Abstract
QUIC is a secure transport protocol developed by Google. Lychev et al. proposed a security model (QACCE model) to capture the security of QUIC. However, the QACCE model is very complicated, and it is not clear if security requirements for QUIC are appropriately defined. In this paper, we show the first formal analysis result of QUIC using automated security verification tool ProVerif. Our symbolic model formalizes the QACCE model and the specification of QUIC. As the result of the verification, we find three attacks against QUIC in the QACCE model. It means that the Lychev et al.’s security proofs are not correct. We discuss why such attacks occur, and clarify there are unnecessarily strong points in the QACCE model. Finally, we give a way to improve the QACCE model to exactly address the appropriate security requirements.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In the original model, this query returns the encryption of \(m_{b^{q}_{p,j}}\). However, since p in \(m_{b^{q}_{p,j}}\) is equal to p in \(\pi ^{r}_{p,j}\), \(m_{b^{q}_{p,j}}\) must be changed to \(m_{b^{r}_{p,j}}\).
- 2.
In the original model, \(\mathsf {encrypt}\) query for \(\pi ^{r}_{p,j}\) is prohibited. However, \(\mathsf {encrypt}( \pi ^{r}_{p,j}, *, *, *, \mathsf {init})\) returns the ciphertext generated by p, and it is not reasonable. In this definition, the ciphertext of generated by \(p'\) should be prohibited. Thus, \(\pi ^{r}_{p,j}\) must be changed to \(\pi ^{q}_{p',i}\).
References
Dierks, T., Allen, C.: The TLS protocol version 1.0. In: RFC 2246 (Proposed Standard), Internet Engineering Task Force (1999)
Ford, B.: Structured streams: a new transport abstraction. In: SIGCOMM 2007, pp. 361–372 (2007)
Stewart, R.: Stream control transmission protocol. In: RFC 4960 (Proposed Standard), Internet Engineering Task Force (2007)
Erman, J., Gopalakrishnan, V., Jana, R., Ramakrishnan, K.K.: Towards a SPDY’ier mobile web? In: CoNEXT 2013, pp. 303–314 (2013)
Roskind, J.: QUIC (Quick UDP Internet Connections): Multiplexed Stream Transport Over UDP (2013). https://docs.google.com/document/d/1RNHkx_VvKWyWg6Lr8SZ-saqsQx7rFV-ev2jRFUoVD34/
StatCounter: StatConter Global Stats: Top. 5 Desktop Browsers from to Apr 2016 (2016). http://gs.statcounter.com/#desktop-browser-ww-monthly-201504-201604
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: ACM Conference on Computer and Communications Security 2014, pp. 1193–1204 (2014)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_21
Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy, pp. 214–231 (2015)
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. Internet-Draft draft-ietf-tls-tls13-13 (2016)
ProVerif: Cryptographic protocol verifier in the formal model. http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
Blanchet, B.: Automatic verification of correspondences for security protocols. J. Comput. Secur. 17(4), 363–434 (2009)
Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. J. Logic Algebraic Program. 75(1), 3–51 (2008). Algebraic Process Calculi. The First Twenty Five Years and Beyond. III
Cheval, V., Blanchet, B.: Proving more observational equivalences with ProVerif. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 226–246. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36830-1_12
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Protocol Flow of QUIC
The 1-RTT protocol of QUIC is shown in Table 1. The 0-RTT protocol simply omits \(m_1\) and \(m_2\) from the 1-RTT protocol and renumber the sequence number, which starts from 1.
The client has following information.
-
\(pk_S\): a verification key of a server which is obtained from PKI
-
\(\tau _t\): current time period
The server has following information.
