1 / 20

BROADCAST AUTHENTICATION

BROADCAST AUTHENTICATION. TESLA EMMS. What Is Broadcast Authentication?. One sender; multiple receivers All receivers need to authenticate messages from the sender. Challenges in Broadcast Authentication. Can we use symmetric cryptography in the same way as in point-to-point authentication?

cgrandison
Download Presentation

BROADCAST AUTHENTICATION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BROADCAST AUTHENTICATION TESLA EMMS CS/ECE 519/599 -- Adv Applied Cryptography

  2. What Is Broadcast Authentication? • One sender; multiple receivers • All receivers need to authenticate messages from the sender.

  3. Challenges in Broadcast Authentication • Can we use symmetric cryptography in the same way as in point-to-point authentication? • How about public key cryptography? • Effectiveness? • Cost? • Research in broadcast authentication • Reduce the number of public key cryptographic operations

  4. Outline • Two schemes • TESLA • Sender authentication • Strong loss robustness • High scalability • Minimal overhead • (-) Lack of immediate verification • EMSS • Non-repudiation • High loss robustness • Low overhead • (-) Lack of immediate verification

  5. TESLA – Overview • Timed Efficient Stream Loss–tolerant Authentication • Based on timed and delayed release of keys by the sender • High level ideas • Sender commits to a random key K and transmits the commitment to the receivers without revealing it • Sender attaches a MAC to the next packet Pi with K as the MAC key • Sender releases the key in packet Pi+1 and receiver uses this key K to verify Pi

  6. Ki’=F’(Ki) TESLA – Scheme I • Each packet Pi+1 authenticates Pi • Problems? • Security?Robustness?

  7. TESLA – Scheme I (Cont’d ) • If attacker gets Pi +1 before receiver gets Pi, it can forge Pi • Security Condition • ArrTi + t < Ti +1 • Sender’s clock is no more than tseconds ahead of that of the receivers • One simple way: constant data rate • Packet loss not tolerated

  8. TESLA – Scheme II • Generate a sequence of keys {Ki} with one-way function F • Randomly generate Kn • Ki = Fn-i(Kn) • Commitment Ko = Fn (Kn) • Attacker cannot invert F or compute any Kj given Ki, where j>i • Receiver can compute all Kj from Ki, where j < i • Kj = Fi-j (Ki); K’i = F’ (Ki)

  9. TESLA – Scheme II (Cont’d)

  10. TESLA – Scheme III • Remaining problems with Scheme II • Inefficient for fast packet rates • Sender cannot send Pi+1 until all receivers receive Pi • Scheme III • Does not require that sender wait for receiver to get Pibefore it sends Pi+1 • Basic idea: Disclose Ki in Pi+d instead of Pi+1

  11. TESLA – Scheme III (Cont’d) • Disclosure delay d = (tMax + dNMax)r • tMax: maximum clock discrepancy • dNMax: maximum network delay • r: packet rate • Security Condition: • ArrTi + t < Ti+d

  12. TESLA – Scheme IV • Deal with dynamic transmission rates • Idea • Divide time into intervals • Use the same Kito compute the MAC of all packets in the same interval i • All packets in the same interval disclose the key Ki-d • Achieve key disclosure based on intervals rather than on packet indexes

  13. TESLA – Scheme IV (Cont’d)

  14. TESLA – Scheme IV (Cont’d) • Interval index: i = (t – To)/T • Ki’ = F’(Ki) for each packet in interval i • Pj = <Mj, i, Ki-d, MAC(Ki’, Mj, i, Ki-d) >

  15. TESLA – Scheme V • In Scheme IV: • A small d will force remote users to drop packets • A large d will cause unacceptable delay for fast receivers • Scheme V • Use multiple authentication chains with different values of d • Receiver verifies one security condition for each chain Ci, and drops the packet if none is satisfied

  16. TESLA--Immediate Authentication • Mj+vd can be immediately authenticated once packet j is authenticated • Not to be confused with packet j+vd being authenticated

  17. EMSS • Efficient Multichained Streamed Signature • Useful where • Non Repudiation required • Time synchronization may be a problem • Based on signing a small number of special packets in the stream • Each packet linked to a signed packet via multiple hash chains

  18. EMSS – Basic Signature Scheme

  19. EMSS – Basic Signature Scheme (Cont’d) • Sender sends periodic signature packets • Pi is verifiable if there exists a path from Pi to any signature packet Sj

  20. EMSS – Extended Scheme • More resiliency: • Split hash into k chunks, where any k’ chunks are sufficient to allow the receivers to validate the information • Rabin’s Information Dispersal Algorithm • Sosme upper few bits of hash • Requires any k’ out of k packets to arrive • More robust

More Related