
Secure and Privacy-Preserving Concentration of Metering Data in AMI Networks

Neetesh Saxena (1), Bong Jun Choi (2), and Santiago Grijalva (3)
(1) Department of Computing & Informatics, Bournemouth University, UK
(2) Department of Computer Science, The State University of New York, South Korea & Stony Brook University, USA
(3) School of Electrical & Computer Engineering, Georgia Institute of Technology, USA
Email: nsaxena@ieee.org, bjchoi@sunykorea.ac.kr, sgrijalva@ece.gatech.edu

Abstract: The industry has recognized the risk of cyber-attacks targeting the advanced metering infrastructure (AMI). A potential adversary can modify or inject malicious data, and can perform security attacks over an insecure network. Also, the network operators at intermediate devices can reveal private information, such as the identity of the individual home and metering data units, to the third-party. Existing schemes generate large overheads and also do not ensure the secure delivery of correct and accurate metering data to all AMI entities, including data concentrator at the utility and the billing center. In this paper, we propose a secure and privacy-preserving data aggregation scheme based on additive homomorphic encryption and proxy re-encryption operations in the Paillier cryptosystem. The scheme can aggregate metering data without revealing the actual individual information (identity and energy usage) to intermediate entities or to any third-party, hence, resolves identity and related data theft attacks. Moreover, we propose a scalable algorithm to detect malicious metering data injected by the adversary. The proposed scheme protects the system against man-in-the-middle, replay, and impersonation attacks, and also maintains message integrity and undeniability. Our performance analysis shows that the scheme generates manageable computation, communication, and storage overheads and has efficient execution time suitable for AMI networks.

I. INTRODUCTION

The Smart Grid (SG) is a next-generation power system with intelligent electricity generation, transmission, and distribution [1]. Advanced Metering Infrastructure (AMI) network has two-way communication with the Smart Meter (SM), Aggregator (AG) with Gateway (GW), Communication Server (CS), Data Concentrator Unit (DCU) at the utility, and Billing Center (BC). The smart meters in the AMI network periodically send metering data to the DCU through aggregators. As illustrated in Figure 1, the metering data from a group of smart meters collected by an aggregator is forwarded to the operator at the control center to take necessary actions by monitoring the DCU.

Delivering secure and privacy-preserving metering data over the network has become more challenging due to potential cyber-attacks and weak network security [2]. An adversary can inject or modify data over the network, and can also trace behavioral patterns of the household owner to whom the metering data belongs. The adversary can also modify individual meter readings or intermediate aggregated results computed by the aggregators.

The Open Smart Grid Protocol (OSGP), a family of specifications published by the European Telecommunications Standards Institute (ETSI), is used for smart grid applications along with ISO/IEC 14908 control networking standard. The OSGP aims to provide reliable and efficient delivery of command and control information for different smart grid devices, such as smart meters, direct load control modules, solar panels, and gateways. Over 4 million OSGP-based smart meters and devices have already been deployed worldwide [3]. However, certain weaknesses have been identified in the OSGP protocol, such as the use of a weak digest function that leaks key information and several key recovery attacks [4], [5].

A. Research Problem

In this paper, we address the problem of securely delivering metering data from the smart meters to the utility and the billing center through intermediate devices, such as aggregators and the communication server. The existing schemes generate large overheads and do not secure the communications between all entities in AMI. These schemes also do not address the detection of malicious smart metering data, if any, and its data removal. In addition, if the transmission of metering data over the network is not secure, the adversary can modify or inject malicious data, re-send previous meter reading, and impersonate entities. We also address the privacy problem of revealing the identity of the individual home and metering data units, which may occur at the intermediate devices during periodic data transmission. The network operators operating intermediate devices can reveal such private information and pass to the third-party for financial benefits. Therefore, we need a complete secure and privacy-preserved scheme that can work efficiently and accurately, even when a large number of smart meters is deployed in AMI.

Fig. 1: A scenario of home area network in the smart grid.

B. Our Contribution

In this paper, we present a secure and privacy-preserved scheme for transmitting the metering data from different SMs through AGs to the DCU at utility and the BC. Our scheme, based on the homomorphic encryption and proxy re-encryption, allows AGs to perform operations over the encrypted data for different smart grid applications. The details of our contribution are as follows. The proposed scheme:

1) Provides authentication between all AMI network entities, i.e., SM, AG, CS, BC, and DCU.
2) Provides privacy-preservation while aggregating metering data from different SMs and makes the aggregated data available to the DCU at utility. Different from existing schemes, our scheme also securely transmits individual metering data to the BC for billing purposes.
3) Protects the system against Man-in-the-Middle (MITM), replay, and impersonation attacks.
4) Generates low and manageable computation and communication overheads, maintains data integrity, and uses far less storage space than what currently deployed smart meters are equipped with, and has lower execution time than the existing schemes.

II. RELATED WORK

In this section, we present existing works on aggregating metering data in the AMI network. F. Li et al. [6], [7] presented distributed in-network aggregation approaches to efficiently aggregate smart metering data along a spanning tree. However, these approaches do not consider authentication and integrity protection. Efthymiou et al. [8] proposed a third party escrow mechanism for authenticating anonymous meter readings. However, aggregators in the scheme do not perform any operation over the transmitted data. Garcia et al. [9] proposed a privacy-preserving protocol to aggregate partial shares of each metering data, but the protocol is not scalable and does not discuss scheme's overhead and efficiency. Rial and Danesiz [10] proposed a privacy preserving protocol using zero knowledge proof that enables the payment without revealing electricity consumption information. F. Li et al. [11] introduced an end-to-end signature scheme that supports batch verification of the aggregated results. However, both schemes do not present the scenario of transmitting aggregated data to the billing center and the utility. H. Li et al. [12] proposed a demand response scheme to achieve privacy-preserving demand aggregation and efficient response. However, the scheme generates a large number of keys as well as a large overhead. C. Li et al. [13] proposed a dual-functional aggregation scheme in which each user reports one data and then multiple statistic values of all users are computed by the data and control center. However, the scheme does not discuss the scenario of transmitting data to the billing center.

III. DESIGN GOALS AND PRELIMINARIES

In this section, we present our design goals and preliminaries for the proposed scheme.

A. Design Goals

We consider that the DCU and the BC are trusted by all entities in the network, and it is infeasible for an adversary to compromise them. The aggregators are honest but curious. Specifically, we consider the following design goals to be achieved for security and privacy:

1) Intermediate devices must be authenticated before forwarding the metering data.
2) The metering data must not be revealed to the intermediate devices, such as the AG and the CS. Even if an adversary can access the messages at the AG or the CS, it cannot retrieve the actual meter readings.
3) Message integrity must be provided, and generated overheads must be low in order to support a large number of deployed smart meters in AMI.

B. Preliminaries

This section presents a preliminary discussion on bilinear pairing and homomorphic encryption schemes.

1) Bilinear Pairing: Let $G$ be an additive group and $G_T$ be a multiplicative group on a symmetric pairing function $e$. Both groups are of order $q$, where $q$ is a large prime. Let $P$ be an arbitrary generator of $G$. Assume that the discrete logarithm problem (DLP) is hard in both $G$ and $G_T$.

Definition: A bilinear pairing on $(G, G_T)$ is a map $e : G \times G \rightarrow G_T$ that satisfies the following properties:

(a) Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$; $\forall a, b \in Z_q^*$, and $\forall P, Q \in G$.
(b) Non-degeneracy: $e(P, P) \neq 1$.
(c) Computability: There exists an efficient algorithm to compute $e(P, Q)$ for $\forall P, Q \in G$.

Here, given $P, aP, bP, cP \in G$, and $a, b, c \in Z_q^*$, it is easy to verify whether $c = ab \bmod q$. However, it is difficult to compute $abP$.

2) Homomorphic Encryption Scheme: In order to perform addition and multiplication operations over the encrypted data, a homomorphic encryption is used to compute the aggregated sum or product of a group of data values. We use a homomorphic encryption scheme [14] to perform additive operations, which we restate for better clarity as follows:

(a) Key generation: Here, the public keys and global parameters are generated given a security parameter. Consider two primes as $p$ and $q$, and $N = pq$. Choose a generator of the group $g \in Z_{N^2}^*$ having an order (multiple of $N$). Let $\lambda(N) = lcm(p-1, q-1)$, where $lcm(p-1, q-1)$ represents least common multiple of $p-1$ and $q-1$. Then, public and secret keys of the receiver are generated as $PK = (N, g)$ and $SK = (\lambda(N))$, respectively.

(b) Encryption: The sender chooses a message $M \in Z_N$ and a random number $r \in Z_{N^2}^*$. Then, the ciphertext $C$ is computed as

$$C = E(M) = g^{M} r^{N} \bmod N^2,$$

where $r^N$ is used to generate different ciphertexts, even when the same message is encrypted more than once.

(c) Decryption: The receiver retrieves the original message from $C$ by computing

$$M = D(C) = \frac{L(C^{\lambda(N)} \bmod N^2)}{L(g^{\lambda(N)} \bmod N^2)} \bmod N,$$

where input from the set $\{u < N^2 \mid u = 1 \bmod N\}$ is given to the function $L$ to compute $L(u) = (u-1)/N$.

In additive homomorphism, two different ciphertexts $C_1 = E(M_1)$ and $C_2 = E(M_2)$ are computed from $M_1, M_2 \in Z_N$ by the sender and the sum of the plaintexts is retrieved by the receiver as $D(C_1 \cdot C_2 \bmod N^2) = (M_1 + M_2) \bmod N$.

IV. PROPOSED SCHEME

In this section, we propose a scheme that, unlike the existing schemes, provides a secure delivery of metering data to the BC and the DCU using homomorphic and proxy encryptions and also authenticates each entity involved. We also describe an algorithm to detect malicious data at the AG.

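The Paillier operations restated in Section III-B, together with the ciphertext-product aggregation the scheme relies on, as an added Python example that is not code from the paper. It assumes constructed demo primes (far too small for a deployed key), the common choice g = N + 1, and hypothetical function names; it also rejects malformed ciphertexts before aggregation and shows that the recovered sum is taken mod N.

```python
import math
import secrets

# Constructed demo primes (Mersenne primes 2^61-1 and 2^89-1).
# Assumption for this example only: far too small for a deployed key.
P = 2**61 - 1
Q = 2**89 - 1


def L(u, n):
    """L(u) = (u - 1) / N, defined only for u = 1 mod N."""
    if u % n != 1:
        raise ValueError("L() input is not congruent to 1 mod N")
    return (u - 1) // n


def keygen(p=P, q=Q):
    """Return PK = (N, g) and the secret (lambda(N), mu).

    The paper's SK is lambda(N); mu = L(g^lambda mod N^2)^-1 mod N is the
    decryption denominator, precomputed here once.
    """
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1  # assumption: common choice, an element of order N in Z*_{N^2}
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """C = g^M * r^N mod N^2 with a fresh random r coprime to N."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_N")
    n2 = n * n
    while True:
        r = secrets.randbelow(n2 - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """M = L(C^lambda mod N^2) * mu mod N."""
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def aggregate(pk, ciphertexts):
    """Multiply ciphertexts mod N^2; the plaintexts add up mod N."""
    n, _ = pk
    n2 = n * n
    acc = 1
    for c in ciphertexts:
        # A value outside Z*_{N^2} (for example 0) would corrupt the product.
        if not 0 < c < n2 or math.gcd(c, n) != 1:
            raise ValueError("ciphertext outside Z*_{N^2}")
        acc = acc * c % n2
    return acc


def demo():
    pk, sk = keygen()
    readings = [1250, 830, 0, 4102]  # constructed readings for four meters
    total = decrypt(pk, sk, aggregate(pk, [encrypt(pk, m) for m in readings]))
    # The sum is taken mod N: plaintexts adding up past N wrap around silently.
    edge = [encrypt(pk, pk[0] - 1), encrypt(pk, 5)]
    wrapped = decrypt(pk, sk, aggregate(pk, edge))
    return total, wrapped


if __name__ == "__main__":
    print(demo())
```

The wrap-around case is why N must be sized well above the largest possible aggregate of all meters in a cluster.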
A. System Architecture

We present a system architecture for secure concentration in the AMI network. Our system architecture, as shown in Figure 2, includes SMs, AGs, CS, DCU, and BC. The SMs are deployed in homes, the AGs are located in the wide area network between the homes and the DCU along with a CS. The AMI geographical area is divided into a number of clusters consisting of homes. Each SM sends its metering data to the nearest AG, which then transmits metering data to the CS. The CS processes and further sends the data to the BC and the DCU. The communication network between the SM-AG and the AG-CS-BC-DCU can be provided using Zigbee/Wi-Fi, and LTE/WiMAX, respectively.

Fig. 2: Proposed system architecture in the AMI network.

B. Proposed Scheme

We present our proposed scheme that provides mutual authentication between different entities in the AMI network, as shown in Figure 3. Different from existing schemes, the proposed scheme ensures the secure periodic delivery of individual metering data to the BC for billing purpose as well as an aggregated consumed metering data to the DCU for grid control purpose. We describe our scheme in two parts: scheme initialization and scheme execution.

1) Scheme Initialization: The initialization of the proposed scheme consists of keys generation at different entities in the AMI network. The corresponding secret and public keys ($SK$ and $PK$) are generated as follows:

(a) $SM_i$: $SK_{SM_i} = s_i \in Z_q^*$ and $PK_{SM_i} = g^{s_i}$, where $i = 1, 2, \ldots, n$ and $n$ is the total number of SM.
(b) AG: $SK_{AG} = a \in Z_q^*$ and $PK_{AG} = g^{a}$.
(c) BC: $SK_{BC} = b \in Z_q^*$ and $PK_{BC} = g^{b}$.
(d) DCU: $SK_{DCU} = d \in Z_q^*$ and $PK_{DCU} = g^{d}$.
(e) CS: $SK_{CS} = c \in Z_q^*$ and $PK_{CS} = g^{c}$.

The CS also generates two re-encryption keys as $RK_{CS \rightarrow BC} = g^{b/c} \in G$ and $RK_{CS \rightarrow DCU} = g^{d/c} \in G$ for the BC and DCU, respectively.

2) Scheme Execution: The scheme execution consists of computations and communications at different entities in the AMI network from SMs to DCU and BC.

(a) SM: Each $SM_i$ generates encrypted metering data using an additive homomorphic encryption scheme to allow addition over the encrypted data (while preserving data privacy). The scheme uses a public key of the BC and its private key for individual data retrieval at the BC (preserving data confidentiality). Consider $w = e(g, g)$ and $r_i \in N^*$ is a random number. Each $SM_i$ sends its encrypted metering data $m_i$ periodically, say every 15 minutes, using the AG's public key $(N, g)$ along with meter's identity $ID_i$ by computing

$$C1_i = g^{m_i} r_i^{N} \bmod N^2.$$

Thereafter, each $SM_i$ computes

$$M_i = m_i \oplus (PK_{BC})^{SK_{SM_i}} \,\|\, ID_i = m_i \oplus (g^{b})^{s_i} \,\|\, ID_i,$$
$$C2_a = w^{r_i} \cdot M_i,$$
$$C2_b = (PK_{AG})^{r_i} = (g^{a})^{r_i} = g^{a \cdot r_i}, \text{ and}$$
$$C2_i = (C2_a, C2_b) = (w^{r_i} \cdot M_i,\; g^{a \cdot r_i}).$$

Each $SM_i$ generates its efficient and short signature

$$\sigma_{SM_i} = H(C1_i \| C2_i)^{SK_{SM_i}} = H(C1_i \| C2_i)^{s_i}.$$

Then, each $SM_i$ sends $(C1_i, C2_i, T1_i, \sigma_{SM_i})$ to the AG, where $T1_i$ is the timestamp when the $SM_i$ sends metering data.

Fig. 3: Proposed scheme for the AMI network.
(1) SM → AG: $C1_i, C2_i, T1_i, \sigma_{SM_i}$
(2) AG → CS: $C3_i, T2, \sigma_{AG}$
(3) CS → BC: $C3_b, C4_a, T3, \sigma_{CS-BC}$
(4) CS → DCU: $C3_c, C4_b, T4, \sigma_{CS-DCU}$
where $C1_i = g^{m_i} r_i^{N} \bmod N^2$, $C2_a = w^{r_i} \cdot M_i$, $M_i = m_i \oplus (g^{b})^{s_i} \| ID_i$, $C2_b = (g^{a})^{r_i}$, $C2_i = (C2_a, C2_b) = (w^{r_i} \cdot M_i, g^{a \cdot r_i})$, $\sigma_{SM_i} = H(C1_i \| C2_i)^{s_i}$, $C3_i = (C3_a, C3_b, C3_c)$, $C3_a = g^{c \cdot t}$, $C3_b = w^{t} \cdot M$, $C3_c = w^{t} \cdot M_{AG}$, $M = M_1 \| M_2 \| M_3 \| \ldots \| M_i$, $C4_a = e(C3_a, g^{b/c})$, $C4_b = e(C3_a, g^{d/c})$, $\sigma_{CS-BC} = H(C3_b \| C4_a)^{c}$, $\sigma_{CS-DCU} = H(C3_c \| C4_b)^{c}$, $PK = (N, g)$, $SK = (\lambda(N))$, $w = e(g, g)$, $r_i \in N^*$, $m_i$: metering data.

(b) AG: Upon receiving the message, the AG first computes $H'(C1_i \| C2_i)$ and verifies the signatures in a batch as

$$e(g, \sigma_{SM_i}) \stackrel{?}{=} \prod_{i=1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i)) \stackrel{?}{=} \prod_{i=1}^{n} e(g^{s_i}, H'(C1_i \| C2_i)) \stackrel{?}{=} \prod_{i=1}^{n} e(g, H'(C1_i \| C2_i)^{s_i}).$$

Computing only one hash per SM and verifying the signatures in a batch improve the overall efficiency of the system. This process ensures the authenticity of each SM as well as message integrity. Similarly, the verification of the signatures at the CS, BC, and DCU can be derived as will be discussed in the following subsections. If the verification is successful, the AG collects all the data received during a specific time interval as

$$C_{AG} = \prod_{i=1}^{n} (C1_i) = g^{m_1 + m_2 + \ldots + m_n} (r_1 r_2 \ldots r_n)^{N} \bmod N^2,$$

and applies homomorphic decryption using $\lambda(N)$ key as

$$M_{AG} = D(C_{AG}) = \frac{L(C_{AG}^{\lambda(N)} \bmod N^2)}{L(g^{\lambda(N)} \bmod N^2)} \bmod N = \frac{L(g^{(m_1 + m_2 + \ldots + m_n)\lambda(N)} \bmod N^2)}{L(g^{\lambda(N)} \bmod N^2)} \bmod N = m_1 + m_2 + \ldots + m_n.$$

Thereafter, the AG decrypts message $M_i$ using $C2_i$ as

$$C2_a / e(C2_b, g^{1/SK_{AG}}) = w^{r_i} \cdot M_i / e(g^{a \cdot r_i}, g^{1/a}) = w^{r_i} \cdot M_i / e(g, g)^{r_i} = w^{r_i} \cdot M_i / w^{r_i} = M_i.$$

Hence, only the legitimate AG can decrypt $M_i$ using one exponential operation and one pairing operation per SM. Also, the AG chooses $t \in Z^*$, and computes

$$C3_a = (g^{c})^{t} = g^{c \cdot t},$$
$$C3_b = w^{t} \cdot M, \text{ and}$$
$$C3_c = w^{t} \cdot M_{AG},$$

where $M = M_1 \| M_2 \| M_3 \| \ldots \| M_i$. Then, the AG computes $\sigma_{AG} = H(C3_i)^{a}$ and sends $(C3_i, T2, \sigma_{AG})$ to the CS, where $C3_i = (C3_a, C3_b, C3_c)$ and $T2$ is a timestamp.

(c) CS: Upon receiving the message, the CS computes $H'(C3_i)$ and verifies the signature of AG as

$$e(g, \sigma_{AG}) \stackrel{?}{=} e(PK_{AG}, H'(C3_i)).$$

If the verification is successful, the CS computes re-encryption of data for the BC and the DCU. Re-encryption performs one exponential and one pairing operation, which keeps the computation overhead of the system low. Also, only the BC and the DCU will be able to retrieve actual data from the messages they receive.

- Re-encryption for the BC with $(C3_a, C3_b)$:

$$C4_a = e(C3_a, g^{b/c}) = e(g^{c \cdot t}, g^{b/c}) = e(g, g)^{b \cdot t} = w^{b \cdot t}.$$

The CS computes $\sigma_{CS-BC} = H(C3_b \| C4_a)^{c}$ and sends $(C3_b, C4_a, T3, \sigma_{CS-BC})$ to the BC.

- Re-encryption for the DCU with $(C3_a, C3_c)$:

$$C4_b = e(C3_a, g^{d/c}) = e(g^{c \cdot t}, g^{d/c}) = e(g, g)^{d \cdot t} = w^{d \cdot t}.$$

The CS computes $\sigma_{CS-DCU} = H(C3_c \| C4_b)^{c}$ and sends $(C3_c, C4_b, T4, \sigma_{CS-DCU})$ to the DCU. $T3$ and $T4$ are timestamps when the data is sent to the BC and the DCU, respectively.

(d) BC: Upon receiving the message $(C3_b, C4_a, \sigma_{CS-BC})$, the BC computes $H'(C3_b \| C4_a)$ and verifies the signature of the CS as

$$e(g, \sigma_{CS-BC}) \stackrel{?}{=} e(PK_{CS}, H'(C3_b \| C4_a)).$$

If the verification is successful, the BC retrieves $M$ by computing only one exponential operation as

$$C3_b / (C4_a)^{1/b} = w^{t} \cdot M / (w^{b \cdot t})^{1/b} = M.$$

The BC retrieves the public key of $ID_i$, computes $(PK_{SM_i})^{SK_{BC}} = (g^{s_i})^{b}$ and retrieves message $m_i$ as $m_i = M_i \oplus g^{s_i \cdot b}$. Then, the BC uses $m_i$ and $ID_i$ to generate electricity bills. Hence, intermediate devices, such as AG and CS, cannot extract the actual metering data.

(e) DCU: Upon receiving message $(C3_c, C4_b, \sigma_{CS-DCU})$, the DCU computes $H'(C3_c \| C4_b)$ and verifies the signature of the CS as

$$e(g, \sigma_{CS-DCU}) \stackrel{?}{=} e(PK_{CS}, H'(C3_c \| C4_b)).$$

If the verification is successful, the DCU computes $M_{AG}$ by only one exponential operation as

$$C3_c / (C4_b)^{1/d} = w^{t} \cdot M_{AG} / (w^{d \cdot t})^{1/d} = M_{AG}.$$

The DCU uses this aggregated demand ($M_{AG}$) in making decisions to balance the overall power supply-demand of the power.

C. Malicious Smart Metering Data Detection

In a real AMI network scenario, there can be adversaries that try to steal or alter the transmitted data, or inject malicious data to the transmitted packets over the network. Hence, it is an important and required task to detect malicious smart metering data from the aggregated data at the AG before forwarding the data further to other entities. In order to detect malicious smart metering data sent to the AG, we propose an algorithm based on binary search approach as follows:

Algorithm 1: Malicious Smart Metering Data Detection
Input: The AG receives a set of $n$-smart metering data as $SMD = \{MD_1, MD_2, MD_3, \ldots, MD_n\}$.
Output: Returns a set of malicious metering data $MD_i$, otherwise return True.
  while ($e(g, \sigma_{SM_i}) \neq \prod_{i=1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i))$) do
    $e(g, \sigma_{SM_i}) \stackrel{?}{=} \prod_{i=1}^{\lceil n/2 \rceil} e(PK_{SM_i}, H'(C1_i \| C2_i))$
    $e(g, \sigma_{SM_i}) \stackrel{?}{=} \prod_{i=\lceil n/2 \rceil + 1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i))$
    if ($n == 1$ && $e(g, \sigma_{SM_i}) \neq \prod_{i=1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i))$) then
      return $SMD = \{MD_i\}$ and malicious $SM = \{SM_i\}$.
  if ($e(g, \sigma_{SM_i}) == \prod_{i=1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i))$) then
    return True.

The proposed algorithm detects malicious data from the aggregated data by verifying ($n == 1$ && $e(g, \sigma_{SM_i}) \neq \prod_{i=1}^{n} e(PK_{SM_i}, H'(C1_i \| C2_i))$). If the condition holds, the algorithm computes $SMD = \{MD_i\}$ and malicious $SM = \{SM_i\}$. At the end, this algorithm returns a set of malicious metering data $MD_i$ if any, in $\log n$ time. The AG removes the malicious data from the aggregated data, and then forwards the legitimate and correct data to the other entities.

V. SECURITY AND PERFORMANCE ANALYSIS

In this section, we present security and performance analysis of the proposed scheme.

A. Security Analysis

This section presents the security properties achieved by the proposed scheme.

Property 1. The proposed scheme provides mutual authentication between the SMs, AG, CS, DCU and BC.

As presented in Section IV-A, each $SM_i$, AG, and CS generate and forward their signatures along with the messages to the AG, and CS, and (BC and DCU), respectively. Upon receiving the messages, the signature of the sender is always first verified. The receiving entity proceeds further only if the verification is successful. Hence, all senders are authenticated in the flow of information.

Property 2. The proposed scheme provides confidentiality of the concentrated data from the users to the DCU.

The AG collects encrypted metering data received from different smart meters and derives aggregated sum of data $M_{AG} = m_1 + m_2 + \ldots + m_n$ by performing a decryption. However, adversary $A$ cannot obtain the sum because it does not know the private key $\lambda(N)$. The AG and the CS compute $C3_c = w^{t} \cdot M_{AG}$ and $C4_b = w^{d \cdot t}$, respectively, which are sent to the DCU. Upon receiving the message, the DCU extracts $M_{AG}$ by computing $C3_c / (C4_b)^{1/d}$. Adversary $A$ cannot extract $M_{AG}$, as it does not have $d$ key of the DCU.

Property 3. The proposed scheme provides undeniability of data sent from the sender to the receiver.

The signatures at the $SM_i$, AG, and CS are generated using their private keys, i.e., $s_i$, $a$, and $c$, which are only known to themselves. Hence, no other entity including the adversary can generate the actual signatures. Therefore, the $SM_i$, AG, and CS cannot deny access after the data has been sent to the AG, CS, and (BC, and DCU), respectively, as the signatures serve as the undeniable evidence for the sent data.

Property 4. The proposed scheme defeats MITM, replay and impersonation attacks over the network.

Each $SM_i$ sends encrypted metering data to the AG as $C1_i = (g^{m_i} r_i^{N} \bmod N^2)$ and $C2_i = (w^{r_i} \cdot M, g^{a \cdot r_i})$, where $M = m_i \oplus (PK_{BC})^{SK_{SM_i}} \| ID_i = m_i \oplus (g^{b})^{s_i} \| ID_i$. Clearly, the adversary $A$ performing MITM or the legitimate AG cannot retrieve the original individual message, as they do not know the private key of the BC. The adversary $A$ cannot alter the transmitted data over the network, as the hash of each received message is verified (a part of signature verification). Hence, the protocol provides prevention against MITM attack.

Each message in the protocol is transmitted with a timestamp value. If $A$ resends a previously sent message in the current session, the receiving entity discards the message, as it finds the condition does not hold by verifying $T_{receive} \leq T_{send} + T_{threshold}$, where $T_{receive}$, $T_{send}$, and $T_{threshold}$ are the receiving, sending, and threshold timestamp values, respectively.

If $A$ tries to impersonate a sender's entity, it will not be successful as the signature of each sender entity is required