Identity Based Cryptography for Smart-grid

Identity Based Cryptography for Smart-grid Protection
M ICKAEL AVRIL
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
L AURIE BASTA
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
L AURENT B OUILLET
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
A BDERRAHMAN DAIF
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
G REGORY L ANDAIS
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
C E´ DRIC TAVERNIER
Assystem
Department of Cybersecurity
Assystem E&OS.
23, Place de Wicklow 78067
St-Quentin en Yvelines
France
[email protected]
Abstract: The smart grid offers secure and intelligent energy distribution systems that delivers energy from suppliers to consumers based on two-way demand and response digital communication technologies to control appliances
at consumers homes to save energy and increase reliability. The smart grid improves existing energy distribution
systems with digital information management and advanced metering systems. Increased interconnectivity and
automation over the grid systems presents new challenges for security and its management. Cryptographic key
management involved multiple components of the Smart Grid such as: advanced metering infrastructure, demand
response systems, home area networks (HANs), neighborhood area networks that connect the home to utility
systems, supervisory control and data acquisition (SCADA) systems that control generation, transmission and distribution systems and plugin electric vehicles. Smart grid requires the design of a mutual authentication scheme
and a key management protocol that keep the exchanges safe between the consumers and suppliers. This paper proposes efficient techniques that use the advantages of identity based cryptography to improve the resiliency against
an insider or outsider attacker. We present how a hierarchical form of identity based cryptography is particularly
in phase with the complex networks requirements such as the Smart grid ones.
Key–Words: Cryptography, IBE, IBS, HIBE, Smart-grids
1
Introduction
A Smart grid delivers electricity from suppliers to
consumers using analogue or digital information and
communications technologies to gather and act on information, such as information about the behaviours
of suppliers and consumers, in an automated fashion to improve the efficiency, reliability, economics,
and sustainability of the production and distribution
of electricity. In other terms Smart grid can be seen
as a complex Scada network. This kind of technologies are the favorite field of game for the hackers since
the virus stuxnet [1] has caused damaged in the nuclear project of Iran. Nevertheless cyber security must
address not only deliberate attacks launched by cy-
Figure 1: Smart grid example [2]
ber criminals, but also inadvertent compromises of the
information structures due to user errors, equipment
failures etc. Finally, additional risks to the grid include [3]:
• Increasing the complexity of the grid could introduce vulnerabilities and increase exposure to
potential attackers and unintentional errors
• Interconnected networks can introduce common
vulnerabilities;
• Increasing vulnerabilities to communication disruptions and the introduction of malicious software/firmware or compromised hardware could
result in denial of service (DoS) or other malicious attacks;
• Increased number of entry points and paths are
available for potential adversaries to exploit;
• Interconnected systems can increase the amount
of private information exposed and increase the
risk when data is aggregated;
• Increased use of new technologies can introduce
new vulnerabilities; and
• Expansion of the amount of data that will be
collected that can lead to the potential for compromise of data confidentiality, including the
breach of customer privacy.
Logical security architecture overview. Smart
Grid technologies will introduce millions of new components to the electric grid. Many of these components are critical to interoperability and reliability,
will communicate bidirectionally, and will be tasked
with maintaining confidentiality, integrity, availability (CIA) vital to power systems operation and nonrepudiation for the transaction. By definition, we denote:
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy
and proprietary information.
• Integrity: means maintaining and assuring the
accuracy and consistency of data over its en-tire
life-cycle
• Availability: means that the computing systems
used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
• Non-repudiation: Implies one’s intention to fulfill their obligations to a contract. It also implies
that one party of a transaction cannot deny having received a transaction nor can the other party
deny having sent a transaction.
Except for the availability which is not directly
concerned, these criterion can be solved by using a
key management system like the well known PKI
(public key infrastructure). Unfortunately, as the dimension and the complexity of the smart grids are
such that a PKI brings more problems than it can solve
(see [3]).
Key Management Issues. All security protocols
rely on the existence of a security association (SA).
