2370

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

A Secure Smart-Metering Protocol Over Power-Line Communication

Sungwook Kim, Eun Young Kwon, Myungsun Kim, Jung Hee Cheon, Seong-ho Ju, Yong-hoon Lim, and Moon-seok Choi
AbstractA smart-metering system is a system that meters electricity, gas, and water consumption and manages their supply by controlling measuring devices remotely. Power-line communication (PLC) does not require a separate communication line and can be easily installed by utilizing power-line infrastructure. PLC also allows users to easily connect measuring devices to the PLC network by plugging the power cord into an electrical outlet. Therefore, a smart-metering system over PLC has been considered as one of the most appropriate technologies for meter reading and automatic control, which are essential in realization of a smart grid. We propose a secure smart-metering protocol including: 1) key materials generation and provisioning to devices without exposure; 2) initialization to authenticate devices in the network and share keys between devices before exchanging data, (3) secure transmission of meter-reading data, and 4) revocation management to handle discarded devices from the network. Especially, our protocol provides strong authentication of devices and data: It prevents a single point of failure by adopting secret sharing through multiple certicate authorities. It also reduces the risk of denial-of-service attacks on the server by hop-by-hop authentication for data transmitted from terminal nodes to the server. Index TermsPower-line communication (PLC), security, smart metering.

I. INTRODUCTION

OWER-LINE communication (PLC) is technology carrying data as well as transmitting electric power on power lines. Since power lines have been established widely, PLC does not require a separate communication line and can be easily installed. And it also can be connected to various networks through a backbone network. Moreover, devices can access a system easily by plugging the power cord into an electrical outlet. Therefore, PLC has been considered as one of the most appropriate technologies for remote meter-reading systems and automatic control systems to realize advanced metering infrastructure (AMI) systems, which is an essential part of a smart grid.
Manuscript received September 24, 2010; revised March 08, 2011; accepted May 15, 2011. Date of publication July 11, 2011; date of current version October 07, 2011. This work was supported by the Power Generation & Electricity Delivery of the Korea Institute of Energy Technology Evaluation and Planning (KETEP) Grant funded by the Korea government Ministry of Knowledge Economy (No. R-2005-1-397-004). Paper no. TPWRD-00732-2010. S. Kim, E. Y. Kwon, M. Kim, and J. H. Cheon are with ISaC and Department of Mathematical Sciences, Seoul National University, Seoul 151-747, Korea (e-mail: avell7@snu.ac.kr; white483@snu.ac.kr; msunkim@snu.ac.kr; jhcheon@snu.ac.kr). S. Ju, Y. Lim, and M. Choi are with the Korea Electric Power Research Institute, Daejeon 305-380, Korea (e-mail: shju1052@kepco.co.kr; adsac@kepco.co.kr; cms96@kepco.co.kr). Digital Object Identier 10.1109/TPWRD.2011.2158671

Smart metering refers to the procedure of installing intelligent meter-reading systems, reading meters remotely, and sending the readings to users. The readings can include details on gas, water, and electricity consumption. The individual technologies necessary for smart metering are in a state of having been secured mostly and one of the current major issues in this area is to prevent tampering of meters and readings during meter reading or data transmission. In recent years, many countries over the world are adopting smart-metering systems for remote meter reading. Research is underway to improve the accuracy of meter readings, to design network for transmitting the meter readings, and to develop methods for protecting the meter readings. The United States of America (USA) set the security requirements for the advanced metering infrastructure (AMI) in December 2008 [13]. The National Institute of Standards and Technology (NIST) presented the framework for smart-grid interoperability including standards for the cybersecurity of smart grids [10] in January 2010, and the strategy and requirements for smart grid cybersecurity [11] in August 2010. Besides research on security requirements, an implementation based on the security solution provided by Certicom is in progress, however, a detailed description of the system is not released. The European Union (EU) is promoting the standardization of smart grid security as a part of smart-grid standardization throughout the project SmartGrids: European Technology Platform, which comprised 19 detailed studies carried out at ve research sections [16]. OPEN meter project [12] is also underway in EU and it laid down the specication of the security requirements in July 2009 [15]. The Smart Grid Strategic Group (SG3) of the International Electrotechnical Commission (IEC) presented the road map for its smart-grid standardization in June 2010 [14]. It includes the presentation of an inventory of existing standards, analysis of the gaps between actual standards and future requirements, and recommendations for evolution. As mentioned before, most current research on secure smart metering focuses on drawing security requirements. Research on the development of a protocol that satises security requirements is in the early stage. Only a few concrete protocols are suggested so far, and furthermore, little information about their descriptions is released. To the best of our knowledge, this is the rst protocol for secure smart metering in public. In this paper, we dene and design a secure smart-metering protocol (SSMP). We describe all of the data structures and procedures for a SSMP including: 1) key materials generation and provisioning to devices without exposure; 2) initialization to authenticate devices in the network and share keys between devices before sending and receiving data; 3) secure transmission

