճͯ̍̓͠όΠτ௕ʹ όΠτ 伴 T όΠτ ࠷ऴతʹόΠτ௕ ʹ੾Γ٧ΊΔ CJU෼ؒҾ͖ ઈົ ͳαΠζͷૉ਺

  129. ೝূ͢Δσʔλ $  όΠτ௕ $  όΠτ௕ $  

    όΠτ௕ ʴ $  όΠτ௕ $   1PMZVQEBUF ʴ 1PMZpOBM 1PMZʹΑΔ."$σʔλͷੜ੒ όΠτ௕ CJU௕ ಄ͷCJU࡟আ ."$ όΠτ௕ ʴ όΠτ௕ ."$ ࠷ऴతͳೝূίʔυ 伴S CJUؒҾ͖ 伴 S 伴 T $IB$IB Χ΢ϯλʔ LFZ OPODF 伴 T 伴S CJUؒҾ͖ 伴S CJUؒҾ͖ ԼҐόΠτ ԼҐόΠτ ্ҐόΠτ ෦෼৒༨஋ ෦෼৒༨஋ 1PMZVQEBUF

  130. ԋश 1PMZ."$ ͕͢͞ʹ୹࣌ؒͰ࣮૷ͯ͠΋Β͏ͷ͸ਏ͍ͷͰϥΠ ϒϥϦΛ࢖ͬͯ΋Β͍·͢ɻ

  131. "&"% $IB$IB1PMZ Λ࡞Δ

  132. 5-4޲͚"&4($.ͱ$IB$IB1PMZ "&4($. $IB$IB1PMZ ඪ४ 3'$ 3'$ 3'$  ESBGUJFUGUMTDIBDIBQPMZ ࣌఺*&5'-BTU$BMMத

    ରশ҉߸ "&4 "&4 $IB$IB 伴ަ׵ 34" %) %)& &$%)& &$%)&%)& ೝূ 34" &$%4" 14, 13' 4") "&4  4)" "&4 4)" ໌ࣔత*7 CZUFT ͳ͠ /PODF $MJFOU4FSWFS8SJUF*7 CZUFT  ໌ ࣔత*7 CZUFT ύουͨ͠4FR/VN CZUFT  903$MJFOU4FSWFS8SJUF*7 CZUFT λά௕ CZUFT CZUFT ࠷খ҉߸Խ௕ CZUFT CZUFT

  133. ॳظΧ΢ϯλʔ ॳظΧ΢ϯλʔ JODS ฏจ $IB$IB,FZ4USFBN LFZ OPODF 1PMZ 伴S 伴T

    ҉߸จ ೝূλά MFO ฏจ ccMFO ҉߸จ  "VUI%BUB ̌1BE ̌1BE ҉߸จ 伴S 伴T $IB$IB,FZ4USFBN LFZ OPODF MFO จࣈྻ௕ɺCJUɺMJUUMFFOEJBOදه $IB$IB1PMZʹΑΔ"&"%ੜ੒ $IB$IBΛ࢖ͬͯ 1PMZͷ伴Λੜ੒

  134. ԋश 1PMZ,FZ(FOFSBUJPO $IB$IB1PMZ&ODSZQUJPO

  135. ΋͕࣌ؒ͠༨ͬͨΒ ڈ೥ͷԋश΍ͬͯΈ·͠ΐ͏ɻ TVEPOQNHJOTUBMMTFDDBNQDSZQUPXPSLTIPQQFS