DTLS stands for Datagram Transport Layer Security.
DTLS (RFC 6347 for version 1.2, RFC 9147 for version 1.3) provides the same security guarantees as TLS (confidentiality, authentication, integrity) but operates over UDP instead of TCP. Because UDP does not guarantee delivery or ordering, DTLS adds what TLS gets from TCP for free: explicit record sequence numbers, retransmission timers for handshake messages, and optional replay detection. Since WebRTC media flows over UDP, TLS cannot be used directly, making DTLS essential to WebRTC's security model.
DTLS in WebRTC
DTLS serves two critical roles in WebRTC:
- Key exchange via DTLS-SRTP (RFC 5764): DTLS performs a handshake between peers and the resulting keying material is exported to key the SRTP media streams. This is the mandatory key exchange mechanism in WebRTC; the older SDES method, which carried SRTP keys in the clear inside the SDP, is prohibited for WebRTC endpoints (RFC 8827).
- Data Channel security: the SCTP-based Data Channel is carried inside DTLS records (RFC 8261), so application data is encrypted and integrity-protected just like media.
DTLS handshake
During connection setup, once ICE has found a working candidate pair, a DTLS handshake runs between the peers over that pair. Which side acts as DTLS client or server comes from the SDP a=setup attribute (active is the client, passive is the server). This handshake:
- Authenticates both peers using (typically self-signed, per-session) certificates. Because the certificates are self-signed, there is no CA to trust; each side instead checks that the certificate presented in the handshake matches the a=fingerprint hash the remote side sent in its SDP. Authentication is therefore only as strong as the integrity of the signaling channel: if an attacker can rewrite the SDP, they can substitute their own certificate and fingerprint.
- Negotiates the cipher suite and, via the use_srtp extension, the SRTP protection profile (for example SRTP_AES128_CM_HMAC_SHA1_80 or the AES-GCM profiles of RFC 7714)
- Derives the SRTP master keys and salts with the TLS keying material exporter (RFC 5705) using the label EXTRACTOR-dtls_srtp; the DTLS client protects the media it sends with the client half of that output, the server with the server half
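The two endpoint-side steps described above, the fingerprint binding between SDP and DTLS certificate and the RFC 5764 partitioning of exporter output into SRTP keys, as an added example. This is not code from the original page or from any WebRTC project; it uses only the Python standard library and assumes a real DTLS stack has already completed the handshake and handed over the peer certificate (DER bytes) and the exporter output. The certificate bytes, the SDP text and the 60-byte exporter output are constructed for illustration, and the choice to accept only SHA-2 fingerprint hashes is a design decision of this example, not a WebRTC requirement.

```python
"""Two checks a WebRTC endpoint performs around the DTLS handshake:
1. bind the DTLS certificate to the a=fingerprint value signalled in SDP;
2. split DTLS-SRTP exporter output into SRTP master keys and salts
   in the order RFC 5764 section 4.2 defines.
The DTLS handshake itself is assumed to be done by a real DTLS stack."""
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of the peer's self-signed certificate.
# Any byte string exercises the fingerprint math; a real stack supplies the
# certificate actually received in the DTLS handshake.
PEER_CERT_DER = b"\x30\x82\x01\x6a" + b"constructed-example-der-certificate-bytes"

# a=fingerprint hash names we are willing to check (design choice of this
# example: md2, md5 and sha-1 are refused rather than silently ignored).
ACCEPTED_HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}


def sdp_fingerprint(cert_der, hash_name="sha-256"):
    """Render a fingerprint in SDP form: hash name, a space, then the
    colon-separated uppercase hex digest of the DER-encoded certificate."""
    digest = hashlib.new(ACCEPTED_HASHES[hash_name], cert_der).digest()
    return hash_name + " " + ":".join("%02X" % b for b in digest)


_FP_LINE = re.compile(
    r"^a=fingerprint:(?P<hash>[A-Za-z0-9-]+)[ \t]+"
    r"(?P<hex>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)[ \t]*\r?$",
    re.MULTILINE,
)


def parse_fingerprints(sdp):
    """Return [(hash_name, hex_without_colons), ...] for every a=fingerprint line."""
    return [(m.group("hash").lower(), m.group("hex").replace(":", "").upper())
            for m in _FP_LINE.finditer(sdp)]


def verify_peer_certificate(sdp, cert_der):
    """Accept the handshake certificate only if every signalled fingerprint we
    can check matches it, and at least one was checkable. Any mismatch, or an
    SDP that only carries hashes we refuse, rejects the certificate."""
    checked = 0
    for hash_name, expected_hex in parse_fingerprints(sdp):
        algo = ACCEPTED_HASHES.get(hash_name)
        if algo is None:
            continue  # unsupported or disallowed hash: we cannot vouch for it
        actual_hex = hashlib.new(algo, cert_der).hexdigest().upper()
        if not hmac.compare_digest(actual_hex, expected_hex):
            return False
        checked += 1
    return checked > 0


# Master key and master salt lengths in bytes per SRTP protection profile
# (RFC 5764 section 4.1.2 for the AES-CM profiles, RFC 7714 for AES-GCM).
SRTP_PROFILES = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
    "SRTP_AEAD_AES_128_GCM": (16, 12),
    "SRTP_AEAD_AES_256_GCM": (32, 12),
}


def dtls_role_from_setup(local_setup):
    """Map this endpoint's negotiated a=setup value to its DTLS role:
    'active' is the DTLS client, 'passive' is the DTLS server."""
    if local_setup == "active":
        return "client"
    if local_setup == "passive":
        return "server"
    raise ValueError("a=setup must be resolved to active or passive before DTLS starts")


def split_srtp_keys(exporter_output, profile, dtls_role):
    """Partition the DTLS exporter output (label 'EXTRACTOR-dtls_srtp', no
    context value) into the four SRTP master secrets in RFC 5764 section 4.2
    order: client key, server key, client salt, server salt. The DTLS client
    protects what it sends with the client halves, so which pair is 'send'
    and which is 'recv' depends on this endpoint's DTLS role."""
    key_len, salt_len = SRTP_PROFILES[profile]
    need = 2 * key_len + 2 * salt_len
    if len(exporter_output) != need:
        raise ValueError("exporter output must be %d bytes for %s, got %d"
                         % (need, profile, len(exporter_output)))
    client_key = exporter_output[:key_len]
    server_key = exporter_output[key_len:2 * key_len]
    client_salt = exporter_output[2 * key_len:2 * key_len + salt_len]
    server_salt = exporter_output[2 * key_len + salt_len:]
    if dtls_role == "client":
        return {"send": (client_key, client_salt), "recv": (server_key, server_salt)}
    if dtls_role == "server":
        return {"send": (server_key, server_salt), "recv": (client_key, client_salt)}
    raise ValueError("dtls_role must be 'client' or 'server'")


if __name__ == "__main__":
    # Constructed remote SDP carrying the fingerprint of PEER_CERT_DER.
    remote_sdp = ("v=0\r\n"
                  "a=setup:passive\r\n"
                  "a=fingerprint:" + sdp_fingerprint(PEER_CERT_DER) + "\r\n")
    print("certificate bound to SDP:", verify_peer_certificate(remote_sdp, PEER_CERT_DER))
    # Constructed 60-byte exporter output; a real value comes from the DTLS stack.
    keys = split_srtp_keys(bytes(range(60)), "SRTP_AES128_CM_HMAC_SHA1_80",
                           dtls_role_from_setup("active"))
    print("send key:", keys["send"][0].hex(), "send salt:", keys["send"][1].hex())
```

The two mistakes this guards against are the ones that show up in real integrations: comparing the fingerprint case-sensitively or with a non-constant-time string compare, and pulling the four SRTP secrets out of the exporter output in key/salt/key/salt order instead of keys first, then salts, which yields a session that silently fails SRTP authentication in one direction.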
DTLS 1.3 and PQC
The WebRTC community is working on adopting DTLS 1.3 (RFC 9147), which completes the handshake in one round trip instead of the two that DTLS 1.2 needs, and which inherits TLS 1.3's key_share negotiation. That mechanism is where hybrid post-quantum key exchange (a classical group such as X25519 combined with ML-KEM) is being introduced, which is what makes DTLS 1.3 the path to PQC (Post-Quantum Cryptography) for WebRTC against future quantum computing threats. One practical caveat for a UDP transport: post-quantum key shares are far larger than elliptic-curve ones (an ML-KEM-768 public key alone is 1184 bytes), so handshake messages will exceed a typical path MTU and rely on DTLS handshake fragmentation and retransmission to get through.


