EldoS | Feel safer!

Software components for data protection, secure storage and transfer

DTLS application data header

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#35725
Posted: 01/27/2016 09:29:25
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Hi.

I'm using the SSLBlackBox library and i have a question

When the DTLS handshake is finished the app data is sent cipher and with the header of DTLS. It has an option to set that the app data are send without cipher but in this option the data is sent without the DTLS header.
It is possible to send the app data ciphered and without the DTLS header?

Thanks.
#35726
Posted: 01/27/2016 09:32:13
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

I’ve noticed there is no Support Access Ticket linked to your user account on EldoS site. Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase.

If you are evaluating the product and don't have a license yet, please let us know and then you can have support according to Basic support level. Basic support level includes answering basic technical questions that appear during product evaluation period. We also offer Premium support for a purchase from https://www.eldos.com/support/calc.php . You can use Premium Support to get higher level of assistance during your evaluation of our products.
#35727
Posted: 01/27/2016 09:37:42
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Hi.

I have an evaluation license key.

I have already posted this topic: https://www.eldos.com/forum/read.php?FID=7&TID=6427
#35728
Posted: 01/27/2016 10:27:37
by Ken Ivanov (EldoS Corp.)

Hi Peter,

Could you please provide some details about what you mean by 'sending data without the DTLS header'? The presence of the header itself is fairly important, as it contains certain fields needed to establish the order and encryption parameters of the record.

Ken
#35730
Posted: 01/27/2016 10:52:51
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Hi.

I need that the data sent after the DTLS handshake, it be like this Wireshark capture but not encapsuled on a DTLS packet:

It is possible?


#35731
Posted: 01/27/2016 11:02:09
by Ken Ivanov (EldoS Corp.)

Peter,

I'm afraid it's not - not only because it will be violating the DTLS standard, but also because such records will be undecryptable. Sorry.

Ken
#35745
Posted: 01/28/2016 07:02:36
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Ok, thanks.

I have another question.
The DTLS Client hello message have extension parameters. I would like that i can define to use the use_srtp extension. How can i do this?

Thanks.
#35746
Posted: 01/28/2016 08:17:24
by Ken Ivanov (EldoS Corp.)

Hi Peter,

Right, so all your former questions concern DTLS-SRTP then. That makes the things clearer.

As SecureBlackbox does not support use_srtp extension out of the box, you need to implement its format yourself as described here. What you need to be able to do is serialize the content of the extension (p. 4.1.1) to array of bytes and decode it back to the form that can be processed by your SRTP engine.

To attach the encoded extension to the DTLS component (either client or server), use its Extensions property. On the client the extension should be added before calling the Open() method; the best place to do that on the server is inside the OnExtensionsReceived event handler.

The extension should be attached in the following way:

Code
int idx = dtls.Extensions.OtherCount;
dtls.Extensions.OtherCount = dtls.Extensions.OtherCount + 1;
lTElCustomSSLExtension ext = dtls.Extensions.get_OtherExtensions(idx);
ext.ExtensionData = encodedSrtpExtension; // a byte array you created from your extension content
ext.ExtensionType = 14; // registered use_srtp extension identifier
ext.Enabled = true;


The dtls object here is your SecureBlackbox DTLS component.

To read the contents of use_srtp extension received from the remote party, use dtls.PeerExtensions extensions object. The received extension will be populated in the dtls.PeerExtensions.get_OtherExtensions() list for you; you can find it by looking for an extension object with ExtensionType of 14.

Ken
#35841
Posted: 02/04/2016 09:48:31
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Hi.

Thanks, It works!

Well, with the use_srtp extension, i receive RTP packets that i expected.

These RTP packets arrived encrypted with a key negotiated in the DTLS handshake.

I need to decrypt these packets with the key.

This key is in the DTLS object? How i access to it?

Thanks.
#35842
Posted: 02/04/2016 11:13:27
by Ken Ivanov (EldoS Corp.)

Peter,

Great, we are glad that you've managed to make the things work for you.

As per this document, you need to generate encryption keys yourself basing on the DTLS master secret value.

While the master secret is not publicly available in SecureBlackbox implementation of DTLS, the value is declared in the 'protected' section of TElDTLSClient component interface, and as such you can access it by creating your own descendant of TElDTLSClient and switching from TElDTLSClient to that descendant. In that case you could create a new property, say MasterSecret, and return the value of FTLS1MasterSecret field from the getter of that property:

Code
byte[] MasterSecret
{
    get { return this.FTLS1MasterSecret; }
}


The master secret value will be available upon successful setup of DTLS session.

Ken
Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.

Reply

Statistics

Topic viewed 4399 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!