Messaging Layer Security and stuff @ IETF105

Transcript

1. Messaging Layer Security, and other security related stuff Ryo Kajiwara

   @ lepidum IETF105 Report Session, ISOC-JP
2. None

3. Messaging Layer Security (mls)

4. աڈʹ࿩ͨ͠ࢿྉʹ͍ͭͯ ݕࡧͯ͠ग़ͯ͘Δࢿྉʹ͸ࢲ͕2018/8ʹ࿩ͨ͠ࢿྉ͕ग़͖ͯ·͢ ͕ɺ۩ମతͳํࣜʹؔͯ͠͸͔ͳΓଟ͘ͷΞοϓσʔτ͕ೖͬͯ ͍·͢ɻ֓આ෦෼ʹؔͯ͠͸एׯͦΕΛྲྀ༻͍ͯ͠·͢ɻ https:/ /speakerdeck.com/sylph01/messaging-layer-security ۩ମతʹݴ͏ͱɺ17൪໨ͷεϥΠυҎ߱ͷ಺༰͸΄ͱΜͲݱࡏͷ υϥϑτʹ࢒͍ͬͯ·ͤΜɻπϦʔͷܭࢉʹؔͯ͠Asynchronous Ratchet Treeͷ֓೦͚ͩ͸ࠓͷυϥϑτͰ΋͋Δఔ౓௨༻͠·͢ɻ

5. ͜Ε͸Կʁ ෳ਺ਓͷάϧʔϓʹ͓͚ΔηΩϡΞϝοηʔδϯάͷͨΊͷ伴ަ ׵ͷํ๏Λඪ४Խ͠Α͏ɺͱ͍͏Internet-Draft -> Working Groupɻ ͘͢͝ฏ͍ͨ͘͏ͱɺάϧʔϓνϟοτΛEnd-to-End҉߸Խ͢Δ ํ๏Λඪ४Խ͠Α͏ͥɺͱ͍͏಺༰ɻ

6. ηΩϡΞϝοηʔδϯάʁ ࠷ۙͷϝοηʔδϯάαʔϏε͸End-to-End҉߸Խ͕ී௨Ͱ͢ɻ • Signalʢ͕͜͜͸͠Γʣ • Facebook Messenger • WhatsApp •

   LINE ͳͲ͸End-to-End҉߸ԽΛطʹऔΓೖΕ͍ͯ·͢ɻ

7. WG Charter͔Βཁ໿ ҎԼͷੑ࣭Λ࣋ͭάϧʔϓ伴ͷ߹ҙɾϝοηʔδอޢΛඞཁͱ͢ ΔΞϓϦέʔγϣϯ͕ଟ͘ଘࡏ͢ΔͨΊɺͦΕΛ࣮ݱ͍ͨ͠: ϝοηʔδͷൿີੑɺϝοηʔδͷ׬શੑɾೝূɺϝϯόʔͷೝ ূɺඇಉظੑɺForward SecrecyɺPost-Compromise Securityɺε έʔϥϏϦςΟ

8. είʔϓʹ͍ͭͯ • ֤ϕϯμʔ͸ಠࣗϓϩτίϧͰ࣮ݱ͍ͯ͠ΔͨΊɺࣗ਎ͷϓϩ τίϧɾελοΫΛಠཱʹҡ࣋؅ཧ͢Δඞཁ͕͋Γɺ݁Ռͱ͠ ͯಠཱʹ඼࣭อূΛ͢Δඞཁ͕͋Δɻ • MLS͸ϝοηʔδͷηΩϡϦςΟ෦෼ʹ͍ͭͯڞ௨ͷํ๏Λఏ ࣔ͢Δ͜ͱͰɺϓϩτίϧͷਖ਼౰ੑɾ҆શੑͷݕূ݁ՌΛڞ༗ Ͱ͖Δ͜ͱΛ໨ࢦ͢(shared validation

   of the protocol)ɻ • 伴߹ҙҎ্ͷϝοηʔδϯάΞϓϦέʔγϣϯͷ interoperability/federationΛఏڙ͢Δ΋ͷͰ͸ͳ͍

