Lightweight authentication protocol in edge-based smart grid environment

A smart grid (SG) is an advanced power grid system deployed in a cloud center and smart meters (at the consumer end) that provides higher reliability, better data protection, improved power efficiency, automatic monitoring, and effective management of power consumption. However, an SG also poses certain challenges that need to be addressed. For example, data provided by a smart meter are time-sensitive and cannot handle high latency in an SG. Moreover, a smart meter depends on memory, energy, and other factors. Besides, the security between a cloud center and a smart meter is a critical issue that needs to be resolved. Edge computing, an extension of cloud computing deployed in an edge network between a cloud center and the end devices, is an efficient solution to the aforementioned issues. Therefore, in this study, we propose a secure mutual authentication protocol based on edge computing for use in an SG.

A traditional power grid provides four primary operations: power generation, electricity transmission, electricity distribution, and electricity management. Currently, with the rapid development of IoT, the electricity demand has significantly increased; however, the infrastructure used by traditional grids cannot sustain such high electricity demands. Then, the Smart Grid (SG) was developed. SG is an advanced electricity grid that uses a two-way flow of electricity and information, which differs from a traditional electricity infrastructure, providing more efficiency, protected data submissions, and a secure channel between a smart meter (SM) and service provider (SP). The remarkable advantages of SG include monitoring the electricity consumption of the end-users with different approaches in real time [1]. In general, SG infrastructure comprises three components: in-house deployed SMs, SPs in substations, and a control center (CC) in the cloud [2,3,4,5,6,7].

Figure 1 shows a typical infrastructure o SG. SM is used to monitor consumers’ energy consumption and send the processed data to SP, which likely contains the consumers’ private information. SP offers services and electricity to consumers. CC processes, handles, and manages the sensors, SM, and actuators’ resources and stores the data in a cloud computing data center. However, with an increasing number of IoT (end-user) devices, an SG based on cloud computing cannot meet such requirements.

Smart grid infrastructure

Full size image

On the other hand, in 2012, Cisco specified certain disadvantages of cloud computing, including a high latency, low mobility support, and low location awareness. As a result, the company proposed the concept of fog computing [8], which is a type of edge computing as previously mentioned, as an extension of cloud computing [9,10,11]. An edge layer is employed between the end devices and the cloud center; in addition, each end device is directly connected to the edge nodes, and the edge nodes are interconnected, each linked to the cloud [12]. The edge nodes in edge computing consist of certain devices with limited computation power, such as switches, routers, mobile devices, and idle servers. The main role of an edge node is to collect and process the data from the end devices, issue control commands to the actuators, locally filter the data, and send the remaining data to the cloud center [13, 14]. Edge computing has the following characteristics [15]. First, with the rapid development of mobile devices, it is important for the edge nodes to directly communicate with these devices, such as mobile phones, mobile sensors, and moving cars. Second, the batch process used in cloud computing cannot facilitate real-time interactions; however, with large numbers of edge nodes deployed in distributed locations, edge computing can provide real-time interactions. Third, the edge nodes used in edge computing are distributed in different places. Although the computational abilities of the edge nodes are limited, use of a large number of nodes can solve this problem, for example, by using an SG or a smart vehicle network. Finally, in edge computing, the edge nodes are deployed in different places closer to the end-users. Cloud computing applies a centralized architecture, in sharp contrast to the distributed edge architecture.

As previously mentioned, edge computing is an extension of cloud computing, which provides numerous advantages over the cloud computing infrastructure. In recent years, many researchers have attempted to extend the edge computing infrastructure for applications based on cloud computing [1, 16,17,18,19]. In this study, we extended the infrastructure of edge computing to an SG, which is different from the case of a traditional SG. The advantage of an edge-computing based SG over a traditional SG includes minimum latency, providing services to resource-constrained devices, reduced stress on the cloud center, and preprocessing of unimportant data.

It is necessary to extend edge computing to an SG; however, the deployment of an SM is unsafe, and the meter needs to be protected by a physical lock to avoid a possible attack by an adversary. An adversary can obtain the data stored in an SM and pose as an SG to communicate with the SPs or consumers. Therefore, secure communication between the SG and SP is extremely important. A key agreement and mutual authentication protocol are efficient solutions to solving this problem. Several studies have also proposed protocols related to SGs [20,21,22,23,24]. However, a mutual authentication protocol for an SG based on the use of edge computing has yet to be proposed. An SG requires real-time data transmission. Addition of edge nodes to an SG can guarantee a low latency and real-time data response. We, therefore, propose a protocol based on edge computing for use in such a grid.

1.1 Contributions

The contribution of this paper is listed as follows.

1. 1.

   We propose a secure and lightweight key exchange and mutual authentication protocol for an edge-based SG environment. Our design uses one-way hash functions, XOR computations, and an elliptic curve cryptosystem (ECC) instead of another heavy cryptography functions.

