Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第1章資料
Search
sylph01
May 12, 2017
Technology
0
1.3k
『プロフェッショナルSSL/TLS』読書会 第1章資料
https://connpass.com/event/56085/
sylph01
May 12, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
91
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
31
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
84
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.1k
組織におけるCCoEの役割とAWS活用事例
nrinetcom
PRO
4
120
データベースの負荷を紐解く/untangle-the-database-load
emiki
2
500
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
220
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
120
Active Directory攻防
cryptopeg
PRO
8
5.4k
Windows の新しい管理者保護モード
murachiakira
0
200
JavaにおけるNull非許容性
skrb
2
2.6k
ABWG2024採択者が語るエンジニアとしての自分自身の見つけ方〜発信して、つながって、世界を広げていく〜
maimyyym
1
120
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
2
220
LINEギフトにおけるバックエンド開発
lycorptech_jp
PRO
0
260
分解して理解する Aspire
nenonaninu
2
1k
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
50
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The Language of Interfaces
destraynor
156
24k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
A better future with KSS
kneath
238
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Transcript
(1) SSL/TLSͱ҉߸ٕज़ @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 5/12/2017
1.1 Transport Layer Security (p.1-2) TLSͷ4ͭͷඪ(্͔Βߴ༏ઌ): • ҉߸ֶతͳηΩϡϦςΟ(Cryptographic security) •
૬ޓӡ༻ੑ(Interoperability) • ֦ுੑ(Extensibility) • ޮੑ(Efficiency)
1.2 ωοτϫʔΫͷ֊ ͍ΘΏΔOSIࢀরϞσϧͷɻTLS໊લͷ௨Γτϥϯεϙʔτ (ୈ4 = TCP, UDP)ʹରͯ͠securityΛఏڙ͢ΔɻϓϨθϯςʔγϣ ϯ=ୈ6ʹҐஔ͢Δɻ TLS͕ͳͯ͘HTTP(=ୈ7)ʮػೳ͢Δʯɻ
1.3 ϓϩτίϧͷྺ࢙ • SSL2: 1994/11 • SSL 3.0: 1995ޙ •
TLS 1.0(RFC 2246): 1999/1 • ΄ͱΜͲSSL 3.0ͱࠩͳ͍͕ޓੑͳ͠ • TLS 1.1: 2006/4 (security fix, TLS֦ு(2003/6)) • TLS 1.2: 2008/4 (AEADରԠ) • TLS 1.3: ongoing
1.4 ҉߸ٕज़ Ͳͷ͘Β͍҉߸ٕज़ʹ͠Έ͕͋Δ͔ʹΑͬͯಡΈඈ͠·͢ɻ • ҉߸ֶͷจ͕ಡΊΔ/ॻ͚Δ: ৸ͯͯେৎ • ʢͨͿΜ͜ͷؒͩͱࢥ͍·͢ʣ • ύεϫʔυͬͯ҉߸Խͯ͠อଘ͞ΕΔΜͩΑͶʁ:
Ώͬ͘ΓಡΉ
1.4.1 ཁૉٕज़ (p.5) Kerckhoffsͷݪଇ ҉߸γεςϜɺ伴Ҏ֎ͷ͕ͯ͢߈ܸऀʹঠѲ͞Εͨͱͯ͠ ҆શͰͳ͚ΕͳΒͳ͍ɻ • ҉߸ΞϧΰϦζϜ͕ఢରऀʹ࿙Εͯ҆શͰ͋Δඞཁ͕͋Δ • ༏Εͨ҉߸ΞϧΰϦζϜΛઃܭ͢Δͷ͍͠ɻͨ͘͞Μͷਓ
ͷʹ৮Εͯਫ਼ࠪ͞Εͨͷ΄Ͳ҆શɻ ݱͷ҉߸ʮܭࢉྔత҆શੑʯʹͦͷࠜڌΛஔ͍͍ͯΔ
1.4.1 ཁૉٕज़ (p.7) ετϦʔϜ҉߸ 伴͔ΒϥϯμϜʹݟ͑ΔจࣈྻͰ͋Δ伴ετϦʔϜΛੜ͠ɺ ͱͯ͠҉߸จΛಘΔɻ ετϦʔϜ҉߸Ͱʮಉ͡伴Λ͍·Θ͞ͳ͍͜ͱʯ͕ඇৗʹॏ ཁɻˠظؒʹΘͨͬͯར༻͢Δൿີ伴͔Βɺ௨৴ͷͨͼʹ1ճݶ Γͷ伴ʢηογϣϯ伴ʣΛಋग़ͯ͠͏ɻ RC4͕༗໊͕ͩऑ͕ΒΕ͍ͯΔɻECRYPT
Stream Cipher Project ʹ࠷৽ͷͷ͕͋ΔɻSalsa20/12SOSEMANUKͳͲɻ
1.4.1 ཁૉٕज़ (p.8) ϒϩοΫ҉߸ ϒϩοΫ୯ҐͰ·ͱΊͯ҉߸Խɻଟ͘ͷํࣜͰ16byte͝ͱɻೖྗ Λड͚ͱͬͯϥϯμϜʹݟ͑Δग़ྗΛฦؔ͢ɻ ϒϩοΫ҉߸ҙͷ͞ͷσʔλΛ҉߸Խ͢ΔͨΊ҉߸ར༻Ϟ ʔυͱΈ߹ΘͤͰ͏ɻ ੈքͰ࠷Α͘ར༻͞Ε͍ͯΔͷAESɻ伴͕128bit/192bit/ 256bitɺϒϩοΫ128bitݻఆɻ
1.4.1 ཁૉٕज़ (p.9) ϋογϡؔ • ݪ૾ܭࢉࠔੑ: ͋Δϋογϡʹର͠ɺಉ͡ϋογϡʹͳΔ ϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭ • ୈ2ݪ૾ܭࢉࠔੑ(ऑিಥੑ):
͋Δϝοηʔδͱϋογϡ͔ Βɺಉ͡ϋογϡʹͳΔผͷϝοηʔδΛݟ͚ͭΔ͜ͱ͕ࠔ Ͱ͋Δੑ࣭ • িಥੑ(ڧিಥੑ): ಉ͡ϋογϡʹͳΔϝοηʔδͷΈ ߹ΘͤΛݟ͚ͭΔ͜ͱ͕ࠔͰ͋Δੑ࣭