9. ඇಉظੑ(asynchronous usage) ͜͜Ͱ͍͏ʮඇಉظੑʯͱ͸ɺ2ਓͷϢʔβʔ͕ಉ࣌ʹΦϯϥΠϯ Ͱ͋Δ͜ͱΛཁٻ͢ΔΑ͏ͳMLSͷoperation͕ଘࡏͯ͠͸͍͚ͳ ͍ɺͱ͍͏ੑ࣭ͷ͜ͱɻ

10. Forward Secrecy ௨৴ϓϩτίϧͷੑ࣭Ͱɺ௕ظ伴(long-term key)ͷ๫࿐ʹΑͬͯա ڈͷηογϣϯΩʔͷ҆શੑ͕ࣦΘΕͳ͍ɺͱ͍͏ੑ࣭ɻ ʮաڈͷηογϣϯΩʔʯͷ҆શੑͳͷʹʮForwardʯʁˠϝο ηʔδΛૹͬͨ͋ͱকདྷʹΘͨͬͯηογϣϯΩʔͷ๫࿐ʹ଱͑ Δɺͱ͍͏ੑ࣭͔ͩΒɻ TLSͷจ຺ͰͷFSͱಉٛɻ·ͨɺ"Perfect" Forward

    Secrecyͱ Forward Secrecy͸Ұൠʹಉٛɻ

11. Post-Compromise Security ݫີͳఆٛͱͯ͠͸ "On Ends-to-Ends Encryption: Asynchronous Group Messaging with

    Strong Security Guarantees" (Cohn-Gordon et al., 2017) ͷ(3.0.2)ͱ(3.1)ɺ άϧʔϓϝϯόʔͷ׬શͳঢ়ଶ(௕ظ伴ͱͦΕΒ͔Βಋग़͞Εͨ伴) ͕compromise͞Εͨͱͯ͠ɺ৽ͨʹ҆શͳ伴͕ಋग़͞Εͯάϧʔ ϓͷձ࿩͕ܧଓ͞ΕҎޙͷൿີੑ͕कΒΕΔͱ͖ɺpost- compromise securityΛ࣋ͭɺͱ͍͏ɻ FS/PCS͸mls-architectureͷ3.2.2.1Ͱ΋ఆٛ͞Ε͍ͯΔɻ

12. Documents • draft-ietf-mls-architecture-02 • draft-ietf-mls-protocol-07 • draft-omara-mls-federation-00

13. mls-architecture

14. લఏ • full messaging protocolͷ࣮૷Λҙਤ͍ͯ͠ͳ͍ (<-> XMPP) • wire encodingͷఆٛͰ͸ͳ͘ɺந৅తͳσʔλߏ଄ͷΈΛఆٛ

    • άϧʔϓͷن໛͸as large as thousands

15. ໾ׂ Messaging Service͸2ͭͷabstract serviceΛఏڙ͢Δ: • Authentication Service: long-term identityͷ؅ཧ •

    long-term identity keyͷσΟεΧόϦʔαʔϏε • Delivery Service: ϝοηʔδͷड৴ͱ࠶഑෍ • ϝοηʔδͦͷ΋ͷͷϒϩʔυΩϟετͷ΄͔ɺάϧʔϓ伴 ߹ҙʹඞཁͳkeying materialͷ഑෍ͷ໾ׂ΋ߦ͏ ಉҰαʔόʔͰ΋Α͍͕ɺ໾ׂ͕ҧ͏ͷͰจষ্۠ผ͞ΕΔ

