next up previous
Next: Discussion Up: The TESLA Broadcast Authentication Previous: Broadcasting Authenticated Messages

Authentication at Receiver

When a sender discloses a key, all parties potentially have access to that key. An adversary can create a bogus message and forge a MAC using the disclosed key. So as packets arrive, the receiver must verify that their MACs are based on safe keys: a safe key is one that is only known by the sender, and safe packets or safe messages have MACs computed with safe keys.

Receivers must discard any packet that is not safe, because it may have been forged.

We now explain TESLA authentication in detail: A sender sends packet Pj in interval i. When the receiver receives packet Pj, the receiver can use the self-authenticating key Ki-d disclosed in Pj to determine i. It then checks the latest possible time interval x the sender could currently be in (based on the loosely synchronized clock). If x < i+d (recall that d is the key disclosure delay, or number of intervals that the key disclosure is delayed), then the packet is safe. The sender has thus not yet reached the interval where it discloses key Ki, the key that will verify packet Pj.

The receiver cannot yet verify the authenticity of packet Pj sent in interval i. Instead, it adds the triplet ( i, Mj, MAC( K'i, Mj) ) to a buffer, and verifies the authenticity after it learns K'i.

What does a receiver do when it receives the disclosed key Ki? First, it checks whether it already knows Ki or a later key Kj (j>i). If Ki is the latest key received to date, the receiver checks the legitimacy of Ki by verifying, for some earlier key Kv (v<i) that Kv = Fi-v(Ki). The receiver then computes K'i = F'(Ki) and verifies the authenticity of packets of interval i, and of previous intervals if the receiver did not yet receive the keys for these intervals (the receiver can derive them from Ki).

Note that the security of TESLA does not rely on any assumptions on network propagation delay, since each receiver locally determines the packet safety, i.e.whether the sender disclosed the corresponding key. However, if the key disclosure delay is not much longer than the network propagation delay, the receivers will find that the packets are not safe.


next up previous
Next: Discussion Up: The TESLA Broadcast Authentication Previous: Broadcasting Authenticated Messages

Adrian Perrig
Mon Aug 5 22:55:55 PDT 2002