IEEE Research Paper on Secure Smart Metering Protocol Over PLC

2370 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

A Secure Smart-Metering ProtocolOver Power-Line Communication

Sungwook Kim, Eun Young Kwon, Myungsun Kim, Jung Hee Cheon, Seong-ho Ju, Yong-hoon Lim, andMoon-seok Choi

AbstractA smart-metering system is a system that meters elec-tricity, gas, and water consumption and manages their supply bycontrolling measuring devices remotely. Power-line communica-tion (PLC) does not require a separate communication line and canbe easily installed by utilizing power-line infrastructure. PLC alsoallows users to easily connect measuring devices to the PLC net-work by plugging the power cord into an electrical outlet. There-fore, a smart-metering system over PLC has been considered as oneof the most appropriate technologies for meter reading and auto-matic control, which are essential in realization of a smart grid. Wepropose a secure smart-metering protocol including: 1) key mate-rials generation and provisioning to devices without exposure; 2)initialization to authenticate devices in the network and share keysbetween devices before exchanging data, (3) secure transmission ofmeter-reading data, and 4) revocation management to handle dis-carded devices from the network. Especially, our protocol providesstrong authentication of devices and data: It prevents a single pointof failure by adopting secret sharing through multiple certificateauthorities. It also reduces the risk of denial-of-service attacks onthe server by hop-by-hop authentication for data transmitted fromterminal nodes to the server.

Index TermsPower-line communication (PLC), security, smartmetering.

I. INTRODUCTION

P OWER-LINE communication (PLC) is technology car-rying data as well as transmitting electric power onpower lines. Since power lines have been established widely,PLC does not require a separate communication line and canbe easily installed. And it also can be connected to variousnetworks through a backbone network. Moreover, devices canaccess a system easily by plugging the power cord into anelectrical outlet. Therefore, PLC has been considered as oneof the most appropriate technologies for remote meter-readingsystems and automatic control systems to realize advancedmetering infrastructure (AMI) systems, which is an essentialpart of a smart grid.

Manuscript received September 24, 2010; revised March 08, 2011; acceptedMay 15, 2011. Date of publication July 11, 2011; date of current version Oc-tober 07, 2011. This work was supported by the Power Generation & Elec-tricity Delivery of the Korea Institute of Energy Technology Evaluation andPlanning (KETEP) Grant funded by the Korea government Ministry of Knowl-edge Economy (No. R-2005-1-397-004). Paper no. TPWRD-00732-2010.

S. Kim, E. Y. Kwon, M. Kim, and J. H. Cheon are with ISaC and Depart-ment of Mathematical Sciences, Seoul National University, Seoul 151-747,Korea (e-mail: [email protected]; [email protected]; [email protected];[email protected]).

S. Ju, Y. Lim, and M. Choi are with the Korea Electric Power Re-search Institute, Daejeon 305-380, Korea (e-mail: [email protected];[email protected]; [email protected]).

Digital Object Identifier 10.1109/TPWRD.2011.2158671

Smart metering refers to the procedure of installing intelligentmeter-reading systems, reading meters remotely, and sendingthe readings to users. The readings can include details on gas,water, and electricity consumption. The individual technologiesnecessary for smart metering are in a state of having been se-cured mostly and one of the current major issues in this area is toprevent tampering of meters and readings during meter readingor data transmission.

In recent years, many countries over the world are adoptingsmart-metering systems for remote meter reading. Research isunderway to improve the accuracy of meter readings, to de-sign network for transmitting the meter readings, and to developmethods for protecting the meter readings. The United States ofAmerica (USA) set the security requirements for the advancedmetering infrastructure (AMI) in December 2008 [13]. The Na-tional Institute of Standards and Technology (NIST) presentedthe framework for smart-grid interoperability including stan-dards for the cybersecurity of smart grids [10] in January 2010,and the strategy and requirements for smart grid cybersecurity[11] in August 2010. Besides research on security requirements,an implementation based on the security solution provided byCerticom is in progress, however, a detailed description of thesystem is not released.

The European Union (EU) is promoting the standardizationof smart grid security as a part of smart-grid standardizationthroughout the project SmartGrids: European Technology Plat-form, which comprised 19 detailed studies carried out at fiveresearch sections [16]. OPEN meter project [12] is also un-derway in EU and it laid down the specification of the securityrequirements in July 2009 [15]. The Smart Grid Strategic Group(SG3) of the International Electrotechnical Commission (IEC)presented the road map for its smart-grid standardization in June2010 [14]. It includes the presentation of an inventory of existingstandards, analysis of the gaps between actual standards and fu-ture requirements, and recommendations for evolution.

