Wikipedia Encyclopedia

Datagram Transport Layer Security

Datagram Transport Layer Security

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed[1][2] to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses UDP or SCTP, the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem",[3][4] when being used to create a VPN tunnel.


The following documents define DTLS:

  • RFC 6347 for use with User Datagram Protocol (UDP),
  • RFC 5238 for use with Datagram Congestion Control Protocol (DCCP),
  • RFC 5415 for use with Control And Provisioning of Wireless Access Points (CAPWAP),
  • RFC 6083 for use with Stream Control Transmission Protocol (SCTP) encapsulation,
  • RFC 5764 for use with Secure Real-time Transport Protocol (SRTP) subsequently called DTLS-SRTP in a draft with Secure Real-Time Transport Control Protocol (SRTCP).[5]

DTLS 1.0 is based on TLS 1.1, and DTLS 1.2 is based on TLS 1.2. There is no DTLS 1.1 because this version-number was skipped in order to harmonize version numbers with TLS.[2] The DTLS 1.3 specification is being worked on and, like previous DTLS versions, is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[6]



Library support for DTLS
Implementation DTLS 1.0[1] DTLS 1.2[2]
Botan Yes Yes
cryptlib No No
GnuTLS Yes Yes
Java Secure Socket Extension Yes Yes
LibreSSL Yes Yes[7]
MatrixSSL Yes Yes
mbed TLS (previously PolarSSL) Yes[9] Yes[9]
Network Security Services Yes[10] Yes[11]
OpenSSL Yes Yes[12]
s2n No No
SChannel XP/2003, Vista/2008 No No
SChannel 7/2008R2, 8/2012, 8.1/2012R2, 10 Yes[17] No[17]
SChannel 10 (1607), 2016 Yes Yes[18]
Secure Transport OS X 10.2–10.7 / iOS 1–4 No No
Secure Transport OS X 10.8–10.10 / iOS 5–8 Yes[19] No
SharkSSL No No
tinydtls [20] No Yes
Waher.Security.DTLS [21] No Yes
wolfSSL (previously CyaSSL) Yes Yes
@nodertc/dtls [22][23] No Yes
java-dtls[24] Yes Yes
pion/dtls[25] (Go)NoYes
californium/scandium[26] (Java)NoYes
SNF4J[27] (Java)YesYes
Implementation DTLS 1.0 DTLS 1.2



In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack[36] which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS when Cipher Block Chaining mode encryption was used.

See also


  1. Rescorla, Eric; Modadugu, Nagendra (April 2006). Datagram Transport Layer Security. doi:10.17487/RFC4347. RFC 4347.
  2. Rescorla, Eric; Modadugu, Nagendra (January 2012). Datagram Transport Layer Security Version 1.2. doi:10.17487/RFC6347. RFC 6347.
  3. Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Retrieved 2015-10-17.
  4. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX doi:10.1117/12.630496. S2CID 8945952.
  5. Peck, M.; Igoe, K. (2012-09-25). "Suite B Profile for Datagram Transport Layer Security / Secure Real-time Transport Protocol (DTLS-SRTP)". IETF.
  6. "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".
  7. "LibreSSL 3.3.2 Release Notes". The OpenBSD Project. 2021-05-01. Retrieved 2021-06-13.
  8. Julien Kauffmann. "libsystools: A TLS/DTLS open source library for Windows/Linux using OpenSSL". SourceForge.
  9. "mbed TLS 2.0.0 released". ARM. 2015-07-13. Retrieved 2015-08-25.
  10. "NSS 3.14 release notes". Mozilla Developer Network. Mozilla. Archived from the original on 2013-01-17. Retrieved 2012-10-27.
  11. "NSS 3.16.2 release notes". Mozilla Developer Network. Mozilla. 2014-06-30. Retrieved 2014-06-30.
  12. "As of version 1.0.2". The OpenSSL Project. The OpenSSL Project. 2015-01-22. Retrieved 2015-01-26.
  13. Ray Brown. "pydtls - Datagram Transport Layer Security for Python". GitHub.
  14. Ray Brown. "DTLS for Python". Python Software Foundation.
  15. Ray Brown/Mobius Software LTD. "pydtls - Datagram Transport Layer Security for Python". GitHub.
  16. Ray Brown/Mobius Software LTD. "DTLS for Python3 Based on PyDTLS". Python Software Foundation.
  17. "An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1". Microsoft. Retrieved 13 November 2012.
  18. Justinha. "TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016". Retrieved 2017-09-01.
  19. "Technical Note TN2287: iOS 5 and TLS 1.2 Interoperability Issues". iOS Developer Library. Apple Inc. Retrieved 2012-05-03.
  20. Olaf Bergmann. "tinydtls". Eclipse Foundation.
  21. Peter Waher. "Waher.Security.DTLS". Waher Data AB.
  22. Dmitriy Tsvettsikh. "Secure UDP communications using DTLS in pure js". GitHub.
  23. Dmitriy Tsvettsikh. "DTLS in pure js". npm.
  24. Mobius Software LTD. "Non blocking Java DTLS Implementation based on BouncyCastle and Netty". Mobius Software LTD.
  25. Sean DuBois. "pion/dtls: DTLS 1.2 Server/Client implementation for Go". GitHub.
  26. "californium/scandium: DTLS 1.2 Server/Client implementation for java and coap. Includes connection id extension". Eclipse Foundation.
  27. SNF4J.ORG. "Simple Network Framework for Java (SNF4J)". GitHub.
  28. "AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer". Cisco. Retrieved 26 February 2017.
  29. "OpenConnect". OpenConnect. Retrieved 26 February 2017.
  30. "Cisco InterCloud Architectural Overview" (PDF). Cisco Systems.
  31. "ZScaler ZTNA 2.0 Tunnel". ZScaler.
  32. "f5 Datagram Transport Layer Security (DTLS)". f5 Networks.
  33. "Configuring a DTLS Virtual Server". Citrix Systems.
  34. "WebRTC Interop Notes". Archived from the original on 2013-05-11.
  35. "Firefox 86.0, See All New Features, Updates and Fixes". Mozilla. 2021-02-23. Archived from the original on 2021-02-22. Retrieved 2021-02-23. From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC's PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version.
  36. Plaintext-Recovery Attacks Against Datagram TLS
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.