$30 off During Our Annual Pro Sale. View Details »

TLS徹底演習

 TLS徹底演習

セキュリティ・キャンプ全国大会2016 集中講義

Shigeki Ohtsu

August 10, 2016
Tweet

More Decks by Shigeki Ohtsu

Other Decks in Technology

Transcript

  1. TLSͷ໨త • TLSϓϩτίϧͷ࠷ॏཁͳΰʔϧ͸ɺ௨৴͢Δ̎ͭͷΞϓϦέʔγ ϣϯͷؒͰϓϥΠόγʔͱσʔλͷ׬શੑΛఏڙ͢Δ͜ͱͰ͢ɻ RFC5246: The Transport Layer Security (TLS)

    Protocol Version 1.2 1. Introduction The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. ΞϓϦ ΞϓϦ ׬શੑ ϓϥΠόγʔ
  2. 5-4ͷ؆୯ͳྺ࢙ 44- ະൃද ೥ 44- ೥ 44- ೥ *&5'5-48(ελʔτ ೥

    5-4 ೥ 5-4 ೥ 5-4 ೥ 5-4ݕ౼ελʔτ ೥ 5-4࢓༷Խ׬ྃʁ 44-͸چωοτεέʔϓࣾ ͷࢲతϓϩτίϧ େਓͷࣄ৘Ͱ໊শมߋ 44-ͱجຊઃܭ͸େ͖͘ม͑ͣվྑ ༷ʑͳػೳ֦ு ۙ೔8(ϥετίʔϧΛ໨ඪ ·ͩΘ͔Γ·ͤΜ %308/ 100%-& #&"45
  3. 5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551ηϚϯςΟΫε 5$1 *1 WW

    &UIFSOFU 5-4 41%: )551ηϚϯςΟΫε )551 )551͔Β)551΁ ʙ ʙ ϒϥ΢β͸5-4௨ ৴ͷΈαϙʔτ Ͳͷ5-4όʔ δϣϯͰ΋0,
  4. 5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 5-4 &UIFSOFU )551ηϚϯςΟΫε )551

    26*$҉߸ϓϩτίϧ ʙ )551ʙ )551͔Β26*$΁ (PPHMFಠࣗ҉߸ ϓϩτίϧ
  5. *"# ʹΑΔΠϯλʔωοτͷ ৴པੑʹؔ͢Δએݴ  w ৽͘͠ϓϩτίϧΛઃܭ͢Δࡍʹ͸ɺ҉߸ԽػೳΛඞ ਢͱ͢΂͖ɻ w ωοτϫʔΫӡ༻ऀ΍αʔϏεఏڙऀʹ҉߸Խ௨৴ͷ ಋೖΛਪਐ͢ΔΑ͏ڧ͘ٻΊΔɻ

    w ίϯςϯπϑΟϧλʔ΍*%4౳ฏจ௨৴͕ඞཁͳػೳ ʹ͍ͭͯ͸কདྷతʹ୅ସٕज़ͷ։ൃʹऔΓ૊Ήɻ *OUFSOFU"SDIJUFDUVSF#PBSE IUUQTXXXJBCPSHJBCTUBUFNFOUPOJOUFSOFUDPOpEFOUJBMJUZ
  6. $ISPNFͷ)551্ͷػೳഇࢭ $ISPNFͰ͸ɺԼهͷػೳΛ)551 ฏจ௨৴ Ͱར༻ېࢭ͢Δ༧ఆ w Ґஔ৘ใΛऔಘ ഇࢭࡁ  w σόΠεͷಈ͖΍ํ޲Λૢ࡞

    w ҉߸Խ͞ΕͨಈըԻ੠ͷ࠶ੜ w ΧϝϥɾϚΠΫͳͲͷૢ࡞ w ΞϓϦέʔγϣϯͷΩϟογϡ৘ใͷૢ࡞ IUUQTTJUFTHPPHMFDPNBDISPNJVNPSHEFW)PNFDISPNJVNTFDVSJUZEFQSFDBUJOHQPXFSGVMGFBUVSFTPOJOTFDVSFPSJHJOT
  7. ৗ࣌5-4΁ࢸΔಓ ৗ࣌5-4 ࠃՈϨϕϧͷ޿ൣғͳ౪ௌߦҝ ωοτίϯςϯπ ͷ݈શੑͷ֬อ )551 ฏจ௨৴ ্ͷ ϒϥ΢βͷػೳഇࢭ ҉߸Խલఏͷ

    ৽ٕज़։ൃ কདྷతͳ৽ٕज़͸5-4ར༻Λલఏͱ͢Δɻ ࠷ઌ୺ͷٕज़ऀ͸5-4Λආ͚ͯ௨Δ͜ͱ͸Ͱ͖ͳ͍ɻ ແྉূ໌ॻ
  8. TLSͷཁૉٕज़ X509ূ໌ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉߸ σδλϧ ॺ໊ ϝοηʔδೝূ

    ཚ਺ ੜ੒ TLS 伴ަ׵ Ұํ޲ϋογϡ TLSϓϩτίϧ͸ɺ͜ΕΒͷཁૉٕज़Λ૊Έ߹Θͤͯ ΞϓϦؒͷηΩϡΞ௨৴Λཱ֬͢ΔखॱΛܾΊΔ
  9. TLSཁૉٕज़ͷґଘੑ X509ূ໌ ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ

    ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ ຊདྷ͸͜ͷҰͭҰͭΛ͖ͪΜͱཧղ͢Δ͜ͱ͕ඞཁ
  10. TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ClientHello ServerHelloDone ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application

    Data ཚ਺ੜ੒ ରশ҉߸ɾ҉߸ϞʔυɾҰํ޲ϋογϡɾཚ਺ੜ੒ 1,*ɾ9ূ໌ॻɾσδλϧॺ໊ ཚ਺ੜ੒ ServerHello Certificate ClientKeyExchange ServerKeyExchange ཚ਺ੜ੒ɾ伴ަ׵ɾ ެ։伴҉߸ɾσδλϧॺ໊ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ཚ਺ੜ੒ɾ伴ަ׵ σδλϧॺ໊
  11. TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ཚ਺ੜ੒ $MJFOU4FSWFS)FMMPͷ/PODF 伴ϖΞͷੜ੒σʔλ҉߸Խͷ*7 1,* $"ʹΑΔαʔόূ໌ॻͷॺ໊ͱൃߦ 9ূ໌ॻ $FSUJpDBUFʹΑΔαʔόɾΫϥΠΞϯτͷೝূɾެ։伴ͷऔಘ ిࢠॺ໊ ূ໌ॻͷॺ໊ɾ伴ަ׵Ͱަ׵͢Δެ։伴ͷॺ໊

    伴ަ׵ 4FSWFS$MJFOU,FZ&YDIBOHFʹΑΔ &$ %)ެ։伴ͷަ׵ ެ։伴҉߸ 34"伴ަ׵࣌ʹ1SF.BTUFS4FDSFUͷ҉߸ૹ৴ Ұํ޲ϋογϡ $#$ͳͲͷ҉߸Ϟʔυར༻࣌ʹΞϓϦσʔλͷ."$ੜ੒ ϝοηʔδೝূ .BTUFS4FDSFUͷੜ੒ɺ'JOJTIFEʹΑΔϋϯυγΣΠΫσʔλͷ׬શ ੑݕূ ରশ҉߸ɾ҉߸Ϟʔυ $IBOHF$JQIFS4QFDҎ߱ͷϋϯυγΣΠΫͱΞϓϦέʔγϣϯσʔλͷ҉߸Խ ʢ஫ɿଞʹ΋ࡉ͔͍ͱ͜ΖͰ࢖ΘΕ͍ͯ·͢ɻ
  12. ࠓճ࢖͏TLSཁૉٕज़ AEAD Poly1305 ChaCha20 ECDHE RSA SHA256 X509ূ໌ ॻ PKI

    ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ LinuxͳΒ/dev/urandom+OpenSSLॲཧ ࠓ೔ͷԋश
  13. ηοτϝχϡʔԽ͞ΕͨTLSͷཁૉٕज़ TLS CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256={0xCC,0xA8} ରশ ҉߸ ҉߸Ϟʔ

    υ σδλϧ ॺ໊ ϝοηʔδೝূ (ϋογϡ) 伴ަ׵ TLS _ _ _WITH_ _ 伴௕ _ _ 伴ަ׵ɾσδλϧॺ໊ʹRSA ରশ҉߸ʹ128bit伴௕ͷAES ҉߸ϞʔυʹGCM(AEAD) ϋογϡʹSHA256 伴ަ׵ʹECDHE σδλϧॺ໊ʹRSA ରশ҉߸ʹChaCha20 ҉߸ϞʔυʹPoly1305(AEAD) ϋογϡʹSHA256 ൪߸ͱͯ͠0xCC,0xA8ΛׂΓ౰ͯ
  14. ࠓ͸5-4ʹԿΛ࢖͏ʁ 伴ަ׵ 34" 'PSXBSE4FDSFDZ %)& &$%)& σδλϧॺ໊ 34" %44 %4"

    &$%4" ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ ҉߸Ϟʔυ $#$ "&"% $$. ($. 1PMZ ϝοηʔδೝূ ʢϋογϡʣ .% 4)" 4)" 4)" ੺ɿ࢖Θͳ͍ɺԫɿ஫ҙɺ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉ ஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢ ͪͳΈʹɺ ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ ϧॺ໊͸શ෦Ξ΢τʂ
  15. ରশ҉߸ ҉߸จ ฏจ ڞ௨伴 ڞ௨伴 ฏจ ετϦʔϜ҉߸ɿσʔλΛஞ࣍҉߸Խ(RC4, Chacha20) ϒϩοΫ҉߸ɿσʔλΛϒϩοΫຖʹ҉߸Խ(DES, AES)

    ز͔ͭͷ҉߸Ͱ͸طʹةຆԽɿ DES: 2005೥ NIST FPS46-3ن֨ͷഇࢭ(2030೥·Ͱ͸ڐ༰) RC4: RFC7455: Prohibiting RC4 Cipher Suites ҉߸Խ ෮߸Խ ϒϩοΫɺετϦʔϜͷ྆ऀͷҧ͍͸ݱࡏͳ͘ͳ͖͍ͬͯͯΔ ϒϩοΫ҉߸ "&4 Λ҉߸Ϟʔυ ޙड़ ͰΧ΢ϯλʔϞʔυΛར༻͢Δ͜ͱʹΑΓશͯε τϦʔϜ҉߸ͱͯ͠ར༻Ͱ͖·͢ɻ "&4($.͸ετϦʔϜ҉߸ॲཧ
  16. ରশ҉߸ AES • 1997೥ΑΓϓϩδΣΫτ։࢝ɺ2000೥બఆɺ2001 ೥࢓༷ൃߦ • ϒϩοΫαΠζ 128bit • 伴௕ɿ

