Elliptic Curve Cryptography-Based Authentication with Identity Protection for Smart Grids

Liping Zhang; Shanyu Tang; He Luo

doi:10.1371/journal.pone.0151253

Abstract

In a smart grid, the power service provider enables the expected power generation amount to be measured according to current power consumption, thus stabilizing the power system. However, the data transmitted over smart grids are not protected, and then suffer from several types of security threats and attacks. Thus, a robust and efficient authentication protocol should be provided to strength the security of smart grid networks. As the Supervisory Control and Data Acquisition system provides the security protection between the control center and substations in most smart grid environments, we focus on how to secure the communications between the substations and smart appliances. Existing security approaches fail to address the performance-security balance. In this study, we suggest a mitigation authentication protocol based on Elliptic Curve Cryptography with privacy protection by using a tamper-resistant device at the smart appliance side to achieve a delicate balance between performance and security of smart grids. The proposed protocol provides some attractive features such as identity protection, mutual authentication and key agreement. Finally, we demonstrate the completeness of the proposed protocol using the Gong-Needham- Yahalom logic.

Citation: Zhang L, Tang S, Luo H (2016) Elliptic Curve Cryptography-Based Authentication with Identity Protection for Smart Grids. PLoS ONE 11(3): e0151253. https://doi.org/10.1371/journal.pone.0151253

Editor: Kim-Kwang Raymond Choo, University of South Australia, AUSTRALIA

Received: December 24, 2015; Accepted: February 25, 2016; Published: March 23, 2016

Copyright: © 2016 Zhang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: The authors have no support or funding to report.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Compared with traditional power networks, smart grid networks can avoid excess electricity generation by adjusting the amount of electricity based on the customer’s real-time requirements. In general, the smart grid network can be divided into three levels: control center, substations and smart appliances [1]. In a smart grid network, smart appliances communicate with substations by using smart meters. The smart meters send user’s requirements to the substations, and then the substations transmit the requirements to the control center. Next, according to the received requirements, the control center can allocate adequate power supplies to customers. The Supervisory Control and Data Acquisition system is used to protect the communications between the control center and the substations [2], but the security problems between other two levels remain unsolved. Although the security mechanisms between substations and smart appliances have been researched in recent years, existing security protocols are not robust enough to resist several types of attacks. Therefore, a determined effort should be made to address the security issues associated with the communications between the substations and the smart appliances [3].

As smart meters are used to transmit the real-time electricity demands from customers, the data transmission process could easily suffer from several types of security threats and attacks. To protect the transmitted data, an efficient authentication scheme should be provided. Compared with the authentication protocols designed for other scenarios such as VoIP and Ad Hoc networks, it is more challenging to provide a suitable authentication protocol for smart grids due to its complicated architecture and diverse security requirements. On one hand, the authentication protocols should secure against various types of possible attacks and provide several security features to satisfy the secure requirements of smart grids. For example, the user privacy should be fully considered especially the user’s identity protection, to prevent the adversary from obtaining the information about user’s daily patterns, which may not be important in other application environments. On the other hand, smart grid communications are more sensitive to transmission latency, and so existing security approaches with intensive computation are impractical in smart grid networks.

Recently, several authentication protocols have been proposed [4–19] to protect the data transmission between communication entities. In an attempt to prevent the adversary from obtaining the daily habit of the customer through analyzing the electricity usage pattern, T.W. Chim et al. [4] designed an authentication protocol by using a tamper-resistant device at the smart appliance and a pseudo identity for the smart grid network to protect the privacy of the customer. However the proposed protocol was suffered from impersonation attacks. Since only substations could authenticate smart appliances, the adversary could easily impersonate the substations to cheat the smart appliances. Besides, their protocol failed to provide a key agreement function capable of protecting the communication between substations and smart appliances. Furthermore, since a timestamp was used in the signing module of their protocol, the clock synchronization problem could not be avoided. In order to reduce the computational cost, Mostafa et al. [5] proposed a message authentication mechanism by using the Computational Diffie-Hellman assumption for smart grids. In their protocol, mutual authentication and key agreement were realized by using Diffie-Hellman exchange protocol between the smart meters distributed at different hierarchical networks of the smart grid system, and the subsequent messages could be authenticated by using a shared session key established previously and the hash-based authentication code technique. However, the computational costs of both protocols were still very high due to the usage of expansive exponential operations. In the same year, Qing et al. [6] designed a multicast authentication protocol for smart grids by using one-time signature to reduce the storage cost and the signature size. Because the one-time signature-based multicast authentication could provide short authentication delay and low computation cost, their protocol achieved a good performance. However their work only focused on designing a light-weight authentication protocol, remained the key agreement issue unsolved.

In order to strengthen the security of smart grid communications, Soohyun Oh et al. [7] suggested a mutual authentication and key establishment mechanism based on public key certificates for smart grid. In their protocol, the data concentration unit’s public key certificate and pre-shared long-term key were used to realize the mutual authentication between the data concentration unit and the intelligent devices. But the problem of distributing the shared long-term key limited this protocol’s scalability and applicability. Biometric technique such as fingerprint was also adopted to achieve strong authentication for smart grids [10]. But these protocols are very complex due to the use of biometrics. In 2013, Binod Vaidya et al. proposed an authentication and authorization mechanism for smart grid networks [13]. They realized multi-factor authentication and attribute-based authorization in a smart grid environment by using public key certificates, zero-knowledge and access control technologies. But the heavy computational load could not be avoided since the implement of the public key certificates management and public key cryptography calculation. In the same year, Nicanfar et al. presented a password authenticated group key agreement protocol for smart grid [15]. Although the proposed protocol provided forward and backward secrecy and enhanced the security of communications among the devices, the usage of expansive exponential operations decreased the practical application of the protocol. To reduce the computational cost, a password authenticated key exchange based on Elliptic Curve Cryptography (ECC) was proposed [17]. Compared with previous studies, this protocol was more efficient due to the usage of ECC, but a primitive password should be preloaded between an appliance and the Home Area Network controller, which made this solution hard to scale and might arouse an intractable problem of password table maintenance. Recently, Li et al. proposed fault-diagnosable authentication architecture for advanced metering infrastructure in smart grid [19]. Since this work only focused on authentication, key negotiation was not considered in the proposed authentication mechanism.

