Datagram Transport Layer Security
In information technology, the Datagram Transport Layer Security (DTLS) communications protocol provides communications security for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed[1][2] to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS datagram preserves the semantics of the underlying transport: the application does not suffer from the delays associated with stream protocols, but it has to deal with packet reordering, datagram loss, and data larger than the size of a datagram network packet.
Definition
The following documents define DTLS:
- RFC 6347 for use with User Datagram Protocol (UDP),
- RFC 5238 for use with Datagram Congestion Control Protocol (DCCP),
- RFC 6083 for use with Stream Control Transmission Protocol (SCTP) encapsulation,
- RFC 5764 for use with Secure Real-time Transport Protocol (SRTP), subsequently called DTLS-SRTP in a draft with Secure Real-Time Transport Control Protocol (SRTCP).[3]
DTLS 1.0 is based on TLS 1.1, and DTLS 1.2 is based on TLS 1.2.
Version | DTLS 1.0 | DTLS 1.2 |
---|---|---|
Based on | TLS 1.1 | TLS 1.2 |
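The record layer is where the reordering and loss mentioned in the introduction become visible: every DTLS 1.0/1.2 record carries an explicit epoch and 48-bit sequence number, and the version field distinguishes the two versions in the table above. The following Python sketch is an added example, not code from any of the cited RFCs or libraries; it parses record headers as laid out in RFC 6347 and classifies arrivals with a sliding window modelled on that RFC's anti-replay check. The names `parse_records`, `SequenceWindow`, `build_record` and `demo` are illustrative, and the sample datagrams are constructed.

```python
import struct

# Wire versions are the one's complement of the version number (RFC 6347, section 4.1).
DTLS_VERSIONS = {(254, 255): "DTLS 1.0", (254, 253): "DTLS 1.2"}
# type, version major/minor, epoch, 48-bit sequence number (16+32 bits), length = 13 bytes
HEADER = struct.Struct("!BBBHHIH")

def parse_records(datagram: bytes):
    """Split one UDP payload into DTLS record headers; ValueError on malformed input."""
    records, offset = [], 0
    while offset < len(datagram):
        if len(datagram) - offset < HEADER.size:
            raise ValueError("truncated record header")
        ctype, major, minor, epoch, hi, lo, length = HEADER.unpack_from(datagram, offset)
        if (major, minor) not in DTLS_VERSIONS:
            raise ValueError(f"unexpected record version {major}.{minor}")
        end = offset + HEADER.size + length
        if end > len(datagram):  # a record never spans two datagrams
            raise ValueError("record length exceeds datagram")
        records.append({"type": ctype, "version": DTLS_VERSIONS[(major, minor)],
                        "epoch": epoch, "seq": (hi << 32) | lo, "length": length})
        offset = end
    return records

class SequenceWindow:
    """Sliding window over the sequence numbers of one epoch (after RFC 6347, 4.1.2.6)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, -1, 0

    def classify(self, seq: int) -> str:
        # A real receiver consults and updates the window only for records whose MAC verified.
        if seq > self.top:  # new highest number: slide the window forward
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return "new"
        back = self.top - seq
        if back >= self.size or (self.bitmap >> back) & 1:
            return "drop"  # older than the window, or already received
        self.bitmap |= 1 << back
        return "reordered"  # late, but not seen before

def build_record(ctype, version, epoch, seq, body):  # helper for constructed samples
    return HEADER.pack(ctype, *version, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body)) + body

def demo():  # constructed traffic: type-23 records arriving as seq 0, 2, 1, 2
    window = SequenceWindow()
    datagrams = [build_record(23, (254, 253), 1, s, b"\x00" * 8) for s in (0, 2, 1, 2)]
    return [(r["version"], r["seq"], window.classify(r["seq"]))
            for d in datagrams for r in parse_records(d)]
```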
Implementations
Libraries
Implementation | DTLS 1.0[4] | DTLS 1.2[2] |
---|---|---|
Botan | Yes | Yes |
cryptlib | No | No |
GnuTLS | Yes | Yes |
Java Secure Socket Extension | No | No |
LibreSSL | Yes | No |
libsystools[5] | Yes | No |
MatrixSSL | Yes | Yes |
mbed TLS (previously PolarSSL) | Yes[6] | Yes[6] |
Network Security Services | Yes[7] | Yes[8] |
OpenSSL | Yes | Yes[9] |
Python[10][11] | Yes | No |
RSA BSAFE | No | No |
SChannel XP/2003, Vista/2008 | No | No |
SChannel 7/2008R2, 8/2012, 8.1/2012R2, 10 | Yes[12] | No[12] |
Secure Transport OS X 10.2-10.7 / iOS 1-4 | No | No |
Secure Transport OS X 10.8-10.10 / iOS 5-8 | Yes[a] | No |
SharkSSL | No | No |
tinydtls[13] | No | Yes |
wolfSSL (previously CyaSSL) | Yes | Yes |
Applications
- Cisco AnyConnect VPN Client uses TLS and DTLS,[15] as does the AnyConnect-compatible open-source OpenConnect client
- Cisco InterCloud Fabric uses DTLS to form a tunnel between private and public/provider compute environments[16]
- f5 Networks Edge VPN Client uses TLS and DTLS[17]
- Web browsers: Google Chrome, Opera and Firefox support DTLS-SRTP[18] for WebRTC
Vulnerabilities
In February 2013 two researchers from Royal Holloway, University of London discovered an attack[19] which allowed them to recover plaintext from a DTLS connection using the OpenSSL implementation of DTLS when Cipher Block Chaining mode encryption was used.
References
- [1] RFC 4347
- [2] RFC 6347
- [3] Peck, M.; Igoe, K. (2012-09-25). "Suite B Profile for Datagram Transport Layer Security / Secure Real-time Transport Protocol (DTLS-SRTP)". IETF.
- [4] RFC 4347
- [5] Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". Sourceforge.
- [6] "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
- [7] "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Retrieved 2012-10-27.
- [8] "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30.
- [9] "As of version 1.0.2". The OpenSSL Project. The OpenSSL Project. 2015-01-22. Retrieved 2015-01-26.
- [10] Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
- [11] Ray Brown. "DTLS for Python". Python Software Foundation.
- [12] "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
- [13] Olaf Bergmann. "tinydtls". Sourceforge.
- [14] "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
- [15] "Cisco AnyConnect VPN Client". Cisco.
- [16] "Cisco InterCloud Architectural Overview" (PDF). Cisco Systems.
- [17] "f5 Datagram Transport Layer Security (DTLS)". f5 Networks.
- [18] "WebRTC Interop Notes".
- [19] Plaintext-Recovery Attacks Against Datagram TLS
External links
- "Transport Layer Security (tls) - Charter". IETF.
- Modadugu, Nagendra; Rescorla, Eric (2003-11-21). "The Design and Implementation of Datagram TLS" (PDF). Stanford Crypto Group. Retrieved 2013-03-17.
- AlFardan, Nadhem J.; Paterson, Kenneth G. "Plaintext-Recovery Attacks Against Datagram TLS" (PDF). Retrieved 2013-11-25.
- Gibson, Steve; Laporte, Leo (2012-11-28). "Datagram Transport Layer Security". Security Now 380. Retrieved 2013-03-17. Skip to 1:07:14.
- Robin Seggelmann's Sample Code: echo, character generator, and discard client/servers.
This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.