Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
Search
sylph01
December 08, 2017
Technology
0
320
『プロフェッショナルSSL/TLS』読書会 第7章後半資料
https://ptls-study.connpass.com/event/71304/
sylph01
December 08, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (RubyConf Taiwan 2025 ver.)
sylph01
1
88
PicoRuby's Networking is Incomplete
sylph01
1
43
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.6k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
130
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
600
Introduction to C Extensions
sylph01
3
210
"Actual" Security in Microcontroller Ruby!?
sylph01
0
150
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
72
Other Decks in Technology
See All in Technology
複数サービスを支えるマルチテナント型Batch MLプラットフォーム
lycorptech_jp
PRO
1
960
Platform開発が先行する Platform Engineeringの違和感
kintotechdev
4
590
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
10
75k
ブロックテーマ時代における、テーマの CSS について考える Toro_Unit / 2025.09.13 @ Shinshu WordPress Meetup
torounit
0
130
20250905_MeetUp_Ito-san_s_presentation.pdf
magicpod
1
100
Oracle Cloud Infrastructure IaaS 新機能アップデート 2025/06 - 2025/08
oracle4engineer
PRO
0
110
現場で効くClaude Code ─ 最新動向と企業導入
takaakikakei
1
260
Snowflake Intelligence × Document AIで“使いにくいデータ”を“使えるデータ”に
kevinrobot34
1
120
新規プロダクトでプロトタイプから正式リリースまでNext.jsで開発したリアル
kawanoriku0
1
220
IoT x エッジAI - リアルタイ ムAI活用のPoCを今すぐ始め る方法 -
niizawat
0
120
AWSで始める実践Dagster入門
kitagawaz
1
750
Automating Web Accessibility Testing with AI Agents
maminami373
0
1.3k
Featured
See All Featured
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Done Done
chrislema
185
16k
Embracing the Ebb and Flow
colly
87
4.8k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Building Adaptive Systems
keathley
43
2.7k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
580
The Invisible Side of Design
smashingmag
301
51k
Scaling GitHub
holman
463
140k
Side Projects
sachag
455
43k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Transcript
(7) ϓϩτίϧʹର͢Δ ߈ܸ: 7.4-7.8 @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 12/8/2017
None
લճͷ༰ લͷΠϕϯτϖʔδ ͔ΒͲ͏ͧ
7.4 Lucky 13 ҉߸ར༻Ϟʔυ͕CBCϞʔυͰ͋Δͱ͖ʹʮฏจͷখ͞ͳҰ෦ ʯΛղಡͰ͖Δ߈ܸɻ ࠜຊݪҼCBCϞʔυͰΘΕΔύσΟϯά͕TLSͷશੑݕূͷ ΈͰอޢ͞Εͳ͍͜ͱʹΑͬͯύσΟϯάΦϥΫϧ߈ܸ͕ ཱͯ͠͠·͏͜ͱɻ ฏจ1όΠτΛղಡ͢Δͷʹ8192ճͷHTTPϦΫΤετΛ͏ɻ
ύσΟϯά DESɺAESͳͲͷϒϩοΫ҉߸ͰೖྗΛϒϩοΫʹἧ͑ΔͨΊ ʹฏจʹύσΟϯάΛՃ͢Δɻ PKCS#7 padding: ඌʹ༩͢ΔόΠτͷʹ͍͠ͷίʔυ ϙΠϯτͷจࣈΛՃ͢Δɻ 2จࣈΓͳ͍߹: 0x02 0x02
