Sage Journals: Discover world-class research

Abstract

Smart grid is a modernized electrical grid. It is used to collect information about behaviors of suppliers and consumers and improve the efficiency, reliability, and economics of electricity. Recently, advanced metering infrastructure is proposed as a critical part of the smart grid. The security of advanced metering infrastructure is special importance for smart grid. In order to achieve data confidentiality, privacy, and authentication in advanced metering infrastructure, a lightweight authentication and key agreement scheme is proposed in this article. The scheme provides mutual authentication, key agreement, key refreshment, and multicast mechanism which can prevent various attacks. Furthermore, we analyze the security and performance of the scheme. The analysis shows that the proposed scheme is suitable for smart grid.

Keywords

Key agreement mutual authentication smart meter smart grid

Introduction

Smart grid (SG) is designed to replace traditional electric power infrastructure and used to manage electricity demand in a sustainable, reliable, and economic manner. There are bi-directional flows of power and communication between the provider and consumers of electronic power in SG. Figure 1 shows the communication architecture for SG, which includes home area network (HAN), building area network (BAN), and neighborhood area network (NAN). There is a control center (CC) in each NAN which is designed to manage NAN. The building gateways collect electricity consumption and customers’ requirements and then transmit to CC. CC allows customers to control their own electricity situation and further adjustment of electricity consumption at any time, which save energy and money.^1–3 The SG can also detect power outages before it becomes large-scale black out, which helps electricity to recover quickly after an emergency. The security and privacy of information which exchanges between customers and the CC has become important and challenging topics in the SG. SG is vulnerable to a variety of malicious attacks, such as man-in-the-middle (MIMT), denial of service (DOS), impersonation, brute-force, and replay.¹ The impact of these attacks can cause a significant loss and harm on society. As a result, a security protocol should be provided in SG.^1,4–13

Figure 1.

Communication architecture for smart grid.

In order to complete the bi-directional communication, an advanced metering infrastructure (AMI) which contains a key component (smart meter (SM)) should be used in SG. SM is a rather limited resource with low memory and computational capacity. The privacy of SMs need to be considered^1,14 since the SG requires a lightweight secure authentication and key agreement framework.

The security of SG has gained substantial attention. In 2011, a key distribution and management scheme for AMI was proposed by Kamto et al.¹⁵ The aim of the protocol is to provide communication security between group of devices and SMs in HAN. Fouda et al.¹⁶ proposed a message authentication scheme between HAN gateway (GW) and BAN GW. Wu and Zhou¹⁷ presented a key management scheme for SG based on symmetric key and elliptic curve public key technique. The scheme contains three major mutual authentication schemes, and it includes a trusted third party. However, the scheme is vulnerable to MIMT attack.¹⁸ The researchers proposed a secure key distribution protocol for the SMs in a non-public key infrastructure (PKI) environment which includes a trusted third party.¹⁸ Based on the concept of certificateless public key cryptography (CL-PKC), Seo et al.¹⁹ proposed a key management scheme for securing end-to-end communication in the AMI. Li et al.²⁰ proposed an authentication scheme for SG based on Merkle hash tree. Nicanfar et al.²¹ proposed an authentication and key management mechanisms for SG which includes key refreshment mechanism, multicast and broadcast mechanism.

In this article, we propose an authentication and key agreement scheme for SG. Based on hash-based message authentication code, the proposed scheme allows SMs and BAN GW to make mutual authentication and key agreement in a lightweight. Compared to related scheme, the proposed protocol provides lower computation cost and better security without the trust third party. The scheme also provides secure and efficient mechanisms for key updates.

In our scheme, we use the Dolev–Yao threat model.²² Two communicating parties communicate over an insecure public channel. All participants are not to be trusted in our scheme. Moreover, an adversary can obtain sensitive information stored in smart card, then he or she can launch attack.

