Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
Search
sylph01
December 08, 2017
Technology
0
310
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
https://ptls-study.connpass.com/event/71304/
sylph01
December 08, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
93
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
33
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
85
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
Amazon Aurora のバージョンアップ手法について
smt7174
2
150
1行のコードから社会課題の解決へ: EMの探究、事業・技術・組織を紡ぐ実践知 / EM Conf 2025
9ma3r
12
4k
Share my, our lessons from the road to re:Invent
naospon
0
150
DevinでAI AWSエンジニア製造計画 序章 〜CDKを添えて〜/devin-load-to-aws-engineer
tomoki10
0
160
Охота на косуль у древних
ashapiro
0
110
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
630
脳波を用いた嗜好マッチングシステム
hokkey621
0
290
生成AI “再”入門 2025年春@WIRED TUESDAY EDITOR'S LOUNGE
kajikent
0
130
Aurora PostgreSQLがCloudWatch Logsに 出力するログの課金を削減してみる #jawsdays2025
non97
1
220
入門 PEAK Threat Hunting @SECCON
odorusatoshi
0
170
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
4
260
2/18 Making Security Scale: メルカリが考えるセキュリティ戦略 - Coincheck x LayerX x Mercari
jsonf
0
220
Featured
See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
133
33k
A Modern Web Designer's Workflow
chriscoyier
693
190k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k
How GitHub (no longer) Works
holman
314
140k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7.1k
Practical Orchestrator
shlominoach
186
10k
Scaling GitHub
holman
459
140k
Building an army of robots
kneath
303
45k
Transcript
(7) ϓϩτίϧʹର͢Δ ߈ܸ: 7.4-7.8 @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 12/8/2017
None
લճͷ༰ લͷΠϕϯτϖʔδ ͔ΒͲ͏ͧ
7.4 Lucky 13 ҉߸ར༻Ϟʔυ͕CBCϞʔυͰ͋Δͱ͖ʹʮฏจͷখ͞ͳҰ෦ ʯΛղಡͰ͖Δ߈ܸɻ ࠜຊݪҼCBCϞʔυͰΘΕΔύσΟϯά͕TLSͷશੑݕূͷ ΈͰอޢ͞Εͳ͍͜ͱʹΑͬͯύσΟϯάΦϥΫϧ߈ܸ͕ ཱͯ͠͠·͏͜ͱɻ ฏจ1όΠτΛղಡ͢Δͷʹ8192ճͷHTTPϦΫΤετΛ͏ɻ
ύσΟϯά DESɺAESͳͲͷϒϩοΫ҉߸ͰೖྗΛϒϩοΫʹἧ͑ΔͨΊ ʹฏจʹύσΟϯάΛՃ͢Δɻ PKCS#7 padding: ඌʹ༩͢ΔόΠτͷʹ͍͠ͷίʔυ ϙΠϯτͷจࣈΛՃ͢Δɻ 2จࣈΓͳ͍߹: 0x02 0x02
4จࣈΓͳ͍߹: 0x04 0x04 0x04 0x04 ͽͬͨΓͷ߹1ϒϩοΫ·Δ͝ͱύσΟϯάΛՃɻ
ύσΟϯάΦϥΫϧ ʮ෮߸ͨ݁͠ՌύσΟϯά͕ؒҧ͍͑ͯ·ͨ͠ʯ͕ʮ෮߸ͨ݁͠ ՌσʔλͷશੑνΣοΫΛ௨Γ·ͤΜͰͨ͠ʯͱҧ͏ΤϥʔΛ ฦ͢߹ʹ߈ܸ͕ՄೳʹͳΔɻ TLS 1.0Ͱ • ύσΟϯάΤϥʔ: decryption_failed •
MACͷΤϥʔ: bad_record_mac →۠ผͰ͖ͯ͠·͏͜ͱͰʮύσΟϯάΦϥΫϧʯ͕Ͱ͖Δʂ
λΠϛϯάΦϥΫϧ TLS 1.0ͷΑ͏ʹҧͬͨΤϥʔͰڭ͑ͯ͘Εͳͯ͘ɺύσΟϯά ͕ਖ਼͍͠߹ͱؒҧ͍ͬͯΔ߹Ͱʮ࣮ߦ࣌ؒʯ͕ҟͳΔ͜ͱΛ ͬͯύσΟϯάΦϥΫϧ͕Ͱ͖ͯ͠·͏ɻ decrypted = decrypt_cbc(ciphertext) if !padding_correct?(decrypted)
return false else check_mac(decrypted, mac) # this takes additional time! end
ύσΟϯάΦϥΫϧ߈ܸ ࠷ऴతͳಈ࡞ͷ༷ࢠ٭62൪ͷγϛϡϨʔλ https:/ / erlend.oftedal.no/blog/poet/ ͕ඇৗʹΑ͘Ͱ͖͍ͯΔͷͰճͯ͠Έ ΔͱΑ͍ɻ
None
None
ύσΟϯάΦϥΫϧ߈ܸ ղಡରͷϒϩοΫͷલͷϒϩοΫΛૢ࡞͢ΔͷͰɺ͜ΕΛԾʹ ͱ͓͘ɻਖ਼͍͠લͷϒϩοΫͷ ͱ͓͘ɻ ʢલͷਤࢀরʣ ͜͜Ͱɺ ʢ҉߸ԽॲཧͷఆٛΑΓʣͳͷͰɺ
ύσΟϯάΦϥΫϧ߈ܸ ͜͜Ͱɺ طɺ·ͨύσΟϯάΦϥΫϧଘࡏ࣌ʹ Λ ૢ࡞ͯ͠ ͕ύσΟϯάͱͯ͠༗ޮͳΛ͍࣋ͬͯΔ͔Ͳ͏͔Θ ͔ΔͷͰɺ݁Ռͱͯ͠ ͷ͕Θ͔Δʢͨͩ͠1όΠτͣͭʣɻ
TLSʹର͢Δ߈ܸ TLS 1.0ͰύσΟϯάΤϥʔͱMACΤϥʔ͕ҟͳΔΤϥʔΛฦ͠ ͕ͨɺ௨৴͕҉߸Խ͞Ε͍ͯΔͷͰωοτϫʔΫ্͔Β߈ܸ͢Δ ͷࠔͩͬͨɻ͔͠͠OpenSSLʹλΠϛϯάΦϥΫϧ͕ଘࡏ ͨͨ͠Ί࣮࣭ύσΟϯάΦϥΫϧ߈ܸ͕Մೳͩͬͨɻ 2003ͷCanvelΒʹΑΔ߈ܸ: OpenSSL + IMAPΛ߈ܸɻී௨ύσΟ
ϯάͷਪଌʹࣦഊͨ͠߹TLSηογϣϯ͕Εͯ͠·͏͕ɺ IMAPࣦഊͨ͠߹ʹࣗಈͰ࠶ࢼߦ͢ΔͨΊ߹͕Α͔ͬͨɻ
TLSʹର͢Δ߈ܸ Lucky 13߈ܸ(2013, AlFardan and Paterson): TLS 1.1Ͱ decryption_failed௨͕ඇਪʹͳΓɺMACͷܭࢉύσΟϯ ά͕ؒҧ͍ͬͯͨ߹Ͱߦ͏͜ͱͱ͕ͨ͠ɺMACͷύϑΥʔϚ
ϯε͕σʔλϑϥάϝϯτͷ͞ʹґଘͯ͠͠·͏͜ͱΛར༻͠ ͨαΠυνϟωϧΛͬͯ߈ܸʹޭͨ͠ɻ
Өڹ • ฏจશ෦Λ߈ܸ͢Δʹඇৗʹ͕͔͔࣌ؒΔͨΊɺ௨৴ճ෮ػ ߏΛඋ͍͑ͯΔࣗతͳγεςϜΛରʹ͢Δ͜ͱ͕ଟ͍ • Ұ෦ͷฏจ͕໌͍ͯ͠Δ߹ʹΑΓগͳ͍ࢼߦճͰࡁΉ ʢͱ͍֤͑όΠτ͋ͨΓ65536ճʣ • JavaScriptϚϧΣΞΛͬͨ߈ܸ •
Cookieͷจࣈछ੍ݶʹΑΓճ͕ݮΔ • ਪଌʹࣦഊͯ͠௨৴ࣦഊ͕ϢʔβʔʹόϨͳ͍ʂ
؇ࡦ ݁ͱͯ͠TLSʹ͓͚ΔCBCʹ͕͋Δɻ݁ՌTLS 1.3ͰCBC ϞʔυશഇɺAEADݶఆͱͳΔ༧ఆɻ ετϦʔϜ҉߸Λ͑ύσΟϯά͕ཁΒͳ͍͕ɺগͳ͘ͱ ࣌1TLSʹଘࡏͨ͠།ҰͷετϦʔϜ҉߸RC4ͰɺͦΕͦΕͰ ͕͋ͬͨɻ ೝূ͖ͭ҉߸(AEAD; GCMϞʔυͳͲ)Λ͑MACʹΑΔλΠϛϯ άղܾ͢Δ͕͜ΕʹTLS
1.2͕ඞཁɻ 1 TLS 1.3ͰChaCha20/Poly1305͕͑ΔΑ͏ʹͳΔϋζ
None
7.5 RC4ͷऑ TL;DR: ݱతʹRC4͏ཧ༝ͳ͍ͷͰ͏ͳɻ
伴εέδϡʔϦϯάͷऑ 伴εέδϡʔϦϯά = ͍จࣈྻ͔Β伴ετϦʔϜΛग़ྗ͢ΔΞ ϧΰϦζϜͷ͜ͱɻ ͘͝Ұ෦͕Θ͔Εॳظग़ྗͷଟ͘ΛܾఆͰ͖ͯ͠·͏Α͏ͳ 伴͕ଟ͍ʢऑ伴ͷଘࡏʣɺ伴ͷ࠶ར༻͕͋Δ͚ͩͰ伴ετϦʔϜ ͷҰ෦ΛಛఆͰ͖ͯ͠·͏ɺͱ͍͏͕ΒΕ͍͕ͯͨ… 2011 BEAST߈ܸൃදˠRC4͕TLS
1.0ҎલͰ།Ұ҆શͳ҉߸Ξϧ ΰϦζϜʹʂ
୯ҰόΠτͷภΓ ಛʹॏཁͳͷ͕ɺ伴ετϦʔϜͷ2όΠτ͕௨ৗͷ2ഒͷ֬Ͱ0 ʹͳΔɺͱ͍͏ੑ࣭ɻ 0ʹͳΔͱ͍͏͜ͱXORΛऔͬͯ0ɻ →ͨ͘͞ΜͷଓΛੜ͠ɺ࠷සൟʹ2όΠτʹݱΕΔ͕ฏ จͱҰகɺͱݟͯؒҧ͍ͳͦ͞͏
ઌ಄256όΠτʹ͓͚ΔภΓ 2013, AlFardanΒ: ઌ಄256όΠτͷ֤όΠτͷதͰಛఆͷʹภΔ ͕͋Δ͜ͱΛൃݟɻ →256όΠτΛղಡ͢ΔͨΊʹඞཁͳσʔλαϯϓϧ͕ ɺจ ࣈ͕ݶΒΕΔ߹ʹ ʹͳͬͨɻRC4͕௨ৗอূ͢Δͷ ɻ
ઌ಄256όΠτʹ͓͚ΔภΓ ͱ͍͑ɺ࣮ࡍͷ߈ܸࠔ: • 2^28ݸͷαϯϓϧΛಘΔΑ͏ͳଓΛൃੜͤ͞Δ͜ͱ͕͍͠ • BEAST߈ܸͰߦΘΕͨΑ͏ʹJavaScriptϚϧΣΞΛͬͯ ଓΛ੍ޚ͢Δͷ͕ཧత͔ʁ • डಈతʹ߈ܸ͢ΔͷࠔɻMITM߈ܸ͕΄͍͠ɻ •
