See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/308396976

Security Threats in M2M Networks: A Survey with Case Study

Article  in  Computer Systems Science and Engineering · July 2016

CITATIONS

5READS

1,198

5 authors, including:

Some of the authors of this publication are also working on these related projects:

Hajj Crowd Monitoring and Control View project

Resource allocation in Cloud-RAN View project

Fatima Hussain

Ryerson University

45 PUBLICATIONS   231 CITATIONS   

SEE PROFILE

Lilatul Ferdouse

Ryerson University

26 PUBLICATIONS   152 CITATIONS   

SEE PROFILE

Lutful Karim

Seneca College

23 PUBLICATIONS   199 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Lilatul Ferdouse on 22 June 2018.

The user has requested enhancement of the downloaded file.

0000; 00:1–18

REVIEW ARTICLE

Security Threats in M2M Networks: A Survey with Case Study

Fatima Hussain1, Lilatul Ferdouse1, Alagan Anpalagan1, Lutful Karim2, and Isaac Woungang3

1Department of Electrical and Computer Engineering, Ryerson University, Canada2 School of ICT, Seneca College of Applied Arts and Technology, Canada3 Department of Computer Science, Ryerson University, Canada

ABSTRACT

Security requirements such as key establishment and authentication are crucial in machine-to-machine (M2M) networks. No matter how strongan encryption or an authentication algorithm is, if the distribution of keys is inefficiently managed and carelessly designed, that scheme isdoomed to fail. This paper presents a study of potential security issues in M2M networks especially related to the authentication and keyagreement phases. One of the important problems is authentication signalling congestion problem which creates overload in radio access partand core network part of the M2M network. Several group based authentication and key agreement schemes have been proposed to solve thiscongestion problem. Among key management protocols, most prominent is Internet Key Exchange (IKE) used with IPSec. This paper presentsa comprehensive survey on IKE and its variants along with their case studies in smart grid and smart home. The goal of this paper is: i) toprovide a survey on the main security issues in M2M wireless communication, ii) to discuss the main security approaches, and iii) to discussvarious security issues in home area networks and recent security enhancements with a case study.

1. INTRODUCTION

Machine to machine (M2M) or machine type communication (MTC)has received increasing attention in recent years. M2M applicationsinvolving intelligence to ubiquitous environment have been inexistence for the past many years. However, its provisioning usingmobile technologies raises a new security challenge. Design ofsecurity mechanisms appropriate for M2M wireless communicationsrequire new approaches. This will be motivated not only dueto unattended nature of M2M communications, but also becauseM2M applications are expected to encompass a multitude ofcommunication technologies, devices and networks [1].

The heterogeneity of the characteristics envisioned for M2Mdevices and applications calls for new approaches regarding howdevices communicate wirelessly at the various protocol layers andhow security should be designed for such communications. Assuch devices and communications are expected to support security-critical applications, the security of M2M wireless communicationsis particularly important. However, there is no ”one size fitsall” solution regarding security. The threats associated with eachapplication need to be assessed in order to define the appropriatesecurity mechanism to deploy [2].

M2M supports communication between devices in an unattendedfashion. It raises important security concerns such as authenticationin some cases and trust between devices without previous knowledgeof each other. Many applications will also require communicationswith back-end or gateway devices. M2M communication is highlyrecommended by research community to be integrated into thecellular network due to its well established infra structure. Cellularnetworks such as LTE/LTE-A and UMTS work as a backbonenetwork to the machine type communication (MTC). The keydifference between cellular communication and M2M is that cellularnetworks support human-to-human (H2H) communication whereasMTC involves less human interaction. Besides this, the MTC

has some distinguishable characteristic features such as low datarates, low mobility, infrequent transmission and massive numberof connectivity of low power autonomous devices. Since mostM2M wireless devices will be seriously constrained in terms ofcomputational capability and energy, security for M2M wirelesscommunications must consider such limitations. This implies thatexisting security mechanisms may not be appropriate for M2Mcommunications.

In general, attacks in M2M systems can be classified as eitherpassive or active. A passive attack does not disrupt the operations ofan M2M communication system, but it attempts to learn informationabout M2M communications by eavesdropping. Although difficultto detect, a passive attack causes less damage if well designedcondentiality mechanisms are adopted. In contrast, an active attack iseasy to detect, but the damages can be significant because it attemptsto deliberately modify sensory and decision data in the M2M andnetwork domains, or even gain authentication to access the back-endserver in the application domain. In addition, active attacks can befurther divided into external and internal attacks. An external attackis launched by attackers who are not equipped with key materialsin an M2M communication system, while an internal attack is onefrom compromised M2M nodes that hold key data. Compared to theexternal attack, the internal attack may cause more damage to theoverall M2M communications system being affected [1].

The MTC communication supports a variety of applications suchas vehicle tracking, smart meter, smart grid, video surveillanceetc. Security threats become a challenging issue of MTC andnew security threats will occur when these MTC applicationtraffic integrate with cellular traffic. Another issue is to designnew authentication and key agreement protocols for MTC becausetraditional authentication protocol of cellular system such as UMTS-Authentication and Key Agreement (UMTS-AKA)[2][3], EvolvedPacket System-AKA(EPS-AKA)[4] are not suitable for massiveM2M systems. When a large number of M2M devices send

1

authentication signalling message simultaneously, the conventionalmethods (e.g. EPS-AKA) will suffer from congestion problem andconsequently overload the radio network part and core networkpart of the cellular network. In order to overcome authenticationsignalling congestion problem, most researchers work recently ondeveloping appropriate authentication and key agreement schemesfor M2M systems.

In [5], authors proposed a triangular security framework for M2Mcomprising of important issues like energy efficiency, reliability,and security. In [6], authors focus on privacy preservation in homeautomation networks and discuss simple cryptographic techniques.In the same spirit, authors in [7] propose a security architecture forM2M communication networks that can ensure mutual authenticationand key management based on RFID and chaotic encryptiontechniques. This scheme allows dynamic sharing of different kindsof keys intended to secure unicast and multicast traffics whilstmeeting the scalability requirement of the M2M communication.Authors in [1] target the identication of potential attacks, threats, andvulnerabilities of M2M communications systems.

The paper is organized as follows. Section II presents securityarchitecture of M2M system, its vulnerability points and basicsecurity requirements. The comparative analysis of some group basedauthentication and key agreement schemes for M2M systems arediscussed in section III. In section IV, security issues and relatedmeasures in HAN are discussed with a case study. Finally, sectionV concludes this paper.

2. SYSTEM ARCHITECTURE AND SECURITYISSUES IN M2M NETWORKS

The 3GPP [8] presents the overview of the MTC security architectureas shown in Figure 1. In this architecture, 3GPP identifies thefollowing three different areas where M2M security aspects shouldbe analysed properly:

A) Security for MTC communication between the M2M UE and3GPP network can be further divided into three security area:

1. Area between the M2M devices and radio aceessnetwork (RAN).

2. Area between the M2M devices and non-access-spectrum (NAS).

3. Area between the M2M devices and MTC interworkingfunction unit (MTC-IWF).

B) Security for MTC communication between the 3GPP networkand an entity outside the 3GPP network can be further dividedto into two areas:

1. In the indirect deployment mode, the security pointshould be between the MTC server and 3GPP network.

2. In the direct deployment mode, security area should bebetween the MTC application and 3GPP network.

C) Security areas that consider non-3GPP entity and the M2Mdevice can be further divided into two areas:

1. In the indirect deployment mode, security points forMTC communication will be between the MTC serverand the M2M devices.

2. In the direct deployment mode, security points for MTCcommunication will be between the MTC applicationand the M2M devices.

MTC

device

domain

RAN

SGSN/

MME

GGSN/P-GW

S-GW

MTC-IWF

HSS/HLR

MTC

SERVER

MTC

APPLICATION

MTC-AAA

SMS-SC/

IP-SM-GW

eNB/BS

MTC USER

MTC USER

eNB/BS

B1

B2

C1

C2

A1

A2

A3

User plane

Control plane

Figure 1. M2M security architecture and main security points.

