In the proposals for Global Navigation Satellite Systems (GNSS) Navigation Message Authentication (NMA) that are based on adapting the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) protocol, the length of the one-time keys is limited (e.g. to 80 bits) by the low transmission rate. As a consequence, the hash function that is used to build the one-way key chain is constructed having a longer, secure hash function (e.g. SHA-256), preceded by a time-varying yet deterministic padding of the input and followed by a truncation of the output. We evaluate the impact of this construction on the collision resistance of the resulting hash function and of the whole chain, and show that with current proposed parameters, combined with the use of efficient hashing hardware, it can lead to a feasible attack with significant collision probability. The collision can be leveraged to mount a long lasting spoofing attack, where the victim receiver accepts all the one time keys and the navigation messages transmitted by the attacker as authentic. We conclude by suggesting possible modifications to make TESLA-based NMA more robust to such attacks.
Evaluating the security of one-way key chains in TESLA-based GNSS navigation message authentication schemes
CAPARRA, GIANLUCA;STURARO, SILVIA;LAURENTI, NICOLA;
2016
Abstract
In the proposals for Global Navigation Satellite Systems (GNSS) Navigation Message Authentication (NMA) that are based on adapting the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) protocol, the length of the one-time keys is limited (e.g. to 80 bits) by the low transmission rate. As a consequence, the hash function that is used to build the one-way key chain is constructed having a longer, secure hash function (e.g. SHA-256), preceded by a time-varying yet deterministic padding of the input and followed by a truncation of the output. We evaluate the impact of this construction on the collision resistance of the resulting hash function and of the whole chain, and show that with current proposed parameters, combined with the use of efficient hashing hardware, it can lead to a feasible attack with significant collision probability. The collision can be leveraged to mount a long lasting spoofing attack, where the victim receiver accepts all the one time keys and the navigation messages transmitted by the attacker as authentic. We conclude by suggesting possible modifications to make TESLA-based NMA more robust to such attacks.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
