Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第1章資料
Search
sylph01
May 12, 2017
Technology
0
1.2k
『プロフェッショナルSSL/TLS』読書会 第1章資料
https://connpass.com/event/56085/
sylph01
May 12, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
Secure Messaging at IETF 118
sylph01
0
33
Adventures in the Dungeons of OpenSSL
sylph01
0
290
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
190
Build and Learn Rails Authentication
sylph01
8
1.8k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
180
DNS Encryption and Its Controversies
sylph01
0
620
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.2k
Action Mailbox in Action
sylph01
1
3k
Keebs-n-Kaigi
sylph01
1
240
Other Decks in Technology
See All in Technology
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
180
アクセス制御にまつわる改善 / Improving access control
itkq
0
510
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2k
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
440
反実仮想機械学習とは何か
usaito
PRO
8
3k
Janus
bkuhlmann
1
490
私が trocco を推す理由
__allllllllez__
1
200
日本におけるデータエンジニアリングのこれまでとこれから
foursue
16
4.1k
ユーザーストーリーのレビューを自動化したみたの
bun913
1
410
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
340
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.3k
データベース02: データベースの概念
trycycle
0
140
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
237
11k
What the flash - Photography Introduction
edds
64
11k
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
KATA
mclloyd
15
12k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Code Reviewing Like a Champion
maltzj
514
39k
Done Done
chrislema
178
15k
Teambox: Starting and Learning
jrom
128
8.4k
Transcript
(1) SSL/TLSͱ҉߸ٕज़ @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 5/12/2017
1.1 Transport Layer Security (p.1-2) TLSͷ4ͭͷඪ(্͔Βߴ༏ઌ): • ҉߸ֶతͳηΩϡϦςΟ(Cryptographic security) •
૬ޓӡ༻ੑ(Interoperability) • ֦ுੑ(Extensibility) • ޮੑ(Efficiency)
1.2 ωοτϫʔΫͷ֊ ͍ΘΏΔOSIࢀরϞσϧͷɻTLS໊લͷ௨Γτϥϯεϙʔτ (ୈ4 = TCP, UDP)ʹରͯ͠securityΛఏڙ͢ΔɻϓϨθϯςʔγϣ ϯ=ୈ6ʹҐஔ͢Δɻ TLS͕ͳͯ͘HTTP(=ୈ7)ʮػೳ͢Δʯɻ
1.3 ϓϩτίϧͷྺ࢙ • SSL2: 1994/11 • SSL 3.0: 1995ޙ •
TLS 1.0(RFC 2246): 1999/1 • ΄ͱΜͲSSL 3.0ͱࠩͳ͍͕ޓੑͳ͠ • TLS 1.1: 2006/4 (security fix, TLS֦ு(2003/6)) • TLS 1.2: 2008/4 (AEADରԠ) • TLS 1.3: ongoing
1.4 ҉߸ٕज़ Ͳͷ͘Β͍҉߸ٕज़ʹ͠Έ͕͋Δ͔ʹΑͬͯಡΈඈ͠·͢ɻ • ҉߸ֶͷจ͕ಡΊΔ/ॻ͚Δ: ৸ͯͯେৎ • ʢͨͿΜ͜ͷؒͩͱࢥ͍·͢ʣ • ύεϫʔυͬͯ҉߸Խͯ͠อଘ͞ΕΔΜͩΑͶʁ:
Ώͬ͘ΓಡΉ
1.4.1 ཁૉٕज़ (p.5) Kerckhoffsͷݪଇ ҉߸γεςϜɺ伴Ҏ֎ͷ͕ͯ͢߈ܸऀʹঠѲ͞Εͨͱͯ͠ ҆શͰͳ͚ΕͳΒͳ͍ɻ • ҉߸ΞϧΰϦζϜ͕ఢରऀʹ࿙Εͯ҆શͰ͋Δඞཁ͕͋Δ • ༏Εͨ҉߸ΞϧΰϦζϜΛઃܭ͢Δͷ͍͠ɻͨ͘͞Μͷਓ
ͷʹ৮Εͯਫ਼ࠪ͞Εͨͷ΄Ͳ҆શɻ ݱͷ҉߸ʮܭࢉྔత҆શੑʯʹͦͷࠜڌΛஔ͍͍ͯΔ
1.4.1 ཁૉٕज़ (p.7) ετϦʔϜ҉߸ 伴͔ΒϥϯμϜʹݟ͑ΔจࣈྻͰ͋Δ伴ετϦʔϜΛੜ͠ɺ ͱͯ͠҉߸จΛಘΔɻ ετϦʔϜ҉߸Ͱʮಉ͡伴Λ͍·Θ͞ͳ͍͜ͱʯ͕ඇৗʹॏ ཁɻˠظؒʹΘͨͬͯར༻͢Δൿີ伴͔Βɺ௨৴ͷͨͼʹ1ճݶ Γͷ伴ʢηογϣϯ伴ʣΛಋग़ͯ͠͏ɻ RC4͕༗໊͕ͩऑ͕ΒΕ͍ͯΔɻECRYPT
Stream Cipher Project ʹ࠷৽ͷͷ͕͋ΔɻSalsa20/12SOSEMANUKͳͲɻ
1.4.1 ཁૉٕज़ (p.8) ϒϩοΫ҉߸ ϒϩοΫ୯ҐͰ·ͱΊͯ҉߸Խɻଟ͘ͷํࣜͰ16byte͝ͱɻೖྗ Λड͚ͱͬͯϥϯμϜʹݟ͑Δग़ྗΛฦؔ͢ɻ ϒϩοΫ҉߸ҙͷ͞ͷσʔλΛ҉߸Խ͢ΔͨΊ҉߸ར༻Ϟ ʔυͱΈ߹ΘͤͰ͏ɻ ੈքͰ࠷Α͘ར༻͞Ε͍ͯΔͷAESɻ伴͕128bit/192bit/ 256bitɺϒϩοΫ128bitݻఆɻ
1.4.1 ཁૉٕज़ (p.9) ϋογϡؔ • ݪ૾ܭࢉࠔੑ: ͋Δϋογϡʹର͠ɺಉ͡ϋογϡʹͳΔ ϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭ • ୈ2ݪ૾ܭࢉࠔੑ(ऑিಥੑ):
