Secure Communication Channel Establishment: TLS 1.3 (over TCP Fast Open) versus QUIC
Journal of Cryptology (IF 2.3), Pub Date: 2021-05-24, DOI: 10.1007/s00145-021-09389-w
Shan Chen, Samuel Jero, Matthew Jagielski, Alexandra Boldyreva, Cristina Nita-Rotaru

Secure channel establishment protocols such as Transport Layer Security (TLS) are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing latency (the number of interactions between parties before encrypted data can be transmitted) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3, the latest TLS version standardized in 2018 to replace the widely deployed TLS 1.2, and Quick UDP Internet Connections (QUIC), a secure transport protocol from Google that is implemented in the Chrome browser. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Toward this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data confidentiality and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the cryptographic cores of the protocols. Equipped with our new models we provide a detailed comparison of three low-latency layered protocols: TLS 1.3 over TCP Fast Open (TFO), QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. In particular, we show that TFO’s cookie mechanism does provably achieve the security goal of IP spoofing prevention. Additionally, we find several new availability attacks that manipulate the early key exchange packets without being detected by the communicating parties. 
By including packet-level attacks in our analysis, our results shed light on how the reliability, flow control, and congestion control of the above layered protocols compare, in adversarial settings. We hope that our models will help protocol designers in their future protocol analyses and that our results will help practitioners better understand the advantages and limitations of secure channel establishment protocols.




Updated: 2021-05-25