- Research Article
- Open Access
Energy-Efficient Source Authentication for Secure Group Communication with Low-Powered Smart Devices in Hybrid Wireless/Satellite Networks
© A. Roy-Chowdhury and J. S. Baras. 2011
- Received: 1 June 2010
- Accepted: 14 September 2010
- Published: 28 September 2010
We describe a new class of lightweight, symmetric-key digital certificates called extended TESLA certificates and a source authentication protocol for wireless group communication that is based on the certificate. The certificate binds the identity of a wireless smart device to the anchor element of its key chain; keys from the chain are used for computing message authentication codes (MACs) on messages sourced by the device. The authentication protocol requires a centralized infrastructure in the network: we describe the protocol in a hybrid wireless network with a satellite overlay interconnecting the wireless devices. The satellite is used as the Certificate Authority (CA) and also acts as the proxy for the senders in disclosing the MAC keys to the receivers. We also design a probabilistic nonrepudiation mechanism that utilizes the satellite's role as the CA and sender proxy. Through analysis, we show that the authentication protocol is secure against malicious adversaries. We also present detailed simulation results that demonstrate that the proposed protocol is much cheaper than traditional public key-based authentication technologies for metrics like processing delay, storage requirements, and energy consumption of the smart devices.
- Malicious Node
- Authentication Protocol
- Certificate Authority
- Smart Device
- Hybrid Network
Large networks of mobile wireless devices have the ability to provide rapid connectivity in disaster areas or military battlefields, or to interconnect users in far-flung geographical locations. However, present limitations on performance, robustness, and security issues have delayed the adoption of such networks. In , we have shown that the addition of a satellite overlay to such wireless networks can lead to a great improvement in the network performance. We term this network architecture a hybrid network, which has wireless smart devices in terrestrial clusters with dual satellite connectivity providing alternate high-bandwidth and robust forwarding paths through satellite links.
Security is a necessary parameter in hybrid wireless networks if the communication between a pair of smart devices (henceforth also referred to as network nodes interchangeably), or a group of devices, is to be protected from unauthorized access. Due to the open nature of the wireless channel, intruders can eavesdrop on the communication between other nodes if the messages are sent in the clear; they can inject fake messages into the network, purporting to come from other nodes, or attempt to modify or delete messages between other nodes. Therefore, strong security mechanisms to prevent such attacks are important, especially for scenarios like military operations where hybrid networks can be of great use.
Many envisioned applications for hybrid networks are collaborative in nature, and it is necessary to ensure that routing control messages and the application data between communicating devices or nodes are properly authenticated to enable communication. In this work we therefore focus on source authentication and associated message integrity protocols to facilitate secure communication between groups of wireless smart devices in the field. These security mechanisms are required to prevent attacks against the network protocols and thereby ensure their correct and robust operation.
Authentication in group communication is traditionally based on asymmetric techniques such as public key-based digital signatures that are appended to the messages . This requires universal access to a trusted Certificate Authority (CA) to generate the certificate binding a node's identity to its public key. Digital signatures also provide nonrepudiation—a noncompromised node cannot deny later that it generated a message that has been signed using its private key.
Public key-based authentication is however computationally very expensive (both in CPU cycles and energy expenditure) to generate digital signatures for messages, and also to verify them [3–6]. The public and private keys are larger in size compared to symmetric keys (e.g., 2048-bit RSA public key against 112-bit equivalent symmetric key ); the certificates can also take up significant storage space (e.g., X.509 certificate with 1024-bit RSA key is 1 kilobytes while PGP certificate is 1024 bits). In wireless networks where many devices/nodes might have resource constraints, public key cryptography can become a drawback. For example, handheld wireless devices in hybrid networks can have limited processor power, limited storage capacity, and limited available energy supplied by a battery. Performing digital signature generation and verification frequently will consume significant processor capacity and drain the battery quickly. Therefore in hybrid wireless networks it is preferable to use authentication protocols that are based on symmetric cryptography, which expend less node energy. However, designing authentication protocols for group communication using symmetric cryptography is a significant challenge. The primary difficulty is how to create the asymmetry such that each participant has a unique secret with which to authenticate its messages, while allowing all the receivers the capability for validation.
The problem, therefore, is to design an asymmetric source authentication protocol for group communication with resource-constrained devices, that is efficient in terms of energy needs. As a solution to this problem, we propose a digital certificate construct that uses symmetric cryptographic primitives to achieve asymmetric authentication. The certificate is based on a new class of certificates called TESLA Certificate. The TESLA certificate concept was originally proposed in . We modify and enhance the original TESLA certificate design and apply the new certificate to hybrid wireless networks to propose an energy-efficient source authentication protocol for nodes in group communication that takes advantage of the centralized infrastructure present in the network, which is the satellite overlay in this particular example of the hybrid network. In the proposed protocol, source authentication using TESLA certificate is based on MAC computation using keyed hash functions, with delayed disclosure of the key by the Certificate Authority (CA), to achieve the asymmetry required for authentication. Due to the use of MACs to generate and verify certificates, the scheme is fast, has low processing overhead, and consumes much less energy than digital signature algorithms. It also avoids the assumption that the user nodes have some sort of security association established a priori, as many other protocols assume. Using the centralized satellite infrastructure, we also design a probabilistic nonrepudiation algorithm for the source authentication protocol.
