TLS徹底演習

5-4పఈԋश 4FDVSJUZ$BNQ **+େ௡ൟथ ೥݄೔ 7FS

ࣗݾ঺հ w גࣜձࣾΠϯλʔωοτΠχγΞςΟϒ **+ w ܦӦاըຊ෦഑৴ࣄۀਪਐ෦ w ΦʔϓϯιʔεϓϩδΣΫτ/PEFKTͷ$PSF 5FDIOJDBM$PNNJUUFFϝϯόʔɺ5-4DSZQUPؔ
࿈ػೳͷٕज़୲౰ɻ

ຊߨٛͷ໨త w 5-4Λపఈతʹཧղͯ͠΋Β͏ɻ w Ͱ΋5-4͸֤छηΩϡϦςΟٕज़ͷू߹ମɺͦΕͧΕ͕ਂ ͯ͘೉͍͠ɻ̔࣌ؒ͋ͬͯ΋શ෦͸ແཧɻ w ͦ͜Ͱ̏ͭʹ෼͚·ͨ͠ɻ ࠲ֶɿٕज़ऀʹͱͬͯͳͥ͜Ε͔Β5-4͕ॏཁ͔
ߨٛɾԋशɿ5-4ϋϯυγΣΠΫΛֶͿ ߨٛɾԋशɿ5-4ٕज़ͷίΞɺ҉߸ٕज़ΛֶͿ

ຊ೔ͷߨٛͷྲྀΕ w ߨٛɿ5-4ͷ֓ཁ w ߨٛɿ5-4Λཧղ͢Δ४උ ಛʹ"&"% w ߨٛɾԋशɿ5-4ϋϯυγΣΠΫઆ໌ɺ5-4#PUͱ 5-4ϋϯυγΣΠΫ͠Α͏ɺϦΞϧ.BOJO5IF
.JEEMF w ߨٛɾԋश$IB$IB1PMZͷ࣮૷

5-4ͷ֓ཁ

ΠϯλʔωοτͷڴҖ ౪ௌ ύεϫʔυ΍ΫϨδο τΧʔυ൪߸Λ౪Έݟ

ΠϯλʔωοτͷڴҖ վ͟Μ ௨৴్தͰσʔλΛॻ͖׵͑

ΠϯλʔωοτͷڴҖ ͳΓ͢·͠ ϢʔβʹͳΓ͢· ͯ͠௨৴Λߦ͏

ΠϯλʔωοτͷڴҖ ൱ೝ ͦΜͳ௨৴ͯ͠· ͤΜͱΩϟϯηϧ

ΠϯλʔωοτͷڴҖ͔ΒकΔηΩϡϦςΟ ରࡦ ౪ௌ վ͟Μ ੒Γ͢ ·͠ ൱ೝ ҉߸Խ ׬શੑνΣοΫ ೝূ
ॺ໊

֤ϨΠϠʔʹ͓͚ΔηΩϡϦςΟ௨৴ WPA IPsec TLS,DTLS,SSH S/MIME, PGP ແઢLAN IP TCP, UDP
σʔλ ࠓ೔ͷओ୊

TLSͷ໨త • TLSϓϩτίϧͷ࠷ॏཁͳΰʔϧ͸ɺ௨৴͢Δ̎ͭͷΞϓϦέʔγ ϣϯͷؒͰϓϥΠόγʔͱσʔλͷ׬શੑΛఏڙ͢Δ͜ͱͰ͢ɻ RFC5246: The Transport Layer Security (TLS)
Protocol Version 1.2 1. Introduction The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. ΞϓϦ ΞϓϦ ׬શੑ ϓϥΠόγʔ

5-4ͷ؆୯ͳྺ࢙ 44- ະൃද ೥ 44- ೥ 44- ೥ *&5'5-48(ελʔτ ೥
5-4 ೥ 5-4 ೥ 5-4 ೥ 5-4ݕ౼ελʔτ ೥ 5-4࢓༷Խ׬ྃʁ 44-͸چωοτεέʔϓࣾ ͷࢲతϓϩτίϧ େਓͷࣄ৘Ͱ໊শมߋ 44-ͱجຊઃܭ͸େ͖͘ม͑ͣվྑ ༷ʑͳػೳ֦ு ۙ೔8(ϥετίʔϧΛ໨ඪ ·ͩΘ͔Γ·ͤΜ %308/ 100%-& #&"45

5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551 )551ͷ࣌୅ ʙ 5-4ʙ
5-4ʙ

5-4ͷҐஔ෇͚ 5$1 5-4 *1 WW &UIFSOFU )551ηϚϯςΟΫε 5$1 *1 WW
&UIFSOFU 5-4 41%: )551ηϚϯςΟΫε )551 )551͔Β)551΁ ʙ ʙ ϒϥ΢β͸5-4௨ ৴ͷΈαϙʔτ Ͳͷ5-4όʔ δϣϯͰ΋0,

5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 5-4 &UIFSOFU )551ηϚϯςΟΫε )551
26*$҉߸ϓϩτίϧ ʙ )551ʙ )551͔Β26*$΁ (PPHMFಠࣗ҉߸ ϓϩτίϧ

5-4ͷҐஔ෇͚ 26*$ *1 WW 5$1 6%1 &UIFSOFU 5-4 )551ηϚϯςΟΫε )551
ʙʁ 26*$͔Β5-4΁ ʙ ౷Ұ͞ΕΔ༧ఆ

ͳͥ5-4͕ॏཁ͔ʁ ৗ࣌5-4࣌୅ͷ౸དྷ

1FSWBTJWF4VSWFJMMBODF ޿ൣғͷ౪ௌߦҝ w ࠃՈతͳ૊৫ ถࠃ/4"ͱӳࠃ($)2ͳͲ ͕ലେͳ ༧ࢉͰߦ͏޿ൣғͷ౪ௌߦҝ w ೥݄ΤυϫʔυɾεϊʔσϯʹΑͬͯͦͷ ׆ಈ಺༰͕ϦʔΫ͞ΕΔɻ
Πϯλʔωοτి࿩ͷ๣डɾ؂ࢹɺσʔληϯλʔ ಺௨৴౪ௌɺ҉߸ղಡɺ҉߸όοΫυΞɺαΠόʔ߈ ܸ౳

/4"ʹΑΔαΠόʔ߈ܸͷҰྫ 26"/56. '09"$*% IUUQXXXFYBNQMFDPN XXXFYBNQMFDPN Ϛϧ΢ΣΞΛૹΓࠐΉ ్தܦ࿏Ͱվ͟ΜίϯςϯπΛૹ৴ '09"$*%ʹ༠ಋ վ͟Μίϯςϯπ IUUQTXXXTDIOFJFSDPNCMPHBSDIJWFTIPX@UIF@OTB@BUUIUNM

ϓϩτίϧٕज़ऀͷ༕ྀ w ैདྷେن໛ͳઃඋͱ༧ࢉ͕ඞཁͰݱ࣮తʹ͸ແཧͱ ݟΒΕ͖ͯͨ߈ܸ͕࣮ࡍʹߦΘΕ͍ͯͨɻ w ެऺແઢ-"/ͷීٴͳͲ௨৴ͷ౪ௌɾվ͟Μ͕Մ ೳͳ؀ڥ͕޿͕͖͍ͬͯͯΔɻ w ޾͍࠷৽ͷٕज़Ͱ͔ͬ͠Γ҉߸Խ͞Εͨ௨৴·Ͱ͸ ·ͩഁΒΕ͓ͯΒͣɺ҆શͰ͋Ζ͏ɻ

