Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
『プロフェッショナルSSL/TLS』読書会 第7章前半資料
sylph01
October 06, 2017
Technology
0
110
『プロフェッショナルSSL/TLS』読書会 第7章前半資料
7.1 〜 7.3まで。
sylph01
October 06, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
sylph01
0
180
sylph01
0
370
sylph01
1
1.7k
sylph01
1
42
sylph01
0
320
sylph01
0
41
sylph01
1
230
sylph01
0
330
sylph01
0
200
Other Decks in Technology
See All in Technology
nitya
0
310
eller86
1
230
legalforce
PRO
4
280
thockin
3
950
aditya45
2
2.4k
chaspy
6
1.3k
torisoup
11
6.1k
lmi
3
1.1k
gobeyond20xx
0
330
110y
1
11k
khrd
1
640
sat
40
29k
Featured
See All Featured
pauljervisheath
195
15k
andyhume
63
3.7k
geeforr
332
29k
rmw
11
810
mojombo
359
62k
paulrobertlloyd
72
1.4k
jakevdp
775
200k
tanoku
86
8.6k
zakiwarfel
88
3.4k
tenderlove
53
3.5k
brettharned
93
3k
cherdarchuk
71
260k
Transcript
(7) ϓϩτίϧʹର͢Δ ߈ܸ: 7.1-7.3 @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 10/6/2017
શମײ ࠓઆ໌͢Δ߈ܸख๏ͲΕTLSͷϓϩτίϧͷόʔδϣϯΞο ϓʹΑͬͯݱతʹ༗ޮͰͳ͍ɻ • ҆શͰͳ͍࠶ωΰγΤʔγϣϯɿ࠶ωΰγΤʔγϣϯ֦ு • BEAST: 1.1ͰIVΛຖϨίʔυͰϥϯμϜԽɺ1.3ͰCBCϞʔυࣗମ ഇࢭ •
ѹॖαΠυνϟωϧ: TLSϨίʔυͷѹॖʹ͍ͭͯ1.3Ͱશഇ
7.1 ҆શͰͳ͍࠶ωΰγΤʔγϣϯ ಉ͡TCPίωΫγϣϯͰ࠶TLSϋϯυγΣΠΫΛࢼΈΔͱɺαʔ όʔ͜ΕΛ࠶ωΰγΤʔγϣϯͰ͋ΔͱΈͳ͢ɻ ͜ͷͱ͖ɺݹ͍TLSετϦʔϜͱ৽͍͠TLSετϦʔϜͰܧଓੑ͕ ͳ͘ɺಉ͡૬ख͔Βདྷ͍ͯΔͷ͔Ͳ͏͔Λݕূ͢Δखཱ͕ͯͳ ͔ͬͨ͜ͱʹΑͬͯMITM߈ܸ͕ՄೳͰ͋ͬͨɻ
ʢਤ7.1ʣ
7.1 ҆શͰͳ͍࠶ωΰγΤʔγϣϯ ԿͰϚζ͍ʁˠΞϓϦέʔγϣϯσʔλͷશੑ͕ഁΒΕΔʂ ྫͰɺଓͷ಄ʹҙͷฏจΛૠೖ͢Δ͜ͱʹޭ͍ͯ͠ Δɻ
7.1.2 Ҿ͖ى͜͢ํ๏ • ΫϥΠΞϯτʹΑΔ࠶ωΰγΤʔγϣϯΛڐՄ͍ͯ͠Δαʔό • IISΛআ͘ • Server Gated Cryptography
• ༌ग़༻҉߸ͰωΰγΤʔγϣϯͨ͠ޙΑΓڧ͍҉߸ڧʹ Ҿ্͖͛Δͱ͍͏ํ๏ • ΫϥΠΞϯτূ໌ॻ
7.1.3 HTTPʹର͢Δ߈ܸ 1. ҙͷGETϦΫΤετͷ࣮ߦ GET /path/to/hoge HTTP/1.0 X-Ignore: GET /index.jsp
HTTP/1.0 Cookie: JSESSIONID=XXX X-Ignore:ͷίϩϯ·Ͱ͕߈ܸऀͷϦΫΤετɻ͜͏͢Δͱຊདྷ ͷϦΫΤετͷ1ߦΛϔομԽͯ͠ແࢹ͢Δ͜ͱ͕Ͱ͖ɺҙͷ GETཱ͕͢Δɻ CSRFͱͦΜͳʹมΘΒͳ͍͔Βݟա͝͞Ε͍͕ͯͨ…
2. POSTͷԠ༻ POST /statuses/update.xml HTTP/1.0 Authorization: Basic [߈ܸऀͷcred] Content-Type: application/x-www-form-urlencoded
Content-Length: [ਪଌ͞ΕΔ͞] status=POST /statuses/update.xml HTTP/1.1 Authorization: Basic [٘ਜ਼ऀͷcred] status=ͷ=·Ͱ͕߈ܸऀͷϦΫΤετɻ
2. POSTͷԠ༻ • ಉҰαʔϏε্ͷผͷΞΧϯτΛ͏ • Content-Lengthͷ͞ݫີͳ͞ΛΔඞཁͳ͍ɻͲ͜· Ͱͷ͕͋͞ΕϦΫΤετͷ͏ͪཉ͍͠ใΛॻ͖ग़ͤΔ ͔ɺͱ͍͏͕͞Θ͔ΕΑ͍ɻ • ਪଌ͞ΕΔ͞Λେ͖͘औΓ͗͢ΔͱϦΫΤετ͕ͦΜͳʹ
͘ͳ͍ͷͰࣦഊ͢Δɻ
3. ͦͷଞ • ϦμΠϨΫτͷ༻ • ΦʔϓϯϦμΠϨΫτ͕͋Εͦ͜ʹඈͤΔ • ฏจͷϦμΠϨΫτ͕͋Εࣄ্࣮ฏจ௨৴ʹͰ͖Δ • HTTP
307(Temporary Redirect)Λฦ͢ϦμΠϨΫτ͕ଘࡏ͢Δ ͱɺHTTP 307ϦμΠϨΫτ࣌ಉ͡ϝιουͰϦμΠϨΫ τ͢ΔͨΊɺPOST͕POSTͱͯ͠ϦμΠϨΫτͰ͖Δʂ
3. ͦͷଞ • TRACEϝιουΛͬͯXSSͰ͖Δ • ຊདྷmessage/httpͷContent-Type͕ͩɺ • શͯͷϨεϙϯεΛHTMLͱղऍͪ͠Ό͏ϒϥβͩͱXSS ཱʂ
7.1.4 ଞͷϓϩτίϧ • SMTP: ͦͦূ໌ॻͷνΣοΫΛ͍ͯ͠ͳ͍TLS࣮͕ଟ͍ͷ Ͱɺ͜ͷͱؔͳ͠ʹMITM߈ܸ͕༰қɻ • SMTPʹ͓͚ΔTLSͱαʔό-ΫϥΠΞϯτؒͷ҉߸Խʢͪ͜ ΒΫϥΠΞϯτʹΑͬͯূ໌ॻͷݕূՄʣͱαʔό-αʔ όؒͷϗοϓؒͷ҉߸ԽͳͷͰɺͲͷΈͪαʔόʔͰฏจ
Ͱ͢ɻຊ࣭తʹϝʔϧܦ༝Ͱ҉߸Խ௨৴͍ͨ͠ͳΒS/MIME ূ໌ॻͰݸਓೝূͨ͠ΓPGP͍·͠ΐ͏ • FTPͰӨڹΞϦ
7.1.5 ΞʔΩςΫνϟʹىҼ͢Δ߈ܸ SSLΦϑϩʔυͰऴͱͯ͠ػೳ͢Δαʔόʹ͕͋ͬͨΒ Γ੬ऑɻͦΕͦ͏ɻ ʢͱ͍͑ɺapp server͕TLS௨৴͠ͳ͍͜ͱݱͰଟ͍ ͷͰແࢹͰ͖ͳ͍ʣ
7.1.6 Өڹ • ඪతαΠτ͝ͱͷௐ͕ࠪඞཁͩͬͨΓͯ͠߈ܸ͕ࠔ • ͔͠͠ɺαΠτ͕ࣗಈԽ͍ͯ͠Δͱޭ·ͰԿͰϦΫΤε τ͕ൃߦͰ͖Δ → ޭup •
߈ܸऀʮvictim͕αʔόΛ߈ܸ͍ͯ͠Δʯ͔ͷΑ͏ʹݟ͔͚ͤ Δ͜ͱ͕Ͱ͖Δ
7.1.7, 7.1.8 2010ʹRenegotiation Indicationͱ͍͏ͷͰʮͲ͏ͯ͠࠶ωΰγ Τʔγϣϯ͕ඞཁͳέʔεʯʢʹ·͋ΫϥΠΞϯτূ໌ॻͷ͜ ͱʣΛηΩϡΞʹߦ͏ͨΊͷ֦ு͕ग़ͨɻ ͔͠͠ɿ • ϓϩτίϧͷमਖ਼ʹ6ϲ݄ •
ϥΠϒϥϦ/OSͷύονʹ͞Βʹ12ϲ݄ • ͔ͦ͜Βਁಁ͢Δ·Ͱ͞Βʹ24ϲ݄
None
7.2 BEAST TLS 1.0ҎલͷϓϩτίϧͰ҉߸Խ͞ΕͨσʔλͷҰ෦Λ෮߸͠ൈ ͖ग़ͤΔɺͱ͍͏߈ܸɻ TLS 1.0ʹ͓͚Δʮ༧ଌՄೳͳIVʯΛ͍ɺCBCϞʔυͷ҉߸ʹର͠ ͯ߈ܸΛֻ͚Δͷɻ ಈ࡞ݪཧʹ͍ͭͯɺDavid Wongࢯͷղઆಈը͕͋ΔɻURL
https://www.youtube.com/watch?v=-_8-2pDFvmgʢ"beast attack explanation"Ͱग़ͯ͘Δಈըʣ
CBC with known IV࣮࣭ECB ECBdeterministic encryptionʢܾఆత҉߸Խʣɻಉ͡༰ͷฏ จϒϩοΫಉ͡҉߸จʹͳΔɻ
CBC with known IV࣮࣭ECB ಉ͡༰ͷฏจϒϩοΫಉ͡҉߸จʹͳΔͷͰɺϒϩοΫ୯Ґ (16byte)ͷਪଌͳΒ҉߸ԽΛ ճࢼΈΕ෮߸Ͱ͖ΔʢECBΦϥ Ϋϧ; ͦΕͦ͏ʣɻ CBCϞʔυΛ࣮࣭ECBʹҾ͖Լ͛ɺࢼߦճΛ͞ΒʹݮΒ͢͜ͱ͕
Ͱ͖Δɺͱ͍͏ͷ͕ຊ߈ܸͷझࢫɻ
CBC with known IV࣮࣭ECB CBCʹ͓͚ΔIVͷ͍ճ͠ୈ1ϒϩοΫʹର࣮࣭ͯ͠తʹECBͱಉ ͡ޮՌΛͨΒ͢ɻԼਤʹ͓͍ͯɺblock cipher encryptionͷҾ͕ IVͱฏจ͔ΒߏͰ͖Δ͜ͱʹҙɻ
CBC with known IV࣮࣭ECB ୈ2ϒϩοΫͷฏจ͕Γͨ͘ɺୈ3ϒϩοΫͷฏจ͕ૢ࡞Մೳͱ ͢Δɻ֤ϒϩοΫͷ҉߸จΔ͜ͱ͕Ͱ͖Δɻ
CBC with known IV࣮࣭ECB ԼਤΑΓ ɺ ͜͜Ͱɺ ͱ͢Δͱ:
CBC with known IV࣮࣭ECB ͜͜Ͱ ͳΒ ͱͰ͖Δʂ
༧ଌՄೳͳIVʹ͍ͭͯ TLS 1.0ҎલͰίωΫγϣϯશମΛ1ͭͷϝοηʔδͱΈͳ͠ɺແ ࡞ҝͳIVઌ಄ͷϨίʔυͷΈʹద༻͞Ε͍ͯͨɻ2ͭͷϨίʔ υҎ߱ɺલͷϨίʔυͷ࠷ऴϒϩοΫͷ҉߸จ͕IVͱͳ͍ͬͯ ͨʢΑͬͯ༧ଌՄೳʣɻ 1.1, 1.2ͰϨίʔυ͝ͱʹrandomized IVɻ
࣮ࡍͷ߈ܸ • ύεϫʔυηογϣϯIDΛΔ߹ɺ16byteͰेͰ͋Δ͜ ͱ͕ଟ͍ • ͳͷͰ͍ύεϫʔυΛ͚ͭ·͠ΐ͏… • ηογϣϯID16ਐΤϯίʔυ͞Ε͍ͯΔ͜ͱ͕ଟ͍ • HTTPϝοηʔδͷߏ༧͍͢͠
Ҏ্ΑΓɺ௨ৗΑΓਪଌճΛ͔ͳΓݮΒ͢͜ͱ͕Ͱ͖Δɻ
࣮ࡍͷ߈ܸ ͞ΒʹɺϞμϯϒϥβͰ • ϦΫΤετURIʹ༨ܭͳจࣈΛ͢͜ͱʹΑͬͯɺϦΫΤετͷ தʹ͋ΔػඍใͷҐஔΛͣΒ͢͜ͱ͕Մೳ • ҉߸Խ͞ΕΔͷͱͦͷૹ৴λΠϛϯάΛ੍ޚͰ͖Δ • ͱ͍͑͜ΕJavaΞϓϨοτΛΘͳ͍ͱ͍͚ͳ͍ɻJava ΞϓϨοτͷผͷ੬ऑੑͰSame-Origin
PolicyΛಥഁ͢Δ
ରࡦ • 0/nׂ • ۭͷϨίʔυΛ1ݸڬΉͱʮલͷϨίʔυ͕ͦͷ··IVʹͳ ΔʯΘΓʹʮલͷϨίʔυΛ҉߸Խͨ͠ͷʯ͕IVʹͳ Δɻ • ͔͠͠Ұ෦ͷϒϥβ͕ඇରԠ
ରࡦ • 1/n-1ׂ • ͡Ό͋ʮ1byteؚ͚ͩΜͩϨίʔυʯͱʮͦΕҎ֎ʯʹ͚ͯ ૹΖ͏ • ཧ্ಈ࡞͢Δͷ͚ͩͲChrome͕ͬͯଟ͘ͷαΠτ͕ݟ Εͳ͘ͳͬͯrevertͨ͠
αʔόʔαΠυͷରࡦ • 2013·ͰσϑΥϧτͰRC4ʹ͢Δ͜ͱ͕ਪ͞Ε͍ͯͨ • ผͷ͕͋Δ(7.5) • RC4ετϦʔϜ҉߸ͳͷͰCBCϞʔυͱ͔ؔͳ͍ • ݱతʹGCMϞʔυΛ͏ɻ࣮࣭ετϦʔϜ҉߸ •
ͬͱɺݱతʹTLS 1.1ରԠΫϥΠΞϯτ͕૿͍͑ͯΔͷ ͰTLS 1.0ΛΘͳ͍ͱ͍͏ͷ͕Ұ൪ͷରࡦ
ྺ࢙ • ༧ଌՄೳͳIVͷ߈ܸ1995ʹIPsecɺ2002ʹSSHʹରͯ͠ܯࠂ ͞Ε͍ͯͨ • 2002ʹTLSʹద༻ՄೳͱΘ͔Δɻ0/nׂ͕ఏҊ͞ΕΔɻ • 2004, 2006ʹGregory Bard͕TLSʹ͓͚ΔCBCͷΛൃදɺ͠
͔͠ݱ࣮తͳ߈ܸͰͳ͍ͱͯ͠ແࢹ͞ΕΔ
