Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3.

Saved in:
Bibliographic Details
Title: Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3.
Authors: Fischlin, Marc1 (AUTHOR) marc.fischlin@cryptoplexity.de, Günther, Felix2 (AUTHOR), Janson, Christian1 (AUTHOR)
Source: Journal of Cryptology. Jun2024, Vol. 37 Issue 2, p1-49. 49p.
Subjects: Internet Engineering Task Force (Organization), Secure Sockets Layer (Computer network protocol), Forgery
Abstract: The common approach in secure communication channel protocols is to rely on ciphertexts arriving in-order and to close the connection upon any rogue ciphertext. Cryptographic security models for channels generally reflect such design. This is reasonable when running atop lower-level transport protocols like TCP ensuring in-order delivery, as for example, is the case with TLS or SSH. However, protocols like QUIC or DTLS which run over a non-reliable transport such as UDP, do not—and in fact cannot—close the connection if packets are lost or arrive in a different order. Those protocols instead have to carefully catch effects arising naturally in unreliable networks, usually by using a sliding-window technique where ciphertexts can be decrypted correctly as long as they are not misplaced too far. In order to be able to capture QUIC and the newest DTLS version 1.3, we introduce a generalized notion of robustness of cryptographic channels. This property can capture unreliable network behavior and guarantees that adversarial tampering cannot hinder ciphertexts that can be decrypted correctly from being accepted. We show that robustness is orthogonal to the common notion of integrity for channels, but together with integrity and chosen-plaintext security it provides a robust analog of chosen-ciphertext security of channels. In contrast to prior work, robustness allows us to study packet encryption in the record layer protocols of QUIC and of DTLS 1.3 and the novel sliding-window techniques both protocols employ. We show that both protocols achieve robust chosen-ciphertext security based on certain properties of their sliding-window techniques and the underlying AEAD schemes. Notably, the robustness needed in handling unreliable network messages requires both record layer protocols to tolerate repeated adversarial forgery attempts. This means we can only establish non-tight security bounds (in terms of AEAD integrity), a security degradation that was missed in earlier protocol drafts. Our bounds led the responsible IETF working groups to introduce concrete forgery limits for both protocols and the IRTF CFRG to consider AEAD usage limits more broadly. [ABSTRACT FROM AUTHOR]
Copyright of Journal of Cryptology is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: egs
DbLabel: Engineering Source
An: 175138408
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Fischlin%2C+Marc%22">Fischlin, Marc</searchLink><relatesTo>1</relatesTo> (AUTHOR)<i> marc.fischlin@cryptoplexity.de</i><br /><searchLink fieldCode="AR" term="%22Günther%2C+Felix%22">Günther, Felix</searchLink><relatesTo>2</relatesTo> (AUTHOR)<br /><searchLink fieldCode="AR" term="%22Janson%2C+Christian%22">Janson, Christian</searchLink><relatesTo>1</relatesTo> (AUTHOR)
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22Journal+of+Cryptology%22">Journal of Cryptology</searchLink>. Jun2024, Vol. 37 Issue 2, p1-49. 49p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Internet+Engineering+Task+Force+%28Organization%29%22">Internet Engineering Task Force (Organization)</searchLink><br /><searchLink fieldCode="DE" term="%22Secure+Sockets+Layer+%28Computer+network+protocol%29%22">Secure Sockets Layer (Computer network protocol)</searchLink><br /><searchLink fieldCode="DE" term="%22Forgery%22">Forgery</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: The common approach in secure communication channel protocols is to rely on ciphertexts arriving in-order and to close the connection upon any rogue ciphertext. Cryptographic security models for channels generally reflect such design. This is reasonable when running atop lower-level transport protocols like TCP ensuring in-order delivery, as for example, is the case with TLS or SSH. However, protocols like QUIC or DTLS which run over a non-reliable transport such as UDP, do not—and in fact cannot—close the connection if packets are lost or arrive in a different order. Those protocols instead have to carefully catch effects arising naturally in unreliable networks, usually by using a sliding-window technique where ciphertexts can be decrypted correctly as long as they are not misplaced too far. In order to be able to capture QUIC and the newest DTLS version 1.3, we introduce a generalized notion of robustness of cryptographic channels. This property can capture unreliable network behavior and guarantees that adversarial tampering cannot hinder ciphertexts that can be decrypted correctly from being accepted. We show that robustness is orthogonal to the common notion of integrity for channels, but together with integrity and chosen-plaintext security it provides a robust analog of chosen-ciphertext security of channels. In contrast to prior work, robustness allows us to study packet encryption in the record layer protocols of QUIC and of DTLS 1.3 and the novel sliding-window techniques both protocols employ. We show that both protocols achieve robust chosen-ciphertext security based on certain properties of their sliding-window techniques and the underlying AEAD schemes. Notably, the robustness needed in handling unreliable network messages requires both record layer protocols to tolerate repeated adversarial forgery attempts. This means we can only establish non-tight security bounds (in terms of AEAD integrity), a security degradation that was missed in earlier protocol drafts. Our bounds led the responsible IETF working groups to introduce concrete forgery limits for both protocols and the IRTF CFRG to consider AEAD usage limits more broadly. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of Journal of Cryptology is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=175138408
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1007/s00145-023-09489-9
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 49
        StartPage: 1
    Subjects:
      – SubjectFull: Internet Engineering Task Force (Organization)
        Type: general
      – SubjectFull: Secure Sockets Layer (Computer network protocol)
        Type: general
      – SubjectFull: Forgery
        Type: general
    Titles:
      – TitleFull: Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Fischlin, Marc
      – PersonEntity:
          Name:
            NameFull: Günther, Felix
      – PersonEntity:
          Name:
            NameFull: Janson, Christian
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 06
              Text: Jun2024
              Type: published
              Y: 2024
          Identifiers:
            – Type: issn-print
              Value: 09332790
          Numbering:
            – Type: volume
              Value: 37
            – Type: issue
              Value: 2
          Titles:
            – TitleFull: Journal of Cryptology
              Type: main
ResultId 1