We refer to our proposed modifications to the TESLA certificate, as the extended TESLA certificate. The extended TESLA certificate and the source authentication protocol that is based on it, have been described briefly in , while the proposed nonrepudiation algorithm has appeared in . In this paper, we provide an integrated and more extensively detailed description of the proposed algorithms, and add the previously unreported algorithm for key disclosure delay. We also provide more in-depth evaluation of the proposed design, including a detailed security analysis of the proposed protocol and extensive simulation results with detailed analyses. The simulation results demonstrate how much energy efficient the protocol is, in comparison to public key based technologies.
The rest of this paper is organized as follows. We review related work in source authentication algorithms for group communication in Section 2. In Section 3, we describe the TESLA broadcast authentication protocol on which the TESLA certificate is based. The original TESLA certificate algorithm is reviewed in Section 4. We describe our modifications to the original TESLA certificate, and the source authentication protocol based on the extended certificate, in Section 5. The associated probabilistic nonrepudiation protocol is described in Section 6. Security analysis of the proposed protocol is in Section 7. Performance analysis of the authentication protocol is given in Section 8, along with detailed simulation results. We conclude with a brief discussion in Section 9.
There has been significant research on efficient multicast source authentication algorithms based on symmetric cryptography that attempt to minimize the computation expense of the devices. In the following paragraphs we highlight some of the better known proposals.
Canetti et al.  proposed one of the early solutions to use symmetric MACs for multicast source authentication. In their scheme, the source has keys and computes MACs on each packet. Each recipient holds a subset of the keys, and verifies the MAC according to the keys it holds. The authentication protocol has probabilistic security—the choice of key subsets held by each recipient is critical in insuring that with high probability no coalition of up to colluding members know all the keys held by a good member (where is the security parameter), and thus maintaining the security of the scheme. The scheme also requires the multicast group members to store a large number of keys.
Gennaro and Rohatgi  have proposed a method known as stream signing, where one regular digital signature is transmitted at the beginning of a stream, and each packet either contains a cryptographic hash of the next packet, or a one-time public key using which the one-time signature on the next packet can be verified. However, this approach requires reliable packet transmission, since the loss of even one packet means that the information required to authenticate future packets will be lost. For most multicast protocols, such reliability cannot be guaranteed, since the transmission protocol is UDP, which is best effort.
Wong and Lam  have proposed an approach where the source is allowed to delay and group together several consecutive packets. The source collects the packets in a time interval into an authentication tree and signs the root of the tree. The root signature and hash information on the nodes of the tree are included in each transmitted packet. The signing and verification operations are thus amortized over many packets, and the protocol operations are one to two orders of magnitude faster compared to individual packet signatures.
Rohatgi has proposed a hybrid scheme  using offline/online signature generation scheme for creating -time public/private key pairs so that the cost of signature generation can be amortized over signatures. The size of the keys is reduced by using hash functions with target collision resistance. The size overhead of the proposed scheme is however still considerable on a per-packet basis (of the order of 300 bytes per packet).
Anderson et al. have proposed the Guy Fawkes protocol in , which achieves source authentication using a small number of hash computations. In this protocol, the source selects a series of one-time secrets ; the source commits to in message and reveals it in message . The commitment for has the form , while the first secret is committed by some external mechanism such as a conventional digital signature. In the Guy Fawkes protocol, the secrets are not related to one another, and the authentication mechanism cannot tolerate packet losses—if a commitment is lost, the corresponding secret cannot be authenticated.
Perrig has proposed a broadcast authentication scheme named BiBa  which exploits the birthday paradox in trying to find two or more colliding hash computations on a given message, where the hash values are computed using a set of self-authenticating values (SEALs) . The two or more SEALs for which the hash on the message collide form the signature. The scheme exploits the asymmetric property that the source has more SEALs than the adversary, and hence it can easily generate the BiBa signature with high probability. However, the adversary only knows the few SEALs disclosed by the source, and hence has a low probability of forging a valid BiBa signature. The algorithm is probabilistic in nature in the signature generation, and has a significant computation overhead at the source to find a valid signature. Also, the probability of an adversary to forge a signature increases with time as more and more SEALs are disclosed by the source.
As the description in the following sections make clear, our proposed authentication algorithm differs significantly from the ones highlighted in this section. We introduce a new type of certificate, which none of the above attempt to do. The most closely related existing work in this regard is the initial work on TESLA certificates by Bohge and Trappe , which we describe separately in Section 4, due to its relation to our design. Also unlike the aforementioned algorithms, our design uses time to provide the asymmetry which makes the individual source authentication in groups possible. The use of time is due to the underlying TESLA broadcast authentication protocol [17, 18], which is reviewed in Section 3.
Some of the related work described in this section uses public key-based digital signatures for most authentication, with the cost of signature processing amortized over several packets. In contrast, our protocol does not need public key-based digital signatures, except for the initial bootstrapping phase. In addition, our design is robust to packet losses during transmission such that the authentication of individual packets are not dependent on reliable reception of previous or future packets in the transmission. Moreover, the receivers have to process only one MAC per packet for authentication, where the MAC is computed only on the contents of the associated packet. Either of the former two cannot be claimed of some of the protocols described earlier.
The TESLA broadcast authentication protocol [17, 18] achieves asymmetric authentication between a source and receivers through the use of symmetric cryptographic MAC functions. The asymmetry is obtained through the delayed disclosure of the authentication keys.
The sender uses the keys in the reverse order of their generation, that is, starting with in interval 1, followed by in interval 2, and so on. Owing to the one-way property of and , it is computationally infeasible for any node to generate knowing , or to generate knowing .
For each packet generated in time slot , the source uses the authentication key to compute a MAC on the packet. When a node receives a packet, it first checks whether the packet is fresh, that is, it was sent in a time interval whose corresponding TESLA key has not been disclosed. Each receiver discards any packet that does not meet the security criterion, and buffers only the packets that satisfy the freshness condition. The receiver cannot authenticate the packets immediately since it does not know the corresponding key . The sender discloses the key at a later instant in time by broadcasting the corresponding key seed . Upon receiving , each receiver first verifies the authenticity of by checking (and therefore ultimately verifying against the anchor element which has already been authenticated). If verifies correctly, each receiver can compute and subsequently use the computed to verify the MAC on the packets received during interval .
Once is disclosed, any node with knowledge of can compute and attempt to masquerade as the sender by forging MACs using . Therefore, is used to compute MACs on packets generated only during the interval . is disclosed only time slots after so that no malicious node can compute and forge packets in the intervening period. is computed based on the maximum network delay from the source to all the receivers. This is the principle of delayed disclosure of keys.
The above is a basic description of TESLA. The algorithm has several enhancements to mitigate various drawbacks; they are described in .
is known only to the CA and during period , while is known only to the CA. indicates the time at which the CA will disclose to the nodes, that is, it is the expiration time of the certificate. The CA sends to along with , which is encrypted with key that is shared between the CA and .
When receives the authentication message, it checks the timestamp of to make sure it has arrived before time . If the certificate is "fresh", buffers the authentication packet. At time , the CA discloses . Upon receiving the key, verifies by checking the MAC in the certificate using . If the MAC verifies correctly, obtains from the certificate by decrypting with . Subsequently, checks to verify the authenticity of . Therefore, is able to verify the identity of only if it receives before . Once the CA discloses its TESLA key , any node could forge a certificate for the time interval .
The TESLA certificate algorithm described above allows a node to add authentication to packets for a single period in time. Therefore, a source node that transmits for multiple time intervals will need several TESLA certificates from the CA. If there are many sources that send data over long intervals, this can add up to a substantial overhead.
The authors describe an application of TESLA certificates for authentication in hierarchical ad hoc sensor networks in . The focus of the work is on authentication between sensor nodes and the base stations/applications, that is, point-to-point authentication between nodes of varying capabilities. The paper does not address authentication between peer nodes, or authentication in group communication.
We extend the original TESLA certificate design and propose a new source authentication protocol based on the extended TESLA certificate, by incorporating the following primary modifications:
we extend the lifetime of the TESLA certificate from single use to multiple uses;
we allow disclosure of source TESLA keys via proxy;
we add a probabilistic nonrepudiation mechanism to the source authentication protocol.
A detailed description of the extended TESLA certificate and the source authentication protocol are given in the following sections. We start with a statement of the assumptions that we have made for our solution.
5.1. Network Requirements and Security Assumptions
The extended TESLA certificate implementation requires the presence of a Certificate Authority (CA) to generate the certificates. In our source authentication algorithm, the CA broadcasts the TESLA keys of the source nodes to the network at periodic key disclosure intervals. In the exemplary hybrid network topology discussed in this paper, we use the satellite for providing the services of the CA. The reasons for using the satellite as the CA are as follows.
The satellite is a network node that is always available, connected to the entire network, and is physically secure.
The satellite has higher computing power with on-board processing capability and higher storage compared to terrestrial wireless nodes.
The energy available to the satellite is renewable via solar power. Therefore the satellite can perform intensive security and network operations without the risk of draining its energy.
Therefore the presence of the satellite allows the implementation of efficient and secure centralized authentication protocols that would have been difficult to implement in terrestrial wireless networks without comparable centralized infrastructure. Hence we consider the satellite as the root CA in our authentication protocol design and assume that it is trusted by all other nodes in the network. In the proposed source authentication protocol, the satellite generates the TESLA certificates for all the terrestrial user nodes, and it acts as the proxy for the terrestrial nodes for disclosing the TESLA MAC keys used by the nodes for authentication and message integrity—instead of the source node, the satellite broadcasts the TESLA keys to the network at regular time intervals. Therefore the TESLA keys reach all the user nodes in one broadcast transmission. This saves the delay in TESLA authentication, and reduces the processing load on the source nodes, and also the network transmission overhead.
In order to describe the operation of the authentication protocol, let us consider, without loss of generality, a group of three wireless nodes , , and , where sends messages to and . Our objective is to design an authentication mechanism that allows and to securely authenticate messages from using a computationally efficient algorithm that expends low node energy. We make the following assumptions about the initial security setup of the network for authentication purposes:
all three nodes have limited energy and processing power, and none has any pre-existing security information about the others;
the public key of the CA is available to all nodes;
all nodes are time-synchronized with the CA;
appropriate security policies are in place to allow each node to securely identify itself to the CA during the initial bootstrapping phase, and each node shares a unique secret key with the CA;
one-way functions and  are publicly available;
message transmission from to and start at time ;
time is divided into intervals, each of duration .
The three-user network above can be extended to larger networks with multiple sources and receivers; the extended TESLA certificate and the source authentication protocol described in the following sections would be equally applicable to the larger networks.
5.2. Initial Setup: Key Generation by CA and Source Node
At the time of the initial setup, before any messages are transmitted in the network, the CA and all sources generate the keys that each will need for message authentication. The sets of keys are generated using the TESLA algorithm.
where is equal to the number of unique MAC keys that the CA expects to use for authenticating the certificates and messages it generates during its operational lifetime. The value depends on the length of each time interval and the total duration that the CA node will perform the function of the CA. We assume that in each time interval, the CA uses only one key for computing the MACs on all the messages it generates in that time interval. Therefore, if the CA's operational lifetime is and the interval for key disclosure is , we have .
It is not necessary that (and hence, ) are associated with the entire lifetime of the CA. could be a duration that is less than the CA operational life. When time has elapsed, and the CA has disclosed , the CA can start with a new hash chain with starting element corresponding to a new duration and a new disclosure interval (which can be the same as ). The CA will have to broadcast the anchor element of the new chain to the network in the manner described in (5), or the new chain can be generated such that one can securely derive from the new one. We describe the rest of the algorithms assuming that is equal to the CA lifetime, since this is not central to the algorithm development.
The anchor element itself is authenticated using traditional public key cryptography: the CA generates a signature on the message containing the anchor element and broadcast the message with the signature. All network nodes receiving the broadcasts message verify the signature on the message using the public key of the CA. If the signature is verified, the nodes store in local memory the key along with the broadcast message.
Here is equal to the number of unique MAC keys that expects to use for authenticating its messages. The value depends on the length of each time interval and the total duration of 's transmission. We assume that in each time interval , a source uses only one key for computing the MACs on all the messages it generates in that time interval Therefore, if the total time of 's transmission is , we have .
At time , sends , to the CA, along with details on 's key disclosure interval. The message from to the CA is secured using the shared secret between and the . The CA can obtain all the elements of 's TESLA key chain from and , as in (3).
5.3. Extended TESLA Certificate
Here is the key disclosure delay for the CA TESLA signature key.
5.4. Message Transmission from Source to Receiver
Each of and checks the freshness of the certificate by checking the timestamp of to make sure it has arrived within the period . The receivers also check that is not publicly known, that is, cannot yet be computed by them. If all the checks pass, and store in their respective buffers, else they discard the message.
Checking the timestamp on is critical for the security of the algorithm. Once the CA discloses at time , any node in the network can create a fake certificate with timestamp , allegedly generated by the CA, similar to (7). Therefore receivers will only accept certificates for which the CA TESLA key has not been disclosed at the time of receiving the certificate.
5.5. Message Authentication at Receiver
Otherwise, or can verify from the signature using . If verification is successful, each receiver derives from (4) and uses to verify the MAC on . If the MAC is correct, receiver obtains from by decrypting with . obtains from (6). Then checks using and accepts if the MAC verifies correctly. saves and the anchor element of s key chain in long-term memory—they are used for authenticating future keys and messages from .
where has been verified before using . does not need to check CA's signature to verify .
Thus messages from to and can be authenticated. The source authentication protocol requires that perform one signature verification to verify the certificate it receives from the CA (7). Each receiver also performs one signature verification on the anchor element broadcast message from the CA (5). Since is not a receiver, it does not need the verification in (5). All other messages from the CA and the sources can be authenticated using low-computation symmetric MACs. Moreover, sources and receivers do not have to perform clock synchronization directly with one another, synchronizing with the CA is a necessary and sufficient condition for the protocol. This saves additional message rounds and protocol complexity and also breaks the cyclical dependency between authentication and clock synchronization.
5.6. Certificate Revocation
The receiver buffers the message and waits for the CA to disclose at time . The traffic received from in the intermediate period is also buffered, awaiting the verification of the revocation message, due to the possibility that the revocation message might be a fake. At time , the CA broadcasts to the network. can verify the authenticity of from (14) and thus validate the revocation message. If the revocation message is correctly verified, the receiver discards the buffered messages from and adds the sender to the revoked users list.
where the REVOKE field will contain the TESLA certificates to be revoked, the MAC is computed on the revoked certificates and the signature verifies for nodes that might need the verification (instead of verifying using (14)).
Equation (16) implies that the revocation list is sent out at regular intervals with the key disclosure message. The revocation list will contain only those revoked certificates that are otherwise unexpired. Therefore revocation lists in multiple messages might repeat revoked certificates. This helps to make the revocation messages resilient to random channel losses of CA messages.
5.7. Key Disclosure Delay
5.7.1. Time Synchronization
The time synchronization algorithm works as follows.
At periodic intervals, the CA broadcasts its local time to the network, authenticated with a digital signature. As shown in Figure 4, let the local times at that instant at a terrestrial source node and receiver node be and , respectively.
- (2)Sender receives the CA time broadcast at its local time . The sender computes the maximum difference in time from the CA as
- (3)Receiver receives the CA time broadcast at its local time . The receiver computes the maximum difference in time from the CA as
If and are well synchronized with the CA: .
