Learning the TLS Handshake from SM-DP+ (Rakuten Mobile)
I installed tcpdump on a Rakuten Mini and watched the TLS handshake that takes place when it talks to Rakuten Mobile's SM-DP+. The SM-DP+ address is "rakuten.prod.ondemandconnectivity.com", so they are presumably using the Thales (Gemalto) service. That makes sense; a solution like that is certainly a reasonable choice.
@startuml
"SM-DP+" <- LPA: Client Hello (rakuten.prod.ondemandconnectivity.com)
"SM-DP+" -> LPA: Server Hello (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
"SM-DP+" -> LPA: Certificate (*.prod.ondemandconnectivity.com, GSM Association - RSP2 Root CI1)
"SM-DP+" -> LPA: Server Key Exchange
"SM-DP+" -> LPA: Server Hello Done
"SM-DP+" <- LPA: Client Key Exchange
"SM-DP+" <- LPA: Change Cipher Spec
"SM-DP+" <- LPA: Finished
"SM-DP+" -> LPA: Change Cipher Spec
"SM-DP+" -> LPA: Finished
@enduml
The messages and parameters that went over the wire during the handshake are pasted below as reference material.
(SM-DP+ < LPA) Client Hello
Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 198 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 194 Version: TLS 1.2 (0x0303) Random: aaae079065c30cd5523bb8e3de7f8b2b5d142623b93e66d53867f07945f00146 GMT Unix Time: Sep 28, 2060 02:32:00.000000000 東京 (標準時) Random Bytes: 65c30cd5523bb8e3de7f8b2b5d142623b93e66d53867f07945f00146 Session ID Length: 0 Cipher Suites Length: 28 Cipher Suites (14 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 125 Extension: renegotiation_info (len=1) Type: renegotiation_info (65281) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: server_name (len=42) Type: server_name (0) Length: 42 Server Name Indication extension Server Name list length: 40 Server Name Type: host_name (0) Server Name length: 37 Server Name: rakuten.prod.ondemandconnectivity.com Extension: extended_master_secret (len=0) Type: extended_master_secret (23) Length: 0 Extension: session_ticket (len=0) Type: session_ticket (35) 
Length: 0 Data (0 bytes) Extension: signature_algorithms (len=20) Type: signature_algorithms (13) Length: 20 Signature Hash Algorithms Length: 18 Signature Hash Algorithms (9 algorithms) Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) Signature Hash Algorithm Hash: Unknown (8) Signature Hash Algorithm Signature: Unknown (4) Signature Algorithm: rsa_pkcs1_sha256 (0x0401) Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: RSA (1) Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: ECDSA (3) Signature Algorithm: rsa_pss_rsae_sha384 (0x0805) Signature Hash Algorithm Hash: Unknown (8) Signature Hash Algorithm Signature: Unknown (5) Signature Algorithm: rsa_pkcs1_sha384 (0x0501) Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: RSA (1) Signature Algorithm: rsa_pss_rsae_sha512 (0x0806) Signature Hash Algorithm Hash: Unknown (8) Signature Hash Algorithm Signature: Unknown (6) Signature Algorithm: rsa_pkcs1_sha512 (0x0601) Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: RSA (1) Signature Algorithm: rsa_pkcs1_sha1 (0x0201) Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: RSA (1) Extension: status_request (len=5) Type: status_request (5) Length: 5 Certificate Status Type: OCSP (1) Responder ID list Length: 0 Request Extensions Length: 0 Extension: application_layer_protocol_negotiation (len=11) Type: application_layer_protocol_negotiation (16) Length: 11 ALPN Extension Length: 9 ALPN Protocol ALPN string length: 8 ALPN Next Protocol: http/1.1 Extension: ec_point_formats (len=2) Type: ec_point_formats (11) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: supported_groups (len=8) 
Type: supported_groups (10) Length: 8 Supported Groups List Length: 6 Supported Groups (3 groups) Supported Group: x25519 (0x001d) Supported Group: secp256r1 (0x0017) Supported Group: secp384r1 (0x0018)
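To make the wire layout behind the dissection above concrete, here is an added example (not code from the original post) that builds a minimal TLS 1.2 ClientHello record carrying the same SNI, a subset of the same cipher suites and the same supported_groups, then parses those fields back out of the raw bytes. The random is zeroed and the extension set is reduced; both are constructed simplifications.

```python
import struct

SNI = b"rakuten.prod.ondemandconnectivity.com"          # from the capture
SUITES = [0xC02B, 0xC02C, 0xCCA9, 0x009C, 0x0035]         # subset of the 14 offered
GROUPS = [0x001D, 0x0017, 0x0018]                         # x25519, secp256r1, secp384r1

def build_sample_client_hello() -> bytes:
    """Constructed ClientHello record (record version 0x0301, hello version 0x0303)."""
    name = struct.pack("!BH", 0, len(SNI)) + SNI           # host_name entry
    name_list = struct.pack("!H", len(name)) + name
    ext_sni = struct.pack("!HH", 0, len(name_list)) + name_list
    grp = b"".join(struct.pack("!H", g) for g in GROUPS)
    ext_grp = struct.pack("!HHH", 10, len(grp) + 2, len(grp)) + grp
    exts = ext_sni + ext_grp
    body = (b"\x03\x03" + bytes(32)                        # version + zeroed random
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 2 * len(SUITES))
            + b"".join(struct.pack("!H", s) for s in SUITES)
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec: bytes) -> dict:
    """Return hello version, cipher suites, SNI and named groups from a ClientHello record."""
    if rec[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    p = 2 + 32                                             # skip random
    p += 1 + body[p]                                       # skip session_id
    n = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + body[p]                                       # skip compression methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    out = {"version": version, "cipher_suites": suites, "sni": None, "groups": []}
    while p < end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        data = body[p:p + elen]; p += elen
        if etype == 0:                                     # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", data[3:5])[0]
            out["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == 10:                                  # supported_groups: list_len, groups
            glen = struct.unpack("!H", data[:2])[0]
            out["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
    return out
```

The same parser works on a real ClientHello record carved from a pcap, since only the SNI and supported_groups extensions are interpreted and everything else is skipped by length.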
(SM-DP+ > LPA) Server Hello
Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 112 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 108 Version: TLS 1.2 (0x0303) Random: ddfa9070ac4963c42f1ff9a24f22850c2c0ceff5b11936e6444f574e47524401 GMT Unix Time: Jan 6, 2088 09:01:52.000000000 東京 (標準時) Random Bytes: ac4963c42f1ff9a24f22850c2c0ceff5b11936e6444f574e47524401 Session ID Length: 32 Session ID: 1467e29c67b26cc0d2a711124f1f0a5430c05e88ce2d9b9294d4199780fd3652 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Compression Method: null (0) Extensions Length: 36 Extension: renegotiation_info (len=1) Type: renegotiation_info (65281) Length: 1 Renegotiation Info extension Renegotiation info extension length: 0 Extension: server_name (len=0) Type: server_name (0) Length: 0 Extension: ec_point_formats (len=4) Type: ec_point_formats (11) Length: 4 EC point formats Length: 3 Elliptic curves point formats (3) EC point format: uncompressed (0) EC point format: ansiX962_compressed_prime (1) EC point format: ansiX962_compressed_char2 (2) Extension: application_layer_protocol_negotiation (len=11) Type: application_layer_protocol_negotiation (16) Length: 11 ALPN Extension Length: 9 ALPN Protocol ALPN string length: 8 ALPN Next Protocol: http/1.1 Extension: extended_master_secret (len=0) Type: extended_master_secret (23) Length: 0
(SM-DP+ > LPA) Certificate, Server Key Exchange, Server Hello Done
Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 1330 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 1326 Certificates Length: 1323 Certificates (1323 bytes) Certificate Length: 728 Certificate: 308202d430820279a003020102021003485c90de04b1e87a12a507d3e768cd300a06082a… (id-at-commonName=*.prod.ondemandconnectivity.com,id-at-organizationName=GEMALTO SA,id-at-localityName=Tours,id-at-countryName=FR) signedCertificate version: v3 (2) serialNumber: 0x03485c90de04b1e87a12a507d3e768cd signature (ecdsa-with-SHA256) Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256) issuer: rdnSequence (0) rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association) RDNSequence item: 1 item (id-at-organizationName=GSM Association) RelativeDistinguishedName item (id-at-organizationName=GSM Association) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: GSM Association RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1) RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: GSM Association - RSP2 Root CI1 validity notBefore: utcTime (0) utcTime: 2020-05-22 00:00:00 (UTC) notAfter: utcTime (0) utcTime: 2022-08-24 23:59:59 (UTC) subject: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=*.prod.ondemandconnectivity.com,id-at-organizationName=GEMALTO SA,id-at-localityName=Tours,id-at-countryName=FR) RDNSequence item: 1 item (id-at-countryName=FR) RelativeDistinguishedName item (id-at-countryName=FR) Id: 2.5.4.6 (id-at-countryName) CountryName: FR RDNSequence item: 1 item (id-at-localityName=Tours) RelativeDistinguishedName item (id-at-localityName=Tours) Id: 2.5.4.7 (id-at-localityName) DirectoryString: printableString (1) printableString: Tours 
RDNSequence item: 1 item (id-at-organizationName=GEMALTO SA) RelativeDistinguishedName item (id-at-organizationName=GEMALTO SA) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: GEMALTO SA RDNSequence item: 1 item (id-at-commonName=*.prod.ondemandconnectivity.com) RelativeDistinguishedName item (id-at-commonName=*.prod.ondemandconnectivity.com) Id: 2.5.4.3 (id-at-commonName) DirectoryString: uTF8String (4) uTF8String: *.prod.ondemandconnectivity.com subjectPublicKeyInfo algorithm (id-ecPublicKey) Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey) ECParameters: namedCurve (1) namedCurve: 1.2.840.10045.3.1.7 (secp256r1) Padding: 0 subjectPublicKey: 04b656ecce3584125a1e6d103b3ba786e042c1a99604d7338a46cb5eaf03c13a2efc93fd… extensions: 7 items Extension (id-ce-certificatePolicies) Extension Id: 2.5.29.32 (id-ce-certificatePolicies) CertificatePoliciesSyntax: 1 item PolicyInformation policyIdentifier: 2.23.146.1.2.1.3 (joint-iso-itu-t.23.146.1.2.1.3) Extension (id-ce-cRLDistributionPoints) Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints) CRLDistPointsSyntax: 1 item DistributionPoint distributionPoint: fullName (0) fullName: 1 item GeneralName: uniformResourceIdentifier (6) uniformResourceIdentifier: http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl Extension (id-ce-extKeyUsage) Extension Id: 2.5.29.37 (id-ce-extKeyUsage) critical: True KeyPurposeIDs: 2 items KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth) KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) Extension (id-ce-keyUsage) Extension Id: 2.5.29.15 (id-ce-keyUsage) critical: True Padding: 7 KeyUsage: 80 1... .... = digitalSignature: True .0.. .... = contentCommitment: False ..0. .... = keyEncipherment: False ...0 .... = dataEncipherment: False .... 0... = keyAgreement: False .... .0.. = keyCertSign: False .... ..0. = cRLSign: False .... ...0 = encipherOnly: False 0... .... 
= decipherOnly: False Extension (id-ce-subjectAltName) Extension Id: 2.5.29.17 (id-ce-subjectAltName) GeneralNames: 3 items GeneralName: dNSName (2) dNSName: *.prod.ondemandconnectivity.com GeneralName: dNSName (2) dNSName: *.prod.ids-odc.gemalto.com GeneralName: registeredID (8) registeredID: 1.3.6.1.4.1.31746.1.220.100.101.2 (iso.3.6.1.4.1.31746.1.220.100.101.2) Extension (id-ce-subjectKeyIdentifier) Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier) SubjectKeyIdentifier: 8efb03c8e210f825105a66bffe5e1a1927bcc76b Extension (id-ce-authorityKeyIdentifier) Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier) AuthorityKeyIdentifier keyIdentifier: 81370f5125d0b1d408d4c3b232e6d25e795bebfb algorithmIdentifier (ecdsa-with-SHA256) Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256) Padding: 0 encrypted: 3046022100cc75a507eb5c94024aa51ffa4d7d31ed15fe044f477ad88f6cb26abb3e9a78… Certificate Length: 589 Certificate: 30820249308201efa00302010202106e68567a77a0ee7c85ee183963dfaa7a300a06082a… (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association) signedCertificate version: v3 (2) serialNumber: 0x6e68567a77a0ee7c85ee183963dfaa7a signature (ecdsa-with-SHA256) Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256) issuer: rdnSequence (0) rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association) RDNSequence item: 1 item (id-at-organizationName=GSM Association) RelativeDistinguishedName item (id-at-organizationName=GSM Association) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: GSM Association RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1) RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: GSM Association - RSP2 Root CI1 validity notBefore: utcTime (0) utcTime: 2017-02-22 00:00:00 (UTC) notAfter: 
generalizedTime (1) generalizedTime: 2052-02-21 23:59:59 (UTC) subject: rdnSequence (0) rdnSequence: 2 items (id-at-commonName=GSM Association - RSP2 Root CI1,id-at-organizationName=GSM Association) RDNSequence item: 1 item (id-at-organizationName=GSM Association) RelativeDistinguishedName item (id-at-organizationName=GSM Association) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: GSM Association RDNSequence item: 1 item (id-at-commonName=GSM Association - RSP2 Root CI1) RelativeDistinguishedName item (id-at-commonName=GSM Association - RSP2 Root CI1) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: GSM Association - RSP2 Root CI1 subjectPublicKeyInfo algorithm (id-ecPublicKey) Algorithm Id: 1.2.840.10045.2.1 (id-ecPublicKey) ECParameters: namedCurve (1) namedCurve: 1.2.840.10045.3.1.7 (secp256r1) Padding: 0 subjectPublicKey: 049d6abad2f41c2317e76189ebf8de89bb00a997d42d68ff5f5d29fcc8a7eac79937e85f… extensions: 6 items Extension (id-ce-keyUsage) Extension Id: 2.5.29.15 (id-ce-keyUsage) critical: True Padding: 1 KeyUsage: 06 0... .... = digitalSignature: False .0.. .... = contentCommitment: False ..0. .... = keyEncipherment: False ...0 .... = dataEncipherment: False .... 0... = keyAgreement: False .... .1.. = keyCertSign: True .... ..1. = cRLSign: True .... ...0 = encipherOnly: False 0... .... 
= decipherOnly: False Extension (id-ce-basicConstraints) Extension Id: 2.5.29.19 (id-ce-basicConstraints) critical: True BasicConstraintsSyntax cA: True Extension (id-ce-subjectAltName) Extension Id: 2.5.29.17 (id-ce-subjectAltName) GeneralNames: 1 item GeneralName: registeredID (8) registeredID: 1.3.6.1.4.1.46304 (iso.3.6.1.4.1.46304) Extension (id-ce-certificatePolicies) Extension Id: 2.5.29.32 (id-ce-certificatePolicies) critical: True CertificatePoliciesSyntax: 1 item PolicyInformation policyIdentifier: 2.23.146.1.2.1.0 (joint-iso-itu-t.23.146.1.2.1.0) Extension (id-ce-cRLDistributionPoints) Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints) CRLDistPointsSyntax: 1 item DistributionPoint distributionPoint: fullName (0) fullName: 1 item GeneralName: uniformResourceIdentifier (6) uniformResourceIdentifier: http://gsma-crl.symauth.com/offlineca/gsma-rsp2-root-ci1.crl Extension (id-ce-subjectKeyIdentifier) Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier) SubjectKeyIdentifier: 81370f5125d0b1d408d4c3b232e6d25e795bebfb algorithmIdentifier (ecdsa-with-SHA256) Algorithm Id: 1.2.840.10045.4.3.2 (ecdsa-with-SHA256) Padding: 0 encrypted: 30450220209758b0e3055b388f2bb97c9e1e66bb4aa246255fdb9a1af6e9651bf388012c… Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 114 Handshake Protocol: Server Key Exchange Handshake Type: Server Key Exchange (12) Length: 110 EC Diffie-Hellman Server Params Curve Type: named_curve (0x03) Named Curve: x25519 (0x001d) Pubkey Length: 32 Pubkey: e77f9f2abe1566d1fdd3c195bff77a78e1dbca48676d3c55826c7739b2dabe5f Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Length: 70 Signature: 30440220709f62956b1cccbaf5afc73a762cd6979e6dd40345bf0b3991668b99cdcc3392… TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) 
Version: TLS 1.2 (0x0303) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0
(SM-DP+ < LPA) Client Key Exchange, Change Cipher Spec, Finished
Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 37 Handshake Protocol: Client Key Exchange Handshake Type: Client Key Exchange (16) Length: 33 EC Diffie-Hellman Client Params Pubkey Length: 32 Pubkey: fe4a98ccd86a53697931d3e2ac14664f483db564830c501f55317098bb2dbf54 TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec Content Type: Change Cipher Spec (20) Version: TLS 1.2 (0x0303) Length: 1 Change Cipher Spec Message TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 40 Handshake Protocol: Encrypted Handshake Message
(SM-DP+ > LPA) Change Cipher Spec, Finished
Transport Layer Security TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec Content Type: Change Cipher Spec (20) Version: TLS 1.2 (0x0303) Length: 1 Change Cipher Spec Message TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 40 Handshake Protocol: Encrypted Handshake Message