Modernizing Network Security with nQUIC Noise-Based Packet Protection

Slide Note
Embed
Share

Explore the evolution of network security mechanisms through nQUIC Noise protocol, comparing it against traditional HTTPS stack. Delve into the secure transmission aspects of TCP/IP, TLS, and the innovative approaches of QUIC protocol, emphasizing the significance of securing protocols with TLS in modern network infrastructures.

katarina
katarina Follow

Uploaded on Jul 22, 2024 | 2 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. nQUIC nQUIC: Noise : Noise- -Based Packet Protection Protection Based Packet Mathias Hall-Andersen* University of Copenhagen David Wong* Facebook Alishah Chator Johns Hopkins University Nick Sullivan Cloudflare *Work done while at NCC Group Work done while at Cloudflare

  2. The Traditional HTTPS Stack HTTP TLS TCP IP

  3. The Traditional HTTPS Stack Multiplexed Streams HTTP TLS TCP IP

  4. The Traditional HTTPS Stack Multiplexed Streams HTTP Security TLS TCP IP

  5. The Traditional HTTPS Stack Multiplexed Streams HTTP Security TLS Reliability TCP IP

  6. The Traditional HTTPS Stack HTTP TLS Ossification TCP IP

  7. The QUIC way of doing things HTTP HTTP TLS QUIC TCP UDP IP

  8. The QUIC way of doing things HTTP HTTP Multiplexed Streams TLS Security Reliability QUIC TCP UDP IP

  9. Securing Protocols with TLS

  10. Securing Protocols with TLS: TCP TLS Handshake Layer TLS Record Layer TCP

  11. Securing Protocols with TLS: TCP TLS Handshake Layer Handshake messages, Application data, TLS alerts TLS Record Layer TCP

  12. Securing Protocols with TLS: TCP TLS Handshake Layer Handshake messages, Application data, TLS alerts Applies cryptographic protection TLS Record Layer TCP

  13. Securing Protocols with TLS: TCP TLS Handshake Layer Handshake messages, Application data, TLS alerts Applies cryptographic protection TLS Record Layer Reliable transport TCP

  14. Securing Protocols with TLS: QUIC TLS Handshake/Alerts Application Data QUIC

  15. Securing Protocols with TLS: QUIC TLS Handshake/Alerts Application Data Supplies both packet protection and reliable transport QUIC

  16. Handshake Modularity Extract keys from handshake QUIC TLS Handshake/Alerts

  17. Handshake Modularity Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets QUIC Packet Protector

  18. Handshake Modularity Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets QUIC Packet Protector

  19. Handshake Modularity Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Separation between how handshake is performed and how the keys are used QUIC Packet Protector

  20. Handshake Modularity Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Separation between how handshake is performed and how the keys are used QUIC Packet Protector

  21. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets QUIC Packet Protector

  22. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Specifications focus on TLS 1.3 limits advantages of modularity QUIC Packet Protector

  23. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Specifications focus on TLS 1.3 limits advantages of modularity - Avoiding complexity when not needed QUIC Packet Protector

  24. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Specifications focus on TLS 1.3 limits advantages of modularity - Avoiding complexity when not needed - Swapping in new protocols with full security proofs QUIC Packet Protector

  25. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Specifications focus on TLS 1.3 limits advantages of modularity - Avoiding complexity when not needed - Swapping in new protocols with full security proofs QUIC - Legacy support not always needed Packet Protector

  26. Handshake Modularity? Extract keys from handshake QUIC TLS Handshake/Alerts Use keys to protect packets Specifications focus on TLS 1.3 limits advantages of modularity - Avoiding complexity when not needed - Swapping in new protocols with full security proofs QUIC - Legacy support not always needed Packet Protector In addition, TLS implementations need significant modification before integrating with QUIC

  27. Are there circumstances we can do better than TLS 1.3?

  28. What is Noise A framework for specifying Cryptographic Handshakes

  29. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language

  30. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity

  31. What is Noise A framework for specifying Cryptographic Handshakes A variety of protocols can be specified using the simple Noise language These protocols can vary in their guarantees and complexity However, once a protocol is selected, the handshake proceeds in a straightforward fashion

  32. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns

  33. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e e Public Key Tokens

  34. What is Noise The Noise language consists of tokens, which combine into message patterns, when combine into handshake patterns s s e s s s e e s e e e Public Key Tokens DH Tokens

