Messaging Layer Security

sylph01
August 26, 2018

Transcript

  1. MLS: Messaging Layer Security
    sylph01 @ Harekaze Talk #2, 8/26/2018

  2. Notes on Privacy
    This is an explanation of publicly available technology.
    Slides: please use the published version (so there is no point in taking photos).

  3. sylph01
    the IDIOT (ID + IoT) engineer
    Favorites: 万里小路楓 and 藤田優衣 (captain of the 間宮)
    A cryptographer "in the wild"; has never played a CTF
    Twitter: @s01

  4. [Advertisement]
    "Dark Depths of SMTP"
    @ 技術書典4 (Gijutsu Shoten 4)
    Available on BOOTH! (about 3 copies left)

  5. Main part

  6. This is about an Internet-Draft that came out fairly recently
    https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/
    https://github.com/ekr/mls-protocol

  7. What is this?
    An Internet-Draft that aims to standardize a key-exchange method for secure
    messaging in groups of more than two people.
    Having actually read it: it does solve the key-exchange problem in group chat,
    but my impression is that the name "MLS" (which invites comparison with TLS)
    oversells it.

  8. Secure messaging?
    End-to-end encryption is now the norm for messaging services.
    • Signal (the pioneer)
    • Facebook Messenger
    • WhatsApp
    • LINE
    and others have already adopted end-to-end encryption.

  9. Some knowledge of cryptography is assumed
    This is a CTF team's study session, so it should be fine! I think. Still,
    • Diffie-Hellman key exchange
    • hash functions, symmetric-key and public-key cryptography
    • how a public key infrastructure works
    and the like will only be explained roughly.

  10.–12. (image-only slides)

  13. Forward Secrecy
    A property of a communication protocol: exposure of a long-term key does not
    compromise the security of past session keys.
    Why "forward" if it concerns the security of past session keys? Because the
    property is that, once a message has been sent, it stays secure against
    exposure of the session key at any point in the future.

  14. Post-Compromise Security
    The Internet-Draft does not give a definition, but in "On Ends-to-Ends
    Encryption: Asynchronous Group Messaging with Strong Security Guarantees"
    (Cohn-Gordon et al., 2017), Section 3.0.2 defines it as follows: even if the
    complete state of a group member (long-term keys and the keys derived from
    them) is compromised, new secure keys are derived, the group conversation
    continues, and confidentiality is restored from that point on; a protocol
    with this property has post-compromise security.
    A more rigorous definition is given in Section 3.1.

  15. The two-party case is solved
    The Double Ratchet scheme used in the Signal messaging protocol.
    A "ratchet" is a metaphor for something that cannot turn back once it has
    advanced; in cryptography, a "ratchet" is a mechanism that derives keys with
    a hash function so that past values cannot be computed from the new value.
    Keys are updated for every message in the manner shown on the slide.

  16. With "many" participants it gets painful
    The usual approach: each sender broadcasts a "sender key" one-way over
    channels that are already established, and each participant sends messages
    encrypted under its sender key.
    A "hash ratchet" over the sender key provides forward secrecy, but once a key
    is compromised the same distribution mechanism has to be used again to update
    it, so there is no post-compromise security.
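
To make the sender-key trade-off concrete, here is an added Python example (not code from the talk or from any MLS implementation) of a symmetric hash ratchet over a sender key. HMAC-SHA256 as the one-way step, the sender key, the message counts and all names are this example's own constructed choices. It shows that a chain key leaked at one point yields every later message key but none of the earlier ones: forward secrecy, but no post-compromise security until a fresh sender key is distributed out of band.

```python
import hashlib
import hmac

# Constructed demo sender key. In the sender-key design it is random and is
# handed to every peer over an already established pairwise channel.
SENDER_KEY = hashlib.sha256(b"constructed demo sender key").digest()


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step; HMAC-SHA256 is this example's choice of PRF."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SenderKeyRatchet:
    """Symmetric hash ratchet over a sender key.

    Each step emits one message key and replaces the chain key by a one-way
    derivation of itself, so an older chain key cannot be recovered from a
    newer one (forward secrecy), but every later one follows from it.
    """

    def __init__(self, chain_key: bytes, index: int = 0):
        self.chain_key = chain_key
        self.index = index

    def next_message_key(self) -> tuple[int, bytes]:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # ratchet forward
        index, self.index = self.index, self.index + 1
        return index, message_key


def keys_from(chain_key: bytes, start_index: int, count: int) -> list[bytes]:
    """All message keys derivable by whoever holds the chain key at
    `start_index`: this is what a legitimate receiver computes, and exactly
    what an attacker who stole that chain key computes too."""
    ratchet = SenderKeyRatchet(chain_key, start_index)
    return [ratchet.next_message_key()[1] for _ in range(count)]


def compromise_reach(total: int, compromise_before: int) -> tuple[list[int], list[int]]:
    """Run a sender through `total` messages, leak its chain key just before
    message `compromise_before`, and report which message indices the
    attacker can reconstruct versus which stay hidden. The only way back to a
    secure state is a brand-new sender key distributed over the pairwise
    channels again, i.e. repeating the bootstrap: the ratchet never heals."""
    sender = SenderKeyRatchet(SENDER_KEY)
    honest_keys, stolen = [], None
    for i in range(total):
        if i == compromise_before:
            stolen = sender.chain_key  # point-in-time compromise of the state
        honest_keys.append(sender.next_message_key()[1])
    if stolen is None:  # compromise after the last message: nothing to derive
        stolen, compromise_before = sender.chain_key, total
    derived = set(keys_from(stolen, compromise_before, total - compromise_before))
    learned = [i for i, key in enumerate(honest_keys) if key in derived]
    hidden = [i for i in range(total) if i not in learned]
    return learned, hidden


if __name__ == "__main__":
    print(compromise_reach(6, 3))  # ([3, 4, 5], [0, 1, 2])
```

A receiver and an attacker run the very same `keys_from` loop; the design offers nothing that distinguishes them once the chain key is out, which is why sender keys need to be replaced, not ratcheted, after a compromise.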

  17. What MLS proposes
    Asynchronous group keying based on a tree structure, while preserving Forward
    Secrecy + Post-Compromise Security. It uses
    • Asynchronous Ratchet Tree: the group members generate/update the shared key
    • Merkle Trees: hold the identity keys and prove that a user is part of the group
    Because these are binary trees, each operation takes time logarithmic in the
    number of members.

  18. (image-only slide)

  19. Protocol Overview
    • The state held by each participant is called its state.
    • The initial state is generated by the group creator with the init
      algorithm; it includes the initial participants.
    • Sending a GroupInit message to a participant lets that participant set up
      the group state and derive the same shared key.
    • Participants send update messages and derive new shared states, so the
      states can form a DAG.

  20. Lifecycle
    The operations are:
    • member add by a participant
    • member add from outside the group
    • key update
    • member removal

  21.–26. (image-only slides)

  27. Merkle Tree
    Also called a "hash tree": a binary tree whose nodes hold hash values.
    A leaf node holds the hash of a data block.
    A parent node holds the hash of the concatenation of its child nodes' hashes.

  28. Merkle Tree
    In MLS the node hashes are computed as shown in the formula on the slide.

  29. Merkle Proof
    To prove that a leaf is a member of the Merkle tree, it suffices to be able
    to compute the root value from
    • the value of the leaf node and
    • the values on that leaf node's copath.

  30. (image-only slide)

  31. How is it actually used?
    An MLS handshake message (a message that conveys a change of group state)
    contains the sender's identity public key, the Merkle tree over the group's
    identity keys, and the signature over the handshake message.

  32. How is it actually used?
    • Whether the sender's identity public key really belongs to that sender is
      checked by verifying the signature.
    • Whether the sender really belongs to the group is checked by computing the
      Merkle root from the identity public key and that key's copath in the
      Merkle tree attached to the handshake, and comparing it with the Merkle
      root in one's own state.
    See https://github.com/bifurcation/mls/blob/master/messages.go#L201 and the
    surrounding code.
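
As an added worked example (not code from the talk, the draft or bifurcation/mls), the following Python builds the Merkle tree of slide 27, produces the copath proof of slide 29, and performs the membership check of slide 32 against a locally held root. The leaf/node domain-separation prefixes, the padding of the leaf level to a power of two with an "empty" hash, and the constructed identity-key byte strings are this example's own choices and do not reproduce the formula on slide 28.

```python
import hashlib
import hmac

# Domain separation between leaves and interior nodes stops an interior node
# from being presented as a leaf (a classic second-preimage trick). The
# prefix bytes and the empty-node hash are this example's own choices.
LEAF_PREFIX, NODE_PREFIX = b"\x01", b"\x02"
EMPTY = hashlib.sha256(b"\x00").digest()

# Constructed stand-ins for the group's identity public keys.
MEMBERS = [b"alice-id-pub", b"bob-id-pub", b"carol-id-pub",
           b"dave-id-pub", b"erin-id-pub"]


def leaf_hash(value: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + value).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_levels(values: list[bytes]) -> list[list[bytes]]:
    """All levels bottom-up: levels[0] holds the leaves, levels[-1] is [root].
    The leaf level is padded with EMPTY up to a power of two."""
    level = [leaf_hash(v) for v in values]
    width = 1
    while width < len(level):
        width *= 2
    level += [EMPTY] * (width - len(level))
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(values: list[bytes]) -> bytes:
    return build_levels(values)[-1][0]


def copath(values: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to, but not including, the root. The
    flag records whether the sibling sits to the right, which fixes the
    concatenation order when the root is recomputed."""
    proof, i = [], index
    for level in build_levels(values)[:-1]:
        sibling = i ^ 1
        proof.append((level[sibling], sibling > i))
        i //= 2
    return proof


def verify_membership(identity_key: bytes, proof: list[tuple[bytes, bool]],
                      local_root: bytes) -> bool:
    """The check from slide 32: recompute the root from the sender's identity
    key and the copath carried in the handshake, then compare it with the
    Merkle root in our own group state."""
    acc = leaf_hash(identity_key)
    for sibling, sibling_is_right in proof:
        acc = node_hash(acc, sibling) if sibling_is_right else node_hash(sibling, acc)
    return hmac.compare_digest(acc, local_root)


if __name__ == "__main__":
    root = merkle_root(MEMBERS)
    print(verify_membership(MEMBERS[3], copath(MEMBERS, 3), root))         # True
    print(verify_membership(b"mallory-id-pub", copath(MEMBERS, 3), root))  # False
```

The proof never carries the root itself: a verifier only trusts the root it already holds in its own state, so a sender cannot present a tree of its own making and "prove" membership in it.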

  33. Asynchronous Ratchet Tree
    From "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong
    Security Guarantees" (Cohn-Gordon et al., 2017).
    Used to agree, within the group, on the key under which messages are
    actually sent. It builds on the principle of Diffie-Hellman key exchange.
    It is called "asynchronous" because, by putting a public key infrastructure
    in between, the initial group key can be agreed even while some group
    members are offline.

  34. Asynchronous Ratchet Tree
    Building the tree requires
    • a finite group or elliptic curve to use for Diffie-Hellman
    • a Derive-Key-Pair function: generates a key pair from an octet string
    Each node of the tree holds a secret octet string (optional), an asymmetric
    private key (optional) and an asymmetric public key. Each node's key pair is
    derived with the Derive-Key-Pair function.

  35. (image-only slide)

  36. Updating the ART
    When a member is added or a member updates its key, the group's ratchet tree
    is updated using an MLS message.
    • Update the local tree according to the message (public keys get replaced)
    • Starting from the position of the replaced public key, update the parent
      node by performing the Diffie-Hellman operation; repeat until the root is
      reached

  37. (For agreeing on the group key, draft version 01 added a method called
    TreeKEM, but it is omitted this time.)

  38.–39. (image-only slides)

  40. Can the initial setup be done offline?
    • A UserInitKey object contains the UserInitKey itself (a public key; a
      short-lived key used for initialization) and the identity public key.
    • The user creating the group fetches a UserInitKey for each user and, for
      each UserInitKey, performs a DH exchange with a freshly generated
      initialization key pair.
    • The private key of the initialization key pair is the creator's own leaf key
    • The value agreed in each DH exchange is that user's leaf key
    • From these the ART can be formed
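
The following Python is an added, self-contained toy of the ART mechanics described on slides 34, 36 and 40; it is not code from the talk, the paper or any MLS implementation. Its assumptions: Diffie-Hellman runs in a deliberately tiny multiplicative group (modulo the Mersenne prime 2^127-1 with generator 3, which is insecure and only keeps the arithmetic readable; a real deployment uses a standard curve), Derive-Key-Pair is modelled as SHA-256 of the node secret reduced to an exponent, the group has four members, and every seed and name is constructed. It walks through the asynchronous setup (the creator derives every leaf secret from the others' published UserInitKeys; a member who was offline later derives the same root from its own init secret plus the public tree) and a member's key update (only the updater's direct path changes, everyone else recomputes from their copath), and checks that the root moves so the old one is useless afterwards.

```python
import hashlib

# Toy DH group: arithmetic mod the Mersenne prime 2^127 - 1 with generator 3.
# Insecure by design (far too small); chosen only to keep the example readable.
P = (1 << 127) - 1
G = 3
MEMBERS = [b"alice", b"bob", b"carol", b"dave"]  # constructed; alice creates the group


def derive_key_pair(secret: bytes) -> tuple[int, int]:
    """Derive-Key-Pair: deterministic (private, public) pair from an octet string.
    Modelled as SHA-256 -> exponent in [1, P-2]; a real ART uses a proper KDF."""
    digest = hashlib.sha256(b"ART-DKP" + secret).digest()
    priv = int.from_bytes(digest, "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv: int, pub: int) -> bytes:
    """Diffie-Hellman shared value pub^priv mod P as a 16-byte octet string."""
    return pow(pub, priv, P).to_bytes(16, "big")


def build_tree(leaf_secrets: list[bytes]) -> list[list[bytes]]:
    """Every node secret, bottom-up, for a full binary tree (a power of two
    leaves). A parent's secret is the DH value of its two children's key pairs.
    Only the creator knows all leaf secrets, so only it can run this at setup."""
    levels = [list(leaf_secrets)]
    while len(levels[-1]) > 1:
        current, parents = levels[-1], []
        for i in range(0, len(current), 2):
            left_priv, _ = derive_key_pair(current[i])
            _, right_pub = derive_key_pair(current[i + 1])
            parents.append(dh(left_priv, right_pub))
        levels.append(parents)
    return levels


def public_tree(levels: list[list[bytes]]) -> list[list[int]]:
    """Public key of every node: the part of the tree a GroupInit can carry."""
    return [[derive_key_pair(s)[1] for s in level] for level in levels]


def path_secrets(leaf_secret: bytes, index: int, pub_levels: list[list[int]]) -> list[bytes]:
    """Node secrets on one member's direct path, leaf to root, from its own
    leaf secret and the public keys on its copath. A member never needs, and
    never learns, anyone else's leaf secret."""
    secrets, i = [leaf_secret], index
    for level in pub_levels[:-1]:
        priv, _ = derive_key_pair(secrets[-1])
        secrets.append(dh(priv, level[i ^ 1]))  # i ^ 1 is the sibling node
        i //= 2
    return secrets


def apply_update(pub_levels: list[list[int]], index: int, new_secrets: list[bytes]) -> None:
    """Slide 36: every other member overwrites the public keys on the updater's
    direct path with those derived from the fresh secrets; nothing else moves."""
    i = index
    for level, secret in zip(pub_levels, new_secrets):
        level[i] = derive_key_pair(secret)[1]
        i //= 2


def group_demo() -> dict:
    # Each member keeps a private init seed and publishes only DKP(seed).pub as
    # its UserInitKey; everyone but alice is offline while the group is created.
    init_seeds = [hashlib.sha256(b"init-seed-" + m).digest() for m in MEMBERS]
    init_pubs = [derive_key_pair(s)[1] for s in init_seeds]
    creator_priv, creator_pub = derive_key_pair(init_seeds[0])
    # Slide 40: the creator's own leaf is its init key pair; every other leaf
    # is DH(creator init private key, that member's UserInitKey).
    leaf_secrets = [init_seeds[0]] + [dh(creator_priv, pk) for pk in init_pubs[1:]]
    levels = build_tree(leaf_secrets)
    pub_levels = public_tree(levels)
    out = {"root_before": levels[-1][0]}
    # bob comes online later: from his seed and the GroupInit contents alone he
    # recomputes his leaf secret (DH is symmetric) and then the same root.
    bob_priv, _ = derive_key_pair(init_seeds[1])
    bob_leaf = dh(bob_priv, creator_pub)
    out["bob_leaf_matches"] = bob_leaf == leaf_secrets[1]
    out["root_bob_before"] = path_secrets(bob_leaf, 1, pub_levels)[-1]
    # carol (index 2) updates: fresh leaf secret, new path, and a broadcast of
    # the new path public keys only. Holding root_before does not help an attacker.
    fresh = hashlib.sha256(b"carol-fresh-leaf").digest()
    carol_path = path_secrets(fresh, 2, pub_levels)
    apply_update(pub_levels, 2, carol_path)
    out["root_after_carol"] = carol_path[-1]
    out["root_after_bob"] = path_secrets(bob_leaf, 1, pub_levels)[-1]
    out["root_after_alice"] = path_secrets(leaf_secrets[0], 0, pub_levels)[-1]
    out["broadcast_nodes"] = len(carol_path)
    return out


if __name__ == "__main__":
    result = group_demo()
    print(result["root_after_carol"] == result["root_after_bob"])  # True
```

The update message carries three public keys for a four-member group (leaf, parent, root), which is the logarithmic cost mentioned on slide 17; after it, the root secret is `g^(node01 * node23')` with a fresh `node23'`, so an attacker who captured the previous root or carol's previous leaf secret cannot compute it, which is the post-compromise property the sender-key design lacks.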

  41. (image-only slide)

  42. Summary
    • Talked about how keys are shared for end-to-end encryption in group chat
    • Standardization work is still ongoing at the IETF
    • It reportedly also has the attention of large vendors that operate
      messaging services
    • That said, the name feels somewhat misleading
    • Use secure messaging that is end-to-end encrypted

  43. References
    • The Messaging Layer Security (MLS) Protocol
      https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/
    • GitHub: bifurcation/mls https://github.com/bifurcation/mls (implementation in Go)
    • GitHub: cisco/mlspp https://github.com/cisco/mlspp (implementation in C++)
    • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong
      Security Guarantees https://eprint.iacr.org/2017/666.pdf (the original
      paper on Asynchronous Ratchet Trees)