ྺ࢙ • 2006ʹTLS 1.1Ͱϓϩτίϧ্ͷղܾΛݟ͕ͨɺΫϥΠΞϯτ ୭࣮ͤͣ • 2011ɺDuongͱRizzoʹΑͬͯBEAST߈ܸ͕։ൃ͞ΕΔɻݱ࣮ తͳڴҖͰ͋ΔͱΈͳ͞ΕΔ • AppleͷରԠ2013ʹͳ͔ͬͯΒ
Өڹ BEASTΫϥΠΞϯτ͔ΒͷσʔλετϦʔϜʹର͢Δ߈ܸɻඪ తWebαʔόʔʹૹ৴͞ΕΔͷ੍͕ޚͰ͖Δඞཁ͕͋Δɻ Ճ͑ͯɺʮαʔόଆͰCBC༏ઌͷઃఆͱTLSѹॖͷແޮԽͷઃఆ͕ ඞཁʯʮJavaΞϓϨοτͷSOPʹର͢Δ੬ऑੑʯ͕ඞཁͰ͋Γɺݱ తʹϦεΫɻ
None
7.3 ѹॖαΠυνϟωϧ߈ܸ CRIMEɺTIMEɺBREACHɺͦΕͱʢաڈʹผͷͱ͜ΖͰղઆͨ͜͠ ͱ͕͋ΔͷͰʣࣥච/༁࣌Ͱଘࡏ͠ͳ͔ͬͨHEIST߈ܸʹ͍ͭ ͯղઆ͢Δɻ ѹॖΛ͍ͯͯ͠ϝοηʔδ͕Θ͔Δͱฏจͷใ͕࿙ΕΔʢʹ αΠυνϟωϧ߈ܸʣɺͱ͍͏ੑ࣭Λͬͨͷɻ TLS 1.3Ͱѹॖ͕ഇࢭ͞Εͨͷ͜ͷΜͷࣄ͔Βɻ
ѹॖΦϥΫϧͷΈ DEFLATEѹॖLZ77ͱϋϑϚϯූ߸ԽΛ͏ɻ͜ΕΒڞ௨ͷ෦ จࣈྻ͕͋Δͱѹॖ͕ޮ͘ɻ LZ77ͷྫ: Google is so googley -> Google
is so g(-13, 5)y ͜ͷੑ࣭Λ༻͍ͯɺʮ࣮ࡍͷCookieʯ+ʮ༧ʯͷΈ߹ΘͤΛϦ ΫΤετ͠ɺѹॖ͕ޮ͍ͨΒʮ༧ʯͷ༰࣮ࡍͷCookieʹ ଘࡏ͢Δʂ→܁Γฦͯ͠શମΛʮ༧ʯʂ
CRIME߈ܸ Compression Ration Info-leak Made Easyͷུɻ σʔλѹॖΛߦ͏HTTPS/SPDY্ΛྲྀΕΔCookieͷ༰Λ෮ݩ͠ɺ ηογϣϯϋΠδϟοΫΛ࣮ݱ͢Δɻ ߈ܸऀ͕҉߸จͷ͞ΛݟΕΔ͜ͱ +
ಉ࣌ʹϒϥβ͔Βෳͷ ૢ࡞͞ΕͨϦΫΤετΛૹΕΔ͜ͱΛલఏʹɺ҉߸จͷ͞Λར ༻ͯ͠ฏจΛׂΓग़͢ख๏ɻ ൃݟऀBEASTͷൃݟऀͱಉ͡2໊ɻ
TIME CRIMEͰ߈ܸऀ͕ϩʔΧϧωοτϫʔΫʹΞΫηε͠ͳ͚Ε ͳΒͳ͍ͱ͍͏੍͕͋ͬͨɻTIME߈ܸͦͷ݅Λ؇ΊΔ ͷɻ I/OͷλΠϛϯάࠩΛonLoadͱonReadyStateChangeΠϕϯτ͔Β ଌΓɺѹॖ͞ΕͨϨίʔυΛଌΔɻ
HEIST 2016ͷBlack HatͰൃද͞ΕͨɺCRIME/BREACHͷ݅Λ؇ΊΔ ͱ͍͏ҙຯͰTIME߈ܸͷϰΝϦΞϯτɻ Service WorkerͷFetch APIΛར༻ͨ࣌ؒ͠ଌఆͱɺHTTP/2ͷ߈ܸ Մೳੑʹ͍ͭͯݴٴ͍ͯͯ͠ɺ͜ΕΒͲͪΒ2013ͷ࣌Ͱ ଘࡏ͠ͳ͔ͬͨɻ http://sylph01.hatenablog.jp/entry/infosecpaper-
ac-20161220 ʹͯղઆهࣄॻ͍ͯΔͷͰৄࡉͦͪΒʹৡΓ·͢
