Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security, privacy, performance of next-generation transport protocols
Search
kazuho
September 08, 2018
Technology
8
35k
Security, privacy, performance of next-generation transport protocols
Discusses the motivation behind QUIC encryption and TLS encrypted SNI.
kazuho
September 08, 2018
Tweet
Share
More Decks by kazuho
See All by kazuho
HTTP優先度制御の今後とビデオ配信
kazuho
0
94
Encrypted SNI
kazuho
5
6.2k
TLS 1.3とその周辺の標準化動向
kazuho
0
8.4k
Fastlyのプログラマから見たCDN
kazuho
29
18k
Other Decks in Technology
See All in Technology
スタートアップにおける組織設計とスクラムの長期戦略 / Scrum Fest Kanazawa 2024
yoshikiiida
13
3.6k
AWS IAMのアンチパターン/AWSが考える最低権限実現へのアプローチ概略(JAWS-UG朝会#59資料改修20分版)
htan
0
330
LLMアプリケーションの評価の実践と課題 ~PharmaXにおける今後の展望~
pharma_x_tech
2
160
シフトレフトで挑む セキュリティの生産性向上
sekido
PRO
0
270
Luupの開発組織におけるインシデントマネジメントの変遷 ver.RoadtoSRENEXT2024
grimoh
1
270
年間一億円削減した時系列データベースのアーキテクチャ改善~不確実性の高いプロジェクトへの挑戦~
lycorptech_jp
PRO
3
2.9k
たくさん本を読んだけど 1年後には綺麗サッパリ!を乗り越えて 学習の鬼になるぞ👹
yum3
0
160
[I/O Extended Android 2024] What`s new in Android 2024
kyeongwan
0
220
さらに高品質・高速化を目指すAI時代のテスト設計支援と、めざす先 / AI Test Lab vol.1
shift_evolve
0
190
AIエージェントを現場に導入する目線とは
masahiro_nishimi
1
1.5k
データベース研修 DB基礎【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
210
コンテナ・K8s研修 - 後半 Kubernetes 基礎&ハンズオン【MIXI 24新卒技術研修】
mixi_engineers
PRO
1
120
Featured
See All Featured
Six Lessons from altMBA
skipperchong
24
3.2k
What's in a price? How to price your products and services
michaelherold
239
11k
Building a Modern Day E-commerce SEO Strategy
aleyda
25
6.7k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
325
21k
Building a Scalable Design System with Sketch
lauravandoore
458
32k
Rails Girls Zürich Keynote
gr2m
93
13k
GraphQLとの向き合い方2022年版
quramy
36
13k
Teambox: Starting and Learning
jrom
130
8.6k
Debugging Ruby Performance
tmm1
71
11k
Principles of Awesome APIs and How to Build Them.
keavy
124
16k
KATA
mclloyd
20
13k
Transcript
4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ
4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ
• 1SJODJQBM044%FWFMPQFS!'BTUMZ • MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT
5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGIUUQCJTDBDIFEJHFTU – ESBGUJFUGUMTFTOJ 8IPBN*
ZFTUFSEBZ UPEBZ UPNPSSPX OBNFSFTPMVUJPO %/4 %/4PWFS)5514 USBOTQPSU 5$1 26*$
5-4 TFDVSJUZ 5-4 5-4 BQQMJDBUJPOQSPUPDPM )551 5IFCJHQJDUVSF
• QFSWBTJWFNPOJUPSJOH • QFPQMFSFMZJOHNPSFPO QVCMJD XJGJ $BOXFUSVTUUIFOFUXPSL
• 5-4 • 4FDVSJUZPGBUSBOTQPSU • 26*$ – IBOETIBLF –
QBDLFUOVNCFSFODSZQUJPO • &ODSZQUFE4/* "HFOEB
5-4
• FTTFOUJBMMZ5-4 • QVCMJTIFEBT3'$JO"VHVTU 5-4
• "&"%DJQIFST – XJUIPVUFYQMJDJUOPODF • GBTUFSIBOETIBLF UP355 • GPSXBSETFDSFDZ
• CFUUFSQSJWBDZ – POFPGGTFTTJPOUJDLFUT – DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS 5-4
AES-CTR "&4($. AES ciphertext 1 plaintext 1 nonce ||
