Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, privacy, performance of next-generati...

kazuho
September 08, 2018

Security, privacy, performance of next-generation transport protocols

Discusses the motivation behind QUIC encryption and TLS encrypted SNI.

kazuho

September 08, 2018
Tweet

More Decks by kazuho

Other Decks in Technology

Transcript

  1.  • 1SJODJQBM044%FWFMPQFS!'BTUMZ • MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT

    5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGIUUQCJTDBDIFEJHFTU – ESBGUJFUGUMTFTOJ 8IPBN*
  2.  ZFTUFSEBZ UPEBZ UPNPSSPX OBNFSFTPMVUJPO %/4 %/4PWFS)5514 USBOTQPSU 5$1 26*$

    5-4 TFDVSJUZ 5-4 5-4 BQQMJDBUJPOQSPUPDPM )551 5IFCJHQJDUVSF
  3.  • 5-4 • 4FDVSJUZPGBUSBOTQPSU • 26*$ – IBOETIBLF –

    QBDLFUOVNCFSFODSZQUJPO • &ODSZQUFE4/* "HFOEB
  4.  • "&"%DJQIFST – XJUIPVUFYQMJDJUOPODF • GBTUFSIBOETIBLF UP355 • GPSXBSETFDSFDZ

    • CFUUFSQSJWBDZ – POFPGGTFTTJPOUJDLFUT – DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS 5-4
  5.  AES-CTR "&4($. AES ciphertext 1 plaintext 1 nonce ||

    0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag
  6.  AES-CTR "&"%JO5-4 VTJOH"&4($. AES ciphertext 1 plaintext 1 nonce

    || 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag OPODFSFDPSEOVNCFSBEEEBUBSFDPSEIFBEFS
  7.  5-4IBOETIBLFGMPX ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate

    Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
  8.  %JGGFSFODFTCFUIBOETIBLFGMPXT • 5-4 – FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT  UIFOFYDIBOHFUIFQVCMJDLFZT •

    5-4 – FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST • SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN – TFUVQFODSZQUFEDIBOOFMVTJOHUIF FYDIBOHFELFZT • VTFUIFDIBOOFMUPBVUIFOUJDBUF
  9.  • MFTTSPVOEUSJQT • JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE – JFDFSUJGJDBUFT – DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI •

    CVUUIFTFSWFSOBNF 4/* JTVOQSPUFDUFE – CFDBVTFJUJTQBSUPG$MJFOU)FMMP – XJMMDPWFSUIBUMBUFS 5IFCFOFGJUT
  10.  • 5-4 – QSPWJEFTDPOGJEFOUJBMJUZ JOUFHSJUZ – VTJOHUIFFYDIBOHFELFZT • 5$1

    – SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ – CVUUIFQBDLFUTDBOCFUBNQFSFE 5-4PWFS5$1
  11.  • POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT •

    PGGQBUIBUUBDL – BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT – OPUTPQSBDUJDBMGPS5$1 5ISFFUZQFTPGBUUBDLT
  12.  • POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT – FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS • BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF SPVUFEQBDLFUTJTUIFQSPCMFN

    • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT – BOPEFUIBUUBQTPOUIFOFUXPSL JOKFDUT QBDLFUTBUCFTUFGGPSU .BOPOUIFTJEFBUUBDLJTFBTZ
  13.  • JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB 5$1DPOOFDUJPO • FODSZQUFEUSBOTQPSUT FH %5-4 *1TFD

     QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL – CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF FYDIBOHFELFZT • FH QO cc"&4@($. QO QBZMPBE BOEWFSZQSBDUJDBMGPS5$1
  14.  Packet type and flags (1 octet) Destination Connection ID

    (0,4-18 octets) Encrypted Packet Number (1,2,4 octets) Encrypted Payload AEAD tag (16 octets or more) 26*$QBDLFU additional text • "&"% Ћ UPQSPUFDUFBDIQBDLFU AEAD payload encrypted???
  15.  • FODSZQUFEUSBOTQPSU – VTFT5-4GPSIBOETIBLF • IBOETIBLFJO35 – 5$1 5-4UBLFT35

    • NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO • GJYIFBEPGMJOFCMPDLJOHJO)551 – QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB EJGGFSFOUTUSFBNT • NPCJMJUZ OFUXPSLNJHSBUJPO 'FBUVSFTPG26*$
  16.  stream 0 stream 4 stream 8 stream 16… 0SJHJOBMEFTJHO

    HTTP request 1 TLS 1.3 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer 2 3… 9 10 11… obtain “exporter secret” ↓ derive server traffic key & client traffic key
  17.  *TTVFVTFPGFODSZQUJPO stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key 2 3… 9 10 11… TLS 1.3
  18.  *TTVFXIFOUPBDUJWBUFUSBGGJDLFZT ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate

    Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
  19.  *TTVFXIFOUPBDUJWBUFUSBGGJDLFZT stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3
  20.  *TTVFSFTFUJOKFDUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 reset!
  21.  *TTVF"$,QSPNPUJPOBUUBDL stream 0 stream 4 stream 8 stream 16…

    HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 ACK (8)
  22.  plaintext HS 1RTT SH EE Certificate Fin NST stream

    0 stream 0 TLS messages: TLS records: QUIC frames: HS HS QUC packets: datagram datagram UDP datagrams: stream 0 1RTT -BZFSTJOUIFPSJHJOBMEFTJHO confidentiality injection resistance
  23.  SH EE Certificate Fin NST CRYPTO CRYPTO TLS messages:

    QUIC frames: Initial HS QUC packets: datagram datagram UDP datagrams: CRYPTO 1RTT -BZFSTJOUIFSFGJOFEEFTJHO HS CRYPTO confidentiality injection resistance
  24.  • PSJHJOBMEFTJHO 5-4  – *0PGFODSZQUFEPDUFUT – BDDFTTUPlFYQPSUFSTFDSFUz •

    SFGJOFEEFTJHO – *0PG5-4NFTTBHFT JOQMBJOUFYU – FWFOUTUPJOTUBMMUSBGGJDLFZT • 355 VOJEJSFDUJPOBM )4 CJ 355 CJ – OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1* 3FRVJSFEDIBOHFTUP5-4TUBDL"1*
  25.  • TFQBSBUJPOPGDPODFSO – 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO – 26*$FODSZQUTUIFQBDLFUT • OPNPSFBNCJHVJUZ –

    EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM – UISFFEJTUJODUQBDLFUOVNCFSTQBDF • JF *OJUJBM )BOETIBLF 355 • OPDIBODFPG"$,QSPNPUJPOBUUBDL 3FGJOFEEFTJHOUIFCFOFGJUT
  26.  • EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT

    • BUUBDLWFDUPST – MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL *TTVFTSFTPMWFE BMNPTU
  27.  • QBDLFUOVNCFS 1/ – JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU – JODSFBTFTNPOPUPOJDBMMZ • UIFSFGPSF

    DBOCFVTFEUPUSBDLBDMJFOU – $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU TIPVMEXFEPGPSQBDLFUOVNCFS 1BDLFUOVNCFSBOEQSJWBDZ
  28.  • KVNQ1/XIFOTXJUDIJOH$*% – QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU • TJODF1/ CJU JTSPVOEFEPOXJSFUP 

     CJUT • PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO – XIBUUPEPPOQBUIQSPCJOHFSSPS • EJGGFSFOU1/TQBDFGPSFBDI$*% – NFBOTIBWJOHFODSZQUJPOLFZTBOE"$, RVFVFGPSFBDI$*% $POTJEFSFEBQQSPBDIFT
  29.  #VUIPX type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: ??? ↓ unencrypted encrypted
  30.  /BÏWFBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE+ciph. ciph. AEAD tag 1 0/4-18 16 any – 1/2/4 16 size: + PNE: AES ↓ unencrypted encrypted
  31.  "EPQUFEBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any

    size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: AES_CTR(ciphertext, PN) ↓ unencrypted encrypted
  32.  • TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS EFMJWFSZCZMPPLJOHBU1/ – UPMFTTFOSFUSBOTNJUT – OPEPXOTJEFGPS5$1 – JTTVFGPS26*$

    CFDBVTFXFDBOVTFQBDLFUT BSSJWJOHPVUPGPSEFS • 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT TUBSUVTJOH1/JOQBSUJDVMBSXBZT 1/&UPQSFWFOUNJTVTFPG1/
  33.  • 5$1 5-4 – BEESFTTFTDPOGJEFOUJBMJUZ JOUFHSJUZ • JOBEEJUJPO 26*$

    5-4 – JNQSPWFTBWBJMBCJMJUZ – QSFTFSWFTVTFSQSJWBDZ – QSFWFOUTPTTJGJDBUJPO – PQUJNJ[FTGPSQFSGPSNBODF • TFUVQJO35 35JO5$1 5-4 • VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS 5IFJNQSPWFNFOUT
  34.  • FODSZQUJPOJTUIFUBTLPG26*$ – IBOETIBLFEPOFCZ5-4 • BMNPTUFWFSZUIJOHJTFODSZQUFE – POMZQBDLFUUZQF $*%

    QSPUPDPMWFSTJPOBSF WJTJCMFPOUIFXJSF • XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ – FH lTQJOCJUzFYQFSJNFOU 26*$BOEFODSZQUJPO
  35.  • 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN •

    TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)
  36.  • %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT •

    USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
  37.  • %/4SFTPMVUJPO %P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF

    5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
  38.  TUSVDU\ VJOUDIFDLTVN<> ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOUQBEEFE@MFOHUI VJOUOPU@CFGPSF

    VJOUOPU@BGUFS &YUFOTJPOFYUFOTJPOT? ^&4/*,FZT @FTOJFTOJFYBNQFOFU*/595 E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/ .Y %ZDE%7W#+P),0.I ,[BWE*N03*""*5"2&&"""""'T (E."""""89"H"" &4/*SFDPSE
  39.  • &4/*SFDPSEJTOPUTJHOFE – TPUIBUJUDBOCFTNBMM – BUUBDLFSDBOTQPPGUIFN • CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG FYBNQMFDPN

    – BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPTVNNBSJ[F &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL 4FDVSJUZBTQFDUT
  40.  • OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT • FODSZQUJPOJTBMTPVTFEGPS – QSPWJEJOHBWBJMBCJMJUZ – QSFWFOUJOHPTTJGJDBUJPO •

    GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF • BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$ – FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT – XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF OFUXPSL 0VSTUBUVT