Introduction:
This blog distinguishes between various protocols for data transmission. What all these protocols have in common is that they send data in encrypted form. It first covers the layers at which these protocols work, then their requirements, implementation and cryptographic parameters, and lastly compares the performance of all the protocols.
Layer:
TLS 1.2 and TLS 1.3 both work over TCP for reliable transport. QUIC is a transport layer protocol that runs on top of UDP. MASQUE is built on top of QUIC and is also a UDP-based protocol. WireGuard uses the UDP transport protocol to transfer data. Usage of TCP makes the packets liable to a loss in transmission performance. WireGuard runs in a connectionless way as well. IPsec uses UDP because it allows packets to get through firewalls, but it is not limited to UDP and can use other transport protocols.
TLS 1.2 can work over both TCP and UDP, as it is meant to be backward compatible with previous versions of TLS and SSL. TLS 1.3 works over UDP because UDP is faster than TCP. To provide reliability, TLS 1.3 has a 3-way handshake, which provides authentication at the endpoints as well as negotiation of cryptographic parameters.
MASQUE is implemented in the application layer of both the TCP/IP and OSI models. MASQUE is built on top of QUIC, as QUIC mainly helps with MASQUE's proxying capabilities. QUIC in turn is built on top of UDP. Since QUIC sends unreliable messages, it provides scope for UDP tunneling. MASQUE is a framework that allows multiplexing application traffic over QUIC encryption. QUIC encryption is a built-in encryption protocol based on TLS 1.3 that provides secure communication between endpoints and makes it harder for third parties to intercept and manipulate internet traffic.
QUIC originally stood for Quick UDP Internet Connections. It uses HTTP/2's multiplexed connections. It can improve performance through forward error correction (FEC). QUIC also mitigates ossification, which is a drawback of TCP as well as TLS. QUIC is almost equivalent to TCP but with much reduced latency.
WireGuard uses UDP because it is connectionless and more straightforward than TCP. WireGuard also provides encryption. Since UDP is connectionless, it doesn't have to establish and maintain a connection before transmitting data. This results in faster data transmission, which can improve the performance of WireGuard. But due to its connectionless nature, it can sometimes lead to packet loss.
IPsec works at layer 3, i.e. the network layer. IPsec has two modes, tunnel mode and transport mode. IPsec's default mode, known as Transport Mode, provides end-to-end security between a client and a server. IPsec's Tunnel Mode is typically used for site-to-site VPNs, where the original IP packet is encapsulated for secure transmission. In Tunnel Mode, IPsec can use either TCP or UDP as the transport protocol to carry the encapsulated packets. Tunnel mode is usually more secure than transport mode, as it encrypts the entire packet whereas transport mode encrypts only the payload of the packet.
Requirements:
TLS 1.2 and TLS 1.3:
- TLS 1.2 requires a reliable transport service, digital certificates, cryptographic algorithms (RSA, Diffie-Hellman, AES) and appropriate key exchange methods.
- TLS 1.3 is built on top of TLS 1.2 with improved security. It provides scope for elliptic curve cryptography, as it is more efficient for small inputs, and requires a secure transport protocol.
MASQUE:
MASQUE stands for Multiplexed Application Substrate over QUIC Encryption. The acronym itself suggests that it is built on and uses QUIC's underlying transport protocol.
QUIC:
It's a transport protocol designed by Google. It requires UDP for its performance. It provides better security and multiplexing compared to traditional TCP. QUIC uses HTTP/2's multiplexed connections. It also uses AEAD and various certificate chains.
WireGuard:
WireGuard is a VPN protocol that mainly relies on cryptographic primitives like Curve25519 for key exchange and ChaCha20 for encryption.
IPsec:
IPsec uses cryptographic algorithms for authentication and encryption, which is done using HMAC, DES and AES. It uses IKE for key exchange, which happens in two phases.
Implementation:
TLS 1.2:
The first step of the TLS implementation is the client sending a hello message to the server along with the SNI. On receiving the server's hello response and the server-side certificates, the client authenticates the certificates. After the authentication is successful, the exchange of key material and key derivation take place. If the key derivation is successful on both sides, the secure connection is established. Key derivation is done with the help of HKDF (Hashed KDF), which initially takes a seed produced by a cryptographic random number generator. From this a pre-master key is produced, which is then combined with a nonce (96 random bits) to produce a master key. The master key is in turn used to produce 4 keys: server MAC key, client MAC key (MAC keys are used for integrity), server write key and client write key (write keys are for authentication). Now cipher suites are exchanged.
CipherSuite = <Key Exchange Algorithm, Cipher Algorithm, MAC Algorithm>
The most commonly used cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. TLS 1.2 offers 37 different cipher suites. RSA suites are mostly not preferred because they are vulnerable to attacks. Stream and counter mode ciphers can be encrypted by Galois counter mode, whereas block mode ciphers can't. ECDHE uses the prime field P-521 (we also have P-128, P-256, P-384) as prescribed by NIST. Usually the certificate authority provides both ECDH and RSA certificates, and either can be used based on preference. Once the connection is established, secure data transfer can take place: data is encrypted and decrypted using the established session keys. The integrity of all encrypted data can be checked by comparing MAC values computed with the client and server MAC keys respectively. On the finish command, the MAC values on both the client's and the server's side are checked. The connection is closed only if both sides are verified. The handshake costs 2 RTT. FREAK, LOGJAM, BREACH and POODLE are attacks that TLS 1.2 is prone to.
TLS 1.3:
Initially the client and server exchange hello messages that include the TLS version number, a random number and the cipher suite. TLS 1.3 is better than TLS 1.2 in terms of a secure cipher suite because its suites don't include key exchange and signature algorithms; in place of these they specify bulk cipher and hashing algorithms.
Cipher suite: TLS_AES_256_GCM_SHA384; there are 4 other cipher suites that can be used.
After the hello messages are exchanged, the server sends its certificate to the client, which can be verified using the server's public key. Server key exchange takes place optionally, if mentioned in the cipher suite. Additionally, if the server wishes to verify the client, a certificate is also requested (optional). After the hello is complete, the client generates a pre-master key, which is encrypted using the server's key and sent to the server for further key derivation. After the shared secret key is successfully established, secure data communication can take place. TLS 1.3 reduces RTT to 0, which enables the client and server to send data immediately after the client hello message is sent. If the client and server have a previous history of communication, the information cached from that earlier session is used to negotiate the new connection without having to set up the connection parameters from scratch, allowing the client to compute the private encryption keys required to protect application data before even talking to the server. However, the 0-RTT feature has some security risks, as an attacker-controlled client can use it to cause rejection of early data by the server. The 0-RTT feature improves performance. In the context of TLS 1.3, ossification is mentioned as a challenge that affected the design and deployment of the protocol, but it doesn't serve as a risk.
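The naming difference between the two versions, as an added example (not part of the original post): a small parser that splits a cipher suite name into the parts it negotiates and reports weak properties. The `findings` rules are this example's own simplified audit policy, and the suite names passed to it are standard IANA names.

```python
import re

HASH_SUFFIX = re.compile(r"_(SHA\d*|MD5)$")
AEAD_SUFFIXES = ("_GCM", "_CCM", "_CCM_8", "_POLY1305")

def parse_suite(name: str) -> dict:
    """Split a TLS cipher suite name into key exchange, auth, cipher and hash."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]
    kx = auth = None
    export = False
    if "_WITH_" in body:                       # TLS 1.2 and earlier naming
        left, body = body.split("_WITH_", 1)
        parts = left.split("_")
        export = "EXPORT" in parts
        parts = [p for p in parts if p != "EXPORT"]
        kx, auth = parts[0], parts[-1]         # TLS_RSA_WITH_*: RSA does both
    m = HASH_SUFFIX.search(body)
    cipher = body[:m.start()] if m else body   # some CCM suites name no hash
    return {
        "tls13_style": kx is None,
        "key_exchange": kx,
        "authentication": auth,
        "cipher": cipher,
        "hash": m.group(1) if m else None,
        "aead": cipher.endswith(AEAD_SUFFIXES),
        # Ephemeral (EC)DH gives forward secrecy. A TLS 1.3 name does not say
        # which key exchange is used, so the value is None (unknown) there.
        "forward_secrecy": None if kx is None else kx in ("ECDHE", "DHE"),
        "export": export,
    }

def findings(name: str) -> list:
    """Return the weak properties of a suite under this example's policy."""
    suite, out = parse_suite(name), []
    if suite["export"]:
        out.append("export-grade key exchange")
    if suite["forward_secrecy"] is False:
        out.append("no forward secrecy")
    if not suite["aead"]:
        out.append("non-AEAD cipher (separate MAC)")
    return out

if __name__ == "__main__":
    for n in ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"):
        print(n, "->", findings(n) or "ok")
```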
MASQUE:
MASQUE leverages HTTP request/response semantics to enable tunneling of TCP or UDP traffic. It multiplexes streams, allowing efficient tunneling of TCP/UDP traffic. It uses a congestion controller to manage the multiplexed flows. It encrypts flow metadata to ensure privacy and security. As MASQUE is built on top of QUIC, the implementation of QUIC is described below.
QUIC:
It's a protocol to fix all the shortcomings of TCP. Similar to TLS, hello messages are exchanged by both the client and the server (on the server's side along with a digital certificate). The client and server then exchange packets to establish the QUIC connection. A unique Connection ID (CID) is generated for the connection, and this ID helps in connection identification and multiplexing. QUIC uses a token for authenticating the client's connection request. QUIC supports independent stream data transfer, and streams are identified by stream IDs. Stream multiplexing allows concurrent transmission of data, reducing latency. QUIC allows streams to be prioritized, with the priority assigned by the server. This helps optimize the delivery of critical content. Application data is split into smaller packets and transmitted over QUIC streams. QUIC offers 0 RTT. QUIC supports connection migration, allowing a client to change its IP address or port without disrupting the connection. This is useful for scenarios where the client switches networks or devices. Connection termination can be initiated by either the client or the server. QUIC's design aims to minimize the latency introduced by handshakes. QUIC often uses TLS for key exchange and authentication during its handshake process.
WireGuard:
The peers first generate their public and private keys. Peers configure WireGuard with their private key, public key, IP addresses, and allowed IP ranges for routing, which is done with the help of the cryptokey routing table. The MTU of the packets is specified with the help of super packets. Whenever a packet is received, the source IP must first match the ranges specified in the cryptokey routing table; if not, the packet is dropped. Each peer is then uniquely assigned to the IP. This gives the packets the privilege to roam around the network. If the peer is not matched, the packet is dropped too. After the peer is matched, the peer's public key is used to decrypt the received packet. If the source IP inside the payload doesn't match the cryptokey routing table, the packet is dropped too. These are the three scenarios in which packets are dropped. After the packet is decrypted, the secure channel is established and data can be sent during the session, from the rekey-after time until the reject-after time comes into effect. During the keepalive time, null packets with zero padding are sent to keep the session alive. To mitigate DDoS attacks, WireGuard uses a cookie scheme. The cookie scheme in turn uses AEAD over MAC, as it is more secure by providing authentication along with encryption (confidentiality). It also provides an optional pre-shared symmetric key mode that adds an additional layer of symmetric encryption alongside Curve25519.
Curve25519 provides security in the era of post-quantum solutions and computers. To maintain security, WireGuard supports frequent rekeying. New session keys are periodically derived from the private keys and exchanged without requiring a full handshake. For added security, peers can rotate their public keys. Rotating keys helps mitigate the impact of a compromised private key. Either peer can initiate a termination by sending a termination message. WireGuard is popular for its simplicity, and its implementation in kernel space alone reduces latency, as it doesn't have to switch often between userspace and kernel space. WireGuard also provides an efficient queuing system to prevent needless allocations. It provides scope to build external kernel modules as well.
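The cryptokey routing table mentioned above, as an added example that is not WireGuard's own code: a toy model of how allowed IP ranges select the peer key for outgoing packets and filter the inner source address of incoming ones. The class name, the placeholder key strings and the addresses are all constructed for illustration.

```python
import ipaddress

class CryptokeyRouter:
    """Toy model of a cryptokey routing table: peer public key <-> allowed IPs."""

    def __init__(self):
        self._routes = []                      # list of (network, peer_key)

    def add_peer(self, peer_key, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr)
            # A range belongs to one peer only: re-adding it moves it.
            self._routes = [r for r in self._routes if r[0] != net]
            self._routes.append((net, peer_key))
        # Most specific prefix first, so lookup() is a longest-prefix match.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, address):
        ip = ipaddress.ip_address(address)
        for net, peer_key in self._routes:
            if ip in net:
                return peer_key
        return None

    def route_outgoing(self, dst_ip):
        """Sending: the destination IP picks the peer (and so the key) to
        encrypt to. None means no peer owns the address: drop the packet."""
        return self.lookup(dst_ip)

    def accept_incoming(self, authenticated_peer, inner_src_ip):
        """Receiving: once a packet has decrypted and authenticated under a
        peer's session, its inner source IP must belong to that same peer."""
        return self.lookup(inner_src_ip) == authenticated_peer

def build_demo_table():
    # Constructed configuration; the key strings are placeholders, not keys.
    table = CryptokeyRouter()
    table.add_peer("PEER_A_PUBLIC_KEY", ["10.192.122.3/32", "10.192.124.0/24"])
    table.add_peer("PEER_B_PUBLIC_KEY", ["10.192.122.4/32", "192.168.0.0/16"])
    return table

if __name__ == "__main__":
    t = build_demo_table()
    print("to 10.192.124.7 ->", t.route_outgoing("10.192.124.7"))
    print("to 203.0.113.9  ->", t.route_outgoing("203.0.113.9"))
    # Peer A authenticated the packet but claims peer B's inner address.
    print("A as .122.4 accepted:",
          t.accept_incoming("PEER_A_PUBLIC_KEY", "10.192.122.4"))
```

The last call shows why the inner source check matters: a peer with a valid key still cannot send traffic from an address assigned to another peer.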
IPsec:
IPsec provides a framework for ensuring confidentiality, authenticity, and integrity of IP packets. IPsec's components are the Authentication Header (phase 2, port 51); the Encapsulating Security Protocol, which provides confidentiality, authentication and integrity (phase 2, port 50); and IKE. ISAKMP/IKE Phase 1: the Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) is used to establish a secure communication channel between two parties. It involves negotiation of encryption, authentication, and Diffie-Hellman parameters.
Phase 1 has two modes, main and aggressive. Main mode is more secure than aggressive mode because the contents inside the packet are encrypted. Negotiation includes the hashing algorithm (MD5 or SHA), authentication, Diffie-Hellman key exchange, lifetime and the encryption standard to be used. Phase 2 negotiates the specific IPsec security parameters, such as the encryption algorithm, the authentication algorithm, and the keys to be used for securing the communication.
Authentication is handled in IPsec by monitoring inbound traffic and checking the authentication header in the IPsec header. For outbound traffic, the sender attaches authentication data to the IPsec header. When decrypting the payload, the receiver checks for the agreed-upon encryption algorithm and the keys negotiated during phase 2 of IKE. After decryption and authentication, the original IP packet is extracted from the IPsec packet. It's then processed as usual by the network stack. Security associations have finite lifetimes to ensure that keys and parameters are periodically updated for security reasons. When a security association expires, a new negotiation process may be initiated to establish a new one. When communication is complete or the security requirements change, IPsec can be terminated.
Performance analysis:
TLS 1.3 is designed for improved data transfer speeds, thanks to features like "0-RTT" (early data transmission), and for improved CPU usage, thanks to optimizations of the handshake process, so it is better than TLS 1.2. MASQUE leverages QUIC's handshake and might offer faster handshakes and reduced latency for web-based applications. MASQUE's performance and security are influenced by the underlying QUIC protocol. QUIC is designed for faster data transfer due to multiplexing and reduced head-of-line blocking. WireGuard's handshake is designed to be lightweight and efficient. WireGuard's modern cryptographic algorithms contribute to good data transfer speeds, and its minimalistic approach to low CPU usage. IPsec's handshake can vary depending on the mode (IKEv2 is more efficient than IKEv1). IPsec might have higher CPU usage due to encryption and additional packet processing. WireGuard was proposed to perform better than IPsec.
References:
Most of the content was written by referring to class notes. Thank you.