16. ηΩϡϦςΟલఏͷิ଍ 2.3.5: ΦϑϥΠϯͷϝϯόʔ͕ݹ͍伴Λ͍࣋ͬͯͨΒForward Secrecy/ Post-Compromise SecurityͷલఏͰ͋Δkeying materialͷ࡟আ/ஔ׵ ͸ෆՄೳɻMLS͸͜ͷ໰୊΁ͷରԠ͸ߦΘͳ͍(࣮૷Ͱղܾ͠Ζɺ ͱ͍͏͜ͱ͔)ɻ

17. ཁ݅ (Ұ෦ൈਮ) • ಉ࣌ΦϯϥΠϯΛཁٻ͠ͳ͍ (asynchronous) • एׯͷϝοηʔδϩε͕ൃੜͯ͠΋permanent exclusionʹͭͳ ͕Βͳ͍ •

    ϚϧνσόΠεରԠ • ཤྺͷ෮ݩ͸FS/PCSͷલఏΛ่͢ͷͰϓϩτίϧϨϕϧͰ͸ ڐՄ͠ͳ͍͕ଞͷํࣜͰ΍Δ͜ͱ͸ߟ͑ΒΕΔ

18. ཁ݅ (Ұ෦ൈਮɺଓ͖) • ϖΠϩʔυͷϑΥʔϚοτΛԾఆ͠ͳ͍ • ෳ਺ͷMLS࣮૷͕federation͢Δ͜ͱ͸͋ΓಘΔ • ͕charterͱͯ͠͸είʔϓ֎ɺmls-federationͰ΍͍ͬͯΔ໛ ༷ •

    কདྷόʔδϣϯͱͷޓ׵ੑ

19. ηΩϡϦςΟཁ݅ • ΫϥΠΞϯτͱαʔόʔͷؒͷ௨৴͸TLSͳͲͰ҉߸Խ͞Ε͍ͯ Δ͜ͱΛԾఆ͢Δ͕ɺτϥϯεϙʔτ૚ͷcompromiseʹ͸ASʹ ΑΔidentity keys͕ద੾ʹೝূ͞Ε͍ͯΔݶΓ଱͑Δ • DS͸άϧʔϓͷprivate content΁ͷΞΫηεΛ࣋ͨͳ͍(؅ཧऀ ͕ϝοηʔδΛ೷͖ݟΔ͜ͱ͸Ͱ͖ͳ͍)

    • ϝϯόʔͷ௥Ճ/࡟আ: MLS͸ଞͷϝϯόʔʹ஌ΒͤΔ͜ͱͳ͘ϝ ϯόʔͷ௥Ճ/࡟আΛߦ͏͜ͱΛڐՄ͠ͳ͍(ϓϩτίϧͷ࢓૊Έ ্ͦ͏ͳ͍ͬͯΔ)

20. mls-protocol

21. (എܠ)2 partiesͷ৔߹͸ղܾࡁΈ Signal Messaging ProtocolͰ༻͍ΒΕ͍ͯΔDouble Ratchetํࣜɻ "Ratchet"͸ʮҰ౓ਐΜͩΒ໭Βͳ͍ʯ΋ͷͷྫ͑Ͱɺ҉߸෼໺ʹ ͓͚Δ"Ratchet"ͱ͸ϋογϡؔ਺Λ࢖ͬͯʮ৽͍͠஋͔Βաڈͷ ஋ΛܭࢉͰ͖ͳ͍Α͏ʹͯ͠伴Λಋग़͢Δʯ࢓૊Έͷ͜ͱɻ ͷΑ͏ʹͯ͠ϝοηʔδ͝ͱʹ伴Λߋ৽͢Δɻ

22. (എܠ)ʮͨ͘͞ΜʯͷࢀՃऀͷ৔߹͠ ΜͲ͍ Α͘औΒΕΔํ๏͸ɺطʹཱ͍֬ͯ͠ΔνϟϯωϧΛ௨ͯ͠ ʮsender keyʯΛҰํతʹbroadcastɺ֤ࢀՃऀ͸ͦͷʮsender keyʯͰ҉߸Խͨ͠ϝοηʔδΛૹ৴͢Δɺͱ͍͏΋ͷɻ "hash ratchet"Λ࢖͏͜ͱͰForward Secrecy͸࣮ݱͰ͖Δ͕ɺҰ౓ 伴͕ഁΒΕΔͱ伴Λߋ৽͢Δͷʹಉ͡ํ๏Λ࢖Θͳͯ͘͸ͳΒ

