Security Basics mailing list archives

RE: Why TCP is more secure than UDP?


From: "Wilfred Smith" <wilfred () esprit-omnimedia com>
Date: Wed, 11 Jul 2007 19:16:45 -0400

It's not.  If the UDP packet is encrypted, and the packets are not necessarily interchangeable, it can be more secure 
than TCP.  UDP is highly underrated for its security attributes.  It's much quicker for a server to determine that a 
UDP packet doesn't belong and discard it.  An AES stream over TCP is a stronger challenge to a degree, but slightly 
less breakable packets + a quicker moving, unpredictable target means you need to act fast to break in.  The usual 
caveats about exchanging keys through a separate, non-public mechanism apply.

If you're sniffing encrypted UDP packets, don't know the internal protocol and don't have the key, not only do you see 
indecipherable junk, but you also don't know which piece of indecipherable junk comes next, and if you can't send a 
synchronizing attack and capture response before the proper respondent can, there's no hope.

But then, I strongly believe that obscurity can be a major contributor (partial, but major) to more secure data 
exchanges over a public network.

W

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
Sent: Wednesday, July 11, 2007 9:05 AM
To: pal_adam () gmx net; security-basics () securityfocus com
Cc: paavan.shah () gmail com
Subject: RE: Why TCP is more secure than UDP?

  In order to spoof a UDP packet, *all* you need to do is spoof the source IP address.
  To successfully spoof a TCP packet, you need to also successfully spoof TCP header fields relating to the state of 
the connection, such as the sequence number.  Rather difficult to do reliably unless you've also been sniffing the 
conversation. 

  It would be possible to build a UDP-based application protocol that tracked state and sequence number, and so was "as 
secure as TCP".  In the process, you would probably lose all of UDP's performance advantage, and your implementation 
would likely still be a little weaker than what is already built into TCP.

David Gillett
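A receiver-side sketch of the stateful UDP application protocol David describes above, added here as an illustration; it is not code from anyone in this thread. It assumes a made-up datagram layout (session id, sequence number, payload, then an HMAC-SHA256 tag over everything before it) and a pre-shared per-session key, which stands in for the out-of-band key exchange Wilfred mentions; HMAC is used for the tag instead of AES simply because the Python standard library provides it. The point it shows is the one both posts make: a datagram that carries the right source but not the right session state (the key and the next expected sequence number) is cheap for the receiver to recognise and discard.

```python
"""Stateful validation of a small UDP-style application protocol (illustrative, constructed).

Datagram layout (assumed for this example, not a real protocol):
    4-byte session id | 8-byte sequence number | payload | 32-byte HMAC-SHA256 tag
The tag covers session id, sequence number and payload, so a datagram is bound
to one session and one position in the stream and cannot be replayed or reordered.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32
HDR = struct.Struct("!IQ")  # session id, sequence number, network byte order


class Session:
    """Per-session receiver state: shared key and the next sequence number we will accept."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0


def build_datagram(session_id: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: frame the payload and append the keyed tag."""
    header = HDR.pack(session_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: accept a datagram only if it fits the session's key and sequence state."""

    def __init__(self):
        self.sessions = {}
        self.log = []  # one line per discarded datagram, useful for detection/monitoring

    def register(self, session_id: int, key: bytes) -> None:
        self.sessions[session_id] = Session(key)

    def accept(self, datagram: bytes):
        """Return the payload if the datagram is valid for its session, else None."""
        if len(datagram) < HDR.size + TAG_LEN:
            self.log.append("drop: short datagram")
            return None
        session_id, seq = HDR.unpack_from(datagram)
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        session = self.sessions.get(session_id)
        if session is None:
            self.log.append(f"drop: unknown session {session_id}")
            return None
        # Tag check first: anything built without the key is rejected before state is consulted.
        expected = hmac.new(session.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.log.append(f"drop: bad tag session={session_id} seq={seq}")
            return None
        # Sequence check: replays and out-of-order datagrams do not match the expected position.
        if seq != session.next_seq:
            self.log.append(f"drop: seq {seq} != expected {session.next_seq}")
            return None
        session.next_seq += 1
        return body[HDR.size:]


def demo():
    """Feed a mix of valid, replayed, unkeyed and out-of-order datagrams to one receiver."""
    key = b"constructed-shared-key-for-session-7"  # constructed sample key, not a real secret
    rx = Receiver()
    rx.register(7, key)
    good0 = build_datagram(7, 0, b"hello", key)
    good1 = build_datagram(7, 1, b"world", key)
    results = [
        rx.accept(good0),                                    # valid, seq 0 -> b"hello"
        rx.accept(good0),                                    # replay of seq 0 -> None
        rx.accept(HDR.pack(7, 1) + b"junk" + bytes(TAG_LEN)),  # right seq, no key -> None
        rx.accept(build_datagram(7, 5, b"skip", key)),       # keyed but wrong seq -> None
        rx.accept(good1),                                    # valid, seq 1 -> b"world"
    ]
    return results, rx.log


if __name__ == "__main__":
    accepted, dropped = demo()
    print("accepted:", accepted)
    print("dropped:", *dropped, sep="\n  ")
```

The receiver's drop log is the part a defender actually cares about: a burst of "bad tag" or out-of-sequence drops for one session is the signal that someone is injecting datagrams with a plausible source address but without the session state.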


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of pal_adam () gmx net
Sent: Tuesday, July 10, 2007 1:37 AM
To: security-basics () securityfocus com
Cc: paavan.shah () gmail com
Subject: Re: Why TCP is more secure than UDP?

Hi

I don't understand what you mean by spoofing, since wherever you use 
UDP or TCP the underlying layer still remains IP so when you spoof a 
source you spoof an IP source.
If you talk about a man-in-the-middle attack then taking a closer look 
at both protocols will show that UDP doesn't establish any connection 
before starting the communication.
Using TCP you'll need to ACK incoming data using a pre-established 
sequence number which makes the attack on TCP harder but not 
impossible.


regards

Adam Pal



-------- Original Message --------
Date: 10 Jul 2007 02:11:12 -0000
From: paavan.shah () gmail com
To: security-basics () securityfocus com
Subject: Why TCP is more secure than UDP?

It is said that UDP is considered more vulnerable to spoofing than TCP?

Can anyone point me to any document/link which describes why TCP is more secure than UDP?