0885-8977/$26.00 2011 IEEE

KIM et al.: SECURE SMART-METERING PROTOCOL

2371

of meter-reading data; and 4) revocation management to handle discarded devices from the network. The proposed protocol exploits a number of cryptographic primitives. Public key cryptosystems, such as public-key encryption schemes and digital signatures, are used to generate and authenticate keys; to authenticate devices in the PLC network and to share keys between devices. Since the reading data need to be encrypted frequently, an authenticated encryption scheme is used for efciency and security of a system, guaranteeing the condentiality, integrity, and authenticity of data. And the digital signature is used optionally to provide nonrepudiation for the meter readings. In the protocol, discarded devices are handled by the management of the certicate revocation list (CRL). The proposed protocol provides strong authentication of devices and data in two ways. First, security in certifying a public key is strengthened in order to prevent a single point of failure. In a protocol based on a public-key cryptosystem, it is core to guarantee security of a key for certifying public keys (i.e., exposure of a certication key causes security failure of the entire system). Hence, the protocol is designed to decentralize the certicate authority by splitting a certication key and distributing key shares to multiple certication authorities. With this method, no information about a certication key is revealed even if there is collusion between a certain number of authorities. In addition, multiple certication keys are used to limit the damage to a specic range even when a certication key is compromised. Second, the proposed protocol performs hop-by-hop authentication in order to reduce the risk of denial-of-service (DoS) attacks on the server. In the PLC network, malicious users are able to crash the server by saturating it with overwhelming amounts of data. In the protocol, devices on the middle node authenticate all of the data transmitted from terminal nodes to the server so that invalid data can be ltered. II. ARCHITECTURE AND FEATURES OF SSMP In this section, we introduce the components and network topology of the SSMP. We also consider security requirements for remote meter-reading systems and cryptographic primitives, which are used as building blocks in the proposed protocol. A. Components of SSMP Server: the server can be divided into certicate authority (CA), registration authority (RA), and metering authority (MA) servers. The SSMP logically handles these three functional servers as one server. Manufacturer: this means companies manufacturing IRM and PLC modems, which compose the PLC remote meterreading network. IRM: this is an intermediate node connecting the servers PLC and the PLC modem in a network. It has up to modems. It transmits each measured value sent by the PLC modems to the relevant server and performs primary message authentication. PLC modem: it receives the electricity meter readings of each household and transmits them to the IRM. Since the electricity meter reading is directly connected to the PLC

Fig. 1. Network topology of SSMP.

modem, the PLC modem and electricity meter are considered to be the same in the SSMP. Both have the same keys. Fig. 1 shows the topology of the SSMP. B. Types of Attacks and Goals of Attackers The weakest attackers are eavesdroppers that eavesdrop communications between nodes. These attackers can collect only encrypted meter readings. Examples of attacks are given below in increasing order of strength. ciphertext only attack (COA): in a COA, the attacker tries to deduce the decryption key or plaintext from the ciphertext by eavesdropping; known plaintext attack (KPA): in a KPA, the attacker can obtain pairs of plaintext and the corresponding ciphertext. The attacker, which can include a householder, can obtain these pairs by reading the meter and then eavesdropping the encrypted value sent by the meter; chosen plaintext attack (CPA): in a CPA, the attack can choose plaintext and the corresponding ciphertext; a householder may control the amount of electricity consumed and eavesdrop he encrypted value sent by the meter; chosen ciphertext attack (CCA): in the SSMP, since a message authentication code is generated for each encrypted meter reading, the attacker cannot forge a valid ciphertext for an arbitrary value; however, he/she can launch this attack for public-key cryptosystems in the SSMP. The goals of attackers can be broadly classied into four categories: 1) to overload the server or IRM, for example, DoS attack; 2) to forge the encrypted meter reading in an authenticated manner; 3) to estimate the meter reading that is encrypted and transmitted; and 4) to determine the private key or secret key of a network component. C. Security Requirements The security of the SSMP is based on the security of its four cryptographic protocols, which use various keys. The rst protocol of the SSMP handles the production management and initialization of devices. It denes the method to securely generate keys for each network device and issue public-key certicates, and transmit these to the respective device. The second protocol handles the mutual authentication and key sharing between network devices, on the basis of the embedded keys. This protocol uses the keys generated by the rst

