An Efficient Certificate Revocation Scheme for Large-Scale AMI Networks Mohamed Mahmoud∗ , Kemal Akkaya† , Khaled Rabieh∗ , Samet Tonyali† ∗ Department
of Electrical & Computer Engineering, Tennessee Tech University, Cookeville, TN 38505 USA {rabieh, mmahmoud}@tntech.edu † Department of Computer Science, Southern Illinois University, Carbondale, IL 62901 USA
[email protected]—
[email protected]
Abstract—Given the large geographic deployment and scalability of the Advanced Metering Infrastructure (AMI) networks, it is inefficient to create one large certificate revocation list (CRL) for all the networks. It is also inefficient to create a CRL for each meter having the certificates it needs because too many CRLs will be required. It is beneficial to balance the size of the CRLs and the overhead of forming and distributing them. In this paper, the certificate authority (CA) groups the AMI networks and composes one CRL for each group. We use Bloom filter to reduce the number of CRLs by increasing the groups size with acceptable overhead on the meters. However, Bloom filters suffer from false positives which is not acceptable in AMI networks because meters may miss important messages. We propose a novel scheme to identify and mitigate the false positives by making use of the fact that Bloom filters are free of false negatives. The meters should contact the gateway to resolve the false positives. We use Merkle tree to enable the gateway to provide efficient proof for certificate revocation without contacting the CA. We derive a mathematical formula to the probability of contacting the gateway as a function of the filter’s parameters. We will show that this probability can be low by properly designing the Bloom filter. In order to assess the performance and the applicability of the proposed scheme, we use ns-3 network simulator to implement the scheme in a IEEE 802.11s-based mesh AMI networks. The results demonstrate that our scheme can be used efficiently for AMI networks.
Keywords: Certificate revocation; public key cryptography; smart grid security; Public key infrastructure; AMI. I. I NTRODUCTION The Smart Grid (SG) is a revolutionary upgrade to the existing power grid. It will have complex networks of intelligent electronic devices, distributed generators, and dispersed loads that require communication networks for management and coordination. It aims to enhance the current grid’s reliability and efficiency [1]. By providing the real-time electricity price, the smart grid will enable the consumers to manage the use of electricity to balance supply and demand. The security of the SG communications is crucial for the success of this new technology [2], [3]. Attackers can exploit any security flaw to launch malicious attacks to sabotage the grid. A security breach may cause the instability of the power grid or even result in widespread blackouts. One part of the SG that is currently being implemented is the Advanced Metering Infrastructure (AMI) networks, which provide two-way communications between the smart meters (SMs) and the grid. SM can be connected via a wireless mesh network with one gateway serving as a relay between the
meters and the utility company. The AMI network is used to monitor the power demands over short periods, provide more accurate billing as well as utilize dynamic pricing to facilitate the reduction of peak demand [4]. The primary security requirements for the AMI communications are identity and message authentication, message integrity, non-repudiation, accountability, and access control. The public-key cryptography (PKC) is the most practical and common cryptosystem that can achieve these security requirements [5], [6], [7]. In PKC, two keys are issued for each SM. The public key should be widely known and the private key should be kept secret. The announcement of the public key is usually performed by using a signed document called a public key certificate that binds the certificate holder’s identity to its public key. For more information on the format of certificates, we refer to reference [8]. The entity that signs the certificate is called the certificate authority (CA). The CA supports the creation, renewal, and revocation of the public key certificates. To authenticate a message, the SM signs the message with using its private key and a digital signature algorithm. The verifier of the message’s signature first verifies the certificate, and then verifies the signature with using the signer’s public key (extracted from the certificate) and signature verification algorithm. When a certificate is issued, its lifetime is limited by an expiration date. After this date, the certificate is considered expired and will not be accepted by the meters. However, there are several causes that necessitate revoking certificates before the expiry date, such as key compromise, excluding malicious meters, etc. Certificate revocation is the act of invalidating the certificate before the expiration. Thus, verifying the expiration of a certificate is necessary but insufficient. A check is required to determine the certificate revocation status. The meters should discard the messages that are signed by revoked certificates. In this way, a malicious node can be excluded from the network by revoking its certificate. AMI networks will be implemented by multi-hop wireless mesh topology. In this topology, each meter should act as a router to relay other meters’ packets. After receiving a packet, each meter should verify the sender’s certificate to ensure that the packet is sent from a legitimate member before relaying it. Without this check, external attackers can simply flood the network with bogus packets to disable the communications.
