Cryptanalysis of LSPA-SGs: A lightweight and secure protocol for authentication and key agreement based Elliptic Curve Cryptography in smart grids
Publish,
Meenakshi
Srinivasa Ramanujan Department of Mathematics, Central University of Himachal Pradesh, Dharamshala (176215), India
*Corresponding Author E-mail: thakurlovii0@gmail.com
ABSTRACT:
Smart grids are becoming more and more significant as more nations adopt the smart
city concept and boost energy sector efficiency to create a more sustainable
and secure future. However, it is
critical to address the security issues with smart grids. Security and privacy
are essential components of SG communication. Recently, the LSPA-SGs scheme was
created, and according to its creators, it is an effective and secure protocol.
We reviewed their scheme and observed that it does not provide security and privacy.
It contains several security vulnerabilities: user anonymity, stolen-verifier
attack, password guessing attack, physical attack, privileged insider attack, and
user impersonation attack.
This study exposes the weaknesses of Susan A. Mohammed et al.'s design and
demonstrates how its security issues allow for powerful attacks.
KEYWORDS: Smart grids, Elliptic curve cryptography, Authentication, key agreement, Security.
1. INTRODUCTION:
The first AC electric grid was built in Great
Barrington, Massachusetts, in 1886 [1]. In this period, the distribution,
transmission, and demand-driven regulation of energy were all handled by a
single, consolidated grid. Local grids in the 20th century expanded
over time and were eventually joined together for practical and reliability reasons. Daily
peaks in demand caused by residential heating and cooling were addressed by a
variety of high-power generators that were only turned on briefly each day. Due
to the low utilization of these peaking generators and the need for grid
redundancy, gas turbines were typically used, which have lower capital costs
and faster start-up times. The electrical providers were hit with significant
expenses as a result, which were subsequently passed on to customers in the
form of higher prices. This electrical grid was not fulfilling the demands of
20th century populations due to a lack of natural gas, coal, water,
and various fossil fuels, for which we had to introduce modern technology so
that the electrical grid would become smarter. A better electrical power grid,
a "smart grid," works with infrastructure communication technology to
distribute electricity more effectively and to communicate with users and power
communication providers. The 20th century's constantly evolving and expanding
power needs cannot be met by the existing power grid architecture, making
efficient power grid utilization essential today [1]. Among its many benefits,
the smart grid allows for better management and expansion of renewable energy
sources. Rapid advancements in communication and information technology in
recent years have resulted in secure and ongoing technological advancements
[2]. Just a few of the options it provides for developing a growing intelligent
platform include power control, internet communication, and smart meters [3,
4]. The smart grid (SG) is a platform that enables regular two-way contact between users and service
providers for computation and communication [5]. SG operation may be
suspended by cyberattacks due to its sensitivity [6]. Physical attacks,
cyberattacks, and natural disasters pose the greatest risks to the deployment
of smart grids since they can result in blackouts, infrastructure failure,
consumer data breaches, energy theft, and risks to the safety of operating personnel,
among other things [7]. As a result, extensive research is being done to
increase the security of smart grids [8]. In order to provide solutions that
are resistant to cyber-attacks in smart grid applications, security measures
are essential [9, 10]. The smart grid security issue needs to be taken care of
immediately. It is crucial to provide SG with a safe and secure authentication
system that maintains trust between genuine users and satisfies other security
requirements like anonymity, authentication and privacy.
2. RELATED WORK:
Several models are considered in the current study. The
foundation for HAN and BAN authentication was created in 2011 by Fouda et al.
This system uses exponential operations and time-consuming procedures like
public key encoding and decoding. Weizheng Wang et al. created their system in
2011 by combining blockchain technology with ECC. Khan et al. proposed the PALK
smart grid system in 2020 [16], which is a unique system. They discussed many
of PALK's security features and its attack resilience. Moghadam et al. sought
to achieve an efficient and secure design between the user and the utility centre
in 2020 with their design for key agreement and authentication. Li
et al. [13] created an anonymous authentication system for SG architects.
S. A. Chaudhry [17] showed in 2021 that the sender's identity and the
multiplication of two points over the curve are both unknowns during the login
and verification phase of the PALK system. Some smart grid-connected devices are
unable to finish a single authentication cycle as a result of the weaknesses in
this protocol. Scheme [17] proposes an immediate remedy for the significant
problems of PALK. However, [17] overlooked a few issues that may have been fixed
in LSPA-SGs [18]. Consequently, we provide the cryptanalysis of LSPA-SGs [18]
in this work.
3. ORGANIZATION OF THE PAPER:
The remainder of the paper is organized as follows: Section 4
revisits the [18] system, and Section 5
addresses its shortcomings. We summarize our conclusions in the final
part.
Table 1: The meaning of the symbols
Symbols | Description
P | Base point on an elliptic curve
TA | Trust Authority
IDi | Identity (particular user)
ENC\DEC | Encryption\Decryption
PrT\PKT | Private key\public key (TA)
SKi\PKi | Private key\public key (participant)
SKij | Shared key (between participant)
4. THE BRIEF OVERVIEW OF SUSAN SCHEME:
Step 1:
UA enters his identification (Id) and password (Pw), computes N and A,
respectively, as well as P, and verifies AA =? A. If the verification step is
successful, UA sets timestamp T1 and sends "AA, NA, T1" to UB over a public
channel.
Step 2:
After receiving AA, NA, and T1, UB sets timestamp T2 and tests its freshness
using the relation |T2 - T1| ≤ ∆T. If this is successful, UB chooses a random
number, gB, and computes GB = gB.P, KB = gB.(AA + PKT + NA.PKT),
SKBA = h(gB.AA||T2||qB), and AutB = h(SKBA||qB). UB then uses the computed key
KB to encrypt EB = ENCKB(qB||T2). Finally, UB transmits "EB, GB, AutB, T2" to UA.
Step 3:
UA sets timestamp T3 and, upon success, computes KA = SKA.GB and decrypts
DEC(EB)KA = (qB, T2) to determine whether the timestamp is fresh. In addition,
UA calculates SKAB = h(NA.GB||T2||qB) and AutA = h(SKAB||qB), and confirms
AutA =? AutB. If the verification is successful, UA chooses the random number
XA, computes FA = h(AutA||XA), and then encrypts EA = ENCKA(FA||XA) using the
computed key KA. Then, UA uses a public channel to send "EA, FA, T3" to UB.
Step 4:
After receiving EA, FA, and T3 from UA, UB sets timestamp T4 and, upon success,
determines whether the timestamp is current using the relation |T4 - T3| ≤ ∆T
and decrypts DEC(EA)KB = (AutA, XA). UB then calculates FB = h(AutA||XA) and
verifies FB =? FA; if they match, the authentication and session key agreement
are successful.
Password change phase:
The user provides his ID and PWi of choice in the registration process. After
entering its ID, for example, entity A, one of the entities will then proceed.
Using PWA, the parameters NA = h(IdA||PWA||aA) and AA = NA.P are calculated.
Then, the verification between AA’ and AA is checked. Then the user enters his
or her new password, say "PWA," and computes the relationships
NA = h(IdA||PWA||aA) and AA = NA.P. If the computation is successful,
parameter AA’ finally takes the place of parameter AA in the target entity's
memory.
5. THE CRYPTANALYSIS OF SUSAN SCHEME:
This section demonstrates some security flaws discovered in the technique,
including privileged insider, stolen verifier, password guessing, user
impersonation, user anonymity, and password modification attacks.
5.1 Privileged insider:
In the literature, there are several schemes that demonstrate the viability of
privileged insider attacks, as we stated in the security models. The insider
attack is therefore practically valid in Susan's system, because in the
registration phase Ui sends Idi, Ni to TA via a secure channel. A malicious
insider A might then obtain this information, i.e. Ni and Idi, and also extract
the parameters xA, Ai from the memory using a side-channel attack. A can then
guess PWDi of Ui.
5.2 Password guessing attack:
The attacker inputs the values of xi and Idi into Ni = h(Idi||PWi||xi) and
guesses the password by trying candidate values until the result equals the
Ni value; the output is then the correct password PWDi of Ui. In this way, the
attacker can register himself/herself with Ui’s Idi and PWDi.
5.3 User impersonation attack:
Suppose A uses side-channel attacks to obtain Idi and PWDi in addition to the
parameters xi, Ai, and other information from the memory. Attacker A first
creates a random number yi in place of xi and calculates Ni = h(Idi||PWi||xi).
A then sends Idi, Ni to TA through a secure channel. After receiving Idi, Ni,
TA computes Ai = Ni.P, Ci = PKT + Ai, hci = h(Ci), msi = PrT + hci*PrT and
SKi = Ni + msi. TA sends Ci, PKT, SKi to Ui through a secure channel. From the
above, we can conclude that A is able to use the system as a legitimate user.
5.4 Password change phase:
The user first completes the registration process by entering the ID and PW of
his choice. At this point, A has entered his PW and ID, calculated Ni* and Ai*,
and verified that Ai* = Ai. If successful (obviously), A enters its new
password, i.e., Pwi**, computes the parameters (Ai**, Ni**), and replaces the
parameters AA in the target entity's memory.
6. CONCLUSION:
In this study, we performed cryptanalysis on the Susan
scheme and discovered a number of significant flaws that let attackers launch
powerful attacks such as impersonation attacks, password guessing attacks,
privileged insider attacks, and password change attacks. To address these
issues, we must encrypt the value that is kept in the database (memory
card). Attackers who gain access to the memory card will then be unable to use the
relation Ni = h(idi||PWi||ai) to
determine the password of the desired user. If so, this approach is secure
and also works with smart grid systems.
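The guessing test of Section 5.2 and the countermeasure named in the conclusion, shown side by side as an added Python example (not code from this paper or from LSPA-SGs). SHA-256 for h, the HMAC sealing used as a stand-in for encrypting the stored value, the device key held outside the memory card, and all sample values are assumptions of this example.

```python
import hashlib
import hmac

def h(*fields: bytes) -> bytes:
    """h(a||b||...); SHA-256 and the length prefixes are assumptions of this example."""
    digest = hashlib.sha256()
    for f in fields:
        digest.update(len(f).to_bytes(2, "big") + f)
    return digest.digest()

def plain_record(id_i: bytes, pw: bytes, x_i: bytes) -> dict:
    """Memory contents as analysed in 5.2: Idi, xi and Ni = h(Idi||PWi||xi)."""
    return {"Id": id_i, "x": x_i, "N": h(id_i, pw, x_i)}

def sealed_record(id_i: bytes, pw: bytes, x_i: bytes, device_key: bytes) -> dict:
    """Ni bound to a key that is not stored with the record (stand-in for encryption)."""
    tag = hmac.new(device_key, h(id_i, pw, x_i), hashlib.sha256).digest()
    return {"Id": id_i, "x": x_i, "N": tag}

def verify_sealed(record: dict, pw: bytes, device_key: bytes) -> bool:
    """Legitimate check: needs both the password and the device key."""
    tag = hmac.new(device_key, h(record["Id"], pw, record["x"]), hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["N"])

def offline_check(record: dict, candidates: list):
    """Return the candidate that reproduces record['N'] from record contents alone, else None."""
    for pw in candidates:
        if hmac.compare_digest(h(record["Id"], pw, record["x"]), record["N"]):
            return pw
    return None

# Constructed sample values, not taken from the scheme or any deployment.
ID_I, PW_I, X_I = b"meter-0042", b"Summer2023", bytes(range(16))
DEVICE_KEY = bytes(range(32, 64))  # assumed to live outside the memory card
CANDIDATES = [b"password", b"grid1234", b"Summer2023", b"letmein"]

if __name__ == "__main__":
    leaked_plain = plain_record(ID_I, PW_I, X_I)
    leaked_sealed = sealed_record(ID_I, PW_I, X_I, DEVICE_KEY)
    print("plain record confirms guess :", offline_check(leaked_plain, CANDIDATES))
    print("sealed record confirms guess:", offline_check(leaked_sealed, CANDIDATES))
    print("holder of key still verifies:", verify_sealed(leaked_sealed, PW_I, DEVICE_KEY))
```

The plain record acts as a password verifier for anyone who can read the memory, while the sealed record confirms nothing without the device key.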
7. REFERENCES:
1. Chr. Lamnatou, D. Chemisana, C. Cristofari, Smart grids and smart technologies in relation to photovoltaics, storage systems, buildings and the environment, Renew Energy 185 (2021) 1376–1391.
2. Muhammed Zekeriya Gunduz, Resul Das, Cyber-security on smart grid: Threats and potential solutions, Comput Netw 169 (2020).
3. M.Z. Gunduz, R. Das, Analysis of cyber-attacks on smart grid applications, in: 2018 international conference on artificial intelligence and data processing (IDAP), 2018, pp. 1–5.
4. S. Garg, K. Kaur, G. Kaddoum, Secure and lightweight authentication scheme for smart metering infrastructure in smart grid, IEEE Trans Ind Inform (2019).
5. M.H. Yaghmaee, A. Leon-Garcia, M. Moghaddassian, On the performance of distributed and cloud-based demand response in smart grid, IEEE Trans Smart Grid 9 (5) (2017) 5403–5417.
6. K. Kimani, V. Oduol, K. Langat, Cyber security challenges for IoT-based smart grid networks, Int J Crit Infrastruct Prot 25 (2019) 36–49.
7. Abdulrahaman Okino Otuoze, Mohd Wazir Mustafa, Raja Masood Larik, Smart grids security challenges: Classification by sources of threats, J Electr Syst Inf Technol 5 (2018) 468–483.
8. I. Colak, S. Sagiroglu, G. Fulli, M. Yesilbudak, C.-F. Covrig, A survey on the critical issues in smart grid technologies, Renew Sustain Energy Rev 54 (2016) 396–405.
9. S. Shitharth, D.P. Winston, A novel IDS technique to detect DDoS and sniffers in smart grid. In: Proc. world conf. futuristic trends res. innov. soc. welfare (Startup Conclave). 2016, p. 1–6.
10. D. Ding, Q.-L. Han, Y. Xiang, X. Ge, X.-M. Zhang, A survey on security control and attack detection for industrial cyber–physical systems, Neurocomputing 275 (2018) 1674–1683.
11. W. Wang, H. Huang, L. Zhang, C. Su, Secure and efficient mutual authentication protocol for smart grid under blockchain, Peer-to-Peer Netw Appl 14 (5) (2021) 2681–2693.
12. Mostafa Farhadi Moghadam, et al., A lightweight key management protocol for secure communication in smart grids, Electr Power Syst Res 178 (2020) 106024.
13. X. Li, F. Wu, S. Kumari, L. Xu, A.K. Sangaiah, K.-K.R. Choo, A provably secure and anonymous message authentication scheme for smart grids, J Parallel Distrib Comput (2017).
14. D. Abbasinezhad-Mood, M. Nikooghadam, Design and extensive hardware performance analysis of an efficient pairwise key generation scheme for smart grid, Int J Commun Syst 31 (5) (2018).
15. A. Braeken, P. Kumar, A. Martin, Efficient and provably secure key agreement for modern smart metering communications, Energies 11 (10) (2018) 2662.
16. A.A. Khan, V. Kumar, M. Ahmad, S. Rana, D. Mishra, PALK: Password-based anonymous lightweight key agreement framework for smart grid, Int J Electr Power Energy Syst 121 (2020) 1–12.
17. Shehzad Ashraf Chaudhry, Correcting PALK: Password-based anonymous lightweight key agreement framework for smart grid, Int J Electr Power Energy Syst 125 (2021) 1–6.
18. LSPA-SGs: A lightweight and secure protocol for authentication and key agreement based Elliptic Curve Cryptography in smart grids, Susan A. Mohammed Taqia, Saeed Jalilib, https://doi.org/10.1016/j.egyr.2022.06.096