Security Area: B1,B2Security Area:A1,A2,A3

Threats:

• False network attack

• Tamper attack

• SMS spoofing

Countermeasures

• Mutual authentication between

MTC server and 3GPP networks

• Integrity

MTC sever

MTC

Application

Threats:

• Device triggering attack

• External interface attack

• DoS attack

• Access priority attack

Countermeasures

• User plane or SMS and NAS

signal used for triggering device

• Integrity apply to access indicator

• Device authorization and

authentication

3GPP

Networks

MTC

Device

Domain

Figure 2. Threats and countermeasures in main security points.

2.1. Vulnerabilities for M2M Communication

A M2M system is extremely vulnerable to attacks for several reasons.First, often its components spend most of the time unattended;and thus, it is easy to physically attack them. Second, most of thecommunications are wireless, which makes eavesdropping extremelysimple. Finally, most of the M2M components are characterized bylow capabilities in terms of both energy and computing resourcesand thus, they cannot implement complex schemes supportingsecurity. These terminals are mostly mobile devices communicatingwirelessly, and as there is lot less human attendance in M2Mcommunications, they tend to require remote management. Figure 2shows the list of security threats and their associate countermeasuresin M2M security architecture point of view.

2 0000; 00:1–18DOI: 10.1002/

2.1.1. Security threats in M2M systemAuthors in [9] identified four security threats for M2M

communication:

• Device triggering attack• Denial of service attack• Access priority attack• External interface attack

The device triggering attack occurs when an attacker sends falsetriggering signal and activates M2M device to connect to a falsenetwork. This situation becomes worse when a massive number ofdevices are activated by fake signalling message. However, changingaccess priority code degrades the service performance of M2M usersand insecure external interface can leak sensitive information. The3GPP proposes MTC security architecture and analyzes its potentialvulnerability and threats. In their technical report TR 33.868 [10][8],the following security threats in MTC network are mentioned.

• False network attack: When a MTC UE is in a detachedstate, the attacker can impersonate a network to send a triggerindication to the MTC UE. False network attack is similar todevice triggering attack in which attacker can awaken a MTCUE and waste its power and also obtain personal informationof a particular device.

• Tamper attack: If an attacker tampers the TCP/UDP port of theMTC application server, the MTC UE may establish wrongconnection with this server and get rejected. It will wastepower consumption and increase transmission delay.

• SMS spoofing: When the SMS is used for triggering the MTCUEs, spoofing SMS causes serious threats to the devices whichhas limited power supply. Spam SMS contains false triggerindication message which wastes network resources.

2.2. Security in M2M Environment; A Layered Approach

Security issue spans through all protocol layers and across allnetwork elements. If basic security mechanisms at data link andphysical layer are done, then it can be useful when protecting networkand application layers. The availability of security at lower layersmay be beneficial in relation to two aspects. One is that it may allowa more efficient detection and response to attacks targeting resourceson M2M constrained devices, such as denial of service (DoS) attacksagainst higher layer protocols or applications. The other is that it maypromote the design of energy-efficient hardware security mechanisms[11, 12, 13]. A cross-layer approach may be appropriate to designsecurity solutions for fundamental mechanisms and services suchas key management, trust management, authentication, privacy andintrusion detection, among others.

In the following, we discuss possible security threats at variouslayers. Afterwards, we will present various security methods taken atdifferent layers.

2.2.1. Physical Layer AttacksSuch attacks may be generally classified as passive and active

attacks; passive attacks normally involve traffic analysis andeavesdropping of wireless communications. Active attacks aregenerally more disruptive and may involve jamming and scrambling.

• Jamming: implies that a link between nodes is disturbedby the intruder transmitting at high power and the samefrequency band used by the nodes. Jamming attacks result

MTC Device Domain

Backhull Networks

MTC Application

Domain

3GPP

Non 3GPP

PHY

MAC

Network

Application

Jamming

Scarmbling

Eavesdropping

Exhaustion

Sybil

De-Synchronization

False network attack

Tamper attack

SMS Spoffing

Replay attack

Snopping

Session hijaking

Figure 3. Threats in layered approach.

in the permanent interruption of the communication channeland therefore represents a DoS attack against wirelesscommunications.

• Scrambling: attacks normally target more precisely specificframes or parts of a frame and takes place during smaller andwell defined periods of time.

• Eavesdropping: Since the wireless medium is essentially abroadcast medium, any attacker may just be able to eavesdropon ongoing transmissions and decipher the contents.

• Exhaustion: It is a typical attack launched at the physicallayer is to exhaust the radio power supply. Exhaustiontypically happens due to collision, overhearing, idle listening,retransmission, and interrogation of the transmitted andreceived packets.

Security Measures: Multiple input multiple output (MIMO)technology is proposed to introduce security, and can provide defenseeavesdropping attack. In general, the usage of frequency and timediversity contributes to information security and information hiding.However, these techniques involving the usage of radios supportingmultiple antennas may not be economically viable for MTC.

To avoid jamming attacks, raising the signal power or intensifyingthe bandwidth usage techniques such as spread spectrum are useful.Spread spectrum techniques may provide defense against jamming,eavesdropping and traffic analysis attacks.

Location privacy can be implemented by designing informationhiding techniques to prevent unauthorized detection of transmissionactivities. Embedding private messages to back ground signal ornoise process can protect the signal.

2.2.2. MAC Layer Attacks• Sybil: Once an attacker has access to the network, it can take

multiple identities and cause significant harm to link layer.These identities can occupy the channel and thus preventlegitimate nodes to communicate meaningfully. It can alsoinfluence data aggregation mechanism.

0000; 00:1–18 3DOI: 10.1002/

• De-Synchronization: An embedded multihop network typi-cally relies on strong synchronization between nodes. Anattacker may trigger signals, typically embedded in thelink layer control information, which cause nodes to de-synchronize and thus disconnect the network.

• Traffic Analysis: Anattacker could monitor the activity of thenetwork by simply analyzing the occupancy of the channel.

Security Measures:To avoid the Sybil, countermeasures must betaken that essentially prevent false identities, such as rekeying. Whilea suitable MAC design with some basic security mechanism mayprevent de-synchronization problems among the nodes.In addition tothis, dummy packets can be sent in quieter hours of the system tocountermeasure the traffic analysis by the attacker.

2.2.3. Network / Transport Layer Attacks• False network attack: is similar to device triggering attack in

which attacker can awaken a MTC devices and waste its powerand also obtain personal information of a particular device.

• Tamper attack: If an attacker tampers the TCP/UDP port of theMTC application server, MTC devices may establish wrongconnection with this server and get rejected. It will wastepower consumption and increase transmission delay.

• Short Messaging Service (SMS) spoofing: When the SMS isused for triggering the MTC devices, spoofing SMS causesserious threats to the devices which has limited power supply.Spam SMS contains false trigger indication message whichwastes network resources.

Security Measures: For the behavior of the unauthorized accessto data, two-way authentication mechanism between devices andnetwork, and high strength encryption algorithm should be adopted.This enables attacker not to decrypt hacked data and protects theconfidentiality of information.

2.2.4. Application Layer AttacksSystem Reliability: is the major concern at application level. In

M2M network, there will be a large number of data packet arrivalsimultaneously. Hence, the performance of the back end server atthis time will affect the M2M system whether it can efficiently andreliably run or not.

Security Measures:System reliability and QoS in high networktraffic can be improved by using a pair of servers to work together.One of them is used as the primary server and the other is abackup server. Use of firewall and intrusion detection system willalso improve network security. Table ?? list various security threatsand respective counter measures in M2M systems. While Table I, listvarious security measures taken at specific layer [14].

