How Secure and Quick is QUIC? Provable Security and Performance Analyses
Project Members
Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru
Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru
Abstract
QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013, currently representing one of the most promising solutions to decreasing latency while intending to provide security properties similar with TLS. In this work we shed some light on QUIC's strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol's building blocks. Our analyses also reveal that with simple replay and manipulation attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency by causing connection failure, probably resulting in fallback to TLS.