    128bits, 192bits, 256bits ͷ̏छྨ • Intel/AMDͷCPUͰϋʔυ΢ΣΞॲཧͷαϙʔτ (AES-NI) ̎̌̍̒೥ݱࡏ5-4௨৴ͷσϑΝΫτ $IB$IB͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ
  17. ҉߸Ϟʔυ • ϒϩοΫ҉߸͸ಉ͡σʔλΛಉ͡伴Ͱ҉߸Խ͢ΔͱຖճಉҰͷ҉ ߸จʹͳΔɻ • ϒϩοΫ௕ΑΓ௕͍σʔλΛ҉߸Խ͢Δ৔߹ʹ҉߸ϞʔυΛར༻ ͯ͠܁Γฦ͠Λආ͚Δɻ • CBCɿʮ(ฏจ XOR

    ϕΫτϧ) Λ҉߸ԽʯΛଓ͚Δ • CTRɿ ʮΧ΢ϯλʔΛ҉߸Խ XOR ฏจʯΛଓ͚Δ ࣮ࡍʹTLSͰར༻͢Δʹ͸վ͟Μݕ஌ͷͨΊͷMAC(ϝοηʔδೝূʣͱͷ૊Έ߹ΘͤΔ (AEAD)ɻAES-GCM͕ࠓͷओྲྀɻ ͜Ε·Ͱͷ ओྲྀ $IB$IB1PMZ͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ
  18. ೝূλά AEADʢೝূ෇͖҉߸) ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w

    w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ &ODSZQU5IFO."$ ҉߸Խͨ͠ޙͰϋογϡ஋Λऔಘ
  19. GCM • GCM (Galois Counter Mode: ΨϩΞΧ΢ϯλʔ Ϟʔυʣ • CTRͱGHASHΛ૊Έ߹ΘͤͨAEAD

    • ϋʔυ΢ΣΞॲཧͰߴ଎Խ͕Մೳ • AESͱ૊Έ߹Θͤͯ AES-GCMͱͯ͠ར༻
  20. ҉߸ֶతϋογϡ ɾݪ૾ܭࢉࠔ೉ੑ 1SFJNBHF3FTJTUBODF ɾୈ̎ݪ૾ܭࢉࠔ೉ੑ OE1SFJNBHF3FTJTUBODF ɾڧিಥ଱ੑ 4USPOH$PMMJTJPO3FTJTUBODF ϋογϡ஋I͔Β΋ͱͷϝοηʔδNΛ୳͢ͷ͕ࠔ೉ ̷ I)"4)

    N ͷNΛݟ͚ͭΔ ಛఆͷϝοηʔδNͱಉ͡ϋογϡ஋Λ࣋ͭNΛ୳͢ͷ͕ࠔ೉ I)"4) N )"4) N IͷNΛݟ͚ͭΔ )"4) N )"4) N ͱͳΔNͱNΛݟ͚ͭΔͷ͕ࠔ೉
  21. Ұํ޲ϋογϡ • md5 • SHA-1 • SHA-2(SHA-256ͳͲ6छ) • SHA-3(SHA3-256ͳͲ6छ) 2018೥͙Β͍ʹ͸ݱ࣮తͳίετ

    ͰিಥσʔλΛ୳ͤΔݟࠐΈ(*2) طʹݱ࣮తͳ߈ܸख๏͕ଘࡏ (*2) Cryptanalysis of SHA-1 https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html (*1) how to Break MD5 and Other Hash Functions http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf 8/5ʹNISTΑΓਖ਼ࣜެ։
  22. "&"%Λࢥ͍ग़ͦ͏ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w

    w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ ϋογϡ஋ͩʂ ($. 1PMZ͋Εͬɺ4)"ͱ͔͡Όͳ͍ɻͳͥʁ
  23. "&"%Ͱ͸҉߸ֶతϋογϡ ·Ͱ͸ඞཁͳ͍ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w

    w w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸จ &ODSZQU 5IFO."$ ϋογϡલͷϝοηʔδ͕ ݟ͑ͯΔ ݪ૾ܭࢉࠔ೉ੑ͸͍Βͳ͍ɻ ݟ͑ͯΔϝοηʔδͷվ͟Μݕ஌ ."$ ͕ॏཁɻ ୈ̎ݪ૾ܭࢉࠔ೉ੑͱߴ͍ڧিಥ଱ੑ͕ٻΊΒΕΔɻ ύέοτຖʹܭࢉ͢ΔͷͰߴ଎ੑೳେࣄɻ ($.1PMZ͸ɺ"&"%޲͚ʹಛԽͨ͠ߴ଎."$ΞϧΰϦζϜ
  24. ެ։伴҉߸ 512bit RSAͷةݥੑ FREAK https://freakattack.com/ • ղΛٻΊΔͷ͕ࠔ೉ͳ਺ֶత໰୊Λར༻ͯ͠҉߸Λੜ੒ɻ • ެ։伴ͱൿີ伴ͷϖΞΛੜ੒ɻެ։伴͸͞Βͯ͠େৎ෉ɻ •

