Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, the required per-message authentication tags considerably expand packet sizes, which is especially problematic in constrained environments. To address this issue, progressive message authentication aggregates and distributes integrity protection over multiple messages, promising to reduce overheads while upholding the strong security of traditional integrity protection. However, as we show in this paper, existing progressive message authentication schemes are susceptible to packet drops: by interfering with just two selected packets, an attacker can remove integrity protection from a complete sequence of messages. Revisiting the security of progressive message authentication, we consider it imperative to thwart such attacks by rethinking how authentication tags depend on the successful reception of packets. We propose R2-D2, which relies on (i) optimal message dependencies, (ii) parametrizable security guarantees, (iii) randomized bit dependencies, and (iv) optional immediate protection bits to address this problem. To deploy our approach to resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC protects against sophisticated network-layer attacks and even operates more resource-consciously and faster than existing progressive message authentication schemes.