Enhancing O-RAN Fronthaul Synchronization Security: TESLA and ASCON as a MACsec Alternative

Ensuring synchronization in the O-RAN Fronhaul S-Plane is crucial to accurately align timing between network elements and enable latency-sensitive features such as time division duplexing and carrier aggregation. The Precision Time Protocol (PTP) plays a key role in this context, but any vulnerability that compromises synchronization can cause serious impacts on network efficiency and quality of user experience. Although traditional solutions such as MACsec offer link-level encryption and authentication, they introduce a processing overhead that is potentially incompatible with the stringent requirements of O-RAN fronthaul. As an alternative, this work proposes an authentication-based security mechanism that combines the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) protocol with ASCON, a lightweight cryptographic algorithm optimized for integrity. With its delayed key disclosure mechanism, TESLA reduces the risks of spoofing, replay attacks by allowing only legitimate parties to authenticate messages on the fronthaul. In addition, the use of ASCON as an authentication function provides high throughput with minimal computational impact. Authenticated encryption with associated data as implemented in ASCON, ensures that synchronization messages remain readable while still being protected from unauthorized modifications. The results show that the combination of TESLA and ASCON offers a comparable or higher level of security to MACsec, with lower overhead and better compatibility with real-time synchronization constraints, making it a scalable and efficient model for protecting O-RAN fronthaul synchronization.