Forward-Secure 0-RTT Goes Live: Implementation and Performance Analysis in QUIC

Dallmeier, Fynn; Drees, J.; Gellert, Kai; Handirk, Tobias; Jager, Tibor; Klauke, Jonas; Nachtigall, Simon; Renzelmann, Timo; Wolf, Rudi

doi:10.1007/978-3-030-65411-5_11

“…However, based on § 9.2 of RFC 9001, 0-RTT provides no protection against replay attacks. The work in [72] did propose a forward secrecy scheme for 0-RTT, but as recently demonstrated by [73], the protocol's speed is reduced when enabling forward secrecy on 0-RTT. That is, as expected, applying forward secrecy produces additional overhead, which as a result renders QUIC less antagonistic vis-à-vis TCP implementations.…”

Section: Challenges and Future Directionsmentioning

confidence: 99%

Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study

Chatzoglou

¹

,

Kouliaridis

²

,

Καρόπουλος

³

et al. 2022

Preprint

View full text Add to dashboard Cite

Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC’s features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.

show abstract

“…9.2 of RFC 9001, 0-RTT provides no protection against replay attacks. The work in [72] did propose a forward secrecy scheme for 0-RTT, but as recently demonstrated by [73], the protocol's speed is reduced when enabling forward secrecy on 0-RTT. That is, as expected, applying forward secrecy produces additional overhead, which as a result renders QUIC less antagonistic vis-à-vis TCP implementations.…”

Section: Challenges and Future Directionsmentioning

confidence: 99%

Revisiting QUIC attacks: a comprehensive review on QUIC security and a hands-on study

Chatzoglou

¹

,

Kouliaridis

²

,

Καρόπουλος

³

et al. 2022

Int. J. Inf. Secur.

10

0

View full text Add to dashboard Cite

Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC’s features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.

show abstract