QUIC Protocol for secure messaging
Key Points
- provides a more secure messaging model than conventional encrypted message traffic solutions
References
Reference description with linked URLs | Notes
---|---
Secure Messaging Concepts | 
Key Concepts
A Bi-Direction QUIC Protocol Covert Channel - QuiCC v1.0.0 (video) - David Cheeseman, 2023
Summary of "A Bi-Direction QUIC Protocol Covert Channel - QuiCC v1.0.0"
Introduction and Background:
- Presenter: David Cheeseman, a master's student at Johns Hopkins University.
- Course: Covert Channels under Dr. Lanier Watkins.
- Focus: Demonstrating a covert channel using the QUIC protocol (RFC 9000 and RFC 9369).
Protocol and Exploitation:
- QUIC's 64-bit connection ID field is used to embed encrypted payloads, leveraging its high entropy for covert communication.
- Connection IDs are indistinguishable from benign traffic due to their required randomness.
Implementation Tools and Libraries:
- Tools: the aioquic library (Python-based QUIC/HTTP client and server) and a custom CC Crypto Library for encryption.
- RSA encryption is utilized, but implementation uses a simplified setup for faster development.
Code Modifications:
- Added global values like RSA parameters, CID history tracking, and metadata for peer communication.
- Adjustments to the connection module for generating, queuing, and processing connection IDs.
Message and Payload Handling:
- Messages are encrypted and transmitted using connection IDs.
- Server and client exchange RSA public keys during setup.
- Keep-alive messages ensure channel synchronization.
Covert Channel Features:
- Supports encrypted messages, file transfers, and remote command execution.
- Command outputs (stdout and stderr) are queued and transmitted back via the channel.
Demonstration:
- Demonstrated sending text messages, files, and remote commands.
- Shannon entropy of transmitted data matches that of random bytes, making traffic indistinguishable.
Limitations and Bugs:
- Current issues include synchronization drops and random host IDs being sent unexpectedly.
- RSA key size is reduced (1024 bits) to expedite demonstration, potentially impacting security.
Future Enhancements:
- Expand channel bandwidth by exploiting additional high-entropy headers.
- Develop mitigations against active interference (e.g., random byte injections by adversaries).
Code Availability:
- The code is open-source and hosted on GitHub under the repository "nuvious/QuiCC".
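The summary above notes that the Shannon entropy of the channel's connection IDs matches that of random bytes. The following added example (not code from the talk or the QuiCC repository) shows from a defender's side what that statistic can and cannot do: a sample of unpredictable RFC 9000 style connection IDs and a sample standing in for ciphertext-carrying ones are indistinguishable by entropy, while only structured, predictable connection IDs (a fixed routing prefix plus a counter, a hypothetical load-balancer scheme) stand out. All connection IDs are constructed; the channel itself is deliberately not implemented, since random bytes are statistically the same as ciphertext for this purpose.

```python
"""
Entropy profile of QUIC connection IDs, as a defender's sanity check.
Added example; not from the QuiCC talk or repository. All CIDs are constructed.
"""
import math
import random
from collections import Counter

CID_LEN = 8  # 64-bit connection IDs, the width used in the talk


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def shannon_entropy_bits_per_bit(data: bytes) -> float:
    """Empirical entropy of the bit stream in bits per bit (max 1.0)."""
    if not data:
        return 0.0
    ones = sum(bin(b).count("1") for b in data)
    p1 = ones / (len(data) * 8)
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1.0 - p1) * math.log2(1.0 - p1))


def random_cids(count: int, seed: int) -> list[bytes]:
    """Constructed stand-in for unpredictable CIDs (RFC 9000 requires them to be
    unguessable). Because ciphertext is statistically random, the same generator
    also stands in for CIDs that would carry encrypted payload bytes."""
    rng = random.Random(seed)  # seeded so the sample is reproducible
    return [rng.randbytes(CID_LEN) for _ in range(count)]


def structured_cids(count: int) -> list[bytes]:
    """Constructed CIDs of the kind a load balancer might issue: a fixed
    4-byte routing prefix (hypothetical value) plus a 4-byte big-endian counter."""
    prefix = b"\x00\x11\x22\x33"
    return [prefix + i.to_bytes(4, "big") for i in range(count)]


def entropy_profile(cids: list[bytes]) -> dict[str, float]:
    """Entropy statistics over a sample of CIDs, as a monitor would compute them."""
    blob = b"".join(cids)
    return {
        "bytes_sampled": float(len(blob)),
        "bits_per_byte": shannon_entropy_bits_per_byte(blob),
        "bits_per_bit": shannon_entropy_bits_per_bit(blob),
    }


def looks_random(profile: dict[str, float], threshold: float = 7.5) -> bool:
    """Naive verdict: at or above the threshold the sample is 'random enough'.
    Both benign unpredictable CIDs and payload-carrying CIDs pass this test."""
    return profile["bits_per_byte"] >= threshold


if __name__ == "__main__":
    samples = {
        "benign-random": entropy_profile(random_cids(1000, seed=1)),
        "payload-like": entropy_profile(random_cids(1000, seed=2)),
        "structured": entropy_profile(structured_cids(1000)),
    }
    for name, prof in samples.items():
        print(f"{name:14s} {prof['bits_per_byte']:.3f} bits/byte  "
              f"{prof['bits_per_bit']:.4f} bits/bit  random-looking={looks_random(prof)}")
```

The first two rows come out within a few hundredths of a bit of each other and both near 8 bits/byte, which is the point: an entropy gate only separates structured identifiers from unpredictable ones, so monitoring for this kind of channel has to lean on behavioural signals around connection ID usage rather than on the bytes themselves.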
//--------------
https://developer.mozilla.org/en-US/docs/Web/API
When writing code for the Web, there are a large number of Web APIs available. Below is a list of all the APIs and interfaces (object types) that you may be able to use while developing your Web app or site.
Web APIs are typically used with JavaScript, although this doesn't always have to be the case.
This is a list of all the APIs that are available.
developer.mozilla.org - Web Workers API
A worker is an object created using a constructor (e.g. Worker()) that runs a named JavaScript file — this file contains the code that will run in the worker thread.
In addition to the standard JavaScript set of functions (such as String, Array, Object, JSON, etc.), you can run almost any code you like inside a worker thread. There are some exceptions: for example, you can't directly manipulate the DOM from inside a worker, or use some default methods and properties of the Window object. For information about the code that you can run see supported functions, and supported Web APIs.
Data is sent between workers and the main thread via a system of messages — both sides send their messages using the postMessage() method, and respond to messages via the onmessage event handler (the message is contained within the message event's data property). The data is copied rather than shared.
developer.mozilla.org - NavigatorUAData: getHighEntropyValues() method
The NavigatorUAData interface of the User-Agent Client Hints API returns information about the browser and operating system of a user.
An instance of this object is returned by calling Navigator.userAgentData or WorkerNavigator.userAgentData. Therefore, this interface has no constructor.
Note: The terms high entropy and low entropy refer to the amount of information these values reveal about the browser. The values returned as properties are deemed low entropy, and unlikely to identify a user. The values returned by NavigatorUAData.getHighEntropyValues() could potentially reveal more information. These values are therefore retrieved via a Promise, allowing time for the browser to request user permission, or make other checks.
//--------------
shmoocon
David Cheeseman, CISSP/CKAD
Sr Cybersecurity Engineer and Security Professional
Had a blast presenting my work! Posted the slides to my GitHub! Thanks to all the staff that made #ShmooCon such a blast!
https://github.com/nuvious/QuiCC
Covert channels are means of transmitting information in a clandestine way that are not observable by a passive warden and are resistant to intercept or disruption by an active warden.
This covert channel is implemented using the QUIC protocol defined by RFC 9000 and RFC 9369, by exploiting high-entropy header fields.
In the context of HTTP headers, "high entropy header fields" refer to specific pieces of information within a request header that provide a high level of detail about the client device, potentially revealing sensitive information such as the exact model, operating system version, and architecture, which could be used for user fingerprinting if not handled carefully; "low entropy" fields, by contrast, provide only generic information about the client.
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorUAData/getHighEntropyValues
//--------------
What is the QUIC protocol used for?
The overall design goals of the QUIC protocol at its inception were to enhance performance, reduce latency, and improve security for network-based products and services. Indeed, browser-based and mobile applications perform better with this protocol.
//--------------
caq>>
how is the bi-direction quic protocol covert channel different than normal encrypted or vpn message traffic?
A bi-directional QUIC protocol covert channel differs from normal encrypted or VPN message traffic because it hides secret information within the seemingly regular QUIC packet headers and encryption parameters, exploiting the complexity of the protocol to embed covert data in a way that is difficult to detect by standard network monitoring tools, while still appearing as legitimate QUIC traffic; whereas typical encrypted or VPN traffic transmits data in a more predictable pattern, making it easier to identify and isolate suspicious activity.
Hidden within normal traffic:
A QUIC covert channel embeds secret data within the various fields of a QUIC packet, like connection IDs, packet numbers, or encryption parameters, making it hard to distinguish from regular traffic unless specifically looking for these subtle variations.
Exploiting protocol complexity:
QUIC's intricate handshake process and multiplexing features provide more opportunities to manipulate seemingly innocuous parts of the protocol to convey hidden information.
Dynamic adjustments:
Unlike a dedicated VPN, a QUIC covert channel can dynamically adjust its "encoding" to make detection harder by changing the way secret data is embedded within the packets depending on network conditions.
Minimal disruption to normal traffic:
Since the covert communication is hidden within the regular QUIC flow, it can potentially avoid raising red flags by not significantly altering the overall traffic pattern.
How it can be used maliciously:
Exfiltrating sensitive data:
An attacker could use a QUIC covert channel to steal sensitive data from a compromised system without raising suspicion by embedding the data in seemingly normal QUIC packets.
Establishing a backdoor:
A covert channel could be used to establish a hidden communication channel with a malicious server for further command and control.
Detection challenges:
Complex analysis:
Detecting a QUIC covert channel requires deep packet inspection and advanced analysis to identify subtle deviations from normal QUIC traffic patterns.
False positives:
Standard network monitoring tools might generate false positives due to the inherent complexity of the QUIC protocol.
//--------------
caq>>
can the QUIC protocol run over LoRaWAN nets?
add the double secret probation concept that
adds variable message packet size, locations,
//--------------
caq>>
homomorphic encryption on squic protocol as
squic can run on multiple protocols or outside ? as net noise
Homomorphic encryption is a type of cryptography that allows users to perform calculations on encrypted data without first decrypting it, meaning you can analyze and process data while maintaining its privacy by keeping it in its encrypted form throughout the computation process; essentially, it lets you operate on data without revealing the underlying information itself.
https://www.techtarget.com/searchsecurity/definition/homomorphic-encryption
//--------------
caq>> lora comms
how does signal-to-noise detection work on a LoRaWAN connection
is static data under sdc
-------------------
semtech LoRa and LoRaWAN
https://www.semtech.com/uploads/technology/LoRa/lora-and-lorawan.pdf
Long Range Wide Area Network (LoRaWAN) is an open networking protocol that enables devices to communicate using a type of proprietary wireless technology known as Long Range Radio or LoRa.
LoRa was designed by Semtech and is characterised by its approach to signal modulation using a technique known as chirp spread spectrum (CSS).
A fixed channel bandwidth is selected, determined by spectrum availability and the application’s performance and data rate requirements. For example, a 125 kHz bandwidth is most commonly used across Europe in LoRaWAN networks. The data rate of any given LoRa transmission is further determined by a so-called spreading factor in the range SF7 (lowest amount of spreading) to SF12 (highest amount of spreading).
The choice of bandwidth and spreading factor effectively determines the symbol period used, where a lower spreading factor has a lower symbol period (less time per symbol, higher data rate) and a larger spreading factor a larger symbol period (more time per symbol, lower data rate). Moreover, the choice of spreading factor also determines the processing gain obtained through the chirp modulation scheme when a receiver demodulates the signal.
-------------------
What is LoRa: The fundamentals
https://medium.com/@prajzler/what-is-lora-the-fundamentals-79a5bb3e6dec
-------------------
How does LoRa Radio actually work?
https://forum.arduino.cc/t/how-does-lora-radio-actually-work/468627
LoRa technology is a proprietary wireless technology developed by Semtech Corporation. It utilizes a spread spectrum modulation in the Sub-GHz band to enable long range (greater than 10 miles) coverage, low power consumption (up to 10 years battery power), high network capacity (up to 1 million nodes), robust communication, and localization capability.
LoRa technology is capable of demodulating 20 dB below noise level, significantly improving immunity to the interference when combined with integrated forward error correction.
LoRa technology has high sensitivity, -148 dBm, enabling extremely long range connectivity.
That's from http://www.microchip.com/design-centers/wireless-connectivity/embedded-wireless/lora-technology.
I guess the most important word in the first sentence is "proprietary". LoRa is not opened but controlled by one company. I guess they won't tell you in detail how they achieve all the nice values for LoRa.
-------------------
RSSI-based locating issues in LoRaWAN networks
https://www.icoteq.com/why-rssi-based-locating-is-problematic-in-lorawan-networks/
Learn why RSSI-based locating is problematic in LoRaWAN networks due to the variable nature of radio environments, interference, and the limitations of RSSI in accurately determining link range and signal quality. This article explains the challenges and offers insights into more reliable methods for improving location accuracy in LoRaWAN applications.
-------------------
How does LoRa achieve sub-noise demodulation?
https://www.reddit.com/r/Lora/comments/vs5mzx/how_does_lora_achieve_subnoise_demodulation/
I only find that Chirp Spread Spectrum Modulation and Forward Error Correction is used but not how they correlate with the detection below noise.
The secret 'sauce' is 'spreading' a very small data stream into a much bigger channel than needed - this would sound like a waste of spectrum but the end result is still a relatively small channel (125KHz, 500KHz) so that the 'noise' is, again, 'spread' as well. This gives your data/signal a 'boost' above the 'noise' (signal to noise ratio). It's very similar to cellular 3G CDMA, but in that case the channels were a lot bigger (1.25MHz and above), and done for the same reason. Keeping the channels as small as possible is key - as a rule of thumb whenever you double your channel you also increase your 'noise' by 2X. But, of course, the smaller the channels the less data sent per 'unit of time' (symbol). So it's always a game of how far, for how long, with what power, at what costs, etc... With different 'timing' of 'spread' (spreading factors), and a modulation scheme similar to that of 'doppler radar' technology, the end result is a considerable 'link budget' with a very 'sensitive' and forgiving radio communication. This is a huge oversimplification of the technology, but will give you a start to google all above - there are tons of YouTube videos that go in deep into CHIRPs, spread spectrum, signal to noise ratio, link budget, etc... hope this helps!
And just to put numbers on your explanation: the SF (spreading factor) in LoRa gives you the gain you can achieve. So for SF7, it means the de-spreading operation will provide a gain of 2^7 = 128 = 21dB. So a signal at -8dB (the 1% sensitivity SNR level), after de-spreading, will now be at 13dB.
And from this, it should now be clear why you might have read that increasing the SF by 1 improves sensitivity by ~3dB (it is actually less than 3dB because you are also transmitting one bit more per symbol, which reduces the energy per bit).
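The Semtech passage above relates bandwidth and spreading factor to symbol period and processing gain, and the Reddit reply puts numbers on it (SF7 gives 2^7 = 128, about 21 dB; one SF step is worth a little under 3 dB). The following added example, written for this page rather than taken from Semtech or the quoted posters, carries those relations through for SF7 to SF12 at the 125 kHz bandwidth the text names. It assumes the textbook relations T_sym = 2^SF / BW and G = 10·log10(2^SF), and models the "less than 3 dB" remark as the 3.01 dB gain step minus the 10·log10((SF+1)/SF) loss in energy per bit from carrying one more bit per symbol.

```python
"""
LoRa spreading-factor arithmetic: symbol period, processing gain, and the net
sensitivity change per SF step. Added example; formulas as stated in the lead-in.
"""
import math

DEFAULT_BW_HZ = 125_000.0  # the 125 kHz channel most common in EU LoRaWAN
SF_RANGE = range(7, 13)    # SF7 (least spreading) to SF12 (most spreading)


def symbol_period_s(sf: int, bw_hz: float = DEFAULT_BW_HZ) -> float:
    """Symbol period in seconds: a symbol is 2^SF chips at the chip rate BW."""
    return (2 ** sf) / bw_hz


def symbol_rate_hz(sf: int, bw_hz: float = DEFAULT_BW_HZ) -> float:
    """Symbols per second, the inverse of the symbol period."""
    return bw_hz / (2 ** sf)


def processing_gain_db(sf: int) -> float:
    """De-spreading gain in dB for a spreading factor (2^SF, as in the reply above)."""
    return 10.0 * math.log10(2 ** sf)


def despread_snr_db(input_snr_db: float, sf: int) -> float:
    """SNR after de-spreading: the input SNR plus the processing gain."""
    return input_snr_db + processing_gain_db(sf)


def sensitivity_step_db(sf: int) -> float:
    """Net sensitivity change when going from SF to SF+1 (assumption from lead-in):
    +10*log10(2) dB of gain, minus the energy-per-bit penalty of carrying SF+1
    rather than SF bits per symbol."""
    gain_step = 10.0 * math.log10(2.0)
    energy_per_bit_loss = 10.0 * math.log10((sf + 1) / sf)
    return gain_step - energy_per_bit_loss


def sf_table(bw_hz: float = DEFAULT_BW_HZ) -> list[dict[str, float]]:
    """One row per spreading factor with the quantities above."""
    return [
        {
            "sf": float(sf),
            "symbol_period_ms": symbol_period_s(sf, bw_hz) * 1e3,
            "symbol_rate_hz": symbol_rate_hz(sf, bw_hz),
            "processing_gain_db": processing_gain_db(sf),
            "next_step_db": sensitivity_step_db(sf),
        }
        for sf in SF_RANGE
    ]


if __name__ == "__main__":
    print("SF  T_sym(ms)  sym/s     gain(dB)  +1 step(dB)")
    for row in sf_table():
        print(f"{int(row['sf']):2d}  {row['symbol_period_ms']:8.3f}  "
              f"{row['symbol_rate_hz']:8.1f}  {row['processing_gain_db']:7.2f}  "
              f"{row['next_step_db']:6.2f}")
    print(f"-8 dB at SF7 after de-spreading: {despread_snr_db(-8.0, 7):.1f} dB")
```

The table makes the trade-off in the Semtech text concrete: each SF step doubles the symbol period (1.024 ms at SF7 to 32.768 ms at SF12 on 125 kHz) while adding about 3 dB of processing gain, and the last column shows why the per-step sensitivity improvement quoted in the reply is a bit under 3 dB.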
-------------------
LoRaWAN Concentrators
The Things Network
Semtech’s LoRa concentrators power all LoRa communication.
Semtech has produced four LoRa concentrators and all LoRaWAN gateways use one of these devices to receive and transmit LoRa messages.
Read about all of Semtech’s LoRa products on their LoRa product page.
Additionally, RAK Wireless provides a great breakdown of available LoRa hardware.
This page provides a quick description of each of the LoRa concentrators.
Time Difference of Arrival (TDOA) geolocation is a technique for determining the location of a signal source by measuring the difference in time it takes for a signal to reach multiple receivers at known locations, essentially allowing you to calculate the distance from the source to each receiver and pinpoint its position based on those distances. It is often used in applications like tracking devices or locating cell phone calls by utilizing signals from multiple cell towers.
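To make the TDOA definition above concrete, here is an added example (written for this page; not from The Things Network, Semtech or any gateway firmware) in which four hypothetical gateways at known metre coordinates time-stamp one uplink. Only the arrival-time differences relative to gateway 0 are used, because the transmit time of a real uplink is unknown to the network; the estimate is the grid point whose predicted time differences best match the measured ones. Gateway positions, the emitter location and the arrival times are all constructed, and the brute-force grid search is chosen for clarity over the least-squares solvers a production location service would use.

```python
"""
Two-dimensional TDOA location estimate by grid search. Added example; all
gateway coordinates, the emitter position and the timestamps are constructed.
"""
import math

C = 299_792_458.0  # propagation speed in m/s (free-space assumption)

# Hypothetical gateway positions in metres, forming a 5 km square.
GATEWAYS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0), (5000.0, 5000.0)]


def distance(a, b) -> float:
    """Euclidean distance between two (x, y) points in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def arrival_times(emitter, gateways, t_tx: float = 0.0) -> list[float]:
    """Constructed measurement: the time each gateway hears a packet sent at t_tx."""
    return [t_tx + distance(emitter, g) / C for g in gateways]


def tdoas_from_times(times: list[float]) -> list[float]:
    """Time differences relative to gateway 0; the unknown t_tx cancels out."""
    return [t - times[0] for t in times[1:]]


def tdoa_residual(candidate, gateways, tdoas: list[float]) -> float:
    """Sum of squared mismatch between the TDOAs a candidate position would
    produce and the measured ones. Zero at the true position (noise-free)."""
    d0 = distance(candidate, gateways[0])
    return sum(
        ((distance(candidate, g) - d0) / C - t) ** 2
        for g, t in zip(gateways[1:], tdoas)
    )


def locate_grid(gateways, times, x_range, y_range, step: int):
    """Return the integer grid point with the smallest TDOA residual.
    x_range/y_range are inclusive (min, max) in metres; step is the grid pitch."""
    tdoas = tdoas_from_times(times)
    best, best_r = None, math.inf
    for x in range(x_range[0], x_range[1] + 1, step):
        for y in range(y_range[0], y_range[1] + 1, step):
            r = tdoa_residual((x, y), gateways, tdoas)
            if r < best_r:
                best, best_r = (x, y), r
    return best


def location_error_m(estimate, truth) -> float:
    """Distance between the estimate and the true emitter position."""
    return distance(estimate, truth)


if __name__ == "__main__":
    truth = (3700.0, 1200.0)                      # constructed emitter position
    times = arrival_times(truth, GATEWAYS, t_tx=0.25)
    est = locate_grid(GATEWAYS, times, (0, 5000), (0, 5000), 100)
    print("TDOAs (us):", [round(t * 1e6, 3) for t in tdoas_from_times(times)])
    print("estimate:", est, "error (m):", location_error_m(est, truth))
```

Two things the example makes visible that the definition does not: a 100 m grid pitch corresponds to about 0.33 µs of time difference, so gateway clocks must be synchronised to well under a microsecond for this to work, and the method needs nothing from the end device beyond the packet itself, which is why it is preferred over RSSI-based ranging in the article linked above.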
Waveshare SX1303 915M LoRaWAN Gateway HAT Compatible with Raspberry Pi 5/4B/3B/Zero/Zero W/Zero 2W/Pico/Pico W/Pico WH, Mini-PCIe Socket, Long Range Transmission, Large Capacity, Multi-Band Support
$136.99
https://www.amazon.com/SX1303-915M-LoRaWAN-Gateway-HAT/dp/B0BGPZKR9S
//--------------
https://www.shmoocon.org/about_shmoocon/
DIFFERENT – ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.
AFFORDABLE – ShmooCon is about high quality without the high price. Keep in mind that space is limited, and we’ve sold out quickly every year.
ACCESSIBLE – ShmooCon is held in Washington, DC at the Washington Hilton.
TICKET PRICE
All general admission tickets for ShmooCon 2025 are $175.
WHEN DO TICKETS GO ON SALE
Tickets for ShmooCon 2025 will be sold on Nov 1, Dec 1, and Dec 15, 2024 at noon, Eastern Time. These dates are subject to change so please keep an eye on our news page or follow us on social media for updates. Be warned, tickets sell out very quickly. Last year tickets sold out in just over 23 seconds across the three rounds of sales.
ShmooCon does not sell tickets at the door.
Potential Value Opportunities
Potential Challenges
Candidate Solutions
Step-by-step guide for Example
sample code block