Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Internet Engineering Task Force (IETF) V. Roca
- Request for Comments: 5776 A. Francillon
- Category: Experimental S. Faurite
- ISSN: 2070-1721 INRIA
- April 2010
- Use of Timed Efficient Stream Loss-Tolerant Authentication (TESLA) in
- the Asynchronous Layered Coding (ALC) and
- NACK-Oriented Reliable Multicast (NORM) Protocols
- Abstract
- This document details the Timed Efficient Stream Loss-Tolerant
- Authentication (TESLA) packet source authentication and packet
- integrity verification protocol and its integration within the
- Asynchronous Layered Coding (ALC) and NACK-Oriented Reliable
- Multicast (NORM) content delivery protocols. This document only
- considers the authentication/integrity verification of the packets
- generated by the session's sender. The authentication and integrity
- verification of the packets sent by receivers, if any, is out of the
- scope of this document.
- Status of This Memo
- This document is not an Internet Standards Track specification; it is
- published for examination, experimental implementation, and
- evaluation.
- This document defines an Experimental Protocol for the Internet
- community. This document is a product of the Internet Engineering
- Task Force (IETF). It represents the consensus of the IETF
- community. It has received public review and has been approved for
- publication by the Internet Engineering Steering Group (IESG). Not
- all documents approved by the IESG are a candidate for any level of
- Internet Standard; see Section 2 of RFC 5741.
- Information about the current status of this document, any errata,
- and how to provide feedback on it may be obtained at
- http://www.rfc-editor.org/info/rfc5776.
- Roca, et al. Experimental [Page 1]
- RFC 5776 TESLA in ALC and NORM April 2010
- Copyright Notice
- Copyright (c) 2010 IETF Trust and the persons identified as the
- document authors. All rights reserved.
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info) in effect on the date of
- publication of this document. Please review these documents
- carefully, as they describe your rights and restrictions with respect
- to this document. Code Components extracted from this document must
- include Simplified BSD License text as described in Section 4.e of
- the Trust Legal Provisions and are provided without warranty as
- described in the Simplified BSD License.
- This document may contain material from IETF Documents or IETF
- Contributions published or made publicly available before November
- 10, 2008. The person(s) controlling the copyright in some of this
- material may not have granted the IETF Trust the right to allow
- modifications of such material outside the IETF Standards Process.
- Without obtaining an adequate license from the person(s) controlling
- the copyright in such materials, this document may not be modified
- outside the IETF Standards Process, and derivative works of it may
- not be created outside the IETF Standards Process, except to format
- it for publication as an RFC or to translate it into languages other
- than English.
- Roca, et al. Experimental [Page 2]
- RFC 5776 TESLA in ALC and NORM April 2010
- Table of Contents
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 1.1. Scope of This Document . . . . . . . . . . . . . . . . . . 6
- 1.2. Conventions Used in This Document . . . . . . . . . . . . 7
- 1.3. Terminology and Notations . . . . . . . . . . . . . . . . 7
- 1.3.1. Notations and Definitions Related to Cryptographic
- Functions . . . . . . . . . . . . . . . . . . . . . . 7
- 1.3.2. Notations and Definitions Related to Time . . . . . . 8
- 2. Using TESLA with ALC and NORM: General Operations . . . . . . 9
- 2.1. ALC and NORM Specificities That Impact TESLA . . . . . . . 9
- 2.2. Bootstrapping TESLA . . . . . . . . . . . . . . . . . . . 10
- 2.2.1. Bootstrapping TESLA with an Out-Of-Band Mechanism . . 10
- 2.2.2. Bootstrapping TESLA with an In-Band Mechanism . . . . 11
- 2.3. Setting Up a Secure Time Synchronization . . . . . . . . . 11
- 2.3.1. Direct Time Synchronization . . . . . . . . . . . . . 12
- 2.3.2. Indirect Time Synchronization . . . . . . . . . . . . 12
- 2.4. Determining the Delay Bounds . . . . . . . . . . . . . . . 13
- 2.4.1. Delay Bound Calculation in Direct Time
- Synchronization Mode . . . . . . . . . . . . . . . . . 14
- 2.4.2. Delay Bound Calculation in Indirect Time
- Synchronization Mode . . . . . . . . . . . . . . . . . 14
- 2.5. Cryptographic Parameter Values . . . . . . . . . . . . . . 15
- 3. Sender Operations . . . . . . . . . . . . . . . . . . . . . . 16
- 3.1. TESLA Parameters . . . . . . . . . . . . . . . . . . . . . 16
- 3.1.1. Time Intervals . . . . . . . . . . . . . . . . . . . . 16
- 3.1.2. Key Chains . . . . . . . . . . . . . . . . . . . . . . 16
- 3.1.3. Time Interval Schedule . . . . . . . . . . . . . . . . 20
- 3.1.4. Timing Parameters . . . . . . . . . . . . . . . . . . 20
- 3.2. TESLA Signaling Messages . . . . . . . . . . . . . . . . . 21
- 3.2.1. Bootstrap Information . . . . . . . . . . . . . . . . 21
- 3.2.2. Direct Time Synchronization Response . . . . . . . . . 22
- 3.3. TESLA Authentication Information . . . . . . . . . . . . . 22
- 3.3.1. Authentication Tags . . . . . . . . . . . . . . . . . 23
- 3.3.2. Digital Signatures . . . . . . . . . . . . . . . . . . 23
- 3.3.3. Group MAC Tags . . . . . . . . . . . . . . . . . . . . 24
- 3.4. Format of TESLA Messages and Authentication Tags . . . . . 25
- 3.4.1. Format of a Bootstrap Information Message . . . . . . 26
- 3.4.2. Format of a Direct Time Synchronization Response . . . 31
- 3.4.3. Format of a Standard Authentication Tag . . . . . . . 32
- 3.4.4. Format of an Authentication Tag without Key
- Disclosure . . . . . . . . . . . . . . . . . . . . . . 33
- 3.4.5. Format of an Authentication Tag with a "New Key
- Chain" Commitment . . . . . . . . . . . . . . . . . . 34
- 3.4.6. Format of an Authentication Tag with a "Last Key
- of Old Chain" Disclosure . . . . . . . . . . . . . . . 35
- 4. Receiver Operations . . . . . . . . . . . . . . . . . . . . . 36
- 4.1. Verification of the Authentication Information . . . . . . 36
- Roca, et al. Experimental [Page 3]
- RFC 5776 TESLA in ALC and NORM April 2010
- 4.1.1. Processing the Group MAC Tag . . . . . . . . . . . . . 36
- 4.1.2. Processing the Digital Signature . . . . . . . . . . . 37
- 4.1.3. Processing the Authentication Tag . . . . . . . . . . 37
- 4.2. Initialization of a Receiver . . . . . . . . . . . . . . . 38
- 4.2.1. Processing the Bootstrap Information Message . . . . . 38
- 4.2.2. Performing Time Synchronization . . . . . . . . . . . 38
- 4.3. Authentication of Received Packets . . . . . . . . . . . . 40
- 4.3.1. Discarding Unnecessary Packets Earlier . . . . . . . . 43
- 4.4. Flushing the Non-Authenticated Packets of a Previous
- Key Chain . . . . . . . . . . . . . . . . . . . . . . . . 43
- 5. Integration in the ALC and NORM Protocols . . . . . . . . . . 44
- 5.1. Authentication Header Extension Format . . . . . . . . . . 44
- 5.2. Use of Authentication Header Extensions . . . . . . . . . 45
- 5.2.1. EXT_AUTH Header Extension of Type Bootstrap
- Information . . . . . . . . . . . . . . . . . . . . . 45
- 5.2.2. EXT_AUTH Header Extension of Type Authentication
- Tag . . . . . . . . . . . . . . . . . . . . . . . . . 48
- 5.2.3. EXT_AUTH Header Extension of Type Direct Time
- Synchronization Request . . . . . . . . . . . . . . . 49
- 5.2.4. EXT_AUTH Header Extension of Type Direct Time
- Synchronization Response . . . . . . . . . . . . . . . 49
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 50
- 6.1. Dealing with DoS Attacks . . . . . . . . . . . . . . . . . 50
- 6.2. Dealing With Replay Attacks . . . . . . . . . . . . . . . 51
- 6.2.1. Impacts of Replay Attacks on TESLA . . . . . . . . . . 51
- 6.2.2. Impacts of Replay Attacks on NORM . . . . . . . . . . 52
- 6.2.3. Impacts of Replay Attacks on ALC . . . . . . . . . . . 53
- 6.3. Security of the Back Channel . . . . . . . . . . . . . . . 53
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54
- 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 55
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 55
- 9.1. Normative References . . . . . . . . . . . . . . . . . . . 55
- 9.2. Informative References . . . . . . . . . . . . . . . . . . 56
- Roca, et al. Experimental [Page 4]
- RFC 5776 TESLA in ALC and NORM April 2010
- 1. Introduction
- Many applications using multicast and broadcast communications
- require that each receiver be able to authenticate the source of any
- packet it receives as well as the integrity of these packets. This
- is the case with ALC [RFC5775] and NORM [RFC5740], two Content
- Delivery Protocols (CDPs) designed to transfer objects (e.g., files)
- reliably between a session's sender and several receivers. The NORM
- protocol is based on bidirectional transmissions. Each receiver
- acknowledges data received or, in case of packet erasures, asks for
- retransmissions. On the opposite, the ALC protocol is based on
- purely unidirectional transmissions. Reliability is achieved by
- means of the cyclic transmission of the content within a carousel
- and/or by the use of proactive Forward Error Correction (FEC) codes.
- Both protocols have in common the fact that they operate at the
- application level, on top of an erasure channel (e.g., the Internet)
- where packets can be lost (erased) during the transmission.
- The goal of this document is to counter attacks where an attacker
- impersonates the ALC or NORM session's sender and injects forged
- packets to the receivers, thereby corrupting the objects
- reconstructed by the receivers.
- Preventing this attack is much more complex in the case of group
- communications than it is with unicast communications. Indeed, with
- unicast communications, a simple solution exists: the sender and the
- receiver share a secret key to compute a Message Authentication Code
- (MAC) of all messages exchanged. This is no longer feasible in the
- case of multicast and broadcast communications since sharing a group
- key between the sender and all receivers implies that any group
- member can impersonate the sender and send forged messages to other
- receivers.
- The usual solution to provide the source authentication and message
- integrity services in the case of multicast and broadcast
- communications consists of relying on asymmetric cryptography and
- using digital signatures. Yet, this solution is limited by high
- computational costs and high transmission overheads. The Timed
- Efficient Stream Loss-tolerant Authentication (TESLA) protocol is an
- alternative solution that provides the two required services, while
- being compatible with high-rate transmissions over lossy channels.
- This document explains how to integrate the TESLA source
- authentication and packet integrity protocol to the ALC and NORM CDP.
- Any application built on top of ALC and NORM will directly benefit
- from the services offered by TESLA at the transport layer. In
- particular, this is the case of File Delivery over Unidirectional
- Transport (FLUTE).
- Roca, et al. Experimental [Page 5]
- RFC 5776 TESLA in ALC and NORM April 2010
- For more information on the TESLA protocol and its principles, please
- refer to [RFC4082] and [Perrig04]. For more information on ALC and
- NORM, please refer to [RFC5775], [RFC5651], and [RFC5740],
- respectively. For more information on FLUTE, please refer to
- [RMT-FLUTE].
- 1.1. Scope of This Document
- This specification only considers the authentication and integrity
- verification of the packets generated by the session's sender. This
- specification does not consider the packets that may be sent by
- receivers, for instance, NORM's feedback packets. [RMT-SIMPLE-AUTH]
- describes several techniques that can be used to that purpose. Since
- this is usually a low-rate flow (unlike the downstream flow), using
- computing intensive techniques like digital signatures, possibly
- combined with a Group MAC scheme, is often acceptable. Finally,
- Section 5 explains how to use several authentication schemes in a
- given session thanks to the "ASID" (Authentication Scheme IDentifier)
- field.
- This specification relies on several external mechanisms, for
- instance:
- o to communicate securely the public key or a certificate for the
- session's sender (Section 2.2.2);
- o to communicate securely and confidentially the group key, K_g,
- used by the Group MAC feature, when applicable (Section 3.3.3).
- In some situations, this group key will have to be periodically
- refreshed;
- o to perform secure time synchronization in indirect mode
- (Section 2.3.2) or in direct mode (Section 2.3.1) to carry the
- request/response messages with ALC, which is purely
- unidirectional;
- These mechanisms are required in order to bootstrap TESLA at a sender
- and at a receiver and must be deployed in parallel to TESLA.