͋Δϝοηʔδͱϋογϡ͔ Βɺಉ͡ϋογϡʹͳΔผͷϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔ Ͱ͋Δੑ࣭ • িಥੑ(ڧিಥੑ): ಉ͡ϋογϡʹͳΔϝοηʔδͷΈ ߹ΘͤΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭
1.4.1 ཁૉٕज़ (p.9) SHA1(160bit)͕Α͘ΘΕ͍ͯΔ͕SHA256ͷஔ͖͕͑ਪ͞ Ε͍ͯΔɻ ϋογϡؔͷڧݪཧతʹʮੜͷύϥυοΫεʯ͔ΒΑ ͯ͘ϋογϡͷ͞ͷɻn-bitͷϋογϡ2^(n/2)ճϋογ ϡܭࢉ͢ΕিಥΛߴ֬Ͱݟ͚ͭΒΕΔɻ
1.4.1 ཁૉٕज़ (p.10) MAC(Message Authentication Code) ͋Δ͍ 伴͖ϋογϡ(keyed- hash):ϋογϡؔΛ֦ுͯ͠ೝূΛՄೳʹͨ͠ͷɻϋογϡ ΛσʔλͱҰॹʹૹΔͱϋογϡͦͷͷվ͟Μ͞Ε͏Δͷ
Ͱͦͷରࡦʹ͏ɻ
1.4.1 ཁૉٕज़ (p.10-11) ҉߸ར༻Ϟʔυ • ECB: ϒϩοΫ୯ҐͰݸผʹ҉߸Խɻ҉߸จʹฏจͷใ͕ݱΕ ͯ͠·͏ͨΊ੬ऑɻ͏ཧ༝ͳ͠ɻ • CBC:
લͷϒϩοΫͷ҉߸Խ݁ՌͷXORΛͱ͔ͬͯΒ҉߸Խɻ • ॳظԽϕΫτϧ(IV)ΛऔΔɻϥϯμϜͳΛ͏͜ͱͱɺ͜ͷ Λ͍·Θ͞ͳ͍͜ͱ͕ॏཁɻ • ଞ: CTRɺGCMɺOCBͳͲɻGCMͱOCBೝূ͖ͭ҉߸Λఏڙɻ
None
None
CTRϞʔυͷ߹ɺ҉߸Խ/෮߸Խ྆ํͰNonceͱcounterͷ҉߸Խ Λߦ͏ɻΑͬͯCTRϞʔυʹద༻͢Δؔblock cipherͰͳ͘ pseudo-random functionͰेɻ
1.4.1 ཁૉٕज़ (p.11-12) ެ։伴҉߸ํࣜ ҉߸Խʹ͏伴ͱ෮߸ʹ͏伴͕ผɻ ެ։伴Λ҆શʹ͘ڞ༗Ͱ͖Ε͚͕ࣗͩಡΊΔϝοηʔδΛ શһ͔ΒૹͬͯΒ͑ΔʢˠPKIɺୈ3ষʹͯʣɻ ެ։伴҉߸ܭࢉʹ͕͔͔࣌ؒΔͷͰɺڞ༗伴ͷωΰγΤʔγϣ ϯʹΘΕɺͦͷޙڞ༗伴Λͬͯରশ伴҉߸Λ͏ɻ RSAɺElGamal(DH伴ަΛެ։伴҉߸ʹద༻ͨ͠ͷ)
1.4.1 ཁૉٕज़ (p.13) ిࢠॺ໊ ిࢠϝοηʔδจॻͷਅਖ਼ੑ(authenticity)ΛݕূՄೳʹ͢Δ҉߸ ֶతͳखஈɻ MACిࢠॺ໊ͷҰछ͕ͩMAC伴ͷڞ༗ͱ͍͏͕͋Δɻ RSAΛٯํʹద༻͢Δ͜ͱͰిࢠॺ໊ΞϧΰϦζϜͱͯ͑͠ ΔɻҰํͰDSA/ECDSA҉߸ԽΞϧΰϦζϜͱͯ͑͠ͳ͍ɻ
1.4.1 ཁૉٕज़ (p.13) ཚੜث ҉߸ʹ࣭ͷ͍͍ʢhigh entropyͳʣཚ͕ඞཁɻ ֎෦ஔͷׂΓࠐΈʹΑΔΤϯτϩϐʔͷऩू(=TRNG)Ͱ͍ͩͨ ͍ͷ߹ेͳΤϯτϩϐʔ͕ू·Βͳ͍ͷͰ࣮ࡍٙࣅཚੜ ث(PRNG)Λ͏ɻ҉߸ʹ༻͍Δͷʹ෦ঢ়ଶͷ༧ଌෆՄೳ ੑΛ࣋ͬͨCSPRNG͕ඞཁɻ
1.4.2 ϓϩτίϧ (p.14) ؆୯ͳ҉߸௨৴ϓϩτίϧͷྫΛ͍ࣔͯ͠Δɻ • ·ͱ·ͬͨσʔλͷ҉߸ԽAESͰ • վ͟Μʹରॲ͢ΔͨΊϝοηʔδʹMACΛ༩ • ϝοηʔδͷܽམ/ϦϓϨΠ߈ܸʹରॲ͢ΔͨΊ࿈൪Λ༩
• ձͷऴྃΛࣔ͢ಛघͳϝοηʔδ • ձʹઌཱͬͯެ։伴҉߸ํࣜͰޓ͍Λೝূ • 伴ަΞϧΰϦζϜͰ҉߸伴Λަ
