Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
Search
sylph01
December 08, 2017
Technology
0
290
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
https://ptls-study.connpass.com/event/71304/
sylph01
December 08, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
Secure Messaging at IETF 118
sylph01
0
32
Adventures in the Dungeons of OpenSSL
sylph01
0
290
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
190
Build and Learn Rails Authentication
sylph01
8
1.8k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
180
DNS Encryption and Its Controversies
sylph01
0
620
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.2k
Action Mailbox in Action
sylph01
1
3k
Keebs-n-Kaigi
sylph01
1
240
Other Decks in Technology
See All in Technology
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.6k
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
150
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
220
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
4
310
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.5k
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
63
18k
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
240
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
710
On Your Data を超えていく!
hirotomotaguchi
2
140
Postman v10リリース後を振り返る
nagix
0
140
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
110
Featured
See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Web Components: a chance to create the future
zenorocha
305
41k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
The Pragmatic Product Professional
lauravandoore
24
5.8k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Building Effective Engineering Teams - LeadDev
addyosmani
27
1.8k
Optimizing for Happiness
mojombo
370
69k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Teambox: Starting and Learning
jrom
128
8.4k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Transcript
(7) ϓϩτίϧʹର͢Δ ߈ܸ: 7.4-7.8 @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 12/8/2017
None
લճͷ༰ લͷΠϕϯτϖʔδ ͔ΒͲ͏ͧ
7.4 Lucky 13 ҉߸ར༻Ϟʔυ͕CBCϞʔυͰ͋Δͱ͖ʹʮฏจͷখ͞ͳҰ෦ ʯΛղಡͰ͖Δ߈ܸɻ ࠜຊݪҼCBCϞʔυͰΘΕΔύσΟϯά͕TLSͷશੑݕূͷ ΈͰอޢ͞Εͳ͍͜ͱʹΑͬͯύσΟϯάΦϥΫϧ߈ܸ͕ ཱͯ͠͠·͏͜ͱɻ ฏจ1όΠτΛղಡ͢Δͷʹ8192ճͷHTTPϦΫΤετΛ͏ɻ
ύσΟϯά DESɺAESͳͲͷϒϩοΫ҉߸ͰೖྗΛϒϩοΫʹἧ͑ΔͨΊ ʹฏจʹύσΟϯάΛՃ͢Δɻ PKCS#7 padding: ඌʹ༩͢ΔόΠτͷʹ͍͠ͷίʔυ ϙΠϯτͷจࣈΛՃ͢Δɻ 2จࣈΓͳ͍߹: 0x02 0x02
4จࣈΓͳ͍߹: 0x04 0x04 0x04 0x04 ͽͬͨΓͷ߹1ϒϩοΫ·Δ͝ͱύσΟϯάΛՃɻ
ύσΟϯάΦϥΫϧ ʮ෮߸ͨ݁͠ՌύσΟϯά͕ؒҧ͍͑ͯ·ͨ͠ʯ͕ʮ෮߸ͨ݁͠ ՌσʔλͷશੑνΣοΫΛ௨Γ·ͤΜͰͨ͠ʯͱҧ͏ΤϥʔΛ ฦ͢߹ʹ߈ܸ͕ՄೳʹͳΔɻ TLS 1.0Ͱ • ύσΟϯάΤϥʔ: decryption_failed •
MACͷΤϥʔ: bad_record_mac →۠ผͰ͖ͯ͠·͏͜ͱͰʮύσΟϯάΦϥΫϧʯ͕Ͱ͖Δʂ
λΠϛϯάΦϥΫϧ TLS 1.0ͷΑ͏ʹҧͬͨΤϥʔͰڭ͑ͯ͘Εͳͯ͘ɺύσΟϯά ͕ਖ਼͍͠߹ͱؒҧ͍ͬͯΔ߹Ͱʮ࣮ߦ࣌ؒʯ͕ҟͳΔ͜ͱΛ ͬͯύσΟϯάΦϥΫϧ͕Ͱ͖ͯ͠·͏ɻ decrypted = decrypt_cbc(ciphertext) if !padding_correct?(decrypted)
return false else check_mac(decrypted, mac) # this takes additional time! end
ύσΟϯάΦϥΫϧ߈ܸ ࠷ऴతͳಈ࡞ͷ༷ࢠ٭62൪ͷγϛϡϨʔλ https:/ / erlend.oftedal.no/blog/poet/ ͕ඇৗʹΑ͘Ͱ͖͍ͯΔͷͰճͯ͠Έ ΔͱΑ͍ɻ
