株式会社ゼタントで行った勉強会「JavaScriptを使って学ぶEnd-to-Endセキュリティ」の第3回目のスライドです。 https://zettant.connpass.com/event/149136/

1. JavaScript End-to-End
3
1),2)
1)
2)
January 26, 2020
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 1 / 61

2. Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 2 / 61

3. 1 2
End-to-End (E2E)
Web E2E JavaScript
(AES)
AES( )
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 3 / 61

4. :
1 PK SK
2 PK SK
3 D PK X
4 X SK D
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 4 / 61

5. ⇒ AES
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 5 / 61

6. AES pros/cons
RSA 1
AES
1
Diffie-Hellman
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 6 / 61

7. :
Web Web
:
Bash, Git
Node.js, npm, yarn
Google Chrome and/or Firefox
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 7 / 61

8. ( )
1 &JS
2 AES
3
4 MAC
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 8 / 61

9. Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 9 / 61

10. ⇓
JavaScript
RSA
(Elliptic Curve Cryptography)2
2
2
Elliptic Curve Diffie-Hellman; ECDH
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 10 / 61

11. RSA
RSA Cryptography
1977 Rivest-Shamir-Edelman 3 2000
( )
RFC 8017 (PKCS#1 v2.2) ANSI X9.31 IEEE 1363
CRYPTREC
1024–4096bits 3
4
3
4
RSA-OAEP( ) RSA-PSS( )
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 11 / 61

12. Elliptic-Curve Cryptography
5
1985 Victor Miller Neal Koblitz
Diffie-Hellman(DH)6
ECDH
DSA7
ECDSA
RFC8442 CRYPTREC IEEE P1363 TLS
Bitcoin
256–521bits (Compact form)
ECDH ECDH-Ephemeral
8
5
6
RFC2631 https://tools.ietf.org/html/rfc2631
7
NIST FIPS 186-4 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
8
Forward Secrecy( )
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 12 / 61

13. AES Pros/Cons
Pros Cons
AES
(128bits )
SoC
9
(RSA: 2048bits )
⇒
9
Intel AES-NI
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 13 / 61

14. AES RSA 10
1
AES RSA
128 3072 256–383
192 7680 384–511
256 15360 512–
AES RSA 24
10
Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 4, NIST,
01/2016. https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-4/final
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 14 / 61

15. AES-128 RSA-3072
AES: = 0, 1, . . . , 2128
− 1 1
RSA: = 2 ( )
RSA
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 15 / 61

16. Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 16 / 61

17. JavaScript (Node.js)
src/commands-browser.html
Node.JS
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 17 / 61

18. E2E
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 18 / 61

19. :
Node.js (> v10) yarn 11
Google Chrome ( )
Firefox
Visual Studio Code WebStorm
11
: npm i -g yarn
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 19 / 61

20. JavaScript
GitHub 12
Clone
$ git clone
https://github.com/junkurihara/slides-e2e-security-js.git
$ cd sample03
$ yarn install
$ yarn build
12
https://github.com/junkurihara/slides-e2e-security-js/
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 20 / 61

21. RSA
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 21 / 61

22. RSA
RSA
D PK
⇒ RSA 13
RSA
13
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 22 / 61

23. RSA 2 14
PKCS#1-v1.5 Padding
Optimal Asymmetric Encryption Padding (OAEP)
14
PKCS#1 (RFC8017) https://tools.ietf.org/html/rfc8017
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 23 / 61

24. PKCS#1-v1.5 Padding
RSA RSAES-PKCS1-v1 5
M
D = 0x00 || 0x02 || RandomSequence || 0x00 || M
15
PKCS#1 v2.2 RFC8017)
CRYPTREC
16
15
1998 Bleinchenbacher’s Attack 2018 Internet
(ROBOT Attack)
16
https://www.cryptrec.go.jp/method.html
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 24 / 61

25. Optimal Asymmetric Encryption Padding (OAEP) 17
RSA RSA-OAEP RSAES (RSA
Encryption Scheme) - OAEP
M All or Nothing Transform
(AONT) D
D = AONT(M, RandomSeed)
PKCS#1-v1.5 Padding
PKCS#1 v2.2 (RFC8017)
OAEP
RSA OAEP
17
M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption,” in Proc. EUROCRYPTO 1994,
pp. 92–111, LNCS 950, 1994.
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 25 / 61

26. : OAEP
Masked Seed, Masked Data Block
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 26 / 61

27. JavaScript RSA-OAEP
sample
string
$ yarn execute rsa-oaep-demo ’hello world’
<Input Data>
hello world
<Generated RSA Key Pair (PEM Form)>
Public Key:
30820122300d06092a864....... // (DER)
Private Key:
308204bc020100300d060....... // (DER)
=======
<Encrypted Data (in Base64)>
9f28a2acbd7cd5bc748f3....... // ’hello world’ RSA-OAEP
=======
<Decrypted Data>
hello world //
=======
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 27 / 61

28. ( ):
RSA
$ yarn execute rsa-keygen
<Generated RSA Key Pair (DER Form)>
Public Key:
30820122300d06092a864886f70d010......
Private Key:
308204be020100300d06092a864886f......
RSA-OAEP (-p )
$ yarn execute rsa-oaep-encrypt ’hello world’
-p ’308201223......’
<Encrypted Data (in HexString)>
8da122191b1ec6da72afe88c96cfbb3...... //
RSA-OAEP (-s )
$ yarn execute rsa-oaep-decrypt ’8da122191b1ec6da72afe88c96cfbb3......’
-s ’308204be020100300d06092a864886f......’
<Decrypted Data>
hello world
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 28 / 61

29. RSA-OAEP
RSA (src/test-api.js)
// bits = 2048
const jscu = getJscu(); // jscu Node.js Crypto, WebCrypto
const keyPair = await jscu.pkc.generateKey(
’RSA’,
{modulusLength: bits} // 2048bits RSA
);
RSA-OAEP (src/test-api.js)
const jscu = getJscu(); // jscu Node.js Crypto, WebCrypto
// DER (Uint8Array) jscu
const publicKey = new jscu.Key(’der’, publicDer);
const encrypted = await jscu.pkc.encrypt(
uint8ArrayData, //
publicKey,
{hash: ’SHA-256’} // OAEP ’SHA-256’
);
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 29 / 61

30. RSA-OAEP (src/test-api.js)
const jscu = getJscu(); // jscu Node.js Crypto, WebCrypto
// DER (Uint8Array) jscu
const privateKey = new jscu.Key(’der’, privateDer);
const decrypted = await jscu.pkc.decrypt(
uint8ArrayEncryptedData,
privateKey,
{hash: ’SHA-256’} //
);
jscu Node.js
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 30 / 61

31. RSAES-OAEP WebCrypto API( ) Node.js
Crypto 18
RSAES-PKCS1-v1 5 JS
OAEP
⇒ SSL/TLS ROBOT
18
WebCrypto jscu purejs
(IE )
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 31 / 61

32. (ECDH)
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 32 / 61

33. 1
ECDH
Elliptic-Curve Diffie-Hellman (ECDH)
ECDH
⇒ ( ) AES
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 33 / 61

34. (EC)DH :
(A) (B)
19
19
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 34 / 61

35. :
ECDH 20
2 : (PK1, SK1) (PK2, SK2)
SharedRandomBits = ECDH(PK1, SK2)
= ECDH(PK2, SK1).
ECDH
(Compact form)
20
EC DH
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 35 / 61

36. JavaScript ECDH
sample 2
$ yarn execute check-ecdh
<ECC Key Pair A (DER Form)>
Public Key:
3059301306072a8648ce3d020106082... // A
Private Key:
308193020100301306072a8648ce3d0... // A
=======
<ECC Key Pair B (DER Form)>
Public Key:
3059301306072a8648ce3d020106082... // B
Private Key:
308193020100301306072a8648ce3d0... // B
=======
// A B
Shared Bits from Public Key A and Private Key B: c55393fc681811141...
// B A
Shared Bits from Public Key B and Private Key A: c55393fc681811141...
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 36 / 61

37. ECDH
src/test-api.js
const jscu = getJscu();
const jscec = getJscec(); //js-crypto-ec jscu
// DER jscu JWK
const publicKey = new jscu.Key(’der’, publicDer);
const privateKey = new jscu.Key(’der’, privateDer);
const publicJwk = await publicKey.export(’jwk’);
const privateJwk = await privateKey.export(’jwk’);
//
const derived = await jscec.deriveSecret(publicJwk, privateJwk);
jscu ECDH+AES API ECDH
ECDH
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 37 / 61

38. ECDH WebCrypto API( )
Node.js Crypto 21
21
[ ] encrypt API deriveBits( ) [Node.js]
ECDH
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 38 / 61

39. 2
AES
(=ECDH ) AES
⇒
HKDF (RFC5869)
Concat KDF (RFC8039)22
etc....
HKDF
22
JOSE https://tools.ietf.org/html/rfc8037
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 39 / 61

40. JavaScript ECDH AES
ECDH, HDKF, AES
AES
⇓
RSA
23
23
AES
( 256bits )
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 40 / 61

