Image Processing Reference
In-Depth Information
One basic idea for obtaining asymmetry while still deploying a symmetric cryptographic
algorithm is to send a message that has been authenticated with a key K i and to disclose
this key at a later point in time, so that the authenticity of the message can then be verified.
Of course, from the moment the key disclosure message has been sent, a potential attacker could
use this key to create MACs for forged messages. Therefore, it is important that all receivers have at
least loosely synchronized clocks and only use a key K i to verify messages that have been received
before the key disclosure message was sent.
However, it must also be ensured that a potential attacker cannot succeed in tricking genuine nodes
into accepting bogus authentication keys generated by himself. One elegant way to achieve this is the
inverse use of a “chain of hash codes” for obtaining integrity keys, basically a variation of the so-called
“one-time password” idea [HMNS].
The TESLA protocol uses a reversed chain of hash values to authenticate broadcast data streams
[PT]. The μTESLA protocol proposed to be used in sensor networks is a minor variation of the
TESLA protocol, with the basic difference being the cryptographic scheme used to authenticate the
initial key. While TESLA uses asymmetric cryptography for this, μTESLA deploys the SNEP protocol,
so that the base station calculates for each sensor node one individual MAC that authenticates the
initial key K . Furthermore, while TESLA discloses the key in every packet, μTESLA discloses the
key only once per time interval to reduce protocol overhead, and only base stations authenticate
broadcast packets because sensor nodes are not capable of storing entire key chains (see also below).
To set up a sender, first the length n of the key chain to be computed is chosen and the last key
of the key chain K n is randomly generated. Second, the entire hash key chain is computed according to
the equation K n ∶= H(K n), stored at the sender, and the key K is communicated and authenticated
to all participating sensor nodes. For this, each sensor node A sends a random number N A to the
base station and the base station answers with a message containing its current time, the currently
disclosed key K i (in the initial case: i = ), the time period T i in which K i was valid for authenticating
messages, the interval length T Int, the number of intervals δ the base station waits before disclosing
a key, and an MAC computed with the integrity key K BS , A over these values:
A → BS: N A
BS → A: T BS, K i, T i, T Int, δ, RC CBC(IK BS , A, N A, T BS, K i, T i, T Int, δ)
After this preparatory phase, broadcasting authenticated packets is then realized as follows:
Time is divided into uniform-length intervals T i and all sensor nodes are loosely synchronized
to the clock of the base station.
In time interval T i, the sender authenticates packets with key K i.
Key K i is disclosed in time interval i + δ (e.g., δ = ).
Figure . illustrates this reverse use of the chain of hash values for authenticating packets. To
check the authenticity of a received packet, a sensor node first has to store the packet together with
T i andwaituntiltherespectivekeyhasbeendisclosedbythebasestation.Upondisclosureofthe
appropriate key K i , the authenticity of the packet can be checked.
Of course, it is crucial to discard all packets that have been authenticated with an already disclosed
key for this scheme to be secure. This requires at least a loose time synchronization with an
appropriate value of δ that needs to be selected in accordance with the maximum clock drift. However,
as nodes cannot store many packets, key disclosure cannot be postponed for a long time, so the
maximum clock drift should not be too big.
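The receiver-side checks described above, as an added example that is not part of the original text: it builds the reversed key chain, drops packets whose key may already have been disclosed, and authenticates a disclosed key by hashing it back to the last trusted chain element. Assumptions: SHA-256 as the hash function H, HMAC-SHA256 standing in for the MAC used on real nodes, time 0 as the start of interval 0, and illustrative names (make_chain, Receiver, max_drift).

```python
import hashlib, hmac

def H(k: bytes) -> bytes:
    # One-way function for the key chain (SHA-256 here, an assumption).
    return hashlib.sha256(k).digest()

def make_chain(k_n: bytes, n: int) -> list:
    # Returns [K_0, ..., K_n], computed backwards from K_n via K_{i-1} = H(K_i).
    chain = [k_n]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]

def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for the MAC algorithm used on real sensor nodes.
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, k0, t_int, delta, max_drift):
        self.i, self.key = 0, k0      # newest authenticated chain element
        self.t_int, self.delta, self.max_drift = t_int, delta, max_drift
        self.buffer = []              # (interval, msg, tag) awaiting key disclosure

    def on_packet(self, now, i, msg, tag):
        # Security condition: assume the sender's clock is max_drift ahead of
        # ours. If it may already be in interval i + delta, K_i may be public,
        # so anyone could have computed this tag: discard.
        if int((now + self.max_drift) // self.t_int) >= i + self.delta:
            return False
        self.buffer.append((i, msg, tag))
        return True

    def on_disclosure(self, i, key):
        # Hash the disclosed key back to the last authenticated one. The walk
        # also recovers keys of intervals whose disclosure message was lost.
        keys, k = {}, key
        for j in range(i, self.i, -1):
            keys[j] = k
            k = H(k)
        if i <= self.i or not hmac.compare_digest(k, self.key):
            return []                 # stale or bogus key: state unchanged
        self.i, self.key = i, key
        ok = [m for j, m, t in self.buffer
              if j in keys and hmac.compare_digest(mac(keys[j], m), t)]
        self.buffer = [p for p in self.buffer if p[0] > i]
        return ok
```

A deployed receiver would also bound the claimed interval index against the chain length n before hashing, and cap the buffer size, since both are otherwise controlled by whoever sends the packet.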
If a sensor node should need to send a broadcast packet, it would send a SNEP-protected packet to
the base station, which in turn would then send an authenticated broadcast packet. The main reason