None
None
ύσΟϯάΦϥΫϧ߈ܸ ղಡରͷϒϩοΫͷલͷϒϩοΫΛૢ࡞͢ΔͷͰɺ͜ΕΛԾʹ ͱ͓͘ɻਖ਼͍͠લͷϒϩοΫͷ ͱ͓͘ɻ ʢલͷਤࢀরʣ ͜͜Ͱɺ ʢ҉߸ԽॲཧͷఆٛΑΓʣͳͷͰɺ
ύσΟϯάΦϥΫϧ߈ܸ ͜͜Ͱɺ طɺ·ͨύσΟϯάΦϥΫϧଘࡏ࣌ʹ Λ ૢ࡞ͯ͠ ͕ύσΟϯάͱͯ͠༗ޮͳΛ͍࣋ͬͯΔ͔Ͳ͏͔Θ ͔ΔͷͰɺ݁Ռͱͯ͠ ͷ͕Θ͔Δʢͨͩ͠1όΠτͣͭʣɻ
TLSʹର͢Δ߈ܸ TLS 1.0ͰύσΟϯάΤϥʔͱMACΤϥʔ͕ҟͳΔΤϥʔΛฦ͠ ͕ͨɺ௨৴͕҉߸Խ͞Ε͍ͯΔͷͰωοτϫʔΫ্͔Β߈ܸ͢Δ ͷࠔͩͬͨɻ͔͠͠OpenSSLʹλΠϛϯάΦϥΫϧ͕ଘࡏ ͨͨ͠Ί࣮࣭ύσΟϯάΦϥΫϧ߈ܸ͕Մೳͩͬͨɻ 2003ͷCanvelΒʹΑΔ߈ܸ: OpenSSL + IMAPΛ߈ܸɻී௨ύσΟ
ϯάͷਪଌʹࣦഊͨ͠߹TLSηογϣϯ͕Εͯ͠·͏͕ɺ IMAPࣦഊͨ͠߹ʹࣗಈͰ࠶ࢼߦ͢ΔͨΊ߹͕Α͔ͬͨɻ
TLSʹର͢Δ߈ܸ Lucky 13߈ܸ(2013, AlFardan and Paterson): TLS 1.1Ͱ decryption_failed௨͕ඇਪʹͳΓɺMACͷܭࢉύσΟϯ ά͕ؒҧ͍ͬͯͨ߹Ͱߦ͏͜ͱͱ͕ͨ͠ɺMACͷύϑΥʔϚ
ϯε͕σʔλϑϥάϝϯτͷ͞ʹґଘͯ͠͠·͏͜ͱΛར༻͠ ͨαΠυνϟωϧΛͬͯ߈ܸʹޭͨ͠ɻ
Өڹ • ฏจશ෦Λ߈ܸ͢Δʹඇৗʹ͕͔͔࣌ؒΔͨΊɺ௨৴ճ෮ػ ߏΛඋ͍͑ͯΔࣗతͳγεςϜΛରʹ͢Δ͜ͱ͕ଟ͍ • Ұ෦ͷฏจ͕໌͍ͯ͠Δ߹ʹΑΓগͳ͍ࢼߦճͰࡁΉ ʢͱ͍֤͑όΠτ͋ͨΓ65536ճʣ • JavaScriptϚϧΣΞΛͬͨ߈ܸ •
Cookieͷจࣈछ੍ݶʹΑΓճ͕ݮΔ • ਪଌʹࣦഊͯ͠௨৴ࣦഊ͕ϢʔβʔʹόϨͳ͍ʂ
؇ࡦ ݁ͱͯ͠TLSʹ͓͚ΔCBCʹ͕͋Δɻ݁ՌTLS 1.3ͰCBC ϞʔυશഇɺAEADݶఆͱͳΔ༧ఆɻ ετϦʔϜ҉߸Λ͑ύσΟϯά͕ཁΒͳ͍͕ɺগͳ͘ͱ ࣌1TLSʹଘࡏͨ͠།ҰͷετϦʔϜ҉߸RC4ͰɺͦΕͦΕͰ ͕͋ͬͨɻ ೝূ͖ͭ҉߸(AEAD; GCMϞʔυͳͲ)Λ͑MACʹΑΔλΠϛϯ άղܾ͢Δ͕͜ΕʹTLS
1.2͕ඞཁɻ 1 TLS 1.3ͰChaCha20/Poly1305͕͑ΔΑ͏ʹͳΔϋζ
None
7.5 RC4ͷऑ TL;DR: ݱతʹRC4͏ཧ༝ͳ͍ͷͰ͏ͳɻ
伴εέδϡʔϦϯάͷऑ 伴εέδϡʔϦϯά = ͍จࣈྻ͔Β伴ετϦʔϜΛग़ྗ͢ΔΞ ϧΰϦζϜͷ͜ͱɻ ͘͝Ұ෦͕Θ͔Εॳظग़ྗͷଟ͘ΛܾఆͰ͖ͯ͠·͏Α͏ͳ 伴͕ଟ͍ʢऑ伴ͷଘࡏʣɺ伴ͷ࠶ར༻͕͋Δ͚ͩͰ伴ετϦʔϜ ͷҰ෦ΛಛఆͰ͖ͯ͠·͏ɺͱ͍͏͕ΒΕ͍͕ͯͨ… 2011 BEAST߈ܸൃදˠRC4͕TLS
1.0ҎલͰ།Ұ҆શͳ҉߸Ξϧ ΰϦζϜʹʂ
୯ҰόΠτͷภΓ ಛʹॏཁͳͷ͕ɺ伴ετϦʔϜͷ2όΠτ͕௨ৗͷ2ഒͷ֬Ͱ0 ʹͳΔɺͱ͍͏ੑ࣭ɻ 0ʹͳΔͱ͍͏͜ͱXORΛऔͬͯ0ɻ →ͨ͘͞ΜͷଓΛੜ͠ɺ࠷සൟʹ2όΠτʹݱΕΔ͕ฏ จͱҰகɺͱݟͯؒҧ͍ͳͦ͞͏
ઌ಄256όΠτʹ͓͚ΔภΓ 2013, AlFardanΒ: ઌ಄256όΠτͷ֤όΠτͷதͰಛఆͷʹภΔ ͕͋Δ͜ͱΛൃݟɻ →256όΠτΛղಡ͢ΔͨΊʹඞཁͳσʔλαϯϓϧ͕ ɺจ ࣈ͕ݶΒΕΔ߹ʹ ʹͳͬͨɻRC4͕௨ৗอূ͢Δͷ ɻ
