Identity Based Cryptography for Smart-grid Protection

Identity Based Cryptography for Smart-grid Protection MICKAEL AVRIL mavril@assystem.com ABDERRAHMAN DAIF adaif@assystem.com LAURIE BASTA lbasta@assystem.com GREGORY LANDAIS glandais@assystem.com LAURENT BOUILLET lbouillet@assystem.com CÉDRIC TAVERNIER ctavernier@assystem.com Abstract: The smart grid offers secure and intelligent energy distribution systems that delivers energy from suppliers to consumers based on two-way demand and response digital communication technologies to control appliances at consumers homes to save energy and increase reliability. The smart grid improves existing energy distribution systems with digital information management and advanced metering systems. Increased interconnectivity and automation over the grid systems presents new challenges for security and its management. Cryptographic key management involved multiple components of the Smart Grid such as: advanced metering infrastructure, demand response systems, home area networks (HANs), neighborhood area networks that connect the home to utility systems, supervisory control and data acquisition (SCADA) systems that control generation, transmission and distribution systems and plugin electric vehicles. Smart grid requires the design of a mutual authentication scheme and a key management protocol that keep the exchanges safe between the consumers and suppliers. This paper proposes efficient techniques that use the advantages of identity based cryptography to improve the resiliency against an insider or outsider attacker. We present how a hierarchical form of identity based cryptography is particularly in phase with the complex networks requirements such as the Smart grid ones. Key Words: Cryptography, IBE, IBS, HIBE, Smart-grids 1 Introduction A Smart grid delivers electricity from suppliers to consumers using analogue or digital information and communications technologies to gather and act on information, such as information about the behaviours of suppliers and consumers, in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. In other terms Smart grid can be seen as a complex Scada network. This kind of technologies are the favorite field of game for the hackers since the virus stuxnet [1] has caused damaged in the nuclear project of Iran. Nevertheless cyber security must address not only deliberate attacks launched by cy- Figure 1: Smart grid example [2] ber criminals, but also inadvertent compromises of the information structures due to user errors, equipment

failures etc. Finally, additional risks to the grid include [3]: Increasing the complexity of the grid could introduce vulnerabilities and increase exposure to potential attackers and unintentional errors Interconnected networks can introduce common vulnerabilities; Increasing vulnerabilities to communication disruptions and the introduction of malicious software/firmware or compromised hardware could result in denial of service (DoS) or other malicious attacks; Increased number of entry points and paths are available for potential adversaries to exploit; Interconnected systems can increase the amount of private information exposed and increase the risk when data is aggregated; Increased use of new technologies can introduce new vulnerabilities; and Expansion of the amount of data that will be collected that can lead to the potential for compromise of data confidentiality, including the breach of customer privacy. Logical security architecture overview. Smart Grid technologies will introduce millions of new components to the electric grid. Many of these components are critical to interoperability and reliability, will communicate bidirectionally, and will be tasked with maintaining confidentiality, integrity, availability (CIA) vital to power systems operation and nonrepudiation for the transaction. By definition, we denote: Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Integrity: means maintaining and assuring the accuracy and consistency of data over its en-tire life-cycle Availability: means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. Non-repudiation: Implies one s intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Except for the availability which is not directly concerned, these criterion can be solved by using a key management system like the well known PKI (public key infrastructure). Unfortunately, as the dimension and the complexity of the smart grids are such that a PKI brings more problems than it can solve (see [3]). Key Management Issues. All security protocols rely on the existence of a security association (SA). SAs contain all the information required for execution of various network security services. An SA can be authenticated or unauthenticated. The establishment of an authenticated SA requires that at least one party possess some sort of credential that can be used to provide assurance of identity or device attributes to others. In general two types of credentials are common: secret keys that are shared between entities (e.g., devices), and (digital) public key certificates for key establishment (i.e. for transporting or computing the secret keys that are to be shared). Public key certificates are used to bind user or device names to a public key through some third-party attestation model, such as a PKI. Applying the defense-in-depth strategy with the classical Onion structure (see Fig 2) could require many appliances and protocols (radius servers, VPN, SSH, Firewall,...) and ideally a notion of role based access because specific action is authorized by only specific authorized people. In fact, as each layer has to be protected almost independently from the other, it complexifies a lot the architecture and the key management which is crucial for these concerned appliances and protocols. Theoretically, Public key infrastructure (PKI) solutions address many of the problems that surround key management, but Operating it for generating and handling certificates can also require a significant amount of overhead and is typically not appropriate for small and some mid-sized systems. A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the

