The IETF QUIC protocol is a modern UDP-based, stream-multiplexing, encrypted transport protocol. Inspired by prior art, QUIC’s packet and header encryption removes cleartext information from the network while simultaneously mitigating ossification of version-specific protocol behavior. As one example, QUIC’s standard packet header is almost fully encrypted and authenticated. To aid network operator debugging, a single (optional) bit in the header is reserved for use as a means of coarsely measuring end-to-end RTT.
The delta between TLS 1.3 (over TCP) and QUIC as secure transport protocols is non-negligible. In particular, there are several facets of the design that warrant further analysis, including, though not limited to the following:
- Cryptographic handshake integration. Designed with TLS 1.3 [RFC8446] as the authenticated key exchange protocol (AKE), QUIC uses state-of-the-art cryptography for establishing and using shared session secrets for packet encryption. Consequently, QUIC also benefits from extensive security analysis efforts that helped standardize TLS 1.3. However, QUIC’s modular design and the integration of TLS 1.3 in particular, has not yet received formal analysis.
- Packet protection. Analysis of TLS assumed ordered delivery, whereas QUIC does not enjoy that benefit. The effect of packet loss on QUIC’s record layer security is important and not well understood. Moreover, QUIC’s record layer provides features that TLS does not, such as header protection. Capturing the semantics of this new packet protection algorithm and proving them correct is critical.
- Denial of Service (DoS) features. QUIC has a number of features designed to reduce the effects of DoS, both on individual connections, such as duplicate packet detection and complete packet protection, server resources, such as Retry, and the resources of bystanders, such as anti-reflection. It has yet to be shown whether or not these techniques achieve their desired goals.
- Privacy. Many of QUIC’s features account for and attempt mitigation of packet linkability across network paths and between different connections. For example, voluntary connection migration requires endpoints to use new connection identifiers if possible as a way of preventing cross-path linkability. Also, as a means of improving endpoint privacy postures, among others, QUIC does not mandate endpoints provide any way for networks to measure per-connection Round Trip Time (RTT). The optional spin bit is the only signal made willingly available to the network. Currently, there is no strong analysis supporting the concrete privacy benefits these features provide to QUIC endpoints.
Other remaining issues include stateless reset, accepting signals from the network for PMTUD and ECN, among others.
In its current state, the QUIC draft specifications have yet to receive comprehensive security or privacy analysis. Similar to TLS 1.3, there is a limited amount of time for this analysis before the protocol is standardized. And this analysis is a critical step towards ensuring safety, correctness, security, and privacy aspects of this emerging protocol.
QUIC Security and Privacy (QUIPS) was a workshop held at NDSS 2020 with the goal of creating a medium through which QUIC security and privacy analysis efforts can be brought to the attention of the IETF and developer communities, in order to build confidence in and improve QUIC before its widespread deployment. QUIPS solicited papers and talks on all aspects of the security of the QUIC protocol or implementations thereof. The goal was to present and discuss those submissions at the workshop in the presence of the designers and early implementers of QUIC and other attendees, so that the soundness of QUIC can be ascertained and any weaknesses that are identified can be mitigated or documented in a timely fashion.
QUIPS consisted of two main sessions, followed by a Q&A panel comprised of session attendees. The morning session featured peer-reviewed papers submitted to the workshop. The afternoon session featured invited talks and previously published works relevant to QUIPS topics.
This document summarizes the workshop presentations and panel session. In doing so, it highlights problems identified for the continued development of QUIC.