Key Points

provides more secure messaging model than conventional encrypted message traffic solutions

References

Reference_description_with_linked_URLs_______________________	Notes______________________________________________________________
Secure Messaging Concepts

Key Concepts

QUIC (Quick UDP Internet Connections) is a newer transport layer protocol, built on top of UDP, designed to improve the performance and security of web connections.It aims to replace TCP and TLS by combining connection establishment, encryption, and multiplexing into a single protocol. QUIC offers advantages like faster connection setup, better resilience to packet loss, and improved security by encrypting more data, including the Server Name Indicator (SNI). [1, 2, 3]

Details about QUIC: [1, 2]

Building on UDP:QUIC leverages UDP's speed and efficiency while adding reliability and security features. [1, 2]
Encryption:QUIC uses TLS 1.3 encryption for secure communication, and it encrypts a wider range of metadata than TCP/TLS, including the SNI. [3, 4]
Multiplexing: QUIC allows for multiple streams of data to be sent over a single connection, which can improve throughput and reduce latency. [1, 3]
Connection Migration:QUIC supports connection migration, allowing connections to continue seamlessly even if the client IP address changes or the connection is re-established on a new network. [5]
Zero-RTT:QUIC supports 0-RTT connection establishment, which means that the client can send data in the first packet without waiting for a full handshake, reducing latency, according to the APNIC Labs [https://labs.apnic.net/index.php/2022/11/02/comparing-quic-and-tcp/]. [6]

Generative AI is experimental.

[1] https://www.emqx.com/en/blog/quic-protocol-the-features-use-cases-and-impact-for-iot-iov

[2] https://blog.apnic.net/2022/07/11/a-look-at-quic-use/

[3] https://www.f5.com/company/blog/nginx/primer-quic-networking-encryption-in-nginx

[4] https://blog.cloudflare.com/the-road-to-quic/

[5] https://www.zscaler.com/blogs/product-insights/quic-secure-communication-protocol-shaping-future-of-internet

[6] https://labs.apnic.net/index.php/2022/11/02/comparing-quic-and-tcp/

QUIC Protocol: A Detailed Report

What is QUIC?

QUIC (Quick UDP Internet Connections) is a general-purpose transport layer network protocol developed by Google and standardized by the IETF (Internet Engineering Task Force). It's designed to enhance performance and security for applications that rely on the Internet Protocol (IP). QUIC typically operates on top of UDP (User Datagram Protocol).

How does QUIC work?

QUIC aims to address some of the limitations of TCP (Transmission Control Protocol). It improves upon TCP by combining the functionalities of TCP, TLS (Transport Layer Security), and HTTP/2 into a single protocol, resulting in faster connection establishment, improved multiplexing, and enhanced security.

Key Features of QUIC:

Reduced Latency:QUIC significantly reduces connection establishment time by combining the TLS and transport handshakes, saving multiple round trips.
Multiplexing:It supports multiple independent streams within a single connection, preventing head-of-line blocking, where a delay in one stream affects others.
Connection Migration:QUIC can seamlessly transition between networks (e.g., Wi-Fi to cellular) without disrupting the connection, improving user experience on mobile devices.
Enhanced Security:Encryption is built-in, unlike TCP where it's optional through TLS.
Congestion Control:QUIC employs more responsive and efficient congestion control mechanisms than TCP, leading to better performance in varying network conditions.

Examples of QUIC Use and Advantages:

Web Browsing:
- How it's used:Browsers load web pages with numerous assets like images, scripts, and stylesheets.
- Advantage over TCP:QUIC's multiplexing prevents head-of-line blocking, ensuring that a slow or stalled download of one asset doesn't delay the loading of others, leading to faster page rendering and improved user experience.
Real-time Applications:
- How it's used:Video conferencing, online gaming, and live streaming applications require low latency and reliable connections for smooth, interactive experiences.
- Advantage over TCP:QUIC's low latency and optimized congestion control provide a more stable and responsive experience for real-time applications, reducing delays, buffering, and interruptions.
Mobile Applications:
- How it's used:Mobile applications need to function seamlessly even when users switch between networks (Wi-Fi, cellular).
- Advantage over TCP:QUIC's connection migration feature allows connections to persist even when the underlying IP address or network changes, eliminating the need to re-establish connections and providing a more seamless user experience.