    ͣɺpost-compromise security͕ͳ͍ͱ͍͑Δɻ

23. Ͳ͏΍࣮ͬͯݱ͢Δʁ

24. None
25. None
26. None
27. None

28. Ͳ͏΍ͬͯάϧʔϓͷڞ༗ൿ ີΛ҆શʹڞ༗͢Δʁ ެ։伴҉߸(Diffie-Hellman)Ͱɺʮࣗ਎ͷൿີ伴ʯʴʮଞͷϝϯόʔ ͷൿີ伴ʯΛ࢖ͬͯڞ༗ൿີΛಋग़͢Δɻશһͷൿີ伴Λ͍͍ͪ ͪ࢖͏ͱܭࢉίετ͕ߴ͍ͷͰπϦʔߏ଄Λऔ͍ͬͯΔɻ Asynchronous Ratchet Treeͱ͍͏࢓૊Έ͕͜Εʹ૬౰͢Δ͕ɺҰൠ ੑΛอͭͨΊdraft-01͔Β͸"Ratchet Tree"ͱ͍͏ޠʹมߋ͞Ε͍ͯ

    Δɻ
29. None

30. WG activity @ IETF 105

31. User Authentication Within Groups https:/ /datatracker.ietf.org/meeting/105/materials/slides-105-mls- sessa-user-authentication-within-groups-00.pdf SignalͰ͸௕ظ伴͔ΒϩάΠϯ༻QRίʔυΛੜ੒͍ͯ͠Δɻ͜ΕͰ ͸Post-Compromise Security͕ͳ͍ɻ

    Epoch-Level Authenticationʢಛఆͷ࣌఺ͰͷΈ༗ޮͳϩάΠϯ༻ QRίʔυΛੜ੒ʣͷಋೖͱͦͷํ๏ͷఏҊɻ

32. Protocol Enhancements • group secretͷߋ৽ΛͰ͖ΔݶΓdefer͍ͨ͠ • ݱࡏ͸group΁ͷ௥Ճͷࡍʹϝοηʔδϯάͷ༗ແʹؔΘΒͣ group secretͷߋ৽͕ߦΘΕɺ݁ՌେྔͷDHԋࢉ͕ൃੜ͢Δ •

    add/update/remove͸ఆ਺࣌ؒͰࡁΉΑ͏ʹͳΔ͚ΕͲ ratchetʢsecretͷߋ৽ʣͷίετ͕ߴ͍ɺͱ͍͏τϨʔυΦ ϑ͕͋Δ

33. Protocol Enhancements • Server-Initiated Add • LazinessΛಋೖͨ͠Βαʔόʔ͕AddΛ࡞ΕΔΑ͏ʹͳΔ (Welcome͸init secretΛؚΉͷͰෆՄೳ) •

    ݱࡏ͸User-Initiated AddͱGroup-Initiated Add͸ผͷ࢓૊ΈΛ ࢖͍ͬͯΔ͕ɺinit secret΋ඇಉظԽͰ͖Ε͹౷ҰͰ͖Δ͠ɺ ೝূ͞Εͨϝϯόʔ͸WelcomeΛ߹੒Ͱ͖ΔΑ͏ʹͳΔ • ͨͩ͠DH-like construction΁ͷϩοΫΠϯ͕༗Γಘͦ͏ͳͷ ʹՃ͑ͯݕূ͕͠ΜͲͦ͏

