A Lightweight Authentication and Key Agreement Protocol for IoT-Enabled Smart Grid System

Abstract

The IoT-enabled Smart Grid uses IoT smart devices to collect the private electricity data of consumers and send it to service providers over the public network, which leads to some new security problems. To ensure the communication security in a smart grid, many researches are focusing on using authentication and key agreement protocols to protect against cyber attacks. Unfortunately, most of them are vulnerable to various attacks. In this paper, we analyze the security of an existent protocol by introducing an insider attacker, and show that their scheme cannot guarantee the claimed security requirements under their adversary model. Then, we present an improved lightweight authentication and key agreement protocol, which aims to enhance the security of IoT-enabled smart grid systems. Furthermore, we proved the security of the scheme under the real-or-random oracle model. The result shown that the improved scheme is secure in the presence of both internal attackers and external attackers. Compared with the original protocol, the new protocol is more secure, while keeping the same computation efficiency. Both of them are 0.0552 ms. The communication of the new protocol is 236 bytes, which is acceptable in smart grids. In other words, with similar communication and computation cost, we proposed a more secure protocol for smart grids.

1. Introduction

With the rapid growth of Internet of Things (IoT), the IoT-enabled smart grid is gradually replacing the traditional power grid and becoming one of the important infrastructures in real society [1,2,3,4]. The IoT-enabled smart grid integrates wireless sensor networks into the power system, and obtains physical information such as grid operation status and parameters through wireless sensor networks. In smart grids, the wireless sensor network has become a useful supplement to the production, transmission, distribution and consumption of electric energy.

According to the latest NIST Framework and Roadmap for Smart Grid Interoperability Standards 4.0 [5], released in 2021, the smart grid model can be roughly abstracted into seven domains: customer, markets, service provider (SP), operations, generation (including DER), transmission and distribution, as shown in Figure 1. The solid blue line indicates secure communication flows and the dotted yellow line indicates electrical flows. The Customer is the end user of electricity, who may also generate, store, and manage the use of energy, which relies on smart meters (SMs) to access the smart grid. The Markets are the facilitators and participants in electricity markets and other economic mechanisms used to drive action and optimize system outcomes.The Service Provider is the organization providing services to electrical customers and to utilities.The Operations are the managers of the movement of electricity. The Generation Including DER is the producer of electricity, and may also store energy for later distribution. Transmission refers to the carriers of high voltage electricity over long distances. Distribution is the distributor of electricity to and from customers.

The smart grid (SG) is superior to the traditional grid in several aspects [6], such as flexible control, efficient operation, convenient use, etc.. However, as mentioned above, the SM is deployed on the side of consumers, so it is easy for most people to contact the SM, which gives a great opportunity to malicious attackers [7,8]. On the contrary, due to the large number of SMs, it may be difficult for service providers to carry out effective security monitoring and physical protection. In other words, the security of the smart grid relies on the security of the communication protocol used in the communication between SMs and SPs in the power grid, and whether the identity authentication and information transmission can be carried out securely. On 23 December 2015, some attackers successfully forged identity authentication and attacked the control system of the smart grid by taking advantage of the loopholes in the smart grid of Ukraine’s energy supply company, which resulted in unexpected hours of large-scale blackout and great damage to the normal management of the society [9].

1.1. Related Work

Many researchers have paid attention to the authentication and key agreement protocols under smart grid circumstances. In 2011, Wu and Zhou et al. presented an authentication protocol [10] which applied elliptic curve cryptography (ECC) into a smart grid to provide fault tolerance and scalability. However, it was soon pointed out that the scheme could not resist the man-in-the-middle attack. In 2012, Xia and Wang et al. proposed a new key distribution protocol [11] combined with the lightweight directory access protocol (LDAP), which improved both the security and the efficiency. Unfortunately, their scheme cannot resist impersonation attack and cannot guarantee the anonymity of users [12]. Also in 2012, Wang et al. presented an authentication protocol in identity [13], which ignores that smart meters need to be anonymous. Afterwards, Tsai and Lo [14] proposed a new smart grid authentication protocol using identity based encryption technology. However, their scheme was pointed out to be unable to guarantee the privacy of smart meter credentials [15], and cannot provide session key security under the widely accepted Canetti–Krawczyk adversary (CK-adversary) model [16,17]. In 2014, Nicanfar et al. suggested a security protocol [18] for authentication, with a key generator to update the grid’s key. However, his scheme’s computation cost is expensive, thus is not suitable for smart grids.

With the development of sensor equipment, lightweight authentication and key agreement schemes in smart grids have become popular. In 2018, Mohammadali et al. presented an identity-based authentication with light burden and key agreement scheme, where elliptic curve cryptography is used to establish a session key [19]. In the same year, Mahmood et al. also paid attention to the efficiency of the authentication scheme in a smart grid and designed a lightweight user authentication protocol [20] based on ECC. Unfortunately, although these two schemes are designed cleverly, they are not anonymous enough. Therefore, Kumar et al. [21] proposed a lightweight security protocol for anonymity in smart grids, but a synchronization problem was also pointed out. In 2019, Zhang et al. proposed an identity authentication communication scheme [22] in smart grids, which uses a novel dynamic verification table to protect the anonymous data, either in authentication or in the smart meters. Meanwhile, this new protocol is a fault-tolerant mechanism, and also ensures the untraceability of the user’s identity. In 2020, Ferrag et al. [23] pointed out that Zhang et al.’s scheme cannot ensure authentication of all nodes, but they did not give a detailed explanation. Sadhukhan et al. [24] showed the potential performance problems of Zhang et al.’s scheme. However, there are few articles on the security analysis of Zhang et al.’s scheme. In the same year, Abbasinezhad-Mood et al. proposed an anonymous ECC-based self-certified key distribution scheme [25], the scheme is not only free from the overhead of the certificate management and the key escrow issue, but is also more efficient than anonymous schemes in terms of both communication and computational costs.

In 2020, Khan et al. [26] suggested a novel system for smart grids PALK as a means for authenticating communication between two SG entities. Additionally, they analyzed many of PALK’s security characteristics and attack resilience. However, in 2022, Mohammed Taqi et al. [27] revealed that Khan et al.’s [26] scheme is vulnerable to well-known security threats, such as user anonymity and password guessing attack. They also proposed a new protocol LSPA-SG that they claimed would withstand every known attack. In 2022, Deebak et al. proposed a seamless authentication framework with privacy-preserving (SAF-PP) protocol [28] to deal with the security and privacy issues of smart eHealth intelligence. The formal analysis proves that SAF-PP can adhere to significant security properties while improving the system efficiency rate.

In a smart grid, where communication information is vulnerable to various attack threats, a secure authentication and key agreement protocol is essential for secure communication. We present a summary of the security problems and limitations of the recently available AKE schemes in

Table 1. Overview of authentication protocols.

Scheme	Limitations	Primitive Used	Year
[19]	Cannot resist replay attack, SK compromised attack, SM impersonation attack, and MINM attacks, cannot ensure anonymity, does not consider internal attackers	ECC, XOR, and Hash	2018
[20]	Cannot ensure the anonymity of SM, does not consider internal attackers	ECC, XOR, and Hash	2018
[21]	Cannot ensure the anonymity of SM, does not consider internal attackers	ECC, XOR, and Hash	2018
[22]	Cannot resist insider attacks, impersonation attack, SK compromise attack, loss the anonymity of SM	AES, XOR, and Hash	2019
[27]	Does not consider internal attackers	ECC, XOR, and Hash	2022
our scheme	Can resist known attacks, considers internal attackers	AES, XOR, and Hash

. Meanwhile, most of the existing protocols [29,30,31] do not take into account the presence of insider attackers. In conjunction with the actual deployment environment of the smart grid, it is essential to consider how the protocol can guarantee the security of communication in the presence of insider attackers. In addition, it is necessary to consider a secure authentication protocol for IoT smart devices in resource-constrained scenarios in the smart grid.

1.2. Motivation

In the smart grid environment, it is critical to realize anonymity and untraceability for the smart meter with the presence of internal attackers during the authentication process. Zhang et al. [22] presented a practical authentication and key agreement scheme, and claimed that their proposal can satisfy security requirements and outperform the current solutions. This paper analyzes the security of Zhang et al.’s protocol [22], and points out that their scheme cannot really guarantee the claimed security requirements under their adversary model. More precisely, they regard the attacker as a third party, but ignore that the attacker may also be a legitimate consumer of the smart grid, who can obtain a legal identity of a smart meter.

Based on above assumption, we review and analyze Zhang et al.’s protocol [22] and point out that their work is not secure enough to prevent an impersonation attack from an insider attacker. We then improved Zhang et al.’s protocol so that it can resist against various attacks from both outsider and insider attackers.

1.3. Contribution

The contribution of this paper is as follows:

• We introduce an insider attack and take Zhang et al.’s protocol [22] as an example to improve the security. We first analyze the security of Zhang et al.’s protocol [22] and point out the reasons why their protocol cannot resist insider attack. Then, we describe the detailed steps of an insider attack, and show the potential threats of insider attack. In addition, we have made improvements to Zhang et al.’s protocol to resist insider attack.
• We analyze the security and performance of our proposed protocol and the results show that the protocol has strong security and efficiency. We analyze the security of the improved protocol in detail and prove the security of the protocol under the real-or-random oracle model. Through informal analysis, it has been shown that this protocol can resist common attacks, including insider attack. After that, we compare the proposed protocol with other schemes, indicating that the improved protocol is still lightweight.

The rest of the paper is introduced as follows. Section 3 analyzes the security of Zhang et al.’s scheme. In Section 3, an improved lightweight authentication and key agreement protocol is presented in details. Section 4 introduces the secure analysis of the improved scheme. In Section 5, a detailed comparison of the security and computational cost is conducted between the improved protocol and several other schemes. Section 7 concludes the whole paper.

2. Preliminaries

2.1. Communication Model

This paper focuses on the authentication between Service Provider and Customer, and thus it is based on the sub-network, which consists of the service provider and the smart meters. A smart meter is a hardware device deployed on the legitimate user side of the power grid, which can be used to transmit information in the power grid, undertake power consumption monitoring, electricity price information and other sensing functions [32,33,34]. Service providers provide power services for consumers, i.e., receive power information through SMs, charge the users, analyze the consumer’s data, and so on [35,36,37].

A secure protocol is used between SMs and SPs to provide identity authentication and key agreement. A smart meter usually registers a legal identity through a secret channel before communication. After that, the SM and SP authenticate each other through the public network and generate a secret session key at the same time. The session key is used for SM and SP subsequent session encryption, as shown in Figure 2. From a practical point of view, a smart meter is easy to be access by anyone, and is thus vulnerable to eavesdropping, modification or physical attacks. Note that it is also a tamper resistant device so that the information stored in it is difficult to be stolen, changed or destroyed.

2.2. Threat Model

Assume an attacker is a probability polynomial time (PPT) attacker, which means he can obtain all the messages transmitted in the public channel, i.e., can intercept, modify or replay all the messages, can obtain access to all the normal released information in the grid, and can access and control smart meters, but cannot obtain sensitive data stored in the tamper-resistant devices. Moreover, according to Zhang et al. [22], an attacker can acquire SPs’ master keys or IDs, but not both. An attacker can also obtain the validation table used in the scheme from the providers’ servers.

2.3. Security Goals

The security scheme in smart grid should meet the following security objectives:

• Mutual authentication: Each session between the smart meter and service provider requires complete mutual authentication. This is to ensure that both sides of the communication are credible.
• Generate security session key: The security scheme should generate a temporary session key, which is confidential and unpredictable to any third party.
• Resist known security attacks: The security scheme should resist common attacks, such as man in the middle attack, replay attack, and so on.
• Provide SM’s anonymity: The scheme usually only needs to ensure that the third party cannot obtain the identity information of the smart meter. However, a good security protocol should make the service provider unable to figure out whether two sessions are possessed by the same SM or not.

3. Some Flaws of Zhang et al.’s Scheme

This section firstly exhibits Zhang et al.’s scheme, then shows how to mount an insider attack on Zhang et al.’s scheme.