SAs contain all the information required for execution
of various network security services. An SA can be
authenticated or unauthenticated. The establishment
of an authenticated SA requires that at least one party
possess some sort of credential that can be used to provide assurance of identity or device attributes to others. In general two types of credentials are common:
secret keys that are shared between entities (e.g., devices), and (digital) public key certificates for key establishment (i.e. for transporting or computing the secret keys that are to be shared). Public key certificates
are used to bind user or device names to a public key
through some third-party attestation model, such as a
PKI.
Applying the defense-in-depth strategy with the
classical Onion structure (see Fig 2) could require
many appliances and protocols (radius servers, VPN,
SSH, Firewall,...) and ideally a notion of role based
access because specific action is authorized by only
specific authorized people. In fact, as each layer has
to be protected almost independently from the other,
it complexifies a lot the architecture and the key management which is crucial for these concerned appliances and protocols. Theoretically, Public key infrastructure (PKI) solutions address many of the problems
that surround key management, but Operating it for
generating and handling certificates can also require
a significant amount of overhead and is typically not
appropriate for small and some mid-sized systems. A
public-key infrastructure (PKI) is a set of hardware,
software, people, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The
user identity must be unique within each CA domain.
The third-party validation authority (VA) can provide
this information on behalf of CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the
Figure 2: Onion model of defense in depth [4]
binding has, may be carried out by software at a CA,
or under human supervision. The PKI role that assures this binding is called the registration authority
(RA). The RA ensures that the public key is bound
to the individual to which it is assigned in a way that
ensures non-repudiation. Hence PKI-based solution
IBE (Identity based encryption), IBS (Identity
based signature) as an alternative solution. The
idea of IBC (Identity based cryptography) appeared
in 1984 in [6], but without the introduction of elliptic curves. The bilinear pairing appears in 2001 [7].
Identity-based systems allow any party to generate a
public key from a known identity value such as an
ASCII string. A trusted third party, called the Private Key Generator (PKG), generates the corresponding private keys. To operate, the PKG first publishes
a master public key, and retains the corresponding
master private key (referred to as master key). Given
the master public key, any party can compute a public key corresponding to the identity ID by combining the master public key with the identity value. To
obtain a corresponding private key, the party authorized to use the identity ID contacts the PKG, which
uses the master private key to generate the private key
for identity ID. As a result, parties may encrypt messages (or verify signatures) with no prior distribution
of keys between individual participants. This is extremely useful in cases where pre-distribution of authenticated keys is inconvenient or infeasible due to
technical restraints. However, to decrypt or sign messages, the authorized user must obtain the appropriate private key from the PKG. The steps involved are
depicted in this diagram: We go more deeply in the
Figure 4: ID Based Encryption: Offline and Online
Steps [8]
Figure 3: Public key infrastructure scheme[5]
can have a high cost of entry, but requires only one
certificate per device (as opposed to one key per pair
of communicating devices), and may be more appropriate for large systems, depending on the number of
possible communicating pairs of devices. In fact, the
largest users of digital certificates are the Department
of Defense and large enterprises. We refer directly to
the rapport of Nist ([3]) for a complete description of
the issues of using a PKI for Smart grids.
details in the next sections of this paper.
Smart grid application.Hence, we claim as in
certain previous paper [9] that we can provide:
• Advanced metering infrastructure (AMI): Establish two-way communications between advanced
meters and utility business systems. Millions of
meters will be deployed in Smart Grid systems
and keys must be embedded in these meters to
protect the AMI networks. Providing keys to
this equipment is a challenge, for generation, de-
ployment, revocation, etc. Mechanisms to redistribute or re-establish keys are a real challenge. Managing all of these keys and their lifecycle is very complex. This problem must be addressed in a way that one key having problem
must not compromise the entire system or affect
the others.
• Cyber security: Ensure the confidentiality, integrity and availability of the electronic information.
• Demand response and consumer energy efficiency: Provide mechanisms and incentives for
customers to cut energy use during times of peak
demand.
• Distribution grid management: Maximize the
performance of feeders, transformers and other
components of distribution systems.
