Approaches for privacy-friendly Smart Metering: Architecture using homomorphic encryption and homomorphic MACs

Transcription

1 Approaches for privacy-friendly Smart Metering: Architecture using homomorphic encryption and homomorphic MACs Seminar Trustworthy and Energy-Efficient Smart Grids

2 Overview on Approach Introduced in: [B. Vetter, O. Ugus, D. Westhoff, C. Sorge: Homomorphic Primitives for a Privacy-Friendly Smart Metering Architecture. Proceedings of the International Conference on Security and Cryptography (SECRYPT) 2012.] Protect privacy of customers Allows processing of SQL-queries on encrypted aggregated measurements Flexible to support future thirs party services Can be deployed as a cloud service 2

3 Basic Idea Store encrypted and authenticated measurements in a database (EMS), allow SQL queries on encrypted measurements supporting various aggregations Encrypted and authenticated measurements Spatial grouping: Measurements of different costumers in a region Temporal grouping: Measurements of single customers over a period of time Homomorphic encryption Homomorphic MACs (Message Authentication Code) Trusted Third Party (TTP) 3

4 Stakeholders typically involved Energy Provider (EP): sells energy, provides price information to its customers, buy energy, make forecasts, and controls production of energy Gateway (GW): connects the Smart Meters to the Smart Grid, collects Smart Meter data and protects them before sending to the grid Grid Provider (GP): operates the grid, passes aggregated energy consumptions to the EP, need to know accurate energy consumption in a certain region of the grid, operates the meters Smart Meters (SM), customers (C) 4

5 Suggested Architecture Key authority (KA): trusted third party; responsible for managing certificates and keys for Smart Meters, knows the secret keys of all Smart Meters Set of services S = {s 1, s 2,, s n } representing the GP, the EP, and other services Set of customers C, grouped according to specific aspects, e.g., their location Consumption measured by SM sid for period j: e sid,j Encrypted measurements c sid,j stored in EMS, operated by GP 5

6 Necessary Keys KA,,, EP SM,,, unique secret encryption key for Smart Meter sid aggregated key for all sid of group G gid for period j MAC key k = (k 1, k 2 ) of EP aggregated MAC keys (k 2 ) for all sid of group G gid for period j 6

7 Overview SM, enc c sid = enc(k sid, j, e sid ), MAC sid = mac(k mac, c sid ) EMS (GP) EP,,, gid, j, c sid, MAC sid, sid, j sid, zip, city, enc(k,m): encryption of message m using key k mac(k, m): compute MAC for message m using key k 7

8 Homomorphic Encryption (1) Encrypted measurements of single customers stored in database, services (e.g., EP) are only allowed to decrypt aggregated measurements Additively homomorphic encryption necessary enc(k,m) / dec(k, c) encryption / decryption using key k, ;,, enc(k,m) additively homomorph if there is a and k = f(k 1, k 2 ) such that dec(k, (enc(k 1, m 1 ) enc(k 2, m 2 )) = m 1 + m 2 8

9 Homomorphic Encryption (2) Suggested approach introduced by Castelluccia et al. [C. Castelluccia, E. Mykletun, G. Tsudik: Efficient Aggregation of Encrypted Sensor Data in Wireless Sensor Networks. Proc. of MobiQuitous, 2005.] enc(k,m) = m + k mod n; dec(k, c) = c k mod n Keys used only once Here: keys for period j computed from SM s unique enc secret key using a one-way hash function h: enc 9

10 Homomorphic MAC (1) Requesting service must be able to check the validity of the aggregated value (valid if it is composed from the corresponding single measurements only) Additively homomorphic authentication scheme necessary additively homomorphic MAC mac(k, m): compute MAC (t) for message m using key k mac(k,m) additively homomorph (, ) if there is a ( Combine ) such that mac(k, m 1 + m 2 ) = mac(k 1, m 1 ) mac(k 2, m 2 ) 10

11 Homomorphic MAC (2) Suggested approach introduced by Agrawal and Boneh [S. Agrawal, D. Boneh: Homomorphic MACs: MAC-based Integrity for Network Coding. Proc. Of ACNS, 2009.] Pseudo Random Number Generator G Pseudo Random Function F 0, 1,,, 0, 1 Identifier, 1,, 11

12 Homomorphic MAC (3) mac(k 1, k 2, m i, id i ):,, Combine((m 1, t 1 ), (m 2, t 2 ),, (m n, t n )): Verify(k 1, k 2, y, t):,,, if output 1, otherwise 0 12