3.1. Review of Zhang et al.’s Scheme

Zhang et al.’s scheme involves a registration phase and key agreement phase with authentication, which are executed by the smart meter $S{M}_i$ and the service provider $S{P}_j$.

3.1.1. Registration Phase

• The smart meter $S{M}_i$ firstly chooses a random value with high entropy $r_1$. Then, $S{M}_i$ sends its identification $I{D}_i$ and $r_1$ to the service provider $S{P}_j$ securely.
• After receiving the messages from $S{M}_i$, $S{P}_j$ computes $Q_i=h(s \oplus r_1 \oplus (I{D}_j\left|\right|I{D}_i\left)\right)$, where $I{D}_j$ means the identification of $S{P}_j$ and s means the master key of $S{P}_j$. Then, $S{P}_j$ calculates $M_i=E_s((I{D}_i \oplus r_1)\left|\right|\left(h\right(I{D}_j\left|\right|s) \oplus I{D}_i\left)\right)$ where $E_s\left(\right)$ means the secure symmetric encryption with secret key s. Finally, $S{P}_j$ stores $Q_i$ into its dynamic verification table and returns $M_i$ to $S{M}_i$ via a secure channel.
• $S{M}_i$ receives $M_i$ from $S{P}_j$, and stores $\{I{D}_i,r_1,M_i\}$ into its own tamper-resistant device.

3.1.2. Authentication and Key Agreement Phase

• When the smart meter $S{M}_i$ attempts to start the communication with the service provider $S{P}_j$, $S{M}_i$ produces a random value with high entropy $r_2$ temporarily. After that, $S{M}_i$ calculates $X_i=h(I{D}_i\left|\right|r_1) \oplus r_2$ and sends $\{X_i,M_i\}$ to $S{P}_j$ through a public channel.
• $S{P}_j$ decrypts $M_i$ with its master key s where $D_s\left(M_i\right)=({I{D}_i}^{\prime } \oplus {r_1}^{\prime })\left|\right|\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus {I{D}_i}^{\prime })$. Then, $S{P}_j$ calculates $I{D}_i^{*}=h(I{D}_j\left|\right|s) \oplus h({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus {I{D}_i}^{\prime }$, $r_1^{*}=I{D}_i^{*} \oplus {I{D}_i}^{\prime } \oplus {r_1}^{\prime }$ and $Q_i^{*}=h(r_1^{*} \oplus s \oplus (I{D}_j\left|\right|I{D}_i^{*}\left)\right)$, and checks whether $Q_i^{*}$ is in its dynamic verification table or not. There are two columns, $Q_i$ and $Q_{i}o$, in the table, and the values of both columns are blank at the beginning. When $S{M}_i$ is successfully registered, the generated $Q_i$ would be stored in column $Q_i$. If $Q_i^{*}$ is found in $Q_{i}o$, $S{P}_j$ fills in the value of $Q_{i}o$ to $Q_i$. Once the value of $Q_i^{*}$ can be found in the table, $S{P}_j$ obtains $N_2^{*}=h(I{D}_i^{*}\left|\right|r_1^{*}) \oplus X_i$ and computes $M_i^{*}=E_s((I{D}_i^{*} \oplus r_2^{*})\left|\right|\left(h\right(I{D}_j\left|\right|s) \oplus I{D}_i^{*}\left)\right)$. Next, $S{P}_j$ chooses a random value with high entropy $r_3$ and generates a temporary key $k=h(r_1^{*} \oplus r_2^{*} \oplus I{D}_i^{*})$. After this, $S{P}_j$ gets the session key $SK=h(r_1^{*} \oplus r_2^{*} \oplus r_3 \oplus I{D}_i^{*})$. To authenticate $S{M}_i$, $S{P}_j$ calculates $M_2=E_k(M_i^{*}\left|\right|h(I{D}_i^{*}\left|\right|r_1^{*}\left|\right|r_2^{*}\left)\right|\left|\right(h((I{D}_i^{*} \oplus r_2^{*})\left|\right|r_1^{*}) \oplus r_3\left)\right)$ with the secret key k and returns $\left\{r_2\right\}$ to $S{M}_i$.
• $S{M}_i$ calculates $k^{*}=h(r_1 \oplus r_2 \oplus I{D}_i)$ and uses $k^{*}$ to decrypt $\left\{M_2\right\}$ that $D_{k^{*}}\left(M_2\right)=M_i^{**}\left|\right|h(I{D}_i^{**}\left|\right|r_1^{**}\left|\right|r_2^{**}\left)\right|\left|\right(h((I{D}_i^{**} \oplus r_2^{**})\left|\right|r_1^{**}) \oplus r_3^{*})$. Then, $S{M}_i$ checks whether $h(I{D}_i^{**}\left|\right|r_1^{**}\left|\right|r_2^{**})=h(I{D}_i\left|\right|r_1\left|\right|r_2)$ or not. If this verification is valid, $S{M}_i$ computes $r_3^{*}=\left(h\right((I{D}_i \oplus r_2)\left|\right|r_1) \oplus (h((I{D}_i^{**} \oplus r_2^{**})\left|\right|r_1^{**}) \oplus r_3^{*}$. Next, $S{M}_i$ computes $S{K}^{*}=h(r_1 \oplus r_2 \oplus r_3^{*} \oplus I{D}_i)$ and sends $M_3=h(S{K}^{*}\left|\right|r_3^{*})$ to $S{P}_j$.
• After receiving $M_3$ from $S{M}_i$, $S{P}_j$ checks whether $h\left(SK\right|\left|r_3\right)$ matches with $M_3$. If it holds, $S{P}_j$ displaces $(Q_i,Q_{i}o)$ with $(Q_{i}new,Q_i)$ where $Q_{i}new=h(s \oplus r_2 \oplus (I{D}_j\left|\right|I{D}_i^{*}\left)\right)$. Then, $S{P}_j$ calculates $M_4=h(r_1^{*}\left|\right|(r_2^{*} \oplus r_3))$ and returns $\left\{M_4\right\}$ to $S{M}_i$.
• $S{M}_i$ checks whether $h\left(r_1\right||(r_2 \oplus r_3^{*})=M_4)$. If this verification is valid, $S{M}_i$ replaces $(r_1,M_i)$ with $(r_2,M_i^{**})$. After that, $S{M}_i$ and $S{P}_j$ apply the session key $SK=S{K}^{*}$ into the communication.

3.2. Security Flaws of Zhang et al.’s Scheme

Under the assumption of the threat model in Zhang et al.’s scheme [22], an adversary is able to obtain either the service providers’ master key or ID, but not both. Unfortunately, in the smart grid, the attacker is likely to be a insider attack, which is introduced by Kumar et al. [4] in 2019. An insider attacker $\mathcal{A}$ can not only intercept messages through the channel, but also register as a legitimate user.

Next, we look into Zhang et al.’s scheme and show how an insider attacker attacks the scheme step by step using the identity of consumers and the master key s.

• Step 1. The attacker firstly registers to $S{P}_j$ as a legitimate user, and obtains his identity information $I{D}_A$, $r_{1A}$ and $M_A$ after successful registration. He/she can decrypt $M_A$ with key s to obtain $\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus I{D}_A)$, where $I{D}_A={I{D}_A}^{\prime }$. The phase is shown in Figure 3.
• Step 2. During the protocol process between a registered smart meter $S{M}_i$ and $S{P}_j$, the attacker intercepts $\{X_i,M_i\}$ sent by $S{M}_i$ to $S{P}_j$. Then, he/she decrypts the information $M_i$ with key s to obtain $({I{D}_i}^{\prime } \oplus {r_1}^{\prime })$ and $\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus {I{D}_i}^{\prime })$, where $I{D}_i={I{D}_i}^{\prime }$ generally.
• Step 3. The attacker computes $I{D}_i=\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus I{D}_i) \oplus (h({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus I{D}_A) \oplus I{D}_A$, where $\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus I{D}_i)$ comes from step 2 and $\left(h\right({I{D}_j}^{\prime }\left|\right|s^{\prime }) \oplus I{D}_A)$ comes from step 1. This phase is shown in Figure 4.

At this time, the attacker has successfully attacked the legitimate $S{M}_i$. The attacker may then use, but is not limited to, the following means of attacks.

• The loss of smart meter anonymity: Through Step 3 above, the attacker obtains $I{D}_i$ of legitimate $S{M}_i$, which directly leads to the loss of the user’s anonymity.
• Impersonate attack: The attacker can also obtain $r_1$ stored in $S{M}_i$ by calculating $r_1=({I{D}_i}^{\prime } \oplus {r_1}^{\prime }) \oplus I{D}_i$ and $M_i$ from the intercepted message. This means that all information $\{I{D}_i,r_1,M_i\}$ stored by $S{M}_i$ is obtained by the attacker. The attacker can impersonate $S{M}_i$ and communicate with $S{P}_j$.
• Session key compromise attack: If the attacker knows the information $\{I{D}_i,r_1,M_i\}$, he/she can compute $X_i=h(I{D}_i\left|\right|r_1) \oplus r_2$ and fake $S{M}_i$ by sending $\{X_i,M_i\}$ to $S{P}_j$. After receiving the message $\left\{M_2\right\}$ from $S{P}_j$, the attacker is able to execute all operations performed by $S{M}_i$ step by step, and gets the correct $S{K}^{*}$ and returns correct $M_3$ to $S{P}_j$.
• Permanent denial of service attack: Because the scheme uses a dynamic authentication table to verify $S{M}_i$’s identity, $S{M}_i$ will lose the ability of communication with $S{P}_j$ permanently when the attacker disguises $S{M}_i$ twice in succession. In abstract, this scheme only retains the current and last session credentials of $S{M}_i$ in the verification table of $S{P}_j$. Once the attacker successfully disguises $S{M}_i$ more than two times, the session credentials of $S{M}_i$ will expire, and this process is irreversible.

3.3. Reasons for the Weakness

The direct reason for the weakness of Zhang et al.’s scheme [22] is that $S{P}_j$ assigns the same information for all smart meters, which is used to meet the untraceability and the anonymity of smart meters. However, this also results in the consequence that $S{P}_j$ is unable to store the identity credentials used to distinguish different smart meters. To authenticate the smart meter $S{M}_i$ successfully, $S{P}_j$ has to know s and $h\left(I{D}_j\right|\left|s\right)$ for obtaining $I{D}_i$. Unfortunately, the insider attacker can also take advantage of this to obtain $S{M}_i$’s identity information, i.e., an attacker $\mathcal{A}$ obtains the certificate $h\left(I{D}_j\right|\left|s\right)$ at the time of his registration through his legal identity, and then uses $h\left(I{D}_j\right|\left|s\right)$ to obtain the authentication information of other SMs, and finally realizes the insider attack.

4. The Improved Scheme

To avoid the above insider attack, different SMs should have different authentication information. Note that the anonymity of the SM cannot be destroyed when distinguishing different SMs. Based on this analysis, this section presents an improved protocol, which involves two phases: a registration phase, and an authentication and key agreement phase.

Table 2. Symbols and notations in our scheme.

Symbols and Notations	Description
$S{M}_i,I{D}_i$	the ith smart meter and $S{M}_i$’s identity
$S{P}_j,I{D}_j$	the jth service provider and $S{P}_j$’s identity
K	service providers’ master secret key
$tk$	a temporary key between $S{M}_i$ and $S{P}_j$
$\left|\right|$	concatenating operation
⊕	exclusive OR
$h(\dot{)}$	a one-way hash function
$E_K$	Symmetric encryption using key K
$D_K$	Symmetric decryption using key K
$N_1,N_2,N_3,N_{SM}$	High entropy random numbers
$S_i$	$S{M}_i$’s unique identification stored in the table

lists the notations used in the improved scheme.

4.1. Registration Phase

Before $S{M}_i$ communicates with $S{P}_j$, $S{M}_i$ firstly applies to $S{P}_j$ for registration, as shown in Figure 5.