• Electric transportation: Enable large-scale integration of plug-in electric vehicles.
• Energy storage: Provide the means to store energy.
• Network communications: Identify performance
metrics and core operational requirements of various Smart Grid applications.
• Wide-area situational awareness: Monitoring
and display of power-system components over
large geographic areas in near real time to optimize management of grid components and performance and respond to problems before disruptions arise.
Contribution. We propose in this article to use
a modified version of the IBE and IBS system to provide an efficient security for Smart grids. We succeed
to remove the disadvantage linked to the PKG that
could be corrupted in our model. In the same time
we show that these technologies are perfectly adapted
with huge dimension and complex architecture where
role based access could not be ignored.
2
Boneh & Franklin IBE
We present in this section the first efficient IBE
scheme due to Boneh and Franklin [10], it is based
on the bilinear Diffie-Hellman problem (BDHP) over
elliptic curves. This scheme involves a third autority
that is denoted PKG. It could be compared to the CA
(certificate autority) of a PKI. It is defined by the following algorithms:
Initialization:
• A prime number q.
• Two cyclic groups G1 and GT of order
q.
• A pairing e : G1 × G1 → GT .
• A generator P ∈R G1 .
• The master key s ∈R Z∗q .
• P0 = sP .
• M = {0, 1}n the set of messages.
• C = G∗1 × M All cryptograms.
• Two hash functions: H1 : {0, 1}∗ →
G∗1 and H2 : GT → M.
• The public parameters: P P
(q, G1 , GT , e, n, P, P0 , H1 , H2 ).
=
• Output : (P P, s).
Extraction :
• Input: An identity ID.
• The public key of the identity: QID =
H1 (ID) ∈ G∗1 .
• The secrete key of the identity: SID =
sQID ∈ G∗1 .
• Output: (QID , SID ).
Encryption:
• Input: A message M ∈ M and an
identity ID.
• QID = H1 (ID) ∈ G∗1 .
• Choose r ∈R Z∗q .
• gID = e(QID , P0 ) ∈ G∗T .
• Output: L The cryptogram C
r )) ∈ G∗ × M.
(rP, M
H2 (gID
1
=
Decryption:
• Input: A cryptogram C = (U, V ) ∈
G∗1 × M.
• Output:
The message
L
V
H2 (e(SID , U )).
M
=
Proof.
L
L
r )
We
H2 (e(SID , U )) = M
H2 (gID
L have: V
H2 (e(SID , U )). Thus we have to show that:
r
gID
= e(SID , U ).
r
We have: gID
= e(QID , P0 )r = e(QID , sP )r =
e(sQID , rP ) (accorgind to the properties of e) =
e(SID , U ).
Remark 1. Let P a generator in G∗1 , then the function:
H1 : {0, 1}∗ → G∗1
m
7→ mP
Alice
The message :
Encryption
:
.
Bob
: [email protected]
Secret Key
:
Public Key
:
Decryption
:
can be considered as a hash function.
Figure 7: Encryption, Decryption in Boneh &
Franklin scheme
2.1
2.2
Network exchanges:
We propose to describe graphically the network exchanges and the role of PKG.
PKG
Master Key
:
Public Key
:
Bob
: [email protected]
Public Key
:
Secret Key
:
Figure 5: Key generation in Boneh & Franklin scheme
The figure 5 corresponds to the secret key generation which is done periodically while the user has not
been revoked. In this scheme, PKG authenticates Bob
and generate a secret key SB that will stay valid during a certain time denoted “period”. The public key
can be generated by anyone throught the calculation:
H(ID|Periode).
PKG
The master key :
The public key :
Alice
The message :
.
Figure 6: Public key transfer in Boneh & Franklin
scheme
In the Figure 6, Alice wants to send a confidential
message to Bob, then she sends a request to PKG that
sends his master public key P0 .
In the figure 7, Alice encrypts M with a pairing
based function. Then Bob can decrypt the message
with this pairing based function.
