 Research
 Open Access
 Published:
Lightweight authentication protocol in edgebased smart grid environment
EURASIP Journal on Wireless Communications and Networking volumeÂ 2021, ArticleÂ number:Â 68 (2021)
Abstract
A smart grid (SG) is an advanced power grid system deployed in a cloud center and smart meters (at the consumer end) that provides higher reliability, better data protection, improved power efficiency, automatic monitoring, and effective management of power consumption. However, an SG also poses certain challenges that need to be addressed. For example, data provided by a smart meter are timesensitive and cannot handle high latency in an SG. Moreover, a smart meter depends on memory, energy, and other factors. Besides, the security between a cloud center and a smart meter is a critical issue that needs to be resolved. Edge computing, an extension of cloud computing deployed in an edge network between a cloud center and the end devices, is an efficient solution to the aforementioned issues. Therefore, in this study, we propose a secure mutual authentication protocol based on edge computing for use in an SG.
1 Introduction
A traditional power grid provides four primary operations: power generation, electricity transmission, electricity distribution, and electricity management. Currently, with the rapid development of IoT, the electricity demand has significantly increased; however, the infrastructure used by traditional grids cannot sustain such high electricity demands. Then, the Smart Grid (SG) was developed. SG is an advanced electricity grid that uses a twoway flow of electricity and information, which differs from a traditional electricity infrastructure, providing more efficiency, protected data submissions, and a secure channel between a smart meter (SM) and service provider (SP). The remarkable advantages of SG include monitoring the electricity consumption of the endusers with different approaches in real time [1]. In general, SG infrastructure comprises three components: inhouse deployed SMs, SPs in substations, and a control center (CC) in the cloud [2,3,4,5,6,7].
FigureÂ 1 shows a typical infrastructure o SG. SM is used to monitor consumersâ€™ energy consumption and send the processed data to SP, which likely contains the consumersâ€™ private information. SP offers services and electricity to consumers. CC processes, handles, and manages the sensors, SM, and actuatorsâ€™ resources and stores the data in a cloud computing data center. However, with an increasing number of IoT (enduser) devices, an SG based on cloud computing cannot meet such requirements.
On the other hand, in 2012, Cisco specified certain disadvantages of cloud computing, including a high latency, low mobility support, and low location awareness. As a result, the company proposed the concept of fog computing [8], which is a type of edge computing as previously mentioned, as an extension of cloud computing [9,10,11]. An edge layer is employed between the end devices and the cloud center; in addition, each end device is directly connected to the edge nodes, and the edge nodes are interconnected, each linked to the cloud [12]. The edge nodes in edge computing consist of certain devices with limited computation power, such as switches, routers, mobile devices, and idle servers. The main role of an edge node is to collect and process the data from the end devices, issue control commands to the actuators, locally filter the data, and send the remaining data to the cloud center [13, 14]. Edge computing has the following characteristics [15]. First, with the rapid development of mobile devices, it is important for the edge nodes to directly communicate with these devices, such as mobile phones, mobile sensors, and moving cars. Second, the batch process used in cloud computing cannot facilitate realtime interactions; however, with large numbers of edge nodes deployed in distributed locations, edge computing can provide realtime interactions. Third, the edge nodes used in edge computing are distributed in different places. Although the computational abilities of the edge nodes are limited, use of a large number of nodes can solve this problem, for example, by using an SG or a smart vehicle network. Finally, in edge computing, the edge nodes are deployed in different places closer to the endusers. Cloud computing applies a centralized architecture, in sharp contrast to the distributed edge architecture.
As previously mentioned, edge computing is an extension of cloud computing, which provides numerous advantages over the cloud computing infrastructure. In recent years, many researchers have attempted to extend the edge computing infrastructure for applications based on cloud computing [1, 16,17,18,19]. In this study, we extended the infrastructure of edge computing to an SG, which is different from the case of a traditional SG. The advantage of an edgecomputing based SG over a traditional SG includes minimum latency, providing services to resourceconstrained devices, reduced stress on the cloud center, and preprocessing of unimportant data.
It is necessary to extend edge computing to an SG; however, the deployment of an SM is unsafe, and the meter needs to be protected by a physical lock to avoid a possible attack by an adversary. An adversary can obtain the data stored in an SM and pose as an SG to communicate with the SPs or consumers. Therefore, secure communication between the SG and SP is extremely important. A key agreement and mutual authentication protocol are efficient solutions to solving this problem. Several studies have also proposed protocols related to SGs [20,21,22,23,24]. However, a mutual authentication protocol for an SG based on the use of edge computing has yet to be proposed. An SG requires realtime data transmission. Addition of edge nodes to an SG can guarantee a low latency and realtime data response. We, therefore, propose a protocol based on edge computing for use in such a grid.
1.1 Contributions
The contribution of this paper is listed as follows.

1.
We propose a secure and lightweight key exchange and mutual authentication protocol for an edgebased SG environment. Our design uses oneway hash functions, XOR computations, and an elliptic curve cryptosystem (ECC) instead of another heavy cryptography functions.

2.
We provide a formal proof to demonstrate the security of the proposed protocol. Besides, we use Burrowsâ€“Abadiâ€“Needham (BAN) logic to guarantee the security of our design. Furthermore, we describe the proposed protocol is secure against various kinds of attacks.

