Security Standardisation Research

QUIC is a secure transport protocol developed by Google. Lychev et al. proposed a security model, the QACCE model, to capture the security of QUIC. However, the QACCE model is very complicated, and it is not clear whether it defines the appropriate security requirements for QUIC. In this paper, we present the first formal analysis of QUIC using the automated security verification tool ProVerif. Our symbolic model formalizes both the QACCE model and the QUIC specification. The verification finds three attacks against QUIC in the QACCE model, which means that the security proofs of Lychev et al. are not correct. We discuss why these attacks occur and show that the QACCE model contains unnecessarily strong requirements. Finally, we propose a way to revise the QACCE model so that it captures exactly the appropriate security requirements.
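To make concrete what a symbolic model of this kind looks like, the following ProVerif script is an added illustration; it is not the model from the paper and does not encode the QACCE game. It assumes a stripped-down Google-QUIC-style handshake: a server config carrying a semi-static Diffie-Hellman share g^s signed under the server's long-term key, an initial key g^(xs) protecting the client's first flight, and a final key g^(xy) protecting the server's reply. Key derivation, message framing and the QACCE oracles are left out; all type, function, event and process names are this example's own, and `sencG` exists only because ProVerif function symbols are monomorphic. The queries ask for secrecy of both payloads and for server authentication as a correspondence between events; the last parallel branch leaks the signing key in a later phase so that the secrecy queries also cover compromise of the long-term key after the sessions end.

```proverif
(* Added illustration: a stripped-down Google-QUIC-style handshake in ProVerif.
   Not the model from the paper; names, events and simplifications are ours. *)

type G.         (* Diffie-Hellman group elements *)
type exponent.  (* Diffie-Hellman exponents *)
type skey.      (* long-term signing keys *)
type pkey.

free c: channel.   (* public network, fully under attacker control *)
const g: G.

(* Symbolic Diffie-Hellman: only the commutativity equation is modelled *)
fun exp(G, exponent): G.
equation forall x: exponent, y: exponent; exp(exp(g, x), y) = exp(exp(g, y), x).

(* Signatures with message recovery, over group elements (the only thing signed here) *)
fun pk(skey): pkey.
fun sign(G, skey): bitstring.
reduc forall m: G, k: skey; checksign(sign(m, k), pk(k)) = m.

(* Symmetric encryption keyed directly by a group element (key derivation elided);
   a second copy for group-element plaintexts, since function symbols are monomorphic *)
fun senc(bitstring, G): bitstring.
reduc forall m: bitstring, k: G; sdec(senc(m, k), k) = m.
fun sencG(G, G): bitstring.
reduc forall m: G, k: G; sdecG(sencG(m, k), k) = m.

(* Payloads whose secrecy we ask about: the client's first flight (under the
   initial key) and the server's reply (under the final key) *)
free secret_0rtt: bitstring [private].
free secret_1rtt: bitstring [private].

(* (client ephemeral share, server config share, server ephemeral share) *)
event ServerAccepts(G, G, G).
event ClientAccepts(G, G, G).

query attacker(secret_0rtt).
query attacker(secret_1rtt).
(* Server authentication: whenever a client completes with (gx, gs, gy),
   some server session ran with exactly those values *)
query gx: G, gs: G, gy: G;
  event(ClientAccepts(gx, gs, gy)) ==> event(ServerAccepts(gx, gs, gy)).

let server(sk: skey, s: exponent) =
  (* Server config: semi-static share g^s, signed with the long-term key *)
  let gs = exp(g, s) in
  out(c, (gs, sign(gs, sk)));
  (* Client's first flight: ephemeral share plus data under the initial key g^(xs) *)
  in(c, (gx: G, m0: bitstring));
  let k0 = exp(gx, s) in
  let data0 = sdec(m0, k0) in
  (* Fresh ephemeral y; final key g^(xy); the new share travels under the initial key *)
  new y: exponent;
  let gy = exp(g, y) in
  let k1 = exp(gx, y) in
  event ServerAccepts(gx, gs, gy);
  out(c, (sencG(gy, k0), senc(secret_1rtt, k1))).

let client(pkS: pkey) =
  in(c, (gs: G, sig: bitstring));
  if checksign(sig, pkS) = gs then
  new x: exponent;
  let gx = exp(g, x) in
  let k0 = exp(gs, x) in
  out(c, (gx, senc(secret_0rtt, k0)));
  in(c, (mgy: bitstring, m1: bitstring));
  let gy = sdecG(mgy, k0) in
  let k1 = exp(gy, x) in
  let data1 = sdec(m1, k1) in
  event ClientAccepts(gx, gs, gy).

process
  new sk: skey; new s: exponent;
  out(c, pk(sk));
  ( (!server(sk, s))
  | (!client(pk(sk)))
  (* Once all phase-0 sessions are over, hand the long-term signing key to the
     attacker, so the secrecy queries also cover later key compromise *)
  | (phase 1; out(c, sk)) )
```

Save the script under a name of your choice (say `quic_sketch.pv`, an assumed filename) and run `proverif quic_sketch.pv`; ProVerif reports, for each query, whether it is proved, whether it found an attack trace, or whether it could not conclude. Extending this sketch toward the paper's analysis means adding the QACCE oracles (session key reveal, server config reveal, corruption) as attacker-accessible processes and turning each QACCE winning condition into a query of the same shape as the ones above.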

[1] Andrei Popov et al. Prohibiting RC4 Cipher Suites, 2015, RFC.

[2] Feng Hao et al. Tap-Tap and Pay (TTP): Preventing the Mafia Attack in NFC Payment, 2015, SSR.

[3] Feng Hao et al. TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript, 2015, AsiaCCS.

[4] Romit Roy Choudhury et al. Tapprints: your finger taps have fingerprints, 2012, MobiSys '12.

[5] Ueli Maurer et al. (De-)Constructing TLS, 2014, IACR Cryptol. ePrint Arch.

[6] Ross J. Anderson et al. PIN skimmer: inferring PINs through the camera and microphone, 2013, SPSM '13.

[7] Lixia Zhang et al. Stream Control Transmission Protocol, 2000, RFC.

[8] J. Leasure et al. Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3), 2007.

[9] Erik Tews et al. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks, 2014, USENIX Security Symposium.

[10] Budi Arief et al. Risks of Offline Verify PIN on Contactless Cards, 2013, Financial Cryptography.

[11] Di Ma et al. Secure Proximity Detection for NFC Devices Based on Ambient Sensor Data, 2012, ESORICS.

[12] Jörg Schwenk et al. On the Security of TLS-DH and TLS-RSA in the Standard Model, 2013, IACR Cryptol. ePrint Arch.

[13] Ricardo J. Rodríguez et al. Practical Experiences on NFC Relay Attacks with Android - Virtual Pickpocketing Revisited, 2015, RFIDSec.

[14] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3, 2018, RFC.

[15] Ahmad-Reza Sadeghi et al. Universally Composable Security Analysis of TLS, 2008, ProvSec.

[16] Yan Zhu et al. Tap-Wave-Rub: lightweight malware prevention for smartphones using intuitive human gestures, 2013, WiSec '13.

[17] 可児 潤也. Report on "Little Brothers Watching You:" Raising Awareness of Data Leaks on Smartphones, 2013.

[18] Chuah Chai Wen et al. A Framework for Security Analysis of Key Derivation Functions, 2012, ISPEC.

[19] Bruno Blanchet et al. Automatic verification of correspondences for security protocols, 2008, J. Comput. Secur.

[20] Jun Han et al. ACCessory: password inference using accelerometers on smartphones, 2012, HotMobile '12.

[21] Zheng Yang et al. On the Security of the Pre-shared Key Ciphersuites of TLS, 2014, Public Key Cryptography.

[22] Tibor Jager et al. On the Security of TLS-DHE in the Standard Model, 2012, CRYPTO.

[23] Bryan Ford. Structured streams: a new transport abstraction, 2007, SIGCOMM 2007.

[24] Raphael Spreitzer et al. PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices, 2014, SPSM@CCS.

[25] Tibor Jager et al. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption, 2015, CCS.

[26] Mihir Bellare et al. Entity Authentication and Key Distribution, 1993, CRYPTO.

[27] Marc Fischlin et al. Multi-Stage Key Exchange and the Case of Google's QUIC Protocol, 2014, CCS.

[28] Cristina Nita-Rotaru et al. How Secure and Quick is QUIC? Provable Security and Performance Analyses, 2015, IEEE Symposium on Security and Privacy.

[29] Bodo Möller et al. This POODLE Bites: Exploiting The SSL 3.0 Fallback, 2014.

[30] Eric Rescorla et al. Transport Layer Security (TLS) Renegotiation Indication Extension, 2010, RFC.

[31] John Kelsey et al. Compression and Information Leakage of Plaintext, 2002, FSE.

[32] Dengguo Feng et al. Multiple Handshakes Security of TLS 1.3 Candidates, 2016, IEEE Symposium on Security and Privacy (SP).

[33] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme, 2010, IACR Cryptol. ePrint Arch.

[34] Kenneth G. Paterson et al. On the Security of the TLS Protocol: A Systematic Analysis, 2013, IACR Cryptol. ePrint Arch.

[35] Douglas Stebila et al. On the security of TLS renegotiation, 2013, IACR Cryptol. ePrint Arch.

[36] Feng Hao et al. TouchSignatures: Identification of user touch actions and PINs based on mobile sensor data via JavaScript, 2016, J. Inf. Secur. Appl.

[37] Adi Shamir et al. A Practical Attack on Broadcast RC4, 2001, FSE.

[38] Quirin Scheitle et al. QUIC-Quick UDP Internet Connections, 2017.

[39] Serge Vaudenay et al. Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS, 2002, EUROCRYPT.

[40] Bruce Schneier et al. Analysis of the SSL 3.0 protocol, 1996.

[41] Hugo Krawczyk et al. The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?), 2001, CRYPTO.

[42] Emina Torlak et al. Applications and extensions of Alloy: past, present and future, 2013, Mathematical Structures in Computer Science.

[43] Dan Boneh et al. Symmetric Cryptography in Javascript, 2009, Annual Computer Security Applications Conference.

[44] Úlfar Erlingsson et al. Automated Analysis of Security-Critical JavaScript APIs, 2011, IEEE Symposium on Security and Privacy.

[45] N. Asokan et al. Drone to the Rescue: Relay-Resilient Authentication using Ambient Multi-sensing, 2014, Financial Cryptography.

[46] Hao Chen et al. TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion, 2011, HotSec.

[47] Adam J. Aviv et al. Practicality of accelerometer side channels on smartphones, 2012, ACSAC '12.

[48] Hugo Krawczyk et al. The OPTLS Protocol and TLS 1.3, 2016, IEEE European Symposium on Security and Privacy (EuroS&P).

[49] Frederik Vercauteren et al. A cross-protocol attack on the TLS protocol, 2012, CCS.

[50] Sean Turner et al. Prohibiting Secure Sockets Layer (SSL) Version 2.0, 2011, RFC.

[51] Bogdan Warinschi et al. The TLS Handshake Protocol: A Modular Analysis, 2010, Journal of Cryptology.

[52] Kenneth G. Paterson et al. Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol, 2011, ASIACRYPT.

[53] Vlastimil Klíma et al. Attacking RSA-Based Sessions in SSL/TLS, 2003, CHES.

[54] Vincent Cheval et al. Proving More Observational Equivalences with ProVerif, 2013, POST.