Datagram Transport Layer Security

Last updated

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed [1] [2] [3] to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses UDP or SCTP, the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem", [4] [5] when being used to create a VPN tunnel.

Contents

Definition

The following documents define DTLS:

DTLS 1.0 is based on TLS 1.1, DTLS 1.2 is based on TLS 1.2, and DTLS 1.3 is based on TLS 1.3. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS. [2] Like previous DTLS versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability". [7]

Implementations

Libraries

Library support for DTLS
ImplementationDTLS 1.0 [1] DTLS 1.2 [2] DTLS 1.3 [3]
Botan YesYes
cryptlib NoNo
GnuTLS YesYes
Java Secure Socket Extension YesYes
LibreSSL YesYes [8]
libsystools [9] YesNo
MatrixSSL YesYes
mbed TLS (previously PolarSSL)Yes [10] Yes [10]
Network Security Services Yes [11] Yes [12]
OpenSSL YesYes [13]
PyDTLS [14] [15] YesYes
Python3-dtls [16] [17] YesYes
RSA BSAFE NoNo
s2n NoNo
Schannel XP/2003, Vista/2008 NoNo
Schannel 7/2008R2, 8/2012, 8.1/2012R2, 10 Yes [18] No [18]
Schannel 10 (1607), 2016 YesYes [19]
Secure Transport OS X 10.2–10.7 / iOS 1–4NoNo
Secure Transport OS X 10.8–10.10 / iOS 5–8Yes [20] No
SharkSSLNoNo
tinydtls [21] NoYes
Waher.Security.DTLS [22] NoYes
wolfSSL (previously CyaSSL) [23] YesYesYes
@nodertc/dtls [24] [25] NoYes
java-dtls [26] YesYes
pion/dtls [27] (Go)NoYes
californium/scandium [28] (Java)NoYes
SNF4J [29] (Java)YesYes
ImplementationDTLS 1.0DTLS 1.2DTLS 1.3

Applications

Vulnerabilities

In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack [38] which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS when Cipher Block Chaining mode encryption was used.

See also

Related Research Articles

In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications.

<span class="mw-page-title-main">GnuTLS</span> Free software library implementing TLS

GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

FTPS is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer cryptographic protocols.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

Constrained Application Protocol (CoAP) is a specialized UDP-based Internet application protocol for constrained devices, as defined in RFC 7252. It enables those constrained devices called "nodes" to communicate with the wider Internet using similar protocols. CoAP is designed for use between devices on the same constrained network, between devices and general nodes on the Internet, and between devices on different constrained networks both joined by an internet. CoAP is also being used via other mechanisms, such as SMS on mobile communication networks.

QUIC is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google, implemented, and deployed in 2012, announced publicly in 2013 as experimentation broadened, and described at an IETF meeting. QUIC is used by more than half of all connections from the Chrome web browser to Google's servers. Microsoft Edge, Firefox, and Safari support it.

OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

WebRTC Gateway connects between WebRTC and an established VoIP technology such as SIP. WebRTC is an API definition drafted by the World Wide Web Consortium (W3C) that supports browser-to-browser applications for voice calling, video chat, and messaging without the need of either internal or external plugins.

IPOP (IP-Over-P2P) is an open-source user-centric software virtual network allowing end users to define and create their own virtual private networks (VPNs). IPOP virtual networks provide end-to-end tunneling of IP or Ethernet over “TinCan” links setup and managed through a control API to create various software-defined VPN overlays.

References

  1. 1 2 Rescorla, Eric; Modadugu, Nagendra (April 2006). Datagram Transport Layer Security. doi: 10.17487/RFC4347 . RFC 4347.
  2. 1 2 3 Rescorla, Eric; Modadugu, Nagendra (January 2012). Datagram Transport Layer Security Version 1.2. doi: 10.17487/RFC6347 . RFC 6347.
  3. 1 2 The Datagram Transport Layer Security (DTLS) Protocol Version 1.3. April 2022. doi: 10.17487/RFC9147 . RFC 9147.
  4. Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2023-03-10. Retrieved 2015-10-17.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  5. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX   10.1.1.78.5815 . doi:10.1117/12.630496. S2CID   8945952.
  6. Peck, M.; Igoe, K. (2012-09-25). "Suite B Profile for Datagram Transport Layer Security / Secure Real-time Transport Protocol (DTLS-SRTP)". IETF.
  7. "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".
  8. "LibreSSL 3.3.2 Release Notes". The OpenBSD Project. 2021-05-01. Retrieved 2021-06-13.
  9. Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". SourceForge.
  10. 1 2 "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
  11. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
  12. "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Archived from the original on 2021-12-07. Retrieved 2014-06-30.
  13. "As of version 1.0.2". The OpenSSL Project. The OpenSSL Project. 2015-01-22. Archived from the original on 2014-09-04. Retrieved 2015-01-26.
  14. Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
  15. Ray Brown. "DTLS for Python". Python Software Foundation.
  16. Ray Brown/Mobius Software LTD. "pydtls - Datagram Transport Layer Security for Python". GitHub.
  17. Ray Brown/Mobius Software LTD. "DTLS for Python3 Based on PyDTLS". Python Software Foundation.
  18. 1 2 "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
  19. Justinha. "TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016". docs.microsoft.com. Retrieved 2017-09-01.
  20. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  21. Olaf Bergmann. "tinydtls". Eclipse Foundation.
  22. Peter Waher. "Waher.Security.DTLS". Waher Data AB.
  23. "wolfSSL Embedded SSL/TLS Library".
  24. Dmitriy Tsvettsikh. "Secure UDP communications using DTLS in pure js". GitHub.
  25. Dmitriy Tsvettsikh. "DTLS in pure js". npm.
  26. Mobius Software LTD. "Non blocking Java DTLS Implementation based on BouncyCastle and Netty". Mobius Software LTD.
  27. Sean DuBois. "pion/dtls: DTLS 1.2 Server/Client implementation for Go". GitHub.
  28. "californium/scandium: DTLS 1.2 Server/Client implementation for java and coap. Includes connection id extension". Eclipse Foundation.
  29. SNF4J.ORG. "Simple Network Framework for Java (SNF4J)". GitHub.{{cite web}}: CS1 maint: numeric names: authors list (link)
  30. "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco . Retrieved 26 February 2017.
  31. "OpenConnect". OpenConnect . Retrieved 26 February 2017.
  32. "Cisco InterCloud Architectural Overview" (PDF). Cisco Systems.
  33. "ZScaler ZTNA 2.0 Tunnel". ZScaler.
  34. "f5 Datagram Transport Layer Security (DTLS)". f5 Networks.
  35. "Configuring a DTLS Virtual Server". Citrix Systems.
  36. "WebRTC Interop Notes". Archived from the original on 2013-05-11.
  37. "Firefox 86.0, See All New Features, Updates and Fixes". Mozilla. 2021-02-23. Archived from the original on 2021-02-22. Retrieved 2021-02-23. From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version.
  38. "Plaintext-Recovery Attacks Against Datagram TLS" (PDF).
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.