investigating public-key certiﬁcate revocation in smart gridkan.yang/security_bbcr/paper/... ·...

2327-4662 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/JIOT.2015.2408597, IEEE Internet of Things Journal

1

Investigating Public-Key Certificate Revocationin Smart Grid

Mohamed M. E. A. Mahmoud, Member, IEEE, Jelena Misic, Senior member, IEEE,Kemal Akkaya, Member, IEEE and Xuemin (Sherman) Shen, Fellow, IEEE

Abstract—The public key cryptography is essential for securing many applications in smart grid. For the secure use of the public keycryptography, certificate revocation schemes tailored to smart grid applications should be adopted. However, little work has been doneto study certificate revocation in smart grid. In this paper, we first explain different motivations that necessitate revoking certificates insmart grid. We also identify the applications that can be secured by public key cryptography and thus need certificate revocation. Then,we explain existing certificate revocation schemes and define several metrics to assess them. Based on this assessment, we identifythe applications that are proper for each scheme and discuss how the schemes can be modified to fully satisfy the requirements ofits potential applications. Finally, we study certificate revocation in pseudonymous public key infrastructure where a large number ofcertified public/private keys are assigned for each node to preserve privacy. We target vehicles-to-grid communications as a potentialapplication. Certificate revocation in this application is a challenge because of the large number of certificates. We discuss an efficientcertificate revocation scheme for pseudonymous public key infrastructure, named compressed certificate revocation lists. Our analyticalresults demonstrate that one revocation scheme cannot satisfy the overhead/security requirements of all smart grid applications.Rather, different schemes should be employed for different applications. Moreover, we used simulations to measure the overhead ofthe schemes.

Index Terms—Certificate revocation schemes, public key cryptography, and smart grid communication security.

F

1 INTRODUCTION

THE Smart grid has been envisioned as a promisingevolution to the existing power grid [1]–[3]. It inte-grates communications into the electric transmission anddistribution systems to enable two-way transmission ofpower and flow of information. It aims to improve relia-bility via self-healing and generate and distribute powerefficiently, which can contribute to reducing the elec-tricity prices. However, according to the Electric PowerResearch Institute (EPRI), one of the main challengesfacing the smart grid is cybersecurity [4]. No responsiblegovernment will allow the deployment of the smart gridif there is a chance of launching cyberattacks, probably,by an opponent country to halt the nation’s electricitysupply.

Public key cryptography (PKC) is essential to se-cure many applications in smart grid such as firmwareupdates [5]. These applications will be discussed inSection 3.2. PKC can ensure message authenticity andintegrity [6]–[8]. It can also ensure the non-repudiationof sending a message and its content, which is essentialto enforce accountability. PKC can be used to enforce

• M. Mahmoud is with the Department of Electrical and Computer Engi-neering, Tennessee Tech University, Cookeville, Tennessee, 38505, USA.E-mail: [email protected]

• J. Misic is with Department of Computer Science, Ryerson University,Toronto, Ontario, M5B 2K3, Canada.

• X. Shen is with Department of Electrical and Computer Engineering,University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada.

• K. Akkaya is with Department of Electrical and Computer Engineering atFlorida International University (FIU).

access control to protect the proper operation of the grid.In PKC, nodes should hold public key certificates tobind the certificate holder’s identity to its public key.For more information on the certificates’ format, we referto reference [5]. When a certificate is issued, its validityis limited by an expiration date. However, there aremotivations that necessitate revoking certificates beforethe expiration date, e.g., in case of compromised node.The motivations of revoking certificates in smart gridwill be discussed in Section 4.1. Accordingly, to verifya certificate, two checks are needed to ensure that thecertificate is neither expired nor revoked. Using a securecertificate revocation scheme is essential for the secureuse of the public key cryptography.

A good certificate revocation scheme should take in-to account the characteristics and requirements of thesmart grid applications. These characteristics includecomplexity, scalability, mobile and stationary nodes, andthe large geographical spread of the communicationnetworks. Comparing to other networks, the availabilityof the revocation information is a priority in the smartgrid. Existing works on smart grid security such as [9],[10] use PKC, but they do not provide any schemesfor certificate revocation, even though it is a requiredcomponent. In [11]–[13], we have made the first attemptto study certificate revocation in Automatic MeteringInfrastructure (AMI) networks. In this paper, we broad-en our investigation to include certificate revocation indifferent smart grid applications. The security/privacyrequirements of the smart grid are first discussed andthen we discuss how PKC can satisfy these require-



2

ments in different applications. We then point out themotivations of certificate revocation and the metrics toevaluate certificate revocation schemes. We classify anddiscuss the existing certificate revocation schemes, andstudy certificate revocation in pseudonymous public keyinfrastructure (PPKI). Finally, we evaluate the schemesunder the metrics and discuss how they can be used inpotential smart grid applications.

In PPKI , each node should hold a large number ofcertificates with different public keys and pseudonymsto preserve its privacy. We target vehicle-to-grid com-munications as a potential application for PPKI . Inthis application, pseudonyms can be used to preservethe location privacy of the electric vehicles when theycommunicate with the grid to charge/discharge. Theattackers may try to learn the location of a vehicle andthe amount of power it charges to figure out the drivingdistance. The non-repudiation property of the PPKIcan help secure the communications and the payment ofthe power charging/discharging. Efficient certificate re-vocation in PPKI-based vehicle-to-grid communicationis not easy because of the large number of certificates.A widely used approach to revoke certificates is bydisseminating Certificate Revocation Lists (CRLs) thathave the identifiers of the revoked certificates. To verifythe status of a certificate, each node has to check whetherthe certificate’s identifier is in the list. However, dueto the large number of certificates, using the traditionalCRLs for PPKI is not efficient because they will growvery long. We discuss an efficient certificate revocationscheme for pseudonymous public key infrastructure,named compressed certificate revocation lists.

Our analytical results demonstrate that using certifi-cate revocation schemes is essential for securing thesmart grid, and one scheme cannot satisfy the over-head/security requirements of the different applicationsof the smart grid. Rather, different schemes should beemployed for different applications. For example, phys-ically protected nodes may not need as security strengthas unattended nodes deployed in streets. Also, revokingimportant nodes such as a central unit should be donein a short time, but revoking less important nodes cantolerate some delay. Moreover, simulations have beenused to measure the overhead of the schemes.

The remainder of this paper is organized as follows.Section 2 presents the system models. Section 3 discussesthe security/privacy requirements of the smart grid andthe applications that can be secured by PKC. The cer-tificate revocation motivations and the metrics that canbe used to evaluate the certificate revocation schemesare explained in Section 4. Section 5 discusses the cer-tificate revocation schemes. Performance and securityevaluations are given in Section 6. The related worksare discussed in section 7, followed by conclusions andfuture work in Section 8.

Fig. 1: The architecture of the smart grid.

2 SYSTEM MODELSFig. 1 shows the considered smart grid architecture. Theelectric power is generated at the power plants andsupplied to consumers via transmission and distributionsubstations. The transmission substations deliver powerfrom the plants over high voltage transmission lines tothe distribution substations. The distribution substationsconvert the electrical voltage to medium level and thendistribute the power to the buildings’ feeders to convertthe voltage level into a lower level usable by consumerappliances. Supervisory control and data acquisition(SCADA) can communicate with all the grid systems. Itmonitors the distribution system to determine whetherany actions should be taken to boost the reliability andefficiency or to respond to emergencies. SCADA alsomonitors the power transmission substations and takescorrective actions within a few milliseconds (such astripping circuit breakers) if anomalies are detected.

Consumers are the parties that use and pay for electri-cal power. Smart meters are two-way communication de-vices that are deployed at the consumers’ premises. Theutility companies will periodically receive measurementsfrom the smart meters for billing and estimating the gridstate. The grid provides consumers with real-time pric-ing information to help them to manage their power con-sumption to pay less and help the utility do necessaryload reductions, e.g., shift power use from peak hours tonon-peak hours. Distribution/transmission automationwithin substations involves monitoring and controllingdevices in the substations to enhance the power systemreliability and efficiency.

Some devices in the smart grid such as meters, sensors,and pole-top devices are unattended and have very weakphysical protection to reduce their cost. The level oftrust in these devices must be limited accordingly. Anattacker tries to replace the legitimate firmware with hisprogram, compromise the nodes and re-program them,or replace them with his own devices. However, otherdevices in the grid are physically protected well such asthe devices of SCADA and substations. It is not easyto compromise these devices by external attackers, butdisgruntled employees can use their own credentials to



3

attack the system.