2. 2.

   We provide a formal proof to demonstrate the security of the proposed protocol. Besides, we use Burrows–Abadi–Needham (BAN) logic to guarantee the security of our design. Furthermore, we describe the proposed protocol is secure against various kinds of attacks.

3. 3.

   We present a performance evaluation/comparison of our protocol.

1.2 Organization

The remainder of this paper is organized as follows. Section 2 briefly presents the recent studies related to the security of an SG. In Sect. 3, we present an adversary model. The details of the proposed protocol are presented in Sect. 4. To establish the security of the proposed protocol, a security analysis is presented in Sect. 5, concluding with a formal security analysis using formal proof and BAN logic. Section 7 further discusses the proposed protocol is secure against various kinds of attacks. A comparison and performance analysis is provided in Sect. 7. Finally, some concluding remarks are presented in Sect. 8.

With the emergence of an SG in 2001, numerous researchers have worked on ensuring security in an SG. Hassan et al. [25] encountered several problems with the use of an SG. For instance, owing to uncertainties in system planning and maintenance, it is challenging to predict real-time system controls. Besides, communication between system operators in a CC is another problem that needs to be considered. Moreover, the lack of predictive control signals for operating the devices and lack of energy storage devices also affect the deployment of SMs. In 2010, Ericsson [26] pointed out that the essential aspects of an SG infrastructure are cybersecurity and power system communication (PSC). Also, information security has become increasingly important because the deployment occurs in an exoteric and integrated energy management system instead of through isolated automation as previously applied. Moreover, with the development of the Internet, attackers can steal data from an SM and a cloud center.

To ensure the information security of an SG, researchers have proposed several security mechanisms. Kim et al. [27] proposed a security mechanism based on an SG according to the security requirements of remote meters using power-line communication (PLC), including authentication and key sharing between devices, as well as revocation management of the remaining devices. However, the SM server used in this mechanism demands authentication of all nodes, which may cause heavy stress on the SM server. When numerous devices are added to an SG environment, the mechanism will become overburdened. For the purpose of efficient resource management and information security, some researchers have begun adding edge computing to an SG; for instance, Zahoor et al. [1] introduced a new SG model based on edge computing for resource management. The proposed model is based on an edge-cloud hierarchical infrastructure to separate the role of the cloud, providing different types of services to consumers. Compared with a traditional SG model, the proposed approach can improve the response time for effective resource utilization and reduce the latency. In 2016, Nazmudeen et al. [28] proposed a distributed data aggregation method based on an edge-computing architecture, limiting the amount of data sent to the centralized storage space, thereby improving the capacity of the PLC without affecting its functionality.

Although edge computing solves the problems inherent to cloud computing, information security, i.e., the security of a transmitted message through an insecure channel, is vital in an SG. A mutual authentication protocol can guarantee the security of inter-communication. In recent years, some mutual authentication protocols have been proposed to ensure the security between parties [29,30,31,32].

Zhang et al. [23] designed an authentication protocol based on elliptic curve cryptography for an SG, which can provide privacy protection. The authors claimed that the protocol has the advantages of identity protection, mutual authentication, and key agreement. However, after analyzing the protocol, we found that it cannot resist an impersonation attack on an SM or SP or a replay attack. Tsai et al. [22] proposed a new anonymous key distribution scheme in an SG environment using identity-based signature schemes and identity-based encryption schemes. The advantages of the scheme include a trusted authority separate from the authentication phases and direct access of an SM to the SP without a trusted authority, which can lower the computation time. However, the proposed protocol is still vulnerable, cannot withstand a privileged insider attack, and provides imperfect forward secrecy.

In this section, we first introduce the infrastructure of a smart grid based on edge computing. Then, we describe the adversary model used in this paper.

3.1 Edge computing infrastructure for smart grid

In this study, we proposed a protocol based on edge computing for an SG. Our SG infrastructure based on edge computing is shown in Fig. 2. An edge layer is used to join the infrastructure, acting as an SP in an SG. The cloud is separated to handle data from the edge layer and transmit them to the CC. This infrastructure using different SPs from the macro-grids, which can reduce the burden of the cloud, integrates the main capacities of the cloud to communicate with the CC and management control.

Edge based smart grid infrastructure

Full size image

In our protocol, edge nodes act as SPs that can quickly process the data and authenticate an SM. Because of the limited computations of the edge nodes and SM, the proposed protocol only uses an ECC and a one-way hash function for encrypting the parameters. Our protocol comprises the following phases.

3.2 Adversary model

Before introducing our proposed protocol, it is important to describe the adversary model applied. A polynomial time adversary Adv has full control over the insecure network traffic desires to break the security of the proposed scheme. Adv may control limited/completed messages transmitted over an insecure channel, such as intercepting, modifying, and deleting the transmitted message. Adv can extract the security parameters stored in a smart card using a power analysis technique. Adv can try to obtain sensitive information (e.g., passwords) using off-line password guessing attacks. The gola of Adv is to achieve one of the following.