5.7.2. Computation of the Key Disclosure Delay
The key disclosure delay is a critical parameter affecting both the security and the performance of the proposed protocol. It depends on the duration of each time interval and the network propagation delay from the sources to the receivers. As is shown below, if the message transmission from the sources to the receivers happens exclusively over the satellite links, then the key disclosure delay depends only on and the satellite link propagation delay, which is known and fixed.
where and are the propagation delay from the CA to the receiver and the time synchronization error at , respectively, as explained in Section 5.7 and shown in Figure 4
where is the time synchronization error for .
Nonrepudiation is not provided by the TESLA authentication algorithm  or the original TESLA certificate proposal . The symmetric nature of the basic cryptographic primitive used here—MACs—does not allow for nonrepudiation. Once the hash key for a particular MAC is disclosed, any group member would be able to generate the MAC for the given message. Therefore, at a later instant in time, it is impossible to prove that the message was generated by a particular source. The lack of nonrepudiation is a major drawback of the previous TESLA-based source authentication algorithms, compared to public key-based authentication.
In our extended TESLA certificate algorithm, we propose to add nonrepudiation by taking advantage of the satellite infrastructure and the proposed mechanism of key disclosure by proxy. This is achieved as follows.
The source authenticates each message by two or more MACs, computed using keys from two or more key chains, respectively. The root key of each chain is shared between the source and the CA (the satellite) as described in Section 5.2, and the anchor elements of all the key chains used by the source is included in the extended TESLA certificate for that source. The source includes all the MACs with each message transmission. Each receiver buffers the message along with all the MACs if the basic security check is satisfied, as described in the protocol in Section 5.5. At the time of key disclosure, the CA broadcasts only one of the MAC keys out of the set of MAC keys for the given source and message. Each receiver verifies the single MAC associated with the key broadcast by the CA, and accepts the message as correct if the MAC is verified. If any receiver wants to be able to check the message for nonrepudiation at a later time instant, it saves the message along with all its MACs.
The MAC key that is disclosed by the CA is chosen at every disclosure instant, with uniform probability from the set of available keys for that time interval. Therefore, the source cannot know in advance, with a high degree of probability, which key will be used by the receivers for authentication. Hence, if the source would like its messages to be accepted by the receivers, it will have to include all the MACs correctly computed with the corresponding keys.
If at a later instant in time, a receiver would like to prove that a message was indeed generated by the source (i.e., nonrepudiation), the receiver can simply send a nonrepudiation request to the CA. Upon receiving the request, the CA discloses one of the previously undisclosed MAC keys for the message in question. The receiver can compute the MAC for the message with the newly disclosed key and compare the MAC with the set of MACs it had saved previously. If the CA and the receiver operates correctly, the newly computed MAC will match one of the saved MACs. Since (i) the undisclosed MAC keys were known only to the source and the CA, and (ii) the CA is universally trusted, therefore the saved MAC must have been computed by the source using its MAC key and hence the message must have been generated by the source. Thus nonrepudiation is achieved.
The security of the above algorithm is proportional to the number of MACs included with each message. For two MACs per message, the probability of a particular key being disclosed by the CA is 0.5. We term this probability the -factor, where is acronym for repudiation. It is computed as the inverse of the number of MACs included with each message. A nonconforming source which includes only one correctly computed MAC with its message in order to avoid nonrepudiation, can expect the message to be accepted by the receivers only with 50% probability. If four MACs are included with every message, the -factor is to 0.25, and so on. There is hence a tradeoff between the strength of the nonrepudiation algorithm and the security overhead per message in terms of number of MACs involved. There is also the processing overhead at the source since its node has to compute , number of MACs per message where .
The number of MACs per message also affects the security of the algorithm in the context of the receivers. If there are two MACs per message, the nonrepudiation mechanism will be successful for the request from one receiver. For any subsequent request from other receivers for that particular message, nonrepudiation will fail since both MAC keys are now known to the receivers. The number of successful nonrepudiation requests for a given message is therefore directly proportional to the number of MACs per message. This drawback can be solved by modifying the protocol steps for nonrepudiation. Instead of sending a request for an undisclosed key, the receiver can send the entire message along with the saved MACs, to the CA. The CA itself will compute the MACs on the message with any one of the undisclosed keys and compare with the saved MACs sent by the receiver. Since the undisclosed keys are known only to the CA and the source, in the event of a match, the CA can confirm to the receiver that the message was indeed generated by the source. The security of this mechanism depends only on the amount of trust placed on the CA and is independent of the number of MACs per message. The tradeoff is the additional load on the CA and the network overhead in transmission of the message with the MACs, to the CA.
The source authentication protocol based on the extended TESLA certificate is resistant to active attacks by malicious nodes in the network. In the following sections we discuss the security provided by the protocol against specific active attacks. In our analysis, we assume that the CA is always secure, since compromise of the CA is a single point of failure for security in the network.
7.1. Malicious Node with Connectivity to Source and Receiver
We consider the case where a malicious node attempts to create fake packets from a source to the receiver(s). Without loss of generality, we consider one source is sending data to one receiver , the data being authenticated using the proposed source authentication protocol. We assume that can hear packet transmissions from , and can also transmit to . can also receive the broadcast messages from the CA. Therefore, shortly after time , has knowledge of , message from to , broadcast by the CA, and from the certificate. can verify that belongs to the authentication hash chain of by performing the verification procedure. Having obtained a verified element of s authentication chain, can attempt to spoof messages as coming from , starting at time , where . To achieve this, needs to generate from where . Due to the one-way property of , this is computationally infeasible for and is of complexity , where each element of the hash chain is bits and is assumed to be large (for example, is 160 bits for SHA-1 HMAC ). Without a valid , it would be impossible for to spoof a message that would be successfully authenticated by .
