Copyright 2017, wolfssl Inc. All rights reserved. 今日 TLS 1. 3 IoT TLS 新ー話

Size: px

Start display at page:

なつきしもね
5 years ago
Views:

1 今日 TLS 1. 3 IoT TLS 新ー話

2 woflssl ー専門技術ー IoT ー暗号技術

3 wolfssl Japan 本社米国世界各地専門 wolfssl ー世界最高水準製品提供 wolfssl Japan 一員日本客世界水準技術ー届

4 Internet Engineering Task Force (IETF) 安全存知通信通標準確保 TLS/SSL IoT ー間

5 HTTP Web) SMTP/ POP SSL(TLS) TCP FTP IP IP LAN SIP IP DTLS UDP IPsec IP DNS ( DHCP IP... 安全通信階層実現ーー層間位置

6 SSL1.0 SSL2.0 SSL3.0 TLS1.0 TLS1.1 TLS IETF CBC AES SHA-256 (GCM,CCM) TLS1.3 DH PSK TDES MD5 RC4, CBC SHA-1 SSL 今日新 TLS ー話

7 より Internet Engineering Task Force (IETF) Draft21 Proposed Standard TLS1.3 TLS 1. 3 IETF 標準化団体ーー検討れ年議論活発化年最初現在 21 正式標準化直前状態

8 TLS 1 3 声.

9 声聞

10 DraI21 普及期 ??? 実確際使わ例れ年制定年れ TLS.

11 ?

12 発見 / 発表種類名前説明 2008 乱数生成 Debian RNG 2009 NULバイト攻撃 NULバイト攻撃 2009 再ネゴシエーション 2011 MAC 認証暗号 BEAST 2012 政府による盗聴 Flame 2012 乱数生成組込み系エントロピー不足 2012 圧縮サイドチャネル攻撃 CRIME 2013 政府による盗聴 Bullrun, Edgehill 2013 政府による盗聴 Dual EC DRBG 2013 パディング攻撃 Lucky Thirteen 圧縮サイドチャネル攻撃 BREACH 2013 圧縮サイドチャネル攻撃 TIME 2013 暗号の危殆化 RC 切り詰め攻撃 2014 ダウングレード攻撃トリプルハンドシェイク攻撃 2014 パディング攻撃 POODLE 2014 不正なASN.1 BERserk 2015 状態遷移攻撃 SMACK 2015 ダウングレード攻撃 FREAK 2015 ダウングレード攻撃 Logjam 2015 メーカーによる盗聴 Superfish 2016 危殆化 :DES3 SWEET ダウングレード攻撃 DROWN 2016 メッセージハッシュ攻撃 SLOTH 2017 証明書発行 Symantec Copyright 2017, wolfssl Inc. All rights reserved. 間 TLS/SSL 数々攻撃脆弱性問題克服

13 安全れ性堅牢性 SSL3 TLS

14 TLS1.0 SSL3 結果ーー大ー

15 重負荷苦 Web IoT ー負荷増大直接増大れ事情新普及遅要因事情

16 今回知れー

17 TLS TLS1.0 SSL3 1.3 大幅見直安全性大幅向上処理負荷軽ー向上

18 朗報れ負! 荷増加悩ー

19 ?

21 本当?

22 日夜世界中れ攻撃者ー側

23 側導新入ーー

24 ー古許意味

25 側ーれ同水準われ繋

26 TLS. わ側 1 3 知れ時代意外早

27 TLS1.0 SSL3 1.3 れ新ー変われ安全性性能風関わ少わ見

28 暗号化技術目的鍵合意 / 鍵交換 ( 公開鍵暗号 ) 暗号鍵を安全に通信相手と共有証明書 / 署名正しい通信相手か確認共通鍵暗号メッセージの暗号 / 復号化メッセージ認証メッセージ改ざん検証存 TLS 中安全通信実現暗号化技術使われ正通信相手確認証明書署名実際通信内容暗号化復号化共通鍵暗号送れー改れ検証ー認証れ暗号化技術れれ方式提案れ使われ

29 _ECDHE / (bit) 実際 TLS 通信暗号通信送手受手通信最初選択肢れれ方式使合意れ暗号ー言覧 TLS 実際われ暗号ー一例 TLS 長時代変化追従各部分暗号方式組合わ使

30 TLS_NULL_WITH_NULL_NULL TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_IDEA_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA 実際登時録代れ新暗号 IETF ー

31 TLS_NULL_WITH_NULL_NULL TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_IDEA_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DH_DSS_WITH_DES_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DH_RSA_WITH_DES_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 TLS_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA Reserved to avoid conflicts with SSLv3 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_RC4_128_SHA TLS_KRB5_WITH_IDEA_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_IDEA_CBC_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_PSK_WITH_NULL_SHA TLS_DHE_PSK_WITH_NULL_SHA TLS_RSA_PSK_WITH_NULL_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA Reserved to avoid conflicts with deployed implementapons Reserved to avoid conflicts Reserved to avoid conflicts with deployed implementapons Unassigned Reserved to avoid conflicts with widely deployed implementapons TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 Unassigned TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS_PSK_WITH_RC4_128_SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA TLS_PSK_WITH_AES_256_CBC_SHA TLS_DHE_PSK_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA TLS_DHE_PSK_WITH_AES_256_CBC_SHA TLS_RSA_PSK_WITH_RC4_128_SHA TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA TLS_RSA_PSK_WITH_AES_256_CBC_SHA TLS_RSA_WITH_SEED_CBC_SHA TLS_DH_DSS_WITH_SEED_CBC_SHA TLS_DH_RSA_WITH_SEED_CBC_SHA TLS_DHE_DSS_WITH_SEED_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS_DH_anon_WITH_SEED_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLS_DH_anon_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_GCM_SHA256 TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_CBC_SHA256 TLS_PSK_WITH_AES_256_CBC_SHA384 TLS_PSK_WITH_NULL_SHA256 TLS_PSK_WITH_NULL_SHA384 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 TLS_DHE_PSK_WITH_NULL_SHA256 TLS_DHE_PSK_WITH_NULL_SHA384 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 TLS_RSA_PSK_WITH_NULL_SHA256 TLS_RSA_PSK_WITH_NULL_SHA384 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 含今登れ危録険 2 性れ増以中上使われー IETF

32 最終的 (HKDF) DHE ECDHE RSA ECDSA AES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 AES_128_CCM_SHA256 AES_128_CCM_8_SHA256 証明書の指定に従う

33 暗号化技術鍵合意 / 鍵交換 ( 公開鍵暗号 ) 証明書 / 署名共通鍵暗号メッセージ認証目的暗号鍵を安全に通信相手と共有正しい通信相手か確認メッセージの暗号 / 復号化メッセージ改ざん検証鍵一合一意方式わ共通部鍵分公暗開号鍵方式鍵部交分換

34 RSA DH 公開鍵方式れれ発明者頭文字 RSA ー DH 方式広使われ

35 RSA ECC DSA ECDSA DH ECDH ECDH ECDHE ECDHE 加れ方複式数派生後系改良

36 RSA 系 DH 系れれ RSA 系 DH 系呼

37 TLS1.2 / RSADH / RSA 証鍵明合書意中署交名換れ RSA RSA 系系わ系れ両方 DH TLS

38 暗号化技術方式 / RSADH 証明書 / 署名 RSA 系 TLS1.2 近年非常大規模長期間わ通信情報蓄積れー暗号解読可能性明出れ安全思われ RSA 鍵交換 RSA 系使認識れ

39 TLS1.3 暗号化技術方式 / DH 証明書 / 署名 RSA 系役鍵割合意整理 1 3 系署名系風 TLS. DH RSA

40 TLS1.0 SSL3 1.3 れ方式使わ安全性向上効果 TLS 1. 3 場合れ以上大効果点少

41 Application Data Application Data 実際暗号化れ TLS ー通信

42 Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.2 SSL 実前れ準備平文行われわ送暗号化ー SSL

43 Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.2 SSL Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.3 暗号 1 化整 3 れ方以最式後初整部理分れ暗号大化幅必向要上情報ー TLS.

44 Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.2 SSL Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.3 大公幅開鍵向隠原情上脆理報弱性早突原理部隠わ的分万一安盗全性れ攻撃ー

45 TLS1.3 実性能向上方式整理れ SSL3 TLS

46 Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.2 Finished Client Hello (key_share) Server Hello (Key, key_share) Certificate CertificateVerify Finished Application Data Application Data TLS1.3 従れ往往来復復大幅転 1 送次 3 開往始路覧途中大実質見的改往善復ーーーーーー.

47 暗号化技術鍵合意 / 鍵交換 ( 公開鍵暗号 ) 証明書 / 署名共通鍵暗号メッセージ認証目的暗号鍵を安全に通信相手と共有正しい通信相手か確認メッセージの暗号 / 復号化メッセージ改ざん検証方式 1 3 一整理共通鍵暗号 TLS.