2
There are applications that necessitate the communication of an SM with other SMs in case of collective demand response [9]. Meters may also need to exchange information to optimally decide how to reduce the load. Other applications requires plug in electric vehicles communications via SMs. Certificate Revocation List (CRL) is a widely used scheme for certificate revocation [10]. The CRL has the list of revoked certificates’ serial numbers. To verify the status of a certificate, the meter has to check whether the certificate’s serial number is in the list. When a certificate is revoked, the CA should add its serial number to the CRL and distribute it to the parties which will need it to verify the certificate holder’s signatures. However, given the large geographic deployment and scalability of the AMI networks, it is not efficient to create a CRL for each meter having the certificates it needs because too much overhead will be required to create, sign and distribute them. It is also inefficient to create a single CRL for all the AMI networks, because as time passes, the CRL size will grow significantly due to the network scalability, and thus becomes a major overhead in terms of distribution, search, and storage. In addition, the ability of a SM to send a query to the CA to verify a certificate is not possible due to communication overhead and Internet accessibility of the SMs. A good certificate revocation scheme for AMI networks should balance the size of the CRLs and the overhead of forming and distributing the CRLs. It should also take into account the limited storage and computation power of the meters, and address the scalability and the large geographic deployment of the networks and require low communication overhead. In this paper, the CA groups the AMI networks and composes a single revocation list for each group. Obviously, there is a tradeoff between the groups’ size and the number of different revocation lists that should be issued by the CA. Increasing the groups’ size decreases the number of CRLs but increases the size of the CRLs. Instead of distributing deterministic CRLs, we use Bloom filter to distribute shorter probabilistic revocation lists. This can reduce the number of the revocation lists (by increasing the groups size) with acceptable overhead on the meters. Although the Bloom filter can effectively reduce the size of the revocation list which is desirable to balance the groups’ number with the CRL size, it suffers from false positives, where there is a chance that a search may indicate a certificate is in the filter (e.g., revoked) when it actually is not. In the context of vehicular ad hoc networks (VANETs), Raya et al. [11] argue that low false positive is acceptable for most VANETs’ applications. Unlike VANETs, the communication availability is a priority in smart grid and false positives will not be acceptable. A meter may miss a command to disconnect power because of false positives. They can also cause financial losses if a meter misses power pricing information. Haas et al. [12] investigate the certificate revocation problem in the anonymous communications of VANETs where each vehicle uses several certified pseudonyms instead of a unique identity to preserve its privacy. The authors argue that a vehicle can avoid triggering a false positive by discarding any of its
own certificates that will trigger a false positive before it is ever sent. Obviously, this cannot be applied to AMI networks because each meter uses one certificate. Different from [11], [12], our paper studies using Bloom filter for AMI networks and propose a novel scheme to identify and mitigate the false positives. Our scheme makes use of the fact that Bloom filters are free of false negatives, i.e., if a search indicates a certificate is not in the list, this is certainly true. Instead of distributing only one Bloom filter vector for revoked certificates, our scheme distributes fixed-size and short vectors for both revoked and valid certificates. To verify a certificate, a SM uses an efficient hash function and checks a few bits in the vector. A certificate is valid if it is not found in the revoked certificate vector. Similarly, a certificate is revoked if it is not found in the valid certificate vector. If a certificate is found in the two vectors, this indicates that one of the filters triggered false positive. In this case, the meters should contact the gateway to return the correct answer. We use Merkle tree to enable the gateway to provide efficient proof for certificate revocation without contacting the CA. The tree is constructed by the CA and stored in the gateway. We will derive a mathematical formula to the probability of contacting the gateway as a function of the two filters’ parameters. We will show that the probability to contact the gateway to resolve the false positives can be low by properly designing the Bloom filters. In addition, if an attacker uses the certificate of a meter in a different group, the certificate’s serial number will not be found in the revoked Bloom filter vector and the meters may accept it. Therefore, the CA should include the group number in the certificates and the meters should verify the certificate’s group before verifying its revocation. The CA should ensure that the Bloom filters of a group stores all the certificates of the group. To asses the performance and the applicability of our scheme in SG AMI networks, a mathematical model and simulation results are provided. We tested the applicability in a realistic setting where the underlying communication infrastructure for the AMI network is based on IEEE 802.11sbased wireless mesh networks. Current version of 802.11s [13] standard implemented under ns-3 [14] has been used. The experiment results demonstrate that the scheme can be used efficiently in scalable SG AMI networks. To the best of our knowledge, the design of an efficient certificate revocation scheme for SG AMI networks has not been well studied yet. This is the first work that uses two Bloom filters for revoked an valid certificates and Merkle trees for certificate revocation in SG AMI networks . Our additional contribution is the design and implementation of a novel technique to enable the SMs to identify the false positives and resolve them. The remainder of the paper is organized as follows. In the next section, we discuss the network models and motivations. In section III, we present our proposed scheme. Section IV is dedicated to security analysis and performance evaluation. In Section V, we provide a summary of the related work. Finally, we conclude the paper in Section VI.