The rest of this article is organized as follows. Section “AMI communication architecture” describes the communication architecture about the AMI. We present the scheme in section “The proposed scheme.” The security and performance analysis are given in sections “Security analysis” and “Performance analysis.” Finally, we draw our conclusion in the last section.

AMI communication architecture

AMI is one of the critical parts in SG system. Figure 2 shows our considered SG communication architecture for AMI. It consists of the following components: a BAN GW, several SMs, and electronic household appliances. The BAN GW is responsible for gathering, analyzing, and storing data from SMs, then transmitting to NAN GW. It also receives instructions from NAN GW and sends to SMs. To facilitate the communication, WIFI will be adopted. Meantime, a SM comprising MSP430-F4270 which memory size is up to 8 KB random access memory (RAM) and 120 KB Flash memory. The BAN GW is also a SM which is equipped with a high-power server, 160 MHz CPU, 128 KB RAM, and 1 MB flash memory is considered.²³

Figure 2.

Smart grid architecture for AMI.

In this article, we focus on secure mutual communication between the BAN GW and SM in HAN. Since SM has limited computing power and storage resources, BAN GW has to mange thousands of SMs. The computational efficiency should be considered in the proposed protocol.

The proposed scheme

When a SM joins the SG, it must first register with the BAN GW. After successful registration, the SM builds a session key with BAN GW. Then, they communicate with the help of the session key. The proposed scheme has four phases: Registration, Authentication and Key agreement phase, Key refreshment, and Multicast key generation. The notations used throughout the article are shown in Table 1.

Table 1.

Notations used in the article.

Symbol	Definition
ID_i	Unique identity of SM_i
h(SN_i )	Unique serial number of SM_i
K	GW’s symmetric key
DID_i	Dynamic identity of SM_i
h(·)	The one-way hash function such as MD5
GW	BAN gateway
⊕	The bitwise XOR operation
‖	The bitwise concatenation operator

Registration phase

When a new SM_i joins in BAN, it submits its ID_i and h(SN_i ) to the BAN GW in a secure channel, where SN_i is an initial secret password and h(SN_i ) is embedded by the manufacturer. Upon receiving the registration request, the GW computes N_i = h(ID_i ‖ h(SN_i )) ⊕h(K ‖ X_i ) and h(h(SN_i )), where X_i is a secret value generated by the BAN GW. K and X_i are only known by the BAN GW, and “‖” is a concatenation operator. Then, BAN GW personalizes the SM_i with the parameters h(·), ID_i, N_i, h(h(SN_i )), and X_i , where h(·) is a one-way secure hash function. The SM_i needs to store h(·), ID_i, N_i, h(SN_i ), and X_i . GW only needs to store ID_i, h(·), K, and X_i . We illustrate SM_i ’s registration phase in Figure 3.

Figure 3.

The registration phase of the SM.

The administrator uses ID_i and SN_i to access data of SM. The SM verifies them validity with the stored values ID_i and h(SN_i ).

Authentication and key agreement phase

During the registration phase, the SM joins in the BAN. Before it exchanges data with GW, they need to verify each other and establish a session key.

During the verification phase, SM_i computes data and sends to the BAN GW.

Step-SM1: Computes DID_i = h(ID_i ‖ h(SN_i )) ⊕h(X_i ‖ T ₁) where T ₁ is current timestamp of SM_i ’s system.

Randomly selects K_i , computes PK_i = h(h(K ‖ X_i )‖ T ₁)) ⊕ K_i and B_i = h(N_i ‖ X_i ‖ T ₁ ‖ PK_i ) where h(K ‖ X_i ) = N_i ⊕ h(ID_i ‖ h(SN_i )).

Then sends <ID_i, DID_i, B_i, T ₁, PK_i > to BAN GW and stores K_i .

Step-GW2:

After receiving the message <ID_i, DID_i, B_i, T ₁, PK_i > at time T*, BAN GW authenticates SM_i by the following steps:

Checks if (T* − T ₁) ≤ ΔT then BAN GW proceeds to next step, else abort, where ΔT denotes the maximum allowed transmission delay.

