UDP (User Datagram Protocol) is a transport layer protocol based on the exchange of datagrams (encapsulated in OSI model Layer 4 or transport layer). It allows datagrams to be sent over the network without first establishing a connection to the recipient, since the datagram itself contains enough address information in its header. By not having confirmation or flow control, packets can overtake. And there is also no way of knowing whether the packets arrived, since there is no confirmation of delivery or receipt.
As already mentioned, the DTLS, protocol, provides privacy for datagram protocols. It also allows communications between client/server applications without eavesdropping, unauthorized accesses, or message tampering. The DTLS protocol is based on the TLS protocol (Transport Layer Security) and provides the same security guarantees. Furthermore, the datagram semantics of the underlying protocols are preserved when using DTLS.
- TLS cannot go directly on top of UDP. This is because, in UDP, packets might be lost or get out of order and TLS does not have the tools to address these problems:
TLS does not allow packets to be decrypted independently, since the integrity check depends on the sequence number. TLS uses implicit sequence numbers while the DTLS protocol uses explicit sequence numbers to resolve this problem.
- The TLS link layer allows messages to be received reliably, breaking the connection if messages get lost. DTLS resolves this problem using a packet retransmission timer.
There is, however, a security issue with DTLS called heartbleed, caused by a bad implementation of the functionality known as heartbeat. This vulnerability has now been resolved, but it does not detract from the fact it constituted a serious security problem.
In February 2012, the heartbeat functionality was presented as part of the RFC for the TLS and DTLS protocols. Its main advantage is that it allows a connection to be kept open without the need to renegotiate a new connection. The implementation with the security flaw was added to version 1.0.1f of OpenSSL.
To exploit the security problem, follow these steps:
1. A device sends a “Heartbeat Request” message, which is usually a text string, along with the exact length of that payload.
2. The receiving device must then send the exact same string straight back to the sender.
3. The affected OpenSSL versions allocate a memory buffer for the return message based on the length field in the request message, regardless of the actual size of its payload. When the length is not checked, the message is returned along with anything that has been allocated in the memory buffer.
Attackers can get hold of important information by reading an arbitrary block of server memory, thereby compromising the security of the server, its communications and its users. Among the data that they might be able to get hold of is the master key of the server itself. Having this key would allow attackers to decrypt any current or stored traffic, through a passive “man-in the-middle” attack (if perfect forward secrecy is not used for communications), or an active one (if perfect forward secrecy is used).
The correction of the security flaw has been included in OpenSSL version 1.0.1g.
In conclusion, it is important to note that DTLS is a powerful security solution for UDP. However, if you want to use the heartbeat functionality, you should be aware of the security risks and ensure you use a version of OpenSSL in which the issue is resolved. (version 1.0.1g or later).