2.3. Security requirements in M2M system

As many systems are participating in distributed M2M applications,establishment and use of security mechanisms in M2M systemsare inherently collaborative. Applications, networks and devicesmust be managed for core functionality and security in a unifiedand collaborative manner to ensure that the familiar measuresof confidentiality, integrity and availability are maintained andmanaged. In parallel with the challenge of delivering the promiseof secure M2M services, the information security landscapeitself is increasingly characterized by active threat-monitoring

and surveillance-based approaches to augment the monolithic,vulnerability-based protection schemes that have met with limitedsuccess in an environment of rapidly-evolving and distributed attacks[15].

M2M communication is suffering from security problems such asphysical attacks, compromise of credentials, configuration attacks,protocol attacks, attacks on the core network and user data andidentity attacks [16]. In a M2M system, security services suchas authentication, data integrity and key establishment are critical.Authentication is difficult, because it usually requires appropriateauthentication infrastructures and servers that is not feasible inM2M systems [17]. Also, varying security, power and data raterequirements for M2M devices necessitate that they use differentnetwork protocols to communicate. In [18], authors use Scytherto analyze two complex group authentication protocols and theirsecurity properties. In [19], authors present the design, analysis, andevaluation of a cloud service called CLaaS, which offers virtualcybersecurity experiments with Internet connectivity.

Analyzing the security vulnerabilities of the M2M architecture,authors in [9] proposed the following security requirements:

• To prevent false trigger indication, SMS and NAS signal oruser plane can be used for triggering device.

• Integrity protection should be applied to low access priorityindicator message.

The 3GPP identifies the following security requirements in thetechnical report TR 33.868 [10] when MTC server is located outsidethe operator domain.

• Mutual authentication technique should be applied between3GPP network and MTC server.

• Control plane requests should be sent by authorized MTCserver.

• Device triggering signals should be sent by authorized MTCserver.

• All the communications between 3GPP network and MTCserver should be integrity protected.

• Confidentiality protection should be applied to the signallingmessages between the 3GPP network and the MTC server.

3. SURVEY OF DIFFERENT AUTHENTICATIONAND KEY AGREEMENT PROTOCOLSAPPLIED TO M2M NETWORKS

By denition, authentication means binding an identity (ID) toa subject or principal. It can be accomplished by showing thefollowing: 1) what the subject is capable of doing, e.g., performinga digital signature; 2) what the subject knows, e.g., a password; 3)what the subject possesses, e.g., a smart card; or 4) what the subjecthas biometrically, e.g., fingerprints. Moreover, in a networkingenvironment, network nodes should follow a mutual authenticationto establish a certain level of trust. After two parties get authenticatedto each other, they need to set up a secure communication channel,normally by using a security key for data encryption to protect theirdata from unauthorized parties. The key can be symmetric, supportedby a private key cryptography system, or asymmetric, supported by apublic key cryptography system [20].

4 0000; 00:1–18DOI: 10.1002/

Table I. Security Measures at OSI Layers

OSI Layers Confidentiality Integrity Entity Authentication Data AuthenticationData Link SILS/SDE, PPTP,

L2TPSILS/SDE, L2TP PPTP, L2TP, L2F SILS/SDE, L2TP

Network PIC,IPSEC, NLSP PIC, IPSEC, NLSP PIC, IPSEC, NLSP PIC, IPSEC, NLSPTransport SOCKS, TLSP,

SSL, D-TLS,TLS,PCT, SSH

SOCKS, TLSP,SSL, D-TLS, TLS,PCT, SSH

SOCKS, TLSP, SSL,DTLS, TLS, PCT, SSH

TLSP

Application S/HTTP, SPKM,MHS,MSP,PEM,SFTP,PGP/MIME,MOSS, S/MIME

S/HTTP, SPKM,MHS,MSP,PEM,SFTP,PGP/MIME,MOSS, S/MIME

S/HTTP, SPKM, SFTP S/HTTP, SPKM,MHS,MSP,PEM,SFTP, PGP/MIME,MOSS, S/MIME

Group based M2MAuthentication andKey AgreementProtocol

Group based authentication and key agreement protocol (GB-AKA)[21]

Enhanced authentication protocol (EAP-AKA) [22]

Group based authentication and key agreement protocol (G-AKA)[23]

Only Key management protocol

Functional group key management [24]

Regional group key management[24]

Cooperative key establishment protocol [25]Dynamic group based authentication and key managementprotocol(DGB-AKA)[9]

Lightweight group authentication protocol (LGTH)[26]

Secure authentication and key establishment(SAKES)[27]

Figure 4. List of group based authentication and key agreement protocols for M2M systems.

3.1. Authentication and Key Management in M2MSystems

Authentication methods in M2M system are quite different fromconventional authentication process. The conventional authenticationprocess such as password based, biometric based authenticationconsider human as an entity which are not applicable to the M2Msystem. Besides this, the authentication process in cellular networks(e.g. EPS-AKA, UMTS-AKA) and wireless sensor networks followpeer to peer symmetric key and shared key based authenticationprocedure, in which keys are stored in the device. If an attackercan impersonate a device and get the shared key, these type ofauthentication methods are vulnerable to device triggering attack,re-directional attack, denial of service attack in a M2M system.Considering these facts, some of the recent work developedsome authentication and key agreement protocols[28][29] for M2Mnetworks. The 3GPP provides some security solution in theirtechnical report, TR.33.868[10][8]. The authors in [10] proposeand evaluate Enhanced-AKA for machine type communication. Theworking procedure and main features of Enhance-AKA are describedbelow:

UE CNN HSS/HLR

1a. Attach request, authentication and

security establishment

1b. Subscription and authentication

material retrieval

2. Request and receive IMEI and /or

certificate

3. Check IMSI/IMEI pairing and fetch

challenge data4a. Device authentication challenge

([(e)KSI],device_challenge)

4b. Optionally

calculate KDevice

4c. Device authentication response

(device_response)

4d. Check device_response

and optionally calculate KDevice

5. Optionally take new security into use

and complete attach

Figure 5. Enhanced-AKA for MTC[10]

0000; 00:1–18 5DOI: 10.1002/

• This enhanced protocol can work with existing AKAprotocols.

• A device root key is assigned uniquely to the internationalmobile equipment identity (IMEI) of the each device which isused to send encrypted traffic.

• At first, Core Network Node (CNN) (e.g. SGSN/MME)creates a device challenge message and sends it to the devicein a relevant NAS message.device challenge=Edevice root key(device temp key),networknonce)

• The device computes the device response and returnsit to the network in a response NAS message. Thisallows the CNN to authenticate the device. Here,device response=devicenonce,deviceres and devicenonce

is a 128-bit random number chosen by the device; anddeviceres is a 128-bit number that is calculated as follows:deviceres=KDF (device temp key),networknonce||devicenonce)

where KDF is a suitable pseudo-random function.• Finally, CNN calculates KDevice as follows:

KDevice=KDF (device temp key||KRoot,networknonce||devicenonce),where KRoot is the key(s) freshly generated from a standardAKA authentication or the key(s) previously generated beforethe CNN initiates the device authentication

Although this protocol works in conjunction with other AKAprotocol, it has some weak points which are described below:

• This protocol considers only one M2M device authenticatedby CNN at a time. As the number of M2M devices is quitelarge, it will create authentication signalling congestion in thecore network.

• This is one-way authentication protocol.• This protocol uses public key cryptography method.• If intruder hacks device root keys and impersonates a device

then DOS attack, device triggering attack is possible.

Authors in [28] proposed some authentication models thatare applied to M2M systems. They proposed four models: i)credential based ii) machine-matric based iii) reference based andiv) witness based authentication methods which consider devicelocation, neighboring, trust relationship information instead ofIMSI or IMEI information. They investigated M2M authenticationinformation which are sufficient for resisting an attack. Similarto enhanced-AKA, their proposed methods consider only peer topeer authentication which is inappropriate for M2M communicationdue to signaling congestion. To prevent signalling congestion,recently some group based methods have been proposed for M2Mcommunication. Figure 4 shows the lists of authentication and keyagreement schemes for M2M system in which some of them onlysupport authentication or key agreement methods and some supportboth.