According to above analysis, protocol [4] was suffered from impersonate attacks and protocols [5, 19] were vulnerable to eavesdropping since these protocols could not provide key agreement to protect the further communications. Moreover, protocol [17] faced some attacks associated with password. Although some of these protocols achieved good performance, they could not provide security at an acceptable level. Furthermore, other protocols such as [13, 15] were secure against several attacks, but the use of expansive exponential operations, the signature generation, and the verification lead to high computational overhead and communication delay. Therefore, these protocols are not suitable for smart grid. In general, the existing authentication protocols for smart grids mentioned above are insecure against some cryptographic attacks or impractical due to high computational costs. In addition, all the protocols discussed above could not provide privacy protection which is very important in smart grids. Based on these motivations, we proposed a robust and efficient authenticate protocol based on Elliptic Curve Cryptography (ECC) with identity protection for smart grids by using tamper-resistant attractive security properties. As ECC can achieve the same level security with a smaller key size, it offers better performance compared with other public key cryptosystems such as RSA or D-H. Thus, we adopted ECC to realize a mitigation authentication device at the smart appliance without involving time-consuming operations.

Compared with other security approaches, public key cryptosystems can resist most of possible attacks and provide more security properties to achieve a good balance between performance and security. By using ECC, the proposed protocol can achieve the authenticated key agreement with privacy protection at a lower computational cost. Furthermore, according to the characteristics of the smart grid, the control center can be considered fully trustable since it is managed by the government administrators; the substations that have higher computational power are difficult to be compromised than smart appliances; the smart appliances with limited power are more vulnerable to various attacks, and it can be combined with a tamper-resist device to protect the stored information. Taking advantage of above features, in the proposed protocol, a tamper-resist device was used to store secret information to help providing privacy protection through the authentication process. In addition, the control center and the substations can cooperate to complete the initialization process of the authenticated key agreement protocol.

In the proposed protocol, the smart meters are used to transmit the real-time electricity demands from customers intelligently. In order to protect the transmitted data, mutual authentication and a shared key should be provide to protect the further communication between the substation and the smart appliances. In the proposed protocol, the smart meters could control when the authentication protocol begins and which appliances need to be authenticated. Furthermore, the shared key updating could be realized by restarting the authentication process and the smart meter could also control the period of key updating during the communication. Therefore, the smart meter could manage the smart devices intelligently during the authentication process. In this paper, our study focused on the design of the authentication protocol with privacy protection, so the intelligent management of smart meters is beyond the scope of our work.

Burrows-Abadi-Needham (BAN) Logic [20] is the first belief logic widely used to formally analyze the completeness of a cryptographic protocol, but it has some limitations [21]. Gong-Needham-Yahalom (GNY) logic [22] is one of the famous extensions to overcome the inherent limitations of BAN; and it has successfully disclosed redundancies or found defects in several protocols. Today, GNY has been used to demonstrate the completeness of several protocols successfully [23]. Therefore, we used the GNY logic to evaluate the security of the proposed protocol in this study.

The rest of this paper is organized as follows. Section 2 briefly describes the Elliptic Curve Cryptosystem. Our newly designed authentication protocol is detailed in Section 3. In Section 4, the completeness of the proposed protocol is proved through Gong-Needham-Yahalom logic. The performance of the proposed protocol is evaluated in Section 5, and the paper is concluded in Section 6.

Preliminaries

In this section we briefly introduce the basic concepts of the elliptic curve cryptosystem and the corresponding problems associated with it. We also explain the reason for adopting the elliptic curve cryptography.

ECC has been formally applied to public key cryptosystems since 1986. In an elliptic curve cryptosystem, the elliptic curve equation is defined as the form E_p(a,b): y² = x³ + ax + b(mod p) over a prime finite field F_p, where p>3, a,b ∈ F_p and 4a³ + 27b² ≠ 0(mod p). Given an integer and a point P ∈ E_p(a,b), the scalar multiplication tP over E_p(a,b) can be defined as tP = P + P + … + P_{(t times)} [24]. And the corresponding problems associated with ECC are shown as follows:

Definition 1. Given two points P and Q over E_p(a,b), the elliptic curve discrete logarithm problem (ECDLP) is to find an integer such that Q = tP.
Definition 2. Given three points P, sP and tP over E_p(a,b) for , the computational Diffie-Hellman problem (CDHP) is to find the point stP over E_p(a,b).
Definition 3. Given two points P and Q = sP + tP over E_p(a,b) for , the elliptic curve factorization problem (ECFP) is to find two points sP and tP over E_p(a,b).

We assume that the three problems above are intractable. That is, there is no polynomial time algorithm that can solve these problems with non-negligible probability.

Next, we explain why we adopted ECC to design the authentication protocol for smart grid networks.

1) More complex: Since ECC can be implemented in different ways rather than a single encryption algorithm; it is more complex than RSA. Moreover, the elliptic curve discrete logarithm problem is more difficult to break than the factorization and discrete logarithm problem. Although many researchers have tried to attack ECC, it is still infeasible to break ECC with existing computational resources. Therefore, the security strength of ECC is much stronger than other public key cryptosystems such as RSA or Diffie-Hellman (D-H).

