Datagram Transport Layer Security
Datagram Transport Layer Security (DTLS) is a communications protocol that provides security for datagram-based applications by allowing them to communicate in a way that is designed[1][2] to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport — the application does not suffer from the delays associated with stream protocols, but has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet.
Contents
Definition[edit]
The following documents define DTLS:
- RFC 6347 for use with User Datagram Protocol (UDP),
- RFC 5238 for use with Datagram Congestion Control Protocol (DCCP),
- RFC 5415 for use with Control And Provisioning of Wireless Access Points (CAPWAP),
- RFC 6083 for use with Stream Control Transmission Protocol (SCTP) encapsulation,
- RFC 5764 for use with Secure Real-time Transport Protocol (SRTP) subsequently called DTLS-SRTP in a draft with Secure Real-Time Transport Control Protocol (SRTCP).[3]
DTLS 1.0 is based on TLS 1.1, and DTLS 1.2 is based on TLS 1.2.
Implementations[edit]
Libraries[edit]
| Implementation | DTLS 1.0[1] | DTLS 1.2[2] |
|---|---|---|
| Botan | Yes | Yes |
| cryptlib | No | No |
| GnuTLS | Yes | Yes |
| Java Secure Socket Extension | Yes | Yes |
| LibreSSL | Yes | No |
| libsystools[4] | Yes | No |
| MatrixSSL | Yes | Yes |
| mbed TLS (previously PolarSSL) | Yes[5] | Yes[5] |
| Network Security Services | Yes[6] | Yes[7] |
| OpenSSL | Yes | Yes[8] |
| PyDTLS[9][10] | Yes | Yes |
| RSA BSAFE | No | No |
| SChannel XP/2003, Vista/2008 | No | No |
| SChannel 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes[11] | No[11] |
| SChannel 10 (1607), 2016 | Yes | Yes[12] |
| Secure Transport OS X 10.2-10.7 / iOS 1-4 | No | No |
| Secure Transport OS X 10.8-10.10 / iOS 5-8 | Yes[a] | No |
| SharkSSL | No | No |
| tinydtls [13] | No | Yes |
| wolfSSL (previously CyaSSL) | Yes | Yes |
| Implementation | DTLS 1.0 | DTLS 1.2 |
Applications[edit]
- Cisco AnyConnect VPN Client uses TLS and DTLS,[15] as does the AnyConnect-compatible open-source OpenConnect client
- Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments[16]
- F5 Networks Edge VPN Client uses TLS and DTLS[17]
- Citrix Systems NetScaler uses DTLS to secure UDP[18]
- Web browsers: Google Chrome, Opera and Firefox support DTLS-SRTP[19] for WebRTC
Vulnerabilities[edit]
In February 2013 two researchers from Royal Holloway, University of London discovered an attack[20] which allowed them to recover plaintext from a DTLS connection using the OpenSSL implementation of DTLS when Cipher Block Chaining mode encryption was used.
See also[edit]
References[edit]
- ^ a b RFC 4347
- ^ a b RFC 6347
- ^ Peck, M.; Igoe, K. (2012-09-25). "Suite B Profile for Datagram Transport Layer Security / Secure Real-time Transport Protocol (DTLS-SRTP)". IETF.
- ^ Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". Sourceforge.
- ^ a b "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
- ^ "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
- ^ "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30.
- ^ "As of version 1.0.2". The OpenSSL Project. The OpenSSL Project. 2015-01-22. Retrieved 2015-01-26.
- ^ Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- ^ Ray Brown. "DTLS for Python". Python Software Foundation.
- ^ a b "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- ^ Justinha. "TLS (Schannel SSP)". docs.microsoft.com. Retrieved 2017-05-01.
- ^ Olaf Bergmann. "tinydtls". Eclipse Foundation.
- ^ "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- ^ "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. Retrieved 26 February 2017.
- ^ "Cisco InterCloud Architectural Overview" (PDF). Cisco Systems.
- ^ "f5 Datagram Transport Layer Security (DTLS)". f5 Networks.
- ^ "Configuring a DTLS Virtual Server". Citrix Systems.
- ^ "WebRTC Interop Notes". Archived from the original on 2013-05-11.
- ^ Plaintext-Recovery Attacks Against Datagram TLS
External links[edit]
- "Transport Layer Security (tls) - Charter". IETF.
- Modadugu, Nagendra; Rescorla, Eric (2003-11-21). "The Design and Implementation of Datagram TLS" (PDF). Stanford Crypto Group. Retrieved 2013-03-17.
- AlFardan, Nadhem J.; Paterson, Kenneth G. "Plaintext-Recovery Attacks Against Datagram TLS" (PDF). Retrieved 2013-11-25.
- Gibson, Steve; Laporte, Leo (2012-11-28). "Datagram Transport Layer Security". Security Now 380. Retrieved 2013-03-17. Skip to 1:07:14.
- Robin Seggelmann's Sample Code: echo, character generator, and discard client/servers.
This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.