3.2. Comparative analysis of M2M group basedauthentication and key agreement techniques

Authors in [24] showed two grouping procedure: i) functional group- in which M2M devices are grouped according to their service, ii)regional group - devices are grouped according to their location. Inthe functional group, M2M devices are scattered all over the networkand devices are authenticated by their service identification number.International service provider subscription identifier (ISSI) can beused to implement functional group. Although both methods follow

tree based keying and rekeying policy, functional grouping methodis more flexible than regional method. In [24], authors showed onlyregional group key management procedure. Similarly, in [21], authorsdescribed a group based authentication and key agreement (GB-AKA) protocol for MTC which uses a binary tree to derive secretshare group key. Figure 6 illustrates the authentication and keyagreement phase of GB-AKA protocol.

The main security features of this protocol are:

• It supports mutual authentication.• On behalf of the members, one group leader sends

authentication message. This will reduce signalling messageas well as signalling congestion.

• Each member uses symmetric key and massage authenticationcode (MAC) to derive its group key.

• This protocol resists replay attack through the use of randomnumber (RAND).

Group of MTC

devices

MTCD Leader MME HSS

Response

Request

Request

Send identity information( IMSi || IMGI)Forward message with including

sequence number( IMSi || IMGI||SN_ID)

Send authentication vector (AV), group

leader key (GLK) and group information

(Ginf)

• Generate a random number (RAND)

• Calculate Group member key (GMK) and Group leader key

(GLK)

• Generate authentication vector (AV) and group information

(Ginf)

• Generate authentication message (AUTH)

• Calculate message authentication code for member

(MACmem)

• Calculate response message (xRes)

• Calculate Massage authentication code (MAC)

Each member calculate

message authentication

code (MACmem)

Send MACmem|| k | IMSI

Send MACmem|| k | IMSI

Figure 6. Group based mutual authentication and key agreement method.

However this protocol has some limitations. These are:

• In the authentication phase, group leader sent authenticationrequest message to the MME. This message contains groupleader identification number and group identification numberwhich are sent in plan text and vulnerable to replay attack.

• Secret key derivation follows binary tree formation in whichderivation of secret key of intermediate nodes increase withthe increase of members.

• It has a single point failure problem.• this protocol does not consider mobility features of the group

members.

In [9], considering overload situation by co-located roaming M2Mdevices, the authors proposed a dynamic group based authenticationand key agreement (DGB-AKA) protocol. In this protocol, devicescould use pre-shared secret keys and get a same array of

6 0000; 00:1–18DOI: 10.1002/

authentication vectors. Only one device performs full authenticationand key agreement (AKA) process with home subscriber server(HSS), while others locally authenticate with mobility managementunit (MME). This process decreases authentication congestionprobability in the core network. But update cost increases when thegroup size increases dynamically and also complexity increases withthe update of group keys. Depending on one shared key, this protocolderives others three keys; group key (GK), cypher key (CK) andintegrity key (IK). If any one compromises a device and retrievesshared key, he/she can gain other keys.

Another group based authentication and key agreement protocolhas been proposed in [23] by which a group of MTC devices canbe authenticated by the network simultaneously and also establisha secret session key for communication. The key difference ofthis protocol with others [9][21] is in the cryptography system. Itsupports public key cryptographic process for authentication and keygeneration. The main problem of this protocol is the authenticationcost which increases with the extensive use of certificate. This publickey cryptography authentication protocol may not be suitable forresource constraint devices. Addressing this problem, authors in[26] proposed a lightweight group authentication protocol for MTC.Figure 7 shows the authentication steps of this protocol.

MTCD Leader MME HSS

Step 1:

Each MTC device

calculate MAC and

authentication

message using group

key.

Step 2:

Group leader computes

Aggregate MAC and

authentication message

and sent it to the MME.

Step3:

MME send group

authentication request

message and location

information.

Step 4:

HSS verify

authentication

message and

location

information.

Generate Key lists

(KL), response

message

(XRESG1) and

Group

authentication

vector (GAV).

Authentication response message

Authentication request message

Authentication request message

Authentication request message with

challenge message

Group authentication response

Step 6:

Group leader verify

authentication message

and generate key lists

and Response

message (RESG1) Step 7:

Verify RESG1 with XRESG1

Step 5:

MME calculates own

MAC and authentication

message

Figure 7. Lightweight group authentication protocol.

The lightweight authentication protocol works as follows:

Step1: Group of N devices calculate their own messageauthentication code MACi and authentication messageMDi using pre-shared group key KG1 and send theseinformation to the group leader.Di−>Dleader :MACi,MDi

MACi=fKG1(IDG1

||IDDi||rDi

),

MDi=(IDG1

||IDDi||rDi

),i=1...N

Step2: Group leader calculates aggregate massage authenticationcode MACG1 for group G1 and generates a groupauthentication message AUTHG1 and sends authenticationrequest to MME.

Table II. Notations of LGTH protocol

Notation DescriptionDi Device with index i

MACi Message authentication code for ith deviceMDi Authentication message for Di deviceIDDi Identification information of Di

LAI′

Location informationf1KG1

,..fNKG1

Different functions that apply group key KG1

rDi Random number for Di

AUTHG1 Authentication message for group G1

XRESG1 Response message for G1

Dleader−>MME:MACG1,AUTHG1

MACG1=MAC1

⊕MAC1....

⊕MACN

⊕f1KG1

(LAI),

AUTHG1=MD1

||MD2||...MDN

Step3: MME sends group authentication data request to HSS.MME−>HSS:AUTHG1

||LAI′

Step4: At first, HSS verified group authentication message andlocation information, then generates key lists (KL), responsemessage (XRES) and group authentication vector (GAV ).HSS−−>MME:KL,GAV,XRESG1

The key lists contain group temporary key (GTK), integritykey (IK), cypher key (CK) information.GTKG1

=f3KG1

(rHSS), IK=f4KG1

(rHSS),CK=f5

KG1(rHSS) The group authentication vector is calcu-

lated as GAV =(rHSS ||XRESG1||AUTHHSS) where authenti-

cation message is calculated as AUTHHSS=rHSS ||MACHSS

and group response message aggregates individual responseinformation, XRESG1

=XRESD1||...XRESDN

Step5: After receiving response from HSS, the MME sends groupauthentication request message to the group leader.MME−>DLeader :AUTHMME ,MACMME ,AUTHMME=(IDMME ||MACMME ||MACHSS ||rHSS ||rMME),MACMME=f1

KGTKG1

(IDMME ||MACHSS ||rHSS ||rMME)

GK

GTK,IK,CK

KASME

DKASME1 DKASME2MMEKASME2

M2M Device/

UEeNB/MME

Figure 8. Key Hierarchy of LGTH protocol.

Step6: The group leader sends AUTHMME to all of its groupmember. The group member verifies the following items

• Compute group temporary key,GTKG1

=f3KG1

(rHSS)

0000; 00:1–18 7DOI: 10.1002/

• Verify MACHSS by computingMACHSS=f1

GK1(IDHSS ||rHSS).

• Verify MACMME by computingMACMME=f1

KGTKG1

(IDMME ||MACHSS ||rHSS ||rMME)

• Compute key for access security management entryK

DiASME

=KDF (CK||IK||IDMME ||IDDi)

• Generate response message RESDi send it to the groupleader.

The group leader aggregates all response messages and sendsit to the MME. DLeader−>MME:RESG1

Step7: The MME compares this response message withthe HSS response message and if this verification issuccessful, it will send authentication acknowledgementsignal to the group leader and also computesK

DiASME

=KDF (CK||IK||IDMME ||IDDi) for future

communication.