3.
We present a performance evaluation/comparison of our protocol.
1.2 Organization
The remainder of this paper is organized as follows. SectionÂ 2 briefly presents the recent studies related to the security of an SG. In Sect.Â 3, we present an adversary model. The details of the proposed protocol are presented in Sect.Â 4. To establish the security of the proposed protocol, a security analysis is presented in Sect.Â 5, concluding with a formal security analysis using formal proof and BAN logic. SectionÂ 7 further discusses the proposed protocol is secure against various kinds of attacks. A comparison and performance analysis is provided in Sect.Â 7. Finally, some concluding remarks are presented in Sect.Â 8.
2 Related literature
With the emergence of an SG in 2001, numerous researchers have worked on ensuring security in an SG. Hassan et al. [25] encountered several problems with the use of an SG. For instance, owing to uncertainties in system planning and maintenance, it is challenging to predict realtime system controls. Besides, communication between system operators in a CC is another problem that needs to be considered. Moreover, the lack of predictive control signals for operating the devices and lack of energy storage devices also affect the deployment of SMs. In 2010, Ericsson [26] pointed out that the essential aspects of an SG infrastructure are cybersecurity and power system communication (PSC). Also, information security has become increasingly important because the deployment occurs in an exoteric and integrated energy management system instead of through isolated automation as previously applied. Moreover, with the development of the Internet, attackers can steal data from an SM and a cloud center.
To ensure the information security of an SG, researchers have proposed several security mechanisms. Kim et al. [27] proposed a security mechanism based on an SG according to the security requirements of remote meters using powerline communication (PLC), including authentication and key sharing between devices, as well as revocation management of the remaining devices. However, the SM server used in this mechanism demands authentication of all nodes, which may cause heavy stress on the SM server. When numerous devices are added to an SG environment, the mechanism will become overburdened. For the purpose of efficient resource management and information security, some researchers have begun adding edge computing to an SG; for instance, Zahoor et al. [1] introduced a new SG model based on edge computing for resource management. The proposed model is based on an edgecloud hierarchical infrastructure to separate the role of the cloud, providing different types of services to consumers. Compared with a traditional SG model, the proposed approach can improve the response time for effective resource utilization and reduce the latency. In 2016, Nazmudeen et al. [28] proposed a distributed data aggregation method based on an edgecomputing architecture, limiting the amount of data sent to the centralized storage space, thereby improving the capacity of the PLC without affecting its functionality.
Although edge computing solves the problems inherent to cloud computing, information security, i.e., the security of a transmitted message through an insecure channel, is vital in an SG. A mutual authentication protocol can guarantee the security of intercommunication. In recent years, some mutual authentication protocols have been proposed to ensure the security between parties [29,30,31,32].
Zhang et al. [23] designed an authentication protocol based on elliptic curve cryptography for an SG, which can provide privacy protection. The authors claimed that the protocol has the advantages of identity protection, mutual authentication, and key agreement. However, after analyzing the protocol, we found that it cannot resist an impersonation attack on an SM or SP or a replay attack. Tsai et al. [22] proposed a new anonymous key distribution scheme in an SG environment using identitybased signature schemes and identitybased encryption schemes. The advantages of the scheme include a trusted authority separate from the authentication phases and direct access of an SM to the SP without a trusted authority, which can lower the computation time. However, the proposed protocol is still vulnerable, cannot withstand a privileged insider attack, and provides imperfect forward secrecy.
3 Method
In this section, we first introduce the infrastructure of a smart grid based on edge computing. Then, we describe the adversary model used in this paper.
3.1 Edge computing infrastructure for smart grid
In this study, we proposed a protocol based on edge computing for an SG. Our SG infrastructure based on edge computing is shown in Fig.Â 2. An edge layer is used to join the infrastructure, acting as an SP in an SG. The cloud is separated to handle data from the edge layer and transmit them to the CC. This infrastructure using different SPs from the macrogrids, which can reduce the burden of the cloud, integrates the main capacities of the cloud to communicate with the CC and management control.
In our protocol, edge nodes act as SPs that can quickly process the data and authenticate an SM. Because of the limited computations of the edge nodes and SM, the proposed protocol only uses an ECC and a oneway hash function for encrypting the parameters. Our protocol comprises the following phases.
3.2 Adversary model
Before introducing our proposed protocol, it is important to describe the adversary model applied. A polynomial time adversary Adv has full control over the insecure network traffic desires to break the security of the proposed scheme. Adv may control limited/completed messages transmitted over an insecure channel, such as intercepting, modifying, and deleting the transmitted message. Adv can extract the security parameters stored in a smart card using a power analysis technique. Adv can try to obtain sensitive information (e.g., passwords) using offline password guessing attacks. The gola of Adv is to achieve one of the following.

Compute the session key after a successful run of the authentication scheme.

Compute the longterm secret key of the server.

Have the server falsely accept an authentication scheme when they are not communicating with a legitimate entity.
4 Proposed protocol
Herein, we describe the proposed protocol, which consists of three phases, an edge node registration phase, an SM registration phase, and a login and authentication phase. TableÂ 1 summarizes the notations used in our proposed protocol.
4.1 Edge node registration phase
If an edge node \(ES_j\) wants to join the system, the edge node registration phase is applied. This phase is shown in Fig.Â 4 and is described as follows:

(i)
\(ES_j\) first selects an identity \(SID_j\) and transmits \(\{SID_j\}\) to TA through a secure channel.

(ii)
After receiving the above messages, TA checks the validity of \(ES_j\). Then, TA computes \(RSID_j\) = \(H(SID_j  s)\), stores \(\{SID_j, RSID_j\}\) in the database of TA, and transmits \(\{RSID_j\}\) back to \(ES_j\) through a secure channel.

(iii)
\(ES_j\) stores \(\{RSID_j\}\) in its database.
4.2 Smart meter registration phase
The SM registration phase (Fig.Â 3) is executed if an SM registers with TA. We assume that an SM, whose identity is \(ID_i\), wants to join this system, and there are n edge nodes, denoted as \(ES_1, \ldots , ES_n\), that have been previously registered. The following steps are conducted.

(i)
SM selects identity \(ID_i\) and a random number \(r_i\), and then transmits \(\{ID_i,r_i\}\) to the trusted authority TA through a secure channel.

(ii)
After receiving the message from SM, TA first finds all values of \(RSID_j\) stored in the database where \(1 \le j \le n\). Next, TA computes \(A_j\) = \(H(ID_i  RSID_j)\), \(BAu_j\) = \(A_j \oplus H(ID_i  r_i)\), \(C_j\) = \(H(SID_j  RSID_j)\) and \(DAu_j\) = \(C_j \oplus H(ID_i  r_i)\), and then transmits \(\{SID_j, BAu_j, DAu_j, H(\cdot )\}\) back to SM through a secure channel.

(iii)
The SM computes \(SID_{j}^{*}=SID_j\oplus H(ID_ir_i)\), \(BAu_{j}^{*}=BAu_j\oplus H(ID_ir_i)\), \(DAu_{j}^{*}=SID_j\oplus BAu_j\oplus DAu_j\) and stores \(\{SID_{j}^{*}, BAu_{j}^{*}, DAu_{j}^{*}, H(\cdot )\}\) into memory.
4.3 Login and authentication phase
When a legal SM wants to log in and communicate with \(ES_j\), the SM needs to authenticate \(ES_j\) and establish a session key with \(ES_j\) using the following steps.

(i)
The SM first enters its identity \(ID_i\) and \(r_i\), and then computes \(SID_j=SID_{j}^{*}\oplus H(ID_ir_i)\), \(BAu_j=BAu_{j}^{*}\oplus H(ID_ir_i)\), \(DAu_j=SID_j\oplus BAu_j\oplus DAu_{j}^{*}\), and \(C_j=DAu_j\oplus H(ID_ir_i)\). Next, SM generates the current timestamp \(T_i\) and calculates \(E_i=ID_i\oplus H(C_jT_i)\). In addition, SM then generates a random number \(n_i\), computing \(N_i=n_iP\), \(A_j=BAu_j\oplus H(ID_ir_i)\), \(F_i=H(ID_iA_j)\), \(G_i=F_i\oplus N_i\), and authentication parameter \(M_1=H(ID_iF_iN_iT_i)\), sending \(\{E_i,G_i,M_1,T_i\}\) to \(ES_j\) through an unsecure channel.

(ii)
After receiving the message from SM, \(ES_j\) calculates \(C_{j}^{'}=H(SID_jRSID_j)\), \(ID_{i}^{'}=E_i\oplus H(C_{j}^{'}T_i)\), \(A_{j}^{'}=H(ID_{i}^{'}RSID_j)\), \(F_{i}^{*}=H(ID_{i}^{'}A_{j}^{'})\), \(N_{i}^{'}=F_{i}^{'}\oplus G_i\), and \(M_{1}^{'}=H(ID_{i}^{'}F_{i}^{'}N_{i}^{'}T_i)\), and then checks the validity of \(M_1\) to verify if SM is legal. If so, \(ES_j\) generates a random number \(n_j\) and current timestamp \(T_j\), and then computes \(N_j=n_jP\), \(M_2=H(A_{j}^{'}C_{j}^{'}N_jT_j)\), \(I_j=H(C_{j}^{'})\oplus N_{i}^{'}\), \(K_j=I_j\oplus N_j\), and the session key \(SK_{ji}=H(ID_{i}^{'}A_{j}^{'}n_jN_{i}^{'})\), and transmits the message \(\{M_2,K_j,T_j\}\) to SM.

(iii)
When SM receives the messages from \(ES_j\), SM first computes \(I_{j}^{'}=H(C_j)\oplus N_i\), \(N_{j}^{'}=I_{j}^{'}\oplus K_j\), and \(M_{2}^{'}=H(A_jC_jN_{j}^{'}T_j)\), and then checks the validity of \(ES_j\) by checking whether \(M_{2}^{'}=M_2\). If so, SM computes the session key \(SK_{ij}=H(ID_iA_jn_iN_{j}^{'})\), which means that SM and \(ES_j\) can securely communicate with each other.
The SM login and authentication phase is illustrated in Fig.Â 5.
5 Security analysis of the proposed protocol
In this section, we first provide a formal proof of the proposed protocol. Then, we further evaluate the security of the proposed protocol with BAN logic.
5.1 Formal proof
Here, we prove the security of the proposed protocol under the RealOrRandom (ROR) model. In the introduction section, we have defined the capabilities of the adversary [2]. Assume that \(I_{SM}^{x}\), \(I_{ES}^{y}\), and \(I_{TA}^{z}\), respectively, represent the xth instance of \(SM_s\), the yth instance of \(ES_j\), and the zth instance of TA. The adversary \({\mathcal{A}}\) can initiate the following queries.

\(Execute({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and can obtain the messages \(\{E_i, G_i,M_1,T_i\}\) and \(\{M_2,K_j,T_j\}\), where \({\mathcal{O}}=\{I_{SM}^{x}, I_{ES}^{y},I_{TA}^{z}\}\).

Hash(string): \({\mathcal{A}}\) executes the query and can get the hash value of the input parameter string.

\(Send({\mathcal{O}},M)\): \({\mathcal{A}}\) executes the query, sends the message M to \({\mathcal{O}}\), and can receive the corresponding response.

\(Corrupt({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and can obtain a secret value, such as the longterm private key, temporary information, etc.

\(Test({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and judges the correctness of the session key by flipping a coin \({\mathcal{C}}\). If the result is \({\mathcal{C}}=1\), \({\mathcal{A}}\) will receive the correct session key returned; if the result is \({\mathcal{C}}=0\), \({\mathcal{A}}\) will receive a random string.
Definition 1
(Elliptic Curve Discrete Logarithm Problem (ECDLP)). Assuming that \({\mathcal{E}}\) is an elliptic curve generation group. Given points, P and aP, where P belongs to \({\mathcal{E}}\) and a belongs to \(F_p\), it is computationally infeasible to obtain a. In polynomial time \(\xi\), the probability of an adversary \({\mathcal{A}}\) solving this problem is defined as: \(Adv_{{\mathcal{A}}}^{ECDLP}(\xi )=Pr[{\mathcal{A}}(P,aP)=a:a\in F_p, P\in {\mathcal{E}}]\). For a sufficiently small \(\eta\), we have: \(Adv_{{\mathcal{A}}}^{ECDLP}(\xi )<\eta\).
Theorem: Under the ROR model, if \({\mathcal{A}}\) attempts to initiate some queries in polynomial time, then the advantage that it can break the proposed protocol \({\mathcal{P}}\) is: \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )\le (q_{send}+q_{exe})^2/p+q_{hash}^2/2^{l1}+q_{send}/2^{l1}+2Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\), where \(q_{send}\) represents the number of Send query executed, \(q_{exe}\) represents the number of Execute query executed, \(q_{hash}\) represents the number of Hash query executed, and l represents the bits of the hash operation.
Proof
We use the game sequence \(GM_0\) to \(GM_5\) to verify the above theorem. \(Succ_{{\mathcal{A}}}^{GM_n}(\xi )\) is the probability that \({\mathcal{A}}\) succeeds in the game \(GM_n\). The specific description is as follows.

\(GM_0\): \(GM_0\) represents a real attack, and \({\mathcal{A}}\) will not initiate any query at this time. Therefore, in \(GM_0\), the probability of \({\mathcal{A}}\) breaking \({\mathcal{P}}\) is: \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )=2Pr[Succ_{{\mathcal{A}}}^{GM_0}(\xi )]1\).

\(GM_1\): \(GM_1\) adds Execute query based on \(GM_0\). Therefore, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_1}(\xi )]=Pr[Succ_{{\mathcal{A}}}^{GM_0}(\xi )]\).

\(GM_2\): \(GM_2\) adds the Send query based on \(GM_1\). According to Zipfâ€™s law [3], we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_3}(\xi )]Pr[Succ_{{\mathcal{A}}}^{GM_2}(\xi )]\le q_{send}/2^{l}\).

\(GM_3\): \(GM_3\) adds Hash query based on \(GM_2\). According to the birthday paradox, we can get that the maximum probability of a hash collision is \(q_{hash}^2/2^{l+1}\); the maximum probability of a conflict occurring in the transmitted text is \((q_{send}+q_{exe})^2/{2p}\) [4, 5]. Therefore, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_2}(\xi )]Pr[Succ_{{\mathcal{A}}}^{GM_1}(\xi )]\le (q_{send}+q_{exe})^2/{2p}+q_{hash}^2/2^{l+1}\).

\(GM_4\): In this game, we consider the security of the session key. Here, we divide the discussion into two situations. The first is to obtain a longterm private key to verify perfect forward security; the second is temporary information leakage to verify whether can resist ephemeral secret leakage attack.

1.
Perfect forward security. \({\mathcal{A}}\) uses \(Corrupt(I_{TA}^{z})\) to try to get TAâ€™s longterm private key s, or uses \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to try to get a secret value in the registration phase.

2.
Ephemeral secret leakage attack. \({\mathcal{A}}\) uses \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to try to obtain temporary information from one party.
In both cases, the ECDLP needs to be solved to compute the session key \(SK_j=h(ID_iA_jn_jN_i)\) or \(SK_i=h(ID_iA_jn_iN_j)\). For the first formula \(SK_j=h(ID_iA_jn_jN_i)\) in the first case, even if \(RSID_j=H(SID_js),C_j=H(SID_jRSID_j),ID_i=E_i \oplus H(C_jT_i),A_j=H(ID_iRSID_j)\) are calculated by s, the random number \(n_j\) is unknown. And through \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to get \(\{SID_j, BAu_j, DAu_j\}\) or \(\{RSID_j\}\), \({\mathcal{A}}\) cannot get any value in session key; in the second case, even if \(n_jN_i\) is calculated by \(n_j\), but the longterm private key s is unknown. Similarly, for the second formula \(SK_i=h(ID_iA_jn_iN_j)\) is also true. Therefore, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_4}(\xi )]Pr[Succ_{{\mathcal{A}}}^{GM_3}(\xi )]\le q_{send}Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\).

1.

\(GM_5\): The purpose of this game is to verify the impersonation attack. The difference between \(GM_5\) and \(GM_4\) is that the game is terminated if \({\mathcal{A}}\) issues \(h(ID_iA_jn_jN_i)\) query. At this point, the probability of \({\mathcal{A}}\) guessing the session key is \(Pr[Succ_{{\mathcal{A}}}^{GM_5}(\xi )Pr[Succ_{{\mathcal{A}}}^{GM_4}(\xi )\le q_{hash}^2/2^{l+1}\). Since \(GM_5\) is equally successful and unsuccessful, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_5}(\xi )]=1/2\).
In summary, we can get the following conclusion:
Further, we have \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )=(q_{send}+q_{exe})^2/n+q_{hash}^2/2^{l1}+q_{send}/2^{l1}+2Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\). \(\square\)
5.2 Security analysis using BAN logic
In this subsection, we demonstrate the security of our solution during the authentication phase through the BAN logic. BAN logic was proposed by Burrows, Abadi, and Needham in 1989 and is a modal logic based on belief and knowledge. Now BAN logic has become the most wellknown tools and widely used for analyzing the security of authenticated and key agreement protocols [33,34,35].
In this study, the user (SM) and the edge node \(ES_j\) authenticate each other and calculate a session key. Below are some of the symbols and rules defined when using the BAN logic.
5.2.1 Notations used in BAN logic

\(P \mid \equiv X\): The principal P believes X, or is entitled to do so. In particular, P may act as though X is true. This construct is central to the logic.

\(P \triangleleft X\): P sees X. Someone sends a message containing X to P, who can read and repeat X (possibly after a decryption).

\(P \mid \sim X\): P once stated X. At some point of time, P sent a message including statement X. It is unknown whether the message was sent long ago or during the current run of the protocol, but it is known that P believed X at that time.

