Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Messaging Layer Security
Search
sylph01
August 26, 2018
Technology
0
960
Messaging Layer Security
@ Harekaze Talk #2
https://harekaze.connpass.com/event/92791/
sylph01
August 26, 2018
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
91
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
31
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
84
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
EDRの検知の仕組みと検知回避について
chayakonanaika
11
4.8k
「正しく」失敗できる チームの作り方 〜リアルな事例から紐解く失敗を恐れない組織とは〜 / A team that can fail correctly
i35_267
5
860
IAMのマニアックな話2025
nrinetcom
PRO
1
230
Potential EM 制度を始めた理由、そして2年後にやめた理由 - EMConf JP 2025
hoyo
2
2.6k
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
2
220
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
110
Perlの生きのこり - エンジニアがこの先生きのこるためのカンファレンス2025
kfly8
2
270
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
620
株式会社Awarefy(アウェアファイ)会社説明資料 / Awarefy-Company-Deck
awarefy
3
11k
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
200
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
610
内製化を加速させるlaC活用術
nrinetcom
PRO
2
140
Featured
See All Featured
Building Applications with DynamoDB
mza
93
6.2k
Done Done
chrislema
182
16k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
12
990
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Code Reviewing Like a Champion
maltzj
521
39k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.6k
Visualization
eitanlees
146
15k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
Agile that works and the tools we love
rasmusluckow
328
21k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
Transcript
MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018
Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυʮެ։͢Δ൛Λͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯҙຯແʣ
sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋ʣ
ੜͷ҉߸ɺCTFະϓϨΠ Twitter: @s01
[એ] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦த! (Γ3෦ͱ͔)
ຊฤ
ׂͱ࠷ۙʹग़ͨ Internet-DraftͷͰ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol
͜ΕԿ ෳਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަͷ ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশաେ ࠂͰʁͱ͍͏ҹ͋Δɻ
ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏεEnd-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͠Γʣ • Facebook Messenger • WhatsApp •
LINE ͳͲEnd-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ
͋Δఔ҉߸ͷࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎͩΑͶʂͱࢥ͍·͕͢ • Diffie-Hellman伴ަͱ͔ • ϋογϡؔɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷΈͱ͔ ͦͷΜͷઆ໌ࡶʹ͠·͢ɻ
None
None
None
Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺظ伴(long-term key)ͷ࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ࿐ʹ͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ
Post-Compromise Security Internet-Draftͷ΄͏ʹఆٛه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ(3.0.2)ɺ άϧʔϓϝϯόʔͷશͳঢ়ଶ(ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ(3.1)ʹ͋Δɻ
2 partiesͷ߹ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"ʮҰਐΜͩΒΒͳ͍ʯͷͷྫ͑Ͱɺ҉߸ʹ ͓͚Δ"Ratchet"ͱϋογϡؔΛͬͯʮ৽͍͔͠Βաڈͷ ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢ΔʯΈͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ
ʮͨ͘͞ΜʯͷࢀՃऀͷ߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏ͷɻ "hash ratchet"Λ͏͜ͱͰForward Secrecy࣮ݱͰ͖Δ͕ɺҰ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏ΛΘͳͯ͘ͳΒ
ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ
MLSͷఏҊ πϦʔߏΛͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet
Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ͏ɻೋͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
None
Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial stateάϧʔϓੜऀ͕initΞϧΰϦζϜͰੜɻ ͜Εʹinitial participantΛؚΉɻ •
GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participantϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜՄೳ
ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update
• ϝϯόʔͷআ ͕͋Δɻ
None
None
None
None
None
None
Merkle Tree ผ໊ʮϋογϡʯɻϊʔυʹϋογϡΛ࣋ͭೋͷ͜ͱɻ leaf nodeσʔλϒϩοΫͷϋογϡΛ࣋ͭɻ parent nodeͦΕͧΕͷࢠϊʔυͷϋογϡΛ࿈݁ͨ͠ͷͷ ϋογϡΛ࣋ͭɻ
Merkle Tree MLSͰɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ
Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹɺ • leaf nodeͷͱ • ͦͷleaf nodeͷcopathͷ
Λͬͯrootͷ͕ܭࢉͰ͖ΕΑ͍ɻ
None
࣮ࡍͲ͏ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊ʯؚ͕·ΕΔɻ
࣮ࡍͲ͏ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷͷͰ͋ Δ͔Ͳ͏͔ॺ໊ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ
copathΛͬͯMerkle rootΛܭࢉ͠ɺࣗͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ
Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴ΛάϧʔϓͰਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ
Asynchronous Ratchet Tree πϦʔͷߏஙʹ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨପԁۂઢ • Derive-Key-Pair function: octet
string͔Βkey pairΛੜ͢Δؔ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
None
ARTͷߋ৽ ϝϯόʔͷՃ֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜߹ɺMLS messageΛͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖ ΘΔʣ • ॻ͖Θͬͨެ։伴ͷҐஔ͔ΒϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢
ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯdraft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕Ճ͞Ε͕ͨࠓճলུʣ
None
None
ΦϑϥΠϯͰॳظઃఆͰ͖Δʁ • UserInitKey objectʹॳظԽ༻ͷ໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ͢ΔϢʔβʔɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜͨ͠ॳظԽ༻伴ϖΞ ΛͬͯDH伴ަΛࢼΈΔɻ
• ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗͷleaf key • DH伴ަʹΑΓਃ͠߹ΘͤΒΕ͕֤ͨϢʔβʔͷleaf key • ͜ΕΒΛͬͯARTΛܗͰ͖Δ
None
·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ͠·ͨ͠ • ݱࡏIETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେنϕϯμʔ͔Β ͞Ε͍ͯΔΒ͍͠ •
ͱ໊͍͑લϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ͍·͠ΐ ͏
ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /
datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩจ