JP7289709B2 - Information processing device, information processing method and program - Google Patents

Description

The present invention relates to an information processing device, an information processing method, and a program for decrypting encrypted packets.

Protocols are widely used to encrypt and securely transmit data on the Internet. Typical examples include SSL (Secure Socket Layer) disclosed in Non-Patent Document 1 and TLS (Transport Layer Security) disclosed in its successor, Non-Patent Document 2.

While the proportion of secure communications in Internet communications is increasing, the number of attack methods that exploit protocol vulnerabilities is also increasing. For example, there is an attack method called POODLE (Padding Oracle On Downgraded Legacy Encryption) disclosed in Non-Patent Document 3. In this attack technique, an attacker can drop the version to vulnerable SSL 3.0 and cause communication.

In order to deal with the increasing number of attack methods exploiting the vulnerability of such protocols, TLS 1.3 disclosed in Non-Patent Document 4 has been modified to improve communication security. There are two major changes in the TLS 1.3 record layer protocol.

The first change is that the Type field, which indicates the type of packet, is encrypted. A fixed value “23” is always set as OpaqueType in the Header of the record layer packet regardless of the packet type. A Type field indicating the actual packet type is included in the encrypted CiphertextFragment. As a result, the actual packet type cannot be known unless the encrypted CiphertextFragment is decrypted.

The second change is the change of padding. To hide the actual Content size, the maximum Padding size is extended to (2 ¹⁴ −1) bytes, and the Padding size can take random values. Furthermore, the field indicating the padding size is deleted from the packet, and the size of the CiphertextFragment including the padding is set in the Header of the record layer packet. Therefore, the actual Content size cannot be known unless all encrypted CiphertextFragments are decrypted.

A. Freier, P. Karlton, P. Kocher: "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, 1996. T. Dierks, E. Rescorla: "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, 2008. Bodo Moller, Thai Duong, Krzysztof Kotowicz: "This POODLE Bites: Exploiting The SSL 3.0 Fallback", Google Security Advisory E. Reacorla: "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, 2018.

In TLS 1.3, the OpaqueType in the Header of the record layer packet does not indicate the actual packet type, and must be overwritten with the Type obtained after decoding the CiphertextFragment. In addition, since the size of the CiphertextFragment of the Header is the size including padding, it is necessary to overwrite with the Content size obtained after decoding the CiphertextFragment and removing the padding. When these overwriting processes are executed by the CPU, memory copying takes time.

SUMMARY OF THE INVENTION The present invention has been made in view of such circumstances. With the goal.

An information processing apparatus according to the present invention includes input means for reading an encrypted packet, decryption means for decrypting the encrypted packet read by the input means, and the encrypted packet read by the input means. output means for outputting the first header of the received packet and the data output from the decoding means to a specified memory area; and a control means for generating a second header, wherein the output means generates the generated second header after outputting the data output from the first header and the decoding means to the memory area. to overwrite the first header in the memory area.

According to the present invention, it is possible to reduce processing time for overwriting a header of a packet with information obtained by decrypting an encrypted packet.

1 is a diagram showing a system configuration example of an integrated circuit for communication processing in an embodiment of the present invention; FIG. It is a figure which shows the structural example of the encryption/decryption process part in this embodiment. It is a figure which shows the structure of the record layer packet in TLS1.3. FIG. 4 is a diagram showing the structure of a regenerated header in this embodiment; 4 is a flowchart for explaining an operation example of an encryption/decryption processing unit according to the embodiment; 4 is a flow chart showing an operation example of a data output unit according to the embodiment; It is a figure explaining the encryption/decryption process in this embodiment.

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. It should be noted that the embodiments described below are merely examples, and are not intended to limit the scope of the present invention.

FIG. 1 is a block diagram showing a system configuration example of an integrated circuit for communication processing in one embodiment of the present invention. A communication processing integrated circuit 100 includes a CPU 101 , an encryption/decryption processing unit 102 , a DRAM controller 103 , a communication processing unit 104 , an SRAM 105 , a DRAM 107 , and a network interface unit 108 .

The CPU 101 , the encryption/decryption processing unit 102 , the DRAM controller 103 , the communication processing unit 104 and the SRAM 105 are connected to the system bus 106 and exchange data with each other via the system bus 106 . The DRAM controller 103 writes data to and reads data from the DRAM 107 . The communication processing unit 104 is connected to a communication network such as the Internet via a network interface unit 108, and transmits and receives packets to and from external devices. This configuration is a typical configuration in an integrated circuit called System-On-A-Chip (SoC).

FIG. 2 is a block diagram showing a configuration example of the encryption/decryption processing unit 102 in this embodiment. The encryption/decryption processing unit 102 has a data input unit 201 , an encryption processing unit 202 , a padding processing unit 203 , a data output unit 204 and an overall control unit 205 . The encryption/decryption processing unit 102 is an information processing unit capable of performing encryption processing and decryption processing on packets, and the decryption processing will be mainly described below.

A typical decryption processing flow of a record layer packet in the encryption/decryption processing unit 102 will be described. In the following description, a record layer packet conforming to the TLS (Transport Layer Security) 1.3 standard will be described as an example, but the present invention is not limited to this. For example, this embodiment can be applied to a system that communicates a packet from which actual information to be stored in the header is obtained by decrypting the encrypted packet.

The overall control unit 205 receives from the CPU 101 settings such as a mode indicating encryption processing or decryption processing, algorithms used in encryption processing and MAC processing, TLS version information, and transfer addresses for input data and output data. set. In the case of TLS1.3, the version information is a fixed value "1.3". The general control unit 205 transfers various setting values set by the CPU 101 to the data input unit 201 , encryption processing unit 202 , padding processing unit 203 and data output unit 204 . After that, the overall control unit 205 receives a processing start request from the CPU 101 and instructs each module to start processing.

In response to the instruction to start processing, the data input unit 201 transfers encrypted Read a record layer packet. Here, the data input unit 201 divides and reads the encrypted TLS1.3 record layer packet.

FIG. 3 is a diagram showing the format of a TLS1.3 record layer packet. A record layer packet has a Header (310) of 5 bytes and a CiphertextFragment (320) of "CiphertextLength" bytes.

Header (310) has 1-byte OpaqueType (311), 2-byte Legacy Record Version (312), and 2-byte CiphertextLength (313). OpaqueType (311) is always a fixed value "23" regardless of the actual packet type (Type). Also, Legacy Record Version (312) is always a fixed value "3.1" regardless of the actual TLS version. CiphertextLength (313) indicates the size of CiphertextFragment (320).

CiphertextFragment (320) is the encrypted area. CiphertextFragment (320) has Content (321) of "MSGLEN" bytes and Type (322) of 1 byte. In addition, CiphertextFragment (320) has Padding (323) of "Cpadlength" bytes and MAC (324) of "MACLEN" bytes.

Content (321) is actual data transferred by encrypted communication. Type (322) indicates the type of record layer packet to be transferred, and takes a non-“0” value according to the packet type. Padding (323) is a fixed value “0” and an arbitrary random size of (2 ¹⁴ −1) bytes or less. MAC (324) is the MAC (Message Authentication Code) value of CiphertextFragment (320). Specifically, MAC (324) is a MAC value obtained based on the data before encryption stored in Content (321), Type (322), and Padding (323).

The data input unit 201 divides and receives the record layer packet in arbitrary processing units. The data input unit 201 first receives the header of the record layer packet and transmits it to the overall control unit 205 . After that, the data input unit 201 divides the CiphertextFragment of the record layer packet into units of processing, receives them, and transmits them to the encryption processing unit 202 .

General control section 205 transmits the header received from data input section 201 to data output section 204 . The data output unit 204 outputs the header received from the overall control unit 205 to a memory area such as the SRAM 105 or the DRAM 107 indicated by the transfer destination address of the output data instructed by the overall control unit 205 via the system bus 106 . .

The encryption processing unit 202 performs encryption processing and decryption processing of the CiphertextFragment input from the data input unit 201 . Further, the cryptographic processing unit 202 performs calculations and the like related to MAC processing. Algorithms used in encryption processing, decryption processing, and MAC processing are those specified by the overall control unit 205 . The encryption processing unit 202 outputs the decrypted data of the decrypted CiphertextFragment excluding the MAC to the padding processing unit 203 . Further, the encryption processing unit 202 performs tampering detection by comparing the decrypted MAC with the MAC generated by the MAC processing. The encryption processing unit 202 notifies the general control unit 205 whether or not a MAC error has occurred.

The padding processing unit 203 determines whether the decrypted divided data input from the encryption processing unit 202 is Content, Type, or Padding, and acquires “MSGLEN”. count for Data determined as Content by the padding processing unit 203 is output from the data output unit 204 to the SRAM 105, DRAM 107, or the like via the system bus 106. FIG. Data determined as padding by the padding processing unit 203 is discarded by the padding processing unit 203 because it is unnecessary data. Data determined to be Type in the padding processing unit 203 and “MSGLEN” are output to the overall control unit 205 .

The overall control unit 205 regenerates the packet header based on the data determined as Type, the value of “MSGLEN”, and the TLS version information set by the CPU 101 . FIG. 4 is a diagram showing an example of a header regenerated by the overall control unit 205. As shown in FIG. The regenerated Header (410) consists of a 1-byte Type (411) indicating the actual type of the packet, a 2-byte fixed value "1.3" set by the CPU 101 Version (412), and a 2-byte of MSGLEN (413).

If the result of the MAC processing in the encryption processing unit 202 is not a MAC error, the general control unit 205 sends the data output unit 204 the address of the data output destination in order to overwrite the original header with the regenerated header. Reset to the transfer destination address of the output data. After that, the overall control unit 205 transmits the regenerated header to the data output unit 204 . The data output unit 204 outputs the regenerated header to the same area as the previously output header based on the reset destination address of the output data, and overwrites the regenerated header with the regenerated header. After the data output unit 204 has completed transferring the regenerated header to the SRAM 105, DRAM 107, or the like, the overall control unit 205 notifies the CPU 101 of the completion of processing by an interrupt.

FIG. 5 is a flow chart for explaining the operation of the encryption/decryption processing unit 102 in this embodiment. FIG. 5 shows an operation example of the general control unit 205 of the encryption/decryption processing unit 102 . Note that the processing shown in FIG. 5 is processing for one packet.

In step S<b>501 , the overall control unit 205 receives setting values necessary for processing from the CPU 101 . The setting values required for processing include the mode indicating encryption processing or decryption processing as described above, algorithms used in encryption processing and MAC processing, TLS version information, transfer addresses for input data and output data, etc. is included.

After receiving the setting values in step S501, in step S502, the general control unit 205 receives various setting values set by the CPU 101 through the data input unit 201, the encryption processing unit 202, the padding processing unit 203, and the data output unit 201. transfer to unit 204;

Next, in step S<b>503 , the overall control unit 205 receives a request to start processing from the CPU 101 . Subsequently, in step S504, the overall control unit 205 instructs the data input unit 201, encryption processing unit 202, padding processing unit 203, and data output unit 204 to start processing.

Next, in step S<b>505 , the overall control unit 205 receives from the data input unit 201 the Header of the record layer packet received by the data input unit 201 . Subsequently, in step S<b>506 , the overall control unit 205 transmits the Header received from the data input unit 201 to the data output unit 204 in order to transfer it to the SRAM 105 or DRAM 107 .

Next, in step S507, the overall control unit 205 receives from the padding processing unit 203 the data determined to be Type and the value of "MSGLEN" obtained by decrypting the encrypted packet. Subsequently, in step S508, the overall control unit 205 regenerates the header of the packet based on the data determined to be Type received in step S507, the value of "MSGLEN", and the version information set by the CPU 101. .

Next, in step S<b>509 , the overall control unit 205 determines whether or not the Header overwrite mode is set according to the setting from the CPU 101 . Here, the Header overwrite mode is a mode in which the previously output Header is overwritten with the regenerated Header. If the overall control unit 205 determines that the mode is the Header overwrite mode (Yes), the process proceeds to step S510, and if it determines that the mode is not the Header overwrite mode (No), the process proceeds to step S514.

In step S510 to which the overall control unit 205 proceeds when it determines that it is the Header overwrite mode, the overall control unit 205 determines whether the result of MAC processing in the encryption processing unit 202 is a MAC error. If the overall control unit 205 determines that there is no MAC error (No), the process proceeds to step S511, and if it determines that there is a MAC error (Yes), the process skips step S511 and proceeds to step S512. move on.

In step S511, the overall control unit 205 changes the transfer destination address of the data output unit 204 to the transfer destination address (start address) of the output data in order to overwrite the previously output original header with the regenerated header. to reset. After the process of step S511, the process proceeds to step S512.

In step S<b>512 , the overall control unit 205 outputs the regenerated Header to the data output unit 204 . Subsequently, in step S513, the overall control unit 205 waits until the data output unit 204 completes transfer of the regenerated Header. After the overall control unit 205 determines in step S513 that the transfer of the regenerated Header is complete, in step S515 the overall control unit 205 notifies the CPU 101 of the completion of processing by an interrupt and completes the processing.

In step S514, to which the overall control unit 205 proceeds when it determines in step S509 that the Header overwrite mode is not set, the overall control unit 205 holds the regenerated Header in an internal register. Subsequently, in step S515, the overall control unit 205 notifies the CPU 101 of the completion of the processing by an interrupt, and completes the processing.

FIG. 6 is a flow chart showing an operation example of the data output unit 204 in this embodiment. Note that the processing shown in FIG. 6 is processing in the data output unit 204 for one packet. When starting processing related to a packet, in step S601, the data output unit 204 initializes the address (Address) indicating the memory area of the transfer destination with the transfer destination address (Start Address) specified by the overall control unit 205. do. Here, the memory area indicated by the designated transfer destination address (Start Address) is the SRAM 105 or DRAM 107 area.

Next, in step S602, the data output unit 204 transfers the Header received from the overall control unit 205 to the memory area indicated by the transfer destination address (Start Address). The Header transferred in step S602 is the Header of the record layer packet received by the data input unit 201 before being decoded. Subsequently, in step S603, the data output unit 204 adds 5 bytes, which is the size of the Header, to the transfer destination address (Address).

Next, in step S604, the data output unit 204 determines whether processing of all data payloads has been completed. The overall control unit 205 notifies whether or not the processing of all data payloads has been completed. Based on this notification from the overall control unit 205, the data output unit 204 determines whether or not the processing of all data payloads has been completed. If the data output unit 204 determines that the processing of all data payloads has not been completed (No), the process proceeds to step S605, and if it determines that the processing of all data payloads has been completed (Yes). , the process proceeds to step S608.

In step S<b>605 to which the data output unit 204 proceeds when it determines that the processing of all data payloads has not been completed, the data output unit 204 receives unit data payloads from the padding processing unit 203 . Subsequently, in step S606, the data output unit 204 transfers the received unit data payload to the memory area indicated by the transfer destination address (Address).

Subsequently, in step S607, the data output unit 204 adds the number of bytes of the unit data payload size to the transfer destination address (Address). Thereafter, returning to step S604, the data output unit 204 again determines whether or not there is a subsequent data payload.

In step S608, to which the data output unit 204 proceeds when it determines in step S604 that processing of all data payloads has been completed, the data output unit 204 determines whether or not a MAC error has occurred. Whether or not a MAC error has occurred is notified by the overall control unit 205 upon receiving the result of MAC processing in the encryption processing unit 202 . The data output unit 204 determines whether or not a MAC error has occurred based on this notification from the overall control unit 205 . If the data output unit 204 determines that no MAC error has occurred (No), the process proceeds to step S609; if it determines that a MAC error has occurred (Yes), the process proceeds to step S609. Skip to step S610.

In step S<b>609 , the data output unit 204 reinitializes the transfer destination address (Address) with the transfer destination address (Start Address) specified by the overall control unit 205 . Subsequently, in step S610, the data output unit 204 transfers the Header regenerated by the overall control unit 205 to the memory area indicated by the transfer destination address (Address). As a result, the header of the original record layer packet that has been output earlier can be overwritten with the regenerated header. Whether or not to overwrite the header of the original record layer packet with the regenerated header may be switched according to the setting from the CPU 101 . For example, the switching operation may be based on a packet encryption standard set by the CPU 101 . For example, if the TLS version information set by the CPU 101 is TLS 1.3, overwriting may be performed, and if otherwise, overwriting may not be performed.

If the data output unit 204 determines in step S608 that a MAC error has occurred, in step S610 the data output unit 204 stores the header regenerated by the overall control unit 205 in the memory area indicated by the transfer destination address (Address). transfer to As a result, the regenerated Header is transferred to the memory area following the already transferred data payload. If a MAC error occurs, it is also possible that some tampering was made to the packet. In this case, by not overwriting the original Header with the regenerated Header, the cause of the MAC error can be analyzed. In this embodiment, when the data output unit 204 determines that a MAC error has occurred, the regenerated header is transferred to the memory area following the transferred data payload. You may make it transfer to a memory area.

The number of processing cycles for the encryption/decryption processing in this embodiment will be described with reference to FIG. FIG. 7A shows an example of the number of processing cycles according to the conventional example, and FIG. 7B shows an example of the number of processing cycles in this embodiment. In FIGS. 7(a) and 7(b), OH indicates the Header of the received record layer packet (before decoding processing), D0 to D3 indicate Content, P0 and P1 indicate padding data, MH indicates a regenerated Header.

As shown in FIG. 7A, in the conventional example, the Header (OH) is read at t0, and the read OH is output at t1. Subsequently, the input data D0 is read at t1, and the data D0 is decoded at t2. After t1, the input data D0 to D3, P0 and P1 are sequentially read and decoded. When all packet processing is completed at t7, the Header (MH) is regenerated and stored in the register at t8, and the completion of processing is notified to the CPU 101 by an interrupt INT at t9. The CPU 101 receives the notification of the completion of processing, and memory copies the regenerated Header (MH) stored in the register to the OH area. This processing causes useless memory copying.

On the other hand, as shown in FIG. 7B, in this embodiment, after all packet processing is completed at t7, the regenerated Header (MH) is transferred to the OH area at t8. As a result, memory copying by the CPU 101 can be reduced. Normally, memory copying by the CPU 101 takes longer than memory copying by dedicated hardware. By automatically copying the regenerated header by hardware, in this embodiment, it is possible to reduce the processing time required for overwriting the header. Moreover, since there is no need to provide a register for storing the regenerated Header, hardware resources required for overwriting the Header can be reduced.

(Another embodiment of the present invention)
The present invention supplies a program that implements one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in the computer of the system or apparatus reads and executes the program. It can also be realized by processing to It can also be implemented by a circuit (for example, ASIC) that implements one or more functions.

It should be noted that the above-described embodiments are merely examples of specific implementations of the present invention, and the technical scope of the present invention should not be construed to be limited by these. That is, the present invention can be embodied in various forms without departing from its technical concept or main features.

100: CPU 102: Encryption/decryption processing unit 103: DRAM controller 104: Communication processing unit 105: SRAM 106: System bus 107: DRAM 108: Network interface 201: Data input unit 202: Encryption processing unit 203: Padding processing unit 204: Data Output unit 205: overall control unit

Claims (10)

input means for reading encrypted packets;
decryption means for decrypting the encrypted packet read by the input means;
output means for outputting the first header of the encrypted packet read by the input means and the data output from the decryption means to a designated memory area;
a control means for generating a second header related to the packet using the data output from the decoding means ;
The output means overwrites the first header in the memory area with the generated second header after outputting the first header and the data output from the decoding means to the memory area. An information processing device characterized by: 2. An information processing apparatus according to claim 1, wherein said second header has information indicating the size of the data output from said decoding means. 3. The information processing apparatus according to claim 2, wherein the size of the data output from said decryption means is a size excluding padding data contained in said encrypted packet. 4. The information processing apparatus according to claim 1, wherein the encrypted packet is a packet encrypted according to TLS (Transport Layer Security) 1.3 standard. The output means does not overwrite the first header in the memory area with the generated second header when an error occurs in decoding the encrypted packet by the decryption means. The information processing apparatus according to any one of claims 1 to 4. The output means outputs the generated second header to a memory area different from that of the first header when an error occurs in decoding the encrypted packet by the decryption means. The information processing apparatus according to any one of claims 1 to 5. 7. Whether or not to overwrite the first header in the memory area with the generated second header can be switched by a setting from a CPU. The information processing device according to . 8. The information processing apparatus according to claim 7, wherein the switching setting from the CPU is based on a standard for encrypting the packet. an input step of reading the encrypted packet;
a decryption step of decrypting the encrypted packet read in the input step by decryption means;
an output step of outputting the first header of the encrypted packet read in the input step and the data output from the decryption means to a designated memory area;
a control step of generating a second header related to the packet using the data output from the decoding means ;
In the output step, after outputting the first header and the data output from the decoding means to the memory area, overwriting the first header in the memory area with the generated second header. An information processing method characterized by: an input step of reading the encrypted packet;
a decryption step of decrypting the encrypted packet read in the input step by decryption means;
an output step of outputting the first header of the encrypted packet read in the input step and the data output from the decryption means to a designated memory area;
causing a computer to execute a control step of generating a second header related to the packet using the data output from the decoding means ;
and in the output step, after outputting the first header and the data output from the decoding means to the memory area, the generated second header overwrites the first header in the memory area. A program that causes a computer to execute a process.

Images