Does a bear do its business in the woods?

Output matters.

Learning the TLS Handshake from an SM-DP+ (Rakuten Mobile)

I installed tcpdump on a Rakuten Mini and looked at the TLS handshake it performs when talking to Rakuten Mobile's SM-DP+. The SM-DP+ address is "rakuten.prod.ondemandconnectivity.com", so presumably they are using the Thales (Gemalto) service. That makes sense; it is certainly a reasonable solution.

TLS handshake
@startuml
"SM-DP+" <- LPA: Client Hello (rakuten.prod.ondemandconnectivity.com)
"SM-DP+" -> LPA: Server Hello (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
"SM-DP+" -> LPA: Certificate (*.prod.ondemandconnectivity.com, GSM Association - RSP2 Root CI1)
"SM-DP+" -> LPA: Server Key Exchange
"SM-DP+" -> LPA: Server Hello Done
"SM-DP+" <- LPA: Client Key Exchange
"SM-DP+" <- LPA: Change Cipher Spec
"SM-DP+" <- LPA: Finished
"SM-DP+" -> LPA: Change Cipher Spec
"SM-DP+" -> LPA: Finished
@enduml

For reference, I am pasting here the messages and parameters that flowed during the handshake.

(SM-DP+ < LPA) Client Hello

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 198
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 194
            Version: TLS 1.2 (0x0303)
            Random: aaae079065c30cd5523bb8e3de7f8b2b5d142623b93e66d53867f07945f00146
                GMT Unix Time: Sep 28, 2060 02:32:00.000000000 東京 (標準時)
                Random Bytes: 65c30cd5523bb8e3de7f8b2b5d142623b93e66d53867f07945f00146
            Session ID Length: 0
            Cipher Suites Length: 28
            Cipher Suites (14 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 125
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: server_name (len=42)
                Type: server_name (0)
                Length: 42
                Server Name Indication extension
                    Server Name list length: 40
                    Server Name Type: host_name (0)
                    Server Name length: 37
                    Server Name: rakuten.prod.ondemandconnectivity.com
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: application_layer_protocol_negotiation (len=11)
                Type: application_layer_protocol_negotiation (16)
                Length: 11
                ALPN Extension Length: 9
                ALPN Protocol
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
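To show how the Wireshark dissection above maps onto the bytes on the wire, here is a small ClientHello serializer and parser (added example, not code from the original post or from any of the vendors named). The input is constructed from the values in the capture (the 14 cipher suites, the SNI host name, the three supported groups and the ALPN value); the random is the one shown above, and the function names and the forward-secrecy audit check are my own.

```python
"""Minimal TLS 1.2 ClientHello serializer/parser driven by the values captured above."""
import struct

# The 14 suites the LPA offered, in the order dissected above (code -> IANA name).
CIPHER_SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}

EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_ALPN = 16


def build_client_hello(hostname, suites, groups, alpn=("http/1.1",)):
    """Serialise a TLS 1.2 ClientHello record (constructed test input, not captured bytes)."""
    # Client random as shown in the capture above.
    client_random = bytes.fromhex(
        "aaae079065c30cd5523bb8e3de7f8b2b5d142623b93e66d53867f07945f00146")
    host = hostname.encode("ascii")
    # server_name: list length (2), name type host_name (1), name length (2), name
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    grp = b"".join(struct.pack("!H", g) for g in groups)
    grp = struct.pack("!H", len(grp)) + grp
    alpn_body = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_body = struct.pack("!H", len(alpn_body)) + alpn_body
    exts = b"".join(
        struct.pack("!HH", etype, len(edata)) + edata
        for etype, edata in ((EXT_SERVER_NAME, sni),
                             (EXT_SUPPORTED_GROUPS, grp),
                             (EXT_ALPN, alpn_body)))
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + client_random + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs               # cipher suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 as in the capture; the handshake body says 0x0303.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into the fields Wireshark lists above."""
    if record[0] != 22:
        raise ValueError("not a Handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    info = {"record_version": struct.unpack("!H", record[1:3])[0], "version": version,
            "random": client_random.hex(), "cipher_suites": suites,
            "sni": None, "groups": [], "alpn": []}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and elen >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_GROUPS and elen >= 2:
                glen = struct.unpack("!H", edata[:2])[0]
                info["groups"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                  for i in range(2, 2 + glen, 2)]
            elif etype == EXT_ALPN and elen >= 2:
                q = 2  # skip the 2-byte protocol list length
                while q < len(edata):
                    n = edata[q]
                    info["alpn"].append(edata[q + 1:q + 1 + n].decode("ascii"))
                    q += 1 + n
    return info


def suites_without_forward_secrecy(suites):
    """Audit helper: offered suites using static RSA key exchange (no ECDHE)."""
    return [CIPHER_SUITE_NAMES[s] for s in suites
            if CIPHER_SUITE_NAMES.get(s, "").startswith("TLS_RSA_")]


if __name__ == "__main__":
    rec = build_client_hello("rakuten.prod.ondemandconnectivity.com",
                             list(CIPHER_SUITE_NAMES), list(GROUP_NAMES))
    hello = parse_client_hello(rec)
    print(hex(hello["version"]), hello["sni"], [GROUP_NAMES[g] for g in hello["groups"]])
    print("suites without forward secrecy:", suites_without_forward_secrecy(hello["cipher_suites"]))
```

The serialized server_name extension comes out at 42 bytes and the ALPN extension at 11 bytes, matching the lengths Wireshark reports above. The audit helper flags the four TLS_RSA_* suites at the bottom of the client's list; the server chose an ECDHE suite here, so they were not used, but a client that still offers them can be downgraded to a non-forward-secret exchange by a server that prefers them.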

(SM-DP+ > LPA) Server Hello

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 112
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 108
            Version: TLS 1.2 (0x0303)
            Random: ddfa9070ac4963c42f1ff9a24f22850c2c0ceff5b11936e6444f574e47524401
                GMT Unix Time: Jan  6, 2088 09:01:52.000000000 東京 (標準時)
                Random Bytes: ac4963c42f1ff9a24f22850c2c0ceff5b11936e6444f574e47524401
            Session ID Length: 32
            Session ID: 1467e29c67b26cc0d2a711124f1f0a5430c05e88ce2d9b9294d4199780fd3652
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Compression Method: null (0)
            Extensions Length: 36
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: server_name (len=0)
                Type: server_name (0)
                Length: 0
            Extension: ec_point_formats (len=4)
                Type: ec_point_formats (11)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: application_layer_protocol_negotiation (len=11)
                Type: application_layer_protocol_negotiation (16)
                Length: 11
                ALPN Extension Length: 9
                ALPN Protocol
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0

(SM-DP+ > LPA) Certificate, Server Key Exchange, Server Hello Done

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 1330
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 1326
            Certificates Length: 1323
            Certificates (1323 bytes)
                Certificate Length: 728
                Certificate: 308202d430820279a003020102021003485c90de04b1e87a12a507d3e768cd300a06082a… (id-at-commonName=*.prod.ondemandconnectivity.com,id-at-organizationName=GEMALTO SA,id-at-localityName=Tours,id-at-countryName=FR)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x03485c90de04b1e87a12a507d3e768cd
                        signature (ecdsa-with-SHA256)
                            Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256)
                        issuer: rdnSequence (0)
                            rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association)
                                RDNSequence item: 1 item (id-at-organizationName=GSM Association)
                                    RelativeDistinguishedName item (id-at-organizationName=GSM Association)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association
                                RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                    RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association - RSP2 Root CI1
                        validity
                            notBefore: utcTime (0)
                                utcTime: 2020-05-22 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 2022-08-24 23:59:59 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 4 items (id-at-commonName=*.prod.ondemandconnectivity.com,id-at-organizationName=GEMALTO SA,id-at-localityName=Tours,id-at-countryName=FR)
                                RDNSequence item: 1 item (id-at-countryName=FR)
                                    RelativeDistinguishedName item (id-at-countryName=FR)
                                        Id: 2.5.4.6 (id-at-countryName)
                                        CountryName: FR
                                RDNSequence item: 1 item (id-at-localityName=Tours)
                                    RelativeDistinguishedName item (id-at-localityName=Tours)
                                        Id: 2.5.4.7 (id-at-localityName)
                                        DirectoryString: printableString (1)
                                            printableString: Tours
                                RDNSequence item: 1 item (id-at-organizationName=GEMALTO SA)
                                    RelativeDistinguishedName item (id-at-organizationName=GEMALTO SA)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: GEMALTO SA
                                RDNSequence item: 1 item (id-at-commonName=*.prod.ondemandconnectivity.com)
                                    RelativeDistinguishedName item (id-at-commonName=*.prod.ondemandconnectivity.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: uTF8String (4)
                                            uTF8String: *.prod.ondemandconnectivity.com
                        subjectPublicKeyInfo
                            algorithm (id-ecPublicKey)
                                Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey)
                                ECParameters: namedCurve (1)
                                    namedCurve: 1.2.840.10045.3.1.7 (secp256r1)
                            Padding: 0
                            subjectPublicKey: 04b656ecce3584125a1e6d103b3ba786e042c1a99604d7338a46cb5eaf03c13a2efc93fd…
                        extensions: 7 items
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                CertificatePoliciesSyntax: 1 item
                                    PolicyInformation
                                        policyIdentifier: 2.23.146.1.2.1.3 (joint-iso-itu-t.23.146.1.2.1.3)
                            Extension (id-ce-cRLDistributionPoints)
                                Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
                                CRLDistPointsSyntax: 1 item
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl
                            Extension (id-ce-extKeyUsage)
                                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                                critical: True
                                KeyPurposeIDs: 2 items
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
                                    KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 7
                                KeyUsage: 80
                                    1... .... = digitalSignature: True
                                    .0.. .... = contentCommitment: False
                                    ..0. .... = keyEncipherment: False
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .0.. = keyCertSign: False
                                    .... ..0. = cRLSign: False
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-ce-subjectAltName)
                                Extension Id: 2.5.29.17 (id-ce-subjectAltName)
                                GeneralNames: 3 items
                                    GeneralName: dNSName (2)
                                        dNSName: *.prod.ondemandconnectivity.com
                                    GeneralName: dNSName (2)
                                        dNSName: *.prod.ids-odc.gemalto.com
                                    GeneralName: registeredID (8)
                                        registeredID: 1.3.6.1.4.1.31746.1.220.100.101.2 (iso.3.6.1.4.1.31746.1.220.100.101.2)
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: 8efb03c8e210f825105a66bffe5e1a1927bcc76b
                            Extension (id-ce-authorityKeyIdentifier)
                                Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
                                AuthorityKeyIdentifier
                                    keyIdentifier: 81370f5125d0b1d408d4c3b232e6d25e795bebfb
                    algorithmIdentifier (ecdsa-with-SHA256)
                        Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256)
                    Padding: 0
                    encrypted: 3046022100cc75a507eb5c94024aa51ffa4d7d31ed15fe044f477ad88f6cb26abb3e9a78…
                Certificate Length: 589
                Certificate: 30820249308201efa00302010202106e68567a77a0ee7c85ee183963dfaa7a300a06082a… (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x6e68567a77a0ee7c85ee183963dfaa7a
                        signature (ecdsa-with-SHA256)
                            Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256)
                        issuer: rdnSequence (0)
                            rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association)
                                RDNSequence item: 1 item (id-at-organizationName=GSM Association)
                                    RelativeDistinguishedName item (id-at-organizationName=GSM Association)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association
                                RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                    RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association - RSP2 Root CI1
                        validity
                            notBefore: utcTime (0)
                                utcTime: 2017-02-22 00:00:00 (UTC)
                            notAfter: generalizedTime (1)
                                generalizedTime: 2052-02-21 23:59:59 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association)
                                RDNSequence item: 1 item (id-at-organizationName=GSM Association)
                                    RelativeDistinguishedName item (id-at-organizationName=GSM Association)
                                        Id: 2.5.4.10 (id-at-organizationName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association
                                RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                    RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: GSM Association - RSP2 Root CI1
                        subjectPublicKeyInfo
                            algorithm (id-ecPublicKey)
                                Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey)
                                ECParameters: namedCurve (1)
                                    namedCurve: 1.2.840.10045.3.1.7 (secp256r1)
                            Padding: 0
                            subjectPublicKey: 049d6abad2f41c2317e76189ebf8de89bb00a997d42d68ff5f5d29fcc8a7eac79937e85f…
                        extensions: 6 items
                            Extension (id-ce-keyUsage)
                                Extension Id: 2.5.29.15 (id-ce-keyUsage)
                                critical: True
                                Padding: 1
                                KeyUsage: 06
                                    0... .... = digitalSignature: False
                                    .0.. .... = contentCommitment: False
                                    ..0. .... = keyEncipherment: False
                                    ...0 .... = dataEncipherment: False
                                    .... 0... = keyAgreement: False
                                    .... .1.. = keyCertSign: True
                                    .... ..1. = cRLSign: True
                                    .... ...0 = encipherOnly: False
                                    0... .... = decipherOnly: False
                            Extension (id-ce-basicConstraints)
                                Extension Id: 2.5.29.19 (id-ce-basicConstraints)
                                critical: True
                                BasicConstraintsSyntax
                                    cA: True
                            Extension (id-ce-subjectAltName)
                                Extension Id: 2.5.29.17 (id-ce-subjectAltName)
                                GeneralNames: 1 item
                                    GeneralName: registeredID (8)
                                        registeredID: 1.3.6.1.4.1.46304 (iso.3.6.1.4.1.46304)
                            Extension (id-ce-certificatePolicies)
                                Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
                                critical: True
                                CertificatePoliciesSyntax: 1 item
                                    PolicyInformation
                                        policyIdentifier: 2.23.146.1.2.1.0 (joint-iso-itu-t.23.146.1.2.1.0)
                            Extension (id-ce-cRLDistributionPoints)
                                Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
                                CRLDistPointsSyntax: 1 item
                                    DistributionPoint
                                        distributionPoint: fullName (0)
                                            fullName: 1 item
                                                GeneralName: uniformResourceIdentifier (6)
                                                    uniformResourceIdentifier: http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl
                            Extension (id-ce-subjectKeyIdentifier)
                                Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
                                SubjectKeyIdentifier: 81370f5125d0b1d408d4c3b232e6d25e795bebfb
                    algorithmIdentifier (ecdsa-with-SHA256)
                        Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256)
                    Padding: 0
                    encrypted: 30450220209758b0e3055b388f2bb97c9e1e66bb4aa246255fdb9a1af6e9651bf388012c…
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 114
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 110
            EC Diffie-Hellman Server Params
                Curve Type: named_curve (0x03)
                Named Curve: x25519 (0x001d)
                Pubkey Length: 32
                Pubkey: e77f9f2abe1566d1fdd3c195bff77a78e1dbca48676d3c55826c7739b2dabe5f
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                Signature Length: 70
                Signature: 30440220709f62956b1cccbaf5afc73a762cd6979e6dd40345bf0b3991668b99cdcc3392…
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

(SM-DP+ < LPA) Client Key Exchange, Change Cipher Spec, Finished

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 37
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 33
            EC Diffie-Hellman Client Params
                Pubkey Length: 32
                Pubkey: fe4a98ccd86a53697931d3e2ac14664f483db564830c501f55317098bb2dbf54
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

(SM-DP+ > LPA) Change Cipher Spec, Finished

Transport Layer Security
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message
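Both sides negotiated the extended_master_secret extension and the SHA384-based suite, so the master secret behind the two encrypted Finished messages above is derived with the TLS 1.2 PRF over SHA-384 from the ECDHE shared secret and a hash of the handshake transcript (RFC 5246 section 5 and RFC 7627). The following is an added example of that derivation, not code from the original post; the pre-master secret and transcript hash it uses are constructed placeholders, since the real values are not (and should not be) recoverable from the capture.

```python
"""TLS 1.2 PRF, extended-master-secret and Finished derivation (RFC 5246 / RFC 7627)."""
import hashlib
import hmac


def p_hash(secret, seed, length, hash_name="sha384"):
    """P_hash(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length, hash_name="sha384"):
    """PRF(secret, label, seed) = P_hash(secret, label + seed); SHA-384 for *_SHA384 suites."""
    return p_hash(secret, label + seed, length, hash_name)


def extended_master_secret(pre_master_secret, session_hash):
    """RFC 7627: master_secret = PRF(pre_master, "extended master secret", session_hash)[0..47].

    session_hash is Hash(handshake messages up to and including ClientKeyExchange), so the
    master secret is bound to the full transcript rather than only to the two randoms.
    """
    return prf(pre_master_secret, b"extended master secret", session_hash, 48)


def finished_verify_data(master_secret, role, handshake_hash):
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    return prf(master_secret, role.encode("ascii") + b" finished", handshake_hash, 12)


if __name__ == "__main__":
    # Constructed placeholders: a 32-byte x25519 shared secret and two transcript hashes.
    pre_master = bytes(range(32))
    session_hash = hashlib.sha384(b"ClientHello..ClientKeyExchange (placeholder)").digest()
    ms = extended_master_secret(pre_master, session_hash)
    client_hash = hashlib.sha384(b"ClientHello..ClientKeyExchange (placeholder)").digest()
    print("master secret:", ms.hex())
    print("client verify_data:", finished_verify_data(ms, "client", client_hash).hex())
```

The 12-byte verify_data is what each Encrypted Handshake Message above carries: 4 bytes of handshake header plus 12 bytes of verify_data, wrapped by AES-GCM with an 8-byte explicit nonce and a 16-byte tag, which is exactly the 40-byte record length seen on both sides. Because the server's verify_data is computed over a transcript that also includes the client's Finished, a peer that tampered with any earlier handshake message cannot produce a matching value.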