- Besides, the randomness of the Primary Key of the key chain
- (Section 3.1.2) is vital to the security of TESLA. Therefore, the
- sender needs an appropriate mechanism to generate this random key.
- Several technical details of TESLA, like the most appropriate way to
- alternate between the transmission of a key disclosure and a
- commitment to a new key chain, or the transmission of a key
- disclosure and the last key of the previous key chain, or the
- disclosure of a key and the compact flavor that does not disclose any
- key, are specific to the target use case (Section 3.1.2). For
- Roca, et al. Experimental [Page 6]
- RFC 5776 TESLA in ALC and NORM April 2010
- instance, it depends on the number of packets sent per time interval,
- on the desired robustness and the acceptable transmission overhead,
- which can only be optimized after taking into account the use-case
- specificities.
- 1.2. Conventions Used in This Document
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
- 1.3. Terminology and Notations
- The following notations and definitions are used throughout this
- document.
- 1.3.1. Notations and Definitions Related to Cryptographic Functions
- Notations and definitions related to cryptographic functions
- [RFC4082][RFC4383]:
- o PRF is the Pseudo Random Function;
- o MAC is the Message Authentication Code;
- o HMAC is the keyed-Hash Message Authentication Code;
- o F is the one-way function used to create the key chain
- (Section 3.1.2.1);
- o F' is the one-way function used to derive the HMAC keys
- (Section 3.1.2.1);
- o n_p is the length, in bits, of the F function's output. This is
- therefore the length of the keys in the key chain;
- o n_f is the length, in bits, of the F' function's output. This is
- therefore the length of the HMAC keys;
- o n_m is the length, in bits, of the truncated output of the MAC
- [RFC2104]. Only the n_m most significant bits of the MAC output
- are kept;
- o N is the length of a key chain. There are N+1 keys in a key
- chain: K_0, K_1, ..., K_N. When several chains are used, all the
- chains MUST have the same length and keys are numbered
- consecutively, following the time interval numbering;
- Roca, et al. Experimental [Page 7]
- RFC 5776 TESLA in ALC and NORM April 2010
- o n_c is the number of keys in a key chain. Therefore, n_c = N+1;
- o n_tx_lastkey is the number of additional intervals during which
- the last key of the old key chain SHOULD be sent, after switching
- to a new key chain and after waiting for the disclosure delay d.
- These extra transmissions take place after the interval during
- which the last key is normally disclosed. The n_tx_lastkey value
- is either 0 (no extra disclosure) or larger. This parameter is
- sender specific and is not communicated to the receiver;
- o n_tx_newkcc is the number of intervals during which the commitment
- to a new key chain SHOULD be sent, before switching to the new key
- chain. The n_tx_newkcc value is either 0 (no commitment sent
- within authentication tags) or larger. This parameter is sender
- specific and is not communicated to the receiver;
- o K_g is a shared group key, communicated to all group members,
- confidentially, during the TESLA bootstrapping (Section 2.2);
- o n_w is the length, in bits, of the truncated output of the MAC of
- the optional group authentication scheme: only the n_w most
- significant bits of the MAC output are kept. n_w is typically
- small, a multiple of 32 bits (e.g., 32 bits).
- 1.3.2. Notations and Definitions Related to Time
- Notations and definitions related to time:
- o i is the time interval index. Interval numbering starts at 0 and
- increases consecutively. Since the interval index is stored as a
- 32-bit unsigned integer, wrapping to 0 might take place in long
- sessions.
- o t_s is the sender local time value at some absolute time (in NTP
- timestamp format);
- o t_r is the receiver local time value at the same absolute time (in
- NTP timestamp format);
- o T_0 is the start time corresponding to the beginning of the
- session, i.e., the beginning of time interval 0 (in NTP timestamp
- format);
- o T_int is the interval duration (in milliseconds);
- o d is the key disclosure delay (in number of intervals);
- Roca, et al. Experimental [Page 8]
- RFC 5776 TESLA in ALC and NORM April 2010
- o D_t is the upper bound of the lag of the receiver's clock with
- respect to the clock of the sender;
- o S_sr is an estimated bound of the clock drift between the sender
- and a receiver throughout the duration of the session;
- o D^O_t is the upper bound of the lag of the sender's clock with
- respect to the time reference in indirect time synchronization
- mode;
- o D^R_t is the upper bound of the lag of the receiver's clock with
- respect to the time reference in indirect time synchronization
- mode;
- o D_err is an upper bound of the time error between all the time
- references, in indirect time synchronization mode;
- o NTP timestamp format consists in a 64-bit unsigned fixed-point
- number, in seconds relative to 0h on 1 January 1900. The integer
- part is in the first 32 bits, and the fraction part in the last 32
- bits [RFC1305].
- 2. Using TESLA with ALC and NORM: General Operations
- 2.1. ALC and NORM Specificities That Impact TESLA
- The ALC and NORM protocols have features and requirements that
- largely impact the way TESLA can be used.
- In the case of ALC:
- o ALC is massively scalable: nothing in the protocol specification
- limits the number of receivers that join a session. Therefore, an
- ALC session potentially includes a huge number (e.g., millions or
- more) of receivers;
- o ALC can work on top of purely unidirectional transport channels:
- this is one of the assets of ALC, and examples of unidirectional
- channels include satellite (even if a back channel might exist in
- some use cases) and broadcasting networks like Digital Video
- Broadcasting - Handhelds / Satellite services to Handhelds (DVB-
- H/SH);
- o ALC defines an on-demand content delivery model [RFC5775] where
- receivers can arrive at any time, at their own discretion,
- download the content and leave the session. Other models (e.g.,
- push or streaming) are also defined;
- Roca, et al. Experimental [Page 9]
- RFC 5776 TESLA in ALC and NORM April 2010
- o ALC sessions are potentially very long: a session can last several
- days or months during which the content is continuously
- transmitted within a carousel. The content can be either static
- (e.g., a software update) or dynamic (e.g., a web site).
- Depending on the use case, some of the above features may not apply.
- For instance, ALC can also be used over a bidirectional channel or
- with a limited number of receivers.
- In the case of NORM:
- o NORM has been designed for medium-size sessions: indeed, NORM
- relies on feedback messages and the sender may collapse if the
- feedback message rate is too high;
- o NORM requires a bidirectional transport channel: the back channel
- is not necessarily a high-data rate channel since the control
- traffic sent over it by a single receiver is an order of magnitude
- lower than the downstream traffic. Networks with an asymmetric
- connectivity (e.g., a high-rate satellite downlink and a low-rate
- return channel) are appropriate.
- 2.2. Bootstrapping TESLA
- In order to initialize the TESLA component at a receiver, the sender
- MUST communicate some key information in a secure way, so that the
- receiver can check the source of the information and its integrity.
- Two general methods are possible:
- o by using an out-of-band mechanism, or
- o by using an in-band mechanism.
- The current specification does not recommend any mechanism to
- bootstrap TESLA. Choosing between an in-band and out-of-band scheme
- is left to the implementer, depending on the target use case.
- However, it is RECOMMENDED that TESLA implementations support the use
- of the in-band mechanism for interoperability purposes.
- 2.2.1. Bootstrapping TESLA with an Out-Of-Band Mechanism
- For instance, [RFC4442] describes the use of the MIKEY (Multimedia
- Internet Keying) protocol to bootstrap TESLA. As a side effect,
- MIKEY also provides a loose time synchronization feature from which
- TESLA can benefit. Other solutions, for instance, based on an
- extended session description, are possible, on the condition that
- these solutions provide the required security level.
- Roca, et al. Experimental [Page 10]
- RFC 5776 TESLA in ALC and NORM April 2010
- 2.2.2. Bootstrapping TESLA with an In-Band Mechanism
- This specification describes an in-band mechanism. In some use
- cases, it might be desired that bootstrapping take place without
- requiring the use of an additional external mechanism. For instance,
- each device may feature a clock with a known time-drift that is
- negligible in front of the time accuracy required by TESLA, and each
- device may embed the public key of the sender. It is also possible
- that the use case does not feature a bidirectional channel that
- prevents the use of out-of-band protocols like MIKEY. For these two
- examples, the exchange of a bootstrap information message (described
- in Section 3.4.1) and the knowledge of a few additional parameters
- (listed below) are sufficient to bootstrap TESLA at a receiver.
- Some parameters cannot be communicated in-band. In particular:
- o the sender or group controller MUST either communicate the public
- key of the sender or a certificate (which also means that a PKI
- has been set up) to all receivers, so that each receiver be able
- to verify the signature of the bootstrap message and direct time
- synchronization response messages (when applicable).
- o when time synchronization is performed with NTP/SNTP (Simple
- Network Time Protocol), the sender or group controller MUST
- communicate the list of valid NTP/SNTP servers to all the session
- members (sender included), so that they are all able to
- synchronize themselves on the same NTP/SNTP servers.
- o when the Group MAC feature is used, the sender or group controller
- MUST communicate the K_g group key to all the session members
- (sender included). This group key may be periodically refreshed.
- The way these parameters are communicated is out of the scope of this
- document.
- 2.3. Setting Up a Secure Time Synchronization
- The security offered by TESLA heavily relies on time. Therefore, the
- session's sender and each receiver need to be time synchronized in a
- secure way. To that purpose, two general methods exist:
- o direct time synchronization, and
- o indirect time synchronization.
- It is also possible that a given session includes receivers that use
- the direct time synchronization mode while others use the indirect
- time synchronization mode.
- Roca, et al. Experimental [Page 11]
- RFC 5776 TESLA in ALC and NORM April 2010
- 2.3.1. Direct Time Synchronization
- When direct time synchronization is used, each receiver asks the
- sender for a time synchronization. To that purpose, a receiver sends
- a direct time synchronization request (Section 4.2.2.1). The sender
- then directly answers each request with a direct time synchronization
- response (Section 3.4.2), signing this reply. Upon receiving this
- response, a receiver first verifies the signature, and then
- calculates an upper bound of the lag of his clock with respect to the
- clock of the sender, D_t. The details on how to calculate D_t are
- given in Section 2.4.1.
- This synchronization method is both simple and secure. Yet, there
- are two potential issues:
- o a bidirectional channel must exist between the sender and each
- receiver, and
- o the sender may collapse if the incoming request rate is too high.
- Relying on direct time synchronization is not expected to be an issue
- with NORM since (1) bidirectional communications already take place,
- and (2) NORM scalability is anyway limited. Yet, it can be required
- that a mechanism, that is out of the scope of this document, be used
- to spread the transmission of direct time synchronization request
- messages over time if there is a risk that the sender may collapse.
- But direct time synchronization is potentially incompatible with ALC
- since (1) there might not be a back channel, and (2) there are
- potentially a huge number of receivers and therefore a risk that the
- sender will collapse.
- 2.3.2. Indirect Time Synchronization
- When indirect time synchronization is used, the sender and each
- receiver must synchronize securely via an external time reference.
- Several possibilities exist:
- o sender and receivers can synchronize through an NTPv3 (Network
- Time Protocol version 3) [RFC1305] hierarchy of servers. The
- authentication mechanism of NTPv3 MUST be used in order to
- authenticate each NTP message individually. It prevents, for
- instance, an attacker from impersonating an NTP server;
- o they can synchronize through an NTPv4 (Network Time Protocol
- version 4) [NTP-NTPv4] hierarchy of servers. The Autokey security
- protocol of NTPv4 MUST be used in order to authenticate each NTP
- message individually;
- Roca, et al. Experimental [Page 12]
- RFC 5776 TESLA in ALC and NORM April 2010
- o they can synchronize through an SNTPv4 (Simple Network Time
- Protocol version 4) [RFC4330] hierarchy of servers. The
- authentication features of SNTPv4 must then be used. Note that
- TESLA only needs a loose (but secure) time synchronization, which
- is in line with the time synchronization service offered by SNTP;
- o they can synchronize through a GPS or Galileo (or similar) device
- that also provides a high precision time reference. Spoofing
- attacks on the GPS system have recently been reported. Depending
- on the use case, the security achieved will or will not be
- acceptable;
- o they can synchronize thanks to a dedicated hardware, embedded on
- each sender and receiver, that provides a clock with a time-drift
- that is negligible in front of the TESLA time accuracy
- requirements. This feature enables a device to synchronize its
- embedded clock with the official time reference from time to time
- (in an extreme case once, at manufacturing time), and then to
- remain autonomous for a duration that depends on the known maximum
- clock drift.
- A bidirectional channel is required by the NTP/SNTP schemes. On the
- opposite, with the GPS/Galileo and high precision clock schemes, no
- such assumption is made. In situations where ALC is used on purely
- unidirectional transport channels (Section 2.1), using the NTP/SNTP
- schemes is not possible. Another aspect is the scalability
- requirement of ALC, and to a lesser extent of NORM. From this point
- of view, the above mechanisms usually do not raise any problem,
- unlike the direct time synchronization schemes. Therefore, using
- indirect time synchronization can be a good choice. It should be
- noted that the NTP/SNTP schemes assume that each client trusts the
- sender and accepts aligning its NTP/SNTP configuration to that of the
- sender. If this assumption does not hold, the sender SHOULD offer an
- alternative solution.
- The details on how to calculate an upper bound of the lag of a
- receiver's clock with respect to the clock of the sender, D_t, are
- given in Section 2.4.2.
- 2.4. Determining the Delay Bounds
- Let us assume that a secure time synchronization has been set up.
- This section explains how to define the various timing parameters
- that are used during the authentication of received packets.
- Roca, et al. Experimental [Page 13]
- RFC 5776 TESLA in ALC and NORM April 2010
- 2.4.1. Delay Bound Calculation in Direct Time Synchronization Mode
- In direct time synchronization mode, synchronization between a
- receiver and the sender follows the following protocol [RFC4082]:
- o The receiver sends a direct time synchronization request message
- to the sender, that includes t_r, the receiver local time at the
- moment of sending (Section 4.2.2.1).
- o Upon receipt of this message, the sender records its local time,
- t_s, and sends to the receiver a direct time synchronization
- response that includes t_r (taken from the request) and t_s,
- signing this reply (Section 3.4.2).
- o Upon receiving this response, the receiver first verifies that he
- actually sent a request with t_r and then checks the signature.
- Then he calculates D_t = t_s - t_r + S_sr, where S_sr is an
- estimated bound of the clock drift between the sender and the
- receiver throughout the duration of the session. This document
- does not specify how S_sr is estimated.
- After this initial synchronization, at any point throughout the
- session, the receiver knows that: T_s < T_r + D_t, where T_s is the
- current time at the sender and T_r is the current time at the
- receiver.
- 2.4.2. Delay Bound Calculation in Indirect Time Synchronization Mode
- In indirect time synchronization, the sender and the receivers must
- synchronize indirectly using one or several time references.
- 2.4.2.1. Single Time Reference
- Let us assume that there is a single time reference.
- 1. The sender calculates D^O_t, the upper bound of the lag of the
- sender's clock with respect to the time reference. This D^O_t
- value is then communicated to the receivers (Section 3.2.1).
- 2. Similarly, a receiver R calculates D^R_t, the upper bound of the
- lag of the receiver's clock with respect to the time reference.
- 3. Then, for receiver R, the overall upper bound of the lag of the
- receiver's clock with respect to the clock of the sender, D_t, is
- the sum: D_t = D^O_t + D^R_t.
- Roca, et al. Experimental [Page 14]
- RFC 5776 TESLA in ALC and NORM April 2010
- The D^O_t and D^R_t calculation depends on the time synchronization
- mechanism used (Section 2.3.2). In some cases, the synchronization
- scheme specifications provide these values. In other cases, these
- parameters can be calculated by means of a scheme similar to the one
- specified in Section 2.4.1, for instance, when synchronization is
- achieved via a group controller [RFC4082].
- 2.4.2.2. Multiple Time References
- Let us now assume that there are several time references (e.g.,
- several NTP/SNTP servers). The sender and receivers first
- synchronize with the various time references, independently. It
- results in D^O_t and D^R_t. Let D_err be an upper bound of the time
- error between all of the time references. Then, the overall value of
- D_t within receiver R is set to the sum: D_t = D^O_t + D^R_t + D_err.
- In some cases, the D_t value is part of the time synchronization
- scheme specifications. For instance, NTPv3 [RFC1305] defines
- algorithms that are "capable of accuracies in the order of a
- millisecond, even after extended periods when synchronization to
- primary reference sources has been lost". In practice, depending on
- the NTP server stratum, the accuracy might be a little bit worse. In
- that case, D_t = security_factor * (1ms + 1ms), where the
- security_factor is meant to compensate several sources of inaccuracy
- in NTP. The choice of the security_factor value is left to the
- implementer, depending on the target use case.
- 2.5. Cryptographic Parameter Values
- The F (resp. F') function output length is given by the n_p (resp.
- n_f) parameter. The n_p and n_f values depend on the PRF function
- chosen, as specified below:
- +------------------------+---------------------+
- | PRF name | n_p and n_f |
- +------------------------+---------------------+
- | HMAC-SHA-1 | 160 bits (20 bytes) |
- | HMAC-SHA-224 | 224 bits (28 bytes) |
- | HMAC-SHA-256 (default) | 256 bits (32 bytes) |
- | HMAC-SHA-384 | 384 bits (48 bytes) |
- | HMAC-SHA-512 | 512 bits (64 bytes) |
- +------------------------+---------------------+
- The computing of regular MAC (resp. Group MAC) makes use of the n_m
- (resp. n_w) parameter, i.e., the length of the truncated output of
- the function. The n_m and n_w values depend on the MAC function
- chosen, as specified below:
- Roca, et al. Experimental [Page 15]
- RFC 5776 TESLA in ALC and NORM April 2010
- +------------------------+---------------------+-------------------+
- | MAC name | n_m (regular MAC) | n_w (Group MAC) |
- +------------------------+---------------------+-------------------+
- | HMAC-SHA-1 | 80 bits (10 bytes) | 32 bits (4 bytes) |
- | HMAC-SHA-224 | 112 bits (14 bytes) | 32 bits (4 bytes) |
- | HMAC-SHA-256 (default) | 128 bits (16 bytes) | 32 bits (4 bytes) |
- | HMAC-SHA-384 | 192 bits (24 bytes) | 32 bits (4 bytes) |
- | HMAC-SHA-512 | 256 bits (32 bytes) | 32 bits (4 bytes) |
- +------------------------+---------------------+-------------------+
- 3. Sender Operations
- This section describes the TESLA operations at a sender. For more
- information on the TESLA protocol and its principles, please refer to
- [RFC4082][Perrig04].
- 3.1. TESLA Parameters
- 3.1.1. Time Intervals
- The sender divides the time into uniform intervals of duration T_int.
- Time interval numbering starts at 0 and is incremented consecutively.
- The interval index MUST be stored in an unsigned 32-bit integer so
- that wrapping to 0 takes place only after 2^^32 intervals. For
- instance, if T_int is equal to 0.5 seconds, then wrapping takes place
- after approximately 68 years.
- 3.1.2. Key Chains
- 3.1.2.1. Principles
- The sender computes a one-way key chain of n_c = N+1 keys, and
- assigns one key from the chain to each interval, consecutively but in
- reverse order. Key numbering starts at 0 and is incremented
- consecutively, following the time interval numbering: K_0, K_1, ...,
- K_N.
- In order to compute this chain, the sender must first select a
- Primary Key, K_N, and a PRF function, f (Section 7, TESLA-PRF). The
- randomness of the Primary Key, K_N, is vital to the security and no
- one should be able to guess it.
- The function F is a one-way function that is defined as: F(k) =
- f_k(0), where f_k(0) is the result of the application of the PRF f to
- k and 0. When f is an HMAC (Section 7), k is used as the key, and 0
- as the message, using the algorithm described in [RFC2104].
- Roca, et al. Experimental [Page 16]
- RFC 5776 TESLA in ALC and NORM April 2010
- Similarly, the function F' is a one-way function that is defined as:
- F'(k) = f_k(1), where f_k(1) is the result of the application of the
- same PRF f to k and 1.
- The sender then computes all the keys of the chain, recursively,
- starting with K_N, using: K_{i-1} = F(K_i). Therefore, K_i = F^{N-
- i}(K_N), where F^i(x) is the execution of function F with the
- argument x, i times. The receiver can then compute any value in the
- key chain from K_N, even if it does not have intermediate values
- [RFC4082]. The key for MAC calculation can then be derived from the
- corresponding K_i key by K'_i = F'(K_i).
- The key chain has a finite length, N, which corresponds to a maximum
- time duration of (N + 1) * T_int. The content delivery session has a
- duration T_delivery, which may either be known in advance, or not. A
- first solution consists in having a single key chain of an
- appropriate length, so that the content delivery session finishes
- before the end of the key chain, i.e., T_delivery <= (N + 1) * T_int.
- But the longer the key chain, the higher the memory and computation
- required to cope with it. Another solution consists in switching to
- a new key chain, of the same length, when necessary [Perrig04].
- 3.1.2.2. Using Multiple Key Chains
- When several key chains are needed, all of them MUST be of the same
- length. Switching from the current key chain to the next one
- requires that a commitment to the new key chain be communicated in a
- secure way to the receiver. This can be done by using either an out-
- of-band mechanism or an in-band mechanism. This document only
- specifies the in-band mechanism.
- < -------- old key chain --------- >||< -------- new key chain --...
- +-----+-----+ .. +-----+-----+-----+||+-----+-----+-----+-----+-----+
- 0 1 .. N-2 N-1 N || N+1 N+2 N+3 N+4 N+5
- ||
- Key disclosures: ||
- N/A N/A .. K_N-4 K_N-3 K_N-2 || K_N-1 K_N K_N+1 K_N+2 K_N+3
- | || | |
- |< -------------- >|| |< ------------- >|
- Additional key F(K_N+1) || K_N
- disclosures (commitment to || (last key of the
- (in parallel): the new chain) || old chain)
- Figure 1: Switching to the Second Key Chain with the In-Band
- Mechanism, Assuming That d=2, n_tx_newkcc=3, n_tx_lastkey=3
- Roca, et al. Experimental [Page 17]
- RFC 5776 TESLA in ALC and NORM April 2010
- Figure 1 illustrates the switch to the new key chain, using the in-
- band mechanism. Let us say that the old key chain stops at K_N and
- the new key chain starts at K_{N+1} (i.e., F(K_{N+1}) and K_N are two
- different keys). Then, the sender includes the commitment F(K_{N+1})
- to the new key chain into packets authenticated with the old key
- chain (see Section 3.4.5). This commitment SHOULD be sent during
- n_tx_newkcc time intervals before the end of the old key chain.
- Since several packets are usually sent during an interval, the sender
- SHOULD alternate between sending a disclosed key of the old key chain
- and the commitment to the new key chain. The details of how to
- alternate between the disclosure and commitment are out of the scope
- of this document.
- The receiver will keep the commitment until the key K_{N+1} is
- disclosed, at interval N+1+d. Then, the receiver will be able to
- test the validity of that key by computing F(K_{N+1}) and comparing
- it to the commitment.
- When the key chain is changed, it becomes impossible to recover a
- previous key from the old key chain. This is a problem if the
- receiver lost the packets disclosing the last key of the old key
- chain. A solution consists in re-sending the last key, K_N, of the
- old key chain (see Section 3.4.6). This SHOULD be done during
- n_tx_lastkey additional time intervals after the end of the time
- interval where K_N is disclosed. Since several packets are usually
- sent during an interval, the sender SHOULD alternate between sending
- a disclosed key of the new key chain, and the last key of the old key
- chain. The details of how to alternate between the two disclosures
- are out of the scope of this document.
- In some cases, a receiver having experienced a very long
- disconnection might have lost the commitment of the new chain.
- Therefore, this receiver will not be able to authenticate any packet
- related to the new chain or any of the following ones. The only
- solution for this receiver to catch up consists in receiving an
- additional bootstrap information message. This can happen by waiting
- for the next periodic transmission (if sent in-band) or through an
- external mechanism (Section 3.2.1).
- 3.1.2.3. Values of the n_tx_lastkey and n_tx_newkcc Parameters
- When several key chains and the in-band commitment mechanism are
- used, a sender MUST initialize the n_tx_lastkey and n_tx_newkcc
- parameters in such a way that no overlapping occurs. In other words,
- once a sender starts transmitting commitments for a new key chain, he
- MUST NOT send a disclosure for the last key of the old key chain any
- more. Therefore, the following property MUST be verified:
- Roca, et al. Experimental [Page 18]
- RFC 5776 TESLA in ALC and NORM April 2010
- d + n_tx_lastkey + n_tx_newkcc <= N + 1
- It is RECOMMENDED, for robustness purposes, that, once n_tx_lastkey
- has been chosen, then:
- n_tx_newkcc = N + 1 - n_tx_lastkey - d
- In other words, the sender starts transmitting a commitment to the
- following key chain immediately after having sent all the disclosures
- of the last key of the previous key chain. Doing so increases the
- probability that a receiver gets a commitment for the following key
- chain.
- In any case, these two parameters are sender specific and need not be
- transmitted to the receivers. Of course, as explained above, the
- sender alternates between the disclosure of a key of the current key
- chain and the commitment to the new key chain (or the last key of the
- old key chain).
