How Secure and Quick is QUIC? Provable Security and Performance Analyses.

Cristina Nita-Rotaru came from Northeastern to give talk on her recent Oakland S&P paper. In her talk, she discussed the trade-offs between provable security and guaranteed performance in adversarial networks. I will give a summary of the work here, but please consult the paper for more details.

In the web, everything is connected. There are a large number of computer services, many types of devices, tremendous amount of data, and availability via cloud computing. However, users have high expectations for these services. They expect them to available 24/7, correct 100% of the time, fast, reliable, and secure. The environments are complex because of unexpected interactions, misconfigurations, failures, and attacks.

More importantly, there is a latency challenge. Online businesses rely more and more on mobile and web applications, so latency is a more critical issue. Time translates into money for many web sites. Finally, the latency physical barrier is the real issue. Bandwidth is cheap and will continue to grow, but there are inherent limitations for latency. As a result, people have revisited secure transport protocols with an eye on latency.

Websites commonly use TLS as the protocol for establishing an end-to-end secure channel, providing confidentiality, integrity, and authentication. However, the latency of connection establishment is high. Consequently, Google developed a new protocol called Quick UDP Internet Connections (QUIC) and implemented it as part of the Chrome browser in 2013. The design goals were to provide security protection comparable to TLS, reduce connection latency by collapsing TCP and TLS in one layer, good performance of connection establishment, and easy deployability.

Their work seeks to answer the following questions: What provable security guarantees does QUIC provide, and under which assumptions? How effective is QUIC at achieving minimum latency guarantees in the presence of attackers?

Here are a few challenges:
- Understanding the protocol: documentation is incomplete
- Choosing a security model: existing protocols and security models not suitable
- Capturing performance in the model: no existing models

They define a new security model called QACCE. I won’t go into the details here because it represents a complex cryptographic game, but I refer you to the paper. This model is suitable for performance driven protocols and shows that QUIC satisfies it. QUIC does not satisfy the traditional notion of forward secrecy, provided by some TLS modes, e.g. TLS-DHE.

With simple attacks, such as replay and manipulation attacks, on some parameters, it is easy to prevent QUIC from achieving its minimal latency goals. They have implemented these attacks and demonstrated that they are practical. For more details on these attacks, please refer to the paper.

This is interesting work that looks at an important question regarding latency and security. They define relevant new models for performance and security. Hopefully, this work will motivate closer looks at many secure protocols in the web.