• Compute the session key after a successful run of the authentication scheme.

• Compute the long-term secret key of the server.

• Have the server falsely accept an authentication scheme when they are not communicating with a legitimate entity.

Herein, we describe the proposed protocol, which consists of three phases, an edge node registration phase, an SM registration phase, and a login and authentication phase. Table 1 summarizes the notations used in our proposed protocol.

4.1 Edge node registration phase

If an edge node \(ES_j\) wants to join the system, the edge node registration phase is applied. This phase is shown in Fig. 4 and is described as follows:

1. (i)

   \(ES_j\) first selects an identity \(SID_j\) and transmits \(\{SID_j\}\) to TA through a secure channel.

2. (ii)

   After receiving the above messages, TA checks the validity of \(ES_j\). Then, TA computes \(RSID_j\) = \(H(SID_j || s)\), stores \(\{SID_j, RSID_j\}\) in the database of TA, and transmits \(\{RSID_j\}\) back to \(ES_j\) through a secure channel.

3. (iii)

   \(ES_j\) stores \(\{RSID_j\}\) in its database.

4.2 Smart meter registration phase

The SM registration phase (Fig. 3) is executed if an SM registers with TA. We assume that an SM, whose identity is \(ID_i\), wants to join this system, and there are n edge nodes, denoted as \(ES_1, \ldots , ES_n\), that have been previously registered. The following steps are conducted.

1. (i)

   SM selects identity \(ID_i\) and a random number \(r_i\), and then transmits \(\{ID_i,r_i\}\) to the trusted authority TA through a secure channel.

2. (ii)

   After receiving the message from SM, TA first finds all values of \(RSID_j\) stored in the database where \(1 \le j \le n\). Next, TA computes \(A_j\) = \(H(ID_i || RSID_j)\), \(BAu_j\) = \(A_j \oplus H(ID_i || r_i)\), \(C_j\) = \(H(SID_j || RSID_j)\) and \(DAu_j\) = \(C_j \oplus H(ID_i || r_i)\), and then transmits \(\{SID_j, BAu_j, DAu_j, H(\cdot )\}\) back to SM through a secure channel.

3. (iii)

   The SM computes \(SID_{j}^{*}=SID_j\oplus H(ID_i||r_i)\), \(BAu_{j}^{*}=BAu_j\oplus H(ID_i||r_i)\), \(DAu_{j}^{*}=SID_j\oplus BAu_j\oplus DAu_j\) and stores \(\{SID_{j}^{*}, BAu_{j}^{*}, DAu_{j}^{*}, H(\cdot )\}\) into memory.

Smart meter registration phase

Full size image

Edge node registration phase

Full size image

Login and authentication phase

Full size image

4.3 Login and authentication phase

When a legal SM wants to log in and communicate with \(ES_j\), the SM needs to authenticate \(ES_j\) and establish a session key with \(ES_j\) using the following steps.

1. (i)

   The SM first enters its identity \(ID_i\) and \(r_i\), and then computes \(SID_j=SID_{j}^{*}\oplus H(ID_i||r_i)\), \(BAu_j=BAu_{j}^{*}\oplus H(ID_i||r_i)\), \(DAu_j=SID_j\oplus BAu_j\oplus DAu_{j}^{*}\), and \(C_j=DAu_j\oplus H(ID_i||r_i)\). Next, SM generates the current timestamp \(T_i\) and calculates \(E_i=ID_i\oplus H(C_j||T_i)\). In addition, SM then generates a random number \(n_i\), computing \(N_i=n_iP\), \(A_j=BAu_j\oplus H(ID_i||r_i)\), \(F_i=H(ID_i||A_j)\), \(G_i=F_i\oplus N_i\), and authentication parameter \(M_1=H(ID_i||F_i||N_i||T_i)\), sending \(\{E_i,G_i,M_1,T_i\}\) to \(ES_j\) through an unsecure channel.

2. (ii)

   After receiving the message from SM, \(ES_j\) calculates \(C_{j}^{'}=H(SID_j||RSID_j)\), \(ID_{i}^{'}=E_i\oplus H(C_{j}^{'}||T_i)\), \(A_{j}^{'}=H(ID_{i}^{'}||RSID_j)\), \(F_{i}^{*}=H(ID_{i}^{'}||A_{j}^{'})\), \(N_{i}^{'}=F_{i}^{'}\oplus G_i\), and \(M_{1}^{'}=H(ID_{i}^{'}||F_{i}^{'}||N_{i}^{'}||T_i)\), and then checks the validity of \(M_1\) to verify if SM is legal. If so, \(ES_j\) generates a random number \(n_j\) and current timestamp \(T_j\), and then computes \(N_j=n_jP\), \(M_2=H(A_{j}^{'}||C_{j}^{'}||N_j||T_j)\), \(I_j=H(C_{j}^{'})\oplus N_{i}^{'}\), \(K_j=I_j\oplus N_j\), and the session key \(SK_{ji}=H(ID_{i}^{'}||A_{j}^{'}||n_jN_{i}^{'})\), and transmits the message \(\{M_2,K_j,T_j\}\) to SM.