Figure 2: Onion model of defense in depth [4] binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation. Hence PKI-based solution IBE (Identity based encryption), IBS (Identity based signature) as an alternative solution. The idea of IBC (Identity based cryptography) appeared in 1984 in [6], but without the introduction of elliptic curves. The bilinear pairing appears in 2001 [7]. Identity-based systems allow any party to generate a public key from a known identity value such as an ASCII string. A trusted third party, called the Private Key Generator (), generates the corresponding private keys. To operate, the first publishes a master public key, and retains the corresponding master private key (referred to as master key). Given the master public key, any party can compute a public key corresponding to the identity ID by combining the master public key with the identity value. To obtain a corresponding private key, the party authorized to use the identity ID contacts the, which uses the master private key to generate the private key for identity ID. As a result, parties may encrypt messages (or verify signatures) with no prior distribution of keys between individual participants. This is extremely useful in cases where pre-distribution of authenticated keys is inconvenient or infeasible due to technical restraints. However, to decrypt or sign messages, the authorized user must obtain the appropriate private key from the. The steps involved are depicted in this diagram: We go more deeply in the Figure 4: ID Based Encryption: Offline and Online Steps [8] Figure 3: Public key infrastructure scheme[5] can have a high cost of entry, but requires only one certificate per device (as opposed to one key per pair of communicating devices), and may be more appropriate for large systems, depending on the number of possible communicating pairs of devices. In fact, the largest users of digital certificates are the Department of Defense and large enterprises. We refer directly to the rapport of Nist ([3]) for a complete description of the issues of using a PKI for Smart grids. details in the next sections of this paper. Smart grid application.hence, we claim as in certain previous paper [9] that we can provide: Advanced metering infrastructure (AMI): Establish two-way communications between advanced meters and utility business systems. Millions of meters will be deployed in Smart Grid systems and keys must be embedded in these meters to protect the AMI networks. Providing keys to this equipment is a challenge, for generation, de-

ployment, revocation, etc. Mechanisms to redistribute or re-establish keys are a real challenge. Managing all of these keys and their lifecycle is very complex. This problem must be addressed in a way that one key having problem must not compromise the entire system or affect the others. Cyber security: Ensure the confidentiality, integrity and availability of the electronic information. Demand response and consumer energy efficiency: Provide mechanisms and incentives for customers to cut energy use during times of peak demand. Distribution grid management: Maximize the performance of feeders, transformers and other components of distribution systems. Electric transportation: Enable large-scale integration of plug-in electric vehicles. Energy storage: Provide the means to store energy. Network communications: Identify performance metrics and core operational requirements of various Smart Grid applications. Wide-area situational awareness: Monitoring and display of power-system components over large geographic areas in near real time to optimize management of grid components and performance and respond to problems before disruptions arise. Contribution. We propose in this article to use a modified version of the IBE and IBS system to provide an efficient security for Smart grids. We succeed to remove the disadvantage linked to the that could be corrupted in our model. In the same time we show that these technologies are perfectly adapted with huge dimension and complex architecture where role based access could not be ignored. 2 Boneh & Franklin IBE We present in this section the first efficient IBE scheme due to Boneh and Franklin [10], it is based on the bilinear Diffie-Hellman problem (BDHP) over elliptic curves. This scheme involves a third autority that is denoted. It could be compared to the CA (certificate autority) of a PKI. It is defined by the following algorithms: Initialization: A prime number q. Two cyclic groups G 1 and G T of order q. A pairing e : G 1 G 1 G T. A generator P R G 1. The master key s R Z q. P 0 = sp. M = {0, 1} n the set of messages. C = G 1 M All cryptograms. Two hash functions: H 1 : {0, 1} G 1 and H 2 : G T M. The public parameters: P P = (q, G 1, G T, e, n, P, P 0, H 1, H 2 ). Output : (P P, s). Extraction : Input: An identity ID. The public key of the identity: Q ID = H 1 (ID) G 1. The secrete key of the identity: S ID = sq ID G 1. Output: (Q ID, S ID ). Encryption: Input: A message M M and an identity ID. Q ID = H 1 (ID) G 1. Choose r R Z q. g ID = e(q ID, P 0 ) G T. Output: The cryptogram C = (rp, M H 2 (g r ID )) G 1 M. Decryption: Input: A cryptogram C = (U, V ) G 1 M. Output: The message M = V H 2 (e(s ID, U)). Proof. We have: V H 2 (e(s ID, U)) = M H 2 (g r ID ) H2 (e(s ID, U)). Thus we have to show that: g r ID = e(s ID, U).