0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag
AES-CTR "&"%JO5-4 VTJOH"&4($. AES ciphertext 1 plaintext 1 nonce
|| 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag OPODFSFDPSEOVNCFSBEEEBUBSFDPSEIFBEFS
ClientHello ServerHello ServerCertificate ServerKeyExchange (ClientSertificate) ClientKeyExchange Finished Finished Application
Data 5-4IBOETIBLFGMPX Client Server plaintext encrypted
5-4IBOETIBLFGMPX ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate
Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
%JGGFSFODFTCFUIBOETIBLFGMPXT • 5-4 – FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT UIFOFYDIBOHFUIFQVCMJDLFZT •
5-4 – FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST • SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN – TFUVQFODSZQUFEDIBOOFMVTJOHUIF FYDIBOHFELFZT • VTFUIFDIBOOFMUPBVUIFOUJDBUF
• MFTTSPVOEUSJQT • JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE – JFDFSUJGJDBUFT – DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI •
CVUUIFTFSWFSOBNF 4/* JTVOQSPUFDUFE – CFDBVTFJUJTQBSUPG$MJFOU)FMMP – XJMMDPWFSUIBUMBUFS 5IFCFOFGJUT
• NJEEMFCPYFTEJTSVQUJOH5-4IBOETIBLF – UIJOLTl5IJT5-4IBOETIBLFTVTQJDJPVT*U`TB GVMMIBOETIBLFCVUEPFTOPUDPOUBJOB DFSUJGJDBUFz UFSNJOBUFTUIFDPOOFDUJPO – SFBMJUZDFSUJGJDBUFJTFODSZQUFE
• TPMVUJPONBLF5-4IBOETIBLFMPPL MJLF5-4SFTVNQUJPO 5BDLMJOHPTTJGJDBUJPO
4FDVSJUZPGBUSBOTQPSU
• DPOGJEFOUJBMJUZ • JOUFHSJUZ • BWBJMBCJMJUZ 5IFTFDVSJUZUSJBE
• 5-4 – QSPWJEFTDPOGJEFOUJBMJUZ JOUFHSJUZ – VTJOHUIFFYDIBOHFELFZT • 5$1
– SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ – CVUUIFQBDLFUTDBOCFUBNQFSFE 5-4PWFS5$1
• NJEEMFCPYJOKFDUT5$1SFTFUT – TFOEB5$1QBDLFUXJUI345CJUTFU • CMPDLBDDFTTUPDFSUBJOXFCTJUFT – CZPCTFSWJOHQMBJOUFYU FH
4/* • CMPDLDFSUBJOQSPUPDPMT FH11 3FTFUJOKFDUJPOBUUBDL
• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT •
PGGQBUIBUUBDL – BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT – OPUTPQSBDUJDBMGPS5$1 5ISFFUZQFTPGBUUBDLT
• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT – FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS • BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF SPVUFEQBDLFUTJTUIFQSPCMFN
• NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT – BOPEFUIBUUBQTPOUIFOFUXPSL JOKFDUT QBDLFUTBUCFTUFGGPSU .BOPOUIFTJEFBUUBDLJTFBTZ
• JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB 5$1DPOOFDUJPO • FODSZQUFEUSBOTQPSUT FH %5-4 *1TFD
QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL – CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF FYDIBOHFELFZT • FH QO cc"&4@($. QO QBZMPBE BOEWFSZQSBDUJDBMGPS5$1
Packet type and flags (1 octet) Destination Connection ID
(0,4-18 octets) Encrypted Packet Number (1,2,4 octets) Encrypted Payload AEAD tag (16 octets or more) 26*$QBDLFU additional text • "&"% Ћ UPQSPUFDUFBDIQBDLFU AEAD payload encrypted???