1.4.2 ϓϩτίϧ (p.14) TLSʹ͓͍ͯ 1. ೝূͱ伴ަΛؚΜͩϋϯυγΣΠΫ 2. ϋϯυγΣΠΫޙʹػີੑͱશੑͷ͋Δঢ়ଶͰσʔλΛަ 3. γϟοτμϯͷखॱͰऴྃ
Λߦ͏ɻ
1.4.3 ҉߸ٕज़ʹର͢Δ߈ܸ (p.15) • ૯Γ߈ܸ • ࣮ʢόάʣʹର͢Δ߈ܸ: λΠϛϯά߈ܸͳͲ͕Α͘ΒΕΔ • αʔόʹ৵ೖͯ͠҉߸伴ΛऔΔ΄͏͕؆୯ͳ͜ͱ
΄ͱΜͲͷ߹ɺʮϓϩτίϧΛࣗͰઃܭ͠ͳ͍ʯʮ҉߸ॲཧ ͷίʔυΛࣗͰ࣮͠ͳ͍ʯ΄͏͕҆શɻ
1.4.4 ҉߸ڧ (p.16-17) ҉߸ͷڧ = ҉߸ΞϧΰϦζϜΛഁΔͷʹඞཁͳૢ࡞ͷճɺ͜ ΕΛϏοτ҆શੑͱ͍͏ɻ ҉߸ԽํࣜʹΑͬͯϏοτ҆શੑͷॏΈ͕ҟͳΔͷͰɺଞͷํࣜ ͷͲͷϨϕϧͱՁ͔ɺͱ͍͏มද͕͋Δɻ 2012࣌Ͱʮ30ͷ߈ܸʹର͢Δอޢʯɿڞ௨伴҉߸Խʹ͓͚
Δ128Ϗοτ૬
1.4.4 ҉߸ڧ (p.16-17) NIST SP800-57 Part1 Rev.3 ͷp.64ʹ͋ΔՁ҆શੑͷද1 ڞ௨伴҉߸ RSA/DSA/DH
ପԁۂઢ҉߸ ϋογϡ 80 1024 160 160 112 2048 224 224 128 3072 256 256 256 15360 512 512 1 ୯ҐͦΕͧΕbit
1.4.5 MITM߈ܸ (p.17-21) ΞΫηεͷୣऔ • ARP spoofing: MACΞυϨεͱIPΞυϨεͷؔ࿈͚Λশ͢Δ ͜ͱͰϩʔΧϧωοτϫʔΫʹ͓͚Δܦ࿏ใΛশ͢Δ •
WPAD(Web Proxy Auto-Discovery) hijacking: ِͷϓϩΩγʹ༠ಋ • DNS hijacking, DNS cache poisoning: ِͷDNSใΛ༩͑Δ͜ͱͰ υϝΠϯʹ͔͏τϥϑΟοΫΛͬऔΔɻ • BGP route hijacking: Πϯλʔωοτ্ͷϧʔλ͕ෆਖ਼ͳܦ࿏Λ ࢦఆ͢Δ͜ͱͰ௨৴͕߈ܸऀͷͱ͜ΖΛ௨Δ
1.4.5 MITM߈ܸ (p.17-21) डಈత߈ܸ • ҉߸Խ͞Ε͍ͯͳ͍τϥϑΟοΫΛܧଓతʹϞχλϦϯά • ҉߸Խ͞ΕͨτϥϑΟοΫͰظؒอଘͯ͠҉߸͕ഁΒΕΔ ͷΛͯΑ͍ •
Perfect Forward Secrecy2ͷॏཁੑɻಉ͡伴Λͬͯաڈʹ͞ ͔ͷ΅ͬͯ௨৴͕෮ݩͰ͖ΔͱϚζ͍ɻ 2 Perfect Forward SecrecyͱForward Secrecyಉٛɻ
1.4.5 MITM߈ܸ (p.17-21) ೳಈతͳ߈ܸ ैདྷͷMITM߈ܸ: Mallory͕ʮBobͱ͍ͯ͠Δ͔ͷΑ͏ʹAliceʹࢥ ͍ࠐ·ͤΔʯʹೝূΛλʔήοτʹͨ͠ͷɻ ௨ৗͷDH伴ަͰೝূ͕ఏڙ͞Εͳ͍ͷͰ͜Ε͕Մೳɻ
1.4.5 MITM߈ܸ (p.17-21) ೳಈతͳ߈ܸ TLSͷ߹ɺAlice͕༗ޮͳͷͱͯ͠ड͚औΔΑ͏ͳূ໌ॻΛ Mallory͕ఏࣔ͢Δ͜ͱ͕ཧతͳ߈ܸɻ αʔϏεΛὃͯ͠ূ໌ॻΛೖख͢Δํ๏4ষɺ༗ޮʹݟ͑Δূ໌ ॻΛߏ͢Δ߈ܸ6ষʹͯɻܯࠂΛແࢹ͢Δ͜ͱΛظͯ͠ෆਖ਼ ͳূ໌ॻΛఏࣔ͢Δ͜ͱɻϒϥβʹ҉߸ԽΛແޮԽ͢ΔΑ͏ ͳϦΫΤετΛૹ৴͢Δ߈ܸɻ7ষʹͯɻ
ίετ͕ߴ͍ͨΊେنʹߦΘͣಛఆͷରʹରͯ͠ߦ͏ɻ
None
ิ ຊʹࡌͬͯͳ͍͚Ͳؔ࿈͢Δ·ͱΊɻ 1. ετϦʔϜ҉߸ͱOne-Time Pad 2. িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ 3. HMACͷఆٛ 4.