Advantages and disadvantages
Certificates periods and certificates revocations based
on CRL rely on the system time for their validation. If
the system time is incorrect, an expired certificate may
be considered as valid and/or a valid certificate may
be considered as expired; a revoked certificate may be
listed in the CRL but the CRL will not be taken into
account. Synchronization of the time is really important for PKI systems, VPN and another tunnels based
on certificate authentication.
This IBE scheme avoids the management of certificates since public keys are computed directly from
the identities. Revocation is almost free because simply the revoked user won’t receive the valid secret key.
Also, this scheme involves less traffic network. Unfortunately the PKG has a full power and if it is corrupted, the system falls.
In order to fix these disadvantages, we propose a
new scheme that we denote IBE-2
3
IBE-2, an improved version
We have described in the previous section a
certificate-less scheme that owns certain advantages
on PKI, but which is not enough practically for complex systems as Smart grid. PKG is very sensitive and
it is not acceptable that the security of the full system holds on only it. In our proposed scheme we use
the trick considered in [11] that consists in involving
a new authority called KPA (key protection authority). Among the advantages of this new scheme, we
note that now the users contribute in the generation
of the secret key in a sense that only him can compute it. To reach to this PKG and KPA provide together the public key Q1 containing the private master keys s0 and s1 , the user identity QID and a mask
H3 (e(s0 X, P0 )) × H3 (e(s1 X, P1 )) only known from
the user. The seven main steps are decribed in this
scheme:
Initialization of parameters:
(done by PKG)
• A huge prime number q.
• Two cyclic groups G1 and GT of order
q.
• A pairing e : G1 × G1 → GT .
• A generator P ∈R G1 .
• s0 ∈R Z∗q and compute P0 = s0 P ∈
G1 .
• C = G∗1 × M the set of cryptograms.
• Three hash functions: H1 : {0, 1}∗ →
G∗1 , H2 : GT → M and H3 : GT →
Z∗q .
• PKG publishes :
PP
=
(q, G1 , GT , e, P, P0 , H1 , H2 , H3 ).
• The PKG secret Key: s0 .
Initialization of the public
Key: (Done by KPA)
?
Extraction of secret Keys:
by the user)
After receiving Q1 and sign(Q1 ) :
?
e(sign(Q1 ), P ) = e(Q1 , P1 )
Providing to users keys: (Done by
PKG)
The user choose a temporary secret x ∈R Z∗q
and compute X = xP . Then he sends X to
PKG that computes:
(5)
• He computes the secret Key:
1
SID = H3 (e(P0 ,P0 )xQ)H
x
3 (e(P1 ,P1 ) )
= s0 s1 QID
(6)
• The user can check the correctness of
the key by testing:
?
(1)
(Done
• He checks:
e(SID , P ) = e(QID , Y )
• The KPA secret Key s1 ∈R Z∗q .
• The KPA public key P1 = s1 P ∈ G1 .
• Computes Y = s1 P0 = s0 s1 P the
public key.
PKG can check if Y has been computed with the correct P0 by testing:
e(Y, P ) = e(P0 , P1 )
• Computes sign(Q1 ) = s1 Q1 .
(7)
Encryption:
For the encryption, it is exactly done as in the
previous scheme by using Y as public key:
gID = e(QID , Y )
(8)
M
r
C = (U, V ) = (rP, M
H2 (gID
))
∈ G∗1 × M.
Decryption:
For the decryption:
M
M =V
H2 (e(SID , U ))
(9)
• QID = H1 (ID, P KG, KP A) ∈ G1 .
•
(2)
This scheme allows a secure key exchange between the user and the authorities PKG and KPA
through the following test:
Providing Keys to users: (Done by
KPA)
KPA receives X, QID , Q0 , sign(Q0 ) from
the user and:
• The test 1 gives the proof to PKG and the user
that Y = s0 s1 P , (KPA could choose s0 and
could send Y = s0 s1 P .
Q0 = H3 (e(s0 X, P0 ))s0 QID
• sign(Q0 ) = s0 Q0 .