ͦΕͰઌ಄256όΠτ͔͠Θ͔Βͳ͍ɻ
ͦͷޙ • ೋॏόΠτ߈ܸ: ࿈ଓͨ͠όΠτʹภΓ͕͋Δͱ͍͏ੑ࣭ͷར ༻ɻҰఆͷִؒͰग़ྗʹݱΕΔɻ • αϯϓϧऔಘʹҟͳΔRC4伴Λඞཁͱ͠ͳ͍ɻඞཁͳଓ ͕ݮΔ • डಈత߈ܸෆՄೳ
ͦͷޙ • HTTPηογϣϯ༻Cookieͷ༰औಘ͕2^34 -> 2^26ͰࡁΉɺͱ ͍͏ൃݟ • Invariance Weakness: ෆదͳ伴͕ͱ͖Ͳ͖ੜ͞ΕΔ͜ͱΛར
༻ɻ2^24ճʹ1ճTLSଓ͕ഁΒΕΔ • Cookie߈ܸʹ͔͔Δ࣌ؒͷॖɻBEASTಉ༷ͷJavaScriptϚϧ ΣΞΛ͏ɻͱ͍͑75͔͔࣌ؒΔɻ
؇ࡦ 2015/2, RFC 7465Ͱ TLSͰͷࠓޙͷRC4ར༻ېࢭʂ ͬͨͶʂʂ
None
7.6 τϦϓϧϋϯυγΣΠΫ߈ܸ 7.1ͷରࡦͱͯ͠ಋೖ͞Εͨʮ҆શͳ࠶ωΰγΤʔγϣϯʯʹର͢ Δ࠶߈ܸɻ తʢ࠶ωΰγΤʔγϣϯ͕ඞཁͳέʔεͰ͋ΔʣΫϥΠΞϯ τূ໌ॻ͕ඞཁͳΞΫηεͷͬऔΓɻ
࠶ωΰγΤʔγϣϯʹ͓͚Δ҆શੑ֬ อ ࠶ωΰγΤʔγϣϯ࣌ʹɺҎલͷϋϯυγΣΠΫʹ͓͚Δ Finishedʹؚ·ΕΔverify_dataͷΛ࠶ૹ৴͢Δ͜ͱͰɺαʔ όʔ࠶ωΰγΤʔγϣϯΛٻΊ͍ͯΔΫϥΠΞϯτ͕Ҏલଓ ͨ͜͠ͱͰ͋ΔͷͰ͋Δ͜ͱͷ֬ূΛಘΔɻ →߈ܸऀ͜ͷ߈ܸͰ͜ͷൿີͷΛ͘͜ͱΛඪͱ͢Δɻ
(1) ະͷ伴͕ڞ༗͞ΕΔऑ RSA伴ަͷऑΛѱ༻͢Δɻຊདྷதؒऀʹ෮߸Ͱ͖ͳ͍Pre- Master SecretΛຊདྷͷड͚खͰ͋Δαʔόʔʹ෮߸ͤ͞Δɺͱ͍ ͏͜ͱΛ͢Δɻ ަ͕ྃ͢Δͱɺଓʹ͏ύϥϝʔλ(Pre-Master Secret, random)͕ಉҰͰ͋ΔʹϚελʔ伴ಉҰͳ2ͭͷଓ͕Ͱ͖Δɻ (DH伴ަͰ͜Ε͕Մೳɻѱҙͷ͋Δαʔόʔ͕؆୯ʹഁΕΔ
DHύϥϝʔλΛબΑ͍ɻECDHEͰ໊લ͖ۂઢΛ͏ͷͰ ͜Ε͕ෆՄೳ)
ຊจͷਤ7.8
(2) શಉظ ͜ΕͰ·ͩ verify_data ͕ͦΕͧΕผͷΫϥΠΞϯτ͔Βདྷͯ ͍Δʢˡূ໌ॻ͕ҧ͏ʣͷͰ࠶ωΰγΤʔγϣϯ߈ܸ͕ෆՄೳɻ ͜͜ͰηογϣϯϦβϯϓγϣϯͰϋϯυγΣΠΫ͕লུ͞Ε ΔʢϚελʔ伴͕Θ͔͍ͬͯΕेͰ͋Δʣ͜ͱΛར༻͢Δɻ →1ͭͷଓͰҟͳ͍ͬͯͨূ໌ॻ͕ཁٻ͞Εͳ͘ͳΓɺηο γϣϯ࠶։ޙͷFinishedϝοηʔδಉҰʂ
ຊจͷਤ7.9
(3) ͳΓ͢·͠ ߈ܸऀ٘ਜ਼ऀͷΫϥΠΞϯτূ໌ॻΛ͍͍ͨͷͰ࠶ωΰγΤ ʔγϣϯΛڧ੍ͤ͞Δɻ ଓཱޙτϥϑΟοΫݟΕͳ͘ͳΔ͜ͱʹҙɻ
ຊจͷਤ7.10
Өڹ ߈ܸΛड͚ΔՄೳੑ͕͋Δͷɺ7.1ͱಉ༷ɺ߈ܸऀͱΫϥΠΞϯ τ͕۠ผͰ͖͍ͯͳ͍αʔόɻ ΑΓةݥͳϕΫλͱͯ͠ɺ߈ܸऀ࠶ωΰγΤʔγϣϯલʹҙ ͷσʔλΛํͷଓʹૹΕΔ͜ͱ͕͋Δɻ ࠶ωΰγΤʔγϣϯʹΑΓΫϥΠΞϯτূ໌ॻೝূΛಥഁͨ͠ޙ ɺJavaScriptϚϧΣΞΛྲྀ͠ࠐΜͰ͓͘͜ͱͰೝূ͞Εͨঢ়ଶ ͰϦΫΤετΛൃߦ͠·͘Δ͜ͱ͕Ͱ͖Δɻ