3
Fig. 1: The considered AMI communication network. II. N ETWORK M ODELS The AMI network provides two-way communication between the utility company and the consumers’ smart meters. The considered network is similar to the one used in [4]. It consists of SMs that are connected via a wireless mesh network with one gateway working as a relay between the SMs and the grid as shown in Fig. 1. The network is large and may cover a complete neighborhood. The gateway communicates with the utility company and the CA via a long distance communication (e.g., 4G, WiMax). The mesh network is created using the new IEEE 802.11s standard [13]. The gateway communicates with the SMs via multi-hop routes, probably via multi-hop routes. It can initiate communication session to any SM, and similarly, every SM can initiate communication session to the gateway. The communication between the gateway and a SM is unicast. The gateway and each SM has a unique identity, public/private key pair and certificate. All the SMs know the gateway’s identity and public key. The utility company will use the AMI networks to collect fine grained power consumption readings to perform state estimation to the power grid. The readings’ transmission rate can be less than a second for businesses premises and less than 15 minutes for residential ones [15]. The power consumption readings can also facilitate more accurate billing. The gateway sends some data to the meters, e.g., firmware updates and cryptographic and security data such as keys, renewed certificates, and revocation information. These data are sent on a regular basis when the gateway receives them from the CA. The gateway can transmit commands to the SMs, e.g., if a consumer does not pay the electricity bill, the utility can send a command to turn off the power [16]. The AMI network can be used to transmit real-time pricing information to the consumers to keep real-time balance between energy production and consumption and facilitate the reduction of peak demand. It can also guide the consumers to use less power during peak-demand period to pay less bills. Consumers can also store energy, e.g., charging electric vehicles batteries, during low-price period and inject it to the grid during highprice period to achieve financial gains. For the threat model, some attackers will attempt to manipulate the revocation information to mistakenly add a valid
Fig. 2: The Bloom filter concept. certificate or remove a revoked one. This attack can be serious in the sense that the attackers can exclude the victim meters from the network. The attackers may attempt to impersonate the gateway or the CA to transmit false revocation information. Attackers can replay valid packets or manipulate them if this can help achieve their goals. III. C ERTIFICATE R EVOCATION S CHEME The CA groups the AMI networks and prepares the revocation information for each group. The grouping scheme is out of scope of this work but a scheme like the one proposed in [?] can be used. For each group, the CA creates a Bloom filter bit vector for the valid (unrevoked) certificates and another one for the revoked certificates. It also creates Merkle trees for the revoked and valid certificates. The gateway should distribute to the SMs the two vectors and the roots of the trees, all signed by the CA. SMs use the vectors to verify a certificate status, and when a false positive is found, they contact the gateway to resolve it. The gateway can send an undeniable proof for the certificate status using the Merkle tree without contacting the CA. A. Creating/Distributing Bloom Filter Bit Vectors The essential idea of the Bloom filter is illustrated in Fig. 2. The filter is a data structure (or bit array) to store a set of elements compactly in a bit-vector B = {B1 , ..., Bm } with length of m bits [17]. It is used to check whether an element is a member of a definite set. It can reduce the overhead of distributing and searching the set. The Bloom filter has been used in computing applications and for different purposes [18], [19]. Initially, all the vector’s m bits are zeroes. Each certificate serial number SNi to be stored should be hashed with K independent hash functions, H1 (), H2 (), ..., HK (). Each hash function maps a given certificate serial number to a number in the range {0, 1, 2, .., m − 1} which represents the address of a bit location in B. The result of hashing SNi K times is a sequence of K hash values n1 , ..., nk ∈ {0, ..., m − 1}. To store an element SNi , the bits that are pointed by the addresses resulted from the K hashes should
4
Fig. 4: Merkle tree for eight revoked certificates.