- 3.1.2.4. The Particular Case of the Session Start
- Since a key cannot be disclosed before the disclosure delay, d, no
- key will be disclosed during the first d time intervals (intervals 0
- and 1 in Figure 1) of the session. To that purpose, the sender uses
- the Authentication Tag without Key Disclosure, Section 3.4.4. The
- following key chains, if any, are not concerned since they will
- disclose the last d keys of the previous chain.
- 3.1.2.5. Managing Silent Periods
- An ALC or NORM sender may stop transmitting packets for some time.
- For instance, it can be the end of the session and all packets have
- already been sent, or the use case may consist in a succession of
- busy periods (when fresh objects are available) followed by silent
- periods. In any case, this is an issue since the authentication of
- the packets sent during the last d intervals requires that the
- associated keys be disclosed, which will take place during d
- additional time intervals.
- To solve this problem, it is recommended that the sender transmit
- empty packets (i.e., without payload) containing the TESLA EXT_AUTH
- Header Extension along with a Standard Authentication Tag during at
- least d time intervals after the end of the regular ALC or NORM
- packet transmissions. The number of such packets and the duration
- during which they are sent must be sufficient for all receivers to
- receive, with a high probability, at least one packet disclosing the
- last useful key (i.e., the key used for the last non-empty packet
- sent).
- Roca, et al. Experimental [Page 19]
- RFC 5776 TESLA in ALC and NORM April 2010
- 3.1.3. Time Interval Schedule
- The sender must determine the following parameters:
- o T_0, the start time corresponding to the beginning of the session,
- i.e., the beginning of time interval 0 (in NTP timestamp format);
- o T_int, the interval duration (in milliseconds), usually ranging
- from 100 milliseconds to 1 second;
- o d, the key disclosure delay (in number of intervals). It is the
- time to wait before disclosing a key;
- o N, the length of a key chain.
- The correct choice of T_int, d, and N is crucial for the efficiency
- of the scheme. For instance, a T_int * d product that is too long
- will cause excessive delay in the authentication process. A T_int *
- d product that is too short prevents many receivers from verifying
- packets. An N * T_int product that is too small will cause the
- sender to switch too often to new key chains. An N that is too long
- with respect to the expected session duration (if known) will require
- the sender to compute too many useless keys. Sections 3.2 and 3.6 of
- [RFC4082] give general guidelines for initializing these parameters.
- The T_0, T_int, d, and N parameters MUST NOT be changed during the
- lifetime of the session. This restriction is meant to prevent
- introducing vulnerabilities. For instance, if a sender was
- authorized to change the key disclosure schedule, a receiver that did
- not receive the change notification would still believe in the old
- key disclosure schedule, thereby creating vulnerabilities [RFC4082].
- 3.1.4. Timing Parameters
- In indirect time synchronization mode, the sender must determine the
- following parameter:
- o D^O_t, the upper bound of the lag of the sender's clock with
- respect to the time reference.
- The D^O_t parameter MUST NOT be changed during the lifetime of the
- session.
- Roca, et al. Experimental [Page 20]
- RFC 5776 TESLA in ALC and NORM April 2010
- 3.2. TESLA Signaling Messages
- At a sender, TESLA produces two types of signaling information:
- o The bootstrap information: it can be either sent out-of-band or
- in-band. In the latter case, a digitally signed packet contains
- all the information required to bootstrap TESLA at a receiver;
- o The direct time synchronization response, which enables a receiver
- to finish a direct time synchronization.
- 3.2.1. Bootstrap Information
- In order to initialize the TESLA component at a receiver, the sender
- must communicate some key information in a secure way. This
- information can be sent in-band or out-of-band, as discussed in
- Section 2.2. In this section, we only consider the in-band scheme.
- The TESLA bootstrap information message MUST be digitally signed
- (Section 3.3.2). The goal is to enable a receiver to check the
- packet source and packet integrity. Then, the bootstrap information
- can be:
- o unicast to a receiver during a direct time synchronization
- request/response exchange;
- o broadcast to all receivers. This is typically the case in
- indirect time synchronization mode. It can also be used in direct
- time synchronization mode, for instance, when a large number of
- clients arrive at the same time, in which case it is more
- efficient to answer globally.
- Let us consider situations where the bootstrap information is
- broadcast. This message should be broadcast at the beginning of the
- session, before data packets are actually sent. This is particularly
- important with ALC or NORM sessions in "push" mode, when all clients
- join the session in advance. For improved reliability, bootstrap
- information might be sent a certain number of times.
- A periodic broadcast of the bootstrap information message could also
- be useful when:
- o the ALC session uses an "on-demand" mode, clients arriving at
- their own discretion;
- Roca, et al. Experimental [Page 21]
- RFC 5776 TESLA in ALC and NORM April 2010
- o some clients experience an intermittent connectivity. This is
- particularly important when several key chains are used in an ALC
- or NORM session, since there is a risk that a receiver loses all
- the commitments to the new key chain.
- A balance must be found between the signaling overhead and the
- maximum initial waiting time at the receiver before starting the
- delayed authentication process. A period of a few seconds for the
- transmission of this bootstrap information is often a reasonable
- value.
- 3.2.2. Direct Time Synchronization Response
- In direct time synchronization, upon receipt of a synchronization
- request, the sender records its local time, t_s, and sends a response
- message that contains both t_r and t_s (Section 2.4.1). This message
- is unicast to the receiver. This direct time synchronization
- response message MUST be digitally signed in order to enable a
- receiver to check the packet source and packet integrity
- (Section 3.3.2). The receiver MUST also be able to associate this
- response and his request, which is the reason why t_r is included in
- the response message.
- 3.3. TESLA Authentication Information
- At a sender, TESLA produces three types of security tags:
- o an authentication tag, in case of data packets, and which contains
- the MAC of the packet;
- o a digital signature, in case of one of the two TESLA signaling
- packets, namely a bootstrap information message or a direct time
- synchronization response; and
- o an optional group authentication tag, that can be added to all the
- packets to mitigate attacks coming from outside of the group.
- Because of interdependencies, their computation MUST follow a strict
- order:
- o first of all, compute the authentication tag (with data packet) or
- the digital signature (with signaling packet);
- o finally, compute the Group Mac.
- Roca, et al. Experimental [Page 22]
- RFC 5776 TESLA in ALC and NORM April 2010
- 3.3.1. Authentication Tags
- All the data packets sent MUST have an authentication tag containing:
- o the interval index, i, which is also the index of the key used for
- computing the MAC of this packet;
- o the MAC of the message: MAC(K'_i, M), where K'_i=F'(K_i);
- o either a disclosed key (which belongs to the current key chain or
- the previous key chain), or a commitment to a new key chain, or no
- key at all.
- The computation of MAC(K'_i, M) MUST include the ALC or NORM header
- (with the various header extensions) and the payload (when
- applicable). The UDP/IP headers MUST NOT be included. During this
- computation, the "MAC(K'_i, M)" field of the authentication tag MUST
- be set to 0.
- 3.3.2. Digital Signatures
- The bootstrap information message (with the in-band bootstrap scheme)
- and direct time synchronization response message (with the indirect
- time synchronization scheme) both need to be signed by the sender.
- These two messages contain a "Signature" field to hold the digital
- signature. The bootstrap information message also contains the
- "Signature Encoding Algorithm", the "Signature Cryptographic
- Function", and the "Signature Length" fields that enable a receiver
- to process the "Signature" field. Note that there are no such
- "Signature Encoding Algorithm", "Signature Cryptographic Function",
- and "Signature Length" fields in the case of a direct time
- synchronization response message since it is assumed that these
- parameters are already known (i.e., the receiver either received a
- bootstrap information message before or these values have been
- communicated out-of-band).
- Several "Signature Encoding Algorithms" can be used, including
- RSASSA-PKCS1-v1_5, the default, and RSASSA-PSS (Section 7). With
- these encodings, SHA-256 is the default "Signature Cryptographic
- Function".
- The computation of the signature MUST include the ALC or NORM header
- (with the various header extensions) and the payload when applicable.
- The UDP/IP headers MUST NOT be included. During this computation,
- the "Signature" field MUST be set to 0 as well as the optional Group
- MAC, when present, since this Group MAC is calculated later.
- Roca, et al. Experimental [Page 23]
- RFC 5776 TESLA in ALC and NORM April 2010
- More specifically, from [RFC4359]: Digital signature generation is
- performed as described in [RFC3447], Section 8.2.1 for RSASSA-PKCS1-
- v1_5 and Section 8.1.1 for RSASSA-PSS. The authenticated portion of
- the packet is used as the message M, which is passed to the signature
- generation function. The signer's RSA private key is passed as K.
- In summary, (when SHA-256 is used), the signature generation process
- computes a SHA-256 hash of the authenticated packet bytes, signs the
- SHA-256 hash using the private key, and encodes the result with the
- specified RSA encoding type. This process results in a value S,
- which is the digital signature to be included in the packet.
- With RSASSA-PKCS1-v1_5 and RSASSA-PSS signatures, the size of the
- signature is equal to the "RSA modulus", unless the "RSA modulus" is
- not a multiple of 8 bits. In that case, the signature MUST be
- prepended with between 1 and 7 bits set to zero such that the
- signature is a multiple of 8 bits [RFC4359]. The key size, which in
- practice is also equal to the "RSA modulus", has major security
- implications. [RFC4359] explains how to choose this value depending
- on the maximum expected lifetime of the session. This choice is out
- of the scope of this document.
- 3.3.3. Group MAC Tags
- An optional Group MAC can be used to mitigate Denial-of-Service (DoS)
- attacks coming from attackers that are not group members [RFC4082].
- This feature assumes that a group key, K_g, is shared by the sender
- and all receivers. When the attacker is not a group member, the
- benefits of adding a Group MAC to every packet sent are threefold:
- o a receiver can immediately drop faked packets, without having to
- wait for the disclosure delay, d;
- o a sender can immediately drop faked direct time synchronization
- requests, and avoid checking the digital signature, a computation
- intensive task;
- o a receiver can immediately drop faked direct time synchronization
- response and bootstrap messages, without having to verify the
- digital signature, a computation-intensive task.
- The computation of the Group MAC, MAC(K_g, M), MUST include the ALC
- or NORM header (with the various header extensions) and the payload
- when applicable. The UDP/IP headers MUST NOT be included. During
- this computation, the "Group MAC" field MUST be set to 0. However,
- the digital signature (e.g., of a bootstrap message) and the "MAC"
- fields (e.g., of an authentication tag), when present, MUST have been
- Roca, et al. Experimental [Page 24]
- RFC 5776 TESLA in ALC and NORM April 2010
- calculated since they are included in the Group MAC calculation
- itself. Then, the sender truncates the MAC output to keep the n_w
- most significant bits and stores the result in the "Group MAC" field.
- This scheme features a few limits:
- o it is of no help if a group member (who knows K_g) impersonates
- the sender and sends forged messages to other receivers;
- o it requires an additional MAC computing for each packet, both at
- the sender and receiver sides;
- o it increases the size of the TESLA authentication headers. In
- order to limit this problem, the length of the truncated output of
- the MAC, n_w, SHOULD be kept small (e.g., 32 bits) (see [RFC3711],
- Section 9.5). As a side effect, the authentication service is
- significantly weakened: the probability of any forged packet being
- successfully authenticated becomes one in 2^32. Since the Group
- MAC check is only a pre-check that must be followed by the
- standard TESLA authentication check, this is not considered to be
- an issue.
- For a given use case, the benefits brought by the Group MAC must be
- balanced against these limitations.
- Note that the Group MAC function can be different from the TESLA MAC
- function (e.g., it can use a weaker but faster MAC function). Note
- also that the mechanism by which the group key, K_g, is communicated
- to all group members, and perhaps periodically updated, is out of the
- scope of this document.
- 3.4. Format of TESLA Messages and Authentication Tags
- This section specifies the format of the various kinds of TESLA
- messages and authentication tags sent by the session's sender.
- Because these TESLA messages are carried as EXT_AUTH Header
- Extensions of the ALC or NORM packets (Section 5), the following
- formats do not start on 32-bit word boundaries.