ݕࡧαʔϏεձࣾͷ༕ྀ w ݕࡧͷϖʔδϥϯΫ͕ߴ͍αΠτѼͷฏจ௨৴͸ɺ߈ܸର ৅ͱͯ͠౰વૂΘΕΔɻ w ฏจ௨৴ͰϢʔβ͕ίϯςϯπվ͟Μ΍Ϛϧ΢ΣΞײછʹ Αͬͯ%%P4߈ܸͷҰ୺Λ୲͏ڪΕ΋͋Γ (JUIVC΁ͷ߈ ܸྫ ɻ
w ωοτίϯςϯπͷ݈શੑͷ௿Լ͸ɺ௕ظతʹݕࡧαʔ Ϗε΁ͷ৴པੑΛଛͳ͏͜ͱʹͳΔɻ 4&0͸Ͳ͏ͳΔʁ

*"# ʹΑΔΠϯλʔωοτͷ ৴པੑʹؔ͢Δએݴ w ৽͘͠ϓϩτίϧΛઃܭ͢Δࡍʹ͸ɺ҉߸ԽػೳΛඞ ਢͱ͢΂͖ɻ w ωοτϫʔΫӡ༻ऀ΍αʔϏεఏڙऀʹ҉߸Խ௨৴ͷ ಋೖΛਪਐ͢ΔΑ͏ڧ͘ٻΊΔɻ
w ίϯςϯπϑΟϧλʔ΍*%4౳ฏจ௨৴͕ඞཁͳػೳ ʹ͍ͭͯ͸কདྷతʹ୅ସٕज़ͷ։ൃʹऔΓ૊Ήɻ *OUFSOFU"SDIJUFDUVSF#PBSE IUUQTXXXJBCPSHJBCTUBUFNFOUPOJOUFSOFUDPOpEFOUJBMJUZ

.P[JMMBʹΑΔ ҆શͰͳ͍)551ͷഇࢭએݴ ͋Δ࣌ظ͔Β৽نػೳ͸ɺ)5514͚ͩར༻Ͱ͖ΔΑ͏ʹ͢ Δɻ ݱࡏ)551 ฏจ௨৴ Ͱར༻Ͱ͖ΔػೳͰɺϢʔβͷηΩϡ ϦςΟ΍ϓϥΠόγʔʹϦεΫΛ༩͑Δ΋ͷΛ࡟আ͍ͯ͘͠
IUUQTCMPHNP[JMMBPSHTFDVSJUZEFQSFDBUJOHOPOTFDVSFIUUQ

$ISPNFͷ)551্ͷػೳഇࢭ $ISPNFͰ͸ɺԼهͷػೳΛ)551 ฏจ௨৴ Ͱར༻ېࢭ͢Δ༧ఆ w Ґஔ৘ใΛऔಘ ഇࢭࡁ w σόΠεͷಈ͖΍ํ޲Λૢ࡞
w ҉߸Խ͞ΕͨಈըԻ੠ͷ࠶ੜ w ΧϝϥɾϚΠΫͳͲͷૢ࡞ w ΞϓϦέʔγϣϯͷΩϟογϡ৘ใͷૢ࡞ IUUQTTJUFTHPPHMFDPNBDISPNJVNPSHEFW)PNFDISPNJVNTFDVSJUZEFQSFDBUJOHQPXFSGVMGFBUVSFTPOJOTFDVSFPSJHJOT

ৗ࣌5-4΁ࢸΔಓ ৗ࣌5-4 ࠃՈϨϕϧͷ޿ൣғͳ౪ௌߦҝ ωοτίϯςϯπ ͷ݈શੑͷ֬อ )551 ฏจ௨৴ ্ͷ ϒϥ΢βͷػೳഇࢭ ҉߸Խલఏͷ
৽ٕज़։ൃ কདྷతͳ৽ٕज़͸5-4ར༻Λલఏͱ͢Δɻ ࠷ઌ୺ͷٕज़ऀ͸5-4Λආ͚ͯ௨Δ͜ͱ͸Ͱ͖ͳ͍ɻ ແྉূ໌ॻ

5-4Λཧղ͢Δ४උ

TLSͷཁૉٕज़ X509ূ໌ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉߸ σδλϧ ॺ໊ ϝοηʔδೝূ
ཚ਺ ੜ੒ TLS 伴ަ׵ Ұํ޲ϋογϡ TLSϓϩτίϧ͸ɺ͜ΕΒͷཁૉٕज़Λ૊Έ߹Θͤͯ ΞϓϦؒͷηΩϡΞ௨৴Λཱ֬͢ΔखॱΛܾΊΔ

TLSཁૉٕज़ͷґଘੑ X509ূ໌ ॻ PKI ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ
ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ ຊདྷ͸͜ͷҰͭҰͭΛ͖ͪΜͱཧղ͢Δ͜ͱ͕ඞཁ

TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ClientHello ServerHelloDone ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application
Data ཚ਺ੜ੒ ରশ҉߸ɾ҉߸ϞʔυɾҰํ޲ϋογϡɾཚ਺ੜ੒ 1,*ɾ9ূ໌ॻɾσδλϧॺ໊ ཚ਺ੜ੒ ServerHello Certificate ClientKeyExchange ServerKeyExchange ཚ਺ੜ੒ɾ伴ަ׵ɾ ެ։伴҉߸ɾσδλϧॺ໊ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ϝοηʔδೝূ ରশ҉߸ɾ҉߸Ϟʔυ ཚ਺ੜ੒ɾ伴ަ׵ σδλϧॺ໊

TLSཁૉٕज़͸Ͳ͜Ͱ࢖ΘΕΔʁ ཚ਺ੜ੒ $MJFOU4FSWFS)FMMPͷ/PODF 伴ϖΞͷੜ੒σʔλ҉߸Խͷ*7 1,* $"ʹΑΔαʔόূ໌ॻͷॺ໊ͱൃߦ 9ূ໌ॻ $FSUJpDBUFʹΑΔαʔόɾΫϥΠΞϯτͷೝূɾެ։伴ͷऔಘ ిࢠॺ໊ ূ໌ॻͷॺ໊ɾ伴ަ׵Ͱަ׵͢Δެ։伴ͷॺ໊
伴ަ׵ 4FSWFS$MJFOU,FZ&YDIBOHFʹΑΔ &$ %)ެ։伴ͷަ׵ ެ։伴҉߸ 34"伴ަ׵࣌ʹ1SF.BTUFS4FDSFUͷ҉߸ૹ৴ Ұํ޲ϋογϡ $#$ͳͲͷ҉߸Ϟʔυར༻࣌ʹΞϓϦσʔλͷ."$ੜ੒ ϝοηʔδೝূ .BTUFS4FDSFUͷੜ੒ɺ'JOJTIFEʹΑΔϋϯυγΣΠΫσʔλͷ׬શ ੑݕূ ରশ҉߸ɾ҉߸Ϟʔυ $IBOHF$JQIFS4QFDҎ߱ͷϋϯυγΣΠΫͱΞϓϦέʔγϣϯσʔλͷ҉߸Խ ʢ஫ɿଞʹ΋ࡉ͔͍ͱ͜ΖͰ࢖ΘΕ͍ͯ·͢ɻ

ࠓճ࢖͏TLSཁૉٕज़ AEAD Poly1305 ChaCha20 ECDHE RSA SHA256 X509ূ໌ ॻ PKI
ରশ ҉߸ ҉߸Ϟʔυ ެ։伴҉ ߸ σδλϧ ॺ໊ ϝοηʔδೝূ ཚ਺ ੜ੒ 伴ަ׵ Ұํ޲ϋογϡ LinuxͳΒ/dev/urandom+OpenSSLॲཧ ࠓ೔ͷԋश

ηοτϝχϡʔԽ͞ΕͨTLSͷཁૉٕज़ TLS CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 = {0x00,0x9C} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256={0xCC,0xA8} ରশ ҉߸ ҉߸Ϟʔ
υ σδλϧ ॺ໊ ϝοηʔδೝূ (ϋογϡ) 伴ަ׵ TLS _ _ _WITH_ _ 伴௕ _ _ 伴ަ׵ɾσδλϧॺ໊ʹRSA ରশ҉߸ʹ128bit伴௕ͷAES ҉߸ϞʔυʹGCM(AEAD) ϋογϡʹSHA256 伴ަ׵ʹECDHE σδλϧॺ໊ʹRSA ରশ҉߸ʹChaCha20 ҉߸ϞʔυʹPoly1305(AEAD) ϋογϡʹSHA256 ൪߸ͱͯ͠0xCC,0xA8ΛׂΓ౰ͯ