The main features of this protocol are:

• It supports symmetric key cryptographic and mutualauthentication process.

• The group leader uses aggregate MAC to authenticateeach device.

• It preserves identity information of each group member.• It uses key hierarchy process to derive group key,

integrity key and cipher key as depicted in Figure 8.

The basic features, merits and demerits of each protocol are given inTable III. Table IV shows the comparison among five group basedauthentication and key agreement mechanisms of M2M systems.Different protocols use different cryptography system and keyagreement process. For example, the LGTH protocol uses symmetrickey cryptographic for authentication process and support mutualauthentication. For key agreement process, it uses key derivationfunction of 3GPP [30], shown in Figure 8, which derives four keyssuch as GTK, IK, CK and KASME in a hierarchy process. Similarly,[9] uses the same procedure to derive sub keys (IK, CK) from mastergroup key. On other other hand, the SAKES [27] protocol usespairwise shared key for authentication process and supports one wayauthentication mechanism. For key agreement process, it use DiffieHellman (DH) algorithm to generate session key. However, to securesession key form replay attack, public key cryptography is used withDH key generation process.

Comparison of signaling overhead: There are m groups andeach group contains n devices. For signaling overhead scenario, threecases are considered. Case I represents one group having one device(n = 1,m = 1) excluding group leader, case II denotes one grouphaving more than one device (n > 1,m = 1) and case III representsm groups, each has n devices (n > 1,m > 1). In case I, the GB-AKA protocol needs nine messages to complete authenticationprocess whereas the LGTH needs minimum of signalling message.In case II, when the number of devices becomes n, the GB-AKAprotocol shows that nine authentication messages are exchangedbetween group leader to HSS and another five messages are neededfor local authentication of (n− 1)’s devices. The total authenticationsignaling messages become 9 + 5(n− 1). Similarly, DGB-AKAand G-AKA generate 7 + 5(n− 1) and 8 + 3(n− 1) number ofsignaling messages respectively. The LGTH protocol shows the

Figure 9. Smart Grid System [31]

lowest value of (6 + 2(n− 1)) among the others. If the number ofgroup becomes m, the signaling message increases by the factor ofm and the case III shows this result.

4. CASE STUDY: SMART GRID

We have discussed various security threats in M2M networks and therespective security measures in the previous sections. Also, we havepresented a comparative analysis of different authentication and keyagreement protocols used in M2M networks. M2M networks haveapplications like e-health, home automation, traffic control, smartgrid etc. Smart grid is one of the most appreciated application and thestrongest driving forces for M2M communications. In the followingsections, we will be studying security threats in smart grid followedby the applied authentication and key management protocols.

Smart grid uses intelligent transmission and distribution networksto efficiently deliver electricity and manage energy usage. Dynamicoptimization of data consumption and power system operations areimportant tasks performed by smart grids. Smart grid is the heartof smart home technologies, comprised of sensors and controllersthroughout our homes. It provides energy savings, home automation,and other cost savings and conveniences. For example, thermostatscan be adjusted automatically based on sensed motion patterns,doors can be unlocked when the owners smart phone moves insideof a geofence around the home, and open garage doors can bereported to us while on vacation thousands of miles away from home.However, without security and privacy controls, this promise willnot be positively achieved. An adversary with access to smart homesensor data can detect when the owner leaves the home or suppress anopen garage door alarm in order to gain physical access. Well knownsecurity and privacy problems have been shown across devices andnetworks, from pacemakers that can be made to deliver a fatal chargeto networked light bulbs that can provide back doors into WiFi

8 0000; 00:1–18DOI: 10.1002/

Table III. Comparative analysis of group based authentication and key management methods applied to M2M systems

Protocol name Security features Strengths Limitations

Functional groupmethod [24]

-Devices are grouped and identified accordingto their functions or services.

-Group keys are generated according to thefunction of M2M device.- More flexible and scalable method.- When devices move to another cell, keyagreement policy remain the same, onlylocation information is updated.

-Single point failure problem.-M2M devices are identified by function.

Regional groupmethod[24]

-Symmetric key based method -Reduced overhead by sharing secret keyamong eNB and M2M devices.-Supports larger number of device than func-tional group.

-Single point failure problem.- If a particular region covers massivenumber of M2M device, key agreementand rekeying policy create overhead to thesystem.

GB-AKA [21] -Supports mutual authentication.-Binary tree and hash function are used togenerate secret keys.

- One leader per group commnicates withauthentication server, this will reduce signallingcongestion.-It shows lowest communication costs and handover delay than EPS-AKA

-Intermideate level of binary tree increasewith the number of devices.-Single point failure problem.

DGB-AKA[9] -One way authentication.-It uses MAC and secret key to derive otherkeys.

-It is a more practical approach because itconsiders roaming device as a group member.-Avoids signalling congestion.

-This protocol is vulnerable to redirectionand device triggering attacks.-Computational complexity increases withgroup size and update of re-keying policy.

G-AKA [23] -Supports mutual authentication.-Uses aggregate signature for authentication.

-Uses public key cryptographic to generatesession key.-Reduce signalling overhead by authenticatinggroup of device at a time.

-Computation cost is high due to use ofcertificate based schema.-This schema is not suitable for resourceconstraints device.

LIGTH [26] -Supports mutual authentication.-Use aggregate MAC to authenticate eachdevice.

-Minimizes authentication overhead.-Energy effieicent protocol applied to resourceconstrained M2M devices.

-Authentication is done by aggregatedMAC. Complexity increases with theincrease of M2M devices.

SAKES [27] -One way authentication.-Symmetric key based authentication method.-Applied Diffie-Hellman (DH) method toestablish session key.

-Apply to IP based sensor devices that aregrouped into a particular region.-Resists replay attack through nonce.- DH method uses public key cryptographic toresist man-in-the-middle attack.

-This method is designed for IP-basedM2M systems.-Each device needs 9 message for authenti-cation and key generation. Therefore, sig-nalling congestion occurs if the systemsupport large number of M2M devices.-Not very flexible in terms of share keyand public key distribution among largenumber of devices.

Table IV. Comparison among group authentication and key agreement schemes in M2M system

GB-AKA[21] DGB-AKA[9] G-AKA[23] SAKES[27] LGTH[26]Type of authentication Mutual One-way Mutual One way MutualType of cryptographic Symmetric Symmetric Public key Symmetric SymmetricSupport key agreement Yes Yes Yes Yes YesGroup key derivation process Binary tree and key

derivation function(KDF)

KDF Elliptic Curve DiffieHellman(ECDH)

DH and public keycryptographic

KDF

Type of key agreement duringauthentication process

-GLK-GMK

-GTK-IK-CK-AK

-Session Key -Session Key -GTK-IK-CK-KASME

Type of communication system use UMTS LTE-A LTE-A 6LoWPAN LTE-AMinimize signalling overhead Yes Yes Yes No YesType of attack resistance -Replay attack

-Man-in-the-middleattack

-Replay attack-Man-in-the-middleattack

-Man-in-the-middleattack

-Replay attack-Man-in-the-middleattack

-Redirectional attack-Replay attack-Man-in-the-middleattack

networks, to smart TVs that listen to conversations, to refrigeratorsthat are enlisted into denial of service attacks [2].

Sensors in a smart grid sense, process, and transmit data collectedfrom different devices, users, and computers connected at home and

respond to personalized services. It uses wireless communicationtechnologies such as 3GPP, WiBro, WLAN, ZigBee, UWB etc. forremote monitoring of machines, payment, transport, smart meteringof water and electronic consumption etc. Smart grid is a combination

0000; 00:1–18 9DOI: 10.1002/

Table V. Comparison of signaling overhead

CASE In = 1,m = 1

CASE IIn > 1,m = 1

CASE IIIn > 1,m > 1

GB-AKA[21] 9 9 + 5(n− 1) 9m+ 5m(n− 1)

DGB-AKA[9] 7 7 + 5(n− 1) 7m+ 5m(n− 1)

G-AKA[23] 8 8 + 3(n− 1) 8m+ 3m(n− 1)

SAKES[27] 9 9n 9mn

LGTH[26] 6 6 + 2(n− 1) 6m+ 2m(n− 1)

of different systems and subsystems and is vulnerable to variousattacks that may cause different levels of harms to the devices andeven to the society at large. Due to its heterogeneous architecture,an attacker may launch a wide range of attacks including man-in-the middle, impersonation, eavesdropping, message forgery, packetdropping, and noise injection.

