I have a sensor node which broadcast sensor data as UDP packets to a specific port. I have to secure this broadcast. I tried to find out how can I achieve that and found out that DTLS is the answer.
What all do I need to do to implement DTLS? Initially, I thought I do not need certificates, however, I learnt that DTLS is also using handshake to exchange keys. Do I need to create certificates for that ?
DTLS is a version of TLS (which is end-to-end security) used over UDP or other unreliable packet delivery mechanism. DLTS can not be used with broadcasting which is unidirectional.
Now, what is "secure" in your case? Do you need to encrypt the data? But encryption is a concept which is contrary to broadcasting (as the number of recipients grows, security drops exponentially). Signing of data is possible. It is of course possible to encrypt the data for one or multiple recipients (using either symmetric encryption or public-key encryption) but again this is hardly a broadcast and has nothing to do with UDP itself (or other transport).
Related
I was researching on QUIC protocol and my professor asked me this question. QUIC is said to be built on UDP and uses TLS packets. TLS itself requires reliable connection that is TCP. So, why QUIC is not said to be built on TCP?
PS: Please correct me if my concepts are wrong and if possible, please explain in deep how QUIC packets work.
QUIC is said to be built on UDP and uses TLS packets.
QUIC (RFC 9000) does not use TLS "packets".
Technically, TLS uses the term "record" to indicate a block of bytes that defines how the protocol is framed. A record specifies the TLS protocol version, the length of the record, etc.
Inside TLS frames there are one or more TLS messages that specify cryptographic information or commands.
The TLS records are transported by TCP.
What QUIC does instead is to reuse some of the TLS messages, but nothing of the TLS record layer.
For example, in TCP the first bytes sent by a client are typically a TLS record that wraps the ClientHello message.
In QUIC, instead, the first bytes are a QUIC Initial packet, that wraps a CRYPTO frame, that wraps the ClientHello message, and all of these bytes must fit into a UDP datagram (they typically do, and the Initial packet even carries a PADDING frame to make the initial bytes at least 1200).
Refer to RFC 9001 for more details about how TLS is used in QUIC.
More broadly about QUIC, it is based on UDP but borrows many TCP features (retransmissions, flow control, etc.) that basically make it an alternative to TCP in the sense that it is a reliable network protocol, with additional security (encryption) features built-in, borrowed by TLS.
TCP is clear-text and relies on TLS layered on top to provide encryption.
QUIC is a mix of TCP features and TLS features (there is no clear-text QUIC), without layering.
When you say "Why QUIC is not said to be built on TCP?", I say "QUIC is not built on TCP, it is built on UDP. However, QUIC borrows TCP features that make QUIC provide similar functionalities as TCP, in particular reliability and flow control, that are not provided by UDP".
For example, in Jetty we have implemented HTTP/1.1 and HTTP/2 (that are TCP-based protocols) on top of QUIC, using a single, persistent, QUIC stream.
This shows that QUIC can be indeed a replacement for TCP, as it can carry protocols that were designed for TCP.
QUIC includes TLS in it to allow it to be used over UDP in the same way as TCP works.
Why bother reinventing TCP and not just use TCP? Well TCP is kind of “stuck” as it’s slow to roll out new changes that fundamentally change how TCP works. Enhancing it to allow new features like multiplex streams will take a loooong time to roll out everywhere TCP is supported.
QUIC is built over simple UDP packets and everything else is handled at either end by QUIC and all the routers and networks in the middle don’t need to know about these new QUIC features.
The RFCs are all written by committee, and the structure and language is often confusing, so it is easy to mix things up.
A full TLS implementation requires a reliable transport, which as of today is provided by TCP and SCTP (RFC3436).
QUIC (RFC9001) doesn't actually require a full TLS implementation though, and instead simply re-uses parts of the TLSv1.3 standard:
4.1. Interface to TLS
As shown in Figure 4, the interface from QUIC to TLS consists of four
primary functions:
* Sending and receiving handshake messages
* Processing stored transport and application state from a resumed
session and determining if it is valid to generate or accept 0-RTT
data
* Rekeying (both transmit and receive)
* Updating handshake state
So, given the above, the actual process that QUIC takes to encrypting the packet data isn't TLS at all, but is instead provided by QUIC.