2372

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

protocol to verify the authenticity of device pair and denes the method to share the key, called the shared key, securely. The third protocol handles encryption/decryption to securely deliver the meter reading, which is the core of the SSMP. It also denes the method to derive the keys for this purpose; the method to deduce the key for encryption/decryption of meter reading from the shared key between each pair of devices, generated by the second protocol; and the method to transmit the encrypted meter reading; and the method to provide nonrepudiation for the encrypted meter reading generated by the respective device. The fourth protocol denes the method to manage device whose certicate has been revoked, that is, the management of the certicate revocation list (CRL). The security features of the SSMP are as follows. In order to minimize the probability of the leakage of the secret key, the device key and public key/private key will be generated in each device and key escrow will not be allowed. In order to avoid a single point of failure, which can occur when certicates are issued using a certication key by one person in charge of certication, the authority for certication is decentralized. In order to reduce the risk of attacks when the certication key used to issue certicates for each device is damaged, several certication keys are generated, and one certication key is used to certify only a limited number of devices. In order to guarantee the integrity of program installed in meters, PLC modems, and IRM, all program codes in the SSMP have to be authenticated by the certication server. The SSMP nodes have to perform explicit key authentication and mutual entity authentication before transmitting and receiving data from other devices. The SSMP node has to check whether the certicate of the target device has been revoked before it transmits or receives data from the target device. Since the IRM, which connects each meter and the MA server in the PLC network, is most susceptible to security threats, it provides end-to-end security. Data integrity is guaranteed for all meter readings transmitted between the SSMP devices. It provides nonrepudiation for the meter readings transmitted from the meters to the server. It can prevent DoS attacks on the server. The SSMP is to be designed, taking into consideration the expandability feature in order to easily include more services in the future. D. Cryptographic Primitives In this section, we briey introduce cryptographic primitives used in the SSMP with the required security notions. For the denition of each security notion, refer to [1]. A block cipher algorithm is used in the transmission protocol of meter readings and the process of deducing a session key from the shared key. The block cipher algorithm in the SSMP should be at least IND-CPA secure with a 128-b key. The SSMP uses an authenticated encryption scheme for encrypting the meter readings. This scheme guarantees the con-

dentiality, integrity, and authenticity of data. Authenticated encryption involves obtaining the ciphertext of a message by using a block cipher algorithm and an MAC for the plaintext or ciphertext. There are three methods to combine encryption and MAC, namely, Encrypt-and-MAC, MAC-then-Encrypt, and Encryptthen-MAC. The authenticated encryption with associated data (AEAD) proposed by Rogaway in [7] is an authenticated encryption that guarantees the condentiality and integrity of data and the integrity of associated data by adding plain associated data to the ciphertext. The representative methods for AEAD are CCM [9], CWC [5], OCB [8], EAX [2], and GCM [6]. The SSMP considers the use of AEAD. The block cipher and MAC algorithms in an authenticated encryption should be IND-CPA and SUF-CMA secure, respectively. In the case of Encryptthen-MAC, the block cipher algorithm should be IND-CCA secure [1]. The inputs for the authenticated encryption scheme of the SSMP are the secret key for the block cipher, the initial value , message , and the associated data . The output is a pair of ciphertext and the tag necessary for checking the data integrity, i.e.,

Here, is a distinct nonce chosen at each run. When transmitand are included in the header. Hereafter, ting data, we denote authenticated encryption by