3 SECURITY/PRIVACY REQUIREMENTS ANDPKC APPLICATIONS

3.1 Security/privacy requirementsThe US National Institute of Standards and Technology(NIST) propose three main cyber-security requirementsfor the smart grid in [4]: availability, integrity and confi-dentiality. In this section, we extend these requirementsand add privacy requirements.

Authentication: The receiver of a message should beable to ensure that the message is sent from the intend-ed node. This can prevent impersonation attacks. Thisrequirement is specifically important when the recipienttakes actions based on the message. For instance, when acentral unit sends a message to a circuit breaker to trip,it should be able to verify the identity of the sender.

Message integrity: The recipient of a message shouldbe able to verify that the message has not been altered,replayed, or delayed. Message integrity is importantfor most smart grid applications. For instance, a homecontroller should periodically receive real-time electricityprice and the integrity of these messages is important toenable the consumers to mange their power consump-tion. Message integrity requirement is also importantto the measurements sent by sensors/meters becausecontrol centers take decisions based on this data.

Confidentiality: The loss of confidentiality is the u-nauthorized disclosure of information, i.e., unauthorizednodes should not be able to tell the content of messages.Confidentiality should be ensured in several applicationsin the smart grid, such as consumers’ electricity con-sumption data, failure and grid state messages, etc.

Accountability and non-repudiation: For non-repudiationproperty, the sender of a message should not be ableto deny either sending the message or its content. Thisproperty is important to enforce accountability in thesmart grid to hold individuals accountable, assign lia-bility, and provide information to investigators in caseof a security breach. For example, damage may becaused if forged commands are sent to order devicesto take wrong actions, and thus forensic investigationsare required for understanding what happened to thesystem and identifying the attackers. This requirementis also important for securing the payment of powercharging/discharging of electric vehicles.

Access control/authorization: This requirement aims torestrict the access of the network resources to the autho-rized nodes. Access control is necessary to ensure reliableand secure operation of the system. It enables the nodesto corroborate that a message sender has the privilegeto issue some type of messages.

Availability: The network services should be availableto the authorized nodes without excessive delay. Thisdelay can be less than 4 ms for protective relays, subsec-onds for transmission wide-area situational awarenessmonitoring, seconds for substations and SCADA data,

minutes for monitoring non-critical equipment and mar-ket pricing information, and days for collecting long-term data such as power quality information. Avail-ability is the most significant security requirement inthe smart grid. The loss of availability can lead toserious problems, such as blackouts, due to the inabilityto properly monitor and control the grid. Availabilityis specifically important for systems such as SCADA,substation control system, and AMI that require real-time interaction.

Credential and identity revocation: The system shouldhave the ability to exclude devices from the communica-tion network by invalidating their keys when they showmalicious behavior. This is a fundamental requirement todefend against internal attackers and restore the safe operationof the grid if some devices are compromised.

Privacy and anonymity: Privacy preservation is an im-portant requirement for some applications in smart gridsuch as vehicle-to-grid communications. The commontechnique for ensuring privacy is by using pseudonymsinstead of one permanent identity [14]. Each vehicleshould be loaded with a set of pseudonyms, pub-lic/private keys, and certificates. Each pseudonym isused for a short time. For the secure use of pseudonyms,an adversary should not be able to link pseudonyms[15]. However, full anonymity is not desirable becauseit encourages attackers to launch attacks without beingdetected. It is also not desirable for payment system. Atrusted party should be able to map pseudonyms to thereal identity to enforce accountability and process thepayment.

Not all these requirements are important for all smartgrid applications. For instance, in some applications,a message recipient needs to make decisions such aswhether consume more/less power, generate more/lesspower, turn a switch on/off, etc. In these cases, themessage recipient needs to ensure that the messageis sent from the intended sender and it has not beentampered with during transmission, but preserving theprivacy of the sender or recipient may not be essential.

3.2 PKC for smart gridPKC can satisfy the requirements discussed in Section3.1 and offer several benefits compared to symmetric-keycryptosystems. Some of these benefits are summarized asfollow:-

Flexibility, scalability, and efficiency: Any two nodes cancommunicate securely without the need for distribut-ing/storing a large number of symmetric keys sharedbetween each two nodes.

Non-repudiation: Unlike the symmetric-key cryptosys-tems, public key cryptography can achieve the non-repudiation property. As explained in Section 3.1, thisproperty is important to enforce accountability, securethe payment, and provide information to investigatorsin case of a security breach.

Availability: Using PKC, communications can be se-cured without the direct involvement of a central unit.



4

The reliance on a central unit may not be robust orscalable for many applications in the smart grid becausethe nodes cannot communicate when the unit is notavailable.PKC can be used to secure several applications in the

smart grid, as follow:-Firmware updates: The ability to perform firmware up-

dates allows the evolution of the applications withoutexpensive physical visits to the devices. However, it isimportant to ensure that firmware updates are not usedto install malwares. PKC can be used to ensure that thefirmware update is sent from the authorized party andit is not modified during transit.

Operation and control: Remotely controllable intelligentelectronic devices (IEDs) will be widely deployed toallow fast isolation of faults and restoration of electricity.These devices will receive control commands, e.g., to tripa switch, from control centers. Without protecting thesemessages, the attackers can send fake control commands,modify valid commands, and replay commands to causechaos in the grid. The attackers can also reset the smartmeters, order the meters to cut off electricity supply fromhouses, command the distribution feeders that supplya large number of consumers to disconnect to triggera blackout, etc. PKC can operate in such massivelydistributed and locally autonomous setting.SCADA/substations communications: SCADA and sub-

stations monitor and control IEDs deployed in unat-tended locations (like pole tops) for automatic faultdetection, isolation, and service restoration. They shouldreceive information such as device states (on/off), alarms(overheat, overload, battery level, etc), and measure-ments (current, voltage, frequency, etc), and take cor-rective actions such as turn on/off automated switches,switch capacitor banks in and out, raise or lower voltageregulators, etc., to boost reliability and efficiency andrespond to emergencies. In addition to ensuring theintegrity of the messages, SCADA/substations need toverify that data is sent by the intended devices. Theyalso need access control mechanisms that allow onlyauthorized devices/users to configure or operate them.

Demand/response: From [16], the purpose of de-mand/response application is stated as ”changes in elec-tric usage by end-use customers from their normal con-sumption patterns in response to changes in the price ofelectricity over time, or to incentive payments designedto induce lower electricity use at times of high wholesalemarket prices or when system reliability is jeopardized”.A house controller should frequently receive real-timeelectricity pricing information to manage the power con-sumption, e.g., to minimize the electric bill by reducingthe power consumption during high-price periods (peakhours). Without securing demand/response messages,coordinated falsification of pricing information acrossmany houses could cause grid instability. The integrity,availability and non-repudiation of pricing informationare essential requirements since there could be financiallosses and possibly legal implications.

Direct load control (DLC): In DLC application, smartappliances are configured by the end-user to commu-nicate directly with the utilities for the efficient use ofelectricity [17]–[20]. For example, the utility may controllighting, thermal equipment (i.e., heating, ventilating,and air conditioning), refrigerators, and pumps. Usually,the on/off patterns are applied to some groups of loadsduring a time interval. The on/off periods of all groupsunder control should not be coincident in order to avoidsome undesirable effects, such as the so-called paybackeffect (increase in peak power demand when comparedwith the situation without load control actions), that maycause strong reduction in revenues. The communicationsbetween the appliances and the utilities can be securedusing PKC.

Advanced metering infrastructure network (AMI): Mil-lions of smart meters are being deployed to enable theutility to interact with consumers. Each smart metershould send fine-grained electricity consumptions to theutility to be used for state estimation. Without securingthe communications, external attackers can impersonatethe meters and inject false data. The public key cryp-tography will enable the smart meters and the utility tosecure the communications by verifying the origin andintegrity of the data as proposed in [9].

Plug-in electric vehicles (PEV s): PEV s are driven pri-marily by electric motor powered by a rechargeablebattery that can be recharged by plugging into the grid.They can inject the energy stored in their batteries backto the grid at the times of high electricity load in areturn of a financial incentive [21]. PKC can secure thecommunications between the vehicles and the grid andsecure the payment of the power charging/discharging.

4 CERTIFICATE REVOCATION MOTIVA-TIONS AND METRICS4.1 Motivations

Verifying the expiration of a certificate is necessarybut insufficient. Another check is required to determinewhether the certificate is revoked [22], [23]. The mes-sages that are signed using revoked certificate shouldbe discarded. This means that without holding a validcertificate, the nodes can be excluded from the grid’scommunication network. Strong motivations that neces-sitate revoking certificates to secure the smart grid arediscussed as follows.

Key compromise: The private key of the certificateholder or the certificate authority (CA) that issued thecertificate has been compromised or suspected to becompromised. Compromising (or revoking) a CA trig-gers revoking all the certificates issued by the CA. Ifthe certificate is not revoked, the attacher who knowsthe private key can impersonate the certificate holderwithout any suspicion. If the compromised key is for aCA, the attacker can issue new certificates and revokevalid ones.



5

Loss of security token: The private key might be storedin a smart card or USB device and the certificate holder(e.g., an employee) has lost it. Without revoking thecertificate, the attacker can retrieve the private key andsends messages under the name of the employee.

End of certificate’s purpose: The purpose of the certificatefor which it was issued does not exist anymore. Wediscuss three cases named: temporary certificates, change ofaffiliation, and defective devices. For temporary certificates,a certificate may be issued for a temporary purpose,e.g., the hydro company may need to set up makeshiftdevices when it extends the power grid or repairs a dam-age. For change of affiliation, certificates are required foremployees to use the grid’s communication network. Anemployee’s certificate is not only associated to his identi-ty, but also to his privileges and permissions as proposedin [5]. Thus, if an employee is promoted or transferredto a different department/site or his contract has beenterminated early, his certificate must be revoked. Newcertificates should be issued with the updated data suchas the certificate holder’s affiliation and privilege. Fordefective devices, the certificates of defective devices thatare removed from service should be revoked. Otherwise,attackers can use their keys to launch attacks.

Malicious behavior: If the system loses trust in a deviceor an employee, e.g., due to evident malicious behavior,the system must promptly revoke their certificates toprotect the network’s proper operation. A member ofthe maintenance staff and a disgruntled employee whohas physical access to the system and might also haveextensive technical knowledge may act maliciously.

Change of security policy: Certificate revocation is nec-essary when the CA does not work under its definedpolicy anymore, e.g., when the certificate authority hier-archy changes.

Insecure key length: Certificate revocation is necessarywhen the secure key length becomes more than the usedone. This might be due to advances in cryptanalysis andcomputing capabilities.

4.2 Metrics

We will use the following metrics to evaluate the certifi-cate revocation schemes.

1) Overhead: The overhead of revoking a certificate andchecking a certificate status should be minimal. Sev-eral metrics can be used to measure this overheadsuch as the communication overhead (or bandwidthrequirement), storage area, and the computation coston the CA and the nodes. The smart grid willinvolve communication over a variety of channelswith varying bandwidths. Low bandwidth channelswill be too slow to disseminate large certificate revo-cation information. Some devices such as residentialmeters may be limited in their computational powerand/or storage space.

2) Check latency: When a signed message is received,the verifier has to check whether the certificate

is revoked. The latency of this check should beminimized to expedite message authentication.

3) Scalability: This metric depicts how a revocationscheme scales up in large networks. A scheme witha large number of potentially revocable certificatesis expected to require more resources comparing tosmall-scale schemes.

4) Robustness: This metric measures the scheme’s a-bility to resist potential threats [24]. Availability isone way to measure robustness. For example, if thescheme requires an online and interactive server, theavailability of the certificate revocation informationrelies on the availability of the server.

5) Vulnerability period (or revocation latency): This is thelatency between deciding revoking a certificate andthe distribution of revocation information to all de-vices, i.e., when revocation is indeed implemented[25]. A good certificate revocation scheme shouldminimize this period because the messages sent byrevoked certificates will be accepted during thisperiod. The vulnerability period should particularlybe minimized for the certificates of important nodessuch as control centers because these nodes haveenough privileges to launch serious attacks that cancause substantial damage.

5 CERTIFICATE REVOCATIONSCHEMESIn this section, we explain five certificate revoca-tion schemes called short-lived-certificate, tamper-proof-device, online certificate status server, certificate revoca-tion list (CRL), and compressed CRL.

5.1 Short-lived certificatesThis scheme makes use of the fact that certificates are auto-matically revoked when they expire. Short-lived certificatesare self-revoked after short time [26]. If the CAs issueshort-lived certificates, the nodes need to frequentlycontact them to renew their certificates. The CAs canrevoke certificates by denying renewing them.

5.2 Tamper-proof-device based schemeThe main idea behind this scheme is that certificates canbe revoked by deleting the associated private keys [27].Without the private keys, the certificates’ holders cannotcompute valid signatures despite of having unexpiredcertificates. Tamper proof device (TPD) should be in-stalled in each node and the device should be secureenough to resist manipulation. TPD stores the node’sprivate key, and performs security functions such assignature and verification operations.

To revoke a certificate, the CA sends CertificateRevoke Command (CRC) message to the TPD of interestto delete the private key. The message should beencrypted either by a symmetric key or the device’spublic key to prevent the attackers from knowing



6

the purpose of the message and dropping it beforeit reaches the TPD. Only the TPD can decrypt themessage. The CRC message has the identities of theCA and the device, a timestamp, the identifiers of thecertificates to be revoked, and the CA’s signature onthe message. The CA’s signature enables the TPD toverify the authenticity and integrity of the message. Themessage’s format is as follows:

CA→ TPDU : IDCA, EK(REV OKE, Ts, Cert IDs),SigCA(EK(REV OKE, Ts, Cert IDs))

Where IDCA is the identity of the CA and EK(X,Y, Z)denotes the encryption of ”X,Y, Z” with the key K.REV OKE indicates the message’s type, Ts is a times-tamp, and Cert IDs is the identifiers of the certificatesto be revoked. SigCA(Y ) is CA’s signature on Y .

When TPDU receives the message, it first verifiesthe CA’s signature and decrypts the message. Then,it sends back a Certificate Revocation Acknowledgment(CRA) message to confirm revoking the certificate(s).The CRA message has the following format:

TPDU → CA : IDU , EK(REV CONF, Ts, Cert IDs),SigU (EK(REV CONF, Ts, Cert IDs))

Where IDU is the identity of node U , REV CONF in-dicates that the message type is revocation confirmation.SigU (Y ) is node U ’s signature on Y . After sending themessage, node U immediately deletes the private keysof the revoked certificates.

If the CA does not receive the CRA message, e.g.,because it is dropped, the CA has to re-send the CRCmessage. However, node U will not be able to compose avalid CRA message because it deleted the private keys.To resolve this, node U should store both the CRC andCRA messages for a period of time, so that it can re-sendthe CRA message when it receives the CRC. Note thatif a device has multiple certificates from different CAs,revoking a CA’s certificate should not affect the otherCAs’ certificates. This is because each CA is responsiblefor revoking the certificates it issues.

5.3 Certificate revocation listIn this scheme, certificates can be revoked by disseminat-ing certification revocation information using CertificateRevocation Lists (CRLs) [28], [29]. A CRL is issued byeach CA to list the identifiers of the revoked certificatesthat were issued by the CA. A certificate is revoked ifits identifier is found in the CRL, otherwise it is valid.The CRLs are periodically updated and distributed, andeach node has to store the most up-to-date version,otherwise, it verifies the certificate status against out-dated list and may accept messages sent with revokedcertificates.

The format of a CRL is given in Fig. 2. The CRLhas the version, issuer, serial number, issuing date, ex-piration date, and complete list of the revoked (and

Fig. 2: The format of a CRL message.

not yet expired) certificates’ identifiers together withtheir dates of revocation and the revocations’ reasons(may be unspecified). The CRL also has the issuer’sdigital signature on its content and the algorithm usedto generate the signature. The digital signature can guar-antee the integrity and authenticity of the CRL. Expiredcertificates should be removed from the list since theyare not accepted by the nodes.