- Roca, et al. Experimental [Page 25]
- RFC 5776 TESLA in ALC and NORM April 2010
- 3.4.1. Format of a Bootstrap Information Message
- When bootstrap information is sent in-band, the following message is
- used:
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+ ---
- | V |resvd|S|G|A| ^
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | d | PRF Type | MAC Func Type |Gr MAC Fun Type| | f
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | i
- | SigEncAlgo | SigCryptoFunc | Signature Length | | x
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | e
- | Reserved | T_int | | d
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | | | l
- + T_0 (NTP timestamp format) + | e
- | | | n
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | g
- | N (Key Chain Length) | | t
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | h
- | Current Interval Index i | v
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
- | |
- ~ Current Key Chain Commitment +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- ~ Signature ~
- + +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |P| |
- +-+ D^O_t Extension (optional, present if A==1) +
- | (NTP timestamp diff, positive if P==1, negative if P==0) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 2: Bootstrap Information Format
- Roca, et al. Experimental [Page 26]
- RFC 5776 TESLA in ALC and NORM April 2010
- The format of the bootstrap information is depicted in Figure 2. The
- fields are:
- "V" (Version) field (2 bits):
- The "V" field contains the version number of the protocol. For
- this specification, the value of 0 MUST be used.
- "Reserved" field (3 bits):
- This is a reserved field that MUST be set to zero in this
- specification.
- "S" (Single Key Chain) flag (1 bit):
- The "S" flag indicates whether this TESLA session is restricted to
- a single key chain (S==1) or relies on one or multiple key chains
- (S==0).
- "G" (Group MAC Present) flag (1 bit):
- The "G" flag indicates whether the Group MAC feature is used
- (G==1) or not (G==0). When it is used, a "Group MAC" field is
- added to all the packets containing a TESLA EXT_AUTH Header
- Extension (including this bootstrap message).
- "A" flag (1 bit):
- The "A" flag indicates whether the "P" flag and "D^O_t" fields are
- present (A==1) or not (A==0). In indirect time synchronization
- mode, A MUST be equal to 1 since these fields are needed.
- "d" field (8 bits):
- "d" is an unsigned integer that defines the key disclosure delay
- (in number of intervals). d MUST be greater than or equal to 2.
- "PRF Type" field (8 bits):
- The "PRF Type" is the reference number of the f function used to
- derive the F (for key chain) and F' (for MAC keys) functions
- (Section 7).
- "MAC Function Type" field (8 bits):
- The "MAC Function Type" is the reference number of the function
- used to compute the MAC of the packets (Section 7).
- Roca, et al. Experimental [Page 27]
- RFC 5776 TESLA in ALC and NORM April 2010
- "Group MAC Function Type" field (8 bits):
- When G==1, this field contains the reference number of the
- cryptographic MAC function used to compute the Group MAC
- (Section 7). When G==0, this field MUST be set to zero.
- "Signature Encoding Algorithm" field (8 bits):
- The "Signature Encoding Algorithm" is the reference number
- (Section 7) of the digital signature used to authenticate this
- bootstrap information and included in the "Signature" field.
- "Signature Cryptographic Function" field (8 bits):
- The "Signature Cryptographic Function" is the reference number
- (Section 7) of the cryptographic function used within the digital
- signature.
- "Signature Length" field (16 bits):
- The "Signature Length" is an unsigned integer that indicates the
- "Signature" field size in bytes in the "Signature Extension"
- field. This is also the signature key length, since both
- parameters are equal.
- "Reserved" fields (16 bits):
- This is a reserved field that MUST be set to zero in this
- specification.
- "T_int" field (16 bits):
- "T_int" is an unsigned 16-bit integer that defines the interval
- duration (in milliseconds).
- "T_0" field (64 bits):
- "T_0" is a timestamp in NTP timestamp format that indicates the
- beginning of the session, i.e., the beginning of time interval 0.
- "N" field (32 bits):
- "N" is an unsigned integer that indicates the key chain length.
- There are N + 1 keys per chain.
- Roca, et al. Experimental [Page 28]
- RFC 5776 TESLA in ALC and NORM April 2010
- "i" (Interval Index of K_i) field (32 bits):
- "i" is an unsigned integer that indicates the current interval
- index when this bootstrap information message is sent.
- "Current Key Chain Commitment" field (variable size, padded if
- necessary for 32-bit word alignment):
- "Key Chain Commitment" is the commitment to the current key chain,
- i.e., the key chain corresponding to interval i. For instance,
- with the first key chain, this commitment is equal to F(K_0), with
- the second key chain, this commitment is equal to F(K_{N+1}),
- etc.). If need be, this field is padded (with 0) up to a multiple
- of 32 bits.
- "Signature" field (variable size, padded if necessary for 32-bit word
- alignment):
- The "Signature" field is mandatory. It contains a digital
- signature of this message, as specified by the encoding algorithm,
- cryptographic function, and key length parameters. If the
- signature length is not a multiple of 32 bits, this field is
- padded with 0.
- "P" flag (optional, 1 bit if present):
- The "P" flag is optional and only present if the "A" flag is equal
- to 1. It is only used in indirect time synchronization mode.
- This flag indicates whether the D^O_t NTP timestamp difference is
- positive (P==1) or negative (P==0).
- "D^O_t" field (optional, 63 bits if present):
- The "D^O_t" field is optional and only present if the "A" flag is
- equal to 1. It is only used in indirect time synchronization
- mode. It is the upper bound of the lag of the sender's clock with
- respect to the time reference. When several time references are
- specified (e.g., several NTP servers), then D^O_t is the maximum
- upper bound of the lag with each time reference. D^O_t is
- composed of two unsigned integers, as with NTP timestamps: the
- first 31 bits give the time difference in seconds and the
- remaining 32 bits give the sub-second time difference.
- Roca, et al. Experimental [Page 29]
- RFC 5776 TESLA in ALC and NORM April 2010
- "Group MAC" field (optional, variable length, multiple of 32 bits):
- This field contains the Group MAC, calculated with the group key,
- K_g, shared by all group members. The field length, in bits, is
- given by n_w, which is known once the Group MAC function type is
- known (Section 7).
- Note that the first byte and the following seven 32-bit words are
- mandatory fixed-length fields. The "Current Key Chain Commitment"
- and "Signature" fields are mandatory but variable-length fields. The
- remaining "D^O_t" and "Group MAC" fields are optional.
- In order to prevent attacks, some parameters MUST NOT be changed
- during the lifetime of the session (Sections 3.1.3 and 3.1.4). The
- following table summarizes the parameter's status:
- +--------------------------+----------------------------------------+
- | Parameter | Status |
- +--------------------------+----------------------------------------+
- | V | set to 0 in this specification |
- | S | static (during whole session) |
- | G | static (during whole session) |
- | A | static (during whole session) |
- | T_O | static (during whole session) |
- | T_int | static (during whole session) |
- | d | static (during whole session) |
- | N | static (during whole session) |
- | D^O_t (if present) | static (during whole session) |
- | PRF Type | static (during whole session) |
- | MAC Function Type | static (during whole session) |
- | Signature Encoding | static (during whole session) |
- | Algorithm | |
- | Signature Crypto. | static (during whole session) |
- | Function | |
- | Signature Length | static (during whole session) |
- | Group MAC Func. Type | static (during whole session) |
- | i | dynamic (related to current key chain) |
- | K_i | dynamic (related to current key chain) |
- | signature | dynamic, packet dependent |
- | Group MAC (if present) | dynamic, packet dependent |
- +--------------------------+----------------------------------------+
- Roca, et al. Experimental [Page 30]
- RFC 5776 TESLA in ALC and NORM April 2010
- 3.4.2. Format of a Direct Time Synchronization Response
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + t_s (NTP timestamp) +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + t_r (NTP timestamp) +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- ~ Signature ~
- + +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 3: Format of a Direct Time Synchronization Response
- The response to a direct time synchronization request contains the
- following information:
- "Reserved" field (8 bits):
- This is a reserved field that MUST be set to zero in this
- specification.
- "t_s" (NTP timestamp, 64 bits):
- "t_s" is a timestamp in NTP timestamp format that corresponds to
- the sender local time value when receiving the direct time
- synchronization request message.
- "t_r" (NTP timestamp, 64 bits):
- "t_r" is a timestamp in NTP timestamp format that contains the
- receiver local time value received in the direct time
- synchronization request message.
- Roca, et al. Experimental [Page 31]
- RFC 5776 TESLA in ALC and NORM April 2010
- "Signature" field (variable size, padded if necessary for 32-bit word
- alignment):
- The "Signature" field is mandatory. It contains a digital
- signature of this message, as specified by the encoding algorithm,
- cryptographic function, and key length parameters communicated in
- the bootstrap information message (if applicable) or out-of-band.
- If the signature length is not a multiple of 32 bits, this field
- is padded with 0.
- "Group MAC" field (optional, variable length, multiple of 32 bits):
- This field contains the Group MAC, calculated with the group key,
- K_g, shared by all group members. The field length, in bits, is
- given by n_w, which is known once the Group MAC function type is
- known (Section 7).
- 3.4.3. Format of a Standard Authentication Tag
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ Disclosed Key K_{i-d} ~
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ MAC(K'_i, M) +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 4: Format of the Standard Authentication Tag
- A Standard Authentication Tag is composed of the following fields:
- "Reserved" field (8 bits):
- The "Reserved" field is not used in the current specification and
- MUST be set to zero by the sender.
- Roca, et al. Experimental [Page 32]
- RFC 5776 TESLA in ALC and NORM April 2010
- "i" (Interval Index) field (32 bits):
- "i" is the interval index associated with the key (K'_i) used to
- compute the MAC of this packet.
- "Disclosed Key" (variable size, non padded):
- The "Disclosed Key" is the key used for interval i-d: K_{i-d}.
- There is no padding between the "Disclosed Key" and "MAC(K'_i, M)"
- fields, and the latter MAY not start on a 32-bit boundary,
- depending on the n_p parameter.
- "MAC(K'_i, M)" (variable size, padded if necessary for 32-bit word
- alignment):
- "MAC(K'_i, M)" is the truncated message authentication code of the
- current packet. Only the n_m most significant bits of the MAC
- output are kept [RFC2104].
- "Group MAC" field (optional, variable length, multiple of 32 bits):
- This field contains the Group MAC, calculated with a group key,
- K_g, shared by all group members. The field length is given by
- n_w, in bits.
- Note that because a key cannot be disclosed before the disclosure
- delay, d, the sender MUST NOT use this tag during the first d
- intervals of the session: {0 .. d-1} (inclusive). Instead, the
- sender MUST use an Authentication Tag without Key Disclosure.
- 3.4.4. Format of an Authentication Tag without Key Disclosure
- The Authentication Tag without Key Disclosure is meant to be used in
- situations where a high number of packets are sent in a given time
- interval. In such a case, it can be advantageous to disclose the
- K_{i-d} key only in a subset of the packets sent, using a Standard
- Authentication Tag, and to use the shortened version that does not
- disclose the K_{i-d} key in the remaining packets. It is left to the
- implementer to decide how many packets should disclose the K_{i-d}
- key. This Authentication Tag without Key Disclosure MUST also be
- used during the first d intervals: {0 .. d-1} (inclusive).
- Roca, et al. Experimental [Page 33]
- RFC 5776 TESLA in ALC and NORM April 2010
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ MAC(K'_i, M) +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 5: Format of the Authentication Tag without Key Disclosure
- 3.4.5. Format of an Authentication Tag with a "New Key Chain"
- Commitment
- During the last n_tx_newkcc intervals of the current key chain, the
- sender SHOULD send commitments to the next key chain. This is done
- by replacing the disclosed key of the Authentication Tag with a New
- Key Chain Commitment, F(K_{N+1}) (or F(K_{2N+2}) in case of a switch
- between the second and third key chains, etc.) Figure 6 shows the
- corresponding format.
- Note that since there is no padding between the "F(K_{N+1})" and
- "MAC(K'_i, M)" fields, the latter MAY not start on a 32-bit boundary,
- depending on the n_p parameter.
- Roca, et al. Experimental [Page 34]
- RFC 5776 TESLA in ALC and NORM April 2010
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ New Key Commitment F(K_{N+1}) ~
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ MAC(K'_i, M) +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 6: Format of the Authentication Tag
- with a New Key Chain Commitment
- 3.4.6. Format of an Authentication Tag with a "Last Key of Old Chain"
- Disclosure
- During the first n_tx_lastkey intervals of the new key chain after
- the disclosing interval, d, the sender SHOULD disclose the last key
- of the old key chain. This is done by replacing the disclosed key of
- the Authentication Tag with the Last Key of the Old Chain, K_N (or
- K_{2N+1} in case of a switch between the second and third key chains,
- etc.). Figure 7 shows the corresponding format.
- Note that since there is no padding between the "K_N" and "MAC(K'_i,
- M)" fields, the latter MAY not start on a 32-bit boundary, depending
- on the n_p parameter.
