Provable Security and Performance Analyses Robert Lychev Samuel Jero Purdue University Georgia Institute of Technology Alexandra Boldyreva and Cristina Nita Rotaru ID: 792122
Download The PPT/PDF document "How Secure and Quick is QUIC?" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
How Secure and Quick is QUIC?Provable Security and Performance Analyses
Robert Lychev*, Samuel Jero+,
+
Purdue
University
*Georgia Institute of Technology
Alexandra
Boldyreva
*
, and Cristina Nita-
Rotaru
+
Slide2Proliferation of mobile and web applications has made latency a very important issue for online businesses users might visit a web site less often if it is slower than a competitor by over 250ms, S.
Lohler NY Times 2012100ms latency costs Amazon 1% in sales, G. Linden, 2006 Bandwidth is cheap and will continue to grow, but information cannot travel faster than the speed of lightChallenge: minimize number of RTT’s required to establish a connection, without sacrificing securitymy internets are so slow!Minimizing Latency
Slide3Google’s answer to the latency challengeStands for Quick UDP Internet ConnectionsCommunication protocol developed by Google and implemented as part of Chrome browser in 2013
Was designed toproduce security protection comparable to TLS reduce connection latencyCan QUIC do this in presence of attackers?What is QUIC?
Slide4TCP session establishment
TLS key establishmentconnection establishmentand key agreementexchange dataexchange datasetup latency+TLS over TCP
QUIC
client
s
erver
s
erver
client
TCP guarantees ordered
delivery, provides protection against connection-spoofing,
but
adds latency
suffers from subtle
performance
attacks, e.g., TCP
reset,
Clayton
et al, 2006
What
about QUIC?
Setup Time: QUIC
vs
TLS
Slide5i
nitial key establishmentsession key establishmentdata exchange with session keyclientserverdata exchangewith initial key
s
ession key establishment
d
ata exchange with session key
TLS
QUIC
client
s
erver
Parties
can
often avoid 1 RTT in initial
key
establishment
of
QUIC by caching some parameters (achieving 0-RTT connections)
What implications does this have on security
?
Starting Data Exchange: QUIC
vs
TLS
Slide6Fischlin & Günther, ACM CCS 2014develop a security definition for multi-stage key agreement
and show that QUIC’s key exchange meets this definitionshow how to modify QUIC so that it can compose with any secure data exchange protocolprove QUIC’s key exchange with a modification is securePrevious Work on QUIC What about security of the whole protocol as is? What about its latency in presence of attackers?
Slide7What provable security guarantees does QUIC provide, and under which assumptions?How effective is QUIC at minimizing latency in presence of attackers?
Main Questions We Address
Slide8What provable security guarantees does QUIC provide, and under which assumptions?we develop a security definition suitable for performance driven protocols and show that QUIC satisfies it
QUIC does not satisfy the traditional notion of forward secrecy, provided by some TLS modes, e.g., TLS-DHEHow effective is QUIC at minimizing latency in presence of attackers?with simple attacks on some parameters, it is easy to prevent QUIC from achieving its minimal latency goalswe have implemented these attacks and demonstrated that they are practicalSummary of Our Results
Slide9Provable Security Analysis of QUIC how QUIC worksnew protocol and security modelssecurity of QUIC
QUIC Performance-degradation attacksSummary and Future WorkOutline
Slide10QUIC Protocol
c_i_hello: (cid)s_reject: (cid, scfg, stk)cid {0,1}64$-verify scfg signature-generate DH values (secc, pubc)
c_hello: (cid
, stk, scfg, pubc
)s_hello: (
cid, pubs)
cid
: connection id picked by the client
s
tk
: source-address token used
to prevent
spoofing
scfg
: server
config
contains server’s public
Diffie
-Hellman (DH) values
-generate
stk
based
on client’s IP
i
nitial data exchange
data exchange
-generate session
DH values
(
sec
s
,pub
s
)
-establish session
key using
pubs-establish initial key using scfg-verify stk-establish initial key using pub
c
-establish session
key using
pub
c
client
s
erver
c
an be reused
Slide11QUIC ProtocolConnection Resumption
cid {0,1}64$--generate DH values (secc, pubc)c_hello: (cid, stk, scfg, pubc)s_hello: (cid, pubs)cid is the new connection id picked by the client
stk can be reused
before expiration
scfg can be reused before expiration
i
nitial data exchange
data exchange
-generate session
DH values
(
sec
s
,pub
s
)
-establish session key
using
pub
s
-establish initial
key
using
scfg
-verify
stk
-establish initial
key using
pub
c
-establish session
key using
pub
c
clientserver1 RTT
Slide12cid {0,1}64
$--generate DH values (secc, pubc)c_hello: (cid, stk, scfg, pubc)s_hello: (cid, pubs)initial data exchange
data exchange
-generate session DH values
(secs,pubs)
-establish session key using pub
s
-establish initial
key
using
scfg
-establish session
key using
pub
c
client
s
erver
-client cannot initially check
stk
authenticity, so this
can lead to
inconsistent
view of the handshake
-
compromising the server before
scfg
expires can
reveal data encrypted with initial key
QUIC Protocol
Connection Resumption
-can achieve 0-RTT connections!
