
Introduction

Traditional grid: In the Second Industrial Revolution, electric power involved large, centralized power plants that feed power over an electro-mechanical grid. In this producer-controlled model, power flows in one direction only. There is no two-way communication that allows interactivity between end users and the grid.

Smart Grid: In the Third Industrial Revolution, a new concept emerged in how
electricity is managed. Under this model, the grid becomes less of a one-way
highway and more of an integrated, interactive network. Many smaller power
plants are distributed throughout this network, including renewable energy
generation.
They are flexible in operations, responsive to consumers and capable of
integrating digital information technology to improve reliability, security,
and efficiency of the electric grid.
Like so many other digital networks, the Smart Grid consists of three basic
pieces:
1. Smart devices
2. Two-way communications
3. Advanced software


Smart grid utilities alone cannot provide all electricity services, and thus
third-party service providers (SPs) are required to help in servicing utilities
and users for cutting commercial cost and providing high-quality services.
Smart grids have the capability to allow users to interact with their
electricity usage information via the Internet, although Internet
communications are generally insecure.
Furthermore, unlike electric utilities, third party SPs can include legitimate
businesses with agreements with energy users to assist them in better
managing energy consumption, but can also include adversaries seeking to
abuse data.
Hence, securing third-party service provisions is critical in smart grids.
Authentication is required to be done in the first step.
He et al. provided an authentication scheme among the electric utility,
users and SPs. However, the authors do not differentiate carefully
between the utility and third-party SPs, thus their system model cannot
capture specific cyber security threats in the third-party service provision
in which multiple, probably malicious, third-party SPs exist.
We propose an efficient authentication scheme for multiple third-party service providers in smart grids, named EA-MTSP. The main contributions of the paper are as follows:
1. Model the third-party service provision in smart grids and distinguish carefully between the utility SP and the third-party ones.
2. A novel EA-MTSP scheme that achieves efficient authentication for multiple third-party SPs and satisfies multiserver authentication, conditional anonymity, and other important security requirements.
RELATED WORKS
Fouda et al. [2] presented a message authentication scheme for smart grid communications where RSA algorithms and Diffie-Hellman key exchange protocols were adopted. As we know, these cryptographic primitives are used in the certificate-based setting and thus it is necessary for certificates to be transmitted and verified. Hence, communication and computation are costly.
Nicanfar et al. [3] demonstrated a portable and lightweight mutual authentication scheme between utilities and SMs, which used the design idea from an identity-based authentication mechanism for mesh networks proposed by Boudguiga et al. [8].
Li et al. [5] proposed a new one-time signature algorithm and an efficient multicast authentication scheme in smart grids, which has short authentication delay and low computation cost.
He et al. [7] first identified cyber security challenges on the service provision of smart grids. Furthermore, they provided an authentication scheme among the utility, users and SPs. In particular, their scheme can protect users' identity privacy and provide accountability based on the modified Boneh et al.'s group signature algorithm [9]. They do not distinguish carefully between the utility SP and the third-party ones, thus their model cannot capture specific cyber security threats in the setting of multiple third-party SPs.
System Model
The system model focuses on how to provide multiple secure third-party
services for users under the control of the utility in the smart grid
communication (Figure 1).
The following assumptions are considered:
Single utility (UT).
$m$ users $U_i$ for $i = 1, \ldots, m$.
$n$ distributed third-party $SP_j$ for $j = 1, \ldots, n$.
For simplicity, we also assume that each SP provides only one service.
In $U_i$'s house, there are all kinds of smart appliances (SA) which form a home area network (HAN).
$SM_i$ is assigned to $HAN_i$ as its gateway, enabling automated, two-way communication between $HAN_i$ and other entities in smart grids.
$SM_i$ can electronically record real-time data about electricity use, and is usually resource-constrained, typically equipped with 16 KB random access memory, 120 KB flash memory, and a 120 MHz CPU.
Proposed System Model
The user and the third-party SP are both required to be registered to UT.
$U_i$ registers an account to UT for $SM_i$.
$SP_j$ registers its service to UT.
$U_i$ can check the available services on UT's portal and subscribe to the necessary ones. By signing up its SA with $SP_j$, $U_i$ grants $SP_j$ rights to communicate with or control its SA.
Consequently, $SP_j$ may have interfaces to $SM_i$ to read electricity usage data.
In addition, $SP_j$ may also have interfaces to UT to get pricing or other information.
In this way, it can make automated control of energy consumption more efficient.
Communication Setting
$HAN_i$ connects SAs to the gateway $SM_i$, through which SAs communicate with $SP_j$.

$HAN_i$ is usually located in an apartment with limited coverage, so its communication is considered relatively inexpensive, using ZigBee or WiFi.

The distances among $SM_i$, $SP_j$, and UT are large, thus communications should be through wired links with high bandwidth and low delay.

Many communication infrastructures are IP-based; communications among $SM_i$, $SP_j$ and UT go through the Internet.
Security Setting
We can assume that UT is trustworthy.

Unlike UT, third-party SPs can also include adversaries seeking to abuse or misuse data.

For the sake of convenience, $SM_i$ is usually installed outside of the house, and thus adversaries might easily compromise it and further obtain stored secret information.

$SM_i$, $SP_j$, and UT interact over the public Internet. Internet communication is generally insecure owing to unauthorized interception, manipulation or other threats.

Hence an efficient multiserver authentication scheme is critical for secure third-party service provisions in smart grids.
For authentication, there exist two probable considerations:
a. If the service goes through the smart grid, it has to involve UT. There is no pass-through capability that allows $U_i$ to enter into an agreement with third parties.
b. Third parties can offer services directly to $U_i$ via $SM_i$, not through UT.
Consideration a is preferred for the following reasons:
1. From the viewpoint of communication security, especially considering the easily compromised $SM_i$ and probably malicious third-party SPs, UT's management can mitigate the damage as much as possible, for example, by revocation of service permissions or update of secret keys stored in $SM_i$.
2. $U_i$ requires only one registration with UT, while in the latter, $U_i$ requires multiple registrations with different distributed SPs. This is not only burdensome and inconvenient, but also adds significant communication overhead.
3. Distributing the user's personal registration information across multiple SPs would be very likely to create more privacy risks.
In addition, the involvement of multiple third-party SPs would still raise other privacy challenges as follows:
1. The introduction of third-party SPs significantly expands the amount of data available in more granular form, which results in greater privacy concerns.
2. Third-party SPs can determine the user's personal behaviour pattern from the appliances used, and also perform real-time remote surveillance.
3. It is difficult to ensure that third-party SPs' access to electricity usage data is being used solely in accordance with the agreement.
4. The user's data should be protected from SPs' non-grid commercial uses.
A trusted authority (TA) is necessary to establish the initial trust relationship.
Security Requirement
For authentication of multiple third-party SPs in the smart grid, we consider the following security requirements that need to be satisfied:
1. Multiserver authentication: SAs in a user's HAN authenticate themselves to different SPs to access subscribed services securely.
2. Conditional anonymity: the user's identity is anonymous to third-party SPs to protect privacy. However, in case of dispute, UT can reveal the user's real identity.
3. Confidentiality, authenticity, integrity and freshness of transmitted messages: these are the same as in common authentication schemes.
Notations
Relationships of different keys
There are two groups of hierarchical levels of keys in our scheme:
1. Based on the master key $s$ of TA.
2. Based on the master key $s_1$ of UT.
Level-1 keys can be generated from the master keys by the extraction algorithm as in Boneh and Franklin [14].
Level-2 keys can be generated by the key agreement protocol as in Chen and Kudla [15].
Proposed System
The scheme consists of the following four
phases:
1. System initialization
2. Registration
3. Service subscription
4. Multiserver authentication.
System Initialization
TA acts as a key generator centre to set up all parameters. The following steps take place:
1. Given the security parameter , TA runs G() to generate a six-tuple $(q, P, G_1, G_2, G_T, )$.
2. TA chooses a random number $s \in Z_q^*$, keeps it secretly as the system master key, and computes $P_{TA} = sP$.
3. TA chooses one secure symmetric encryption algorithm E(), for example, AES, and two secure cryptographic hash functions $H_1: \{0, 1\}^* \to G_1$ and $H_2: G_2 \to Z_q^*$.
4. Finally, the public parameters are published as
$\{q, P, G_1, G_2, G_T, , H_1, H_2, P_{TA}, E()\} \qquad (1)$
TA computes the private keys for UT, $U_i$, and $SP_j$ as $SK_{UT} = sH_1(UT)$, $SK_{U_i} = sH_1(U_i)$, and $SK_{SP_j} = sH_1(SP_j)$, respectively.

Then, TA sends these private keys to UT, $U_i$, and $SP_j$ through secure channels, respectively.

UT also chooses $s_1 \in Z_q^*$ randomly as its own master key and publishes its own public parameter $P_{UT} = s_1 P$.

With the master key $s_1$, the entities in the UT domain can establish authenticated communications.
For two clients with identities A and B, with the private keys $SK_A$ and $SK_B$ respectively, the shared key $K_{A-B}$ is given by the non-interactive identity-based key agreement protocol [15] as

$K_{A-B} = H_2((SK_A, H_1(B))) = H_2((H_1(A), H_1(B))^s) = H_2((H_1(A), SK_B)) \qquad (2)$

Therefore, after TA grants UT, $U_i$ and $SP_j$ the private keys $SK_{UT}$, $SK_{U_i}$ and $SK_{SP_j}$ respectively, a session key $K_{UT-U_i}$ can be established between UT and $U_i$, and a session key $K_{UT-SP_j}$ can be established between UT and $SP_j$, by the non-interactive key agreement as in Equation (2).
Registration
This phase includes registrations for SM usage permission and SP service permission.
Registration of SM usage permission $Perm_{SM_i}$

Step 1: When $U_i$ registers $SM_i$ to UT, $U_i$ forms a message $M_i = U_i \| UT \| TS \| SM_i$, encrypts it with $K_{U_i-UT}$ as $C_i = E_{K_{U_i-UT}}(M_i)$, and sends $\{U_i, UT, TS, C_i\}$ to UT.

Step 2: Upon receipt of $\{U_i, UT, TS, C_i\}$, UT decrypts $C_i$ with the shared key $K_{UT-U_i}$ to recover $M_i$, checks freshness, authenticity and integrity of $M_i$, and checks validity of $U_i$ and $SM_i$. If they hold, UT computes the SM usage permission as $Perm_{SM_i} = s_1 H_1(SM_i)$.

Step 3: UT forms $M_i = U_i \| UT \| TS \| Perm_{SM_i}$, encrypts it as $C_i = E_{K_{UT-U_i}}(M_i)$, and sends $\{UT, U_i, TS, C_i\}$ to $U_i$.

Step 4: After receiving $\{UT, U_i, TS, C_i\}$, $U_i$ decrypts $C_i$ to recover $M_i$ and checks freshness, authenticity and integrity of $M_i$. If they hold, $U_i$ stores $Perm_{SM_i}$ in $SM_i$. Here, $Perm_{SM_i}$ can be used to establish a shared key $K_{UT-SM_i}$ between $SM_i$ and UT.

Registration of SP service permission $Perm_{SP_j}$
Similarly, $SP_j$ registers its service to UT and then gets the service permission as $Perm_{SP_j} = s_1 H_1(SP_j)$. After registration, UT refreshes the available service list on its portal for user subscription.
Service Subscription
Step 1: To subscribe to $SP_j$'s service for one SA, $SM_i$ chooses a pseudonym $PID_{ij}$ and a subscription period $d_{ij}$ for the SA, forms $M_i = SM_i \| UT \| TS \| SP_j \| PID_{ij} \| d_{ij}$, encrypts it as $C_i = E_{K_{SM_i-UT}}(M_i)$, and sends $\{SM_i, UT, TS, C_i\}$ to UT.

Step 2: After receiving $\{SM_i, UT, TS, C_i\}$, UT decrypts $C_i$ to recover $M_i$, checks freshness, authenticity and integrity of $M_i$, and checks validity of $M_i$, $SP_j$, $PID_{ij}$ and $d_{ij}$. If they hold, UT establishes a contract between $PID_{ij}$ and $SP_j$, in which $SM_i$ grants $SP_j$ rights to manage the corresponding SA, and computes $PID_{ij}$'s subscription key as $K_{PID_{ij}} = s_1 H_1(PID_{ij})$.

Step 3: UT forms $M_i = UT \| SM_i \| TS \| K_{PID_{ij}}$, encrypts it as $C_i = E_{K_{UT-SM_i}}(M_i)$, and sends $\{UT, SM_i, TS, C_i\}$ to $SM_i$.

Step 4: Upon receipt of $\{UT, SM_i, TS, C_i\}$, $SM_i$ decrypts $C_i$ to recover $M_i$ and checks freshness, authenticity and integrity of $M_i$. If they hold, $SM_i$ forwards $K_{PID_{ij}}$ to the corresponding SA.

At the same time, UT sends the corresponding subscription message to $SP_j$:

Step 3: UT forms $M_j = UT \| SP_j \| TS \| PID_{ij} \| d_{ij}$, encrypts it as $C_j = E_{K_{UT-SP_j}}(M_j)$, and sends $\{UT, SP_j, TS, C_j\}$ to $SP_j$.

Step 4: After receiving $\{UT, SP_j, TS, C_j\}$, $SP_j$ decrypts $C_j$ to recover $M_j$ and checks freshness, authenticity and integrity of $M_j$. If they hold, $SP_j$ stores $(PID_{ij}, d_{ij})$ in $SP_j$'s subscriber list to verify the service access later.
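The receiver-side checks that recur in the registration and subscription steps (freshness, authenticity, integrity) can be sketched as follows. This is an added example, not code from the scheme's authors: the 300-second window, the "|" field separator, the replay cache and the HMAC-based encrypt-then-MAC construction standing in for E() are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

WINDOW = 300  # accepted |now - TS| in seconds (assumed policy value)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the page's E() (e.g. AES)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(k: bytes, fields: list) -> bytes:
    """C = E_K(M) for M = f1||f2||...; encrypt-then-MAC so tampering is detected."""
    m = "|".join(fields).encode()  # assumes no field contains "|"
    nonce = os.urandom(16)
    body = _xor_stream(_mac(k, b"enc"), nonce, m)
    return nonce + body + _mac(_mac(k, b"mac"), nonce + body)


def unseal(k: bytes, c: bytes) -> list:
    nonce, body, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(k, b"mac"), nonce + body)):
        raise ValueError("bad tag")
    return _xor_stream(_mac(k, b"enc"), nonce, body).decode().split("|")


def ut_accept(k: bytes, msg: tuple, now: int, seen: set) -> str:
    """UT side of registration Step 2 for msg = (U_i, UT, TS, C_i)."""
    sender, receiver, ts, c = msg
    if abs(now - ts) > WINDOW:
        return "stale"                       # freshness
    try:
        inner = unseal(k, c)                 # authenticity + integrity of C_i
    except ValueError:
        return "tampered"
    if len(inner) != 4 or inner[:3] != [sender, receiver, str(ts)]:
        return "header mismatch"             # cleartext header must match M_i
    if c[-32:] in seen:
        return "replay"                      # same ciphertext inside the window
    seen.add(c[-32:])
    return "ok:" + inner[3]
```

The header comparison matters because U_i, UT and TS travel in the clear next to C_i: a receiver that checks only the outer TS would accept an old ciphertext under a fresh-looking header.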
Multiserver Authentication
A service contract is established between $SP_j$ and one SA with the pseudo-identity $PID_{ij}$. To access the subscribed service, $PID_{ij}$ and $SP_j$ can authenticate mutually by the contract key $K_{PID_{ij}-SP_j}$.

This key can be established by the non-interactive key agreement as in Equation (2), using $SP_j$'s $Perm_{SP_j}$ and $PID_{ij}$'s $K_{PID_{ij}}$, both of which are already granted by UT under the master secret key $s_1$.

If $SM_i$ subscribes to multiple services, say $SP_{j1}$ and $SP_{j2}$, the multiserver authentications follow the same procedure as above. As a result, with the contract keys, SAs and multiple SPs can communicate in an authenticated manner.
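The two key hierarchies and the non-interactive agreement of Equation (2) can be traced in a toy model. This is an added example, not the authors' implementation: it assumes a deliberately insecure stand-in for the bilinear pairing (group elements stored as scalars, order q = 2^127 - 1), an H2 that outputs a 256-bit key instead of an element of Z_q*, and constructed identity strings such as "PID_12".

```python
import hashlib
import secrets

# Toy bilinear group, NOT secure: a G1 element aP is stored as the scalar a,
# and e(aP, bP) is stored as a*b mod Q (G_T written additively).
Q = 2**127 - 1  # prime group order q (constructed toy parameter)


def H1(identity: str) -> int:
    """Hash an identity string to a non-zero G1 element (as a scalar)."""
    digest = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def extract(master: int, identity: str) -> int:
    """Level-1 key master*H1(ID): SK_UT, SK_Ui, Perm_SPj, K_PIDij."""
    return master * H1(identity) % Q


def pairing(a: int, b: int) -> int:
    return a * b % Q


def H2(gt: int) -> bytes:
    """Hash a pairing value to a 256-bit symmetric key."""
    return hashlib.sha256(b"H2|" + gt.to_bytes(16, "big")).digest()


def shared_key(own_key: int, peer_identity: str) -> bytes:
    """Equation (2): K_{A-B} = H2(e(SK_A, H1(B))), no messages exchanged."""
    return H2(pairing(own_key, H1(peer_identity)))


def run_demo(s: int, s1: int) -> dict:
    sk_ut, sk_u1 = extract(s, "UT"), extract(s, "U_1")             # issued by TA
    perm_sp1, perm_sp2 = extract(s1, "SP_1"), extract(s1, "SP_2")  # issued by UT
    k_pid = extract(s1, "PID_12")  # pseudonym of U_1's SA subscribed to SP_2
    contract = shared_key(k_pid, "SP_2")
    return {
        "K_UT-U1 agrees": shared_key(sk_ut, "U_1") == shared_key(sk_u1, "UT"),
        "contract key agrees": contract == shared_key(perm_sp2, "PID_12"),
        "SP_1 gets contract key": shared_key(perm_sp1, "PID_12") == contract,
        "TA-issued key gets contract key":
            shared_key(extract(s, "SP_2"), "PID_12") == contract,
    }


if __name__ == "__main__":
    masters = [secrets.randbelow(Q - 1) + 1 for _ in range(2)]
    for name, value in run_demo(*masters).items():
        print(f"{name}: {value}")
```

Both ends of each relationship derive the same key without exchanging a message, while a key issued to a different SP, or issued under TA's master key rather than UT's, yields a different value.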
Security Analysis
We analyse the security of the proposed scheme to verify
whether the following 3 requirements have been satisfied.

1. Multiserver Authentication
2. Conditional Anonymity
3. Confidentiality, Authenticity, Integrity and Freshness of
Transmitted Messages
Multiserver Authentication

In EPAA, we consider authentication of multiple SPs, that is, SAs in a user's HAN authenticate themselves to different SPs to access the subscribed services securely.

For simplicity, we assume that in one HAN, one SA accesses service from only one SP, which provides only one service.
Multiserver context two attacks
In the multiserver context, we consider two attacks:
1. Collusion: Two or more SPs collude to attack an SA with which these SPs have no contract, to get the SA's real identity or to eavesdrop on communication content between the SA and its corresponding SP, thereby violating privacy and confidentiality. Here "corresponding" refers to the contract established between the SA and the SP.

2. Competition: In our environment, there is a possibility of commercial competition among SPs. For example, $SP_1$ can impersonate its competitor $SP_2$ in order to interact with $SP_2$'s subscriber, say $SP_2$. From the interaction, $SP_1$ can discover the competitor's commercial secret. This commercial secret may help $SP_1$ improve its service quality, which is vital to win the competition.

Resist attacks
EPAA can resist both, as below:
1. Resistance against collusion attack:
We consider the identity privacy of SAs. For EPAA, SAs interact with their corresponding SPs only using pseudonyms $\{PID_{i1}, PID_{i2}, \ldots\}$. These pseudonyms are chosen randomly and are thus independent of each other and also independent of the user's real identity $U_i$. Hence, even if all SPs collude, they still cannot infer the targeted SA's real identity.
We consider the communication confidentiality of SAs. The communications between $PID_{ij}$ and $SP_j$ are encrypted with the contract key $K_{PID_{ij}-SP_j}$ established by $K_{PID_{ij}}$ and $Perm_{SP_j}$ as in Equation (2). However, even by collusion, other SPs cannot get $K_{PID_{ij}}$ of the targeted SA and $Perm_{SP_j}$ of the corresponding SP. Therefore, communication confidentiality can be achieved.
2. Resistance against competition attack:
If $SP_1$ wants to impersonate its competitor $SP_2$ to communicate with $SP_2$, it needs to know $SP_2$'s service permission $Perm_{SP_2}$. As we know, $Perm_{SP_1} = s_1 H_1(SP_1)$ and $Perm_{SP_2} = s_1 H_1(SP_2)$. Hence, it is infeasible to get $Perm_{SP_2}$ from $Perm_{SP_1}$ owing to the difficulty of the discrete logarithm problem.
Conditional Anonymity
In the service subscription phase, a service contract is established between $SP_j$ and $PID_{ij}$, which grants $SP_j$ rights to manage $PID_{ij}$.

$PID_{ij}$ is one pseudonym of the SA in the contract, which is only applicable to and limited to the contract transactions, and outside of $HAN_i$, no one, including $SP_j$, knows the real identity of the corresponding $U_i$. Thus, only UT knows the relationship between a pseudonym and $U_i$'s real identity.

In case of dispute, UT can identify the corresponding $U_i$'s real identity or link two transactions initiated by the same SA and thus revoke the anonymity of $U_i$.
Confidentiality, Authenticity, Integrity and
Freshness of Transmitted Messages