ઌ಄256όΠτʹ͓͚ΔภΓ ͱ͍͑ɺ࣮ࡍͷ߈ܸࠔ: • 2^28ݸͷαϯϓϧΛಘΔΑ͏ͳଓΛൃੜͤ͞Δ͜ͱ͕͍͠ • BEAST߈ܸͰߦΘΕͨΑ͏ʹJavaScriptϚϧΣΞΛͬͯ ଓΛ੍ޚ͢Δͷ͕ཧత͔ʁ • डಈతʹ߈ܸ͢ΔͷࠔɻMITM߈ܸ͕΄͍͠ɻ •
ͦΕͰઌ಄256όΠτ͔͠Θ͔Βͳ͍ɻ
ͦͷޙ • ೋॏόΠτ߈ܸ: ࿈ଓͨ͠όΠτʹภΓ͕͋Δͱ͍͏ੑ࣭ͷར ༻ɻҰఆͷִؒͰग़ྗʹݱΕΔɻ • αϯϓϧऔಘʹҟͳΔRC4伴Λඞཁͱ͠ͳ͍ɻඞཁͳଓ ͕ݮΔ • डಈత߈ܸෆՄೳ
ͦͷޙ • HTTPηογϣϯ༻Cookieͷ༰औಘ͕2^34 -> 2^26ͰࡁΉɺͱ ͍͏ൃݟ • Invariance Weakness: ෆదͳ伴͕ͱ͖Ͳ͖ੜ͞ΕΔ͜ͱΛར
༻ɻ2^24ճʹ1ճTLSଓ͕ഁΒΕΔ • Cookie߈ܸʹ͔͔Δ࣌ؒͷॖɻBEASTಉ༷ͷJavaScriptϚϧ ΣΞΛ͏ɻͱ͍͑75͔͔࣌ؒΔɻ
؇ࡦ 2015/2, RFC 7465Ͱ TLSͰͷࠓޙͷRC4ར༻ېࢭʂ ͬͨͶʂʂ
None
7.6 τϦϓϧϋϯυγΣΠΫ߈ܸ 7.1ͷରࡦͱͯ͠ಋೖ͞Εͨʮ҆શͳ࠶ωΰγΤʔγϣϯʯʹର͢ Δ࠶߈ܸɻ తʢ࠶ωΰγΤʔγϣϯ͕ඞཁͳέʔεͰ͋ΔʣΫϥΠΞϯ τূ໌ॻ͕ඞཁͳΞΫηεͷͬऔΓɻ
࠶ωΰγΤʔγϣϯʹ͓͚Δ҆શੑ֬ อ ࠶ωΰγΤʔγϣϯ࣌ʹɺҎલͷϋϯυγΣΠΫʹ͓͚Δ Finishedʹؚ·ΕΔverify_dataͷΛ࠶ૹ৴͢Δ͜ͱͰɺαʔ όʔ࠶ωΰγΤʔγϣϯΛٻΊ͍ͯΔΫϥΠΞϯτ͕Ҏલଓ ͨ͜͠ͱͰ͋ΔͷͰ͋Δ͜ͱͷ֬ূΛಘΔɻ →߈ܸऀ͜ͷ߈ܸͰ͜ͷൿີͷΛ͘͜ͱΛඪͱ͢Δɻ
(1) ະͷ伴͕ڞ༗͞ΕΔऑ RSA伴ަͷऑΛѱ༻͢Δɻຊདྷதؒऀʹ෮߸Ͱ͖ͳ͍Pre- Master SecretΛຊདྷͷड͚खͰ͋Δαʔόʔʹ෮߸ͤ͞Δɺͱ͍ ͏͜ͱΛ͢Δɻ ަ͕ྃ͢Δͱɺଓʹ͏ύϥϝʔλ(Pre-Master Secret, random)͕ಉҰͰ͋ΔʹϚελʔ伴ಉҰͳ2ͭͷଓ͕Ͱ͖Δɻ (DH伴ަͰ͜Ε͕Մೳɻѱҙͷ͋Δαʔόʔ͕؆୯ʹഁΕΔ
DHύϥϝʔλΛબΑ͍ɻECDHEͰ໊લ͖ۂઢΛ͏ͷͰ ͜Ε͕ෆՄೳ)
ຊจͷਤ7.8
(2) શಉظ ͜ΕͰ·ͩ verify_data ͕ͦΕͧΕผͷΫϥΠΞϯτ͔Βདྷͯ ͍Δʢˡূ໌ॻ͕ҧ͏ʣͷͰ࠶ωΰγΤʔγϣϯ߈ܸ͕ෆՄೳɻ ͜͜ͰηογϣϯϦβϯϓγϣϯͰϋϯυγΣΠΫ͕লུ͞Ε ΔʢϚελʔ伴͕Θ͔͍ͬͯΕेͰ͋Δʣ͜ͱΛར༻͢Δɻ →1ͭͷଓͰҟͳ͍ͬͯͨূ໌ॻ͕ཁٻ͞Εͳ͘ͳΓɺηο γϣϯ࠶։ޙͷFinishedϝοηʔδಉҰʂ
ຊจͷਤ7.9
(3) ͳΓ͢·͠ ߈ܸऀ٘ਜ਼ऀͷΫϥΠΞϯτূ໌ॻΛ͍͍ͨͷͰ࠶ωΰγΤ ʔγϣϯΛڧ੍ͤ͞Δɻ ଓཱޙτϥϑΟοΫݟΕͳ͘ͳΔ͜ͱʹҙɻ
ຊจͷਤ7.10
Өڹ ߈ܸΛड͚ΔՄೳੑ͕͋Δͷɺ7.1ͱಉ༷ɺ߈ܸऀͱΫϥΠΞϯ τ͕۠ผͰ͖͍ͯͳ͍αʔόɻ ΑΓةݥͳϕΫλͱͯ͠ɺ߈ܸऀ࠶ωΰγΤʔγϣϯલʹҙ ͷσʔλΛํͷଓʹૹΕΔ͜ͱ͕͋Δɻ ࠶ωΰγΤʔγϣϯʹΑΓΫϥΠΞϯτূ໌ॻೝূΛಥഁͨ͠ޙ ɺJavaScriptϚϧΣΞΛྲྀ͠ࠐΜͰ͓͘͜ͱͰೝূ͞Εͨঢ়ଶ ͰϦΫΤετΛൃߦ͠·͘Δ͜ͱ͕Ͱ͖Δɻ