ࠓ͸5-4ʹԿΛ࢖͏ʁ 伴ަ׵ 34" 'PSXBSE4FDSFDZ %)& &$%)& σδλϧॺ໊ 34" %44 %4"
&$%4" ର৅҉߸ %&4 3$ "&4 $IB$IB ͦͷଞ ҉߸Ϟʔυ $#$ "&"% $$. ($. 1PMZ ϝοηʔδೝূ ʢϋογϡʣ .% 4)" 4)" 4)" ੺ɿ࢖Θͳ͍ɺԫɿ஫ҙɺ྘ɿࠓͷͱ͜Ζ࢖ͬͯେৎ෉ ஫ҙ͸ɺ҉߸ֶత஫ҙͱকདྷతʹීٴ͕ݟࠐ·Εͳ͍஫ҙ΋ؚ·Ε·͢ ͪͳΈʹɺ ྔࢠίϯϐϡʔλͰ伴ަ׵ɺσδλ ϧॺ໊͸શ෦Ξ΢τʂ

ରশ҉߸ ҉߸จ ฏจ ڞ௨伴 ڞ௨伴 ฏจ ετϦʔϜ҉߸ɿσʔλΛஞ࣍҉߸Խ(RC4, Chacha20) ϒϩοΫ҉߸ɿσʔλΛϒϩοΫຖʹ҉߸Խ(DES, AES)
ز͔ͭͷ҉߸Ͱ͸طʹةຆԽɿ DES: 2005೥ NIST FPS46-3ن֨ͷഇࢭ(2030೥·Ͱ͸ڐ༰) RC4: RFC7455: Prohibiting RC4 Cipher Suites ҉߸Խ ෮߸Խ ϒϩοΫɺετϦʔϜͷ྆ऀͷҧ͍͸ݱࡏͳ͘ͳ͖͍ͬͯͯΔ ϒϩοΫ҉߸ "&4 Λ҉߸Ϟʔυ ޙड़ ͰΧ΢ϯλʔϞʔυΛར༻͢Δ͜ͱʹΑΓશͯε τϦʔϜ҉߸ͱͯ͠ར༻Ͱ͖·͢ɻ "&4($.͸ετϦʔϜ҉߸ॲཧ

ରশ҉߸ AES • 1997೥ΑΓϓϩδΣΫτ։࢝ɺ2000೥બఆɺ2001 ೥࢓༷ൃߦ • ϒϩοΫαΠζ 128bit • 伴௕ɿ
128bits, 192bits, 256bits ͷ̏छྨ • Intel/AMDͷCPUͰϋʔυ΢ΣΞॲཧͷαϙʔτ (AES-NI) ̎̌̍̒೥ݱࡏ5-4௨৴ͷσϑΝΫτ $IB$IB͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

҉߸Ϟʔυ • ϒϩοΫ҉߸͸ಉ͡σʔλΛಉ͡伴Ͱ҉߸Խ͢ΔͱຖճಉҰͷ҉ ߸จʹͳΔɻ • ϒϩοΫ௕ΑΓ௕͍σʔλΛ҉߸Խ͢Δ৔߹ʹ҉߸ϞʔυΛར༻ ͯ͠܁Γฦ͠Λආ͚Δɻ • CBCɿʮ(ฏจ XOR
ϕΫτϧ) Λ҉߸ԽʯΛଓ͚Δ • CTRɿ ʮΧ΢ϯλʔΛ҉߸Խ XOR ฏจʯΛଓ͚Δ ࣮ࡍʹTLSͰར༻͢Δʹ͸վ͟Μݕ஌ͷͨΊͷMAC(ϝοηʔδೝূʣͱͷ૊Έ߹ΘͤΔ (AEAD)ɻAES-GCM͕ࠓͷओྲྀɻ ͜Ε·Ͱͷ ओྲྀ $IB$IB1PMZ͸ޙͰͨͬ΀Γͱઆ໌͠·͢ɻ

ೝূλά AEADʢೝূ෇͖҉߸) ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w
w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ &ODSZQU5IFO."$ ҉߸Խͨ͠ޙͰϋογϡ஋Λऔಘ

AEADʢೝূ෇͖҉߸) ฏจ AEAD ෮߸Խ վ͟ΜνΣοΫ ҉߸Խ͠ͳ͍͚Ͳվ͟Μ๷ ࢭ͕ඞཁͳσʔλ ʢϔομ౳ʣ ҉߸จ ೝূλά
ڞ௨伴 ॳظϕΫτϧ

GCM • GCM (Galois Counter Mode: ΨϩΞΧ΢ϯλʔ Ϟʔυʣ • CTRͱGHASHΛ૊Έ߹ΘͤͨAEAD
• ϋʔυ΢ΣΞॲཧͰߴ଎Խ͕Մೳ • AESͱ૊Έ߹Θͤͯ AES-GCMͱͯ͠ར༻

Ұํ޲ϋογϡ σʔλ Ұํ޲ ϋογϡؔ਺ ϋογϡ஋ ϋογϡ஋Λൺֱ͢Δ͜ͱͰσʔλͷվ͟ΜΛνΣοΫ͢Δ͜ͱ͕Ͱ͖Δɻ

҉߸ֶతϋογϡ ɾݪ૾ܭࢉࠔ೉ੑ 1SFJNBHF3FTJTUBODF ɾୈ̎ݪ૾ܭࢉࠔ೉ੑ OE1SFJNBHF3FTJTUBODF ɾڧিಥ଱ੑ 4USPOH$PMMJTJPO3FTJTUBODF ϋογϡ஋I͔Β΋ͱͷϝοηʔδNΛ୳͢ͷ͕ࠔ೉ ̷ I)"4)
N ͷNΛݟ͚ͭΔ ಛఆͷϝοηʔδNͱಉ͡ϋογϡ஋Λ࣋ͭNΛ୳͢ͷ͕ࠔ೉ I)"4) N )"4) N IͷNΛݟ͚ͭΔ )"4) N )"4) N ͱͳΔNͱNΛݟ͚ͭΔͷ͕ࠔ೉

Ұํ޲ϋογϡ • md5 • SHA-1 • SHA-2(SHA-256ͳͲ6छ) • SHA-3(SHA3-256ͳͲ6छ) 2018೥͙Β͍ʹ͸ݱ࣮తͳίετ
ͰিಥσʔλΛ୳ͤΔݟࠐΈ(*2) طʹݱ࣮తͳ߈ܸख๏͕ଘࡏ (*2) Cryptanalysis of SHA-1 https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html (*1) how to Break MD5 and Other Hash Functions http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf 8/5ʹNISTΑΓਖ਼ࣜެ։

"&"%Λࢥ͍ग़ͦ͏ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w w
w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸Խ͢Δฏจ AEAD ҉߸Խ ҉߸จ ڞ௨伴 ॳظϕΫτϧ ϋογϡ஋ͩʂ ($. 1PMZ͋Εͬɺ4)"ͱ͔͡Όͳ͍ɻͳͥʁ

"&"%Ͱ͸҉߸ֶతϋογϡ ·Ͱ͸ඞཁͳ͍ ೝূλά ҉߸Խ͠ͳ͍͚Ͳվ͟Μ w w w w w w
w w w w w ๷ࢭ͕ඞཁͳσʔλ w w w w w w w w w ʢϔομ౳ʣ w w w w ҉߸จ &ODSZQU 5IFO."$ ϋογϡલͷϝοηʔδ͕ ݟ͑ͯΔ ݪ૾ܭࢉࠔ೉ੑ͸͍Βͳ͍ɻ ݟ͑ͯΔϝοηʔδͷվ͟Μݕ஌ ."$ ͕ॏཁɻ ୈ̎ݪ૾ܭࢉࠔ೉ੑͱߴ͍ڧিಥ଱ੑ͕ٻΊΒΕΔɻ ύέοτຖʹܭࢉ͢ΔͷͰߴ଎ੑೳେࣄɻ ($.1PMZ͸ɺ"&"%޲͚ʹಛԽͨ͠ߴ଎."$ΞϧΰϦζϜ

