In CryptoBytes, 5:2, Summer/Fall 2002, pp. 2-13
The TESLA Broadcast Authentication Protocol∗
Adrian Perrig Ran Canetti J. D. Tygar Dawn Song
Abstract 1 Introduction
One of the main challenges of securing broad- Broadcast communication is gaining popularity cast communication is source authentication, or for efficient and large-scale data dissemination. enabling receivers of broadcast data to verify Examples of broadcast distribution networks are that the received data really originates from the satellite broadcasts, wireless radio broadcast, or claimed source and was not modified en route. IP multicast. While many broadcast networks can This problem is complicated by mutually un- efficiently distribute data to multiple receivers, trusted receivers and unreliable communication they often also allow a malicious user to imper- environments where the sender does not retrans- sonate the sender and inject broadcast packets — mitlostpackets. we call this a packet injection attack. (Source- Specific Multicast (SSM, EXPRESS) is a no- This article presents the TESLA (Timed table exception, and attempts to prevent this at- Efficient Stream Loss-tolerant Authentication) tack [17, 40].) broadcast authentication protocol, an efficient protocol with low communication and computa- Because malicious packet injection is easy in tion overhead, which scales to large numbers of many broadcast networks, the receivers want to receivers, and tolerates packet loss. TESLA is ensure that the broadcast packets they receive re- based on loose time synchronization between the ally originate from the claimed source. A broad- sender and the receivers. cast authentication protocol enables the receivers to verify that a received packet was really sent by Despite using purely symmetric cryptographic the claimed sender. functions (MAC functions), TESLA achieves asymmetric properties. We discuss a PKI appli- Simply deploying the standard point-to-point cation based purely on TESLA, assuming that all authentication mechanism (i.e., appending a mes- network nodes are loosely time synchronized. sage authentication code (MAC) to each packet, computed using a shared secret key) does not pro- vide secure broadcast authentication. The prob- lem is that any receiver with the secret key can forge data and impersonate the sender. Conse- quently, it is natural to look for solutions based
∗ on asymmetric cryptography to prevent this at- Most of this work was done at UC Berkeley and IBM tack; a digital signature scheme is an example of Research. The authors can be reached at [email protected], [email protected], an asymmetric cryptographic protocol. Indeed, [email protected], [email protected]. signing each data packet provides secure broad- 2 cast authentication; however, it has high over- Another approach to providing broadcast au- head, both in terms of the time required to sign thentication uses only symmetric cryptography, and verify, and in terms of the bandwidth. Several more specifically on message authentication codes schemes were proposed that mitigate this over- (MACs), and is based on delayed disclosure of head by amortizing a single signature over sev- keys by the sender. This technique was indepen- eral packets, e.g., [14, 25, 28, 33, 38, 39]. How- dently discovered by Cheung [8] in the context of ever, none of these schemes is fully satisfactory authenticating link state routing updates. A re- in terms of bandwidth overhead, processing time, lated approach was used in the Guy Fawkes proto- scalability, robustness to denial-of-service attacks, col for interactive unicast communication [1]. In and robustness to packet loss. Even though some the context of multicast streamed data it was pro- schemes amortize a digital signature over multiple posed by several authors [2, 3, 5, 27, 28]. data packets, a serious denial-of-service attack is usually possible where an attacker floods the re- The main idea of TESLA is that the sender at- ceiver with bogus packets supposedly containing taches to each packet a MAC computed with a key a signature. Since signature verification is often k known only to itself. The receiver buffers the computationally expensive, the receiver is over- received packet without being able to authenti- whelmed verifying bogus signatures. cate it. A short while later, the sender discloses k and the receiver is able to authenticate the packet. Researchers proposed information-theoretically Consequently, a single MAC per packet suffices to secure broadcast authentication mechanisms [10, provide broadcast authentication, provided that 11, 12, 13, 20, 34, 35, 36]. These protocols have a the receiver has synchronized its clock with the high overhead in large groups with many receivers. sender ahead of time.
Canetti et al. construct a broadcast authentica- This article is an overview of the TESLA broad- tion protocol based on k different keys to authen- cast authentication protocol. A more detailed de- ticate every message with k different MAC’s [7]. scription is in a forthcoming book [30] and in our Every receiver knows m keys and can hence ver- earlier publications [27, 28]. A standardization ef- ify m MAC’s. The keys are distributed in such fort for TESLA is under way in the Multicast Se- a way that no coalition of w receivers can forge a curity (MSEC) working group of the IETF [26]. packet for a specific receiver. The security of their TESLA is used in a wide variety of applications, scheme depends on the assumption that at most ranging from broadcast authentication in sensor a bounded number (which is on the order of k)of networks [29], to authentication of messages in receivers collude. ad hoc network routing protocols [18].
Boneh, Durfee, and Franklin show that one can- not build a compact collusion resistant broad- 2 Background and Assumptions cast authentication protocol without relying on digital signatures or on time synchronization [4]. TESLA requires that the receivers are loosely time They show that any secure broadcast authenti- synchronized with the sender. In this section, cation protocol with per-packet overhead slightly we review a simple protocol to achieve this time less than the number of receivers can be converted synchronization. TESLA also needs an efficient into a signature scheme. mechanism to authenticate keys at the receiver — we first review one-way chains for this purpose.
3 2.1 One-Way Chains Generate
Many protocols need to commit to a sequence of F (s1) F (s2) F (s−1) F (s) s s ... s s s random values. For this purpose, we repeatedly 0 1 −2 −1 use a one-way hash function to generate a one-way chain. One-way chains are a widely-used crypto- Use / Reveal graphic primitive. One of the first uses of one- Figure 1: One-way chain example. The sender way chains was for one-time passwords by Lam- generates this chain by randomly selecting s and port [21]. Haller later used the same approach for repeatedly applying the one-way function F .The the S/KEY one-time password system [16]. One- sender then reveals the values in the opposite or- way chains are also used in many other applica- der. tions.
Figure 1 shows the one-way chain construction. To generate a chain of length we randomly pick the last element of the chain s . We generate the 2.2 Time Synchronization chain by repeatedly applying a one-way function F . Finally, s0 is a commitment to the entire one- TESLA does not need the strong time synchro- way chain, and we can verify any element of the nization properties that sophisticated time syn- chain through s0, e.g. to verify that element si chronization protocols provide [22, 24, 37], but is indeed the element with index i of the hash only requires loose time synchronization, and that i chain, we check that F (si)=s0. More gener- the receiver knows an upper bound on the sender’s ally, si commits to sj if i