Advantages over other protocols:

QUIC's improvements over TCP and other protocols contribute to faster loading times, better performance in challenging network conditions (e.g., high latency, packet loss), and a more secure online experience due to its built-in encryption.

A bi-direction quic protocol covert channel - QuiCC v1.0.0 video - David Cheeseman 2023

Summary of "A Bi-Direction QUIC Protocol Covert Channel - QuiCC v1.0.0"

Introduction and Background:
- Presenter: David Cheesman, a master's student at Johns Hopkins University.
- Course: Covert Channels under Dr. Lineer Watkins.
- Focus: Demonstrating a covert channel using the QUIC protocol (RFC 9000 & RFC 9396).
Protocol and Exploitation:
- QUIC's 64-bit connection ID field is used to embed encrypted payloads, leveraging its high entropy for covert communication.
- Connection IDs are indistinguishable from benign traffic due to their required randomness.
Implementation Tools and Libraries:
- Tools: AOQIC Library (Python-based QUIC HTTP client/server) and custom CC Crypto Library for encryption.
- RSA encryption is utilized, but implementation uses a simplified setup for faster development.
Code Modifications:
- Added global values like RSA parameters, CID history tracking, and metadata for peer communication.
- Adjustments to the connection module for generating, queuing, and processing connection IDs.
Message and Payload Handling:
- Messages are encrypted and transmitted using connection IDs.
- Server and client exchange RSA public keys during setup.
- Keep-alive messages ensure channel synchronization.
Covert Channel Features:
- Supports encrypted messages, file transfers, and remote command execution.
- Command outputs (stdout and stderr) are queued and transmitted back via the channel.
Demonstration:
- Demonstrated sending text messages, files, and remote commands.
- Shannon entropy of transmitted data matches that of random bytes, making traffic indistinguishable.
Limitations and Bugs:
- Current issues include synchronization drops and random host IDs being sent unexpectedly.
- RSA key size is reduced (1024 bits) to expedite demonstration, potentially impacting security.
Future Enhancements:
- Expand channel bandwidth by exploiting additional high-entropy headers.
- Develop mitigations against active interference (e.g., random byte injections by adversaries).
Code Availability:
- The code is open-source and hosted on GitHub under the repository "nuvia/qicc."

//--------------

https://developer.mozilla.org/en-US/docs/Web/API

When writing code for the Web, there are a large number of Web APIs available. Below is a list of all the APIs and interfaces (object types) that you may be able to use while developing your Web app or site.

Web APIs are typically used with JavaScript, although this doesn't always have to be the case.

This is a list of all the APIs that are available

developer.mozilla.org Web_Workers_API

A worker is an object created using a constructor (e.g. Worker()) that runs a named JavaScript file — this file contains the code that will run in the worker thread.

In addition to the standard JavaScript set of functions (such as String, Array, Object, JSON, etc.), you can run almost any code you like inside a worker thread. There are some exceptions: for example, you can't directly manipulate the DOM from inside a worker, or use some default methods and properties of the Window object. For information about the code that you can run see supported functions, and supported Web APIs.

Data is sent between workers and the main thread via a system of messages — both sides send their messages using the postMessage() method, and respond to messages via the onmessage event handler (the message is contained within the message event's data property). The data is copied rather than shared.

developer.mozilla.org. - NavigatorUAData: getHighEntropyValues() method

The NavigatorUAData interface of the User-Agent Client Hints API returns information about the browser and operating system of a user.

An instance of this object is returned by calling Navigator.userAgentData or WorkerNavigator.userAgentData. Therefore, this interface has no constructor.

Note: The terms high entropy and low entropy refer to the amount of information these values reveal about the browser. The values returned as properties are deemed low entropy, and unlikely to identify a user. The values returned by NavigatorUAData.getHighEntropyValues() could potentially reveal more information. These values are therefore retrieved via a Promise, allowing time for the browser to request user permission, or make other checks.