ཱཁ݅ ͱ͍͑߈ܸ༰қͰͳ͍ɻ • ΤϯτϦʔϙΠϯτͱରԠ͢ΔϖΠϩʔυͷߏங • ࠶ωΰγΤʔγϣϯޙτϥϑΟοΫ͕ݟ͑ͳ͘ͳΔ ͞ΒʹɺҎԼͷଆ໘ຬͨ͢ඞཁ͕͋Δ: • ΫϥΠΞϯτূ໌ॻΛ͍ͬͯΔαΠτͷΈରʹͰ͖Δ •
ѱҙͷ͋ΔαΠτʹݺͼࠐΉඞཁ͕͋Δ
؇ࡦ • ͯ͢ͷΞΫηεʹΫϥΠΞϯτূ໌ॻΛཁٻ • ͦ͏͢Δͱ࠷ॳͷଓʹ߈ܸऀͷূ໌ॻ͕ཁٻ͞ΕΔ • ࠶ωΰγΤʔγϣϯΛແޮʹ͢Δ • ECDHEͷΈΛ༗ޮʹ͢Δ •
RSAͱDHEͷ伴ަͷʹґଘ͍ͯ͠ΔͨΊ
None
7.7 POODLE 2014/10, Google Security TeamʹΑΔɻ Lucky 13߈ܸͱಉ༷ͷύσΟϯάΦϥΫϧ߈ܸʹϓϩτίϧμϯ άϨʔυ߈ܸΛΈ߹Θͤͨͷɻ
ύσΟϯάํࣜͷҧ͍ ຊจͷਤ7.11
ύσΟϯάํࣜͷҧ͍ POODLEͷѱ༻ʹʮ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯάͩ ͚ʹͳΔΑ͏ʹ͢Δʯඞཁ͕͋Δɻ →߈ܸऀʹΞΫηεͰ͖Δͷ҉߸Խ͞Εͨঢ়ଶͷΈͳͷͰύσ ΟϯάΛ͍͡Εͳ͍ɻ࠷ޙඌͷϒϩοΫͷΈ͕ύσΟϯάͰ ͋ΕMACݕূʹҾ͔͔ͬΒͣʹ͖ͳΑ͏ʹมߋΛՃ͑ΒΕ Δɻ ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯά͚ͩʹͳͬͨ߹ɺ෮ ߸Խޙͷ࠷ऴόΠτͷ(AESͷ߹)15ɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ ͜ͷํ๏Ͱ҉߸จͷඌ1όΠτ͔͠ղಡ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ ͳͷͰɺJavaScriptΛͬͯPOSTͷૹ৴URLͱϦΫΤετϘσΟΛ ੍ޚ͠ɺղಡ͍ͨ͠(CookieͳͲ)ؚ͕·ΕΔ෦Λ࠷ऴϒϩοΫ ʹ࣋ͬͯ͘ΔΑ͏ʹૢ࡞Λ͢Δɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ • ͍URLͱ࠷খݶͷϦΫΤετϘσΟ͔ΒਪଌΛ։࢝ • URLΛ1όΠτͣͭͯ͘͠ύσΟϯάͷ͞Λ֬ఆ • 1όΠτΛղಡ͢ΔͷʹඞཁͳਪଌϦΫΤετΛૹ৴ • ΓͷόΠτʹରͯ͠Ҏ্܁Γฦ͠ 1όΠτ͋ͨΓ256ճͰेʹඞཁͳόΠτ͕200จࣈલޙͰ
ࠓ·ͰΑΓང͔ʹޮ͕ྑ͍ʂ
TLS 1.0Ҏ߱ͰPOODLE͕Ͱ͖Δέʔ ε͕͋Δ SSLv3 -> TLSͷϚΠάϨʔγϣϯͷࡍʹҰ෦ͷϕϯμʔͷύσΟ ϯάͷ࣮͕దͰͳ͔ͬͨͨΊɻ
؇ࡦ • ϒϥβɿSSL 3.0ͷϑΥʔϧόοΫΛແޮʹͨ͠ɻ • SSLv3ͷແޮԽ • PCI DSS 3.2Ͱ2018
6/30·ͰʹSSLv3, Early TLS(TLS 1.0)Λແ ޮԽͯ͠όʔδϣϯΞοϓ͠Ζɺͱ໌ݴ͞Ε͍ͯ·͢
None
7.8 Bullrun …ͱ͍͏͔Dual EC DRBGͷɻඪ४ͱͯ͠ఏএ͞Εٖͨࣅཚੜ ثʹNSAͷόοΫυΞ͕ೖͬͯͨΑɺͱ͍͏ɻ NSAʮ༻ͷൿີ伴ٕज़ͷͨΊͷϙϦγʔɺඪ४ɺ͓Αͼ༷ ʹରͯ͠ӨڹΛٴ΅͢ʯ׆ಈʹؒ2ԯ5ઍສυϧΛ͍ͬͯΔͦ ͏Ͱ͢ɻӳࠃGCHQͰಉ༷ͷ׆ಈ͕͋Δͱ͔ɻ