Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Messaging Layer Security
Search
sylph01
August 26, 2018
Technology
0
960
Messaging Layer Security
@ Harekaze Talk #2
https://harekaze.connpass.com/event/92791/
sylph01
August 26, 2018
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
93
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
35
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
85
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
目標と時間軸 〜ベイビーステップでケイパビリティを高めよう〜
kakehashi
PRO
8
900
"TEAM"を導入したら最高のエンジニア"Team"を実現できた / Deploying "TEAM" and Building the Best Engineering "Team"
yuj1osm
1
230
JavaにおけるNull非許容性
skrb
2
2.7k
クラウド食堂とは?
hiyanger
0
120
リクルートのエンジニア組織を下支えする 新卒の育成の仕組み
recruitengineers
PRO
1
140
IoTシステム開発の複雑さを低減するための統合的アーキテクチャ
kentaro
1
120
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
290
開発組織を進化させる!AWSで実践するチームトポロジー
iwamot
2
500
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.5k
LINEギフトにおけるバックエンド開発
lycorptech_jp
PRO
0
390
AWS Well-Architected Frameworkで学ぶAmazon ECSのセキュリティ対策
umekou
2
150
AIエージェント開発のノウハウと課題
pharma_x_tech
8
4.4k
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
Music & Morning Musume
bryan
46
6.4k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
380
4 Signs Your Business is Dying
shpigford
183
22k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Unsuck your backbone
ammeep
669
57k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
We Have a Design System, Now What?
morganepeng
51
7.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
It's Worth the Effort
3n
184
28k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Transcript
MLS: Messaging Layer Security sylph01 @ Harekaze Talk #2, 8/26/2018
Notes on Privacy publicͳٕज़ͷղઆͰ͢ εϥΠυʮެ։͢Δ൛Λͬͯͩ͘ ͍͞ʯʢΑͬͯࣸਅࡱͬͯҙຯແʣ
sylph01 the IDIOT (ID + IoT) engineer ਪ͠: ສཬখ࿏෨ɺ౻ా༏ҥʢؒٶͷ ؋ʣ
ੜͷ҉߸ɺCTFະϓϨΠ Twitter: @s01
[એ] "Dark Depths of SMTP" @ٕज़ॻయ4 BOOTHʹͯ൦த! (Γ3෦ͱ͔)
ຊฤ
ׂͱ࠷ۙʹग़ͨ Internet-DraftͷͰ͢ https:/ /datatracker.ietf.org/doc/draft-barnes-mls-protocol/ https:/ /github.com/ekr/mls-protocol
