『プロフェッショナルSSL/TLS』 Reading Group: Chapter 1 Materials
sylph01
May 12, 2017
https://connpass.com/event/56085/
Transcript
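(1) SSL/TLS and Cryptography @ 『プロフェッショナルSSL/TLS』 reading group
Ryo Kajiwara (@s01), 5/12/2017

1.1 Transport Layer Security (p.1-2)
The four goals of TLS (highest priority first):
• Cryptographic security
• Interoperability
• Extensibility
• Efficiency

1.2 Network layers
This is about the so-called OSI reference model. As its name says, TLS provides security for the transport layer (layer 4 = TCP, UDP). It sits at the presentation layer (layer 6).
HTTP (layer 7) still "works" without TLS.

1.3 Protocol history
• SSL2: 1994/11
• SSL 3.0: late 1995
• TLS 1.0 (RFC 2246): 1999/1
  • Almost no difference from SSL 3.0, but not compatible with it
• TLS 1.1: 2006/4 (security fix, TLS extensions (2003/6))
• TLS 1.2: 2008/4 (AEAD support)
• TLS 1.3: ongoing

1.4 Cryptography
How much we skim depends on how familiar you are with cryptography.
• You can read/write cryptography papers: feel free to sleep
• (I think most people are somewhere in between)
• "Passwords are stored encrypted, right?": read slowly

1.4.1 Building blocks (p.5)
Kerckhoffs's principle
A cryptosystem must remain secure even if everything about it except the key is in the attacker's hands.
• It must stay secure even if the encryption algorithm leaks to the adversary
• Designing a good encryption algorithm is hard. The more people have looked at and scrutinized an algorithm, the safer it is.
Modern cryptography rests on "computational security".

1.4.1 Building blocks (p.7)
Stream ciphers
A keystream, a random-looking string, is generated from the key, and the ciphertext is obtained as [formula missing].
With stream ciphers, "never reusing the same key" is extremely important. → From a secret key that is used over a long period, derive a one-time key (session key) for each communication and use that.
RC4 is the famous one, but its weaknesses are known. The ECRYPT Stream Cipher Project has the most recent ones, such as Salsa20/12 and SOSEMANUK.

1.4.1 Building blocks (p.8)
Block ciphers
Encrypt data one block at a time, 16 bytes per block in many schemes. A block cipher is a function that takes an input and returns a random-looking output.
To encrypt data of arbitrary length, a block cipher is used in combination with a mode of operation.
The most widely used in the world is AES. Key length is 128/192/256 bits; block length is fixed at 128 bits.

1.4.1 Building blocks (p.9)
Hash functions
• Preimage resistance: given a hash value, it is hard to find a message that produces that hash value
• Second preimage resistance (weak collision resistance): given a message and its hash value, it is hard to find a different message that produces the same hash value
• Collision resistance (strong collision resistance): it is hard to find a pair of messages that produce the same hash value

1.4.1 Building blocks (p.9)
SHA1 (160 bit) is widely used, but replacing it with SHA256 is recommended.
In principle, because of the "birthday paradox", the strength of a hash function is at best half the length of the hash. For an n-bit hash, computing 2^(n/2) hash values finds a collision with high probability.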
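The 2^(n/2) bound above can be observed directly on a shortened hash. The following is an added example, not part of the original deck: it truncates SHA-256 to n bits (an assumption made so the search finishes in moments) and counts how many hashes are needed before two constructed messages collide.

```python
import hashlib

def truncated_digest(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(message) as an integer: a toy n-bit hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct counter messages until two share an n-bit digest.

    Returns (message_a, message_b, number_of_hashes_computed).
    """
    seen = {}
    attempts = 0
    while True:
        message = b"msg-%d" % attempts   # constructed sample inputs
        attempts += 1
        digest = truncated_digest(message, bits)
        if digest in seen:
            return seen[digest], message, attempts
        seen[digest] = message

def work_summary(bits_list=(16, 24, 32)):
    """For each n, report the hashes needed next to 2^(n/2) and 2^n."""
    rows = []
    for bits in bits_list:
        a, b, attempts = find_collision(bits)
        rows.append((bits, attempts, 2 ** (bits // 2), 2 ** bits, a, b))
    return rows

if __name__ == "__main__":
    for bits, attempts, birthday, brute, a, b in work_summary():
        print(f"n={bits}: collision after {attempts} hashes "
              f"(2^(n/2)={birthday}, 2^n={brute}): {a!r} vs {b!r}")
```

The number of hashes stays within a small factor of 2^(n/2) for every n, far below the 2^n output space.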
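
1.4.1 Building blocks (p.10)
MAC (Message Authentication Code), or keyed hash: a hash function extended so that it can authenticate. If a hash value is simply sent along with the data, the hash value itself can be tampered with too, so a MAC is used as the countermeasure.

1.4.1 Building blocks (p.10-11)
Modes of operation
• ECB: each block is encrypted independently. Vulnerable because information about the plaintext shows up in the ciphertext. There is no reason to use it.
• CBC: XOR with the encryption result of the previous block, then encrypt.
  • Takes an initialization vector (IV). It is important to use a random value and never to reuse it.
• Others: CTR, GCM, OCB and so on. GCM and OCB provide authenticated encryption.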
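
In CTR mode, both encryption and decryption encrypt the nonce and counter. The function used in CTR mode therefore does not have to be a block cipher; a pseudo-random function is enough.

1.4.1 Building blocks (p.11-12)
Public-key cryptography
The key used to encrypt and the key used to decrypt are different.
If the public key can be shared widely and safely, everyone can send you messages that only you can read (→ PKI, in Chapter 3).
Public-key cryptography is computationally slow, so it is used to negotiate a shared key, and after that symmetric-key encryption is used with the shared key.
RSA, ElGamal (DH key exchange applied to public-key encryption)

1.4.1 Building blocks (p.13)
Digital signatures
A cryptographic means of making the authenticity of an electronic message or document verifiable.
A MAC is a kind of digital signature, but a MAC has the problem of key sharing.
RSA can be used as a digital signature algorithm by applying it in the reverse direction. DSA/ECDSA, on the other hand, cannot be used as encryption algorithms.

1.4.1 Building blocks (p.13)
Random number generators
Cryptography needs good-quality (high entropy) random numbers.
Collecting entropy from external device interrupts (= TRNG) does not gather enough entropy in most cases, so in practice a pseudo-random number generator (PRNG) is used. For cryptographic use, a CSPRNG whose internal state is unpredictable is required.

1.4.2 Protocols (p.14)
The book shows an example of a simple encrypted communication protocol.
• Bulk data is encrypted with AES
• A MAC is attached to each message to deal with tampering
• A sequence number is attached to deal with dropped messages and replay attacks
• A special message marks the end of the conversation
• Before the conversation, the parties authenticate each other with public-key cryptography
• The encryption key is exchanged with a key exchange algorithm

1.4.2 Protocols (p.14)
In TLS:
1. A handshake that includes authentication and key exchange
2. After the handshake, data is exchanged with confidentiality and integrity
3. The connection ends with a shutdown procedure

1.4.3 Attacks on cryptography (p.15)
• Brute-force attacks
• Attacks on implementations (bugs): timing attacks and the like are well known
• Sometimes breaking into the server and taking the encryption key is easier
In most cases it is safer "not to design your own protocol" and "not to implement cryptographic code yourself".

1.4.4 Cipher strength (p.16-17)
Cipher strength = the number of operations needed to break the cryptographic algorithm; this is called bits of security.
The weight of bits of security differs between encryption schemes, so there are conversion tables showing which level of another scheme is equivalent.
As of 2012, "protection against attacks for 30 years": equivalent to 128 bits for symmetric encryption.

1.4.4 Cipher strength (p.16-17)
Table of equivalent security from p.64 of NIST SP800-57 Part1 Rev.3 [1]

Symmetric   RSA/DSA/DH   Elliptic curve   Hash
80          1024         160              160
112         2048         224              224
128         3072         256              256
256         15360        512              512

[1] All values are in bits.

1.4.5 MITM attacks (p.17-21)
Gaining access
• ARP spoofing: spoofs routing information on the local network by falsifying the association between MAC addresses and IP addresses
• WPAD (Web Proxy Auto-Discovery) hijacking: directs the victim to a fake proxy
• DNS hijacking, DNS cache poisoning: takes over traffic headed for a domain by supplying fake DNS information
• BGP route hijacking: a router on the Internet specifies an illegitimate route so that traffic passes through the attacker

1.4.5 MITM attacks (p.17-21)
Passive attacks
• Continuous monitoring of unencrypted traffic
• Encrypted traffic can also be stored for a long time while waiting for the encryption to be broken
• The importance of Perfect Forward Secrecy [2]. It is bad if past communication can be recovered retroactively using the same key.

[2] Perfect Forward Secrecy and Forward Secrecy are synonymous.

1.4.5 MITM attacks (p.17-21)
Active attacks
Traditional MITM attack: Mallory "makes Alice believe she is talking to Bob", that is, an attack that targets authentication.
This is possible because plain DH key exchange provides no authentication.

1.4.5 MITM attacks (p.17-21)
Active attacks
With TLS, the ideal attack is for Mallory to present a certificate that Alice accepts as valid.
Ways of tricking a service into issuing a certificate are in Chapter 4; attacks that construct a certificate that appears valid are in Chapter 6. Another is presenting an invalid certificate in the hope that the warning is ignored. There are also attacks that make the browser send requests that disable encryption; see Chapter 7.
Because the cost is high, these are carried out against specific targets rather than at large scale.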
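
Supplement
A summary of related topics that are not in the book.
1. Stream ciphers and the One-Time Pad
2. Terminology around collision resistance
3. Definition of HMAC
4. Man-in-the-middle attack on DH key exchange

Stream ciphers and the One-Time Pad
In the One-Time Pad (Vernam cipher), a random sequence of the same length as the plaintext is used as the key, and the ciphertext is obtained as [formula missing].
The One-Time Pad is an information-theoretically perfectly secret cipher that leaves no information about the plaintext in the ciphertext, but it is not practical, so in practice a keystream is generated from a short key.

Terminology around collision resistance
With SHAttered, the strong collision resistance of SHA1 (= producing a single colliding pair) was broken, but its weak collision resistance (= given a string, showing a different string that gives the same hash value) has not been broken yet, so it is false to say that this alone makes it "unfit as a password hash". That said, the other options are much better, so use SHA256 or bcrypt.

Definition of HMAC
Using a hash function H and a key K:
[formula missing]
ipad = 0x36 repeated for the length of K
opad = 0x5c repeated for the length of K
(|| denotes concatenation. In other words: take the hash of [term missing] joined with text, attach that hash after [term missing], and take the hash of the result.)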
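The HMAC construction, and the reason given on the MAC slide (1.4.1, p.10) for preferring it over a plain hash sent with the data, written out following RFC 2104 and checked against Python's standard `hmac` module. This is an added example, not part of the original deck; SHA-256 as H, the key and the messages are constructed assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes its input in 64-byte blocks

def hmac_sha256(key: bytes, text: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || text))."""
    if len(key) > BLOCK_SIZE:              # keys longer than a block are hashed
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")   # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)   # K xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)   # K xor opad
    inner = hashlib.sha256(inner_key + text).digest()
    return hashlib.sha256(outer_key + inner).digest()

def verify_plain_hash(message: bytes, tag: bytes) -> bool:
    """Unkeyed check: whoever edits the message can also recompute the hash."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Keyed check, compared in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

def tamper_demo() -> dict:
    key = b"constructed-demo-key"          # known only to sender and receiver
    original = b"amount=100;to=alice"      # constructed sample message
    modified = b"amount=900;to=alice"      # changed in transit, key unknown
    recomputed_hash = hashlib.sha256(modified).digest()
    original_mac = hmac_sha256(key, original)
    return {
        "plain_hash_accepts_modified": verify_plain_hash(modified, recomputed_hash),
        "mac_accepts_original": verify_mac(key, original, original_mac),
        "mac_accepts_modified": verify_mac(key, modified, original_mac),
    }

if __name__ == "__main__":
    print(tamper_demo())
```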
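
Man-in-the-middle attack on DH key exchange
(Non-EC) DH key exchange:
• Public values
  • p: a large prime
  • g: a generator of [term missing]
• Secret values: [values missing]
• Values sent to the other party: [values missing]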
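
Man-in-the-middle attack on DH key exchange
The man in the middle, Eve, receives the values [values missing], generates [values missing] with the same properties as [values missing], and passes the following values to the other party in their place: [values missing]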
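
Man-in-the-middle attack on DH key exchange
Alice and Bob then compute the following values: [values missing]
At this point a shared key has been agreed between Alice and Eve and between Eve and Bob (the former is [value missing], the latter [value missing]).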
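The outcome described on these slides and in 1.4.5 ("plain DH key exchange provides no authentication") can be reproduced with a toy group. This is an added example, not part of the original deck: the modulus, generator, function names and the use of a single Eve key pair for both directions are assumptions, and the parameters are far too small for real use. The last field shows what an authenticated comparison of the exchanged values would reveal.

```python
import hashlib
import secrets

# Toy group for illustration only (assumed values, not from the slides):
P = 2**127 - 1   # a Mersenne prime, far too small for real use
G = 3

def keypair():
    """Return (secret exponent, public value G^secret mod P)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def shared_key(own_secret: int, peer_public: int) -> bytes:
    """Derive a key from the DH shared value."""
    value = pow(peer_public, own_secret, P)
    return hashlib.sha256(value.to_bytes(16, "big")).digest()

def view_fingerprint(alice_public: int, bob_public: int) -> str:
    """Hash of the two public values as one party saw them."""
    data = alice_public.to_bytes(16, "big") + bob_public.to_bytes(16, "big")
    return hashlib.sha256(data).hexdigest()[:16]

def run_exchange(intercepted: bool) -> dict:
    a, pub_a = keypair()                    # Alice
    b, pub_b = keypair()                    # Bob
    e, pub_e = keypair()                    # Eve (only used if intercepted)
    # What each side actually receives as "the peer's public value".
    alice_receives = pub_e if intercepted else pub_b
    bob_receives = pub_e if intercepted else pub_a
    k_alice = shared_key(a, alice_receives)
    k_bob = shared_key(b, bob_receives)
    return {
        "alice_bob_agree": k_alice == k_bob,
        "eve_shares_key_with_alice": k_alice == shared_key(e, pub_a),
        "eve_shares_key_with_bob": k_bob == shared_key(e, pub_b),
        # Plain DH has no step that compares these two views; an
        # authenticated comparison (e.g. signed exchange values) would.
        "views_match": view_fingerprint(pub_a, alice_receives)
                       == view_fingerprint(bob_receives, pub_b),
    }

if __name__ == "__main__":
    print("clean      :", run_exchange(False))
    print("intercepted:", run_exchange(True))
```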