As mentioned before, most current research on secure smartmetering focuses on drawing security requirements. Researchon the development of a protocol that satisfies security require-ments is in the early stage. Only a few concrete protocols aresuggested so far, and furthermore, little information about theirdescriptions is released. To the best of our knowledge, this is thefirst protocol for secure smart metering in public.

In this paper, we define and design a secure smart-meteringprotocol (SSMP). We describe all of the data structures and pro-cedures for a SSMP including: 1) key materials generation andprovisioning to devices without exposure; 2) initialization to au-thenticate devices in the network and share keys between de-vices before sending and receiving data; 3) secure transmission

0885-8977/$26.00 2011 IEEE

KIM et al.: SECURE SMART-METERING PROTOCOL 2371

of meter-reading data; and 4) revocation management to handlediscarded devices from the network. The proposed protocol ex-ploits a number of cryptographic primitives. Public key cryp-tosystems, such as public-key encryption schemes and digitalsignatures, are used to generate and authenticate keys; to au-thenticate devices in the PLC network and to share keys betweendevices. Since the reading data need to be encrypted frequently,an authenticated encryption scheme is used for efficiency andsecurity of a system, guaranteeing the confidentiality, integrity,and authenticity of data. And the digital signature is used op-tionally to provide nonrepudiation for the meter readings. In theprotocol, discarded devices are handled by the management ofthe certificate revocation list (CRL).

The proposed protocol provides strong authentication of de-vices and data in two ways. First, security in certifying a publickey is strengthened in order to prevent a single point of failure.In a protocol based on a public-key cryptosystem, it is core toguarantee security of a key for certifying public keys (i.e., ex-posure of a certification key causes security failure of the en-tire system). Hence, the protocol is designed to decentralizethe certificate authority by splitting a certification key and dis-tributing key shares to multiple certification authorities. Withthis method, no information about a certification key is revealedeven if there is collusion between a certain number of authori-ties. In addition, multiple certification keys are used to limit thedamage to a specific range even when a certification key is com-promised.

Second, the proposed protocol performs hop-by-hop authen-tication in order to reduce the risk of denial-of-service (DoS) at-tacks on the server. In the PLC network, malicious users are ableto crash the server by saturating it with overwhelming amountsof data. In the protocol, devices on the middle node authenticateall of the data transmitted from terminal nodes to the server sothat invalid data can be filtered.

II. ARCHITECTURE AND FEATURES OF SSMPIn this section, we introduce the components and network

topology of the SSMP. We also consider security requirementsfor remote meter-reading systems and cryptographic primitives,which are used as building blocks in the proposed protocol.

A. Components of SSMP

Server: the server can be divided into certificate authority(CA), registration authority (RA), and metering authority(MA) servers. The SSMP logically handles these threefunctional servers as one server.

Manufacturer: this means companies manufacturing IRMand PLC modems, which compose the PLC remote meter-reading network.

IRM: this is an intermediate node connecting the serversand the PLC modem in a network. It has up to PLCmodems. It transmits each measured value sent by the PLCmodems to the relevant server and performs primary mes-sage authentication.

PLC modem: it receives the electricity meter readings ofeach household and transmits them to the IRM. Since theelectricity meter reading is directly connected to the PLC

Fig. 1. Network topology of SSMP.

modem, the PLC modem and electricity meter are consid-ered to be the same in the SSMP. Both have the same keys.

Fig. 1 shows the topology of the SSMP.

B. Types of Attacks and Goals of AttackersThe weakest attackers are eavesdroppers that eavesdrop com-

munications between nodes. These attackers can collect only en-crypted meter readings. Examples of attacks are given below inincreasing order of strength.

ciphertext only attack (COA): in a COA, the attacker triesto deduce the decryption key or plaintext from the cipher-text by eavesdropping;

known plaintext attack (KPA): in a KPA, the attacker canobtain pairs of plaintext and the corresponding ciphertext.The attacker, which can include a householder, can obtainthese pairs by reading the meter and then eavesdroppingthe encrypted value sent by the meter;

chosen plaintext attack (CPA): in a CPA, the attack canchoose plaintext and the corresponding ciphertext; a house-holder may control the amount of electricity consumed andeavesdrop he encrypted value sent by the meter;

chosen ciphertext attack (CCA): in the SSMP, since a mes-sage authentication code is generated for each encryptedmeter reading, the attacker cannot forge a valid ciphertextfor an arbitrary value; however, he/she can launch this at-tack for public-key cryptosystems in the SSMP.