//--------------
shmoocon

David Cheeseman, CISSP/CKADDavid Cheeseman, CISSP/CKAD
Sr Cybersecurity Engineer and Security ProfessionalSr Cybersecurity Engineer and Security Professional

Had a blast presenting my work! Posted the slides to my GitHub! Thanks to all the staff that made hashtag#ShmooCon such a blast!

https://lnkd.in/gyxvfVYi

https://www.linkedin.com/posts/dcheeseman_shmoocon-activity-7283995766912700416-W722?utm_source=share&utm_medium=member_desktop

https://github.com/nuvious/QuiCC

Covert channels are means of transmitting information in a clandestine way that are not observable by a passive warden and are resistant to intercept or disruption by an active warden.

This covert channel is implemented using the quic protocol defined by RFC 9000 and RFC 9369 by exploiting high entropy header fields

In the context of HTTP headers, "high entropy header fields" refer to specific pieces of information within a request header that provide a high level of detail about the client device, potentially revealing sensitive information like the exact model, operating system version, and architecture, which could be used for user fingerprinting if not handled carefully; unlike "low entropy" fields which provide more generic information about the client

https://developer.mozilla.org/en-US/docs/Web/API/NavigatorUAData/getHighEntropyValues

//--------------

What is the QUIC protocol used for?

https://www.google.com/search?q=can+quic+protocol+run+over+lorawan+nets%3F&oq=can+quic+protocol+run+over+lorawan+nets%3F&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRhA0gEJMTQ4NTlqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8

The overall design goals of the QUIC protocol at its inception were to enhance performance, reduce latency, and improve security for network-based products and services. Indeed, browser-based and mobile applications perform better with this protocol.

https://www.zscaler.com/blogs/product-insights/quic-secure-communication-protocol-shaping-future-of-internet

//--------------

caq>>
how is the bi-direction quic protocol covert channel different than normal encrypted or vpn message traffic?

https://www.google.com/search?q=how+is+the+bi-direction+quic+protocol+covert+channel+different+than+normal+encrypted+or+vpn+message+traffic%3F&oq=how+is+the+bi-direction+quic+protocol+covert+channel+different+than+normal+encrypted+or+vpn+message+traffic%3F&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCTI0OTA2ajBqN6gCALACAA&sourceid=chrome&ie=UTF-8

A bi-directional QUIC protocol covert channel differs from normal encrypted or VPN message traffic because it hides secret information within the seemingly regular QUIC packet headers and encryption parameters, exploiting the complexity of the protocol to embed covert data in a way that is difficult to detect by standard network monitoring tools, while still appearing as legitimate QUIC traffic; whereas typical encrypted or VPN traffic transmits data in a more predictable pattern, making it easier to identify and isolate suspicious activity

Hidden within normal traffic:
A QUIC covert channel embeds secret data within the various fields of a QUIC packet, like connection IDs, packet numbers, or encryption parameters, making it hard to distinguish from regular traffic unless specifically looking for these subtle variations.
Exploiting protocol complexity:
QUIC's intricate handshake process and multiplexing features provide more opportunities to manipulate seemingly innocuous parts of the protocol to convey hidden information.
Dynamic adjustments:
Unlike a dedicated VPN, a QUIC covert channel can dynamically adjust its "encoding" to make detection harder by changing the way secret data is embedded within the packets depending on network conditions.
Minimal disruption to normal traffic:
Since the covert communication is hidden within the regular QUIC flow, it can potentially avoid raising red flags by not significantly altering the overall traffic pattern.
How it can be used maliciously:
Exfiltrating sensitive data:
An attacker could use a QUIC covert channel to steal sensitive data from a compromised system without raising suspicion by embedding the data in seemingly normal QUIC packets.
Establishing a backdoor:
A covert channel could be used to establish a hidden communication channel with a malicious server for further command and control.
Detection challenges:
Complex analysis:
Detecting a QUIC covert channel requires deep packet inspection and advanced analysis to identify subtle deviations from normal QUIC traffic patterns.
False positives:
Standard network monitoring tools might generate false positives due to the inherent complexity of the QUIC protoco

//--------------

caq>>
can quic protocol run over lorawan nets?

