This paper addresses security problems and interoperability issues in the secret key distribution procedure of DLMS/COSEM. In this paper we propose new DLMS/COSEM authentication and key management schemes based on an Extensible Authentication Protocol (EAP) framework [9] as solutions to these problems. To the best of our knowledge, there has been neither an investigation extensive enough to point out security-related interoperability issues nor a comprehensive solution to lift the security level of AMI. The holistic view of the proposed scheme is as follows: (1) smart meters and DCSs perform the authentication and key exchange processes with an AMI server; (2) DLMS/COSEM secret keys are generated and distributed over a pre-formed secured channel among the smart meter, the DCS, and the AMI server. This paper details a series of secured procedures for generating and exchanging secret keys in order to ensure interoperability and security on an AMI in which the DLMS/COSEM protocol is applied.

The remainder of this paper is organized as follows. Section 2 discusses DLMS/COSEM security problems and the existing authentication and key management schemes for AMI. We propose an EAP-based DLMS/COSEM authentication and key management framework and procedure in Section 3. Section 4 considers the security and efficiency of the proposed scheme, and Section 5 concludes this work.

2. Related Works

2.1 DLMS/COSEM (IEC 62056)

2.1.1 Preliminaries
The DLMS/COSEM protocol [3] is a next-generation power metering communication protocol based on the IEC 62056 international standards, currently planned for Smart Grid deployment in Europe and Korea, and it is also a protocol for gas and water control systems. In particular, the protocol has been gradually expanding its use as a standard protocol for power metering communication networks in Europe. The protocol was created for interoperability and efficient communication among devices in electrical power systems, so that all devices equipped with the standard can communicate or exchange messages without any additional intermediate overhead between them, even when they come from different manufacturers. The administration of the DLMS/COSEM protocol has been shifted to the Device Language Message Specification User Association (DLMS UA), in which 258 members currently (as of March 2013) participate actively.

2.1.2 Security Features
The DLMS/COSEM protocol provides wide coverage of specifications regarding metering communications, including security for data access and transport. First, data access security contains the following three authentication modes: Lowest Level Security (No Security), Low Level Security (LLS), and High Level Security (HLS) [3].

• The “No Security” authentication mode is a mode in which a client collects data by accessing a server without entering any authentication procedure.
• The “LLS” is a password-based one-way authentication mode in which a server authenticates a client by verifying a password submitted by the client.
• The “HLS” is a mutual authentication mode using a pre-shared secret key and a random value between a client and a server.

Second, the data transport security feature provides data confidentiality and integrity for xDLMS Application Protocol Data Units (APDU) exchanged between a client device and a server over networks, and it presents a procedure for distributing the secret keys used for data protection.

Figure 1. DLMS/COSEM key sharing and setup

Fig. 1 depicts the DLMS/COSEM key sharing and setup structure according to the DLMS/COSEM system structure. The secret keys used in DLMS/COSEM are generated and employed based on a symmetric key concept. The keys are classified and defined by purpose as follows:

• A Master Key (MK) is a key to be configured in a COSEM server and a Central DCS through a secured method in advance. This key is employed for encrypting GKs but is not shared with a DCS that plays the role of a Concentrator.
• GKs, namely the Global Unicast Encryption Key, Global Broadcast Encryption Key, and Authentication Key (Global), are created in a Central DCS and transferred to a COSEM server after encryption through the AES-128 algorithm with the MK. After receiving the GKs encrypted by the MK from the Central DCS, the Concentrator transfers these GKs to the COSEM servers associated with the Concentrator.
• DKs, called Dedicated (unicast) encryption keys, are created in the Central DCS and the Concentrator, and the Application Association Request (AARQ) APDU user-information field is encrypted by the Global Unicast Encryption Key. Then, these keys are transferred to each COSEM server in a corresponding DCS.

2.2 DLMS/COSEM Security Analysis
The DLMS/COSEM standard does not specify detailed steps regarding the way to distribute MKs and the GKs in the data transport security specification. In other words, DLMS/COSEM does not guide the design of comprehensive security features or procedures for how the MKs are to be created in the Central DCS or how the keys are to be shared with a COSEM server. Furthermore, the DLMS/COSEM protocol has not even defined a set of detailed key distribution procedures for the GKs that are to be shared between Central DCSs and Concentrators. This standard might raise interoperability problems, from the aspect of communication security, between device manufacturers producing smart meters or DCSs that implement the DLMS/COSEM standards and power companies, which construct and operate the AMI systems using the devices.

The procedure for the distribution of the DKs specified in the data transport security of DLMS/COSEM is not secure but vulnerable.
For example, in DLMS/COSEM, the DKs are defined as keys that are used for the encryption of unicast xDLMS APDUs. That is, the DKs are unique session secret keys between two communication devices, which protect xDLMS APDUs transmitted between a COSEM client, Central DCS or Concentrator, and a COSEM server. However, DKs are transmitted after being encrypted using a Global Unicast Encryption Key that is shared among the Central DCS, Concentrator and COSEM servers. This means that the DKs lose their role as a unique session secret key between the Central DCS and a COSEM server or between a Concentrator and a COSEM server. Consequently, there is a vulnerability: a Concentrator and other COSEM servers can also decrypt the DKs between the Central DCS and a COSEM server.

2.3 Existing Authentication Schemes for AMI and Problem Statements
There are critical issues in applying existing authentication and key management techniques to AMI, even though many have already been introduced. Nabeel et al. proposed an approach based on Physically Unclonable Functions (PUF) technology for providing strong hardware-based authentication of smart meters and efficient key management between smart meters and the AMI server [4]. Xia et al. proposed a secure key distribution for the smart grid [5], and Nicanfar et al. proposed a smart grid authentication and key management for unicast and multicast communications [6]. These methods support authentication and key exchange for confidentiality and integrity between smart meters and AMI servers. Although they address a class of authentication techniques for smart meters and servers in generalized AMI systems, they are not applicable to an AMI employing the DLMS/COSEM protocol. For instance, it is feasible to use existing authentication technologies in the network segments of an AMI employing DLMS/COSEM, such as smart meters-DCSs, DCSs-servers and smart meters-servers, respectively. However, there might be computational overhead from performing the same authentication procedures in each of the aforementioned network segments, because the authentication architecture is duplicated in each compartment of the network.

There has been literature on designing authentication protocols that consider the overall AMI system. Kim et al. proposed a secure smart-metering protocol in which shared keys are established among a smart meter, a DCS, and an AMI server [7]. However, it is difficult to apply this scheme in an AMI system with multiple different utilities because of their various authentication policies. For instance, in the case of AMI networks shared by water, gas and electricity utilities in order to boost the efficiency of resource utilization, it is inevitable for DCSs to adopt the various authentication schemes of the individual utilities.

Das et al. studied an EAP-based authentication and key management framework for AMI systems in order not only to simplify authentication procedures but also to adopt various authentication technologies [8]. It explained a unified key management mechanism based on EAP, Protocol for Carrying Authentication for Network Access (PANA), and Authentication, Authorization, and Accounting (AAA) protocols, and integrated it with an ANSI C12.22 based smart metering application. It is feasible for AMI systems to adopt various authentication techniques and minimize their duplication at smart meters since the framework facilitates an EAP approach. However, a detailed key distribution architecture that is fitted to the DLMS/COSEM protocol is still required to resolve the interoperability issue.

Consequently, efficient and detailed authentication and key management techniques are required for AMI systems employing DLMS/COSEM.

3. Proposed Scheme
In this section, we propose an EAP-based DLMS/COSEM authentication and key management procedure, which would enhance the security level of the current version of DLMS/COSEM, and we provide a detailed illustration of the secure procedures for secret key generation and distribution that resolve the interoperability and security issues, so as to construct secure AMI networks. EAP is an authentication framework frequently utilized for access authentication in wireless networks, as described in [9]. The proposed scheme is studied in two cases: one in which a DCS playing the role of a Concentrator is present, and the other in which it is not.

3.1 Basic Assumption and Idea
In this paper, we assume that a COSEM server and a DCS perform the Security Association (SA) with an AMI server. Security association refers to an authentication and key exchange procedure between two systems/devices. Because a non-repudiation service for metering data is required in the case of a COSEM server, certificate-based Transport Layer Security (TLS) authentication in [10] is performed; on the other hand, a non-repudiation service is not required in the case of a DCS, and hence pre-shared key-based TLS in [11] is performed. If there are too many DCSs to be managed, certificate-based TLS authentication can be conducted between the DCSs and an AMI server. The main idea of our scheme is to generate and distribute a secret key between two DLMS/COSEM communication devices using a secure channel built by the authentication and key exchange processes that smart meters and DCSs conduct with an AMI server. The proposed scheme presents an authentication and key management procedure that, by using the security association, can be applied to the generation and sharing of the MK, GKs, and DKs in the DLMS/COSEM standard with as few modifications of the specification as possible. We redefine the DLMS/COSEM keys and introduce our notation as follows:

• MK: a pre-shared master key between a central DCS (or Concentrator) and AMI server
• MK_TLS: a master key generated as a result of a TLS security association between a central DCS (or Concentrator) and AMI server
• SK_TLS: a session key derived from MK_TLS for encrypting key materials between a central DCS (or Concentrator) and AMI server
• EMSK: an extended master session key generated as a result of an EAP-based security association between a COSEM server and AMI server
• MK_DLMS, GKs_DLMS, DK_DLMS: the traditional DLMS/COSEM keys defined in the IEC 62056-5-3 standard
• EK_DLMS: an encryption key for encrypting DK_DLMS between a central DCS (or Concentrator) and COSEM server
• E_k(m): an encryption function with a symmetric key k and a message m
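[Figure: message sequence among COSEM Server, Central DCS and AMI Server (cf. Fig. 2 in the text). AMI Server to Central DCS: EAP-Success{E_{SK_TLS}(MK_DLMS || EK_DLMS)}; Central DCS: store MK_DLMS, EK_DLMS and generate GKs_DLMS, DK_DLMS; Central DCS to COSEM Server: EAP-Success{E_{MK_DLMS}(GKs_DLMS) || E_{EK_DLMS}(DK_DLMS)}; COSEM Server: store GKs_DLMS, DK_DLMS.]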
3.2 DLMS/COSEM Security Association with Central DCS (Case 1)
The procedure for the authentication and key management of DLMS/COSEM is shown in Fig. 2 for the case where a DCS performing the role of a Concentrator is not present in the AMI. First, the Central DCS performs authentication with the AMI server in order to share the master key MK_TLS, and the Central DCS and the AMI server generate a Session Key SK_TLS from MK_TLS. Second, the COSEM server performs EAP-based authentication with the AMI server in order to share the Extended Master Session Key (EMSK) as illustrated in [12]. The COSEM server and the AMI server generate MK_DLMS and EK_DLMS from the EMSK, where EK_DLMS is used to encrypt DK_DLMS. The master key MK_DLMS and dedicated keys DK_DLMS are secret keys defined in the DLMS/COSEM specification. The generation and distribution hierarchy of these secret keys is shown in Fig. 3.

[Figure 3 shows, across the COSEM Server, Central DCS and AMI Server: the TLS SA (MK_TLS, SK_TLS); the EAP-based SA (EMSK, from which MK_DLMS and EK_DLMS are derived); and the DLMS SA (MK_DLMS, GKs_DLMS, DK_DLMS, EK_DLMS).]
Figure 3. Hierarchical key structure for Case 1.

The following is a detailed description of the procedure for the DLMS/COSEM authentication and key exchange scheme.

Step 1. Once the EAP authentication procedure with the COSEM server has completed successfully, the AMI server encrypts MK_DLMS and EK_DLMS using SK_TLS, {E_{SK_TLS}(MK_DLMS || EK_DLMS)}, and sends the EAP-Success message including the encrypted value to the Central DCS.

Step 2. The Central DCS that received the EAP-Success message decrypts MK_DLMS and EK_DLMS using SK_TLS and stores them. Further, the Central DCS creates GKs_DLMS and DK_DLMS defined in the DLMS/COSEM standards using a key generation function such as a Pseudorandom Function (PRF). Then, GKs_DLMS is encrypted using MK_DLMS, and DK_DLMS is encrypted using EK_DLMS, followed by transferring them along with the EAP-Success message to the COSEM server.

Step 3. The COSEM server decrypts GKs_DLMS and DK_DLMS using MK_DLMS and EK_DLMS derived from the EMSK and stores them.

Once the authentication and key management procedure of DLMS/COSEM has completed, the COSEM server and the Central DCS can provide integrity and confidentiality for metering data according to the DLMS/COSEM standards specification.

3.3 DLMS/COSEM Security Association with Concentrator (Case 2)
Fig. 4 shows the authentication and key exchange procedure of DLMS/COSEM when a DCS performing the role of a Concentrator is present in the AMI. TLS authentication is performed between the Central DCS and the AMI server, and between the Concentrator and the AMI server, to generate MK_TLS1 and MK_TLS2, respectively. Moreover, session keys SKs are generated from MK_TLS1 and MK_TLS2 as shown in Fig. 5. The COSEM server performs the EAP-based authentication with the AMI server as in Case 1 to share the EMSK, and MK_DLMS and EK_DLMS are generated from the EMSK. The generation and distribution hierarchy of these secret keys is shown in Fig. 5.

The following is a detailed illustration of the procedure for the authentication and key exchange of DLMS/COSEM.

Step 1. Once the EAP authentication procedure with the COSEM server has completed successfully, the AMI server encrypts MK_DLMS and EK_DLMS using SK1_TLS2 shared with the Concentrator and encrypts SK2_TLS2 using SK_TLS1 shared with the Central DCS: {E_{SK1_TLS2}(MK_DLMS || EK_DLMS) || E_{SK_TLS1}(SK2_TLS2)}. Then, the AMI server sends the EAP-Success message including the encrypted key materials to the Central DCS. Note that SK2_TLS2 is used as a secret key to deliver GKs_DLMS, which is defined in the DLMS/COSEM standards specification, between the Central DCS and the Concentrator.

Step 2. The Central DCS that received the EAP-Success message decrypts SK2_TLS2 using SK_TLS1. Then, the Central DCS generates GKs_DLMS, and the EAP-Success message including E_{SK1_TLS2}(MK_DLMS || EK_DLMS) and E_{SK2_TLS2}(GKs_DLMS) is transmitted to the Concentrator.
[Figure: message sequence among COSEM Server, DCS (Concentrator), Central DCS and AMI Server (cf. Fig. 4 in the text), showing EAP-Success{E_{SK1_TLS2}(MK_DLMS || EK_DLMS) || E_{SK_TLS1}(SK2_TLS2)}.]
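The Case 1 exchange of Section 3.2 (Steps 1 to 3), set against the DK distribution criticised in Section 2.2, as an added example that is not code from the paper. The HMAC-SHA256 derivation labels, the SHAKE/HMAC construction standing in for AES-128 key encryption, the 16-byte key sizes and all function names are assumptions of this example.

```python
import hashlib, hmac, os

def kdf(key, label, n=16):  # PRF stand-in (HMAC-SHA256); the labels are assumed
    return hmac.new(key, label, hashlib.sha256).digest()[:n]

def E(k, m):  # E_k(m): stdlib stand-in for AES-128 key encryption, with a tag
    nonce = os.urandom(12)
    ks = hashlib.shake_256(kdf(k, b"enc") + nonce).digest(len(m))
    ct = bytes(a ^ b for a, b in zip(m, ks))
    return nonce + ct + hmac.new(kdf(k, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]

def D(k, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    good = hmac.new(kdf(k, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, good):
        raise ValueError("unwrap failed: wrong key or modified blob")
    ks = hashlib.shake_256(kdf(k, b"enc") + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def derive_dlms(emsk):
    return kdf(emsk, b"MK_DLMS"), kdf(emsk, b"EK_DLMS")  # both from the meter's EMSK

def ami_step1(emsk, sk_tls):
    return E(sk_tls, b"".join(derive_dlms(emsk)))  # EAP-Success{E_SK_TLS(MK || EK)}

def dcs_step2(sk_tls, msg):
    plain = D(sk_tls, msg)
    mk, ek = plain[:16], plain[16:]
    gks, dk = os.urandom(48), os.urandom(16)    # three GKs and one DK, 16 bytes each
    return (gks, dk), (E(mk, gks), E(ek, dk))   # (stored keys, forwarded EAP-Success)

def meter_step3(emsk, fwd):
    mk, ek = derive_dlms(emsk)
    return D(mk, fwd[0]), D(ek, fwd[1])

def can_unwrap(key, blob):
    try:
        D(key, blob)
        return True
    except ValueError:
        return False

def demo():
    # Constructed sample secrets; real ones come from the TLS and EAP exchanges
    sk_tls, emsk_a, emsk_b = os.urandom(16), os.urandom(64), os.urandom(64)
    stored, fwd = dcs_step2(sk_tls, ami_step1(emsk_a, sk_tls))
    delivered = meter_step3(emsk_a, fwd) == stored
    # Section 2.2: DK wrapped under the Global Unicast key that every node holds
    guek = os.urandom(16)
    neighbour_reads_legacy = can_unwrap(guek, E(guek, stored[1]))
    # Section 3.2: DK wrapped under EK_DLMS, so a meter with another EMSK fails
    neighbour_reads_new = can_unwrap(derive_dlms(emsk_b)[1], fwd[1])
    return delivered, neighbour_reads_legacy, neighbour_reads_new
```

`demo()` returns whether the meter recovered the keys the Central DCS stored, whether a neighbouring node holding the shared Global Unicast Encryption Key can read the DK, and whether a neighbouring meter with a different EMSK can read it under the proposed wrapping.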
The proposed EAP-based framework is a structure that can accept various authentication protocols, including those that are currently used and those that will be developed in the future, for the AMI relay system, such as the DCS. AMI can be used for a communication network shared by various power companies for power metering data monitoring. It can also be used for a communication network for collecting gas and water metering data in gas and water companies. For such cases, the DCS, which is an AMI relay system, should take the authentication policies of various power, gas, and water companies into consideration. The proposed EAP-based authentication framework can bring about a reduction in cost because of the application of various authentication protocols in the DCS for smart meters, gas meters, and water meters.

The proposed scheme employed an EAP-based authentication framework, thereby presenting an authentication and key management procedure for not only the sections between the smart meters and the DCS but also the entire AMI section, including the AMI servers. This paper described in detail reliable authentication and key management procedures required for an AMI environment where DLMS/COSEM was applied, as well as the minimization of the authentication and key exchange procedure.

6. ACKNOWLEDGMENTS
This work was supported by the Power Generation & Electricity Delivery of the KETEP grant funded by the Korea government Ministry of Trade, Industry and Energy (No. 2012101050004A).