We have: g r ID = e(q ID, P 0 ) r = e(q ID, sp ) r = e(sq ID, rp ) (accorgind to the properties of e) = e(s ID, U). Remark 1. Let P a generator in G 1, then the function: H 1 : {0, 1} G 1 m mp can be considered as a hash function. 2.1 Network exchanges: We propose to describe graphically the network exchanges and the role of. Master Key : Public Key : : @mail.fr Public Key : Secret Key : Figure 5: Key generation in Boneh & Franklin scheme The figure 5 corresponds to the secret key generation which is done periodically while the user has not been revoked. In this scheme, authenticates and generate a secret key S B that will stay valid during a certain time denoted period. The public key can be generated by anyone throught the calculation: H(ID Periode). Alice The message :. The master key : The public key : Figure 6: Public key transfer in Boneh & Franklin scheme In the Figure 6, Alice wants to send a confidential message to, then she sends a request to that sends his master public key P 0. In the figure 7, Alice encrypts M with a pairing based function. Then can decrypt the message with this pairing based function. Alice The message :. Encryption : : @mail.fr Secret Key : Public Key : Decryption : Figure 7: Encryption, Decryption in Boneh & Franklin scheme 2.2 Advantages and disadvantages Certificates periods and certificates revocations based on CRL rely on the system time for their validation. If the system time is incorrect, an expired certificate may be considered as valid and/or a valid certificate may be considered as expired; a revoked certificate may be listed in the CRL but the CRL will not be taken into account. Synchronization of the time is really important for PKI systems, VPN and another tunnels based on certificate authentication. This IBE scheme avoids the management of certificates since public keys are computed directly from the identities. Revocation is almost free because simply the revoked user won t receive the valid secret key. Also, this scheme involves less traffic network. Unfortunately the has a full power and if it is corrupted, the system falls. In order to fix these disadvantages, we propose a new scheme that we denote IBE-2 3 IBE-2, an improved version We have described in the previous section a certificate-less scheme that owns certain advantages on PKI, but which is not enough practically for complex systems as Smart grid. is very sensitive and it is not acceptable that the security of the full system holds on only it. In our proposed scheme we use the trick considered in [11] that consists in involving a new authority called KPA (key protection authority). Among the advantages of this new scheme, we note that now the users contribute in the generation of the secret key in a sense that only him can compute it. To reach to this and KPA provide together the public key Q 1 containing the private master keys s 0 and s 1, the user identity Q ID and a mask H 3 (e(s 0 X, P 0 )) H 3 (e(s 1 X, P 1 )) only known from the user. The seven main steps are decribed in this scheme: Initialization of parameters: (done by )

A huge prime number q. Two cyclic groups G 1 and G T of order q. A pairing e : G 1 G 1 G T. A generator P R G 1. s 0 R Z q and compute P 0 = s 0 P G 1. C = G 1 M the set of cryptograms. Three hash functions: H 1 : {0, 1} G 1, H 2 : G T M and H 3 : G T Z q. publishes : P P = (q, G 1, G T, e, P, P 0, H 1, H 2, H 3 ). The secret Key: s 0. Initialization of the public Key: (Done by KPA) The KPA secret Key s 1 R Z q. The KPA public key P 1 = s 1 P G 1. Computes Y = s 1 P 0 = s 0 s 1 P the public key. can check if Y has been computed with the correct P 0 by testing: e(y, P )? = e(p 0, P 1 ) (1) Providing to users keys: (Done by ) The user choose a temporary secret x R Z q and compute X = xp. Then he sends X to that computes: Q ID = H 1 (ID, P KG, KP A) G 1. Q 0 = H 3 (e(s 0 X, P 0 ))s 0 Q ID (2) sign(q 0 ) = s 0 Q 0. Providing Keys to users: (Done by KPA) KPA receives X, Q ID, Q 