Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Messaging Layer Security
Search
sylph01
August 26, 2018
Technology
0
1k
Messaging Layer Security
@ Harekaze Talk #2
https://harekaze.connpass.com/event/92791/
sylph01
August 26, 2018
Tweet
Share
More Decks by sylph01
See All by sylph01
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.5k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
100
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
470
Introduction to C Extensions
sylph01
3
200
"Actual" Security in Microcontroller Ruby!?
sylph01
0
140
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
63
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
300
Adding Security to Microcontroller Ruby
sylph01
3
3.6k
Secure Messaging at IETF 118
sylph01
0
110
Other Decks in Technology
See All in Technology
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
10
130k
関数型プログラミングで 「脳がバグる」を乗り越える
manabeai
2
220
60以上のプロダクトを持つ組織における開発者体験向上への取り組み - チームAPIとBackstageで構築する組織の可視化基盤 - / sre next 2025 Efforts to Improve Developer Experience in an Organization with Over 60 Products
vtryo
2
960
Sansanのデータプロダクトマネジメントのアプローチ
sansantech
PRO
0
230
American airlines ®️ USA Contact Numbers: Complete 2025 Support Guide
airhelpsupport
0
390
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
hanayo04
1
240
Four Keysから始める信頼性の改善 - SRE NEXT 2025
ozakikota
0
200
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
lufthanahelpsupport
0
240
NewSQLや分散データベースを支えるRaftの仕組み - 仕組みを理解して知る得意不得意
hacomono
PRO
3
230
ロールが細分化された組織でSREは何をするか?
tgidgd
1
200
ビジネス職が分析も担う事業部制組織でのデータ活用の仕組みづくり / Enabling Data Analytics in Business-Led Divisional Organizations
zaimy
1
310
Amplify Gen2から知るAWS CDK Toolkit Libraryの使い方/How to use the AWS CDK Toolkit Library as known from Amplify Gen2
fossamagna
0
230
Featured
See All Featured
KATA
mclloyd
30
14k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Adopting Sorbet at Scale
ufuk
77
9.5k
Docker and Python
trallard
45
3.5k
Side Projects
sachag
455
42k
How GitHub (no longer) Works
holman
314
140k
Making the Leap to Tech Lead
cromwellryan
134
9.4k
Site-Speed That Sticks
csswizardry
10
700
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Producing Creativity
orderedlist
PRO
346
40k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Transcript
MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018
Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυʮެ։͢Δ൛Λͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯҙຯແʣ
sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋ʣ
ੜͷ҉߸ɺCTFະϓϨΠ Twitter: @s01
[એ] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦த! (Γ3෦ͱ͔)
ຊฤ
ׂͱ࠷ۙʹग़ͨ Internet-DraftͷͰ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol
͜ΕԿ ෳਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަͷ ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশաେ ࠂͰʁͱ͍͏ҹ͋Δɻ
ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏεEnd-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͠Γʣ • Facebook Messenger • WhatsApp •
LINE ͳͲEnd-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ
͋Δఔ҉߸ͷࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎͩΑͶʂͱࢥ͍·͕͢ • Diffie-Hellman伴ަͱ͔ • ϋογϡؔɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷΈͱ͔ ͦͷΜͷઆ໌ࡶʹ͠·͢ɻ
None
None
None
Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺظ伴(long-term key)ͷ࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ࿐ʹ͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ
Post-Compromise Security Internet-Draftͷ΄͏ʹఆٛه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ(3.0.2)ɺ άϧʔϓϝϯόʔͷશͳঢ়ଶ(ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ(3.1)ʹ͋Δɻ
2 partiesͷ߹ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"ʮҰਐΜͩΒΒͳ͍ʯͷͷྫ͑Ͱɺ҉߸ʹ ͓͚Δ"Ratchet"ͱϋογϡؔΛͬͯʮ৽͍͔͠Βաڈͷ ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢ΔʯΈͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ
ʮͨ͘͞ΜʯͷࢀՃऀͷ߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏ͷɻ "hash ratchet"Λ͏͜ͱͰForward Secrecy࣮ݱͰ͖Δ͕ɺҰ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏ΛΘͳͯ͘ͳΒ
ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ
MLSͷఏҊ πϦʔߏΛͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet
Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ͏ɻೋͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
None
Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial stateάϧʔϓੜऀ͕initΞϧΰϦζϜͰੜɻ ͜Εʹinitial participantΛؚΉɻ •
GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participantϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜՄೳ
ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update
• ϝϯόʔͷআ ͕͋Δɻ
None
None
None
None
None
None
Merkle Tree ผ໊ʮϋογϡʯɻϊʔυʹϋογϡΛ࣋ͭೋͷ͜ͱɻ leaf nodeσʔλϒϩοΫͷϋογϡΛ࣋ͭɻ parent nodeͦΕͧΕͷࢠϊʔυͷϋογϡΛ࿈݁ͨ͠ͷͷ ϋογϡΛ࣋ͭɻ
Merkle Tree MLSͰɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ
Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹɺ • leaf nodeͷͱ • ͦͷleaf nodeͷcopathͷ
Λͬͯrootͷ͕ܭࢉͰ͖ΕΑ͍ɻ
None
࣮ࡍͲ͏ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊ʯؚ͕·ΕΔɻ
࣮ࡍͲ͏ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷͷͰ͋ Δ͔Ͳ͏͔ॺ໊ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ
copathΛͬͯMerkle rootΛܭࢉ͠ɺࣗͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ
Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴ΛάϧʔϓͰਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ
Asynchronous Ratchet Tree πϦʔͷߏஙʹ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨପԁۂઢ • Derive-Key-Pair function: octet
string͔Βkey pairΛੜ͢Δؔ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
None
ARTͷߋ৽ ϝϯόʔͷՃ֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜߹ɺMLS messageΛͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖ ΘΔʣ • ॻ͖Θͬͨެ։伴ͷҐஔ͔ΒϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢
ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯdraft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕Ճ͞Ε͕ͨࠓճলུʣ
None
None
ΦϑϥΠϯͰॳظઃఆͰ͖Δʁ • UserInitKey objectʹॳظԽ༻ͷ໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ͢ΔϢʔβʔɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜͨ͠ॳظԽ༻伴ϖΞ ΛͬͯDH伴ަΛࢼΈΔɻ
• ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗͷleaf key • DH伴ަʹΑΓਃ͠߹ΘͤΒΕ͕֤ͨϢʔβʔͷleaf key • ͜ΕΒΛͬͯARTΛܗͰ͖Δ
None
·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ͠·ͨ͠ • ݱࡏIETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେنϕϯμʔ͔Β ͞Ε͍ͯΔΒ͍͠ •
ͱ໊͍͑લϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ͍·͠ΐ ͏
ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /
datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩจ