Challenges in Standard QUIC Protocol Implementation

Slide Note
Embed
Share

The content discusses the challenges and shortcomings of the standard QUIC protocol implementation, focusing on the use of TLS 1.3 for cryptographic handshake. It highlights issues such as complexity in implementation and state machine, lack of a full security proof, and the risk of ossification due to legacy support. Despite improvements, there are still obstacles to overcome for a robust QUIC implementation.

azaiah
azaiah Follow

Uploaded on Jul 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. nQUIC: Noise-Based Packet Protection Mathias Hall-Andersen NCC Group David Wong NCC Group Nick Sullivan Cloudflare Alishah Chator Cloudflare

  2. The Traditional HTTPS Stack HTTP TLS TCP IP

  3. The Traditional HTTPS Stack HTTP TLS Ossification TCP IP

  4. The QUIC way of doing things HTTP HTTP TLS QUIC TCP UDP IP

  5. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake

  6. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings:

  7. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine

  8. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof

  9. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support

  10. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support Additionally, existing TLS implementations must be significantly modified to integrate with QUIC

  11. An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees.

  12. An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees. That brings us to the Noise Framework

  13. What is Noise A framework for specifying Cryptographic Handshakes

  14. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language

  15. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity

  16. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity However, once a protocol is selected, the handshake proceeds in a straightforward fashion

  17. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns

  18. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e e Public Key Tokens

  19. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e s s s e e s e e e Public Key Tokens DH Tokens

  20. What is Noise Here is a basic example handshake pattern e payload payload e e e

  21. What is Noise Here is a basic example handshake pattern e Initiator sends a public ephemeral DH share

  22. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over

  23. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e

  24. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e e e A DHKE is performed using these keys to obtain

  25. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key

  26. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key Noise does additional processing to mix all handshake data into the derived key

  27. Noise vs TLS Once a handshake pattern is selected, noise follows a simple linear state machine

  28. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure

  29. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library

  30. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library Noise lacks cryptographic agility

  31. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI

  32. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust

  33. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust However this is not necessary in a centrally managed setting

  34. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key

  35. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting

  36. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key

  37. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key vs

  38. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting

  39. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band

  40. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys

  41. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys Public keys are managed by a trusted key management service

  42. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  43. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  44. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  45. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  46. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation

  47. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation Handled by QUIC address validation tokens

  48. nQUICs Noise Pattern We needed a handshake that:

  49. nQUICs Noise Pattern We needed a handshake that: Authenticates the server

  50. nQUICs Noise Pattern We needed a handshake that: Authenticates the server Optionally authenticates the client

Related


Understanding QUIC: A Quick Overview by Geoff Huston

Understanding QUIC: A Quick Overview by Geoff Huston

cging
Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

gwendolyn
Understanding Mobile Computing and TCP/IP Protocol Suite

Understanding Mobile Computing and TCP/IP Protocol Suite

ambrosia
Understanding EIGRP: A Comprehensive Overview

Understanding EIGRP: A Comprehensive Overview

rebeca
Modernizing Network Security with nQUIC Noise-Based Packet Protection

Modernizing Network Security with nQUIC Noise-Based Packet Protection

katarina
Adaptive Tree-based Convergecast Protocol

Adaptive Tree-based Convergecast Protocol

zofia
Understanding OSI Model and TCP/IP Protocol Suite

Understanding OSI Model and TCP/IP Protocol Suite

marlie
London Homeless Coalition (LHC) Death Communication Protocol

London Homeless Coalition (LHC) Death Communication Protocol

cinder
MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

chace
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd

ted
Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

aimenmo
Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era

Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era

oslo
DetNet 3GPP SA2 Offline Discussion Summary

DetNet 3GPP SA2 Offline Discussion Summary

aminah
Understanding the Nagoya Protocol on Access and Benefit Sharing

Understanding the Nagoya Protocol on Access and Benefit Sharing

kaitlin
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

muey769
Understanding Standard Deviation, Variance, and Z-Scores

Understanding Standard Deviation, Variance, and Z-Scores

eilis
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

quer_sna
Round-Efficient Byzantine Broadcast Under Strongly Adaptive and Majority Corruptions

