QUIC(Quick UDP Internet Connection) is a secure transportation layer protocol developed by Google team and implemented in Chrome to achieve both low latency and high reliability. It has been officially renamed to "HTTP/3". With the wide application of this protocol, ensuring its security becomes extremely important, but the work in this field has been found insufficient. This paper aims to find out new security issues of the QUIC protocol based on an analysis of its security. Firstly, based on the characteristics of the QUIC protocol, we discuss the security of it from the attacker's point of view and present a new attack (0-RTT attack) formally for the first time [1], which can lead to a denial-of-service. Secondly, we introduce the principle and implementation conditions of 0-RTT attack, also build a mathematical model based on finite-state machine to describe the transition process of each state in the QUIC protocol. Finally, we discussed the scope of effective attacks and provided some feasible suggestions on how to prevent such attacks.
[1]
Cristina Nita-Rotaru,et al.
Taking a long look at QUIC: an approach for rigorous evaluation of rapidly evolving transport protocols
,
2017,
Internet Measurement Conference.
[2]
Martin Thomson,et al.
QUIC: A UDP-Based Multiplexed and Secure Transport
,
2020,
RFC.
[3]
Cristina Nita-Rotaru,et al.
How Secure and Quick is QUIC? Provable Security and Performance Analyses
,
2015,
2015 IEEE Symposium on Security and Privacy.
[4]
Sandrine Vaton,et al.
Which secure transport protocol for a reliable HTTP/2-based web service: TLS or QUIC?
,
2017,
2017 IEEE Symposium on Computers and Communications (ISCC).
[5]
Jill M. Boyce,et al.
An improved UDP protocol for video transmission over Internet-to-wireless networks
,
2001,
IEEE Trans. Multim..
[6]
Fan Yang,et al.
The QUIC Transport Protocol: Design and Internet-Scale Deployment
,
2017,
SIGCOMM.
[7]
Bryan Ford,et al.
Structured streams: a new transport abstraction
,
2007,
SIGCOMM '07.