- Roca, et al. Experimental [Page 35]
- RFC 5776 TESLA in ALC and NORM April 2010
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ Last Key of Old Chain, K_N ~
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- ~ MAC(K'_i, M) +-+-+-+-+-+-+-+-+
- | | Padding |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 7: Format of the Authentication Tag
- with an Old Chain Last Key Disclosure
- 4. Receiver Operations
- This section describes the TESLA operations at a receiver.
- 4.1. Verification of the Authentication Information
- This section details the computation steps required to verify each of
- the three possible authentication information of an incoming packet.
- The verification MUST follow a strict order:
- o first of all, if the Group MAC is present and if the session uses
- this feature (e.g., if the G bit is set in the bootstrap
- information message), then verify the Group MAC. A packet that
- does not contain a Group MAC tag, whereas the session uses this
- feature, MUST be dropped immediately. On the opposite, if a
- packet contains a Group MAC tag whereas the session does not use
- this feature, this tag MUST be ignored;
- o then, verify the digital signature (with TESLA signaling packets)
- or enter the TESLA authentication process (with data packets).
- 4.1.1. Processing the Group MAC Tag
- Upon receiving a packet containing a Group MAC tag, the receiver
- recomputes the Group MAC and compares it to the value carried in the
- packet. If the check fails, the packet MUST be dropped immediately.
- Roca, et al. Experimental [Page 36]
- RFC 5776 TESLA in ALC and NORM April 2010
- More specifically, recomputing the Group MAC requires saving the
- value of the "Group MAC" field, setting this field to 0, and doing
- the same computation as a sender does (see Section 3.3.3).
- 4.1.2. Processing the Digital Signature
- Upon receiving a packet containing a digital signature, the receiver
- verifies the signature as follows.
- The computation of the signature MUST include the ALC or NORM header
- (with the various header extensions) and the payload when applicable.
- The UDP/IP headers MUST NOT be included. During this computation,
- the "Signature" field MUST be set to 0 as well as the optional Group
- MAC, when present.
- From [RFC4359]: Digital signature verification is performed as
- described in [RFC3447], Section 8.2.2 (RSASSA-PKCS1-v1_5) and
- [RFC3447], Section 8.1.2 (RSASSA-PSS). Upon receipt, the digital
- signature is passed to the verification function as S. The
- authenticated portion of the packet is used as the message M, and the
- RSA public key is passed as (n, e). In summary (when SHA-256 is
- used), the verification function computes a SHA-256 hash of the
- authenticated packet bytes, decrypts the SHA-256 hash in the packet,
- and validates that the appropriate encoding was applied. The two
- SHA-256 hashes are compared, and if they are identical the validation
- is successful.
- It is assumed that the receivers have the possibility to retrieve the
- sender's public key required to check this digital signature
- (Section 2.2). This document does not specify how the public key of
- the sender is communicated reliably and in a secure way to all
- possible receivers.
- 4.1.3. Processing the Authentication Tag
- When a receiver wants to authenticate a packet using an
- authentication tag and when he has the key for the associated time
- interval (i.e., after the disclosing delay, d), the receiver
- recomputes the MAC and compares it to the value carried in the
- packet. If the check fails, the packet MUST be immediately dropped.
- More specifically, recomputing the MAC requires saving the value of
- the "MAC" field, setting this field to 0, and doing the same
- computation as a sender does (see Section 3.3.1).
- Roca, et al. Experimental [Page 37]
- RFC 5776 TESLA in ALC and NORM April 2010
- 4.2. Initialization of a Receiver
- A receiver MUST be initialized before being able to authenticate the
- source of incoming packets. This can be done by an out-of-band
- mechanism or an in-band mechanism (Section 2.2). Let us focus on the
- in-band mechanism. Two actions must be performed:
- o receive and process a bootstrap information message, and
- o calculate an upper bound of the sender's local time. To that
- purpose, the receiver must perform time synchronization.
- 4.2.1. Processing the Bootstrap Information Message
- A receiver must first receive a packet containing the bootstrap
- information, digitally signed by the sender. Once the bootstrap
- information has been authenticated (see Section 4.1), the receiver
- can initialize its TESLA component. The receiver MUST then ignore
- the following bootstrap information messages, if any. There is an
- exception though: when a new key chain is used and if a receiver
- missed all the commitments for this new key chain, then this receiver
- MUST process one of the future bootstrap information messages (if
- any) in order to be able to authenticate the incoming packets
- associated to this new key chain.
- Before TESLA has been initialized, a receiver MUST discard incoming
- packets other than the bootstrap information message and direct time
- synchronization response.
- 4.2.2. Performing Time Synchronization
- First of all, the receiver must know whether the ALC or NORM session
- relies on direct or indirect time synchronization. This information
- is communicated by an out-of-band mechanism (for instance, when
- describing the various parameters of an ALC or NORM session). In
- some cases, both mechanisms might be available and the receiver can
- choose the preferred technique.
- 4.2.2.1. Direct Time Synchronization
- In the case of a direct time synchronization, a receiver MUST
- synchronize with the sender. To that purpose, the receiver sends a
- direct time synchronization request message. This message includes
- the local time (in NTP timestamp format) at the receiver when sending
- the message. This timestamp will be copied in the sender's response
- for the receiver to associate the response to the request.
- Roca, et al. Experimental [Page 38]
- RFC 5776 TESLA in ALC and NORM April 2010
- The direct time synchronization request message format is the
- following:
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + t_r (NTP timestamp) +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ~ Group MAC (optional) ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 8: Format of a Direct Time Synchronization Request
- The direct time synchronization request (Figure 8) contains the
- following information:
- "t_r" (NTP timestamp, 64 bits):
- "t_r" is a timestamp in NTP timestamp format that contains the
- receiver local time value when sending this direct time
- synchronization request message;
- "Group MAC" field (optional, variable length, multiple of 32 bits):
- This field contains the Group MAC, calculated with the group key,
- K_g, shared by all group members. The field length, in bits, is
- given by n_w, which is known once the Group MAC function type is
- known (Section 7).
- The receiver then awaits a response message (Section 3.4.2). Upon
- receiving this message, the receiver:
- checks that this response relates to the request, by comparing the
- "t_r" fields;
- checks the Group MAC if present;
- checks the signature;
- retrieves the t_s value and calculates D_t (Section 2.4.1).
- Note that in an ALC session, the direct time synchronization request
- message is sent to the sender by an out-of-band mechanism that is not
- specified by the current document.
- Roca, et al. Experimental [Page 39]
- RFC 5776 TESLA in ALC and NORM April 2010
- 4.2.2.2. Indirect Time Synchronization
- With the indirect time synchronization method, the sender MAY provide
- out-of-band the URL or IP address of the NTP server(s) he trusts
- along with an OPTIONAL certificate for each NTP server. When several
- NTP servers are specified, a receiver MUST choose one of them. This
- document does not specify how the choice is made, but for the sake of
- scalability, the clients SHOULD NOT use the same server if several
- possibilities are offered. The NTP synchronization between the NTP
- server and the receiver MUST be authenticated, either using the
- certificate provided by the server or another certificate the client
- may obtain for this NTP server.
- Then the receiver computes the time offset between itself and the NTP
- server chosen. Note that the receiver does not need to update the
- local time, (which often requires root privileges), computing the
- time offset is sufficient.
- Since the offset between the server and the time reference, D^O_t, is
- indicated in the bootstrap information message (or communicated out-
- of-band), the receiver can now calculate an upper bound of the
- sender's local time (Section 2.4.2).
- Note that this scenario assumes that each client trusts the sender
- and accepts aligning its NTP configuration to that of the sender,
- using one of the NTP server(s) suggested. If this assumption does
- not hold, the client MUST NOT use the NTP indirect time
- synchronization method (Section 2.3.2).
- 4.3. Authentication of Received Packets
- The receiver can now authenticate incoming packets (other than
- bootstrap information and direct time synchronization response
- packets). To that purpose, he MUST follow different steps (see
- [RFC4082], Section 3.5):
- 1. The receiver parses the different packet headers. If none of the
- four TESLA authentication tags are present, the receiver MUST
- discard the packet. If the session is in "Single Key Chain" mode
- (e.g., when the "S" flag is set in the bootstrap information
- message), then the receiver MUST discard any packet containing an
- Authentication Tag with a New Key Chain Commitment or an
- Authentication Tag with a Last Key of Old Chain Disclosure.
- 2. Safe packet test: When the receiver receives packet P_j, it first
- records the local time T at which the packet arrived. The
- receiver then computes an upper bound t_j on the sender's clock
- at the time when the packet arrived: t_j = T + D_t. The receiver
- Roca, et al. Experimental [Page 40]
- RFC 5776 TESLA in ALC and NORM April 2010
- then computes the highest interval the sender could possibly be
- in: highest_i = floor((t_j - T_0) / T_int). He also retrieves
- the "i" interval index from the authentication tag. The receiver
- can now proceed with the "safe packet" test. If highest_i < i +
- d, then the sender is not yet in the interval during which it
- discloses the key K_i. The packet is safe (but not necessarily
- authentic). If the test fails, the packet is unsafe, and the
- receiver MUST discard the packet.
- 3. Group MAC test: if the optional Group MAC tag is present and if
- the session uses this feature, then verify the Group MAC
- (Section 4.1.1). If the verification fails, the packet MUST be
- immediately dropped. A packet that does not contain a Group MAC
- tag whereas the session uses this feature MUST be immediately
- dropped. On the opposite, if a packet contains a Group MAC tag
- whereas the session does not use this feature, this tag MUST be
- ignored.
- 4. Disclosed Key processing: When the packet discloses a key (i.e.,
- with a Standard Authentication Tag, or with an Authentication Tag
- with a Last Key of Old Chain Disclosure), the following tests are
- performed:
- * New key index test: the receiver checks whether a legitimate
- key already exists with the same index (i.e., i-d). If such a
- legitimate key exists, the receiver compares its value with
- the current disclosed key and if they are identical, skips the
- "Unverifiable key test" and "Key verification test". If such
- a legitimate key exists but the values differ, the receiver
- MUST discard the packet.
- * Unverifiable key test: when the disclosed key index is new, it
- is possible that no earlier disclosed and legitimate key
- exists for this key chain, thereby preventing the verification
- of the disclosed key. This happens when the disclosed key
- belongs to the old key chain and no commitment to this old key
- chain has ever been received (e.g., because the first
- bootstrap packet received by a latecomer is for the current
- key chain, and therefore includes a commitment to the current
- key chain, not the previous one). When this happens, the
- receiver MUST ignore the disclosed key (anyway useless) and
- skip the Key verification test.
- * Key verification test: If the disclosed key index is new and
- the key can be verified, the receiver checks the legitimacy of
- K_{i-d} by verifying, for some earlier disclosed and
- legitimate key K_v (with v < i-d), that K_v and F^{i-d-
- v}(K_{i-d}) are identical. In other words, the receiver
- Roca, et al. Experimental [Page 41]
- RFC 5776 TESLA in ALC and NORM April 2010
- checks the disclosed key by computing the necessary number of
- PRF functions to obtain a previously disclosed and legitimate
- (i.e., verified) key. If the key verification fails, the
- receiver MUST discard the packet. If the key verification
- succeeds, this key is said to be legitimate and is stored by
- the receiver, as well as all the keys between indexes v and
- i-d.
- 5. When applicable, the receiver performs any congestion control
- related action (i.e., the ALC or NORM headers are used by the
- associated congestion control building block, if any), even if
- the packet has not yet been authenticated [RFC5651]. If this
- feature leads to a potential DoS attack (the attacker can send a
- faked packet with a wrong sequence number to simulate packet
- losses), it does not compromise the security features offered by
- TESLA and enables a rapid reaction in front of actual congestion
- problems.
- 6. The receiver then buffers the packet for a later authentication,
- once the corresponding key will be disclosed (after d time
- intervals) or deduced from another key (if all packets disclosing
- this key are lost). In some situations, this packet might also
- be discarded later, if it turns out that the receiver will never
- be able to deduce the associated key.
- 7. Authentication test: Let v be the smallest index of the
- legitimate keys known by the receiver so far. For all the new
- keys K_w, with v < w <= i-d, that have been either disclosed by
- this packet (i.e., K_{i-d}) or derived by K_{i-d} (i.e., keys in
- interval {v+1,.. i-d-1}), the receiver verifies the authenticity
- of the safe packets buffered for the corresponding interval w.
- To authenticate one of the buffered packets P_h containing
- message M_h protected with a MAC that used key index w, the
- receiver will compute K'_w = F'(K_w) from which it can compute
- MAC( K'_w, M_h). If this MAC does not equal the MAC stored in
- the packet, the receiver MUST discard the packet. If the two
- MACs are equal, the packet is successfully authenticated and the
- receiver continues processing it.
- 8. Authenticated new key chain commitment processing: If the
- authenticated packet contains a new key chain commitment and if
- no verified commitment already exists, then the receiver stores
- the commitment to the new key chain. Then, if there are non-
- authenticated packets for a previous chain (i.e., the key chain
- before the current one), all these packets can be discarded
- (Section 4.4).
- Roca, et al. Experimental [Page 42]
- RFC 5776 TESLA in ALC and NORM April 2010
- 9. The receiver continues the ALC or NORM processing of all the
- packets authenticated during the authentication test.
- In this specification, a receiver using TESLA MUST immediately drop
- unsafe packets. But the receiver MAY also decide, at any time, to
- continue an ALC or NORM session in unsafe (insecure) mode, ignoring
- TESLA extensions. There SHOULD be an explicit user action to that
- purpose.
- 4.3.1. Discarding Unnecessary Packets Earlier
- Following strictly the above steps can lead to excessive processing
- overhead in certain situations. This is the case when a receiver
- receives packets for an unwanted object with the ALC or NORM
- protocols, i.e., an object in which the application (or the end user)
- explicitly mentioned it is not interested. This is also the case
- when a receiver receives packets for an already decoded object, or
- when this object has been partitioned in several blocks, for an
- already decoded block. When such a packet is received, which is
- easily identified by looking at the receiver's status for the
- incoming ALC or NORM packet, the receiver MUST also check that the
- packet is a pure data packet that does not contain any signaling
- information of importance for the session.
- With ALC, a packet containing an "A" flag ("Close Session") or a "B"
- flag ("Close Object") MUST NOT be discarded before having been
- authenticated and processed normally. Otherwise, the receiver can
- safely discard the incoming packet for instance just after step 1 of
- Section 4.3. This optimization can dramatically reduce the
- processing overhead by avoiding many useless authentication checks.
- 4.4. Flushing the Non-Authenticated Packets of a Previous Key Chain
- In some cases, a receiver having experienced a very long
- disconnection might have lost all the disclosures of the last key(s)
- of a previous key chain. Let j be the index of this key chain for
- which there remains non-authenticated packets. This receiver can
- flush all the packets of the key chain j if he determines that:
- o he has just switched to a chain of index j+2 (inclusive) or
- higher;
- o the sender has sent a commitment to the new key chain of index j+2
- (Section 3.1.2.3). This situation requires that the receiver has
- received a packet containing such a commitment and that he has
- been able to check its integrity. In some cases, it might require
- receiving a bootstrap information message for the current key
- chain.
- Roca, et al. Experimental [Page 43]
- RFC 5776 TESLA in ALC and NORM April 2010
- If one of the above two tests succeeds, the sender can discard all
- the awaiting packets since there is no way to authenticate them.
- 5. Integration in the ALC and NORM Protocols
- 5.1. Authentication Header Extension Format
- The integration of TESLA in ALC or NORM is similar and relies on the
- header extension mechanism defined in both protocols. More
- precisely, this document details the EXT_AUTH==1 header extension
- defined in [RFC5651].
- Several fields are added in addition to the "HET" (Header Extension
- Type) and "HEL" (Header Extension Length) fields (Figure 9).
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | HET (=1) | HEL | ASID | Type | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
- | |
- ~ ~
- | Content |
- ~ ~
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 9: Format of the TESLA EXT_AUTH Header Extension
- The fields of the TESLA EXT_AUTH Header Extension are:
- "ASID" (Authentication Scheme IDentifier) field (4 bits):
- The "ASID" identifies the source authentication scheme or protocol
- in use. The association between the "ASID" value and the actual
- authentication scheme is defined out-of-band, at session startup.
- "Type" field (4 bits):
- The "Type" field identifies the type of TESLA information carried
- in this header extension. This specification defines the
- following types:
- * 0: Bootstrap information, sent by the sender periodically or
- after a direct time synchronization request;
- * 1: Standard Authentication Tag for the ongoing key chain, sent
- by the sender along with a packet;
- Roca, et al. Experimental [Page 44]
- RFC 5776 TESLA in ALC and NORM April 2010
- * 2: Authentication Tag without Key Disclosure, sent by the
- sender along with a packet;
- * 3: Authentication Tag with a New Key Chain Commitment, sent by
- the sender when approaching the end of a key chain;
- * 4: Authentication Tag with a Last Key of Old Chain Disclosure,
- sent by the sender some time after moving to a new key chain;
- * 5: Direct time synchronization request, sent by a NORM
- receiver. This type of message is invalid in the case of an
- ALC session since ALC is restricted to unidirectional
- transmissions. Yet, an external mechanism may provide the
- direct time synchronization functionality;
- * 6: Direct time synchronization response, sent by a NORM sender.
- This type of message is invalid in the case of an ALC session
- since ALC is restricted to unidirectional transmissions. Yet,
- an external mechanism may provide the direct time
- synchronization functionality.
- "Content" field (variable length):
- This is the TESLA information carried in the header extension,
- whose type is given by the "Type" field.
- 5.2. Use of Authentication Header Extensions
- Each packet sent by the session's sender MUST contain exactly one
- TESLA EXT_AUTH Header Extension.
- All receivers MUST recognize EXT_AUTH but MAY not be able to parse
- its content, for instance, because they do not support TESLA. In
- that case, these receivers MUST ignore the TESLA EXT_AUTH extensions.
- In the case of NORM, the packets sent by receivers MAY contain a
- direct synchronization request but MUST NOT contain any of the other
- five TESLA EXT_AUTH Header Extensions.
- 5.2.1. EXT_AUTH Header Extension of Type Bootstrap Information
- The "bootstrap information" TESLA EXT_AUTH (Type==0) MUST be sent in
- a stand-alone control packet, rather than in a packet containing
- application data. The reason for that is the large size of this
- bootstrap information. By using stand-alone packets, the maximum
- payload size of data packets is only affected by the (mandatory)
- authentication information header extension.
- Roca, et al. Experimental [Page 45]
- RFC 5776 TESLA in ALC and NORM April 2010
- With ALC, the "bootstrap information" TESLA EXT_AUTH MUST be sent in
- a control packet, i.e., containing no encoding symbol.
- With NORM, the "bootstrap information" TESLA EXT_AUTH MUST be sent in
- a NORM_CMD(APPLICATION) message.
- Roca, et al. Experimental [Page 46]
- RFC 5776 TESLA in ALC and NORM April 2010
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
- | HET (=1) | HEL (=46) | ASID | 0 | 0 | 0 |0|1|0| ^
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | d | 2 | 2 | 2 | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | 1 | 3 | 128 | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | 0 (reserved) | T_int | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | | |
- + T_0 (NTP timestamp format) + | 5
- | | | 2
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
- | N (Key Chain Length) | | b
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | y
- | Current Interval Index i | | t
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | e
- | | | s
- + + |
- | | |
- + Current Key Chain Commitment + |
- | (20 bytes) | |
- + + |
- | | |
- + + |
- | | v
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
- | | ^ 1
- + + | 2
- | | | 8
- . . |
- . Signature . | b
- . (128 bytes) . | y
- | | | t
- + + | e
- | | v s
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
- | Group MAC |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 10: Example: Format of the Bootstrap Information Message
- (Type 0) Using SHA-256/1024-Bit Signatures,
- the Default HMAC-SHA-256, and a Group MAC
- Roca, et al. Experimental [Page 47]
- RFC 5776 TESLA in ALC and NORM April 2010
- For instance, Figure 10 shows the bootstrap information message when
- using the HMAC-SHA-256 transform for the PRF, MAC, and Group MAC
- functions, along with SHA-256/128 byte (1024 bit) key digital
- signatures (which also means that the "Signature" field is 128 bytes
- long). The TESLA EXT_AUTH Header Extension is then 184 bytes long
- (i.e., 46 words of 32 bits).
- 5.2.2. EXT_AUTH Header Extension of Type Authentication Tag
- The four "authentication tag" TESLA EXT_AUTH Header Extensions (Type
- 1, 2, 3, and 4) MUST be attached to the ALC or NORM packet (data or
- control packet) that they protect.
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | HET (=1) | HEL (=10) | ASID | 1 | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | |
- + Disclosed Key K_{i-d} +
- | (20 bytes) |
- + +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | MAC(K'_i, M) |
- + (16 bytes) +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 11: Example: Format of the Standard Authentication Tag
- (Type 1) Using the Default HMAC-SHA-256
- Roca, et al. Experimental [Page 48]
- RFC 5776 TESLA in ALC and NORM April 2010
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | HET (=1) | HEL (=5) | ASID | 2 | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | i (Interval Index of K'_i) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | MAC(K'_i, M) |
- + (16 bytes) +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Figure 12: Example: Format of the Authentication Tag without
- Key Disclosure (Type 2) Using the Default HMAC-SHA-256
- For instance, Figures 11 and 12 show the format of the authentication
- tags, respectively with and without the K_{i-d} key disclosure, when
- using the (default) HMAC-SHA-256 transform for the PRF and MAC
- functions. In these examples, the Group MAC feature is not used.
- 5.2.3. EXT_AUTH Header Extension of Type Direct Time Synchronization
- Request
- With NORM, the "direct time synchronization request" TESLA EXT_AUTH
- (Type==7) MUST be sent by a receiver in a NORM_CMD(APPLICATION) NORM
- packet.
- With ALC, the "direct time synchronization request" TESLA EXT_AUTH
- cannot be included in an ALC packet, since ALC is restricted to
- unidirectional transmissions, from the session's sender to the
- receivers. An external mechanism must be used with ALC for carrying
- direct time synchronization requests to the session's sender.
- In the case of direct time synchronization, it is RECOMMENDED that
- the receivers spread the transmission of direct time synchronization
- requests over the time (Section 2.3.1).
- 5.2.4. EXT_AUTH Header Extension of Type Direct Time Synchronization
- Response
- With NORM, the "direct time synchronization response" TESLA EXT_AUTH
- (Type==8) MUST be sent by the sender in a NORM_CMD(APPLICATION)
- message.
- Roca, et al. Experimental [Page 49]
- RFC 5776 TESLA in ALC and NORM April 2010
- With ALC, the "direct time synchronization response" TESLA EXT_AUTH
- can be sent in an ALC control packet (i.e., containing no encoding
- symbol) or through the external mechanism used to carry the direct
- time synchronization request.
- 6. Security Considerations
- [RFC4082] discusses the security of TESLA in general. These
- considerations apply to the present specification, namely:
- o great care must be taken in the timing aspects. In particular,
- the D_t parameter is critical and must be correctly initialized;
- o if the sender realizes that the key disclosure schedule is not
- appropriate, then the current session MUST be closed and a new one
- created. Indeed, Section 3.1.3 requires that these parameters be
- fixed during the whole session.
- o when the verifier that authenticates the incoming packets and the
- application that uses the data are two different components, there
- is a risk that an attacker located between these components inject
- faked data. Similarly, when the verifier and the secure timing
- system are two different components, there is a risk that an
- attacker located between these components inject faked timing
- information. For instance, when the verifier reads the local time
- by means of a dedicated system call (e.g., gettimeofday()), if an
- attacker controls the host, he may catch the system call and
- return a faked time information.
- The current specification discusses additional aspects with more
- details.
- 6.1. Dealing with DoS Attacks
- TESLA introduces new opportunities for an attacker to mount DoS
- attacks. For instance, an attacker can try to saturate the
- processing capabilities of the receiver (faked packets are easy to
- create but checking them requires computing a MAC over the packet or
- sometimes checking a digital signature as with the bootstrap and
- direct time synchronization response messages). An attacker can also
- try to saturate the receiver's memory (since authentication is
- delayed and non-authenticated packets will accumulate), or to make
- the receiver believe that a congestion has happened (since congestion
- control MUST be performed before authenticating incoming packets,
- Section 4.3).
- Roca, et al. Experimental [Page 50]
- RFC 5776 TESLA in ALC and NORM April 2010
- In order to mitigate these attacks, it is RECOMMENDED to use the
- Group MAC scheme (Section 3.3.3). No mitigation is possible if a
- group member acts as an attacker with Group MAC.
- Generally, it is RECOMMENDED that the amount of memory used to store
- incoming packets waiting to be authenticated be limited to a
- reasonable value.
- 6.2. Dealing With Replay Attacks
- Replay attacks, whereby an attacker stores a valid message and
- replays it later, can have significant impacts, depending on the
- message type. Two levels of impacts must be distinguished:
- o within the TESLA protocol, and
- o within the ALC or NORM protocol.
- 6.2.1. Impacts of Replay Attacks on TESLA
- Replay attacks can impact the TESLA component itself. We review here
- the potential impacts of such an attack depending on the TESLA
- message type:
- o bootstrap information: Since most parameters contained in a
- bootstrap information message are static, replay attacks have no
- consequences. The fact that the "i" and "K_i" fields can be
- updated in subsequent bootstrap information messages does not
- create a problem either, since all "i" and "K_i" fields sent
- remain valid. Finally, a receiver that successfully initialized
- its TESLA component MUST ignore the following messages (see
- Section 4.2.1 for an exception to this rule), which voids replay
- attacks, unless he missed all the commitments to a new key chain
- (e.g., after a long disconnection) (Section 3.2.1).
- o direct time synchronization request: If the Group MAC scheme is
- used, an attacker that is not a member of the group can replay a
- packet and oblige the sender to respond, which requires digitally
- signing the response, a time-consuming process. If the Group MAC
- scheme is not used, an attacker can easily forge a request anyway.
- In both cases, the attack will not compromise the TESLA component,
- but might create a DoS. If this is a concern, it is RECOMMENDED,
- when the Group MAC scheme is used, that the sender verify the
- "t_r" NTP timestamp contained in the request and respond only if
- this value is strictly larger than the previous one received from
- this receiver. When the Group MAC scheme is not used, this attack
- can be mitigated by limiting the number of requests per second
- that will be processed.
- Roca, et al. Experimental [Page 51]
- RFC 5776 TESLA in ALC and NORM April 2010
- o direct time synchronization response: Upon receiving a response, a
- receiver who has no pending request MUST immediately drop the
- packet. If this receiver has previously issued a request, he
- first checks the Group MAC (if applicable), then the "t_r" field,
- to be sure it is a response to his request, and finally the
- digital signature. A replayed packet will be dropped during these
- verifications, without compromising the TESLA component.
- o other messages, containing an authentication tag: Replaying a
- packet containing a TESLA authentication tag will never compromise
- the TESLA component itself (but perhaps the underlying ALC or NORM
- component, see below).
- To conclude, TESLA itself is robust in front of replay attacks.
- 6.2.2. Impacts of Replay Attacks on NORM
- We review here the potential impacts of a replay attack on the NORM
- component. Note that we do not consider here the protocols that
- could be used along with NORM, for instance, the congestion control
- protocols.
- First, let us consider replay attacks within a given NORM session.
- NORM defines a "sequence" field that can be used to protect against
- replay attacks [RFC5740] within a given NORM session. This
- "sequence" field is a 16-bit value that is set by the message
- originator (sender or receiver) as a monotonically increasing number
- incremented with each NORM message transmitted. It is RECOMMENDED
- that a receiver check this "sequence" field and drop messages
- considered as replayed. Similarly, it is RECOMMENDED that a sender
- check this sequence, for each known receiver, and drop messages
- considered as replayed. In both cases, checking this "sequence"
- field SHOULD be done before TESLA processing of the packet: if the
- "sequence" field has not been corrupted, the replay attack will
- immediately be identified; otherwise, the packet will fail the TESLA
- authentication test. This analysis shows that NORM itself is robust
- in front of replay attacks within the same session.
- Now let us consider replay attacks across several NORM sessions.
- Since the key chain used in each session MUST differ, a packet
- replayed in a subsequent session will be identified as unauthentic.
- Therefore, NORM is robust in front of replay attacks across different
- sessions.
- Roca, et al. Experimental [Page 52]
- RFC 5776 TESLA in ALC and NORM April 2010
- 6.2.3. Impacts of Replay Attacks on ALC
- We review here the potential impacts of a replay attack on the ALC
- component. Note that we do not consider here the protocols that
- could be used along with ALC, for instance, the layered or wave-based
- congestion control protocols.
- First, let us consider replay attacks within a given ALC session:
- o Regular packets containing an authentication tag: a replayed
- message containing an encoding symbol will be detected once
- authenticated, thanks to the object/block/symbol identifiers, and
- will be silently discarded. This kind of replay attack is only
- penalizing in terms of memory and processing load, but does not
- compromise the ALC behavior.
- o Control packets containing an authentication tag: ALC control
- packets, by definition, do not include any encoding symbol and
- therefore do not include any object/block/symbol identifier that
- would enable a receiver to identify duplicates. However, a sender
- has a very limited number of reasons to send control packets.
- More precisely:
- * At the end of the session, a "Close Session" ("A" flag) packet
- is sent. Replaying this packet has no impact since the
- receivers already left.
- * Similarly, replaying a packet containing a "Close Object" ("B"
- flag) has no impact since this object is probably already
- marked as closed by the receiver.
- This analysis shows that ALC itself is robust in front of replay
- attacks within the same session.
- Now let us consider replay attacks across several ALC sessions.
- Since the key chain used in each session MUST differ, a packet
- replayed in a subsequent session will be identified as unauthentic.
- Therefore, ALC is robust in front of replay attacks across different
- sessions.
- 6.3. Security of the Back Channel
- As specified in Section 1.1, this specification does not consider the
- packets that may be sent by receivers, for instance, NORM's feedback
- packets. When a back channel is used, its security is critical to
- the global security, and an appropriate security mechanism MUST be
- used. [RMT-SIMPLE-AUTH] describes several techniques that can be
- used to that purpose. However, the authentication and integrity
- Roca, et al. Experimental [Page 53]
- RFC 5776 TESLA in ALC and NORM April 2010
- verification of the packets sent by receivers on the back channel, if
- any, is out of the scope of this document.
- 7. IANA Considerations
- IANA has registered the following attributes according to this
- document. The registries are provided by [RFC4442] under the "Timed
- Efficient Stream Loss-tolerant Authentication (TESLA) Parameters"
- registry [TESLA-REG]. Following the policies outlined in [RFC4442],
- the values in the range up to 240 (including 240) for the following
- attributes are assigned after expert review by the MSEC working group
- or its designated successor. The values in the range from 241 to 255
- are reserved for private use.
- Cryptographic Pseudo-Random Function, TESLA-PRF: All implementations
- MUST support HMAC-SHA-256 (default).
- +------------------------+-------+
- | PRF name | Value |
- +------------------------+-------+
- | HMAC-SHA1 | 0 |
- | HMAC-SHA-224 | 1 |
- | HMAC-SHA-256 (default) | 2 |
- | HMAC-SHA-384 | 3 |
- | HMAC-SHA-512 | 4 |
- +------------------------+-------+
- Cryptographic Message Authentication Code (MAC) Function, TESLA-MAC:
- All implementations MUST support HMAC-SHA-256 (default). These MAC
- schemes are used both for the computing of regular MAC and the Group
- MAC (if applicable).
- +------------------------+-------+
- | MAC name | Value |
- +------------------------+-------+
- | HMAC-SHA1 | 0 |
- | HMAC-SHA-224 | 1 |
- | HMAC-SHA-256 (default) | 2 |
- | HMAC-SHA-384 | 3 |
- | HMAC-SHA-512 | 4 |
- +------------------------+-------+
- Furthermore, IANA has created two new registries. Here also, the
- values in the range up to 240 (including 240) for the following
- attributes are assigned after expert review by the MSEC working group
- or its designated successor. The values in the range from 241 to 255
- are reserved for private use.
- Roca, et al. Experimental [Page 54]
- RFC 5776 TESLA in ALC and NORM April 2010
- Signature Encoding Algorithm, TESLA-SIG-ALGO: All implementations
- MUST support RSASSA-PKCS1-v1_5 (default).
- +-----------------------------+-------+
- | Signature Algorithm Name | Value |
- +-----------------------------+-------+
- | INVALID | 0 |
- | RSASSA-PKCS1-v1_5 (default) | 1 |
- | RSASSA-PSS | 2 |
- +-----------------------------+-------+
- Signature Cryptographic Function, TESLA-SIG-CRYPTO-FUNC: All
- implementations MUST support SHA-256 (default).
- +-----------------------------+-------+
- | Cryptographic Function Name | Value |
- +-----------------------------+-------+
- | INVALID | 0 |
- | SHA-1 | 1 |
- | SHA-224 | 2 |
- | SHA-256 (default) | 3 |
- | SHA-384 | 4 |
- | SHA-512 | 5 |
- +-----------------------------+-------+
- 8. Acknowledgments
- The authors are grateful to Yaron Sheffer, Brian Weis, Ramu
- Panayappan, Ran Canetti, David L. Mills, Brian Adamson, and Lionel
- Giraud for their valuable comments while preparing this document.
- The authors are also grateful to Brian Weis for the digital signature
- details.
- 9. References
- 9.1. Normative References
- [RFC1305] Mills, D., "Network Time Protocol (Version 3)
- Specification, Implementation", RFC 1305,
- March 1992.
- [RFC2119] Bradner, S., "Key words for use in RFCs to
- Indicate Requirement Levels", BCP 14, RFC 2119,
- March 1997.
- Roca, et al. Experimental [Page 55]
- RFC 5776 TESLA in ALC and NORM April 2010
- [RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and
- B. Briscoe, "Timed Efficient Stream Loss-Tolerant
- Authentication (TESLA): Multicast Source
- Authentication Transform Introduction", RFC 4082,
- June 2005.
- [RFC5651] Luby, M., Watson, M., and L. Vicisano, "Layered
- Coding Transport (LCT) Building Block", RFC 5651,
- October 2009.
- [RFC5740] Adamson, B., Bormann, C., Handley, M., and J.
- Macker, "NACK-Oriented Reliable Multicast (NORM)
- Transport Protocol", RFC 5740, November 2009.
- [RFC5775] Luby, M., Watson, M., and L. Vicisano,
- "Asynchronous Layered Coding (ALC) Protocol
- Instantiation", RFC 5775, April 2010.
- [TESLA-REG] "TESLA Parameters IANA Registry",
- http://www.iana.org.
- 9.2. Informative References
- [NTP-NTPv4] Burbank, J., Kasch, W., Martin, J., Ed., and D.
- Mills, "The Network Time Protocol Version 4
- Protocol And Algorithm Specification", Work
- in Progress, October 2009.
- [Perrig04] Perrig, A. and J. Tygar, "Secure Broadcast
- Communication in Wired and Wireless Networks",
- Kluwer Academic Publishers ISBN 0-7923-7650-1,
- 2004.
- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
- Keyed-Hashing for Message Authentication",
- RFC 2104, February 1997.
- [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key
- Cryptography Standards (PKCS) #1: RSA Cryptography
- Specifications Version 2.1", RFC 3447,
- February 2003.
- [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E.,
- and K. Norrman, "The Secure Real-time Transport
- Protocol (SRTP)", RFC 3711, March 2004.
- Roca, et al. Experimental [Page 56]
- RFC 5776 TESLA in ALC and NORM April 2010
- [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP)
- Version 4 for IPv4, IPv6 and OSI", RFC 4330,
- January 2006.
- [RFC4359] Weis, B., "The Use of RSA/SHA-1 Signatures within
- Encapsulating Security Payload (ESP) and
- Authentication Header (AH)", RFC 4359,
- January 2006.
- [RFC4383] Baugher, M. and E. Carrara, "The Use of Timed
- Efficient Stream Loss-Tolerant Authentication
- (TESLA) in the Secure Real-time Transport Protocol
- (SRTP)", RFC 4383, February 2006.
- [RFC4442] Fries, S. and H. Tschofenig, "Bootstrapping Timed
- Efficient Stream Loss-Tolerant Authentication
- (TESLA)", RFC 4442, March 2006.
- [RMT-FLUTE] Paila, T., Walsh, R., Luby, M., Lehtonen, R., and
- V. Roca, "FLUTE - File Delivery over
- Unidirectional Transport", Work in Progress,
- August 2009.
- [RMT-SIMPLE-AUTH] Roca, V., "Simple Authentication Schemes for the
- ALC and NORM Protocols", Work in Progress,
- October 2009.
- Roca, et al. Experimental [Page 57]
- RFC 5776 TESLA in ALC and NORM April 2010
- Authors' Addresses
- Vincent Roca
- INRIA
- 655, av. de l'Europe
- Inovallee; Montbonnot
- ST ISMIER cedex 38334
- France
- EMail: [email protected]
- URI: http://planete.inrialpes.fr/~roca/
- Aurelien Francillon
- INRIA
- 655, av. de l'Europe
- Inovallee; Montbonnot
- ST ISMIER cedex 38334
- France
- EMail: [email protected]
- URI: http://planete.inrialpes.fr/~francill/
- Sebastien Faurite
- INRIA
- 655, av. de l'Europe
- Inovallee; Montbonnot
- ST ISMIER cedex 38334
- France
- EMail: [email protected]
- Roca, et al. Experimental [Page 58]
Advertisement
Add Comment
Please, Sign In to add comment