ϝοηʔδೝূ(HMAC) • ࣄલʹڞ௨伴Λڞ༗ • ڞ௨伴ͱσʔλΛ૊Έ߹Θͤͨϋογϡ஋Λ࡞੒ • σʔλͷ׬શੑͱϋογϡ࡞੒ऀΛೝূ͢Δ σʔλ Ұํ޲ ϋογϡؔ਺
ϋογϡ஋ ڞ௨伴

ެ։伴҉߸ 512bit RSAͷةݥੑ FREAK https://freakattack.com/ • ղΛٻΊΔͷ͕ࠔ೉ͳ਺ֶత໰୊Λར༻ͯ͠҉߸Λੜ੒ɻ • ެ։伴ͱൿີ伴ͷϖΞΛੜ੒ɻެ։伴͸͞Βͯ͠େৎ෉ɻ •
ެ։伴Ͱ҉߸Խ͠ൿີ伴Ͱ෮߸Խɻ • RSA ૉҼ਺෼ղ • ECC(ପԁۂઢ҉߸ʣପԁۂઢ্ͷ཭ࢄର਺໰୊ ެ։伴 ൿີ伴 ҉߸Խ ෮߸Խ

伴ަ׵ • 2ऀؒͰ҆શʹ伴Λڞ༗͢Δ࢓૊Έ • ޓ͍ʹެ։伴Λަ׵͍͋͠ɺڞ༗伴Λੜ੒͢Δɻ • ௨৴ܦ࿏্Ͱڞ༗伴ͷ΍ΓऔΓ͕ͳ͍ɻ • DH (Diffie-Hellman)
• ECDH(ପԁۂઢDH) ੬ऑੑɿDH Logjam https://weakdh.org/ ެ։伴 ެ։伴 ൿີ伴 ൿີ伴 Ұ࣌తͳ伴ަ׵͸& &QIFNFSBM ͷจࣈ͕෇͘ %)& &$%)&

σδλϧॺ໊ • σʔλͷ׬શੑͷνΣοΫ͕ՄೳͱͳΔɻ • σʔλͷૹ৴ݩͷೝূ͕ՄೳͱͳΔɻ • ެ։伴ͷ৴པੑͷൣғͰ൱ೝ๷ࢭ͕ՄೳͱͳΔɻ • RSA •
DSA,ECDSA ެ։伴 ൿີ伴 σʔλʴσδλϧॺ໊ σʔλϋογϡ ஋Λ҉߸Խ͠ σδλϧॺ໊Λ ੜ੒ σδλϧॺ໊Λ෮߸Խɻ σʔλϋογϡ஋ͱൺ ֱ͠ݕূ͢Δ

1,*֓ཁ $" $FSUJpDBUF"VUIPSJUZ 7" 7BMJEBUJPO"VUIPSJUZ 3" 3FHJTUSBUJPO"VUIPSJUZ $3-0$41 $43 伴ϖΞ
࣮ࡏ֬ೝ αʔόূ໌ॻ IUUQTʙ ࣦޮ֬ೝ ࿦ཧతʹෳ਺ͷ໾ׂʹ෼͔Ε͍ͯΔ͕෺ཧతʹ̍ͭͰ΋Α͍ 3PPUূ໌ॻ 04ɾϒϥ΢β ϕϯμʔ

αʔόূ໌ॻ 9 w 5-4௨৴ͷ৴པੑΛ୲อ͢Δཁ w ϏϧτΠϯͷϧʔτূ໌ॻ͔Βαʔόূ ໌ॻ·Ͱূ໌ॻνΣʔϯͷॺ໊ݕূ w ΦϯϥΠϯҎ֎Ͱ৴པੑΛ୲อ 1,*
ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ ϏϧτΠϯͷ ϧʔτূ໌ॻ αʔόূ໌ॻ தؒূ໌ॻ τϥετΞϯΧʔ

ূ໌ॻͷछྨ &7ূ໌ॻ &YUFOEFE 7BMJEBUJPO $"ڞ௨ͷݫ֨ͳ૊৫ͷ࣮ࡏূ໌ ෺ཧత࣮ࡏ ॻ໘΍σʔλ ޱ࠲औҾʹΑΔ࣮ࡏ৹ࠪɾॺ໊ ఏग़ɾి࿩֬ೝͳͲ
ΞυϨεόʔ͕྘৭ 07ূ໌ॻ 0SHBOJ[BUJPO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨ૊৫ͷ࣮ࡏূ໌ ʢॻ໘΍σʔλ৹ࠪɾి࿩֬ೝͳͲ %7ূ໌ॻ %PNBJO 7BMJEBUJPO ֤$"ϙϦγʔ $14 ʹैͬͨυϝΠϯอ࣋ূ໌ ϝʔϧͷ౸ୡੑ֬ೝͳͲ -FU`T&ODSZQUͳͲ ແྉূ໌ॻ͕͋ΔΑ ωοτϫʔΫҎ֎ ͷ࣮ࡏূ໌

αʔόূ໌ॻͷத਎ όʔδϣϯɺγϦΞϧ൪߸ɺൃߦऀ৘ใɺ༗ޮظݶɺαʔό ࣝผࢠɺެ։伴৘ใɺ֦ு৘ใ ར༻༻్ɺผ໊΍ࣦޮ৘ใɾ ϙϦγʔࢀরઌ ɺσδλϧॺ໊

αʔόূ໌ॻͷ֬ೝ αʔόূ໌ॻͱൿີ伴ͷରԠ͕ؒҧ͍ͬͯͨΒ5-4 αʔό͸ىಈ͠ͳ͍ɻͳͷͰαʔόূ໌ॻͱൿີ伴 ͷެ։伴͕Ұக͢Δ͔ඞͣνΣοΫ͢Δɻ αʔό ূ໌ॻ ൿີ伴 PQFOTTMYQVCLFZJOTFSWFSDSUOPPVUTFSWFS@QVCLFZQFN PQFOTTMSTBQVCPVUJOQSJWBUFLFZPVUQSJWBUF@QVCLFZQFN ެ։伴
ެ։伴

5-4ηΩϡϦςΟͷ౔୆ 5-4ͷ ηΩϡϦςΟ ཚ਺ੜ੒ 1,* ൿີ伴ͷ ؅ཧ ҉߸ٕज़ Τϯ τϩϐʔෆ଍
ෆਖ਼ ൃߦ ࿙Ӯ ΞϧΰϦζϜɾ ڧ౓ͷةຆԽ 5-4͸ɺ͜ͷ̐ͭͷ֎෦ཁૉͷ্ͰΠϯλʔ ωοτͰ҆શͳ௨৴Λఏڙ͢Δ࢓૊ΈͰ͋Δɻ ٯʹݴ͑͹ɺͲΕ΄Ͳ׬ᘳͳ5-4ϓϩτίϧΛ࡞ͬͯ΋ ͜ͷ̐ͭͷ֎෦ཁૉ͕ഁΒΕͨΒ҆શΛ֬อͰ͖ͳ͍ɻ

TLSϋϯυγΣΠΫ ஫ɿෳࡶ͞Λආ͚ΔͨΊΫϥΠΞϯτೝূػೳͷઆ໌͸লུ͠·͢ɻ 5-4#PUͱڙʹ

ԋश ࣮ࡍʹ$IB$IBͷύέοτΛݟͯΈΔ IUUQTDIBDIBUMTLPVMBZFSDPN ʹ$ISPNFͰΞΫηεɺ%FWFMPQFS5PPMͰ֬ೝͯ͠ΈΔɻ IUUQTDIBDIBUMTLPVMBZFSDPNDIBDIB@TBNQMFQDBQ Λμ΢ϯϩʔυͯ͠ɺ&UIFSSFBMͰݟͯΈΑ͏ɻ