-verify
stk
-establish initial
key using pubc
Slide13Security Analysis Main ChallengesPrevious analyses of TLS are not suitable (Jager
et al, Krawzcyk et al, Bhargavan et al, Crypto 2012, 2013, 2014) data in QUIC can be exchanged using initial key before the session key is setParties can set distinct initial keys notion of having a ‘matching conversation’ is not sufficient need new notion of ‘setting a key with’ to capture data privacyscfg is public and can be reused before it expires need weaker notion for forward secrecy for initial keysuse traditional notion of forward secrecy for session keysUDP does not address unordered delivery and spoofingneed to capture attacks involving misordering, selectively delaying or dropping packets, and connection spoofing
Slide14Security Analysis Main ChallengesTo address these challenges we developed protocol model that captures data exchanges under initial key before
session key is set: Quick Communications (QC)security notion: Quick Authenticated and Confidential Channel Establishment (QACCE)
Slide15How Secure is QUIC?QUIC meets our notion of QACCE-security ifThe underlying signature scheme is suf-cmaQUIC supports ECDSA-SHA256 and RSA-PSS-SHA256
The underlying AEAD scheme is ind-cpa and auth-secure QUIC uses AES Galois-Counter Mode (GCM), McGrew et al, INDOCRYPT 2004SCDH Problem is hardIn the random oracle (RO) model model HMAC with RO in the key derivation
Slide16Provable Security Analysis of QUIC QUIC Performance-degradation attackstypes of performance-degradation attacks on QUICperformance-degradation attacks we have implemented
Summary and Future WorkOutline
Slide17Replaying public, cacheable content, e.g, scfg and stk results in fooling client and/or server parties into trying to achieve a connection and maintain
stateManipulating unprotected packet fields, e.g., cid & stkleads clients and server to have a distinct view of the key exchange resulting in a failure to establish a session keyThe attacks we have studiedcause servers and clients to waste time and resourcesstem from parameters whose purpose was to minimize latency, e.g., scfg and stkdo not concern data authenticity and confidentialityPerformance Attack Overview
Slide18Attack NameAttack TypeImpact
scfg Replay AttackReplayConnection Failurestk Replay AttackReplayServer DoScid Manipulation AttackManipulationConnection Failure, Server Loadstk Manipulation Attack ManipulationConnection Failure, Server LoadCrypto Stream Offset Attack OtherConnection Failuretargeted QUIC Chromium implementation from October 1, 2014 used Python scapy library (http://www.secdev.org/projects/scapy
/)
Attacks We Have Implemented
A
ttacks can be used to deny clients access to
any
a
pplication of
choice
and cause servers
to waste
resources!
Slide19Summary and Future WorkDeveloped security definition for performance-driven protocols and showed that QUIC meets our definitionHave implemented five different practical performance degradation attacks against QUIC
Demonstrate an inherent tradeoff between performance and security Our security definition could be used to analyze other performance-driven protocols, such as TLS version 1.3
s
ecurity
latency
low
Slide20Thank You
look for the full versionSecurity definitions and proofsAttack implementation detailsComparison to attacks against TLSMitigation strategies