
Determining the Key Disclosure Delay

An important parameter to determine for TESLA is the key disclosure delay $d$. A short disclosure delay causes packets to violate the security condition and be dropped, while a long disclosure delay causes a long authentication delay. Although the choice of the disclosure delay does not affect the security of the system, it is an important performance factor. We describe a new method for choosing a good disclosure delay $d$. In particular, we show below that if $RTT$ is a reasonable upper bound on the round trip time between the receiver and the sender, then with direct time synchronization we can choose $d = RTT / T_{int} + 1$, where $T_{int}$ is the interval duration. With indirect time synchronization, we can choose $d = (D_{SR} + \epsilon) / T_{int} + 1$, where $\epsilon$ is the sum of the sender and receiver time synchronization errors, and $D_{SR}$ is a reasonable upper bound on the network delay of a packet traveling from the sender to the receiver.

Consider a packet $P_i$ that is constructed in time interval $I_j$ using the MAC key $K'_j$, which will be disclosed $d$ time intervals later. The packet $P_i$ arrives at the receiver at its local time $t_{R_i}$. Hence the security condition is that

$$\left\lfloor \frac{t_{R_i} + \Delta - T_0}{T_{int}} \right\rfloor - I_j < d,$$

where $T_0$ is the beginning time of the 0th time interval and $T_{int}$ is the time interval duration. Assume packet $P_i$ was sent at the sender's local time $t_{S_i}$. Hence $t_{S_i} < T_j + T_{int} = I_j T_{int} + T_0 + T_{int}$. We denote the average network delay from the sender to the receiver by $D_{SR}$ and the average network delay from the receiver to the sender by $D_{RS}$, and hence $RTT = D_{RS} + D_{SR}$.

In the case of direct time synchronization, using the same notation as in section 3.3, $\Delta = \delta + (t_3 - t_R)$ $\delta + D_{RS}$, $t_{R_i} + \delta - t_{S_i}$ $D_{SR}$, and hence we can derive that a tight bound for $d$ to satisfy equation 1 is $d = RTT / T_{int} + 1$, which allows most packets to satisfy the security condition while the receiver does not need to wait much longer than necessary to authenticate the packets. Similarly, in the case of indirect time synchronization, we can derive that a good $d$ is $d = (D_{SR} + \epsilon) / T_{int} + 1$.
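The choice of $d$ and the receiver-side security condition can be checked numerically. The following is an added example, not code from the paper: the function names are hypothetical, times are integer milliseconds, and rounding the quotient up to a whole number of intervals is an assumption of this example.

```python
def ceil_div(a, b):
    """Integer ceiling of a / b (assumed rounding for a whole number of intervals)."""
    return -(-a // b)

def delay_direct(rtt, t_int):
    """Disclosure delay for direct time synchronization: RTT / T_int + 1."""
    return ceil_div(rtt, t_int) + 1

def delay_indirect(d_sr, eps, t_int):
    """Disclosure delay for indirect time synchronization: (D_SR + eps) / T_int + 1."""
    return ceil_div(d_sr + eps, t_int) + 1

def is_safe(t_recv, delta, t0, t_int, interval, d):
    """Security condition: floor((t_Ri + Delta - T_0) / T_int) - I_j < d."""
    latest_sender_interval = (t_recv + delta - t0) // t_int
    return latest_sender_interval - interval < d

def accepted_fraction(d, t_int, t0, d_sr, d_rs, offset, send_offsets, n_intervals):
    """Fraction of packets that pass the security condition under direct sync.

    offset is the true sender-minus-receiver clock difference (delta); the
    receiver only knows the upper bound Delta = delta + D_RS.
    """
    delta = offset + d_rs
    ok = total = 0
    for j in range(n_intervals):
        for off in send_offsets:                # position of the send inside I_j
            t_send = t0 + j * t_int + off       # sender clock
            t_recv = t_send + d_sr - offset     # receiver clock on arrival
            ok += is_safe(t_recv, delta, t0, t_int, j, d)
            total += 1
    return ok / total

# Constructed sample parameters (not measurements).
T_INT, T0, D_SR, D_RS, OFFSET = 100, 1_000_000, 150, 100, 7_000
SEND_OFFSETS = [0, 25, 50, 75, 99]

if __name__ == "__main__":
    d = delay_direct(D_SR + D_RS, T_INT)
    for cand in (d - 2, d - 1, d):
        frac = accepted_fraction(cand, T_INT, T0, D_SR, D_RS, OFFSET, SEND_OFFSETS, 20)
        print(f"d={cand}: {frac:.0%} of packets pass the security condition")
```

With these values the derived delay accepts every packet, while a delay one interval shorter drops the packets sent in the second half of each interval; they are dropped, not accepted unsafely.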



Adrian Perrig
Sun Nov 5 19:29:44 PST 2000