Cryptology ePrint Archive: Report 2015/582
How Secure and Quick is QUIC? Provable Security and Performance Analyses
Robert Lychev and Samuel Jero and Alexandra Boldyreva and Cristina Nita-Rotaru
Abstract: QUIC is a secure transport
protocol developed by Google and implemented in Chrome in 2013, currently
representing one of the most promising solutions to decreasing latency
while intending to provide security properties similar to TLS.
In this work we shed some light on QUIC's strengths and weaknesses
in terms of its provable security and performance guarantees in the presence of attackers.
We first introduce a security model for analyzing performance-driven protocols like QUIC
and prove that QUIC satisfies our definition under reasonable assumptions on the protocol's building blocks.
However, we find that QUIC does not satisfy the traditional notion of forward secrecy that is provided by some modes of TLS,
e.g., TLS-DHE.
Our analyses also reveal that with simple bit-flipping and replay attacks on some
public parameters exchanged during the handshake, an
adversary could easily prevent QUIC from achieving minimal latency
advantages either by having it fall back to TCP or by causing
the client and server to have an inconsistent view of their
handshake leading to a failure to complete the connection.
We have implemented these attacks and demonstrated that they
are practical.
Our results suggest that QUIC's security weaknesses are introduced by the very mechanisms used to reduce latency,
which highlights the seemingly inherent trade-off between minimizing latency and providing 'good' security guarantees.
Category / Keywords: applications / Network security, key exchange, secure channels
Original Publication (with major differences): IEEE Security & Privacy 2015
Date: received 12 Jun 2015
Contact author: robert lychev at gmail com
Version: 20150621:080405
Short URL: ia.cr/2015/582