Datagram Transport Layer Security (DTLS) provides communication security for datagram protocols. It is also used with WebRTC.
DTLS is based on the Transport Layer Security (TLS) protocol. This datagram-compatible version of the protocol is deliberately designed to be similar to TLS, with the minimal amount of changes needed to fix problems created by the reordering or loss of packets. There are two main areas where unreliability creates problems for TLS:
- The traffic encryption layer does not allow individual packets to be decrypted independently, because there are two inter-record dependencies:
  - Cryptographic context is chained between records
  - A Message Authentication Code (MAC) that includes a sequence number provides anti-replay and message reordering protection, but the sequence numbers are implicit in the records
- The handshake layer breaks if messages are lost because it depends on them being transmitted reliably, for these two reasons:
  - The handshake is a lockstep cryptographic handshake requiring messages to be transmitted and received in a defined order, causing a problem with potential reordering and message loss
  - Fragmentation can be a problem because the handshake messages are potentially larger than any given datagram
The first problem, caused by the inter-packet dependencies, can be solved with a method employed in the Secure Internet Protocol (IPsec): adding explicit state to each individual record.
To solve the issue of packet loss, DTLS employs a simple retransmission timer. Figure 1 below illustrates the basic concept. The client is expecting to see the HelloVerifyRequest message from the server. If the timer expires, the client knows that either the ClientHello or the HelloVerifyRequest was lost and retransmits.
Reordering is solved by giving each handshake message a specific sequence number, which the receiving peer uses to determine whether it has received the next message in the sequence. If the message is the next one, the peer processes it. If it is not the next one, the peer queues it for future handling once that message's sequence number is reached.
Handshake messages can be quite large (2^24 - 1 bytes) and UDP datagrams are usually limited to less than 1500 bytes. DTLS compensates for this by allowing each handshake message to be fragmented over several UDP datagrams. Each handshake message contains a fragment offset and a fragment length, allowing the recipient to reassemble the bytes into the complete message when all packets are received.
Optionally, DTLS supports replay detection by maintaining a bitmap window of received records. Records that are too old to fit in the window and those that have been previously received are discarded. This is the same technique used by IPsec AH/ESP.
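
The bitmap window described above can be sketched as follows. This is an added example, not code from any DTLS implementation: the struct, the function names, the 64-record window width and the `mac_ok` flag standing in for real MAC verification are all assumptions made for illustration. The check runs before MAC verification and the window is updated only afterwards, so a forged record cannot slide the window forward.

```c
#include <stdint.h>
#include <stdbool.h>

#define REPLAY_WINDOW_BITS 64  /* window width chosen for this example */

/* Hypothetical per-epoch receive state; not taken from any DTLS library. */
struct replay_window {
    uint64_t top;      /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => record (top - i) was already received */
    bool     seen_any; /* false until the first record is accepted */
};

/* Step 1: run before the MAC check so stale or duplicate records are dropped cheaply. */
bool replay_check(const struct replay_window *w, uint64_t seq)
{
    if (!w->seen_any || seq > w->top)
        return true;                            /* newer than anything seen */
    uint64_t offset = w->top - seq;
    if (offset >= REPLAY_WINDOW_BITS)
        return false;                           /* too old to fit in the window */
    return (w->bitmap & (1ULL << offset)) == 0; /* false if already received */
}

/* Step 2: run only after the record's MAC has verified, so a forged
 * record cannot advance the window and push genuine records out of it. */
void replay_update(struct replay_window *w, uint64_t seq)
{
    if (!w->seen_any) {
        w->top = seq; w->bitmap = 1; w->seen_any = true;
        return;
    }
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        /* Shifting by >= 64 is undefined in C, so clear the map instead. */
        w->bitmap = (shift >= REPLAY_WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;                         /* bit 0 represents the new top */
        w->top = seq;
    } else if (w->top - seq < REPLAY_WINDOW_BITS) {
        w->bitmap |= 1ULL << (w->top - seq);    /* mark a reordered record */
    }
}

/* Wrapper for the example: mac_ok stands in for real MAC verification. */
bool replay_accept(struct replay_window *w, uint64_t seq, bool mac_ok)
{
    if (!replay_check(w, seq) || !mac_ok)
        return false;
    replay_update(w, seq);
    return true;
}
```

A reordered record that still falls inside the window is accepted once, while the same sequence number arriving a second time, or one that has fallen off the left edge of the window, is discarded.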