746 DTLS and Transport Security
746.1 Overview
This section covers Datagram Transport Layer Security (DTLS), the protocol that brings TLS-equivalent encryption to UDP-based IoT applications like CoAP, video streaming, and real-time telemetry.
Core concept: DTLS (Datagram TLS) provides TLS-equivalent encryption over UDP, enabling secure real-time IoT communication without TCP’s latency overhead.
Why it matters: CoAP and other UDP-based IoT protocols cannot use standard TLS; without DTLS, your sensor data travels unencrypted and vulnerable to interception.
Key takeaway: Use DTLS for CoAP (port 5684), video streaming, and real-time telemetry; use regular TLS over TCP only for file transfers and critical commands where reliability trumps speed.
746.2 Chapter Contents
This topic is covered in four focused chapters:
746.2.1 DTLS Fundamentals and Architecture
Learn the basics of DTLS, including:
- Why DTLS exists (TLS adapted for UDP)
- DTLS architecture and protocol stack
- Security properties: encryption, authentication, integrity
- Use cases: CoAP, VoIP, WebRTC, gaming
- Challenges for constrained IoT devices
- DTLS vs IPsec comparison
746.2.2 DTLS Handshake Protocols
Understand the handshake process in detail:
- DTLS 1.2 complete handshake (3-RTT with cookie)
- DTLS 1.3 improvements (1-RTT)
- TLS 1.3 handshake step-by-step
- 0-RTT session resumption (benefits and risks)
- Version comparison: TLS 1.2 vs 1.3, DTLS 1.2 vs 1.3
- Battery impact of handshake latency
746.2.3 DTLS Attack Scenarios and Authentication
Learn about security threats and defenses:
- Amplification DoS attacks and cookie defense
- Session hijacking and MAC protection
- Downgrade attacks and finished message verification
- PSK vs certificate authentication comparison
- Smart home PSK example (10 devices)
- Industrial IoT certificate example (1000 sensors)
746.2.4 DTLS Performance and Implementation
Master practical implementation:
- Performance benchmarks (ESP32, handshake time, memory)
- Session resumption optimization (60% battery savings)
- Connection ID for mobile devices (RFC 9146)
- Replay window tuning for lossy networks
- Worked examples: gateway memory calculation, battery life analysis
- Cross-hub connections to related content
746.3 Learning Path
Recommended order:
- Fundamentals - Start here to understand why DTLS exists
- Handshake - Learn how secure connections are established
- Attacks & Auth - Understand threats and authentication options
- Performance - Optimize for production deployments
Prerequisites: Before starting, review:
Next steps: After completing this section, continue to:
- Transport Fundamentals - Transport layer protocols
- Encryption Architecture - Cryptographic deep dive
746.4 Quick Reference
| Feature | TLS (TCP) | DTLS (UDP) |
|---|---|---|
| Use Case | Web, downloads | CoAP, VoIP, video |
| Latency | 100-300ms | 10-50ms |
| Packet Loss | Retransmits | Tolerates |
| IoT Fit | APIs, firmware | Real-time sensors |

| Auth Mode | Memory | Scalability | Best For |
|---|---|---|---|
| PSK | ~1.5 KB | Poor | < 100 devices |
| Certificates | ~5 KB | Excellent | Enterprise |
746.5 Summary
DTLS enables secure real-time IoT communication by adapting TLS for UDP transport. Key points:
- Cookie mechanism prevents amplification DoS attacks
- Sequence numbers provide replay protection
- Session resumption reduces battery drain by 60%
- DTLS 1.3 offers 44% faster handshakes than 1.2
- PSK mode uses 70% less memory than certificates
Choose DTLS for latency-sensitive applications; choose TLS/TCP for reliability-critical data.
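The first two summary points (the cookie exchange and sequence-number replay protection) are the two mechanisms DTLS adds to TLS specifically for UDP. The following Python model is an added illustration, not code from this section or its chapters: it shows a stateless HMAC cookie that a server can verify without keeping per-client state (RFC 6347 section 4.2.1), and a sliding-bitmap replay window that rejects duplicates and too-old records (RFC 6347 section 4.1.2.6). The ClientHello is treated as an opaque byte string, the addresses and sequence numbers are constructed sample values, and no records are actually encrypted.

```python
"""Model of two UDP-specific DTLS mechanisms: the HelloVerifyRequest cookie
and the anti-replay window. Simplified illustration, not a DTLS stack."""
import hashlib
import hmac
import secrets
import struct

# --- Stateless cookie (RFC 6347 section 4.2.1) ---------------------------
# The server stores only this key. The cookie binds a ClientHello to the
# source address it arrived from, so a ClientHello spoofed from a victim's
# address gets a small HelloVerifyRequest back and allocates no state.
COOKIE_SECRET = secrets.token_bytes(32)  # rotate periodically in practice


def make_cookie(client_addr, client_hello, secret=COOKIE_SECRET):
    """HMAC-SHA256 over (ip, port, ClientHello bytes)."""
    ip, port = client_addr
    msg = ip.encode("ascii") + struct.pack("!H", port) + client_hello
    return hmac.new(secret, msg, hashlib.sha256).digest()


def handle_client_hello(client_addr, client_hello, cookie=b"", secret=COOKIE_SECRET):
    """Server side of the cookie exchange.

    Returns ("HelloVerifyRequest", cookie) for a ClientHello without a valid
    cookie, or ("ServerHello", None) once the client has echoed a cookie that
    verifies for its source address. Only then is per-client state allocated.
    """
    expected = make_cookie(client_addr, client_hello, secret)
    if cookie and hmac.compare_digest(expected, cookie):
        return ("ServerHello", None)
    return ("HelloVerifyRequest", expected)


# --- Anti-replay window (RFC 6347 section 4.1.2.6) -----------------------
class ReplayWindow:
    """Sliding bitmap over record sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has been accepted. A record is
    rejected if it is older than the window or already marked. Call accept()
    only after the record's MAC has verified; otherwise an attacker could
    advance the window with forged records and make genuine ones look stale.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = -1   # no record accepted yet
        self.bitmap = 0

    def accept(self, seq):
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # jumped past the whole window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq                          # bit 0 now marks `seq`
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                            # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                            # duplicate: replay
        self.bitmap |= 1 << offset                  # late but fresh: accept
        return True


def simulate(seqs, size=64):
    """Feed record sequence numbers through one window; return accept flags."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: a ClientHello from 192.0.2.10:40000 and a spoofed copy.
    hello = b"ClientHello:random=abc;ciphers=0xC0AC"
    msg, cookie = handle_client_hello(("192.0.2.10", 40000), hello)
    print(msg)                                                          # HelloVerifyRequest
    print(handle_client_hello(("192.0.2.10", 40000), hello, cookie)[0])  # ServerHello
    print(handle_client_hello(("192.0.2.99", 40000), hello, cookie)[0])  # HelloVerifyRequest
    # Lossy network: reordering, one duplicate (5), one record too old (136).
    print(simulate([5, 3, 5, 4, 200, 150, 136, 137]))
```

The replay window is the knob behind the "replay window tuning" item in the performance chapter: a larger `size` tolerates more reordering on a lossy link at the cost of a larger bitmap, while the MAC check before `accept()` is what keeps the window from being driven forward by forged records.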