2) Smaller key size: as shown in Table 1, compared with RSA, ECC offers equivalent security with smaller key sizes which implies lower power, bandwidth, and computational requirements. These advantages are very important when public-key cryptography is implemented for low power environments.

Download:

Table 1. Comparison of the key length between RSA and ECC on the same security level.

https://doi.org/10.1371/journal.pone.0151253.t001

3) Computational efficiency: ECC is much more efficient than RSA and D-H public protocols in terms of computation, since implementing scalar multiplication in software and hardware is much more feasible than performing multiplications or exponentiations in them.

According to above attractive properties of ECC, we chose it to design the proposed robust and efficient authentication protocol for smart grids.

Our Proposed Authentication Scheme

This section details our newly designed authentication protocol based on elliptic curve cryptography for smart grids. Considering the efficiency, ECC version for El-Gamal has been adopted for asymmetric encryption in the proposed protocol where the cycle group used in El-Gamal is taken from elliptic-curve. For the details, please see [24]. There were two phases in the proposed protocol: initialization phase and authentication phase. The procedure of our protocol is described in detail as follows:

Initialization phase

In this phase, several security parameters used for authentication and key agreement are calculated by the control center and the substations.

1) First, an elliptic curve equation E_p(a,b): y² = x³ + ax + b(mod p) over a prime finite field F_p is selected by the control center. Here a,b ∈ F_p and 4a³ + 27b² ≠ 0(mod p). Next the control center chooses a base point P over E_p(a, b) and writes P to the tamper-resistant device of U_i as well as the substations.

2) The control center allocates an identity ID_i for each smart appliance U_i and preloads ID_i into the memory of the corresponding tamper-resistant devices. Then the identity ID_i of smart appliance U_i is written in an ID table by the control center. Next, the control center submits the identity table to the substation over a secure channel and assigns an identity SID_j for each substation S_j. The substation S_j stores the identity SID_j in its memory securely. Finally, a one-way hash function h(∙): {0,1}* → {0,1}^k is selected by the control center. And the substations as well as the tamper-resistant devices store the hash function in their memories.

3) The substation chooses a random integer as a secret key for symmetric encryption/decryption. And then it generates a random integer sk<n as a private key and computes its corresponding public key pk = skP, where n is the order of the base point P. The computed public/private key pair (pk, sk) is used for asymmetric encryption/decryption. Then the substation calculates C₁ = E_s(ID_i) and C₂ = SID_jP for every smart appliance U_i. The system key s and the public/private key pair (pk, sk) are kept secret by the substation. Furthermore, the substation writes the public key pk and the pair secret (C₁, C₂) into each corresponding tamper-resistant device.

If a new smart appliance U_j wants to incorporate into the smart grid, the control center and the substation should cooperate to complete the initialization of the new appliance. First, the control center allocates a new identity ID_j for U_j and records it in the ID table. Then it sends the identity of the new smart appliance to the corresponding substation over a secure channel. Having received the message, the substation records the identity in its ID table and then computes a secret (C₁, C₂) for the new smart appliance. Finally, the substation writes the point P, the one-way hash function, the identity ID_j, the public key pk and the pair secret (C₁, C₂) into the tamper-resistant device of U_j to achieve the initialization of the new smart appliance.

Authentication phase

During the authentication process, the substation and the smart appliance U_i perform the following four steps to realize mutual authentication and key agreement.

1) First, the tamper-resistant device of U_i selects an integer randomly to compute C₃ = e_pk(ID_i‖C₁‖r₁), where e_pk(•) denotes the public key encryption function using the substation S_j’s public key pk and C₁ = E_s(ID_i) is a secret stored in the tamper-resistant device of U_i. Then, the smart appliance U_i sends C₃ = e_pk(ID_i‖C₁‖r₁) to the substation S_j.

2) In this step, the substation S_j obtains ID_i, C₁ and r₁ by decrypting the receiving message C₃ via its private key sk. Then, it checks whether ID_i is valid by matching it in the ID table. If not valid, the authentication process stops. Otherwise, the substation S_j uses the system key s to decrypt C₁ and then gets the ID_i. Next, it compares the value of ID_i in C₃ with that of ID_i in decrypted message C₁. If they are not equivalent, the substation terminates the authentication process; otherwise, the substation chooses two random integers and to calculate the shared session key SK = h(r₁‖r₂) and authentication message , where denotes the secure symmetric encryption algorithm with the secret key r₁. Finally, the substation S_j submits the message (C₄, r₃) to U_i.

Here the random integer r₃ needs not be encrypted because it is used to check the freshness of the message only and is not connected with the final session key in any way. Even if the adversary obtained the random integer r₃, the shared key could not be compromised. Thus, the random integer r₃ is transmitted in plaintext, and this method has been widely used in authentication protocols to check the freshness of the message.

3) After receiving the message (C₄, r₃), the smart appliance U_i adopts r₁ to decrypt C₄ and then obtains r₂ and SID_j. Then it calculates SID_jP and checks whether the following equation holds . If the equation holds, the smart appliance U_i calculates the shared session key SK' = h(r₁‖r₂) and the authentication message C₅ = h(SK'‖(r₃ + 1)). And then U_i submits the authentication message C₅ to the substation S_j. Otherwise, the smart appliance U_i rejects the message and terminates the authentication process.

4) Upon receiving the message C₅, the substation S_j checks whether the value of the received C₅ equals to the value of the computed h(SK‖(r₃ + 1)). If true, the substation S_j sets SK as the shared session key with the smart appliance U_i; otherwise, it terminates the authentication process.

