『プロフェッショナルSSL/TLS』 (Bulletproof SSL and TLS) reading group: Chapter 1 slides
sylph01
May 12, 2017
https://connpass.com/event/56085/
Transcript
(1) SSL/TLS and Cryptography @ 『プロフェッショナルSSL/TLS』 (Bulletproof SSL and TLS) reading group, Ryo Kajiwara (@s01), 5/12/2017
1.1 Transport Layer Security (p.1-2)
The four goals of TLS (highest priority first):
• Cryptographic security
• Interoperability
• Extensibility
• Efficiency
1.2 Network Layers
The familiar OSI reference model. As its name says, TLS provides security on top of the transport layer (layer 4 = TCP, UDP) and itself sits at the presentation layer (layer 6). HTTP (layer 7) still "works" without TLS.
1.3 Protocol History
• SSL 2: 1994/11
• SSL 3.0: late 1995
• TLS 1.0 (RFC 2246): 1999/1. Barely differs from SSL 3.0, but is not compatible with it
• TLS 1.1: 2006/4 (security fixes; TLS extensions were specified separately in 2003/6)
• TLS 1.2: 2008/8 (RFC 5246; adds AEAD support)
• TLS 1.3: in progress (as of May 2017)
1.4 Cryptography
How much of this we skip depends on how familiar you are with cryptography.
• You can read and write cryptography papers: feel free to sleep
• (Most of us are probably somewhere in between)
• "Passwords are stored encrypted, right?": we read slowly
1.4.1 Building Blocks (p.5)
Kerckhoffs's principle: a cryptosystem must remain secure even if everything about it except the key falls into the attacker's hands.
• The cipher algorithm must stay secure even when it leaks to the adversary
• Designing a good cipher is hard; the more people have examined and scrutinized a design, the safer it is
• Modern cryptography bases its security on computational infeasibility ("computational security"), not on the impossibility of an attack
1.4.1 Building Blocks (p.7) Stream ciphers
From the key, generate a keystream (a string that looks random) and XOR it with the plaintext to obtain the ciphertext.
With a stream cipher it is critical never to reuse the same key (and hence the same keystream). → From a long-term secret key, derive a one-time key (session key) for each communication and use that.
RC4 is the famous example, but it has known weaknesses. The ECRYPT Stream Cipher Project (eSTREAM) has more recent designs, such as Salsa20/12 and SOSEMANUK.
1.4.1 Building Blocks (p.8) Block ciphers
Encrypt a block of data at a time; most designs use 16-byte blocks. A block cipher is a function that takes an input and returns output that looks random.
To encrypt data of arbitrary length, a block cipher is combined with a mode of operation.
The most widely used block cipher in the world is AES: 128-, 192- or 256-bit key, fixed 128-bit block.
1.4.1 Building Blocks (p.9) Hash functions
• Preimage resistance: given a hash value, it is hard to find a message that hashes to it
• Second-preimage resistance (weak collision resistance): given a message and its hash, it is hard to find a different message with the same hash
• Collision resistance (strong collision resistance): it is hard to find any pair of messages with the same hash
1.4.1 Building Blocks (p.9)
SHA-1 (160 bits) is still widely used, but replacing it with SHA-256 is recommended.
Because of the birthday paradox, a hash function's strength is in principle at most half its output length: for an n-bit hash, about 2^(n/2) hash computations find a collision with high probability.
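The 2^(n/2) birthday bound is easiest to believe when you watch it happen. The following is an added example, not from the deck or the book: it truncates SHA-256 to a few bits so that the search finishes in seconds, then contrasts a collision search (any two messages that agree, birthday effect applies) with a second-preimage search against a fixed target (no birthday effect, about 2^n work). The message prefixes and the target string are constructed for the demo.

```python
import hashlib
import itertools


def truncated_hash(msg: bytes, nbits: int) -> int:
    """SHA-256 truncated to its first nbits bits.

    Truncation is only here to make the 2^(n/2) bound visible at a size that
    runs in seconds; the argument is identical for the full 256-bit output."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def find_collision(nbits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until any two share a value.

    Returns (m1, m2, attempts). Expected attempts are about 1.25 * 2^(nbits/2),
    because every new message is compared against everything seen so far."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = truncated_hash(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def find_second_preimage(target: bytes, nbits: int,
                         prefix: bytes = b"cand-", limit: int = 1 << 22):
    """Second-preimage search: the target hash is fixed, so each candidate has
    only a 2^-nbits chance and the expected cost is about 2^nbits attempts.

    Returns (m2, attempts), or None if the limit is reached first."""
    want = truncated_hash(target, nbits)
    for i in range(limit):
        m = prefix + str(i).encode()
        if m != target and truncated_hash(m, nbits) == want:
            return m, i + 1
    return None
```

With nbits = 24 a collision typically appears after a few thousand hashes (2^12 = 4096), while a second preimage for a 16-bit truncation already needs on the order of 2^16 = 65536 attempts; the same gap is why a 160-bit SHA-1 offers only about 80 bits against collisions but 160 bits against (second) preimages.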
1.4.1 Building Blocks (p.10) MAC (Message Authentication Code), also called a keyed hash
A hash function extended with a secret key so that it provides authentication. If you send a plain hash alongside the data, an attacker can replace the hash as well as the data; a MAC is the countermeasure.
1.4.1 Building Blocks (p.10-11) Modes of operation
• ECB: encrypts each block independently. Patterns in the plaintext show through in the ciphertext, so it is weak; there is no reason to use it.
• CBC: XORs each plaintext block with the previous ciphertext block before encrypting it.
  • Takes an initialization vector (IV). It is important that the IV is random and that it is never reused.
• Others: CTR, GCM, OCB, etc. GCM and OCB provide authenticated encryption.
In CTR mode, both encryption and decryption encrypt (nonce || counter) and XOR the result with the data; the cipher is never run in the reverse direction. So the function plugged into CTR mode does not have to be a block cipher (an invertible permutation): any pseudo-random function is sufficient.
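Two points from the slides above, that a stream cipher's keystream must never be reused and that CTR mode only needs a pseudo-random function, can be shown in a few lines. The following is an added example, not from the deck or the book: it builds CTR mode on HMAC-SHA256 as the PRF (a stand-in for AES, chosen so the code runs on the standard library alone) and then shows exactly what reusing a nonce leaks. The key, nonces and plaintexts are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 32  # HMAC-SHA256 output length; one keystream block


def prf_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One keystream block: PRF(key, nonce || counter).

    HMAC-SHA256 stands in for the block cipher. It is not invertible, which
    is fine: CTR mode never needs to run its primitive backwards."""
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR the data with the keystream.

    Encryption and decryption are the same operation, so one function
    serves both directions."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        keystream = prf_block(key, nonce, offset // BLOCK)
        chunk = data[offset:offset + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_nonce_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """The attack the 'never reuse the key/nonce' rule guards against.

    If p1 and p2 were both encrypted under the same (key, nonce), the
    keystream cancels: c1 XOR c2 == p1 XOR p2. Knowing p1 therefore reveals
    p2 (over the overlapping length) without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)
```

The recovery function needs no key material at all; any position where the attacker can guess one plaintext (protocol headers are ideal) decrypts the other. A fresh nonce per message, as the session-key derivation on the stream cipher slide requires, is what prevents this.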
1.4.1 Building Blocks (p.11-12) Public-key cryptography
The key used for encryption differs from the key used for decryption. If the public key can be shared securely and widely, anyone can send you a message that only you can read (→ PKI, Chapter 3).
Public-key operations are slow, so they are used to negotiate a shared key, after which symmetric encryption with that shared key takes over.
Examples: RSA; ElGamal (Diffie-Hellman key exchange turned into a public-key encryption scheme).
1.4.1 Building Blocks (p.13) Digital signatures
A cryptographic means of making the authenticity of an electronic message or document verifiable.
A MAC is a kind of electronic signature, but it has the problem that the MAC key must be shared with the verifier.
RSA applied "in reverse" (operating with the private key) serves as a signature algorithm. DSA/ECDSA, on the other hand, cannot be used as encryption algorithms.
1.4.1 Building Blocks (p.13) Random number generators
Cryptography needs high-quality (high-entropy) random numbers.
Collecting entropy from external device interrupts (a TRNG) usually does not yield enough entropy, so in practice a pseudorandom number generator (PRNG) is used. For cryptographic use this must be a CSPRNG, whose internal state cannot be predicted.
1.4.2 Protocols (p.14)
The book sketches a simple encrypted-communication protocol:
• Bulk data is encrypted with AES
• Each message carries a MAC to detect tampering
• Each message carries a sequence number to detect dropped messages and replay attacks
• A special message marks the end of the conversation
• Before the conversation, the parties authenticate each other with public-key cryptography
• A key-exchange algorithm is used to exchange the encryption key
1.4.2 Protocols (p.14) In TLS this becomes:
1. A handshake that includes authentication and key exchange
2. After the handshake, data is exchanged with confidentiality and integrity
3. A shutdown procedure ends the session
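The MAC-plus-sequence-number part of the simple protocol above is worth seeing as code, because it is the piece that defeats replay and reordering rather than eavesdropping. The following is an added example, not from the deck or the book: a minimal record layer in which each record is authenticated together with a sequence number that both sides count but never transmit. Confidentiality (the AES step) is left out on purpose so the integrity logic stays visible; the MAC key is constructed for the demo where a real protocol would derive it in the handshake.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def record_tag(mac_key: bytes, seq: int, message: bytes) -> bytes:
    # The sequence number is MACed but never sent on the wire. The peer keeps
    # its own counter, so a replayed or reordered record cannot carry the
    # number that would make it verify.
    return hmac.new(mac_key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def send(self, message: bytes) -> bytes:
        record = message + record_tag(self.mac_key, self.seq, message)
        self.seq += 1
        return record


class RecordReceiver:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.expected_seq = 0

    def receive(self, record: bytes):
        """Return the message if the record is authentic and in order, else None.

        Tampering, replay, reordering and a dropped predecessor all fail the
        same single check. A real protocol aborts the connection on the first
        failure; this demo keeps going only so each case can be shown."""
        if len(record) < TAG_LEN:
            return None
        message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_tag(self.mac_key, self.expected_seq, message)
        if not hmac.compare_digest(tag, expected):
            return None
        self.expected_seq += 1
        return message


def demo() -> dict:
    mac_key = b"\x01" * 32  # constructed demo key
    sender, receiver = RecordSender(mac_key), RecordReceiver(mac_key)
    r1 = sender.send(b"transfer 10 to bob")
    r2 = sender.send(b"logout")
    results = {}
    results["first_ok"] = receiver.receive(r1) == b"transfer 10 to bob"
    results["replay_rejected"] = receiver.receive(r1) is None          # same record again
    results["tamper_rejected"] = receiver.receive(bytes([r2[0] ^ 1]) + r2[1:]) is None
    results["second_ok"] = receiver.receive(r2) == b"logout"
    r3 = sender.send(b"third")
    r4 = sender.send(b"fourth")
    results["gap_rejected"] = receiver.receive(r4) is None             # r3 dropped or reordered
    results["in_order_ok"] = (receiver.receive(r3) == b"third"
                              and receiver.receive(r4) == b"fourth")
    return results
```

Note that replay protection here costs no extra bytes on the wire: the implicit sequence number is bound into the tag, which is also how the TLS record layer does it.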
1.4.3 Attacks on Cryptography (p.15)
• Brute force
• Attacks on the implementation (bugs): timing attacks are the well-known example
• Sometimes breaking into the server and stealing the keys is simply easier
In almost every case it is safer not to design your own protocol and not to implement your own cryptographic code.
1.4.4 Cryptographic Strength (p.16-17)
The strength of a cipher = the number of operations needed to break the algorithm; this is expressed as bits of security.
A bit of security carries a different weight in each kind of scheme, so there are conversion tables giving the equivalent level in one scheme for a level in another.
As of 2012, "protection against attacks for 30 years" corresponds to 128 bits of security for symmetric encryption.
1.4.4 Cryptographic Strength (p.16-17)
Equivalent security levels, from the table on p.64 of NIST SP 800-57 Part 1 Rev. 3 (all values in bits):

Symmetric   RSA/DSA/DH   Elliptic curve   Hash
80          1024         160              160
112         2048         224              224
128         3072         256              256
256         15360        512              512
1.4.5 MITM Attacks (p.17-21) Getting access to the traffic
• ARP spoofing: forge the mapping between MAC addresses and IP addresses to falsify routing on the local network
• WPAD (Web Proxy Auto-Discovery) hijacking: lure clients to a fake proxy
• DNS hijacking, DNS cache poisoning: serve false DNS data to take over traffic bound for a domain
• BGP route hijacking: routers on the Internet advertise bogus routes so that traffic passes through the attacker
1.4.5 MITM Attacks (p.17-21) Passive attacks
• Continuously monitor unencrypted traffic
• Even encrypted traffic can be stored for a long time while waiting for the cipher to be broken
• Hence the importance of Perfect Forward Secrecy [2]: it is bad if one key lets an attacker go back and decrypt past traffic.
[2] "Perfect Forward Secrecy" and "Forward Secrecy" mean the same thing.
1.4.5 MITM Attacks (p.17-21) Active attacks
The classic MITM attack targets authentication: Mallory makes Alice believe she is talking to Bob.
This is possible because plain Diffie-Hellman key exchange provides no authentication.
1.4.5 MITM Attacks (p.17-21) Active attacks
In TLS, the ideal attack is for Mallory to present a certificate that Alice accepts as valid. Tricking a service into issuing a certificate is covered in Chapter 4; attacks that construct a certificate that looks valid are in Chapter 6. Mallory can also present an invalid certificate and hope the user ignores the warning, or send the browser requests that disable encryption (Chapter 7).
Because these attacks are costly, they are not run at large scale but against specific targets.
Supplement: related material that is not in the book
1. Stream ciphers and the One-Time Pad
2. Terminology around collision resistance
3. The definition of HMAC
4. Man-in-the-middle attacks on Diffie-Hellman key exchange
Stream ciphers and the One-Time Pad
The One-Time Pad (Vernam cipher) uses a random string as long as the plaintext as its key and obtains the ciphertext as in the formula on the slide [formula omitted in transcript]. The One-Time Pad leaks no information about the plaintext into the ciphertext, so it is information-theoretically perfectly secret, but it is impractical; in practice a keystream is instead generated from a short key.
Terminology around collision resistance
SHAttered broke SHA-1's strong collision resistance (producing a single colliding pair), but its weak collision resistance (given a string, producing a different string with the same hash) has not been broken. So claiming that this alone makes SHA-1 "unfit as a password hash" is false. That said, better options exist, so use SHA-256, or bcrypt for password storage.
The definition of HMAC
Given a hash function H and a key K:
ipad = 0x36 repeated to the length of K
opad = 0x5c repeated to the length of K
(|| denotes concatenation. In words: take the hash of (K XOR ipad) concatenated with text, append that hash to (K XOR opad), and hash the result.)
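The definition above is short enough to implement directly and check against a library. The following is an added example, not from the deck or the book: HMAC written out from the RFC 2104 construction H((K XOR opad) || H((K XOR ipad) || text)), compared with Python's `hmac` module and with a published test vector. It includes one detail the slide glosses over: RFC 2104 hashes keys longer than the block size and zero-pads the key to the block size B, so ipad and opad are B bytes long rather than "the length of K".

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, text: bytes, H=hashlib.sha256) -> bytes:
    """HMAC as RFC 2104 defines it: H((K XOR opad) || H((K XOR ipad) || text))."""
    B = H().block_size            # 64 bytes for SHA-256
    if len(key) > B:              # RFC 2104: keys longer than B are hashed first
        key = H(key).digest()
    key = key.ljust(B, b"\x00")   # then zero-padded to exactly B bytes
    ipad = bytes([0x36]) * B
    opad = bytes([0x5c]) * B
    k_ipad = bytes(k ^ p for k, p in zip(key, ipad))
    k_opad = bytes(k ^ p for k, p in zip(key, opad))
    inner = H(k_ipad + text).digest()      # inner hash over the message
    return H(k_opad + inner).digest()      # outer hash over the inner hash


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """True if our construction agrees with hmac.new(...) for SHA-256."""
    ours = hmac_from_definition(key, text)
    theirs = hmac.new(key, text, hashlib.sha256).digest()
    return hmac.compare_digest(ours, theirs)


def rfc4231_test_case_1() -> str:
    # RFC 4231, test case 1: key = 20 bytes of 0x0b, data = "Hi There".
    return hmac_from_definition(b"\x0b" * 20, b"Hi There").hex()
```

The two nested hashes are what distinguish HMAC from the naive H(K || text), which for Merkle-Damgard hashes such as SHA-256 is vulnerable to length-extension; the outer hash with the independent opad key closes that gap.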
Man-in-the-middle attacks on Diffie-Hellman key exchange
(Non-EC) DH key exchange:
• Public values: p, a large prime; g, a generator of the multiplicative group modulo p
• Secret values: one per party [symbols omitted in transcript]
• Values sent to the peer: [symbols omitted in transcript]
Man-in-the-middle attacks on Diffie-Hellman key exchange
The attacker Eve intercepts the values sent by Alice and Bob, generates a secret value of her own with the same properties as theirs, and hands each party the following value in place of the original: [formula omitted in transcript]
Man-in-the-middle attacks on Diffie-Hellman key exchange
Alice and Bob then each compute the following: [formula omitted in transcript]
At this point a shared key has been agreed between Alice and Eve, and a different one between Eve and Bob [the two values are omitted in the transcript]. Neither Alice nor Bob can tell, because nothing in plain DH authenticates who sent the public value.
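The exchange in the supplement, run both honestly and with Eve in the middle, as an added example that is not part of the deck or the book. The group parameters are constructed for the demo: p = 2^127 - 1 (a Mersenne prime, far too small for real use, where standardized 2048-bit or larger groups are used) and g = 3, which is not verified to generate the whole group since the attack does not depend on it. The final function shows the fix the slides point to: authenticating the exchanged values. A pre-shared authentication key stands in here for the certificate-based authentication TLS actually uses.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # demo prime (M127); constructed for this example only
G = 3                # demo base; not checked to be a generator of Z_p^*


def keygen():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def shared_secret(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)


def honest_exchange():
    """Alice and Bob exchange A and B directly; both derive the same key."""
    a, A = keygen()
    b, B = keygen()
    return shared_secret(B, a), shared_secret(A, b)


def mitm_exchange() -> dict:
    """Eve replaces both public values with her own E = g^e mod p."""
    a, A = keygen()
    b, B = keygen()
    e, E = keygen()                      # Eve's secret: same kind of value as a and b
    return {
        "alice": shared_secret(E, a),    # Alice believes E came from Bob
        "bob": shared_secret(E, b),      # Bob believes E came from Alice
        "eve_alice": shared_secret(A, e),  # equals Alice's key
        "eve_bob": shared_secret(B, e),    # equals Bob's key
    }


def transcript_tag(auth_key: bytes, sent: int, received: int) -> bytes:
    """MAC over the public values a party sent and received, under a key Eve lacks."""
    data = sent.to_bytes(16, "big") + received.to_bytes(16, "big")
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def authenticated_exchange(auth_key: bytes, attacker_present: bool) -> bool:
    """Bob verifies Alice's tag against his own view of the exchange.

    Returns True when the views agree (honest run) and False when Eve has
    substituted E, because Alice saw (A, E) while Bob saw (E, B)."""
    a, A = keygen()
    b, B = keygen()
    if attacker_present:
        e, E = keygen()
        alice_received, bob_received = E, E
    else:
        alice_received, bob_received = B, A
    alice_tag = transcript_tag(auth_key, A, alice_received)
    bob_expects = transcript_tag(auth_key, bob_received, B)
    return hmac.compare_digest(alice_tag, bob_expects)
```

The substitution succeeds in `mitm_exchange` because Eve's E is indistinguishable from any other group element; only binding the public values to an identity Eve cannot impersonate, as `authenticated_exchange` does with a shared key and TLS does with certificates, lets the parties notice.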