QUIC looks more secure than TLS for MitM synchronization attacks


Bill Cox

Sep 2, 2015, 8:12:55 PM
to proto...@chromium.org
I just read the client/server hello stuff in QUIC's crypto spec.  There is a problem in TLS where a MitM can control the eventual handshake hash on both connections, enabling him to do an offline birthday attack on the extended master secret and other values which are supposed to be unique to a session.  This cuts the bit-security in half because of the birthday paradox.

Because QUIC sends a client-random in a full client-hello, and then server responds with a server-hello containing an ephemeral key, there is no way for the MitM to predict the outcome from the server.  If he wants an offline attack, he has to accept the server hello, and then do the full second pre-image attack against the client, which has double the bit security.

I have a feeling this is not an accident.  The QUIC crypto guys rock :)

Is there any chance that the IETF won't ruin QUIC when they morph it into TLS 1.3?

Bill
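The argument in the post above, as an added toy model that is not part of the thread and does not reproduce any real TLS or QUIC message format: the hash is truncated to 16 bits so the searches finish instantly, and the transcript strings, the attacker-controlled nonce field and the `ephemeral` field are made up for the illustration. When the attacker can steer the transcript hash on both the client-facing and the server-facing connection, matching them is a collision search (roughly 2^(n/2) work). When the server contributes an unpredictable value after the client's contribution, the server-side hash is fixed before the attacker can react, and matching it becomes a second-preimage search (roughly 2^n work). The counters in `compare()` show the gap directly.

```python
"""Toy model: collision search vs. second-preimage search on a transcript hash.

Added example, not code from the thread. SHA-256 is truncated to HASH_BITS
bits so both searches finish in well under a second; the transcript layouts,
the attacker-controlled 'attacker-nonce' field and the server's 'ephemeral'
field are constructed for the illustration only.
"""
import hashlib
import random

HASH_BITS = 16  # toy size; real transcript hashes are 256 bits or more


def transcript_hash(transcript: bytes) -> int:
    """Truncated SHA-256 standing in for the handshake transcript hash."""
    digest = hashlib.sha256(transcript).digest()
    return int.from_bytes(digest, "big") >> (256 - HASH_BITS)


def collision_attack(rng):
    """Attacker steers a field in BOTH transcripts (the situation the post
    describes for TLS): alternate between fresh client-facing and
    server-facing candidates until one from each side shares a hash.
    Expected work is on the order of 2^(HASH_BITS/2)."""
    client_side, server_side = {}, {}
    work = 0
    while True:
        work += 1
        t_c = b"client-facing|attacker-nonce=%d" % rng.getrandbits(64)
        h_c = transcript_hash(t_c)
        if h_c in server_side:
            return t_c, server_side[h_c], work
        client_side[h_c] = t_c

        work += 1
        t_s = b"server-facing|attacker-nonce=%d" % rng.getrandbits(64)
        h_s = transcript_hash(t_s)
        if h_s in client_side:
            return client_side[h_s], t_s, work
        server_side[h_s] = t_s


def second_preimage_attack(server_transcript: bytes, rng):
    """The server already committed an unpredictable ephemeral value, so the
    server-side hash is fixed before the attacker can act: the attacker must
    find a client-facing transcript hashing to exactly that value.
    Expected work is on the order of 2^HASH_BITS."""
    target = transcript_hash(server_transcript)
    work = 0
    while True:
        work += 1
        t = b"client-facing|attacker-nonce=%d" % rng.getrandbits(64)
        if transcript_hash(t) == target:
            return t, work


def compare(trials: int = 4, seed: int = 1) -> dict:
    """Run both searches several times and return the average hash
    evaluations each needed, plus a flag that every collision found was a
    genuine one (distinct transcripts, equal truncated hashes)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    collision_work, preimage_work = [], []
    collisions_valid = True
    for _ in range(trials):
        a, b, w = collision_attack(rng)
        collisions_valid &= (a != b and transcript_hash(a) == transcript_hash(b))
        collision_work.append(w)

        # Server picks its ephemeral contribution; attacker sees it only afterwards.
        server_t = b"server-facing|ephemeral=%d" % rng.getrandbits(64)
        _, w2 = second_preimage_attack(server_t, rng)
        preimage_work.append(w2)
    return {
        "hash_bits": HASH_BITS,
        "collision_work": sum(collision_work) / trials,
        "second_preimage_work": sum(preimage_work) / trials,
        "collisions_valid": collisions_valid,
    }


if __name__ == "__main__":
    result = compare()
    print(f"{result['hash_bits']}-bit toy hash")
    print(f"  collision (attacker controls both sides): ~{result['collision_work']:.0f} evaluations")
    print(f"  second preimage (server value fixed first): ~{result['second_preimage_work']:.0f} evaluations")
```

The model captures only the degree-of-freedom argument: the defensive property is that the party whose transcript the attacker cannot influence contributes fresh randomness that is committed before the attacker's choices are fixed, which is what removes the birthday shortcut and restores full preimage-level security of the hash.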

ianG

Sep 2, 2015, 8:52:50 PM
to proto...@chromium.org
On 3/09/2015 01:12 am, 'Bill Cox' via QUIC Prototype Protocol Discussion
TLS WG people are trying to put TLS 1.3 into TCP for opportunistic
security...

so maybe there is a chance, if you're quick, while they're distracted... ;-)



iang