    ެ։伴Ͱ҉߸Խ͠ൿີ伴Ͱ෮߸Խɻ • RSA ૉҼ਺෼ղ • ECC(ପԁۂઢ҉߸ʣପԁۂઢ্ͷ཭ࢄର਺໰୊ ެ։伴 ൿີ伴 ҉߸Խ ෮߸Խ
  25. 伴ަ׵ • 2ऀؒͰ҆શʹ伴Λڞ༗͢Δ࢓૊Έ • ޓ͍ʹެ։伴Λަ׵͍͋͠ɺڞ༗伴Λੜ੒͢Δɻ • ௨৴ܦ࿏্Ͱڞ༗伴ͷ΍ΓऔΓ͕ͳ͍ɻ • DH (Diffie-Hellman)

    • ECDH(ପԁۂઢDH) ੬ऑੑɿDH Logjam https://weakdh.org/ ެ։伴 ެ։伴 ൿີ伴 ൿີ伴 Ұ࣌తͳ伴ަ׵͸& &QIFNFSBM ͷจࣈ͕෇͘ %)& &$%)&
  26. σδλϧॺ໊ • σʔλͷ׬શੑͷνΣοΫ͕ՄೳͱͳΔɻ • σʔλͷૹ৴ݩͷೝূ͕ՄೳͱͳΔɻ • ެ։伴ͷ৴པੑͷൣғͰ൱ೝ๷ࢭ͕ՄೳͱͳΔɻ • RSA •

    DSA,ECDSA ެ։伴 ൿີ伴 σʔλʴσδλϧॺ໊ σʔλϋογϡ ஋Λ҉߸Խ͠ σδλϧॺ໊Λ ੜ੒ σδλϧॺ໊Λ෮߸Խɻ σʔλϋογϡ஋ͱൺ ֱ͠ݕূ͢Δ
  27. 1,*֓ཁ $" $FSUJpDBUF"VUIPSJUZ 7" 7BMJEBUJPO"VUIPSJUZ 3" 3FHJTUSBUJPO"VUIPSJUZ $3-0$41 $43 伴ϖΞ

    ࣮ࡏ֬ೝ αʔόূ໌ॻ IUUQTʙ ࣦޮ֬ೝ ࿦ཧతʹෳ਺ͷ໾ׂʹ෼͔Ε͍ͯΔ͕෺ཧతʹ̍ͭͰ΋Α͍ 3PPUূ໌ॻ 04ɾϒϥ΢β ϕϯμʔ
  28. αʔόূ໌ॻ 9 w 5-4௨৴ͷ৴པੑΛ୲อ͢Δཁ w ϏϧτΠϯͷϧʔτূ໌ॻ͔Βαʔόূ ໌ॻ·Ͱূ໌ॻνΣʔϯͷॺ໊ݕূ w ΦϯϥΠϯҎ֎Ͱ৴པੑΛ୲อ 1,*

    ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ τϥετΞϯΧʔ
  29. ূ໌ॻͷछྨ &7ূ໌ॻ &YUFOEFE 7BMJEBUJPO $"ڞ௨ͷݫ֨ͳ૊৫ͷ࣮ࡏূ໌ ෺ཧత࣮ࡏ ॻ໘΍σʔλ ޱ࠲औҾʹΑΔ࣮ࡏ৹ࠪɾॺ໊ ఏग़ɾి࿩֬ೝͳͲ 

    ΞυϨεόʔ͕྘৭ 07ূ໌ॻ 0SHBOJ[BUJPO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨ૊৫ͷ࣮ࡏূ໌ ʢॻ໘΍σʔλ৹ࠪɾి࿩֬ೝͳͲ %7ূ໌ॻ %PNBJO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨυϝΠϯอ࣋ূ໌ ϝʔϧͷ౸ୡੑ֬ೝͳͲ -FU`T&ODSZQUͳͲ ແྉূ໌ॻ͕͋ΔΑ ωοτϫʔΫҎ֎ ͷ࣮ࡏূ໌
  30. 5-4ηΩϡϦςΟͷ౔୆ 5-4ͷ ηΩϡϦςΟ ཚ਺ੜ੒ 1,* ൿີ伴ͷ ؅ཧ ҉߸ٕज़ Τϯ τϩϐʔෆ଍

    ෆਖ਼ ൃߦ ࿙Ӯ ΞϧΰϦζϜɾ ڧ౓ͷةຆԽ 5-4͸ɺ͜ͷ̐ͭͷ֎෦ཁૉͷ্ͰΠϯλʔ ωοτͰ҆શͳ௨৴Λఏڙ͢Δ࢓૊ΈͰ͋Δɻ ٯʹݴ͑͹ɺͲΕ΄Ͳ׬ᘳͳ5-4ϓϩτίϧΛ࡞ͬͯ΋ ͜ͷ̐ͭͷ֎෦ཁૉ͕ഁΒΕͨΒ҆શΛ֬อͰ͖ͳ͍ɻ
  31. 4FD$BNQ5-4#PU w OQNJOTUBMMTFDDBNQUMTFYFSDJTF w 4FSWFS$MJFOU#PUͷεΫϦϓτΛ࡞੒ DPOTU4FD$BNQSFRVJSF TFDDBNQUMTFYFSDJTF  4FD$BNQ5-4#PU GBMTF