3. (iii)

   When SM receives the messages from \(ES_j\), SM first computes \(I_{j}^{'}=H(C_j)\oplus N_i\), \(N_{j}^{'}=I_{j}^{'}\oplus K_j\), and \(M_{2}^{'}=H(A_j||C_j||N_{j}^{'}||T_j)\), and then checks the validity of \(ES_j\) by checking whether \(M_{2}^{'}=M_2\). If so, SM computes the session key \(SK_{ij}=H(ID_i||A_j||n_iN_{j}^{'})\), which means that SM and \(ES_j\) can securely communicate with each other.

The SM login and authentication phase is illustrated in Fig. 5.

In this section, we first provide a formal proof of the proposed protocol. Then, we further evaluate the security of the proposed protocol with BAN logic.

5.1 Formal proof

Here, we prove the security of the proposed protocol under the Real-Or-Random (ROR) model. In the introduction section, we have defined the capabilities of the adversary [2]. Assume that \(I_{SM}^{x}\), \(I_{ES}^{y}\), and \(I_{TA}^{z}\), respectively, represent the x-th instance of \(SM_s\), the y-th instance of \(ES_j\), and the z-th instance of TA. The adversary \({\mathcal{A}}\) can initiate the following queries.

• \(Execute({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and can obtain the messages \(\{E_i, G_i,M_1,T_i\}\) and \(\{M_2,K_j,T_j\}\), where \({\mathcal{O}}=\{I_{SM}^{x}, I_{ES}^{y},I_{TA}^{z}\}\).

• Hash(string): \({\mathcal{A}}\) executes the query and can get the hash value of the input parameter string.

• \(Send({\mathcal{O}},M)\): \({\mathcal{A}}\) executes the query, sends the message M to \({\mathcal{O}}\), and can receive the corresponding response.

• \(Corrupt({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and can obtain a secret value, such as the long-term private key, temporary information, etc.

• \(Test({\mathcal{O}})\): \({\mathcal{A}}\) executes the query and judges the correctness of the session key by flipping a coin \({\mathcal{C}}\). If the result is \({\mathcal{C}}=1\), \({\mathcal{A}}\) will receive the correct session key returned; if the result is \({\mathcal{C}}=0\), \({\mathcal{A}}\) will receive a random string.

Definition 1

(Elliptic Curve Discrete Logarithm Problem (ECDLP)). Assuming that \({\mathcal{E}}\) is an elliptic curve generation group. Given points, P and aP, where P belongs to \({\mathcal{E}}\) and a belongs to \(F_p\), it is computationally infeasible to obtain a. In polynomial time \(\xi\), the probability of an adversary \({\mathcal{A}}\) solving this problem is defined as: \(Adv_{{\mathcal{A}}}^{ECDLP}(\xi )=Pr[{\mathcal{A}}(P,aP)=a:a\in F_p, P\in {\mathcal{E}}]\). For a sufficiently small \(\eta\), we have: \(Adv_{{\mathcal{A}}}^{ECDLP}(\xi )<\eta\).

Theorem: Under the ROR model, if \({\mathcal{A}}\) attempts to initiate some queries in polynomial time, then the advantage that it can break the proposed protocol \({\mathcal{P}}\) is: \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )\le (q_{send}+q_{exe})^2/p+q_{hash}^2/2^{l-1}+q_{send}/2^{l-1}+2Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\), where \(q_{send}\) represents the number of Send query executed, \(q_{exe}\) represents the number of Execute query executed, \(q_{hash}\) represents the number of Hash query executed, and l represents the bits of the hash operation.

Proof

We use the game sequence \(GM_0\) to \(GM_5\) to verify the above theorem. \(Succ_{{\mathcal{A}}}^{GM_n}(\xi )\) is the probability that \({\mathcal{A}}\) succeeds in the game \(GM_n\). The specific description is as follows.

• \(GM_0\): \(GM_0\) represents a real attack, and \({\mathcal{A}}\) will not initiate any query at this time. Therefore, in \(GM_0\), the probability of \({\mathcal{A}}\) breaking \({\mathcal{P}}\) is: \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )=|2Pr[Succ_{{\mathcal{A}}}^{GM_0}(\xi )]-1|\).

• \(GM_1\): \(GM_1\) adds Execute query based on \(GM_0\). Therefore, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_1}(\xi )]=Pr[Succ_{{\mathcal{A}}}^{GM_0}(\xi )]\).

• \(GM_2\): \(GM_2\) adds the Send query based on \(GM_1\). According to Zipf’s law [3], we have: \(|Pr[Succ_{{\mathcal{A}}}^{GM_3}(\xi )]-Pr[Succ_{{\mathcal{A}}}^{GM_2}(\xi )]|\le q_{send}/2^{l}\).

• \(GM_3\): \(GM_3\) adds Hash query based on \(GM_2\). According to the birthday paradox, we can get that the maximum probability of a hash collision is \(q_{hash}^2/2^{l+1}\); the maximum probability of a conflict occurring in the transmitted text is \((q_{send}+q_{exe})^2/{2p}\) [4, 5]. Therefore, we have: \(|Pr[Succ_{{\mathcal{A}}}^{GM_2}(\xi )]-Pr[Succ_{{\mathcal{A}}}^{GM_1}(\xi )]|\le (q_{send}+q_{exe})^2/{2p}+q_{hash}^2/2^{l+1}\).

• \(GM_4\): In this game, we consider the security of the session key. Here, we divide the discussion into two situations. The first is to obtain a long-term private key to verify perfect forward security; the second is temporary information leakage to verify whether can resist ephemeral secret leakage attack.

  1. 1.

     Perfect forward security. \({\mathcal{A}}\) uses \(Corrupt(I_{TA}^{z})\) to try to get TA’s long-term private key s, or uses \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to try to get a secret value in the registration phase.

  2. 2.

     Ephemeral secret leakage attack. \({\mathcal{A}}\) uses \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to try to obtain temporary information from one party.

  In both cases, the ECDLP needs to be solved to compute the session key \(SK_j=h(ID_i||A_j||n_jN_i)\) or \(SK_i=h(ID_i||A_j||n_iN_j)\). For the first formula \(SK_j=h(ID_i||A_j||n_jN_i)\) in the first case, even if \(RSID_j=H(SID_j||s),C_j=H(SID_j||RSID_j),ID_i=E_i \oplus H(C_j||T_i),A_j=H(ID_i||RSID_j)\) are calculated by s, the random number \(n_j\) is unknown. And through \(Corrupt(I_{SM}^{x})\) or \(Corrupt(I_{ES}^{y})\) to get \(\{SID_j, BAu_j, DAu_j\}\) or \(\{RSID_j\}\), \({\mathcal{A}}\) cannot get any value in session key; in the second case, even if \(n_jN_i\) is calculated by \(n_j\), but the long-term private key s is unknown. Similarly, for the second formula \(SK_i=h(ID_i||A_j||n_iN_j)\) is also true. Therefore, we have: \(|Pr[Succ_{{\mathcal{A}}}^{GM_4}(\xi )]-Pr[Succ_{{\mathcal{A}}}^{GM_3}(\xi )]|\le q_{send}Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\).

• \(GM_5\): The purpose of this game is to verify the impersonation attack. The difference between \(GM_5\) and \(GM_4\) is that the game is terminated if \({\mathcal{A}}\) issues \(h(ID_i||A_j||n_jN_i)\) query. At this point, the probability of \({\mathcal{A}}\) guessing the session key is \(|Pr[Succ_{{\mathcal{A}}}^{GM_5}(\xi )-Pr[Succ_{{\mathcal{A}}}^{GM_4}(\xi )|\le q_{hash}^2/2^{l+1}\). Since \(GM_5\) is equally successful and unsuccessful, we have: \(Pr[Succ_{{\mathcal{A}}}^{GM_5}(\xi )]=1/2\).

In summary, we can get the following conclusion:

Further, we have \(Adv_{{\mathcal{A}}}^{{\mathcal{P}}}(\xi )=(q_{send}+q_{exe})^2/n+q_{hash}^2/2^{l-1}+q_{send}/2^{l-1}+2Adv_{{\mathcal{A}}}^{ECDLP}(\xi )\). \(\square\)

5.2 Security analysis using BAN logic

In this subsection, we demonstrate the security of our solution during the authentication phase through the BAN logic. BAN logic was proposed by Burrows, Abadi, and Needham in 1989 and is a modal logic based on belief and knowledge. Now BAN logic has become the most well-known tools and widely used for analyzing the security of authenticated and key agreement protocols [33,34,35].

In this study, the user (SM) and the edge node \(ES_j\) authenticate each other and calculate a session key. Below are some of the symbols and rules defined when using the BAN logic.

5.2.1 Notations used in BAN logic

• \(P \mid \equiv X\): The principal P believes X, or is entitled to do so. In particular, P may act as though X is true. This construct is central to the logic.

• \(P \triangleleft X\): P sees X. Someone sends a message containing X to P, who can read and repeat X (possibly after a decryption).

• \(P \mid \sim X\): P once stated X. At some point of time, P sent a message including statement X. It is unknown whether the message was sent long ago or during the current run of the protocol, but it is known that P believed X at that time.