• The test 3 gives the proof to KPA that the received data (X, Q0 , Sign(Q0 )) come from PKG.
• Checks the signature Q0 by testing
?
e(sign(Q0 ), P ) = e(Q0 , P0 )
(3)
• After checking the signature, he computes:
Q1 = H3 (e(s1 X, P1 ))s1 Q0
(4)
• The test 5 gives the proof to the user that the received data (Q1 , Sign(Q1 )) come from KPA.
• The test 7 gives the proof to the user that his
secret key is computed from the correct master
Keys s0 and s1 .
PKG
: Master Key 1.
: Public Key.
KPA
: Master Key 2.
: Public Key.
Bob
: [email protected]
Secret Key
:
Public key
:
Figure 8: Key distribution in IBE-2
The figure 8 summarizes the key distribution between PKG, KPA and the user.
Remark 2. It is important to note that KPA is involved only during the enrollment stage. Concerning
the encryption and decryption, PKG is in charge of
distributing public keys as showed in figure 9. Thus
concretely, PKG is a server that changes periodically
its secret key whereas the KPA secret key won’t change
and can be kept in a secure way such that only a
lawyer authority could access in case of corruption
for example.
PKG
KPA
4
Identity based signature
Smart grids generate a business activity. As for many
activities, there is suppliers and consumers. In the
case of Smart grids, consumers can be also suppliers for example with smart houses that use photovoltaic and or wind generators. . . This fact complexifies a lot the exchanges. Managing a PKI for the transaction would be a difficult task, furthermore the identity based cryptography does not solve all problems
because it requires third party (PKG). Unfortunately,
for many countries this is not acceptable because potentially this third part could sign instead of the user
(PKG could usurp the identity). We propose to describe in this section a signature based on a method
introduced in [12]. We aim to give the possibility to
the user to prove that the signature belongs to PKG
when this is the case. The notion of arbiter lawyer
authority is introduced to reach to this proof. This is
the arbiter that check if the signature is valid or not
as explained in this following scheme composed of 6
stages:
Parameters:
• A huge prime number q.
• A pairing (Tate Pairing) e : G1 ×G1 →
GT .
Alice
The message:
Bob
: [email protected]
Secret Key
:
Public Key
:
• Two hash functions: H : {0, 1}∗ →
G∗1 et h : {0, 1}∗ × G∗T → Z∗q .
• s ∈ Z∗q the master Key of PKG.
• P0 = sP the public Key of PKG.
Figure 9: Encryption and decryption in IBE-2
• P P = (G1 , GT , q, P, P0 , e, H, h).
• P S = (s).
Initialization:
3.1
IBE-2 advantages
Compared to a PKI, IBE-2 offers the following:
• This key management is certificate-less, thus
there no need to check any certificate before encryption operation and the famous LDAP server
is no more required.
• A simplified management of the “CRL”, because
any revoked key can be recalculated algorithmically.
• IBE-2 brings more security because the security
is spread over two authorities instead of one and
because the system is more dynamical.
• s1 ∈ Z∗q the secret Key of the user.
• Q1 = s1 P the public key of the user.
Extraction:
• Q2 = H(ID, Q1 ).
• S2 = sQ2 .
Signing: Input: a message M ∈ M
• k ∈R Z∗q .
• r = e(Q2 , P0 )k .
• v = h(M, r).
• U = kS2 − vs1 Q2 .
PKG
The master Key :
The public Key :
• σ = (v, U ) ∈ (Z∗q , G1 ).
Checking: Input: σ = (v, U ) ∈ (Z∗q , G1 )
• r = e(U, P )e(Q2 , Q1 )v .
• test:
?
v = h(M, r)
?
Q2 = H(ID, Q1 )
(10)
(11)
Arbiter:
If the signer denies to be the owner of the
signature, the arbiter is involved and choose
a random α ∈ Z∗q , then he identifies the
signer by sending a demand to check if he
owns S2 via a zero knowledge proof. After proving that the user owns S2 , the arbiter sends him αP , then the signer returns
the value e(S2 , αP ) and the arbiter tests
?
e(S2 , αP ) = e(Q2 , P0 )α . If the test is satisfied, it means that PKG is the owner of
this signature because he is the only one that
could produce a fake S2 .