Moreover, different viruses or attacks such as brute-force anddictionary attacks can target the data security and confidentiality.The Stauxnet worm is another example that can cause a signicantimpact even on national security [20]. Once an entry point is found,an intruder or a malicious node may perform different actionsto compromise the whole system. Since millions of homes areconnected to an smart grid, the impact of such attacks can causea signicant loss or harm on society, e.g., by causing a blackout,changing the customer billing information, or changing the pricinginformation sent to the customers.

The customers side of an smart grid consists of home areanetworks (HANs) in customer premises where smart appliancesand controllers are connected to smart meters (SMs), which formthe endpoints of the advanced metering infrastructure (AMI) thatprovides two-way data communications between SMs and theutilitys meter data management center. This work is focused onauthentication and key management over the AMI.

4.1. Challenges and Emerging Aspects

4.1.1. ChallengesOne major security concern is how to manage the security keys

in the smart devices since the component in the smart grid needs akey for cryptographic computations such as encryption and digitalsignature. Smart grid systems are inherently of limited storage, lowpower, and bandwidth, which requires that the key managementscheme should be efficient and flexible [32]. We emphasize onfollowing security requirements.

• Secure key exchange: Cryptographic key is the root ofauthentication protocols and key exchange between twodevices is extremely important.

• Key revocation: When a device is compromised by attackers,the system administrator needs to revoke the pre shared key ofthat device as soon as possible for the security of the wholesystem.

• Efficient authentication: Entity authentication is veryimportant and should be efficient in terms of bothcommunication cost and computation cost.

M2M networks are expected to be heterogeneous supporting multipletechnologies from local area wireless networks such as WiFi towide area mobile cellular networks such as LTE. To realize the fullpotential of the services available in such networks, smart grid system

has to be designed to operate efficiently saving energy in all aspectsof power generation, distribution, and consumption. Security featureswithin M2M or IoT domain have to be built in such as way failure iscontained locally and without escalating the security problem deepinto the network especially given that the future networks becomemore autonomous and self-operated.

4.2. Constraints of Classical Key Management Protocols

The devices and network of smart grid are different fromtraditional network environment. Some constraints of power system’senvironment make it difficult to apply various existing securitytechnology to this system. In particular, we consider the followingsystem constraints [33]:

• Computational Capability: Some power utility devices, e.g.phasor measurement unit (PMU) or intelligent electronicdevice (IED), have limited processing power processors.Therefore, it is impractical to perform intense computationsuch as PKI-based encryption decryption.

• Communication Limitation: Limited bandwidth is akey challenge in current power networks and similarbandwidth issues are expected in smart grid. Moreover, somecommunications links also charge costs per bit transmitted.Therefore, the authentication mechanism must not add toomuch overhead to the affected protocols.

• Off-line Processing: Since the device management center( e.g. Key Distribution Center (KDC)) may not always bereachable, it should be possible for secure communicationto occur between IEDs when the management center isunavailable.

• Storage Capability: Memory resources of most IEDs arelimited.

• Management Cost: There may exist thousands of IEDs ineach management domain and will add to management cost.

4.3. Security Threats and Security Requirements inSmart Grid

Smart grid is a vulnerable system and can be attacked even fromaboard, attacks that may cause different level of issues and harmson the devices. Because of this vulnerability, an attacker is ableto execute a large-scale of denial of service attack. Moreover, theattacker can fabricate the meter readings and manipulate energy costresulting in a billion dollar bug for the industry. Figure 10 showspossible attacks in smart home environment [34].

These attacks are classified as local or remote attacks. We willbe limited to local attacks within the HAN where all appliancescommunicate to their advance metering infrastructure (AMIs) usinga one-hop network from their power outlets. Remote attacks, which

10 0000; 00:1–18DOI: 10.1002/

Possib

le S

ecu

rity

Att

acks o

n W

HA

N-S

M

Rem

ote

Att

ack

sL

ocal

Att

acks

Session Hijacking

Snooping

Denial of service

Device Tampering

Impersonation

Packet Replay

Repudiation

Wormhole Attack

Black hole Attack

Byzantine Attack

Resource

ConsumptionAttack

Routing attack

Network Manipulation

Snooping

Attacks of

particular

relevance to

WHAN_SM

Figure 10. Security Threats in HAN [34]

typically exploit weaknesses in the routing mechanisms and multi-hop nature of networks are not included.

4.3.1. Jamming AttackIn these attacks, an attacker disrupts communications in a wireless

network by sending deliberate signals on the shared medium. Ifthe medium is jammed, by an attacker, the sender cannot begincommunicating or its transmitted packet will be corrupted by theadversarys signal when received. Such attacks are the most difficultto defend against and could cripple a HAN based on a wirelessarchitecture.

4.3.2. Appliance ImpersonationBased on the customer-utility agreement, the customer agrees to

let the utility control a group of their appliances. However, therecould be instances where the customer would want to renege on thisagreement and not relinquish control. This could occur, for example,when a customer tries to control the air conditioning for bettercomfort. For the utility, an inability to control the appliance couldresult in demand exceeding supply, possibly resulting in a blackoutin parts of the grid.

4.3.3. Replay AttackA neighbor could capture an appliance request made at some other

time by a customer and replay it another time when no actual requestwas made. The neighbor does not gain any benefit, but it can hurtthe customer, and could even be a safety hazard. Such fake requestscould overload the AMI.

4.3.4. Non-repudiationThis means, the customer cannot later refute having received

certain control messages from the AMI to operate their appliance.Alternately, an AMI cannot later deny how it tried to control acustomer appliance.

4.4. Security Requirement

The main objectives to ensure security in a smart home networks areas follows [34, 35].

4.4.1. AuthenticationAuthentication is used by one node to identify another node and is

important for administrative tasks like association, beaconing, andidentifier collision. It is important for customer to be sure of theauthenticity of an AMI with which its appliance is communicating,and also for AMI to ensure that it is communicating only with theassigned customers appliances.

4.4.2. AvailabilityIt is important to ensure that network services are available all the

time and can survive possible attacks or failures. Resource depletionis not a concern here, but computation capabilities and memoryconstraints can be exploited by keeping these resources fully loaded.This will affect the ability of the network to function as desired.Equipment failures may also be more common.

4.4.3. IntegrityThis requirement is to ensure that a received message is not

altered from the way it was transmitted by the sender. It is veryimportant as, if source request is changed by an attacker, AMI endsup communicating and controlling the wrong appliance.

4.4.4. ConfidentialityThe goal of confidentiality is to ensure that any sensitive data is not

disclosed to parties other than those involved in the communicationprocess. This means that apart from the customer and utility, no otherparty gets access to the appliance usage behavior of the customer.

4.4.5. Time SensitivityAny message delayed over a specific tolerable time frame may

be of no use and latency constraints must be enforced. A customerrequest for appliance operation must reach AMI in a timely manner;similarly, control commands from AMI to appliances must bealso timely. Fairness, which is common to more general wirelessnetworks, are not applicable in smart grid scenario. As all appliancescompeting for access to the medium belong to the same customer.

5. KEY MANAGEMENT AND AUTHENTICATIONIN SMART GRID NETWORK

Secure communications employ cryptographic keys for encrypt-ing/decrypting data messages. There are different solutions to estab-lish a key between two parties, usually as a part of the authenticationprocess, some of which are tailored for (mutual or one-way) authen-tication.

