Some Notes on the Security of the Timed Efficient Stream Loss-Tolerant Authentication Scheme

  • Goce Jakimoski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4356)


RFC4082 specifies the Timed Efficient Stream Loss-tolerant Authentication (TESLA) scheme as an Internet standard for stream authentication over lossy channels. In this paper, we show that the suggested assumptions about the security of the building blocks of TESLA are not sufficient. This can lead to implementations whose security relies on some obscure assumptions instead of the well-studied security properties of the underlying cryptographic primitives. Even worse, it can potentially lead to insecure implementations. We also provide sufficient security assumptions about the components of TESLA, and present a candidate implementation whose security is based on block ciphers resistant to related-key cryptanalysis.


message authentication multicast stream authentication TESLA cryptanalysis block ciphers related-key attacks 


  1. 1.
    Anderson, R., Bergadano, F., Crispo, B., Lee, J., Manifavas, C., Needham, R.: A New Family of Authentication Protocols. ACM Operating Systems Review 32(4), 9–20 (1998)CrossRefGoogle Scholar
  2. 2.
    Bergadano, F., Cavagnino, D., Crispo, B.: Chained Stream Authentication. In: Proceedings of Selected Areas in Cryptography 2000, pp. 142–155 (2000)Google Scholar
  3. 3.
    Bellare, M., Kohno, T.: A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In: Biham, E. (ed.) Advances in Cryptology – EUROCRPYT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology 7(4), 229–246 (1994)zbMATHCrossRefGoogle Scholar
  5. 5.
    Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 225–320. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Canneti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: A taxonomy and some efficient constructions. In: Infocom 1999 (1999)Google Scholar
  7. 7.
    Carrara, E., Baugher, M.: The Use of TESLA in SRTP. Internet draft,
  8. 8.
    Cheung, S.: An Efficient Message Authentication Scheme for Link State Routing. In: Proceedings of the 13th Annual Computer Security Application Conference (1997)Google Scholar
  9. 9.
    FIPS PUB 197, The Advanced Encryption StandardGoogle Scholar
  10. 10.
    FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC)Google Scholar
  11. 11.
    Gennaro, R., Rohatgi, P.: How to Sign Digital Streams. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 180–197. Springer, Heidelberg (1997)Google Scholar
  12. 12.
    Goldreich, O.: Foundations of Cryptography. Cambridge University Press, Cambridge (2001)zbMATHGoogle Scholar
  13. 13.
    Iwata, T., Kurosawa, K.: OMAC: One-Key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)Google Scholar
  14. 14.
    Jakimoski, G., Desmedt, Y.: Related-key Differential Cryptanalysis of 192-bit Key AES Variants. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 208–221. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Kelsey, J., Schneier, B., Wagner, D.: Related-key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2 and TEA. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  16. 16.
    Perrig, A., Canneti, R., Tygar, J.D., Song, D.: Efficient Authentication and Signing of Multicast Streams Over Lossy Channels. In: Proceedings of the IEEE Security and Privacy Symposium (2000)Google Scholar
  17. 17.
    Perrig, A., Canneti, R., Song, D., Tygar, J.D.: Efficient and Secure Source Authentication for Multicast. In: Proceedings of the Network and Distributed System Security Symposium (2001)Google Scholar
  18. 18.
    Perrig, A., Canneti, R., Tygar, J.D., Song, D.: The TESLA Broadcast Authentication Protocol. RSA CryptoBytes 5(2) (2002)Google Scholar
  19. 19.
    Perrig, A., Song, D., Canneti, R., Tygar, J.D., Briscoe, B.: Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction. Internet Request for Comments, RFC 4082 (June, 2005)Google Scholar
  20. 20.
    Perrig, A., Tygar, J.D.: Secure Broadcast Communication in Wired and Wireless Networks. Kluwer Academic Publishers, Dordrecht (2002)Google Scholar
  21. 21.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, Springer, Heidelberg (1994)Google Scholar
  22. 22.
    Rivest, R.L.: The MD5 message digest algorithm. Internet Request for Comments, RFC 1321 (April 1992)Google Scholar
  23. 23.
    Rohatgi, P.: A compact and fast hybrid signature scheme for multicast packet authentication. In: 6th ACM Conference on Computer and Communications Security (November 1999)Google Scholar
  24. 24.
    Syverson, P.F., Stubblebine, S.G., Goldschlag, D.M.: Unlinkable serial transactions. In: FC 1997. LNCS, vol. 1318, Springer, Heidelberg (1997)Google Scholar
  25. 25.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis for Hash Functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)Google Scholar
  26. 26.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar
  27. 27.
    Wong, C.K., Lam, S.S.: Digital Signatures for Flows and Multicasts. In: Proceedings of IEEE ICNP 1998 (1998)Google Scholar
  28. 28.
    Zhang, K.: Efficient Protocols for Signing Routing Messages. In: Proceedings of the Symposium on Network and Distributed System Security (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Goce Jakimoski
    • 1
  1. 1.Department of Electrical and Computer Engineering, Stevens Institute of Technology, Burchard 212, Hoboken, NJ 07030USA

Personalised recommendations