Messaging Layer Security
@ Harekaze Talk #2
https://harekaze.connpass.com/event/92791/
sylph01
August 26, 2018
Transcript
MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018
Notes on Privacy: this talk explains public technology. For the slides, please use the published version (so there is no point in taking photos).
sylph01, the IDIOT (ID + IoT) engineer. Favorites: ສཬখ࿏෨, ౻ా༏ҥ (ؒٶͷ ؋)
Cryptography; has not played CTF yet. Twitter: @s01
[Ad] "Dark Depths of SMTP" (Gijutsu-Shoten 4) is available on BOOTH! (about 3 copies left)
Main Part
This is about an Internet-Draft that came out fairly recently. https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https://github.com/ekr/mls-protocol
What is it? An Internet-Draft that aims to standardize a key exchange method for secure messaging in groups of several people. Having actually read it: it does solve the key exchange problem in group chat, but I also get the impression that the name MLS (which suggests it is comparable to TLS) oversells it.
Secure messaging? End-to-end encryption is now the norm in messaging services.
• Signal (the pioneer here)
• Facebook Messenger
• WhatsApp
• LINE
These and others have already adopted end-to-end encryption.
I assume some knowledge of cryptography. It is a CTF team study session, so that should be fine!
• Diffie-Hellman key exchange
• hash functions, symmetric-key cryptography, public-key cryptography
• how public-key infrastructure works
I will be sloppy about explaining those.
Forward Secrecy: a property of a communication protocol whereby leakage of the long-term key does not compromise the security of past session keys. Why "forward" when it concerns past session keys? Because, seen from the moment a message is sent, the property guards it against session key leakage at any time in the future.
Post-Compromise Security: the Internet-Draft itself does not define it, but "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees" (Cohn-Gordon et al., 2017) does, in 3.0.2: even if a group member's entire state (long-term keys and the keys derived from them) is compromised, the protocol has post-compromise security if fresh secure keys are derived so that the group conversation continues and its confidentiality is preserved from then on. A more rigorous definition is given in 3.1.
The two-party case is already solved: the Double Ratchet used by the Signal messaging protocol. A "ratchet" is a metaphor for something that cannot go backwards once it has advanced; in cryptography, a ratchet is a mechanism that derives keys with a hash function so that past keys cannot be computed from the new one. Keys are updated for every message in this way.
With "many" participants it gets painful. The usual approach is to broadcast a "sender key" unilaterally over an already-established channel, and each participant then sends messages encrypted with its own sender key. Using a "hash ratchet" achieves forward secrecy, but once a key is compromised, the same method has to be used to replace it, so there is no post-compromise security.
MLS's proposal: asynchronous group keying based on tree structures, preserving Forward Secrecy + Post-Compromise Security. It uses
• an Asynchronous Ratchet Tree, with which the group members generate and update the shared key, and
• Merkle Trees, which hold the identity keys and prove that a user is a member of the group.
Both are binary trees, so each operation needs only logarithmic work.
Protocol Overview
• The state held by each participant is called the state.
• The initial state is generated by the group creator with the init algorithm; it includes the initial participants.
• Sending a GroupInit message to a participant lets that participant set up the group state and derive the same shared key.
• Participants send messages that update the state and derive a new shared state, so the states form a DAG.
Lifecycle: there are
• member add by a participant
• member add by someone outside the group
• key update
• member removal
Merkle Tree: also called a "hash tree". A binary tree whose nodes hold hash values. A leaf node holds the hash of a data block. A parent node holds the hash of the concatenation of its two children's hashes.
Merkle Tree: in MLS, the node values are computed by the three formulas shown on the slide.
Merkle Proof: to prove that a leaf is a member of the Merkle tree, it is enough that the root value can be computed from
• the value of the leaf node and
• the values on that leaf node's copath.
How does it actually work? An MLS handshake message, i.e. a message that signals a change of group state, contains the sender's identity public key, the Merkle tree over the group's identity keys, and a signature over the handshake message.
How does it actually work?
• Verify the signature to check that the sender's identity public key really belongs to that sender.
• To check that the sender is really a member of the group, compute the Merkle root from the identity public key and the copath of that public key in the Merkle tree carried by the handshake, and confirm that it matches the Merkle root in one's own state. See around https://github.com/bifurcation/mls/blob/master/messages.go#L201.
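The membership check on the two slides above, as an added example in Go (not code from the talk, the draft or bifurcation/mls): build a Merkle tree over stand-in identity keys, hand out one leaf's copath, and have the receiver recompute the root. The 0x01/0x02 leaf and parent prefixes and the function names are this example's own assumptions, not the draft's formulas.

```go
package main

import (
	"bytes"
	"crypto/sha256"
)

// Leaves (0x01) and parents (0x02) are domain-separated; these prefixes are this
// example's own choice, not taken from the MLS draft.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x01}, data...))
	return h[:]
}
func parentHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x02}, left...), right...))
	return h[:]
}

// BuildProof hashes a power-of-two list of leaves up to the root and, on the way up,
// collects the sibling hash of leaf `index` at every level: that list is its copath.
func BuildProof(leaves [][]byte, index int) (root []byte, copath [][]byte) {
	level := make([][]byte, len(leaves))
	for i, l := range leaves {
		level[i] = leafHash(l)
	}
	for len(level) > 1 {
		copath = append(copath, level[index^1]) // index^1 is the sibling's position
		index /= 2
		next := make([][]byte, len(level)/2)
		for i := range next {
			next[i] = parentHash(level[2*i], level[2*i+1])
		}
		level = next
	}
	return level[0], copath
}

// Verify is the receiver's check: recompute the root from the claimed leaf value, its
// index and its copath, then compare it with the root held in the local group state.
func Verify(root, leaf []byte, index int, copath [][]byte) bool {
	cur := leafHash(leaf)
	for _, sib := range copath {
		if index&1 == 1 { // odd index: the sibling is the left child
			cur = parentHash(sib, cur)
		} else {
			cur = parentHash(cur, sib)
		}
		index /= 2
	}
	return bytes.Equal(cur, root)
}
```

A forged leaf value or a wrong leaf index makes the recomputed root differ, which is what the receiver relies on to reject a sender who is not in the tree.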
Asynchronous Ratchet Tree: from "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees" (Cohn-Gordon et al., 2017). It is used by the group to agree on the key under which messages are actually sent, and relies on the principle of Diffie-Hellman key exchange. It is called asynchronous because, with a public-key infrastructure placed in between, the initial group key can be agreed even while some of the group members are offline.
Asynchronous Ratchet Tree: building the tree requires
• a finite group or elliptic curve for Diffie-Hellman
• a Derive-Key-Pair function, which generates a key pair from an octet string.
Each node of the tree holds a secret octet string (optional), an asymmetric private key (optional) and an asymmetric public key. Each node's key pair is derived with the Derive-Key-Pair function.
Updating the ART: when a member is added or a member updates its key, the group's ratchet tree is updated using an MLS message.
• Update the local tree according to the message (public keys are replaced).
• Starting from the position of the replaced public key, update each node by performing the Diffie-Hellman computation, repeating until the root is reached.
(As for how the group key is agreed, draft version 01 added a method called TreeKEM, but it is omitted this time.)
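The Diffie-Hellman climb described on the last two slides, as an added example in Go (not the draft's or bifurcation/mls's code): a four-member tree in which each member derives the root secret from its own leaf key plus the public keys on its copath, followed by a key update at leaf 0. Derive-Key-Pair is modelled as SHA-256 of the node secret fed into X25519, an assumption of this example rather than the draft's construction; in the real protocol the copath public keys arrive via handshake messages.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKeyPair is this example's Derive-Key-Pair: hash the node secret into an X25519
// scalar. The draft's own key derivation is not reproduced here.
func deriveKeyPair(secret []byte) *ecdh.PrivateKey {
	seed := sha256.Sum256(secret)
	return must(ecdh.X25519().NewPrivateKey(seed[:]))
}

// newLeaf generates a fresh leaf key pair, as a member does on joining or on key update.
func newLeaf() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// pathSecrets climbs from a member's leaf key to the root using only the public keys on
// its copath; it returns the key pairs of the path nodes above the leaf and the root secret.
func pathSecrets(leaf *ecdh.PrivateKey, copath []*ecdh.PublicKey) ([]*ecdh.PrivateKey, []byte) {
	cur, secret := leaf, []byte(nil)
	var path []*ecdh.PrivateKey
	for _, sib := range copath {
		secret = must(cur.ECDH(sib)) // DH with the sibling subtree's public key
		cur = deriveKeyPair(secret)  // Derive-Key-Pair gives the parent node its key pair
		path = append(path, cur)
	}
	return path, secret
}

// groupRoots builds a 4-leaf ART, then has member 0 rotate its leaf key and republish the
// public keys on its path; it returns the root secret members 0 and 3 derive before/after.
func groupRoots() (before0, before3, after0, after3 []byte) {
	l := []*ecdh.PrivateKey{newLeaf(), newLeaf(), newLeaf(), newLeaf()}
	node23, _ := pathSecrets(l[2], []*ecdh.PublicKey{l[3].PublicKey()}) // published by member 2
	node01, _ := pathSecrets(l[1], []*ecdh.PublicKey{l[0].PublicKey()}) // published by member 1
	_, before0 = pathSecrets(l[0], []*ecdh.PublicKey{l[1].PublicKey(), node23[0].PublicKey()})
	_, before3 = pathSecrets(l[3], []*ecdh.PublicKey{l[2].PublicKey(), node01[0].PublicKey()})
	l[0] = newLeaf() // key update: only leaf 0 and node (0,1) change; member 3 learns the new node (0,1) key
	path0, after0 := pathSecrets(l[0], []*ecdh.PublicKey{l[1].PublicKey(), node23[0].PublicKey()})
	_, after3 = pathSecrets(l[3], []*ecdh.PublicKey{l[2].PublicKey(), path0[0].PublicKey()})
	return before0, before3, after0, after3
}
```

Because the rotated leaf changes the root, whoever held member 0's old leaf key no longer learns the new root secret, which is the post-compromise property the talk attributes to the ratchet tree.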
Can the initial setup be done offline?
• A UserInitKey object contains the UserInitKey itself (a public key; a short-lived key used only for initialization) and the public key of the Identity Key.
• The user creating the group fetches a UserInitKey for each user and, against each UserInitKey, performs a DH key exchange with a freshly generated initialization key pair.
• The private key of the initialization key pair is one's own leaf key.
• The values agreed through the DH key exchanges are the other users' leaf keys.
• From these, the ART can be formed.
Summary
• I talked about how keys are shared for end-to-end encryption in group chat.
• Standardization is currently under way at the IETF.
• It is apparently backed by large vendors that operate messaging services.
• That said, the name feels somewhat misleading.
• Let's use secure, end-to-end encrypted messaging.
Reference URLs
• The Messaging Layer Security (MLS) Protocol https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/
• GitHub: bifurcation/mls https://github.com/bifurcation/mls (implementation in Go)
• GitHub: cisco/mlspp https://github.com/cisco/mlspp (implementation in C++)
• On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees https://eprint.iacr.org/2017/666.pdf (the original paper on Asynchronous Ratchet Trees)