Starting point of designing and implementing a reasonablesecurity is providing a scheme for the authentication followed by keymanagement. Key management protocols maintain keys required forthe unicast, multicast and broadcast communications. Authenticationand key management protocol are the prerequisite to the rest ofthe security and privacy aspects like integrity, authorization andconfidentiality. These can be implemented as long as a strong keymanagement protocol has already been designed and addressed.

0000; 00:1–18 11DOI: 10.1002/

Key establishment is the process by which a secret key isset up between two entities in order to secure their subsequentcommunications. An entity may generate or otherwise obtain a secretkey and then transmit it to the other entity in a secure manner. Orboth parties can together build the secret key, or retrieve it froma trusted third party. Key establishment is considered as a crucialtopic in WSN and M2M networks due to the resource constraints.Several key establishment schemes based on cryptographic measures(symmetric and asymmetric algorithms) have been proposed.

Key management for the smart grid typically falls into twocategories: public key infrastructure (PKI) and symmetric keymanagement. In a PKI system, a public key certificate is bound withthe devices identity and public key. This certificate is a signature of atrusted certificate authority (CA). In a symmetric key environment,a secret key, either pre-stored in the tamper-proof storage of thedevice or generated by a trusted third party, is shared between two ormore entities in the smart grid for processing cryptographic functionsuch as encryption and decryption. The advantage of symmetric keymanagement over the PKI is the speed and efficiency. However, dueto the criticality of smart grid information, and the differences incomputing capability between smart grid objects, new approaches areproposed to the key management issue.

5.1. Related work on key management

Smart grid is assumed to have an IPv6 based topology for outside ofhome are network (HAN), a mesh based topology with, for exampleusing the WiMax communication. Also for inside the HAN, chancesof the ZigBee and 6LoWPAN are the most possible solutions. Infact, IEEE 802.16 is the standard for outside and IEEE 802.15.4 isthe standard for inside the HAN domain. In [36], author discussedthe IP-based communication between a smart meter (SM) and theutilitys meter data management (MDM). SM has a processing chipand a nonvolatile storage so that it can perform smart functions likereporting periodic usage updates to end-users and interact directlywith smart appliances at home to control them. In [37], authorspresented a secure, scalable M2M data collection protocol for thesmart grid. They used a hierarchical architecture with intermediarynodes collecting and relaying the data securely from measurementdevices back to the power operator. While the data collectors verifythe integrity, they are not given access to the content. In [38], cybersecurity issues in the smart grid and consequences of using AMIs arediscussed.

Currently, the most popular HAN protocol Zigbee [39] proposesfive potential device authentication schemes for the devices in theHAN. However, the proposed schemes either need user effort toprovide security or they are impractical for a typical smart gridenabled HAN. The other popular HAN protocol, Wi-Fi, introducedWi-Fi protected setup [40] for the secure establishment of the HAN.Wi-Fi protected setup offers four choices for the customers to adda new device to the HAN. However, these methods aren’t eithersecure due to man-in-the-middle (MITM) attack nor practical for atypical smart grid enabled HAN. Another HAN protocol INSTEON[41] utilizes device authentication either by pressing the buttons ofdevices or by sending special messages. Both methods are vulnerableto MITM attack as messages includes device IDs which are written onthe devices. Different from INSTEON, in the Z-Wave protocol [42],each home has a unique home ID and the privacy of communicationwithin each home is provided by using this unique ID. Therefore, it

is likely that the attacker can compromise any home by just capturingits unique ID.

A novel key management protocol for data communicationbetween the utility server and customers smart meters is discussedin [43] for unicast and multicast communications. Authors presenteda secured four steps mutual authentication scheme that prevents mainattacks like brute-force, replay, MITM, and denial-of-service attacks.It is followed by the secure key management protocol based on theconcept of ID-based public/private key pair model that decreases thecost of the certificate authority (CA). In [44], authors provided a meshnetwork architecture model having two domains. First domain coversHAN including appliances and SM. Second domain handles NANmesh network that connects HANs domains to the AMI head-end.

Some efforts have been put on key management of smartmeters and sensors in smart grid. Authors in [45] described a keymanagement scheme for secure communication in smart grid. Thescheme develops keys for unicast, multicast, and broadcast. Nodesare arranged as binary trees and the secret key of parent is the hashof the children keys. However, they did not discussed how differentparties process or encrypt the data. It is not clear whether the datareported by a certain meter can be hidden from the data collector.Wu and Zhou proposed a new key management scheme for the SmartGrid [46]. In their scheme, they combine both of PKI and a thirdtrusted anchor to increase the authentication security. However, thisscheme is not secure against the man-in-the-middle attack. Also,by inclusion of third anchor, complication for the smart grid willincrease due to requirement of two different kinds of servers forPKI and the trust anchor respectively. The researchers in [47], securethe communication in smart grid by using the smart meter as afirewall between intra and inter network to manage the incoming andoutgoing packets. It means that the smart meter is strictly requiredto handle these packets and it is a high-level requirement for currentsmart meters. Authors in [48] also considered the key managementproblem for a massive number of smart meters. Key graph is used tomanage unicast, multicast, and broadcast keys.

In [49] elliptic curve digital signature algorithm ECDSA wasproposed as authentication method within IKE. ECDSA signaturesprovide advantages including computational efficiency, smallsignature sizes and minimal communication bandwidth comparedto RSA and DSA signatures. Like RSA public key encryption andRSA/DSA signatures, ECDSA based signatures still deploy the PKIto convey the elliptic curve domain parameters and public key inX.509 certificates. Nevertheless, there is no discussion on how toprotect the data reported by a sensor.

Some protocols have been developed to establish shared keyswhen the two parties can establish direct communication. Authorsin [50] described how to establish/find keys to secure unicastand multicast communications. The authors suggest keys to beestablished by direct connection between the two entities thatneed shared keys. While in [51], authors apply the DifieHellmanmechanism to establish a shared key for data authentication betweentwo parties.

In [52], authors proposed an extension of lKE V2 to resolve trustissue in home networks where three multi vendor parties are requiredto communicate securely. Hence, a residential gateway needs tocommunicate with a server and a service demander. Their approachmakes things better and far simpler.

In [53], the problems of implementing the conventionalIKE authentications such as pre-shared key and certificate-based

12 0000; 00:1–18DOI: 10.1002/

Router A Router BHost A Host B

1. Host A sends interesting traffic to Host B.

2. Router A and B negotiate an IKE phase one session.

IKE SA IKE SAIKE Phase 1

3. Router A and B negotiate an IKE phase two session.

IPSec SA IPSec SAIKE Phase 2

4. Information is exchanged via IPSec tunnel.

IPSec

Tunnel

Figure 11. Phases of IKE [49]

asymmetric systems (such as public key encryption and digitalsignature) are discussed. Authors proposed IKE authenticationscheme based on certificate-less signature, which offers significantreduction in system complexity, eliminates the use of certificate toguarantee the authenticity of public keys, and reduces the cost forestablishing and managing the certificates.

Authors in [33] have shown that authenticated key exchangescheme with revocation is more efficient in comparison with thePKI signature based IKE protocol in terms of the communication,computation and device revocation cost. The comparison resultsshow that their scheme is efficient and cost-effective in most casesfor devices and systems in smart grid. Each device only needs once toperform an media key block (MKB) process, to extract the media keyin contrast to PKI based scheme, which needs to distribute individualcertificate for each device.

5.2. IKE

The conventional IKE authentication mechanisms are pre-shared keyand certificate-based techniques: RSA public-key encryption andRSA/DSA digital signature [49]. A pre-shared key is a nontrivialstring up to 128 characters long. The authentication is accomplishedby assigning the identical key to each node. The pre-shared keyauthentication offers simplicity in its implementation. On the otherhand, the use of certificate-based techniques provide more securityand scalability than pre-shared key. In the traditional PKI, certificatesare deployed to provide an assurance of the binding between publickeys and users identities that hold the corresponding private keys.The binding process is done by the CA. The public/private key pairsin PKI can either be generated by the CA for the node or the nodecan generate the keys for itself and then verify with the CA forauthenticity.