Chooses the X_i based on ID_i . Computes h(ID_i ‖ h(SN_i ))* = DID_i ⊕ h(X_i ‖ T ₁) and B_i * = h(h(ID_i ‖ h(SN_i ))* ⊕ h(K ‖ X_i ) ‖ X_i ‖ T ₁ ‖ PK_i ).

If B_i * = B_i then BAN GW accepts the request, otherwise request is rejected.

Computes K_i = h(h(K ‖ X_i ) ‖ T ₁)) ⊕ PK_i .

Randomly selects K_GW , computes PK_GW =K_GW ⊕ h(K_i ‖ T ₂ ‖ X_i) and C_i = h(DID_i ‖ T ₂ ‖ K_i ‖ PK_GW ) ⊕ h(K ‖ X_i ) where T ₂ is current timestamp of BAN GW.

Then BAN GW sends the message <ID_i, C_i, T ₂, PK_GW > to SM_i .

Step-SM3: After receiving the message <ID_i , C_i, T₂, PK_GW > at time T′, the SM_i authenticates BAN GW by the following steps:

SM_i first validates the timestamp and checks ID_i . If (T′ − T ₂) ≤ ΔT and a correct ID_i , then proceeds to next step, else abort.

SM_i computes C_i * = h(DID_i ‖ T ₂ ‖ K_i ‖ PK_GW ) ⊕h(K ‖ X_i ) and checks whether it is equal to C_i where h(K ‖ X_i ) = N_i ⊕ h(ID_i ‖ h(SN_i )). If this checks pass correctly, SM_i accepts the message.

The GW and SM_i separately obtain the shared session key K_s = h(K_i ⊕ K_GW ). The authentication and key agreement phase is shown in Figure 4.

Figure 4.

The authentication and key agreement phase.

The SM and BAN GW mutual authenticate to each other and establish a session key.

Key refreshment

In order to protect the session key, the scheme presents a key refreshment mechanism. The system sets the values of two times FR and LR which are saved in SMs and BAN GW as system parameters. FR is a short-term refreshment process, and LR is a long-term refreshment process.

In the short-term refreshment process, the SM_i and BAN GW separately recompute a new session key K_s ′ = h(K_s ⊕ h(K ‖ X_i )).

In the long-term refreshment process, the SM_i and BAN GW perform authentication and key agreement phase again.

Multicast key generation

Sometimes BAN GW needs to send multicast messages to SMs. For example when peak energy consumption, BAN GW sends a command to a group of SMs asking them to temporarily turn off or switch to lower power level. Furthermore, the security of multicast message is also important. In the scheme, we present a mechanism about multicast key.

Establishing a multicast group

When establishing a communication group, BAN GW first sends an message <ID_a, T_a , (MID_i, T_a, X_a, K_g )_Ksa> to each SM who will join the multicast group, where ID_a is the id of SM_a, T_a is current timestamp of BAN GW, MID_i is a unique identify of the group, X_a is a secret value only known by the BAN GW, and SM_a, K_g is the group key which is generated by BAN GW, K and X_a are only known by the BAN GW. The message (MID_i, T_a, X_a, K_g )_Ksa is encrypted by K_sa , where K_sa is the symmetric key shared between BAN GW and SM_a .

Joining multicast group

When receiving the message <ID_a, T_a , (MID_i, T_a, X_a, K_g )_Ksa> at time T*, the SM_a verifies BAN GW by the following steps. Checks if (T* − T_a ) ≤ ΔT where ΔT denotes the maximum allowed transmission delay, and checks ID_a whether it is SM_a ’s identification, If these check pass correctly, to next step, else abort.

SM_a decrypts the packet and checks X_a , obtains the MID_i and K_g , then sends <ID_a, T_b , (MID_i, ID_a, T_b )_Kg > to BAN GW.

BAN GW verifies the message, records the ID_a and adds SM_a to the list of the multicast group, then they can communicate with K_g . The multicast key generation phase is shown in Figure 5.

Figure 5.

The multicast key generation phase.

Security analysis

The section shows the security analysis of our proposed protocol, and we refer to the discussion about the most well-known attacks such as integrity, replay, impersonation, and MIMT attack. The main security features of the protocol are given as follows:

Mutual authentication and key agreement. The proposed scheme provides mutual authentication and establishes a secure shared key between the SM and BAN GW.

Replay attack. In the protocol, SM sends <ID_i, DID_i, B_i, T ₁, PK_i > to GW where DID_i, B_i, PK_i have a timestamp T ₁. And GW sends <ID_i , C_i, T ₂, PK_GW > to SM where C_i, PK_GW also have a timestamp T ₂. When the SM and BAN GW receive messages, they first validate the timestamp. Therefore, a replay attack does not work in the protocol.

Resiliency of stolen SMs attack. Anyone must use the ID and SN to access data of SM. When he or she inputs ID_i and SN_i , the SM verifies the validity of ID_i and SN_i with the stored values ID_i and h(SN_i ). So, SN is not stored in any device which prevents the protocol from stolen-verifier attack.

Integrity assurance. In the proposed scheme, GW computes B_i * = h(h(ID_i ‖ h(SN_i ))* ⊕h(K ‖ X_i ) ‖ X_i ‖ T ₁ ‖ PK_i ) when it receives <ID_i, DID_i, B_i, T ₁, PK_i >, then checks if B_i * = B_i . SM computes C_i * = h(DID_i ‖ T ₂ ‖K_i ‖ PK_GW ) ⊕ h(K ‖ X_i ) and checks whether it is equal to C_i. So SM and BAN GW confirm the message not be tampered by B_i and C_i .

MIMT. The adversary may receive messages <ID_i, DID_i, B_i, T ₁, PK_i > and <ID_i , C_i, T ₂, PK_GW > which transmit between SMs and BAN GW. The adversary cannot compute B_i, PK_i, C_i , and PK_GW because he or she does not know X_i and K. He or she cannot inject new valid data during the communication.

Ephemeral key compromise impersonation. Suppose that an adversary performs an offline dictionary attack or brute-force attack and obtains the shared key. Because the shared key need to be updated in a short-term, and the refreshment requires old session key K_s and h(K ‖ X_i ), the adversary is still not able to compute the new session key.

Table 2 shows the comparison of security features among different works.

Table 2.

Security comparison of proposed protocol and related works.

Security features	Proposed	Kamto et al.¹⁵	Fouda et al.¹⁶	Wu and Zhou¹⁷	Xia and Wang¹⁸	Seo et al.¹⁹	Li et al.²⁰	Nicanfar et al.²¹
Key agreement	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes
Mutual authentication	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Shared key update	Yes	Yes	No	No	No	Yes	No	Yes
Multicast key generation	Yes	Yes	No	No	No	No	No	Yes
Replay attack	Yes	No	Yes	Yes	Yes	No	Yes	Yes
Resiliency of stolen smart meters attack	Yes	No	No	No	No	No	No	No
Integrity assurance	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Ephemeral key compromise impersonation	Yes	Yes	No	No	No	Yes	No	Yes
MIMT	Yes	No	Yes	No	Yes	No	Yes	Yes

MIMT: man-in-the-middle.

In summary, our scheme provides the password update phase, session key agreement, multicast key generation, and mutual authentication and achieves more security features. The proposed scheme is secure and suitable for SG environment.

Performance analysis

In this section, we summarize performance analysis of our proposed protocol. We first compare our proposed protocol with the protocol in Nicanfar et al.²¹ In our scheme, the SMs and BAN GW only perform hash computation and EXCLUSIVE-OR operation. The computation complexity of EXCLUSIVE-OR operation is negligible, so we focus on hash computation. Every SM needs seven hashes and BAN GW costs seven hashes for every SM in our protocol during the authentication and key agreement phase. In Nicanfar et al.,²¹ every SM costs eight hashes and two modular exponentiation computation, and BAN GW also needs eight hashes and two modular exponentiation computation for every SM.

In communication overload, compared with Nicanfar et al.,²¹ the number of packets needed for authentication and key agreement is from three to two. To estimate the required communication bits, the bit lengths of parameters are assumed as follows.^24,25 The nonce, identity ID, and hash output are 128 bits. The timestamp is 32 bits, and the output of modular exponentiation computation is 320 bits. The communication cost required in our scheme is 128 * 7+32 * 2 = 960 bits. The scheme of Nicanfar et al.²¹ requires 960 bits, two encrypted and signed parameters. Compared with the scheme in Nicanfar et al.,²¹ our scheme has less communication cost.

On the other hand, rivest-shamir-adleman (RSA) algorithm was suggested to secure SG.²¹ RSA is one of the fist practical public key algorithms, and it is widely used for secure data transmission. We compare our protocol with RSA-based authentication and key agreement scheme. In computation complexity, we mainly consider RSA and hash computations. In RSA-based protocol, at least every SM performs a RSA encryption to encrypt data and a RSA signature to sign messages. And BAN GW performs a RSA decryption to decrypt the package and a RSA signature verification to verify the signature for every SM.

Experiments have been conducted to study the execution. We adopt the benchmarks of the modular exponentiation computation, hash computation, and RSA-based cryptography^26,27 as shown in Table 3. The implementation was executed on an Intel(R) Core(TM) i5-4300M 2.6 GHz machine.

Table 3.

Benchmarks of cryptographic operations.

Description	Execution time (ms)
Modular exponentiation	0.05
Hash(MD5)	0.04
RSA encryption	0.36
RSA decryption	1.10
RSA signature	1.27
RSA signature verification	0.25

Figure 6 shows the computation time in our scheme, RSA-based scheme, and the protocol in Nicanfar et al.²¹ Figure 6(a) shows the computation cost of BAN GW and Figure 6(b) shows the computation cost of SMs. According to Figure 6, with the increasing number of SMs, the total computation cost significantly increases in RSA-based scheme. On the contrary, the computation cost is constantly low in the proposed scheme. Therefore, the proposed scheme achieves more computation efficient than RSA-based scheme and protocol in Nicanfar et al.²¹

Figure 6.

The computation time of smart meters and BAN GW in related protocol: (a) computation cost of the BAN gateway and (b) computation cost of smart meters.

Conclusion

In this article, we have proposed a secure and efficient scheme for SG. The proposed scheme provides mutual authentication, key agreement, key refreshment, and multicast mechanism. Detailed security analysis has demonstrated that the proposed protocol meets the security and privacy requirements for SG. Extensive performance evaluation further shows that its efficiency in terms of computation complexity and communication overhead. Our protocol is suitable for resource-constrained SG applications.

Footnotes

Academic Editor : Fei Yu

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This work was supported by the Foundation of Cyberspace Security Key Laboratory of Sichuan Higher Education Institutions,China paper no. szjj2014-074,and Scientific Research Foundation of CUIT,China paper no. KYTZ201421.

References

The Smart Grid Interoperability Panel Cyber Security Working Group. Introduction to NISTIR 7628 guidelines for smart grid cyber security, 2010, http://www.nist.gov/smartgrid/upload/nistir-7628_total.pdf

Liu

Ning

Zhang

. Aggregated-proofs based privacy-preserving authentication for V2G networks in the smart grid. IEEE T Smart Grid 2012; 3(4): 1722–1733.

Liang

. EDR: an efficient demand response scheme for achieving forward secrecy in smart grid. In: Proceedings of the IEEE GLOBECOM, Anaheim, CA, 3–7 December 2012, pp.929–934. New York: IEEE.

Hamlyn

Cheung

Mander

. Network security management and authentication of actions for smart grids operations. In: Proceedings of the IEEE international conference on electrical power, Montreal, QC, Canada, 25–26 October 2007.

Moslehi

Kumar

A reliability perspective of the smart grid. IEEE T Smart Grid 2010; 1(1): 57–64.

Ericsson

GN.

Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE T Power Del 2010; 25(3): 1501–1507.

Kursawe

Danezis

Kohlweiss

. Privacy-friendly aggregation for the smart-grid. In: Proceedings of the 11th international conference on privacy enhancing technologies, Waterloo, ON, Canada, 27–29 July 2011.

Krishna

Reddy

. Securing smart grid technology. In: Proceedings of the international conference on graphic and image processing, Singapore, 5 October 2012.

Yan

Qian

Sharif

. A survey on cyber security for smart grid communications. IEEE Commun Surv Tut 2012; 14(4): 998–1010.

10.

Fang

Misra

Xue

. Smart grid—the new and improved power grid: a survey. IEEE Commun Surv Tut 2012; 14(4): 944–980.

11.

Wang

Cyber security in smart grid: survey and challenges. Comput Netw 2013; 57(5): 1344–1371.

12.

Habash

Groza

Krewski

. A risk assessment framework for the smart grid. In: Proceedings of the IEEE international conference on electrical power and energy, Ottawa, ON, Canada, 21–23 August 2013.

13.

Ambrosin

Hosseini

Mandal

. Verifiable and privacy-preserving fine-grained data-collection for smart metering. In: Proceedings of the 1st workshop on security and privacy in cybermatics, Florence, 28–30 September 2015, pp.655–658. New York: IEEE.

14.

Cuijpers

Koops

BJ.

Het Wetsvoorstel “Slimme Meters,” Een Privacytoets op Basis van art. 8 EVRM. Tilburg: Tilburg University, 2008.

15.

Kamto

Qian

Fuller

. Light-weight key distribution and management for advanced metering infrastructure. In: Proceedings of the IEEE GLOBECOM workshops, Houston, TX, 5–9 December 2011, pp.1216–1220. New York: IEEE.

16.

Fouda

Fadlullah

Kato

. A lightweight message authentication scheme for smart grid communication. IEEE T Smart Grid 2011; 2(4): 675–685.

17.

Zhou

Fault-tolerant and scalable key management forsmart grid. IEEE T Smart Grid 2011; 2(2): 371–378.

18.

Xia

Wang

Secure key distribution for the smart grid. IEEE T Smart Grid 2012; 3(3): 1437–1443.

19.

Seo

Ding

Bertino

. Encryption key management for secure communication in smart advanced metering infrastructures. In: 2013 IEEE international conference on smart grid communications, Vancouver, BC, Canada, 21–24 October 2013, pp.21–24. New York: IEEE.

20.

Zhou

. An efficient Merkle-Tree-based authentication scheme for smart grid. IEEE Syst J 2014; 8(2): 655–663.

21.

Nicanfar

Jokar

Beznosov

. Efficient authentication and key management mechanisms for smart grid communications. IEEE Syst J 2014; 8(2): 629–640.

22.

Dolev

Yao

AC.

On the security of public key protocols. IEEE T Inform Theory 1983; 29(2): 198–208.

23.

O’Connell

De Vries

. Digital energy metering for electrical system management. In: Proceedings of the ACM symposium applied computing, Sierre, 22–26 March 2010, pp.516–520. New York: ACM.

24.

Odelu

Das

Goswami

A secure biometrics-based multi-server authentication protocol using smart cards. IEEE T Inf Foren Sec 2015; 10(9): 1953–1966.

25.

Odelu

Das

Wazid

. Provably secure authenticated key agreement scheme for smart grid. IEEE T Smart Grid. DOI: 10.1109/TSG.2016.2602282.

26.

Lynn

PBC library manual 0.514 benchmarks

2013, http://crypto.stanford.edu/pbc/

27.

Dai

. Crypto++ 5.6.2 benchmarks, 2013, http://www.cryptopp.com/