Score: 44
  1. What is the functional difference between TLS and DTLS?
  2. How does application flow/negotiation differ while using TLS vs DTLS?
onebree
Pranav

4 Answers

Score: 37

Basically, DTLS constructs TLS over datagram protocols (UDP, DCCP, etc.).

DTLS is intentionally similar to TLS, except that DTLS has to solve two problems: packet loss and reordering. DTLS implements

  1. packet retransmission
  2. assigning sequence numbers within the handshake
  3. replay detection.

See RFC 6347 for details.

Adobe
Yu Hao
    Small nit, from the RFC you mention: "The behavior of such applications is unchanged when the DTLS protocol is used to secure communication, since the DTLS protocol does not compensate for lost or re-ordered data traffic." – Scott Franco Oct 11 '19 at 04:25
  • Wrong. Subsequently-identified security flaws show this answer is security-critically wrong; see my new answer. – Matthew Elvey Dec 14 '19 at 19:57
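The "replay detection" item in the answer above refers to the optional anti-replay window of RFC 6347 section 4.1.2.6, which works like the IPsec sliding bitmap over each record's 48-bit sequence number. The following is an added example, not code from this answer or from any DTLS implementation: it parses the DTLS 1.2 record header and runs a 64-entry replay window over a constructed arrival order that contains a late record and two replays. Epoch handling is a simplification I assume here (a higher epoch resets the window, records from older epochs are dropped); real stacks keep the previous epoch's state around briefly to tolerate reordering across a ChangeCipherSpec.

```python
"""
Added illustration, not code from the Q&A above: a minimal DTLS 1.2 record
header parser plus the (optional) anti-replay sliding window of RFC 6347
section 4.1.2.6. The window is a 64-bit bitmap anchored at the highest
sequence number seen, as in IPsec. Epoch handling is simplified: a higher
epoch resets the window and records from older epochs are dropped.
"""
import struct

DTLS_1_2 = 0xFEFD   # wire version of DTLS 1.2 (one's complement of TLS 1.2's 0x0303)
HEADER_LEN = 13     # type(1) + version(2) + epoch(2) + sequence_number(6) + length(2)


def parse_record_header(datagram: bytes) -> dict:
    """Split one DTLS record into its header fields and payload."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a DTLS record header")
    ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack(
        "!BHHHIH", datagram[:HEADER_LEN])
    payload = datagram[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("record length field exceeds datagram size")
    return {"type": ctype, "version": version, "epoch": epoch,
            "seq": (seq_hi << 32) | seq_lo, "length": length, "payload": payload}


def build_record(ctype: int, epoch: int, seq: int, payload: bytes) -> bytes:
    """Constructed helper: encode an unencrypted record for the demo below."""
    return struct.pack("!BHHHIH", ctype, DTLS_1_2, epoch,
                       seq >> 32, seq & 0xFFFFFFFF, len(payload)) + payload


class ReplayWindow:
    """Sliding bitmap over 48-bit record sequence numbers within one epoch."""

    def __init__(self, size: int = 64):
        self.size = size
        self.epoch = None
        self.right = -1     # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (right - i) already seen

    def accept(self, epoch: int, seq: int) -> bool:
        """Return True if the record is new and inside the window, else False."""
        if self.epoch is None or epoch > self.epoch:
            self.epoch, self.right, self.bitmap = epoch, -1, 0   # fresh window per epoch
        elif epoch < self.epoch:
            return False                                          # stale epoch
        if seq > self.right:
            shift = seq - self.right
            # advance the window; everything older than (seq - size) falls off the left edge
            self.bitmap = ((self.bitmap << shift) if shift < self.size else 0) | 1
            self.bitmap &= (1 << self.size) - 1
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False        # too old to track: treat as replay
        if (self.bitmap >> offset) & 1:
            return False        # duplicate inside the window
        self.bitmap |= 1 << offset
        return True


def filter_records(datagrams, window=None):
    """Run replay detection over arriving datagrams; return accepted payloads in order."""
    window = window or ReplayWindow()
    accepted = []
    for d in datagrams:
        hdr = parse_record_header(d)
        if window.accept(hdr["epoch"], hdr["seq"]):
            accepted.append(hdr["payload"])
    return accepted


if __name__ == "__main__":
    # Constructed arrival order: seq 0, 1, 3, replayed 1, late 2, replayed 0
    APP_DATA = 23
    arrivals = [build_record(APP_DATA, 1, s, b"r%d" % s) for s in (0, 1, 3, 1, 2, 0)]
    print(filter_records(arrivals))   # [b'r0', b'r1', b'r3', b'r2']
```

The late record (seq 2) is accepted because it is still inside the window; the two replays are rejected because their bits are already set. Anything older than the left edge is rejected outright, which is why the RFC lets implementations skip the window entirely and why an application that needs non-replayability must not assume DTLS provides it.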
Score: 23

The idea is that DTLS is to TLS as UDP is to TCP, as much as possible.

See https://datatracker.ietf.org/doc/draft-ietf-tls-dtls13/ which will likely obsolete RFC 6347 for details on the specification, as well as links to discussions thereof.

There are key differences between DTLS and the Transport Layer Security (TLS) protocol that the application programmer needs to be aware of that other answers miss/imply do not exist!

The DTLS protocol provides communications privacy for datagram protocols. Contrary to the extant top-rated answers as of this writing (archive), DTLS is not an implementation (or "construct") of TLS over UDP (or datagram protocols in general), and replay detection is a required feature of TLS, but optional in DTLS. DTLS includes an implementation of a very TLS-like handshake, modified to work over datagram protocols. The implementation does handle the problems of packet reordering and loss, but only for the packets used for the DTLS handshake (and cipher selection). In other words, the "flights" that these packets deliver are delivered reliably. However, the DTLS packets containing payload (application data) may deliver their payload no more reliably than the DTLS packets (typically UDP) that encapsulate them.

Furthermore, while the DTLS protocol (v1.2) is derived from the TLS protocol (v1.2) and claims to "provide equivalent security guarantees", it does not.[2] Back in 2013, researchers identified major security shortcomings in both DTLS implementations and in the DTLS protocol itself, that have since been rectified, at least in GnuTLS and OpenSSL implementations.[2] In addition, DTLS does not guarantee non-replayability.

Finally, the OP asks how application flows differ while using TLS vs DTLS. TLS is intended to deliver a stream of data reliably and with authenticated encryption, end-to-end. DTLS is intended for the delivery of application data that is authenticated and encrypted end-to-end, but with lower latency than can be achieved when all application data delivery is guaranteed. This is why DTLS is used to secure streaming applications where losses are less important than latency, e.g. VoIP, live video feeds and MMO gaming.

PS: DTLS 1.3 is done/will probably have been published as an RFC by the time you read this.[3]

PPS: Oh, and if this was worth reading, don't miss RFC 7457, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)". I'm surprised DTLS 1.3 (the final draft anyway) doesn't refer to it (such as from its Security Considerations section) and neither does the TLS 1.3 spec!

Matthew Elvey
    That's the right answer, to only guarantee sequencing for the TLS protocol itself, not the payloads. You don't want to choose the reliable protocol implementation for the client, it could be a number of different algorithms, and could be application specific. For example a secure video connection could use a custom frame dropping algorithm. – Scott Franco Oct 11 '19 at 04:33
  • Indeed - different UDP packets in the same stream could even have different priority flag settings for more or less important content - though maybe there's a lack of / need for research on whether/how networks and backbones actually pay attention to such flags - https://en.wikipedia.org/wiki/Type_of_service - last I knew they mostly don't. And since it's the network that does the actual packet dropping, not the app, it's key. – Matthew Elvey Jun 16 '20 at 18:48
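The point made in the answer above, that DTLS delivers only the handshake flights reliably and leaves application data as unreliable as the datagrams carrying it, rests on the extra fields in the DTLS handshake header: message_seq, fragment_offset and fragment_length (RFC 6347 section 4.2.2). The following is an added example, not code from this answer or from any DTLS library: a receiver-side reassembler that buffers fragments per message_seq, tolerates duplicates and overlaps, and releases complete messages in order, fed with a constructed server flight that arrives out of order with one fragment duplicated. The certificate bytes and the starting message_seq of 1 are assumptions for the demo.

```python
"""
Added illustration, not code from the Q&A above: how the DTLS handshake layer
copes with loss, reordering and fragmentation, which is the only traffic it
delivers reliably. Each handshake message carries message_seq, fragment_offset
and fragment_length (RFC 6347 section 4.2.2); the receiver buffers fragments,
reassembles each message and releases messages strictly in message_seq order.
Application data records get none of this treatment.
"""

HS_HEADER_LEN = 12   # msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 2, 11, 14   # standard HandshakeType values


def parse_handshake_fragment(data: bytes) -> dict:
    """Decode one handshake fragment header and its body, validating the bounds."""
    if len(data) < HS_HEADER_LEN:
        raise ValueError("fragment shorter than handshake header")
    length = int.from_bytes(data[1:4], "big")
    frag_off = int.from_bytes(data[6:9], "big")
    frag_len = int.from_bytes(data[9:12], "big")
    body = data[HS_HEADER_LEN:HS_HEADER_LEN + frag_len]
    if len(body) != frag_len or frag_off + frag_len > length:
        raise ValueError("fragment does not fit the declared message length")
    return {"msg_type": data[0], "length": length,
            "message_seq": int.from_bytes(data[4:6], "big"),
            "frag_off": frag_off, "body": body}


def build_fragments(msg_type: int, message_seq: int, body: bytes, max_body: int) -> list:
    """Constructed sender-side helper: split one message into fragments of at most max_body bytes."""
    offsets = range(0, len(body), max_body) if body else [0]   # zero-length messages still need one fragment
    frags = []
    for off in offsets:
        chunk = body[off:off + max_body]
        header = (bytes([msg_type]) + len(body).to_bytes(3, "big") +
                  message_seq.to_bytes(2, "big") + off.to_bytes(3, "big") +
                  len(chunk).to_bytes(3, "big"))
        frags.append(header + chunk)
    return frags


class HandshakeReassembler:
    """Buffer fragments per message_seq and deliver complete messages in order."""

    def __init__(self, first_seq: int = 0):
        self.next_seq = first_seq
        self.pending = {}   # message_seq -> {"type", "length", "chunks": {offset: bytes}}

    def receive(self, fragment: bytes) -> list:
        f = parse_handshake_fragment(fragment)
        if f["message_seq"] < self.next_seq:
            return []   # retransmission of a message already delivered: silently drop
        entry = self.pending.setdefault(
            f["message_seq"], {"type": f["msg_type"], "length": f["length"], "chunks": {}})
        entry["chunks"][f["frag_off"]] = f["body"]   # duplicate fragments just overwrite
        delivered = []
        while self.next_seq in self.pending and self._complete(self.pending[self.next_seq]):
            entry = self.pending.pop(self.next_seq)
            delivered.append((entry["type"], self._assemble(entry)))
            self.next_seq += 1
        return delivered

    @staticmethod
    def _complete(entry) -> bool:
        covered = 0   # walk fragments by offset; overlaps are allowed, gaps are not
        for off in sorted(entry["chunks"]):
            if off > covered:
                return False
            covered = max(covered, off + len(entry["chunks"][off]))
        return covered >= entry["length"]

    @staticmethod
    def _assemble(entry) -> bytes:
        buf = bytearray(entry["length"])
        for off, chunk in entry["chunks"].items():
            buf[off:off + len(chunk)] = chunk
        return bytes(buf)


def demo_server_flight() -> list:
    """Deliver a constructed server flight (seq 1..3) out of order, with one fragment duplicated."""
    cert = b"-----CONSTRUCTED CERTIFICATE BYTES-----" * 3
    hello = build_fragments(SERVER_HELLO, 1, b"serverhello", 64)
    cert_frags = build_fragments(CERTIFICATE, 2, cert, 40)   # three fragments
    done = build_fragments(SERVER_HELLO_DONE, 3, b"", 64)    # zero-length body
    arrival = [cert_frags[2], done[0], cert_frags[0], hello[0], cert_frags[2], cert_frags[1]]
    r = HandshakeReassembler(first_seq=1)
    out = []
    for frag in arrival:
        out.extend(r.receive(frag))
    return out


if __name__ == "__main__":
    for msg_type, body in demo_server_flight():
        print(msg_type, len(body))   # 2 11 / 11 117 / 14 0, in message_seq order
```

Nothing in this logic applies to application data records, which carry only the record-layer epoch and sequence number and are handed to the application (or dropped) as they arrive; if the application needs ordering or retransmission it has to provide them itself, which is exactly the freedom the comments above are describing.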
Score: 9

DTLS is an implementation of TLS over UDP (a datagram protocol). Per Wikipedia, TLS uses TCP, and DTLS uses UDP, so all the classic differences apply. UDP communications exist as streams of packets with no ordering, delivery reliability, or flow control. Applications that use datagram protocols need to make sure they can handle these concerns internally.

https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption

http://www.diffen.com/difference/TCP_vs_UDP

Frank Thomas
Score: 2

One difference is that, due to being over UDP, stream ciphers are not allowed:

4.1.2.2. Null or Standard Stream Cipher

The DTLS NULL cipher is performed exactly as the TLS 1.2 NULL cipher.

The only stream cipher described in TLS 1.2 is RC4, which cannot be randomly accessed. RC4 MUST NOT be used with DTLS.

AnilRedshift
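The quoted "cannot be randomly accessed" is the whole reason for the prohibition: an RC4 keystream is consumed in order across the connection, so once a datagram carrying record n is lost, the receiver's keystream position no longer matches the sender's for record n+1 and every later record decrypts to garbage. The following is an added example, not code from this answer or from any TLS library: a textbook RC4 used the way a stream-cipher TLS connection uses it, beside a per-record keystream that depends only on the record's epoch and sequence number. That per-record construction (HMAC-SHA256 in counter mode over epoch||seq||counter) is a constructed stand-in I use to show the random-access property; it is not any real DTLS cipher suite, which in practice are explicit-nonce AEAD suites.

```python
"""
Added illustration, not code from the answer above: why a keystream that must
be consumed in order (RC4) cannot survive datagram loss, while a per-record
keystream derived from the record's epoch and sequence number can. RC4 here is
a plain textbook implementation for the demonstration only. The per-record
construction (HMAC-SHA256 in counter mode over epoch||seq||counter) is a
constructed stand-in for the explicit-nonce AEAD suites DTLS actually uses,
not any real cipher suite.
"""
import hashlib
import hmac


def rc4_keystream(key: bytes):
    """Textbook RC4: key scheduling, then an endless generator of keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_records(key: bytes, records: list) -> list:
    """Encrypt or decrypt a sequence of records with ONE continuing keystream, as a
    stream-cipher TLS connection does: record n is XORed with the keystream bytes that
    follow those used by records 0..n-1, so the receiver must see every record."""
    ks = rc4_keystream(key)
    return [bytes(b ^ next(ks) for b in rec) for rec in records]


def rc4_apply(key: bytes, data: bytes) -> bytes:
    """One-shot RC4 over a single buffer (encrypt and decrypt are the same operation)."""
    return rc4_records(key, [data])[0]


def record_keystream(key: bytes, epoch: int, seq: int, n: int) -> bytes:
    """Constructed per-record keystream: each record's bytes depend only on (epoch, seq)."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def per_record_apply(key: bytes, epoch: int, seq: int, data: bytes) -> bytes:
    """Encrypt/decrypt one record independently of every other record."""
    return bytes(b ^ k for b, k in zip(data, record_keystream(key, epoch, seq, len(data))))


def compare_after_loss(key: bytes, plaintexts: list, lost: int) -> dict:
    """Encrypt plaintexts both ways, drop record `lost` in transit, decrypt the survivors."""
    survivors = [i for i in range(len(plaintexts)) if i != lost]
    rc4_ct = rc4_records(key, plaintexts)
    rc4_pt = rc4_records(key, [rc4_ct[i] for i in survivors])   # receiver's stream is now misaligned
    rec_ct = [per_record_apply(key, 1, i, p) for i, p in enumerate(plaintexts)]
    rec_pt = [per_record_apply(key, 1, i, rec_ct[i]) for i in survivors]
    return {"rc4": dict(zip(survivors, rc4_pt)), "per_record": dict(zip(survivors, rec_pt))}


if __name__ == "__main__":
    res = compare_after_loss(b"Key", [b"rec0", b"rec1", b"rec2"], lost=1)
    print(res["rc4"])         # rec0 fine, rec2 garbage: keystream position slipped by 4 bytes
    print(res["per_record"])  # both survivors decrypt
```

The constructed key and records are only there to make the run reproducible; the RC4 routine is checked against the well-known "Key"/"Plaintext" test vector so the misalignment shown is the cipher's real behaviour rather than a bug in the demo. The same reasoning is why DTLS's record header carries the epoch and sequence number in the clear: the nonce for each record has to be recoverable from that record alone.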