-
\(pk_S\): a verification key
-
\(sk_S\): a signing key corresponding with \(pk_S\)
-
\(k_{\mathtt {stk}}\): a server secret key where \(k_{\mathtt {stk}} \leftarrow _R \{ 0,1 \}^{128}\)
-
\(Y' = g^{y'}\) where \(y' \leftarrow _R \# \langle g\rangle \) (ServerConfiguration for 0-RTT)
-
\(\tau _t\): current time period
-
\(\mathtt {scfg}^t\): a part of global state of server in the time period \(\tau _t\)
-
\(\mathtt {stk}\): source-address token \(\mathtt {stk}\)
-
xtrct_xpnd: key derivation function for QUIC
-
\(\mathtt {strike}\): set of used nonce
-
\(\mathtt {strike}_{rng}\): arrowed time period
-
pak: packet generate function for QUIC
-
process_packets: packet process function for QUIC
We assume that the server’s \(\mathtt {scfg}\) is refreshed every time period \(\tau _t\) using the scfg\(\_\)gen function as follows.
\(\underline{scfg\_gen(sk, \tau _t, \lambda )}\):
\(q \leftarrow _R \{\text {primes~of~size } \lambda \},\) \(g \leftarrow _R \{\text {generators~of } \mathbb {Z}_q \},\) \(x_s \leftarrow _R \mathbb {Z}_{q-1},\) \(y_s \leftarrow g^{x_s},\) \(\mathtt {pub}_s \leftarrow (g, q, y_s),\) \(\mathtt {sec}_s \leftarrow x_s,\) \(\mathtt {expy}\leftarrow \tau _{t+1},\) \(\mathtt {scid}\leftarrow \mathcal {H} (\mathtt {pub}_s, \mathtt {expy}),\) \(\mathtt {str}\leftarrow \) “QUIC server config signature”, \(\mathtt {scfg}^t_{\mathtt {pub}} \leftarrow (\mathtt {scid}, \mathtt {pub}_s,\) \(\mathtt {expy}, \mathtt {prof}),\) \(\mathtt {scfg}\leftarrow (\mathtt {scfg}^t_{\mathtt {pub}}, \mathtt {sec}_s).\)
B Formalization of Cryptographic Primitives
The cryptographic primitives used in QUIC are authenticated encryption with associated data (AEAD), Diffie-Hellman key agreement, digital signatures, the hash function (\(\mathcal {H}\)), and the key derivation function (\(\mathrm {xtrct\_xpnd}\)). Diffie-Hellman key agreement and digital signatures are formalized in the same way as in [11]. The hash function and the key derivation function are formalized merely as function symbols Hash and xtrct_xpnd that have no equation, respectively. Additionally, we use some function symbols for representing extraction of keys such as \(k_s\) and \(k_c\) from k output by the key derivation function.
AEAD is formalized by first introducing a function symbol E for encryption. A term \({\texttt {E(k, iv, m, h)}}\) represents encryption of the plaintext m with additional authenticated data h encrypted with key k and nonce iv. We also introduce destructor function symbol D, extract_nonce, extract_AD and equations
The first equation means that a ciphertexts is decrypted and verified by using the valid key and the nonce. Note that since D is a destructor, if decryption fails in a process, e.g., due to incorrect nonce or key, the process halts. The other equations enables the adversary to obtain the nonce and the associated data from a ciphertext.
C Definitions of Some Processes
The “main” processes that invokes clients and servers is shown in Fig. 3. It receives some parameters from the adversary through the public channel c. Figure 4 shows the processes that replies to \(\mathsf {encrypt}\), \(\mathsf {decrypt}\), \(\mathsf {reveal}\), and \(\mathsf {corrupt}\) queries and the process tap_m2 that serves as a secret channel that securely transmits \(m_2\) from the server to the client when a \(\mathsf {connprivate}\) query is issued.
In the formalization of secrecy, Oenc2 instead of Oenc is used. We must prohibit the adversary to send a plaintext twice in the \(\mathsf {encrypt}\) query, e.g., and , because otherwise the adversary trivially knows the secret bit by comparing the two ciphertexts. However, this restriction cannot be directly modeled in ProVerif. We therefore use another function symbol Ef instead of E in Oenc2 for producing distinct ciphertext on each query, even if the adversary sends a plaintext more than once. This makes it useless to compare ciphertexts received by Oenc2.
D ProVerif Script
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Sakurada, H., Yoneyama, K., Hanatani, Y., Yoshida, M. (2016). Analyzing and Fixing the QACCE Security of QUIC. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-49100-4_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4
eBook Packages: Computer ScienceComputer Science (R0)