Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3

The common approach in secure channel protocols is to rely on ciphertexts arriving in order and to close the connection upon any rogue ciphertext. Cryptographic security models for channels generally reflect this design. This is reasonable when running atop lower-level transport protocols like TCP that ensure in-order delivery, as is the case for TLS or SSH. However, channels such as QUIC or DTLS, which run over an unreliable transport protocol like UDP, do not, and in fact cannot, close the connection if packets are lost or arrive in a different order. Those protocols instead have to carefully catch effects arising naturally in unreliable networks, usually by using a sliding-window technique where ciphertexts can be decrypted correctly as long as they are not misplaced too far. To accommodate such handling of unreliable network messages, we introduce a generalized notion of robustness of cryptographic channels. This property can capture unreliable network behavior and guarantees that adversarial tampering cannot hinder ciphertexts that can be decrypted correctly from being accepted. We show that robustness is orthogonal to the common notion of integrity for channels, but together with integrity and chosen-plaintext security it provides a robust analogue of chosen-ciphertext security of channels. We then discuss two particularly interesting targets, namely the packet encryption in the record layer protocols of QUIC and of DTLS 1.3. We show that both protocols achieve the intended level of robust chosen-ciphertext security based on certain properties of their sliding-window techniques and on the underlying AEAD schemes. Notably, the robustness needed in handling unreliable network messages requires both record layer protocols to tolerate repeated adversarial forgery attempts, which means we can only establish non-tight security bounds (in terms of AEAD integrity). Our bounds have led the responsible IETF working groups to introduce concrete forgery limits for both protocol drafts.
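As an added illustration (not code from the paper, and not taken from any QUIC or DTLS implementation), the following Python sketch shows the two receive-side mechanisms the abstract refers to: a sliding-window check that accepts reordered records as long as they are not displaced too far, and a forgery counter that closes the connection once the AEAD integrity limit is reached. The AEAD is a stand-in built from HMAC-SHA-256 and a SHA-256 keystream so that the example runs with the standard library only; the real record layers use AES-GCM, AES-CCM or ChaCha20-Poly1305, reconstruct truncated packet or sequence numbers on the wire, and take their concrete limits from RFC 9001 (QUIC) and RFC 9147 (DTLS 1.3). The window size, the default forgery limit, the sample key and the sample records below are all illustrative assumptions.

```python
"""Added example: sliding-window replay check plus an AEAD forgery limit for a
datagram record layer (illustrative code, not QUIC's or DTLS 1.3's own)."""
import hashlib
import hmac

TAG_LEN = 16


def _subkeys(key: bytes):
    # Stand-in key split (assumption): separate keys for keystream and MAC.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in stream cipher (not a real AEAD).
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def aead_seal(key: bytes, seq: int, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for AES-GCM/ChaCha20-Poly1305; nonce = seq."""
    enc_key, mac_key = _subkeys(key)
    nonce = seq.to_bytes(12, "big")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct,
                   hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def aead_open(key: bytes, seq: int, aad: bytes, ciphertext: bytes):
    """Returns the plaintext, or None if the tag (or the seq/aad binding) fails."""
    if len(ciphertext) < TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce = seq.to_bytes(12, "big")
    ct, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct,
                      hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RecordReceiver:
    """Receive side of a datagram record layer.

    The window is a bitmap over the last `window` sequence numbers, bit 0 being
    `highest`. Records left of the window are dropped, duplicates inside it are
    dropped, everything else is authenticated. Only an *authenticated* record
    moves the window, so a forgery can never block a later genuine record.
    """

    def __init__(self, key: bytes, window: int = 64, forgery_limit: int = 2 ** 36):
        self.key = key
        self.window = window
        self.forgery_limit = forgery_limit   # illustrative default; see the RFCs
        self.highest = -1
        self.bitmap = 0
        self.forgeries = 0
        self.closed = False

    def receive(self, seq: int, aad: bytes, ciphertext: bytes):
        """Returns (status, plaintext); status is one of
        accepted / replay / too_old / forgery / closed."""
        if self.closed:
            return "closed", None
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= self.window:
                return "too_old", None          # left of the window: drop without decrypting
            if (self.bitmap >> offset) & 1:
                return "replay", None           # already accepted once
        plaintext = aead_open(self.key, seq, aad, ciphertext)
        if plaintext is None:
            # Failed AEAD check: count it and stay open until the integrity
            # limit is hit; the limit is what bounds the number of forgery tries.
            self.forgeries += 1
            if self.forgeries >= self.forgery_limit:
                self.closed = True
                return "closed", None
            return "forgery", None
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.window else \
                ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accepted", plaintext
```

The ordering of the checks is the security-relevant part: the window test runs before decryption so replays and stale records cost no AEAD work, and the window state is written only after a successful AEAD check, so a forger who guesses a sequence number inside the window cannot mark that slot or advance the right edge. The forgery counter is what the abstract's non-tight bound is about; in a real deployment it must persist across the whole key epoch and trigger a key update or a close, not merely drop the packet.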
