Efficient Key Management Schemes for Smart Grid

With the increasing digitization of different components of Smart Grid by incorporating smart(er) devices, there is an ongoing effort to deploy them for various applications. However, if these devices are compromised, they can reveal sensitive information from such systems. Therefore, securing them against cyber-attacks may represent the first step towards the protection of the critical infrastructure. Nevertheless, realization of the desirable security features such as confidentiality, integrity and authentication relies entirely on cryptographic keys that can be either symmetric or asymmetric. A major need, along with this, is to deal with managing these keys for a large number of devices in Smart Grid. While such key management can be easily addressed by transferring the existing protocols to Smart Grid domain, this is not an easy task, as one needs to deal with the limitations of the current communication infrastructures and resource-constrained devices in Smart Grid. In general, effective mechanisms for Smart Grid security must guarantee the security of the applications by managing (1) key revocation; and (2) key exchange. Moreover, such management should be provided without compromising the general performance of the Smart Grid applications and thus needs to incur minimal overhead to Smart Grid systems. This dissertation aims to fill this gap by proposing specialized key management techniques for resource and communication constrained Smart Grid environments. Specifically, motivated by the need of reducing the revocation management overhead, we first present a distributed public key revocation management scheme for Advanced Metering Infrastructure (AMI) by utilizing distributed hash trees (DHTs). The basic idea is to enable sharing of the burden among smart meters to reduce the overall overhead. Second, we propose another revocation management scheme by utilizing cryptographic accumulators, which reduces the space requirements for revocation information significantly. Finally, we turn our attention to symmetric key exchange problem and propose a 0-Round Trip Time (RTT) message exchange scheme to minimize the message exchanges. This scheme enables a lightweight yet secure symmetric key-exchange between field devices and the control center in Smart Gird by utilizing a dynamic hash chain mechanism. The evaluation of the proposed approaches show that they significantly out-perform existing conventional approaches

Securing the Internet of Things Communication Using Named Data Networking Approaches

The rapid advancement in sensors and their use in devices has led to the drastic increase of Internet-of-Things (IoT) device applications and usage. A fundamental requirement of an IoT-enabled ecosystem is the device’s ability to communicate with other devices, humans etc. IoT devices are usually highly resource constrained and come with varying capabilities and features. Hence, a host-based communication approach defined by the TCP/IP architecture relying on securing the communication channel between the hosts displays drawbacks especially when working in a highly chaotic environment (common with IoT applications). The discrepancies between requirements of the application and the network supporting the communication demands for a fundamental change in securing the communication in IoT applications. This research along with identifying the fundamental security problems in IoT device lifecycle in the context of secure communication also explores the use of a data-centric approach advocated by a modern architecture called Named Data Networking (NDN). The use of NDN modifies the basis of communication and security by defining data-centric security where the data chunks are secured directly and retrieved using specialized requests in a pull-based approach. This work also identifies the advantages of using semantically-rich names as the basis for IoT communication in the current client-driven environment and reinforces it with best-practices from the existing host-based approaches for such networks. We present in this thesis a number of solutions built to automate and securely onboard IoT devices; encryption, decryption and access control solutions based on semantically rich names and attribute-based schemes. We also provide the design details of solutions to sup- port trustworthy and conditionally private communication among highly resource constrained devices through specialized signing techniques and automated certificate generation and distribution with minimal use of the network resources. We also explore the design solutions for rapid trust establishment and vertically securing communication in applications including smart-grid operations and vehicular communication along with automated and lightweight certificate generation and management techniques. Through all these design details and exploration, we identify the applicability of the data-centric security techniques presented by NDN in securing IoT communication and address the shortcoming of the existing approaches in this area

