Next: Sender Setup
Up: The TESLA Broadcast Authentication
Previous: The TESLA Broadcast Authentication
We first outline the main ideas behind TESLA.
Broadcast authentication requires a source of asymmetry, such that the receivers
can only verify the authentication information, but not generate valid
authentication information.
TESLA uses time for asymmetry. We assume that
receivers are all loosely time synchronized with the sender -- up to some time
synchronization error , all parties agree on the current time. Here is a
sketch of the basic approach:
- The sender splits time into intervals of uniform duration.
Next, the sender forms a one-way chain of self-authenticating values,
and assigns the values sequentially to the time intervals (one key per time
interval). The one-way chain is used in the reverse order of generation, so
any value of a time interval can be used to derive values of previous time
intervals.
The sender defines a disclosure time for one-way chain values, usually on
the order of a few time intervals. The sender publishes the value after the
disclosure time.
- The sender attaches a MAC to each packet. The MAC is computed over the
contents of the packet. For each packet, the sender determines the time
interval and uses the corresponding value from the one-way chain as a
cryptographic key to compute the MAC. Along with the packet, the sender also
sends the most recent one-way chain value that it can disclose.
- Each receiver that receives the packet performs the following operation.
It knows the schedule for disclosing keys and, since the clocks are loosely
synchronized, can check that the key used to compute the MAC is still secret
by determining that the sender could not have yet reached the time interval
for disclosing it. If the MAC key is still secret, then the receiver buffers
the packet.
- Each receiver also checks that the disclosed key is correct (using
self-authentication and previously released keys) and then checks the
correctness of the MAC of buffered packets that were sent in the time interval
of the disclosed key. If the MAC is correct, the receiver accepts the packet.

One-way chains have the property that if intermediate values of the one-way
chain are lost, they can be recomputed using later values. So, even if some
disclosed keys are lost, a receiver can recover the key chain and check the
correctness of packets.
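
The sketch above as a small runnable model, added here as an illustration and not taken from the TESLA authors' code. It assumes SHA-256 as the one-way function and HMAC-SHA-256 as the MAC, uses the chain value directly as the MAC key as the sketch describes, and all names and constants (`T_INT`, `D`, `SYNC_ERR`, `Receiver`, and so on) are hypothetical.

```python
import hashlib
import hmac

T_INT, D, SYNC_ERR = 1.0, 2, 0.3  # assumed: interval length (s), disclosure delay (intervals), sync error (s)

def H(k):  # assumed one-way function
    return hashlib.sha256(k).digest()

def mac(k, m):  # assumed MAC
    return hmac.new(k, m, hashlib.sha256).digest()

def make_chain(seed, n):
    """Return K[0..n] with K[i] = H(K[i+1]); K[n] is the seed, K[0] the commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]  # used in the reverse order of generation

def send(chain, i, msg):
    """Packet for interval i: MAC under K[i] plus the newest disclosable key K[i-D]."""
    disclosed = (i - D, chain[i - D]) if i > D else None
    return {"i": i, "msg": msg, "mac": mac(chain[i], msg), "disclosed": disclosed}

class Receiver:
    def __init__(self, commitment):
        self.known = (0, commitment)  # last authenticated (interval, key); K[0] from bootstrap
        self.buffer, self.accepted = [], []

    def key_for(self, j, idx, k):
        """Derive the key of interval j from the key k of a later interval idx."""
        for _ in range(idx - j):
            k = H(k)
        return k

    def receive(self, pkt, local_time):
        # The sender's clock is at most local_time + SYNC_ERR. Buffer the packet only
        # if, even at that bound, the sender has not reached interval i + D (K[i] secret).
        if int((local_time + SYNC_ERR) // T_INT) < pkt["i"] + D:
            self.buffer.append(pkt)
        if pkt["disclosed"]:
            idx, k = pkt["disclosed"]  # self-authentication against an earlier key
            if idx > self.known[0] and self.key_for(self.known[0], idx, k) == self.known[1]:
                self.known = (idx, k)
        for p in [p for p in self.buffer if p["i"] <= self.known[0]]:
            self.buffer.remove(p)
            k = self.key_for(p["i"], *self.known)  # recovers keys whose disclosure was lost
            if hmac.compare_digest(mac(k, p["msg"]), p["mac"]):
                self.accepted.append(p["msg"])
```

A packet that arrives after its key could already have been disclosed is never buffered, so an attacker who has learned the disclosed key cannot get a forged MAC accepted.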

The sender distributes a stream of messages , and the sender sends each
message in a network packet along with authentication information.
The broadcast channel may be lossy, but the sender does not retransmit lost
packets. Despite packet loss, each receiver needs to authenticate all the
messages it receives.

We now describe the stages of the basic TESLA protocol in this order: sender
setup, receiver bootstrap, sender transmission of authenticated broadcast
messages, and receiver authentication of broadcast messages.

Adrian Perrig
Mon Aug 5 22:55:55 PDT 2002