Fig. 3: Verification whether SNi is a member in a bit vector. be set. The CA creates two bit vectors for each group. One vector is for the serial numbers of the revoked certificates that the meters need and the second one is for the valid certificates. The CA should refine the list of the revoked certificates by deleting the expired ones. There is no need to keep these certificates in the list because expired certificates are not accepted by the meters. It should also add new revoked certificates that was not in the last vectors. It may be difficult to modify the vectors to do this update because deleting a certificate is not straightforward. Resetting the ones resulted from a certificate cannot delete the certificate because a bit can be set by several certificates. However, creating new vectors does not require much resources because of using efficient hashing operations to compose them. To check whether a given certificate’s serial number is in the list of certificates of a Bloom filter vector, the certificate’s serial number is hashed by the K hash functions resulting in K bit locations in the vector. As illustrated in Fig. 3, the corresponding filter bits are checked: if all the bit locations are set, the certificate is in the list with high probability, otherwise it is definitely not in the list. It is possible that a certificate’s serial number is not stored in the vector but (by coincidence) the K bit locations in the vector are all set. This comes from the fact that a bit can be set to one multiple times when the hashes of different serial numbers point at the same location. This situation is called false positive and the probability that this occurs is called false-positive rate. Adding more elements to the list results in larger false positive rate. In Section III-C, we will derive a mathematical equation for the false positive rate. We will also discuss how this rate can be configured to be kept below an acceptable limit. B. Creating Merkle Hash Tree The CA uses one-way hash function H() [20] to create Merkle trees for the certificates that an AMI group needs. Fig. 4 shows a Merkle tree for eight revoked certificates with serial number {SN1 , .., SN8 }. The eight leaf nodes are the hash values of the certificates’ serial numbers, i.e., hi = H(SNi ) ∀ i = {1, ..., 8}, respectively. The internal nodes are derived
from their child nodes. For instance, the value of the node h3,4 is H(h3 |h4 ), and the value of the root node is h1,8 = H(h1,4 |h5,8 ). In order to authenticate the tree, the root node should be signed by the CA, as will be explained in Section III-C. Each leaf node has a unique path to h1,8 that is called verification path (VP). Using this path, it can be verified that a leaf node belongs to the tree. For instance, when a node asks the gateway whether the certificate SN1 is revoked, the gateway replies with the verification path of SN1 as follows VP = {SN2 , h3,4 , h5,8 }. The path length equals log2 (Nr ), where Nr is the number of revoked certificates. The number of hashing operations required to verify the path equals to the path length plus one. The SM can verify the revocation of SN1 by first computing h1 = H(SN1 ), h2 = H(SN2 ), h1,2 = H(h1 |h2 ), and h1,4 = H(h1,2 |h3,4 ). Then, it makes sure that h1,8 is similar to H(h1,4 |h5,8 ). This is an undeniable proof that the CA has revoked the certificate because the root node is signed by the CA and it is infeasible to modify the tree after it is created or fabricate the CA’s signature. Since only the efficient hashing operations are required to verify a revoked certificate, the computational overhead is low. Similarly, another tree can be formed for the valid certificates. The advantage of using the Merkle tree is that the gateway can prove the revocation status of a certificate without contacting the CA each time a SM wants to verify a certificate. It does not require trusting the gateway because the tree is constructed by the CA. Another advantage is that it can reduce the computation overhead on the SMs because the meters need to use the efficient hashing operations to verify the gateway response and one signature verification during the lifetime of the tree. The Merkle tree needs efficient hashing operations and one signature from the CA. A tree of height ~ has Nr = 2~ leaves and Nr − 1 interior nodes. If the tree is big and requires large storage area, the gateway can store only the certificates’ serial numbers and some nodes and computes the rest of the nodes when required. This is proper for our scheme because the tree may not be used very often during its lifetime. Computing the root node requires Nr hashing operations to calculate the leaves and 2~ − 1 hashing operations to compute the interior nodes. Several schemes have been proposed to balance between the storage area and the computational overhead of the Merkle tree. For
5
Fig. 5: Verifying a certificate revocation status. example, in [21], M. Szydlo proposed an algorithm for Merkle tree traversal which requires only logarithmic space and time. For a tree with Nr leaves, the algorithm computes sequential tree leaves and verification path in time 2log2 (Nr ) and space less than 3log2 (Nr ), where the units of computation are hash function evaluations or leaf value computations, and the units of space are the number of node values stored. C. Certificate Verification The CA sends to the gateway a signed packet having two Bloom filter vectors, the roots of the Merkle trees, and the issuance and expiry dates. One of the vector is for the revoked certificates and the other is for the valid (unrevoked) ones. The gateway forwards this packet to the meters. The CA’s signature can guarantee the packet’s integrity and authenticity. In the next section, we will show that this packet is much shorter than the certificate revocation list having the revoked certificates’ serial numbers. Each meter should verify the signature and store the vectors and trees roots. In order to check whether a certificate is revoked, the SMs use the technique illustrated in Fig. 5. The SM first checks whether the certificate’s serial number is in the revoked certificates’ Bloom filter vector. If the serial number is not in the vector, the certificate is certainly valid, otherwise the SM checks whether the certificate’s serial number is in the valid certificates’ Bloom filter vector. If it is not found, the certificate is certainly revoked. Finally, if the certificate’s serial number is found in the two vectors, this indicates that one of the Bloom filters triggered false positive and the SM should contact the gateway to query about the certificate status. The gateway responds with ”Valid”, ”Revoked”, or ”Unknown”, and sends the verification path in the Merkle tree. It is impossible to not find a certificate’s number in the two vectors because the CA must have added it to one of the them. For the same reason, it is impossible to find a certificate in the two vectors without false positive case.