Zero-configuration identity-based signcryption scheme for Smart Grid

The success of future intelligent power deliver and transmission systems across the globe relies critically on the availability of a fast, scalable, and most importantly secure communication infrastructure between the energy producers and consumers. One major obstacle to ensure secure communication among various parties in a smart grid network hinges on the technical and implementation difficulties associated with key distribution in such large-scale network with often-time disinterested consumers. This paper proposes the use of an identity-based signcryption (IBS) system to provide a zero-configuration encryption and authentication solution for end-to-end secure communications. The suitability of employing such identity-based cryptosystems in the context of smart grids is studied from the perspective of security requirements, implementation overhead and ease of management. Using the design and implementation experience of our proposed system as an example, we illustrate that IBS is a viable solution to providing a secure and easy-to-deploy solution with close to zero user setup required.published_or_final_versionThe 1st IEEE International Conference on Smart Grid Communications (SmartGridComm 2010), Gaithersburg, MD., 4-6 October 2010. In Proceedings of the 1st SmartGridComm, 2010, p. 321-32

Grid Cryptographic Simulation: A Simulator to Evaluate the Scalability of the X.509 Standard in the Smart Grid

PKI may be pushed beyond known limits when scaled to some visions of the smart grid; our research developed a simulation, Grid Cryptographic Simulation (GCS), to evaluate these potential issues, identify cryptographic bottlenecks, and evaluate tradeoffs between performance and security. Ultimately, GCS can be used to identify scalability challenges and suggest improvements to make PKI more efficient, effective, and scalable before it is deployed in the envisioned smart grid

Some Implementation Issues for Security Services based on IBE

Identity Based Encryption (IBE) is a public key cryptosystem where a unique identity string, such as an e-mail address, can be used as a public key. IBE is simpler than the traditional PKI since certificates are not needed. An IBE scheme is usually based on pairing of discrete points on elliptic curves. An IBE scheme can also be based on quadratic residuosity. This paper presents an overview of these IBE schemes and surveys present IBE based security services. Private key management is described in detail with protocols to authenticate users of Private Key Generation Authorities (PKG), to protect submission of generated private keys, and to avoid the key escrow problem. In the security service survey IBE implementations for smartcards, for smart phones, for security services in mobile networking, for security services in health care information systems, for secure web services, and for grid network security are presented. Also the performance of IBE schemes is estimated

PBCert: Privacy-Preserving Blockchain-Based Certificate Status Validation Toward Mass Storage Management

© 2013 IEEE. In the recent years, the vulnerabilities of conventional public key infrastructure are exposed by the real-world attacks, such as the certificate authority's single-point-of-failure or clients' private information leakage. Aimed at the first issue, one type of approach is that multiple entities are introduced to assist the certificate operations, including registration, update, and revocation. However, it is inefficient in computation. Another type is to make the certificate information publicly visible by bringing in the log servers. Nevertheless, the data synchronization among log servers may lead to network latency. Based on the second approach, the blockchain-based public key infrastructure schemes are proposed. Through these type of schemes, all the certificate operations are stored in the blockchain for public audit. However, the issue of revoked certificates' status storage is worth paying attention, especially in the setting with massive certificates. In addition, the target web server that a client wants to access is exposed in the process of certificate status validation. In this paper, we propose a privacy-preserving blockchain-based certificate status validation scheme called PBCert to solve these two issues. First, we separate the revoked certificates control and storage plane. Only the minimal control information (namely, certificate hashes and related operation block height) is stored in the blockchain and it uses external data stores for the detailed information about all revoked certificates. Second, we design an obscure response to the clients' certificate status query for the purpose of privacy preserving. Through the security analysis and experiment evaluation, our scheme is significant in practice

On the Digital Certificate Management in Advanced Metering Infrastructure Networks

The smart grid (SG), generally referred to as the next-generation power system, is considered as a revolutionary and evolutionary regime of existing power grids. Among the emerging SG applications, the advanced metering infrastructure (AMI) enables automated, two-way communication between a smart meter (SM) and a public utility company. To authenticate a message, the sender (e.g., a SM) signs the message with its private key using a pre-defined digital signature algorithm. To verify the message, the recipient verifies the sender's certificate and then the sender's signature using the sender's public key. In some cases, however, a previously issued certificate for a network node needs to be revoked. In this paper we investigate two possible approaches for the certificate management of SMs in AMI networks. These are based on the traditional certificate revocation lists (CRLs) and on the Bloom filters. We compare the two approaches in terms of the required packet size for the distribution of the revoked certificate serial numbers. We also discuss the advantages and limitations of each approach