lecture13-broadcast-authentication-signature-haowen


Lecture 13: Broadcast Authentication and Stream Signatures
Adrian Perrig / Haowen Chan
18-731: Network Security, Spring 2009
2/25/09

Slide 2: Signatures vs Authentication
Sender sends data to a receiver
Attacker can sit on wire – full control
Authentication (weaker)
  • Receiver can only convince herself that the data was generated by the sender
  • Sufficient for many apps – packet authentication
Signature (stronger)
  • Receiver knows it can prove to a third party that the data was generated by the sender
  • Important for proxy/cache application that receives data and needs to convince final receiver data ok

Slide 3: Broadcast Authentication
Broadcasts data over wireless network
Packet injection usually easy
Goal: each receiver can verify data origin
[Figure labels: Sender, Alice, Bob, Carol, Dave; message M on each link]

Slide 4: Authentication Needs Asymmetry
[Figure labels: Sender, Alice and Bob each hold K; Msg, MAC(K,Msg); Forged Msg, MAC(K, Forged Msg); Msg, MAC(K,Msg)]
MAC: Message Authentication Code (authentication tag)
K = shared key

Slide 5: Digital Signatures Impractical
Signatures are expensive, e.g., RSA 1024:
  • High generation cost (~10 milliseconds)
  • High verification cost (~1 millisecond)
  • High communication cost (128 bytes/packet)
Very expensive on low-end processors
If we use one signature over multiple packets, intolerant to packet loss

Slide 6: TESLA
Timed Efficient Stream Loss-tolerant Authentication
Uses only symmetric cryptography
Asymmetry via time
  • Sender is the only principal who could have computed a MAC at time t
  • Delayed key disclosure for verification
  • Requires loose time synchronization

Slide 7: Basic Authentication Mechanism
[Figure: timeline t with labels F(K) (authentic commitment), P with MAC(K,P), K disclosed]
1: Verify K
2: Verify MAC
3: P Authentic!
F: public one-way function

Slide 8: Security Condition
Receiver knows key disclosure schedule
Security condition (for packet P): on arrival of P, receiver is certain that sender did not yet disclose K
If security condition not satisfied, drop packet

Slide 9: Bootstrapping Receivers
Loose time synchronization
  • Receiver knows maximum time synchronization error, upper bound on sender’s time
Session setup, authenticated parameters...
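
The receiver side of slides 7 and 8 for a single key K, as an added example that is not part of the lecture: packets are buffered only if the security condition holds, and are accepted only after the disclosed K matches the commitment F(K) and the MAC verifies. SHA-256 for F, HMAC-SHA256 for MAC, the Receiver class and all sample values are assumptions of this example.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    # Public one-way function F (SHA-256 is an assumption of this example).
    return hashlib.sha256(key).digest()

def mac(key: bytes, packet: bytes) -> bytes:
    # MAC(K, P); HMAC-SHA256 is an assumption of this example.
    return hmac.new(key, packet, hashlib.sha256).digest()

class Receiver:
    def __init__(self, commitment: bytes, disclosure_time: float, max_sync_error: float):
        self.commitment = commitment            # authentic F(K) from session setup
        self.disclosure_time = disclosure_time  # sender-clock time at which K is disclosed
        self.max_sync_error = max_sync_error    # bound on sender/receiver clock offset
        self.buffered = []                      # (packet, tag) pairs awaiting K

    def on_packet(self, packet: bytes, tag: bytes, local_time: float) -> bool:
        # Security condition: even the latest possible sender time must be
        # before disclosure, otherwise anyone holding K could have made the tag.
        if local_time + self.max_sync_error >= self.disclosure_time:
            return False                        # drop packet
        self.buffered.append((packet, tag))
        return True

    def on_key_disclosed(self, key: bytes) -> list:
        # 1: verify K against the commitment; 2: verify each buffered MAC.
        if not hmac.compare_digest(F(key), self.commitment):
            return []
        return [p for p, t in self.buffered if hmac.compare_digest(mac(key, p), t)]

def demo():
    key = b"constructed-demo-key"               # constructed sample values throughout
    rx = Receiver(F(key), disclosure_time=100.0, max_sync_error=2.0)
    good = b"reading=42"
    in_time = rx.on_packet(good, mac(key, good), local_time=90.0)
    rx.on_packet(b"injected", bytes(32), local_time=91.0)       # tag made without K
    late = b"sent after K may be public"
    too_late = rx.on_packet(late, mac(key, late), local_time=99.0)
    return in_time, too_late, rx.on_key_disclosed(key)

if __name__ == "__main__":
    print(demo())
```

The late packet is dropped even though its MAC is valid, because at that point the receiver can no longer rule out that K was already public.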

This note was uploaded on 03/31/2009 for the course ECE 18731 taught by Professor Perrig during the Spring '08 term at Carnegie Mellon.