1.4.1 ཁૉٕज़ (p.9) SHA1(160bit)͕Α͘ΘΕ͍ͯΔ͕SHA256ͷஔ͖͕͑ਪ͞ Ε͍ͯΔɻ ϋογϡؔͷڧݪཧతʹʮੜͷύϥυοΫεʯ͔ΒΑ ͯ͘ϋογϡͷ͞ͷɻn-bitͷϋογϡ2^(n/2)ճϋογ ϡܭࢉ͢ΕিಥΛߴ֬Ͱݟ͚ͭΒΕΔɻ
1.4.1 ཁૉٕज़ (p.10) MAC(Message Authentication Code) ͋Δ͍ 伴͖ϋογϡ(keyed- hash):ϋογϡؔΛ֦ுͯ͠ೝূΛՄೳʹͨ͠ͷɻϋογϡ ΛσʔλͱҰॹʹૹΔͱϋογϡͦͷͷվ͟Μ͞Ε͏Δͷ
Ͱͦͷରࡦʹ͏ɻ
1.4.1 ཁૉٕज़ (p.10-11) ҉߸ར༻Ϟʔυ • ECB: ϒϩοΫ୯ҐͰݸผʹ҉߸Խɻ҉߸จʹฏจͷใ͕ݱΕ ͯ͠·͏ͨΊ੬ऑɻ͏ཧ༝ͳ͠ɻ • CBC:
લͷϒϩοΫͷ҉߸Խ݁ՌͷXORΛͱ͔ͬͯΒ҉߸Խɻ • ॳظԽϕΫτϧ(IV)ΛऔΔɻϥϯμϜͳΛ͏͜ͱͱɺ͜ͷ Λ͍·Θ͞ͳ͍͜ͱ͕ॏཁɻ • ଞ: CTRɺGCMɺOCBͳͲɻGCMͱOCBೝূ͖ͭ҉߸Λఏڙɻ
None
None
CTRϞʔυͷ߹ɺ҉߸Խ/෮߸Խ྆ํͰNonceͱcounterͷ҉߸Խ Λߦ͏ɻΑͬͯCTRϞʔυʹద༻͢Δؔblock cipherͰͳ͘ pseudo-random functionͰेɻ
1.4.1 ཁૉٕज़ (p.11-12) ެ։伴҉߸ํࣜ ҉߸Խʹ͏伴ͱ෮߸ʹ͏伴͕ผɻ ެ։伴Λ҆શʹ͘ڞ༗Ͱ͖Ε͚͕ࣗͩಡΊΔϝοηʔδΛ શһ͔ΒૹͬͯΒ͑ΔʢˠPKIɺୈ3ষʹͯʣɻ ެ։伴҉߸ܭࢉʹ͕͔͔࣌ؒΔͷͰɺڞ༗伴ͷωΰγΤʔγϣ ϯʹΘΕɺͦͷޙڞ༗伴Λͬͯରশ伴҉߸Λ͏ɻ RSAɺElGamal(DH伴ަΛެ։伴҉߸ʹద༻ͨ͠ͷ)
1.4.1 ཁૉٕज़ (p.13) ిࢠॺ໊ ిࢠϝοηʔδจॻͷਅਖ਼ੑ(authenticity)ΛݕূՄೳʹ͢Δ҉߸ ֶతͳखஈɻ MACిࢠॺ໊ͷҰछ͕ͩMAC伴ͷڞ༗ͱ͍͏͕͋Δɻ RSAΛٯํʹద༻͢Δ͜ͱͰిࢠॺ໊ΞϧΰϦζϜͱͯ͑͠ ΔɻҰํͰDSA/ECDSA҉߸ԽΞϧΰϦζϜͱͯ͑͠ͳ͍ɻ
1.4.1 ཁૉٕज़ (p.13) ཚੜث ҉߸ʹ࣭ͷ͍͍ʢhigh entropyͳʣཚ͕ඞཁɻ ֎෦ஔͷׂΓࠐΈʹΑΔΤϯτϩϐʔͷऩू(=TRNG)Ͱ͍ͩͨ ͍ͷ߹ेͳΤϯτϩϐʔ͕ू·Βͳ͍ͷͰ࣮ࡍٙࣅཚੜ ث(PRNG)Λ͏ɻ҉߸ʹ༻͍Δͷʹ෦ঢ়ଶͷ༧ଌෆՄೳ ੑΛ࣋ͬͨCSPRNG͕ඞཁɻ
1.4.2 ϓϩτίϧ (p.14) ؆୯ͳ҉߸௨৴ϓϩτίϧͷྫΛ͍ࣔͯ͠Δɻ • ·ͱ·ͬͨσʔλͷ҉߸ԽAESͰ • վ͟Μʹରॲ͢ΔͨΊϝοηʔδʹMACΛ༩ • ϝοηʔδͷܽམ/ϦϓϨΠ߈ܸʹରॲ͢ΔͨΊ࿈൪Λ༩
• ձͷऴྃΛࣔ͢ಛघͳϝοηʔδ • ձʹઌཱͬͯެ։伴҉߸ํࣜͰޓ͍Λೝূ • 伴ަΞϧΰϦζϜͰ҉߸伴Λަ
1.4.2 ϓϩτίϧ (p.14) TLSʹ͓͍ͯ 1. ೝূͱ伴ަΛؚΜͩϋϯυγΣΠΫ 2. ϋϯυγΣΠΫޙʹػີੑͱશੑͷ͋Δঢ়ଶͰσʔλΛަ 3. γϟοτμϯͷखॱͰऴྃ
Λߦ͏ɻ