• The smart meter $S{M}_i$ firstly generates a random integer $N_1$. Then, $S{M}_i$ sends its identification $I{D}_i$ and $N_1$ to $S{P}_j$ via a secure channel.
• After receiving the message from $S{M}_i$, $S{P}_j$ computes $S_i=h(N_1 \oplus (I{D}_j\left|\right|I{D}_i) \oplus K)$, where K means the master key of the service providers. Next, $S{P}_j$ calculates $X_i=E_K((I{D}_i \oplus N_1)\left|\right|N_{SM}\left|\right|\left(\right(h(I{D}_j\left|\right|K\left|\right|N_{SM}\left)\right) \oplus I{D}_i\left)\right)$, where $N_{SM}$ is a high entropy random number generated for $S{M}_i$. Then, $S{P}_j$ stores $S_i$ into its dynamic verification table. The dynamic verification table is shown in Figure 6. There are two columns $S_1$ and $S_2$ in the table, and the values of both columns are blank at the beginning. When $S{M}_i$ is successfully registered, the generated $S_i$ will be stored in a new blank of column $S_1$. Each row in the table represents a registered smart meter. Finally, $S{P}_j$ returns $X_i$ to $S{M}_i$ securely.
• $S{M}_i$ receives $X_i$ from $S{P}_j$, and stores $\{I{D}_i,N_1,X_i\}$ into its own tamper-resistant device.

4.2. Authentication and Key Agreement Phase

When $S{M}_i$ attempts to set up a new session with $S{P}_j$, it needs to perform the following steps. The details of the whole session are shown in Figure 7.

• When $S{M}_i$ is willing to build the communication with the $S{P}_j$, $S{M}_i$ needs to produce a high entropy random number $N_2$ temporarily. After that, $S{M}_i$ calculates $Y_i=h(I{D}_i\left|\right|N_1) \oplus N_2$ and sends $\{X_i,Y_i\}$ to $S{P}_j$ through a public channel.
• $S{P}_j$ decrypts $M_i$ with its master key K where $D_K\left(X_i\right)=({I{D}_i}^{\prime } \oplus {N_1}^{\prime })\left|\right|N_{SM}\left|\right|\left(h\right({I{D}_j}^{\prime }\left|\right|K^{\prime }$$\left|\right|N_{SM}) \oplus {I{D}_i}^{\prime })$. Then, $S{P}_j$ can calculate $I{D}_i^{*}=h(I{D}_j\left|\right|K\left|\right|N_{SM}) \oplus h({I{D}_j}^{\prime }\left|\right|K^{\prime }\left|\right|N_{SM}) \oplus {I{D}_i}^{\prime }$, $N_1^{*}=I{D}_i^{*} \oplus {I{D}_i}^{\prime } \oplus {N_1}^{\prime }$ and $S_i^{*}=h(N_1^{*} \oplus K \oplus (I{D}_j\left|\right|I{D}_i^{*}\left)\right)$, and checks whether $S_i^{*}$ can be found in its dynamic verification table or not. If $S_i^{*}$ is found in $S_2$, $S{P}_j$ fills in the value of $S_2$ to $S_1$. Once the value of $S_i^{*}$ can be found in the table, $S{P}_j$ can obtain $N_2^{*}=h(I{D}_i^{*}\left|\right|N_1^{*}) \oplus Y_i$. Next, $S{P}_j$ chooses high entropy random numbers $N_3$ and $N_{SM}^{*}$. It can compute $X_i^{*}=E_K((I{D}_i^{*} \oplus N_2^{*})\left|\right|N_{SM}^{*}\left|\right|\left(h\right(I{D}_j\left|\right|K\left|\right|N_{SM}^{*}) \oplus I{D}_i^{*}\left)\right)$ and generate a temporary key $tk=h(N_1^{*} \oplus N_2^{*} \oplus I{D}_i^{*})$. After this, $S{P}_j$ can obtain the session key $SK=h(N_1^{*} \oplus N_2^{*} \oplus N_3 \oplus I{D}_i^{*})$. To authenticate $S{M}_i$, $S{P}_j$ calculates $Z_i=E_{tk}(X_i^{*}\left|\right|h(I{D}_i^{*}\left|\right|N_1^{*}\left|\right|N_2^{*}\left)\right|\left|\right(h((I{D}_i^{*} \oplus N_2^{*})\left|\right|N_1^{*}) \oplus N_3\left)\right)$ with secret key $tk$ and returns $\left\{Z_i\right\}$ to $S{M}_i$.
• $S{M}_i$ calculates $tk=h(N_1 \oplus N_2 \oplus I{D}_i)$ and uses $tk$ to decrypt $\left\{Z_i\right\}$ that $D_{tk}\left(Z_i\right)=X_i^{**}\left|\right|h(I{D}_i^{**}\left|\right|N_1^{**}\left|\right|N_2^{**}\left)\right|\left|\right(h((I{D}_i^{**} \oplus N_2^{**})\left|\right|N_1^{**}) \oplus N_3^{*})$. Then, $S{M}_i$ checks whether $h(I{D}_i^{**}\left|\right|N_1^{**}\left|\right|N_2^{**})=h(I{D}_i\left|\right|N_1\left|\right|N_2)$ or not. If this verification is valid, $S{M}_i$ can compute $N_3^{*}=\left(h\right((I{D}_i \oplus N_2)\left|\right|N_1) \oplus (h((I{D}_i^{**} \oplus N_2^{**})\left|\right|N_1^{**}) \oplus N_3^{*}$. Next, $S{M}_i$ computes $S{K}^{*}=h(N_1 \oplus N_2 \oplus N_3^{*} \oplus I{D}_i)$ and sends $P_i=h(S{K}^{*}\left|\right|N_3^{*})$ to $S{P}_j$.
• After receiving message $P_i$ from $S{M}_i$, $S{P}_j$ makes a check on whether $h\left(SK\right|\left|N_3\right)$ matches with $P_i$. If it holds, $S{P}_j$ displaces $(S_1,S_2)$ with $(S_{i}new,S_1)$ where $S_{i}new=h(K \oplus N_2 \oplus (I{D}_j\left|\right|I{D}_i^{*}\left)\right)$. Then, $S{P}_j$ calculates $Q_i=h(N_1^{*}\left|\right|(N_2^{*} \oplus N_3))$ and returns $\left\{Q_i\right\}$ to $S{M}_i$.
• $S{M}_i$ checks whether $h\left(N_1\right||(N_2 \oplus N_3^{*})=Q_i)$. If this verification is valid, $S{M}_i$ replaces $(N_1,X_i)$ with $(N_2,X_i^{**})$. After that, $S{M}_i$ and $S{P}_j$ apply the session key $SK=S{K}^{*}$ in the communication.