To verify a CRL, each node has to do the following:(1) verify the CA’s signature, (2) ensure that the CRL’sserial number is the expected one, (3) check that theCRL has arrived at the expected time, and (4) checkthat the certificates declared as revoked in the last CRL(and not yet expired) are included in the current CRL.Two techniques can be used to sent CRLs: (1) CRLsare sent at fixed time interval even if there is no newupdates; or (2) CRLs are sent after accumulating aproper number of certificate, passing a maximum timeinterval, or urgent revocation information needs to bedistributed, e.g., revoking important nodes.

The CA attaches the certificate revocation reason tothe CRL because it can resolve some problems. Forexample, two certificates Cert1 and Cert2 having thesame public and private keys are issued to one deviceby two different CAs called CA1 and CA2, respectively.The problem arises if CA1 revokes Cert1 and CA2 saysnothing about Cert2. This problem could be resolvedif the reason of revocation is known. For example, ifa certificate is revoked because of key compromise, allcertificates with the same public/private key pair shouldbe revoked. However, if the certificate is revoked becausethe subject is no longer affiliated with CA1, the revoca-tion of Cert1 should not affect the status of the certificateCert2. An example from the smart grid for this case canbe a premise that has two certificates: one for powerdistribution system and the other for power generationsystem. The certificate of the power generation systemshould be revoked if the premise is no longer operatingrenewable resources generator, but this should not affectthe certificate of the power distribution system.



7

In the remainder of this section, we discuss two pos-sible enhancements to CRL-based revocation scheme,named incremental CRL (I−CRL) and partitioned CRL(P − CRL). I − CRL is a short CRL that providesincremental information about the certificates whosestatus changed since the last update [30]. This techniquecan reduce the size of the CRL updates because if acertificate is revoked in one CRL message, it will not bere-sent in the next messages. The devices should cachethe base CRL and add to it the new certificates thathave been revoked in the following updates. The cer-tificates’ revocation information should be stored in thedevices until the certificates expire. Therefore, I − CRLcan reduce the overhead of distributing the revocationinformation because it is much shorter than a completeCRL.

In mobile networks, any two nodes can communicatebecause of the nodes’ mobility. In many applications inthe smart grid, the nodes will only communicate witha limited number of other nodes due to the stationarynature of the network. This means that the nodes do notneed the revocation information of all the certificates, butonly the certificates of interest. Using this observation, apartitioned CRL (P − CRL) can reduce the overheadby storing and distributing the revoked certificates ofinterest instead of all the revoked ones. The size ofP − CRL is much shorter than the complete CRL. Toimplement the P − CRL technique, each node shouldregister its certificates of interest with the CA.

In an ideal case, the certificate authority creates theP − CRLs that only has the nodes’ certificates of inter-est. However, this fine level of granularity will imposeoverhead on composing and distributing the P − CRLsbecause a large number of signatures will be needed.To reduce the overhead, P − CRL can be composed forthe certificates of interest of a group of nodes, e.g., inone geographic region, in such a way that can keep theP −CRL size acceptable with a reasonable overhead onthe CA. What promotes this idea is that the function ofmany nodes in the smart grid is identical, i.e., a groupof devices in one geographic area has identical or over-lapped certificates of interests. It is worth mentioningthat merging both incremental and partitioned CRLsin one scheme, called IP − CRL, can much reduce theoverhead.

5.4 Online certificate status server

In this scheme, an online and interactive certificate statusserver is used. The server stores updated revocation in-formation for the certificates of interest. These certificatesare the ones needed by the nodes in the server’s domain.As shown in Fig. 3a, the verification of the certificatesstatus can be done by request/response packets. Whena node needs to check the status of a certificate, itsimply composes a Certificate Status Query packet withthe certificate identifier and sends it to the server. IDA,Ts, CertID, and SigA() are the identity of the node that

(a) Verifying a certificate status.

(b) Obtaining an updated CRL.

Fig. 3: Online certificate status server based scheme.

sends the query, the current timestamp, the identifier ofthe certificate that the sender needs to verify its status,and the sender’s signature, respectively. Upon the receiptof the query, the server composes a signed response withthe status information and sends the response back to thenode. The format of the response packet is given in Fig.3a, where Status and Te are the certificate status andthe expiry date of the certificate status, respectively. Thecertificate status in the server response can be ”Valid”,”Revoked”, or ”Unknown”. The nodes need to send anew request when the status expires. This scheme canprovide the status of a particular certificate without theneed to acquire the complete revocation list.

As shown in Fig. 3b, the server should periodicallycontact the CA to update its revocation information.The CA responds with the version of the current CRLtogether with a timestamp, all signed by the CA. Theserver compares the version of the current CRL withthe one it stores. If the current CRL is newer, the serverrequests the new CRL from the CA. Alternatively, theCA can distribute the CRL when it is updated. It isworth noting that the P − CRL and I − CRL can beused to send the certificate revocation information to theserver instead of the entire CRL to reduce the overhead.

5.5 Compressed CRLUsing one certificate with a unique identity jeopardizesthe privacy of the users and enables the attackers tolink the users’ messages. Pseudonymous public keyinfrastructure (PPKI) [7], [8], [31] is an extension to thestandard PKI which aims to preserve the users’ privacyby concealing their real identities. Each node is preload-ed with a set of certificates with different pseudonymsand public/private keys. Each certificate is used onlyfor a short time, and thus the nodes need to frequentlycontact the CA to obtain new sets of certificates. Privacycan be preserved because the certificates do not haveany information about the real identity of the user andlinking pseudonyms is infeasible for the adversary. Thecertificates enable the nodes to authenticate themselveswhile preserving their privacy. This authentication can



8

prove that the user is a legitimate member in the net-work, but without revealing its real identity.

In the smart grid, electric vehicles will need to com-municate with the grid to charge and inject power. By al-lowing vehicles to charge during off-peak hours (storingsurplus electricity generated during that time) and dis-charge during peak hours (returning the stored energyback into the grid), lots of benefits can be achieved. It cansmooth the variable generations of renewable sourcesand improve the grid reliability by using the vehicles’stored energy when the energy demand exceeds thesupply [32].

However, the location privacy of the vehicles’ ownersis a great concern. When a vehicle charges or dischargesat the owner’s home, it can be known that the owner is athome. Similarly, it can be known when a vehicle’s owneris at work and shopping malls. Moreover, regularlyparking at a clinic or at a lawyers office can reveal privateinformation about a persons financial status, habits, orhealth situation. The followings are interested in theusers’ private data:-• Employers wondering whether their employees re-

turn home late which can negatively affect theirproductivity.

• Car insurance companies are interested to knowhow the drivers use their cars.

• Law enforcement officials may be interested toknow vehicles’ locations for investigations, e.g., toconfirm the presence of a driver at an certain loca-tion at a certain time.

Although PPKI is a very promising approach topreserve privacy in vehicle-to-grid communications, cer-tificate revocation is a challenge because of the dramaticincrease in the number of certificates in the network. InPKI , a single certificate should be revoked when revok-ing a device, but all the certificates assigned to the deviceshould be revoked in PPKI . Using the regular CRLs isnot efficient because revoking a device requires addingmany certificates to the CRL which much increases itssize. Obviously, distributing a large CRL is inefficientand bandwidth consuming. Therefore, an efficient cer-tificate revocation scheme is essential for the successof PPKI . We introduce compressed CRL (C − CRL)scheme that can significantly reduce the size of the CRL.Reducing the overhead can enable distributing CRLsmore often with acceptable overhead, which can makethem fresher and reduce the vulnerability period.

The CA creates a group of certificate identifiers thatappear to be unrelated, but in fact they are related by asecret key chain known only to the CA. As illustratedin Fig. 4, for each group of certificates, the CA createsthe key chain K1, K2, .., Kn by iteratively hashing aninitial key K1. Then, the CA computes the pseudonymsID(1), ID(2), ...., ID(n) using a random nonce (R) andthe key chain. From the figure, it can be seen that eachpseudonym is the hash value of the the correspondingkey in the key chain and the previous pseudonym, i.e.,ID(i) = h(Ki, ID

(i−1)) and 1 ≤ i ≤ n, where h(X,Y )

Fig. 4: C − CRL-based scheme.

denotes the hash value of X concatenated to Y, n is thesize of the hash chain, and ID(0) = R. Each key in thekey chain is used to compute one pseudonym. It is obvi-ous that without knowing K1, linking the pseudonymsis infeasible. Also, with knowing Ki+1 and ID(i), thepseudonyms {ID(i+1), ID(i+2), ...., ID(n)} can be com-puted but the pseudonyms {ID(1), ID(2), ...., ID(i−1)}cannot be computed because the hash function is oneway, i.e., given Ki, it is easy to compute Ki+1 =H(Ki), but it is infeasible to compute Ki−1, where Ki= H(Ki−1).

