749  DTLS Attack Scenarios and Authentication

749.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Analyze Attack Scenarios: Understand amplification DoS, session hijacking, and downgrade attacks against DTLS
  • Evaluate Defense Mechanisms: Explain how cookie mechanism, MAC, and finished message verification protect DTLS
  • Compare Authentication Methods: Choose between PSK and certificate-based authentication based on deployment needs
  • Design Secure Deployments: Apply authentication best practices for small and large-scale IoT systems
TipMVU: Minimum Viable Understanding

Core concept: DTLS defends against UDP-specific attacks (amplification, replay, downgrade) through cookie mechanism, sequence numbers, and handshake verification.

Why it matters: Understanding attacks helps you configure DTLS correctly - a misconfigured DTLS deployment may be worse than no security at all.

Key takeaway: Use PSK for small deployments (< 100 devices) with manual provisioning; use certificates for enterprise scale with automated PKI and revocation.

749.2 Prerequisites

Before diving into this chapter, you should be familiar with:

749.3 DTLS Attack Scenarios and Defenses

Understanding attacks against DTLS helps appreciate its security mechanisms:

749.3.1 Attack 1: Amplification DoS

Attack Description:

Attacker sends small ClientHello (50 bytes) with spoofed source IP
Server responds with large Certificate (2000 bytes) to victim
Result: 40x amplification factor

DTLS Defense - HelloVerifyRequest (Cookie Mechanism):

Cookie Implementation:

Cookie = HMAC-SHA256(Client_IP + Client_Port + Server_Secret)

Verification:
1. Client sends ClientHello
2. Server computes cookie, sends HelloVerifyRequest
3. Client echoes cookie in second ClientHello
4. Server recomputes cookie, verifies match
5. Only then sends Certificate (large message)

Impact: Reduces amplification factor from 40x to 2x.

749.3.2 Attack 2: Session Hijacking

Attack Description:

Attacker intercepts DTLS handshake, tries to inject own messages
Goal: Establish session with server using victim's credentials

DTLS Defense - Message Authentication Code (MAC):

Mermaid diagram

Mermaid diagram
Figure 749.2: DTLS Message Authentication Code (MAC) Protection against session hijacking: legitimate client computes HMAC over data using shared secret key, sends encrypted data plus MAC tag to server; attacker intercepts message and attempts modification attack by flipping bits in encrypted payload while keeping original MAC, forwards modified data with unmodified MAC to server; server decrypts tampered data, recomputes MAC using shared key and decrypted plaintext, detects MAC mismatch between computed and received values, rejects packet as tampered; next legitimate message from client contains valid MAC which server accepts; MAC provides both data integrity (detects modification) and authenticity (proves sender knows secret key), modern AEAD ciphers like AES-GCM include built-in authentication eliminating separate MAC computation.

Result: Any tampering detected, packet rejected.

749.3.3 Attack 3: Downgrade Attack

Attack Description:

Attacker intercepts ClientHello, modifies supported cipher list
Removes strong ciphers (AES-256), forces weak cipher (DES)
Goal: Make encryption easier to crack

DTLS Defense - Finished Message Verification:

Handshake process:
1. ClientHello: Lists [AES-256-GCM, AES-128-CCM, 3DES]
2. Attacker modifies: [3DES] (removes strong ciphers)
3. ServerHello: Chooses 3DES (only option)
4. Handshake continues...
5. Finished message: Hash of ALL handshake messages
   - Client: Hash(original ClientHello + ServerHello + ...)
   - Server: Hash(modified ClientHello + ServerHello + ...)
   - Hashes don't match -> Handshake fails
   - Connection aborted

Result: Any modification to handshake messages detected.