͜ΕԿ ෳਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draftɻ ࣮ࡍಡΜͰΈͨͱ͜Ζ͔֬ʹάϧʔϓνϟοτʹ͓͚Δ伴ަͷ ղܾ͍ͯ͠Δ͚Ͳɺ(TLSͱൺֱՄೳͳ)MLS໊ͬͯশաେ ࠂͰʁͱ͍͏ҹ͋Δɻ
ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏεEnd-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͠Γʣ • Facebook Messenger • WhatsApp •
LINE ͳͲEnd-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ
͋Δఔ҉߸ͷࣝΛલఏͱ ͠·͢ CTFνʔϜͷษڧձͩ͠େৎͩΑͶʂͱࢥ͍·͕͢ • Diffie-Hellman伴ަͱ͔ • ϋογϡؔɺରশ伴҉߸ɺެ։伴҉߸ͱ͔ • ެ։伴ج൫ͷΈͱ͔ ͦͷΜͷઆ໌ࡶʹ͠·͢ɻ
None
None
None
Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺظ伴(long-term key)ͷ࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ࿐ʹ͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ
Post-Compromise Security Internet-Draftͷ΄͏ʹఆٛه͞Ε͍ͯͳ͔͕ͬͨɺ"On Ends- to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷఆٛͰ(3.0.2)ɺ άϧʔϓϝϯόʔͷશͳঢ়ଶ(ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ ΑΓݫີͳఆٛ(3.1)ʹ͋Δɻ
2 partiesͷ߹ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"ʮҰਐΜͩΒΒͳ͍ʯͷͷྫ͑Ͱɺ҉߸ʹ ͓͚Δ"Ratchet"ͱϋογϡؔΛͬͯʮ৽͍͔͠Βաڈͷ ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢ΔʯΈͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ
ʮͨ͘͞ΜʯͷࢀՃऀͷ߹ ͠ΜͲ͍ Α͘औΒΕΔํ๏ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏ͷɻ "hash ratchet"Λ͏͜ͱͰForward Secrecy࣮ݱͰ͖Δ͕ɺҰ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏ΛΘͳͯ͘ͳΒ
ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ
MLSͷఏҊ πϦʔߏΛͬͨඇಉظͰͷgroup keyingΛForward Secrecy + Post-Compromise SecurityΛอ࣮ͬͯݱɻ • Asynchronous Ratchet
Tree: άϧʔϓϝϯόʔ͕ڞ༗伴Λੜ/ߋ ৽͢Δ • Merkle Trees: identity keyΛอ࣋͠ɺϢʔβʔ͕άϧʔϓʹؚ·Ε Δ͜ͱΛূ໌͢Δ Λ͏ɻೋͳͷͰ֤ૢ࡞͕ ͰͰ͖Δɻ
None
Protocol Overview • ֤participantͷ࣋ͭঢ়ଶΛstate • initial stateάϧʔϓੜऀ͕initΞϧΰϦζϜͰੜɻ ͜Εʹinitial participantΛؚΉɻ •
GroupinitϝοηʔδΛparticipantʹૹ৴͢Δͱparticipant group stateΛsetupͰ͖ಉ͡shared keyΛಋग़Ͱ͖Δ • participantϝοηʔδΛߋ৽͠৽ͨͳshared stateΛಋग़͢ Δɻˠstateಉ࢜ͷDAG͕ੜՄೳ
ϥΠϑαΠΫϧ • ࢀՃऀʹΑΔmember add • άϧʔϓ֎ʹΑΔmember add • key update
• ϝϯόʔͷআ ͕͋Δɻ
None
None
None
None
None
None
Merkle Tree ผ໊ʮϋογϡʯɻϊʔυʹϋογϡΛ࣋ͭೋͷ͜ͱɻ leaf nodeσʔλϒϩοΫͷϋογϡΛ࣋ͭɻ parent nodeͦΕͧΕͷࢠϊʔυͷϋογϡΛ࿈݁ͨ͠ͷͷ ϋογϡΛ࣋ͭɻ
Merkle Tree MLSͰɺ • • • ͱͯ͠ܭࢉ͞ΕΔɻ
Merkle Proof ͋Δleaf͕Merkle TreeͷmemberͰ͋Δ͜ͱΛূ໌͢ΔͨΊʹɺ • leaf nodeͷͱ • ͦͷleaf nodeͷcopathͷ
Λͬͯrootͷ͕ܭࢉͰ͖ΕΑ͍ɻ
None
࣮ࡍͲ͏ͬͯΔͷ MLSͷhandshake messageʹgroup stateͷมԽΛࣔ͢ϝοηʔδʹ ʮૹ৴ऀͷIdentity keyͷެ։伴ʯʮάϧʔϓͷIdentity Keyʹର͢ ΔMerkle Treeʯʮhandshake messageͷॺ໊ʯؚ͕·ΕΔɻ
࣮ࡍͲ͏ͬͯΔͷ • ૹ৴ऀͷIdentity Keyͷެ։伴͕΄Μͱʹͦͷૹ৴ऀͷͷͰ͋ Δ͔Ͳ͏͔ॺ໊ͷݕূΛߦ͏ɻ • ૹ৴ऀ͕ຊʹάϧʔϓʹؚ·ΕΔ͔Ͳ͏͔ɺIdentity Keyͷ ެ։伴ͱɺhandshakeʹଐ͢ΔMerkle Tree্ͷͦͷެ։伴ͷ
copathΛͬͯMerkle rootΛܭࢉ͠ɺࣗͷ͍࣋ͬͯΔstateͷ Merkle rootͱҰக͢Δ͔Λ֬ೝ͢Δɻ https:/ /github.com/bifurcation/mls/blob/master/messages.go#L201 पลΛࢀরɻ
Asynchronous Ratchet Tree "On Ends-to-Ends Encryption: Asynchronous Group Messaging with
Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͔Βɻ ࣮ࡍʹϝοηʔδ͕ૹΒΕΔ伴ΛάϧʔϓͰਃ͠߹ΘͤΔͨΊ ʹ༻͍ΒΕΔɻDiffie-Hellman伴ަͷݪཧΛ༻͍Δɻ Asynchronousͱ͍͍ͬͯΔͷɺؒʹެ։伴ج൫ΛڬΉ͜ͱͰҰ ෦ͷάϧʔϓϝϯόʔ͕ΦϑϥΠϯͰॳظάϧʔϓ伴Λਃ͠߹Θ ͤΔ͜ͱ͕Ͱ͖ΔͨΊɻ
Asynchronous Ratchet Tree πϦʔͷߏஙʹ • Diffie-HellmanͰ༻͍Δ༗ݶ܈·ͨପԁۂઢ • Derive-Key-Pair function: octet
string͔Βkey pairΛੜ͢Δؔ ͕ඞཁɻ·ͨɺπϦʔͷ֤ϊʔυ secret octet string (optional), asymmetric private key (optional), asymmetric public key Λ࣋ͭɻ֤ ϊʔυͷ伴ϖΞ Derive-Key-Pair functionͰಋग़͞ΕΔɻ
None
ARTͷߋ৽ ϝϯόʔͷՃ֤ϝϯόʔͷΩʔͷߋ৽͕ىͬͨ͜߹ɺMLS messageΛͬͯάϧʔϓͷratchet treeͷߋ৽͕ߦΘΕΔɻ • खݩͷπϦʔΛϝοηʔδʹԊͬͯߋ৽͢Δʢެ։伴͕ॻ͖ ΘΔʣ • ॻ͖Θͬͨެ։伴ͷҐஔ͔ΒϊʔυΛDiffie-Hellmanͷԋࢉ Λߦ͏͜ͱͰߋ৽͢ΔɻrootʹͨͲΓண͘·Ͱ܁Γฦ͢
ʢάϧʔϓͷ伴Λਃ͠߹ΘͤΔํ๏ʹ͍ͭͯdraft ver.01Ͱ TreeKEMͱ͍͏ํ๏͕Ճ͞Ε͕ͨࠓճলུʣ
None
None
ΦϑϥΠϯͰॳظઃఆͰ͖Δʁ • UserInitKey objectʹॳظԽ༻ͷ໋ͳkeyͰ͋ΔUserInitKeyຊ ମʢެ։伴ʣͱIdentity Keyͷެ։伴ؚ͕·ΕΔɻ • άϧʔϓΛੜ͢ΔϢʔβʔɺ֤Ϣʔβʔʹ͍ͭͯUserInitKey ΛऔΓدͤɺ֤UserInitKeyʹରͯ͠ɺੜͨ͠ॳظԽ༻伴ϖΞ ΛͬͯDH伴ަΛࢼΈΔɻ
• ॳظԽ༻伴ϖΞͷൿີ伴͕ࣗͷleaf key • DH伴ަʹΑΓਃ͠߹ΘͤΒΕ͕֤ͨϢʔβʔͷleaf key • ͜ΕΒΛͬͯARTΛܗͰ͖Δ
None
·ͱΊ • άϧʔϓνϟοτʹ͓͚ΔEnd-to-End҉߸Խ࣌ͷ伴ڞ༗ํ๏ʹ ͍ͭͯ͠·ͨ͠ • ݱࡏIETFͰඪ४Խ࡞ۀ͕ਐΜͰ͍·͢ • ϝοηʔδϯάαʔϏεΛӡӦ͍ͯ͠Δେنϕϯμʔ͔Β ͞Ε͍ͯΔΒ͍͠ •
ͱ໊͍͑લϛεϦʔσΟϯάؾຯͳؾ͕͢Δ • E2E҉߸Խ͞Ε͍ͯΔηΩϡΞͳϝοηʔδϯάΛ͍·͠ΐ ͏
ࢀߟURL • The Messaging Layer Security (MLS) Protocol https:/ /
datatracker.ietf.org/doc/draft-barnes-mls-protocol/ • GitHub: bifurcation/mls https:/ /github.com/bifurcation/mls Golang Ͱͷ࣮ • GitHub: cisco/mlspp https:/ /github.com/cisco/mlspp C++Ͱͷ࣮ • On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guaranteesɹhttps:/ /eprint.iacr.org/2017/666.pdf Asynchronous Ratchet Treesͷݩจ