5. Security Analysis of the Improved Scheme

5.1. Formal Security Analysis

This section presents the rigorous security analysis of the improved scheme in formal. First, the security model of the protocol is proposed.

Security Model

Suppose the attacker can control the messages transmitted on all public channels and obtain all public parameters. An attacker cannot obtain secret information (for example, information in the tamper-resistant device), but can obtain some leaked information (for example, either the SP’s master key or the SP’s identity). There are two kinds of identity, i.e., the smart meters’ identities and the service providers’ identities, where $S{M}_i$ is for a smart meter’s identity and $S{P}_j$ is for a service provider’s identity. The improved protocol’s security is proved in the real-or-random oracle model, and the details are represented by O. E is used to represent $S{M}_i$ or $S{P}_j$.

• Execute ($S{M}_i$, $S{P}_j$): This module is built to simulate a passive attack. An attacker can obtain all messages sent by $S{M}_i$ and $S{P}_j$ through this operation.
• Send (E, M): This operation aims at simulating an active attack. An attacker can send message M to any $S{M}_i$ or $S{P}_j$, and $S{M}_i$ or $S{P}_j$ would perform corresponding steps according to the protocol. The corresponding information would also be returned to the attacker.
• Corrupt (E): This operation is applied to simulate the forward security. The attacker can obtain the leaked long-term secret information, such as $S{P}_j$’s master key or $S{P}_j$’s identity (but not both).
• Test (E): This operation is used to return the session key or a randomly generated key. This response depends on a random bit b. If b is equal to 1, the query returns the session key; if b equals 0, the query returns a random key.

Semantic security: An attacker $\mathcal{A}$ can perform several test (E) operations. Each time, a key is obtained based on the result of b. This process indicates that the attacker distinguishes between the session key and the random key. $Pr\left[Success\right]$ is the probability of the attacker to be the game winner, which is expressed as follows:

$$Ad{v}_{\mathcal{A}}^{ake}=|2Pr\left[Succ\right]-1|$$

Now we will prove that in the improved protocol, the attacker’s advantage is non-negligible. We first show the difference lemma [38].

Lemma 1 

(Difference Lemma). Let X, Y and Z represent the events defined in some probability distribution. If $X\wedge \neg Z\iff Y\wedge \neg Z$, $\left|Pr\right[X]-Pr[Y\left]\right|\le Pr\left[Z\right]$.

Theorem 1. 

Let $Ad{v}_{\mathcal{A}}^{se}$ represent the advantage of $\mathcal{A}$ in breaking the symmetric cipher algorithm, and l represent a security parameter. Let $q_{send}$ and $q_c$ represent the upper limit of hash queries when simulating an active attack and guessing key $tk$, respectively. The advantage of $\mathcal{A}$ breaking the semantic security is

$$Ad{v}_{\mathcal{A}}^{ake}\le 2Ad{v}_{\mathcal{A}}^{se}+(q_c^2+3q_{send}^2)/2^l$$

Proof. 

We define the sequence of games $G{M}_0$ to $G{M}_3$. Let $Suc{c}_i$ be the event that $\mathcal{A}$ guesses bit b for $G{M}_i$ in the test session successfully. The games $G{M}_0$ to $G{M}_3$ are presented as follows.

Game $G{M}_0$: This game is related to the real attack under the random oracle model. Therefore

$$Ad{v}_{\mathcal{A}}^{ake}=2|Pr\left[Suc{c}_0\right]-1/2|$$

Game $G{M}_1$: We query $Execute$ oracles several times to simulate $\mathcal{A}$’s eavesdropping attack. Because all messages are encrypted symmetrically or hashed, these operations cannot make $\mathcal{A}$ obtain more useful information. Thus $\mathcal{A}$ cannot extend the advantage of winning game $G{M}_1$. Therefore

$$Pr\left[Suc{c}_0\right]=Pr\left[Suc{c}_1\right]$$

Game $G{M}_2$: We query $Send$ and $Hash$ oracles to simulate $\mathcal{A}$’s active attack. It is impossible for $\mathcal{A}$ to find the collisions of $Y_i/P_i/Q_i$ in the way of making queries, or decrypting the information of $X_i/Z_i$ without key $K/tk$. Hence there is no collision when querying $Send$ oracles. Due to the birthday paradox, we obtain

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le Ad{v}_{\mathcal{A}}^{se}+3q_{send}^2/2^{l+1}$$

Game $G{M}_3$: This game aims at simulating forward security using the $Corrupt$ oracle query. Even if $\mathcal{A}$ is lucky enough to find the correct hash collision value, he still needs to find a way to obtain the long-term stored key K and the temporarily generated $tk$. Thus, $\mathcal{A}$ has to query the $Corrupt$ and Hash Oracle, and we have

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le q_c^2/2^{l+1}$$

$\mathcal{A}$ cannot receive any useful messages since all the oracles have been simulated. At this point, $\mathcal{A}$ has half the chance to guess the correct value of b, so the probability to win $G{M}_3$ is:

$$Pr\left[Suc{c}_3\right]=\frac{1}{2}$$

As a result, the final output performs as follows:

$$Ad{v}_{\mathcal{A}}^{ake}\le 2Ad{v}_{\mathcal{A}}^{se}+(q_c^2+3q_{send}^2)/2^l$$

The semantic security of the improved protocol is proved completely. □

5.2. Informal Security Analysis

This subsection contains an informal security analysis to show that the improved protocol can resist various attacks from both outsider and insider attackers.

