Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes

TL;DR

This paper examines the vulnerabilities of existing progressive message authentication schemes to packet loss and proposes R2-D2 and SP-MAC, which enhance resilience and efficiency for resource-constrained environments.

Contribution

It introduces R2-D2 with randomized dependencies for improved resilience and SP-MAC for efficient implementation on constrained devices, addressing security flaws in prior schemes.

Findings

R2-D2 increases robustness against packet loss and jamming.

SP-MAC achieves resource-efficient implementation with comparable speed.

The proposed schemes outperform existing methods in security and efficiency.

Abstract

Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, to achieve this goal, message authentication considerably expands packet sizes, which is especially problematic in constrained wireless environments. To address this issue, progressive message authentication provides initially reduced integrity protection that is often sufficient to process messages upon reception. This reduced security is then successively improved with subsequent messages to uphold the strong guarantees of traditional integrity protection. However, contrary to previous claims, we show in this paper that existing progressive message authentication schemes are highly susceptible to packet loss induced by poor channel conditions or jamming attacks. Thus, we consider it imperative to rethink how authentication tags depend on the successful reception of surrounding packets. To this end, we propose R2-D2, which uses randomized dependencies with parameterized security guarantees to increase the resilience of progressive authentication against packet loss. To deploy our approach to resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC is resilient to sophisticated network-level attacks and operates as resources-conscious and fast as existing, yet insecure, progressive message authentication schemes.