ཱཁ݅ ͱ͍͑߈ܸ༰қͰͳ͍ɻ • ΤϯτϦʔϙΠϯτͱରԠ͢ΔϖΠϩʔυͷߏங • ࠶ωΰγΤʔγϣϯޙτϥϑΟοΫ͕ݟ͑ͳ͘ͳΔ ͞ΒʹɺҎԼͷଆ໘ຬͨ͢ඞཁ͕͋Δ: • ΫϥΠΞϯτূ໌ॻΛ͍ͬͯΔαΠτͷΈରʹͰ͖Δ •
ѱҙͷ͋ΔαΠτʹݺͼࠐΉඞཁ͕͋Δ
؇ࡦ • ͯ͢ͷΞΫηεʹΫϥΠΞϯτূ໌ॻΛཁٻ • ͦ͏͢Δͱ࠷ॳͷଓʹ߈ܸऀͷূ໌ॻ͕ཁٻ͞ΕΔ • ࠶ωΰγΤʔγϣϯΛແޮʹ͢Δ • ECDHEͷΈΛ༗ޮʹ͢Δ •
RSAͱDHEͷ伴ަͷʹґଘ͍ͯ͠ΔͨΊ
None
7.7 POODLE 2014/10, Google Security TeamʹΑΔɻ Lucky 13߈ܸͱಉ༷ͷύσΟϯάΦϥΫϧ߈ܸʹϓϩτίϧμϯ άϨʔυ߈ܸΛΈ߹Θͤͨͷɻ
ύσΟϯάํࣜͷҧ͍ ຊจͷਤ7.11
ύσΟϯάํࣜͷҧ͍ POODLEͷѱ༻ʹʮ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯάͩ ͚ʹͳΔΑ͏ʹ͢Δʯඞཁ͕͋Δɻ →߈ܸऀʹΞΫηεͰ͖Δͷ҉߸Խ͞Εͨঢ়ଶͷΈͳͷͰύσ ΟϯάΛ͍͡Εͳ͍ɻ࠷ޙඌͷϒϩοΫͷΈ͕ύσΟϯάͰ ͋ΕMACݕূʹҾ͔͔ͬΒͣʹ͖ͳΑ͏ʹมߋΛՃ͑ΒΕ Δɻ ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯά͚ͩʹͳͬͨ߹ɺ෮ ߸Խޙͷ࠷ऴόΠτͷ(AESͷ߹)15ɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ ͜ͷํ๏Ͱ҉߸จͷඌ1όΠτ͔͠ղಡ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ ͳͷͰɺJavaScriptΛͬͯPOSTͷૹ৴URLͱϦΫΤετϘσΟΛ ੍ޚ͠ɺղಡ͍ͨ͠(CookieͳͲ)ؚ͕·ΕΔ෦Λ࠷ऴϒϩοΫ ʹ࣋ͬͯ͘ΔΑ͏ʹૢ࡞Λ͢Δɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ • ͍URLͱ࠷খݶͷϦΫΤετϘσΟ͔ΒਪଌΛ։࢝ • URLΛ1όΠτͣͭͯ͘͠ύσΟϯάͷ͞Λ֬ఆ • 1όΠτΛղಡ͢ΔͷʹඞཁͳਪଌϦΫΤετΛૹ৴ • ΓͷόΠτʹରͯ͠Ҏ্܁Γฦ͠ 1όΠτ͋ͨΓ256ճͰेʹඞཁͳόΠτ͕200จࣈલޙͰ
ࠓ·ͰΑΓང͔ʹޮ͕ྑ͍ʂ
TLS 1.0Ҏ߱ͰPOODLE͕Ͱ͖Δέʔ ε͕͋Δ SSLv3 -> TLSͷϚΠάϨʔγϣϯͷࡍʹҰ෦ͷϕϯμʔͷύσΟ ϯάͷ࣮͕దͰͳ͔ͬͨͨΊɻ
؇ࡦ • ϒϥβɿSSL 3.0ͷϑΥʔϧόοΫΛແޮʹͨ͠ɻ • SSLv3ͷແޮԽ • PCI DSS 3.2Ͱ2018
6/30·ͰʹSSLv3, Early TLS(TLS 1.0)Λແ ޮԽͯ͠όʔδϣϯΞοϓ͠Ζɺͱ໌ݴ͞Ε͍ͯ·͢
None
7.8 Bullrun …ͱ͍͏͔Dual EC DRBGͷɻඪ४ͱͯ͠ఏএ͞Εٖͨࣅཚੜ ثʹNSAͷόοΫυΞ͕ೖͬͯͨΑɺͱ͍͏ɻ NSAʮ༻ͷൿີ伴ٕज़ͷͨΊͷϙϦγʔɺඪ४ɺ͓Αͼ༷ ʹରͯ͠ӨڹΛٴ΅͢ʯ׆ಈʹؒ2ԯ5ઍສυϧΛ͍ͬͯΔͦ ͏Ͱ͢ɻӳࠃGCHQͰಉ༷ͷ׆ಈ͕͋Δͱ͔ɻ