[...] my idea is to generate a random key and send it over stream 0 with info that it is for securing stream 1. But is this safe even when stream 0 is already secure?
You can do that legwork yourself, but I don't think you'll have to.
RFC 3436 says that you can do a full TLS handshake on the first stream and then an abbreviated handshake (using TLS session resumption with the session ID from the full handshake) on the other streams.
Would this work for you?
Further reading
- There is a discussion of "TLS over SCTP" vs. "SCTP over IPSec" in this paper: JOURNAL OF COMPUTERS, VOL. 2, NO. 4, JUNE 2007, Secure End-to-End Transport Over SCTP
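
The following is an added example, not part of the original answer or of RFC 3436: it sketches why the resumed handshakes give every stream its own keys without any key being sent over stream 0. It assumes the TLS 1.2 key schedule from RFC 5246; the function names, the 96-byte key block size and the random inputs are constructed for illustration.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def full_handshake(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Full handshake (first stream): derive the 48-byte master secret.
    Both peers cache it under the session ID."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def stream_keys(master: bytes, client_random: bytes, server_random: bytes,
                length: int = 96) -> bytes:
    """Key block for one connection. A resumed handshake reuses the cached
    master secret but exchanges fresh randoms, so the key block is new.
    length=96 is an assumed size (two 32-byte MAC keys + two 16-byte cipher keys)."""
    return prf(master, b"key expansion", server_random + client_random, length)


def demo(streams: int = 3) -> dict:
    """Stream 0 does the full handshake; the others resume (constructed inputs)."""
    pre_master = os.urandom(48)   # stands in for the key-exchange result
    cr, sr = os.urandom(32), os.urandom(32)
    master = full_handshake(pre_master, cr, sr)
    keys = {0: stream_keys(master, cr, sr)}
    for sid in range(1, streams):
        # Abbreviated handshake: only new hello randoms cross the wire.
        keys[sid] = stream_keys(master, os.urandom(32), os.urandom(32))
    return keys


if __name__ == "__main__":
    for sid, block in demo().items():
        print(f"stream {sid}: key block starts {block[:8].hex()}")
```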