The goals of attackers can be broadly classified into four cat-egories: 1) to overload the server or IRM, for example, DoS at-tack; 2) to forge the encrypted meter reading in an authenticatedmanner; 3) to estimate the meter reading that is encrypted andtransmitted; and 4) to determine the private key or secret key ofa network component.

C. Security RequirementsThe security of the SSMP is based on the security of its four

cryptographic protocols, which use various keys.The first protocol of the SSMP handles the production

management and initialization of devices. It defines the methodto securely generate keys for each network device and issuepublic-key certificates, and transmit these to the respectivedevice.

The second protocol handles the mutual authentication andkey sharing between network devices, on the basis of the em-bedded keys. This protocol uses the keys generated by the first

2372 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

protocol to verify the authenticity of device pair and defines themethod to share the key, called the shared key, securely.

The third protocol handles encryption/decryption to securelydeliver the meter reading, which is the core of the SSMP. Italso defines the method to derive the keys for this purpose; themethod to deduce the key for encryption/decryption of meterreading from the shared key between each pair of devices, gen-erated by the second protocol; and the method to transmit theencrypted meter reading; and the method to provide nonrepudi-ation for the encrypted meter reading generated by the respec-tive device.

The fourth protocol defines the method to manage devicewhose certificate has been revoked, that is, the management ofthe certificate revocation list (CRL).

The security features of the SSMP are as follows. In order to minimize the probability of the leakage of the

secret key, the device key and public key/private key willbe generated in each device and key escrow will not beallowed.

In order to avoid a single point of failure, which can occurwhen certificates are issued using a certification key by oneperson in charge of certification, the authority for certifica-tion is decentralized.

In order to reduce the risk of attacks when the certificationkey used to issue certificates for each device is damaged,several certification keys are generated, and one certifica-tion key is used to certify only a limited number of devices.

In order to guarantee the integrity of program installed inmeters, PLC modems, and IRM, all program codes in theSSMP have to be authenticated by the certification server.

The SSMP nodes have to perform explicit key authentica-tion and mutual entity authentication before transmittingand receiving data from other devices.

The SSMP node has to check whether the certificate ofthe target device has been revoked before it transmits orreceives data from the target device.

Since the IRM, which connects each meter and the MAserver in the PLC network, is most susceptible to securitythreats, it provides end-to-end security.

Data integrity is guaranteed for all meter readings trans-mitted between the SSMP devices.

It provides nonrepudiation for the meter readings trans-mitted from the meters to the server.

It can prevent DoS attacks on the server. The SSMP is to be designed, taking into consideration the

expandability feature in order to easily include more ser-vices in the future.

D. Cryptographic PrimitivesIn this section, we briefly introduce cryptographic primitives

used in the SSMP with the required security notions. For thedefinition of each security notion, refer to [1].

A block cipher algorithm is used in the transmission protocolof meter readings and the process of deducing a session key fromthe shared key. The block cipher algorithm in the SSMP shouldbe at least IND-CPA secure with a 128-b key.

The SSMP uses an authenticated encryption scheme for en-crypting the meter readings. This scheme guarantees the confi-

dentiality, integrity, and authenticity of data. Authenticated en-cryption involves obtaining the ciphertext of a message by usinga block cipher algorithm and an MAC for the plaintext or cipher-text. There are three methods to combine encryption and MAC,namely, Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. The authenticated encryption with associated data(AEAD) proposed by Rogaway in [7] is an authenticated en-cryption that guarantees the confidentiality and integrity of dataand the integrity of associated data by adding plain associateddata to the ciphertext. The representative methods for AEADare CCM [9], CWC [5], OCB [8], EAX [2], and GCM [6]. TheSSMP considers the use of AEAD. The block cipher and MACalgorithms in an authenticated encryption should be IND-CPAand SUF-CMA secure, respectively. In the case of Encrypt-then-MAC, the block cipher algorithm should be IND-CCA se-cure [1].

The inputs for the authenticated encryption scheme of theSSMP are the secret key for the block cipher, the initial value

, message , and the associated data . The output is apair of ciphertext and the tag necessary for checking thedata integrity, i.e.,

Here, is a distinct nonce chosen at each run. When transmit-ting data, and are included in the header. Hereafter,we denote authenticated encryption by

In the SSMP, the public-key encryption scheme is used for theencryption of the shared key in the shared key transportationprotocol. This scheme should be IND-CCA secure. A key forpublic-key cryptosystem is required to achieve 80-b security.

Every protocol in the SSMP exploits the digital signaturescheme. The digital signature scheme in the SSMP should beEU-CMA secure [4]. In order to distribute the CA, the thresholddigital signature scheme [3] is required. The security of thethreshold digital signature is based on the underlying digital sig-nature scheme.

III. DESIGN OF SSMPIn this section, we describe our protocol. The proposed pro-

tocol includes all processes for production management and ini-tialization of devices, key management, secure transmission ofmeter readings, and management of the CRL. Table I lists thenotations used in this paper.

A. Production Management and Initialization of DevicesIn this section, the server means the CA server handled by

certification personnel. The production management and ini-tialization stage of the devices handle the process to generatepublic-key/private-key pairs and issue them certificates. Thisstage is implemented by the server and manufacturers, and thefollowing matters are considered:

secure generation and storage of the public-key/private-keypair for a device;

decentralization of the CA;

KIM et al.: SECURE SMART-METERING PROTOCOL 2373

TABLE ITERMS

reduction of the damage due to the certification keyleakage.

The secure generation and storage of the public-key/pri-vate-key pair for devices become a critical security elementduring device installation and the remote meter. These opera-tions require absolute security for the private key. Therefore,the public-key/private-key pair should be generated by using arandom number using heat or noise which can be identified onlyby the relevant device. Furthermore, the private key should bestored in a secure area or by a safe method so that it cannot befound or modified during device installation. That implies thatthe device key should be saved in physically secure memory.Other keys should be saved in this area or usual memory afterbeing encrypted by using the device key.

Authentication is required to use the public-key/private-keypair generated by devices during remote meter reading. The cer-tification should be performed by the person in charge of certifi-cation, and the certificate should be hard to forge. Further, whenthe manufacturer embeds the certificate in the device, it is nec-essary to check whether this certificate is for the relevant publickey.

The decentralization of the CA is required to avoid a singlepoint of failure that may occur when the certificate is issued byusing the certification key operated by one person in charge ofcertification. If one person in charge of certification issues thecertificate, the security of the entire PLC system will depend onthis person. This risk can be avoided by issuing certificates usingthe certification key certified by multiple certification personnel.

Even when though all certification personnel approve to gen-erate the certification key, if this certification key is disclosed

or lost, and damaged, the PLC system will be exposed to risk.Therefore, if the certification key is damaged, the certificates is-sued by using the key have to be revoked. This implies that ifthe certificates are issued for all devices with the same certifi-cation key, the certificates of all devices in the network have tobe revoked. The extent of damage in this case will be tremen-dous. Therefore, when issuing a certificate, care should be takento limit the damage to a specific range even when the certificatekey is damaged.

1) Generation of Master Key and Certification Key: Supposethere are certification personnel, say , and onecertification key issues certificates. Then, in order to satisfythe security requirements, the master key and certification keysare generated as follows:

The master key generated to authenticate certification keysby generating -threshold signatures. The master keyis generated by the server and consists of the master publickey and the master private key . is di-vided into secret shares, . Then, each

possesses . can be reconstructed bymore than certification personnel, but less than or equalto personnel learn nothing about .

Certification keys are generated by the server for severaltimes depending on and the number of produced de-vices. The th certification key consists of the th certi-fication public key and the th certification privatekey . A certification key pair is valid with its cer-tificate , which is issued by . Onecertification key issues up to certificates. For example,if is 100 000 and the number of produced devices is100 000 000, certification keys are generated 1 000 times.Hereafter, we omit in for convenience.

2) Embedding of Certificates: After the server has completedthe generation of the master key and published it, every manu-facturer embeds the certificate in the relevant devices, as shownin Fig. 2.

The security of the production management and initializationstage depends on that of the digital signature scheme. If the dig-ital signature is EU-CMA secure and threshold signature basedon it has the same security level, it is impossible to forge a cer-tificate even with the given certificate, and the master public keyand the corresponding certification public key. Further, in thiscase, it is impossible to deduce the master private key and cer-tification private key from the given certificate and certificationpublic key.

The master key is generated only once. In case the totalnumber of produced devices is and one certification keyissues certificates, the certification key has to be generated

times, and the threshold signature by the master keywill be required for authentication of each certification key.Therefore, a total of threshold signatures and digitalsignatures will be required in the production management andinitialization stage of devices.

B. Initial Certification and Shared Key SetupEach pair of servers and IRM, server and PLC modem, as

well as IRM and PLC modem shares a shared key in order togenerate a session key, which is used to encrypt meter readings

2374 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

Fig. 2. Certificate embedding protocol.

by the authenticated encryption scheme in certain sessions. Thelifetime of a session key may depend on the policy of the system.The shared key setting is achieved by applying the shared keytransport protocol by using the public-key encryption scheme.The shared key transport protocol is employed in the followingfour cases:

1) When a new device is introduced in the network: The pro-tocol will be applied when a new IRM in the network isconnected to the server and a new PLC modem in the net-work is connected to the IRM.

