J Supercomput (2013) 64:435–455 DOI 10.1007/s11227-011-0674-5

Secure communication mechanism for ubiquitous Smart grid infrastructure

Binod Vaidya · Dimitrios Makrakis · Hussein Mouftah

Published online: 15 December 2011 © Springer Science+Business Media, LLC 2011

Abstract Smart grid and advanced metering infrastructure (AMI) technologies have recently been the focus of rapid advancement and significant investment by many utilities and other service providers. For proper Smart grid deployment, a smart energy home area network (HAN) must deploy a smart meter along with other utility HAN devices and customer HAN devices. The energy service interface (ESI) is deployed as a HAN gateway that provides two-way communications between HAN devices and utilities or service providers. However, in order to meet the envisioned functional, reliability, and scalability requirements of the Smart grid, cyber security must no longer be neglected. Thus, the development of a comprehensive security mechanism for the AMI network is essential. Remote access to HAN devices may be required either by a customer using a ubiquitous mobile device at a remote site or by maintenance personnel (from utilities or service providers) using handheld devices, and it must be done securely. In this paper, we propose a security mechanism for remote access to HAN networks which comprises a lightweight and effective ECC-based entity authentication mechanism and an ECC-based digital signature scheme. The ECC-based entity authentication mechanism allows the ESI to act as a gatekeeper that monitors the authentication process between two communicating entities. A modified ECC-based digital signature scheme provides secure data transfer between mobile devices and HAN devices. We have conducted security analysis, efficiency analysis, as well as formal verification of the proposed mechanism.

B. Vaidya · D. Makrakis · H. Mouftah, School of Information Technology & Eng, University of Ottawa, Ottawa, ON, Canada


Keywords Smart grid · AMI · HAN · Remote access · Security · Authentication mechanism · Digital signature scheme

1 Introduction

A vision of the Smart grid is a modern, resilient, and reliable electric grid that is cost-effective and provides greener environmental stewardship. Energy efficiency, demand response, and direct load control are major components in realizing value from a Smart grid deployment. Advanced Meter Infrastructure (AMI) technologies have recently been a focus of rapid advancement and significant investment by both utilities and third parties, as AMI systems, along with other integrated systems, provide a powerful means to achieve the Smart grid vision. With such AMI systems, many third parties can exploit this direct connection with customers and their facilities.

A home area network (HAN) may have several utility HAN devices (i.e., smart meter, Energy Services Interface (ESI)) and customer HAN devices (i.e., smart appliances, In-Home Displays (IHDs)) capable of connecting to a communications network. Among them, the ESI and the smart meter are major components in AMI networks. By utilizing the ESI, HAN devices and service provider(s) gain the ability to engage in two-way communications. Since all communications between HAN devices and remote devices pass through the ESI/HAN gateway, the ESI/HAN gateway could be the critical component that makes this secure communication possible.

Considering cyber security requirements in the Smart grid, integrity is considered the most critical requirement [27]. For instance, to provide entity authentication in the AMI network, HAN devices must be securely authenticated to the AMI Head-end and vice versa [23]. Different stakeholders (utility, non-utility service providers, vendors, customer) may require secure remote access to HAN devices for various purposes [3]. However, provisioning authentication to HAN applications and HAN devices in AMI networks may be challenging. Although utility HAN devices may be preprovisioned with an authentication credential, customer HAN devices obtained from retail stores or a third party may be burdened with provisioning authentication credentials. Thus, not only is inter-operability of authentication essential, but the authentication mechanism must also be simple and fairly automatic in order to support customer HAN devices at the HAN.

In this paper, we propose a security mechanism for remote access to HAN devices in AMI networks which comprises a lightweight and effective elliptic curve cryptography (ECC)-based entity authentication mechanism and an ECC-based digital signature scheme. The ECC-based entity authentication mechanism allows the ESI to act as a gatekeeper that monitors the authentication process between two communicating entities. A modified ECC-based digital signature scheme provides secure data transfer between mobile devices and HAN devices.

The rest of this paper is organized as follows. In Sect. 2, we discuss the relevant backgrounds and motivations, including the network model, identification protocols, problem statement/motivation, possible HAN applications, and related works. Sect. 3 presents our proposed security mechanism for the AMI network, which includes entity authentication and digital signature schemes, while Sect. 4 discusses the system analysis, including security proof, security analysis, efficiency analysis, and correctness proof. Finally, Sect. 5 provides concluding remarks as well as future works.

Fig. 1 Smart grid Conceptual model

2 Relevant backgrounds and motivations

2.1 Network model

The conceptual model defined by the National Institute of Standards and Technology (NIST), shown in Fig. 1, provides a high-level overview of the Smart grid, its stakeholders, and their expected interactions [14]. The Smart grid conceptual model depicts not only how data collection can be expected to proliferate as networked grid components increase but also how new entities may seek to collect, access, and use smart meter data. Furthermore, it also shows how “smart” appliances will communicate even more specific information directly to utilities, consumers, and other entities [14]. Architectural considerations include key components such as the Advanced Metering Infrastructure (AMI), Smart energy Home area networks (HAN), and the Communications network.

Advanced Metering Infrastructure (AMI)

AMI is the deployment of a metering solution with two-way communications to the smart meter to enable key features such as demand response, direct load control, etc. For instance, demand response (DR) signals can support utilities by providing customers with near real-time energy costs and power system reliability indices, and can thus help customers voluntarily manage their energy needs based on this information. HAN devices can automatically react to DR signals, which may address immediate needs or longer-term needs. The AMI Head-end is responsible for two-way communications with AMI meters to retrieve data and execute commands. It not only balances load on the communications network and monitors the AMI networks, but also remotely manages and implements firmware updates, configuration changes, provisioning functions, control, and diagnostics.

Smart Energy Home area network

The Smart energy devices on a customer’s premises form a Home Area Network (HAN). Several intelligent HAN devices may be deployed in a HAN. These HAN devices can be consumer HAN devices or utility HAN devices. Consumer HAN devices are devices that are procured by the consumer or a third party which is not the utility. For instance, these devices include smart appliances, IHDs, and energy management systems. Utility HAN devices within the premises are those devices which are typically provided by the utility, for instance, the ESI, smart metering devices, and load control devices. The ESI and the smart meter are the major components in AMI networks. The ESI is a unique interface between the service provider and customer domains that connects the HAN to the utility’s backhaul network, providing real-time energy usage information from the HAN to the utility’s center office. The ESI acts as a HAN gateway, which enables communication between authorized parties (e.g., utility, consumer, third-party service providers, etc.) and HAN devices. As such, the ESI and communications network may carry various types of data, including sensitive, confidential, and control data. Security and privacy protections are paramount; therefore, appropriate levels of protection must be provided for these types of communications. Security on this interface should be robust and comprehensive in order to protect utility assets (e.g., electric grid, AMI).

Communication networks

Communication networks will be central to the performance and availability of the envisioned Smart grid infrastructure. HANs may be implemented as wireless networks (e.g., WiFi, ZigBee, Bluetooth) or power line networks (e.g., HomePlug). The wireless solution may be the preferred choice as it minimizes installation costs and effort. Communication networks connecting outside the HAN may be a utility-owned AMI network or a public/private network. Many different types of media are increasingly available, including the public Internet over cable or digital subscriber line (DSL), broadband over powerline (BPL), cellular networks (GPRS), and neighborhood WiMAX and WiFi networks.

2.2 Identification protocols

The Schnorr identification protocol [22] allows entity authentication using a zero-knowledge proof of knowledge, i.e., the second party does not learn anything about the secret used. The Schnorr protocol [22] is a well-known identification protocol whose security properties can be formally proven.


The Girault–Poupard–Stern (GPS) protocol [12], proposed by M. Girault et al., is also a zero-knowledge identification protocol; it allows small hardware implementations of the prover wanting to assure its identity. The GPS protocol is more computationally efficient than the Schnorr protocol because it eliminates the modular reduction during the response calculation and makes use of pre-computed coupons [15]. These interactive identification protocols are preferred for many resource-constrained devices (i.e., Radio frequency identification (RFID), mobile devices, smart cards).

2.3 Problem statement/motivation

Considering cyber security requirements in the Smart grid, integrity is considered the most critical requirement [27]. For instance, a HAN device needs the capability to authenticate any control commands from the AMI head-end in order to prevent control by an adversary. Without such authentication, coordinated falsification of control commands across many HAN devices and/or at rapid rates could lead to grid stability problems. Moreover, it is also important that the AMI head-end authenticate the HAN device, both to ensure that commands are delivered to the correct device and that responses from that device are not forged.

However, provisioning authentication to HAN applications and HAN devices in AMI networks may be challenging. Although utility HAN devices may be preprovisioned with an authentication credential, customer HAN devices purchased from retail stores or a third party may be burdened with provisioning authentication credentials. Thus, not only is inter-operability of authentication essential, but the authentication mechanism must also be simple and fairly automatic in order to support customer HAN devices at consumer premises. It can be noted that if the authentication mechanism does not sufficiently authenticate devices or exposes authentication keys, then malicious attacks including Denial of service (DoS) attacks, Man-in-the-Middle (MitM) attacks, session hijacking, authentication sniffing, and session injection are possible.

Given the complexity of HAN applications, we have considered a device authentication mechanism [5], which is described in a US patent (US2010/0101970). In this mechanism, during communication between two electronic devices, a third device acts as a gatekeeper, which can allow or deny such communication based on permissions defined for these communicating devices. Even though the entity authentication mechanism [5] is appealing for distributed environments, it has several limitations. The resource-constrained devices need to maintain a large number of pre-shared secrets. These pre-shared secret keys are vulnerable to compromise attacks (i.e., easily confiscated by the adversaries). And finally, they are not easy to renew.

Our idea is motivated by the above mechanism [5]: our identification scheme inherits the concept of their scheme while reducing the burden of computing the witness online and of maintaining pre-shared secret keys. Thus, the third entity (i.e., ESI) will be able to verify the two communicating parties (i.e., HAN devices and mobile devices) during the network connection. Furthermore, we have also considered a digital signature scheme converted from an identification scheme, a technique originally proposed by Fiat and Shamir [10].


Fig. 2 HAN use cases

2.4 Possible HAN applications

HAN applications are one of the most important categories from the utility, third-party service provider, vendor, and consumer’s perspective. Any application that is enabled through the HAN will have one or more of the following characteristics: control, measurement and monitoring, processing, and human-machine interface [27]. The major stakeholders capable of remote access to HAN devices at the HAN can be grouped into three categories: Utility, Non-utility entity (third-party service provider, vendor), and Customer. Thus, we have identified three HAN use cases. Figure 2 shows the possible HAN use cases in HAN applications.

Use Case 1: AMI Head-end to HAN devices

The AMI Head-end may communicate with HAN devices for demand response (DR) applications. However, there are some challenges. HAN devices at the HAN, which are either bought or rented, may be from different vendors. In order to have entity authentication, these devices must share common secret keys. Thus, it may not be practical for the AMI Head-end to maintain pre-shared secrets with these devices. In addition, the adversaries may acquire these long-term secrets.

Use Case 2: Customer at remote site to HAN devices

The customer may interact with HAN systems and appliances via a third-party system. For instance, he may need to control (turn on/off) Heating, Ventilation, and Air conditioning (HVAC) from a remote site using the Internet or General packet radio service (GPRS). For this purpose, he may use different mobile devices (personal digital assistant (PDA), smart phone, notebook). In this regard, all the mobile devices must have pre-shared keys with all the HAN devices.

Use Case 3: Vendor at remote site to HAN devices

The vendor may interact with HAN systems and appliances for maintenance, upgrades, and other authorized activities. The vendor’s mobile handheld devices have to maintain pre-shared keys with many smart appliances located at different HAN sites. Storing pre-shared keys for all these appliances occupies a lot of space, and renewing these keys is difficult.


2.5 Related works

A review of the literature shows the significance of AMI communication infrastructures and applications [9, 25] as well as cyber security for Smart grid/AMI communications [8, 21, 24]. Some research works focus on AMI authentication, e.g., [2, 11, 19, 28], while others focus on data confidentiality [4, 30]. The paper [18] shows that the collaboration between a Smart house and a Smart grid is a promising approach, which can fully unleash the capabilities of the Smart electricity network with the help of Information and communications technology (ICT). The paper [20] evaluates the security measures of the myriad of devices being deployed into the multi-vendor environments in AMI infrastructure. The paper [19] discusses challenges regarding authentication and authorization, such as the possibility of losing the authenticated user identity when various applications are interfaced, privilege escalation, and the challenge of defining and enforcing a consistent authorization policy. The papers [2, 28] show how to secure an AMI-based home energy network by using certificate-based authentication and key management. Fouda et al. [11] propose a message authentication mechanism based on the Diffie–Hellman key establishment protocol and a hash-based message authentication code. Yan et al. [30] propose an in-network collaborative scheme to provide secure and reliable AMI communications in the Smart grid, with smart meters interconnected through a multi-hop wireless network.

3 Proposed security mechanism

In this section, we propose a lightweight and effective security mechanism, including an identification protocol and its signature scheme, that can be used for remote access to HAN devices in the AMI network. Table 1 shows the notations used in the proposed security mechanism for the Smart grid environment.

Table 1 Proposed security mechanism notations

| Notation | Definition |
|---|---|
| $s_I$ | Private key of entity; H for home device, D for mobile device |
| $V_I$ | Public key of entity; H for home device, D for mobile device |
| $r_J$ | Commitment of entity; H for home device, D for mobile device |
| $X_J$ | Witness of entity; H for home device, D for mobile device |
| $c_J$ | Challenge of entity; H for home device, D for mobile device |
| $y_J$ | Response of entity; H for home device, D for mobile device |
| $k_s$ | Shared secret key |
| $H(\cdot)$ | One-way hash function |
| $\oplus$ | XOR operation |


Fig. 3 Initialization phase

3.1 Proposed identification scheme

This sub-section presents a lightweight and effective entity authentication scheme for remote access to HAN devices in the AMI network. Given the shortcomings of the mechanism stated in [5], we propose a modified version of it. Even though the operation of the proposed protocol is similar to that of the above-mentioned protocol, there are a couple of differences. Firstly, the proposed scheme does not use a pre-shared secret key, which is vulnerable to compromise attacks and is not easy to maintain or renew. Secondly, our proposed scheme uses the GPS identification protocol [12] instead of the Schnorr identification protocol [22], since the former is more computationally efficient than the latter in terms of response calculation and pre-computed coupons. The aim of the proposed scheme is to provide interactive on-the-fly authentication among the parties involved in the communication.

This protocol is based on Elliptic curve cryptography (ECC) [17], which is an approach to public-key cryptography based on elliptic curves over finite fields. ECC has significant advantages, such as smaller key sizes and faster computations, compared with other public-key cryptography. The principal parameters for ECC are the elliptic curve $E$ defined over a finite field $F_q$ and a designated point $P$ on $E$ called the base point. $n$ is the order of $P$ in $E(F_q)$, and $h$ is the cofactor, i.e., $h = \#E(F_q)/n$.

In the proposed protocol, if the coupons are exhausted, they can be recalculated off-line on demand. So, the device does not have to compute the witness during the protocol run. However, it has to compute the short-term shared secret key between the communicating parties during the protocol run. In the proposed protocol, there are three phases: initialization, pre-computation, and verification.

3.1.1 Initialization

During the initialization phase, the HAN device acquires system parameters from the trusted authority. Then it computes the long-term public key $V_H$ from the secret private key $s_H$. Similarly, the mobile device also has the system parameters, $s_D$, and $V_D$. Figure 3 shows the initialization phase.

3.1.2 Pre-computation

During the pre-computation phase, both the mobile device and the HAN devices compute coupons. It is assumed that these devices are capable of re-computing coupons when needed.


Fig. 4 Protocol run of the verification phase

In the case of the mobile device:

For $j = 1$ to $n$:
  Choose a random number $r_{D_j} \in Z_q^*$
  Compute the witness $X_{D_j} = r_{D_j} \cdot P$
Store the coupons $\{r_{D_j}, X_{D_j}\}_{j=1}^{n}$

Similarly, for the HAN device:

For $j = 1$ to $n$:
  Choose a random number $r_{H_j} \in Z_q^*$
  Compute the witness $X_{H_j} = r_{H_j} \cdot P$
Store the coupons $\{r_{H_j}, X_{H_j}\}_{j=1}^{n}$

3.1.3 Verification

When the mobile device needs remote access to the HAN device, it starts the verification phase, during which the protocol is executed. Figure 4 shows the protocol run of the verification phase. It proceeds through the following steps:

Step 1. The mobile device selects one $(r_D, X_D)$ from its set of coupons and sends $X_D$ to the ESI/HAN gateway.
Step 2. The ESI relays $X_D$ to the HAN device after storing it in its memory.
Step 3. After receiving $X_D$, the HAN device selects one $(r_H, X_H)$ from its set of coupons and generates the challenge $c_H$ randomly; then it sends $\{c_H, X_H\}$ to the ESI.
Step 4. After saving $\{c_H, X_H\}$, the ESI sends them to the mobile device.
Step 5. The mobile device computes $k_{v1} = (x_{v1}, y_{v1}) = c_H \cdot s_D \cdot V_H$ and derives the shared secret value $k_s = x_{v1}$.
Step 6. The mobile device computes the response $y_D = k_s - c_H \cdot r_D$, generates $c_D$ randomly, and then sends $\{y_D, \gamma, c_D\}$ to the ESI.
Step 6. After saving $\{y_D, c_D\}$, the ESI forwards $\{y_D, \gamma, c_D\}$ to the HAN device.
Step 7. The HAN device computes $k_{v2} = (x_{v2}, y_{v2}) = c_H \cdot s_H \cdot V_D$ and derives the shared secret value $k_s = x_{v2}$. Obviously, $x_{v1} = x_{v2}$. It then computes $y_H = k_s - c_D \cdot r_H$ and sends $y_H$ to the ESI.
Step 8. After storing $y_H$, the ESI sends it to the mobile device.
Step 9. The mobile device and the HAN device verify the authenticity of each other by checking $y_H \cdot P + c_D \cdot X_H = k_s \cdot P$ and $y_D \cdot P + c_H \cdot X_D = k_s \cdot P$, respectively. The ESI verifies the authenticity of both communicating parties by checking $y_H \cdot P + c_D \cdot X_H = y_D \cdot P + c_H \cdot X_D$.

If any one of the verification equations is not satisfied, the concerned party sends a termination message to the respective parties. It should be noted that the shared secret key $k_s$ is renewed in each protocol run to avoid key compromise attacks.

3.2 Proposed digital signature scheme

For data transfer, we have considered a digital signature scheme based on our proposed identification scheme. A technique for transforming an identification scheme into a digital signature scheme was originally proposed by Fiat and Shamir [10]. When an identification scheme is converted into a digital signature scheme, the challenge from the verifier is replaced by a hash function. A digital signature scheme resulting from the above paradigm has the same complexity as the starting identification scheme.
Owing to its efficiency and simple design, this technique rapidly gained popularity and has been widely used. To use the proposed identification scheme as a signature scheme, the challenge $c$ is no longer randomly chosen by the verifier but computed by the prover using a one-way hash function $H$ such as SHA-1 or MD5. The mobile device and HAN devices use the key pair (i.e., $s_D$, $V_D$) and the shared secret key $k_s$ during the signature generation and verification phases. Figure 5 shows the protocol run for the proposed digital signature scheme.

To send a message $m$ to the HAN device, the mobile device runs the following protocol:

Step 1. Compute the encrypted message using the bitwise XOR operation as $m_1 = m \oplus k_s$
Step 2. Choose a random number $r \in Z_q^*$ to compute $X = (x_D, y_D) = r \cdot P$
Step 3. Derive $x_D$ to compute $c = H(x_D, m_1)$
Step 4. Compute $y = r - c \cdot s_D$
Step 5. Send the encrypted message $m_1$ with the signature $(c, y)$.

Fig. 5 Protocol run for proposed digital signature scheme

Upon receiving $(m_1, c, y)$ from the mobile device, the HAN device does the following:

Step 1. Compute $X_1 = y \cdot P + c \cdot V_D = (x_{D1}, y_{D1})$
Step 2. Derive $x_{D1}$ and verify $H(x_{D1}, m_1) \stackrel{?}{=} c$. If it holds, it accepts the encrypted message.
Step 3. Obtain the original message using the XOR operation as $m = m_1 \oplus k_s$.

4 System analysis

This section provides the system analysis of the proposed mechanism. It includes the security proof, security analysis of the identification scheme and the signature scheme, efficiency analysis of the identification scheme and the signature scheme, and the correctness proof of the identification protocol. It can be seen that our proposed mechanism is an effective solution for many HAN applications.

4.1 Security proof

This sub-section provides security proofs for the proposed security mechanism.

Theorem 1 If the mobile device and the HAN device follow the above identification protocol, the mobile device always accepts the HAN device’s proof of identity.

Proof

$$
\begin{aligned}
y_H \cdot P + c_D \cdot X_H &= k_s \cdot P \\
(k_s - c_D r_H) \cdot P + c_D r_H \cdot P &= k_s \cdot P \\
k_s \cdot P - c_D r_H \cdot P + c_D r_H \cdot P &= k_s \cdot P \\
k_s \cdot P &= k_s \cdot P
\end{aligned}
$$




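Theorem 2 If the HAN device and the mobile device follow the above identification protocol, the HAN device always acknowledges the proof of identity of the mobile device.

Proof

$$
\begin{aligned}
y_D \cdot P + c_H \cdot X_D &= k_s \cdot P \\
(k_s - c_H r_D) \cdot P + c_H r_D \cdot P &= k_s \cdot P \\
k_s \cdot P - c_H r_D \cdot P + c_H r_D \cdot P &= k_s \cdot P \\
k_s \cdot P &= k_s \cdot P
\end{aligned}
$$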



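Theorem 3 Following the above identification protocol, the ESI gateway always approbates the authenticity of both communicating parties, i.e., the HAN device and the mobile device.

Proof

$$
\begin{aligned}
y_H \cdot P + c_D \cdot X_H &= y_D \cdot P + c_H \cdot X_D \\
(k_s - c_D r_H) \cdot P + c_D r_H \cdot P &= (k_s - c_H r_D) \cdot P + c_H r_D \cdot P \\
k_s \cdot P - c_D r_H \cdot P + c_D r_H \cdot P &= k_s \cdot P - c_H r_D \cdot P + c_H r_D \cdot P \\
k_s \cdot P &= k_s \cdot P
\end{aligned}
$$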



Theorem 4 Following the applied protocol, if $x_{D1}$ and $x_D$ are mutually convertible using the signature parameter $y$, then the digital signature is validated.

Proof

$$
\begin{aligned}
X_1 &= y \cdot P + c \cdot V_D \\
&= (r - c\,s_D) \cdot P + c\,s_D \cdot P \\
&= r \cdot P - c\,s_D \cdot P + c\,s_D \cdot P \\
&= r \cdot P = (x_{D1}, y_{D1})
\end{aligned}
$$

From the above derivation, since $X_1 = (x_{D1}, y_{D1}) = r \cdot P = X = (x_D, y_D)$, then $x_{D1} = x_D$; it can be affirmed that $H(x_{D1}, m_1) = H(x_D, m_1)$.

Theorem 5 If two communicating entities have their key pairs and know each other’s public key, then they can have a shared secret key.

Proof

$$
\begin{aligned}
k_{v1} = (x_{v1}, y_{v1}) &= c_H \cdot s_D \cdot V_H \\
&= c_H \cdot s_D \cdot s_H \cdot P \\
&= c_H \cdot s_H \cdot V_D \\
&= k_{v2} = (x_{v2}, y_{v2})
\end{aligned}
$$

Thus, $k_s = x_{v1} = x_{v2}$. As a result, $k_s$ is used as a shared secret key between H and D.
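The identities proved in Theorems 1 to 5, run end to end in Python as an added example (not code from the paper): one verification-phase run with its three checks, a run with an altered response, and one signed message. The curve (secp256k1), SHA-256 in place of SHA-1 or MD5, reduction of the responses modulo $n$, the 32-byte message limit for the XOR step, and all function names are assumptions of this example.

```python
"""Added example (not the paper's code): the equations of Sects. 3.1-3.2 on a
real curve. Assumptions: secp256k1, SHA-256 as H, scalars reduced mod n,
messages of at most 32 bytes, and every function name."""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the paper names no curve)
FP = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order n of P
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point P

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def ec_mul(k, pt):
    """Double-and-add k.pt for k >= 0 (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def rand_scalar():
    return 1 + secrets.randbelow(N - 1)          # uniform in [1, n-1]

def keygen():
    s = rand_scalar()
    return s, ec_mul(s, G)                       # (s_I, V_I = s_I.P)

def coupon():
    r = rand_scalar()
    return r, ec_mul(r, G)                       # (r, X = r.P), computed off-line

def identification_run(key_d, key_h, tamper=False):
    """One verification-phase run; returns the three checks and k_s."""
    (s_d, v_d), (s_h, v_h) = key_d, key_h
    r_d, x_d = coupon()                          # step 1: mobile device's coupon
    r_h, x_h = coupon()                          # step 3: HAN device's coupon
    c_h, c_d = rand_scalar(), rand_scalar()      # challenges of H and D
    ks_d = ec_mul(c_h * s_d % N, v_h)[0]         # step 5: x-coord of c_H.s_D.V_H
    ks_h = ec_mul(c_h * s_h % N, v_d)[0]         # step 7: x-coord of c_H.s_H.V_D
    y_d = (ks_d - c_h * r_d) % N                 # response of D
    y_h = (ks_h - c_d * r_h) % N                 # response of H
    if tamper:                                   # constructed fault: y_D altered in transit
        y_d = (y_d + 1) % N
    lhs_h = ec_add(ec_mul(y_h, G), ec_mul(c_d, x_h))   # y_H.P + c_D.X_H
    lhs_d = ec_add(ec_mul(y_d, G), ec_mul(c_h, x_d))   # y_D.P + c_H.X_D
    return {
        "mobile_accepts_han": lhs_h == ec_mul(ks_d, G),   # Theorem 1
        "han_accepts_mobile": lhs_d == ec_mul(ks_h, G),   # Theorem 2
        "esi_accepts_both": lhs_h == lhs_d,               # Theorem 3
        "ks": ks_d if ks_d == ks_h else None,             # Theorem 5
    }

def h_challenge(x, m1):
    digest = hashlib.sha256(x.to_bytes(32, "big") + m1).digest()
    return int.from_bytes(digest, "big") % N

def xor_ks(data, ks):
    pad = ks.to_bytes(32, "big")
    if len(data) > len(pad):
        raise ValueError("message longer than k_s")
    return bytes(a ^ b for a, b in zip(data, pad))

def sign(m, s_d, ks):
    m1 = xor_ks(m, ks)                           # step 1: m1 = m XOR k_s
    r, x = coupon()                              # step 2: X = r.P
    c = h_challenge(x[0], m1)                    # step 3: c = H(x_D, m1)
    return m1, c, (r - c * s_d) % N              # step 4: y = r - c.s_D

def verify(m1, c, y, v_d, ks):
    """Return the recovered message, or None if the signature is rejected."""
    x1 = ec_add(ec_mul(y, G), ec_mul(c, v_d))    # X1 = y.P + c.V_D (Theorem 4)
    if x1 is None or h_challenge(x1[0], m1) != c:
        return None
    return xor_ks(m1, ks)

if __name__ == "__main__":
    key_d, key_h = keygen(), keygen()
    run = identification_run(key_d, key_h)
    print({k: v for k, v in run.items() if k != "ks"})
    m1, c, y = sign(b"HVAC: off", key_d[0], run["ks"])   # constructed message
    print(verify(m1, c, y, key_d[1], run["ks"]))
```

With `tamper=True` the HAN device's check and the ESI's check both fail while the mobile device's check of $y_H$ still holds, which is the case in which the protocol sends a termination message.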



4.2 Security analysis

4.2.1 Security analysis of identification scheme

We have analyzed various potential threats to our proposed identification scheme. The proposed scheme not only mitigates various attacks such as impersonation and MiTM but also provides mutual authentication. The mathematical assumption of our proposed scheme is the elliptic curve discrete logarithm problem (ECDLP).

1. Impersonation attack: If the adversary tries to impersonate a mobile user, he needs to know the shared secret key $k_s$ and the commitment $r_D$ to compute a valid response $y_D$. Deriving $k_s$ and $r_D$ is not feasible due to the intractability of the ECDLP.
2. Man-in-The-Middle (MiTM) attack: To perform MiTM attacks in the network, the attacker must be capable of capturing and modifying all communication flows between D and H. However, our protocol resists MiTM attacks since the adversary cannot know the secrets $r_D$, $r_H$, and the shared secret key $k_s$. Due to the intractability of the ECDLP, deriving $r_H$, $r_D$, and $k_s$ is not feasible.
3. 3-party authentication: All three verification equations need to be satisfied for a successful attempt. If any one of them fails, the process is terminated. In this way, the mobile device and the HAN device can provide mutual confirmation. Furthermore, the HAN gateway also verifies the authenticity of both communicating entities without knowing the secrets involved in the protocol.

4.2.2 Security analysis of signature scheme

In this sub-section, we analyze the security considerations from three perspectives: confidentiality, unforgeability, and undeniability. The mathematical assumptions of our proposed signature scheme are the elliptic curve discrete logarithm problem (ECDLP) [16] and the one-way hash function (OHF).

1. Confidentiality: To recover the message $m$, the adversary has to know the shared secret key $k_s$, as $m$ is encrypted with $k_s$.
2. Unforgeability: The proposed signature scheme is unforgeable because, based on the intractability of the ECDLP and OHF, the adversary cannot obtain $k_s$, $r_D$, or $s_D$ to forge a valid signature.
3. Undeniability: The proposed signature scheme is undeniable because once a signer creates a valid signature, he cannot repudiate it, as the shared secret key $k_s$ is known only to the two communicating parties.


Table 2 Time complexity notations

| Notation | Definition |
|---|---|
| $T_{mul}$ | Time complexity for executing modular multiplication |
| $T_{add}$ | Time complexity for executing modular addition |
| $T_{ECmul}$ | Time complexity for executing multiplication of a number and EC point |
| $T_{ECadd}$ | Time complexity for executing addition of two points in EC curve |
| $T_h$ | Time complexity for executing hash function |
| $T_{XOR}$ | Time complexity for executing XOR operation |

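Table 3 Computational cost comparison of entity authentications

| Scheme | Item | D | ESI | H |
|---|---|---|---|---|
| Proposed scheme | Init. | $1T_{ECmul}$ | | $1T_{ECmul}$ |
| Proposed scheme | Precom. | $nT_{ECmul}$ | | $nT_{ECmul}$ |
| Proposed scheme | Ver. | $4T_{ECmul} + 1T_{ECadd} + 1T_{mul} + 1T_{add}$ | $4T_{ECmul} + 2T_{ECadd}$ | $4T_{ECmul} + 1T_{ECadd} + 1T_{mul} + 1T_{add}$ |
| Scheme [5] | Init. | $1T_{ECmul}$ | | $1T_{ECmul}$ |
| Scheme [5] | Precom. | | | |
| Scheme [5] | Ver. | $4T_{ECmul} + 1T_{ECadd} + 1T_{mul} + 1T_{add}$ | $4T_{ECmul} + 2T_{ECadd}$ | $4T_{ECmul} + 1T_{ECadd} + 1T_{mul} + 1T_{add}$ |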

From the above discussions, it can be observed that the proposed scheme is secure against known active attacks even under the semantic security based on the intractability of ECDLP and the OHF assumptions.

4.3 Efficiency analysis

In this sub-section, we focus on the performance of the proposed schemes and analyze their efficiency. For convenience, we first define some notations to denote the performance time complexity, as shown in Table 2.

4.3.1 Efficiency analysis of identification scheme

We can divide the computational cost over three phases: initialization (Init.), pre-computation (Precom.), and verification (Ver.). From Table 3, it can be seen that the computational cost of the proposed scheme is the same as that of the device authentication scheme [5] during the protocol run. Furthermore, our protocol is more robust than the device authentication scheme [5], since in the latter the shared secret key is difficult to renew and is susceptible to compromise attacks.


Table 4 Computational cost comparison

| Item | Chung et al.'s scheme (time complexity) | Proposed scheme (time complexity) |
|---|---|---|
| Signature generation | $2T_{ECmul} + 1T_{ECadd} + 2T_{mul} + 2T_{add} + 1T_h$ | $1T_{ECmul} + 1T_{mul} + 1T_{add} + 1T_h + 1T_{XOR}$ |
| Signature verification | $3T_{ECmul} + 2T_{ECadd} + 1T_h$ | $2T_{ECmul} + 1T_{ECadd} + 1T_h + 1T_{XOR}$ |

4.3.2 Efficiency analysis of signature scheme We can divide the computational cost over two phases: signature generation and signature verification. Since Chung et al. scheme is designed for resource-constrained devices in distributed environments, it can also be used for HAN applications. So, we will compare our proposed signature scheme with Chung et al. scheme. Table 4 shows computational cost of two different ECC-based signature schemes derived from identification protocols. In Table 4, time complexity of the proposed scheme includes coupon computation during signature generation. However, since it is done off-line as mentioned in the pre-computation phase, the time complexity of the proposed scheme can be computed without TECmul in signature generation. It can be seen that both the signature generation phase and signature verification phase require much lesser TECmul and TECadd than Chung et al. scheme [7]. Hence, the proposed signature scheme yields highly efficient signature generation and signature verification phases. 4.4 Correctness proof of identification protocol In this subsection, we prove the correctness of the proposed identification protocol. Specifically, the correctness means that after the protocol execution, the communicating parties believe that they are sharing fresh secrets and make sure that this belief is confirmed by the other side. For correctness proof, we have considered SVO [26], which presents a logic for analyzing cryptographic protocols encompassing a unification of four of its predecessors in the BAN family of logics, namely BAN [6], GNY [13], AT [1], and VO [29]. SVO is compatible with the above mentioned logics. Furthermore, SVO offers significant advantages over its predecessors. SVO has many more notations, which are not expressible by other logics. SVO notations are shown in Table 5. In the following notations, P and Q are Principals, K is key, whereas ϕ and ψ are formulae. 
Table 5 Notations of SVO logic

Symbol            Explanation
P X               P sees X
(X)               X is fresh
P X               P received X
P |∼ X            P said X
P |≈ X            P says X
P ←K→ Q           P and Q share common secret key K
X ≡ Y             X equivalent to Y
P |≡ X            P believes X
P |⇒ X            P controls X
PKψ(P, K)         K is a public ciphering key of P
PKσ(P, K)         K is a public signature key of P
PKδ(P, K)         K is a public key-agreement key of P
[X]K              X signed with key K
{X}K              X is encrypted with K

Since the existing SVO logic does not cover ECC-based public key cryptography, we have extended SVO logic to accommodate ECC-based public key cryptography. We have added two important notations, which deal with ECC system parameters and with verification statements (VS) that check or verify the verification equations to identify the desired opponent.

EC(T, P) : ECC system parameter
VS(ϕ, ψ) : Verify if ϕ = ψ; if not true, reject the process

In order to analyze a protocol, the basic steps followed by SVO are: mention Initial State Assumptions, Received Message Assumptions (annotated protocol), State Comprehension Assumptions, State Interpretation Assumptions, and Derivations (First Order and Second Order). The basic rules and axioms underlying SVO logic are as follows:

SVO Rules

Modus Ponens (MP) : ψ ∧ (ϕ ⊃ ψ)  ψ
Necessitation (Nec) : ϕ  P |≡ ϕ

SVO Axioms

Believing
Ax1 : P |≡ ϕ ∧ P |≡ (ϕ ⊃ ψ) ⊃ P |≡ ψ
Ax2 : P |≡ ϕ ⊃ P |≡ (P |≡ ϕ)

Source Association
Ax3 : (P ←K→ Q ∧ R  {X Q}K) ⊃ (Q |∼ X ∧ Q  K)
Ax4 : (PKσ(Q, K) ∧ R  {X} ∧ SV(X, K, Y)) ⊃ Q |∼ Y

Key Agreement
Ax5 : (PKδ(P, Kp) ∧ PKδ(Q, Kq)) ⊃ P ←Fo(Kp,Kq)→ Q
Ax6 : ϕ ≡ ϕ[Fo(K, K )/Fo(K , K)]

Receiving
Ax7 : P  (X1, ..., Xn) ⊃ P  Xi
Ax8 : P  {X}K ∧ P  K¯ ⊃ P  X
Ax9 : P  [X]K ⊃ P  X

Seeing
Ax10 : P  X ⊃ P  X
Ax11 : P  (X1, ..., Xn) ⊃ P  Xi
Ax12 : (P  X1 ∧ ··· ∧ P  Xn) ⊃ P  F(X1, ..., Xn)

Comprehending
Ax13 : P |≡ (P  F(X)) ⊃ P |≡ (P  X)

Saying
Ax14 : P |∼ (X1, ..., Xn) ⊃ (P |∼ Xi ∧ P  Xi)
Ax15 : P |≈ (X1, ..., Xn) ⊃ (P |∼ (X1, ..., Xn) ∧ P |≈ Xi)

Jurisdiction
Ax16 : P |⇒ ϕ ∧ P |≈ ϕ ⊃ ϕ

Freshness
Ax17 : (Xi) ⊃ (X1, ..., Xn)
Ax18 : (X1, ..., Xn) ⊃ (F(X1, ..., Xn))

Nonce verification
Ax19 : (Xi) ∧ P |∼ X ⊃ P |≈ X

Symmetric goodness of shared keys
Ax20 : P ←K→ Q ≡ Q ←K→ P

We have added one more axiom to correctly evaluate the verification statement in the ECC-based authentication mechanism.

Ax21 : (P |≈ ϕ) ∧ (P  ψ) ∧ VS(ϕ, ψ) ⊃ ϕ ≡ ψ

For the analysis, some notations of the proposed scheme are listed in Table 6.

Table 6 Notations of proposed scheme

Symbol    Explanation
A         mobile device
B         HAN device
sI        Private key; I = A or B
VI        Public key; I = A or B
KSI       Shared secret key between A and B; I = A or B
rI        Commitment; I = A or B
XI        Witness; I = A or B
cI        Challenge; I = A or B
yI        Response; I = A or B

In the proposed scheme, the ESI/HAN gateway is used as a gatekeeper, which does not provide any input in the message exchange between the mobile device (A) and the HAN device (B). Thus, we can omit the messages exchanged by the ESI/HAN gateway and give a generalized form of the protocol for the proposed scheme, in which only A and B are involved. The message exchange in the protocol is shown in Table 7. It can be observed that the mobile device is the initiator of the message exchange in this protocol.

Table 7 Message exchange in the protocol

M1    A → B : XA
M2    B → A : cB, XB
M3    A → B : yA, cA
M4    B → A : yB

The shared secret keys are generated at A and B as follows: A and B compute KA = cB sA VB = (xA, yA) and KB = cB sB VA = (xB, yB), and derive KSA = xA and KSB = xB, respectively. It is also important to note that the verification equations for both entities (A and B) are checked at the end of the protocol. They are as follows:

yB P + cA XB = KSA P,    (1)
yA P + cB XA = KSB P     (2)

Equations (1) and (2) will be satisfied only if:
1. Secret key KSA and secret key KSB are equivalent.
2. rA is an ephemeral private parameter which is known only to A.
3. rB is an ephemeral private parameter which is known only to B.

Since the ESI/HAN gateway is neglected during formal verification, we will not provide the verification equation for the ESI/HAN gateway. The goal is that our protocol meets the requirements of mutual key agreement and entity authentication. In order to fulfill these requirements, a communicating party (A or B) should be aware of the public key of the opponent and possess a shared secret key known only to entities A and B. Since the goals for B and A are the same, we will only consider entity B. Thus, we have defined the following four goals:

G1 : B |≡ A |≈ PKδ(A, XA)
G2 : B |≡ B ←KS−→ A
G3 : B |≡ (KS)
G4 : B |≡ A |≈ A ←KS−→ B

Looking at the initial assumptions for the proposed protocol, we have the following premise set:

P1. B |≡ EC(T, P)
P2. B |≡ B  (sB, VB, rB, XB)
P3. B |≡ PKδ(B, (VB, XB))
P4. B |≡ (rB)
P5. B |≡ PKδ(A, VA)
P6. B  XA ⊃ B  XA
P7. B |≡ B  cB ∧ B |≡ (cB)
P8. B  yA, cA ⊃ B  yA ∧ cA, where yA = F(KSA, cB.rA) and KA = F(cB.sA.VB), KSA = xA
P9. B |≡ B  KSB, yB, where KB = F(cB.sB.VA), KSB = xB and yB = F(KSB, cA.rB)
P10. B |≡ VS(F(KSB.P), F(yA.P, cB.XA))

Ultimately, we can provide the following formal derivations for the proposed protocol:

1. B |≡ B  B ←KSB→ A
2. B |≡ B ←KSB→ A
3. B |≡ B ←KS−→ A
4. B |≡ (KS)
5. B |≡ B  PKδ(A, XA)
6. B |≡ A |≈ PKδ(A, XA)
7. B |≡ B  F(KSA.cB.rA)
8. B |≡ A |≈ A ←KSA→ B
9. B |≡ A |≈ A ←KS−→ B


As shown above, the proof goals G1–G4 are accomplished by proof analysis steps (6.), (3.), (4.), and (9.), respectively.
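The message exchange of Table 7 together with the key derivation and verification equations (1) and (2), as an added Python example that is not the authors' code. It assumes VI = sI·P, XI = rI·P and the response yI = KSI − c·rI mod n (this section gives only yI = F(KSI, c.rI)), and uses secp256k1 as a stand-in curve.

```python
# Added example (not the authors' code): one run of the Table 7 exchange.
# ASSUMPTIONS: V_I = s_I*P, X_I = r_I*P, y_I = KS_I - c*r_I mod n (the section
# gives only y_I = F(KS_I, c.r_I)); secp256k1 is a stand-in curve.
import secrets

p = 2**256 - 2**32 - 977                      # field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if a == b
           else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt):                               # double-and-add, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand():
    return secrets.randbelow(n - 1) + 1       # uniform in [1, n-1]

def run(a_holds_sA=True):
    """One protocol run; returns (KSA == KSB, eq (1) holds, eq (2) holds)."""
    sA, sB = rand(), rand()
    VA, VB = mul(sA, P), mul(sB, P)           # registered public keys
    if not a_holds_sA:
        sA = rand()                           # A lacks the key behind VA
    rA, rB = rand(), rand()
    XA, XB = mul(rA, P), mul(rB, P)           # M1: A -> B : XA
    cB, cA = rand(), rand()                   # M2: B -> A : cB, XB
    KSA = mul(cB * sA % n, VB)[0]             # A: KA = cB.sA.VB, KSA = x-coord
    yA = (KSA - cB * rA) % n                  # M3: A -> B : yA, cA
    KSB = mul(cB * sB % n, VA)[0]             # B: KB = cB.sB.VA, KSB = x-coord
    yB = (KSB - cA * rB) % n                  # M4: B -> A : yB
    eq1 = add(mul(yB, P), mul(cA, XB)) == mul(KSA, P)   # (1), checked by A
    eq2 = add(mul(yA, P), mul(cB, XA)) == mul(KSB, P)   # (2), checked by B
    return KSA == KSB, eq1, eq2
```

With matching keys both equations hold; when A does not hold the private key behind VA, KSA and KSB differ and both checks fail, which is condition 1 above.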

5 Conclusions and future works

In this paper, we have proposed a security mechanism, including an entity authentication scheme and a signature scheme, for remote access applications in Smart grid infrastructure. It is basically a zero-knowledge identification protocol and is based on ECC. In the proposed authentication scheme, the ESI/HAN gateway can verify two communicating devices (i.e., mobile device and HAN device) without knowing the secrets. Thus, our proposed authentication scheme has an advantage over the scheme stated in [5], as our scheme uses not only pre-computed coupons but also on-the-fly secret key agreement. Furthermore, we have proposed a signature scheme, which is derived from the above identification protocol. We have provided a security analysis of the proposed identification scheme as well as the signature scheme. It shows that our proposed identification protocol can resist several active attacks such as impersonation attacks and MiTM attacks, as well as provide 3-party authentication. The proposed signature scheme satisfies security conditions such as unforgeability, undeniability, and confidentiality. We have also provided an efficiency analysis of the proposed signature scheme in terms of computational cost. It can be seen that it is more efficient than the existing scheme. We have analyzed the proposed identification scheme by formal analysis methods using SVO logic. It can be seen that our protocol satisfies the goals of authentication and key agreement. Our future work will be to conduct experiments to implement our proposed protocols and to evaluate their performance.

Acknowledgements This work was supported by the Government of Ontario under the ORF-RE WISENSE project and the Natural Sciences and Engineering Research Council (NSERC) of Canada under NSERC Discovery Grant 2011-16.

References

1. Abadi M, Tuttle MR (1991) A semantics for a logic of authentication. In: Proceedings of the tenth annual ACM symposium on principles of distributed computing PODC’91, Aug 1991. ACM Press, New York, pp 201–216
2. Alfred J (2009) Securing smart meters and the home energy network. In: Proc of EDIST conference
3. AMI System Security Requirements V1.01 (2008) UCAIUG: AMI-SEC-ASAP, Dec 2008
4. Bohli JM, Sorge C, Ugus O (2010) A privacy model for Smart metering. In: Proc of IEEE international conference on communications workshops (ICC), pp 1–5, May 2010
5. Brown MK, Little HA, Davis DL (2010) Device authentication. US2010/0106970, Apr 2010
6. Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36
7. Chung YF, Huang KH, Lai F, Chen TS (2007) ID-based digital signature scheme on the elliptic curve cryptosystem. Comput Stand Interfaces 29(6):601–604
8. Cleveland FM (2008) Cyber security issues for advanced metering infrastructure (AMI). In: Proc of IEEE PES general meeting—conversion and delivery of electrical energy in the 21st century, p 15, Jul 2008
9. Depuru SSSR, Wang L, Devabhaktuni V, Gudi N (2011) Smart meters for power grid—challenges, issues, advantages and status. In: Proc of IEEE/PES power systems conference and exposition (PSCE 2011), pp 1–7, Mar 2011
10. Fiat A, Shamir A (1987) How to prove yourself: practical solutions to identification and signature problems. In: Advances in Cryptology—Proc of Crypto’86. LNCS, vol 263. Springer, Berlin, pp 186–194
11. Fouda MM, Fadlullah ZM, Kato N, Lu R, Shen X(S) (2011) Towards a light-weight message authentication mechanism tailored for Smart grid communications. In: Proc of the IEEE INFOCOM’11 workshop—SCNC, pp 1035–1040, Apr 2011
12. Girault M, Poupard G, Stern J (2006) On the fly authentication and signature schemes based on groups of unknown order. J Cryptol 19(4):463–487
13. Gong L, Needham R, Yahalom R (1990) Reasoning about belief in cryptographic protocols. In: Proc of the IEEE symposium on research in security and privacy, Oakland, CA, USA, pp 234–248
14. Guidelines for Smart Grid Cyber Security (2010) NISTIR 7628, vol 1–3, NIST, US Dept of Commerce, Aug 2010
15. Hofferek G, Wolkerstorfer J (2010) Coupon recalculation for the GPS authentication scheme. In: Smart card research and advanced applications. LNCS, vol 5189. Springer, Berlin, pp 162–175
16. Koblitz N (1987) Elliptic curve cryptosystems. Math Comput 48(177):203–209
17. Koblitz N, Menezes A, Vanstone S (2000) The state of elliptic curve cryptography. Des Codes Cryptogr 19(2–3):173–193
18. Kok K, Karnouskos S, Nestle D, Dimeas A, Weidlich A, Warmer C, Strauss P, Buchholz B, Drenkard S, Hatziargyriou N, Lioliou V (2009) Smart houses for a smart grid. In: Proc of 20th international conference on electricity distribution (CIRED 2009), Jun 2009
19. Lakshminarayanan S (2011) Authentication and authorization for Smart grid application interfaces. In: Proc of IEEE/PES power systems conference and exposition (PSCE 2011), pp 1–5, Mar 2011
20. McLaughlin S, Podkuiko D, Miadzvezhanka S, Delozier A, McDaniel P (2010) Multi-vendor penetration testing in advanced metering infrastructure. In: Proc of 26th annual computer security applications conference ACSAC’10. ACM Press, New York
21. Metke AR, Ekl RL (2010) Security technology for Smart grid networks. IEEE Trans Smart Grid 1(1):99–107
22. Schnorr C (1990) Efficient identification and signature schemes for smart cards. In: Advances in cryptology. Lecture notes in computer science, vol 435. Springer, Berlin, pp 235–251
23. Security Profile for Advanced Metering Infrastructure Ver 1.9 (2010) UCAIUG & NIST cyber security coordination task group, May 2010
24. Shein R (2010) Security measures for advanced metering infrastructure components. In: Proc of Asia-Pacific power and energy engineering conference (APPEEC 2010), pp 1–3
25. Smart Meters and Smart Meter Systems: a metering industry perspective. EEI-AEIC-UTC White Paper, Mar 2011
26. Syverson PF, van Oorschot PC (1994) On unifying some cryptographic protocol logics. In: Proceedings of IEEE symposium on research in security and privacy, pp 14–28, May 1994
27. UCAIug Home Area Network System Requirements Specification Ver 2.0 (2010) OpenHAN task force, Aug 2010
28. Vaidya B, Makrakis D, Mouftah HT (2011) Device authentication mechanism for Smart energy home area networks. In: Proc IEEE international conference on consumer electronics (ICCE 2011), pp 787–788, Jan 2011
29. van Oorschot PC (1993) Extending cryptographic logics of belief to key agreement protocols. In: Proc of the ACM conference on computer communications security, pp 232–243, Nov 1993
30. Yan Y, Qian Y, Sharif H (2011) A secure and reliable in-network collaborative communication scheme for advanced metering infrastructure in smart grid. In: Proc of IEEE wireless communications and networking conference (WCNC 2011), pp 909–914, Mar 2011