  35. What is Noise Here is a basic example handshake pattern e payload payload e e e

  36. What is Noise Here is a basic example handshake pattern e Initiator sends a public ephemeral DH share

  37. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over

  38. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e

  39. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share e e e A DHKE is performed using these keys to obtain

  40. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key

  41. What is Noise Here is a basic example handshake pattern e payload Initiator sends a public ephemeral DH share A cleartext payload is also sent over Responder sends a public ephemeral DH share payload e e e A DHKE is performed using these keys to obtain Responder sends payload encrypted under a derived key Noise does additional processing to mix all handshake data into the derived key

  42. Noise vs TLS Once a handshake pattern is selected, noise follows a simple linear state machine

  43. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure

  44. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library

  45. Noise vs TLS Once a handshake pattern is selected, Noise follows a simple linear state machine Noise is easy to prove secure Noise is generally implemented as a build your own protocol library Noise lacks cryptographic agility

  46. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI

  47. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust

  48. Peer Authentication and Pinning Traditionally, Authentication of peers in TLS involves a PKI Leaf Intermediary Root Chain of Trust However this is not necessary in a centrally managed setting

  49. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key

  50. Peer Authentication and Pinning Pinning instructs a peer to expect a specific key This is similar to the Preshared Symmetric Keys (PSKs) setting

Related


Understanding Noise in RF Integrated Circuits: Thermal and 1/f Noise

Understanding Noise in RF Integrated Circuits: Thermal and 1/f Noise

annamaria
Insights from ET-ISB Workshop on Low-Frequency Noise and GWADW 2021

Insights from ET-ISB Workshop on Low-Frequency Noise and GWADW 2021

zena
Understanding Noise in Communication Systems

Understanding Noise in Communication Systems

kinga
Aviation Noise Management Strategies in Sweden

Aviation Noise Management Strategies in Sweden

kriya
Enhancing Network Security Through Multi-Core Packet Scattering and Deep Packet Inspection

Enhancing Network Security Through Multi-Core Packet Scattering and Deep Packet Inspection

jaan372
Understanding Frequency Weighting in Noise Pollution Measurement

Understanding Frequency Weighting in Noise Pollution Measurement

ruadhan
Understanding Noise in Communication Systems

Understanding Noise in Communication Systems

claudius
Advanced Understanding of Low-Frequency Noise in Instrumentation

Advanced Understanding of Low-Frequency Noise in Instrumentation

enid
Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Understanding Bandwidth, Channel Capacity, and Noise in Communication Networks

Understanding Bandwidth, Channel Capacity, and Noise in Communication Networks

schweigert_a
Understanding Noise Control Methods in Environmental Engineering

Understanding Noise Control Methods in Environmental Engineering

norm_654
Addressing Underwater Noise Pollution in EU Waters: Urgent Action Needed

Addressing Underwater Noise Pollution in EU Waters: Urgent Action Needed

dshor
Understanding Noise Pollution: Sources, Terminology, and Measurement

Understanding Noise Pollution: Sources, Terminology, and Measurement

broo_387
Understanding the Impact of Aircraft Noise on Health - Recent Update

Understanding the Impact of Aircraft Noise on Health - Recent Update

cono_9
Understanding Noise Pollution: Sources, Effects, and Control

Understanding Noise Pollution: Sources, Effects, and Control

califor
Enhancing Network Security Using Snort Virtual Network Function with DPI Service

Enhancing Network Security Using Snort Virtual Network Function with DPI Service

aheck
Understanding Wireshark Filters for Efficient Packet Analysis

Understanding Wireshark Filters for Efficient Packet Analysis

slil
Understanding Security Onion: Network Security Monitoring Tools

Understanding Security Onion: Network Security Monitoring Tools

sadhbh
Bandwidth and Packet Type Detection Schemes for 40-50GHz Millimeter Wave Communication Systems

Bandwidth and Packet Type Detection Schemes for 40-50GHz Millimeter Wave Communication Systems

kean660
Understanding the Basics of Packet Radio for Amateur Communication

Understanding the Basics of Packet Radio for Amateur Communication

ell_wi
Occupational Noise Exposure and Hearing Conservation Training Program

Occupational Noise Exposure and Hearing Conservation Training Program

joss
Protect Your Hearing: Strategies for Prevention

Protect Your Hearing: Strategies for Prevention

rgrac
Modernizing Official Statistics: Poland's Innovation Experience

Modernizing Official Statistics: Poland's Innovation Experience

anast
Proactive Network Protection Through DNS Security Insights

Proactive Network Protection Through DNS Security Insights

rserv

More Related Content