2) When the network topology changes according to a policy.3) When the network topology was to be reconfigured due to

unexpected failures in the network.4) When the lifetime of the shared key has expired.In the shared key transport protocol between two devices, the

shared key is determined by a child node and transmitted to aparent node. The protocol begins by the request of a child node.Each server is located in the root node; IRM, in the middle node;and PLC modem, in the terminal node.

During the application of the shared key transport protocol,both entities of the protocol should be able to authenticate eachother. Since only the server can authenticate devices for the effi-cient management of the CRL, when the IRM and PLC modemtry to transmit the shared key, their validity should be verifiedby the server. Therefore, there are two cases for the shared keytransport protocol: the server and IRM sharing a key and theserver, IRM, and PLC modem sharing a key. In both cases, achild node generates a 128-b random number and the sharedkey to share with a parent node . The lifetime of theshared key is equal to that of the certificate.

1) Shared Key Transport Protocol Between Server and IRM:Fig. 3 shows the shared key transport protocol between theserver and the IRM.

In step 2 of the shared key transport protocol, the server veri-fies whether the IRM is a legitimate component of the network.In step 3, the IRM authenticates the server by verifying the sig-nature in with , which is given in the certificate em-bedding protocol. Therefore, the shared key transport protocolbetween the server and the IRM enables both entities to authen-ticate each other.

In the protocol, the random number generated by the IRMin step 1 is identified in step 3, and the random numbergenerated in step 2 is identified in step 4: therefore, the protocolprovides mutual explicit key authentication and is secure againstreplay attacks.

The shared key transport protocol between the server and theIRM is a three-pass protocol. The IRM performs two public-key

operations, in each of step 1 and 3. The server performs fourpublic-key operations in step 2.

2) Shared Key Transport Protocol Among Server, IRM, andPLC Modem: Between the IRM and the PLC modem, up to twoother PLC modems may be located in the communication path.In this case, all intermediate devices just relay communicationbetween the two ends.

The shared key transport protocol among the server, IRM, andPLC modem is described in Fig. 4. As a result of the protocol,two shared keys are established between the server and the PLCmodem and between the IRM and the PLC modem.

In step 5 of the protocol, the server verifies whether the IRMand PLC modems are legitimate components of the network andsends the result to the IRM. The IRM checks the result in step 5,and PLC modems also confirm it in step 7. Thus, the shared keytransport protocol enables all pairs to authenticate each other.

In the protocol, mutual explicit key authentication is providedas follows. Each of the random numbers and gen-erated by the PLC modem in step 3 are identified by the PLCmodem in step 7 via the server in step 5 and the IRM in step8. The random number generated in step 5 is identified bythe server in step 9 via the PLC modem in step 7. The randomnumber generated by the IRM in step 8 is identified by theIRM in the step 8 via the PLC modem in step 7.

Since a timestamp is used when and are con-structed in step 5 of the protocol, it is proved within a limitedtime that the IRM and PLC modem are legitimate componentsof the network.

The shared key transport protocol among the server, IRM,and PLC modem is an eight-pass protocol. The PLC modemperforms four public-key operations in step 3 and five in step 7.The IRM performs public-key operations five times in step 6,and the server performs public-key operations six times in step5.

C. Meter-Reading Transmission

1) Generation and Management of Session Key: A sessionkey is updated regularly once in a month. A session keybetween two components and is computed from a sharedkey and session information obtained from thecounter . The counter does not contain secret informa-tion and consists of 20xx-year, xx-month, xx-day, xx-th meterreading. In the first day of each month, taking as 20xx-year, xx-month of the counter , and compute

KIM et al.: SECURE SMART-METERING PROTOCOL 2375

Fig. 3. Shared key transport protocol between server and IRM.

After transmitting or receiving a meter reading, and usethe counter to synchronize a session between them. It isimportant to synchronize the session in and . The sessioninformation can also be synchronized by a ciphertext.Since the associated data of the authenticated encryption gen-erated by the sender contains session information, the receiver

can compare it with its own and obtain session information.

2) Meter-Reading Transmission Protocol: The meter-reading transmission protocol exploits an authenticated encryp-tion scheme to encrypt and authenticate meter readings and apublic-key cryptosystem to create signatures. In the SSMP, theassociated data for authenticated encryption consists ofa device UID and counter information.

In a remote meter-reading environment, each IRM managesPLC modems, say . For every meter-

reading cycle, the IRM makes a request for the transmissionof a meter reading to the PLC modems under its management.Acting on this request, each PLC modem computes two cipher-texts and sends them to the IRM. The first ciphertext is an au-thenticated encryption of a meter reading using a session keyshared with the server. The second ciphertext is an authenti-cated encryption of some additional information about the PLCmodem which should be sent to the IRM using a session keyshared with the IRM.

The IRM decrypts the second ciphertext in the message re-ceived from each PLC modem and authenticates it. If the au-thentication fails, the message is discarded. Otherwise, the IRMreads the additional information and stores the first ciphertext ina buffer. While receiving a request for meter reading from theserver, the IRM sends the reading in the buffer to the server. In

this way, the IRM can filter invalid data by authenticating ci-phertexts. This hop-by-hop authentication prevents DoS attackson the server. Fig. 5 shows the meter-reading transport protocol.

Since the authenticated encryption scheme is IND-CCAsecure if it consists of the IND-CPA secure block cipher andSUF-CMA secure MAC algorithm, all ciphertexts are secure.From the timestamps used in steps 1 and 4, it is found that thestatements in these steps are valid within a certain time period.This prevents an attacker from launching the same attack. Sincethe meter-reading data are encrypted by a session key withthe server, the protocol provides end-to-end security for meterreadings.

In step 2, in order to reduce communication cost,is put in the second term in the header of

, instead of . In step 3, the IRM can recoverby concatenating and the hash

value of .The protocol provides the nonrepudiation of the meter read-

ings since in step 2, the first ciphertext contains a signatureon a meter reading. One block cipher operation is required togenerate a session key. In step 2, the PLC modem performsone authenticated encryption operation for authenticating thestatement from , two for generating two ciphertexts, and onepublic-key operation for generating a signature. The IRM per-forms two authenticated encryption operations for the encryp-tion or decryption of statements in steps 1 and 5 and for thedecryption of in step 3.

D. Management of CRLThe CRL has to be managed in order to handle discarded

devices. There are two methods to manage the CRL. In the first

2376 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

Fig. 4. Shared key transport protocol among server, IRM, and PLC modem.

method, the server that maintains the CRL sends it to the IRMperiodically. Then, the IRM saves the given CRL and checksthe list to determine the validity of a device, which requestsauthentication. The second method is to send a query regardingthe validity of a device to the server.

In the former case, the servers communication cost is givenby [the number of IRMs the number of discarded devices].

In the latter case, the cost is [the number of registered devices+ the number of discarded devices]. Let the number of IRMs,discarded devices, and PLC modems under the supervision ofone IRM be , , and , respectively. Then, from

, it is found that the latter method is more efficient when. Therefore, the SSMP takes the latter method for the

management of CRL.

KIM et al.: SECURE SMART-METERING PROTOCOL 2377

Fig. 5. Meter-reading transmission protocol.

In the shared key transport, IRMs and PLC modems storethe opponents certificate or public key. These data are updatedwhen relevant devices are discarded. If IRM is discarded, theserver generates a timestamp and sends

Revoke Revoke

to all PLC modems under . Then, the PLC modems delete theinformation about from their memory. If a PLC modemis discarded, the server generates a timestamp and sends

Revoke

to the IRM managing the PLC modem. Then, IRM deletesthe information about the PLC modem .

IV. DISCUSSIONIn this section, we discuss the storage size of each device and

the extent of damage caused when secret information leaks out.

A. Storage Size of IRMs and PLC ModemsA PLC modem has to store its own certificate and device key,

servers certificate, shared keys, counters, and session keys withthe IRM that manages it and the server. It is also required to savethe IRMs and servers UID. Table II lists the type and amount

2378 IEEE TRANSACTIONS ON POWER DELIVERY, VOL. 26, NO. 4, OCTOBER 2011

TABLE IITYPE AND AMOUNT OF INFORMATION: A PLC MODEM

TABLE IIITYPE AND AMOUNT OF INFORMATION: IRM 200)

of the information and its summation which a PLC modem hasto save.

In the case of the IRM, first of all, it has to store its own certifi-cate and servers certificate. If the IRM controls up to PLCmodems, it has to store each PLC modems UID, public key,shared key, counter, and session key with the device. Further, ithas to save the servers UID, counter, and session key with theserver. Table III lists the type, contents, and sum of the infor-mation that has to be stored by the IRM when 200. Thesize of the public key is assumed when a 160-b elliptic curvepublic-key cryptosystem is used.