5.2.1. Insider Attack

As mentioned in Section 2, an attacker $\mathcal{A}$ may have a legitimate identity. Even if $\mathcal{A}$ obtains the master key K of the service provider, $\mathcal{A}$ cannot pretend to be another consumer in the improved protocol, since $N_{SM}$ is stored in $X_i=E_K((I{D}_i \oplus N_1)\left|\right|N_{SM}\left|\right|\left(\right(h(I{D}_j\left|\right|K\left|\right|N_{SM}\left)\right)$$\oplus I{D}_i\left)\right)$ during the registration phase, and $\left(h\right(I{D}_j\left|\right|K\left|\right|N_{SM})$ generated by each consumer is different. Although $N_{SM}$ can be obtained when decrypting $X_i$ with key K, $\left(h\right(I{D}_j\left|\right|K\left|\right|N_{SM})$ cannot be calculated without $I{D}_j$ or K at the same time. In addition, $S{P}_j$ still does not store $S{M}_i$’s ID so it still meets $S{M}_i$’s non-traceability.

5.2.2. De-Synchronization Attack

Our scheme can resist de-synchronization attacks with a dynamic verification table. If $\mathcal{A}$ intercepts message $X_i,Y_i$, $Z_i$ or $P_i$, $S{M}_i$’s unique identification in the table is not updated, and $S{M}_i$ can perform the authentication phase again. Suppose that $\mathcal{A}$ intercepts message $Q_i$ sent by $S{P}_j$ and $S_1$ of the dynamic verification table has been updated, while the last unique identification is also stored in $S_2$. Once $S{M}_i$ has not received the confirmation message within the limited time, it can still use the last unique identification to authenticate, which can be found in $S_2$.

5.2.3. Replay Attack

If $\mathcal{A}$ wants to replay messages $\{X_i,Y_i\}$ sent by $S{M}_i$, it can pass the first step of $S{P}_j$’s verification. However, after receiving message $Z_i$ returned by $S{P}_j$, $\mathcal{A}$ cannot generate $tk=h(N_1^{*} \oplus N_2^{*} \oplus I{D}_i^{*})$. The attacker will not succeed in replaying message $P_i$, because $N_3$ generated by $S{P}_j$ is different each time. If $\mathcal{A}$ wants to replay the messages $Z_i$ and $Q_i$ sent by $S{P}_j$, $S{M}_i$ will find that $h\left(I{D}_i\right|\left|N_1\right|\left|N_2\right)$ and $h\left(N_1\right|\left|(N_2 \oplus N_3^{*})\right)$ are not the same, since $N_2$ is randomly generated by $S{M}_i$ for each session.

5.2.4. Man-in-the-Middle Attack

The messages sent by $S{M}_i$ and $S{P}_j$ are processed by hash function or symmetrically encrypted. Even if $\mathcal{A}$ obtains the master key K, he can only decrypt the first message $X_i$ sent by $S{M}_i$ and cannot obtain other useful information. Because of the anonymity of $S{M}_i$, $\mathcal{A}$ cannot obtain $I{D}_i$ of $S{M}_i$. The random number $N_1$ is also not be obtained because the tamper-resistant device prevents its leakage. Therefore, even if the attacker modifies the message, $\mathcal{A}$ cannot mount a Man-in-the-middle attack.

5.2.5. Impersonation Attack

In the impersonation attack, we consider an adversary $\mathcal{A}$, who can monitor the public network and capture the message $\{X_i,Y_i,Z_i,P_i,Q_i\}$ transferred on an insecure channel. We consider two cases.

• SM impersonation attack. If adversary $\mathcal{A}$ wants to impersonate the SM, he must forge the message $\{X_i,Y_i,P_i\}$ to have the SP believe that the message is legal. However, $\mathcal{A}$ must know secret parameters such as $I{D}_i,N_1,N_3$ in order to produce the messages as legal. Due to the lack of knowledge of these parameters, the adversary cannot implement the SM impersonation attack.
• SP impersonation attack. If the adversary $\mathcal{A}$ wants to impersonate SP, it needs to forge the message $\{Z_i,Q_i\}$. The generation of the message requires SP’s long-term secret as auxiliary material which the adversary cannot learn. Therefore, the improved scheme can resist the impersonation attack.

5.2.6. Anonymity and Untraceability

The purpose of anonymity is to prevent the adversary, who can intercept messages in an insecure channel, from obtaining the actual ID of the smart grid. At a higher level, the adversary cannot find any relationship among sessions of one entity. In the improved scheme, all the transmitted messages are $\{X_i,Y_i,Z_i,P_i,Q_i\}$. The ID of SM is sent over the insecure channel with the use of a hash function. Therefore, the adversary cannot derive the actual ID from the transmitted messages. Furthermore, each communicated message is dynamically changed by involving random numbers. The adversary also fails to trace the participants.

5.2.7. Perfect Forward Secrecy

This property means even if the long-term secret parameters of both entities are leaked, it will not lead to the previous session key being compromised. In our protocol, if the long-term secret parameters of SM and SP are compromised, the adversary needs to know the ephemeral secret to compute. Due to the lack of the knowledge of the ephemeral secret, the session key remain secure.

6. Performance Analysis

How to improve security without affecting the efficiency is one of the goals of improving the protocol. This section presents a comparison between the improved protocol and four other protocols proposed recently for smart grids [19,20,21,22,27], in terms of functionality, computation efficiency and the communication efficiency.

6.1. Security and Functionality Analysis

Table 3. Security and functionality comparison table.

	F1	F2	F3	F4	F5	F6	R1	R2	R3	R4	R5	R6
[19]	YES	YES	YES	NO	NO	YES	YES	YES	YES	/	/	YES
[20]	YES	YES	YES	NO	NO	YES	YES	YES	YES	/	YES	YES
[21]	YES	YES	YES	YES	/	YES	YES	YES	NO	/	/	YES
[22]	YES	YES	YES	NO	YES	YES	YES	YES	YES	YES	NO	YES
[27]	YES	YES	YES	YES	YES	YES	YES	YES	YES	NO	YES	YES
our scheme	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES

shows the comparison of security and functionality, where $F1$ denotes mutual authentication, $F2$ denotes session-key security, $F3$ denotes message integrity, $F4$ denotes smart meters’ anonymity, $F5$ denotes perfect forward secrecy, $F6$ denotes smart meters’ untraceability, $R1$ denotes the ability to resist replay attack, $R2$ denotes resistance to man-in-the-middle attack, $R3$ denotes resistance to impersonation attack, $R4$ denotes resistance to de-synchronization attack, $R5$ denotes resistance to insider attack and $R6$ denotes resistance to stolen verifier attack.

