Covers sections 7.1 through 7.3.

(7) Attacks against the protocol: 7.1-7.3
@ 『プロフェッショナルSSL/TLS』 reading group
Ryo Kajiwara (@s01), 10/6/2017

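Overall picture
None of the attack techniques covered this time is effective today, thanks to TLS protocol version upgrades.
• Insecure renegotiation: the renegotiation extension
• BEAST: TLS 1.1 randomizes the IV for every record, and 1.3 abolishes CBC mode itself
• Compression side channels: compression of TLS records is abolished entirely in 1.3
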
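7.1 Insecure renegotiation
When another TLS handshake is attempted on the same TCP connection, the server treats it as a renegotiation. At that point there was no continuity between the old TLS stream and the new TLS stream, and no way to verify whether both came from the same peer, which made a MITM attack possible.
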
(Figure 7.1)

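7.1 Insecure renegotiation
Why is this bad? → The integrity of the application data is broken! In the example, the attacker succeeds in inserting arbitrary plaintext at the start of the connection.
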
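7.1.2 How it is triggered
• Servers that allow client-initiated renegotiation
  • Except IIS
• Server Gated Cryptography
  • A method of negotiating with export-grade ciphers first and then stepping up to a stronger cipher strength
• Client certificates
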
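7.1.3 Attacks against HTTP
1. Executing an arbitrary GET request

    GET /path/to/hoge HTTP/1.0
    X-Ignore: GET /index.jsp HTTP/1.0
    Cookie: JSESSIONID=XXX

Everything up to the colon of X-Ignore: is the attacker's request. This turns the first line of the genuine request into a header so that it is ignored, and an arbitrary GET goes through. Because it is not that different from CSRF, it had been overlooked, but...
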
2. Applying it to POST

    POST /statuses/update.xml HTTP/1.0
    Authorization: Basic [attacker's cred]
    Content-Type: application/x-www-form-urlencoded
    Content-Length: [guessed length]

    status=POST /statuses/update.xml HTTP/1.1
    Authorization: Basic [victim's cred]

Everything up to the = of status= is the attacker's request.

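2. Applying it to POST
• Uses a different account on the same service
• The Content-Length does not have to be the exact length. It is enough to know how long it must be for the wanted information in the request to be written out.
• If the guessed length is made too large, the attack fails because the request is not that long.
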
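3. Other
• Using redirects
  • If there is an open redirect, the request can be sent there
  • If there is a redirect to plaintext, the traffic can effectively be turned into plaintext communication
  • If a redirect that returns HTTP 307 (Temporary Redirect) exists, HTTP 307 redirects with the same method, so a POST can be redirected as a POST!
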
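3. Other
• XSS is possible using the TRACE method
  • The response is supposed to have a Content-Type of message/http, but
  • in a browser that interprets every response as HTML, the XSS succeeds!
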
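How a server-side HTTP parser reads the spliced byte stream from the GET case in 7.1.3, together with a log-side heuristic that flags the artifact it leaves behind. This is an added example, not code from the original slides; `parse_request`, `spliced_headers`, the sample bytes and the heuristic itself are assumptions made for illustration.

```python
import re

# A header value that is itself an HTTP/1.x request line.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|TRACE) \S+ HTTP/1\.[01]$")

# Constructed sample: bytes delivered before the renegotiation. The last header
# is left unterminated, so whatever arrives next becomes its value.
PREFIX = b"GET /path/to/hoge HTTP/1.0\r\nX-Ignore: "
# Constructed sample: the client's own request, delivered after the renegotiation.
VICTIM = b"GET /index.jsp HTTP/1.0\r\nCookie: JSESSIONID=XXX\r\n\r\n"

def parse_request(stream):
    """Parse the first HTTP request in a byte stream the way a server would."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def spliced_headers(headers):
    """Heuristic (assumption): names of headers whose value looks like a request line."""
    return [name for name, value in headers.items() if REQUEST_LINE.match(value)]

if __name__ == "__main__":
    method, target, headers = parse_request(PREFIX + VICTIM)
    # The server sees ONE request: the earlier path, authenticated by the later cookie.
    print(method, target, headers)
    print("suspicious headers:", spliced_headers(headers))
```

With RFC 5746 secure renegotiation in place the two handshakes are cryptographically bound and this splice is rejected at the TLS layer; the heuristic is only useful for reviewing logs from endpoints that predate the fix.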
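7.1.4 Other protocols
• SMTP: many TLS implementations do not check certificates in the first place, so MITM attacks are easy regardless of this issue.
• TLS in SMTP means encryption between server and client (here the client can verify the certificate) and hop-by-hop encryption between servers, so the mail is plaintext on the servers either way. If you fundamentally want encrypted communication over e-mail, authenticate individuals with S/MIME certificates or use PGP.
• FTP is affected as well
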
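7.1.5 Attacks arising from the architecture
If the server that acts as the termination point for SSL offloading has the problem, the system is still vulnerable. Obviously. (That said, it is still common today for the app server not to speak TLS, so this cannot be ignored.)
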
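7.1.6 Impact
• The attack is difficult because, for example, each target site has to be investigated individually
• However, if the site is automated, requests can be issued any number of times until one succeeds → the success rate goes up
• The attacker can make it look as though "the victim is attacking the server"
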
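7.1.7, 7.1.8
In 2010 an extension called Renegotiation Indication came out so that "cases where renegotiation is really necessary" (essentially, client certificates) can be handled securely. However:
• 6 months to fix the protocol
• A further 12 months for library/OS patches
• A further 24 months from there until the fix was widely deployed
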
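7.2 BEAST
An attack that can decrypt and extract part of the data encrypted with TLS 1.0 and earlier protocols. It uses the "predictable IV" of TLS 1.0 to attack CBC-mode encryption. For the working principle, there is an explanatory video by David Wong. The URL is https://www.youtube.com/watch?v=-_8-2pDFvmg (the video that comes up for "beast attack explanation").
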
CBC with known IV is effectively ECB
ECB is deterministic encryption. Plaintext blocks with the same content become the same ciphertext.

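CBC with known IV is effectively ECB
Because plaintext blocks with the same content become the same ciphertext, a block-sized (16-byte) guess can be decrypted by attempting encryption [...] times (an ECB oracle; obviously). The point of this attack is that CBC mode can be reduced to what is effectively ECB, and the number of attempts can then be reduced further.
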
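CBC with known IV is effectively ECB
Reusing the IV in CBC has effectively the same effect as ECB on the first block. In the figure below, note that the argument of the block cipher encryption can be constructed from the IV and the plaintext.
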
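CBC with known IV is effectively ECB
Suppose we want to learn the plaintext of the 2nd block and can manipulate the plaintext of the 3rd block. The ciphertext of each block can be observed.
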
CBC with known IV is effectively ECB
From the figure below, [...]. Here, if we let [...], then:

CBC with known IV is effectively ECB
Here, if [...], then [...] can be determined!

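On predictable IVs
In TLS 1.0 and earlier, the whole connection was treated as a single message, and a random IV was applied only to the first record. From the second record onward, the ciphertext of the last block of the previous record served as the IV (and was therefore predictable). In 1.1 and 1.2 there is a randomized IV for every record.
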
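The reasoning of the "CBC with known IV" slides and the predictable-IV slide, carried through in code as an added example that is not part of the original deck. It contrasts the TLS 1.0 chained IV with the TLS 1.1/1.2 per-record IV; the toy Feistel cipher standing in for AES, the one-block-per-record simplification and all names (`CbcRecordLayer`, `guess_confirmed`, `SECRET`) are assumptions for illustration.

```python
import hashlib
import os

BLOCK = 16
SECRET = b"JSESSIONID=XXXXX"  # constructed 16-byte sample block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    # Toy 4-round Feistel permutation standing in for AES (assumption, demo only).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.blake2b(right, key=key, salt=bytes([rnd]), digest_size=8).digest()
        left, right = right, xor(left, f)
    return left + right

class CbcRecordLayer:
    """One 16-byte block per record. iv_mode="chained" models TLS 1.0,
    iv_mode="per_record" models the randomized IV of TLS 1.1/1.2."""

    def __init__(self, key, iv_mode):
        self.key = key
        self.iv_mode = iv_mode
        self.last_ciphertext = os.urandom(BLOCK)  # random IV for the first record

    def send(self, plaintext_block):
        if self.iv_mode == "chained":
            iv = self.last_ciphertext    # already visible on the wire
        else:
            iv = os.urandom(BLOCK)       # unknown until this record is sent
        ciphertext = toy_block_encrypt(self.key, xor(iv, plaintext_block))
        self.last_ciphertext = ciphertext
        return iv, ciphertext

def guess_confirmed(layer, secret_block, guess):
    """True if an observer who chooses the next block can verify `guess`."""
    iv_secret, ct_secret = layer.send(secret_block)   # record carrying the secret
    predicted_iv = layer.last_ciphertext              # last ciphertext block seen
    # If the prediction holds, the cipher input becomes iv_secret XOR guess,
    # which equals the secret record's cipher input exactly when guess == secret.
    probe = xor(xor(guess, iv_secret), predicted_iv)
    _, ct_probe = layer.send(probe)
    return ct_probe == ct_secret
```

With `iv_mode="chained"` a correct guess reproduces the secret's ciphertext block and a wrong one does not; with `iv_mode="per_record"` the predicted IV is never the one actually used, so even a correct guess cannot be confirmed.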
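The attack in practice
• When the goal is to learn a password or session ID, 16 bytes is often enough
  • So use long passwords...
• Session IDs are often hex-encoded
• The structure of HTTP messages is easy to predict
Given the above, the number of guesses can be reduced considerably compared with the usual case.
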
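The attack in practice
Furthermore, in modern browsers:
• Adding extra characters to the request URI makes it possible to shift the position of sensitive information inside the request
• What gets encrypted, and when it is sent, can be controlled
• That said, this requires a Java applet. A separate vulnerability in the Java applet is used to break through the Same-Origin Policy
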
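Countermeasures
• 0/n split
  • Inserting one empty record means that instead of "the previous record becoming the IV as is", "the encryption of the previous record" becomes the IV.
  • However, some browsers do not support it
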
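Countermeasures
• 1/n-1 split
  • So, let's send the data split into "a record containing only 1 byte" and "the rest"
  • It works in theory, but when Chrome did it many sites became unviewable and the change was reverted
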
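Server-side countermeasures
• Until 2013, defaulting to RC4 was recommended
  • It has other problems (7.5)
  • RC4 is a stream cipher, so CBC mode is irrelevant to it
• The modern choice is GCM mode, which is effectively a stream cipher
• Better still, clients supporting TLS 1.1 are now increasingly common, so not using TLS 1.0 is the best countermeasure
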
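History
• Attacks on predictable IVs were warned about for IPsec in 1995 and for SSH in 2002
• In 2002 it was found to apply to TLS as well. The 0/n split was proposed.
• In 2004 and 2006 Gregory Bard published on the CBC problem in TLS, but it was ignored as not being a realistic attack
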
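History
• In 2006 the problem was solved at the protocol level in TLS 1.1, but no client implemented it
• In 2011 the BEAST attack was developed by Duong and Rizzo. It came to be regarded as a realistic threat
• Apple's response did not come until 2013
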
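Impact
BEAST is an attack on the data stream from the client. It must be possible to control what is sent to the target web server. In addition, it needs "a server configured to prefer CBC and to disable TLS compression" and "a vulnerability in the Java applet's SOP", so today the risk is low.
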
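7.3 Compression side-channel attacks
This part covers CRIME, TIME, BREACH and (because I have explained it elsewhere before) the HEIST attack, which did not exist when the book was written/translated. These attacks use the property that when compression is in use and the message length is known, information about the plaintext leaks (= a side-channel attack). This is the background to compression being abolished in TLS 1.3.
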
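How the compression oracle works
DEFLATE compression uses LZ77 and Huffman coding. Both compress well when there are common substrings.
LZ77 example: Google is so googley -> Google is so g(-13, 5)y
Using this property, a request combining "the actual Cookie" + "a guess" is sent, and if it compresses well, the content of the "guess" exists in the actual Cookie! → Repeat to "guess" the whole thing!
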
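CRIME attack
Short for Compression Ratio Info-leak Made Easy. It recovers the content of a Cookie flowing over HTTPS/SPDY with data compression and achieves session hijacking. On the premise that the attacker can see the length of the ciphertext and can at the same time have the browser send multiple manipulated requests, the technique uses the ciphertext length to work out the plaintext. The discoverers are the same two people who discovered BEAST.
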
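TIME
CRIME had the constraint that the attacker had to have access to the local network. The TIME attack relaxes that condition. It measures I/O timing differences from the onLoad and onReadyStateChange events and from them measures the length of the compressed record.
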
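HEIST
Presented at Black Hat in 2016, this is a variant of the TIME attack in the sense that it relaxes the conditions of CRIME/BREACH. It covers timing measurement using the Service Worker Fetch API and the possibility of attacking HTTP/2, neither of which existed as of 2013. I have written an explanatory article at http://sylph01.hatenablog.jp/entry/infosecpaper-ac-20161220, so I leave the details to it.
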
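Why does timing measurement reveal the length?
TCP Slow Start Algorithm
• The response is split into Maximum Segment Size (MSS) units
• At first, only as many segments as the initial congestion window (10 in most cases) are sent
• Each time an ACK arrives, the congestion window is enlarged little by little, increasing the bandwidth
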
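Rough outline of the technique
• The firing time of onLoad/onReadyStateChange (or the resolution time of a ServiceWorker Promise) is known, so the transfer time of the response is known
• From this, one can tell whether the response fit in 1 window or took 2 or more windows
• So, by adjusting little by little the length of something that is reflected in the response and probing for the boundary, the original length of the response is revealed
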
(Figure 7.6)

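BREACH attack
Short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. Impressive that anyone comes up with these.
A variation of the CRIME attack against HTTPS + HTTP compression (gzip, DEFLATE). Whereas the CRIME attack targeted the HTTP request, the BREACH attack targets the HTTP response. It uses the fact that part of the request is reflected in the response.
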
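Conditions for the attack
• CRIME requires access to the victim's network traffic
  • However, TIME can relax this condition
• JS malware, or tags carrying a specially crafted URL
• (Naturally) TLS compression is enabled
• As advance preparation, an understanding of the site's structure (such as the prefix of the targeted credential)
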
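Conditions for the attack
• BREACH also requires access to network traffic
  • However, HEIST can relax this condition
• Note that this one attacks the compression of the HTTP response, not TLS compression
• It requires understanding the structure of the target website, namely whether it contains a place where "a string from the request is reflected (reflection)"
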
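7.3.4, 7.3.5 Mitigations
• TLS compression has fallen out of use (abolished entirely in 1.3)
• Disabling HTTP compression is quite difficult
• Control the request rate. The attack needs a large number of requests
• Insert extra whitespace to hide the true length
• Mask the CSRF token (so that what appears in the HTML is not the real token)
• Disable compression partially
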
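The length leak from the "How the compression oracle works" slide and the token-masking mitigation listed above, measured with zlib as an added example that is not part of the original deck. The page template, the token value, the two reflected strings and the masking scheme (a fresh one-time pad per response, emitted as pad followed by pad XOR token) are constructed assumptions.

```python
import os
import zlib

TOKEN = b"4f9a1c7e2b8d4f60a3c5e7f9b1d3f5a7"   # constructed secret CSRF token
GOOD_GUESS = b"csrf value=" + TOKEN[:16]       # reflected input sharing 16 token characters
BAD_GUESS = b"csrf value=0123456789abcdef"     # same length, shares none of the token

def masked(token):
    # Fresh one-time pad per response; the page carries pad || (pad XOR token) in hex,
    # so the bytes that appear in the HTML differ on every response.
    pad = os.urandom(len(token))
    return (pad + bytes(p ^ t for p, t in zip(pad, token))).hex().encode()

def compressed_length(reflected, mask):
    """Length an on-path observer sees for a page reflecting `reflected` beside the token."""
    token = masked(TOKEN) if mask else TOKEN
    page = b"<p>search: " + reflected + b"</p><input name=csrf value=" + token + b">"
    return len(zlib.compress(page, 9))

def mean_gap(mask, trials=200):
    """Average of (length with BAD_GUESS) - (length with GOOD_GUESS) over `trials` responses."""
    total = 0
    for _ in range(trials):
        total += compressed_length(BAD_GUESS, mask) - compressed_length(GOOD_GUESS, mask)
    return total / trials

if __name__ == "__main__":
    print("unmasked gap in bytes:", mean_gap(mask=False))
    print("masked gap in bytes:  ", mean_gap(mask=True))
```

Without masking, the response that reflects part of the real token is consistently shorter; with masking the difference averages out to noise because the reflected string no longer has anything in the page to match.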
7.4 Lucky 13
Deferred to next time.