41. ( )
EC (2 2 )
$ yarn execute ecc-keygen
<Generated ECC Key Pair (DER Form)>
Public Key:
3059301306072a8648ce3d020......
Private Key:
308193020100301306072a864.....
$ yarn execute ecc-keygen
<Generated ECC Key Pair (DER Form)>
Public Key:
3059301306072a8648ce3d020.....
Private Key:
308193020100301306072a864.....
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 41 / 61

42. ECDH+HKDF+AES-CBC
$ yarn execute ecdh-aes-encrypt ’hello world’
-p ’3059301306072a8648ce3d020106082a8648c......’ //
-s ’308193020100301306072a8648ce3d0201060......’ //
<Shared Bits> // ECDH
51a1a502d01917e6ae0c7cd69cc7078d4a07d0172d271555d001485621551eef
<Derived AES Key> // HDKF
Key: f52372329867b83ee4e2cada7452a909e85b1ffc2401c5e3b7e7aa7bf9363f7b
HKDF-Salt: 1dffbb6a9a0b91929b690116e3abd75b4a984e4d8686fcd9e35b4bd0220ebfe7
HKDF-Hash: SHA-256
<Encrypted data> // AES-CBC
Data: e36ded44e0e27a8f01d160feb54b1c30
Initial Vector: e9799bff5bdbd3400b1c753e5d5506ff
// Key, Salt, IV, Encrypted Data Msgpack
<Msgpacked encrypted and kdf data>
82a9656e6372797074656482a464617461d......
Msgpack serialize
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 42 / 61

43. ECDH+HKDF+AES-CBC
// msgpack
$ yarn execute ecdh-aes-decrypt ’82a9656e6372797074656482a46461......’
-p ’3059301306072a8648ce3d0201060......’ //
-s ’308193020100301306072a8648ce3......’ //
<Shared Bits> // ECDH
51a1a502d01917e6ae0c7cd69cc7078d4a07d0172d271555d001485621551eef
<Derived AES Key> // msgpack
f52372329867b83ee4e2cada7452a909e85b1ffc2401c5e3b7e7aa7bf9363f7b
<Decrypted Data> //
hello world
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 43 / 61

44. ECDH, HKDF, AES
: src/commands-node.js
// Shared bits
const sharedBits = await ecdh(publicKeyA, privateKeyB);
// HKDF key derivation
const aesKey = await deriveKeyFromMasterSecret(sharedBits, 32);
// AES-CBC encryption
const encrypted = await encryptAES(data, aesKey.key);
// packing for ease
const packed = msgpack.encode({encrypted, kdfParams: aesKey.kdfParams});
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 44 / 61

45. : src/commands-node.js
const depack = msgpack.decode(uint8ArrayData);
// Shared bits
const sharedBits = await ecdh(publicKeyB, privateKeyA);
// HKDF key derivation
const aesKey = await deriveKeyFromMasterSecret(
sharedBits, 32, depack.kdfParams.salt, depack.kdfParams.hash
);
// AES-CBC decryption
const decrypted = await decryptAES(
depack.encrypted.data, aesKey.key, depack.encrypted.iv
);
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 45 / 61

46. Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 46 / 61

47. 2
RSA-OAEP
ECDH, KDF, AES
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 47 / 61

48. n
n ( )
SK
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 48 / 61

49. 1 AES
⇒
2 Perfect Forward Secrecy
⇒
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 49 / 61

50. AES
Hybrid Encryption, Key Encapsulation
K AES 24
K
24
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 50 / 61

51. AES K
( )
AES AES
AES CDN
25
25
DRM
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 51 / 61

52. Perfect Forward Secrecy
(Perfect) Forward Secrecy
⇓
1 Ephemeral Scheme
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 52 / 61

53. SSL/TLS
⇒
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 53 / 61

54. Ephemeral Scheme
AES &
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 54 / 61

55. ECDH Ephemeral Scheme
26
ECDH-Ephemeral (ECDHE)27
⇒
i.e., Forward secrecy
Ephemeral
Ephemeral
?
26
RSA Ephemeral Scheme
RSA-4096 AES-256
27
TLS https://tools.ietf.org/html/rfc8422
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 55 / 61

56. Ephemeral
?
⇓
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 56 / 61

57. Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 57 / 61

58. RSA: OAEP (RSAES-OAEP)
ECDH: AES
:
Ephemeral Scheme: Perfect Forward Secrecy
JavaScript /
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 58 / 61

59. :
MAC
: SHA2, SHA3
: HMAC/CMAC
: RSA Signature/ECDSA
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 59 / 61

60. : iTransfy by Zettant
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 60 / 61

61. :
: recruit@zettant.com
URL: https://www.zettant.com
Jun Kurihara (Zettant Inc./U-Hyogo) E2E Security with JS 03 January 26, 2020 61 / 61