48 Client Hello Server Hello Certificate Server Key Exchange Server Hello Done Client Key Exchange Change Cipher Spec Encrypted Handshake Change Cipher Spec Encrypted Handshake Application Data Application Data TLS1.2 Finished Client Hello (key_share) Server Hello (Key, key_share) Certificate CertificateVerify Finished Application Data Application Data TLS1.3 終共わ通鍵暗号暗号実化際使われ暗号化方式ーー

49 AES- CBC AES- CBC,

53 AES- CBC MAC TLS(16k) AES- CBC k TLS MAC MAC

54 AES- CBC AES- GCM TLS 1. 3 AES- CBC TLS 1. 3 AES- GCM AEAD

55 AES- GCM AES AES AES WikipediaGalois/Counter Mode AES- GCM CBC authenfcated encrypfon with asociated data :AEAD CBC AEAD

56 MB/Sec Chacha- Poly TDES AES- CBC AES- GCM ChaCha- Poly (AEAD) (AEAD) CBC GCM AES- GCM

57 AES- CBC AES- GCM ChaCha- Poly ChaCha- Poly TLS 1. 2 TLS 1. 3

58 MB/Sec Chacha- Poly TDES AES- CBC AES- GCM ChaCha- Poly (AEAD) (AEAD) / (AEAD) ChaCha- Poly CBC GCM

60 X = GAP G A P G P G, P, A x

61 X = GP XA x, G P A x

62 DH ( kb ) mod P A ( ka ) mod P B

64 EllipPc Curve Cryptography: ECC

65 80bit 112bit 128bit 192bit 256bit RSA/DH (ECC) ( ECC TLS ECC ECC

66 ECC / DHE ECDHE / RSA ECDSA TLS1.3 DH, RSA ECC EC ECDH ECDSA

68 NIST SECGSECP ECC NIST NIST SECG SECP TLS

69 Wikipedia Daniel Bernstein Curve Ed TLS 1. 2 TLS 1. 3 NIST, SECP

70 DH NISTCurve25519 DH 2048 ECDHE NIST 256 ECDH E CURVE DH CURVE

71 (PSK) Early Data TLS 1. 3

72 IoT IoT IoT IoT

73 Client Hello Server Hello Server Key Exchange Client Key Exchange Application Data Application Data TLS1.3PSK

76 wolfssltls wolfssl TLS.

77 wolfssl.jp 1 3 wolfssl TLS.

78 wolfssl GPLv2 wolfssl.jp wolfssl IDE, TLS 1. 3 TLS 1. 3

79 $ unzip wolfssl zip $ cd wolfssl $./configure $ make $./examples/server/server $./examples/client/client Unzip configure Makefile make wolfssl test IP localhost TLS

80 $ unzip wolfssl zip $ cd wolfssl $./configure enable- tls13 $ make $./examples/server/server v 4 $./examples/client/client - v TLS1.3 TLS1.3 TLS1.3 Configure v

81 TLS 1. 2

83 Wireshark 1. 2

84 1. 3 Client Hello/Server Hello

86 method = wolftlsv1_2_client_method(); /* */ Ctx = wolfssl_ctx_new(method); /* */ ssl = wolfssl_new(ctx); /* */ wolfssl_connect(ssl); /* TLS */ wolfssl_write(ssl, buff, size); /* */ wolfssl_read(ssl, buff, size); /* */ wolfssl_free(ssl); /* TLS */ wolfssl_ctx_free(ctx); /* */ API wolfssl

87 TLS1.3 TLS1.3 method = wolftlsv1_3_client_method(); /* */ Ctx = wolfssl_ctx_new(method); /* */ ssl = wolfssl_new(ctx); /* */ wolfssl_connect(ssl); /* TLS */ wolfssl_write(ssl, buff, size); /* */ wolfssl_read(ssl, buff, size); /* */ wolfssl_free(ssl); /* TLS */ wolfssl_ctx_free(ctx); /* */ TLS 1 3.

88 l TLSTLS1.2 int wolfssl_connect_tlsv13(wolfssl* ssl); int wolfssl_accept_tlsv13(wolfssl* ssl); l int wolfssl[_ctx]_no_fcket_tlsv13(wolfssl[_ctx]* ctx/ssl); int wolfssl_no_fcket_tlsv13(wolfssl* ssl); l DHE int wolfssl[_ctx]_no_dhe_psk(wolfssl[_ctx]* ctx/ssl); l int wolfssl_update_keys(wolfssl* ssl); l int wolfssl[_ctx]_allow_post_handshake_auth(wolfssl[_ctx]* ctx/ssl); int wolfssl_request_cerfficate(wolfssl* ssl); l Early Data int wolfssl_read/write_early_data(wolfssl*, const void*, int, int*); int wolfssl[_ctx]_set_max_early_data(wolfssl[_ctx]* ctx/ssl, unsigned int sz); TLS wolfssl TLS 1. 3

90 TLS IoT TLS 1. 3

TLS _final

TLS _final TLS 1.3 IoT 2018/12/06, kojo@wolfssl.com wolfssl Japan GK 1 woflssl 2 3 : 200 E H : 200 I N Q : 2 / MSJ Q : 20. : 2.. # I N TC L. 00 0 L P : 2 T T 4 5 6 wolfssl Japan 7 108-6028 2-15-1 A 28F 050-3698-1916

Copyright 2017, wolfssl Inc. All rights reserved. 今日 TLS 1. 3 IoT TLS 新 ー 話

Copyright 2017, wolfssl Inc. All rights reserved. 今日 TLS 1. 3 IoT TLS 新ー話