When a sender discloses a key, all parties potentially have access to that key. An adversary can create a bogus message and forge a MAC using the disclosed key. So as packets arrive, the receiver must verify that their MACs are based on safe keys: a safe key is one that is only known by the sender, and safe packets or safe messages have MACs computed with safe keys.
Receivers must discard any packet that is not safe, because it may have been forged.
We now explain TESLA authentication in detail: A sender sends packet in interval . When the receiver receives packet , the receiver can use the self-authenticating key disclosed in to determine . It then checks the latest possible time interval the sender could currently be in (based on the loosely synchronized clock). If (recall that is the key disclosure delay, or number of intervals that the key disclosure is delayed), then the packet is safe. The sender has thus not yet reached the interval where it discloses key , the key that will verify packet .
The receiver cannot yet verify the authenticity of packet sent in interval . Instead, it adds the triplet to a buffer, and verifies the authenticity after it learns .
What does a receiver do when it receives the disclosed key ? First, it checks whether it already knows or a later key . If is the latest key received to date, the receiver checks the legitimacy of by verifying, for some earlier key that . The receiver then computes and verifies the authenticity of packets of interval , and of previous intervals if the receiver did not yet receive the keys for these intervals (the receiver can derive them from ).
Note that the security of TESLA does not rely on any assumptions on network propagation delay, since each receiver locally determines the packet safety, i.e.whether the sender disclosed the corresponding key. However, if the key disclosure delay is not much longer than the network propagation delay, the receivers will find that the packets are not safe.