\(P \mid \Longrightarrow X\): P has jurisdiction over X. The principal P is an authority on X and should be trusted in this matter. For example, a server is often trusted to properly generate encryption keys. This may be expressed based on the assumption that the principals believe that the server has jurisdiction over statements regarding the quality of these keys.

\(\sharp (X)\): The formula X is fresh; that is, X has not been sent in a message at any time before the current run of the protocol. This is typically true for a nonce, that is, an expression invented for the purpose of being fresh. A nonce commonly includes a timestamp or number that is used only once.

\(P{\overset{K}{\longleftrightarrow }}Q\): P and Q may use a shared key K to communicate. Key K is safe in that it will never be discovered by any principal except P or Q, or by a principal trusted by either P or Q.

\(P{\overset{X}{\rightleftharpoons }}Q\): Formula X is a secret known only to P and Q and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another. An example of a secret is a password.

\(\{X\}_K\): Formula X is encrypted under key K.

\({\left\langle X \right\rangle }_Y\): Formula X is combined with formula Y.
5.2.2 BAN logic rules

(i)
The messagemeaning rule for shared keys is \(\frac{P \mid \equiv P{\overset{K}{\longleftrightarrow }}Q,P\triangleleft \{X\}_K}{P \mid \equiv Q \mid \sim X}\). This indicates that if P believes that K is a key shared with Q and if P sees X encrypted under K, then P believes that Q once stated X.

(ii)
The messagemeaning rule for shared secrets: \(\frac{P \mid \equiv P{\overset{Y}{\rightleftharpoons }}Q,P\triangleleft {\left\langle X \right\rangle }_Y}{P \mid \equiv Q \mid \sim X}\). This means that if P believes that Y is a secret known only to P and Q and P sees X under Y, then P believes that Q once stated X.

(iii)
The nonceverification rule is \(\frac{P \mid \equiv \sharp (X),P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}\). This means that if P believes that X is fresh and Q once stated X, then P believes that Q believes X.

(iv)
The jurisdiction rule is \(\frac{P \mid \equiv Q \mid \Longrightarrow X,P \mid \equiv Q \mid \equiv X}{P \mid \equiv X}\). This means that if P believes that Q has jurisdiction over X and believes that Q believes X, then P believes X.

(v)
The session key rule is \(\frac{P \mid \equiv \sharp (X),P \mid \equiv Q \mid \equiv X}{P \mid \equiv P{\overset{K}{\longleftrightarrow }}Q}\). This means that if P trusts that statement formula X is fresh and P trusts that Q trusts X, which is an essential component of the session key, then P trusts that he or she shares the session key K with Q.

(vi)
The freshness rule is \(\frac{P \mid \equiv \sharp (X)}{P \mid \equiv \sharp (X,Y)}\). This means that if P believes that X is fresh, then he or she believes the freshness of (X, Y).

(vii)
The belief rule is \(\frac{P \mid \equiv X,P \mid \equiv Y}{P \mid \equiv (X,Y)}\). This means that if P believes X and Y, then P believes (X, Y).
5.2.3 Goals

G1: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

G2: \(ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

G3: \(SM \mid \equiv ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

G4: \(ES_j \mid \equiv SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).
5.2.4 Idealize the communication messages

Meg1: \(SM \rightarrow ES_j\): \(\{E_i,G_i,M_1,T_i\}\).

Meg2: \(S_j \rightarrow SM\): \(\{M_2,K_j,T_j\}\).
5.2.5 Initial state assumptions

A1: \(SM \mid \equiv \sharp (n_i)\).

A2: \(ES_j \mid \equiv \sharp (n_j)\).

A3: \(SM \mid \equiv SM {\overset{C_j}{\rightleftharpoons }} ES_j\).

A4: \(SM \mid \equiv ES_j \mid \Longrightarrow N_j\).

A5: \(ES_j \mid \equiv SM {\overset{H(C_j \parallel T_i)}{\rightleftharpoons }} ES_j\).

A6: \(ES_j \mid \equiv \sharp (ID_i)\).

A7: \(ES_j \mid \equiv SM \mid \Longrightarrow ID_i\).

A8: \(SM \mid \equiv \sharp (N_j)\).

A9: \(ES_j \mid \equiv \sharp (N_i)\).