• \(P \mid \Longrightarrow X\): P has jurisdiction over X. The principal P is an authority on X and should be trusted in this matter. For example, a server is often trusted to properly generate encryption keys. This may be expressed based on the assumption that the principals believe that the server has jurisdiction over statements regarding the quality of these keys.

• \(\sharp (X)\): The formula X is fresh; that is, X has not been sent in a message at any time before the current run of the protocol. This is typically true for a nonce, that is, an expression invented for the purpose of being fresh. A nonce commonly includes a timestamp or number that is used only once.

• \(P{\overset{K}{\longleftrightarrow }}Q\): P and Q may use a shared key K to communicate. Key K is safe in that it will never be discovered by any principal except P or Q, or by a principal trusted by either P or Q.

• \(P{\overset{X}{\rightleftharpoons }}Q\): Formula X is a secret known only to P and Q and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another. An example of a secret is a password.

• \(\{X\}_K\): Formula X is encrypted under key K.

• \({\left\langle X \right\rangle }_Y\): Formula X is combined with formula Y.

5.2.2 BAN logic rules

1. (i)

   The message-meaning rule for shared keys is \(\frac{P \mid \equiv P{\overset{K}{\longleftrightarrow }}Q,P\triangleleft \{X\}_K}{P \mid \equiv Q \mid \sim X}\). This indicates that if P believes that K is a key shared with Q and if P sees X encrypted under K, then P believes that Q once stated X.

2. (ii)

   The message-meaning rule for shared secrets: \(\frac{P \mid \equiv P{\overset{Y}{\rightleftharpoons }}Q,P\triangleleft {\left\langle X \right\rangle }_Y}{P \mid \equiv Q \mid \sim X}\). This means that if P believes that Y is a secret known only to P and Q and P sees X under Y, then P believes that Q once stated X.

3. (iii)

   The nonce-verification rule is \(\frac{P \mid \equiv \sharp (X),P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}\). This means that if P believes that X is fresh and Q once stated X, then P believes that Q believes X.

4. (iv)

   The jurisdiction rule is \(\frac{P \mid \equiv Q \mid \Longrightarrow X,P \mid \equiv Q \mid \equiv X}{P \mid \equiv X}\). This means that if P believes that Q has jurisdiction over X and believes that Q believes X, then P believes X.

5. (v)

   The session key rule is \(\frac{P \mid \equiv \sharp (X),P \mid \equiv Q \mid \equiv X}{P \mid \equiv P{\overset{K}{\longleftrightarrow }}Q}\). This means that if P trusts that statement formula X is fresh and P trusts that Q trusts X, which is an essential component of the session key, then P trusts that he or she shares the session key K with Q.

6. (vi)

   The freshness rule is \(\frac{P \mid \equiv \sharp (X)}{P \mid \equiv \sharp (X,Y)}\). This means that if P believes that X is fresh, then he or she believes the freshness of (X, Y).

7. (vii)

   The belief rule is \(\frac{P \mid \equiv X,P \mid \equiv Y}{P \mid \equiv (X,Y)}\). This means that if P believes X and Y, then P believes (X, Y).

5.2.3 Goals

• G1: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

• G2: \(ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

• G3: \(SM \mid \equiv ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

• G4: \(ES_j \mid \equiv SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

5.2.4 Idealize the communication messages

• Meg1: \(SM \rightarrow ES_j\): \(\{E_i,G_i,M_1,T_i\}\).

• Meg2: \(S_j \rightarrow SM\): \(\{M_2,K_j,T_j\}\).

5.2.5 Initial state assumptions

• A1: \(SM \mid \equiv \sharp (n_i)\).

• A2: \(ES_j \mid \equiv \sharp (n_j)\).

• A3: \(SM \mid \equiv SM {\overset{C_j}{\rightleftharpoons }} ES_j\).

• A4: \(SM \mid \equiv ES_j \mid \Longrightarrow N_j\).

• A5: \(ES_j \mid \equiv SM {\overset{H(C_j \parallel T_i)}{\rightleftharpoons }} ES_j\).

• A6: \(ES_j \mid \equiv \sharp (ID_i)\).

• A7: \(ES_j \mid \equiv SM \mid \Longrightarrow ID_i\).

• A8: \(SM \mid \equiv \sharp (N_j)\).

• A9: \(ES_j \mid \equiv \sharp (N_i)\).

• A10: \(ES_j \mid \equiv SM \mid \Longrightarrow N_i\).

5.2.6 Main proofs using BAN rules and assumptions

Based on the BAN logic rules, we demonstrate that the proposed key exchange protocol can use the initial state assumptions to achieve the defined goals. Below are the steps used to prove the BAN logic.