In the proposed protocol, if the substation D_n needs to be changed, it submits all the shared keys between itself and corresponding smart appliance to the control center over a secure channel and then deletes the ID table and the shared keys from its memory. Next the control center transforms ID table including all identities of the smart appliance associated with substation D_n and all the session keys submitted from D_n to the new substation D_l over a secure channel. In addition, the control center also chooses a secure one-way hash function and transforms it to the substation D_l. After the substation D_l finishes the initialization procedure, it adopts the corresponding shared key to encrypt the secret information including the pair secret (C₁, C₂), the public key pk and the hash function. Then the substation D_l can transmit the secret information securely to the corresponding smart appliance. Consequently, the tamper-resistant devices can update the secret information securely. And the new session key between the new substation D_l and the smart appliance can be achieved by running the proposed key agreement protocol to realize the secure and easy change of the substation.

In the proposed protocol, instead of preloading the shared key, the secret (C₁,C₂) as “material” is stored in the tamper-resistant device of the smart appliance to help realize mutual authentication and key agreement. The session key is constructed by two high-entropy random integers chosen by the substation and the smart appliance freely, and the session key varies in each authentication and key agreement process, that is, the secret (C₁,C₂) is not connected with the final computed session key. Thus, even the secret (C₁, C₂) stored in the tamper-resistant device was compromised, the session key would not be leaked and the adversary could not obtain the information transmitted between the smart appliance and the substation encrypted by the session key. Under this case, if the secret (C₁, C₂) was compromised, the message relayed between the smart appliance and the substation would not be exposed to the adversary. On the contrary, if the shared key was preloaded into a tamper-resistant device, the adversary could launch the capture attack to obtain the shared key, and then could use it to decrypt the message communicated between the smart appliance and the substation. In addition, the solution of preloading the shared key requires the substation storing the shared keys for each smart appliance. Once the substation was compromised by the adversary, all the shared keys would be revealed. Furthermore, the associated problems of shared key updating and maintaining make this security measure hard to scale up.

Security Analysis

Burrows-Abadi-Needham Logic [20] is the first belief logic which has been widely used to formally analyze the completeness of protocols. A great effort has been put into overcoming its limitations [21]. Gong-Needham-Yahalom (GNY) logic [22] is one of these extensions. And it has successfully disclosed redundancies or found defects in several protocols. Therefore, we adopted the GNY logic to evaluate the security of our proposed protocol.

In this section, some formulae and statements used in the GNY logic are introduced first; then the goals and the assumptions of the proposed protocol are set; finally the GNY logic is adopted to prove that the proposed protocol is valid and practical.

Formulae and statements

In the GNY logic, a formula is a name used to refer to a bit string, which has a particular value in a run [22]. In order to describe the GNY logic, first let symbols X and Y range over formulae. Then, some formulae used in our authentication proof are introduced and the complete list of all logical postulates is described in [22].

(X, Y): conjunction of two formulae X and Y.
{X}_K and : symmetrically encrypt and decrypt X with the key K.
{X}_+K and {X}_-K: asymmetrically encrypt and decrypt X with the public key +K and the private key -K.
h(X): a one-way function of X.
*X: X is not originated here.

A basic statement reflects some property of a formula. Let symbols P and Q be principals. The following are statements used in our authentication proof.

P◁X: P is told formula X.
P∍X: P possesses formula X.
P|∼X: P once conveyed formula X.
P|≡#(X): P believes that X is fresh.
P|≡ϕ(X): P believes that X is recognizable.
: P believes that S is a suitable secret for P and Q.
P|⇒X: P has jurisdiction over X.
P⊲*X: P is told that a formula X which did not convey previously in the current run.

Protocol descriptions and goals

In this subsection, some notations are changed to fit the GNY logic and the proposed protocol are transformed into the form of P→Q:(X). In addition, the server’s private key is denoted as–K and the corresponding public key is denoted as +K.

U → S: ({ID_i‖{ID_i}_s‖r₁}_+K)
U → S: (h(h(r₁‖r₂)‖(r₃ + 1)))

Next, our goals which consist of three aspects are described in detail.

(1) Message content authentication

Goal 1: S believes the message in the first run is recognizable.

Goal 2: U believes the message in the second run is recognizable.

Goal 3: S believes the message in the third run is recognizable.

(2) Message origin authentication

Goal 4: U believes S conveyed the message in the second run.

Goal 5: S believes U conveyed the message in the third run.

(3) Session key material establishment

Goal 6: U believes that S believes that SK is a secret shared between U and S.

Goal 7: U believes that SK is a secret shared between U and S.

Goal 8: S believes that U possesses SK.

Goal 9: S believes that U believes that SK is a secret shared between U and S.

Assumption list

In this subsection, some assumptions are made as follows:

The secret key s is generated by S in the proposed protocol, so S possesses s. S also possesses the private key–K and the public key +K.
Since S keeps the identity table, S believes that ID_i is recognizable.
Since U stores C₂ = SID_jP secretly and holds the base point P. Then U can check the SID_j and believes that SID_j is recognizable.
The random integer r₁ is generated by U in the protocol, so U possesses r₁ and believes that r₁ is fresh. U ∍ r₁,U|≡#(r₁)
The random integer r₁ is generated by U as part of the temporal session key in the current run. So, we assume that U believes r₁ is a suitable secret for himself and S.
The random integer r₂ and r₃ are generated by S in the protocol, so S possesses r₂ and r₃, and believes that r₃ is recognizable and r₂ is fresh.
The SK generated by S is a temporal session key in the current run. So we assume that S believes that SK is a suitable secret between itself and U.
U believes that the server S is an authority on generating a suitable session key material SK shared between U and S.

Authentication proof using GNY logic

In this subsection, we adopt the GNY logic to analyze our protocol. A complete list of all logical postulates and the index in the list is provided [22], such as (T1, P1), to show how to achieve the goals.

(1) The first run: (R1, R2)

If S believes that ID_i is recognizable and S possesses the key s, then S is entitled to believe that the encryption of ID_i with the key s is recognizable and then the formula {ID_i‖{ID_i}_s‖r₁} is also recognizable.

(R3)

If S believes (ID_i‖{ID_i}_s‖r₁) is recognizable and S possesses a public key +K, then it believes that the encryption {ID_i‖{ID_i}_s‖r₁}_+K is recognizable. Therefore, in the proposed protocol, the server S can recognize the message {ID_i‖{ID_i}_s‖r₁}_+K in the first run. (Goal 1)

(2) The second run: (R1, R2)

If U believes that SID_j is recognizable, then U is entitled to believe that the formula (SID_j‖r₂) of which SID_j is a component, is recognizable. Since U possesses r₁, it also believes that the encryption is recognizable.

(R1)

If S believes is recognizable, then it is entitled to believe that , of which is a component, is recognizable. So, we can conclude that in the proposed protocol, U can recognize the message in the second run. (Goal 2) (I1)

If the following five conditions hold: 1) U receives the formula (SID_j‖r₂) encrypted with the key r₁ and marked with a not-originated-here mark; 2) U possesses r₁; 3) U believes that r₁ is a suitable secret for himself and S; 4) U believes that the formula (SID_j‖r₂) is recognizable; and 5) U believes that r₁ is fresh. Then U is entitled to believe that 1) S once conveyed (SID_j‖r₂) encrypted with r₁ and 2) U believes that the S possesses r₁. (Goal 4)

According to the GNY logic, we assume that U|≡S|⇒S|≡*, that is, U believes that S is honest and competent, and then we can deduce the following statement: (J2)

If U believes that S is honest and competent; and U receives a message , which it believes S conveyed, then U ought to believe that S really believes . Therefore, U believes that S believes that SK is a suitable secret between U and S. (Goal 6) (J1)

If U believes that S is an authority on the statement and S believe in , then U ought to believe in as well. So, U believes that SK is a suitable secret between U and S. (Goal 7)

(3) The third flow: (T3, T4)

If S is told a formula (ID_i‖{ID_i}_s‖r₁) encrypted with the public key +K and it possesses the corresponding private key–K, then it is considered to have been told the decrypted contents of that encrypted formula. And it has also been told r₁ as the formula’s components.

(P1, P2, P4)

If S is told r₁, it is capable of possessing r₁. And if S also possesses r₂, it is capable of possessing (r₁‖r₂) and h(r₁‖r₂). For the same reason, if S possesses r₃ then it possesses (r₃+1).

(P2)

If S possesses h(r₁‖r₂) and (r₃+1), then it possesses (h(r₁‖r₂)‖(r₃ + 1)) as well.

(R1)

If S believes that r₃ is recognizable, then S believes that (r₃+1) is recognizable and (h(r₁‖r₂)‖(r₃ + 1)), of which (r₃+1) is a component, is also recognizable.

(R5)

If S believes that (h(r₁‖r₂)‖(r₃ + 1)) is recognizable and it also possesses (h(r₁‖r₂)‖(r₃ + 1)), and then it is entitled to believe that h(h(r₁‖r₂)‖(r₃ + 1)) is recognizable. So, we can say that S believes that the message h(h(r₁‖r₂)‖(r₃ + 1)) in the third run is recognizable. (Goal 3) (F1, F10)

If S believes r₂ is fresh then it is entitled to believe that h(r₁‖r₂) is fresh. And then if S also possesses (r₁‖r₂), it is entitled to believe that h(r₁‖r₂) is fresh.

(I3)

If all of the following conditions hold: 1) S receives a formula consisting of a one way function of (r₃+1) and SK marked with a not-originated-here mark; 2) S possesses (r₃+1) and SK; 3) S believes SK is a suitable secret for itself and U; 4) S believes that SK is fresh. Then S is entitled to believe that U once conveyed ((r₃+1), SK) and h(h(r₁‖r₂)‖(r₃ + 1)).Therefore, we can say that S believes that the message h(h(r₁‖r₂)‖(r₃ + 1)) in the third run of the proposed protocol is conveyed from the U. (Goal 5) (I6, I7)

If S believes that U once conveyed the formula ((r₃+1), SK), then it is entitled to believe that U once conveyed SK. And if S also believes that SK is fresh, then it is entitled to believe that U possesses SK. Therefore, S believes that SK is possessed by U. (Goal 8)

According to the GNY logic, we assume that U|≡S|⇒S|≡*, that is, S believes that U is honest and competent, and then we can deduce the following statement: (J2)

If S believes that U is honest and competent, and S receives a message which it believes is conveyed by U, then S ought to believe that U really believes . So, we can conclude that in the proposed protocol, S believes that SK is a suitable secret between U and S. (Goal 9)

Complexity Analysis

In this section, we first summarize the functionalities of the proposed protocol, and then evaluate the computational cost of the protocol.

As an attractive feature, our protocol provides identity protection including the identities of the smart appliance and the substation. In the proposed protocol, the adversary cannot obtain the real identities of the smart appliance and the substation since the identities are transmitted in ciphertext. So even if the adversary compromises the secret (C₁, C₂) stored in the tamper-resistant device and intercepts all the messages transmitted between the smart appliance and the substation, she/he cannot obtain the real identities of the smart appliance and the substation. In addition, the proposed protocol also provides mutual authentication and key agreement to protect the communications between the smart appliance and the substation. Next, we compare the computational cost of the proposed protocol with other related protocols. Some notations are defined as follows:

T_m: the time for executing a modular exponentiation operation.
T_e: the time for executing a scalar multiplication operation of elliptic curve.
T_h: the time for executing a one-way hash function.
T_se: the time for executing a symmetric key encryption operation.
T_sd: the time for executing a symmetric key decryption operation.
T_ae: the time for executing an asymmetric key encryption operation.
T_ad: the time for executing an asymmetric key decryption operation.
T_hmac: the time for executing a Hash-based Message Authentication Code (HMAC) operation

As shown in Table 2, in the proposed protocol, the computational cost at the substation S_j side is T_e+T_se during the initialization phase. One scalar multiplication operation T_e is used to compute the secret C₂ = SID_jP. And one symmetric key encryption operation T_se is used to generate another secret C₁ = E_s(ID_i) through using the system key s. In the authentication phase, the computational cost at the substation S_j side is T_ad +T_h +T_sd+ T_se, and the computational cost at the smart appliance U_i side is T_ae + T_sd + T_e + T_h. The smart appliance U_i takes one asymmetric key encryption operation via the substation S_j’s public key pk to generate C₃ = e_pk(ID_i‖C₁‖r₁); takes one symmetric key decryption operation to get SID_j and r₂; takes one scalar multiplication operation to compute SID_jP; and takes a one-way hash function operation to calculate C₅ = h(SK'‖(r₃ + 1)). The substation S_j takes one asymmetric key decryption operation to get the smart appliance U_i’s identity ID_i, the random integer r₁ and the authentication message C₁; takes a one-way hash function operation to obtain h(SK‖(r₃ + 1)); and takes one symmetric key decryption operation and one symmetric key encryption operation. So, the total computational cost of the proposed protocol is 2T_e+T_ae+T_ad +2T_sd+2T_se+2T_h. The theoretical analysis and experimental results [25] show that the modular exponentiation operation T_m and the asymmetric key encryption/decryption operations T_ae/T_ad are much higher than that of the symmetric key encryption/decryption operations T_se/T_sd and the scalar multiplication operation of elliptic curve T_e. In addition, compared with the asymmetric key encryption/decryption operations T_ae/T_ad and the modular exponentiation operation T_m, the computational cost of hash function operation T_h could be ignored. Close analysis of the data in Table 2, shows that our proposed protocol is more efficient than and Mostafa et al.’s protocol [5], because it eliminates the expansive modular exponentiation operations and reduces the numbers of asymmetric key encryption/decryption operations. In addition, compared with Chim et al.’s protocol [4], our protocol reduces the computational cost at the smart appliance side. Although Chim et al.’s protocol possesses better performance at the substation side in comparison with the proposed protocol, their protocol cannot support mutual authentication and fails to provide a key agreement.

Download:

Table 2. Computational costs comparison between our protocol and others.

https://doi.org/10.1371/journal.pone.0151253.t002

Then, we discuss the communication and storage overhead by comparing our proposed protocol with other protocols. Since Mostafa et al.’s protocol do not use tamper-resistant device, we only compared storage overhead with Chim et al.’s protocol at the smart appliance side. In our protocol, the smart appliance needs to store a hash function and the secure information (C₁, C₂, pk, P), where C₁, C₂, and P are 1024 bits, and pk is 128 bits. The total storage overhead needed at the tamper-resistant devices in our protocol is 3200 bits. In Chim et al.’s protocol, the tamper-resistant needs to store the public key Pub_cc, the secret key S_r, a pair private and public key, the identity of smart appliance RID_i and HMAC function. Where Pub_cc is 1024 bits, S_r is 128 bits, RID_i is 32 bits and a pair key is 2048 bits. Therefore, the total overhead at the tamper-resistant devices side in Chim et al.’s protocol is larger than 3232 bits. As shown in Table 3, Compared with Chim et al.’s protocol, our proposed protocol reduced the storage overhead at the tamper-resistant side.

Download:

Table 3. Communication costs and storage overhead comparison between our protocol and others.

https://doi.org/10.1371/journal.pone.0151253.t003

We hereby present the communication overhead of the proposed protocol. In our experiments, the user’s ID was 32 bits, the timestamp was 32 bits, the random number was 64 bits, the signature was 160 bits, and a modular exponentiation was 512 bits. In addition, the output of a 256-bit AES was based on the input of the plaintext. We assume that RSA was adopted as public key encryption/decryption algorithm in protocols [4, 5].The communication cost comparisons between our protocol and others are shown in Table 3. In our proposed protocol, the average communication cost was 608 bits. Compared with the protocols in [4, 5], the proposed protocol scaled down the communication cost significantly.

Conclusion

An efficient authentication protocol with identity protection for smart grids has been proposed in this paper. In the proposed protocol, based on elliptic curve cryptography the substations and smart appliances realized mutual authentication and key agreement via a tamper-resistant device. In addition, the identities of the smart appliance and the substation are transmitted in ciphertext in the proposed protocol. So the adversary cannot obtain the real identities of the smart appliance and the substation. Furthermore, the completeness of the proposed protocol is demonstrated by Gong, Needham, and Yahalom (GNY) logic. And performance analysis shows that our proposed protocol increases efficiency in comparison with other related protocols. Therefore, the proposed protocol is more suitable for the smart grids.

Acknowledgments

The authors are indebted to the staff at the secure communication institute at China University of Geosciences.

Author Contributions

Conceived and designed the experiments: LZ ST. Performed the experiments: HL. Analyzed the data: LZ HL. Contributed reagents/materials/analysis tools: LZ HL. Wrote the paper: LZ.

References

1. Northcote-Green J,Wilson R. Control and Automation of Electrical Power Distribution Systems. Boca Raton, Florida: CRC press, 2006.
2. ARC Advisory Group, SCADA Systems for Smart Grid, Available: http://www.arcweb.com/Research/Studies/Pages/SCADA-Power.aspx.
3. Salem AA. Electricity agents in smart grid markets. Computers in Industry. 2013; 64(3):235–241.
- View Article
- Google Scholar
4. Chim TW, Yiu SM, Hui LCK, Li VOK. PASS: Privacy-preserving Authentication Scheme for Smart Grid Network. Proceedings of Cyber and Physical Security and Privacy. 2011; 196–201.
- View Article
- Google Scholar
5. Mostafa M, Fadlullah ZM, Kato N, Lu R,Shen X. A Light-weight Message Authentication Scheme for Smart Grid Communications. IEEE Transaction on Smart Grid. 2011; 2(4): 675–685.
- View Article
- Google Scholar
6. Li QH, Cao GH. Multicast Authentication in the Smart Grid with One-Time Signature. IEEE Transaction on Smart Grid. 2012; 2(4) 686–696.
- View Article
- Google Scholar
7. Oh S,Kwak J. Mutual Authentication and Key establishment mechanism using DCU certificate in Smart Grid. Applied Mathematics & Information Sciences. 2012; 6(1S): 257S–264S.
- View Article
- Google Scholar
8. Nam J, Choo KKR, Han S, Kim M, Paik J, Won D. Efficient and Anonymous Two-Factor User Authentication in Wireless Sensor Networks: Achieving User Anonymity with Lightweight Sensor Computation. Plos one, 2015; 10(4): 1–21.
- View Article
- Google Scholar
9. He D, Kumar N, Chilamkurti N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences. 2015; 321: 263–277.
- View Article
- Google Scholar
10. Gao QH. Biometric Authentication in Smart Grid. Proceedings of Energy and Sustainability Conference. 2012; pp.1–5.
- View Article
- Google Scholar
11. He D, Zeadally S. Authentication protocol forambient assisted living system. IEEE Communications Magazine, 2015; 53(1):71–77.
- View Article
- Google Scholar
12. Wang CQ, Zhang X, Zheng ZM. Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme. Plos one, 2016; 11(12):1–25.
- View Article
- Google Scholar
13. Vaidya B, Makrakis D, Mouftah HT. Authentication and Authorization Mechanisms for Substation Automation in Smart Grid Networks. IEEE Network. 2013; 5–11.
- View Article
- Google Scholar
14. Liu H, Ning HS, Zhang Y, Guizani M. Battery Status-aware Authentication Scheme for V2G Networks in Smart Grid. IEEE Transactions on Smart Grid. 2013; (4)(1):99–110.
- View Article
- Google Scholar
15. Nicanfar H,Leung VCM. Password-authenticated cluster-based group key agreement for smart grid communication. Security and Communication Networks. 2014; 7(1): 221–233.
- View Article
- Google Scholar
16. Zhang L, Tang S, Jiang Y, Ma Z. Robust and Efficient Authentication Protocol Based on Elliptic Curve Cryptography for Smart Grids. 2013 IEEE International Conference on Green Computing and Communications and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, 201; 2089–2093. https://doi.org/10.1109/GreenCom-iThings-CPSCom.2013.392
17. Nicanfar H,Leung VCM. Multilayer Consensus ECC-Based Password Authenticated Key-Exchange (MCEPAK) Protocol for Smart Grid System. IEEE Transaction on Smart Grid. 2013; 4(1): 253–264.
- View Article
- Google Scholar
18. He D, Kumar N, Lee JH. An efficient and privacy-preserving data aggregation scheme for the smart grid against internal attackers. Wireless Networks. 2016; 22(2): 491–502.
- View Article
- Google Scholar
19. Li D, Aung Z, Williams JR, Sanchez A. Efficient and fault-diagnosable authentication architecture for AMI in smart grid. Security and Communication Networks. 2015; 8(4):598–616,
- View Article
- Google Scholar
20. Burrows M, Abadi M, Needham R. A logic of authentication. ACM Transaction on Computer Systems. 1990; (8): 18–36.
- View Article
- Google Scholar
21. Nessett DM. A critique of the Burrows, Abadi, and Needham logic. ACM SIGOPS Operating Systems Review. 1990; 24(2):35–38.
- View Article
- Google Scholar
22. Li G, Needham R, Yahalom R. Reasoning about belief in cryptographic protocols. Proceedings of IEEE Computer Society Symp. Research in Security and Privacy. 1990; 234–248.
- View Article
- Google Scholar
23. Fan CI, Lin YH. Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics. IEEE Transactions on Information Forensics and Security. 2009; 4(4):933–945.
- View Article
- Google Scholar
24. Darrel H, Alfred M, Scott Vanstone. Guide to elliptic curve cryptography. 2004; Springer-Verlag, Berlin.
25. Kilinc HH, Yanik T. A Survey of SIP Authentication and Key Agreement Schemes. IEEE Communications Surveys& Tutorials. 2013; 1–19.
- View Article
- Google Scholar

[ref1] 1. Northcote-Green J,Wilson R. Control and Automation of Electrical Power Distribution Systems. Boca Raton, Florida: CRC press, 2006.

[ref2] 2. ARC Advisory Group, SCADA Systems for Smart Grid, Available: http://www.arcweb.com/Research/Studies/Pages/SCADA-Power.aspx.

[ref3] 3. Salem AA. Electricity agents in smart grid markets. Computers in Industry. 2013; 64(3):235–241.
View Article
Google Scholar

[4] View Article

[5] Google Scholar

[ref4] 4. Chim TW, Yiu SM, Hui LCK, Li VOK. PASS: Privacy-preserving Authentication Scheme for Smart Grid Network. Proceedings of Cyber and Physical Security and Privacy. 2011; 196–201.
View Article
Google Scholar

[7] View Article

[8] Google Scholar

[ref5] 5. Mostafa M, Fadlullah ZM, Kato N, Lu R,Shen X. A Light-weight Message Authentication Scheme for Smart Grid Communications. IEEE Transaction on Smart Grid. 2011; 2(4): 675–685.
View Article
Google Scholar

[10] View Article

[11] Google Scholar

[ref6] 6. Li QH, Cao GH. Multicast Authentication in the Smart Grid with One-Time Signature. IEEE Transaction on Smart Grid. 2012; 2(4) 686–696.
View Article
Google Scholar

[13] View Article

[14] Google Scholar

[ref7] 7. Oh S,Kwak J. Mutual Authentication and Key establishment mechanism using DCU certificate in Smart Grid. Applied Mathematics & Information Sciences. 2012; 6(1S): 257S–264S.
View Article
Google Scholar

[16] View Article

[17] Google Scholar

[ref8] 8. Nam J, Choo KKR, Han S, Kim M, Paik J, Won D. Efficient and Anonymous Two-Factor User Authentication in Wireless Sensor Networks: Achieving User Anonymity with Lightweight Sensor Computation. Plos one, 2015; 10(4): 1–21.
View Article
Google Scholar

[19] View Article

[20] Google Scholar

[ref9] 9. He D, Kumar N, Chilamkurti N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences. 2015; 321: 263–277.
View Article
Google Scholar

[22] View Article

[23] Google Scholar

[ref10] 10. Gao QH. Biometric Authentication in Smart Grid. Proceedings of Energy and Sustainability Conference. 2012; pp.1–5.
View Article
Google Scholar

[25] View Article

[26] Google Scholar

[ref11] 11. He D, Zeadally S. Authentication protocol forambient assisted living system. IEEE Communications Magazine, 2015; 53(1):71–77.
View Article
Google Scholar

[28] View Article

[29] Google Scholar

[ref12] 12. Wang CQ, Zhang X, Zheng ZM. Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme. Plos one, 2016; 11(12):1–25.
View Article
Google Scholar

[31] View Article

[32] Google Scholar

[ref13] 13. Vaidya B, Makrakis D, Mouftah HT. Authentication and Authorization Mechanisms for Substation Automation in Smart Grid Networks. IEEE Network. 2013; 5–11.
View Article
Google Scholar

[34] View Article

[35] Google Scholar

[ref14] 14. Liu H, Ning HS, Zhang Y, Guizani M. Battery Status-aware Authentication Scheme for V2G Networks in Smart Grid. IEEE Transactions on Smart Grid. 2013; (4)(1):99–110.
View Article
Google Scholar

[37] View Article

[38] Google Scholar

[ref15] 15. Nicanfar H,Leung VCM. Password-authenticated cluster-based group key agreement for smart grid communication. Security and Communication Networks. 2014; 7(1): 221–233.
View Article
Google Scholar

[40] View Article

[41] Google Scholar

[ref16] 16. Zhang L, Tang S, Jiang Y, Ma Z. Robust and Efficient Authentication Protocol Based on Elliptic Curve Cryptography for Smart Grids. 2013 IEEE International Conference on Green Computing and Communications and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, 201; 2089–2093. https://doi.org/10.1109/GreenCom-iThings-CPSCom.2013.392

[ref17] 17. Nicanfar H,Leung VCM. Multilayer Consensus ECC-Based Password Authenticated Key-Exchange (MCEPAK) Protocol for Smart Grid System. IEEE Transaction on Smart Grid. 2013; 4(1): 253–264.
View Article
Google Scholar

[44] View Article

[45] Google Scholar

[ref18] 18. He D, Kumar N, Lee JH. An efficient and privacy-preserving data aggregation scheme for the smart grid against internal attackers. Wireless Networks. 2016; 22(2): 491–502.
View Article
Google Scholar

[47] View Article

[48] Google Scholar

[ref19] 19. Li D, Aung Z, Williams JR, Sanchez A. Efficient and fault-diagnosable authentication architecture for AMI in smart grid. Security and Communication Networks. 2015; 8(4):598–616,
View Article
Google Scholar

[50] View Article

[51] Google Scholar

[ref20] 20. Burrows M, Abadi M, Needham R. A logic of authentication. ACM Transaction on Computer Systems. 1990; (8): 18–36.
View Article
Google Scholar

[53] View Article

[54] Google Scholar

[ref21] 21. Nessett DM. A critique of the Burrows, Abadi, and Needham logic. ACM SIGOPS Operating Systems Review. 1990; 24(2):35–38.
View Article
Google Scholar

[56] View Article

[57] Google Scholar

[ref22] 22. Li G, Needham R, Yahalom R. Reasoning about belief in cryptographic protocols. Proceedings of IEEE Computer Society Symp. Research in Security and Privacy. 1990; 234–248.
View Article
Google Scholar

[59] View Article

[60] Google Scholar

[ref23] 23. Fan CI, Lin YH. Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics. IEEE Transactions on Information Forensics and Security. 2009; 4(4):933–945.
View Article
Google Scholar

[62] View Article

[63] Google Scholar

[ref24] 24. Darrel H, Alfred M, Scott Vanstone. Guide to elliptic curve cryptography. 2004; Springer-Verlag, Berlin.

[ref25] 25. Kilinc HH, Yanik T. A Survey of SIP Authentication and Key Agreement Schemes. IEEE Communications Surveys& Tutorials. 2013; 1–19.
View Article
Google Scholar

[66] View Article

[67] Google Scholar

Figures

Abstract

Introduction

Preliminaries

Our Proposed Authentication Scheme

Initialization phase

Authentication phase

Security Analysis

Formulae and statements

Protocol descriptions and goals

Assumption list

Authentication proof using GNY logic

Complexity Analysis

Conclusion

Acknowledgments

Author Contributions

References