Datagram Transport Layer Security

from Wikipedia, the free encyclopedia
DTLS in the TCP/IP reference model:
  Application: SIP, ...
  Transport: DTLS over UDP
  Internet: IP (IPv4, IPv6)
  Network access: Ethernet, Token Ring, FDDI, ...

Datagram Transport Layer Security (DTLS) is a TLS-based encryption protocol that, in contrast to TLS, can also be transmitted over unreliable transport protocols such as UDP.

History

  • February 2004: First draft and implementation in OpenSSL
  • 2006: RFC 4347 for the standardization of DTLS 1.0.
  • January 2012: RFC 6347 replaces previous RFC and updates DTLS to version 1.2.

Background

With Voice over IP (VoIP) and the SIP signaling protocol widely used there, which is preferably transmitted over UDP because of its various advantages, the need arose to carry the security that TLS provides for SIP over TCP across to transport over UDP. TLS itself is not suitable for this, because after a packet loss none of the subsequent packets can be authenticated.

Although DTLS was standardized in RFC 4347 in April 2006, it has so far only been used in practice with the ReSIProcate SIP stack, Citrix Enlightened Data Transport (ICA over UDP) and VPN protocols such as Cisco AnyConnect.

Functionality

The way DTLS works is largely the same as that of TLS. In order not to weaken the security of the new protocol by changing the original protocol too much, changes were made only at those points where the use of an unreliable transport protocol requires them. These changes are:

  • Restoring the reliability of the handshake at the beginning of the communication, since in this phase the arrival of all packets must be guaranteed so that authentication and key exchange can take place. This is done by retransmitting the packets after a certain time has elapsed.
  • Explicit numbering of the individual records during transmission. In TLS this numbering is only implicit, so that if a packet is lost the correct HMAC can no longer be computed; this constitutes an integrity violation and in turn leads to the connection being terminated.
  • Optional replay detection for individual records.
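The explicit record numbering and the replay detection described above, as an added example (not code from this page or from any DTLS implementation): a parser for the 13-byte DTLS 1.2 record header, whose epoch and 48-bit sequence number fields carry the explicit numbering, and the sliding-window replay check that RFC 6347 adapts from IPsec. The sample record stream, its reordering and the window size of 64 are constructed for illustration.

```python
import struct

# DTLS 1.2 record header: content type, version, epoch, 48-bit sequence number, length (13 bytes).
DTLS_RECORD_HEADER = struct.Struct("!BHH6sH")

def parse_record_header(datagram):
    """Return (content_type, version, epoch, sequence_number, length) from a DTLS record."""
    ctype, version, epoch, seq6, length = DTLS_RECORD_HEADER.unpack_from(datagram)
    return ctype, version, epoch, int.from_bytes(seq6, "big"), length

def build_record(epoch, seq, payload=b"", ctype=23, version=0xFEFD):
    """Constructed sample record: application_data (23), DTLS 1.2 version, illustrative plaintext payload."""
    return DTLS_RECORD_HEADER.pack(ctype, version, epoch, seq.to_bytes(6, "big"), len(payload)) + payload

class ReplayWindow:
    """Sliding-window replay check: each (epoch, sequence_number) is accepted at most once."""

    def __init__(self, size=64):
        self.size = size      # assumed window width in records (constructed value)
        self.epoch = 0
        self.right = -1       # highest sequence number accepted so far in this epoch
        self.bitmap = 0       # bit i set => sequence number (right - i) already seen

    def check(self, epoch, seq):
        """Return True and record the number if the record is new; False for replays or stale records."""
        if epoch < self.epoch:
            return False      # record from an epoch that has already been retired
        if epoch > self.epoch:
            # new epoch after a handshake: sequence numbers restart at 0, so reset the window
            self.epoch, self.right, self.bitmap = epoch, -1, 0
        if seq > self.right:  # advances the window; older bits fall off the left edge
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False      # too old to track, or already seen (replay)
        self.bitmap |= 1 << offset
        return True

def filter_replays(datagrams, window=None):
    """Run a stream of records through the window; return the (epoch, seq) pairs that would be delivered."""
    window = ReplayWindow() if window is None else window
    return [(e, s) for e, s in (parse_record_header(d)[2:4] for d in datagrams) if window.check(e, s)]

# Constructed UDP arrival order: reordering, a duplicate, a stale record, an epoch change, a late old-epoch record.
SAMPLE_STREAM = [build_record(1, 0), build_record(1, 2), build_record(1, 1), build_record(1, 2),
                 build_record(1, 80), build_record(1, 5), build_record(2, 0), build_record(1, 81)]
```

Running `filter_replays(SAMPLE_STREAM)` delivers the reordered record (1, 1) but drops the duplicate (1, 2), the stale (1, 5) and the old-epoch (1, 81).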

Norms and standards

  • RFC 4347, Datagram Transport Layer Security (2006, obsolete)
  • RFC 6347, Datagram Transport Layer Security Version 1.2 (2012)
