tesla-cryptobytes - The TESLA Broadcast Authentication...

The TESLA Broadcast Authentication Protocol *

Adrian Perrig, Ran Canetti, J. D. Tygar, Dawn Song

* Most of this work was done at UC Berkeley and IBM Research. The authors can be reached at adrian+@cs.cmu.edu, canetti@watson.ibm.com, tygar@cs.berkeley.edu, skyxd@cs.cmu.edu.

Abstract

One of the main challenges of securing broadcast communication is source authentication, or enabling receivers of broadcast data to verify that the received data really originates from the claimed source and was not modified en route. This problem is complicated by mutually untrusted receivers and unreliable communication environments where the sender does not retransmit lost packets. This article presents the TESLA (Timed Efficient Stream Loss-tolerant Authentication) broadcast authentication protocol, an efficient protocol with low communication and computation overhead, which scales to large numbers of receivers, and tolerates packet loss. TESLA is based on loose time synchronization between the sender and the receivers. Despite using purely symmetric cryptographic functions (MAC functions), TESLA achieves asymmetric properties. We discuss a PKI application based purely on TESLA, assuming that all network nodes are loosely time synchronized.

1 Introduction

Broadcast communication is gaining popularity for efficient and large-scale data dissemination. Examples of broadcast distribution networks are satellite broadcasts, wireless radio broadcast, or IP multicast. While many broadcast networks can efficiently distribute data to multiple receivers, they often also allow a malicious user to impersonate the sender and inject broadcast packets — we call this a packet injection attack. (Source-Specific Multicast (SSM, EXPRESS) is a notable exception, and attempts to prevent this attack [17, 40].)

Because malicious packet injection is easy in many broadcast networks, the receivers want to ensure that the broadcast packets they receive really originate from the claimed source. A broadcast authentication protocol enables the receivers to verify that a received packet was really sent by the claimed sender.

Simply deploying the standard point-to-point authentication mechanism (i.e., appending a message authentication code (MAC) to each packet, computed using a shared secret key) does not provide secure broadcast authentication. The problem is that any receiver with the secret key can forge data and impersonate the sender. Consequently, it is natural to look for solutions based on asymmetric cryptography to prevent this attack; a digital signature scheme is an example of an asymmetric cryptographic protocol. Indeed, signing each data packet provides secure broadcast authentication; however, it has high overhead, both in terms of the time required to sign and verify, and in terms of the bandwidth. Several schemes were proposed that mitigate this overhead by amortizing a single signature over several packets, e.g., [14, 25, 28, 33, 38, 39]. However, none of these schemes is fully satisfactory in
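The shared-key MAC problem from the introduction, as an added example that is not part of the original article: every receiver holds the group key, so a packet produced by a receiver verifies exactly like one from the sender, while an outsider without the key is still rejected. The packet layout, the function names `make_packet` and `verify_packet`, and the sample identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def make_packet(group_key: bytes, sender_id: bytes, payload: bytes) -> bytes:
    """Build len(id) || sender_id || payload || MAC with the key all members hold."""
    body = len(sender_id).to_bytes(1, "big") + sender_id + payload
    return body + hmac.new(group_key, body, hashlib.sha256).digest()


def verify_packet(group_key: bytes, packet: bytes):
    """Return (claimed_sender, payload) if the MAC checks out, else None."""
    if len(packet) < 1 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(group_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    id_len = body[0]
    if len(body) < 1 + id_len:
        return None
    return body[1:1 + id_len], body[1 + id_len:]


def demo():
    group_key = os.urandom(32)  # constructed: shared by sender and all receivers
    # Legitimate broadcast from the real sender.
    genuine = make_packet(group_key, b"station-1", b"price=100")
    # Receiver B holds the same key, so it can emit a packet naming the sender.
    from_b = make_packet(group_key, b"station-1", b"price=999")
    # An outsider without the key can only guess a tag.
    outsider = genuine[:-TAG_LEN] + os.urandom(TAG_LEN)
    # Receiver C applies the only check it has to all three packets.
    return [verify_packet(group_key, p) for p in (genuine, from_b, outsider)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Receiver C accepts both of the first two packets as coming from `station-1`: the MAC proves only that the packet came from some holder of the group key, not which one.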

This note was uploaded on 03/31/2009 for the course ECE 18731 taught by Professor Perrig during the Spring '08 term at Carnegie Mellon.