    DMJFOU͸GBMTF Πϯετʔϧ͞ΕͨOPEF@NPEVMF͕ݟ͔ͭΕ͹ OPEF@NPEVMFTTFDDBNQUMTFYFSDJTFTBNQMFT ʹίʔυ͕͋Γ·͢ɻ IUUQTHJTUHJUIVCDPNTIJHFLJGBBCDCCGFEGBFCB ʹ΋͋Γ·͢ɻ
  32. TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished

    ChangeCipherSpec Finished Application Data Application Data (੺จࣈ͸ϋϯυγΣΠΫʣ ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355ඞཁ
  33. TLSϋϯυγΣΠΫ(resumption) ClientHello(session_id) ServerHello(session_id) ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application

    Data (੺จࣈ͸ϋϯυγΣΠΫʣ SessionIDʹΑΔTLSηογϣ ϯͷ࠶։ɻ 伴ަ׵΍ূ໌ॻૹ෇ΛεΩοϓɻ ࠓճ͸ԋशͷର৅֎Ͱ͢ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355Ͱ͢Ή
  34. TLS1.2ͷߏ଄ I P ϔ ο μ T C P ϔ

    ο μ TLS Record Layer (5όΠτ) λΠϓ ʢ̐छ ྨʣ (1byte) όʔδϣϯ (2byte) ௕͞ (2byte) Handshake (λΠϓ:0x16) msgλΠϓ ʢ̍̌छྨʣ ௕͞ ʢ3όΠτ௕ʣ ϋϯυγΣΠΫσʔλ Alert (λΠϓ:0x15) Ϩϕϧ ཧ༝ ChangeCipherSpec (λΠϓ:0x14) λΠϓ Application Data (λΠϓ:0x17) ҉߸Խ͞Εͨσʔλ msgλΠϓ ϋϯυγΣΠΫσʔλͷछྨ 0x00 HelloRequest 0x01 ClientHello 0x02 ServerHello 0x0b Certificate 0x0c ServerKeyExchange 0x0d CertificateRequest 0x0e ServerHelloDone 0x0f CertificateVerify 0x10 ClientKeyExchange 0x14 Finished TLS Record Layerσʔλʹ ଓ͍ͯɺ࣍ͷ̐छྨͷTLSσ ʔλͷ͍ͣΕ͔͕ଓ͘ɻ TLS Handshake͸ɺ͜ͷ ̍̌छྨʹ෼͔ΕΔɻ
  35. 5-4ϋϯυγΣΠΫϑϨʔϜΛಡΉ Record Layer Handshake (ClientHello) type protocol version length (2byte)

    msg type length (3byte) client version random major minor major minor 0x16 0x03 0x03 0x00 0x45 0x01 0x00 0x00 0x41 0x03 0x03 32 byte όΠτ όΠτ ҉߸Խ͞Εͳ͍ ҉߸Խ͞ΕΔ
  36. ClientHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ ใ client_version uint8 major, uint8

    minor 2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1όΠτ෼ cipher_suites uint8 CipherSuite[2] <2..2^16-2> 2όΠτ෼ compression_ methods null(0) <1..2^8-1> 1όΠτ෼ extensions extension_type(65535), extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ Extension௕ Extensionsσʔλྫ
  37. ClientHello Record Layer Handshake (ClientHello) type protocol version length (2byte

    ) msg type length (3byte) client version random sessi on id cipher suite comp ressi on Exte nsion majo r mino r major minor 0x16 0x03 0x03 ?? ?? 0x01 ?? ?? ?? 0x03 0x03 32 byte Մม Մม Մม Մม Version 0x03,0x00 = SSLv3 0x03,0x01= TLSv1.0 0x03,0x02=TLSv1.1 0x03,0x03=TLSv1.2 ΫϥΠΞϯτ͕ར༻Ͱ͖Δ ࠷ߴͷTLSόʔδϣϯΛࢦ ఆɺαʔό͕Ͳͷόʔδϣ ϯΛ࢖͏͔બ୒͢Δ
  38. ServerHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ใ server_version uint8 major, uint8 minor

    2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1 cipher_suite uint8 CipherSuite[2] 2 N/A compression_method null(0) 1 N/A extensions extension_type, extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ Record Layer(5bytes) Handshake (ServerHello) type protocol version length (2bytes) msg type length (3byte) server version random 32bytes session id cipher suite 2bytes compression majo r minor major minor 0x16 0x03 0x03 ? + 4 0x01 ? 0x03 0x03 ? ௕͞1byte 0x00,0x9c ௕͞2bytes
  39. Certificate ߲໨ ཁૉ αΠζ certificate_list ASN.1Cert<2^24-1> <0..2^24-1> શূ໌ॻ௕ ূ໌ॻ#1௕ ূ໌ॻσʔλ#1

    ূ໌ॻ#2௕ ূ໌ॻσʔλ#2 ෳ਺ͷূ໌ॻσʔλΛૹ෇ ࠷ॳ͸ඞͣαʔόূ໌ॻ 2ͭ໨Ҏ߱͸தؒূ໌ॻͳͲ
  40. %)&WT&$%)& w %)%J⒎F)FMMNBO཭ࢄର਺໰୊Λར༻ͨ͠伴ަ׵ H?Y NPE1 ?ZNPE1 H?Z NPE1 ?YNPE1H? YZ