1.4.3 ҉߸ٕज़ʹର͢Δ߈ܸ (p.15) • ૯Γ߈ܸ • ࣮ʢόάʣʹର͢Δ߈ܸ: λΠϛϯά߈ܸͳͲ͕Α͘ΒΕΔ • αʔόʹ৵ೖͯ͠҉߸伴ΛऔΔ΄͏͕؆୯ͳ͜ͱ
΄ͱΜͲͷ߹ɺʮϓϩτίϧΛࣗͰઃܭ͠ͳ͍ʯʮ҉߸ॲཧ ͷίʔυΛࣗͰ࣮͠ͳ͍ʯ΄͏͕҆શɻ
1.4.4 ҉߸ڧ (p.16-17) ҉߸ͷڧ = ҉߸ΞϧΰϦζϜΛഁΔͷʹඞཁͳૢ࡞ͷճɺ͜ ΕΛϏοτ҆શੑͱ͍͏ɻ ҉߸ԽํࣜʹΑͬͯϏοτ҆શੑͷॏΈ͕ҟͳΔͷͰɺଞͷํࣜ ͷͲͷϨϕϧͱՁ͔ɺͱ͍͏มද͕͋Δɻ 2012࣌Ͱʮ30ͷ߈ܸʹର͢Δอޢʯɿڞ௨伴҉߸Խʹ͓͚
Δ128Ϗοτ૬
1.4.4 ҉߸ڧ (p.16-17) NIST SP800-57 Part1 Rev.3 ͷp.64ʹ͋ΔՁ҆શੑͷද1 ڞ௨伴҉߸ RSA/DSA/DH
ପԁۂઢ҉߸ ϋογϡ 80 1024 160 160 112 2048 224 224 128 3072 256 256 256 15360 512 512 1 ୯ҐͦΕͧΕbit
1.4.5 MITM߈ܸ (p.17-21) ΞΫηεͷୣऔ • ARP spoofing: MACΞυϨεͱIPΞυϨεͷؔ࿈͚Λশ͢Δ ͜ͱͰϩʔΧϧωοτϫʔΫʹ͓͚Δܦ࿏ใΛশ͢Δ •
WPAD(Web Proxy Auto-Discovery) hijacking: ِͷϓϩΩγʹ༠ಋ • DNS hijacking, DNS cache poisoning: ِͷDNSใΛ༩͑Δ͜ͱͰ υϝΠϯʹ͔͏τϥϑΟοΫΛͬऔΔɻ • BGP route hijacking: Πϯλʔωοτ্ͷϧʔλ͕ෆਖ਼ͳܦ࿏Λ ࢦఆ͢Δ͜ͱͰ௨৴͕߈ܸऀͷͱ͜ΖΛ௨Δ
1.4.5 MITM߈ܸ (p.17-21) डಈత߈ܸ • ҉߸Խ͞Ε͍ͯͳ͍τϥϑΟοΫΛܧଓతʹϞχλϦϯά • ҉߸Խ͞ΕͨτϥϑΟοΫͰظؒอଘͯ͠҉߸͕ഁΒΕΔ ͷΛͯΑ͍ •
Perfect Forward Secrecy2ͷॏཁੑɻಉ͡伴Λͬͯաڈʹ͞ ͔ͷ΅ͬͯ௨৴͕෮ݩͰ͖ΔͱϚζ͍ɻ 2 Perfect Forward SecrecyͱForward Secrecyಉٛɻ
1.4.5 MITM߈ܸ (p.17-21) ೳಈతͳ߈ܸ ैདྷͷMITM߈ܸ: Mallory͕ʮBobͱ͍ͯ͠Δ͔ͷΑ͏ʹAliceʹࢥ ͍ࠐ·ͤΔʯʹೝূΛλʔήοτʹͨ͠ͷɻ ௨ৗͷDH伴ަͰೝূ͕ఏڙ͞Εͳ͍ͷͰ͜Ε͕Մೳɻ
1.4.5 MITM߈ܸ (p.17-21) ೳಈతͳ߈ܸ TLSͷ߹ɺAlice͕༗ޮͳͷͱͯ͠ड͚औΔΑ͏ͳূ໌ॻΛ Mallory͕ఏࣔ͢Δ͜ͱ͕ཧతͳ߈ܸɻ αʔϏεΛὃͯ͠ূ໌ॻΛೖख͢Δํ๏4ষɺ༗ޮʹݟ͑Δূ໌ ॻΛߏ͢Δ߈ܸ6ষʹͯɻܯࠂΛແࢹ͢Δ͜ͱΛظͯ͠ෆਖ਼ ͳূ໌ॻΛఏࣔ͢Δ͜ͱɻϒϥβʹ҉߸ԽΛແޮԽ͢ΔΑ͏ ͳϦΫΤετΛૹ৴͢Δ߈ܸɻ7ষʹͯɻ
ίετ͕ߴ͍ͨΊେنʹߦΘͣಛఆͷରʹରͯ͠ߦ͏ɻ
None
ิ ຊʹࡌͬͯͳ͍͚Ͳؔ࿈͢Δ·ͱΊɻ 1. ετϦʔϜ҉߸ͱOne-Time Pad 2. িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ 3. HMACͷఆٛ 4.