B. Extent of Damage Caused by Leakage of Secret InformationIn case the private keys of the PLC modem are exposed to

an attacker, he/she can implement the shared key transport pro-tocol in all upper-level nodes of the PLC modem and completelyeliminate it from the network. Further, the attacker can modifythe meter readings of the PLC modem where the private key isexposed and transmit it to the server, which will affect the se-crecy and integrity of the meter reading. Although the extent ofdamage is limited to the PLC modem, which has exposed theprivate key, it may continue to modify until its certificate ex-pires. Therefore, complete security must be maintained for theprivate key.

In case only the shared key of the PLC modem is exposedto an attacker, he/she can modify the meter-reading value andimplement the meter-reading transmission protocol. However,the attacker cannot implement the shared key transport protocol.Therefore, the damage will be limited to the PLC modem withan exposed shared key, and the attack will be effective until thelifetime of the shared key expires.

If the session key of the PLC modem is exposed to at-tackers, they can modify the meter reading by applying themeter-reading transmission protocol. However, they cannotimplement the shared key transport protocol. In this case, thedamage is limited to the PLC modem, where the share key is

exposed, and the attack will be effective until the session keyis renewed.

If the private key of the IRM is exposed to the attacker, he/shecan implement the share key transport protocol to control theshared keys with all devices, which share the shared keys withthe IRM, where the private key is exposed. Therefore, thedamage will extend to all of the PLC modems managed by theIRM. However, since the meter reading is transmitted after byencryption with the session key between the server and eachPLC modem, even when an attacker obtains the private key ofthe IRM, it does not affect the security of the encrypted meterreadings in the meter-reading transmission protocol.

If the shared key or session key of the IRM is exposed torisks, it can only damage the devices that share such shared keysor session keys. In this case, it does not affect the security ofthe encrypted meter readings in the meter-reading transmissionprotocol. Further, the attack is only effective before the sharedkey transport protocol is executed again in the case of the sharedkey and before the session key is renewed in the case of thesession key.

V. CONCLUSIONPLC does not need a separate communication line and can be

easily installed. It provides convenient accessibility since usersjust need to plug the power cord into an electrical outlet in theirhomes. Furthermore, since it can be connected to various net-works through a backbone network, it is evaluated as one of themost appropriate technologies for meter-reading systems andautomatic control systems.

In this study, we analyzed the security requirements of remotemeter-reading systems based on PLC and proposed a protocolto satisfy the security requirements. The proposed protocol ap-plies to the key-management systems based on the public-keycryptosystem to guarantee extendibility and security of the re-mote meter-reading system based on PLC. Further, it is designedby taking into consideration all processes required for the re-mote meter-reading system from the production managementof the devices in the network to the generation of keys and ini-tialization of devices, a method to manage keys, a method toshare keys, a method to transport the meter readings safely, anda method to transport meter readings and revoke the certifica-tion.

REFERENCES[1] M. Bellare and C. Namprempre, Authenticated encryption: Relations

among notions and analysis of the generic composition, paradigm, J.Cryptol., vol. 21, no. 4, pp. 469491, Sep. 2008.

[2] M. Bellare, P. Rogaway, and D. Wagner, The EAX mode of opera-tion, in Proc. Fast Software Encryption, Feb. 2004, vol. 3017, LectureNotes Comput. Sci., pp. 389407.

[3] Y. Desmest, Threshold cryptography, Eur. Trans. Telecommun., vol.5, no. 4, pp. 449457, Jul. 1994.

[4] S. Goldwasser, S. Micali, and R. Rivest, A digital signature schemesecure against adaptive chosen message attacks, SIAM J. Comput., vol.17, no. 2, pp. 281308, Apr. 1988.

[5] T. Kohno, J. Viega, and D. Whiting, CWC: A high-performanceconventional authenticated encryption mode, in Proc. Fast SoftwareEncryption, Feb. 2004, vol. 3017, Lecture Notes Comput. Sci., pp.408426.

[6] D. McGrew and J. Viega, The security and performance of the Galois/Counter Mode (GCM) of operation, in Proc. Progr. Cryptol., Dec.2004, vol. 3348, Lecture Notes Comput. Sci., pp. 377413.

KIM et al.: SECURE SMART-METERING PROTOCOL 2379

[7] P. Rogaway, Authenticated-encryption with associated-data, in Proc.9th ACM Conf. Comput. Commun. Security, Nov. 2002, pp. 98107.

[8] P. Rogaway, T. M. Bellare, J. Black, and T. Krovetz, OCB: A block-ci-pher mode of operation for efficient authenticated encryption, in Proc.8th ACM Conf. Comput. Commun. Security, Nov. 2001, pp. 196205.