X could also attempt to spoof packets from at any time between . This would require that successfully generates an element of s hash chain without knowledge of any legitimate element of the hash chain. This has the same computational complexity of and is computationally infeasible for any with finite resources.
A third approach attempt would be to generate an independent hash chain that produces the hash value that is computationally indistinguishable from . This would allow to use element of its own hash chain to authenticate messages purportedly generated by . However, this is computationally infeasible due to the collision-resistance property of and .
Failing any attack on s hash chain as above, could attempt to masquerade as the CA and generate a fake certificate for A as in (7), and also generate fake CA key disclosure broadcast message similar to (10). However, unless knows the CA private key , it will not be able to correctly sign the fake , and therefore the fake certificate will be rejected by . Likewise, the fake CA broadcast message from will be rejected by the receivers unless the signature in the message is verified as correct using . As per our assumption of the security of the CA, is known only to the correct CA, and therefore would not be successful in this attack.
could attempt to fake CA key disclosure messages subsequent to (10), but (a) the fake hash element will not verify successfully to the anchor element and (b) this does not allow to fake elements of s hash chain.
7.2. Attack on the CA Revocation Messages
A malicious node in the network can attempt to broadcast fake revocation messages, similar to (15), and thereby attempt to disqualify legitimate sources in the network. To generate a fake revocation message that will be successfully accepted by the receivers, should be able to compute a MAC on the fake revocation message using the key , with knowledge of at most the key , where . Using reasoning similar to the previous section, owing to the one-way property of , this has computational complexity and is infeasible for . At most, can trick the receivers in buffering the fake revocation message, till the next message disclosure from the CA, when the MAC on the fake message will not verify correctly using the recently disclosed (correct) , and therefore be discarded.
Therefore, the source authentication protocol based on the extended TESLA certificate approach is secure against message spoofing attacks by malicious nodes in the network.
7.3. Signal Jamming Attacks
Adversarial nodes can attempt to prevent the successful transmission of protocol messages by jamming the channel with unwanted signals. This is a physical layer attack and not an attack against the authentication algorithms per se. Methods to achieve resiliency against such attacks are ideally the domain of the physical and link layer algorithms, for example, spreading algorithms and acknowledgment-retransmission algorithms, amongst other measures.
For the hybrid network architecture described in this work, a large network-wide signal corruption is mostly infeasible, due to the vast footprint of the satellite. Channel losses are localized to small regions at any given time; the satellite physical and link layer protocols incorporate sufficient mechanisms to recover from such losses.
At the same time, the proposed authentication algorithm is robust to random channel losses of protocol messages.
Authentication of any individual packet is independent of authentication of prior packets. If the source key disclosure message containing the keys for a set of buffered packets, is lost due to channel errors, then only that set of buffered packets cannot be authenticated; it does not affect packets whose MAC keys are not in the lost disclosure message.
If a certificate revocation message (associated with the CA key disclosure message) is lost due to channel errors, the receivers will not be aware of any newly revoked certificate that is contained in the lost message. Consequently the packets from the corresponding source will continue to be treated as valid, till the next revocation message is received, or the certificate expires, whichever is earlier.
We have run simulations of the proposed source authentication protocol to analyze the demands the protocol can make of node resources, and also to compare it with public key-based authentication protocols. For our performance analysis, we consider that all security protocol and data messages from the source to the receivers are sent over the satellite channel where the satellite is in Ka-band and geostationary orbit. Therefore, the one-way satellite propagation delay is of the order of 130 ms and the terrestrial propagation delays from the group nodes to the local gateways are negligible in comparison. Moreover, the satellite uplink bandwidth is much less in comparison to the satellite downlink bandwidth and usually also lower than the terrestrial wireless bandwidth (assuming the wireless MAC protocol is IEEE 802.11). By our assumption, all data has to traverse the satellite uplink and hence we limit the overall network bandwidth to be equivalent to the satellite uplink bandwidth. In the following analyses, the uplink bandwidth is varied between 64 Kbps and 10 Mbps.
8.1. Size of the Buffer at the Receivers
In theory, the receiver buffer size depends on the time interval of key use (since the key disclosure delay is a function of that) and the network bandwidth. As Figure 6 shows, the buffer size varies little with the key disclosure delay since it is limited to a narrow range by the network propagation delay. However, the buffer size is significantly affected by the rate at which data is received—for higher rates, larger buffer is required. Even so, the buffer requirement is only in the order of hundreds of kilobytes, which is a small fraction of the memory present in wireless smart devices today.
8.2. Comparison of the Certificate Size
The size of the TESLA certificate and the MACs computed on each message, compare favorably to digital certificates and signatures used in public key-based cryptography. If the MAC algorithm is based on SHA-1 , the key used is 160 bits. For a TESLA certificate with fields as shown in 2, the certificate size is computed as follows.
32 bits for the ID—this will cover 4 billion nodes;
160 bits for the encrypted anchor element (128 bits if MD5 is used instead of SHA-1);
64 bits for the time field—this gives the current time in UTC since January 1, 1900, with a resolution of 200 picoseconds ;
160 bits for the MAC;
1024 bits for the CA digital signature (assuming PKCS no. 1-based  digital signature with modulus 1024 bits).