4จࣈΓͳ͍߹: 0x04 0x04 0x04 0x04 ͽͬͨΓͷ߹1ϒϩοΫ·Δ͝ͱύσΟϯάΛՃɻ
ύσΟϯάΦϥΫϧ ʮ෮߸ͨ݁͠ՌύσΟϯά͕ؒҧ͍͑ͯ·ͨ͠ʯ͕ʮ෮߸ͨ݁͠ ՌσʔλͷશੑνΣοΫΛ௨Γ·ͤΜͰͨ͠ʯͱҧ͏ΤϥʔΛ ฦ͢߹ʹ߈ܸ͕ՄೳʹͳΔɻ TLS 1.0Ͱ • ύσΟϯάΤϥʔ: decryption_failed •
MACͷΤϥʔ: bad_record_mac →۠ผͰ͖ͯ͠·͏͜ͱͰʮύσΟϯάΦϥΫϧʯ͕Ͱ͖Δʂ
λΠϛϯάΦϥΫϧ TLS 1.0ͷΑ͏ʹҧͬͨΤϥʔͰڭ͑ͯ͘Εͳͯ͘ɺύσΟϯά ͕ਖ਼͍͠߹ͱؒҧ͍ͬͯΔ߹Ͱʮ࣮ߦ࣌ؒʯ͕ҟͳΔ͜ͱΛ ͬͯύσΟϯάΦϥΫϧ͕Ͱ͖ͯ͠·͏ɻ decrypted = decrypt_cbc(ciphertext) if !padding_correct?(decrypted)
return false else check_mac(decrypted, mac) # this takes additional time! end
ύσΟϯάΦϥΫϧ߈ܸ ࠷ऴతͳಈ࡞ͷ༷ࢠ٭62൪ͷγϛϡϨʔλ https:/ / erlend.oftedal.no/blog/poet/ ͕ඇৗʹΑ͘Ͱ͖͍ͯΔͷͰճͯ͠Έ ΔͱΑ͍ɻ
None
None
ύσΟϯάΦϥΫϧ߈ܸ ղಡରͷϒϩοΫͷલͷϒϩοΫΛૢ࡞͢ΔͷͰɺ͜ΕΛԾʹ ͱ͓͘ɻਖ਼͍͠લͷϒϩοΫͷ ͱ͓͘ɻ ʢલͷਤࢀরʣ ͜͜Ͱɺ ʢ҉߸ԽॲཧͷఆٛΑΓʣͳͷͰɺ
ύσΟϯάΦϥΫϧ߈ܸ ͜͜Ͱɺ طɺ·ͨύσΟϯάΦϥΫϧଘࡏ࣌ʹ Λ ૢ࡞ͯ͠ ͕ύσΟϯάͱͯ͠༗ޮͳΛ͍࣋ͬͯΔ͔Ͳ͏͔Θ ͔ΔͷͰɺ݁Ռͱͯ͠ ͷ͕Θ͔Δʢͨͩ͠1όΠτͣͭʣɻ
TLSʹର͢Δ߈ܸ TLS 1.0ͰύσΟϯάΤϥʔͱMACΤϥʔ͕ҟͳΔΤϥʔΛฦ͠ ͕ͨɺ௨৴͕҉߸Խ͞Ε͍ͯΔͷͰωοτϫʔΫ্͔Β߈ܸ͢Δ ͷࠔͩͬͨɻ͔͠͠OpenSSLʹλΠϛϯάΦϥΫϧ͕ଘࡏ ͨͨ͠Ί࣮࣭ύσΟϯάΦϥΫϧ߈ܸ͕Մೳͩͬͨɻ 2003ͷCanvelΒʹΑΔ߈ܸ: OpenSSL + IMAPΛ߈ܸɻී௨ύσΟ
ϯάͷਪଌʹࣦഊͨ͠߹TLSηογϣϯ͕Εͯ͠·͏͕ɺ IMAPࣦഊͨ͠߹ʹࣗಈͰ࠶ࢼߦ͢ΔͨΊ߹͕Α͔ͬͨɻ
TLSʹର͢Δ߈ܸ Lucky 13߈ܸ(2013, AlFardan and Paterson): TLS 1.1Ͱ decryption_failed௨͕ඇਪʹͳΓɺMACͷܭࢉύσΟϯ ά͕ؒҧ͍ͬͯͨ߹Ͱߦ͏͜ͱͱ͕ͨ͠ɺMACͷύϑΥʔϚ
ϯε͕σʔλϑϥάϝϯτͷ͞ʹґଘͯ͠͠·͏͜ͱΛར༻͠ ͨαΠυνϟωϧΛͬͯ߈ܸʹޭͨ͠ɻ
Өڹ • ฏจશ෦Λ߈ܸ͢Δʹඇৗʹ͕͔͔࣌ؒΔͨΊɺ௨৴ճ෮ػ ߏΛඋ͍͑ͯΔࣗతͳγεςϜΛରʹ͢Δ͜ͱ͕ଟ͍ • Ұ෦ͷฏจ͕໌͍ͯ͠Δ߹ʹΑΓগͳ͍ࢼߦճͰࡁΉ ʢͱ͍֤͑όΠτ͋ͨΓ65536ճʣ • JavaScriptϚϧΣΞΛͬͨ߈ܸ •
Cookieͷจࣈछ੍ݶʹΑΓճ͕ݮΔ • ਪଌʹࣦഊͯ͠௨৴ࣦഊ͕ϢʔβʔʹόϨͳ͍ʂ
؇ࡦ ݁ͱͯ͠TLSʹ͓͚ΔCBCʹ͕͋Δɻ݁ՌTLS 1.3ͰCBC ϞʔυશഇɺAEADݶఆͱͳΔ༧ఆɻ ετϦʔϜ҉߸Λ͑ύσΟϯά͕ཁΒͳ͍͕ɺগͳ͘ͱ ࣌1TLSʹଘࡏͨ͠།ҰͷετϦʔϜ҉߸RC4ͰɺͦΕͦΕͰ ͕͋ͬͨɻ ೝূ͖ͭ҉߸(AEAD; GCMϞʔυͳͲ)Λ͑MACʹΑΔλΠϛϯ άղܾ͢Δ͕͜ΕʹTLS
1.2͕ඞཁɻ 1 TLS 1.3ͰChaCha20/Poly1305͕͑ΔΑ͏ʹͳΔϋζ
None
7.5 RC4ͷऑ TL;DR: ݱతʹRC4͏ཧ༝ͳ͍ͷͰ͏ͳɻ
伴εέδϡʔϦϯάͷऑ 伴εέδϡʔϦϯά = ͍จࣈྻ͔Β伴ετϦʔϜΛग़ྗ͢ΔΞ ϧΰϦζϜͷ͜ͱɻ ͘͝Ұ෦͕Θ͔Εॳظग़ྗͷଟ͘ΛܾఆͰ͖ͯ͠·͏Α͏ͳ 伴͕ଟ͍ʢऑ伴ͷଘࡏʣɺ伴ͷ࠶ར༻͕͋Δ͚ͩͰ伴ετϦʔϜ ͷҰ෦ΛಛఆͰ͖ͯ͠·͏ɺͱ͍͏͕ΒΕ͍͕ͯͨ… 2011 BEAST߈ܸൃදˠRC4͕TLS
1.0ҎલͰ།Ұ҆શͳ҉߸Ξϧ ΰϦζϜʹʂ
୯ҰόΠτͷภΓ ಛʹॏཁͳͷ͕ɺ伴ετϦʔϜͷ2όΠτ͕௨ৗͷ2ഒͷ֬Ͱ0 ʹͳΔɺͱ͍͏ੑ࣭ɻ 0ʹͳΔͱ͍͏͜ͱXORΛऔͬͯ0ɻ →ͨ͘͞ΜͷଓΛੜ͠ɺ࠷සൟʹ2όΠτʹݱΕΔ͕ฏ จͱҰகɺͱݟͯؒҧ͍ͳͦ͞͏
ઌ಄256όΠτʹ͓͚ΔภΓ 2013, AlFardanΒ: ઌ಄256όΠτͷ֤όΠτͷதͰಛఆͷʹภΔ ͕͋Δ͜ͱΛൃݟɻ →256όΠτΛղಡ͢ΔͨΊʹඞཁͳσʔλαϯϓϧ͕ ɺจ ࣈ͕ݶΒΕΔ߹ʹ ʹͳͬͨɻRC4͕௨ৗอূ͢Δͷ ɻ
ઌ಄256όΠτʹ͓͚ΔภΓ ͱ͍͑ɺ࣮ࡍͷ߈ܸࠔ: • 2^28ݸͷαϯϓϧΛಘΔΑ͏ͳଓΛൃੜͤ͞Δ͜ͱ͕͍͠ • BEAST߈ܸͰߦΘΕͨΑ͏ʹJavaScriptϚϧΣΞΛͬͯ ଓΛ੍ޚ͢Δͷ͕ཧత͔ʁ • डಈతʹ߈ܸ͢ΔͷࠔɻMITM߈ܸ͕΄͍͠ɻ •
ͦΕͰઌ಄256όΠτ͔͠Θ͔Βͳ͍ɻ
ͦͷޙ • ೋॏόΠτ߈ܸ: ࿈ଓͨ͠όΠτʹภΓ͕͋Δͱ͍͏ੑ࣭ͷར ༻ɻҰఆͷִؒͰग़ྗʹݱΕΔɻ • αϯϓϧऔಘʹҟͳΔRC4伴Λඞཁͱ͠ͳ͍ɻඞཁͳଓ ͕ݮΔ • डಈత߈ܸෆՄೳ
ͦͷޙ • HTTPηογϣϯ༻Cookieͷ༰औಘ͕2^34 -> 2^26ͰࡁΉɺͱ ͍͏ൃݟ • Invariance Weakness: ෆదͳ伴͕ͱ͖Ͳ͖ੜ͞ΕΔ͜ͱΛར
༻ɻ2^24ճʹ1ճTLSଓ͕ഁΒΕΔ • Cookie߈ܸʹ͔͔Δ࣌ؒͷॖɻBEASTಉ༷ͷJavaScriptϚϧ ΣΞΛ͏ɻͱ͍͑75͔͔࣌ؒΔɻ
؇ࡦ 2015/2, RFC 7465Ͱ TLSͰͷࠓޙͷRC4ར༻ېࢭʂ ͬͨͶʂʂ
None
7.6 τϦϓϧϋϯυγΣΠΫ߈ܸ 7.1ͷରࡦͱͯ͠ಋೖ͞Εͨʮ҆શͳ࠶ωΰγΤʔγϣϯʯʹର͢ Δ࠶߈ܸɻ తʢ࠶ωΰγΤʔγϣϯ͕ඞཁͳέʔεͰ͋ΔʣΫϥΠΞϯ τূ໌ॻ͕ඞཁͳΞΫηεͷͬऔΓɻ
࠶ωΰγΤʔγϣϯʹ͓͚Δ҆શੑ֬ อ ࠶ωΰγΤʔγϣϯ࣌ʹɺҎલͷϋϯυγΣΠΫʹ͓͚Δ Finishedʹؚ·ΕΔverify_dataͷΛ࠶ૹ৴͢Δ͜ͱͰɺαʔ όʔ࠶ωΰγΤʔγϣϯΛٻΊ͍ͯΔΫϥΠΞϯτ͕Ҏલଓ ͨ͜͠ͱͰ͋ΔͷͰ͋Δ͜ͱͷ֬ূΛಘΔɻ →߈ܸऀ͜ͷ߈ܸͰ͜ͷൿີͷΛ͘͜ͱΛඪͱ͢Δɻ
(1) ະͷ伴͕ڞ༗͞ΕΔऑ RSA伴ަͷऑΛѱ༻͢Δɻຊདྷதؒऀʹ෮߸Ͱ͖ͳ͍Pre- Master SecretΛຊདྷͷड͚खͰ͋Δαʔόʔʹ෮߸ͤ͞Δɺͱ͍ ͏͜ͱΛ͢Δɻ ަ͕ྃ͢Δͱɺଓʹ͏ύϥϝʔλ(Pre-Master Secret, random)͕ಉҰͰ͋ΔʹϚελʔ伴ಉҰͳ2ͭͷଓ͕Ͱ͖Δɻ (DH伴ަͰ͜Ε͕Մೳɻѱҙͷ͋Δαʔόʔ͕؆୯ʹഁΕΔ
DHύϥϝʔλΛબΑ͍ɻECDHEͰ໊લ͖ۂઢΛ͏ͷͰ ͜Ε͕ෆՄೳ)
ຊจͷਤ7.8
(2) શಉظ ͜ΕͰ·ͩ verify_data ͕ͦΕͧΕผͷΫϥΠΞϯτ͔Βདྷͯ ͍Δʢˡূ໌ॻ͕ҧ͏ʣͷͰ࠶ωΰγΤʔγϣϯ߈ܸ͕ෆՄೳɻ ͜͜ͰηογϣϯϦβϯϓγϣϯͰϋϯυγΣΠΫ͕লུ͞Ε ΔʢϚελʔ伴͕Θ͔͍ͬͯΕेͰ͋Δʣ͜ͱΛར༻͢Δɻ →1ͭͷଓͰҟͳ͍ͬͯͨূ໌ॻ͕ཁٻ͞Εͳ͘ͳΓɺηο γϣϯ࠶։ޙͷFinishedϝοηʔδಉҰʂ
ຊจͷਤ7.9
(3) ͳΓ͢·͠ ߈ܸऀ٘ਜ਼ऀͷΫϥΠΞϯτূ໌ॻΛ͍͍ͨͷͰ࠶ωΰγΤ ʔγϣϯΛڧ੍ͤ͞Δɻ ଓཱޙτϥϑΟοΫݟΕͳ͘ͳΔ͜ͱʹҙɻ
ຊจͷਤ7.10
Өڹ ߈ܸΛड͚ΔՄೳੑ͕͋Δͷɺ7.1ͱಉ༷ɺ߈ܸऀͱΫϥΠΞϯ τ͕۠ผͰ͖͍ͯͳ͍αʔόɻ ΑΓةݥͳϕΫλͱͯ͠ɺ߈ܸऀ࠶ωΰγΤʔγϣϯલʹҙ ͷσʔλΛํͷଓʹૹΕΔ͜ͱ͕͋Δɻ ࠶ωΰγΤʔγϣϯʹΑΓΫϥΠΞϯτূ໌ॻೝূΛಥഁͨ͠ޙ ɺJavaScriptϚϧΣΞΛྲྀ͠ࠐΜͰ͓͘͜ͱͰೝূ͞Εͨঢ়ଶ ͰϦΫΤετΛൃߦ͠·͘Δ͜ͱ͕Ͱ͖Δɻ
ཱཁ݅ ͱ͍͑߈ܸ༰қͰͳ͍ɻ • ΤϯτϦʔϙΠϯτͱରԠ͢ΔϖΠϩʔυͷߏங • ࠶ωΰγΤʔγϣϯޙτϥϑΟοΫ͕ݟ͑ͳ͘ͳΔ ͞ΒʹɺҎԼͷଆ໘ຬͨ͢ඞཁ͕͋Δ: • ΫϥΠΞϯτূ໌ॻΛ͍ͬͯΔαΠτͷΈରʹͰ͖Δ •
ѱҙͷ͋ΔαΠτʹݺͼࠐΉඞཁ͕͋Δ
