International Journal of Research and Reviews in Information Security and Privacy (IJRRISP) Vol. 1, No. 2, June 2011 ISSN: 2046-5718 Copyright © Science Academy Publisher, United Kingdom www.sciacademypublisher.com Science Academy Publisher

A Configurable and Efficient Key-Management scheme for SCADA Communication Networks

Zia Saquib1, Ravi Batra1, Om Pal1, Ashwin Nevangune1, Dhiren Patel2, and M. Rajarajan3

1 Centre for Development of Advanced Computing, Mumbai, India
2 National Institute of Technology Surat, India
3 City University London, UK

Email: {saquib, ravibatra, ompal, ashwin}@cdacmumbai.in, [email protected], [email protected]

Abstract – Key management in SCADA (Supervisory Control And Data Acquisition) networks is a major challenge today. Due to resource constraints and latency requirements in such networks, it is infeasible to use traditional key management schemes such as RSA based PKC (Public key cryptography). In this paper, we propose a key management scheme, making use of Id-NIKDS (Id-based Non Interactive Key Distribution System) along with Polynomial based Pair-wise Key Establishment in a manner that the resulting scheme is efficient and highly secure for large SCADA networks. The level of security provided is configurable and can vary from resilience against compromise of a few nodes to 100 % resilient against node compromise attacks. The protocol achieves energy efficiency by minimizing the number of communications for key establishment, also provides flexibility for dynamic cluster formation after deployment, easy key updates, node addition and revocation. The scheme has been formulated considering the fact that the remote terminal units & nodes are low range devices and most frequently communicate with only the nearby nodes so as to achieve admissible latencies. Small clusters may be formed in such networks, each responsible for collectively providing sensed data and controlling actuators in respective regions. We also present the analysis of the proposed scheme and show in what ways the proposed scheme is advantageous over the existing schemes.

Keywords – Key management, Key distribution, Communication security, Id-based encryption, Polynomial based key distribution, WSN

1. Introduction

SCADA communication networks are one of the most important technologies of the 21st century. Currently, SCADA networks are used in industrial applications such as power distribution automation, factory automation and process automation. Other applications include water and waste water management, scientific exploration, monitoring of nuclear power plants etc. Most researchers and technology analysts believe that, in the near future, micro sensors and actuators will be used everywhere: in our homes, factories, bodies, animals, cars or rivers. As the usage of these networks continues to increase, so will the need to integrate them with traditional networks, and in turn the security threats to these networks will increase greatly in number as well as severity. In such a scenario, it becomes essential to look for security solutions which provide a very high level of security and are easy for the user to manage. Along with these properties, the solution should be efficient in terms of resource consumption (power, computation and memory), so that it is feasible to use with these resource-constrained devices.

A large number of applications require computing devices to form clusters which collectively perform a certain task, such as monitoring a subpart of a region, performing calculations collectively, verifying the accuracy of readings among themselves, aggregating the results and forwarding the final result to the required destination. Several cluster-based communication protocols (e.g., [1]) have been proposed for ad hoc networks in general and sensor networks in particular, for various reasons including scalability and efficiency. We make use of this property to propose a scheme which is perfectly suited for SCADA systems.

The rest of this paper is organized as follows: Section 2 discusses related work and background. Section 3 discusses authenticated ID based non-interactive key distribution in sensor networks, while Section 4 discusses polynomial based key pre-distribution for sensor networks. Section 5 discusses the SCADA network architecture. The detailed proposed scheme is introduced in Section 6, with additional features in Section 7. In Sections 8 and 9, the security proof and analysis of the proposed protocol are discussed, with conclusions in Section 10 and references at the end.


2. Related work

A cryptographic key management and Key Establishment approach for SCADA (SKE) was proposed by Sandia National Laboratories [2] in 2002, which divides the communication into two categories: the first is 'controller to subordinate (C-S) communication' and the second is 'subordinate to subordinate (S-S) communication'. The C-S is a master-slave kind of communication and is ideal for the symmetric key technique. The S-S is a peer-to-peer communication and it can use the asymmetric key approach. Information Security Institute, Queensland University of Technology, Australia [3] also proposed a Key Management Architecture for SCADA systems (SKMA). In this scheme a new entity, the 'Key Distribution Center (KDC)', was introduced, which maintains long term keys for every node. In 2002, Mingyan Li [4] proposed a key management approach with multicast and broadcast facility. This approach specifies the shared keys to be stored in the database of the MTU ($2n-1$ keys) and the RTU ($1+\log_2 n$ keys), and these keys are used at run time, where 'n' is the number of RTUs. However, this approach provides multicasting in a limited manner.

Quite a few symmetric key and public key schemes have been proposed that solve the problem of key management to a certain extent. The symmetric key schemes like [5], [6] require predistribution of a certain number of symmetric keys on each node before deployment. They suffer from drawbacks such as: a small number of compromised nodes may affect a large fraction of pairwise keys, and the network size is strictly limited by the probability that two sensors share a pairwise key and the number of neighbor nodes that a sensor can communicate with. Liu et al [7] extended the idea of polynomial based pairwise key sharing proposed by Blundo et al [8] to a pool of polynomials. They also used the idea of grid based predistribution of polynomial shares, which ensures that any two nodes are able to establish a pairwise key for secure communication. This scheme gives better performance in terms of the number of non-compromised links affected due to compromised nodes. But their scheme does not completely solve the problem, as there is no surety of direct links, and lack of knowledge of the network topology may lead to heavy communication overheads for pairwise key establishment. Also, a number of uncompromised links are affected due to compromised nodes.

On the other hand, the public key schemes (RSA, Diffie Hellman etc.) do not suffer from such problems. No uncompromised node is affected due to any compromised nodes in the network. But traditional public key schemes are too resource intensive and consume a considerable amount of bandwidth and computation time. The studies specifically targeted to PKC have tried either to apply conventional algorithms (e.g. RSA) to nodes or to employ more efficient techniques (e.g. ECC), e.g. [9] [10] [11]. These works show that ECC based schemes outperform RSA based schemes and are feasible for resource constrained nodes.

The notion of Identity Based Cryptography dates back to Shamir's original work [12], but it has only become practical with the advent of PBC (Pairing Based Cryptography) [13], [14], [15], [16]. Doyle et al [15] gave the idea of ID-Based Non Interactive Key Distribution System (ID-NIKDS). Liu et al [17] demonstrated how to use ID-NIKDS on sensor networks and gave implementation results using the TinyPBC library. The computation time and energy required by ECC and PBC based methods still exceed the time and energy requirements of symmetric key schemes, which makes it difficult to use these schemes in scenarios where nodes have to frequently communicate with several different nodes in the cluster one after the other.

3. Authenticated Identity-Based Non-Interactive Key Distribution in Sensor Networks

Liu et al [16] demonstrated how to use ID-NIKDS on sensor networks and gave implementation results using the TinyPBC library. In this section we briefly review ID-NIKDS. The main idea is that known information that uniquely identifies users (e.g. IP or email address) can be used to derive public keys. As a result, keys are self-authenticated and additional means of public key authentication, e.g. certificates, are thus unnecessary. Bilinear pairing is the underlying mathematical formulation that makes ID-NIKDS possible.

3.1. Bilinear Pairings: Definition

Let $n$ be a positive integer. Let $G$ be an additively-written group of order $n$ with identity $O$, and let $G_T$ be a multiplicatively-written group of order $n$ with identity 1. A bilinear pairing is a computable, non-degenerate function

• The most important property of pairings in cryptographic constructions is the bilinearity, namely:

• We have

([ ]

[ ] )

(

(

[ ] ) ) 

([ ]

)

3.2. Applying ID based non interactive Key Distribution Scheme in sensor networks

In ID-NIKDS each node $x$ is preloaded with the following information: (i) the node's ID $id_x$, (ii) the node's private key $S_x$. (iii) Each node is also equipped with the function that takes any ID (e.g. $id_y$) as input and outputs the public key corresponding to that ID (e.g. $P_y$).

Suppose two nodes A and B that know each other's IDs wish to decide on a secret key. Node A feeds its private key $S_A$ and B's public key $P_B$ into the bilinear pairing function to get the value $e(S_A, P_B)$. Similarly node B feeds its private key $S_B$ and A's public key $P_A$ into the bilinear pairing function to get the value $e(S_B, P_A)$. The property of bilinear pairing ensures that:


$$k_{A,B} = e(S_A, P_B) = e(S_B, P_A)$$

So by using ID-NIKDS, any two nodes are able to derive pairwise keys without interacting with each other. Fig. 1 shows the process.

Figure 1. Id-based Non-Interactive key distribution system (diagram labels: Alex, Bob; Bob's identity, Alex's pvt key, pairing function, encryption key Ek(A,B), ENCRYPT; Alex's identity, Bob's pvt key, pairing function, decryption key Ek(A,B), DECRYPT; cipher text; msg, seq, #; verify # and seq, if ok, then process)

4. Polynomial-Based Key Predistribution for Sensor Networks

In this section, we briefly review the polynomial-based key predistribution protocol in [7,8]. The protocol in [8] was developed for group key predistribution. In [7] the authors used the special case of [8] in the context of wireless sensor networks and also proposed a grid based polynomial share predistribution scheme. We are also using the polynomial based pairwise key establishment [7] as a subpart of our scheme.

Following are the steps that are followed in polynomial based key distribution, which ensures that any two nodes can derive a pairwise key securely, without any communication. The (key) setup server randomly generates a bivariate t-degree polynomial:

$$f(x,y) = \sum_{i,j=0}^{t} a_{ij}\, x^i y^j \qquad (1)$$

over a finite field $F_q$, where $q$ is a prime number that is large enough to accommodate a cryptographic key, such that it has the property $f(x,y) = f(y,x)$. It is assumed that each sensor has a unique ID. For each sensor $i$, the setup server computes a polynomial share of $f(x,y)$, that is, $f(i,y)$. The polynomial share will be a polynomial expression in one variable. For any two sensor nodes $i$ and $j$, node $i$ can compute the common key $f(i,j)$ by evaluating $f(i,y)$ at point $j$, and node $j$ can compute the same key $f(j,i) = f(i,j)$ by evaluating $f(j,y)$ at point $i$. The security proof in [8] ensures that this scheme is unconditionally secure and t-collusion resistant. That is, a coalition of no more than t compromised sensor nodes knows nothing about the pairwise key between any two non-compromised nodes. There is no communication overhead during the pairwise key establishment process.

5. SCADA Network Architecture

The architecture of the SCADA network is given in Figure 2. Following are the assumptions about the network which is the target of our proposed scheme:
• The network consists of a number of clusters, each having several sensor nodes / remote telemetry units (RTU) as its members.
• Each cluster has a cluster head or Gateway node represented by $G_i$, where $i$ denotes the cluster index.
• We allow these clusters to be formed dynamically after deployment of the nodes. Prior to deployment, the CA (Controlling Authority) doesn't know anything about the network topology.
• Each cluster is responsible for monitoring and control of a specific area, and each node may have to frequently communicate with any node in the cluster for verifying, processing and forwarding the sensed and control data.
• The gateways aggregate the data for the entire cluster and forward it to the CA. The communication between the different clusters is generally done through the gateways.

5.1. Conventions and notations
• A node in the network is represented by $N_i$, where $i$ is the identity of the node and is a member of a finite field of integers $Z_p$, where $p$ is a large prime.
• A cluster head is represented by $G_i$, where $i$ is the identity of the cluster head.
• A cluster whose cluster head is $G_i$ is represented by $C_i$.
• When a node with identity $j$ belongs to the cluster $C_i$, we represent it as $N_{i,j}$.
• $eK(A,B)$ represents the bilinear pairing based elliptic curve key between nodes A and B as in Id-NIKDS.
• $pK(A,B)$ represents the polynomial shares based pairwise key between nodes A and B.
• $p_i(j,y)$ represents the polynomial share of the polynomial $p_i$ generated for the node whose id is $j$.
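The polynomial share scheme reviewed in Section 4, together with the collusion threshold that the analysis in Section 8.1.1 relies on, as an added example (not code from the paper). The field size `Q`, the node ids and all function names are assumptions made for the illustration.

```python
import secrets

Q = 2**127 - 1  # assumed field size for this example (a Mersenne prime)


def gen_symmetric_poly(t, q=Q):
    """Setup server: random coefficients with a[i][j] == a[j][i], so f(x,y) = f(y,x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = secrets.randbelow(q)
    return a


def share(a, node_id, q=Q):
    """Share f(node_id, y) as coefficients b[j] = sum_i a[i][j] * node_id^i mod q."""
    t = len(a) - 1
    b = []
    for j in range(t + 1):
        acc = 0
        for i in reversed(range(t + 1)):  # Horner's rule in x
            acc = (acc * node_id + a[i][j]) % q
        b.append(acc)
    return b


def pairwise_key(my_share, peer_id, q=Q):
    """Evaluate the node's own share at the peer's id: t field multiplications."""
    acc = 0
    for c in reversed(my_share):  # Horner's rule in y
        acc = (acc * peer_id + c) % q
    return acc


def interpolate_share(known, target_id, q=Q):
    """Lagrange-interpolate, coefficient by coefficient, the share of target_id
    from the shares in `known` ({node_id: share}). Each coefficient b_j(x) has
    degree t in x, so the result is correct only when len(known) >= t + 1."""
    ids = list(known)
    out = []
    for j in range(len(known[ids[0]])):
        acc = 0
        for k in ids:
            num, den = 1, 1
            for m in ids:
                if m != k:
                    num = num * (target_id - m) % q
                    den = den * (k - m) % q
            acc = (acc + known[k][j] * num * pow(den, -1, q)) % q
        out.append(acc)
    return out


def demo(t=3):
    """One cluster with constructed node ids; returns the three facts of interest."""
    f = gen_symmetric_poly(t)
    cluster = [11, 12, 13, 14, 15, 16]  # constructed ids, not from the paper
    shares = {i: share(f, i) for i in cluster}
    victim = 16
    t_colluders = {i: shares[i] for i in cluster[:t]}
    t1_colluders = {i: shares[i] for i in cluster[:t + 1]}
    return {
        # f(11,12) == f(12,11): both ends derive the key with no message exchange
        "keys_agree": pairwise_key(shares[11], 12) == pairwise_key(shares[12], 11),
        # t captured shares do not determine the victim's share
        "t_colluders_recover": interpolate_share(t_colluders, victim) == shares[victim],
        # t + 1 captured shares determine every share of this polynomial
        "t_plus_1_colluders_recover":
            interpolate_share(t1_colluders, victim) == shares[victim],
    }


if __name__ == "__main__":
    print(demo())
```

Failing to interpolate from t shares only illustrates the threshold; the unconditional security claim itself rests on the proof in [8].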

6. Proposed Scheme

6.1. Pre-installation phase

Each node goes through a pre-installation phase before deployment. In the pre-installation phase, each node is loaded with:
• A private key as generated by the controlling authority (CA). This key corresponds to the private key generated by ECC based Id-NIKDS (section III).
• The identity of the node, which would be used for addressing as well as Identity Based Encryption.
• The elliptic curve parameters, required to perform computations on elliptic curves.

After this, the CA generates a pool P of random bivariate polynomials of degree t as in the polynomial share based scheme (section IV). No polynomial shares are loaded on any node in the pre-installation phase.

6.2. Post-installation phase

Once the nodes are deployed in the area to be monitored, a clustering algorithm is run and cluster heads are selected in each cluster. Any secure communications required during clustering can be provided by pairwise keys derived using ID-NIKDS.

6.2.1. Establishing keys for secure communication within clusters (intra-cluster communication)

• The cluster head ($G_i$) of cluster $C_i$ makes a list $L_i$ of nodes belonging to the cluster $C_i$, generates a pairwise elliptic-curve key $eK(G_i, CA)$ using its pre-installed private key and the id of the CA, and sends the list $L_i$ along with a sequence number (for freshness) and a hash of the message (for integrity) to the CA, encrypting it with $eK(G_i, CA)$.
$G_i \to CA : \{L_i, seq, \#msg\}_{eK(G_i, CA)}$
• Upon receiving the message, the CA will also derive the same pairing based elliptic-curve key $eK(G_i, CA)$ using its private key and the identity of the cluster head from which it receives the message. Hence only the CA will be able to decrypt the message. After getting the list $L_i$, the CA randomly selects a bivariate t-degree polynomial $p_i$ from the pool P and associates this polynomial with the cluster $C_i$ whose request is being serviced.
• Now the CA calculates the polynomial shares $p_i(j,y)$ of each of the nodes $N_{i,j}$ belonging to the cluster $C_i$ (including $G_i$) using the respective node ids (as in section IV) and unicasts them to the respective nodes, encrypting with the bilinear pairing based elliptic curve key $eK(CA, N_{i,j})$.
$CA \to N_{i,j} : \{p_i(j,y), seq, \#msg\}_{eK(CA, N_{i,j})}$
• Each node then sends the acknowledgement message to the cluster head, encrypting it with the polynomial based key $pK(N_{i,j}, G_i)$.
$N_{i,j} \to G_i : \{ack, seq, \#msg\}_{pK(N_{i,j}, G_i)}$
• $G_i$ will then forward the acknowledgements of the entire cluster in a single aggregated message to the CA, encrypting it with $pK(G_i, CA)$.
$G_i \to CA : \{ack_{C_i}, seq, \#msg\}_{pK(G_i, CA)}$
• So each node in the cluster has received its polynomial share. Now each pair of nodes $\{N_{i,j}, N_{i,k}\}$ in the cluster $C_i$ can communicate securely by establishing a pairwise key $pK(N_{i,j}, N_{i,k})$ using the polynomial shares and the node ids.
$N_{i,j} \to N_{i,k} : \{msg, seq, \#msg\}_{pK(N_{i,j}, N_{i,k})}$

Now data and computation can be easily shared among members of clusters, which can securely and efficiently communicate with each other using polynomial shares. The same procedure is followed for each cluster in the network. The CA associates a different polynomial $P_i$ with each different cluster $C_i$. The sequence of message exchanges for setting up intra cluster communication is shown in Figure 3.

6.2.2. Establishing keys for secure communication among clusters (inter-cluster communication)

In case any two clusters wish to communicate with each other, it will be through the cluster heads.
• The CA randomly chooses a polynomial ($P_G$) from the pool P, calculates and unicasts the polynomial share of this polynomial to the head of each cluster, encrypting the message with the bilinear pairing based elliptic curve pairwise key $eK(CA, G_i)$.
$CA \to G_i : \{P_G(i,y), seq, \#msg\}_{eK(CA, G_i)}$
• $G_i$ will send the acknowledgement upon receiving the share.
$G_i \to CA : \{ack, seq, \#msg\}_{eK(G_i, CA)}$
• Now any two cluster heads $\{G_i, G_j\}$, including the CA, can establish a pairwise polynomial share based key $pK(G_i, G_j)$ and communicate securely and efficiently with each other.
$G_i \to G_j : \{msg, seq, \#msg\}_{pK(G_i, G_j)}$

In this way the cluster heads form a super cluster to communicate securely with each other using their polynomial shares (of a common polynomial) and respective identities. Bilinear pairing is used to dynamically initialize the network. After this it needs to be used only rarely, in situations such as a secure key update or where a node is not reachable via the common polynomial's share (i.e. not present in the same cluster).

Figure 2. Cluster based Network architecture

Figure 3. Sequence of message exchanges for bootstrapping intra cluster communication (participants: Ni,j, Ni,k, Gi, CA; diagram labels, in order):
{Li, seq, #} ek(Gi,CA)
{pi(i,y), seq, #} ek(CA,Gi)
Derive key, decrypt, calculate polynomial shares
{pi(k,y), seq, #} ek(CA,Ni,k)
{pi(j,y), seq, #} ek(CA,Ni,j)
{ack, seq, #} pk(Ni,j, Gi)
{ack, seq, #} pk(Ni,k, Gi)
{ackCi, seq, #} ek(Gi,CA)
{msg, seq, #} pk(Ni,j, Ni,k)

Figure 4. Sequence of message exchanges for bootstrapping inter cluster communication (participants: Gj, Gi, CA; diagram labels, in order):
{PG(i,y), seq, #} ek(CA,Gi)
{PG(j,y), seq, #} ek(CA,Gj)
{ack, seq, #} ek(Gj,CA)
{ack, seq, #} ek(Gi,CA)
{msg, seq, #} Pk(Gj,Gk)

The sequence of message exchanges for setting up inter cluster communication is shown in Figure 4.

7. Additional Features

Apart from pairwise secure communication in the existing network, a key management scheme for SCADA should provide the flexibility to add new nodes, to remove or revoke keys from compromised nodes, to update keys and to allow for group communication. The proposed scheme easily achieves these features because of the inherent flexibility it provides. In this section, we give a brief overview of such features.

7.1. Node addition

We present a few simple steps to show how a new node can be dynamically added to the network along with the bootstrapping of the security keys.
• When a new node is to be added to the network, it goes through the pre-installation phase and receives the pre-installation information (as in section VI-A). After this the node is deployed in the target area.
• The new node ($N_j$) broadcasts its identity along with the request to join a cluster.
$N_j \to All : \{\text{id of node } N_j, req\}$
• The cluster head $G_i$ of the region where the node belongs forwards the request to the CA, telling it the cluster number and node identity.
$G_i \to CA : \{id_{N_j}, seq, \#msg\}_{pK(G_i, CA)}$
• The CA then calculates the polynomial share of the node from the polynomial ($P_i$) belonging to that cluster and sends it to the node, encrypting it with the elliptic curve key for the node.
$CA \to N_j : \{p_i(j,y), \text{cluster id } i, seq, \#msg\}_{eK(CA, N_j)}$

The node $N_{i,j}$ can now communicate with any member $N_{i,k}$ of the cluster securely and efficiently using the polynomial share received from the CA.

7.2. Key revocation

The information possessed by any node is only its elliptic curve private key and polynomial share. No information about any other link is possessed by any node. The only step to be taken is to invalidate the ID of the node that has to be removed from the network, so that no pairwise keys (polynomial or elliptic curve based) can be derived from that identity. For this purpose a database of the nodes whose keys have been revoked can be maintained in the different clusters and at the CA.

7.3. Secure Key updation

In the proposed scheme, the polynomial based keys are completely bootstrapped dynamically using the elliptic curve keys. So the change of polynomials belonging to any cluster or the entire network will be done in the same way as in the bootstrapping of the network. Polynomial share based keys can be used for updating the elliptic curve keys using the following steps.
• The CA shares a polynomial with all the cluster heads and all the nodes in the network. So the CA will send the updated elliptic curve ID based private keys ($S_{N_{i,j}}$) to all the nodes using the polynomial based pairwise keys.
$CA \to G_i : \{S_{N_{i,j}}, seq, \#msg\}_{pK(CA, N_{i,j})}$

8. Analysis

8.1. Security

8.1.1. Node compromise attack

First we analyze the security of the scheme with respect to node compromise. It has been proved in [8] that the polynomial share based key establishment is completely secure as long as the number of compromised nodes is less than or equal to t. In the proposed scheme, if the value of t is chosen such that the size of the cluster is equal to t, then each node in the cluster has to be compromised so as to determine the complete polynomial and compromise the entire cluster. This is possible in the proposed scheme because the polynomial shares are distributed dynamically after the cluster formation, and hence the cluster size is known while assigning a polynomial to the cluster. Different clusters use different polynomials, so no link between the nodes of an uncompromised cluster is affected. This means that to break the entire network, an adversary has to compromise each and every node. In this way the proposed scheme can provide 100% collusion resistance. Hence the proposed scheme can achieve a higher level of security than the polynomial share predistribution based schemes [7]. However, when the cluster sizes are very large, or in applications where computational efficiency is more important than the level of security, it may suffice to set t to a value less than the actual cluster size. Hence the proposed scheme provides the flexibility to choose the level of security. Also, no nodes (even the cluster heads) know anything about the keys of any other node in the network, which makes the scheme highly secure.

8.1.2. Random attacks against the network

Suppose an adversary randomly picks nodes to compromise so as to compromise the network. In this case we derive an equation which gives the number of nodes a random attacker has to compromise to gain access to a single polynomial belonging to any cluster, and hence eavesdrop on the communications of the cluster.
Suppose there are $N$ nodes in the network and the adversary, who randomly chooses the nodes to compromise, has compromised $m$ nodes. We assume that the size of each cluster is approximately equal to $k$ (so $k$ nodes have the shares of the same polynomial). The probability that exactly $d$ shares of a polynomial have been compromised is:

$$P(d) = \frac{k!}{d!\,(k-d)!} \left(\frac{m}{N}\right)^{d} \left(1 - \frac{m}{N}\right)^{k-d} \qquad (2)$$

Then the probability that the adversary is able to compromise the security of any particular cluster (by compromising t polynomial shares) will be:

$$P_c = 1 - \sum_{i=0}^{t} P(i) \qquad (3)$$

Using this equation we can find the required value of t for maintaining the desired level of security for the network.

8.2. Communication costs

The proposed scheme has been designed so as to minimize the number of communications for setting up the key related information, as communication can be a very expensive operation for resource constrained networks. Each member node ($N_{i,j}$) receives only one encrypted message from the base station and sends only one acknowledgement to the cluster head. Only one message has to be sent per node. The cluster heads send two messages to the base station. So compared to schemes like [7], communication costs for setting up the keys are very low, and even the cluster heads do not know anything about the keys of the member nodes.

8.3. Computation costs

We give a comparison of the computation costs of polynomial share based pairwise key establishment and ECC based ID-NIKDS so as to find the approximate range of values of t (the degree of the polynomial) for which the polynomial share based method is more efficient than ECC based NIKDS. To derive the polynomial share based pairwise key, a node $i$ needs to evaluate a t-degree polynomial $f(i,y)$ at point $j$. The evaluation of the polynomial requires t field multiplications and t field additions over a finite field $F_q$. To provide security equivalent to 80-bit AES, $q$ should be approximately equal to $2^{80}$. We only consider the number of multiplications, as multiplication is a much more expensive operation than field addition.

To derive a pairwise key, ID-NIKDS requires computing the pairing function using Miller's Algorithm [18], which repeatedly performs double and add ECC operations plus some other field operations in a loop which runs $\log_2 n$ times, where $n$ is the prime order of the base point of the elliptic curve sub-group. Each iteration of the loop requires one point doubling, a possible point addition if the current bit of the binary expansion of $n$ is 1, and a few more field multiplication and addition operations. [19] [16] [20] provide estimates of the field operations required for each step of Miller's algorithm. Assuming the number of field multiplications in a single iteration to be a modest 5 multiplications over $F_p$ (the actual number of multiplications is a lot more than this [19] [16] [20]), we perform further calculations. To provide x bit AES equivalent security, the prime field member should be 2x bits long. So to provide 80 bit security the prime field should be 160 bits long ($F_{p160}$). Hence the number of iterations in Miller's loop will be 160. So a minimum of (160*5) = 800 field multiplications will be needed over 160-bit field values. Using the Karatsuba-Ofman method [21], multiplication of 2n-bit numbers is $2^{\log_2 3}$ times as costly as the multiplication of n-bit numbers. So 800 field multiplications over $F_{p160}$ = 800 * $2^{\log_2 3}$ = 2400 multiplications over $F_{p80}$. Therefore the evaluation of the polynomial is more efficient than the pairing computation as long as the value of t is less than 2400, which is a large value for a single cluster. For example, in a cluster of any size which is kept secure till less than 50 nodes are compromised, the polynomial evaluation is at least 32 times more efficient than the pairing evaluation.

8.4. Memory foot print

The proposed scheme requires storage of one polynomial share of degree t on each cluster member, and the storage of the elliptic curve parameters and a private key corresponding to the id based elliptic curve cryptosystem. The cluster heads need to store two polynomial shares along with the elliptic curve parameters and the elliptic curve based private key. Storage of 1 polynomial share requires $(t+1)\log_2 q$ bits of storage (where $q$ is the size of the field). (A standard value of $q$ for an algorithm like RC5 is $2^{80}$.)
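Equations (2) and (3) of Section 8.1.2 turned into a sizing helper, as an added example (not code from the paper): it finds the smallest polynomial degree t that keeps the cluster compromise probability under a target and reports the per-node costs stated in Sections 8.3 and 8.4. The function names and the sample network figures are assumptions; exact rational arithmetic is used so that the result is not affected by rounding.

```python
from fractions import Fraction
from math import comb


def p_shares(d, k, m, N):
    """Eq. (2): probability that exactly d of the k shares of one cluster
    polynomial are among the m nodes captured out of N."""
    r = Fraction(m, N)
    return comb(k, d) * r**d * (1 - r)**(k - d)


def p_cluster_compromised(t, k, m, N):
    """Eq. (3): Pc = 1 - sum_{i=0}^{t} P(i), i.e. more than t shares captured."""
    return 1 - sum(p_shares(i, k, m, N) for i in range(min(t, k) + 1))


def min_degree(k, m, N, target):
    """Smallest t with Pc <= target. t = k always qualifies, because then
    Pc = 0: this is the '100% collusion resistance' setting of Section 8.1.1."""
    for t in range(k + 1):
        if p_cluster_compromised(t, k, m, N) <= target:
            return t
    return k


def plan(k, m, N, targets, q_bits=80):
    """For each target Pc, report t and the per-node cost it implies:
    t field multiplications per key (Section 8.3) and (t+1)*log2(q) bits
    of share storage (Section 8.4)."""
    rows = []
    for target in targets:
        t = min_degree(k, m, N, target)
        rows.append({
            "target": target,
            "t": t,
            "pc": float(p_cluster_compromised(t, k, m, N)),
            "field_mults_per_key": t,
            "share_bits": (t + 1) * q_bits,
        })
    return rows


if __name__ == "__main__":
    # Constructed scenario: 1000 nodes, clusters of 30, 50 nodes captured.
    for row in plan(k=30, m=50, N=1000, targets=[1e-3, 1e-6, 1e-9, 0]):
        print(row)
```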

9. Advantages

9.1. Comparison with schemes which use purely polynomial based key predistribution

The proposed scheme is easier to manage and more resilient than schemes using purely polynomial based key predistribution. In those schemes the polynomial shares are predistributed, but if the topology of the network is not known beforehand, the nodes sharing the same polynomials may actually be very far away from each other after the deployment. So the nodes that need to form a cluster might not have the shares of the same polynomial, and a lot of communication overhead will be required to set up the common keys between these nodes. In the proposed scheme the polynomials to be shared are not pre-installed, but are dynamically bootstrapped securely based on the network topology. In this way the polynomials can be used most efficiently and are better suited to the topology and communication needs of the network. Also, the number of nodes sharing a single polynomial can easily be kept approximately equal to t for applications where a high level of security is required.

9.2. Comparison with the schemes which use purely Elliptic Curve ID-Based Key Management

The proposed scheme uses Elliptic Curve Pairing Based Pairwise Key Establishment for bootstrapping the polynomial share based scheme and for providing the flexibility to the network nodes to communicate with and authenticate nodes outside the cluster if required. It has been shown that the elliptic curve based scheme is more expensive in terms of both time and energy consumption. So the use of the ECC pairing based scheme should be minimized as much as possible. We use the advantages of the pairing based system, such as easy key management and high connectivity and resiliency, in the proposed scheme so as to make the proposed scheme easy to manage and provide high resiliency and connectivity.

10. Conclusion

The proposed scheme provides an optimized key management scheme for the cluster based wireless sensor networks in the following ways:
• It caters to the needs of secure and efficient communication within and among clusters in which the members need to frequently exchange data and resources.
• It minimizes the number of communications for setting up the keys, which is one of the most resource consuming operations in these networks.
• It enables a flexible and dynamic network and easy key management.
• It is resilient to node compromise attacks.
• It provides a configurable level of security.

The drawback of the scheme as of now is the increased storage requirement. However, modern RTUs and nodes are equipped with enough storage capacity to handle such schemes.

11. Future work

Future work will include study of the adverse effects of cyber threats on estimation and control algorithms in power distribution SCADA.


Appendix

We offer a proof of our proposed protocol by formal methods, using BAN logic. The formal proof of the proposed protocol is given below:

a) Notations

K A  B means K is the symmetric key between A and B.

A  X means A believes X.

A  X means A controls X.

#X means fresh X.

{X}K means X encrypted with K.

A  X means A receives X.

A ~ X means A said X.

b) Goal

Cluster head Gi wants to establish polynomial share Pi(j,y) between CA and node Ni,j.

c) Proposed Protocol

CA and Gi share the long term key eK(Gi,CA).

Gi  CA : {Li, seq, #msg}eK(Gi,CA)

CA  Ni,j : {pi(j,y), seq, #msg}eK(CA,Ni,j)

Ni,j  CA : {ack, seq, #msg}pK(Ni,j,CA)

d) Idealization of protocol

Gi  CA : {seq}eK(Gi,CA)

pi(j,y) CA  Ni,j : {CA    Ni,j, seq}eK(CA,Ni,j)

pi(j,y) Ni,j  CA : {CA    Ni,j, seq}eK(Ni,j,CA)

e) Assumptions

Ni,j  # seq   (A0)

Gi  # seq   (A1)

eK(Gi,CA) CA  CA    Gi   (A2)

eK(CA,Ni,j) Ni,j  CA    Ni,j   (A3)

eK(CA,Ni,j) CA  CA    Ni,j   (A4)

pi(j,y) Ni,j  CA  CA    Ni,j   (A5)

pi(j,y) Ni,j  CA # CA    Ni,j   (A6)

pi(j,y) CA # CA    Ni,j   (A7)

f) Soundness of idealized message a:

Gi  # seq : holds by A1   (R1)

g) CA's beliefs after a:

CA  {seq}eK(Gi,CA)   (R2)

CA  Gi ~ (seq) by (R2) and (A2)   (R3)

CA # (seq) by (A1) and (R3)   (R4)

h) Ni,j's beliefs after message b

pi(j,y) Ni,j  {CA    Ni,j, seq}eK(CA,Ni,j)   (R5)

pi(j,y) Ni,j  CA ~ (CA    Ni,j, seq) by (A3) and (R5)   (R6)

pi(j,y) Ni,j  # (CA    Ni,j, seq) by (R6) and (A0) and freshness implicit rule.   (R7)

i) CA's beliefs after message c

pi(j,y) CA  {CA    , seq}eK(Ni,j,CA)   (R8)

pi(j,y) CA  Ni,j ~ (CA    , seq) by (R8) and (A4)   (R9)

pi(j,y) CA #{CA    Ni,j, seq} by (R9), (A0) and freshness implicit rule.   (R10)

j) Summary of the protocol

pi(j,y) CA CA    Ni,j

pi(j,y) CA  Ni,j  CA    Ni,j

k) Ni,j's guarantees

pi(j,y) Ni,j  CA    Ni,j

pi(j,y) Ni,j  CA  CA    Ni,j

l) Result

Protocol is ok
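The two things the BAN derivation relies on for message b of the appendix (the share is sealed under the key the CA shares with the node, and seq is fresh) can be exercised in code; this is an added sketch, not the paper's implementation. The modulus `P`, the degree, node ids 5 and 9, seq 7, all function names and the HMAC-SHA256 encrypt-then-MAC construction are assumptions of this example, since this section names no cipher or parameters.

```python
import hashlib, hmac, json, secrets

P = 2**61 - 1  # prime field modulus (assumed; this section gives no parameters)

def make_poly(t):
    """Symmetric bivariate polynomial p(x, y) of degree t: a[r][s] == a[s][r]."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for r in range(t + 1):
        for s in range(r, t + 1):
            a[r][s] = a[s][r] = secrets.randbelow(P)
    return a

def share(a, j):
    """Coefficients in y of the share p(j, y) that the CA sends to node j."""
    n = len(a)
    return [sum(a[r][s] * pow(j, r, P) for r in range(n)) % P for s in range(n)]

def pair_key(sh, k):
    """A node evaluates its own share at peer id k, giving p(j, k)."""
    return sum(c * pow(k, s, P) for s, c in enumerate(sh)) % P

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # HMAC-SHA256 in counter mode (stand-in cipher)
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(key, seq, body):
    """{body, seq} under a shared key: encrypt, then MAC nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps({"seq": seq, "body": body}).encode())
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def open_fresh(key, blob, last_seq):
    """Accept only if the tag verifies (origin) and seq > last_seq (freshness)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("tag mismatch")
    msg = json.loads(_xor_stream(key, nonce, ct))
    if msg["seq"] <= last_seq:
        raise ValueError("stale seq")
    return msg["seq"], msg["body"]

def run_exchange():
    a, key = make_poly(3), secrets.token_bytes(32)  # key stands for eK(CA, N_{i,5})
    blob = seal(key, 7, share(a, 5))                # message b with seq = 7
    seq, sh5 = open_fresh(key, blob, last_seq=6)
    return blob, key, seq, pair_key(sh5, 9), pair_key(share(a, 9), 5)
```

`run_exchange()` returns the sealed message, the key, the accepted seq and the pairwise key as computed by each of the two nodes; replaying the same blob once seq 7 has been recorded is rejected as stale.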

Zia Saquib received a Bachelor's degree in Electrical Engineering from Regional Engineering College, Rourkela, and an M.S. degree in Electrical (Communication) Engineering from Florida Institute of Technology, USA. He is presently Executive Director, Centre for Development of Advanced Computing, Mumbai, India, and is actively involved in research programmes such as immunity-based intrusion detection, cyber-security for critical infrastructure, level-3 fingerprint biometrics and iSCSI-based storage networking. Some of this work has culminated in transferable technology and is being deployed in projects under the National e-Governance Plan of the Government of India.

Dhiren Patel is currently a professor in the Department of Computer Engineering at NIT Surat, India. He has been a faculty member in Computer Science and Engineering for over 20 years (Visiting Professor at Indian Institute of Technology Gandhinagar and a Security Research Advisor at City University London). He has published widely in national and international workshops, conferences and journals. He has delivered more than 30 distinguished/invited talks in the area of Identity Management and Security in India and abroad. His book “Information Security: Theory and Practice” (published by Prentice Hall India) is a well-recognized textbook at undergraduate and postgraduate level. He has taught over 20 courses in Computer Science & Engineering/Electronics and supervised over 15 M.Tech/Ph.D. students. Dr. Dhiren has worked as Technology Advisor to various organizations, fostering research and development initiatives in Information Security / Web Engineering. He also serves as a core committee member of the Information Security Education and Awareness Program of the Govt. of India.

Shri Om Pal received a Bachelor's degree (B.E.) in Computer Science and Engineering from Dr. B. R. Ambedkar University, Agra (India), and an MBA in Operation Management from Indira Gandhi National Open University, Maidan Garhi, New Delhi (India), and is pursuing a PhD in the area of network security at the Indian Institute of Technology (IIT) Bombay, Mumbai (India). He joined NTPC (National Thermal Power Corporation) in 2005 as IT Resource Person. He joined C-DAC (Centre for Development of Advanced Computing) in 2006 and is presently working as Staff Scientist. His present research interests are in the area of network security. He is interested in cryptography, key management schemes, and intrusion detection and prevention systems. He has published papers in international journals and international conferences.

Ravi Batra received a Bachelor's degree in computer science from National Institute of Technology, Patna in 2009. He has been working at CDAC as a Project Engineer since 2009. His research interests are key management, cryptography and information security for constrained environments such as wireless sensor networks and SCADA systems.

Raj muth Krishna Rajarajan graduated with a B.Eng. degree in Electrical, Electronic and Information Engineering from City University London in 1994. He then stayed at City University as a research student and worked on computer modeling of compact photonic devices for optical communications. His PhD project was funded by the Overseas Research Studentship (ORS). In 1999, he took a Research Fellow position at City University and worked on an EPSRC/DERA funded project. The project involved the accurate modeling of Compact Optical Bends using the Finite Element (FE) and the Beam Propagation Methods (BPM). In August 2000, he moved to Logica as a Network and Service Management Consultant and worked on various telecommunications-related projects. In January 2002, he moved to City University as a Lecturer, where he became involved in the research at the Measurement and Instrumentation Center and teaching in the School of Engineering. Dr Rajarajan has published more than 60 Journal and Conference papers in the area of Photonic Research interest Photonic Device and System Modelling


Ashwin Nivangune graduated with a B.E. degree in Electronic Engineering and Computer Technology from the University of Mumbai in 2006. He is presently working in CDAC as a Staff Scientist (duration around 2 years 7 months). Project profile: Guard your Network (GYN), a hardware-accelerated Intrusion Detection and Prevention System (IDPS) developed on Net-FPGA with packet capturing and packet decoding functionalities implemented in hardware; Synchronous Modules in ad hoc distributed embedded real-time systems, in which we modify or design a translator for Esterel programs that enables the executable translated code to carry on a protocol with an underlying stateful run-time environment; a protocol-anomaly-based IDPS for SCADA-based networks (underway); and a real-time video compression/decompression application for e-learning (project underway).