ԿͰ࣌ؒଌఆͰ͕͞Θ͔Δͷʁ TCP Slow Start Algorithm • ϨεϙϯεMaximum Segment Size(MSS)୯Ґʹׂ͞ΕΔ •
࠷ॳinitial congestion windowʢΟϯυʣͷݸͷη άϝϯτ(͍͍ͩͨͷ߹10)͚ͩૹ৴ • ACK͕དྷΔ͝ͱʹcongestion windowΛগͣͭ͠େ͖ͯ͘͠ଳҬ Λ૿͍ͯ͘͠
ख๏ͷେࡶͳ֓ཁ • onLoad/onReadyStateChangeͷൃՐλΠϛϯάʢ·ͨService WorkerͷPromiseͷղܾλΠϛϯάʣ͕Θ͔ΔͷͰɺϨεϙϯε ͷ௨৴͕࣌ؒΘ͔Δ • ͜ΕʹΑͬͯɺϨεϙϯε͕1 windowʹऩ·͔ͬͨɺ2 window Ҏ্ʹͳ͔͕ͬͨΘ͔Δ
• ͳͷͰɺϨεϙϯεʹreflect͞ΕΔΑ͏ͳͷ͞Λগ͍ͣͭ͠ ͬͯ͡ڥքΛ୳Δ͜ͱͰɺຊདྷͷϨεϙϯεͷ͕͞Θ͔Δ
ʢਤ7.6ʣ
None
None
BREACH߈ܸ Browser Reconnaissance and Exfiltration via Adaptive Compression of HypertextͷུɻΑ͘ࢥ͍ͭ͘ͳ͋
CRIME߈ܸͷHTTPS + HTTP compression(gzip, DEFLATE)ʹର͢Δϰ ΝϦΤʔγϣϯɻ CRIME߈ܸ͕HTTP requestʹରͯ͠߈ܸͨ͠ͷʹର͠ɺBREACH߈ ܸHTTP responseʹରͯ͠߈ܸΛ͢ΔɻϦΫΤετͷҰ෦͕Ϩε ϙϯεʹө͞ΕΔ(reflected)͜ͱΛར༻͢Δɻ
߈ܸͷཱ݅ • CRIME٘ਜ਼ऀͷωοτϫʔΫτϥϑΟοΫͷΞΫηε͕ඞ ཁ • ͨͩ͠TIMEʹΑͬͯ݅Λ؇Ͱ͖Δ • JSϚϧΣΞɺಛผʹՃͨ͠URLΛ࣋ͭ<img>λά • (વͳ͕Β)TLSͷѹॖ͕༗ޮͰ͋Δ
• ࣄલ४උͱͯ͠ɺαΠτͷߏͷѲʢ߈ܸରͷcredentialͷ prefixͳͲʣ
߈ܸͷཱ݅ • BREACHωοτϫʔΫτϥϑΟοΫͷΞΫηε͕ඞཁ • ͨͩ͠HEISTʹΑͬͯ݅Λ؇Ͱ͖Δ • ͪ͜ΒTLSͷѹॖͰͳ͘ɺHTTPϨεϙϯεͷѹॖʹରͯ͠ ߈ܸ͢Δ͜ͱʹҙ • ඪతWebαΠτͷதʹɺʮϦΫΤετதͷจࣈྻ͕ө͞ΕΔ
(reflection)ʯՕॴ͕͋Δ͔Ͳ͏͔ͷߏѲ͕ඞཁ
7.3.4, 7.3.5 ؇ࡦ • TLSͷѹॖഇΕ͍ͯΔ(1.3Ͱશഇ) • HTTPͷѹॖΛແޮԽ͢Δͷ͔ͳΓ͍͠ • ϦΫΤετϨʔτΛ੍ޚɻେྔͷϦΫΤετ͕ඞཁ •
༨ܭͳۭനΛೖΕͯຊͷ͞ΛӅ͢ • CSRFରࡦτʔΫϯͷϚεΩϯάʢHTMLʹݱΕΔͷ͕ຊ ͷτʔΫϯͰͳ͍Α͏ʹ͢Δʣ • ෦తʹѹॖΛແޮԽ͢Δ
None
7.4 Lucky 13 ࣍ճʹճ͠·͢