Modern computers communicate using a variety of layers to ensure that the information they are manipulating is transmitted in an efficient and robust manner. The most common model used to describe these different layers is the Internet Protocol Suite, commonly referred to as TCP/IP:
This article will focus on the transport layer of this architecture, explaining the difference between two different communications protocols: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).
2. Transport Layer
The most common components of the transport layer in the Internet Protocol Suite are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP is used for connection-oriented transmission – most commonly HTTPS security certificates but also SMTP, POP, FTP. These can guarantee the integrity of a website, protect the privacy of its users and enable other interesting features such as accessing user geolocation.
TCP also provides a method of verifying that information was correctly delivered as well as methods for error-checking. On the other hand, UDP is connection-less and used for applications that prioritize latency – i.e. video streaming, gaming, broadcasting, etc. This allows packets to be sent faster on a one-way trip and error-checking is limited to a simple checksum.
The major disadvantage of these communications protocols is that they are not encrypted and are therefore subject to eavesdropping, forgery and tampering by malicious agents. This is where TLS and DTLS use encryption to secure communications between devices. When discussing TLS and DTLS it is interesting to compare them to TCP and UDP due to their similar use cases. TLS and TCP worry about communicating information slowly but surely whereas UDP and DTLS communicate information rapidly and with a concern for latency-critical applications.
3. Transport Layer Security (TLS)
Prior to TLS there was the Secure Sockets Layer (SSL), a protocol mainly used for binding the identity of a website to a cryptographic key. This process concludes with the creation of an SSL certificate and is used in HTTP protocols to establish a connection between a browser and a web page or other documents.
It can also be mentioned that SSL certification usually includes data related to the website, such as the domain name and ownership information. This being said, Transport Layer Security is the upgrade from the deprecated Secure Sockets Layer (SSL). The differences between TLS and SSL are highly technical and regard aspects like the handshake process and hash-based message authentication code support.
3.1. TLS Handshake
In order to begin communications, a client-server system first relies on a 3-way TCP handshake (green). In the first full “round trip” of the TLS portion, a few pieces of information have been transferred in plain text, such as the TLS Protocol Version and other options. Afterward, the client-server negotiation of the encryption tunnel begins.
This machine pair has to agree on the version of the TLS protocol, choose a cipher suite (algorithms used to secure a network connection) and verify certificates if necessary. We can see how adding a hypothetical 30ms latency may cause an issue because of the “round trips” necessary (see image below). The server then picks a TLS version and cipher suite to continue communications and also presents its certificate to the client.
If the client approves the certificate, the client can initiate a Diffie-Hellman key exchange or the RSA to agree on a symmetric key. The server returns an encrypted “Finished” message to the client. The client decrypts it using the symmetric key and verifies the MAC. Application data can now be sent:
4. Datagram Transport Layer Security (DTLS)
Although Datagram Transport Layer Security (DTLS) is a separate encrypted communications protocol from TLS, it is based on TLS and intended to provide similar security guarantees for streaming data as well as many of the same functionalities. One of the main differences between the two protocols is that DTLS avoids the long communication times of TLS. However, due to the fact that this protocol is often used on top of UDP, it does not re-order or re-transmit packets and does not guarantee the non-replayability of packets. DTLS can also improve the performance of VPN applications while maintaining encryption.
5. Particular Differences
Below are some clear notable differences between the two protocols.
5.1. Explicit Records
TLS divides a long sequence of data into multiple chunks. These divisions are transparent to applications. This is not the case for DTLS as it uses records that can be sent completely or not. These records need to be managed by the applications themselves.
5.2. Tolerated Alterations
Datagrams, as in UDP, can be lost, reordered, and modified. Therefore, both client and server machines can allow non-regularized communications. For example, the order of records could even be subject to change for any number of reasons (i.e. latency). However, duplicates, in particular, may induce a warning. Records with wild anomalies may just be dropped.
5.3. No Verified Termination
Just like UDP, there is no notion of an end signal in the transmission in DTLS. DTLS simply stops transmitting. This means that a client receiving data from a server does not know if the entirety of the data has been delivered or if there has been an error in communications. TLS signals this with an alert message.
5.4. Protection Against Ip Spoofing
Below are some example implementations for both protocols.
- E-Mail Encryption (close to 90% of emails today use this)
- Network Access (using EAP-TLS)
- Single Sign-On Services (like Amazon AWS)
- Signing and Encrypting Documents (and code)
- Cisco AnyConnect VPN Client uses TLS to perform authentification of users and invented DTLS based VPN
- Citrix Systems NetScaler uses DTLS to secure UDP
- WebRTC uses compatible web browsers like Google Chrome, Opera and Firefox for DTLS-SRTP communications
This was an article about the differences between TLS and DTLS communications protocols