In the SSMP, the public-key encryption scheme is used for the encryption of the shared key in the shared key transportation protocol. This scheme should be IND-CCA secure. A key for public-key cryptosystem is required to achieve 80-b security. Every protocol in the SSMP exploits the digital signature scheme. The digital signature scheme in the SSMP should be EU-CMA secure [4]. In order to distribute the CA, the threshold digital signature scheme [3] is required. The security of the threshold digital signature is based on the underlying digital signature scheme. III. DESIGN OF SSMP In this section, we describe our protocol. The proposed protocol includes all processes for production management and initialization of devices, key management, secure transmission of meter readings, and management of the CRL. Table I lists the notations used in this paper. A. Production Management and Initialization of Devices In this section, the server means the CA server handled by certication personnel. The production management and initialization stage of the devices handle the process to generate public-key/private-key pairs and issue them certicates. This stage is implemented by the server and manufacturers, and the following matters are considered: secure generation and storage of the public-key/private-key pair for a device; decentralization of the CA;

KIM et al.: SECURE SMART-METERING PROTOCOL

2373

TABLE I TERMS

reduction of the damage due to the certication key leakage. The secure generation and storage of the public-key/private-key pair for devices become a critical security element during device installation and the remote meter. These operations require absolute security for the private key. Therefore, the public-key/private-key pair should be generated by using a random number using heat or noise which can be identied only by the relevant device. Furthermore, the private key should be stored in a secure area or by a safe method so that it cannot be found or modied during device installation. That implies that the device key should be saved in physically secure memory. Other keys should be saved in this area or usual memory after being encrypted by using the device key. Authentication is required to use the public-key/private-key pair generated by devices during remote meter reading. The certication should be performed by the person in charge of certication, and the certicate should be hard to forge. Further, when the manufacturer embeds the certicate in the device, it is necessary to check whether this certicate is for the relevant public key. The decentralization of the CA is required to avoid a single point of failure that may occur when the certicate is issued by using the certication key operated by one person in charge of certication. If one person in charge of certication issues the certicate, the security of the entire PLC system will depend on this person. This risk can be avoided by issuing certicates using the certication key certied by multiple certication personnel. Even when though all certication personnel approve to generate the certication key, if this certication key is disclosed

or lost, and damaged, the PLC system will be exposed to risk. Therefore, if the certication key is damaged, the certicates issued by using the key have to be revoked. This implies that if the certicates are issued for all devices with the same certication key, the certicates of all devices in the network have to be revoked. The extent of damage in this case will be tremendous. Therefore, when issuing a certicate, care should be taken to limit the damage to a specic range even when the certicate key is damaged. 1) Generation of Master Key and Certication Key: Suppose , and one there are certication personnel, say certication key issues certicates. Then, in order to satisfy the security requirements, the master key and certication keys are generated as follows: The master key generated to authenticate certication keys -threshold signatures. The master key by generating is generated by the server and consists of the master public and the master private key . is dikey . Then, each vided into secret shares, possesses . can be reconstructed by more than certication personnel, but less than or equal . to personnel learn nothing about Certication keys are generated by the server for several times depending on and the number of produced devices. The th certication key consists of the th certiand the th certication private cation public key . A certication key pair is valid with its cerkey ticate , which is issued by . One certication key issues up to certicates. For example, if is 100 000 and the number of produced devices is 100 000 000, certication keys are generated 1 000 times. for convenience. Hereafter, we omit in 2) Embedding of Certicates: After the server has completed the generation of the master key and published it, every manufacturer embeds the certicate in the relevant devices, as shown in Fig. 2. The security of the production management and initialization stage depends on that of the digital signature scheme. If the digital signature is EU-CMA secure and threshold signature based on it has the same security level, it is impossible to forge a certicate even with the given certicate, and the master public key and the corresponding certication public key. Further, in this case, it is impossible to deduce the master private key and certication private key from the given certicate and certication public key. The master key is generated only once. In case the total and one certication key number of produced devices is issues certicates, the certication key has to be generated times, and the threshold signature by the master key will be required for authentication of each certication key. threshold signatures and digital Therefore, a total of signatures will be required in the production management and initialization stage of devices. B. Initial Certication and Shared Key Setup Each pair of servers and IRM, server and PLC modem, as well as IRM and PLC modem shares a shared key in order to generate a session key, which is used to encrypt meter readings

2374

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

Fig. 2. Certicate embedding protocol.