Therefore, the total size of the certificate is 1440 bits or 180 bytes. In contrast, a typical X.509 certificate size is of the order of 1 KB.
8.3. Comparison of Signature Size Overhead
The size of the MAC appended to each message in our protocol is 128 bits for HMAC-MD5 or 160 bits for HMAC-SHA1 (and with -factor 1). In comparison, if RSA-based digital signature is used, the signature size would be 512 bits, 1024 bits, or 2048 bits for RSA modulus , respectively. For DSA or ECDSA-based digital signatures, the signature size is 320 bits for a security level of 80 bits .
8.4. Number of MAC Keys Required
8.5. Comparison of Processing Delay Overhead
RSA signature timings (ms) per packet on 500 MHz Pentium III .
Key length (bits)
Figure 11(a) validates a key feature of each algorithm compared here. For the HMAC algorithms, the processing delay is proportional to the number of 512-bit blocks being processed. As the packet sizes increase, the number of blocks per packet also increase, and therefore the processing delay for HMAC increases. Also, HMAC-SHA1 performs more operations (1110 per 512-bit block) compared to HMAC-MD5 (744 per 512-block) and this fact is reflected in the graphs. For RSA, the processing delay depends only on the size of the modulus and is independent of the size of the message. The cheapest RSA delay, 14.6 ms per packet (for modulus 1024 bit), is still significantly higher than the most expensive HMAC delay, 0.43 ms (for HMAC-SHA1 with eight MACs). This is a major advantage of our protocol over signature-based schemes.
The total processing delay for authenticating 500 MB data is shown in Figure 11(b). The total number of 512-bit blocks in the overall message is independent of the size of each packet, and hence also the HMAC processing delay for the entire message. However, for RSA the processing delay is directly proportional to the number of message chunks processed. Here also our protocol performs significantly better than using RSA signatures—the worst-case delay is 204 seconds (for HMAC-SHA1, 8 MACs), while the best-case delay for RSA is a prohibitive 5321 seconds (for , 1528-byte packets).
8.6. Analysis of Energy Consumption
Energy cost of digital signature algorithms and HMAC, for Compaq iPAQ H3670 .
Key size (bits)
1.16 ( J/B)
It is to be noted that the energy consumption figures above are only for the computation costs of various protocol functions. Another primary source of energy consumption is message transmission. An evaluation of the computation and transmission costs based on the packet sizes, traded off against the packet error probability in transmission, may yield a packet size that is optimal in terms of overall energy consumption. Such analysis is beyond the scope of the current work.
In this paper, we have proposed a modified version of a new class of lightweight, symmetric-key certificates called TESLA certificate, and described a source authentication protocol for group communication in hybrid satellite/wireless networks that is based on the extended TESLA certificate. The extended TESLA certificate and the authentication protocol are ideally suited for wireless smart devices with limited energy availability. The certificate binds the identity of a sender device to the anchor element(s) of the device's MAC key chain(s). Binding the identity of a device to its key chain extends the lifetime of the device's certificate to multiple uses. Messages sent from the device are authenticated by MACs computed with keys from the chain. For the authentication protocol, we have used the satellite as the Certificate Authority to generate and distribute the extended TESLA certificates to all the nodes in the network. We have also used the satellite as the proxy node for the senders in disclosing the MAC keys to the receivers in the network. Furthermore, we have proposed a novel concept of probabilistic nonrepudiation that is based on having the satellite node as the proxy for key disclosure to the receivers. In terms of performance, due to the use of symmetric MAC functions, the proposed source authentication protocol expends much less processing power and node energy of the smart devices, in comparison to authentication protocols based on public key-based digital signatures. Through analysis and simulations, we have shown that the performance of the proposed authentication protocol is superior to using public key-based authentication mechanisms, for the metrics node energy and processing delay. We have also shown through security analysis that the source authentication protocol is secure against malicious adversaries.
There has been limited research in group authentication protocols that address the unique characteristics and requirements of wireless devices in hybrid networks such as the one we have described in this paper. We believe our proposed protocol makes a worthwhile contribution to address the paucity. Although we have described the source authentication protocol primarily in the context of hybrid wireless/satellite networks, with minor modifications the protocol can be made applicable to devices in generic wireless networks, provided that some centralized infrastructure is present for performing the functions of the CA and the proxy. Also, the nonrepudiation mechanism can be separately used with other symmetric MAC-based source authentication protocols for group communications, provided a trusted infrastructure is present for proxy key disclosure and to provide arbitration.
The authors would like to thank the anonymous reviewers whose valuable critique has contributed to improvements in this paper. The material presented in this paper is based upon work supported by National Aeronautics and Space Administration under award No. NCC8235, and by the Defence Advanced Research Projects Agency (DARPA) award number 013641-001 to the University of California-Berkeley, under the MuSyC center. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsoring agencies.
- Roy-Chowdhury A, Baras JS: Improving network performance in hybrid wireless networks using a satellite overlay. In Proceedings of the 13th Ka and Broadband Communications Conference, September 2007, Turin, Italy. Instituto Internazionale delle Comunicazioni (IIC);Google Scholar
- National Institute of Standards and Technology (NIST) : Digital signature standard (DSS). NIST Information Technology Laboratory, Gaithersburg, Md, USA; March 2006.Google Scholar
- Gupta V, Gupta S, Chang S, Stebila D: Performance analysis of elliptic curve cryptography for SSL. In Proceedings of the ACM Wireless Internet Security Workshop (WiSe '02), September 2002, Atlanta, Ga, USA. ACM; 87-94.View ArticleGoogle Scholar
- Prasithsangaree P, Krishnamurthy P: On a framework for energy-efficient security protocols in wireless networks. Computer Communications 2004,27(17):1716-1729. 10.1016/j.comcom.2004.05.022View ArticleGoogle Scholar
- Seys S, Preneel B: Power consumption evaluation of efficient digital signature schemes for low power devices. In Proceedings of the IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, (WiMob '05), 2005. Volume 1. IEEE; 79-86.Google Scholar
- Freeman W, Miller E: Experimental analysis of cryptographic overhead in performance-critical systems. Proceedings of the IEEE International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOT '99), October 1999, College Park, Md, USA 348-357.Google Scholar
- Kaliski B: Twirl and RSA key size. In CryptoBytes Technical Newsletter. RSA Laboratories, Bedford, Mass, USA; 2003.Google Scholar
- Bohge M, Trappe W: TESLA certificates: an authentication tool for networks of compute-constrained devices. Proceedings of the 6th International Symposium on Wirless Personal Multimedia Communications (WPMC '03), October 2003, Yokosuka, JapanGoogle Scholar
- Roy-Chowdhury A, Baras JS: A lightweight certificate-based source authentication protocol for group communication in hybrid wireless/satellite networks. In Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '08), December 2008, New Orleans, La, USA. IEEE; 1897-1902.Google Scholar
- Roy-Chowdhury A, Baras JS: Probabilistic non-repudiation for source authentication with TESLA certificates in hybrid satellite/wireless networks and performance analysis of the authentication protocol. In Proceedings of the 15th Ka and Broadband Communications Navigation and Earth Observation Conference, September 2009, Cagliari, Italy. Italian Space Agency;Google Scholar
- Canetti R, Garay J, Itkis G, Micciancio D, Naor M, Pinkas B: Multicast security: a taxonomy and some efficient constructions. Proceedings of the 18th Annual Joint Conference of the IEEE Computer and Communications Societie (INFOCOM '99), March 1999 708-716.Google Scholar
- Gennaro R, Rohatgi P: How to sign digital signatures. In Advances in Cryptology—CRYPTO. Springer, Berlin, Germany; 1997:180-197.Google Scholar
- Wong CK, Lam SS: Digital signatures for flows and multicasts. Proceedings of the 1998 International Conference on Network Protocols (ICNP '98), October 1998, Austin, Tex, USA 198-209.Google Scholar
- Rohatgi P: Compact and fast hybrid signature scheme for multicast packet authentication. In Proceedings of the 6th ACM Conference on Computer and Communications Security (ACM CCS '99), November 1999, Singapore. ACM; 93-100.View ArticleGoogle Scholar
- Anderson R, Bergadano F, Crispo B, Lee J-H, Manifavas C, Needham R: A new family of authentication protocols. Operating Systems Review (ACM) 1998,32(4):9-20. 10.1145/302350.302353View ArticleGoogle Scholar
- Perrig A: The BiBa one-time signature and broadcast authentication protocol. Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), November 2001 28-37.View ArticleGoogle Scholar
- Perrig A, Canetti R, Song D, Tygar JD: TheTESLA broadcast authentication protocol. RSA CryptoBytes 2002,5(2):2-13.Google Scholar
- Perrig A, Canetti R, Song D, Tygar JD: Efficient and secure source authentication for multicast. Proceedings of the Network and Distributed System Security Symposium (NDSS '01), 2001Google Scholar
- Bohge M, Trappe W: An authentication framework for hierarchical ad hoc sensor networks. In Proceedings of the ACM Workshop on Wireless Security (WiSE '03), August 2003, San Diego, Calif, USA. ACM; 79-87.Google Scholar
- Naor M, Yung M: Universal one-way hash functions and their cryptographic applications. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC '89), 1989, New York, NY, USA. ACM; 33-43.View ArticleGoogle Scholar
- Secure Hash Standard http://www.itl.nist.gov/fipspubs/fip180-1.htm
- Mills DRFC 1305—Network Time Protocol (Version 3) Specification, Implementation and Analysis, Internet Engineering Task Force (IETF), March 1992Google Scholar
- Jonsson J, Kaliski BPublic-Key Cryptography Standards (PKCS) # 1: RSA Cryptography Specifications Version 2.1 (RFC 3447), Internet Engineering Task Force (IETF), February 2003Google Scholar
- Ding X, Mazzocchi D, Tsudik G: Equipping smart devices with public key signatures. ACM Transactions on Internet Technology 2007.,7(1, article 3):Google Scholar
- Compaq iPAQ Pocket PC H3600 series http://h18002.www1.hp.com/products/quickspecs/10632div/10632div.HTML#QuickSpecs
- Potlapally NR, Ravi S, Raghunathan A, Jha NK: A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Transactions on Mobile Computing 2006,5(2):128-143.View ArticleGoogle Scholar
- ARM1176JZ(F)-S processor http://www.arm.com/products/CPUs/ARM1176.html
- iPod and iPhone battery and power specifications http://www.ipodbatteryfaq.com/ipodbatteryandpower.html
This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.