Messaging Layer Security

Transcript

1. MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018

2. Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυ͸ʮެ։͢Δ൛Λ࢖ͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯ΋ҙຯແʣ

3. sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋௕ʣ

   ໺ੜͷ҉߸԰ɺCTF͸ະϓϨΠ Twitter: @s01

4. [એ఻] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦෍த! (࢒Γ3෦ͱ͔)

5. ຊฤ

6. ׂͱ࠷ۙʹग़ͨ Internet-Draftͷ࿩Ͱ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol

7. ͜Ε͸Կ ෳ਺ਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ׵ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަ׵ͷ ໰୊͸ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশ͸աେ ޿ࠂͰ͸ʁͱ͍͏ҹ৅͸͋Δɻ

8. ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏε͸End-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͸͠Γʣ • Facebook Messenger • WhatsApp •

   LINE ͳͲ͸End-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ

9. ͋Δఔ౓҉߸ͷ஌ࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎ෉ͩΑͶʂͱ͸ࢥ͍·͕͢ • Diffie-Hellman伴ަ׵ͱ͔ • ϋογϡؔ਺ɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷ࢓૊Έͱ͔ ͦͷ΁Μͷઆ໌͸ࡶʹ͠·͢ɻ

10. None
11. None
12. None

13. Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺ௕ظ伴(long-term key)ͷ๫࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ๫࿐ʹ଱͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ

14. Post-Compromise Security Internet-Draftͷ΄͏ʹ͸ఆٛ͸ه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with

    Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ͸(3.0.2)ɺ άϧʔϓϝϯόʔͷ׬શͳঢ়ଶ(௕ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ࿩͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ͸(3.1)ʹ͋Δɻ

15. 2 partiesͷ৔߹͸ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"͸ʮҰ౓ਐΜͩΒ໭Βͳ͍ʯ΋ͷͷྫ͑Ͱɺ҉߸෼໺ʹ ͓͚Δ"Ratchet"ͱ͸ϋογϡؔ਺Λ࢖ͬͯʮ৽͍͠஋͔Βաڈͷ ஋ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢Δʯ࢓૊Έͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ

16. ʮͨ͘͞ΜʯͷࢀՃऀͷ৔߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏͸ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀ͸ͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏΋ͷɻ "hash ratchet"Λ࢖͏͜ͱͰForward Secrecy͸࣮ݱͰ͖Δ͕ɺҰ౓ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏Λ࢖Θͳͯ͘͸ͳΒ

    ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ

17. MLSͷఏҊ πϦʔߏ଄Λ࢖ͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet

    Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ੒/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ࢖͏ɻೋ෼໦ͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
18. None

19. Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial state͸άϧʔϓੜ੒ऀ͕initΞϧΰϦζϜͰੜ੒ɻ ͜Εʹ͸initial participantΛؚΉɻ •

    GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant͸ group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participant͸ϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜ੒Մೳ

20. ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update

    • ϝϯόʔͷ࡟আ ͕͋Δɻ
21. None
22. None
23. None
24. None
25. None
26. None

27. Merkle Tree ผ໊ʮϋογϡ໦ʯɻϊʔυʹϋογϡ஋Λ࣋ͭೋ෼໦ͷ͜ͱɻ leaf node͸σʔλϒϩοΫͷϋογϡ஋Λ࣋ͭɻ parent node͸ͦΕͧΕͷࢠϊʔυͷϋογϡ஋Λ࿈݁ͨ͠΋ͷͷ ϋογϡ஋Λ࣋ͭɻ

28. Merkle Tree MLSͰ͸ɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ

29. Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹ͸ɺ • leaf nodeͷ஋ͱ • ͦͷleaf nodeͷcopathͷ஋

    Λ࢖ͬͯrootͷ஋͕ܭࢉͰ͖Ε͹Α͍ɻ
30. None

31. ࣮ࡍͲ͏࢖ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ͸ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊஋ʯؚ͕·ΕΔɻ

32. ࣮ࡍͲ͏࢖ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷ΋ͷͰ͋ Δ͔Ͳ͏͔͸ॺ໊஋ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊ౰ʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔͸ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹ෇ଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ

    copathΛ࢖ͬͯMerkle rootΛܭࢉ͠ɺࣗ෼ͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ

33. Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with

    Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴Λάϧʔϓ಺Ͱਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަ׵ͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷ͸ɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰ΋ॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ

34. Asynchronous Ratchet Tree πϦʔͷߏஙʹ͸ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨ͸ପԁۂઢ • Derive-Key-Pair function: octet

    string͔Βkey pairΛੜ੒͢Δؔ਺ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ͸ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ͸ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
35. None

36. ARTͷߋ৽ ϝϯόʔͷ௥Ճ΍֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜৔߹ɺMLS messageΛ࢖ͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖׵ ΘΔʣ • ॻ͖׵Θͬͨެ։伴ͷҐஔ͔Β਌ϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢

37. ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯ͸draft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕௥Ճ͞Ε͕ͨࠓճ͸লུʣ

38. None
39. None

40. ΦϑϥΠϯͰ΋ॳظઃఆͰ͖Δʁ • UserInitKey objectʹ͸ॳظԽ༻ͷ୹໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ੒͢ΔϢʔβʔ͸ɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜ੒ͨ͠ॳظԽ༻伴ϖΞ Λ࢖ͬͯDH伴ަ׵ΛࢼΈΔɻ

    • ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗ਎ͷleaf key • DH伴ަ׵ʹΑΓਃ͠߹ΘͤΒΕͨ஋͕֤Ϣʔβʔͷleaf key • ͜ΕΒΛ࢖ͬͯARTΛܗ੒Ͱ͖Δ
41. None

42. ·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ࿩͠·ͨ͠ • ݱࡏ΋IETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେن໛ϕϯμʔ͔Β ΋஫໨͞Ε͍ͯΔΒ͍͠ •

    ͱ͸໊͍͑લ͸ϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ࢖͍·͠ΐ ͏

43. ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /

    datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮૷ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮૷ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩ࿦จ