by the authenticated encryption scheme in certain sessions. The lifetime of a session key may depend on the policy of the system. The shared key setting is achieved by applying the shared key transport protocol by using the public-key encryption scheme. The shared key transport protocol is employed in the following four cases: 1) When a new device is introduced in the network: The protocol will be applied when a new IRM in the network is connected to the server and a new PLC modem in the network is connected to the IRM. 2) When the network topology changes according to a policy. 3) When the network topology was to be recongured due to unexpected failures in the network. 4) When the lifetime of the shared key has expired. In the shared key transport protocol between two devices, the shared key is determined by a child node and transmitted to a parent node. The protocol begins by the request of a child node. Each server is located in the root node; IRM, in the middle node; and PLC modem, in the terminal node. During the application of the shared key transport protocol, both entities of the protocol should be able to authenticate each other. Since only the server can authenticate devices for the efcient management of the CRL, when the IRM and PLC modem try to transmit the shared key, their validity should be veried by the server. Therefore, there are two cases for the shared key transport protocol: the server and IRM sharing a key and the server, IRM, and PLC modem sharing a key. In both cases, a child node generates a 128-b random number and the shared to share with a parent node . The lifetime of the key shared key is equal to that of the certicate. 1) Shared Key Transport Protocol Between Server and IRM: Fig. 3 shows the shared key transport protocol between the server and the IRM. In step 2 of the shared key transport protocol, the server veries whether the IRM is a legitimate component of the network. In step 3, the IRM authenticates the server by verifying the sigwith , which is given in the certicate emnature in bedding protocol. Therefore, the shared key transport protocol between the server and the IRM enables both entities to authenticate each other. In the protocol, the random number generated by the IRM in step 1 is identied in step 3, and the random number generated in step 2 is identied in step 4: therefore, the protocol provides mutual explicit key authentication and is secure against replay attacks. The shared key transport protocol between the server and the IRM is a three-pass protocol. The IRM performs two public-key

operations, in each of step 1 and 3. The server performs four public-key operations in step 2. 2) Shared Key Transport Protocol Among Server, IRM, and PLC Modem: Between the IRM and the PLC modem, up to two other PLC modems may be located in the communication path. In this case, all intermediate devices just relay communication between the two ends. The shared key transport protocol among the server, IRM, and PLC modem is described in Fig. 4. As a result of the protocol, two shared keys are established between the server and the PLC modem and between the IRM and the PLC modem. In step 5 of the protocol, the server veries whether the IRM and PLC modems are legitimate components of the network and sends the result to the IRM. The IRM checks the result in step 5, and PLC modems also conrm it in step 7. Thus, the shared key transport protocol enables all pairs to authenticate each other. In the protocol, mutual explicit key authentication is provided and genas follows. Each of the random numbers erated by the PLC modem in step 3 are identied by the PLC modem in step 7 via the server in step 5 and the IRM in step generated in step 5 is identied by 8. The random number the server in step 9 via the PLC modem in step 7. The random generated by the IRM in step 8 is identied by the number IRM in the step 8 via the PLC modem in step 7. and are conSince a timestamp is used when structed in step 5 of the protocol, it is proved within a limited time that the IRM and PLC modem are legitimate components of the network. The shared key transport protocol among the server, IRM, and PLC modem is an eight-pass protocol. The PLC modem performs four public-key operations in step 3 and ve in step 7. The IRM performs public-key operations ve times in step 6, and the server performs public-key operations six times in step 5. C. Meter-Reading Transmission 1) Generation and Management of Session Key: A session key is updated regularly once in a month. A session key between two components and is computed from a shared and session information obtained from the key counter . The counter does not contain secret information and consists of 20xx-year, xx-month, xx-day, xx-th meter as 20xxreading. In the rst day of each month, taking , and compute year, xx-month of the counter

KIM et al.: SECURE SMART-METERING PROTOCOL

2375

Fig. 3. Shared key transport protocol between server and IRM.