4FD$BNQ5-4#PU w ίϚϯυϥΠϯͰ)&9ܗࣜͷ5-4ϑϨʔϜΛೖྗ͠ ͯ5-4ϋϯυγΣΠΫΛߦ͏#PU w 4FSWFS$MJFOU྆ํͰಈ͖·͢ɻ w $MJFOU͸࠷ॳʹ)FMMP3FRVFTUͷϑϨʔϜΛೖྗ͠ ͯ։࢝ɻ w
/0%&@%&#6(TFDDBNQͰग़ྗϑϨʔϜ ͷ+40/Λग़ྗ͠·͢ɻ

4FD$BNQ5-4#PU w OQNJOTUBMMTFDDBNQUMTFYFSDJTF w 4FSWFS$MJFOU#PUͷεΫϦϓτΛ࡞੒ DPOTU4FD$BNQSFRVJSF TFDDBNQUMTFYFSDJTF 4FD$BNQ5-4#PU GBMTF
DMJFOU͸GBMTF Πϯετʔϧ͞ΕͨOPEF@NPEVMF͕ݟ͔ͭΕ͹ OPEF@NPEVMFTTFDDBNQUMTFYFSDJTFTBNQMFT ʹίʔυ͕͋Γ·͢ɻ IUUQTHJTUHJUIVCDPNTIJHFLJGBBCDCCGFEGBFCB ʹ΋͋Γ·͢ɻ

5-4#PU

5-4CPU%FCVHϞʔυ FYQPSU/0%&@%&#6(TFDDBNQ

TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished
ChangeCipherSpec Finished Application Data Application Data (੺จࣈ͸ϋϯυγΣΠΫʣ ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355ඞཁ

TLSϋϯυγΣΠΫ(resumption) ClientHello(session_id) ServerHello(session_id) ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data Application
Data (੺จࣈ͸ϋϯυγΣΠΫʣ SessionIDʹΑΔTLSηογϣ ϯͷ࠶։ɻ 伴ަ׵΍ূ໌ॻૹ෇ΛεΩοϓɻ ࠓճ͸ԋशͷର৅֎Ͱ͢ ҉߸Խͨ͠ΞϓϦ௨৴Λ ߦ͏·Ͱ355Ͱ͢Ή

TLSϋϯυγΣΠΫͷҙຯ ClientHello/ServerHello/ServerHelloDone TLSͷͨΊͷ৘ใަ׵ όʔδϣϯɾཚ਺ɾ҉߸ํࣜɾ֦ு৘ใ Certificate ެ։伴৘ใͷૹ෇ ΤϯυϙΠϯτͷೝূ ClientKeyExchange/ServerKeyExchange ڞ༗伴ަ׵ ChangeCipherSpec
҉߸։࢝ͷ߹ਤ Finished ϋϯυγΣΠΫσʔλͷվ͟ΜνΣοΫ

TLS1.2ͷߏ଄ I P ϔ ο μ T C P ϔ
ο μ TLS Record Layer (5όΠτ) λΠϓ ʢ̐छ ྨʣ (1byte) όʔδϣϯ (2byte) ௕͞ (2byte) Handshake (λΠϓ:0x16) msgλΠϓ ʢ̍̌छྨʣ ௕͞ ʢ3όΠτ௕ʣ ϋϯυγΣΠΫσʔλ Alert (λΠϓ:0x15) Ϩϕϧ ཧ༝ ChangeCipherSpec (λΠϓ:0x14) λΠϓ Application Data (λΠϓ:0x17) ҉߸Խ͞Εͨσʔλ msgλΠϓ ϋϯυγΣΠΫσʔλͷछྨ 0x00 HelloRequest 0x01 ClientHello 0x02 ServerHello 0x0b Certificate 0x0c ServerKeyExchange 0x0d CertificateRequest 0x0e ServerHelloDone 0x0f CertificateVerify 0x10 ClientKeyExchange 0x14 Finished TLS Record Layerσʔλʹ ଓ͍ͯɺ࣍ͷ̐छྨͷTLSσ ʔλͷ͍ͣΕ͔͕ଓ͘ɻ TLS Handshake͸ɺ͜ͷ ̍̌छྨʹ෼͔ΕΔɻ

5-4ϋϯυγΣΠΫϑϨʔϜΛಡΉ Record Layer Handshake (ClientHello) type protocol version length (2byte)
msg type length (3byte) client version random major minor major minor 0x16 0x03 0x03 0x00 0x45 0x01 0x00 0x00 0x41 0x03 0x03 32 byte όΠτ όΠτ ҉߸Խ͞Εͳ͍ ҉߸Խ͞ΕΔ

ԋश w ̎ͭͷίϚϯυϥΠϯλʔϛφϧΛ։͍ͯҰͭ͸ UMT@DMJFOU@CPUɺ΋͏Ұͭ͸UMT@TFSWFS@CPUΛىಈ ͢Δɻ w UMT@DMJFOU@CPUʹ)FMMP3FRVFTUΛೖྗͯ͠ɺग़ྗ͠ ͨ$MJFOU)FMMPΛίϐʔͯ͠TFSWFSCPUʹೖྗ͠Α ͏ w
/0%&@%&#6(TFDDBNQͷઃఆΛͯ͠ +40/Λ֬ೝ͠Α͏ɻ

ClientHello ClientHello ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ

ClientHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ ใ client_version uint8 major, uint8
minor 2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1όΠτ෼ cipher_suites uint8 CipherSuite[2] <2..2^16-2> 2όΠτ෼ compression_ methods null(0) <1..2^8-1> 1όΠτ෼ extensions extension_type(65535), extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ type σʔ λ௕ σʔλ Extension௕ Extensionsσʔλྫ

ClientHello Record Layer Handshake (ClientHello) type protocol version length (2byte
) msg type length (3byte) client version random sessi on id cipher suite comp ressi on Exte nsion majo r mino r major minor 0x16 0x03 0x03 ?? ?? 0x01 ?? ?? ?? 0x03 0x03 32 byte Մม Մม Մม Մม Version 0x03,0x00 = SSLv3 0x03,0x01= TLSv1.0 0x03,0x02=TLSv1.1 0x03,0x03=TLSv1.2 ΫϥΠΞϯτ͕ར༻Ͱ͖Δ ࠷ߴͷTLSόʔδϣϯΛࢦ ఆɺαʔό͕Ͳͷόʔδϣ ϯΛ࢖͏͔બ୒͢Δ

ServerHello ClientHello ServerHello (੺จࣈ͸ϋϯυγΣΠΫʣ ClientHelloͱServerHelloͷ ΍ΓऔΓͰ૒ํ͕ར༻͢ΔTLS όʔδϣϯ΍҉߸ԽํࣜͳͲ Λ߹ҙ͢Δɻ

ServerHello ߲໨ ཁૉ αΠζ ઌ಄ͷ௕͞৘ใ server_version uint8 major, uint8 minor
2 N/A random uint32 gmt_unix_time, opaque random_bytes[28] 4 + 28 N/A session_id opaque SessionID <0..32> 1 cipher_suite uint8 CipherSuite[2] 2 N/A compression_method null(0) 1 N/A extensions extension_type, extension_data<0..2^16-1> <0..2^16-1> 2όΠτ෼ Record Layer(5bytes) Handshake (ServerHello) type protocol version length (2bytes) msg type length (3byte) server version random 32bytes session id cipher suite 2bytes compression majo r minor major minor 0x16 0x03 0x03 ? + 4 0x01 ? 0x03 0x03 ? ௕͞1byte 0x00,0x9c ௕͞2bytes

Certificate ClientHello ServerHello Certificate (੺จࣈ͸ϋϯυγΣΠΫʣ

Certificate ߲໨ ཁૉ αΠζ certificate_list ASN.1Cert<2^24-1> <0..2^24-1> શূ໌ॻ௕ ূ໌ॻ#1௕ ূ໌ॻσʔλ#1
ূ໌ॻ#2௕ ূ໌ॻσʔλ#2 ෳ਺ͷূ໌ॻσʔλΛૹ෇ ࠷ॳ͸ඞͣαʔόূ໌ॻ 2ͭ໨Ҏ߱͸தؒূ໌ॻͳͲ

Perfect Forward Secrecy(PFS) • લํൿಗੑ • ηογϣϯຖʹҰ࣌తͳ伴Λ࢖͏ɻ • ϋϯυγΣΠΫΛؚΉશ҉߸σʔλΛऔಘ͞Ε͍ͯΔΑ͏ͳঢ় گͰ΋ɺকདྷతͳൿີ伴࿙ӮͳͲͷϦεΫʹରԠ͢Δɻ
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Ephemeral:Ұ࣌తͳ 伴ަ׵ख๏

%)&WT&$%)& w %)%J⒎F)FMMNBO཭ࢄର਺໰୊Λར༻ͨ͠伴ަ׵ H?Y NPE1 ?ZNPE1 H?Z NPE1 ?YNPE1H? YZ
NPE1 ૉ਺1 δΣωϨʔλH ެ։伴 ੺ࣈɺ੨ࣈʣͳͲͷ৘ใΛަ׵ɻ&$%)& ΑΓܭࢉྔ͕ଟ͍ɻ w &$%)&ɿପԁؔ਺্Ͱͷ཭ࢄର਺ԋࢉΛར༻ͨ͠伴ަ׵ ପԁؔ਺ͷύϥϝʔλɾج఺Λ໊લͰنఆ TFDQ౳ ɺެ։伴 ପԁ ۂઢ্ͷ఺ Λަ׵ɻ%)ΑΓ伴௕ɾܭࢉྔ͕গͳͯ͘͢Ήɻ

ECDHEͷϋϯυγΣΠΫ ClientHello + elliptic_curves + ec_point_formats ServerHello + ec_point_formats Certificate
ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data (੺จࣈ͕௥Ճมߋ͞ΕΔͱ͜Ζʣ ClientHello֦ுΛ௥Ճ ServerHello֦ுΛ௥Ճ ପԁۂઢ໊ͱServer ͷެ։伴Λॺ໊෇͖ Ͱૹ෇ Clientͷެ։伴Λૹ෇ ପԁ఺ͷॻࣜΛ߹ҙ ࢖͑Δପԁۂઢ໊ͱପԁ఺ॻࣜΛ௨஌ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ެ։伴͸ຖճϥϯμϜʹੜ੒͞Ε·͢

ECDHE ClientHello֦ு ΫϥΠΞϯτ͕αϙʔτ͍ͯ͠ΔପԁۂઢͷϦετΛαʔόଆʹ௨஌ɻαʔό͸ Ϧετͷத͔Βద੾ͳପԁۂઢΛબͼ ServerKeyExchange಺Ͱબ୒ͨ͠ପԁ ۂઢΛ௨஌͢Δ 0 1 2 3
4 5 6 7 elliptic_curves(10) Ϧετ௕ σʔλ௕ secp256r1 (23) 0x00 0x0a 0x00 0x04 0x00 0x02 0x00 0x17

ECDHE Client/Server Hello֦ு ପԁ҉߸ͷެ։伴ͷॻࣜ 0 1 2 3 4 5
ec_point_formats(11) Ϧετ௕ σʔλ௕ uncompressed(0) 0x00 0x0b 0x00 0x02 0x01 0x00

ServerKeyExchange ClientHello ServerHello Certificate ServerKeyExchange (੺จࣈ͸ϋϯυγΣΠΫʣ

ECDHE ServerKeyExchange ServerECDHParams Signature ECParameters ECPoint algorithm signature curve_type named_curve
௕ ͞ public key (Hello֦ுࢦఆͷॻࣜʣ RSA-SHA256 (0x04,0x01) named_curve (3) secp256r1 (23) signature = sign(algorithm, ClientHello.random + ServerHello.random + ServerECDHParams); RSAൿີ伴ͰServerECDHParmsͱRandomΛॺ໊

ServerHelloDone ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone (੺จࣈ͸ϋϯυγΣΠΫʣ

ServerHelloDone handshake type handshake௕ 0x0e 0x00 0x00 0x00 ServerHelloͷऴྃͷ߹ਤ ϋϯυγΣΠΫϔομͷΈ
͜͜Ͱ4FSWFS)FMMP͔Βଓ͘Ұ࿈ͷϋϯυγΣΠ Ϋͷલ൒͕ऴྃͨ͜͠ͱΛࠂ͛Δ߹ਤ

TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange (੺จࣈ͸ϋϯυγΣΠΫʣ

ECDHE ClientKeyExchange ClientECDHParams ECPoint ௕͞ public key (Hello֦ுࢦఆͷॻࣜʣ ClientKeyExchange͸ॺ ໊ͷඞཁ͸ͳ͍

࣭໰ɿ ECDHEެ։伴ͷकΒΕํͷҧ͍ • ServerKeyExchange: ެ։伴Λॺ໊ • ClientKeyExchange: ΍Γ͍ͨ์୊ Ͳ͏ͯ͠Ͱ͠ΐ͏ʁ

PreMasterSecret/MasterSecret • TLSͰར༻͢ΔIV(ॳظϕΫτϧ)ɺڞ༗伴ɺMAC伴ͷσʔλݩ • MasterSecret͸48όΠτ௕ɻPreMasterSecretͷ௕͞͸伴ަ׵ํࣜʹґ ଘ͢Δɻ • MasterSecret͸ɺPreMasterSecretɺClientRandomɺ ServerRandomɺݻఆϥϕϧ͔Βੜ੒͢Δɻ •
Clinet/ServerRandom͸શؙͯݟ͑ɻPreMasterSecret͸ɺඞͣࢮक͠ ͯकΒͳ͍ͱ͍͚ͳ͍ɻ͜Ε͕࿙͍͑͢ΔͱTLSͷ҆શੑ͸શ͓ͯ͡ΌΜɻ 'SFBL-PHKBN

ChangeCipherSpec Client->Server ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec (੺จࣈ͸ϋϯυγΣΠΫʣ

ChangeCipherSpec ૹ৴ݩ͕҉߸։࢝Λએݴɻ͜ΕΛૹ৴ͨ͠ޙ͸҉߸ ௨৴Λߦ͏ɻ Record Layer ChangeCipherSpec ContentTy pe Version length
(2byte) major minor 0x14 0x03 0x03 0x00 0x01 0x01

TLSϋϯυγΣΠΫ(full handshake) ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished
(੺จࣈ͸ϋϯυγΣΠΫʣ

Finished struct { opaque verify_data[verify_data_length]; } Finished; verify_data = PRF(master_secret,
finished_label, Hash(handshake_messages))[0..11]; finished_label: ΫϥΠΞϯτ͸ɺ"client finished"ɺαʔό͸"server finished" 12όΠτݻఆ ͜Ε·ͰͷϋϯυγΣΠΫσʔλʢͨ ͩࣗ͠෼͸আ͘ʣͷϋογϡΛܭࢉ TLS1.2Ͱ͸ SHA256Λ࢖͏ FinishedΛड৴͢Δͱɺ͜Ε·Ͱૹड৴ͨ͠ϋϯυγΣΠΫσʔλ͔Βܭࢉͨ͠஋ͱൺֱɻ ϋϯυγΣΠΫσʔλ͕վ͟Μ͞Εͯͳ͍͜ͱΛ֬ೝ͢Δɻ

ChangeCipherSpec Server -> Client ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange
ChangeCipherSpec Finished ChangeCipherSpec (੺จࣈ͸ϋϯυγΣΠΫʣ

ServerFinished ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec
Finished (੺จࣈ͸ϋϯυγΣΠΫʣ