From Fig. 4, to revoke a vehicle, the CA releases thecurrent pseudonym ID(F ), the current key in the keychain that is associated with the current pseudonym(KF ), and the number of revoked certificates (n − F +1). The vehicles can compute the complete list of re-voked certificates’ identifiers locally. They first computethe key chain by iteratively hashing KF to compute{KF+1,KF+2, ...,Kn}. Then, using the key chain andID(F ), the node can compute the revoked pseudonyms,i.e., {ID(F+1), ID(F+2), ...., ID(n)}. In this way, a largeset of certificates can be revoked by only adding a keyand a pseudonym to the CRL.

In [33], Haas et al. propose a scheme to reduce theCRL size in the anonymous communications of VANET-s. There are two main differences between this schemeand the one discussed in this section: 1) the efficienthashing operations are used instead of the symmetrickey encryption/decryption operations; and 2) one secretvalue should be stored/computed for each certificate setinstead of two in [33].

6 DISCUSSIONS AND EVALUATIONSIn this section, we evaluate the certificate revocationschemes discussed in the previous section using themetrics discussed in Section 4.2. We also discuss thepotential smart grid applications for each scheme. Acomparison between the certificate revocation schemesis given in Table 1.

6.1 Short-lived certificatesUnlike the certificate revocation list scheme, the short-lived-certificate scheme can save the overhead of dis-



9

TABLE 1: A comparison between different certificate revocation schemes.

Short-lived certificates Tamper-proof-device Online server CRL

Overhead

• No distribution to the re-vocation information

• Tradeoff with the certifi-cates’ lifetime

LowLow storage at the nodes butalways-available communica-tion with the server

Depends on CRL sizeand the frequency ofdistributing CRLs

Check latency None None Depends on the speed of theconnection with the serverDepends on the CRLsize

Scalability Tradeoff with the certifi-cates’ lifetime Scalable but expensiveThe server can be a bottleneck

The CRL size increas-es with the increase ofthe number of certifi-cates

Robustness Depends on the securityof the CA

Depends on the securi-ty of the CA and thetamper proof device

Depends on the security ofthe CA and the server, andthe availability of the com-munications with the server

Depends on the secu-rity of the CA

Vulnerabilityperiod

Tradeoff with the certifi-cates’ lifetime Short

• Depends on the freshness ofthe revocation informationstored at the server

• Tradeoff with the communi-cation overhead

Tradeoff with theoverhead

TABLE 2: Overhead measurements of tamper-proof-device and online certificate status server based schemes.

Packet size Computational time Computational energy

CRC/CRA packets 148 Bytes• Composition: 15.64 ms• Verification: 0.55 ms

• Composition: 550 mJ• Verification: 16.2 mJ

Query/Response packets• Query: 142 Bytes• Response: 144 Bytes

• Composition: 15.64 ms• Verification: 0.55 ms

• Composition: 550 mJ• Verification: 16.2 mJ

tributing the revocation information. The scheme canalso reduce message authentication delay because it canreduce the latency of the certificate status check. Insteadof checking both the expiration and the revocation ofthe certificates, only the expiration check is requiredbecause unexpired certificates are also unrevoked. Thereis an obvious tradeoff between the overhead and therevocation latency. Shorter certificate lifetime can re-duce the revocation latency, but with more overheadto issue/distribute certificates more often. This couldconstitute a high load on the CA and the network. On thecontrary, long certificate lifetime gives the attackers moretime to operate before being revoked, but with lowercertificate renewals overhead. There is an obvious trade-off between revocation latency and scalability and thistradeoff can be controlled with the certificates’ lifetime.The scheme is more scalable with using longer certificatelifetime but with more revocation latency. The scheme’soverhead can be reduced by using the certificate renewalscheme proposed in [5] that can reduce the overheadof issuing/distributing certificates using hash chain. Inthis case, the revocation latency and scalability can beimproved with acceptable overhead.

This scheme is suitable for the applications that requirefast message authentication. It should not be used forthe applications that require immediate revocation ofthe misbehaving nodes to decrease the time windowin which the nodes can jeopardize the proper operation

of the grid. Accordingly, the scheme can suit the nodesthat have uncritical privileges that do not enable them totake important actions if compromised. It is also properfor the cases in which it is hard to compromise thenodes. Since the smart meters and the field devices areunattended and the attackers have full access to them,to use the short-lived certificates scheme securely, thesedevices should have hardware security. The scheme canalso be used in substations or SCADA because thedevices are physically protected.

6.2 Tamper-proof-device based scheme

The main advantage of this scheme is the low com-munication and computation overhead. Only a coupleof packets are required to revoke certificates. The lowoverhead can make the scheme more scalable than short-lived certificates scheme, but the widespread use of thescheme is costly because tamper proof devices shouldbe installed in the nodes. The low overhead can im-prove the scheme’s scalability but the widespread useof the scheme is costly because tamper proof devicesshould be installed in the nodes. Verifying a certificaterevocation status takes no time because a certificate isvalid if the signature is valid. This can expedite messageauthentication. Another important advantage is the verylow revocation latency. Certificates are revoked instantlyafter receiving a CRC message.



10

One signing operation and one symmetric-key encryp-tion are required to compose a CRC or CRA message.One verifying operation and one symmetric-key decryp-tion are required to verify a CRC or CRA message.In order to estimate the required computational timesand energy to compose and verify a CRC or CRAmessage, we have implemented 1,024-bit RSA publickey cryptosystem and 128-bit AES symmetric-key cryp-tosystem using Crypto++ library [34] and 1.6 GHz Intelprocessor. The signature size is 128 bytes and the signingand verifying operations require 15.63 ms and 0.53 ms,respectively. The AES encryption/decryption operationsrequire 1.52 µs/16 bytes. From [35], the energy consump-tion of AES encryption/decryption operation is 1.21 µJper byte, and the energy consumptions for RSA signingand verifying operations are 546.5 mJ and 15.97 mJ ,respectively. A node’s identity, packet type, timestamp,and one certificate identifier require four, one, five, andfive bytes, respectively.

Our measurements indicate that the CRC and CRApacket size is 148 bytes. The computational delay andenergy consumption for composing a CRC or CRAmessage are 15.64 ms and 550 mJ , respectively. Thecomputational time and energy consumption for veri-fying a CRC or CRA packet are 0.55 ms and 16.2 mJ ,respectively. These results are summarized in Table 2.

The scheme is suitable for the applications that re-quire immediate revocation of misbehaving nodes. Thelow overhead can make the scheme suitable for PPKIbecause all the certificates of a device can be revokedby one message. The immediate revocation property isimportant especially for the highly privileged nodes suchas control centers, gateways, some SCADA devices, etc.

6.3 Online certificate status server

This scheme requires low storage at the nodes, but itdoes require always-available communications to theserver. The nodes can acquire the certificates’ revocationstatus without the need to store complete CRLs. Thisis very beneficial when it is inefficient to store CRLsat the nodes because of limited memory or long CRLs.Obviously, the server is a single point of failure, i.e., thenodes cannot check the status of the certificates whenthe server fails. The server should be fully secure andtamper resistant. In addition, the scheme does not scalewell to avoid creating a bottleneck at the server. Oneserver cannot serve many nodes and deploying manyservers is costly. The scheme can reduce the vulnerabilityperiod provided that the server keeps the most-updatedrevocation information. Decreasing the validity period ofthe responses decreases the window of vulnerability butincreases the communication overhead with the server.The certificates revocation verification can be done in atimely manner if the connection between the devices andthe server is fast.

We refer to Section 6.2 for the computation time andenergy of signing and verifying operations. A node’s

identity, certificate status, timestamp, expiry date, andcertificate identifier require four, one, five, five and fivebytes, respectively. The signature size is 128 bytes. Thesize of the query and response packets are 142 and144 bytes, respectively. These results are summarized inTable 2.

In masquerade attack, attackers attempt to masquer-ade the server and fabricate the responses. For responseintegrity attack, attackers try to modify the responsesent by the server. For replay attack, an attacker couldresend an old (valid) response prior to the revocationof a certificate. The scheme is resilient to these attacksbecause of signing the responses sent by the server. Sincetimestamp is attached to the response packet’s signature,replayed packets can be identified and discarded.