0, sign(q 0 ) from the user and: Checks the signature Q 0 by testing e(sign(q 0 ), P )? = e(q 0, P 0 ) (3) After checking the signature, he computes: Q 1 = H 3 (e(s 1 X, P 1 ))s 1 Q 0 (4) Computes sign(q 1 ) = s 1 Q 1. Extraction of secret Keys: by the user) After receiving Q 1 and sign(q 1 ) : He checks: (Done e(sign(q 1 ), P )? = e(q 1, P 1 ) (5) He computes the secret Key: Q S ID = 1 H 3 (e(p 0,P 0 ) x )H 3 (e(p 1,P 1 ) x ) = s 0 s 1 Q ID (6) The user can check the correctness of the key by testing: e(s ID, P )? = e(q ID, Y ) (7) Encryption: For the encryption, it is exactly done as in the previous scheme by using Y as public key: g ID = e(q ID, Y ) (8) C = (U, V ) = (rp, M H 2 (g r ID)) Decryption: For the decryption: G 1 M. M = V H 2 (e(s ID, U)) (9) This scheme allows a secure key exchange between the user and the authorities and KPA through the following test: The test 1 gives the proof to and the user that Y = s 0 s 1 P, (KPA could choose s 0 and could send Y = s 0 s 1 P. The test 3 gives the proof to KPA that the received data (X, Q 0, Sign(Q 0 )) come from. The test 5 gives the proof to the user that the received data (Q 1, Sign(Q 1 )) come from KPA. The test 7 gives the proof to the user that his secret key is computed from the correct master Keys s 0 and s 1.

: Master Key 1. : Public Key. : @mail.fr2014 Secret Key : Public key : Figure 8: Key distribution in IBE-2 KPA : Master Key 2. : Public Key. The figure 8 summarizes the key distribution between, KPA and the user. Remark 2. It is important to note that KPA is involved only during the enrollment stage. Concerning the encryption and decryption, is in charge of distributing public keys as showed in figure 9. Thus concretely, is a server that changes periodically its secret key whereas the KPA secret key won t change and can be kept in a secure way such that only a lawyer authority could access in case of corruption for example. Alice The message: KPA : @mail.fr2014 Secret Key : Public Key : Figure 9: Encryption and decryption in IBE-2 3.1 IBE-2 advantages Compared to a PKI, IBE-2 offers the following: This key management is certificate-less, thus there no need to check any certificate before encryption operation and the famous LDAP server is no more required. A simplified management of the CRL, because any revoked key can be recalculated algorithmically. IBE-2 brings more security because the security is spread over two authorities instead of one and because the system is more dynamical. 4 Identity based signature Smart grids generate a business activity. As for many activities, there is suppliers and consumers. In the case of Smart grids, consumers can be also suppliers for example with smart houses that use photovoltaic and or wind generators... This fact complexifies a lot the exchanges. Managing a PKI for the transaction would be a difficult task, furthermore the identity based cryptography does not solve all problems because it requires third party (). Unfortunately, for many countries this is not acceptable because potentially this third part could sign instead of the user ( could usurp the identity). We propose to describe in this section a signature based on a method introduced in [12]. We aim to give the possibility to the user to prove that the signature belongs to when this is the case. The notion of arbiter lawyer authority is introduced to reach to this proof. This is the arbiter that check if the signature is valid or not as explained in this following scheme composed of 6 stages: Parameters: A huge prime number q. A pairing (Tate Pairing) e : G 1 G 1 G T. Two hash functions: H : {0, 1} G 1 et h : {0, 1} G T Z q. s Z q the master Key of. P 0 = sp the public Key of. P P = (G 1, G T, q, P, P 0, e, H, h). P S = (s). Initialization: s 1 Z q the secret Key of the user. Q 1 = s 1 P the public key of the user. Extraction: Q 2 = H(ID, Q 1 ). S 2 = sq 2. Signing: Input: a message M M k R Z q. r = e(q 2, P 0 ) k. v = h(m, r). U = ks 2 vs 1 Q 2.

