Save 37% off PRO during our Black Friday Sale! »

Messaging Layer Security

404139d782ec666acea93dffc86e089f?s=47 sylph01
August 26, 2018
Technology
0
640

Messaging Layer Security

@ Harekaze Talk #2 https://harekaze.connpass.com/event/92791/

404139d782ec666acea93dffc86e089f?s=128

sylph01

August 26, 2018
Tweet

More Decks by sylph01

See All by sylph01
404139d782ec666acea93dffc86e089f?s=48 sylph01
4
780
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
330
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
680
404139d782ec666acea93dffc86e089f?s=48 sylph01
1
2.1k
404139d782ec666acea93dffc86e089f?s=48 sylph01
1
68
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
540
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
54
404139d782ec666acea93dffc86e089f?s=48 sylph01
1
310
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
510

Other Decks in Technology

See All in Technology
8d80af14296180866264212adbfb587e?s=48 godan
0
150
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
230
D65ac1a4aacb7a449bb61cef10fb7143?s=48 yamanoku
3
640
A60224e356e52f631bec70bc9df52889?s=48 empitsu
0
1.1k
97a7f7899e0df28c3636b8d44bbe6578?s=48 korodroid
0
280
23f4d5d797a91b6d17d627b90b5a42d9?s=48 kentaro
0
150
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
5
420
91f6ef52b846ca5f00325b05f3e3547d?s=48 cola119
2
110
Ab628671841774343b1020f22f712069?s=48 mouson
0
260
Ff0453fcbf27a84de92b9cc1f2aed9af?s=48 koike91
0
380
33dd5188ff5f608ca2a1e007b9528e6b?s=48 okepy
PRO
0
350
8d0803aa4572615f7bce5f5288e6b716?s=48 mochan_tk
0
690

Featured

See All Featured
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
44
5k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
240k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
122
16k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
443
29k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
504
37k
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
84
3.7k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
373
43k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
349
27k
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
288
19k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
6
970
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
72
3.9k

Transcript

  1. MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018

  2. Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυ͸ʮެ։͢Δ൛Λ࢖ͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯ΋ҙຯແʣ

  3. sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋௕ʣ

    ໺ੜͷ҉߸԰ɺCTF͸ະϓϨΠ Twitter: @s01

  4. [એ఻] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦෍த! (࢒Γ3෦ͱ͔)

  5. ຊฤ

  6. ׂͱ࠷ۙʹग़ͨ Internet-Draftͷ࿩Ͱ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol

  7. ͜Ε͸Կ ෳ਺ਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ׵ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަ׵ͷ ໰୊͸ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশ͸աେ ޿ࠂͰ͸ʁͱ͍͏ҹ৅͸͋Δɻ

  8. ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏε͸End-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͸͠Γʣ • Facebook Messenger • WhatsApp •

    LINE ͳͲ͸End-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ

  9. ͋Δఔ౓҉߸ͷ஌ࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎ෉ͩΑͶʂͱ͸ࢥ͍·͕͢ • Diffie-Hellman伴ަ׵ͱ͔ • ϋογϡؔ਺ɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷ࢓૊Έͱ͔ ͦͷ΁Μͷઆ໌͸ࡶʹ͠·͢ɻ

  10. None
  11. None
  12. None

  13. Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺ௕ظ伴(long-term key)ͷ๫࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ๫࿐ʹ଱͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ

  14. Post-Compromise Security Internet-Draftͷ΄͏ʹ͸ఆٛ͸ه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with

    Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ͸(3.0.2)ɺ άϧʔϓϝϯόʔͷ׬શͳঢ়ଶ(௕ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ࿩͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ͸(3.1)ʹ͋Δɻ

  15. 2 partiesͷ৔߹͸ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"͸ʮҰ౓ਐΜͩΒ໭Βͳ͍ʯ΋ͷͷྫ͑Ͱɺ҉߸෼໺ʹ ͓͚Δ"Ratchet"ͱ͸ϋογϡؔ਺Λ࢖ͬͯʮ৽͍͠஋͔Βաڈͷ ஋ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢Δʯ࢓૊Έͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ

  16. ʮͨ͘͞ΜʯͷࢀՃऀͷ৔߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏͸ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀ͸ͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏΋ͷɻ "hash ratchet"Λ࢖͏͜ͱͰForward Secrecy͸࣮ݱͰ͖Δ͕ɺҰ౓ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏Λ࢖Θͳͯ͘͸ͳΒ

    ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ

  17. MLSͷఏҊ πϦʔߏ଄Λ࢖ͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet

    Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ੒/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ࢖͏ɻೋ෼໦ͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
  18. None

  19. Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial state͸άϧʔϓੜ੒ऀ͕initΞϧΰϦζϜͰੜ੒ɻ ͜Εʹ͸initial participantΛؚΉɻ •

    GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant͸ group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participant͸ϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜ੒Մೳ

  20. ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update

    • ϝϯόʔͷ࡟আ ͕͋Δɻ
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None

  27. Merkle Tree ผ໊ʮϋογϡ໦ʯɻϊʔυʹϋογϡ஋Λ࣋ͭೋ෼໦ͷ͜ͱɻ leaf node͸σʔλϒϩοΫͷϋογϡ஋Λ࣋ͭɻ parent node͸ͦΕͧΕͷࢠϊʔυͷϋογϡ஋Λ࿈݁ͨ͠΋ͷͷ ϋογϡ஋Λ࣋ͭɻ

  28. Merkle Tree MLSͰ͸ɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ

  29. Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹ͸ɺ • leaf nodeͷ஋ͱ • ͦͷleaf nodeͷcopathͷ஋

    Λ࢖ͬͯrootͷ஋͕ܭࢉͰ͖Ε͹Α͍ɻ
  30. None

  31. ࣮ࡍͲ͏࢖ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ͸ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊஋ʯؚ͕·ΕΔɻ

  32. ࣮ࡍͲ͏࢖ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷ΋ͷͰ͋ Δ͔Ͳ͏͔͸ॺ໊஋ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊ౰ʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔͸ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹ෇ଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ

    copathΛ࢖ͬͯMerkle rootΛܭࢉ͠ɺࣗ෼ͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ

  33. Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with

    Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴Λάϧʔϓ಺Ͱਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަ׵ͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷ͸ɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰ΋ॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ

  34. Asynchronous Ratchet Tree πϦʔͷߏஙʹ͸ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨ͸ପԁۂઢ • Derive-Key-Pair function: octet

    string͔Βkey pairΛੜ੒͢Δؔ਺ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ͸ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ͸ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
  35. None

  36. ARTͷߋ৽ ϝϯόʔͷ௥Ճ΍֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜৔߹ɺMLS messageΛ࢖ͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖׵ ΘΔʣ • ॻ͖׵Θͬͨެ։伴ͷҐஔ͔Β਌ϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢

  37. ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯ͸draft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕௥Ճ͞Ε͕ͨࠓճ͸লུʣ

  38. None
  39. None

  40. ΦϑϥΠϯͰ΋ॳظઃఆͰ͖Δʁ • UserInitKey objectʹ͸ॳظԽ༻ͷ୹໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ੒͢ΔϢʔβʔ͸ɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜ੒ͨ͠ॳظԽ༻伴ϖΞ Λ࢖ͬͯDH伴ަ׵ΛࢼΈΔɻ

    • ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗ਎ͷleaf key • DH伴ަ׵ʹΑΓਃ͠߹ΘͤΒΕͨ஋͕֤Ϣʔβʔͷleaf key • ͜ΕΒΛ࢖ͬͯARTΛܗ੒Ͱ͖Δ
  41. None

  42. ·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ࿩͠·ͨ͠ • ݱࡏ΋IETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେن໛ϕϯμʔ͔Β ΋஫໨͞Ε͍ͯΔΒ͍͠ •

    ͱ͸໊͍͑લ͸ϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ࢖͍·͠ΐ ͏

  43. ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /

    datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮૷ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮૷ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩ࿦จ