This scheme is suitable for unscalable networks thatcan provide physical protection to the server such asSCADA and substations. In AMI networks, the gatewaycan play the role of the certificate status server, butthis scheme may not be efficient for large scale AMInetworks because of the increased communication andcomputation overhead with the server.

6.4 Certificate revocation list

It is inefficient to compose and distribute an updatedCRL momentarily after a certificate is revoked, becausethis imposes a huge overhead. Instead, the CA has towait until it accumulates a number of revoked certificatesand then release them as a batch. There is a tradeoff be-tween the overhead in terms of distributing of CRLs andthe vulnerability period. This scheme has an interestingfeature for smart grid that is an offline certificate revoca-tion check. CRLs are inappropriate for the applicationsthat require momentary certificate revocation becausethe inherent overhead of CRL distribution prohibitstimely distribution of revocation information [36]. TheCA’s signature on the CRLs can protect the authenticityand integrity of the CRLs.

Reducing the certificates’ lifetime can help shorten theCRL because the revoked certificates’ identifiers shouldstay in the list for a short time until they are expired.However, short-lifetime certificates imposes large over-head on the CA due to renewing/distributing the cer-tificates often. The smart grid will implement differentsystems with different security/overhead requirements.A good certificate lifetime should depend on the longevi-ty of its purpose. It is not expected that all the certificateswill have the same lifetime. A certificate’s lifetime shouldbe determined to balance between the CRL size andthe overhead of composing and distributing them. Forexample, when certificates are issued to employees whomay change their position after few years, it wouldbe appropriate to issue certificates with relatively shortlifetime, so that in case of revocation, the certificates stayin the CRL for a short time. Some certificates may beissued to devices that are deployed with the intent tokeep them operating for many years, and these devices



11

are housed in a secure environment and have low failurelikelihood. In this case, the certificates’ lifetime can belong as the probability of revoking them is low. Reducingthe CRL size can expedite the message authenticationbecause it takes less time to search for a certificate.

In P − CRL, each CA groups the full CRL into aseries of partitioned CRLs that contain the certificatesof interest of a group of nodes. This grouping shouldbe done in such a way that decreases the number ofpartitioned CRLs with acceptable overhead on the CA.It is possible that one certificate is included in more thanone group. For example, if the full CRL of a CA has10, 000 revoked certificates and a node’s list of revokedcertificates of interest is only 50, without partitioning, thenode will receive 9, 950 unneeded certificates, but withpartitioning the P − CRL size will be between 50 and9, 949 certificates.

Partitioning is more efficient when the degree ofoverlapping among the nodes’ certificates of interest ishigh, i.e., P − CRLs are fewer and shorter. This canbe applicable to the field sensor nodes. However, usingP − CRL may not reduce the overhead a lot in someapplications, e.g., a substation has a large number ofcertificates of interest because it communicates with alarge number of devices. In this case, the substation canreceive multiple P − CRLs that cover all its certificatesof interest, or it may revert to a different certificaterevocation scheme.

For C−CRL scheme, the size of the certificate revoca-tion list is linear with the number of revoked certificateseries, irrelative to the number of revoked certificates ineach series. Only a single entry needs to be added to theC−CRL to revoke a series of certificates. In this scheme,the CAs can provide the nodes with enough certificates forprivacy preservation with keeping the size of the CRLsreasonable. Linking the certificates is infeasible withoutknowing the secret key used to compute their identifiers,i.e., the certificates’ identifiers appear unrelated but theycan be linked using a secret key. This unlinkabilityproperty is important to preserve the nodes’ anonymity.Our scheme needs a secure one-way keyed hash functionthat can satisfy the following properties [37]:

1) Given X and K, it is easy to compute h(K,X), butgiven h(K,X) and X , it is infeasible to compute K.

2) Given h(K,X) and X , without knowing K, it isinfeasible to link h(K,X) and X .

3) Given X and K, it is computationally infeasible tofind X 6= X ′ such that h(K,X ′) = h(K,X).

Fortunately, there are several secure and efficient hashfunctions. SHA-1 has 20-byte hash value and can process16.79 Mega bytes per second and consume only 0.76J/byte as given in [38].

Backward unlinkability means that linking a certificatewith the previously used ones in the same series isinfeasible. In our scheme, certificates are not linkablewithout knowing the key chain used to generate theiridentifiers. If a device is revoked, the attackers are able to

compute the certificate identifiers of the revoked certifi-cates, but they cannot compute the identifiers of the usedcertificates before revoking the device. The attackerscannot also link the revoked certificates with the onesused before revoking the device because it is infeasibleto compute the keys used to compute them due to theunidirectionality of the hash function, i.e., given KF ,it is easy to compute {KF+1, KF+2, ..., Kn} but it isinfeasible to compute {KF−1, KF−2, ..., K1}. Specifically,the attackers cannot link the certificates that are usedprior to revocation because the released key (KF ) cannotbe used to generate the certificates’ identifiers that wereused earlier. The backward privacy property is desirablein several scenarios, e.g., if a vehicle’ credentials arerevoked due to changing the owner, the privacy ofthe old owner can be preserved. The CA can map thecertificates’ identifiers to the real identity of the vehiclewhen needed. This is important to enforce accountability.If the system suspects that a vehicle is malicious, the CA(that is trusted) can identify this node.

The total number of pseudonyms that should be load-ed in each vehicle is D × T × 365, where D and Tare the average time each vehicle communicates withthe grid in one day and the pseudonyms’ consump-tion rate (the number of pseudonyms used/minute),respectively. For example, if D and T are three hoursand one pseudonym/minute, respectively, the numberof pseudonyms is 65, 700. Without our scheme, revokinga vehicle will increase the CRL size by 65, 700 elementsbut in C-CRL, only one element will be added. Giventhe large number of vehicles, the CRL will dramaticallygrow. For example, if the total number of vehicles is 5millions and only 1% of them are revoked, the numberof elements in the CRL and C-CRL are 3, 285 millionsand 50, 000, respectively. Note that during the charg-ing/discharging times, each vehicle needs to frequentlychange its pseudonyms to preserve its location privacy.Using SHA-1, each element in C-CRL requires around 42bytes, but the size of an element in the CRL is 4 bytes.Figs. 5 and 6 give the sizes of the C-CRL and CRL atdifferent numbers of vehicles and certificate revocationrates, respectively. The figures can show that the size ofC-CRLs are much smaller than the CRLs.

7 RELATED WORKIn [39], Raya et al. propose a certificate revocationscheme for vehicular ad hoc network (VANETs). Theyuse Bloom filter to store the revoked certificates’ identi-fiers compactly. However, Bloom filters suffer from falsepositive, i.e., there is a chance that a valid certificateis mistakenly considered revoked. Unlike VANETs, thecommunication availability is a priority in smart gridand false positives will not be acceptable. A meter maymiss a command to disconnect power because of falsepositives. They can also cause financial losses if a metermisses power pricing information.

Papadimitratos et al [40] propose a scheme to dis-tribute large CRLs efficiently across wide regions in



12

Fig. 5: C-CRL size versus the number of vehicles.

Fig. 6: CRL size versus the number of vehicles.

VANETs. In [41], Raya et al. propose a scheme to iso-late misbehaving nodes until a centralized revocationis issued by the CA. In [42], a scheme is proposed todistribute the load of a server to a set of participatingclients. The revocation information is available if up tok − 1 participants fail. In [43], Wasef et al propose adistributed certificate-service scheme for VANETs. Thescheme aims to offer flexible interoperability for certifi-cate service in heterogeneous administrative authoritiesand reduce the complexity of certificate management.

Capkun et al [44] propose a fully self-organizedpublic-key management system that allows users togenerate their public/private key pairs, issue certificates,and perform authentication without any centralized ser-vices. Arboit et al [45] present a decentralized certifi-cate revocation scheme that allows the nodes withina mobile ad hoc network to revoke the certificates ofmalicious nodes. In [46], H. Guo et al. propose a batchauthentication protocol for vehicle to smart grid com-munication. Instead of verifying each packet for eachindividual vehicle, the aggregator waits for some timeto receive multiple responses from a batch of vehicles.The aggregator verifies the received responses by onlyone signature verification.

