Challenges in Standard QUIC Protocol Implementation
The content discusses the challenges and shortcomings of the standard QUIC protocol implementation, focusing on the use of TLS 1.3 for cryptographic handshake. It highlights issues such as complexity in implementation and state machine, lack of a full security proof, and the risk of ossification due to legacy support. Despite improvements, there are still obstacles to overcome for a robust QUIC implementation.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
nQUIC: Noise-Based Packet Protection Mathias Hall-Andersen NCC Group David Wong NCC Group Nick Sullivan Cloudflare Alishah Chator Cloudflare
The Traditional HTTPS Stack HTTP TLS TCP IP
The Traditional HTTPS Stack HTTP TLS Ossification TCP IP
The QUIC way of doing things HTTP HTTP TLS QUIC TCP UDP IP
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings:
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support
Problem solved?...Not so fast! Standard QUIC uses TLS 1.3 as its Cryptographic Handshake TLS is a major improvement on previous versions but still has some shortcomings: Complex in both implementation and state machine Current design does not have a full security proof Risk of ossification due to legacy support Additionally, existing TLS implementations must be significantly modified to integrate with QUIC
An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees.
An Alternative Handshake Protocol These problems motivate finding a protocol with a simpler state machine, less complexity, and stronger security guarantees. That brings us to the Noise Framework
What is Noise A framework for specifying Cryptographic Handshakes
What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language
What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity
What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity However, once a protocol is selected, the handshake proceeds in a straightforward fashion
What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns
What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e e Public Key Tokens
What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e s s s e e s e e e Public Key Tokens DH Tokens
What is Noise Here is a basic example handshake pattern e payload payload e e e
What is Noise Here is a basic example handshake pattern e Initiator sends a public ephemeral DH share
What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over
What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e
What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e e e A DHKE is performed using these keys to obtain
What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key
What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key Noise does additional processing to mix all handshake data into the derived key
Noise vs TLS Once a handshake pattern is selected, noise follows a simple linear state machine
Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure
Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library
Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library Noise lacks cryptographic agility
Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI
Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust
Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust However this is not necessary in a centrally managed setting
Peer Authentication and Pinning Pinning instructs a peer to expect a specific key
Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting
Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key
Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting However, PSKs require many more keys, since every pair of endpoints must have its own unique key vs
Peer Authentication and Pinning nQUIC is designed for the public key pinning setting
Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band
Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys
Peer Authentication and Pinning nQUIC is designed for the public key pinning setting This applies to cases where: Public keys or Certificate Chains are obtained out-of-band Peers are bootstrapped with keys Public keys are managed by a trusted key management service
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation 4. Authenticated Negotiation of Application Protocol 5. Address Validation
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol 5. Address Validation
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation
nQUIC Motivated by simplicity while still satisfying the following requirements: 1. Authenticated Key Exchange Feature of Noise 2. Authentication of Transport Parameters Can be placed in the payload field 3. Authenticated Version Negotiation Can be placed in the payload field 4. Authenticated Negotiation of Application Protocol ALPN data can be placed in transport parameters 5. Address Validation Handled by QUIC address validation tokens
nQUICs Noise Pattern We needed a handshake that:
nQUICs Noise Pattern We needed a handshake that: Authenticates the server
nQUICs Noise Pattern We needed a handshake that: Authenticates the server Optionally authenticates the client