Application Data ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished
ChangeCipherSpec Finished Application Data (੺จࣈ͸ϋϯυγΣΠΫʣ

ԋश 5-4#PUΛ࢖ͬͨ̍ର̍5-4 w ೋਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU ໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ w αΠϘ΢ζͰσʔλΛ΍ΓऔΓ͠·͢ɻ૬ޓͰ҉߸จͷ෮ ߸Խ͕Ͱ͖Δ͜ͱΛ֬ೝ͠·͢ɻ 5-4҉߸௨৴ 5-44FSWFSGDBCEDCGBBCDG
"QQMJDBUJPO%BUBIPHF #PU #PU

ԋश ϦΞϧ.BO*O5IF.JEEMF w ̏ਓҰ૊ʹͳͬͯ#PUΛ࢖ͬͨ5-4௨৴Λߦ͍·͢ɻ$MJFOU໾ɺ ѱਓ໾ɺ4FSWFS໾ΛܾΊͯԼ͍͞ɻ w ѱਓ໾Λհͯ͠5-4ϋϯυγΣΠΫΛߦ͍·͢ɻ·ͣ͸ѱਓ͸ͦ ͷ··ӈ͔Βࠨʹड͚ྲྀ͠·͢ɻ w ࣍ʹѱਓ໾Ͱ4FSWFS$MJFOUͷ#PUΛͨͯͯͳΓ͢·͠௨৴Λ͠·
͠ΐ͏ɻ

$IB$IB1PMZ ೥݄̒ʹ࢓༷Խ׬ྃ 3'$ ͨ͠ 5-4ͷ৽͍͠҉߸ํࣜ ࢲ͸҉߸ઐ໳ՈͰ͸ͳ͍ͷͰ҆ શੑͷ͓࿩͸εΩοϓ͠·͢ɻ

$IB$IB1PMZ w $IB$IB%+#FSOTUFJO EKC ࢯ͕ߟҊͨ͠҉ ߸ํࣜ ࠷ॳʹ4BMTBΛൃදɺ$IB$IBʹվྑ w 1PMZEKCࢯ͕ߟҊͨ͠."$ํࣜ
"&4ͱ૊Έ ߹Θͤͨ"&41PMZͰൃද جຊ྆ऀ͸ಠཱͨ͠΋ͷɻ(PPHMFͷ"EBN-BOHMFZ ࢯ͕$IB$IB1PMZͱͯ͠ʹυϥϑ τ࢓༷Λެ։

1PMZ࿦จൃද ࠷ऴ൛ $IB$IB࿦จൃද ࠷ऴ൛ 4BMTB͕F4USFBNͷ'JOBMJTUʹબఆ $IB$IBΛ࢖ͬͨ#-",&͕4)"ͷ࠷ऴީิʹબఆ
ESBGUBHMUMTDIBDIBQPMZެ։ $ISPNF͕$IB$IB1PMZΛ࣮૷ɻ(PPHMFαʔϏεͰར༻։࢝ 0QFO44)͕$IB$IB1PMZΛ࣮૷ 5-48(͔Β$'3(΁$IB$IB1PMZͷ࢓༷ݕ౼ΛਐΊΔ͜ͱΛཁ੥ -JCSF44-͕GPSLɻ$IB$IB1PMZΛ࣮૷ #PSJOH44-͕GPSLɻ$IB$IB1PMZΛ࣮૷ $MPVE'MBSF͕$IB$IB1PZͷར༻։࢝ɻ0QFO44-༻ύονެ։ 3'$ $IB$IB1PMZ࢓༷ ͕ެ։ 0QFO44- BMQIB ͕$IB$IB1PMZΛ࣮૷ 'JSFGPY͕$IB$IB1PZΛ࣮૷ 3'$$IB$IB1PMZ$JQIFS4VJUFTGPS5SBOTQPSU-BZFS4FDVSJUZ 5-4 $IB$IB1PMZ͜Ε·ͰͷาΈ 4OPXEFOࣄ݅

"&4ͱ$IB$IBͷൺֱ "&4 $IB$IB ํࣜ ϒϩοΫ CJUT ετϦʔϜ ೖྗ
伴௕ CJUT 伴௕CJUT /PODFͳ͠ ॳظΧ΢ϯλʔͳ͠ /PODFCJUT EKC࿦จͰ͸CJUT ॳظΧ΢ϯλʔCJUT ඪ४ /*45'*14 3'$ 4BMTB͸FTUSFBNιϑτ΢ΣΞ1Iબఆ ੑೳಛੑ "&4/*ͳͲઐ༻ϋʔυ΢ΣΞʹΑΔߴ଎ ॲཧ͕Մೳ ࣄલܭࢉ΍4#09͕ඞཁͳ͘ɺλΠϛϯά߈ܸ͕ൃੜ͠ʹ ͍͘ɻ4*.%Λ࢖ͬͨߴ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ ΩϟογϡλΠϛϯάͳͲαΠυνϟωϧ ߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ /PODFΛ࠶ར༻͠ͳ͍͜ͱ %+#ͷ࿦จIUUQDSZQUPDIBDIBDIBDIBQEG͕ΞϧΰϦζϜنఆͷࢀরઌ Χ΢ϯλʔϞʔυͱ૊Έ߹ΘͤͯετϦʔϜ҉߸ͱͯ͠ར༻͕Մೳ

2VBSUFS3PVOE B C D E B C E?B
E D E C?D C B C E?B E D E C?D C B C D E͸CJUVOTJHOFEJOU Y Z͸ Y Z NPE? ?͸903 O͸OϏοτࠨϩʔςγϣϯ B C D Eʹରͯ͠ɺશͯճ ԋࢉ͕ߦΘΕ͍ͯΔɻ $IB$IBϥ΢ϯυԋࢉ ৐ࢉ͕ͳ͘ݻఆ௕ԋࢉ $POTUBOU5JNF B C D E

՝୊ɾԋश TVEPOQNHJOTUBMMTFDDBNQDIBDIBXPSLTIPQQFS ຊ೔ͷ՝୊ ࣄલֶश

B B B B B B B B B B
B B B B B B C C C C C C C C C C C C C C C C C C C C C C B B B B B B B B B B B B B B B B C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C D D D D D D D D D D D D D D D D όΠτY ྻϥ΢ϯυ ର֯ϥ΢ϯυ 2VBSUFS3PVOE όΠτ όΠτ όΠτ όΠτ छྨͷ$IB$IBϥ΢ϯυ ԋश

F E C LFZ LFZ LFZ LFZ LFZ LFZ
LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T ྻϥ΢ϯυ ର֯ϥ΢ϯυ Yճ ॳظ$IB$IB4UBUF $IB$IB4UBUF ఆ਺஋ ࣮͸ҎԼͷจࣈྻ FYQBOECZUFL 伴 όΠτ௕ /PODF όΠτ௕ ͔Β࢝·ΔΧ΢ϯλʔ όΠτ௕ $IB$IB4USFBN4UBUF ϥ΢ϯυ

$IB$IB4UBUFͷ &OEJBOʹ஫ҙ
L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> L<> F E C L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> L<>L<>L<>L<> LFZ LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF όΠτຖʹ۠੾ͬ ͨ-JUUMF&OEJBO ͜ͷΑ͏ͳॱ൪Ͱσʔ λॲཧΛ͢Δ࣌͸஫ҙɻݟ͔ ͚#JH&OEJBOɻ

$IB$IB#MPDL'VODUJPO F E C LFZ LFZ LFZ LFZ LFZ
LFZ LFZ LFZ DPVOUFS OPODF OPODF OPODF T T T T T T T T T T T T T T T T ৒༨࿨ ॳظ$IB$IBTUBUF 3PVOE$IB$IBTUBUF 'JOBM$IB$IB4UBUF