Round-Efficient Byzantine Broadcast Under Strongly Adaptive and Majority Corruptions

aeriv
Addressing 5G Signaling Protocol Vulnerabilities

Addressing 5G Signaling Protocol Vulnerabilities

lyon
Suicide Prevention & Postvention Protocol

Suicide Prevention & Postvention Protocol

genesis
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava

Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava

oslo
Important Networking Concepts Overview

Important Networking Concepts Overview

bernice
Roughtime: Securing time for IoT devices

Roughtime: Securing time for IoT devices

jayda
Effective Protocol Deviation Management in Clinical Research

Effective Protocol Deviation Management in Clinical Research

madilyn

More Related Content

International Relations and Protocol Division Presentation to Presiding Officers on Operations
International Relations and Protocol Division Presentation to Presiding Officers on Operations
Understanding the CEDAW Optional Protocol
Understanding the CEDAW Optional Protocol
Understanding TCP Protocol and Reliability in Networking
Understanding TCP Protocol and Reliability in Networking
Understanding User Datagram Protocol (UDP) in Unix and Network Programming
Understanding User Datagram Protocol (UDP) in Unix and Network Programming
Workplace Exposure Standard for Silica Dust in Stone Benchtop Fabrication
Workplace Exposure Standard for Silica Dust in Stone Benchtop Fabrication
Strengthening Institutional Capacity for Nagoya Protocol Implementation in Uganda
Strengthening Institutional Capacity for Nagoya Protocol Implementation in Uganda
Overview of Liberia and ABS Protocol Implementation
Overview of Liberia and ABS Protocol Implementation
Health and Disability Services Standard NZS 8134:2021 Update Overview
Health and Disability Services Standard NZS 8134:2021 Update Overview
Brain Oxygen Optimization in Severe TBI - Protocol Summary
Brain Oxygen Optimization in Severe TBI - Protocol Summary
Problem of Practice Protocol and Collaboration in Opportunity Culture
Problem of Practice Protocol and Collaboration in Opportunity Culture
Comprehensive Guide to Stroke Care: SCENS Protocol Overview
Comprehensive Guide to Stroke Care: SCENS Protocol Overview
Impact of Extending Acute Stroke Triage Criteria to 24 Hours
Impact of Extending Acute Stroke Triage Criteria to 24 Hours
Community Project Implementation Structures in Gulf of Guinea Northern Regions
Community Project Implementation Structures in Gulf of Guinea Northern Regions
Understanding Small Area Fair Market Rents (SAFMR) Implementation Webinar
Understanding Small Area Fair Market Rents (SAFMR) Implementation Webinar
Evolution of Internet Protocol: From IPv4 to IPv6
Evolution of Internet Protocol: From IPv4 to IPv6
Implementation Challenges and Solutions for Real-Time Navigational Warning Service with S-124
Implementation Challenges and Solutions for Real-Time Navigational Warning Service with S-124
Standard of Care for Peripheral Lesion Assessment in Lung Cancer
Standard of Care for Peripheral Lesion Assessment in Lung Cancer
Understanding IEEE 802.11b Wireless LANs
Understanding IEEE 802.11b Wireless LANs
Evolution of Public Policy Implementation Studies
Evolution of Public Policy Implementation Studies
Policy Implementation in Uganda: Evidence and Challenges
Policy Implementation in Uganda: Evidence and Challenges
Update on ESCO Implementation in EURES
Update on ESCO Implementation in EURES
Efficient Key Recovery Attack on SIDH
Efficient Key Recovery Attack on SIDH
Enhancing Data Reception Performance with GPU Acceleration in CCSDS 131.2-B Protocol
Enhancing Data Reception Performance with GPU Acceleration in CCSDS 131.2-B Protocol
Revolutionizing Financial Systems with Aquo Protocol
Revolutionizing Financial Systems with Aquo Protocol