Messaging Layer Security

sylph01
August 26, 2018


Transcript

  1. MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018

  2. Notes on Privacy: this is an explanation of public technology. Slides: "please use the published version" (so there is no point taking photos).

  3. sylph01, the IDIOT (ID + IoT) engineer. Favorites: [name garbled in the source], 藤田優衣 (captain of the Mamiya). A cryptographer in the wild; has not played CTF yet. Twitter: @s01

  4. [Ad] "Dark Depths of SMTP" @ Gijutsu Shoten 4 (Technical Book Fair 4), now available on BOOTH! (about 3 copies left)

  5. Main part

  6. This talk is about an Internet-Draft that came out fairly recently: https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https://github.com/ekr/mls-protocol

  7. What is this? An Internet-Draft that tries to standardize a key-exchange method for secure messaging in groups of several people. Having actually read it, it certainly solves the key-exchange problem in group chat, but I have the impression that the name MLS (which invites comparison with TLS) is a bit of an overstatement.

  8. Secure messaging? End-to-end encryption is now the norm in messaging services. Signal (the pioneer), Facebook Messenger, WhatsApp, LINE and others have already adopted end-to-end encryption.

  9. Some knowledge of cryptography is assumed. This is a CTF team study session, so that should be fine! Diffie-Hellman key exchange; hash functions, symmetric-key and public-key encryption; how public key infrastructure works: those will only be explained roughly.

  13. Forward Secrecy: a property of a communication protocol where exposure of the long-term key does not compromise the security of past session keys. Why "forward" when it concerns the security of past session keys? Because it is the property that, after a message has been sent, it withstands exposure of the session keys at any point in the future.

  14. Post-Compromise Security: the Internet-Draft did not state a definition, but "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees" (Cohn-Gordon et al., 2017) defines it (3.0.2): when the complete state of a group member (the long-term keys and the keys derived from them) has been compromised, and fresh secure keys are derived so that the group conversation continues with its subsequent secrecy preserved, the protocol has post-compromise security. A more rigorous definition is given in (3.1).

  15. The two-party case is already solved: the Double Ratchet used in the Signal messaging protocol. A "ratchet" is a metaphor for something that cannot go back once it has moved forward; in cryptography a ratchet is a mechanism that derives keys with a hash function so that past values cannot be computed from the new value. Keys are updated per message as shown in the figure.

  16. With "many" participants it gets painful. The commonly used approach is to broadcast a "sender key" unilaterally over already-established channels, and have each participant send messages encrypted with its sender key. Using a hash ratchet gives forward secrecy, but once a key is compromised the same method has to be used to update it, so there is no post-compromise security.

  17. MLS's proposal: asynchronous group keying using tree structures, while keeping forward secrecy and post-compromise security. It uses an Asynchronous Ratchet Tree, in which group members generate and update the shared key, and Merkle trees, which hold the identity keys and prove that a user belongs to the group. Because these are binary trees, each operation can be done efficiently.

  19. Protocol Overview: the state held by each participant is its "state". The initial state is generated by the group creator with the init algorithm and includes the initial participants. Sending a GroupInit message to the participants lets them set up the group state and derive the same shared key. Participants send update messages and derive new shared states, so a DAG of states can be formed.

  20. Lifecycle: member add by a participant; member add from outside the group; key update; member removal.

  27. Merkle Tree: also called a hash tree. A binary tree whose nodes hold hash values: a leaf node holds the hash of a data block, and a parent node holds the hash of the concatenation of its child nodes' hashes.

  28. Merkle Tree: in MLS, the node values are computed according to three formulas (given on the slide).

  29. Merkle Proof: to prove that a leaf is a member of a Merkle tree, it suffices to be able to compute the root value from the leaf node's value and the values on that leaf node's copath.

  31. How is it actually used? An MLS handshake message (a message signalling a change of group state) contains the public key of the sender's identity key, the Merkle tree over the group's identity keys, and the signature over the handshake message.

  32. How is it actually used? Whether the sender's identity public key really belongs to that sender is checked by verifying the signature. Whether the sender really belongs to the group is checked by computing the Merkle root from the identity public key and the copath of that key in the Merkle tree attached to the handshake, and comparing it with the Merkle root in one's own state. See around https://github.com/bifurcation/mls/blob/master/messages.go#L201.

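As an added illustration of slides 29 and 32 (example code written for this page, not from the draft or from bifurcation/mls): building the Merkle tree over the members' identity keys, extracting a leaf's copath, and recomputing the root the way a receiver checks a handshake's sender against the root in its own state. The 0x00/0x01 hash prefixes, the heap indexing and the four identity-key byte strings are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Leaf and interior hashes use different prefixes (this example's assumption, not the draft's exact encoding) so an interior node can never pass as a leaf.
func hashLeaf(v []byte) []byte { h := sha256.Sum256(append([]byte{0}, v...)); return h[:] }
func hashNode(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

// Build returns a complete Merkle tree in 1-indexed heap layout: the root is nodes[1], node k
// has children 2k and 2k+1 and sibling k^1, and the n leaves (n a power of two) sit at nodes[n..2n-1].
func Build(leaves [][]byte) [][]byte {
	n := len(leaves)
	nodes := make([][]byte, 2*n)
	for i, v := range leaves {
		nodes[n+i] = hashLeaf(v)
	}
	for k := n - 1; k >= 1; k-- {
		nodes[k] = hashNode(nodes[2*k], nodes[2*k+1])
	}
	return nodes
}
// Copath lists the sibling hashes from leaf i up to the root: what a handshake message carries next to the sender's identity key.
func Copath(nodes [][]byte, i int) (sibs [][]byte) {
	for k := len(nodes)/2 + i; k > 1; k /= 2 {
		sibs = append(sibs, nodes[k^1])
	}
	return sibs
}
// Verify recomputes the root from the claimed leaf, its index among n leaves and its copath,
// then compares it with the Merkle root the verifier already holds in its own group state.
func Verify(leaf []byte, i, n int, sibs [][]byte, root []byte) bool {
	h, k := hashLeaf(leaf), n+i
	for _, s := range sibs {
		if k%2 == 0 { // k is a left child, so its sibling hashes on the right
			h = hashNode(h, s)
		} else {
			h = hashNode(s, h)
		}
		k /= 2
	}
	return k == 1 && bytes.Equal(h, root) // the copath must end exactly at the root
}
func main() { // constructed sample: four members' identity public keys as opaque bytes
	ids := [][]byte{[]byte("id-alice"), []byte("id-bob"), []byte("id-carol"), []byte("id-dave")}
	nodes := Build(ids)
	fmt.Println(Verify(ids[1], 1, 4, Copath(nodes, 1), nodes[1]), Verify([]byte("id-mallory"), 1, 4, Copath(nodes, 1), nodes[1])) // true false
}
```
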
  33. Asynchronous Ratchet Tree: from "On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees" (Cohn-Gordon et al., 2017). It is used to agree within the group on the key under which messages are actually sent, and is based on the principle of Diffie-Hellman key exchange. It is called asynchronous because, with a public key infrastructure in between, the initial group key can be agreed even while some group members are offline.

  34. Asynchronous Ratchet Tree: building the tree requires a finite group or elliptic curve for Diffie-Hellman, and a Derive-Key-Pair function that generates a key pair from an octet string. Each node of the tree holds a secret octet string (optional), an asymmetric private key (optional), and an asymmetric public key; each node's key pair is derived with the Derive-Key-Pair function.

  36. Updating the ART: when a member is added or a member updates its key, the group's ratchet tree is updated using an MLS message. Update the local tree according to the message (the public key gets rewritten); then, starting from the position of the rewritten public key, update the parent node by performing the Diffie-Hellman computation, and repeat until the root is reached.

  37. (For agreeing the group key, draft version 01 added a method called TreeKEM, but it is omitted here.)

  40. Can initial setup happen even while offline? A UserInitKey object contains the UserInitKey itself (a short-lived public key for initialization) and the public key of the identity key. The user creating the group fetches each user's UserInitKey and, for each UserInitKey, attempts a DH key exchange using a freshly generated initialization key pair. The private key of the initialization key pair is the creator's own leaf key; the value agreed through the DH exchange is each user's leaf key; with these the ART can be formed.

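As an added illustration of slides 34, 36 and 40 (example code written for this page, not the draft's or the reference implementation's): an ART over X25519 in which the group creator, holding every leaf secret, publishes all public keys, and each member derives the root secret from its own leaf secret plus the public keys on its copath; rerunning that derivation with a fresh leaf secret is the update step, and the rewritten path public keys are what an update message would carry. Assumptions: Derive-Key-Pair is modelled as hash-to-scalar, the leaf secrets are constructed placeholders standing in for the DH-agreed values, and crypto/ecdh needs Go 1.20 or later.

```go
package main

import (
	"crypto/ecdh"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// deriveKeyPair plays the role of Derive-Key-Pair: the secret octet string is hashed into
// a 32-byte X25519 scalar (the hash-to-scalar mapping is this example's own assumption).
func deriveKeyPair(secret []byte) *ecdh.PrivateKey {
	seed := sha256.Sum256(secret)
	return must(ecdh.X25519().NewPrivateKey(seed[:]))
}
// Setup is the group creator's view: it knows every leaf secret (agreed by DH against each member's UserInitKey)
// and publishes every public key. Layout: 1-indexed heap, root 1, children 2k and 2k+1, sibling k^1, leaves at n..2n-1.
func Setup(leafSecrets [][]byte) []*ecdh.PublicKey {
	n := len(leafSecrets)
	priv := make([]*ecdh.PrivateKey, 2*n)
	for i, s := range leafSecrets {
		priv[n+i] = deriveKeyPair(s)
	}
	for k := n - 1; k >= 1; k-- { // parent secret = DH(left child, right child)
		priv[k] = deriveKeyPair(must(priv[2*k].ECDH(priv[2*k+1].PublicKey())))
	}
	pub := make([]*ecdh.PublicKey, 2*n)
	for k := 1; k < 2*n; k++ {
		pub[k] = priv[k].PublicKey()
	}
	return pub
}
// RootSecret is what member i runs from its own leaf secret plus the copath public keys: parent secret = DH(own
// private, sibling public), parent key pair = deriveKeyPair(secret). With a fresh leaf secret this is the update
// step, and the public keys it rewrites on the way up are what the update message carries to the other members.
func RootSecret(pub []*ecdh.PublicKey, i int, leafSecret []byte) []byte {
	priv, secret := deriveKeyPair(leafSecret), leafSecret
	for k := len(pub)/2 + i; k > 1; k /= 2 {
		pub[k] = priv.PublicKey()
		secret = must(priv.ECDH(pub[k^1]))
		priv = deriveKeyPair(secret)
	}
	pub[1] = priv.PublicKey()
	return secret
}
func main() { // constructed leaf secrets; real ones come from DH against UserInitKeys
	s := [][]byte{[]byte("leaf-alice"), []byte("leaf-bob"), []byte("leaf-carol"), []byte("leaf-dave")}
	pub := Setup(s)
	fmt.Printf("%x %x\n", RootSecret(pub, 0, s[0])[:6], RootSecret(pub, 2, s[2])[:6]) // alice == carol
	RootSecret(pub, 2, []byte("leaf-carol-v2"))                                       // carol ratchets
	fmt.Printf("%x\n", RootSecret(pub, 0, s[0])[:6])                                  // alice follows
}
```

Every member ends up with the same root secret before and after Carol's update even though nobody ever sees another member's private key, which is the property the sender-key scheme of slide 16 lacks.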
  42. Summary: I talked about how keys are shared for end-to-end encrypted group chat. Standardization work is still in progress at the IETF. It seems to be attracting attention from large vendors operating messaging services too. That said, the name feels somewhat misleading. Use E2E-encrypted secure messaging.

  43. Reference URLs • The Messaging Layer Security (MLS) Protocol https://datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https://github.com/bifurcation/mls (Go implementation) • GitHub: cisco/mlspp https://github.com/cisco/mlspp (C++ implementation) • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees https://eprint.iacr.org/2017/666.pdf (the original Asynchronous Ratchet Trees paper)