Slide 1
Slide 1 text
4FDVSJUZ
QSJWBDZ
QFSGPSNBODF
PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT
,B[VIP0LV
4FQ
Slide 2
Slide 2 text
4FDVSJUZ
QSJWBDZ
QFSGPSNBODF
PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT
,B[VIP0LV
4FQ
Slide 3
Slide 3 text
• 1SJODJQBM044%FWFMPQFS!'BTUMZ
• MFBEEFWFMPQFSPG
– )0 )551
– QJDPUMT 5-4
– RVJDMZ 26*$
• BVUIPSPG
– 3'$r &BSMZ)JOUTGPS)551
– ESBGUJFUGIUUQCJTDBDIFEJHFTU
– ESBGUJFUGUMTFTOJ
8IPBN*
Slide 4
Slide 4 text
ZFTUFSEBZ UPEBZ UPNPSSPX
OBNFSFTPMVUJPO %/4 %/4PWFS)5514
USBOTQPSU 5$1
26*$
5-4
TFDVSJUZ 5-4 5-4
BQQMJDBUJPOQSPUPDPM )551
5IFCJHQJDUVSF
Slide 5
Slide 5 text
• QFSWBTJWFNPOJUPSJOH
• QFPQMFSFMZJOHNPSFPO QVCMJD
XJGJ
$BOXFUSVTUUIFOFUXPSL
Slide 6
Slide 6 text
• 5-4
• 4FDVSJUZPGBUSBOTQPSU
• 26*$
– IBOETIBLF
– QBDLFUOVNCFSFODSZQUJPO
• &ODSZQUFE4/*
"HFOEB
Slide 7
Slide 7 text
5-4
Slide 8
Slide 8 text
• FTTFOUJBMMZ5-4
• QVCMJTIFEBT3'$JO"VHVTU
5-4
Slide 9
Slide 9 text
• "&"%DJQIFST
– XJUIPVUFYQMJDJUOPODF
• GBTUFSIBOETIBLF UP355
• GPSXBSETFDSFDZ
• CFUUFSQSJWBDZ
– POFPGGTFTTJPOUJDLFUT
– DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS
5-4
Slide 10
Slide 10 text
AES-CTR
"&4($.
AES
ciphertext 1
plaintext 1
nonce || 0
AES
ciphertext 2
nonce || 1
AES
ciphertext 3
nonce || 3
plaintext 2
plaintext 3
GCM
add. data
tag
Slide 11
Slide 11 text
AES-CTR
"&"%JO5-4 VTJOH"&4($.
AES
ciphertext 1
plaintext 1
nonce || 0
AES
ciphertext 2
nonce || 1
AES
ciphertext 3
nonce || 3
plaintext 2
plaintext 3
GCM
add. data
tag
OPODF
SFDPSEOVNCFS
BEEEBUB
SFDPSEIFBEFS
Slide 12
Slide 12 text
ClientHello
ServerHello
ServerCertificate
ServerKeyExchange
(ClientSertificate)
ClientKeyExchange
Finished
Finished
Application Data
5-4IBOETIBLFGMPX
Client Server
plaintext
encrypted
Slide 13
Slide 13 text
5-4IBOETIBLFGMPX
ClientHello (w. pubkey)
ServerHello (w. pubkey)
EncryptedExtensions
ServerCertificate
Finished
App. Data (server only)
(ClientCertificate)
Finished
Application Data
Client Server
plaintext
encrypted
(unauthenticated)
encrypted
(authenticated)
Slide 14
Slide 14 text
%JGGFSFODFTCFUIBOETIBLFGMPXT
• 5-4
– FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT
UIFOFYDIBOHFUIFQVCMJDLFZT
• 5-4
– FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST
• SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN
– TFUVQFODSZQUFEDIBOOFMVTJOHUIF
FYDIBOHFELFZT
• VTFUIFDIBOOFMUPBVUIFOUJDBUF
Slide 15
Slide 15 text
• MFTTSPVOEUSJQT
• JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE
– JFDFSUJGJDBUFT
– DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI
• CVUUIFTFSWFSOBNF 4/*
JTVOQSPUFDUFE
– CFDBVTFJUJTQBSUPG$MJFOU)FMMP
– XJMMDPWFSUIBUMBUFS
5IFCFOFGJUT
Slide 16
Slide 16 text
• NJEEMFCPYFTEJTSVQUJOH5-4IBOETIBLF
– UIJOLTl5IJT5-4IBOETIBLFTVTQJDJPVT*U`TB
GVMMIBOETIBLFCVUEPFTOPUDPOUBJOB
DFSUJGJDBUFz
UFSNJOBUFTUIFDPOOFDUJPO
– SFBMJUZDFSUJGJDBUFJTFODSZQUFE
• TPMVUJPONBLF5-4IBOETIBLFMPPL
MJLF5-4SFTVNQUJPO
5BDLMJOHPTTJGJDBUJPO
Slide 17
Slide 17 text
4FDVSJUZPGBUSBOTQPSU
Slide 18
Slide 18 text
• DPOGJEFOUJBMJUZ
• JOUFHSJUZ
• BWBJMBCJMJUZ
5IFTFDVSJUZUSJBE
Slide 19
Slide 19 text
• 5-4
– QSPWJEFTDPOGJEFOUJBMJUZ
JOUFHSJUZ
– VTJOHUIFFYDIBOHFELFZT
• 5$1
– SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ
– CVUUIFQBDLFUTDBOCFUBNQFSFE
5-4PWFS5$1
Slide 20
Slide 20 text
• NJEEMFCPYJOKFDUT5$1SFTFUT
– TFOEB5$1QBDLFUXJUI345CJUTFU
• CMPDLBDDFTTUPDFSUBJOXFCTJUFT
– CZPCTFSWJOHQMBJOUFYU FH
4/*
• CMPDLDFSUBJOQSPUPDPMT FH11
3FTFUJOKFDUJPOBUUBDL
Slide 21
Slide 21 text
• POQBUIBUUBDL
– BUUBDLFSDBOESPQNPEJGZQBDLFUT
• NBOPOUIFTJEFBUUBDL
– BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT
• PGGQBUIBUUBDL
– BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT
– OPUTPQSBDUJDBMGPS5$1
5ISFFUZQFTPGBUUBDLT
Slide 22
Slide 22 text
• POQBUIBUUBDL
– BUUBDLFSDBOESPQNPEJGZQBDLFUT
– FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS
• BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF
SPVUFEQBDLFUTJTUIFQSPCMFN
• NBOPOUIFTJEFBUUBDL
– BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT
– BOPEFUIBUUBQTPOUIFOFUXPSL
JOKFDUT
QBDLFUTBUCFTUFGGPSU
.BOPOUIFTJEFBUUBDLJTFBTZ
Slide 23
Slide 23 text
• JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB
5$1DPOOFDUJPO
• FODSZQUFEUSBOTQPSUT FH
%5-4
*1TFD
QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL
– CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF
FYDIBOHFELFZT
• FH
QO cc"&4@($. QO
QBZMPBE
BOEWFSZQSBDUJDBMGPS5$1
Slide 24
Slide 24 text
Packet type and flags (1 octet)
Destination Connection ID (0,4-18 octets)
Encrypted Packet Number (1,2,4 octets)
Encrypted Payload
AEAD tag (16 octets or more)
26*$QBDLFU
additional text
• "&"%
Ћ UPQSPUFDUFBDIQBDLFU
AEAD payload
encrypted???
Slide 25
Slide 25 text
26*$
Slide 26
Slide 26 text
• FODSZQUFEUSBOTQPSU
– VTFT5-4GPSIBOETIBLF
• IBOETIBLFJO35
– 5$1
5-4UBLFT35
• NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO
• GJYIFBEPGMJOFCMPDLJOHJO)551
– QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB
EJGGFSFOUTUSFBNT
• NPCJMJUZ OFUXPSLNJHSBUJPO
'FBUVSFTPG26*$
Slide 27
Slide 27 text
26*$IBOETIBLF
Slide 28
Slide 28 text
stream 0
stream 4
stream 8
stream 16…
0SJHJOBMEFTJHO
HTTP request 1
TLS 1.3
HTTP request 2
HTTP request 3
packet 1 packet 8
packet layer 2 3… 9 10 11…
obtain “exporter secret”
↓
derive server traffic key & client traffic key
Slide 29
Slide 29 text
• EPVCMFFODSZQUJPO
• BNCJHVJUJFT
– XIFOUPBDUJWBUFBQQMJDBUJPOUSBGGJDLFZT
– XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE
26*$QBDLFUT
• BUUBDLWFDUPST
– SFTFUJOKFDUJPOBUUBDL
– "$,QSPNPUJPOBUUBDL
0SJHJOBMEFTJHOJTTVFT
Slide 30
Slide 30 text
*TTVFVTFPGFODSZQUJPO
stream 0
stream 4
stream 8
stream 16…
HTTP request 1
HTTP request 2
HTTP request 3
packet 1 packet 8
packet layer
obtain “exporter secret”
↓
derive server traffic key & client traffic key
2 3… 9 10 11…
TLS 1.3
Slide 31
Slide 31 text
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT
ClientHello (w. pubkey)
ServerHello (w. pubkey)
EncryptedExtensions
ServerCertificate
Finished
App. Data (server only)
(ClientCertificate)
Finished
Application Data
Client Server
plaintext
encrypted
(unauthenticated)
encrypted
(authenticated)
Slide 32
Slide 32 text
*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT
stream 0
stream 4
stream 8
stream 16…
HTTP request 1
HTTP request 2
HTTP request 3
packet 1 packet 8
packet layer
obtain “exporter secret”
↓
derive server traffic key & client traffic key
activate them at different moments
2 3… 9 10 11…
TLS 1.3
Slide 33
Slide 33 text
*TTVFSFTFUJOKFDUJPOBUUBDL
stream 0
stream 4
stream 8
stream 16…
HTTP request 1
HTTP request 2
HTTP request 3
packet 1 packet 8
packet layer
obtain “exporter secret”
↓
derive server traffic key & client traffic key
activate them at different moments
2 3… 9 10 11…
TLS 1.3
reset!
Slide 34
Slide 34 text
*TTVF"$,QSPNPUJPOBUUBDL
stream 0
stream 4
stream 8
stream 16…
HTTP request 1
HTTP request 2
HTTP request 3
packet 1 packet 8
packet layer
obtain “exporter secret”
↓
derive server traffic key & client traffic key
activate them at different moments
2 3… 9 10 11…
TLS 1.3
ACK (8)
Slide 35
Slide 35 text
• DIBOHF5-4
4PMVUJPO
Slide 36
Slide 36 text
• DIBOHFUIFTVCQSPUPDPMPG 5-4
4PMVUJPO
Slide 37
Slide 37 text
#BDLHSPVOEMBZFSTPG5-4
segment segment
TLS messages:
TLS records:
TCP segments:
plaintext HS 1RTT
SH EE Certificate Fin NST
Slide 38
Slide 38 text
plaintext HS 1RTT
SH EE Certificate Fin NST
stream 0 stream 0
TLS messages:
TLS records:
QUIC frames:
HS HS
QUC packets:
datagram datagram
UDP datagrams:
stream 0
1RTT
-BZFSTJOUIFPSJHJOBMEFTJHO
confidentiality
injection
resistance
Slide 39
Slide 39 text
SH EE Certificate Fin NST
CRYPTO CRYPTO
TLS messages:
QUIC frames:
Initial HS
QUC packets:
datagram datagram
UDP datagrams:
CRYPTO
1RTT
-BZFSTJOUIFSFGJOFEEFTJHO
HS
CRYPTO
confidentiality
injection resistance
Slide 40
Slide 40 text
• PSJHJOBMEFTJHO 5-4
– *0PGFODSZQUFEPDUFUT
– BDDFTTUPlFYQPSUFSTFDSFUz
• SFGJOFEEFTJHO
– *0PG5-4NFTTBHFT JOQMBJOUFYU
– FWFOUTUPJOTUBMMUSBGGJDLFZT
• 355 VOJEJSFDUJPOBM
)4 CJ
355 CJ
– OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1*
3FRVJSFEDIBOHFTUP5-4TUBDL"1*
Slide 41
Slide 41 text
• TFQBSBUJPOPGDPODFSO
– 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO
– 26*$FODSZQUTUIFQBDLFUT
• OPNPSFBNCJHVJUZ
– EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM
– UISFFEJTUJODUQBDLFUOVNCFSTQBDF
• JF
*OJUJBM
)BOETIBLF
355
• OPDIBODFPG"$,QSPNPUJPOBUUBDL
3FGJOFEEFTJHOUIFCFOFGJUT
Slide 42
Slide 42 text
• EPVCMFFODSZQUJPO
• BNCJHVJUJFT
– XIFOUPBDUJWBUFUSBGGJDLFZT
– XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE
26*$QBDLFUT
• BUUBDLWFDUPST
– MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL
– "$,QSPNPUJPOBUUBDL
*TTVFTSFTPMWFE BMNPTU
Slide 43
Slide 43 text
26*$QBDLFUOVNCFSFODSZQUJPO
Slide 44
Slide 44 text
• QBDLFUOVNCFS 1/
– JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU
– JODSFBTFTNPOPUPOJDBMMZ
• UIFSFGPSF
DBOCFVTFEUPUSBDLBDMJFOU
– $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU
NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU
TIPVMEXFEPGPSQBDLFUOVNCFS
1BDLFUOVNCFSBOEQSJWBDZ
Slide 45
Slide 45 text
• KVNQ1/XIFOTXJUDIJOH$*%
– QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU
• TJODF1/ CJU
JTSPVOEFEPOXJSFUP
CJUT
• PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO
– XIBUUPEPPOQBUIQSPCJOHFSSPS
• EJGGFSFOU1/TQBDFGPSFBDI$*%
– NFBOTIBWJOHFODSZQUJPOLFZTBOE"$,
RVFVFGPSFBDI$*%
$POTJEFSFEBQQSPBDIFT
Slide 46
Slide 46 text
• FODSZQUJOH1/JTTJNQMFSUIBO
– JOTFSUJOHKVNQT
IBWJOHNBOZLFZTTQBDFT
4PMVUJPOQBDLFUOVNCFSFODSZQUJPO
Slide 47
Slide 47 text
#VUIPX
type CID PN payload
1 0/4-18 1/2/4 any
size:
unencrypted:
type CID PN ciphertext AEAD tag
1 0/4-18 1/2/4 any 16
size:
encrypted:
AES_GCM(PN, payload)
↓
1 0/4-18 1/2/4 any
size:
type CID PNE ciphertext AEAD tag
1 0/4-18 1/2/4 any 16
size:
+ PNE:
???
↓
unencrypted encrypted
Slide 48
Slide 48 text
/BÏWFBQQSPBDI
type CID PN payload
1 0/4-18 1/2/4 any
size:
unencrypted:
type CID PN ciphertext AEAD tag
1 0/4-18 1/2/4 any 16
size:
encrypted:
AES_GCM(PN, payload)
↓
1 0/4-18 1/2/4 any
size:
type CID PNE+ciph. ciph. AEAD tag
1 0/4-18 16 any – 1/2/4 16
size:
+ PNE:
AES
↓
unencrypted encrypted
Slide 49
Slide 49 text
"EPQUFEBQQSPBDI
type CID PN payload
1 0/4-18 1/2/4 any
size:
unencrypted:
type CID PN ciphertext AEAD tag
1 0/4-18 1/2/4 any 16
size:
encrypted:
AES_GCM(PN, payload)
↓
1 0/4-18 1/2/4 any
size:
type CID PNE ciphertext AEAD tag
1 0/4-18 1/2/4 any 16
size:
+ PNE:
AES_CTR(ciphertext, PN)
↓
unencrypted encrypted
Slide 50
Slide 50 text
• TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS
EFMJWFSZCZMPPLJOHBU1/
– UPMFTTFOSFUSBOTNJUT
– OPEPXOTJEFGPS5$1
– JTTVFGPS26*$
CFDBVTFXFDBOVTFQBDLFUT
BSSJWJOHPVUPGPSEFS
• 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT
TUBSUVTJOH1/JOQBSUJDVMBSXBZT
1/&UPQSFWFOUNJTVTFPG1/
Slide 51
Slide 51 text
• 5$1
5-4
– BEESFTTFTDPOGJEFOUJBMJUZ
JOUFHSJUZ
• JOBEEJUJPO
26*$
5-4
– JNQSPWFTBWBJMBCJMJUZ
– QSFTFSWFTVTFSQSJWBDZ
– QSFWFOUTPTTJGJDBUJPO
– PQUJNJ[FTGPSQFSGPSNBODF
• TFUVQJO35 35JO5$1
5-4
• VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS
5IFJNQSPWFNFOUT
Slide 52
Slide 52 text
• FODSZQUJPOJTUIFUBTLPG26*$
– IBOETIBLFEPOFCZ5-4
• BMNPTUFWFSZUIJOHJTFODSZQUFE
– POMZQBDLFUUZQF
$*%
QSPUPDPMWFSTJPOBSF
WJTJCMFPOUIFXJSF
• XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ
– FH
lTQJOCJUzFYQFSJNFOU
26*$BOEFODSZQUJPO
Slide 53
Slide 53 text
&ODSZQUFE4/*
Slide 54
Slide 54 text
• 4FSWFS/BNF*OEJDBUJPO
– QBSUPG$MJFOU)FMMP
– VTFECZUIFTFSWFSUPTFMFDU
• LFZBMHPSJUIN
• TFSWFSDFSUJGJDBUF
8IBUJT4/*
ClientHello (w. pubkey)
ServerHello (w. pubkey)
EncryptedExtensions
ServerCertificate
Finished
App. Data (server only)
(ClientCertificate)
Finished
Application Data
Client Server
plaintext
encrypted
(unauthenticated)
encrypted
(authenticated)
Slide 55
Slide 55 text
• %/4SFTPMVUJPO
• 4/*
• TFSWFSDFSUJGJDBUF
• TFSWFS*1BEESFTT
• USBGGJDBOBMZTJT
4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
Slide 56
Slide 56 text
• %/4SFTPMVUJPO %P)
• 4/* ˡ UIJT
• TFSWFSDFSUJGJDBUF 5-4
• TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ
• USBGGJDBOBMZTJT
4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF
Slide 57
Slide 57 text
• ESBGUSFTDPSMBUMTFTOJ
– UPCFDPNFESBGUJFUGUMTFTOJ
• LFZJEFB
– VTFQVCMJDLFZDSZQUPUPFODSZQU4/*
– VTF%/4UPEJTUSJCVUFUIFQVCMJDLFZ
4PMVUJPOFODSZQUFE4/*
Slide 58
Slide 58 text
)PXJUXPSLT
example.com?
_esni.example.com?
example.com=192.0.2.1
_esni.example.com=pubkey
ClientHello {ESNI=encrypt("example.com")}
DoH recursor
HTTPS server
DNS authoritative
server
Slide 59
Slide 59 text
TUSVDU\
VJOUDIFDLTVN<>
,FZ4IBSF&OUSZ LFZT
?
QVCMJDLFZT
$JQIFS4VJUF DJQIFS@TVJUFT
?
VJOUQBEEFE@MFOHUI
VJOUOPU@CFGPSF
VJOUOPU@BGUFS
&YUFOTJPOFYUFOTJPOT
?
^&4/*,FZT
@FTOJFTOJFYBNQFOFU*/595
E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/
.Y
%ZDE%7W#+P),0.I
,[BWE*N03*""*5"2&&"""""'T
(E."""""89"H""
&4/*SFDPSE
Slide 60
Slide 60 text
• &4/*SFDPSEJTOPUTJHOFE
– TPUIBUJUDBOCFTNBMM
– BUUBDLFSDBOTQPPGUIFN
• CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG
FYBNQMFDPN
– BDDFTTUPUIFBEESFTTSFWFBMTUIF4/*
• UPTVNNBSJ[F
&4/*
– JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ
– EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS
BUUBDL
4FDVSJUZBTQFDUT
Slide 61
Slide 61 text
• 355BQQMJDBUJPOEBUBJOGVMM
IBOETIBLF
– OFFEUPEJTUSJCVUFTJHOFEQVCLFZ BOE
DFSUJGJDBUFDIBJOVTJOH%/4
• QSPUFDUJOHJOJUJBMFYDIBOHFGSPN
JOKFDUJPOBUUBDL
6TJOH&4/*QVCMJDLFZGPSPUIFSQVSQPTFT
Slide 62
Slide 62 text
3FDBQJUVMBUJPO
Slide 63
Slide 63 text
• OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT
• FODSZQUJPOJTBMTPVTFEGPS
– QSPWJEJOHBWBJMBCJMJUZ
– QSFWFOUJOHPTTJGJDBUJPO
• GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF
• BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$
– FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT
– XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF
OFUXPSL
0VSTUBUVT