Abstract
Secure channel establishment protocols such as TLS are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing the latency (the number of interactions between parties) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3 over TCP Fast Open (TFO), Google’s QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Towards this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data privacy and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the crypto cores of the protocols. Equipped with our new models we provide a detailed comparison of the above three protocols. We hope that our results will help protocol designers in their future protocol analyses and practitioners to better understand the advantages and limitations of novel secure channel establishment protocols.
Notes
1. For the network-layer protocols, we only consider the Internet Protocol and its IP address header fields because our model mainly focuses on the application and transport layers and additionally only captures the IP-spoofing attack.
2. Some protocol header fields (e.g., port numbers, checksums, etc.) can be excluded if they are not the focus of the security analysis.
3. To fit TLS 1.3’s encryption scheme, unlike QACCE we model QUIC’s encryption scheme as a more general stateful AEAD scheme rather than a nonce-based one.
4. Disjointness is a reasonable assumption as practical protocols (such as the 3 layered protocols that we consider) enforce different leading bits for different types of messages.
5. A pre-reset message can also be carried within an encrypted key exchange packet. We consider it encrypted as a separate secure channel packet to get a clean packet-authentication security model described later.
6.
7. This captures the case where a 0-RTT key only consists of a client encryption key while the server encryption key does not exist.
8. This captures the post-handshake key exchange messages that are used for session resumption, post-handshake authentication, key update, etc.
9. As discussed in [24], two session oracles having matching conversations with each other may not observe the same transcript due to the gap between one oracle sending a message and the other receiving it. We can use symmetric session identifiers to define matching conversations because our msACCE-std model focuses only on server authentication and we require session identifiers to exclude, if any, a client oracle’s last key exchange message(s) sent immediately before it sets its session key.
10. In practice, 0-RTT replay attacks can be mounted to different servers with the same public-secret key pair. However, 0-RTT key exchange message(s) replayed to other servers with different public-secret key pairs will be rejected.
11. Note that \({\mathsf {Encrypt}}\) and \({\mathsf {Decrypt}}\) queries are not needed because msACCE-pauth does not consider data privacy explicitly.
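Note 10 in worked form, as an added illustration rather than code from the paper: a toy resumption setup in which every server keeps its own 0-RTT replay cache and tickets are bound to a key pair through a MAC under a per-key-pair ticket key (a stand-in for the public-secret key pair and a simplification of TLS 1.3 tickets and PSK binders). The class and function names, the key sizes and the cache design are assumptions made for the illustration. Replaying one 0-RTT ClientHello to the issuing server is caught by its cache; to a second server that shares the key pair it is accepted, because that server's cache has never seen it; to a server with a different key pair it is rejected at ticket validation.

```python
"""Added example, not from the paper: a toy model of Note 10 (0-RTT replay
across servers). Tickets are bound to a per-key-pair ticket key, which stands
in for the server's public-secret key pair; each server has a private replay
cache. Names, sizes and the cache design are assumptions for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    def __init__(self, name: str, ticket_key: bytes) -> None:
        self.name = name
        self.ticket_key = ticket_key            # stands in for the server's key pair
        self.replay_cache: Set[bytes] = set()   # per-server, not shared across a fleet

    def issue_ticket(self) -> Tuple[bytes, bytes]:
        """Return (ticket, psk); the ticket validates at any server sharing ticket_key."""
        ticket_id = secrets.token_bytes(8)
        ticket = ticket_id + _mac(self.ticket_key, b"ticket" + ticket_id)
        return ticket, _mac(self.ticket_key, b"psk" + ticket_id)

    def accept_0rtt(self, client_hello: bytes) -> str:
        """Classify a 0-RTT ClientHello as 'accepted', 'bad-ticket' or 'replay'."""
        ticket, nonce, binder = client_hello[:40], client_hello[40:56], client_hello[56:]
        ticket_id = ticket[:8]
        expected = ticket_id + _mac(self.ticket_key, b"ticket" + ticket_id)
        if not hmac.compare_digest(ticket, expected):
            return "bad-ticket"          # ticket was issued under a different key pair
        psk = _mac(self.ticket_key, b"psk" + ticket_id)
        if not hmac.compare_digest(binder, _mac(psk, b"binder" + ticket + nonce)):
            return "bad-ticket"          # binder does not match the PSK for this ticket
        digest = hashlib.sha256(client_hello).digest()
        if digest in self.replay_cache:
            return "replay"              # only this server's own history is consulted
        self.replay_cache.add(digest)
        return "accepted"


def make_0rtt_client_hello(ticket: bytes, psk: bytes) -> bytes:
    """Client side: ticket || nonce || binder, the binder keyed by the resumption PSK."""
    nonce = secrets.token_bytes(16)
    return ticket + nonce + _mac(psk, b"binder" + ticket + nonce)


def replay_experiment() -> Dict[str, str]:
    """Replay one 0-RTT ClientHello to the issuing server A, to server B holding the
    same key pair, and to server C holding a different key pair."""
    shared_key, other_key = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b, c = Server("A", shared_key), Server("B", shared_key), Server("C", other_key)
    ticket, psk = a.issue_ticket()
    hello = make_0rtt_client_hello(ticket, psk)
    return {
        "A first": a.accept_0rtt(hello),   # accepted
        "A replay": a.accept_0rtt(hello),  # replay: A's cache has the digest
        "B replay": b.accept_0rtt(hello),  # accepted: same key pair, separate cache
        "C replay": c.accept_0rtt(hello),  # bad-ticket: different key pair
    }
```

The "B replay" outcome is the practical point of the note: a per-server replay cache only protects the server that saw the first copy, so a deployment that shares one key pair (here, one ticket key) across servers needs either a shared anti-replay store or single-use tickets to get the same guarantee fleet-wide.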
References
HTTPS encryption on the web - Google transparency report (2018). https://transparencyreport.google.com/https/overview
Abramov, R., Herzberg, A.: TCP Ack Storm DoS attacks. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IAICT, vol. 354, pp. 29–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21424-0_3
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: Security and Privacy (SP), pp. 483–502. IEEE (2017)
Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_14
Brendel, J., Fischlin, M., Günther, F.: Breakdown resilience of key exchange protocols and the cases of NewHope and TLS 1.3. Cryptology ePrint Archive, Report 2017/1252 (2017)
Cao, Y., Qian, Z., Wang, Z., Dao, T., Krishnamurthy, S.V., Marvel, L.M.: Off-path TCP exploits: global rate limit considered dangerous. In: USENIX Security Symposium (2016)
Centre for the Protection of National Infrastructure: Security assessment of the transmission control protocol. Technical report CPNI Technical Note 3/2009, Centre for the Protection of National Infrastructure (2009)
Chen, S., Jero, S., Jagielski, M., Boldyreva, A., Nita-Rotaru, C.: Secure communication channel establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC. Cryptology ePrint Archive, Report 2019/433 (2019). https://eprint.iacr.org/2019/433
Cheng, Y., Chu, J., Radhakrishnan, S., Jain, A.: TCP Fast Open. RFC 7413 (Experimental), December 2014
Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 470–485 (2016). https://doi.org/10.1109/SP.2016.35
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1773–1788. ACM (2017)
Delignat-Lavaud, A., et al.: Implementing and proving the TLS 1.3 record layer. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, pp. 463–482. IEEE Computer Society (2017)
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 1197–1210. ACM, New York (2015)
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016/081 (2016). https://eprint.iacr.org/2016/081
Dowling, B.J.: Provable security of internet protocols. Ph.D. thesis, Queensland University of Technology (2017)
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1193–1204. ACM (2014)
Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 60–75. IEEE (2017)
Fischlin, M., Günther, F., Marson, G.A., Paterson, K.G.: Data is a stream: security of stream-based channels. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 545–564. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_27
Gebhart, G.: Tipping the scales on HTTPS: 2017 in review, December 2017. https://www.eff.org/deeplinks/2017/12/tipping-scales-https
Gilad, Y., Herzberg, A.: Off-path attacking the web. In: WOOT, pp. 41–52 (2012)
Verizon Enterprise Solutions: IP latency statistics (2018). http://www.verizonenterprise.com/about/network/latency/
Iyengar, J., Thomson, M.: QUIC: a UDP-based multiplexed and secure transport, January 2019. https://quicwg.org/base-drafts/draft-ietf-quic-transport.html
Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_17
Jero, S., Lee, H., Nita-Rotaru, C.: Leveraging state information for automated attack discovery in transport protocol implementations. In: IEEE/IFIP International Conference on Dependable Systems and Networks (2015)
Jero, S., Hoque, E., Choffnes, D., Mislove, A., Nita-Rotaru, C.: Automated attack discovery in TCP congestion control using a model-guided approach. In: Network and Distributed Systems Security Symposium (NDSS) (2018)
Joncheray, L.: A simple active attack against TCP. In: USENIX Security Symposium (1995)
Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_24
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 81–96. IEEE (2016)
Kumar, V.A., Jayalekshmy, P.S., Patra, G.K., Thangavelu, R.P.: On remote exploitation of TCP sender for low-rate flooding denial-of-service attack. IEEE Commun. Lett. 13(1), 46–48 (2009)
Kuzmanovic, A., Knightly, E.: Low-rate TCP-targeted denial of service attacks and counter strategies. IEEE/ACM Trans. Netw. 14(4), 683–696 (2006)
Langley, A., Chang, W.: QUIC crypto (2016). https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit
Li, X., Xu, J., Zhang, Z., Feng, D., Hu, H.: Multiple handshakes security of TLS 1.3 candidates. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 486–505. IEEE (2016)
Linden, G.: Make data useful (2006). https://sites.google.com/site/glinden/Home/StanfordDataMining.2006-11-29.ppt
Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 214–231. IEEE (2015)
Morris, R.: A weakness in the 4.2 BSD Unix TCP/IP software. Technical report, AT&T Bell Laboratories (1985)
Patton, C., Shrimpton, T.: Partially specified channels: the TLS 1.3 record layer without elision. In: ACM SIGSAC Conference on Computer and Communications Security. ACM (2018)
Postel, J.: User Datagram Protocol. RFC 768 (Standard) (1980)
Postel, J.: Transmission Control Protocol. RFC 793 (Standard) (1981)
Qian, Z., Mao, Z.M.: Off-path TCP sequence number inference attack - how firewall middleboxes reduce security. In: IEEE Symposium on Security and Privacy, pp. 347–361 (2012)
Qian, Z., Mao, Z.M., Xie, Y.: Collaborative TCP sequence number inference attack: how to crack sequence number under a second. In: ACM Conference on Computer and Communications Security (2012)
Radhakrishnan, S., Cheng, Y., Chu, J., Jain, A., Raghavan, B.: TCP Fast Open. In: Proceedings of the Seventh Conference on Emerging Networking Experiments and Technologies (CoNEXT 2011), p. 21. ACM (2011)
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018
Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)
Roskind, J.: QUIC(quick UDP internet connections): multiplexed stream transport over UDP. Technical report, Google (2013)
Savage, S., Cardwell, N., Wetherall, D., Anderson, T.: TCP congestion control with a misbehaving receiver. ACM SIGCOMM Comput. Commun. Rev. 29(5), 71–78 (1999)
Thomson, M., Turner, S.: Using transport layer security (TLS) to secure QUIC, January 2019. https://quicwg.org/base-drafts/draft-ietf-quic-tls.html
Watson, P.: Slipping in the window: TCP reset attacks. Technical report, CanSecWest (2004). http://bandwidthco.com/whitepapers/netforensics/tcpip/TCPResetAttacks.pdf
Acknowledgments
We thank the anonymous reviewers for their comments. This paper is based upon work supported by the National Science Foundation under Grant No. 1422794.
A TFO+TLS 1.3 and UDP+QUIC Protocol Definitions
A.1 TFO+TLS 1.3 Protocol Definition
Referring to the msACCE protocol syntax, a TFO+TLS 1.3 2-RTT full handshake (see Fig. 1) is a 2-stage msACCE protocol in the full mode and a 0-RTT resumption handshake (see Fig. 1) is a 3-stage msACCE protocol in the resumption mode. Note that we focus only on the main components of the handshakes and omit more advanced features such as 0.5-RTT data, client authentication, and post-handshake messages (except NewSessionTicket). In a full handshake, the initial keys are set after sending or receiving ServerHello and the final keys (i.e., session keys) are set after sending or receiving ClientFinished (but only handshake messages up to ServerFinished are used for final key generation). In a 0-RTT resumption handshake, the parties set 0-RTT keys to encrypt or decrypt 0-RTT data, after sending or receiving ClientHello.
According to the TFO and TLS 1.3 specifications [10, 43], the TFO+TLS 1.3 header contains the TCP header [39]. We ignore some uninteresting header fields such as port numbers and the checksum because modifying them only leads to redirected or dropped packets; such adversarial capabilities are already considered in the msACCE security models. We thus define the header space \(\mathcal {H}\) as containing the following fields: a 32-bit sequence number \({\mathtt {sqn}}\), a 32-bit acknowledgment number \({\mathtt {ack}}\), a 4-bit data offset \({\mathtt {off}}\), a 6-bit reserved field \({\mathtt {resvd}}\), a 6-bit control bits field \({\mathtt {ctrl}}\), a 16-bit window \({\mathtt {window}}\), a 16-bit urgent pointer \({\mathtt {urgp}}\), and a variable-length (at most 320-bit) padded options field \({\mathtt {opt}}\). For encrypted packets, \(\mathcal {H}\) additionally contains the TLS 1.3 record header fields: an 8-bit type \({\mathtt {type}}\), a 16-bit version \({\mathtt {ver}}\), and a 16-bit length \({\mathtt {len}}\). We further define reset packets as those with the RST bit (i.e., the 4th bit of \({\mathtt {ctrl}}\)) set to 1. Note that \(\mathsf {scfg\_gen}\) is undefined for this protocol.
TLS 1.3 enforces different content types for encrypted key exchange and secure channel messages. For simplicity, we define \(\mathcal {M}_{\mathsf {KE}}\) and \(\mathcal {M}_{\mathsf {SC}}\) as consisting of bit strings differing in their first bits. \(\mathcal {M}_{\mathsf {pRST}}=\varnothing \). We refer to the full version [9] for the remaining TFO details and to [6, 18] for the detailed descriptions of TLS 1.3 handshake messages and key generations in earlier TLS 1.3 drafts as well as [43] for the latest updates.
A.2 UDP+QUIC Protocol Definition
Referring to the msACCE protocol syntax, a UDP+QUIC 1-RTT full handshake (see Fig. 2) is a 2-stage msACCE protocol in the full mode and a 0-RTT resumption handshake (see Fig. 2) is a 2-stage msACCE protocol in the resumption mode. The initial keys are set after sending or receiving ClientHello and the final keys (i.e., session keys) are set after sending or receiving ServerHello.
According to the UDP and QUIC specifications [32, 38, 45], the UDP+QUIC header contains the UDP header [38] and the QUIC header (described below). As with the TCP header, we ignore the port numbers and checksum in the UDP header. Similarly, we also ignore the UDP length field because it only affects the length of the QUIC header and payload. We thus can completely omit the UDP header and define the header space \(\mathcal {H}\) as containing the following fields: an 8-bit public flag \({\mathtt {flag}}\), a 64-bit connection ID \({\mathtt {cid}}\), a variable-length (at most 48-bit) sequence number \({\mathtt {sqn}}\), and other optional fields. We further define reset packets as those with the PUBLIC_FLAG_RESET bit (i.e., the 7th bit of \({\mathtt {flag}}\)) set to 1. A reset packet header only contains \({\mathtt {flag}}\) and \({\mathtt {cid}}\).
As with TLS 1.3, we define \(\mathcal {M}_{\mathsf {KE}}\) and \(\mathcal {M}_{\mathsf {SC}}\) as consisting of bit strings differing in their first bits. \(\mathcal {M}_{\mathsf {pRST}}=\varnothing \). We refer to [35] for the detailed descriptions of \(\mathsf {scfg\_gen}\) and QUIC handshake messages and key generations.
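The header spaces of A.1 and A.2 in executable form, as an added example that is not part of the paper: parsers that extract exactly the fields the text places in \(\mathcal {H}\) (dropping ports and checksums as the model does), the reset-packet predicates for both protocols, and the RFC 793 in-window test, which is all a TCP receiver applies before honouring a RST and is the gap the reset-authentication goal targets. Field layouts follow RFC 793, RFC 8446 and Google's QUIC wire layout as summarised above; the packet bytes are constructed vectors, not captured traffic, and the function and constant names are assumptions of this example.

```python
"""Added example, not code from the paper: parsers for the header spaces H of
Appendix A.1 (TCP + TLS 1.3 record header) and A.2 (Google QUIC public header),
plus the reset-packet predicates the model keys on. Layouts follow RFC 793,
RFC 8446 and Google's QUIC wire layout; every packet below is a constructed vector."""
import struct
from typing import Tuple

TCP_CTRL_RST = 0x04        # 4th of the 6 control bits URG ACK PSH RST SYN FIN
QUIC_FLAG_VERSION = 0x01   # a 4-byte version tag follows cid
QUIC_FLAG_RESET = 0x02     # PUBLIC_FLAG_RESET: 7th bit of flag, counting from the MSB
QUIC_CID_LEN = {0x0C: 8, 0x08: 4, 0x04: 1, 0x00: 0}   # keyed on flag & 0x0C
QUIC_PKN_LEN = {0x30: 6, 0x20: 4, 0x10: 2, 0x00: 1}   # keyed on flag & 0x30
TCP_FIELDS = ("sqn", "ack", "off", "resvd", "ctrl", "window", "urgp", "opt")


def parse_tcp_header(seg: bytes) -> Tuple[dict, bytes]:
    """Split a TCP segment into the A.1 header fields and its payload. Ports and
    checksum are parsed but dropped, since the model excludes them from H."""
    if len(seg) < 20:
        raise ValueError("short TCP header")
    _sp, _dp, sqn, ack, mix, window, _csum, urgp = struct.unpack("!HHIIHHHH", seg[:20])
    off, resvd, ctrl = mix >> 12, (mix >> 6) & 0x3F, mix & 0x3F
    if off < 5 or len(seg) < off * 4:
        raise ValueError("bad data offset")
    opt = seg[20:off * 4]   # at most 40 bytes (320 bits): off is a 4-bit word count
    hdr = dict(zip(TCP_FIELDS, (sqn, ack, off, resvd, ctrl, window, urgp, opt)))
    return hdr, seg[off * 4:]


def tcp_is_reset(hdr: dict) -> bool:
    return bool(hdr["ctrl"] & TCP_CTRL_RST)


def tcp_reset_accepted(hdr: dict, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a RST: any in-window sqn, no secret involved.
    An off-path attacker only has to land sqn inside the window to tear down a TCP
    (hence TFO+TLS 1.3) connection; RFC 5961 later tightened this to sqn == rcv_nxt."""
    return tcp_is_reset(hdr) and (hdr["sqn"] - rcv_nxt) % (1 << 32) < rcv_wnd


def parse_tls_record_header(rec: bytes) -> Tuple[dict, bytes]:
    """Parse the 5-byte TLS 1.3 record header (type, ver, len) and return the fragment."""
    if len(rec) < 5:
        raise ValueError("short TLS record")
    ctype, ver, length = struct.unpack("!BHH", rec[:5])
    if len(rec) < 5 + length:
        raise ValueError("truncated TLS record")
    return {"type": ctype, "ver": ver, "len": length}, rec[5:5 + length]


def parse_quic_public_header(pkt: bytes) -> Tuple[dict, bytes]:
    """Parse the Google QUIC public header. A reset packet carries only flag and
    cid (sqn is None) and the rest of the datagram is returned as the reset body."""
    if not pkt:
        raise ValueError("empty packet")
    flag, pos = pkt[0], 1
    cid_len = QUIC_CID_LEN[flag & 0x0C]
    if len(pkt) < pos + cid_len:
        raise ValueError("truncated cid")
    cid = int.from_bytes(pkt[pos:pos + cid_len], "big") if cid_len else None
    pos += cid_len
    if flag & QUIC_FLAG_RESET:
        return {"flag": flag, "cid": cid, "sqn": None}, pkt[pos:]
    if flag & QUIC_FLAG_VERSION:
        pos += 4   # version tag is not part of H in the model; skip it
    pn_len = QUIC_PKN_LEN[flag & 0x30]
    if len(pkt) < pos + pn_len:
        raise ValueError("truncated packet number")
    sqn = int.from_bytes(pkt[pos:pos + pn_len], "big")
    return {"flag": flag, "cid": cid, "sqn": sqn}, pkt[pos + pn_len:]


def quic_is_reset(hdr: dict) -> bool:
    return bool(hdr["flag"] & QUIC_FLAG_RESET)


# Constructed vectors with hypothetical values, not captured traffic.
TCP_RST_ACK = struct.pack("!HHIIHHHH", 443, 50000, 0x11223344, 0x55667788,
                          (5 << 12) | 0x14, 65535, 0, 0)          # RST|ACK, no options
TLS_APP_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x03]) + b"abc"   # application_data
QUIC_CID = bytes.fromhex("0102030405060708")
QUIC_DATA_PKT = bytes([0x0C | 0x10]) + QUIC_CID + b"\x00\x2a" + b"ciphertext"  # 8B cid, 2B pn
QUIC_RESET_PKT = bytes([0x0C | QUIC_FLAG_RESET]) + QUIC_CID + b"reset-body"
```

Running `parse_tcp_header(TCP_RST_ACK + TLS_APP_RECORD)` yields a header with the RST bit set and the application_data record as payload, and `tcp_reset_accepted` returns True for that segment against any receive window containing 0x11223344, with nothing secret involved; the QUIC parser instead stops after `flag` and `cid` on a reset and hands the remaining bytes back, so whatever proof the reset body carries is left for the caller to authenticate, which is exactly the part of the two designs the reset-authentication goal compares.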
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Chen, S., Jero, S., Jagielski, M., Boldyreva, A., Nita-Rotaru, C. (2019). Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) vs. QUIC. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_20
DOI: https://doi.org/10.1007/978-3-030-29959-0_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0