The Defect of DTLS toward Detected Aged Packets

DTLS (Datagram Transport Layer Security) is aimed at providing encryption and authentication services for UDP. Compared to TLS (for TCP), DTLS changes several areas of the protocol to cope with the unreliability of UDP. However, it has no clear strategy for certain extreme situations, such as a replay-detection loop, which could lead to malicious threats like DDoS. This paper mainly analyses the defect in the DTLS specifications regarding how a detected replayed message is handled. In addition, several attack experiments are presented to help reveal the defect, and brief descriptions of corresponding solutions are introduced.
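As an added illustration (not the paper's own experiments or code) of the replay-detection mechanism whose handling the paper analyses: a sliding-window anti-replay check in the style of RFC 6347 section 4.1.2.6 (itself borrowed from IPsec ESP, RFC 4303). It shows that a duplicate record is recognised with a single bitmap test and is only counted, never answered, so a flood of replayed records costs the receiver no per-packet response. The window size, the constructed sample trace and the counter fields are assumptions.

```python
class DtlsReplayWindow:
    """Sliding-window anti-replay check for DTLS record sequence numbers.

    DTLS 1.2 keys this window on the record's epoch and 48-bit sequence
    number; the example (an assumption) tracks a single epoch as plain ints.
    Bit i of the bitmap set means sequence number (right_edge - i) was seen.
    """

    def __init__(self, window_size=64):
        if window_size < 32:  # RFC 6347: window MUST be at least 32, SHOULD be 64
            raise ValueError("window size must be at least 32")
        self.size = window_size
        self.right_edge = -1      # highest sequence number accepted so far
        self.bitmap = 0
        self.replays = 0          # duplicates detected (silently discarded)
        self.too_old = 0          # records that fell left of the window

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old'; state changes only on accept."""
        if seq > self.right_edge:
            shift = seq - self.right_edge
            if shift >= self.size:
                self.bitmap = 1   # everything previously seen is now out of window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right_edge = seq
            return "accept"
        offset = self.right_edge - seq
        if offset >= self.size:
            self.too_old += 1
            return "too_old"
        if self.bitmap & (1 << offset):
            self.replays += 1     # bounded work: count it, send nothing back
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def process_trace(seqs, window_size=64):
    """Run a sequence-number trace through one window and tally the verdicts."""
    win = DtlsReplayWindow(window_size)
    counts = {"accept": 0, "replay": 0, "too_old": 0}
    for seq in seqs:
        counts[win.check(seq)] += 1
    return counts


# Constructed trace: in-order records, a burst of replays, a reordering, a gap.
SAMPLE_TRACE = [0, 1, 2, 2, 2, 3, 1, 3, 70, 5]
```

`process_trace(SAMPLE_TRACE)` yields five accepted records, four replays and one record too old for the window; the replays are absorbed by a counter only.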
