Network Security right from the Beginning – Introducing DHCP-over-TLS (DoT)

René Pfeiffer / April 1, 2019 / High Entropy

[Image: a generic description of the Request For Comments (RFC), fragment from a presentation slide]

Every security researcher knows: if you want to secure a system, do it as early as possible. This is why Trusted Computing, Secure Boot, Trusted Execution Technology and many more technologies were invented – to get the operating system safely off the ground right at boot time. After the boot process, additional components have to be initialised, and dependencies are common in this stage. The second most important resource next to the local machine is the network. Most modern programming languages rely heavily on a network connection to get any work done; local storage and memory are merely a big cache for temporary data to them. So how do you extend a trusted boot process beyond the initial network configuration? The answer is easy. You just combine two highly mature and reliable protocols – Dynamic Host Configuration Protocol (DHCP) and Transport Layer Security (TLS). Everything is done via TLS these days, because encryption is the answer to every single security problem.

DHCP-over-TLS (DoT) clients carry a list of trustworthy certificate authorities (TCAs). These authorities are strictly controlled and adhere to the highest security standards. The DHCP discovery phase itself is no different from the classic protocol. The client will still get an answer from a DoT-enabled DHCP server, but the offer packet will include additional DHCP options indicating that a TLS handshake is required. Both client and server then engage in a TLS connection in which the DHCP offer packet is repeated (for security reasons, always transmit sensitive data twice), followed by the normal request, acknowledgement, inform or release packets. DoT servers can opt to deny access to clients without a valid certificate. In turn, DoT clients can be fitted with a custom list of certificate authorities to allow the configuration of restricted networks.
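The exchange described above, as an added simulation that is not code from the post or from any DHCP implementation: discovery and the first offer travel in the clear, the offer carries an option flagging that TLS is required, the offer is repeated inside the TLS session and compared with the cleartext copy, and only then do request and acknowledgement follow. Everything specific here is an assumption for illustration: option number 254, the message names, the CA names and addresses, and the TLS handshake itself, which is stood in for by checking each side's certificate issuer against the other side's CA list instead of running real TLS.

```python
"""Simulated DHCP-over-TLS (DoT) exchange, following the flow in the post.

Added illustration only: the option number, message names and the stand-in
for the TLS handshake (a CA-name lookup instead of real TLS) are assumptions.
"""
from dataclasses import dataclass, field

OPTION_TLS_REQUIRED = 254  # assumed DHCP option number; not an assigned option


@dataclass
class Certificate:
    subject: str
    issuer: str  # name of the certificate authority that signed it


@dataclass
class Message:
    kind: str  # DISCOVER, OFFER, REQUEST, ACK, NAK
    options: dict = field(default_factory=dict)
    via_tls: bool = False  # True once the message travels inside the TLS session


class DoTServer:
    def __init__(self, cert, offered_ip, tcas, require_client_cert=True):
        self.cert = cert
        self.offered_ip = offered_ip
        self.tcas = set(tcas)  # CAs whose client certificates are accepted
        self.require_client_cert = require_client_cert
        self._last_offer = None

    def on_discover(self, msg):
        """Classic discovery phase: answer in the clear, but flag that TLS is required."""
        assert msg.kind == "DISCOVER" and not msg.via_tls
        self._last_offer = Message("OFFER", {"ip": self.offered_ip, OPTION_TLS_REQUIRED: 1})
        return self._last_offer

    def accept_client(self, client_cert):
        """Stand-in for TLS client authentication against the server's CA list."""
        if client_cert is None:
            return not self.require_client_cert
        return client_cert.issuer in self.tcas

    def repeat_offer(self):
        """The post's rule: the offer is sent a second time, now inside TLS."""
        return Message("OFFER", dict(self._last_offer.options), via_tls=True)

    def on_request(self, msg):
        assert msg.via_tls
        if msg.kind == "REQUEST" and msg.options.get("ip") == self.offered_ip:
            return Message("ACK", {"ip": self.offered_ip}, via_tls=True)
        return Message("NAK", via_tls=True)


class DoTClient:
    def __init__(self, tcas, cert=None):
        self.tcas = set(tcas)  # the client's trustworthy certificate authorities (TCAs)
        self.cert = cert


def dot_exchange(client, server):
    """Run one exchange; return (outcome, transcript of (direction, message))."""
    transcript = []
    discover = Message("DISCOVER")
    transcript.append(("C->S", discover))
    offer = server.on_discover(discover)
    transcript.append(("S->C", offer))
    if offer.options.get(OPTION_TLS_REQUIRED) != 1:
        return "plain-dhcp", transcript  # classic server; not modelled further

    # TLS handshake, stood in for by checking each side's certificate issuer
    if server.cert.issuer not in client.tcas:
        return "rejected-server-cert", transcript
    if not server.accept_client(client.cert):
        return "rejected-client-cert", transcript

    repeat = server.repeat_offer()
    transcript.append(("S->C (TLS)", repeat))
    if repeat.options != offer.options:
        return "offer-mismatch", transcript  # cleartext and TLS copies disagree

    request = Message("REQUEST", {"ip": repeat.options["ip"]}, via_tls=True)
    transcript.append(("C->S (TLS)", request))
    ack = server.on_request(request)
    transcript.append(("S->C (TLS)", ack))
    return ("configured" if ack.kind == "ACK" else "nak"), transcript


if __name__ == "__main__":
    ca = "Example Corporate CA"  # constructed CA name
    server = DoTServer(Certificate("dhcp.example.net", ca), "10.0.0.23", [ca])
    client = DoTClient([ca], Certificate("laptop-01", ca))
    outcome, log = dot_exchange(client, server)
    for direction, m in log:
        print(f"{direction:12} {m.kind} {m.options}")
    print(outcome)
```

A client without a certificate is turned away by a server that insists on one, a client whose TCA list does not contain the server's CA refuses the handshake itself, and a server configured with `require_client_cert=False` lets an anonymous client through, which covers the three policy cases the paragraph mentions.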

Overall it is a good compromise between SeND and 802.1X. It is the best of all worlds, so to speak. DoT is bound to revolutionise the IoT world, and it will probably come with a free blockchain, too.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.