I understand that TLS requires a reliable transport but following the TCP/IP model the first layer in case of sending data/request would be Application layer ... After connection established and the data is ready it moves to the next layer which is the Transport layer for the TCP header to be added.
So the first step after the DNS would be the TCP handshake then up to TLS handshake then down to TCP again to add the TCP header ? OR I'm missing something here ?
The problem with layer models is that there are too many cases when there are either too many or not enough layers. It is important to understand the concept of layers, and why do we need one. But IMHO, neither of the layer models are actually representing the Internet.
As already said in comments, DNS is a separate "application" from the standpoint of what you are describing. So, whether DNS is happening or not does not have an affect of what happens next.
I think this figure shows the layer model with TLS in it (source).
Application is passing its data to TLS layer. This layer is usually implemented as a library that is linked with the application, so it is also "above" sockets.
TLS works on top of TCP, that is TLS gives encrypted stream along with its own signaling packets to TCP and TCP processes them as any other packets.
So, basically it is how you describe. First, a TCP connection is established. After which TCP just sends whatever stream of data TLS is giving it, and this stream starts with a TLS handshake.
There is one nuance though. TCP is a stream based protocol. It accepts stream on one side and returns stream on the other side. Dividing the stream into packets is happening in TCP itself. That is TLS is using "records" of any size which are convinient to TLS. The records do not necessary correspond with packets.
I saw that SCTP is going to be used for Data Channels starting in Chrome 31, and officially RTP based channels are going to be deprecated sometimes in February 2014 according to this google group thread:
https://groups.google.com/forum/#!topic/discuss-webrtc/y2A97iCByTU
Does this also mean that webrtc audio and video channels are also going to be transported over SCTP eventually(if not already in the works)?
How does RTP fit in the whole SCTP transport effort? Does that mean SRTP packets will flow over SCTP data channel? Or perhaps just the payload will be sent over SCTP transport protocol.
If I am reading info on SCTP, it combines best of TCP and UDP protocols; but it does not include encryption by default; so in mind the traffic flowing over should still be encrypted.
Any additional info would be helpful. Thanks!
The audio and video will keep going over RTP (actually SRTP which is the secure version or RTP) but the data channel will uses SCTP over DTLS over UDP. Both Firefox and Chrome are implementing this and you can find it described in the IETF draft specifications. For some types of NAT / Firewall traversal, the UDP packets may get tunneled in TURN over TCP.
Glad to provide you pointers to the draft specifications if that helps.
SCTP stands for Stream Control Transmission Protocol.
SCTP as a protocol can be seen as a hybrid of UDP and TCP.
At its core, SCTP holds the following characteristics:
Connection oriented. Similar to TCP, SCTP is connection oriented. It also offers a multi-homing capability that isn’t used by WebRTC
Optional reliability. Reliability is optional in SCTP and is up to the implementer using SCTP to decide if he needs this capability or not
Optional ordering. Ordering of packets sent via SCTP is optional and is left for the implementer to decide if this is necessary for him or not
Message oriented. SCTP makes sure that each message sent is properly parsed on the receiver end in the same manner in which it was sent
Flow control. Similar to TCP, SCTP provides a flow control mechanism that makes sure the network doesn’t get congested
SCTP is not implemented by all operating systems. In such cases, an application level implementation of SCTP will usually be used.
SCTP is used in WebRTC for the implementation and delivery of the Data Channel.
Google is experimenting with the QUIC protocol as a future replacement to SCTP
WebRTC DataChannels use SCTP. Looking at the graph of bits received from chrome://webrtc-internals, there is a regular sending of a small amount of data. Is this the SCTP heartbeat?
From what I understand, this is the ICE heartbeat.
I am just elaborating Sam's answer.
WebRTC DataChannel uses Stream Control Transport Protocol (SCTP) for sending
and receiving arbitrary data. Since, WebRTC requires that all WebRTC traffic be
encrypted, DTLS is used. However, most routers and NAT devices don't handle this
protocol well. Hence, SCTP is tunneled over DTLS and UDP. Now, even when two
peers are exchanging arbitrary data, it is happening over UDP. Hence, I too
believe that it is not a SCTP heartbeat.
As you might know, RTCPeerConnection uses ICE for resolving connectivity issues between
peers. ICE uses STUN keep-alives to check the connectivity status between
the peers. Currently, I believe chrome sends out STUN Binding Request every 450 ms to perform connectivity checks, but there is an ongoing discussion on extending that time interval.
What is the functional difference between TLS and DTLS?
How does application flow/negotiation differ while using TLS vs DTLS?
Basically DTLS is to construct TLS over datagram (UDP, DCCP, etc.)
DTLS is similar to TLS intentionally except that DTLS has to solve two problems: packet lost and reordering. DTLS implements
packet retransmission
assigning sequence number within the handshake
replay detection.
See RFC 6347 for details.
The idea is that DTLS is to TLS as UDP is to TCP, as much as possible.
See https://datatracker.ietf.org/doc/draft-ietf-tls-dtls13/ which will likely obsolete RFC 6347 for details on the specification, as well as links to discussions thereof.
There are key differences between DTLS and the Transport Layer Security (TLS) protocol that the application programmer needs to be aware of that other answers miss/imply do not exist!
The DTLS protocol provides communications privacy for datagram protocols. Contrary to the extant top-rated answers as of this writing(archive), DTLS is not an implementation (or "construct") of TLS over UDP (or datagram protocols in general), and, replay detection is a required feature of TLS, but optional in DTLS. DTLS includes an implementation of a very TLS-like handshake, modified to work over datagram protocols. The implementation does handle the problems of packet reordering and loss, but only for the packets used for the DTLS handshake (and cipher selection). In other words, the "flights" that these packets deliver are delivered reliably. However, the DTLS packets containing payload (application data) may deliver their payload no more reliably than the DTLS packets (typically UDP) that encapsulate them.
Furthermore, while the DTLS protocol (v1.2) is derived from the TLS protocol (v1.2) and claims to "provide equivalent security guarantees", it does not.2 Back in 2013, researchers identified major security shortcomings in both DTLS implementations and in the DTLS protocol itself, that have since been rectified, at least in GnuTLS and OpenSSL implementations.2 In addition, DTLS does not guarantee non-replayability.
Finally, the OP asks how application flows differ while using TLS vs DTLS. TLS is intended to deliver a stream of data reliably and with authenticated encryption, end-to-end. DTLS is intended for the delivery of application data that is authenticated and encrypted end-to-end, but with lower latency than can be achieved when all application data delivery is guaranteed. This is why DTLS is used to secure streaming applications where losses are less important than latency, e.g. VoIP, live video feeds and MMO gaming.
PS: DTLS 1.3 is done/will probably have been published as an RFC by the time you read this.3
PPS: Oh, and if this was worth reading, don't miss RFC 7457, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)". I'm surprised DTLS 1.3 (the final draft anyway) doesn't refer to it (such as from its Security Considerations section) (Suggested) and neither does the TLS 1.3 spec!
DTLS is an implementation of TLS over UDP (a datagram protocol). per wikipedia, TLS uses TCP, and DTLS uses UDP, so all the classic differences apply. UDP communications exist as streams of packets with no ordering, delivery reliability, or flow control. applications that use datagram protocols need to make sure they can handle these concerns internally.
https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption
http://www.diffen.com/difference/TCP_vs_UDP
One difference is that, due to being over UDP, stream ciphers are not allowed:
4.1.2.2. Null or Standard Stream Cipher
The DTLS NULL cipher is performed exactly as the TLS 1.2 NULL
cipher.
The only stream cipher described in TLS 1.2 is RC4, which cannot be
randomly accessed. RC4 MUST NOT be used with DTLS.