Figure 10: The secret Key generation
PKG
Master key
Public key
e(U, P )e(Q2 , Q1 )v
e(kS2 − vs1 Q2 , P )e(Q2 , Q1 )v
e(ksQ2 − vs1 Q2 , P )e(vQ2 , s1 P )
e(ksQ2 − vs1 Q2 , P )e(vs1 Q2 , P )
e(ksQ2 − vs1 Q2 + vs1 Q2 , P )
e(ksQ2 , P ) = e(kQ2 , sP )
e(Q2 , P0 )k
It is clear that the test (11) is satisfied for a valid signature. This test is required only to identify the user
key Q1 .
The figure 10 describes the enrollment stage that
corresponds to the Initialization. This stage
allows the user to generate his own secret Key s1 and
public Key Q1 . Then the user sends his public to PKG
that must generate the pair (S2 , Q2 ) via the algorithm
Extraction. The second key Q2 creates the link
between the user identity and the public Key Q1 .
The figures 11 and 12 describes the signature
with Alice that wants to send to Bob the message M
signed.
Hence, we have described an efficient Identity
based signature that could be an alternative to the standard one for Smart grid applications.
:
:
Bob
: [email protected]
Secret key 1
:
Public key
:
Secret key 2
:
Public key 2
:
Proof.
To test (10), it is enough to show that r = e(Q2 , P0 )k :
r =
=
=
=
=
=
=
PKG
La clé maitre :
La clé publique :
Bob
: [email protected]
Secret Key 1 :
Public Key 1
:
Secret Key 2 :
Public Key 2
:
Alice
The message :
.
Figure 11: The signature stage
PKG
Master key
Public key
Bob
: [email protected]
Secret key 1
:
Public key
:
Secret key 2
:
Public key 2
:
:
:
Alice
The message :
.
Figure 12: The checking stage
5
Hierarchical IBE
For huge Smart grids with ten millions of users, we
cannot imagine that one server PKG will succeed to
satisfy the demand, then it is mandatory to consider
a hierarchical organization to these Smart grids. It
could be organized in function of regions where consumers are located and also according to the type of
consumer (factories, home, building, etc). Thus a nice
key management should be hierarchical and attributebased. Fortunately, it is well known that IBE can be
extended in HIBE with several PKGs that deliver keys
hierarchically (see [13]). Hence, each authority has to
generate keys to PKGs directly under its responsibility
(leafs).
Encryption:
• Input: The message M ∈ {0, 1}n .
• Output: The cryptogram C ∈ Gt1 ×
{0, 1}n .
• r ∈R Z∗q .
Root PKG
• g = e(Q0 , P1 ).
• C = (rP0 , rP2 , ..., rPt , M
PKG 1
...
PKG 2
PKG k
L
H(g r )).
Decryption:
• Input:
The cryptogram C
=
(U0 , U2 , ..., Ut , V ) ∈ Gt1 × {0, 1}n .
Groupe of
users 1
Groupe of
users 2
...
• Output: M ∈ {0, 1}n .
L
0 ,St )
• M =V
H( Qt e(U
).
e(Q
,U )
Groupe of
users k’
i=2
i−1
i
Figure 13: HIBE architecture
5.1
Proof.
It is enough to prove that:
have:
Key distribution in HIBE [13]:
e(U0 ,St )
i=2 e(Qi−1 ,Ui )
Qt
Initialization: (Done by Root PKG0 )
=
• Choose: P0 ∈ G1 a public generator.
• Choose: s0 ∈
Z∗q
=
Qt
e(U0 ,St )
e(Qi−1 ,Ui )
= g r . We
i=2
P
e(rP0 , ti=1 si−1 Pi )
Qt
Qti=2 e(si−1 P0 ,rPi )
e(rP0 ,si−1 Pi )
Qi=1
t
i=2 e(rP0 ,si−1 Pi )
= e(rP0 , s0 P1 )
= e(s0 P0 , P1 )r
= e(Q0 , P1 )r
= gr
the master Key.