749.4 Authentication Methods: PSK vs Certificates

DTLS supports two main authentication modes:

Feature Pre-Shared Key (PSK) X.509 Certificates
Setup Complexity Simple Complex (PKI needed)
Key Distribution Out-of-band (manual) Automated (CA)
Scalability Poor (N^2 keys for N devices) Excellent (each device has 1 cert)
Computation Low (symmetric crypto only) High (public key crypto)
Memory Low (16-32 bytes key) High (1-4 KB certificate)
Revocation Manual Automated (CRL, OCSP)
Perfect Forward Secrecy No (unless ECDHE-PSK) Yes (with ECDHE)
Best For Small deployments, factory provisioning Large deployments, enterprise

749.4.1 PSK Example: Smart Home (10 devices)

Provisioning:

Factory: Generate PSK = 0x1A2B3C4D...
        Write PSK to device EEPROM
        Print PSK on device label (or QR code)

Setup:  User scans QR code
        PSK entered into hub
        Hub stores PSK for each device

Handshake (simplified):

Client->Server: ClientHello, PSK_identity="light-bulb-01"
Server->Client: ServerHello, cipher=AES-128-CCM-PSK
[Both derive keys from PSK]
Client->Server: Finished (encrypted with derived key)
Server->Client: Finished
[Secure channel established]

Advantages: - No certificates needed - Fast handshake (no public key ops) - Low memory (fits on tiny MCUs)

Disadvantages: - Manual provisioning - If PSK compromised, all past sessions decryptable (no PFS) - Doesn’t scale to 1000s of devices

749.4.2 Certificate Example: Industrial IoT (1000 sensors)

Provisioning:

Factory: Generate key pair for each device
        Submit CSR to CA
        CA issues certificate
        Store cert + private key in secure element

Deployment: Device presents certificate during handshake
           Server verifies against trusted CA
           No manual PSK entry needed!

Advantages: - Scales to millions of devices - Certificate revocation (remove compromised devices) - Perfect Forward Secrecy (past sessions safe even if key leaked)

Disadvantages: - Requires PKI infrastructure - Higher memory (certificates) - Slower handshake (public key crypto)

749.5 Knowledge Check

Question 1: An industrial IoT gateway manages 200 sensors sending data every 10 seconds. Each sensor uses DTLS with certificates. The gateway runs out of memory after 50 concurrent connections. What’s the most effective solution?

Explanation: Memory optimization for constrained gateways:

Problem Analysis:

Current: 200 sensors, 50 concurrent = 25% success rate
Memory per DTLS session (certificates):
  - Certificate storage: 2-4 KB
  - Session state: 1 KB
  - Crypto context: 512 bytes
  = ~4-5 KB per connection

50 connections x 5 KB = 250 KB RAM
200 connections would need: 1 MB RAM (not available!)

Solution C - PSK + Aggressive Caching:

PSK mode memory:
  - No certificate storage: 0 KB (saved 2-4 KB!)
  - PSK: 32 bytes
  - Session state: 1 KB
  - Crypto context: 512 bytes
  = ~1.5 KB per connection

With session caching strategy:
  - Cache sessions for only 60 seconds (sensors send every 10s)
  - After data sent, cache session but free crypto context
  - Only keep 20 "active" full sessions at once
  - 180 "cached" sessions (just session ID + PSK)

Memory usage:
  Active: 20 x 1.5 KB = 30 KB
  Cached: 180 x 64 bytes = 11.5 KB
  Total: 41.5 KB (fits in 50 KB budget!)

Why NOT other options: - A (TLS): TLS requires TCP, which uses MORE memory (connection state, buffers, retransmit queues) than DTLS - B (larger window): Replay window is ~256 bytes, not the bottleneck - D (no DTLS): Removes end-to-end encryption (Wi-Fi only protects wireless hop, not wired network or cloud)

Key insight: For constrained gateways, PSK + session caching provides security with 70% less memory than certificates.

Question 2: A video doorbell using DTLS experiences 5% packet loss during uploads. Users complain of choppy video. What’s the correct diagnosis and fix?

Explanation: DTLS is designed for lossy networks:

Understanding the architecture:

Video Doorbell -> Wi-Fi -> Cloud
      |           |       |
    H.264       DTLS    Storage
    Codec       UDP
    (30 fps)  (encrypted)

5% packet loss = 1.5 frames/second lost (at 30 fps)

Option B is correct because:

1. Video Codecs Handle Packet Loss:

H.264 encoding:
  - I-frames (keyframes): Complete image, sent every 1-2 seconds
  - P-frames (predictive): Delta from previous frame
  - Packet loss: Decoder skips lost P-frame, displays previous frame
  - Next I-frame: Video recovers completely

Error concealment techniques:
  - Temporal concealment: Repeat previous frame
  - Spatial concealment: Interpolate from neighboring blocks
  - Forward error correction (FEC): Send redundant data

Why NOT other options: - A (switch to TCP): TCP would STALL video waiting for retransmits. Much worse user experience. - C (reduce window): Replay window prevents duplicates, doesn’t affect buffering. Reducing it would INCREASE false rejections. - D (DTLS 1.3): Both 1.2 and 1.3 handle packet loss identically during data transfer (difference is in handshake).

Real-world comparison: | Protocol | 5% Loss Impact | User Experience | |———-|—————-|—————–| | DTLS/UDP | 1-2 frames skipped/sec | Smooth video, minor artifacts | | TLS/TCP | 5-10 stalls/minute (0.5s each) | Stuttering, freezing |

Industry standard: All video conferencing (Zoom, WebRTC, Skype) uses DTLS/UDP, not TCP.

WarningCommon Misconception: “DTLS is just TLS over UDP”

The Misconception: Many developers assume DTLS is simply TLS running on UDP sockets without modification, leading to implementation failures and security vulnerabilities.

The Reality: DTLS required fundamental protocol redesign to handle UDP’s unreliability. Real-world impact:

2020 IoT Camera Incident (quantified): - Vendor: Major smart camera manufacturer - Mistake: Implemented “TLS-like” security over UDP without proper DTLS - Missing: Cookie mechanism, sequence number tracking, handshake retransmission - Result: - DoS vulnerability: 1 attacker -> 40x amplification -> took down 500 cameras - Replay attacks: Captured packets replayed 48 hours later still accepted - Connection failures: 23% handshake failure rate in lossy Wi-Fi (packets lost, no retransmit) - Recall cost: $2.3M for firmware updates + customer service - Reputation damage: 37% customer churn to competitor products

Key DTLS Adaptations Beyond “TLS on UDP”:

  1. HelloVerifyRequest Cookie (not in TLS):
    • Prevents amplification DoS attacks
    • Stateless server verification
    • Without it: 40x amplification factor
  2. Explicit Sequence Numbers (13-byte header vs 5-byte TLS):
    • In-band sequence tracking (UDP has no stream concept)
    • Replay protection without TCP sequence numbers
    • Without it: Replay attacks succeed
  3. Handshake Retransmission (timer-based):
    • TLS relies on TCP retransmits
    • DTLS implements own timers (exponential backoff)
    • Without it: 20-30% connection failures on lossy networks
  4. Message Fragmentation (handles large certificates):
    • TLS uses TCP segmentation
    • DTLS fragments at record layer
    • Without it: Handshakes fail when Certificate > MTU

Correct Understanding: DTLS is TLS’s security model redesigned for datagram transport, requiring cookie exchange, explicit sequencing, retransmission logic, and fragmentation handling.

749.6 Summary

Attack Defenses: - Amplification DoS: Cookie mechanism reduces factor from 40x to 2x - Session Hijacking: MAC ensures integrity and authenticity - Downgrade Attack: Finished message verifies entire handshake transcript

Authentication Choice: - PSK: Simple, fast, low memory - use for < 100 devices - Certificates: Scalable, revocable, PFS - use for enterprise deployments

Key Considerations: - PSK requires manual provisioning but uses 70% less memory - Certificates provide automated PKI but require more resources - ECDHE-PSK adds forward secrecy to PSK mode

749.7 What’s Next?

Continue to DTLS Performance and Implementation to learn performance benchmarks, session resumption optimization, Connection ID for mobility, and best practices for production deployments.