Challenges in Standard QUIC Protocol Implementation

Slide Note
Embed
Share

The content discusses the challenges and shortcomings of the standard QUIC protocol implementation, focusing on the use of TLS 1.3 for cryptographic handshake. It highlights issues such as complexity in implementation and state machine, lack of a full security proof, and the risk of ossification due to legacy support. Despite improvements, there are still obstacles to overcome for a robust QUIC implementation.


Uploaded on Jul 14, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. nQUIC: Noise-Based Packet Protection Mathias Hall-Andersen NCC Group David Wong NCC Group Nick Sullivan Cloudflare Alishah Chator Cloudflare

  2. The Traditional HTTPS Stack HTTP TLS TCP IP

  3. The Traditional HTTPS Stack HTTP TLS Ossification TCP IP

  4. The QUIC way of doing things HTTP HTTP TLS QUIC TCP UDP IP

  5. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake

  6. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings:

  7. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine

  8. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof

  9. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support

  10. Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support Additionally, existing TLS implementations must be significantly modified to integrate with QUIC

  11. An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees.

  12. An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees. That brings us to the Noise Framework

  13. What is Noise A framework for specifying Cryptographic Handshakes

  14. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language

  15. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity

  16. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity However, once a protocol is selected, the handshake proceeds in a straightforward fashion

  17. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns

  18. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e e Public Key Tokens

  19. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e s s s e e s e e e Public Key Tokens DH Tokens

  20. What is Noise Here is a basic example handshake pattern e payload payload e e e

  21. What is Noise Here is a basic example handshake pattern e Initiator sends a public ephemeral DH share

  22. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over

  23. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e

  24. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e e e A DHKE is performed using these keys to obtain

  25. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key

  26. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key Noise does additional processing to mix all handshake data into the derived key

  27. Noise vs TLS Once a handshake pattern is selected, noise follows a simple linear state machine

  28. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure

  29. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library

  30. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library Noise lacks cryptographic agility

  31. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI

  32. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust

  33. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust However this is not necessary in a centrally managed setting

  34. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key

  35. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting

  36. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key

  37. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key vs

  38. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting

  39. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band

  40. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys

  41. Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys Public keys are managed by a trusted key management service

  42. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  43. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  44. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  45. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol 5. Address Validation

  46. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation

  47. nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation Handled by QUIC address validation tokens

  48. nQUICs Noise Pattern We needed a handshake that:

  49. nQUICs Noise Pattern We needed a handshake that: Authenticates the server

  50. nQUICs Noise Pattern We needed a handshake that: Authenticates the server Optionally authenticates the client

More Related Content