DH伴ަʹ͓͚Δதؒऀ߈ܸ
ετϦʔϜ҉߸ͱOne-Time Pad One-Time Pad(Vernam҉߸)Ͱฏจͱಉ͡͞ͷཚྻΛ伴ͱ͠ ͯ ͷΑ͏ʹ҉߸จΛಘΔɻOne-Time Pad ฏจͷใΛҰ҉߸จʹ͞ͳ͍ใྔతʹperfectly secret ͳ҉߸͕ͩݱ࣮తͰͳ͍ͷͰɺݱ࣮ʹ͍伴͔Β伴ετϦʔϜ
Λੜ͢Δɻ
িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ SHA1SHAtteredͰڧিಥੑʢʹ1ͭͷিಥ͢ΔϖΞΛ࡞Γग़͢ ͜ͱʣಥഁ͞Ε͕ͨɺऑিಥੑʢʹ͋Δจࣈྻʹର͢Δϋο γϡͱಉ͡ϋογϡΛ༩͑ΔผͷจࣈྻΛࣔ͢ʣ·ͩಥഁ ͞Ε͍ͯͳ͍ͷͰɺ͜Ε͚ͩͰͬͯʮύεϫʔυϋογϡͱͯ͠ ෆద֨ʯͱ͍͏ͷιɻͬͱɺଞͷબࢶ͕ͬͱ༏लͳ ͷͰSHA256bcryptΛ͍·͠ΐ͏ɻ
HMACͷఆٛ ϋογϡؔHͱ伴KΛͬͯɺ ipad = Kͷ͞ͷ0x36 opad = Kͷ͞ͷ0x5c ʢ ||
࿈݁Λද͢ɻͳͷͰɺ ͱtextΛ͚ͬͭͨ͘ͷͷϋ ογϡΛɺ ͷޙΖʹ͚ͬͭͯ͘ɺͦͷϋογϡΛऔ Δɺͱ͍͏͜ͱʣ
DH伴ަʹ͓͚Δதؒऀ߈ܸ (ECͰͳ͍)DH伴ަ: • ެ։ͷ • p ͷେ͖ͳૉ • g
ͷੜݩ • ൿີͷ: • ૬खʹૹΒΕΔ:
None
None
DH伴ަʹ͓͚Δதؒऀ߈ܸ தؒऀEve͕ ͷΛड͚औΓɺ ͱಉ༷ͷੑ࣭Λ࣋ͭ Λੜ͠ɺҎԼͷΛ૬खʹΘΓʹ͢:
DH伴ަʹ͓͚Δதؒऀ߈ܸ ͦ͏͢ΔͱAliceͱBobҎԼͷΛܭࢉ͢Δ: ͜ͷͱ͖ɺAliceͱEveɺEveͱBobͷؒʹڞ௨伴ͷਃ͠߹Θཱ͕ͤ ͢Δʢલऀ ɺޙऀ ʣɻ