In [47], H. Khurana et al. have discussed the mainsecurity issues in smart grid. The authors have iden-tified public key management as a challenge due tothe system scalability and complexity. From [48], thesmart meters will have a remote off switch to ensurethat customers who default on their payments can beswitched off remotely. However, the attackers can launchattacks to interrupt the citizens’ electricity supply. Inorder to address this attack, the authors use public keycryptography to secure the ”turn off” commands. A.Metke et al. [49] survey the existing key security tech-nologies for extremely large, wide-area communicationnetworks. Based on studying the security requirementsof the smart grid as well as the scale of the system,the authors strongly believe that the most effective keymanagement solution for securing the smart grid will bebased on public key infrastructure.

In [50], M. Qiu et al. measure the energy consumptionsof various security algorithms using energy-constrainednodes. They propose a group of code optimization meth-ods to increase the energy consumption efficiency ofdifferent security algorithms for smart grid. Chee-Wooiet al. [51] propose a vulnerability assessment frameworkto systematically evaluate the vulnerabilities of SCADAsystems. In [52], a survey on cybersecurity of criticalinfrastructures is reported. A supervisory control anddata acquisition security framework has been proposed.In [53], the authors present a framework for cyber-attackimpact analysis of a smart grid. The authors illustratehow cause-effect relationships can be conveniently ex-pressed for both analysis and extension to large-scalesmart grid systems.

In [54], the authors investigate the attacks and privacyconcerns in the smart grid. They also expect that thepublic key cryptography will be implemented to securethe smart grid. In [55], the authors highlight the sig-nificance of cyber-infrastructure security in conjunctionwith power application security to prevent, mitigate,and tolerate cyber-attacks. Cheng et al. [56] introducethree main attack categories and their countermeasuresin the smart grid communication networks. In [57], [58],privacy-preserving power consumption data aggrega-tion schemes for AMI networks have been proposed. M.Fouda et al. [59] propose a lightweight message authen-tication scheme for securing smart grid communications.The PKC has been used in several works to secure theAMI networks such as [9]. In [60], X. Liang et al. proposea usage-based dynamic pricing scheme for smart grid ina community environment, which enables the electricityprice to correspond to the electricity usage in real time.

However, although securing smart grid has recentlygained extensive attention, certificate revocation in smartgrid has not been well studied yet. In [11]–[13], wehave introduced the problem of certificate revocation inAMI networks. Unlike this work that focuses only onAMI networks, this paper broadens our investigationsto include certificate revocation in different applicationsof the smart grid.



13

8 CONCLUSIONS AND FUTURE WORKIn this paper, we have investigated certificate revocationin smart grid applications. We have explained differentcertificate revocation schemes and defined several met-rics to assess them. Based on our assessment, we identi-fied the applications that are proper for each scheme anddiscuss how the schemes can be modified to fully meetthe requirements of potential applications. Finally, westudied certificate revocation in pseudonymous publickey infrastructure and explained an efficient scheme forvehicles-to-grid communications as a potential applica-tion. We have discussed that one revocation schemecannot satisfy the overhead/security requirements ofall smart grid applications. Rather, different schemesshould be employed for different applications. This isbecause the smart grid applications have different secu-rity/overhead needs.

In our future work, we will further investigate thisidea of partitioned CRLs (P − CRLs) and apply it onthe AMI networks. A good certificate revocation schemefor AMI networks should balance the size of the CRLsand the overhead of forming and distributing them.It should also take into account the limited storageand computation power of the meters, and address thescalability and the large geographic deployment of thenetworks and require low communication overhead.

9 ACKNOWLEDGEMENTThis work is supported in part by US National ScienceFoundation under the grant number 1318872.

REFERENCES[1] F. Li, W. Qiao, H. Sun, H. Wan, J. Wang, Y. Xia, Z. Xu, and

P. Zhang, “Smart transmission grid: Vision and framework,”Smart Grid, IEEE Transactions on, vol. 1, no. 2, pp. 168–177, Sept2010.

[2] S. Amin, “For the good of the grid,” IEEE Power Energy Mag.,vol. 6, pp. 48–59, 2006.

[3] E. Santacana, G. Rackliffe, L. Tang, and X. Feng, “Getting smart,”IEEE Power Energy Mag., vol. 8, pp. 41–48, 2010.

[4] NIST, “Report to nist on smart grid interoper-ability standards roadmap epri,” Available [Online]:http://www.nist.gov/smartgrid/InterimSmartGridRoadmapNISTRestructure.pdf,June 2009.

[5] M. Mahmoud, J. Misic, and X. Shen, “A scalable public keyinfrastructure for smart grid communications,” Proc. of IEEEGlobal Communication Conference (IEEE GLOBECOM’13), Atlanta,GA, USA, December 2013.

[6] M. Mahmoud and X. Shen, “Esip: Secure incentive protocol withlimited use of public-key cryptography for multihop wirelessnetworks,” Mobile Computing, IEEE Transactions on, vol. 10, no. 7,pp. 997–1010, July 2011.

[7] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,”Journal of Computer Security, vol. 15, no. 1, pp. 39–68, 2007.

[8] J. P. Hubaux, “The security and privacy of smart vehicles,” IEEESecurity and Privacy, vol. 2, p. 4955, 2004.

[9] A. Beussink, K. Akkaya, I. Senturk, and M. Mahmoud, “Pre-serving consumer privacy on ieee 802.11s-based smart grid aminetworks using data obfuscation,” IEEE INFOCOM Workshop onCommunications and Control for Smart Energy Systems, 2014.

[10] D. Wu and C. Zhou, “Fault-tolerant and scalable key managementfor smart grid,” Smart Grid, IEEE Transactions on, vol. 2, no. 2, pp.375–381, June 2011.

[11] K. Akkaya, K. Rabieh, M. Mahmoud, and S. Tonyali, “Effi-cient generation and distribution of crls for ieee 802.11s-basedsmart grid ami networks,” Proc. of IEEE SmartGridComm’14, Italy,November 2014.

[12] M. Mahmoud, K. Akkaya, K. Rabieh, and S. Tonyali, “An efficientcertificate revocation scheme for large-scale ami networks,” 2014.

[13] K. Akkaya, K. Rabieh, M. Mahmoud, and S. Tonyali, “Customizedcertificate revocation lists for ieee 802.11s-based smart grid aminetworks,” Smart Grid, IEEE Transactions on, vol. PP, no. 99, pp.1–1, 2015.

[14] K. Ren, W. Lou, K. Kim, and R. Deng, “A novel privacy preservingauthentication and access control scheme for pervasive computingenvironments,” Vehicular Technology, IEEE Transactions on, vol. 55,no. 4, pp. 1373–1384, July 2006.

[15] K. Sampigethava, L. Huang, M. Li, R. Poovendran, K. Matsuura,and K. Sezaki, “Caravan: providing location privacy for vanet,”Proceedings of International workshop on Vehicular ad hoc networks,2006.

[16] V. Balijepalli, V. Pradhan, S. Khaparde, and R. Shereef, “Reviewof demand response under smart grid paradigm,” IEEE PESInnovative Smart Grid Technologies, 2011.

[17] C.-J. Tang, M.-R. Dai, C.-C. Chuang, Y.-S. Chiu, and W. Lin,“A load control method for small data centers participating indemand response programs,” Future Generation Computer Systems,vol. 32, no. 0, pp. 232 – 245, 2014.

[18] A.-H. Mohsenian-Rad, V. W. Wong, J. Jatskevich, R. Schober, andA. Leon-Garcia, “Autonomous demand-side management basedon game-theoretic energy consumption scheduling for the futuresmart grid,” Smart Grid, IEEE Transactions on, vol. 1, no. 3, pp.320–331, 2010.

[19] N. Ruiz, I. Cobelo, and J. Oyarzabal, “A direct load controlmodel for virtual power plant management,” Power Systems, IEEETransactions on, vol. 24, no. 2, pp. 959–966, 2009.

[20] A. Gomes, C. Antunes, and A. Martins, “A multiple objectiveapproach to direct load control using an interactive evolutionaryalgorithm,” Power Systems, IEEE Transactions on, vol. 22, no. 3, pp.1004–1011, 2007.

[21] H. Liu, H. Ning, Y. Zhang, and L. Yang, “Aggregated-proofs basedprivacy-preserving authentication for v2g networks in the smartgrid,” Smart Grid, IEEE Transactions on, vol. 3, no. 4, pp. 1722–1733,Dec 2012.