σ = (v, U) (Z q, G 1 ). Checking: Input: σ = (v, U) (Z q, G 1 ) r = e(u, P )e(q 2, Q 1 ) v. test: v =? h(m, r) (10)? Q 2 = H(ID, Q1 ) (11) Arbiter: : @mail.com Secret Key 1 : Public Key 1 : Secret Key 2 : Public Key 2 : The master Key : The public Key : La clé maitre : La clé publique : If the signer denies to be the owner of the signature, the arbiter is involved and choose a random α Z q, then he identifies the signer by sending a demand to check if he owns S 2 via a zero knowledge proof. After proving that the user owns S 2, the arbiter sends him αp, then the signer returns the value e(s 2, αp ) and the arbiter tests e(s 2, αp )? = e(q 2, P 0 ) α. If the test is satisfied, it means that is the owner of this signature because he is the only one that could produce a fake S 2. Figure 10: The secret Key generation : @mail.fr2014 Secret key 1 : Public key : Secret key 2 : Public key 2 : Master key : Public key : Alice The message :. Proof. To test (10), it is enough to show that r = e(q 2, P 0 ) k : Figure 11: The signature stage r = e(u, P )e(q 2, Q 1 ) v = e(ks 2 vs 1 Q 2, P )e(q 2, Q 1 ) v = e(ksq 2 vs 1 Q 2, P )e(vq 2, s 1 P ) = e(ksq 2 vs 1 Q 2, P )e(vs 1 Q 2, P ) = e(ksq 2 vs 1 Q 2 + vs 1 Q 2, P ) = e(ksq 2, P ) = e(kq 2, sp ) = e(q 2, P 0 ) k It is clear that the test (11) is satisfied for a valid signature. This test is required only to identify the user key Q 1. : @mail.fr2014 Secret key 1 : Public key : Secret key 2 : Public key 2 : Master key : Public key : Alice The message :. The figure 10 describes the enrollment stage that corresponds to the Initialization. This stage allows the user to generate his own secret Key s 1 and public Key Q 1. Then the user sends his public to that must generate the pair (S 2, Q 2 ) via the algorithm Extraction. The second key Q 2 creates the link between the user identity and the public Key Q 1. The figures 11 and 12 describes the signature with Alice that wants to send to the message M signed. Hence, we have described an efficient Identity based signature that could be an alternative to the standard one for Smart grid applications. Figure 12: The checking stage 5 Hierarchical IBE For huge Smart grids with ten millions of users, we cannot imagine that one server will succeed to satisfy the demand, then it is mandatory to consider a hierarchical organization to these Smart grids. It could be organized in function of regions where consumers are located and also according to the type of consumer (factories, home, building, etc). Thus a nice

key management should be hierarchical and attributebased. Fortunately, it is well known that IBE can be extended in HIBE with several s that deliver keys hierarchically (see [13]). Hence, each authority has to generate keys to s directly under its responsibility (leafs). Root 1 2... k Encryption: Input: The message M {0, 1} n. Output: The cryptogram C G t 1 {0, 1} n. r R Z q. g = e(q 0, P 1 ). C = (rp 0, rp 2,..., rp t, M H(g r )). Decryption: Input: The cryptogram C = (U 0, U 2,..., U t, V ) G t 1 {0, 1}n. Groupe of users 1 Groupe of users 2... Groupe of users k Output: M {0, 1} n. e(u 0,S t) M = V H( ). t i=2 e(q i 1,U i ) Figure 13: HIBE architecture 5.1 Key distribution in HIBE [13]: Initialization: (Done by Root 0 ) Choose: P 0 G 1 a public generator. Choose: s 0 Z q the master Key. Calculate : Q 0 = s 0 P 0 the public Key. A pairing: e : G 1 G 1 G T. Two hash functions: H 1 : {0, 1} G 1 H 2 : G T {0, 1} Output: P P 0 = (G 1, G 2, e, P 0, Q 0, H 1, H 2 ), SP 0 = (s 0 ). Initialization: (Done by t floor t) at the Compute P t = H 1 (id 1, id 2,..., id t ) with id i for 1 i < t the identity of the i-th father of t. Choose s t Z q the master key of the sub tree for which the root is t. S t = S t 1 + s t 1 P t = t i=1 s i 1P i provided by the father of the floor t 1. Q i = s i P 0 for 1 i t 1 computed by the s fathers above. Proof. It is enough to prove that: have: Remark 3. e(u 0,S t) t i=2 e(q i 1,U i ) e(u 0,S t) t i=2 e(q i 1,U i ) = gr. We = e(rp 0, t i=1 s i 1P i ) t i=2 e(s i 1P 0,rP i ) t i=1 = e(rp 0,s i 1 P i ) t i=2 e(rp 0,s i 1 P i ) = e(rp 0, s 0 P 1 ) = e(s 0 P 0, P 1 ) r = e(q 0, P 1 ) r = g r 1. Obviously the HIBE scheme is an extension of the Boneh & Franklin scheme. 2. This scheme is compliant with IBE-2 and only one KPA is required to protect all user keys. The figure 14 describes the encryption and decryption stages between Alice and. Alice first determines the address of Bod in the tree and compute her public key P B, then she encrypts her message by using the public keys P i of the previous s of. decrypts the message with the public key Q i of its previous s and his secret key S B generated by his father. 6 Conclusion In this paper, we have presented a certificate-less key management system which is more scalable and more

Alice Message : Encryption: Decryption: Figure 14: Encryption and decryption in HIBE Proceedings of CRYPTO 84, Lecture Notes in Computer Science, 7:47-53, 1984 [7] Dan Boneh, Matthew K. Franklin, Identity- Based Encryption from the Weil Pairing Advances in Cryptology - Proceedings of CRYPTO 2001 [8] http://en.wikipedia.org/wiki/ ID-based_encryption [9] Priti V. Jasud, Manish D. Katkar, S. D. Kamble. Authentication Mechanism for Smart Grid Network. International Journal of Soft Computing and Engineering (IJSCE) ISSN: 2231-2307, Volume-4, Issue-1, March 2014, [10] Dan Boneh, Matthew Franklin, Identity-Based Encryption from the Weil Pairing, 2001. [11] Byoungcheon Lee, Colin Boyd, Ed Dawson, Kwangjo Kim, Jeongmo Yang, Seungjae Yoo, Secure Key Issuing in ID-based Cryptography, 2004. [12] Jingwei Liu, Rong Sun, Weidong Kou, Xinmei Wang, Efficient ID-based Signature Without Trusted, 2007. [13] C.Gentry, A. Silverberg, Hierarchical ID-Based Cryptography, 2002. efficient than a PKI. This scheme is working for asymmetric encryption and signature which is important for Smart grid business. This scheme is compliant with hierarchical IBE and gives the advantage to address access control in smart grids. Obviously, this techniques allows less storage than for PKI. Acknowledgements: The work of L. Basta, G. Landais And C. Tavernier was partially supported by SCISSOR ICT project no. 644425, funded by the European Commissions Information & communication technology H2020 Framework Program. References: [1] http://en.wikipedia.org/wiki/ Stuxnet. [2] http://www.hitachi.com/ environment/showcase/solution/ energy/smartgrid.html. [3] Introduction to NISTIR 7628 Guidelines for Smart Grid Cyber Security, Nist Cyber Security Working Group. September 2010. [4] http://en.wikipedia.org/wiki/ Information_security. [5] http://en.wikipedia.org/wiki/ Public_key_infrastructure [6] Adi Shamir, Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology: