Lightweight Privacy-Preserving Authentication Scheme ... - IEEE Xplore

2015 IEEE Trustcom/BigDataSE/ISPA

Lightweight Privacy-Preserving Authentication Scheme for V2G Networks in the Smart Grid

Neetesh Saxena, Bong Jun Choi, and Shinyoung Cho
Department of Computer Science, The State University of New York, Korea & Stony Brook University, USA
Email: [email protected], {bjchoi, sycho}@sunykorea.ac.kr

978-1-4673-7952-6/15 $31.00 © 2015 IEEE. DOI 10.1109/Trustcom.2015.425 10.1109/Trustcom-BigDataSe-ISPA.2015.425

Abstract—Vehicle-to-grid (V2G) is one of the future key technologies for the smart grid. Electric vehicles (EV) are potential power consumers that can play a crucial role by delivering the power back to the grid in order to meet the power demand. However, the V2G network has some crucial security and privacy challenges. Also, the existing solutions generate a huge overhead cost and do not provide resistance against well-known security attacks. To address the identified security and privacy challenges in the V2G smart grid network, we propose a scheme based on the bilinear pairing technique with an accumulator that provides mutual authentication and privacy preservation of the EV's information such as identity, battery status, location, and charging/discharging selection and time duration. The proposed scheme defeats various security attacks, including man-in-the-middle attack, replay attack, impersonation attack, redirection attack, and repudiation attack, while generating lower communication and computation overhead than existing privacy-preserving V2G mutual authentication schemes.

Keywords—authentication, bilinear pairing, privacy-preserving, security attacks, V2G;

I. INTRODUCTION

The Vehicle-to-Grid (V2G) system is expected to become one of the most powerful systems in the smart grid, integrating with renewable energy sources to provide ancillary services and keeping track of the power demand of the Electric Vehicles (EV)/Battery Vehicles (BV). These vehicles communicate with the smart grid for charging and discharging the battery by consuming the power from the grid and delivering the power back to the grid, respectively. Dedicated Short Range Communication (DSRC), an automotive standard protocol specifically designed for Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) support, includes IEEE 802.11p and IEEE 1609 Wireless Access in Vehicular Environments (WAVE) [1].

The V2G communication system differs from other existing communication systems in several aspects such as vehicle mobility, geographical location of the vehicle, charging and discharging operations, driving pattern, limited communication range, etc. Further, the V2G system requires fast authentication, as in the future a large number of EVs will participate in the charging/discharging process [2]. Moreover, confidential information in V2G, V2V, and V2I such as vehicle identity, vehicle type, charging and discharging time, and charging station identity needs to be protected over the network. The charging and discharging operations also depend upon the type of vehicle and its battery. It takes almost 10 hours to charge a 15-kWh battery using a standard 120-volt outlet [3].

A. Security Requirements in the V2G Network

There are various security requirements in the V2G smart grid network as follows.

1) Mutual Authentication: Mutual authentication is one of the mandatory requirements for an authentication scheme so that it can defeat the redirection and impersonation attacks. In V2G networks, the EV should be able to verify the Local Aggregator (LAG) and the EV must be authenticated by the LAG before the communication starts.

2) Information Confidentiality and Integrity: The secret information sent over the network should be well protected and only the respective recipient should be able to extract that information. Also, the integrity of each message sent over the network must be maintained. This can be achieved using a well-known Hash (H)/Message Authentication Code (MAC).

B. Privacy Requirements in the V2G Network

There are also privacy requirements in the V2G smart grid network whenever an EV accesses the charging station for a charging/discharging operation.

1) Vehicle's Location, Battery, and Personal Information: The vehicle's private information should not be revealed during the authentication. For example, the LAG should not be able to retrieve the location of the EV making a request. The protection of location information also helps to prevent redirection attacks. Similarly, the LAG must not be able to track the EV based on its battery status. The required information should be sent directly to the intended recipient in a secure manner.

2) Vehicle Selections and Operations: The LAG must be unaware of the EV's timing selection and the choice of operation when charging/discharging. Similarly, the LAG must not be able to track the EV based on other similar information such as the Charging Station Identity (CSID).

C. Research Problem

EVs perform charging and discharging operations in order to meet their energy demand and to balance the power in the grid. However, there exist various security and privacy challenges in the V2G system as stated above. The information shared by the EVs and other V2G entities such as the Aggregator (AG), Certification/Registration Authority (CA/RA), and Control Center (CC) must be secured over the network and the privacy of the information must be maintained. The V2G system must provide mutual authentication between an EV and the respective AG in order to ensure that only legitimate entities are involved in the communication. Further, the AG must not be able to recognize and keep track of the EV by its information and behavior pattern. Otherwise, the AG can misuse the information, which may result in insider attacks.

The existing protocols/schemes do not discuss possible attack scenarios over the V2G network such as man-in-the-middle (MITM) attack, replay attack, impersonation attack, redirection attack, known key attack, and repudiation attack. Also, computational load and communication overhead are among the critical challenges when secure solutions are to be designed. Since a huge number of entities (EVs, LAGs, and CA/RAs) would be involved in the future V2G smart grid network, the generated overhead must be kept as low as possible. These overheads affect the optimal performance-security trade-off. However, the existing schemes generate huge overheads. Therefore, a secure, lightweight, and privacy-preserving authentication scheme for the V2G network in the smart grid is needed.

D. Our Contribution

We make the following main contributions. Our scheme:

1. Provides mutual authentication between the EV and the LAG and between the EV and the CA/RA so that no malicious entity can participate in the communication over the network.
2. Preserves the privacy of the EV's identity, location, charging/discharging selection, expected time, battery status, and other personal information. This ensures that the LAG and an attacker cannot keep track of and extract the information regarding the EV's behavior pattern and its private information.
3. Generates lower communication overhead (by transmitting limited information over the network) and computation overhead (by reducing the pairing, exponential, and scalar multiplication operations) than the existing schemes in [8] and [6].
4. Defeats various security attacks such as MITM attack, replay attack, impersonation attack, redirection attack, repudiation attack, etc., and maintains message integrity.

E. Organization of the Paper

This paper is organized as follows. Section II presents the related work on V2G security and privacy issues. Section III discusses the system and attack models in the V2G network. Our authentication scheme is presented in detail in Section IV. The security and performance analysis of the proposed scheme is given in Section V. Finally, Section VI concludes the work. Table I lists the symbols and acronyms used in the paper with their descriptions and sizes.

TABLE I: Symbols And Abbreviations

Symbol            Description                                   Size (bits)
EV                Electric vehicle
LAG               Local aggregator
CA/RA             Certification/Registration Authority
H()               One-way hash function
ID                Identity of the EV                            128
PID               Pseudo-identity of the EV                     128
CSID              Charging station identity                     128
Γ                 A public key at CA/RA                         128
μ                 A variable for a product of identities        256
λ                 A random number generated by CA/RA            128
γ                 A random number generated by EV               128
ξ                 A variable for a product of identity          256
δ                 Signature of the EV                           128
r                 A random number for key label                 16
Option request    A variable to store selected option           1
Expected time     Time duration for charging/discharging        64
Decision          Decision to conduct operation                 1
k                 Shared secret key between EV and LAG          128
H                 Hash value                                    64
T                 Timestamp                                     64

II. RELATED WORK

Recent research has addressed authentication protocols/schemes for the V2G smart grid network [2], [4], [5], privacy-preserving authentication [6], privacy-enhanced data aggregation [7], privacy-preserving communication [8], a virtual ring architecture for smart grid privacy [9], etc. However, various possible attacks in the V2G smart grid network are not well investigated. A role-dependent privacy preservation scheme (ROPS) is presented in [4], in which three BV roles, i.e., energy demand, energy storage, and energy supply, are considered. Similarly, a battery status-aware authentication scheme is presented in [5], where the charging, fully charged, and discharging status of the battery are considered. Further, an aggregated-proofs based privacy-preserving authentication scheme (AP3A) is proposed in [6] to achieve secure identification of the BV. However, all these protocols/schemes generate huge overheads and do not completely fit the V2G network, where fast and efficient authentication is required. Since a huge number of EVs would be involved in the future, the scheme must be lightweight.

A batch authentication protocol (UBAPV2G) takes into account the vehicle communication in order to provide authentication in the V2G network [2]. However, the scheme is just a variant of the standard DSA algorithm and does not consider important aspects of the V2G network such as privacy preservation, prevention against attacks, key management, etc. The privacy of the users and the communication security of the smart grid are studied in [7], where a batch-oriented power-usage data aggregation scheme for the smart grid is proposed. The scheme does not provide mutual authentication, discusses a very generic adversary model, and does not consider any security attack scenario. Further, a precise reward scheme for the V2G network is presented in [8] to provide privacy protection. However, the scheme also generates a large amount of overhead. Moreover, to protect sensitive energy usage information of the user, a privacy protection scheme is proposed in [9]. However, the scheme is only for the smart grid and does not consider the V2G network. In summary, one of the major limitations of the existing schemes/protocols is that they do not present security attack scenarios, and most of them generate a huge overhead.

III. SYSTEM, AND PRIVACY AND ATTACK MODELS

This section presents an overview of our V2G system model and discusses the attack model.

A. System Model

Consider a V2G smart grid system model as shown in Figure 1. It includes mainly three entities: EVs, local aggregators (LAGs), and a CA/RA. An EV can charge its battery any time from the charging station (CS) and can also discharge its stored power back to the grid through the charging stations. An aggregator (AG) is an entity located between the control center (CC) or CA/RA and the CSs. A CA/RA is a trusted certification/registration authority that maintains a secure database containing information about the various EVs and LAGs. The LAG is curious about the EV's related information. Each EV first registers itself with the CA/RA by specifying the LAG of its area.

Fig. 1: A V2G smart grid system model.

An EV can charge its battery from a group of charging stations connected to a LAG. Furthermore, a number of LAGs are connected to a single CA/RA based on the capacity of the CA/RA to handle the EVs' requests. As an example, we consider that a single CA/RA is responsible for 4 LAGs. The CA/RA is further connected to the CC using a wireless/wired communication technology. The communications between the charging stations and a LAG, and between a LAG and a CA/RA, are done through wireless networks. The communication between the Electric Vehicle Supply Equipment (EVSE) and the Electric Vehicle Communication Controller (EVCC), and between the EVSE and the load balance controller at the CC, are governed respectively by V2G ISO/IEC 15118-2 and IEC 62056 with EV-specific extensions.

B. Privacy and Attack Model

In our privacy model, the original identity of each EV should be protected; otherwise the attackers (even the LAG) can trace the user pattern and behavior, and can further extract the relevant information. In our attack model of the V2G network, an outsider attacker (EV) may (1) perform a man-in-the-middle (MITM) attack by creating an active connection between an EV and a LAG, (2) delay or repeat the transmitted message to the EV/LAG over the network, resulting in a replay attack, (3) perform integrity violations, if the attacker succeeds in modifying the messages transmitted over the network, and (4) perform an impersonation attack, where it tries to impersonate the EVs involved in the V2G system. In addition, prevention against a repudiation attack is also required so that the involved EV cannot deny having transmitted the data. The attacker must not be able to generate future session keys based on the current session key. This may otherwise result in a known key attack.

IV. PROPOSED AUTHENTICATION SCHEME

This section presents some preliminary discussion on the bilinear pairing and our scheme in detail.

A. Preliminaries

Preliminaries include our bilinear pairing technique and dynamic accumulator.

1) Bilinear Pairing: We define the bilinear pairing of our system as follows.

Definition 1. Let $G_1$ and $G_2$ be cyclic multiplicative groups of prime order $p$ generated by $g_1$ and $g_2$, for which there exists an isomorphism $\phi : G_2 \to G_1$ such that $\phi(g_2) = g_1$. Consider $P \in G_1$ and $Q \in G_2$. Let $G_T$ be a cyclic multiplicative group with the same order $p$, where $e : G_1 \times G_2 \to G_T$ is a bilinear pairing with the following properties:

(i) Bilinearity: $e(P^a, Q^b) = e(P, Q)^{ab}$, $\forall P \in G_1$, $Q \in G_2$ and $a, b \in Z_p^*$.
(ii) Non-degeneracy: $e(g_1, g_2) \neq 1$.
(iii) Computability: There exists an efficient algorithm to compute $e(P, Q)$, $\forall P \in G_1$ and $Q \in G_2$.

The domains of the hash functions are as follows: $H_1 : G_1 \times \{0,1\}^* \times Z_p^* \to G_1$, $H_2 : G_T \times \{0,1\}^* \times Z_p^* \to G_T$, $H_3 = H(f_1) = h(f_2) : G_1 \times G_2 \to G_T$, $H_4 = H(Q^S) : Z_p^* \times G_2 \to G_2$. The input parameters of each hash function (including integers modulo the prime $p$ and elliptic group elements) are converted to a bit string, from which SHA256 produces a 256-bit output [10]. Further, we define a bilinear pairing instance generator that takes a security parameter $l$ as input and returns a uniformly random tuple $t = (p, G_1, G_2, G_T, e, g_1, g_2)$ of bilinear pairing parameters such that $p$ grows exponentially with $l$.

2) Accumulator from Bilinear Pairing: An accumulator is a one-way function that verifies whether a candidate is a member of a given set without revealing the identity of the other members of the set. We define a dynamic accumulator for our system. Let $N$ be the set of positive integers.

Definition 2. An accumulator is a tuple $(\{X_l\}_{l \in N}, \{F_l\}_{l \in N})$, where $\{X_l\}_{l \in N}$ is the value domain of the accumulator, and $\{F_l\}_{l \in N}$ is a sequence of families of pairs of functions such that each $(f, g) \in F_l$ is defined as $f : U_f \times X_f^{ext} \to U_f$ for some $X_f^{ext} \supseteq X_l$, and $g : U_f \to U_g$ is a bijective function [11], [12]. The following properties are satisfied:

(i) Efficient Generation: There exists an efficient algorithm that takes a security parameter $l$ as input and outputs a random element $(f, g) \in_R F_l$ with auxiliary information $\beta$.
(ii) Quasi Commutativity: For every $l \in N$, $(x_1, x_2) \in X_l$, $u \in U_f$: $f(f(u, x_1), x_2) = f(f(u, x_2), x_1)$. The value $g(f(u, X))$ is computable in polynomial time in $l$, even without the knowledge of $\beta$, where $X = \{x_1, \ldots, x_q\} \subset X_l$.

B. Our Scheme

We present the details of our scheme including initial setup, EV registration, and protocol execution as shown in Figure 2. In our scheme, a dynamic accumulator is used by the LAG and the CA/RA in order to verify whether an EV belongs to the set of all registered EVs at that point of time. Further, a bilinear pairing map is used to generate a shared secret key between the EV and the LAG. This key is used for all the subsequent authentications within a session. In addition, hashes of signatures are computed and used to provide non-repudiation and confidentiality of the messages transmitted over the network.

Fig. 2: Proposed scheme for the V2G smart grid network.

1) Initial Setup: All EVs, LAGs, and the CA/RA randomly generate their private keys as $(S_{EV}, S_{LAG}, S_{CA}) \in_R Z_p^*$, and compute their public keys as $Q_{EV} = g_2^{S_{EV}}$, $Q_{LAG} = g_2^{S_{LAG}}$, and $Q_{CA} = g_2^{S_{CA}}$, respectively, where $g_2 \in G_2$. These public keys are stored in an off-line key repository. Further, we define $(f, g) \in F_l$ as $g(f(g_2, PID))$, where $PID = \{PID_1, PID_2, \ldots, PID_q\}$ is a set of pseudo-identities of the EVs. Consider $f : Z_p \times G_2 \to G_2$, $g : G_2 \to Z_p$, $f : (g_2, PID) \to PID.H(\sigma_{CA-LAG})$, $g : g_2 \to g_2/H(\sigma_{LAG-CA})$, where the signature $\sigma_{CA-LAG}$ is computed at the CA/RA as $(Q_{LAG})^{S_{CA}}$ while $\sigma_{LAG-CA}$ is computed at the LAG as $(Q_{CA})^{S_{LAG}}$.

2) EV Registration: First of all, each $EV_i$ has to register itself with the CA/RA of its home region. This registration can be done either by physically reaching the CA/RA or remotely with pre-shared login credentials. Each $EV_i$ generates a random secret $\alpha_i \in_R Z_p^*$ and computes $\Gamma_i = g_1^{\alpha_i} \in G_1$. Thereafter, the $EV_i$ submits its original identity $ID_i$ to the CA/RA along with $\Gamma_i$. This $\alpha_i$ is used by the $EV_i$ for its signature generation during a request for charging/discharging to the LAG.

Message (1): $EV_i \to CA/RA : \{ID_i, \Gamma_i\}$

The CA stores its $ID_i$, generates a pseudo-identity of the $EV_i$, i.e., $PID_i$, and sends it to the $EV_i$.

Message (2): $CA/RA \to EV_i : \{PID_i\}$

After each successful registration of a new $EV_j$, the CA computes $\mu = (\prod_{i \neq j} PID_i).H(\sigma_{CA-LAG}).PID_j$, where $\prod_{i \neq j} PID_i$ is the product of all the PIDs of the registered EVs. Similarly, once the session has expired for an $EV_i$, its $PID_i$ is removed from the database at the CA/RA and then the CA/RA recomputes $\mu$. Hence, this registration process creates a dynamic accumulator that supports efficient evaluation, efficient addition, and efficient deletion of an $EV_i$. We define our dynamic collision-resistant accumulator with the following properties:

1. EV's Evaluation: Consider a set of pseudo-identities $PID$ of various registered EVs as $\{PID_1, PID_2, \ldots, PID_i\}$. The CA computes $\mu = \prod_i PID_i$ that maps $g(f(g_2, PID))$ as $\prod_i PID_i$.

2. EV's Addition: The CA computes $\mu = g(f(g_2, PID))$, $PID_j \notin PID$, and considering $PID_i \in PID$, $g(f(g^{-1}(\xi), PID_i)) = \mu$. When a new $EV_j$ is registered, the updated $\mu$ is computed as $\mu' = g(f(g_2, PID \cup \{PID_j\})) = \mu.PID_j$. Here, the value $\xi'$ is such that $\mu' = g(f(g^{-1}(\xi'), PID_i))$ where $\xi' = \xi.PID_j$. The $\xi$ is a witness for the fact that $PID_i \in PID$ has been accumulated in $\mu$ whenever $g(f(g^{-1}(\xi), PID_i)) = \mu$.

3. EV's Deletion: The CA computes $\mu = g(f(g_2, PID))$ considering $PID_i, PID_j \in PID$, $PID_i \neq PID_j$, and $g(f(g^{-1}(\xi), PID_i)) = \mu$. After the $EV_j$ has performed its operations within a session, its $PID_j$ must be deleted and the updated $\mu$ is computed as $\mu' = g(f(g_2, PID \setminus \{PID_j\})) = \mu/PID_j$. Here, the value $\xi'$ is such that $\mu' = g(f(g^{-1}(\xi'), PID_i))$ where $\xi' = \xi/PID_j$.

3) CA-LAG Communication: Whenever a new $EV_j$ is registered at the CA/RA, the CA/RA updates the LAG by transmitting the updated $\mu$, i.e., $\mu'$, as $\mu'.H(\sigma_{CA-LAG})$, where the signature $\sigma_{CA-LAG} = (Q_{LAG})^{S_{CA}}$. The CA/RA also generates a random $\lambda \in Z_p^*$ for each LAG associated with it and sends it (only the first time) to the respective LAG. On receiving, the LAG extracts $\mu'$ using its signature's hash as $\mu'/H(\sigma_{LAG-CA})$, where $\sigma_{LAG-CA} = (Q_{CA})^{S_{LAG}}$.



Message (3): $CA/RA \to LAG : \{\mu', \lambda\}$

As shown in Figure 3, the CA/RA sends a unique $\lambda_i \in Z_p^*$ to each LAG associated with it along with the updated $\mu'$ of the registered EVs served by the respective LAGs. During the first authentication, a shared secret key $k$ is generated at the $EV_j$ and the LAG. For all the subsequent authentication requests, the $EV_j$ sends $E_k[PID_j, T_j]$ to the LAG as message (7) in our scheme (discussed in the next subsection). After expiry of the session time, the LAG discards the session key $k$ and sends the corresponding $PID_j$ to the CA/RA. On receiving it, the CA/RA deletes $PID_j$ from its database.

Message (4): $LAG \to CA/RA : \{PID_j\}$

Fig. 3: The CA/RA periodically transmits μ and λ to different LAGs associated with it.

4) Protocol Execution: Whenever an $EV_j$ wishes to charge/discharge its vehicle's battery, it generates a random $x_j \in_R Z_p^*$ and computes $\gamma_j = g_1^{x_j} \in G_1$. Thereafter, the $EV_j$ sends $\gamma_j$ to the LAG along with its $PID_j$, a timestamp $T_1$, and a hash value $H_1 = H(\gamma_j, T_1, PID_j)$.

Message (5): $EV_j \to LAG : \{\gamma_j, PID_j, T_1, H_1\}$

On receiving the message (5), the LAG verifies $H_1' \stackrel{?}{=} H_1$ and extracts $\mu$ as $\mu'.H(\sigma_{CA-LAG})/H(\sigma_{LAG-CA})$, where the signatures are $\sigma_{CA-LAG} = (Q_{LAG})^{S_{CA}}$ and $\sigma_{LAG-CA} = (Q_{CA})^{S_{LAG}}$. Thereafter, the LAG computes $\xi$ as $\xi = g_2^{(\prod_i PID_i)/PID_j}$. It is worth noting that $\prod_i PID_i$ also includes $PID_j$, as it is a registered EV. Hence, $\xi = g_2^{\prod_{i, i \neq j} PID_i}$, which ensures that the $EV_j$ belongs to $\mu$, and thereby the $EV_j$ is authenticated by the LAG. This process can be carried out in a batch for multiple EVs that send their PIDs to the respective LAG. Next, the LAG computes $f_1$ as $f_1 = e(g_1^{\mu}, g_2^{H(\sigma_{LAG})})$ and sends $(H(f_1), \lambda, \xi, T_2, H_2)$ to the $EV_j$, where $\lambda$ was received from the CA/RA, $H(\sigma_{LAG}) = H(Q_{EV_j}^{S_{LAG}})$, $r_j \in Z_p$ is a random number, and $H_2 = H(f_1, \lambda, \xi, r_j, T_2)$.

Message (6): $LAG \to EV_j : \{H(f_1), \lambda, \xi, E_k[r_j], T_2, H_2\}$

On receiving message (6), the $EV_j$ verifies $H_2' \stackrel{?}{=} H_2$, computes $f_2$ as $f_2 = e(g_1^{(PID_j) H(\sigma_{EV_j})}, \xi)$ where $H(\sigma_{EV_j}) = H(Q_{LAG}^{S_{EV_j}})$, and checks whether $H(f_1) \stackrel{?}{=} H(f_2)$. If $f_1 = f_2 = k$ (shared secret key) holds, the LAG is authenticated by the $EV_j$. The $r_j$ is associated with this session key $k$ at the LAG, and this key can be used for further communications within a session. The LAG keeps the $PID_j$ in its database until the expiry (session time) of the key $k$. Further, the $EV_j$ computes $\delta_j = x_j + \lambda(\alpha_j + PID_j)$ and sends it to the LAG.

Message (7): $EV_j \to LAG : \{E_k[\delta_j, T_3], r_j\}$

After receiving the message (7), the LAG sends $(\gamma_j, \delta_j, PID_j)$ to the CA/RA signed by $H(Q_{CA}^{S_{LAG}})$.

Message (8): $LAG \to CA/RA : \{(\gamma_j, \delta_j, PID_j, T_j).H(Q_{CA}^{S_{LAG}})\}$

Message (8) may contain information about multiple EVs associated with that LAG. It may also be the case that different LAGs send message (8) simultaneously (or within a very short time) to the CA/RA. Hence, it is recommended that the CA/RA authenticates these requests in a batch for better efficiency. First, the CA/RA separates out the requests that belong to each LAG using $H(Q_{LAG}^{S_{CA}})$ and then verifies all the EVs in a batch corresponding to each LAG in the following manner:

$$\prod_i g_1^{\delta_i} = \prod_i \gamma_i . (g_1^{PID_i} \Gamma_i)^{\lambda}$$

If it holds, all the EVs are successfully verified. Otherwise, one or more EV(s) are invalid. In such a case, the invalid requests need to be located and removed from the batch. Then, a re-batch verification is performed. The detection of invalid requests can be performed using a divide and conquer approach stated in [13]. Similarly, different LAGs connected to a CA/RA send the received EVs' information to the respective CA/RA and the CA/RA verifies all the requests as shown in Figure 4.

Fig. 4: Verification of the EVs at CA/RA by the information received from different LAGs.

After successful authentication, the CA/RA sends a command that opens a window for the EV to select the charging/discharging duration (time) as illustrated in Figure 5. The smart grid's CC computes the power supply and demand load based on the operation selected by the EV. All the $EV_i$ preferences are captured in a message $M_i$ where $M_i$ = ($PID_i$, CSID, Option request, Expected time). Here, Option request has two options: one is a request for charging and the other is a request for discharging. Each $EV_i$ computes $M_i'$ as $M_i.H(Q_{CA}^{S_{EV_i}})$ and sends it to the CA/RA.

Message (9): $EV_i \to CA/RA : \{M_i', T_4\}$

Fig. 5: Charging and discharging time selection window.

On receiving the message $M_i'$, the CA/RA retrieves the original message $M_i$ from the received message as $M_i = M_i'/H(Q_{EV_i}^{S_{CA}})$. The CA/RA sends a one-time password (OTP) to the $EV_i$ for its identity verification. Thereafter, the CA/RA asks the CC to compute the power based on the charging/discharging request by the $EV_i$. Further, it computes the dynamic power load and announces its decision on allowing charging/discharging, i.e., Decision, to the $EV_i$.

Message (10): $CA/RA \to EV_i : \{Decision.H(Q_{EV_i}^{S_{CA}}), T_5\}$

Finally, the $EV_i$ performs the required operation based on the decision received from the CA/RA as $Decision/H(Q_{CA}^{S_{EV_i}})$. After completion of the desired operation by the $EV_i$, the CA/RA sends the required information to the control center (CC) for billing purposes.

For all the subsequent requests within a valid session of the key $k$, the $EV_j$ sends message (7) as $E_k[PID_j, T_j], r_j$ to the LAG. On receiving the message, the LAG decrypts it using the session secret key $k$ identified by $r_j$ and verifies the $PID_j$. If it is valid within a session, the LAG sends a verification command with $H(Q_{CA}^{S_{LAG}})$ to the CA/RA. In addition, the LAG sends a new random $r_j'$ as $E_k[r_j']$ to the respective $EV_j$, and the $EV_j$ sends its next authentication request along with this number so that the LAG can extract the respective session key of the $EV_j$. The CA/RA extracts the verification command using $H(Q_{LAG}^{S_{CA}})$ and sends a command to open a selection window for the $EV_j$. Thereafter, the protocol executes message (9) and message (10) as they are. After session expiration of the key $k$, the LAG discards the key $k$ and sends its related $PID_j$ to the CA/RA. On receiving it, the CA/RA removes $PID_j$ from its database.

V. SECURITY PROOFS, ANALYSIS, AND PERFORMANCE EVALUATION

This section presents computation proofs for the scheme, and the security and performance analysis of our scheme.

A. Computation Proofs

Theorem 1. The proposed scheme generates a shared secret key $k$ between the $EV_j$ and the LAG.

Proof: Generation of a shared secret key $k$ at the $EV_j$ and the LAG.

Secret key $k$ at LAG:

$$f_1 = e(g_1^{\mu}, g_2^{H(\sigma_{LAG})}), \text{ where } H(\sigma_{LAG}) = H(Q_{EV_j}^{S_{LAG}})$$
$$= e(g_1^{\prod_i PID_i}, g_2^{H(\sigma_{LAG})}) = e(g_1, g_2^{H(\sigma_{LAG})})^{\prod_i PID_i}$$

Secret key $k$ at $EV_j$:

$$f_2 = e((g_1)^{H(\sigma_{EV_j}) PID_j}, \xi), \text{ where } H(\sigma_{EV_j}) = H(Q_{LAG}^{S_{EV_j}})$$
$$= e((g_1)^{PID_j H(\sigma_{EV_j})}, g_2^{\prod_{i, i \neq j} PID_i}) = e(g_1^{H(\sigma_{EV_j})}, g_2)^{\prod_i PID_i},$$

since $e(P^a, Q) = e(P, Q^a) = e(P, Q)^a$ and $H(\sigma_{LAG}) = H(\sigma_{EV_j})$.

In a similar way, the other EVs can generate a shared secret key with their respective LAG.

Theorem 2. If all the requests are made by legitimate EVs to the respective LAG, the CA/RA verifies all the requests correctly.

Proof: Batch verification at CA/RA:

$$R.H.S. = \prod_i (g_1^{PID_i})^{\lambda} (\gamma_i)(\Gamma_i)^{\lambda} = \prod_i (g_1^{\lambda PID_i})(g_1^{x_i})(g_1^{\alpha_i})^{\lambda} = \prod_i g_1^{x_i + \lambda(\alpha_i + PID_i)}$$
$$L.H.S. = \prod_i g_1^{\delta_i} = \prod_i g_1^{x_i + \lambda(\alpha_i + PID_i)}$$

Hence, $\prod_i g_1^{\delta_i} = \prod_i \gamma_i . (g_1^{PID_i} \Gamma_i)^{\lambda}$ is true.

B. Security Analysis

In this subsection, authentication, session key establishment, and privacy preservation are discussed along with prevention against different attacks.

i) Mutual Authentication: Mutual authentication is provided between the $EV_j$ and the LAG. The LAG authenticates the $EV_j$ by verifying $\xi = g_2^{(\prod_i PID_i)/PID_j}$, and each $EV_j$ authenticates the LAG by comparing $H(f_2)$ with the received $H(f_1)$, i.e., $H(f_1) \stackrel{?}{=} H(f_2)$. Further, the original message $M$ can only be extracted by the CA/RA with $Q_{EV_j}$ and $S_{CA}$. Similarly, the Decision can only be retrieved by the $EV_j$ with $S_{EV_j}$ and $Q_{CA}$.

ii) Session Key Establishment: Each key $k$ is used as a session shared secret key for each authentication between the $EV_j$ and the LAG. The same key is used for a session within the expiry time.

iii) Privacy Preservation: The privacy of each $EV_j$ is protected during the authentication over the network. Each $EV_j$'s $PID_j$, initially generated by the CA/RA, is sent only once over the network. For a session, the shared secret key $k$ is used to encrypt the message information, i.e., $\{PID_j, T_j\}$. Hence, the cipher itself changes for every message within a session for each $EV_j$, and an attacker cannot retrieve any information from the cipher message, even though the same key is used to encrypt the messages within a session. After each session, the $EV_j$ requests a new $PID_j$ from the CA/RA.

iv) Integrity Protection: The proposed scheme provides integrity protection by sending hash values with each message transmitted over the network. If an adversary intentionally changes any transmitted message parameter, the received and computed hash values will not match at the receiver and the connection will be terminated. Further, our scheme generates a temporary identity, i.e., $PID_j$, for each $EV_j$; therefore, the adversary cannot track the actual identity of the $EV_j$.

v) Prevention Against Various Attacks: The proposed scheme defeats the following security attacks:

a. Impersonation Attack: The adversary Adv needs to know the $PID_j$ of the target/impersonated $EV_j$ assigned by the CA/RA. The CA/RA considers any other identity as fake and will discard the request. Further, a secret key is required to access the information communicated between the $EV_j$ and the LAG. Here, the attacker cannot obtain/generate the secret shared key without knowing its parameters. There are two possible cases for an impersonation attack as follows:

Case-1: Adversary (Adv) impersonates the $EV_j$:
1. The Adv changes $PID_j$ with a fake PID as $PID_l$, keeping the other parameters the same. On receiving the message (5), the LAG verifies $H_1' \stackrel{?}{=} H_1$. Since they do not match, the connection is terminated by the LAG.
2. The adversary Adv sends a fake $PID_l$ while changing the keys and the corresponding message with a new hash $AH_1$. As obviously $PID_l \neq PID_j$, the LAG rejects the request and terminates the connection.

Case-2: Adv impersonates the LAG: If the Adv tries to impersonate the LAG, the rogue Adv-LAG would not be able to retrieve the correct $\mu$ as $H(Q_{CA}^{S_{Adv-LAG}}) \neq H(Q_{CA}^{S_{LAG}})$. Further, $H(f_1) \neq H(f_2)$ at the $EV_j$. Hence, the $EV_j$ terminates the connection.

b. MITM Attack: An adversary tries to build a connection between the two communicating parties by setting up two secret keys, one for each party. There are two possible cases for this attack, as follows:

Case-1: Key-exchange by an adversary: The Adv cannot establish a connection with the $EV_j$ and the LAG as it cannot compute or retrieve $H(Q_{EV_j}^{S_{LAG}})$ or $H(Q_{LAG}^{S_{EV_j}})$. Further, the Adv cannot compute the correct $f_1$ or $f_2$. Hence, the Adv cannot generate any secret key that can work for the connection between the $EV_j$ and the CA/RA. Moreover, the Adv cannot keep track of the $EV_j$'s identity over the network.

Case-2: Adversary as a rogue LAG: The Adv may install a fake Adv-LAG instead of a legitimate LAG. In such a case, the Adv can extract the information provided by the $EV_j$ and can later use that information to access the system from a valid LAG. In order to prevent such access, after receiving the message from the LAG, the LAG sends a one-time password (OTP) to the $EV_j$ in order to verify its identity. Hence, two-factor authentication protects the system against any rogue LAG, one factor by sending an OTP and the other by verifying $PID_j$.

a new timestamp $AT_1$ and a new hash $AH_1$ instead of $T_1$ and $H_1$. Under this scenario, if the authentication of the legitimate $EV_j$ was previously successful, the next time the LAG expects a cipher message. If the message comes in plaintext and $PID_j$ exists in the list for which the session is currently active, the LAG discards the request and terminates the connection. If the Adv-$EV_j$ sends message (5) with a fake $PID_l$, the received message is sent by the LAG to the CA/RA for $PID_l$ and the CA/RA finds a mismatch between the received Adv-$EV_j$'s identity and the stored identities of all the EVs.

Case-2: Adv-CA/RA replay and injection attacks:
1. When the Adv-CA/RA replays a message (10) to the $EV_j$, the scenario is similar to case-1 (1).
2. A message (10) is sent with a new $AT_5$ and a fake $Decision.(Q_{EV_j}^{S_{CA}})$; then the $EV_j$ extracts the actual Decision from the received message. In this case, the $EV_j$ will not be able to retrieve the Decision correctly. Hence, the connection will be terminated.

Case-3: Adv-LAG replay and injection attacks:
1. When the Adv-LAG sends a message (6) as a replay message without any modification to the $EV_j$, the scenario is similar to case-1 (1).
2. The Adv-LAG modifies the timestamp value $T_2$ of message (6) to a new value $AT_2$, keeping the other message parameters the same. The $EV_j$ computes a hash $H_2'$ and compares $H_2' \stackrel{?}{=} H_2$. If the $EV_j$ finds a mismatch, it terminates the connection.
3. The Adv-LAG injects a new timestamp $AT_2$ and a new hash $AH_2$ in message (6) and sends it to the $EV_j$. The $EV_j$ checks $H(f_1) \stackrel{?}{=} H(f_2)$. Since $H(f_1) \neq H(f_2)$, the $EV_j$ discards the request.
4. The Adv-LAG injects a fake message instead of message (8). On receiving it, the CA/RA cannot decrypt the message correctly. Hence, the CA/RA terminates the connection.

TABLE II: Security and Privacy Requirements Analysis

Goals achieved: Mutual authentication, Privacy of EV's identity, Message integrity, Replay attack, MITM attack, Redirection attack, Impersonation attack

[8] [6] [4] [5] [7] [2] Our Scheme

Yes Yes Yes Yes No Yes Yes
Yes Yes Yes Yes No No Yes
Yes No Yes No Yes No Yes Yes Partial No
No No Yes Yes No
No No No Yes No
No No No No No
No Yes Yes No No
Yes Yes Yes Yes Yes



Case-3: Adversary tries to extract information from the message: The Adv may try to extract some information from the message (7) that is being sent over the network. The Adv cannot decrypt the message as it cannot generate the secret key for the same. Hence, the Adv cannot perform the M IT M attack.

d. Redirection Attack: Since each EVj sends the identity of the charging station to the CA/RA, the CA/RA verifies the location of each EVj by matching the received information from the EVj with the information stored in the database. If the EVj access permission does not match with the location information, the CA/RA discards the connection.

c. Replay and Injection Attacks: The Adv can intercept a message in order to perform a replay attack. It can also inject a message information during the communication over the network. Our scheme can resist the replay attack by using timestamp values in all transmitted messages between the EVj and the LAG over the network. If the Adv replays a previous message or injects some information to a message, there can be three different cases as follows: •

e. Other Attacks: Our scheme prevents Known Key Attack against the V 2G smart grid system as each session key k is different and is newly generated for each session between the EVj and the LAG. Also, the identity and hash-signature verification used in the scheme prevents Repudiation Attack.

Case-1: Adv−EVj replay and injection attacks: 1. The Adv−EVj captures and later sends message (5) to the LAG. The LAG performs a quick check on the received message and detects that message was resent as the received timestamp T1 is outdated. The message is considered valid only when T1 ≤ Tcurrent +Tthreshold , where Tthreshold is the threshold timestamp that is a maximum time considered for reaching a message from one node to another (e.g., between the EVj and the LAG). Hence, the replay attack is detected and the connection is terminated. 2. The Adv−EVj sends message (5) to the LAG with
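The LAG-side handling of message (5) described in the Adv−EVj replay and injection cases, as an added Python example that is not the authors' code. The keyed hash standing in for H1, the message fields and all sample values are assumptions; freshness is coded as a bound on message age (Tcurrent − T1 ≤ Tthreshold) so that an outdated T1 is rejected as the text describes.

```python
import hashlib
import hmac

T_THRESHOLD = 5  # seconds; constructed value for Tthreshold
# Identities and per-EV secrets held by the CA/RA (constructed sample data).
STORED = {"PID_j": b"constructed-secret-for-EVj"}

def h1(secret, pid, t1):
    """Assumed stand-in for H1: HMAC-SHA256 over PID and T1."""
    return hmac.new(secret, f"{pid}|{t1}".encode(), hashlib.sha256).hexdigest()

def lag_check(msg, now, active_sessions):
    """Decide what happens to an incoming message (5); the CA/RA lookup is inlined."""
    age = now - msg["t1"]
    if not 0 <= age <= T_THRESHOLD:
        return "reject: outdated T1 (replay)"
    if msg["pid"] in active_sessions and not msg["encrypted"]:
        return "reject: plaintext while session active"
    secret = STORED.get(msg["pid"])
    if secret is None:
        return "reject: PID not known to CA/RA"
    if not hmac.compare_digest(h1(secret, msg["pid"], msg["t1"]), msg["h1"]):
        return "reject: H1 mismatch"
    return "accept"

def run_cases():
    """Run constructed messages for each Adv-EVj case through the checks."""
    secret, adv = STORED["PID_j"], b"adversary-guess"
    genuine = {"pid": "PID_j", "t1": 1000, "encrypted": False,
               "h1": h1(secret, "PID_j", 1000)}
    fake = {"pid": "PID_l", "t1": 1060, "encrypted": False,
            "h1": h1(adv, "PID_l", 1060)}
    cases = {  # name: (message, current time at the LAG, PIDs with an active session)
        "genuine": (genuine, 1002, set()),
        "replayed later": (genuine, 1060, set()),
        "new T1, old H1": (dict(genuine, t1=1060), 1061, set()),
        "new AT1 and AH1": (dict(genuine, t1=1060, h1=h1(adv, "PID_j", 1060)),
                            1061, {"PID_j"}),
        "fake PID_l": (fake, 1061, set()),
    }
    return {name: lag_check(m, now, s) for name, (m, now, s) in cases.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:16} -> {verdict}")
```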

Table II summarizes the security and privacy goals achieved by the various schemes discussed in this paper. Our scheme fulfills all the mentioned requirements.

C. Performance Analysis

We consider a V2G smart grid network scenario with an authentication server CA/RA remotely connected with various LAGs. The specification of our system is a 1.70 GHz Core i3-4005U CPU with 4 GB RAM and a 500 GB drive. We performed the simulation in MATLAB. Further, the performance of our scheme is evaluated in terms of communication and computation overhead. We compare our scheme with the schemes presented in [8] and [6]. The scheme presented in [7] does not provide mutual authentication and is vulnerable to attacks. The scheme in [2] is not fit for the V2G network as it does not focus on vehicle behavior and V2G security and privacy features. The schemes proposed in [4] and [5] are extended works of the scheme in [6], which has a huge overhead. We did not consider the overhead generated by the schemes in [4] and [5] since they generate even greater overhead.

i) Communication Overhead: Communication overhead is the total number of bits transmitted over the network during the protocol/scheme execution. As shown in Table III, the overheads of our scheme for initial and subsequent authentication are 2977 bits and 737 bits, respectively. The total communication overhead of our scheme is lower than that of the schemes in [8] and [6]. If we assume that there are n EVs requesting authentication simultaneously, the total communication cost (for the first attempt) of our scheme would be 2977×n. Further, if we assume that r authentication requests are allowed by each EV to the CA/RA within a session, then for any subsequent authentication our scheme generates 737×r communication overhead while the schemes (with no session) in [8] and [6] produce 3392×r and 3264×r, respectively. Our scheme is efficient in terms of communication overhead as only a few variables/parameters need to be sent over the network.

TABLE III: Communication Overhead (in bits)

Overhead (bits) | P2 [8] | AP3A [6] | Our Scheme
Initial authentication | 3392 | 3264 | 2977
Subsequent authentication | 3392 | 3263 | 737

ii) Computation Overhead: We compute the overhead as presented in Table IV considering n EVs simultaneously requesting authentication. The total computation costs for the schemes in [8], [6], and our scheme are 76×n, 49×n+5, and 39×n+16, respectively. Assuming a unit value for each operation, our scheme is more efficient than the existing schemes. The actual computation time of each scheme depends upon the actual time taken by each operation. Our scheme generates a low overhead by reducing the pairing, exponentiation and scalar multiplication operations, and utilizing hash-based signatures.

TABLE IV: Computation Overhead

Operations | P2 [8] | AP3A [6] | Our Scheme
Pairing operation | 19×n | – | 2×n
Exponentiation | 14×n | 12×n | 11×n+9
Scalar multiplication | 28×n | n | 8×n+1
Addition | 11×n | 3×n-3 | 2×n
Invertible operation | n | 2×n+2 | –
Hash (H) | 6×n | 8×n+1 | 12×n+6
Auth. code (HMAC) | 7×n | 2×n | –
Encryption/decryption | – | 4×n | 4×n
XOR | – | 17×n+5 | –
Total | 76×n | 49×n+5 | 39×n+16

VI. CONCLUSION AND FUTURE WORK

Our scheme provides mutual authentication between various EVs and the LAGs (and CA/RA) with lower communication and computation costs by sending limited information over the network and using hash functions, and protects the privacy of each EV over the network. Also, our scheme provides resistance against various well known security attacks. In the future, we will extend this work by considering the scenario where an EV can charge its battery from a charging station located anywhere (also in a visiting area). The security and privacy requirements are more critical in such a scenario, such as receiving a PID by the EV, EV authentication by the visiting LAG, etc. Further, we will consider privacy challenges when the EVs are discharging their power to the grid through a centralized LAG.

ACKNOWLEDGMENT

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ICT Consilience Creative Program (IITP-2015-R0346-15-1007) supervised by the IITP (Institute for Information & communications Technology Promotion) and under the Basic Science Research Program (2013010489) through the NRF (National Research Foundation).

REFERENCES

[1] IEEE 1609 - Family of Standards for Wireless Access in Vehicular Environments (WAVE). [Online]. http://www.standards.its.dot.gov/factsheets/factsheet/80
[2] H. Guo, Y. Wu, F. Bao, H. Chen, and M. Ma, “UBAPV2G: A Unique Batch Authentication Protocol for Vehicle-to-Grid Communications,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 707-714, Dec. 2011.
[3] Batteries for Electric Cars: Challenges, Opportunities, and the Outlook to 2020, The Boston Consulting Group. [Online]. www.bcg.co.kr/documents/file36675.pdf.
[4] H. Liu, H. Ning, Y. Zhang, and L. T. Yang, “Role-Dependent Privacy Preservation for Secure V2G Networks in the Smart Grid,” IEEE Trans. on Infor. Forensics & Security, vol. 9, no. 2, pp. 208-220, Feb. 2014.
[5] H. Liu, H. Ning, Y. Zhang, and M. Guizani, “Battery Status-aware Authentication Scheme for V2G Networks in Smart Grid,” IEEE Trans. on Smart Grid, vol. 4, no. 1, pp. 99-110, Mar. 2013.
[6] H. Liu, H. Ning, Y. Zhang, and L. T. Yang, “Aggregated-proof Based Privacy-Preserving Authentication for V2G Networks in the Smart Grid,” IEEE Trans. on Smart Grid, vol. 3, no. 4, pp. 1722-1733, Dec. 2012.
[7] C. I. Fan, S. Y. Huang, and Y. L. Lai, “Privacy-Enhanced Data Aggregation Scheme Against Internal Attackers in Smart Grid,” IEEE Trans. on Industrial Informatics, vol. 10, no. 1, pp. 666-675, Feb. 2014.
[8] Z. Yang, S. Yu, W. Lou, and C. Liu, “P2: Privacy-Preserving Communication and Precise Reward Architecture for V2G Networks in Smart Grid,” IEEE Trans. on Smart Grid, vol. 2, no. 4, pp. 697-706, Dec. 2011.
[9] M. Badra and S. Zeadally, “Design and Performance Analysis of a Virtual Ring Architecture for Smart Grid Privacy,” IEEE Trans. on Information Forensics & Security, vol. 9, no. 2, pp. 321-329, Feb. 2014.
[10] Standards for Efficient Cryptography, “SEC1: Elliptic Curve Cryptography,” Certicom Research, 2000. [Online]. www.secg.org/SEC1-Ver1.0.pdf.
[11] E. Tremel, “Real-World Performance of Cryptographic Accumulators,” 2013. [Online]. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.388.2825.
[12] L. Nguyen, “Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation,” Topics in Cryptology (CT-RSA’05), LNCS vol. 3376, Feb. 2005, pp. 275-292.
[13] N. Saxena and N. S. Chaudhari, “VAS-AKA: An Efficient Batch Verification Protocol for Value Added Services,” IEEE International Conference on System, Man, and Cybernetics, Oct. 2013, pp. 1560-1565.