Security, privacy, performance of next-generation transport protocols

by kazuho

Slide 1

Slide 1 text

4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ

Slide 2

Slide 2 text

4FDVSJUZ QSJWBDZ QFSGPSNBODF PGOFYUHFOFSBUJPOUSBOTQPSUQSPUPDPMT ,B[VIP0LV 4FQ

Slide 3

Slide 3 text

• 1SJODJQBM044%FWFMPQFS!'BTUMZ • MFBEEFWFMPQFSPG – )0 )551 – QJDPUMT 5-4 – RVJDMZ 26*$ • BVUIPSPG – 3'$r &BSMZ)JOUTGPS)551 – ESBGUJFUGIUUQCJTDBDIFEJHFTU – ESBGUJFUGUMTFTOJ 8IPBN*

Slide 4

Slide 4 text

ZFTUFSEBZ UPEBZ UPNPSSPX OBNFSFTPMVUJPO %/4 %/4PWFS)5514 USBOTQPSU 5$1 26*$5-4 TFDVSJUZ 5-4 5-4 BQQMJDBUJPOQSPUPDPM )551 5IFCJHQJDUVSF

Slide 5

Slide 5 text

• QFSWBTJWFNPOJUPSJOH • QFPQMFSFMZJOHNPSFPO QVCMJD XJGJ $BOXFUSVTUUIFOFUXPSL

Slide 6

Slide 6 text

• 5-4 • 4FDVSJUZPGBUSBOTQPSU • 26*$ – IBOETIBLF – QBDLFUOVNCFSFODSZQUJPO • &ODSZQUFE4/* "HFOEB

Slide 7

Slide 7 text

5-4

Slide 8

Slide 8 text

• FTTFOUJBMMZ5-4 • QVCMJTIFEBT3'$JO"VHVTU 5-4

Slide 9

Slide 9 text

• "&"%DJQIFST – XJUIPVUFYQMJDJUOPODF • GBTUFSIBOETIBLF UP355 • GPSXBSETFDSFDZ • CFUUFSQSJWBDZ – POFPGGTFTTJPOUJDLFUT – DFSUJGJDBUFTOPNPSFUSBOTNJUUFEJODMFBS 5-4

Slide 10

Slide 10 text

AES-CTR "&4($. AES ciphertext 1 plaintext 1 nonce || 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag

Slide 11

Slide 11 text

AES-CTR "&"%JO5-4 VTJOH"&4($. AES ciphertext 1 plaintext 1 nonce || 0 AES ciphertext 2 nonce || 1 AES ciphertext 3 nonce || 3 plaintext 2 plaintext 3 GCM add. data tag OPODFSFDPSEOVNCFSBEEEBUBSFDPSEIFBEFS

Slide 12

Slide 12 text

ClientHello ServerHello ServerCertificate ServerKeyExchange (ClientSertificate) ClientKeyExchange Finished Finished Application Data 5-4IBOETIBLFGMPX Client Server plaintext encrypted

Slide 13

Slide 13 text

5-4IBOETIBLFGMPX ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

Slide 14

Slide 14 text

%JGGFSFODFTCFUIBOETIBLFGMPXT • 5-4 – FYDIBOHFQBSBNFUFST JODMDFSUJGJDBUFT UIFOFYDIBOHFUIFQVCMJDLFZT • 5-4 – FYDIBOHFQVCMJDLFZTBTXFMMBTQBSBNFUFST • SFUSZUPVTFBOPUIFSQVCMJDLFZBMHPSJUIN – TFUVQFODSZQUFEDIBOOFMVTJOHUIF FYDIBOHFELFZT • VTFUIFDIBOOFMUPBVUIFOUJDBUF

Slide 15

Slide 15 text

• MFTTSPVOEUSJQT • JEFOUJUZPGUIFFOEQPJOUTBSFQSPUFDUFE – JFDFSUJGJDBUFT – DGUSBDLJOHEFWJDFTVTJOHDMJFOUDFSUBVUI • CVUUIFTFSWFSOBNF 4/* JTVOQSPUFDUFE – CFDBVTFJUJTQBSUPG$MJFOU)FMMP – XJMMDPWFSUIBUMBUFS 5IFCFOFGJUT

