Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Messaging Layer Security
Search
sylph01
August 26, 2018
Technology
0
960
Messaging Layer Security
@ Harekaze Talk #2
https://harekaze.connpass.com/event/92791/
sylph01
August 26, 2018
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
94
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
35
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
85
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.6k
ExaDB-XSで利用されているExadata Exascaleについて
oracle4engineer
PRO
3
300
Ruby on Railsで持続可能な開発を行うために取り組んでいること
am1157154
3
160
クラウド関連のインシデントケースを収集して見えてきたもの
lhazy
9
1.9k
開発組織を進化させる!AWSで実践するチームトポロジー
iwamot
2
520
DevinでAI AWSエンジニア製造計画 序章 〜CDKを添えて〜/devin-load-to-aws-engineer
tomoki10
0
200
株式会社Awarefy(アウェアファイ)会社説明資料 / Awarefy-Company-Deck
awarefy
3
12k
入門 PEAK Threat Hunting @SECCON
odorusatoshi
0
180
JAWS DAYS 2025 アーキテクチャ道場 事前説明会 / JAWS DAYS 2025 briefing document
naospon
0
2.8k
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
310
What's new in Go 1.24?
ciarana
1
120
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
150
Featured
See All Featured
Optimizing for Happiness
mojombo
377
70k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
13
1k
4 Signs Your Business is Dying
shpigford
183
22k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
11
1.3k
Producing Creativity
orderedlist
PRO
344
40k
Six Lessons from altMBA
skipperchong
27
3.6k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
380
Transcript
MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018
Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυʮެ։͢Δ൛Λͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯҙຯແʣ
sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋ʣ
ੜͷ҉߸ɺCTFະϓϨΠ Twitter: @s01
[એ] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦த! (Γ3෦ͱ͔)
ຊฤ
ׂͱ࠷ۙʹग़ͨ Internet-DraftͷͰ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol
͜ΕԿ ෳਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަͷ ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশաେ ࠂͰʁͱ͍͏ҹ͋Δɻ
ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏεEnd-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͠Γʣ • Facebook Messenger • WhatsApp •
LINE ͳͲEnd-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ
͋Δఔ҉߸ͷࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎͩΑͶʂͱࢥ͍·͕͢ • Diffie-Hellman伴ަͱ͔ • ϋογϡؔɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷΈͱ͔ ͦͷΜͷઆ໌ࡶʹ͠·͢ɻ
None
None
None
Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺظ伴(long-term key)ͷ࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ࿐ʹ͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ
Post-Compromise Security Internet-Draftͷ΄͏ʹఆٛه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ(3.0.2)ɺ άϧʔϓϝϯόʔͷશͳঢ়ଶ(ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ(3.1)ʹ͋Δɻ
2 partiesͷ߹ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"ʮҰਐΜͩΒΒͳ͍ʯͷͷྫ͑Ͱɺ҉߸ʹ ͓͚Δ"Ratchet"ͱϋογϡؔΛͬͯʮ৽͍͔͠Βաڈͷ ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢ΔʯΈͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ
ʮͨ͘͞ΜʯͷࢀՃऀͷ߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏ͷɻ "hash ratchet"Λ͏͜ͱͰForward Secrecy࣮ݱͰ͖Δ͕ɺҰ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏ΛΘͳͯ͘ͳΒ
ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ
MLSͷఏҊ πϦʔߏΛͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet
Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ͏ɻೋͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
None
Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial stateάϧʔϓੜऀ͕initΞϧΰϦζϜͰੜɻ ͜Εʹinitial participantΛؚΉɻ •
GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participantϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜՄೳ
ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update
• ϝϯόʔͷআ ͕͋Δɻ
None
None
None
None
None
None
Merkle Tree ผ໊ʮϋογϡʯɻϊʔυʹϋογϡΛ࣋ͭೋͷ͜ͱɻ leaf nodeσʔλϒϩοΫͷϋογϡΛ࣋ͭɻ parent nodeͦΕͧΕͷࢠϊʔυͷϋογϡΛ࿈݁ͨ͠ͷͷ ϋογϡΛ࣋ͭɻ
Merkle Tree MLSͰɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ
Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹɺ • leaf nodeͷͱ • ͦͷleaf nodeͷcopathͷ
Λͬͯrootͷ͕ܭࢉͰ͖ΕΑ͍ɻ
None
࣮ࡍͲ͏ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊ʯؚ͕·ΕΔɻ
࣮ࡍͲ͏ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷͷͰ͋ Δ͔Ͳ͏͔ॺ໊ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ
copathΛͬͯMerkle rootΛܭࢉ͠ɺࣗͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ
Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴ΛάϧʔϓͰਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ
Asynchronous Ratchet Tree πϦʔͷߏஙʹ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨପԁۂઢ • Derive-Key-Pair function: octet
string͔Βkey pairΛੜ͢Δؔ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
None
ARTͷߋ৽ ϝϯόʔͷՃ֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜߹ɺMLS messageΛͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖ ΘΔʣ • ॻ͖Θͬͨެ։伴ͷҐஔ͔ΒϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢
ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯdraft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕Ճ͞Ε͕ͨࠓճলུʣ
None
None
ΦϑϥΠϯͰॳظઃఆͰ͖Δʁ • UserInitKey objectʹॳظԽ༻ͷ໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ͢ΔϢʔβʔɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜͨ͠ॳظԽ༻伴ϖΞ ΛͬͯDH伴ަΛࢼΈΔɻ
• ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗͷleaf key • DH伴ަʹΑΓਃ͠߹ΘͤΒΕ͕֤ͨϢʔβʔͷleaf key • ͜ΕΒΛͬͯARTΛܗͰ͖Δ
None
·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ͠·ͨ͠ • ݱࡏIETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେنϕϯμʔ͔Β ͞Ε͍ͯΔΒ͍͠ •
ͱ໊͍͑લϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ͍·͠ΐ ͏
ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /
datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩจ