A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations

Cited by: 3
Authors
Tatschner, Stefan [1 ,2 ]
Peters, Sebastian N. [1 ]
Emeis, David [1 ]
Morris, John [2 ]
Newe, Thomas [2 ]
Affiliations
[1] Fraunhofer Inst AISEC, Garching, Germany
[2] Univ Limerick, Limerick, Ireland
Source
18TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY & SECURITY, ARES 2023 | 2023
Keywords
QUIC; RFC9000; security considerations; web;
DOI
10.1145/3600160.3605164
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
Built on top of UDP, the relatively new QUIC protocol serves as the baseline for modern web protocol stacks. Equipped with a rich feature set, the protocol is defined by a 151-page IETF standard complemented by several additional documents. To enable fast updates and feature iteration, most QUIC implementations are implemented as user-space libraries, leading to a large and fragmented ecosystem. This work addresses the research question of whether a complex standard with a large number of different implementations leads to an insecure ecosystem. The relevant RFC documents were studied and "Security Considerations" items describing conceptual problems were extracted. During the research, 13 popular production-ready QUIC implementations were compared by evaluating 10 security considerations from RFC9000. While related studies mostly focused on the functional part of QUIC, this study confirms that available QUIC implementations are not yet mature enough from a security point of view.
Pages: 16