[22] P. Wohlmacher, “Digital certificates: a survey of revocation meth-ods,” Proc. of the ACM Workshops on Multimedia, California, pp.111–114, 2000.

[23] P. Kocher, “On certificate revocation and validation,” Proceedingsof the 2nd International Conference on Financial Cryptography, An-guilla, pp. 172–177, 1998.

[24] M. Myer, “Revocation: options and challenges,” Proceedings of the2nd International Conference on Financial Cryptography, West Indies,pp. 165–171, Feb 1998.

[25] P. Zheng, “Tradeoffs in certificate revocation schemes,” ACMSIGCOMM Computer Communication Review, vol. 33, no. 2, pp.103–112, 2003.

[26] M. Jakobsson and S. Wetzel, “Efficient attribute authenticationwith applications to ad hoc networks,” in Proceedings of VANET’04,2004.

[27] M. Raya, D. Jungels, P. Papadimitratos, I. Aad, and J. Hubaux,“Certificate revocation in vehicular networks,” Technical ReportLCA-Report-2006-006, 2006.

[28] R. Housley, W. Polk, W. Ford, and D. Solo, “Internet x.509 publickey infrastructure certificate and certificate revocation list (crl)profile,” Internet Request for Comments (RFC 3280), April 2002.

[29] IEEE Trial-Use Standard for Wireless Access in Vehicular Envi-ronments - Security Services for Applications and ManagementMessages, IEEE Std. 1609.2-2006, 2006.

[30] D. A. Cooper, “A more efficient use of delta-crls,” Proceedings ofIEEE Symposium on Security and Privacy, pp. 190–202, 2000.

[31] A. Wasef, Y. Jiang, and X. Shen, “Dcs: An efficient distributed-certificate-service scheme for vehicular networks,” Vehicular Tech-nology, IEEE Transactions on, vol. 59, no. 2, pp. 533–549, Feb 2010.

[32] Center for Carbon-Free Power Integration [Online], Available:http://www.carbonfree.udel.edu/.

[33] J. Haas, Y.-C. Hu, and K. Laberteaux, “Efficient certificate revo-cation list organization and distribution,” IEEE Journal on SelectedAreas in Communications, vol. 29, no. 3, pp. 595–604, March 2011.

[34] W. Dai, “Crypto++ library 5.6.0,” http://www.cryptopp.com, lastretrieved 2014.



14

[35] N. Potlapally, S. Ravi, A. Raghunathan, and N. Jha, “A studyof the energy consumption characteristics of cryptographic algo-rithms and security protocols,” Mobile Computing, IEEE Transac-tions on, vol. 5, no. 2, pp. 128–143, Feb 2006.

[36] B. Fox and B. LaMacchia, “Online certificate status checking infinancial transactions: the case for reissuance,” Financial Cryptog-raphy - Lecture Notes in Computer Science, vol. 1648, pp. 104–117,1999.

[37] W. Mao, “Modern cryptography: Theory and practice,” EnglewoodCliffs, NJ: Prentice-Hall, 2003.

[38] M. Mahmoud and X. Shen, “Fescim: Fair, efficient, and secure co-operation incentive mechanism for multihop cellular networks,”Mobile Computing, IEEE Transactions on, vol. 11, no. 5, pp. 753–766,May 2012.

[39] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J.-P. Hubaux,“Eviction of misbehaving and faulty nodes in vehicular net-works,” Selected Areas in Communications, IEEE Journal on, vol. 25,no. 8, pp. 1557–1568, Oct 2007.

[40] P. Papadimitratos, G. Mezzour, and J. Hubaux, “Certificate re-vocation list distribution in vehicular communication systems,”Proc. 5th ACM Int. Workshop Veh. Inter-NETw., pp. 86–87, 2008.

[41] M. Raya, D. Jungels, P. Papadimitratos, I. Aad, and J. P. Hubaux,“Certificate revocation in vehicular networks,” Swiss Fed. Inst.Technol., Lausanne, Switzerland, Tech. Rep. LCA-Rep.-2006-006, 2006.

[42] R. Wright, P. Lincoln, and J. Millen, “Efficient fault-tolerant cer-tificate revocation,” Proc. of CCS’00, 2000.

[43] A. Wasef, Y. Jiang, and X. Shen, “Dcs: An efficient distributed-certificate-service scheme for vehicular networks,” Vehicular Tech-nology, IEEE Transactions on, vol. 59, no. 2, pp. 533–549, Feb 2010.

[44] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Self-organized public-key management for mobile ad hoc networks,” Mobile Computing,IEEE Transactions on, vol. 2, no. 1, pp. 52–64, Jan 2003.

[45] G. Arboit, C. Crpeau, C. R. Davis, and M. Maheswaran, “A local-ized certificate revocation scheme for mobile ad hoc networks,”Elsevier Ad Hoc Networks, vol. 6, no. 1, pp. 17–31, January 2008.

[46] H. Guo, Y. Wu, F. Bao, H. Chen, and M. Ma, “Ubapv2g: A uniquebatch authentication protocol for vehicle-to-grid communication-s,” Smart Grid, IEEE Transactions on, vol. 2, no. 4, pp. 707–714, Dec2011.

[47] H. Khurana, M. Hadley, N. Lu, and D. Frincke, “Smart-gridsecurity issues,” IEEE Security and Privacy, vol. 8, no. 1, pp. 81–85,January-February 2010.

[48] R. Anderson and S. Fuloria, “Who controls the off switch?” inFirst IEEE International Conference on Smart Grid Communications(SmartGridComm), October 2010, pp. 96–101.

[49] A. Metke and R. Ekl, “Security technology for smart grid net-works,” IEEE Transactions on Smart Grid, vol. 1, no. 1, pp. 99–107,June 2010.

[50] M. Qiu, W. Gao, M. Chen, J.-W. Niu, and L. Zhang, “Energyefficient security algorithm for power grid wide area monitoringsystem,” Smart Grid, IEEE Transactions on, vol. 2, no. 4, pp. 715–723, Dec 2011.

[51] C. Ten, C. Liu, and G. Manimaran, “Vulnerability assessmentof cybersecurity for scada systems,” IEEE Transactions on PowerSystems, vol. 23, no. 4, pp. 1836–1846, November 2008.

[52] C. Ten, G. Manimaran, and C. Liu, “Cybersecurity for criticalinfrastructures: attack and defense modeling,” IEEE Transactionson Systems, Man and Cybernetics, Part A: Systems and Humans,vol. 40, no. 4, pp. 853–865, July 2010.

[53] D. Kundur, X. Feng, S. Liu, T. Zourntos, and K. Butler-Purry,“Towards a framework for cyber attack impact analysis of theelectric smart grid,” in First IEEE International Conference on SmartGrid Communications (SmartGridComm), Oct 2010, pp. 244–249.

[54] S. Iyer, “Cyber security for smart grid, cryptography, and pri-vacy,” International Journal of Digital Multimedia Broadcasting, vol.2011, 2011.

[55] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-physical systemsecurity for the electric power grid,” Proceedings of the IEEE, vol.100, no. 1, pp. 210–224, Jan 2012.

[56] P. Chen, S. Cheng, and K. Chen, “Smart attacks in smart gridcommunication networks,” IEEE Communications Magazine, Au-gust 2012.

[57] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “Eppa: An efficientand privacy-preserving aggregation scheme for secure smart gridcommunications,” Parallel and Distributed Systems, IEEE Transac-tions on, vol. 23, no. 9, pp. 1621–1631, Sept 2012.

[58] W. Jia, H. Zhu, Z. Cao, X. Dong, and C. Xiao, “Human-factor-aware privacy-preserving aggregation in smart grid,” SystemsJournal, IEEE, vol. 8, no. 2, pp. 598–607, June 2014.

[59] M. Fouda, Z. Fadlullah, N. Kato, R. Lu, and X. Shen, “Alightweight message authentication scheme for smart grid com-munications,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp.675 – 685, December 2011.

[60] X. Liang, X. Li, R. Lu, X. Lin, and X. Shen, “Udp: Usage-baseddynamic pricing with privacy preservation for smart grid,” SmartGrid, IEEE Transactions on, vol. 4, no. 1, pp. 141–150, March 2013.

investigating public-key certiﬁcate revocation in smart gridkan.yang/security_bbcr/paper/... ·...

Documents