The false-positive probability of a Bloom filter can be driven as follows. The probability that any particular bit Bi has zero is (1 − 1/m)KN , since the location Bi must be avoided by all KN hash values, where N is the number of elements in the vector. Therefore, the probability that a particular bit is set P r(Bi = 1) = 1 − (1 − 1/m)KN . In case of false positive, each of the K hash values must point at a bit location that is set to 1. The probability that this occurs is P r(B1 = 1 and B2 = 1 and . . . and BK = 1) which is (1 − (1 − 1/m)KN )K . In light of this, Equations 1 and 2 give the false positive probabilities of the unrevoked and revoked certificates Bloom filters, respectively. Nr , Kr , and mr are the number of certificates, the number of hash functions, and the vector length of the revoked certificates’ filter. Similarly, Nu , Ku , and mu are for the unrevoked (valid) certificates’ filter. For more information on the computations of the Bloom filter we refer to [22]. 1 Ku Nu Ku ) (1) ) F P Ru = (1 − (1 − mu 1 Kr Nr Kr ) ) (2) mr The certificate verification fails in case of false positive at either the revoked certificates’ filter or the valid certificates’ filter. The certificate verification failure probability (Pf ) is given in Equation 3. Pf equals to the probability that a certificate is revoked and the unrevoked certificate filter causes false positive or the certificate is unrevoked and the revoked certificate filter causes false positive. It can be seen that the failure probability can be determined by setting six parameters: the number of revoked and valid certificates (Nr and Nu ), the size of the Bloom vectors (mr and mu ), and the number of hash functions (Ku and Kr ). In the next section, we will demonstrate how these parameters can make the verification failure probability low. F P Rr = (1 − (1 −
Pf = P r(the certificate is revoked) × F P Ru + P r(the certificate is unrevoked) × F P Rr
(3)
IV. E VALUATIONS A. Communication Overhead Fig. 6 gives the probability of certificate verification failure versus mu at different values of mr . In the figure, we select Kr = Ku = 5, and mr and mu are proportional to Nr and Nu , respectively. For example, mr = 8Nr means that the size of mr in number of bits is 8 times the number of revoked certificates, i.e., this corresponds to adding 8 bits for each certificate in the vector. We also assume that the probability that a certificate is revoked is 0.1, and thus the probability that a certificate is unrevoked is 0.9. The number of unrevoked certificates (Nu ) is 100 and Nr = 10. It can be seen that the revoked certificate filter can have significant impact on the certificate verification failure if mr is not well selected. The increase of mr can reduce the impact of the revoked certificate Bloom filter on the verification failure. This also will not result in much overhead comparing to the increase of mu because Nr is expected to be smaller than
6
Fig. 6: The probability of certificate verification failure versus mu at different values of mr .
identifier, timestamp and signature. The total size of the packet is 72 bytes. The CSR packet should have the gateway signature, certificate serial number, time stamp, identity of the meter, and a proof if required. The size of the CSR packet without a proof is 73 bytes. With proof, it is 73 bytes + the path length × the size of the hash tags. For the public key cryptography, we used the Elliptic Curve Digital Signature Algorithm (ECDSA). This was chosen since its overhead is the minimal in comparison to other public cryptography techniques. It also uses a key size comparable to current symmetric cryptographic schemes, avoiding the higher computation of other public key schemes due to the larger key size. It is an approved signature algorithm for the US government use [23]. For the hash function, we used the ASN.1 secp128r1 standard curve with SHA-1 [24]. B. Computational Overhead of Bloom Filter
Fig. 7: The size of the revocation information versus the number of unrevoked certificates for CRL and our scheme. Nu . There is a tradeoff between the bit vector size and the verification failure probability, i.e., the increase of the vector length reduces the probability but at the cost of increasing the communication overhead. Selecting good values for the bit vectors can reduce the failure probability with acceptable overhead. For example, the increase of mu from 2Nu to 3Nu has little impact on the verification failure probability but undoubtedly increases the amount of revocation information. If we select mr = 8Nr and mu = 1.5Nu , mr + mu = 230 bits and the verification failure probability would be 0.1. Fig. 7 gives the size of the revocation information versus the number of unrevoked certificates for CRL and our scheme. This figure depicts how a revocation scheme scales up in large networks. It can be seen that our scheme required much less communication overhead comparing to CRL scheme. This improvement is larger when the number of certificates increases with larger networks. It can also be seen that our scheme can decrease the amount of revocation information with increasing the verification failure probability but the gateway will be contacted more. Our scheme performs much better in scalable networks. It can also be seen that the increase of certificate failure probability will decrease the amount of distributed data but the nodes will ask the gateway more. If certificate verification fails at the node, it has to send a Certificate Status Inquiry (CSI) packet to the gateway. The gateway replies with Certificate Status Response (CSR) packet. CSI packet has the serial number of the certificate, the meter’s
