"Boradcasting" MAC'd data
From: Michael Brown (see_at_signature.below)
Date: 04/18/05
- Next message: Nora Baron: "Re: Talking Rationally About Surrogate Factoring"
- Previous message: thomasptacek_at_gmail.com: "Re: Successful remote AES key extraction"
- Next in thread: Roger Schlafly: "Re: "Boradcasting" MAC'd data"
- Reply: Roger Schlafly: "Re: "Boradcasting" MAC'd data"
- Reply: David Wagner: "Re: "Boradcasting" MAC'd data"
- Reply: Joseph Ashwood: "Re: "Boradcasting" MAC'd data"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Apr 2005 01:19:14 +1000
I've got a somewhat interesting problem that I'd like a bit of advice on. I
have some data, usually in the order of a few KB, that needs to be sent out
to a large number of clients over UDP. The data is not secret, so no
encryption is required. What is required is authentication and replay
prevention; noone should be able to impersonate the server (MITM excluded),
and noone should be able to resend the packet they received (or
eavesdropped) and fool another client.
On approach is obviously to use public key crypto and have the server sign
the packets. However, I suspect the CPU usage of all these signings would be
excessive.
My current idea is to have the client and server "connect" through DH key
exchange. The server stores IP address, port, and the key. When a broadcast
needs to be done, the server sends each client a packet. However, each
packet is specifically for the client: it contains the IP address, port, and
a sequence number. This packet is then protected using a MAC (keyed with the
value obtained from the DH key exchange). I think this covers all the bases
... assuming the MAC cannot be forged, then the only clients that will not
drop the packet are those with the same secret key (ie: the same instance of
the client), and these will only accept it if the sequence number is right.
Now, I'd still like to reduce the CPU impact further :) One thing that (IMO)
seems wasteful is that the same data is being MACed over and over again.
What would be ideal is if the bulk of the data, the stuff that is being
broadcast, is only processed once. None of the standard MACs seem to be able
to do this, as they all do keying prior to processing. However, what about
padding the broadcast data to 512 bits, shoving these blocks through MD5,
then doing a final MD5 block consisting only of the IP and port for each of
the connections (replace MD5 and 512 bits with your hash function of choice
and it's block size). The two obvious options from this are to include the
key in the final block, or to encrypt the resulting hash with the key. I
remember both of these approaches being discussed on sci.crypt in the past,
but can't seem to find the threads any more. Are either of these secure
enough for short-term use (client sessions will not, in general, last for
more than a week or two; most are probably going to be in the order of a
day)? If not, or even if so, are there better alternatives with something of
a track record behind them?
-- Michael Brown Add michael@ to emboss.co.nz ---+--- My inbox is always open
- Next message: Nora Baron: "Re: Talking Rationally About Surrogate Factoring"
- Previous message: thomasptacek_at_gmail.com: "Re: Successful remote AES key extraction"
- Next in thread: Roger Schlafly: "Re: "Boradcasting" MAC'd data"
- Reply: Roger Schlafly: "Re: "Boradcasting" MAC'd data"
- Reply: David Wagner: "Re: "Boradcasting" MAC'd data"
- Reply: Joseph Ashwood: "Re: "Boradcasting" MAC'd data"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