26*$
• FODSZQUFEUSBOTQPSU – VTFT5-4GPSIBOETIBLF • IBOETIBLFJO35 – 5$1 5-4UBLFT35
• NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO • GJYIFBEPGMJOFCMPDLJOHJO)551 – QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB EJGGFSFOUTUSFBNT • NPCJMJUZ OFUXPSLNJHSBUJPO 'FBUVSFTPG26*$
26*$IBOETIBLF
stream 0 stream 4 stream 8 stream 16… 0SJHJOBMEFTJHO
HTTP request 1 TLS 1.3 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer 2 3… 9 10 11… obtain “exporter secret” ↓ derive server traffic key & client traffic key
• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFBQQMJDBUJPOUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT
• BUUBDLWFDUPST – SFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL 0SJHJOBMEFTJHOJTTVFT
*TTVFVTFPGFODSZQUJPO stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key 2 3… 9 10 11… TLS 1.3
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate
Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3
*TTVFSFTFUJOKFDUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 reset!
*TTVF"$,QSPNPUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…
HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 ACK (8)
• DIBOHF5-4 4PMVUJPO
• DIBOHFUIFTVCQSPUPDPMPG 5-4 4PMVUJPO
#BDLHSPVOEMBZFSTPG5-4 segment segment TLS messages: TLS records: TCP segments:
plaintext HS 1RTT SH EE Certificate Fin NST
plaintext HS 1RTT SH EE Certificate Fin NST stream
0 stream 0 TLS messages: TLS records: QUIC frames: HS HS QUC packets: datagram datagram UDP datagrams: stream 0 1RTT -BZFSTJOUIFPSJHJOBMEFTJHO confidentiality injection resistance
SH EE Certificate Fin NST CRYPTO CRYPTO TLS messages:
QUIC frames: Initial HS QUC packets: datagram datagram UDP datagrams: CRYPTO 1RTT -BZFSTJOUIFSFGJOFEEFTJHO HS CRYPTO confidentiality injection resistance
• PSJHJOBMEFTJHO 5-4 – *0PGFODSZQUFEPDUFUT – BDDFTTUPlFYQPSUFSTFDSFUz •
SFGJOFEEFTJHO – *0PG5-4NFTTBHFT JOQMBJOUFYU – FWFOUTUPJOTUBMMUSBGGJDLFZT • 355 VOJEJSFDUJPOBM )4 CJ 355 CJ – OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1* 3FRVJSFEDIBOHFTUP5-4TUBDL"1*
• TFQBSBUJPOPGDPODFSO – 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO – 26*$FODSZQUTUIFQBDLFUT • OPNPSFBNCJHVJUZ –
EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM – UISFFEJTUJODUQBDLFUOVNCFSTQBDF • JF *OJUJBM )BOETIBLF 355 • OPDIBODFPG"$,QSPNPUJPOBUUBDL 3FGJOFEEFTJHOUIFCFOFGJUT
• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT
• BUUBDLWFDUPST – MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL *TTVFTSFTPMWFE BMNPTU
26*$QBDLFUOVNCFSFODSZQUJPO
• QBDLFUOVNCFS 1/ – JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU – JODSFBTFTNPOPUPOJDBMMZ • UIFSFGPSF
DBOCFVTFEUPUSBDLBDMJFOU – $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU TIPVMEXFEPGPSQBDLFUOVNCFS 1BDLFUOVNCFSBOEQSJWBDZ
• KVNQ1/XIFOTXJUDIJOH$*% – QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU • TJODF1/ CJU JTSPVOEFEPOXJSFUP
CJUT • PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO – XIBUUPEPPOQBUIQSPCJOHFSSPS • EJGGFSFOU1/TQBDFGPSFBDI$*% – NFBOTIBWJOHFODSZQUJPOLFZTBOE"$, RVFVFGPSFBDI$*% $POTJEFSFEBQQSPBDIFT