A10: \(ES_j \mid \equiv SM \mid \Longrightarrow N_i\).
5.2.6 Main proofs using BAN rules and assumptions
Based on the BAN logic rules, we demonstrate that the proposed key exchange protocol can use the initial state assumptions to achieve the defined goals. Below are the steps used to prove the BAN logic.
For G1, according to the message Meg2 and using the seeing rule, we obtain S1: \(SM \triangleleft \{ M_2: {\left\langle A_j, N_j, T_j \right\rangle }_{C_j}; K_j, T_j\}\). Using A3, S1, and the messagemeaning rule, we obtain S2: \(SM \mid \equiv ES_j \mid \sim (A_j, N_j, T_j)\). Using A3 and S2, and applying the freshness and nonceverification rules, S3: \(SM \mid \equiv ES_j \mid \equiv (A_j, N_j, T_j)\) is obtained. Applying the belief rule for each component, we obtain S4: \(SM \mid \equiv ES_j \mid \equiv N_i\). Using A4, S4, and the jurisdiction rule, S5: \(SM \mid \equiv N_j\) is obtained. Because \(SK=H(ID_iA_jn_iN_{j})\), we obtain S6: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).
For G2, according to the message Meg1 and using the seeing rule, we obtain S7: \(ES_j \triangleleft \{ E_i: {\left\langle ID_i \right\rangle }_{H(C_j \parallel T_i)}; G_i, M_1: {\left\langle F_i, N_i, T_i \right\rangle }_{ID_i}; T_i\}\). Using the seeing rule for each component, we obtain S8, i.e., \(ES_j \triangleleft \{ {\left\langle ID_i \right\rangle }_{H(C_j \parallel T_i)}\}\), and S9, i.e., \(ES_j \triangleleft \{ {\left\langle F_i, N_i, T_i \right\rangle }_{ID_i}\}\). Using A5, S8, and the messagemeaning rule, we obtain S10: \(ES_j \mid \equiv SM \mid \sim ID_i\). Using A6 and S10 and applying the nonceverification rule, S11: \(ES_j \mid \equiv SM \mid \equiv ID_i\) is obtained. Using A7, S11, and the jurisdiction rule, we obtain S12: \(ES_j \mid \equiv ID_i\). Using A6, S11, and the session key rule, we obtain S13: \(ES_j \mid \equiv SM {\overset{ID_i}{\rightleftharpoons }} ES_j\). Using S9, S13, and the messagemeaning rule, we obtain S14: \(ES_j \mid \equiv SM \mid \sim (F_i, N_i, T_i)\). According to A9 and S15 and using the freshness and nonceverification rules, S15: \(ES_j \mid \equiv SM \mid \equiv (F_i, N_i, T_i)\) is obtained. Based on the belief rule, we obtain S16: \(ES_j \mid \equiv SM \mid \equiv N_i\). Using A10, S16, and the jurisdiction rule, we obtain S17: \(SM \mid \equiv N_i\). Because \(A_{j}=H(ID_{i}RSID_j)\) and \(SK=H(ID_iA_jn_jN_{i})\), we obtain S18: \(ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).
Applying the belief rule for each component, we obtain S4: \(SM \mid \equiv ES_j \mid \equiv N_i\). Using A4, S4, and the jurisdiction rule, S5: \(SM \mid \equiv N_j\) is obtained. Because \(SK=H(ID_iA_jn_iN_{j})\), we obtain S6: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).
For G3, according to S6, A1, and the session key rule, we obtain S19: \(SM \mid \equiv ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).
For G4, according to S18, A2, and the session key rule, we obtain S20: \(ES_j \mid \equiv SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} FS_j\).
6 Discussion
Numerous authenticated and key agreement protocols have been proven insecure against the following kinds of attacks [36,37,38,39,40]. In this section, we further discuss our protocol can resist such attacks. First, we assume that the adversary is represented as Adv.
6.1 Replay attack
A replay attack resends the messages intercepted by Adv, which can obtain the messages of \(\{E_i,G_i,M_1,T_i\}\) and \(\{M_2,K_j,T_j\}\). We can see that they all have a timestamp in every transmitted message, which guarantees the freshness of the messages; timestamp \(T_i\) and \(T_j\) are both used in a later authentication parameter to check the validity of each other. Therefore, a faked timestamp cannot pass the verification stage. As a result, an adversary cannot replay the messages, and our protocol effectively resists a replay attack.
6.2 SMs and edge node impersonation attack
If adversary Adv wants to create a login message \(\{E_a,G_a,M_{1a},T_{ai}\}\) or \(\{M_{2a},K_a,T_{aj}\}\) to pose as a legal SM SM or legal \(ES_j\). Taking SM as an example, \(ES_j\) is similar to SM. If Adv wants to log into \(ES_j\), he or she first needs the parameters of \(C_j\) to calculate \(ID_i\); however, without the knowledge of \(SID_j\) and \(RSID_j\), Adv cannot obtain \(C_j\) without \(ID_i\), and Adv cannot calculate \(F_i\) and \(N_i\). Therefore, it is impossible for Adv to create a legal login message, and hence, our protocol can resist attacks on SMs and edge node impersonation attacks.
6.3 Maninmiddle attack
As mentioned previously, Adv cannot obtain the messages of both \(\{E_a,G_a,M_{1a},T_{ai}\}\) and \(\{M_{2a},K_a,T_{aj}\}\), and thus Adv cannot forge legal SMs or an edge node. Thus, our proposed protocol is resilient against a maninthemiddle attack.
6.4 Perfect forward secrecy
In perfect forward secrecy, the longterm key s indeterminable for Adv, and the messages over an insecure channel and the parameters from the memory of the SMs are revealed to Adv; however, even with these parameters, Adv still cannot expose the session key between SMs and edge nodes. In our proposed protocol, if Adv wants to calculate a session key \(SK_{ij}=H(ID_iA_jn_iN_{j}^{'})\), Adv needs to know the parameters, \(ID_i\) and \(A_j\), and the random parameters, \(n_iN_j\) or \(n_jN_i\), whereas \(ID_i\), \(A_j\), \(n_iN_j\), and \(n_jN_i\) are independent of the longterm key and cannot be calculated based on messages from an insecure channel; therefore Adv cannot obtain the parameters used to compute the session key. Hence, our protocol can guarantee perfect forward secrecy.
6.5 Ephemeral secret leakage attack
As mentioned above, if Adv wants to obtain a session key, he or she needs to first obtain the ephemeral secret \(n_i, n_j\). In an ephemeral secret leakage attack, Adv can obtain the random parameters \(n_i\) and \(n_j\); however, if Adv wants to obtain the session key, Adv needs another two parameters \(ID_i\) and \(A_j\), which cannot be obtained from an insecure channel or the memory of the SMs. This proves that our proposed protocol is resilient against an ephemeral secret attack.
6.6 SM anonymity and untraceability attack
In our protocol, the random numbers \(n_i\) and \(n_j\) and timestamp \(T_i,T_i\) are used in the login and authentication phase. Different sessions have different messages; thus, Adv cannot trace the message to focus on specific SMs, and the proposed protocol can have security against an SM anonymity attack. In addition, the identities of the SMs and edge nodes are masked by a random number and timestamp, which is also different. Hence our protocol can resist an untraceability attack.
7 Experimental result and comparison
In this section, some protocols related to an SG that do not employ edge computing are listed and compared with our proposed protocol to prove the higher performance of the latter. To objectively analyze the protocols, we used an iPhone 7 for accurately determining the computational costs. In the evaluation based on experimental data, to evaluate the proposed protocol, we use \(T_h\), \(T_d\), \(T_{pa}\), \(T_{pm}\), \(T_{ae}\), \(T_{ad}\), \(T_{exp}\), and \(TG_e\) to represent the time required for performing a oneway hash function, a symmetric decryption/encryption operation, an ECC point addition, a point multiplication, asymmetric public key encryption, asymmetric public key decryption, modular exponentiation, and a bilinear pairing operation. The time required for a bitwise XOR computation is negligible, and therefore, we do not consider the XOR computation time. TableÂ 2 lists the computation time for these operations.
The computation times for the related SG protocols and the proposed protocol are presented in TableÂ 3. A bar chart of the computation times is shown in Fig.Â 6. From the bar chart, it can be concluded that the proposed protocol involves the minimum computation time in all stages of entities. Although the computation time of Zhang et al.â€™s protocol was approximately 110.77 ms, which is similar to that of the proposed protocol, Zhang et al.â€™s protocol cannot resist a privileged insider attack or provide perfect forward secrecy. Therefore, taking all requirements into account, our proposed protocol can provide easy computations and security against various attacks.
8 Conclusion
In this study, we proposed using edge computing to solve the current security issues encountered in SGs. We designed a secure key exchange and mutual authentication protocol based on edge computing for such grids. To verify our proposed protocolâ€™s security, we analyzed the protocol using the automatic tool ProVerif and BAN logic to prove that it can resist various types of attacks. We also compared our proposed protocol with other protocols used in SGs without an edge computing infrastructure. We concluded that the computation time of our proposed protocol is lower than that of other protocols and that the proposed protocol is more secure and lightweight.
Availability of data and materials
Not applicable.
Abbreviations
 SG:

Smart grid
 SM:

Smart meter
 SP:

Service provider
 CC:

Control center
 ECC:

Curve cryptosystem
References
S. Zahoor, N. Javaid, A. Khan, B. Ruqia, F.J. Muhammad, M. Zahid, A cloudfogbased smart grid model for efficient resource utilization, in 2018 14th International Wireless Communications and Mobile Computing Conference (IWCMC) (IEEE, New York, 2018), pp. 1154â€“1160
T.Y. Wu, Y.Q. Lee, C.M. Chen, Y. Tian, N.A. AlNabhan, An enhanced pairingbased authentication scheme for smart grid communications. J. Ambient Intell. Hum. Comput. 2021, 1â€“13 (2021)
V.C. Gungor, D. Sahin, T. Kocak, S. Ergut, C. Buccella, C. Cecati, G.P. Hancke, Smart grid technologies: communication technologies and standards. IEEE Trans. Ind. Inf. 7(4), 529â€“539 (2011)
X. Fang, S. Misra, G. Xue, D. Yang, Smart grid: the new and improved power grid: a survey. IEEE Commun. Surv. Tutor. 14(4), 944â€“980 (2011)
S.M. Amin, B.F. Wollenberg, Toward a smart grid: power delivery for the 21st century. IEEE Power Energ. Mag. 3(5), 34â€“41 (2005)
A. Ipakchi, F. Albuyeh, Grid of the future. IEEE Power Energ. Mag. 7(2), 52â€“62 (2009)
H. Khurana, M. Hadley, N. Lu, D.A. Frincke, Smartgrid security issues. IEEE Secur. Privacy 8(1), 81â€“85 (2010)
F. Bonomi, R. Milito, J. Zhu, S. Addepalli, Fog computing and its role in the internet of things, in Proceedings of the 1st Edition of the MCC Workshop on Mobile Cloud Computing (2012), pp. 13â€“16
T.Y. Wu, C.M. Chen, X. Sun, S. Liu, J.C.W. Lin, A countermeasure to SQL injection attack for cloud environment. Wirel. Pers. Commun. 96(4), 5279â€“5293 (2017)
H. Xiong, Y. Wang, W. Li, C.M. Chen, Flexible, efficient, and secure access delegation in cloud computing. ACM Trans. Manag. Inf. Syst. (TMIS) 10(1), 1â€“20 (2019)
A. Kumari, V. Kumar, M.Y. Abbasi, S. Kumari, P. Chaudhary, C.M. Chen, Csef: cloudbased secure and efficient framework for smart medical system using ECC. IEEE Access 8, 107838â€“107852 (2020)
I. Stojmenovic, S. Wen, The fog computing paradigm: scenarios and security issues, in 2014 Federated Conference on Computer Science and Information Systems (IEEE, New York, 2014), pp. 1â€“8
P. Hu, S. Dhelim, H. Ning, T. Qiu, Survey on fog computing: architecture, key technologies, applications and open issues. J. Netw. Comput. Appl. 98, 27â€“42 (2017)
P. Hu, H. Ning, T. Qiu, H. Song, Y. Wang, X. Yao, Security and privacy preservation scheme of face identification and resolution framework using fog computing in internet of things. IEEE Internet Things J. 4(5), 1143â€“1155 (2017)
C.M. Chen, Y. Huang, K.H. Wang, S. Kumari, M.E. Wu, A secure authenticated and key exchange scheme for fog computing. Enterprise Inf. Syst. 2020, 1â€“16 (2020)
R. Deng, R. Lu, C. Lai, T.H. Luan, Towards power consumptiondelay tradeoff by workload allocation in cloudfog computing, in 2015 IEEE International Conference on Communications (ICC) (IEEE, New York, 2015), pp. 3909â€“3914
F.Y. Okay, S. Ozdemir, A fog computing based smart grid model, in 2016 International Symposium on Networks, Computers and Communications (ISNCC) (IEEE, New York, 2016), pp. 1â€“6
X. Hou, Y. Li, M. Chen, D. Wu, D. Jin, S. Chen, Vehicular fog computing: a viewpoint of vehicles as the infrastructures. IEEE Trans. Veh. Technol. 65(6), 3860â€“3873 (2016)
N.B. Truong, G.M. Lee, Y. GhamriDoudane, Software defined networkingbased vehicular adhoc network with fog computing, in 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM) (IEEE, New York, 2015), pp. 1202â€“1207
M.M. Fouda, Z.M. Fadlullah, N. Kato, R. Lu, X.S. Shen, A lightweight message authentication scheme for smart grid communications. IEEE Trans. Smart Grid 2(4), 675â€“685 (2011)
N. Saputro, K. Akkaya, S. Uludag, A survey of routing protocols for smart grid communications. Comput. Netw. 56(11), 2742â€“2771 (2012)
J.L. Tsai, N.W. Lo, Secure anonymous key distribution scheme for smart grid. IEEE Trans. Smart Grid 7(2), 906â€“914 (2015)
L. Zhang, S. Tang, H. Luo, Elliptic curve cryptographybased authentication with identity protection for smart grids. PLoS ONE 11(3), 0151253 (2016)