Slide 16

Slide 16 text

• NJEEMFCPYFTEJTSVQUJOH5-4IBOETIBLF – UIJOLTl5IJT5-4IBOETIBLFTVTQJDJPVT*U`TB GVMMIBOETIBLFCVUEPFTOPUDPOUBJOB DFSUJGJDBUFz UFSNJOBUFTUIFDPOOFDUJPO – SFBMJUZDFSUJGJDBUFJTFODSZQUFE • TPMVUJPONBLF5-4IBOETIBLFMPPL MJLF5-4SFTVNQUJPO 5BDLMJOHPTTJGJDBUJPO

Slide 17

Slide 17 text

4FDVSJUZPGBUSBOTQPSU

Slide 18

Slide 18 text

• DPOGJEFOUJBMJUZ • JOUFHSJUZ • BWBJMBCJMJUZ 5IFTFDVSJUZUSJBE

Slide 19

Slide 19 text

• 5-4 – QSPWJEFTDPOGJEFOUJBMJUZ JOUFHSJUZ – VTJOHUIFFYDIBOHFELFZT • 5$1 – SFTQPOTJCMFGPSQSPWJEJOHBWBJMBCJMJUZ – CVUUIFQBDLFUTDBOCFUBNQFSFE 5-4PWFS5$1

Slide 20

Slide 20 text

• NJEEMFCPYJOKFDUT5$1SFTFUT – TFOEB5$1QBDLFUXJUI345CJUTFU • CMPDLBDDFTTUPDFSUBJOXFCTJUFT – CZPCTFSWJOHQMBJOUFYU FH 4/* • CMPDLDFSUBJOQSPUPDPMT FH11 3FTFUJOKFDUJPOBUUBDL

Slide 21

Slide 21 text

• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT • PGGQBUIBUUBDL – BUUBDLFSEPFTOPUIBWFBDDFTTUPQBDLFUT – OPUTPQSBDUJDBMGPS5$1 5ISFFUZQFTPGBUUBDLT

Slide 22

Slide 22 text

• POQBUIBUUBDL – BUUBDLFSDBOESPQNPEJGZQBDLFUT – FTTFOUJBMMZBTQFDJBMQVSQPTFSPVUFS • BEEJUJPOBMDPTUUPPCTFSWFUIFQBZMPBEPGUIF SPVUFEQBDLFUTJTUIFQSPCMFN • NBOPOUIFTJEFBUUBDL – BUUBDLFSDBOPCTFSWFJOKFDUQBDLFUT – BOPEFUIBUUBQTPOUIFOFUXPSL JOKFDUT QBDLFUTBUCFTUFGGPSU .BOPOUIFTJEFBUUBDLJTFBTZ

Slide 23

Slide 23 text

• JOKFDUJOHPOF 345QBDLFUUFSNJOBUFTB 5$1DPOOFDUJPO • FODSZQUFEUSBOTQPSUT FH %5-4 *1TFD QSPWJEFSFTJTUBODFUPJOKFDUJPOBUUBDL – CZFODSZQUJOHFWFSZQBDLFUVTJOHUIF FYDIBOHFELFZT • FH QO cc"&4@($. QO QBZMPBE BOEWFSZQSBDUJDBMGPS5$1

Slide 24

Slide 24 text

Packet type and flags (1 octet) Destination Connection ID (0,4-18 octets) Encrypted Packet Number (1,2,4 octets) Encrypted Payload AEAD tag (16 octets or more) 26*$QBDLFU additional text • "&"%Ћ UPQSPUFDUFBDIQBDLFU AEAD payload encrypted???

Slide 25

Slide 25 text

26*$

Slide 26

Slide 26 text

• FODSZQUFEUSBOTQPSU – VTFT5-4GPSIBOETIBLF • IBOETIBLFJO35 – 5$15-4UBLFT35 • NVMUJQMFYJOHTUSFBNTJOUPPOFDPOOFDUJPO • GJYIFBEPGMJOFCMPDLJOHJO)551 – QSPDFTTPVUPGPSEFSQBDLFUTCFMPOHJOHUPB EJGGFSFOUTUSFBNT • NPCJMJUZ OFUXPSLNJHSBUJPO 'FBUVSFTPG26*$

Slide 27

Slide 27 text

26*$IBOETIBLF

Slide 28

Slide 28 text

stream 0 stream 4 stream 8 stream 16… 0SJHJOBMEFTJHO HTTP request 1 TLS 1.3 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer 2 3… 9 10 11… obtain “exporter secret” ↓ derive server traffic key & client traffic key

Slide 29

Slide 29 text

• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFBQQMJDBUJPOUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT • BUUBDLWFDUPST – SFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL 0SJHJOBMEFTJHOJTTVFT

Slide 30

Slide 30 text

*TTVFVTFPGFODSZQUJPO stream 0 stream 4 stream 8 stream 16… HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key 2 3… 9 10 11… TLS 1.3

Slide 31

Slide 31 text

*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

Slide 32

Slide 32 text

*TTVFXIFOUPBDUJWBUFUSBGGJDLFZT stream 0 stream 4 stream 8 stream 16… HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3

Slide 33

Slide 33 text

*TTVFSFTFUJOKFDUJPOBUUBDL stream 0 stream 4 stream 8 stream 16… HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 reset!

Slide 34

Slide 34 text

*TTVF"$,QSPNPUJPOBUUBDL stream 0 stream 4 stream 8 stream 16… HTTP request 1 HTTP request 2 HTTP request 3 packet 1 packet 8 packet layer obtain “exporter secret” ↓ derive server traffic key & client traffic key activate them at different moments 2 3… 9 10 11… TLS 1.3 ACK (8)

Slide 35

Slide 35 text

• DIBOHF5-4 4PMVUJPO

Slide 36

Slide 36 text

• DIBOHFUIFTVCQSPUPDPMPG 5-4 4PMVUJPO

Slide 37

Slide 37 text

#BDLHSPVOEMBZFSTPG5-4 segment segment TLS messages: TLS records: TCP segments: plaintext HS 1RTT SH EE Certificate Fin NST

Slide 38

Slide 38 text

plaintext HS 1RTT SH EE Certificate Fin NST stream 0 stream 0 TLS messages: TLS records: QUIC frames: HS HS QUC packets: datagram datagram UDP datagrams: stream 0 1RTT -BZFSTJOUIFPSJHJOBMEFTJHO confidentiality injection resistance

Slide 39

Slide 39 text

SH EE Certificate Fin NST CRYPTO CRYPTO TLS messages: QUIC frames: Initial HS QUC packets: datagram datagram UDP datagrams: CRYPTO 1RTT -BZFSTJOUIFSFGJOFEEFTJHO HS CRYPTO confidentiality injection resistance

Slide 40

Slide 40 text

• PSJHJOBMEFTJHO 5-4 – *0PGFODSZQUFEPDUFUT – BDDFTTUPlFYQPSUFSTFDSFUz • SFGJOFEEFTJHO – *0PG5-4NFTTBHFT JOQMBJOUFYU – FWFOUTUPJOTUBMMUSBGGJDLFZT • 355 VOJEJSFDUJPOBM )4 CJ 355 CJ – OPUF%5-4SFRVJSFTTVDIBOJOUFSOBM"1* 3FRVJSFEDIBOHFTUP5-4TUBDL"1*

Slide 41

Slide 41 text

• TFQBSBUJPOPGDPODFSO – 5-4QSPWJEFTLFZTBOEBVUIFOUJDBUJPO – 26*$FODSZQUTUIFQBDLFUT • OPNPSFBNCJHVJUZ – EJTUJODUTUSFBNTGPSFBDIFODSZQUJPOMFWFM – UISFFEJTUJODUQBDLFUOVNCFSTQBDF • JF *OJUJBM )BOETIBLF 355 • OPDIBODFPG"$,QSPNPUJPOBUUBDL 3FGJOFEEFTJHOUIFCFOFGJUT

Slide 42

Slide 42 text

• EPVCMFFODSZQUJPO • BNCJHVJUJFT – XIFOUPBDUJWBUFUSBGGJDLFZT – XIFOTUSFBNTXJUDIFTUPVTJOHQSPUFDUFE 26*$QBDLFUT • BUUBDLWFDUPST – MFTTGSBHJMFUPSFTFUJOKFDUJPOBUUBDL – "$,QSPNPUJPOBUUBDL *TTVFTSFTPMWFE BMNPTU

Slide 43

Slide 43 text

26*$QBDLFUOVNCFSFODSZQUJPO

Slide 44

Slide 44 text

• QBDLFUOVNCFS 1/ – JTVOJRVFGPSFBDIQBDLFUCFJOHTFOU – JODSFBTFTNPOPUPOJDBMMZ • UIFSFGPSF DBOCFVTFEUPUSBDLBDMJFOU – $POOFDUJPO*%JTDIBOHFEXIFOBOFOEQPJOU NJHSBUFTUPBEJGGFSFOUOFUXPSL8IBU TIPVMEXFEPGPSQBDLFUOVNCFS 1BDLFUOVNCFSBOEQSJWBDZ

Slide 45

Slide 45 text

• KVNQ1/XIFOTXJUDIJOH$*% – QFFSTOFFEUPBHSFFPOUIFSBOEPNPGGTFU • TJODF1/ CJU JTSPVOEFEPOXJSFUP CJUT • PGGTFUOFFETUPCFEJGGFSFOUGPSFBDIEJSFDUJPO – XIBUUPEPPOQBUIQSPCJOHFSSPS • EJGGFSFOU1/TQBDFGPSFBDI$*% – NFBOTIBWJOHFODSZQUJPOLFZTBOE"$, RVFVFGPSFBDI$*% $POTJEFSFEBQQSPBDIFT

Slide 46

Slide 46 text

• FODSZQUJOH1/JTTJNQMFSUIBO – JOTFSUJOHKVNQTIBWJOHNBOZLFZTTQBDFT 4PMVUJPOQBDLFUOVNCFSFODSZQUJPO

Slide 47

Slide 47 text

#VUIPX type CID PN payload 1 0/4-18 1/2/4 any size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: ??? ↓ unencrypted encrypted

Slide 48

Slide 48 text

/BÏWFBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE+ciph. ciph. AEAD tag 1 0/4-18 16 any – 1/2/4 16 size: + PNE: AES ↓ unencrypted encrypted

Slide 49

Slide 49 text

"EPQUFEBQQSPBDI type CID PN payload 1 0/4-18 1/2/4 any size: unencrypted: type CID PN ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: encrypted: AES_GCM(PN, payload) ↓ 1 0/4-18 1/2/4 any size: type CID PNE ciphertext AEAD tag 1 0/4-18 1/2/4 any 16 size: + PNE: AES_CTR(ciphertext, PN) ↓ unencrypted encrypted

Slide 50

Slide 50 text

• TPNFNPCJMFOFUXPSLTlGJYzPVUPGPSEFS EFMJWFSZCZMPPLJOHBU1/ – UPMFTTFOSFUSBOTNJUT – OPEPXOTJEFGPS5$1 – JTTVFGPS26*$ CFDBVTFXFDBOVTFQBDLFUT BSSJWJOHPVUPGPSEFS • 26*$XJMMCFPTTJGJFEPODFNJEEMFCPYFT TUBSUVTJOH1/JOQBSUJDVMBSXBZT 1/&UPQSFWFOUNJTVTFPG1/

Slide 51

Slide 51 text

• 5$15-4 – BEESFTTFTDPOGJEFOUJBMJUZ JOUFHSJUZ • JOBEEJUJPO 26*$5-4 – JNQSPWFTBWBJMBCJMJUZ – QSFTFSWFTVTFSQSJWBDZ – QSFWFOUTPTTJGJDBUJPO – PQUJNJ[FTGPSQFSGPSNBODF • TFUVQJO35 35JO5$15-4 • VTFPGQBDLFUTBSSJWJOHPVUPGPSEFS 5IFJNQSPWFNFOUT

Slide 52

Slide 52 text

• FODSZQUJPOJTUIFUBTLPG26*$ – IBOETIBLFEPOFCZ5-4 • BMNPTUFWFSZUIJOHJTFODSZQUFE – POMZQBDLFUUZQF $*% QSPUPDPMWFSTJPOBSF WJTJCMFPOUIFXJSF • XIBUUPFYQPTFJTEFDJEFEFYQMJDJUMZ – FH lTQJOCJUzFYQFSJNFOU 26*$BOEFODSZQUJPO

Slide 53

Slide 53 text

&ODSZQUFE4/*

Slide 54

Slide 54 text

• 4FSWFS/BNF*OEJDBUJPO – QBSUPG$MJFOU)FMMP – VTFECZUIFTFSWFSUPTFMFDU • LFZBMHPSJUIN • TFSWFSDFSUJGJDBUF 8IBUJT4/* ClientHello (w. pubkey) ServerHello (w. pubkey) EncryptedExtensions ServerCertificate Finished App. Data (server only) (ClientCertificate) Finished Application Data Client Server plaintext encrypted (unauthenticated) encrypted (authenticated)

Slide 55

Slide 55 text

• %/4SFTPMVUJPO • 4/* • TFSWFSDFSUJGJDBUF • TFSWFS*1BEESFTT • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

Slide 56

Slide 56 text

• %/4SFTPMVUJPO %P) • 4/* ˡ UIJT • TFSWFSDFSUJGJDBUF 5-4 • TFSWFS*1BEESFTT NBTTTDBMFNVMUJUFOBODZ • USBGGJDBOBMZTJT 4PVSDFTPGTFSWFSJEFOUJUZMFBLBHF

Slide 57

Slide 57 text

• ESBGUSFTDPSMBUMTFTOJ – UPCFDPNFESBGUJFUGUMTFTOJ • LFZJEFB – VTFQVCMJDLFZDSZQUPUPFODSZQU4/* – VTF%/4UPEJTUSJCVUFUIFQVCMJDLFZ 4PMVUJPOFODSZQUFE4/*

Slide 58

Slide 58 text

)PXJUXPSLT example.com? _esni.example.com? example.com=192.0.2.1 _esni.example.com=pubkey ClientHello {ESNI=encrypt("example.com")} DoH recursor HTTPS server DNS authoritative server

Slide 59

Slide 59 text

TUSVDU\ VJOUDIFDLTVN<> ,FZ4IBSF&OUSZ LFZT? QVCMJDLFZT $JQIFS4VJUF DJQIFS@TVJUFT? VJOUQBEEFE@MFOHUI VJOUOPU@CFGPSF VJOUOPU@BGUFS &YUFOTJPOFYUFOTJPOT? ^&4/*,FZT @FTOJFTOJFYBNQFOFU*/595 E8[B2#'"#D"225S+CP;Z:YD1:P6IPOISW/YWKGQSKB;CK/#/ .Y%ZDE%7W#+P),0.I,[BWE*N03*""*5"2&&"""""'T (E."""""89"H"" &4/*SFDPSE

Slide 60

Slide 60 text

• &4/*SFDPSEJTOPUTJHOFE – TPUIBUJUDBOCFTNBMM – BUUBDLFSDBOTQPPGUIFN • CVUBOBUUBDLFSDBOBMTPTQPPGUIF*1BEESFTTPG FYBNQMFDPN – BDDFTTUPUIFBEESFTTSFWFBMTUIF4/* • UPTVNNBSJ[F &4/* – JNQSPWFTQSJWBDZXIFO%/4JTIFBMUIZ – EPFTOPUXPSTFOUIFTFDVSJUZXIFOVOEFS BUUBDL 4FDVSJUZBTQFDUT

Slide 61

Slide 61 text

• 355BQQMJDBUJPOEBUBJOGVMM IBOETIBLF – OFFEUPEJTUSJCVUFTJHOFEQVCLFZ BOE DFSUJGJDBUFDIBJOVTJOH%/4 • QSPUFDUJOHJOJUJBMFYDIBOHFGSPN JOKFDUJPOBUUBDL 6TJOH&4/*QVCMJDLFZGPSPUIFSQVSQPTFT

Slide 62

Slide 62 text

3FDBQJUVMBUJPO

Slide 63

Slide 63 text

• OFBSMZDPNQMFUFUPGJYJOHQSJWBDZMFBLT • FODSZQUJPOJTBMTPVTFEGPS – QSPWJEJOHBWBJMBCJMJUZ – QSFWFOUJOHPTTJGJDBUJPO • GPSGVSUIFSFWPMVUJPOJOUIFGVUVSF • BMNPTUFWFSZUIJOHJTFODSZQUFEJO26*$ – FODSZQUFWFONPSFJOVQDPNJOHQSPUPDPMT – XFEFCBUFBOEEFDJEFXIBUUPFYQPTFUPUIF OFUXPSL 0VSTUBUVT