In this section, we detail the description of µTESLA. In fact, this protocol has three phases: i) sender setup; ii) message sending procedure executed by the broadcaster; and iii) message receiving procedure executed by the receiver. For more details, we refer the reader to the work in [13].
Sender Setup In µTESLA, the sender generates a key chain, which is a sequence of secret
keys. The generation of the one-way key chain of length n is as follows. First, the sender chooses randomly the last key (denoted here by Kn), and then generates the remaining
values by applying successively a one-way function f (e.g., a cryptographic hash function as
M D5), Ki = f (Ki+1). As f is a one-way hash function, every device can compute forward,
e.g., compute K0, K1, ..., and Kj given the value of key Kj+1. However, no one could compute backward, e.g., compute Kj+1 given only K0, K1, ..., and Kj. This is due to the one-wayness of the hash function f .
Message Sending Procedure Executed by the Broadcaster In µTESLA, the time
is divided into time intervals and the sender (the broadcaster) associates each key of the one- way key chain with one time interval (see Figure 2.3). Let us assume that the sender wants to send a message at time interval Ti. In this case, the sender generates a packet adding the message, the message authentication code (MAC) of that packet using the authentication key Ki. We should keep in mind that this authentication key is still secret in that time interval (Ti). This key will only be disclosed after a delay d (few time intervals, which is in general superior than the round trip time between the sender and the receiver). That is why µTESLA based schemes are classified as temporal asymmetry approaches. The data packet format using µTESLA is as follows: < M |M AC(Ki, M )|Ki−d>; with the0|0symbol denotes message concatenation, M generated message at time interval Ti, M AC(Ki, M ) is the authentication information using the key Ki.
Key Generation Key Disclosure T1 T2 Tn-1 Tn K1 K2 Kn-2 Kn-1 Kn P f(Kn) f(Kn-1) f(K2) ... f(Kn-2) ... Tn-2 T3 K3 f(K3) ... P K1 K2 K3 Kn-2 Kf(K0 1)
Figure 2.3. – µTESLA Scheme
Message Receiving Procedure executed by the receiver An emergent property of
one-way key chain is that, once a receiver has an authenticated key of the chain, then it could reveal subsequent keys of this chain, by applying the one-way function f . This means that when the receiver has an authenticated value Ki of the key chain, it can easily authenticate
Ki+1, by verifying Ki = f (Ki+1). Therefore, a receiver should have one authenticated key of the chain as a commitment to the entire chain. Moreover, in µTESLA based schemes,
nodes should be loosely synchronized. Initially, all nodes know the key disclosure schedule of keys of the one way key chain.
Authenticating broadcast packets When a receiver receives the packets, it needs to
ensure that the packet could not be spoofed by an adversary. To verify this condition, the receiver should check for each incoming packet that the sender did not yet disclose the key which corresponds to the packet, which means that no adversary could have forged the packets. In order to verify this security condition, sender and receivers should be loosely synchronized, and that the key disclosure delay is known by all the participants in the network (sender and receivers).
When a receiver receives an incoming broadcast packet in time interval Ti, it checks the following security condition: Tc+δ−T0
Tint < Ti+d, where Tc is the local time when the packet is received, T0 is the start time of the first time interval, Tint is the duration of each time interval, δ is the maximum clock difference between the sender and itself, d is the disclosure key delay. Moreover, d is represented in terms of number of time intervals. For instance, when the node receives a broadcast packet in time interval T3 (i = 3), and d= 2. It has to check whether Tc+δ−T0
Tint < 3+2. In the case when the packet verifies the security condition, the receiver will store it in its buffer. The receiver could verify this packet only when receiving the corresponding key. If the security condition is violated, which means that the packet had an unusually long delay, thus the receiver drops the packet since an adversary might have altered it. When receiving a key Ki of a previous time interval, the receiver verifies its authenticity by checking whether this key matches the last authenticated stored key Kj, by verifying Ki= f|j−i|(Kj). If the check is successful, the new key Ki is authentic and the receiver can authenticate all packets that were sent within the time intervals Ti to
Tj. The receiver also stores the key Ki instead of key Kj.
µTESLA is an extension to TESLA. The only difference between these two protocols is
in their key chain commitment distribution schemes. TESLA uses asymmetric cryptography to boostrap new receivers, which is impractical for resource constrained devices due to its high computation and storage overheads. µTESLA depends on symmetric cryptography with the master key, shared between the sender and each receiver, to bootstrap the new receivers individually. In this scheme, the receiver first sends a request to the sender, and then the sender replies with a packet containing the current time Tcfor time synchronization, a key Ki of one way key chain used in a past interval, the start time of the time interval
Ti, the duration Tint of each time interval and the disclosure delay d.