
Comment by aoetalks

5 months ago

I was about to agree with you, and then I read the article on DTLS.

> And that data-stream the interface that TLS provides

That’s exactly the problem. You might lose a UDP packet. That would corrupt data encrypted with a stream cipher.

With DTLS, each packet is encrypted individually.

https://en.m.wikipedia.org/wiki/Datagram_Transport_Layer_Sec...

Just on a technical note, TLS 1.3 only uses AEAD ciphers where the nonce is determined by the record numbers, so it actually is in principle possible to decrypt the packets even if they are received out of order by trial decrypting with different record numbers. You don't do this in TLS (as opposed to DTLS) because it runs over TCP and therefore you are guaranteed in-order delivery.

DTLS, by contrast, provides a record number hint (the low order bits of the record number and epoch) to assist in record number reconstruction: https://www.rfc-editor.org/rfc/rfc9147.html#name-reconstruct....
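The record number reconstruction referenced in the comment above (RFC 9147, section 4.2.2), shown as an added example that is not part of the thread: the receiver picks the full sequence number closest to one plus the highest record it has already deprotected, then derives the AEAD nonce from it as in RFC 8446, section 5.3. The function names are illustrative, the header bits are assumed to be already unmasked, and choosing the highest matching epoch is an assumption of this sketch.

```python
from typing import Iterable, Optional


def reconstruct_seq(truncated: int, bits: int, highest_seen: int) -> int:
    """Expand the low `bits` bits carried in the header (8 or 16 in DTLS 1.3)
    to the full sequence number closest to highest_seen + 1."""
    window = 1 << bits
    expected = highest_seen + 1
    # Start with the candidate in the same 2^bits block as the expected value.
    best = (expected & ~(window - 1)) | truncated
    # A reordered or skipped-ahead record may belong to a neighbouring block.
    for alt in (best - window, best + window):
        if alt >= 0 and abs(alt - expected) < abs(best - expected):
            best = alt
    return best


def reconstruct_epoch(low2: int, known_epochs: Iterable[int]) -> Optional[int]:
    """Match the 2 epoch bits from the header against epochs we hold keys for.
    Returns None when no held epoch matches (the record cannot be decrypted)."""
    matches = [e for e in known_epochs if e & 0x3 == low2]
    return max(matches) if matches else None  # assumption: prefer the newest


def record_nonce(static_iv: bytes, seq: int) -> bytes:
    """Per-record nonce: sequence number left-padded to the IV length,
    XORed with the static write IV (RFC 8446, section 5.3)."""
    padded = seq.to_bytes(len(static_iv), "big")
    return bytes(a ^ b for a, b in zip(static_iv, padded))


if __name__ == "__main__":
    iv = bytes(range(12))  # constructed sample IV, not a real key schedule output
    # Constructed arrivals: (low 8 bits from header, highest seq seen so far)
    for low, highest in [(0x02, 0xFF), (0xFE, 0x101), (0x05, 0x04)]:
        seq = reconstruct_seq(low, 8, highest)
        print(f"header={low:#04x} highest={highest:#x} -> seq={seq:#x} "
              f"nonce={record_nonce(iv, seq).hex()}")
```

A wrong guess only produces the wrong nonce, so the AEAD tag check fails and the record is dropped; the hint keeps the receiver from having to trial-decrypt across many candidate record numbers.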

I would agree with you that DTLS is a misnomer; that it does not provide the layer-4/transport-layer -like interface that regular TLS provides.

(It isn't quite a layer-3/internetwork-layer -like interface; from the UDP that it sits on, it has a multiplexing component that is "half" of a layer 4 interface.)