[9] D. Whiting, R. Housley, and N. Ferguson, Counter with CBC-MAC(CCM). [Online]. Available: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf

[10] NIST, NIST framework and roadmap for smart grid interoper-ability standards, Release 1.0. Jan. 2010. [Online]. Available:http://www.nist.gov/public_affairs/releases/upload/smartgrid_inter-operability_final.pdf

[11] NIST, Smart grid cyber security strategy and requirements. Aug. 2010.[Online]. Available: http://csrc.nist.gov/publications/nistir/ir7628/ni-stir-7628_vol1.pdf

[12] The OPEN Meter Consortium. [Online]. Available: http://www.open-meter.com

[13] Open Smart Grid Users Group, AMI System Security Requirementsv1.01 Dec. 2008. [Online]. Available: http://www.oe.energy.gov/Doc-umentsandMedia/14-AMI_System_Security_Requirements.pdf

[14] SMB Smart Grid Strategic Group (SG3), IEC Smart Grid Standardiza-tion Roadmap Edition 1.0. Jun. 2010. [Online]. Available: http://www.iec.ch/zone/smartgrid/pdf/sg3_roadmap.pdf

[15] The Open Meter Consortium, Report on the identification andspecification of functional, technical, economical and general require-ments of advanced multi-metering infrastructure, including securityrequirements D1.1 Jun. 2009. [Online]. Available: http://www.open-meter.com/files/deliverables/Open%20Meter_D1%201_Require-ments_v1.0_20090701.pdf

[16] SmartGrids: European Technology Platform. [Online]. Available:http://www.smartgrids.eu

Sungwook Kim received the B.S. degree in math-ematics from Seoul National University (SNU) in2005.

He is a graduate student in the Department ofMathematical Sciences, SNU. His research interestsinclude computational number theory, cryptography,and information security.

Eun Young Kwon received the B.S. degree in math-ematics from Duksung Womens University, Seoul,Korea, in 2004.

Currently, she is a graduate student in the Depart-ment of Mathematical Sciences, Seoul National Uni-versity, Seoul. Her current research focuses on math-ematical cryptology and information security.

Myungsun Kim received the B.S. degree incomputer science and engineering from SogangUniversity, Seoul, Korea, in 1994 and the M.S.degree in computer science and engineering fromthe Information and Communications University,Daejeon, in 2002.

Currently, is a graduate student in the ISaC and De-partment of Mathematical Sciences. He was with theDigital MediaResearch Center, Samsung Electronics,until 2008. His research interests include encryptionand multiparty computation in cryptography.

Jung Hee Cheon received the B.S. and Ph.D. de-grees in mathematics from the Korea Advanced In-stitute of Science and Technology in 1991 and 1997,respectively.

Currently, he is a Professor in the Department ofMathematical Sciences, Seoul National University(SNU). In 1997, he joined the Electronics andTelecommunications Research Institute (ETRI) andthen Information and Communications University(ICU), Daejeon, Korea. In 2000, he was a VisitingScientist with Brown University, Providence, RI.

His research interests include computational number theory, cryptography, andinformation security. He is an associate editor of Journal of KIISC and CSIjournal.

Prof. Cheon co-chaired ICISC 2008. He has served as Program CommitteeMembers for many conferences, including Crypto, Eurocrypt, and Asiacrypt.He received the best paper award in Asiacrypt 2008.

Seong-ho Ju received the B.S. degree in electricalengineering from Yonsei University, Seoul, Korea, in2001, and the M.S. degree in electrical and computerengineering from Seoul National University, Seoul,in 2004.

In 2001, he joined Samsung SDS, where heworked on Network Business part for one year.Since he joined Korea Electric Power Cooperation in2004, he has developed power-line communication,network security, and network-management systemsas a Senior Researcher.

Yong-hoon Lim received the B.S. and M.S. degreesin electronic engineering from Konkuk University,Seoul, Korea, in 1996 and 1998, respectively.

He joined Korea Electric Power Cooperation in1996. He has worked on optic network, wirelesssensor network, and radio-frequency identifica-tion/ubiquitous sensor network) as a Project Leader.His recent research topic is power-line communi-cation, IPv6 network, and distribution automationsystems (DAS) in power systems.

Moon-seok Choi received the B.S. degree in elec-trical wave engineering from Chungnam NationalUniversity, Chungnam, Korea, in 2003 and theM.S. degree in electronic engineering from KoreaAdvanced Institute of Science and Technology,Daejeon, in 2005.

Since 2005, he has been a Researcher with KoreaElectric Power Corporation, Korea. His researchinterests include power-line communication, net-work-management systems, and automatic meteringreading.