؇ࡦ • ͯ͢ͷΞΫηεʹΫϥΠΞϯτূ໌ॻΛཁٻ • ͦ͏͢Δͱ࠷ॳͷଓʹ߈ܸऀͷূ໌ॻ͕ཁٻ͞ΕΔ • ࠶ωΰγΤʔγϣϯΛແޮʹ͢Δ • ECDHEͷΈΛ༗ޮʹ͢Δ •
RSAͱDHEͷ伴ަͷʹґଘ͍ͯ͠ΔͨΊ
None
7.7 POODLE 2014/10, Google Security TeamʹΑΔɻ Lucky 13߈ܸͱಉ༷ͷύσΟϯάΦϥΫϧ߈ܸʹϓϩτίϧμϯ άϨʔυ߈ܸΛΈ߹Θͤͨͷɻ
ύσΟϯάํࣜͷҧ͍ ຊจͷਤ7.11
ύσΟϯάํࣜͷҧ͍ POODLEͷѱ༻ʹʮ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯάͩ ͚ʹͳΔΑ͏ʹ͢Δʯඞཁ͕͋Δɻ →߈ܸऀʹΞΫηεͰ͖Δͷ҉߸Խ͞Εͨঢ়ଶͷΈͳͷͰύσ ΟϯάΛ͍͡Εͳ͍ɻ࠷ޙඌͷϒϩοΫͷΈ͕ύσΟϯάͰ ͋ΕMACݕূʹҾ͔͔ͬΒͣʹ͖ͳΑ͏ʹมߋΛՃ͑ΒΕ Δɻ ࠷ޙඌͷ҉߸ԽϒϩοΫશମ͕ύσΟϯά͚ͩʹͳͬͨ߹ɺ෮ ߸Խޙͷ࠷ऴόΠτͷ(AESͷ߹)15ɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ ͜ͷํ๏Ͱ҉߸จͷඌ1όΠτ͔͠ղಡ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ ͳͷͰɺJavaScriptΛͬͯPOSTͷૹ৴URLͱϦΫΤετϘσΟΛ ੍ޚ͠ɺղಡ͍ͨ͠(CookieͳͲ)ؚ͕·ΕΔ෦Λ࠷ऴϒϩοΫ ʹ࣋ͬͯ͘ΔΑ͏ʹૢ࡞Λ͢Δɻ
࣮ࡍͲ͏ͬͯ߈ܸ͢Δͷ • ͍URLͱ࠷খݶͷϦΫΤετϘσΟ͔ΒਪଌΛ։࢝ • URLΛ1όΠτͣͭͯ͘͠ύσΟϯάͷ͞Λ֬ఆ • 1όΠτΛղಡ͢ΔͷʹඞཁͳਪଌϦΫΤετΛૹ৴ • ΓͷόΠτʹରͯ͠Ҏ্܁Γฦ͠ 1όΠτ͋ͨΓ256ճͰेʹඞཁͳόΠτ͕200จࣈલޙͰ
ࠓ·ͰΑΓང͔ʹޮ͕ྑ͍ʂ
TLS 1.0Ҏ߱ͰPOODLE͕Ͱ͖Δέʔ ε͕͋Δ SSLv3 -> TLSͷϚΠάϨʔγϣϯͷࡍʹҰ෦ͷϕϯμʔͷύσΟ ϯάͷ࣮͕దͰͳ͔ͬͨͨΊɻ
؇ࡦ • ϒϥβɿSSL 3.0ͷϑΥʔϧόοΫΛແޮʹͨ͠ɻ • SSLv3ͷແޮԽ • PCI DSS 3.2Ͱ2018
6/30·ͰʹSSLv3, Early TLS(TLS 1.0)Λແ ޮԽͯ͠όʔδϣϯΞοϓ͠Ζɺͱ໌ݴ͞Ε͍ͯ·͢
None
7.8 Bullrun …ͱ͍͏͔Dual EC DRBGͷɻඪ४ͱͯ͠ఏএ͞Εٖͨࣅཚੜ ثʹNSAͷόοΫυΞ͕ೖͬͯͨΑɺͱ͍͏ɻ NSAʮ༻ͷൿີ伴ٕज़ͷͨΊͷϙϦγʔɺඪ४ɺ͓Αͼ༷ ʹରͯ͠ӨڹΛٴ΅͢ʯ׆ಈʹؒ2ԯ5ઍສυϧΛ͍ͬͯΔͦ ͏Ͱ͢ɻӳࠃGCHQͰಉ༷ͷ׆ಈ͕͋Δͱ͔ɻ