When a signed message is received, the SM has to check if the certificate is revoked. The latency of this check should be minimized to expedite message authentication. In CRL scheme, the certificate verification latency equals to the time to find a certificate’s serial number in the CRL. This time depends on the location of the serial number in the list and also the list size. For our scheme, the certificate verification latency mainly depends on the computation time of the K hashing operations. This time is fixed and does not depend on the number of revoked certificates. Hash functions are very efficient in computation. To evaluate the computational overhead of our scheme, we implemented a Bloom filter, using K = 5 hash functions based on SHA-1 and a vector of m = 9.77 K bytes that store 10,000 certificate identifiers. The identifiers of the certificates are 6 bytes and generated randomly. To derive 5 hash functions using SHA-1, we used the technique used in [22]. A single hash function can be used as 5 different functions by concatenating the certificates’ identifier with random values. Each function has a different random values and the random values are fixed and known to the meters. We used Crypto++5 library [25] to implement the SHA-1. We also used a laptop with an Intel processor at 1.6 GHZ and 1 GB RAM to implement the filter. Although the computational power of a meter is less than a laptop, we scale the results with the factor of five to obtain a realistic estimation to the expected overhead. Our measurement results demonstrate that a revoked certificate could be added to the Bloom filter in 214 µs. To measure a certificate verification time, we take the average to 30,000 certificates checks. Half of the certificates’ identifiers were in the filter and half of them were not in the filter. We compute one hash value and check its corresponding bit. If it is one, we proceed, otherwise we quit. The average certificate revocation latency is around 175.48 µs. The certificate verification time is less than the certificate adding time because K hashing operations should be performed to add a certificate but once a hash value’s output points at a location that stores zero, the search ends so less than K hashes may be required to conclude the search.
7
TABLE I: Revocation Information Distribution Performance Approach Delay (ms) PDR (%) Throughput (bit/sec) Case 1 Our scheme Pf = 0.1 0.29 94.46 2.63 Our scheme Pf = 0.15 0.28 94.48 2.29 CRL 0.39 94.33 4.38 Case 2 Our scheme Pf = 0.1 0.38 93.96 3.24 Our scheme Pf = 0.15 0.30 94.16 2.47
C. Simulation of Packet Distributions The proposed scheme has been implemented in a more realistic setting where the underlying communication infrastructure is assumed to be based on 802.11s-based wireless mesh networks (WMNs). We created a scenario where the gateway distributes the Bloom filter vectors to each of the SMs in the network. In order to assess the impact of the data traffic on the revocation information distribution, we assumed that all the SMs are sending their power readings to the gateway at the time of distributing the revocation information. The SMs are sending their power readings at every 10 secs which is used by some utilities in the real-life applications of AMI [26]. We assume a transmission range of 120 m for each of the SMs. The size of the network can be assumed to be smaller than the whole network of SMs in a city. The simulations are performed under ns-3 which has a built-in implementation of 802.11s using a 81 nodes grid topology. The underlying MAC protocol used was 802.11g. The simulations were run for 100 secs. The results are the snapshot at the end of 100th Sec. We considered the following three performance metrics to assess the network performance when the revocation information is to be distributed: • End-to-end Delay: This metric indicates the time it takes for a bloom filter vector to reach the intended SM. • Packet Delivery Ratio: This metric indicates the ratio of the number of packets sent from the gateway to the number of packets received at the SMs. • Throughput: This metric indicates the amount of data received at the SMs per second. This metric will show how much data is transmitted in the network and thus hint about the bandwidth usage. As indicated in Table I, we consider two cases. The number of certificates in the network is 300 and 600 in cases 1 and 2, respectively. In case of 0.15 verification failure probability, the performance in terms of delay can be achieved but the meters will contact the gateway more. We can see slight increase in the delay in case 2 due to increased packet sizes. Note that our scheme does not negatively impact the packet delivery ratio. Finally, the throughput for our scheme is slightly less due to sending smaller data with the packets. Overall, revocation information can be distributed in our scheme with little impact on the network performance. D. Security Analysis It is not secure to allow the nodes to communicate when the updated revocation information is not available. This means that the nodes cannot communicate when the certificate revocation scheme fails. In addition, if the information