34. ਐḿ mls-protocol • draft-08: 10݄ͷinterim • draft-09: 11݄ͷIETF 106 •

    ೥಺WGLCΛ໨ࢦ͢ͱͷ͜ͱ

35. ࠓޙ΋ಈ޲ͷupdateΛ ใࠂ͍͚ͯ͠Ε͹ͱࢥ ͍·͢ ͋ͱάϧʔϓ伴߹ҙʹ͍ͭͯݹయతͳconstructionҎ֎Λ༻͍Δํ ๏΋͋Γͦ͏…ʁ

36. None

37. Other Security Related Topics

38. IoTؔ܎ͷ࿩(teep, suit, rats)͸ଞͷํ͕͠Ό΂ Δͱࢥ͏ͷͰলུ

39. oauth.xyz (࣮ࡍʹ͜ͷ໊લΛURLόʔʹಥͬࠐΉͱαΠτ͕ग़ͯ͘Δ) OAuth 2.0͸ଟ͘ͷϢʔεέʔεΛΧόʔͨ͠ΓηΩϡϦςΟ্ͷ ໰୊ΛΧόʔ͢ΔͨΊʹଟ͘ͷ֦ு͕ग़͖͚ͯͨΕͲɺಉ͡໰୊ Λෳ਺ͷํ๏Ͱղܾ͢ΔΑ͏ͳෳࡶੑΛੜΈग़ͯ͠͠·ͬͨɻ τϥϯβΫγϣϯϞσϧ(Ұͭͷtransaction IDΛத৺ʹɺػೳΛ෇ ͚଍͍ͯ͘͠৔߹͸τϥϯβΫγϣϯʹ伴Λ௥Ճ͍ͯ͘͠ɺͱ͍ ͏ํࣜ)Ͱ੔ཧ͠ͳ͓ͦ͏ɺͱ͍͏ࢼΈɻ

40. Dragonblood ANRWͷinvited talkɻWPA3ͷDragonflyϋϯυγΣΠΫʹαΠυ νϟωϧ߈ܸ੬ऑੑ͕͋Γ·͢ɺͱ͍͏࿩ɻ ύεϫʔυΛପԁۂઢ͋Δ͍͸༗ݶମ্ͷཁૉʹม׵͢Δࡍ(hash- to-curve/group)ͷ࣮૷͕·ͣ͘ɺύεϫʔυʹΑͬͯࢼߦճ਺͕ม Θͬͯ͠·͏ͨΊɺ࣮ߦ࣌ؒΛଌఆ͢Δ͜ͱͰύεϫʔυಛఆͷ ͨΊͷ৘ใΛऔΓग़ͤΔɻ ͳ͓ɺ͜ͷൃදͷ͋ͱ͞Βʹ௥ՃͰCVE-2019-13377/13456͕ಉ ҰஶऀʹΑΓൃද͞Εͨɻ

41. TLS 1.3 Impact on Network Based Security Solutions TLS 1.3ͰϛυϧϘοΫε͕ఏڙ͍ͯͨ͠ηΩϡϦςΟػೳ͕Ͳ͏

    յΕΔ͔ͷ·ͱΊɻյΕΔ͔Β௚ͤɺͱ͍͏ओுͰ͸ͳ͘ɺӨڹ ൣғΛ໌Β͔ʹ͢Δ͜ͱΛ໨తͱ͍ͯ͠Δ΋ͷɻʢͱ͸͍͑ɺଟ ෼ͦ͏͍͏࿩΋ؚ·Ε͍ͯͦ͏ͩΑͳ͋…ʣInformational RFCͱ͢ Δ͜ͱΛ໨ࢦ͍ͯ͠Δɻ https:/ /datatracker.ietf.org/meeting/105/materials/slides-105-tls- sessb-tls-impact-on-network-security-00

42. ଟ෼ೖΓ͖Βͳ͍ͱࢥ͏DNS ؔ܎͸ࠓճ͸ׂѪ • ANRW: Oblivious DNS, Who Is Answering My

    Queries (DNS interceptionͷଌఆ), What Can You Learn from an IP? • dnsop • add (Applications Doing DNS) Ͳ͔͜Ͱެ։༧ఆʁ