add the double secret probation concept that
adds variable message packet size, locations,

//--------------

caq>>
homomorphic encryption on squic protocol as

squic can run on multiple protocols or outside ? as net noise

Homomorphic encryption is a type of cryptography that allows users to perform calculations on encrypted data without first decrypting it, meaning you can analyze and process data while maintaining its privacy by keeping it in its encrypted form throughout the computation process; essentially, it lets you operate on data without revealing the underlying information itself.

https://www.techtarget.com/searchsecurity/definition/homomorphic-encryption

//--------------

caq>> lora comms

how does signal to noise detection work on a lorawan connection

is static data under sdc

https://www.google.com/search?q=how+does+signal+to+noise+detection+work+on+a+lorawan+connection&oq=how+does+signal+to+noise+detection+work+on+a+lorawan+connection&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCTMwNjU0ajBqN6gCALACAA&sourceid=chrome&ie=UTF-8

-------------------
semtech LoRa and LoRaWAN
https://www.semtech.com/uploads/technology/LoRa/lora-and-lorawan.pdf

Long Range Wide Area Network (LoRaWAN) is an open networking protocol that enables devices to communicate using a type of proprietary wireless technology known as Long Range Radio or LoRa.

LoRa was designed by Semtech and is characterised by its approach to signal modulation using a technique known as chirp spread spectrum (CSS).

A fixed channel bandwidth is selected, determined by spectrum availability and the application’s performance and data rate requirements. For example a 125 KHz bandwidth is most commonly used across Europe in LoRaWAN networks. The data rate of any given LoRa transmission is further determined by a so-called spreading factor in the range SF7 (lowest amount of spreading) to SF12 (highest amount of spreading).

The choice of bandwidth and spreading factor effectively determines the symbol period used, where a lower spreading factor has a lower symbol period (less time per symbol, higher data rate) and a larger spreading factor a larger symbol period (more time per symbol, lower data rate). Moreover, the choice of spreading factor also determines the processing gain obtained through the chirp modulation scheme when a receiver demodulates the signal.

-------------------
What is LoRa: The fundamentals

https://medium.com/@prajzler/what-is-lora-the-fundamentals-79a5bb3e6dec

-------------------
How does LoRa Radio actually work?
https://forum.arduino.cc/t/how-does-lora-radio-actually-work/468627

LoRa technology is a proprietary wireless technology developed by Semtech Corporation. It utilizes a spread spectrum modulation in the Sub-GHz band to enable long range (greater than 10 miles) coverage, low power consumption (up to 10 years battery power), high network capacity (up to 1 million nodes), robust communication, and localization capability.

LoRa technology is capable of demodulating 20 dB below noise level, significantly improving immunity to the interference when combined with integrated forward error correction.
LoRa technology has high sensitivity, -148 dBm, enabling extremely long range connectivity.

That's from http://www.microchip.com/design-centers/wireless-connectivity/embedded-wireless/lora-technology.

I guess the most important word in the first sentence is "proprietary". LoRa is not opened but controlled by one company. I guess they won't tell you in detail how they achieve all the nice values for LoRa.

-------------------
RSSI-based locating issues in LoRaWAN networks
https://www.icoteq.com/why-rssi-based-locating-is-problematic-in-lorawan-networks/

Learn why RSSI-based locating is problematic in LoRaWAN networks due to the variable nature of radio environments, interference, and the limitations of RSSI in accurately determining link range and signal quality. This article explains the challenges and offers insights into more reliable methods for improving location accuracy in LoRaWAN applications

https://www.icoteq.com/why-rssi-based-locating-is-problematic-in-lorawan-networks/

-------------------

How does LoRa achieve sub-noise demodulation?

https://www.reddit.com/r/Lora/comments/vs5mzx/how_does_lora_achieve_subnoise_demodulation/

I only find that Chirp Spread Spectrum Modulation and Forward Error Correction is used but not how they correlate with the detection below noise.

