next up previous
Next: Authentication at Receiver Up: The TESLA Broadcast Authentication Previous: Bootstrapping Receivers

Broadcasting Authenticated Messages

 

Each key in the one-way key chain corresponds to a time interval. Every time a sender broadcasts a message, it appends a MAC to the message, using the key corresponding to the current time interval. The key remains secret for the next d-1 intervals, so messages sent in interval j effectively disclose key Kj-d. We call d the key disclosure delay.

 
 

Figure 3: At the top of the figure is the one-way key chain (using the one-way function F), and the derived MAC keys (using the one-way function F'). Time advances left-to-right, and the time is split into time intervals of uniform duration. At the bottom of the figure, we can see the packets that the sender sends in each time interval. For each packet, the sender uses the key that corresponds to the time interval to compute the MAC of the packet. For example for packet Pj+3, the sender computes a MAC of the data using key K'i+1. Assuming a key disclosure delay of two time intervals (d=2), packet Pj+3 would also carry key Ki-1.

As a general rule, using the same key multiple times in different cryptographic operations is ill-advised -- it may lead to cryptographic weaknesses. So we do not want to use key Kj both to derive key Kj-1 and to compute MACs. Using a pseudo-random function family f', we construct the one-way function F': F'(k) = f'k(1). We use F' to derive the key to compute the MAC of messages: K'i = F'(Ki). Figure 3 depicts the one-way key chain construction and MAC key derivation. To broadcast message Mj in interval i the sender constructs packet Pj = {Mj || MAC(K'i,Mj) || Ki-d}.

Figure 3 depicts the one-way key chain derivation, the MAC key derivation, the time intervals, and some sample packets that the sender broadcasts.


next up previous
Next: Authentication at Receiver Up: The TESLA Broadcast Authentication Previous: Bootstrapping Receivers

Adrian Perrig
Mon Aug 5 22:55:55 PDT 2002