    NPE1 ૉ਺1 δΣωϨʔλH ެ։伴 ੺ࣈɺ੨ࣈʣͳͲͷ৘ใΛަ׵ɻ&$%)& ΑΓܭࢉྔ͕ଟ͍ɻ w &$%)&ɿପԁؔ਺্Ͱͷ཭ࢄର਺ԋࢉΛར༻ͨ͠伴ަ׵ ପԁؔ਺ͷύϥϝʔλɾج఺Λ໊લͰنఆ TFDQ౳ ɺެ։伴 ପԁ ۂઢ্ͷ఺ Λަ׵ɻ%)ΑΓ伴௕ɾܭࢉྔ͕গͳͯ͘͢Ήɻ
  41. ECDHEͷϋϯυγΣΠΫ ClientHello + elliptic_curves + ec_point_formats ServerHello + ec_point_formats Certificate

    ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data (੺จࣈ͕௥Ճมߋ͞ΕΔͱ͜Ζʣ ClientHello֦ுΛ௥Ճ ServerHello֦ுΛ௥Ճ ପԁۂઢ໊ͱServer ͷެ։伴Λॺ໊෇͖ Ͱૹ෇ Clientͷެ։伴Λૹ෇ ପԁ఺ͷॻࣜΛ߹ҙ ࢖͑Δପԁۂઢ໊ͱପԁ఺ॻࣜΛ௨஌ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ެ։伴͸ຖճϥϯμϜʹੜ੒͞Ε·͢
  42. ECDHE Client/Server Hello֦ு ପԁ҉߸ͷެ։伴ͷॻࣜ 0 1 2 3 4 5

    ec_point_formats(11) Ϧετ௕ σʔλ௕ uncompressed(0) 0x00 0x0b 0x00 0x02 0x01 0x00
  43. ECDHE ServerKeyExchange ServerECDHParams Signature ECParameters ECPoint algorithm signature curve_type named_curve

    ௕ ͞ public key (Hello֦ுࢦఆͷॻࣜʣ RSA-SHA256 (0x04,0x01) named_curve (3) secp256r1 (23) signature = sign(algorithm, ClientHello.random + ServerHello.random + ServerECDHParams); RSAൿີ伴ͰServerECDHParmsͱRandomΛॺ໊
  44. ServerHelloDone handshake type handshake௕ 0x0e 0x00 0x00 0x00 ServerHelloͷऴྃͷ߹ਤ ϋϯυγΣΠΫϔομͷΈ

    ͜͜Ͱ4FSWFS)FMMP͔Βଓ͘Ұ࿈ͷϋϯυγΣΠ Ϋͷલ൒͕ऴྃͨ͜͠ͱΛࠂ͛Δ߹ਤ
  45. Finished struct { opaque verify_data[verify_data_length]; } Finished; verify_data = PRF(master_secret,

    finished_label, Hash(handshake_messages))[0..11]; finished_label: ΫϥΠΞϯτ͸ɺ"client finished"ɺαʔό͸"server finished" 12όΠτݻఆ ͜Ε·ͰͷϋϯυγΣΠΫσʔλʢͨ ͩࣗ͠෼͸আ͘ʣͷϋογϡΛܭࢉ TLS1.2Ͱ͸ SHA256Λ࢖͏ FinishedΛड৴͢Δͱɺ͜Ε·Ͱૹड৴ͨ͠ϋϯυγΣΠΫσʔλ͔Βܭࢉͨ͠஋ͱൺֱɻ ϋϯυγΣΠΫσʔλ͕վ͟Μ͞Εͯͳ͍͜ͱΛ֬ೝ͢Δɻ
  46. $IB$IB1PMZ w $IB$IB%+#FSOTUFJO EKC ࢯ͕ߟҊͨ͠҉ ߸ํࣜ ࠷ॳʹ4BMTBΛൃදɺ$IB$IBʹվྑ  w 1PMZEKCࢯ͕ߟҊͨ͠."$ํࣜ

    "&4ͱ૊Έ ߹Θͤͨ"&41PMZͰൃද  جຊ྆ऀ͸ಠཱͨ͠΋ͷɻ(PPHMFͷ"EBN-BOHMFZ ࢯ͕$IB$IB1PMZͱͯ͠ʹυϥϑ τ࢓༷Λެ։
  47.  1PMZ࿦จൃද ࠷ऴ൛  $IB$IB࿦จൃද ࠷ऴ൛  4BMTB͕F4USFBNͷ'JOBMJTUʹબఆ  $IB$IBΛ࢖ͬͨ#-",&͕4)"ͷ࠷ऴީิʹબఆ