After transmitting or receiving a meter reading, and use to synchronize a session between them. It is the counter important to synchronize the session in and . The session information can also be synchronized by a ciphertext. Since the associated data of the authenticated encryption generated by the sender contains session information, the receiver can compare it with its own and obtain session information . 2) Meter-Reading Transmission Protocol: The meterreading transmission protocol exploits an authenticated encryption scheme to encrypt and authenticate meter readings and a public-key cryptosystem to create signatures. In the SSMP, the for authenticated encryption consists of associated data a device UID and counter information. In a remote meter-reading environment, each IRM manages PLC modems, say . For every meterreading cycle, the IRM makes a request for the transmission of a meter reading to the PLC modems under its management. Acting on this request, each PLC modem computes two ciphertexts and sends them to the IRM. The rst ciphertext is an authenticated encryption of a meter reading using a session key shared with the server. The second ciphertext is an authenticated encryption of some additional information about the PLC modem which should be sent to the IRM using a session key shared with the IRM. The IRM decrypts the second ciphertext in the message received from each PLC modem and authenticates it. If the authentication fails, the message is discarded. Otherwise, the IRM reads the additional information and stores the rst ciphertext in a buffer. While receiving a request for meter reading from the server, the IRM sends the reading in the buffer to the server. In

this way, the IRM can lter invalid data by authenticating ciphertexts. This hop-by-hop authentication prevents DoS attacks on the server. Fig. 5 shows the meter-reading transport protocol. Since the authenticated encryption scheme is IND-CCA secure if it consists of the IND-CPA secure block cipher and SUF-CMA secure MAC algorithm, all ciphertexts are secure. From the timestamps used in steps 1 and 4, it is found that the statements in these steps are valid within a certain time period. This prevents an attacker from launching the same attack. Since the meter-reading data are encrypted by a session key with the server, the protocol provides end-to-end security for meter readings. In step 2, in order to reduce communication cost, is put in the second term in the header of , instead of . In step 3, the IRM can recover by concatenating and the hash . value of The protocol provides the nonrepudiation of the meter readings since in step 2, the rst ciphertext contains a signature on a meter reading. One block cipher operation is required to generate a session key. In step 2, the PLC modem performs one authenticated encryption operation for authenticating the statement from , two for generating two ciphertexts, and one public-key operation for generating a signature. The IRM performs two authenticated encryption operations for the encryption or decryption of statements in steps 1 and 5 and for the decryption of in step 3. D. Management of CRL The CRL has to be managed in order to handle discarded devices. There are two methods to manage the CRL. In the rst

2376

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

Fig. 4. Shared key transport protocol among server, IRM, and PLC modem.

method, the server that maintains the CRL sends it to the IRM periodically. Then, the IRM saves the given CRL and checks the list to determine the validity of a device, which requests authentication. The second method is to send a query regarding the validity of a device to the server. In the former case, the servers communication cost is given by [the number of IRMs the number of discarded devices].

In the latter case, the cost is [the number of registered devices + the number of discarded devices]. Let the number of IRMs, discarded devices, and PLC modems under the supervision of one IRM be , , and , respectively. Then, from , it is found that the latter method is more efcient when . Therefore, the SSMP takes the latter method for the management of CRL.

KIM et al.: SECURE SMART-METERING PROTOCOL

2377

Fig. 5. Meter-reading transmission protocol.

In the shared key transport, IRMs and PLC modems store the opponents certicate or public key. These data are updated when relevant devices are discarded. If IRM is discarded, the server generates a timestamp and sends Revoke Revoke

to the IRM managing the PLC modem. Then, IRM . the information about the PLC modem IV. DISCUSSION

deletes

In this section, we discuss the storage size of each device and the extent of damage caused when secret information leaks out. A. Storage Size of IRMs and PLC Modems A PLC modem has to store its own certicate and device key, servers certicate, shared keys, counters, and session keys with the IRM that manages it and the server. It is also required to save the IRMs and servers UID. Table II lists the type and amount

to all PLC modems under . Then, the PLC modems delete the information about from their memory. If a PLC modem is discarded, the server generates a timestamp and sends Revoke

2378

IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

TABLE II TYPE AND AMOUNT OF INFORMATION: A PLC MODEM

TABLE III TYPE AND AMOUNT OF INFORMATION: IRM (N = 200)

exposed, and the attack will be effective until the session key is renewed. If the private key of the IRM is exposed to the attacker, he/she can implement the share key transport protocol to control the shared keys with all devices, which share the shared keys with the IRM, where the private key is exposed. Therefore, the damage will extend to all of the PLC modems managed by the IRM. However, since the meter reading is transmitted after by encryption with the session key between the server and each PLC modem, even when an attacker obtains the private key of the IRM, it does not affect the security of the encrypted meter readings in the meter-reading transmission protocol. If the shared key or session key of the IRM is exposed to risks, it can only damage the devices that share such shared keys or session keys. In this case, it does not affect the security of the encrypted meter readings in the meter-reading transmission protocol. Further, the attack is only effective before the shared key transport protocol is executed again in the case of the shared key and before the session key is renewed in the case of the session key. V. CONCLUSION