• Calculate : Q0 = s0 P0 the public Key.
• A pairing: e : G1 × G1 → GT .
• Two hash functions:
– H1 : {0, 1}∗ → G1
– H2 : GT → {0, 1}∗
• Output:
P P0
(G1 , G2 , e, P0 , Q0 , H1 , H2 ), SP0
(s0 ).
Remark 3.
1. Obviously the HIBE scheme is an extension of the
Boneh & Franklin scheme.
=
=
Initialization: (Done by PKGt at the
floor t)
• Compute Pt = H1 (id1 , id2 , . . . , idt )
with idi for 1 ≤ i < t the identity of
the i-th PKG father of PKGt .
• Choose st ∈ Z∗q the master key of the
sub tree for which the root is PKGt .
P
• St = St−1 + st−1 Pt = ti=1 si−1 Pi
provided by the PKG father of the floor
t − 1.
• Qi = si P0 for 1 ≤ i ≤ t − 1 computed
by the PKGs fathers above.
2. This scheme is compliant with IBE-2 and only
one KPA is required to protect all user keys.
The figure 14 describes the encryption and decryption stages between Alice and Bob. Alice first
determines the address of Bod in the tree and compute
her public key PB , then she encrypts her message by
using the public keys Pi of the previous PKGs of Bob.
Bob decrypts the message with the public key Qi of
its previous PKGs and his secret key SB generated by
his PKG father.
6
Conclusion
In this paper, we have presented a certificate-less key
management system which is more scalable and more
[7]
Alice
Message :
[8]
Bob
[9]
Encryption:
[10]
[11]
Decryption:
[12]
Figure 14: Encryption and decryption in HIBE
efficient than a PKI. This scheme is working for asymmetric encryption and signature which is important for
Smart grid business. This scheme is compliant with
hierarchical IBE and gives the advantage to address
access control in smart grids. Obviously, this techniques allows less storage than for PKI.
Acknowledgements: The work of L. Basta, G.
Landais And C. Tavernier was partially supported by
SCISSOR ICT project no. 644425, funded by the European Commissions Information & communication
technology H2020 Framework Program.
References:
[1] http://en.wikipedia.org/wiki/
Stuxnet.
[2] http://www.hitachi.com/
environment/showcase/solution/
energy/smartgrid.html.
[3] Introduction to NISTIR 7628 Guidelines for
Smart Grid Cyber Security, Nist Cyber Security
Working Group. September 2010.
[4] http://en.wikipedia.org/wiki/
Information_security.
[5] http://en.wikipedia.org/wiki/
Public_key_infrastructure
[6] Adi Shamir, Identity-Based Cryptosystems and
Signature Schemes. Advances in Cryptology:
[13]
Proceedings of CRYPTO 84, Lecture Notes in
Computer Science, 7:47-53, 1984
Dan Boneh, Matthew K. Franklin, IdentityBased Encryption from the Weil Pairing Advances in Cryptology - Proceedings of CRYPTO
2001
http://en.wikipedia.org/wiki/
ID-based_encryption
Priti V. Jasud, Manish D. Katkar, S. D. Kamble. Authentication Mechanism for Smart Grid
Network. International Journal of Soft Computing and Engineering (IJSCE) ISSN: 2231-2307,
Volume-4, Issue-1, March 2014,
Dan Boneh, Matthew Franklin, Identity-Based
Encryption from the Weil Pairing, 2001.
Byoungcheon Lee, Colin Boyd, Ed Dawson,
Kwangjo Kim, Jeongmo Yang, Seungjae Yoo,
Secure Key Issuing in ID-based Cryptography,
2004.
Jingwei Liu, Rong Sun, Weidong Kou, Xinmei Wang, Efficient ID-based Signature Without
Trusted PKG, 2007.
C.Gentry, A. Silverberg, Hierarchical ID-Based
Cryptography, 2002.