Efficient and Secure Source Authentication for Multicast 報告者 : 李宗穎 Proceedings of the Internet Society Network and Distributed System Security Symposium (NDSS 2001), February 2001, pp Adrian Perrig, Ran Canetti, Dawn Song and J. D. Tygar

Outline Problem other receivers of the data are not trusted lost packets are not retransmitted Solve scheme authentication packet the received data originated with the claimed source and was not modified enroute

An Overview of TESLA Low space overhead based on symmetric-key cryptography (about 20bytes per packet) Tolerate arbitrary packet loss Each packet that is received in time can be authenticated

Sender Setup In each interval, the sender may send zero or multiple packets K i = F(K i+1 ) T int : each time intervals T i : starting time of interval I i T i =T 0 +i*T int

Sending Authenticated Packets Many messages are sent in each interval This allows the sender to send packets at any rate and to adapt the sending rate dynamically MjMj MAC(K ’ i, M j )K i-d Disclosure delay = 2 intervals

TESLA Extensions Immediate authentication Optimizations concerning key chains Time synchronization issues

Immediate Authentication replace receiver buffering with sender buffering (avoid DoS attack) To achieve flexibility for dynamic sending rate and robustness to packet loss, the sender can add the hash values of multiple future packets to a packet H(M j+vd )MjMj DjDj

Concurrent TESLA instances - 1 receivers with a long network delay could not operate with a short disclosure delay because most of the packets will violate the security condition and hence cannot be authenticated Using extra TESLA instance also causes extra space overhead in each packet (each instance requires 20 bytes per packet)

Concurrent TESLA instances - 2 use the same key chain but a different key schedule for all instances K u i+du = HMAC (K i+du, u)

Direct Time Synchronization the receiver knows an upper bound of the difference between the sender’s local time and the receiver’s local time △ t S - t 3 = δ △ = t S - t R

Indirect Time Synchronization The sender just needs to periodically broadcast digitally signed packets that contain its time synchronization with the time reference

Determining the Key Disclosure Delay Loosely bound d = ceil (RTT/T int ) + 1 Time Synchronization (tightly bound) d = ceil (D SR + ε) + 1

DoS Attack on the Sender/Receiver Indirect Time Synchronization sender does not keep per-receiver state or perform per-receiver operations DoS attacks on the receiver A duplicated packet is only accepted by the receiver within a short time period prevent the replay attack by adding a sequence number to each packet and by including the sequence number in the MAC

DoS Attack on the packet buffer Dropping all packets of a particular interval once the buffer is full is a poor policy the receiver uses a random replacement policy once the buffer is full

Conclusion The extensions TESLA protocol provide immediate authentication reduce the communication overhead when multiple TESLA instances derive a tight lower bound on the disclosure delay Harden the sender and the receiver against denial-ofservice attacks