of the information and its summation which a PLC modem has to save. In the case of the IRM, rst of all, it has to store its own certiPLC cate and servers certicate. If the IRM controls up to modems, it has to store each PLC modems UID, public key, shared key, counter, and session key with the device. Further, it has to save the servers UID, counter, and session key with the server. Table III lists the type, contents, and sum of the infor200. The mation that has to be stored by the IRM when size of the public key is assumed when a 160-b elliptic curve public-key cryptosystem is used. B. Extent of Damage Caused by Leakage of Secret Information In case the private keys of the PLC modem are exposed to an attacker, he/she can implement the shared key transport protocol in all upper-level nodes of the PLC modem and completely eliminate it from the network. Further, the attacker can modify the meter readings of the PLC modem where the private key is exposed and transmit it to the server, which will affect the secrecy and integrity of the meter reading. Although the extent of damage is limited to the PLC modem, which has exposed the private key, it may continue to modify until its certicate expires. Therefore, complete security must be maintained for the private key. In case only the shared key of the PLC modem is exposed to an attacker, he/she can modify the meter-reading value and implement the meter-reading transmission protocol. However, the attacker cannot implement the shared key transport protocol. Therefore, the damage will be limited to the PLC modem with an exposed shared key, and the attack will be effective until the lifetime of the shared key expires. If the session key of the PLC modem is exposed to attackers, they can modify the meter reading by applying the meter-reading transmission protocol. However, they cannot implement the shared key transport protocol. In this case, the damage is limited to the PLC modem, where the share key is

PLC does not need a separate communication line and can be easily installed. It provides convenient accessibility since users just need to plug the power cord into an electrical outlet in their homes. Furthermore, since it can be connected to various networks through a backbone network, it is evaluated as one of the most appropriate technologies for meter-reading systems and automatic control systems. In this study, we analyzed the security requirements of remote meter-reading systems based on PLC and proposed a protocol to satisfy the security requirements. The proposed protocol applies to the key-management systems based on the public-key cryptosystem to guarantee extendibility and security of the remote meter-reading system based on PLC. Further, it is designed by taking into consideration all processes required for the remote meter-reading system from the production management of the devices in the network to the generation of keys and initialization of devices, a method to manage keys, a method to share keys, a method to transport the meter readings safely, and a method to transport meter readings and revoke the certication. REFERENCES
[1] M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition, paradigm, J. Cryptol., vol. 21, no. 4, pp. 469491, Sep. 2008. [2] M. Bellare, P. Rogaway, and D. Wagner, The EAX mode of operation, in Proc. Fast Software Encryption, Feb. 2004, vol. 3017, Lecture Notes Comput. Sci., pp. 389407. [3] Y. Desmest, Threshold cryptography, Eur. Trans. Telecommun., vol. 5, no. 4, pp. 449457, Jul. 1994. [4] S. Goldwasser, S. Micali, and R. Rivest, A digital signature scheme secure against adaptive chosen message attacks, SIAM J. Comput., vol. 17, no. 2, pp. 281308, Apr. 1988. [5] T. Kohno, J. Viega, and D. Whiting, CWC: A high-performance conventional authenticated encryption mode, in Proc. Fast Software Encryption, Feb. 2004, vol. 3017, Lecture Notes Comput. Sci., pp. 408426. [6] D. McGrew and J. Viega, The security and performance of the Galois/ Counter Mode (GCM) of operation, in Proc. Progr. Cryptol., Dec. 2004, vol. 3348, Lecture Notes Comput. Sci., pp. 377413.

KIM et al.: SECURE SMART-METERING PROTOCOL

2379

[7] P. Rogaway, Authenticated-encryption with associated-data, in Proc. 9th ACM Conf. Comput. Commun. Security, Nov. 2002, pp. 98107. [8] P. Rogaway, T. M. Bellare, J. Black, and T. Krovetz, OCB: A block-cipher mode of operation for efcient authenticated encryption, in Proc. 8th ACM Conf. Comput. Commun. Security, Nov. 2001, pp. 196205. [9] D. Whiting, R. Housley, and N. Ferguson, Counter with CBC-MAC (CCM). [Online]. Available: http://csrc.nist.gov/groups/ST/toolkit/ BCM/documents/proposedmodes/ccm/ccm.pdf [10] NIST, NIST framework and roadmap for smart grid interoperability standards, Release 1.0. Jan. 2010. [Online]. Available: http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_nal.pdf [11] NIST, Smart grid cyber security strategy and requirements. Aug. 2010. [Online]. Available: http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf [12] The OPEN Meter Consortium. [Online]. Available: http://www.openmeter.com [13] Open Smart Grid Users Group, AMI System Security Requirements v1.01 Dec. 2008. [Online]. Available: http://www.oe.energy.gov/DocumentsandMedia/14-AMI_System_Security_Requirements.pdf [14] SMB Smart Grid Strategic Group (SG3), IEC Smart Grid Standardization Roadmap Edition 1.0. Jun. 2010. [Online]. Available: http://www. iec.ch/zone/smartgrid/pdf/sg3_roadmap.pdf [15] The Open Meter Consortium, Report on the identication and specication of functional, technical, economical and general requirements of advanced multi-metering infrastructure, including security requirements D1.1 Jun. 2009. [Online]. Available: http://www.openmeter.com/les/deliverables/Open%20Meter_D1%201_Requirements_v1.0_20090701.pdf [16] SmartGrids: European Technology Platform. [Online]. Available: http://www.smartgrids.eu

Myungsun Kim received the B.S. degree in computer science and engineering from Sogang University, Seoul, Korea, in 1994 and the M.S. degree in computer science and engineering from the Information and Communications University, Daejeon, in 2002. Currently, is a graduate student in the ISaC and Department of Mathematical Sciences. He was with the Digital MediaResearch Center, Samsung Electronics, until 2008. His research interests include encryption and multiparty computation in cryptography.

Jung Hee Cheon received the B.S. and Ph.D. degrees in mathematics from the Korea Advanced Institute of Science and Technology in 1991 and 1997, respectively. Currently, he is a Professor in the Department of Mathematical Sciences, Seoul National University (SNU). In 1997, he joined the Electronics and Telecommunications Research Institute (ETRI) and then Information and Communications University (ICU), Daejeon, Korea. In 2000, he was a Visiting Scientist with Brown University, Providence, RI. His research interests include computational number theory, cryptography, and information security. He is an associate editor of Journal of KIISC and CSI journal. Prof. Cheon co-chaired ICISC 2008. He has served as Program Committee Members for many conferences, including Crypto, Eurocrypt, and Asiacrypt. He received the best paper award in Asiacrypt 2008.

Seong-ho Ju received the B.S. degree in electrical engineering from Yonsei University, Seoul, Korea, in 2001, and the M.S. degree in electrical and computer engineering from Seoul National University, Seoul, in 2004. In 2001, he joined Samsung SDS, where he worked on Network Business part for one year. Since he joined Korea Electric Power Cooperation in 2004, he has developed power-line communication, network security, and network-management systems as a Senior Researcher.

Sungwook Kim received the B.S. degree in mathematics from Seoul National University (SNU) in 2005. He is a graduate student in the Department of Mathematical Sciences, SNU. His research interests include computational number theory, cryptography, and information security.

Yong-hoon Lim received the B.S. and M.S. degrees in electronic engineering from Konkuk University, Seoul, Korea, in 1996 and 1998, respectively. He joined Korea Electric Power Cooperation in 1996. He has worked on optic network, wireless sensor network, and radio-frequency identication/ubiquitous sensor network) as a Project Leader. His recent research topic is power-line communication, IPv6 network, and distribution automation systems (DAS) in power systems.

Eun Young Kwon received the B.S. degree in mathematics from Duksung Womens University, Seoul, Korea, in 2004. Currently, she is a graduate student in the Department of Mathematical Sciences, Seoul National University, Seoul. Her current research focuses on mathematical cryptology and information security.

Moon-seok Choi received the B.S. degree in electrical wave engineering from Chungnam National University, Chungnam, Korea, in 2003 and the M.S. degree in electronic engineering from Korea Advanced Institute of Science and Technology, Daejeon, in 2005. Since 2005, he has been a Researcher with Korea Electric Power Corporation, Korea. His research interests include power-line communication, network-management systems, and automatic metering reading.