K. Mahmood, S.A. Chaudhry, H. Naqvi, S. Kumari, X. Li, A.K. Sangaiah, An elliptic curve cryptography based lightweight authentication scheme for smart grid communication. Fut. Gener. Comput. Syst. 81, 557â€“565 (2018)
R. Hassan, G. Radman, Survey on smart grid, in Proceedings of the IEEE SoutheastCon 2010 (SoutheastCon) (IEEE, New York, 2010), pp. 210â€“213
G.N. Ericsson, Cyber security and power system communicationessential parts of a smart grid infrastructure. IEEE Trans. Power Deliv. 25(3), 1501â€“1507 (2010)
S. Kim, E.Y. Kwon, M. Kim, J.H. Cheon, S.H. Ju, Y.H. Lim, M.S. Choi, A secure smartmetering protocol over powerline communication. IEEE Trans. Power Deliv. 26(4), 2370â€“2379 (2011)
M.S.H. Nazmudeen, A.T. Wan, S.M. Buhari, Improved throughput for power line communication (PLC) for smart meters using fog computing based data aggregation approach, in 2016 IEEE International Smart Cities Conference (ISC2) (IEEE, New York, 2016), pp. 1â€“4
H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC class 1 generation 2 standards. Comput. Stand. Interfaces 29(2), 254â€“259 (2007)
D. He, N. Kumar, J.H. Lee, R.S. Sherratt, Enhanced threefactor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1), 30â€“37 (2014)
S.R. Moosavi, T.N. Gia, E. Nigussie, A.M. Rahmani, S. Virtanen, H. Tenhunen, J. Isoaho, Endtoend security scheme for mobility enabled healthcare internet of things. Future Gener. Comput. Syst. 64, 108â€“124 (2016)
M. Wazid, A.K. Das, N. Kumar, A.V. Vasilakos, Design of secure key management and user authentication scheme for fog computing services. Future Gener. Comput. Syst. 91, 475â€“492 (2019)
C.M. Chen, L. Xu, K.H. Wang, S. Liu, T.Y. Wu, Cryptanalysis and improvements on threepartyauthenticated key agreement protocols based on chaotic maps. J. Internet Technol. 19(3), 679â€“687 (2018)
Y. Fei, H. Zhu, P.C. Vinh, Security analysis of the access control solution of NDN using ban logic. Mobile Netw. Appl. 2020, 1â€“12 (2020)
C.M. Chen, C.T. Li, S. Liu, T.Y. Wu, J.S. Pan, A provable secure private data delegation scheme for mountaineering events in emergency system. IEEE Access 5, 3410â€“3422 (2017)
C.T. Li, C.C. Lee, C.Y. Weng, C.M. Chen, Towards secure authenticating of cache in the reader for RFIDbased IoT systems. PeertoPeer Netw. Appl. 11(1), 198â€“208 (2018)
S. Kumari, P. Chaudhary, C.M. Chen, M.K. Khan, Questioning key compromise attack on OstadSharif et al.â€™s authentication and session key generation scheme for healthcare applications. IEEE Access 7, 39717â€“39720 (2019)
K.H. Wang, C.M. Chen, W. Fang, T.Y. Wu, On the security of a new ultralightweight authentication protocol in IoT environment for RFID tags. J. Supercomput. 74(1), 65â€“70 (2018)
H.M. Sun, K.H. Wang, C.M. Chen, On the security of an efficient timebound hierarchical key management scheme. IEEE Trans. Dependable Secure Comput. 6(2), 159â€“160 (2009)
T.Y. Wu, Z. Lee, M.S. Obaidat, S. Kumari, S. Kumar, C.M. Chen, An authenticated key exchange protocol for multiserver architecture in 5G networks. IEEE Access 8, 28096â€“28108 (2020)
Y. Wang, Password protected smart card and memory stick authentication against offline dictionary attacks, in IFIP International Information Security Conference (Springer, London, 2012), pp. 489â€“500
D. Ghosh, C. Li, C. Yang, A lightweight authentication protocol in smart grid. IJ Netw. Secur. 20(3), 414â€“422 (2018)
Acknowledgements
Not applicable.
Funding
Not applicable.
Author information
Authors and Affiliations
Contributions
Conceptualization, CMC and LC; Formal analysis, YH, JMTW; Methodology, CMC, LC and YH; Software, SK; Supervision, CMC, JMTW; Validation, YH; Writing, JMTW. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Chen, CM., Chen, L., Huang, Y. et al. Lightweight authentication protocol in edgebased smart grid environment. J Wireless Com Network 2021, 68 (2021). https://doi.org/10.1186/s13638021019306
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s13638021019306
Keywords
 Smart grid
 Edge computing
 Mutual authentication
 Network security