From Table 3, it can be seen that the improved scheme can meet the basic functionality and security requirements. In terms of functionality, our scheme can guarantee mutual authentication, session-key security, message integrity, perfect forward secrecy, smart meters’ anonymity and untraceability. In terms of security, our scheme can resist replay attacks, man-in-the-middle attacks, impersonation attack, de-synchronization attacks, insider attacks and stolen verifier attacks. In addition, some protocols do not consider insider attackers [19,21,22]. Some schemes [19,20,22] do not provide smart meters’ anonymity, while some [19,20,21,27] cannot resist de-synchronization attacks. To summarize, our improved protocol has advantages in security and functionality.

6.2. Computation Overhead Analysis

Only the authentication and agreement phase is compared when analyzing the computation cost, since this phase is the main part of the scheme. The executions of the concatenating operation and OR operation are not considered, because the time of these executions is negligible. Let $T_h$ denote the computation time for the one-way hash function, $T_e$ denote the computation time for symmetric encryption operation, $T_d$ denote the computation time for a symmetric decryption operation, $T_{HMAC}$ denote the computation time for the hash-based message authentication code (HMAC) operation, $T_a$ denote the computation time for point addition of elliptic curve and $T_m$ denote the computation time for the point multiplication of the elliptic curve. According to the literature of Abbasinezhad-Mood et al. [39], we have that $T_h$ takes 0.0023 ms, $T_e$ takes 0.0046 ms, $T_d$ takes 0.0046 ms, $T_{HMAC}$ takes 0.0046 ms, $T_a$ takes 0.0288 ms and $T_m$ takes 2.226 ms. Let $C1$ denote the computation cost in the smart meter, $C2$ denote the computation overhead in the service provider phase and $C3$ denote the total costs.

Table 4. Computation cost comparison table.

	[19]	[20]	[21]	[22]	[27]	Our Scheme
$C1$	3$T_h$+ 2$T_m$ =	3$T_h$ + 2$T_m$ =	3$T_h$ + 2$T_m$ + $T_e$ + $T_d$ +	7$T_h$ + 1$T_d$ =	4$T_h$ + $T_e$ + $T_d$ + 3$T_m$	7$T_h$ + 1$T_d$ =
	4.4589 ms	4.4589 ms	$2T_{HMAC}$ = 4.4773 ms	0.0207 ms	= 6.7796 ms	0.0207 ms
$C2$	4$T_h$ + 3$T_m$ =	2$T_h$ + 3$T_m$ + $T_a$	4$T_h$ + 3$T_m$ + $T_e$ + $T_d$ +	9$T_h$ + 2$T_e$ + $T_d$	3$T_h$ + $T_e$ + $T_d$ + 3$T_m$	9$T_h$ + 2$T_e$ + $T_d$
	6.6872 ms	= 6.7114 ms	2$T_{HMAC}$ = 6.7056 ms	= 0.0345 ms	= 6.7772 ms	= 0.0345 ms
$C3$	11.1461 ms	11.1703 ms	11.1829 ms	0.0552 ms	13.5568 ms	0.0552 ms

shows the computational cost including the improved protocol and other ones.

It can be seen from Table 4 that the computation cost of the improved protocol at the smart meter is $C_1=7T_h+1T_d$, i.e., the smart meter needs to execute seven one-way hash function operations and an encryption operation. In addition, the service provider’s computation overhead is $C_2=9T_h+2T_e+1T_d$. The total cost is $C_3=16T_h+2T_d+2T_e$, which is less computation resources than the protocols using the elliptic curve [19,20,21,27]. The new protocol has the same computation efficiency as the original protocol [22]. Both of them are 0.0552 ms. Since these two protocols have a great improvement in computation cost compared with the known protocols [19,20,21,27], our proposed protocol is still lightweight in terms of computational overhead level.

6.3. Communication Overhead Analysis

This subsection discusses the communication cost of the improved protocol. Suppose the hash function used in the improved protocol is SHA1 and the symmetric encryption algorithm is AES-128. The output of the hash function is 20 bytes (160 bits), the output of a 128 bit AES is based on the input of the plaintext, and the random number is 128 bits long. Similarly, a point of the elliptic curve is assumed to be 40 bytes (320 bits).

Let $C4$ denote the communication cost in the authentication and key agreement phase.

Table 5. Communication cost comparison table.

	[19]	[20]	[21]	[22]	[27]	Our Scheme
$C4$	248 bytes	298 bytes	254 bytes	204 bytes	248 bytes	236 bytes

shows the communication cost including the improved protocol and others.

Table 5 shows that the communication cost of these protocols are relatively close, ranging from 200 bytes to 300 bytes. The new protocol has a communication cost of 236 bytes, which is a little higher than the original protocol [22]. However, it is still less than the communication cost of protocols [19,20,21,27]. In other words, this communication cost is acceptable in smart grids.

To sum up, the improved protocol obtains the strongest security against both the outsider attacker and the insider attacker, and is the only one obtaining all security properties. In terms of the computation efficiency and the communication efficiency, the improved protocol has low computational cost and communication cost compared with the lightweight schemes, thus is very suitable for the smart grid with limited computing resources.

7. Conclusions

In this paper, we analyzed the security of Zhang et al.’s protocol [22] and showed that their protocol is not secure enough to prevent an impersonation attack against an insider attacker, since different SMs hold the same confidential information. To address the flaws, we proposed an improved protocol which allows SMs and SPs to authenticate each other and establish a session key securely. Moreover, we verified the security of the improved protocol using the ROR model. By conducting an informal security analysis, we demonstrated that the new protocol is secure against various attacks from both outsider and insider attackers. In terms of the computation cost and communication cost, the improved protocol has almost the same efficiency as Zhang et al.’s protocol, while providing enhanced security. Furthermore, the proposed protocol has a significantly lower computational cost compared to the other protocols, which is well suited to smart grid environments where smart meters are resources-constrained. The limitation of our protocol is that it is not suitable in general communication models, except wireless ones. In addition, our protocol has no significant advantage over existing schemes in terms of communication cost. We will consider these two limitations in our future work.