Datagram Transport Layer Security

Datagram Transport Layer Security ( DTLS ) is a system based on TLS encryption protocol that can be in contrast to TLS transmitted over unreliable transport protocols such as UDP.


  • February 2004: First draft and implementation in OpenSSL
  • 2006: RFC 4347 for standardization of DTLS 1.0.
  • January 2012: RFC 6347 replaces the previous RFC and DTLS updated to version 1.2.


With Voice over IP ( VoIP ) and the published there signaling protocol SIP, which is transmitted due to various advantages preferred over UDP, the need arose to carry the given TLS security for SIP over TCP on the transport over UDP. TLS itself is not suitable for this, since none of the after a packet loss following packages can be authenticated more.

Although DTLS was standardized in April 2006 in RFC 4347, it is used in practice up to now only the reSIProcate SIP stack. However, it is expected to be deployed rapidly in the VoIP field, since DTLS here combines the security of TLS with the speed of UDP and so fills this gap in the existing protocols.


The operation of DTLS largely corresponds to the TLS. In order not to bring about by excessive change in the original protocol an implication regarding the security of the new protocol, were made only at the locations changes, where this is necessary for an unreliable transport. These changes are:

  • Restoring the reliability of the handshake at the beginning of communication, because in this part of the arrival of all packages must be guaranteed in order to allow authentication and key exchange can. This is accomplished in that the packets be resent after a certain time.
  • Explicit numbering of the individual packets during transmission. This only happens implicitly when TLS, whereby when a packet loss is no more correct HMAC can be calculated, which is a breach of integrity and in turn leads to a loss of connection.
  • An optional replay - detection for individual packages.