DH伴ަʹ͓͚Δதؒऀ߈ܸ
ετϦʔϜ҉߸ͱOne-Time Pad One-Time Pad(Vernam҉߸)Ͱฏจͱಉ͡͞ͷཚྻΛ伴ͱ͠ ͯ ͷΑ͏ʹ҉߸จΛಘΔɻOne-Time Pad ฏจͷใΛҰ҉߸จʹ͞ͳ͍ใྔతʹperfectly secret ͳ҉߸͕ͩݱ࣮తͰͳ͍ͷͰɺݱ࣮ʹ͍伴͔Β伴ετϦʔϜ
Λੜ͢Δɻ
িಥੑʹؔ͢Δ༻ޠʹ͍ͭͯ SHA1SHAtteredͰڧিಥੑʢʹ1ͭͷিಥ͢ΔϖΞΛ࡞Γग़͢ ͜ͱʣಥഁ͞Ε͕ͨɺऑিಥੑʢʹ͋Δจࣈྻʹର͢Δϋο γϡͱಉ͡ϋογϡΛ༩͑ΔผͷจࣈྻΛࣔ͢ʣ·ͩಥഁ ͞Ε͍ͯͳ͍ͷͰɺ͜Ε͚ͩͰͬͯʮύεϫʔυϋογϡͱͯ͠ ෆద֨ʯͱ͍͏ͷιɻͬͱɺଞͷબࢶ͕ͬͱ༏लͳ ͷͰSHA256bcryptΛ͍·͠ΐ͏ɻ
HMACͷఆٛ ϋογϡؔHͱ伴KΛͬͯɺ ipad = Kͷ͞ͷ0x36 opad = Kͷ͞ͷ0x5c ʢ ||
࿈݁Λද͢ɻͳͷͰɺ ͱtextΛ͚ͬͭͨ͘ͷͷϋ ογϡΛɺ ͷޙΖʹ͚ͬͭͯ͘ɺͦͷϋογϡΛऔ Δɺͱ͍͏͜ͱʣ
DH伴ަʹ͓͚Δதؒऀ߈ܸ (ECͰͳ͍)DH伴ަ: • ެ։ͷ • p ͷେ͖ͳૉ • g
ͷੜݩ • ൿີͷ: • ૬खʹૹΒΕΔ:
None
None
DH伴ަʹ͓͚Δதؒऀ߈ܸ தؒऀEve͕ ͷΛड͚औΓɺ ͱಉ༷ͷੑ࣭Λ࣋ͭ Λੜ͠ɺҎԼͷΛ૬खʹΘΓʹ͢:
DH伴ަʹ͓͚Δதؒऀ߈ܸ ͦ͏͢ΔͱAliceͱBobҎԼͷΛܭࢉ͢Δ: ͜ͷͱ͖ɺAliceͱEveɺEveͱBobͷؒʹڞ௨伴ͷਃ͠߹Θཱ͕ͤ ͢Δʢલऀ ɺޙऀ ʣɻ