     ESBGUBHMUMTDIBDIBQPMZެ։  $ISPNF͕$IB$IB1PMZΛ࣮૷ɻ(PPHMFαʔϏεͰར༻։࢝ 0QFO44)͕$IB$IB1PMZΛ࣮૷  5-48(͔Β$'3(΁$IB$IB1PMZͷ࢓༷ݕ౼ΛਐΊΔ͜ͱΛཁ੥  -JCSF44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  #PSJOH44-͕GPSLɻ$IB$IB1PMZΛ࣮૷  $MPVE'MBSF͕$IB$IB1PZͷར༻։࢝ɻ0QFO44-༻ύονެ։  3'$ $IB$IB1PMZ࢓༷ ͕ެ։  0QFO44- BMQIB ͕$IB$IB1PMZΛ࣮૷  'JSFGPY͕$IB$IB1PZΛ࣮૷  3'$$IB$IB1PMZ$JQIFS4VJUFTGPS5SBOTQPSU-BZFS4FDVSJUZ 5-4 $IB$IB1PMZ͜Ε·ͰͷาΈ  4OPXEFOࣄ݅
  48. "&4ͱ$IB$IBͷൺֱ "&4 $IB$IB ํࣜ ϒϩοΫ CJUT   ετϦʔϜ ೖྗ

    伴௕  CJUT 伴௕CJUT /PODFͳ͠ ॳظΧ΢ϯλʔͳ͠ /PODFCJUT EKC࿦จͰ͸CJUT  ॳظΧ΢ϯλʔCJUT ඪ४ /*45'*14 3'$   4BMTB͸FTUSFBNιϑτ΢ΣΞ1Iબఆ ੑೳಛੑ "&4/*ͳͲઐ༻ϋʔυ΢ΣΞʹΑΔߴ଎ ॲཧ͕Մೳ ࣄલܭࢉ΍4#09͕ඞཁͳ͘ɺλΠϛϯά߈ܸ͕ൃੜ͠ʹ ͍͘ɻ4*.%Λ࢖ͬͨߴ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ ΩϟογϡλΠϛϯάͳͲαΠυνϟωϧ ߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ /PODFΛ࠶ར༻͠ͳ͍͜ͱ %+#ͷ࿦จIUUQDSZQUPDIBDIBDIBDIBQEG͕ΞϧΰϦζϜنఆͷࢀরઌ Χ΢ϯλʔϞʔυͱ૊Έ߹ΘͤͯετϦʔϜ҉߸ͱͯ͠ར༻͕Մೳ
  49. 2VBSUFS3PVOE B C D E   B C E?B

    E  D E C?D C  B C E?B E  D E C?D C B C D E͸CJUVOTJHOFEJOU Y Z͸ Y Z NPE? ?͸903 O͸OϏοτࠨϩʔςγϣϯ B C D Eʹରͯ͠ɺશͯճ ԋࢉ͕ߦΘΕ͍ͯΔɻ $IB$IBϥ΢ϯυԋࢉ ৐ࢉ͕ͳ͘ݻఆ௕ԋࢉ $POTUBOU5JNF B C D E
  50. B B B B B B B B B B

    B B B B B B C C C C C C C C C C C C C C C C C C C C C C B B B B B B B B B B B B B B B B C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C D D D D D D D D D D D D D D D D όΠτY ྻϥ΢ϯυ ର֯ϥ΢ϯυ 2VBSUFS3PVOE όΠτ όΠτ όΠτ όΠτ छྨͷ$IB$IBϥ΢ϯυ ԋश
  51.  F E C LFZ LFZ LFZ LFZ LFZ LFZ

    LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T ྻϥ΢ϯυ ର֯ϥ΢ϯυ Yճ ॳظ$IB$IB4UBUF $IB$IB4UBUF ఆ਺஋ ࣮͸ҎԼͷจࣈྻ  FYQBOECZUFL 伴 όΠτ௕ /PODF όΠτ௕ ͔Β࢝·ΔΧ΢ϯλʔ όΠτ௕ $IB$IB4USFBN4UBUF ϥ΢ϯυ
  52. $IB$IB4UBUFͷ &OEJBOʹ஫ҙ        

            L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<>  F E C L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> LFZ LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF όΠτຖʹ۠੾ͬ ͨ-JUUMF&OEJBO ͜ͷΑ͏ͳॱ൪Ͱσʔ λॲཧΛ͢Δ࣌͸஫ҙɻݟ͔ ͚#JH&OEJBOɻ
  53. $IB$IB#MPDL'VODUJPO  F E C LFZ LFZ LFZ LFZ LFZ

    LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T  ৒༨࿨ ॳظ$IB$IBTUBUF 3PVOE$IB$IBTUBUF 'JOBM$IB$IB4UBUF
  54. $IB$IB,FZ4USFBN   CB GFED   CB GFED 

     CB GFED   CB GFED BCDEFGBCDEFG BCDEFGBCDEFG ̐όΠτ୯Ґͷ֤ཁૉΛ-JUUMF&OEJBOͰฒͼସ͑ ,FZ4USFBNͱฏจͷ903Λऔͬͯ҉߸จΛੜ੒͢Δɻ
  55. 伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ

    903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ $IB$IB4UBUF ,FZ4USFBN ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ϥ΢ϯυ ॳظঢ়ଶ ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF όΠτ $IB$IBฏจͷ҉߸Խ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN ෮߸Խ΋,FZ4USFBNͱ҉߸จΛ903͢Δ͚ͩ ͳͷͰखॱ͸΄΅ಉҰ
  56. ͳͥNFTTBHF BVUIFOUJDBUPS͕ඞཁ͔ʁ IUUQTXXXFYBNQMFDPN 903ͨ͠վ͟Μσʔλ Ϩίʔυ *7 ҉߸จ λά Ϩίʔυ *7

    վ͟Μ҉߸จ λά )FMMP8PSME )FMMP$SBDLFE ܭࢉ͢Δͱ λά͕ҧ͏ʂ վ͟Μ ͞ΕͯΔΘʂ λάͷ࠶ܭࢉʹ͸ൿີ伴͕ඞཁ
  57. ()"4)ͱ1PMZ ()"4) 1PMZ ܭࢉํࣜ 8FHNBO$BSUFS$POTUSVDUJPO CJOBSZpFME Y Y Y Y

     QSJNFpFME  伴௕ CJUT "&4ͱ૊Έ߹Θͤͨ࣌ CJUT ."$௕ CJUT ར༻໨తʹԠͯ͡੾Γ٧ΊΔ CJUT ඪ४ /*4541% "&4($. 3'$ ੑೳಛੑ 1$-.6-2%2*ͳͲಛఆܭࢉ༻ϋʔυ΢ΣΞ ʹΑΔߴ଎ॲཧ͕Մೳ ࣄલܭࢉςʔϒϧ͕ඞཁͳ͘ɺ4*.%Λ࢖ͬͨߴ ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w ."$௕͸CJUTҎ্Λར༻͢Δ͜ͱ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w λΠϛϯά߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ "&4ͱ૊Έ߹Θͤͨ%+#ͷ࿦จIUUQDSZQUPNBDQPMZQEG͕ΞϧΰϦζϜنఆͷࢀরઌ
  58. 1PMZOPNJBMFWBMVBUJPO ೝূ͢Δσʔλ $ $ $ $O $O ʜ G S

    $SO $SO $SO ʜ $OS $OS ʜ $S $ S $ S ʜ $O S $O S ෼ղͨ͠ϝοηʔδΛ܎਺ ͱͨ͠ଟ߲ࣜͷ஋ͰධՁ ϗʔφʔ๏Λ࢖ͬͯ৐ࢉ ԋࢉΛݮΒͯ͠ܭࢉ 伴 S
  59. 8FHNBO$BSUFS$POTUSVDUJPO GPS1PMZ ೝূ͢Δσʔλ $ $ $ $O $O ʜ 伴

    S 伴 T ૉ਺Q $SO $SO $SO ʜ $OS $OSNPEQ T Ϣχόʔαϧϋογϡ 0OF5JNF伴 w ਺ֶతʹڧ౓͕ূ໌Ͱ͖͍ͯΔ w 4)"ͳͲͷ)."$ΑΓߴ଎
  60. 1PMZ $SO $SO $SM ʜ $OS $OSNPE T NPE ೝূ͢Δσʔλ

    伴 S $ $ $ $O $O ʜ όΠτ௕Ͱ෼ׂɻ಄ʹ̍όΠτ ෼෇Ճͯ̍̓͠όΠτ௕ʹ όΠτ 伴 T όΠτ ࠷ऴతʹόΠτ௕ ʹ੾Γ٧ΊΔ CJU෼ؒҾ͖ ઈົ ͳαΠζͷૉ਺
  61. ೝূ͢Δσʔλ $  όΠτ௕ $  όΠτ௕ $  

    όΠτ௕ ʴ $  όΠτ௕ $   1PMZVQEBUF ʴ 1PMZpOBM 1PMZʹΑΔ."$σʔλͷੜ੒ όΠτ௕ CJU௕ ಄ͷCJU࡟আ ."$ όΠτ௕ ʴ όΠτ௕ ."$ ࠷ऴతͳೝূίʔυ 伴S CJUؒҾ͖ 伴 S 伴 T $IB$IB Χ΢ϯλʔ LFZ OPODF 伴 T 伴S CJUؒҾ͖ 伴S CJUؒҾ͖ ԼҐόΠτ ԼҐόΠτ ্ҐόΠτ ෦෼৒༨஋ ෦෼৒༨஋ 1PMZVQEBUF
  62. 5-4޲͚"&4($.ͱ$IB$IB1PMZ "&4($. $IB$IB1PMZ ඪ४ 3'$ 3'$ 3'$  ESBGUJFUGUMTDIBDIBQPMZ ࣌఺*&5'-BTU$BMMத

    ରশ҉߸ "&4 "&4 $IB$IB 伴ަ׵ 34" %) %)& &$%)& &$%)&%)& ೝূ 34" &$%4" 14, 13' 4") "&4  4)" "&4 4)" ໌ࣔత*7 CZUFT ͳ͠ /PODF $MJFOU4FSWFS8SJUF*7 CZUFT  ໌ ࣔత*7 CZUFT ύουͨ͠4FR/VN CZUFT  903$MJFOU4FSWFS8SJUF*7 CZUFT λά௕ CZUFT CZUFT ࠷খ҉߸Խ௕ CZUFT CZUFT
  63. ॳظΧ΢ϯλʔ ॳظΧ΢ϯλʔ JODS ฏจ $IB$IB,FZ4USFBN LFZ OPODF 1PMZ 伴S 伴T

    ҉߸จ ೝূλά MFO ฏจ ccMFO ҉߸จ  "VUI%BUB ̌1BE ̌1BE ҉߸จ 伴S 伴T $IB$IB,FZ4USFBN LFZ OPODF MFO จࣈྻ௕ɺCJUɺMJUUMFFOEJBOදه $IB$IB1PMZʹΑΔ"&"%ੜ੒ $IB$IBΛ࢖ͬͯ 1PMZͷ伴Λੜ੒