This package integrates ALTA (Asymmetric Loss-Tolerant Authentication) into the ALC/LCT multicast protocol, replacing TESLA authentication.
- Drop-in replacement for TESLA: Compatible with existing LCT header extension system
- Lower overhead: 6.91% vs TESLA's 10-20%
- Zero latency: Real-time verification without time synchronization
- Loss tolerant: Hash chain + MAC cross-references handle packet loss
- Ed25519 signatures: Fast, secure, 128-bit security level
import (
"github.com/blockcast/multicast/alta"
)
// Generate keys
publicKey, privateKey, err := alta.GenerateKeys()
if err != nil {
log.Fatal(err)
}
// Create session
session, err := alta.NewSession(publicKey, privateKey)
if err != nil {
log.Fatal(err)
}
defer session.Close()// Create context with ALTA
ctx := alta.CreateALTAContext(context.Background(), session)import (
"github.com/blockcast/multicast/lct"
"github.com/blockcast/multicast/alta"
)
// Create LCT packet
header := &lct.LCTHeader{
TSI: 123,
TOI: 456,
// ... other fields
}
payload := []byte("multicast data")
// Add ALTA authentication
err := alta.AddALTAToPacket(ctx, header, payload)
if err != nil {
log.Fatal(err)
}
// Send packet...// Receive LCT packet...
// Verify ALTA authentication
result, err := alta.VerifyALTAPacket(ctx, header, payload)
if err != nil {
log.Printf("Verification failed: %v", err)
return
}
if !result.Valid {
log.Printf("Invalid packet: %v", result.Error)
return
}
// Process verified payload
processPayload(result.Payload)To integrate ALTA into the existing ALC session:
- Add ALTA field to Session struct (alc/session.go):
type Session struct {
// ... existing fields
Auth *tesla.Session // Keep for backward compatibility
ALTAAuth *alta.Session // New ALTA authentication
// ... other fields
}- Check for ALTA in send path (around line 471):
// After creating the unit, before sealing with TESLA
if s.ALTAAuth != nil && s.ALTAAuth.Initialized() {
if err := alta.AddALTAToPacket(s.ctx, &unit.LCTHeader, unit.Payload()); err != nil {
return err
}
} else if teslaAuthMsg != nil {
// Fall back to TESLA
if err = teslaAuthMsg.Content.Seal(&unit.LCTHeader, [][]byte{unit.Payload()}); err != nil {
return err
}
}- Check for ALTA in receive path (around line 1160):
// Try ALTA verification first
if result, err := alta.VerifyALTAPacket(s.ctx, &cur.LCTHeader, cur.Payload()); err == nil {
if !result.Valid {
return fmt.Errorf("ALTA verification failed: %w", result.Error)
}
// ALTA verification successful
} else {
// Fall back to TESLA verification
if err := authMsg.Verify(cur.Payload()); err != nil {
return err
}
}import "github.com/blockcast/alta"
// Create custom config
config := alta.DefaultConfig().
WithKeys(privateKey, publicKey).
WithSignatureInterval(20). // Signature every 20 packets
WithMACConfig(2, []int{1, 4}). // 2 MACs at offsets 1 and 4
WithBufferDepth(200) // Larger buffer for high rates
// Create session with custom config
session, err := alta.NewSessionWithConfig(config)ALTA provides significant performance improvements over TESLA:
| Metric | ALTA | TESLA |
|---|---|---|
| Overhead | 6.91% | 10-20% |
| Latency | 0ms | 100-6000ms |
| Throughput | ~19,000 pkt/s | ~8,000 pkt/s |
| Time Sync | Not required | Required |
ALTA uses a hybrid authentication approach:
- Hash Chain (Backward): SHA-256 of previous packet prevents modification
- MAC Cross-References (Forward): HMAC-SHA256 provides loss tolerance
- Digital Signatures (Periodic): Ed25519 every 10th packet for non-repudiation
See the multicast integration tests in cmd/caddy/multicast_test.go:
cd /Users/oramadan/go/src/github.com/blockcast/multicast
go test -v -tags=integration ./cmd/caddy -run TestAuthedStream