The secret 'sauce' is 'spreading' a very small data stream into a much bigger channel than needed - this would sound like a waste of spectrum but the end result is still a relatively small channel (125KHz, 500KHz) so that the 'noise' is, again, 'spread' as well. This gives your data/signal a 'boost' above the 'noise' (signal to noise ratio). It's very similar to cellular 3G CDMA, but in that case the channels were a lot bigger (1.25MHz and above], and done for the same reason. Keeping the channels as small as possible is key - as a rule of thumb whenever you double your channel you also increase your 'noise' by 2X. But, of course, the smaller the channels the less data sent per 'unit of time' (symbol). So it's always a game of how far, for how long, with what power, at what costs, etc...With different 'timing' of 'spread' (spreading factors), and a modulation scheme similar to that of 'doppler radar' technology and the end result is an considerable 'link budget' with a very 'sensitive' and forgiving radio communication. This is a huge oversimplification of the technology, but will give you a start to google all above - there are tons of YouTube videos that go in deep into CHIRPs, spread spectrum, signal to noise ratio, link budget, etc...hope this helps!

And just to put number on your explanation: the SF (spreading Factor) in LoRa gives you the gain you can achieve. So for SF7, it means the de-spreading operation will provides a gain of 2^7 = 128 = 21dB. So a signal at -8dB (the 1% sensitivity SNR level), after de-spreading will now be at 13dB.

And from this, it should now be clear why you might have read that increasing the SF by 1 improve sensitivity by ~3dB (It is actually less than 3dB because you are also transmitting one bit more per symbol, which reduce the energy per bit)

-------------------
LoRaWAN Concentrators

The Things Network

https://www.thethingsnetwork.org/docs/lorawan/concentrators/#:~:text=SX1301%20product%20page.-,SX1302,more%20traffic%20than%20its%20predecessor.

Semtech’s LoRa concentrators power all LoRa communication.

Semtech has produced four LoRa concentrators and all LoRaWAN gateways use one of these devices to receive and transmit LoRa messages.

Read about all of Semtech’s LoRa products on their LoRa product page.

Additionally, RAK Wireless provides a great breakdown of available LoRa hardware.

This page provides a quick description of each of the LoRa concentrators.

Time Difference of Arrival (TDOA) geolocation is a technique for determining the location of a signal source by measuring the difference in time it takes for a signal to reach multiple receivers at known locations, essentially allowing you to calculate the distance from the source to each receiver and pinpoint its position based on those distances; it's often used in applications like tracking devices or locating cell phone calls by utilizing signals from multiple cell towers

Waveshare SX1303 915M LoRaWAN Gateway HAT Compatible with Raspberry Pi 5/4B/3B/Zero/Zero W/Zero 2W/Pico/Pico W/Pico WH, Mini-PCIe Socket, Long Range Transmission, Large Capacity, Multi-Band Support

$136.99

https://www.amazon.com/SX1303-915M-LoRaWAN-Gateway-HAT/dp/B0BGPZKR9S

//--------------

https://www.shmoocon.org/

https://www.shmoocon.org/about_shmoocon/

DIFFERENT – ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.

AFFORDABLE – ShmooCon is about high quality without the high price. Keep in mind that space is limited, and we’ve sold out quickly every year.

ACCESSIBLE – ShmooCon is held in Washington, DC at the Washington Hilton

TICKET PRICE

All general admission tickets for ShmooCon 2025 are $175.

WHEN DO TICKETS GO ON SALE

Tickets for ShmooCon 2025 will be sold on Nov 1, Dec 1, and Dec 15, 2024 at noon, Eastern Time. These dates are subject to change so please keep an eye on our news page or follow us on social media for updates. Be warned, tickets sell out very quickly. Last year tickets sold out in just over 23 seconds across the three rounds of sales.

Key Points

References

Key Concepts

A bi-direction quic protocol covert channel - QuiCC v1.0.0 video - David Cheeseman 2023

Summary of "A Bi-Direction QUIC Protocol Covert Channel - QuiCC v1.0.0"

https://developer.mozilla.org/en-US/docs/Web/API

developer.mozilla.org Web_Workers_API

developer.mozilla.org. - NavigatorUAData: getHighEntropyValues() method

Potential Value Opportunities

Potential Challenges

Candidate Solutions

Step-by-step guide for Example

Recommended Next Steps

Related articles

Browser not supported