MA: Comparing Session Tickets in QUIC to TLS over TCP

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over a computer network. TLS session tickets are a part of TLS that allow previously established session parameters and secrets to be reused, enabling faster handshakes, up to 0-RTT resumption (in TLS 1.3), and a reduced computational workload.

QUIC is a modern transport protocol initially developed by Google and standardised by the IETF that aims to improve internet performance and security by integrating transport and cryptographic functions. RFC 9001 specifies the integration of TLS into QUIC, including the use of session tickets to facilitate 0-RTT in QUIC. However, QUIC requires additional parameters to resume a session compared to TLS over TCP; see Section 4.6.3 of RFC 9001. According to Section 4.6 of RFC 9001, these additional parameters include the QUIC transport parameters and the application protocol. Further information may be added as needed, for example by the application protocol.

Currently, there is a lack of research on QUIC session tickets, partly because there is generally little research into session tickets. Questions worth answering are:

  • What information do popular QUIC implementations add to the session ticket of the underlying TLS library?
  • How do implementations handle a session ticket that is obtained using QUIC and subsequently used in TLS 1.3 over TCP on the same server and vice versa, especially when the same session ticket encryption key (STEK) is used?
  • Are there any vulnerabilities arising from a ticket containing more information than TLS 1.3 over TCP expects, or from information missing in a QUIC session ticket that was obtained from TLS 1.3 over TCP?

Your tasks:

  • Select popular QUIC libraries for analysis.
  • Review the source code of the chosen libraries to determine how they handle session tickets and what information they add.
  • Evaluate the server behaviour when tickets from TLS 1.3 over TCP are sent to the server via QUIC and vice versa. This should be done using our TLS-Attacker framework.