ԋश $IB$IB2VBUFS3PVOE $IB$IB#MPDL'VODUJPO

$IB$IB,FZ4USFBN CB GFED CB GFED
CB GFED CB GFED BCDEFGBCDEFG BCDEFGBCDEFG ̐όΠτ୯Ґͷ֤ཁૉΛ-JUUMF&OEJBOͰฒͼସ͑ ,FZ4USFBNͱฏจͷ903Λऔͬͯ҉߸จΛੜ੒͢Δɻ

伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ
903 ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ʹ ฏจ ҉߸จ $IB$IB4UBUF ,FZ4USFBN ॳظ$IB$IB 4UBUF 伴ɾ/PODF Χ΢ϯλʔ 903 ϥ΢ϯυ ॳظঢ়ଶ ʹ ฏจ ҉߸จ ॳظ$IB$IB 4UBUF όΠτ $IB$IBฏจͷ҉߸Խ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ ϥ΢ϯυ ॳظঢ়ଶ $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN $IB$IB4UBUF ,FZ4USFBN ෮߸Խ΋,FZ4USFBNͱ҉߸จΛ903͢Δ͚ͩ ͳͷͰखॱ͸΄΅ಉҰ

ԋश $IB$IB,FZ4USFBN $IB$IB&ODSZQUJPO

1PMZ ͪ͜Β͸গʑ೉͍͠ͷͰઆ໌͕ओͰ͢

ͳͥNFTTBHF BVUIFOUJDBUPS͕ඞཁ͔ʁ IUUQTXXXFYBNQMFDPN 903ͨ͠վ͟Μσʔλ Ϩίʔυ *7 ҉߸จ λά Ϩίʔυ *7
վ͟Μ҉߸จ λά )FMMP8PSME )FMMP$SBDLFE ܭࢉ͢Δͱ λά͕ҧ͏ʂ վ͟Μ ͞ΕͯΔΘʂ λάͷ࠶ܭࢉʹ͸ൿີ伴͕ඞཁ

()"4)ͱ1PMZ ()"4) 1PMZ ܭࢉํࣜ 8FHNBO$BSUFS$POTUSVDUJPO CJOBSZpFME Y Y Y Y
QSJNFpFME 伴௕ CJUT "&4ͱ૊Έ߹Θͤͨ࣌ CJUT ."$௕ CJUT ར༻໨తʹԠͯ͡੾Γ٧ΊΔ CJUT ඪ४ /*4541% "&4($. 3'$ ੑೳಛੑ 1$-.6-2%2*ͳͲಛఆܭࢉ༻ϋʔυ΢ΣΞ ʹΑΔߴ଎ॲཧ͕Մೳ ࣄલܭࢉςʔϒϧ͕ඞཁͳ͘ɺ4*.%Λ࢖ͬͨߴ ଎ͳιϑτ΢ΣΞॲཧ͕Մೳ ஫ҙࣄ߲ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w ."$௕͸CJUTҎ্Λར༻͢Δ͜ͱ w 伴ɺ*7 /PODF Λ࠶ར༻͠ͳ͍͜ͱ w λΠϛϯά߈ܸʹରԠ࣮ͨ͠૷Ͱ͋Δ͜ͱ "&4ͱ૊Έ߹Θͤͨ%+#ͷ࿦จIUUQDSZQUPNBDQPMZQEG͕ΞϧΰϦζϜنఆͷࢀরઌ

1PMZOPNJBMFWBMVBUJPO ೝূ͢Δσʔλ $ $ $ $O $O ʜ G S
$SO $SO $SO ʜ $OS $OS ʜ $S $ S $ S ʜ $O S $O S ෼ղͨ͠ϝοηʔδΛ܎਺ ͱͨ͠ଟ߲ࣜͷ஋ͰධՁ ϗʔφʔ๏Λ࢖ͬͯ৐ࢉ ԋࢉΛݮΒͯ͠ܭࢉ 伴 S

8FHNBO$BSUFS$POTUSVDUJPO GPS1PMZ ೝূ͢Δσʔλ $ $ $ $O $O ʜ 伴
S 伴 T ૉ਺Q $SO $SO $SO ʜ $OS $OSNPEQ T Ϣχόʔαϧϋογϡ 0OF5JNF伴 w ਺ֶతʹڧ౓͕ূ໌Ͱ͖͍ͯΔ w 4)"ͳͲͷ)."$ΑΓߴ଎

1PMZ $SO $SO $SM ʜ $OS $OSNPE T NPE ೝূ͢Δσʔλ
伴 S $ $ $ $O $O ʜ όΠτ௕Ͱ෼ׂɻ಄ʹ̍όΠτ ෼෇Ճͯ̍̓͠όΠτ௕ʹ όΠτ 伴 T όΠτ ࠷ऴతʹόΠτ௕ ʹ੾Γ٧ΊΔ CJU෼ؒҾ͖ ઈົ ͳαΠζͷૉ਺

ೝূ͢Δσʔλ $ όΠτ௕ $ όΠτ௕ $
όΠτ௕ ʴ $ όΠτ௕ $ 1PMZVQEBUF ʴ 1PMZpOBM 1PMZʹΑΔ."$σʔλͷੜ੒ όΠτ௕ CJU௕ ಄ͷCJU࡟আ ."$ όΠτ௕ ʴ όΠτ௕ ."$ ࠷ऴతͳೝূίʔυ 伴S CJUؒҾ͖ 伴 S 伴 T $IB$IB Χ΢ϯλʔ LFZ OPODF 伴 T 伴S CJUؒҾ͖ 伴S CJUؒҾ͖ ԼҐόΠτ ԼҐόΠτ ্ҐόΠτ ෦෼৒༨஋ ෦෼৒༨஋ 1PMZVQEBUF

ԋश 1PMZ."$ ͕͢͞ʹ୹࣌ؒͰ࣮૷ͯ͠΋Β͏ͷ͸ਏ͍ͷͰϥΠ ϒϥϦΛ࢖ͬͯ΋Β͍·͢ɻ

"&"% $IB$IB1PMZ Λ࡞Δ

5-4޲͚"&4($.ͱ$IB$IB1PMZ "&4($. $IB$IB1PMZ ඪ४ 3'$ 3'$ 3'$ ESBGUJFUGUMTDIBDIBQPMZ ࣌఺*&5'-BTU$BMMத
ରশ҉߸ "&4 "&4 $IB$IB 伴ަ׵ 34" %) %)& &$%)& &$%)&%)& ೝূ 34" &$%4" 14, 13' 4") "&4 4)" "&4 4)" ໌ࣔత*7 CZUFT ͳ͠ /PODF $MJFOU4FSWFS8SJUF*7 CZUFT ໌ ࣔత*7 CZUFT ύουͨ͠4FR/VN CZUFT 903$MJFOU4FSWFS8SJUF*7 CZUFT λά௕ CZUFT CZUFT ࠷খ҉߸Խ௕ CZUFT CZUFT

ॳظΧ΢ϯλʔ ॳظΧ΢ϯλʔ JODS ฏจ $IB$IB,FZ4USFBN LFZ OPODF 1PMZ 伴S 伴T
҉߸จ ೝূλά MFO ฏจ ccMFO ҉߸จ "VUI%BUB ̌1BE ̌1BE ҉߸จ 伴S 伴T $IB$IB,FZ4USFBN LFZ OPODF MFO จࣈྻ௕ɺCJUɺMJUUMFFOEJBOදه $IB$IB1PMZʹΑΔ"&"%ੜ੒ $IB$IBΛ࢖ͬͯ 1PMZͷ伴Λੜ੒

ԋश 1PMZ,FZ(FOFSBUJPO $IB$IB1PMZ&ODSZQUJPO

΋͕࣌ؒ͠༨ͬͨΒ ڈ೥ͷԋश΍ͬͯΈ·͠ΐ͏ɻ TVEPOQNHJOTUBMMTFDDBNQDSZQUPXPSLTIPQQFS

TLS徹底演習

TLS徹底演習

More Decks by Shigeki Ohtsu

Other Decks in Technology

Featured

Transcript