For G1, according to the message Meg2 and using the seeing rule, we obtain S1: \(SM \triangleleft \{ M_2: {\left\langle A_j, N_j, T_j \right\rangle }_{C_j}; K_j, T_j\}\). Using A3, S1, and the message-meaning rule, we obtain S2: \(SM \mid \equiv ES_j \mid \sim (A_j, N_j, T_j)\). Using A3 and S2, and applying the freshness and nonce-verification rules, S3: \(SM \mid \equiv ES_j \mid \equiv (A_j, N_j, T_j)\) is obtained. Applying the belief rule for each component, we obtain S4: \(SM \mid \equiv ES_j \mid \equiv N_i\). Using A4, S4, and the jurisdiction rule, S5: \(SM \mid \equiv N_j\) is obtained. Because \(SK=H(ID_i||A_j||n_iN_{j})\), we obtain S6: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

For G2, according to the message Meg1 and using the seeing rule, we obtain S7: \(ES_j \triangleleft \{ E_i: {\left\langle ID_i \right\rangle }_{H(C_j \parallel T_i)}; G_i, M_1: {\left\langle F_i, N_i, T_i \right\rangle }_{ID_i}; T_i\}\). Using the seeing rule for each component, we obtain S8, i.e., \(ES_j \triangleleft \{ {\left\langle ID_i \right\rangle }_{H(C_j \parallel T_i)}\}\), and S9, i.e., \(ES_j \triangleleft \{ {\left\langle F_i, N_i, T_i \right\rangle }_{ID_i}\}\). Using A5, S8, and the message-meaning rule, we obtain S10: \(ES_j \mid \equiv SM \mid \sim ID_i\). Using A6 and S10 and applying the nonce-verification rule, S11: \(ES_j \mid \equiv SM \mid \equiv ID_i\) is obtained. Using A7, S11, and the jurisdiction rule, we obtain S12: \(ES_j \mid \equiv ID_i\). Using A6, S11, and the session key rule, we obtain S13: \(ES_j \mid \equiv SM {\overset{ID_i}{\rightleftharpoons }} ES_j\). Using S9, S13, and the message-meaning rule, we obtain S14: \(ES_j \mid \equiv SM \mid \sim (F_i, N_i, T_i)\). According to A9 and S15 and using the freshness and nonce-verification rules, S15: \(ES_j \mid \equiv SM \mid \equiv (F_i, N_i, T_i)\) is obtained. Based on the belief rule, we obtain S16: \(ES_j \mid \equiv SM \mid \equiv N_i\). Using A10, S16, and the jurisdiction rule, we obtain S17: \(SM \mid \equiv N_i\). Because \(A_{j}=H(ID_{i}||RSID_j)\) and \(SK=H(ID_i||A_j||n_jN_{i})\), we obtain S18: \(ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

Applying the belief rule for each component, we obtain S4: \(SM \mid \equiv ES_j \mid \equiv N_i\). Using A4, S4, and the jurisdiction rule, S5: \(SM \mid \equiv N_j\) is obtained. Because \(SK=H(ID_i||A_j||n_iN_{j})\), we obtain S6: \(SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

For G3, according to S6, A1, and the session key rule, we obtain S19: \(SM \mid \equiv ES_j \mid \equiv SM {\overset{SK}{\longleftrightarrow }} ES_j\).

For G4, according to S18, A2, and the session key rule, we obtain S20: \(ES_j \mid \equiv SM \mid \equiv SM {\overset{SK}{\longleftrightarrow }} FS_j\).

Numerous authenticated and key agreement protocols have been proven insecure against the following kinds of attacks [36,37,38,39,40]. In this section, we further discuss our protocol can resist such attacks. First, we assume that the adversary is represented as Adv.

6.1 Replay attack

A replay attack resends the messages intercepted by Adv, which can obtain the messages of \(\{E_i,G_i,M_1,T_i\}\) and \(\{M_2,K_j,T_j\}\). We can see that they all have a timestamp in every transmitted message, which guarantees the freshness of the messages; timestamp \(T_i\) and \(T_j\) are both used in a later authentication parameter to check the validity of each other. Therefore, a faked timestamp cannot pass the verification stage. As a result, an adversary cannot replay the messages, and our protocol effectively resists a replay attack.

6.2 SMs and edge node impersonation attack

If adversary Adv wants to create a login message \(\{E_a,G_a,M_{1a},T_{ai}\}\) or \(\{M_{2a},K_a,T_{aj}\}\) to pose as a legal SM SM or legal \(ES_j\). Taking SM as an example, \(ES_j\) is similar to SM. If Adv wants to log into \(ES_j\), he or she first needs the parameters of \(C_j\) to calculate \(ID_i\); however, without the knowledge of \(SID_j\) and \(RSID_j\), Adv cannot obtain \(C_j\) without \(ID_i\), and Adv cannot calculate \(F_i\) and \(N_i\). Therefore, it is impossible for Adv to create a legal login message, and hence, our protocol can resist attacks on SMs and edge node impersonation attacks.

6.3 Man-in-middle attack

As mentioned previously, Adv cannot obtain the messages of both \(\{E_a,G_a,M_{1a},T_{ai}\}\) and \(\{M_{2a},K_a,T_{aj}\}\), and thus Adv cannot forge legal SMs or an edge node. Thus, our proposed protocol is resilient against a man-in-the-middle attack.

6.4 Perfect forward secrecy

In perfect forward secrecy, the long-term key s indeterminable for Adv, and the messages over an insecure channel and the parameters from the memory of the SMs are revealed to Adv; however, even with these parameters, Adv still cannot expose the session key between SMs and edge nodes. In our proposed protocol, if Adv wants to calculate a session key \(SK_{ij}=H(ID_i||A_j||n_iN_{j}^{'})\), Adv needs to know the parameters, \(ID_i\) and \(A_j\), and the random parameters, \(n_iN_j\) or \(n_jN_i\), whereas \(ID_i\), \(A_j\), \(n_iN_j\), and \(n_jN_i\) are independent of the long-term key and cannot be calculated based on messages from an insecure channel; therefore Adv cannot obtain the parameters used to compute the session key. Hence, our protocol can guarantee perfect forward secrecy.

6.5 Ephemeral secret leakage attack

As mentioned above, if Adv wants to obtain a session key, he or she needs to first obtain the ephemeral secret \(n_i, n_j\). In an ephemeral secret leakage attack, Adv can obtain the random parameters \(n_i\) and \(n_j\); however, if Adv wants to obtain the session key, Adv needs another two parameters \(ID_i\) and \(A_j\), which cannot be obtained from an insecure channel or the memory of the SMs. This proves that our proposed protocol is resilient against an ephemeral secret attack.

6.6 SM anonymity and untraceability attack

In our protocol, the random numbers \(n_i\) and \(n_j\) and timestamp \(T_i,T_i\) are used in the login and authentication phase. Different sessions have different messages; thus, Adv cannot trace the message to focus on specific SMs, and the proposed protocol can have security against an SM anonymity attack. In addition, the identities of the SMs and edge nodes are masked by a random number and timestamp, which is also different. Hence our protocol can resist an untraceability attack.

In this section, some protocols related to an SG that do not employ edge computing are listed and compared with our proposed protocol to prove the higher performance of the latter. To objectively analyze the protocols, we used an iPhone 7 for accurately determining the computational costs. In the evaluation based on experimental data, to evaluate the proposed protocol, we use \(T_h\), \(T_d\), \(T_{pa}\), \(T_{pm}\), \(T_{ae}\), \(T_{ad}\), \(T_{exp}\), and \(TG_e\) to represent the time required for performing a one-way hash function, a symmetric decryption/encryption operation, an ECC point addition, a point multiplication, asymmetric public key encryption, asymmetric public key decryption, modular exponentiation, and a bilinear pairing operation. The time required for a bitwise XOR computation is negligible, and therefore, we do not consider the XOR computation time. Table 2 lists the computation time for these operations.

Comparison with related protocols

Full size image

The computation times for the related SG protocols and the proposed protocol are presented in Table 3. A bar chart of the computation times is shown in Fig. 6. From the bar chart, it can be concluded that the proposed protocol involves the minimum computation time in all stages of entities. Although the computation time of Zhang et al.’s protocol was approximately 110.77 ms, which is similar to that of the proposed protocol, Zhang et al.’s protocol cannot resist a privileged insider attack or provide perfect forward secrecy. Therefore, taking all requirements into account, our proposed protocol can provide easy computations and security against various attacks.

In this study, we proposed using edge computing to solve the current security issues encountered in SGs. We designed a secure key exchange and mutual authentication protocol based on edge computing for such grids. To verify our proposed protocol’s security, we analyzed the protocol using the automatic tool ProVerif and BAN logic to prove that it can resist various types of attacks. We also compared our proposed protocol with other protocols used in SGs without an edge computing infrastructure. We concluded that the computation time of our proposed protocol is lower than that of other protocols and that the proposed protocol is more secure and lightweight.

Not applicable.

SG:

Smart grid

SM:

Smart meter

SP:

Service provider

CC:

Control center

ECC:

Curve cryptosystem

Not applicable.

Not applicable.

Authors and Affiliations

1. Shandong University of Science and Technology, Qingdao, Shandong, China

   Chien-Ming Chen, Lili Chen & Jimmy Ming-Tai Wu

2. Harbin Institute of Technology (Shenzhen), Shenzhen, China

   Yanyu Huang

3. Ajay Kumar Garg Engineering College, Ghaziabad, India

   Sachin Kumar

Contributions

Conceptualization, C-MC and LC; Formal analysis, YH, JM-TW; Methodology, C-MC, LC and YH; Software, SK; Supervision, C-MC, JM-TW; Validation, YH; Writing, JM-TW. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Jimmy Ming-Tai Wu.

Competing interests

The authors declare that they have no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions