views: 131
answers: 4
I'm looking for options for securing UDP traffic (mainly real-time video) on a wireless network (802.11). Any suggestions apart from Datagram Transport Layer Security (DTLS)?

Thanks.

A: 

You can look into ssh with port forwarding. That comes at the cost of maintaining a TCP connection over which the UDP traffic can be secured.

Amardeep
We want to avoid using any TCP connections because of the ad hoc nature of the network.
Soumya Simanta
Depending on your key exchange requirements, it might be as simple as using blowfish over each UDP packet's payload with a shared key. It is lightweight and doesn't load the CPU much on either end.
Amardeep
@Amardeep First of all blowfish is old, twofish is the next version. Also block ciphers are difficult to properly implement. At that point why not use dtls's twofish implementation?
Rook
Thanks for the update on blowfish.
Amardeep
@Rook - can you recommend an open source implementation of dtls's twofish ? I want to run this on Android.
Soumya Simanta
A: 

You must be more clear about the attacks you are trying to defend against. For instance if your only concern is spoofing then you can use a Diffie–Hellman key exchange to transfer a secret between 2 parties. Then this secret can be used to generate a Message Authentication Code for each packet.

If you need any more protection I strongly recommend using DTLS. It should be noted that all TLS/SSL connections can be resumed so you can cut down on the number of handshakes. Also, certificates are free.

Rook
A DH Key exchange would be vulnerable to an active MITM attack and you couldn't rely on it to authenticate packets.
Chris Clark
@Chris Clark you are correct, this is why ssl also uses asymmetric crypto.
Rook
+1  A: 

Have you considered IPSEC? This article provides some good guidance on when and when not to use it.

Andrew Strong
+1  A: 

Are you trying to wrap an existing application or writing your own? What client server setup do you have? Do you want to prevent snooping or tampering?

I am assuming here that you

  • are developing an application
  • are trying to prevent snooping
  • have access to client and server.

The simple approach is to use any off the shelf strong encryption. To prevent tampering use any signing algorithm with a private/public key scheme. As a matter of fact you can use the same key pair for encryption and authentication.

The drawback of this approach is that it is on layer 7 and you have to do most of the work on your own. On the other hand, DTLS is a viable option...

Sean Farrell