• FODSZQUJOH1/JTTJNQMFSUIBO – JOTFSUJOHKVNQTIBWJOHNBOZLFZTTQBDFT 4PMVUJPOQBDLFUOVNCFSFODSZQUJPO
#VUIPX type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: ??? ↓ unencrypted encrypted
/BÏWFBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE+ciph. ciph. AEAD tag 1 0/4-18 16 any – 1/2/4 16 size: + PNE: AES ↓ unencrypted encrypted
"EPQUFEBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any
size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: AES_CTR(ciphertext, PN) ↓ unencrypted encrypted
• TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS EFMJWFSZCZMPPLJOHBU1/ – UPMFTTFOSFUSBOTNJUT – OPEPXOTJEFGPS5$1 – JTTVFGPS26*$
CFDBVTFXFDBOVTFQBDLFUT BSSJWJOHPVUPGPSEFS • 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT TUBSUVTJOH1/JOQBSUJDVMBSXBZT 1/&UPQSFWFOUNJTVTFPG1/
• 5$1 5-4 – BEESFTTFTDPOGJEFOUJBMJUZ JOUFHSJUZ • JOBEEJUJPO 26*$
5-4 – JNQSPWFTBWBJMBCJMJUZ – QSFTFSWFTVTFSQSJWBDZ – QSFWFOUTPTTJGJDBUJPO – PQUJNJ[FTGPSQFSGPSNBODF • TFUVQJO35 35JO5$1 5-4 • VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS 5IFJNQSPWFNFOUT
• FODSZQUJPOJTUIFUBTLPG26*$ – IBOETIBLFEPOFCZ5-4 • BMNPTUFWFSZUIJOHJTFODSZQUFE – POMZQBDLFUUZQF $*%
QSPUPDPMWFSTJPOBSF WJTJCMFPOUIFXJSF • XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ – FH lTQJOCJUzFYQFSJNFOU 26*$BOEFODSZQUJPO
&ODSZQUFE4/*
• 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN •
TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
• %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT •
USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
• %/4SFTPMVUJPO %P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF
5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
• ESBGUSFTDPSMBUMTFTOJ – UPCFDPNFESBGUJFUGUMTFTOJ • LFZJEFB – VTFQVCMJDLFZDSZQUPUPFODSZQU4/* –
VTF%/4UPEJTUSJCVUFUIFQVCMJDLFZ 4PMVUJPOFODSZQUFE4/*
)PXJUXPSLT example.com? _esni.example.com? example.com=192.0.2.1 _esni.example.com=pubkey ClientHello {ESNI=encrypt("example.com")} DoH recursor
HTTPS server DNS authoritative server
TUSVDU\ VJOUDIFDLTVN<> ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOUQBEEFE@MFOHUI VJOUOPU@CFGPSF
VJOUOPU@BGUFS &YUFOTJPOFYUFOTJPOT? ^&4/*,FZT @FTOJFTOJFYBNQFOFU*/595 E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/ .Y %ZDE%7W#+P),0.I ,[BWE*N03*""*5"2&&"""""'T (E."""""89"H"" &4/*SFDPSE
• &4/*SFDPSEJTOPUTJHOFE – TPUIBUJUDBOCFTNBMM – BUUBDLFSDBOTQPPGUIFN • CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG FYBNQMFDPN
– BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPTVNNBSJ[F &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL 4FDVSJUZBTQFDUT
• 355BQQMJDBUJPOEBUBJOGVMM IBOETIBLF – OFFEUPEJTUSJCVUFTJHOFEQVCLFZ BOE DFSUJGJDBUFDIBJOVTJOH%/4 • QSPUFDUJOHJOJUJBMFYDIBOHFGSPN
JOKFDUJPOBUUBDL 6TJOH&4/*QVCMJDLFZGPSPUIFSQVSQPTFT
3FDBQJUVMBUJPO
• OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT • FODSZQUJPOJTBMTPVTFEGPS – QSPWJEJOHBWBJMBCJMJUZ – QSFWFOUJOHPTTJGJDBUJPO •
GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF • BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$ – FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT – XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF OFUXPSL 0VSTUBUVT