is manipulated, attackers can sabotage the communications, e.g., by adding unrevoked certificates to the list or removing revoked ones. In our scheme, the two filter vectors and the root of the Merkle tree are timestamped and digitally signed by the CA. Modifying or fabricating them is impossible without knowing the CA’s private keys. Attackers may try to change the vectors and/or the Merkle tree root before relaying the packet sent from the CA to the victim meters. However, any change in them will fail the CA’s signature verification. In our scheme, we mitigated the false positive issue of the Bloom filters by using the fact that there is no false negative, i.e., Bloom filters give correct result when an item is not in the list. To thwart replay attacks, the timestamps can be verified to ensure the freshness of the packets. To break our scheme, attackers may try to impersonates the gateway or the CA and send fabricated packets to the smart meters. Digital signature are used to secure the communications between the meters and the gateway. The attackers cannot impersonate the gateway or the CA because they can not compute correct signatures. With using secure hash function, Merkle tree cannot be manipulated because it is impossible to find two certificate serial numbers that can generate the same hash values. Since the messages are digitally signed, they cannot be modified without invalidating the digital signature. V. R ELATED W ORK In [27], Khurana et al. have discussed the main security issues in SG. The authors have identified public key management as a challenge due to the system scalability and complexity. In [28], the authors study the problem of secure key management for the SG and proposed a novel key management scheme. The proposed key management scheme combines symmetric key technique and elliptic curve public key technique. In [16], a protocol is proposed to ensure that customers who default on their payments can be switched off remotely. In order to prevent attackers from launching attacks to interrupt the citizens’ electricity supply, the scheme uses public key cryptography to secure the protocol without addressing certificate revocation. Metke et al. [29] survey the existing key security technologies for extremely large and wide-area communication networks and study their applicability for the smart grid. Based on studying the security requirements as well as the scale of the smart grid, the authors strongly believe that the PKC is the most effective key management solution for securing the SG. Existing works on AMI network security such as [4] propose the use of PKC but do not provide any mechanisms for certificate revocation, although it is a required component. Different aspects of certificate revocation problem in SG applications were discussed in [30] without providing a solution to AMI networks. In [31], we have introduced the problem of certificate revocation in AMI networks. We proposed two mechanisms to group each AMI network into groups of meters that need to communicate with each other. The CA generates a single revocation list for each group. However, the scheme
8
is not scalable because the CA has to compute many CRLs and distribute them. Online certificate status protocols (OCSPs) [32] can serve as an alternative to distributing CRLs. For an OSCP to be practical, each meter would need a constantly-available connection to the CA. The scalability of the network will create bottleneck at the CA. The gateways are not trusted enough to act as a CA. In [33], Wohlmacher et al survey the different revocation methods. VI. C ONCLUSION We have proposed a certificate revocation scheme for large scale AM I networks. Our objective is to balance the size of the CRLs and the overhead of forming and distributing them. The CA grouped the AMI networks and composed one CRL for each group. To reduce the number of CRLs by increasing the groups size with acceptable overhead on the meters, we used Bloom filter to compactly distribute/store the revocation information. To address the false positive issue of the Bloom filter, we proposed a novel scheme to identify and mitigate the false positives by making use of the fact that Bloom filters are free of false negatives. We used Merkle tree to enable the gateway to provide efficient proof for certificate revocation without contacting the CA. We have shown that the probability of contacting the gateway can be controlled by the Bloom filter’s parameters. To evaluate the performance of our scheme, mathematical model and N S − 3 simulation results have been presented. The results have demonstrated that the scheme not only can decrease the certificate verification time but also reduce the overhead of distributing and storing the revocation information. In addition, the distribution of the revocation information will have little impact on the network performance. VII. ACKNOWLEDGEMENT This work is supported in part by US National Science Foundation under the grant number 1318872. R EFERENCES [1] H. Farhangi, “The path of the smart grid,” IEEE Power and Energy Magazine, vol. 8, no. 1, pp. 18–28, January 2010. [2] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” IEEE Security and Privacy, vol. 7, no. 3, pp. 75–77, May 2009. [3] NIST, “Guidelines for smart grid cyber security: vol. 3 supportive analyses and references,” NISTIR 7628, The Smart Grid Interoperability Panel - Cyber Security Working Group, August 2010. [4] A. Beussink, K. Akkaya, I. Senturk, and M. Mahmoud, “Preserving consumer privacy on ieee 802.11s-based smart grid ami networks using data obfuscation,” IEEE INFOCOM Workshop on Communications and Control for Smart Energy Systems, Toronto, Canada, April 2014. [5] M. Mahmoud and X. Shen, “Esip: Secure incentive protocol with limited use of public-key cryptography for multihop wireless networks,” IEEE Transactions on Mobile Computing, vol. 10, no. 7, pp. 997–1010, 2011. [6] ——, “Fescim: Fair, efficient, and secure cooperation incentive mechanism for multihop cellular networks,” Mobile Computing, IEEE Transactions on, vol. 11, no. 5, pp. 753–766, May 2012. [7] M. E. Mahmoud and X. Shen, “Pis: A practical incentive system for multihop wireless networks,” Vehicular Technology, IEEE Transactions on, vol. 59, no. 8, pp. 4012–4025, 2010.
[8] M. Mahmoud, J. Misic, and X. Shen, “A scalable public key infrastructure for smart grid communications,” Proc. of IEEE Global Communication Conference (IEEE GLOBECOM’13), Atlanta, GA, USA, December 2013. [9] W. Wang, Y. Xu, and M. Khanna, “Survey paper: A survey on the communication architectures in smart grid,” p. 36043629, Oct 2011. [10] R. Housley, W. Polk, W. Ford, and D. Solo, “Internet x.509 public key infrastructure certificate and certificate revocation list (crl) profile,” RFC 3280, IETF, April 2002. [11] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J.-P. Hubaux, “Eviction of misbehaving and faulty nodes in vehicular networks,” Selected Areas in Communications, IEEE Journal on, vol. 25, no. 8, pp. 1557–1568, Oct 2007. [12] J. Haas, Y.-C. Hu, and K. Laberteaux, “Efficient certificate revocation list organization and distribution,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 595–604, March 2011. [13] G. Hiertz, S. Max, R. Zhao, D. Denteneer, and L. Berlemann, “Principles of ieee 802.11s,” in International Conference on Computer Communications and Networks (ICCCN’7), August 2007, pp. 1002 –1007. [14] T. R. Henderson, M. Lacage, G. F. Riley, C. Dowell, and J. B. Kopena, “Network simulations with the ns-3 simulator,” SIGCOMM’08 Demos, 2008, code available: http://www.nsnam.org/releases/ns-3.1.tar.bz2. [15] R. Castellanos and P. Millan, “Design of a wireless communications network for advanced metering infrastructure in a utility in colombia,” in Proc. of IEEE Communications Conference (COLCOM), May 2012, pp. 1–6. [16] R. Anderson and S. Fuloria, “Who controls the off switch?” in First IEEE International Conference on Smart Grid Communications (SmartGridComm), October 2010, pp. 96–101. [17] B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” CACM, vol. 13, no. 7, pp. 422–426, 1970. [18] A. Kumar, J. J. Xu, J. Wang, O. Spatschek, and L. E. Li, “Space-code bloom filter for efficient per-flow traffic measurement,” in Proc. of IEEE INFOCOM, 2004, pp. 1762–1773. [19] H. Shi, B. Schmidt, W. Liu, and W. Muller-Wittig, “A parallel algorithm for error correction in high-throughput short-read data on cuda-enabled graphics hardware,” Journal of Computational Biology, vol. 17, no. 4, pp. 603–615, 2010. [20] NIST, “Digital hash standard,” Fed. Information Processing Standards Publication 180-1, April 1995. [21] M. Szydlo, “Merkle tree traversal in log space and time,” Advances in Cryptology - EUROCRYPT - Lecture Notes in Computer Science, vol. 3027, pp. 541–554, 2004. [22] L. Fan, P. Cao, J. Almeida, and A. Broder, “Summary cache: a scalable wide-area web cache sharing protocol,” Networking, IEEE/ACM Transactions on, vol. 8, no. 3, pp. 281–293, Jun 2000. [23] NIST, “Fips 186-3: Digital signature standard,” 2009. [24] A. J. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of applied cryptography,” CRC Press, 1996. [25] W. Dai, “Crypto++ library 5.6.0,” http://www.cryptopp.com, last retrieved 2014. [26] “Korean electric power research institute,” 2013. [Online]. Available: http://www.kepri.re.kr/ [27] H. Khurana, M. Hadley, N. Lu, and D. Frincke, “Smart-grid security issues,” IEEE Security and Privacy, vol. 8, no. 1, pp. 81–85, 2010. [28] D. Wu and C. Zhou, “Fault-tolerant and scalable key management for smart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 375 – 381, June 2011. [29] A. Metke and R. Ekl, “Security technology for smart grid networks,” IEEE Transactions on Smart Grid, vol. 1, no. 1, pp. 99–107, June 2010. [30] M. Mahmoud, J. Misic, and X. Shen, “Efficient public-key certificate revocation schemes for smart grid,” Proc. of IEEE Global Communication Conference, Atlanta, GA, USA, December 9-13 2013. [31] K. Akkaya, K. Rabieh, M. Mahmoud, and S. Tonyali, “Efficient generation and distribution of crls for ieee 802.11s-based smart grid ami networks,” 2014. [32] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, “X.509 internet public key infrastructure online certificate status protocolocsp,” Available: http://www.ietf.org/rfc/rfc2560.txt, June 1999. [33] P. Wohlmacher, “Digital certificates: A survey of revocation methods,” in Proc. of the ACM Workshops on Multimedia, Los Angeles, California, USA, 2000, pp. 111–114.