
In document COMPAÑÍA MINERA MILPO S.A.A. (pages 41-48)

Broadcast authentication guarantees that multiple recipients of a message can verify its origin and integrity. Perrig et al. [2] proposed a broadcast authentication mechanism named µTESLA. Several techniques extend the capabilities of µTESLA [28,29,30]. The scheme in [29] tailors µTESLA to local broadcast authentication. The scheme in [28] overcomes the length limit of the hash chain. The scheme in [30] extends µTESLA to support multicast scenarios.

µTESLA divides the time period for broadcasting into multiple time intervals and assigns different authentication keys to different time intervals. µTESLA employs a key chain of authentication keys. Each key in the key chain is the image of the next key under a pseudo-random function. µTESLA achieves broadcast authentication through delayed disclosure of the authentication keys in the key chain. The sender selects a random value K_n as the last key in the key chain and repeatedly applies the pseudo-random function F to compute all the other keys: K_i = F(K_{i+1}) (0 ≤ i ≤ n − 1), where K_i is assigned to the i-th time interval. With the pseudo-random function F, given K_j in the key chain, anybody can compute all the previous keys K_i (1 ≤ i ≤ j), but nobody can compute any of the later keys K_i (j + 1 ≤ i ≤ n). Thus, with the knowledge of the initial key K_0, which is called the ‘commitment of the key chain’, a receiver can authenticate any key in the key chain by merely performing pseudo-random function operations. When a broadcast message is available in the i-th time interval, the sender generates a MAC for this message with the key derived from K_i, then broadcasts the message along with its MAC and discloses the key K_{i−d} assigned to the time interval I_{i−d}, where d is the disclosure lag of the authentication keys. The sender prefers a long delay in order to make sure that all or most of the receivers can receive its broadcast messages. But, for the receivers, a long delay could result in a high storage overhead to buffer the messages. As far as authentication is concerned, µTESLA is efficient because only a one-way random function and symmetric-key cryptographic operations are needed to authenticate a broadcast message. However, the base station has to unicast the parameters to the sensor nodes individually in the initialization phase. Such a method for bootstrapping new receivers in µTESLA does not scale to large WSNs. Therefore, the major barrier to using µTESLA is the mismatch between the unicast-based distribution of key chain commitments and the authentication of broadcast messages.
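The mechanism above, as an added example in Python (not code from the cited papers): a sender builds the chain from K_n, and a receiver that holds only K_0 authenticates each disclosed key and then the messages it has buffered. SHA-256 as F, the MAC-key derivation and the names make_chain, send and Receiver are assumptions; the receiver drops packets whose interval key is already public, which stands in for µTESLA's timing check.

```python
import hashlib
import hmac

def F(key):
    """One-way step K_i = F(K_{i+1}); SHA-256 stands in for the PRF (assumption)."""
    return hashlib.sha256(b"chain" + key).digest()

def back(key, steps):
    """Apply F `steps` times, i.e. derive K_{j-steps} from K_j."""
    for _ in range(steps):
        key = F(key)
    return key

def tag(key, msg):
    """MAC under a key derived from K_i (the derivation label is an assumption)."""
    derived = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(derived, msg, hashlib.sha256).digest()

def make_chain(k_n, n):
    """Return [K_0, ..., K_n], computed backwards from the random last key K_n."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def send(chain, i, d, msg):
    """Packet for interval i: message, MAC under K_i, disclosed key K_{i-d}."""
    disclosed = (i - d, chain[i - d]) if i - d >= 1 else None
    return {"i": i, "msg": msg, "mac": tag(chain[i], msg), "disclosed": disclosed}

class Receiver:
    def __init__(self, commitment):
        self.idx, self.key = 0, commitment  # newest authenticated key, starts at K_0
        self.buffer, self.accepted = [], []

    def receive(self, pkt):
        if pkt["i"] > self.idx:             # buffer only while K_i is still secret;
            self.buffer.append(pkt)         # once K_i is public anyone can forge
        if pkt["disclosed"] is None or pkt["disclosed"][0] <= self.idx:
            return
        j, k_j = pkt["disclosed"]
        if not hmac.compare_digest(back(k_j, j - self.idx), self.key):
            return                          # K_j is not on the committed chain
        self.idx, self.key = j, k_j         # lost disclosures are bridged by back()
        ready = [p for p in self.buffer if p["i"] <= j]
        self.buffer = [p for p in self.buffer if p["i"] > j]
        for p in ready:
            if hmac.compare_digest(tag(back(k_j, j - p["i"]), p["msg"]), p["mac"]):
                self.accepted.append(p["msg"])
```

With disclosure lag d, a message sent in interval i stays in the receiver's buffer until a packet carrying K_i or a later key arrives, which is the storage cost the paragraph describes.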

µTESLA is not suitable for local broadcast because µTESLA does not provide authentication immediately. In µTESLA, nodes need to keep the packets in their buffers until the authenticating key arrives. Local broadcast usually requires immediate authentication. Pairwise keys cannot be used for local broadcast authentication because, if a node has n neighbors, the approach requires the sender node to calculate n MACs for each message. Local broadcast needs a method where a node can broadcast a message to all its neighbors using a single MAC and cluster keys, but this has the following problem. If an adversary can compromise a node, the cluster key from that node becomes available to the adversary and can be used to attack the network by impersonating that node or a neighboring node. If nodes X, U, and V are three vertices of a triangle, X is compromised, and U wants to send messages to X and V, X can use node U's cluster key to impersonate it and send false messages to V [41].

Zhu et al. [29] designed a one-way key chain based authentication scheme, built on µTESLA, to defeat this attack. In the proposed authentication scheme, each node generates a one-way key chain and sends its commitment to its neighbors. If a node wants to send a message to its neighbors, it attaches the next authorization key from its key chain to the message. The receiving node can verify the validity of the key based on the commitment it has already received. The one-way key chain based authentication is designed based on two observations [41]: first, a node only needs to authenticate to its neighbors; second, a node V will receive a packet before a neighboring node X receives it and re-sends it to V. The second observation holds because of the triangle inequality among the distances of the nodes involved. An adversary may still try to attack the nodes by shielding node V while U is transmitting a message, and then later send a modified packet to V with the same authorization key; but this attack can be prevented by combining the authorization keys with the cluster keys. When this is done, the adversary does not have the cluster key and so cannot impersonate node U. However, this scheme does not provide a solution for attacks from inside, where the adversary knows U’s cluster key.

The basic idea of [28] is to predetermine and broadcast the initial parameters required by µTESLA instead of distributing them by unicast. The authors presented a multi-level key chain scheme to efficiently distribute the key chain commitments for µTESLA. Several techniques are also proposed to improve the survivability of the scheme and defeat some DoS attacks. By using pre-determination and broadcast, the final multi-level approach removes µTESLA’s requirement of a unicast-based distribution of initial key chain commitments and satisfies several nice properties, including low overhead, tolerance of message loss, scalability to large networks, and resistance to replay attacks as well as DoS attacks. Despite these advantages, several issues are not yet properly addressed. Neither µTESLA nor multi-level µTESLA is scalable in terms of the number of senders. Though multi-level µTESLA schemes are scalable in terms of receivers, they either use substantial bandwidth and storage at sensor nodes, or require significant resources at senders to deal with DoS attacks. Subsequently, Liu et al. presented efficient techniques in [30] to support a potentially large number of broadcast senders using µTESLA instances as building blocks. The scheme has three advantages over the multi-level µTESLA schemes. Firstly, the scheme allows broadcast authentication with a large number of senders. Secondly, the scheme is not subject to the DoS attacks against the distribution of µTESLA parameters. Thirdly, the proposed scheme revokes the broadcast authentication capabilities from compromised senders with two complementary approaches: a Merkle hash tree based scheme and a proactive distribution based scheme. The former approach removes the authentication delay as well as the vulnerability to DoS attacks during the distribution of µTESLA parameters, while the latter proactively controls the distribution of the broadcast authentication capability of each sender to allow the revocation of compromised senders.
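How a Merkle hash tree lets a receiver authenticate a sender's µTESLA parameters at once, as an added example in Python (not code from [30]): receivers are preloaded with the tree root only, and each sender broadcasts its key chain commitment together with the sibling hashes on its path. The leaf encoding, the use of the sender id as leaf index, SHA-256 and all function names are assumptions.

```python
import hashlib

def H(data):
    """Hash used for the tree (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()

def leaf(sender_id, commitment):
    """Leaf for one sender's µTESLA instance; this encoding is an assumption."""
    return H(b"\x00" + sender_id.to_bytes(2, "big") + commitment)

def node(left, right):
    """Interior node; the prefix keeps leaves and interior nodes distinct."""
    return H(b"\x01" + left + right)

def build(leaves):
    """Return all tree levels, leaves first; leaf count must be a power of two."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def certificate(levels, index):
    """Sibling hashes on the path from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(root, sender_id, commitment, path):
    """Receiver side: recompute the root from the broadcast parameters."""
    h = leaf(sender_id, commitment)
    idx = sender_id
    for sibling in path:
        h = node(h, sibling) if idx % 2 == 0 else node(sibling, h)
        idx //= 2
    return idx == 0 and h == root
```

Verification costs one hash per tree level and needs no disclosed key, so forged parameters are rejected on arrival instead of being buffered.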