IKE is defined as a set of protocols and mechanisms designed toperform two functions; creation of a protected environment (whichincludes peers authentication who are unknown to each other inadvance) and to establish and manage security associations (SA)between the authenticated peers. It operates in two phases namelyphase 1 and phase 2. During phase 1, peers know each other,authenticate, agree on shared secret key and validate their previouscommunication. Once a seed key is there, both nodes use encryptedmessages.The purpose of this phase is to generate the shared secret

from which other keys will be computed and authenticate thecommunicating peers. Figure 11 shows various phases of IKE.

A successful negotiation requires establishment of IKE securityassociation which is like a bi-directional contract of the offeredservices by the communicating parties. Each communication in IKEtakes place in form of request response. Once a secure environmentfor the negotiation is built up and IKE SA is created, negotiationsfor the second phase commence. This phase consists of only a singlemode called Quick mode. The purpose of this phase is to create anIPSec security association and to generate new keys [52].

5.2.1. Limitations of IKEThe use of pre-shared key is only feasible in the small scale

network due to the difficulties in distributing the shared key toeach pair of nodes. On the other hand, the use of certificate-based infrastructure requires a common certificate authority betweentwo nodes. Using digital certificate seems effective way as eachdevice in the smart grid can be authenticated with one certificateand the key with the certificate never leaves once it is installed.However, balancing the length of validity time of a certificate andthe manageably sized certificate revocation list (CRL) is a majorissue of PKI based IKE protocol. Moreover, due to the limitedstorage of a smart meter, large size of CRLs would be a challengefor the smart meter to cache the updated CRLs. Thus, the routinemaintenance and setting an appropriate validity time of public keycertificate could become the challenges for the key management forthe smart grid. Because of the inherent limitations of the conventionalimplementation of IKE, several enhancements are proposed. IKEV2 is proposed in [52] for multi vendor home environment. IKEauthentication scheme based on certificate-less signature is proposedin [53]. In addition to the above, cryptographic key managementmechanism for secure and efficient key revocation and key exchangeis presented in [33]. We will be discussing these in detail in thefollowing section. Basic differences between IKEv1 and IKEv2 arelisted in Table VI.

5.3. Extending IKEv2 for multi-vendor Home NetworkEnvironment

Enhancements to IKE proposed in [52] are discussed next:

5.3.1. Flexibility and SimplicityThe first and most important difference between IKE and IKE

V2 is the lesser complexity and greater clarity for which IKEhas always been known. In IKE V2, number of phases and thenumber of messages to be exchanged during these phases havebeen reduced. In IKE V2 traffic selectors (TS) specify the selectioncriteria for the packets to be forwarded for the newly establishedSAs. This flexibility is of particular interest in the situation wherehost configuration is being updated or hosts have inherently differentconfiguration. In IKE, these parameters were fixed and there was nochoice for the end hosts on the selection of TS parameters. This wasa potential source of deletion of legitimate packets because, in casethere is an error in traffic selector, a parameter is lost, then the packetwas bound to be discarded. Also, TS are carried in TSs payloadswhile in IKE they were parts of identification payloads.

5.3.2. Enhanced SecurityThe possibility of denial of service type of attack was a

major vulnerability of IKE which has been removed by adding

0000; 00:1–18 13DOI: 10.1002/

supplementary mechanisms. To make it harder, the responder mayask for a cookie to the initiator who has to assure the responder thatthis is a normal connection. In fact large number of requests can besent to a victim to waste its CPU and memory resources; therefore,this mechanism is added so that if a party suspects the incomingrequests are not genuine, it may verify the existence of correct, realIP addresses from which the request are being generated. Therefore,in case when a responder receives a large number of half open IKESA requests, it has to reject them except if it contain a notify payload(cookie).

5.3.3. Re-Structuring and New AdditionsA source of continued confusion in lKE was the inter-relationship

of attributes, transforms and proposals, that is made simpler inversion 2. An SA is an ordered list of proposals; a proposal consistsof one or multiple protocol (ESP,AH). A protocol, in turn, may haveone or multiple transforms (like DH). Each transform is made up ofattributes (DES, 3DES, AES). It should be noted that while structureis redefined, the syntax remains the same as it was in IKE.

In IKE, SA life times of communicating parties were negotiatedin the beginning and both had to abide by this agreement. In IKEV2, there has been greater flexibility and each party is capable ofchoosing an SA life time of its choice independent of the others. Theresult of this change, in overall IKE performance is that parties withdifferent needs of secure communication may integrate better thanbefore. Also, there is a built in mechanism in IKE V2 which may beused for QoS, that was not in IKE.

5.4. IKE Authentication using Certificate less Signatures

Aiming at the problems of implementing the conventional IKEauthentications such as pre-shared key and certificate based publickey infrastructure, authors propose a new certificate less IKEauthentication scheme in [53]. This scheme uses bilinear pairingto structure the framework of certificate less IKE authentication. Itsolves the end to end IPSec security by removing the requirementof both nodes either to be manually configured with the commonshared key or to exchange the certificates and the necessity to beenrolled to certain certificate authority. Furthermore, their researchprovides a set of specifications for implementing IKE authenticationusing certificate-less signature that can be used to verify the validityof the scheme in a single trust domain infrastructure.

5.4.1. Basic InfrastructureIn CL-PKI, all the functions are distributed between key granting

centre (KGC) and participating nodes. KGC is involved in generationof public parameters and deriving a partial secret key from thenodes identity whose is assumed to be unique in a trust domain.While nodes are responsible for deriving the public/private keyswith information obtained from KGC. The complete process can bedivided into following phases:

• Setup Phase:KGC executes setup algorithm to generate a listof public parameters “params” and master secret key (MSK).This algorithm is executed only when a new set of ”params”needs to be generated or in case of KGC is under compromisedattack (in practice very seldom). This algorithm takes as inputthe system security parameter, on which strength of publicdomain parameters depends.

• Distribution of “Params”: For the node to generatepublic/secret keys pair, KGC needs to securely bootstrapall nodes with the public parameters “params”. These KGC“params” are distributed through DNS to all the nodes.

• Partial Secret Key: After receiving the “params”, nodes willrequest KGC to send the partial secret keys. KGC runs partialsecret key extract algorithm by taking the end nodes identityID (IP address, email address, or host name), “params”, andMSK as inputs to generate end nodes partial key. This partialkey is transmitted to end node over a secure channel.

• Secret Key Generation: Upon receipt of the “params” fromDNS server and partial key from KGC, the nodes generatesecret/public keys pair.

• Authentication: Nodes will authenticate using securityattributes like client ID (lookup key for IKE SA), “params”,client public key and hash function.

5.4.2. Certificate less signature IKE offers• IPSec security without requirement of both nodes to be

manually configured with the common shared key.• Significant reduction in system complexity .• Eliminates the exchange of certificate between nodes to

guarantee the authenticity of public keys.• Avoid the necessity to be enrolled to certain CA and reduces

the cost for establishing and managing the certificates.

5.5. Secure Authentication Key Exchange withRevocation for Smart Grid

To develop an efficient cryptographic key management scheme withkey revocation is one of the challenges for smart grid. Consideringthe system constraints and the security requirements in the smartgrid, an authenticated key exchange scheme with revocation has beenproposed in [33]. Authors have used a well known cryptographicprotocol, broadcast encryption with a media key block (MKB).Broadcast encryption is a cryptographic key management protocolmainly used in copy right protection system such as advanced accesscontent (ACCS). Broadcast encryption is one of the cryptographicprimitives that enables the key distribution center (KDC) to securelyand efficiently distribute the group key, called media key KM ,hereafter, to the compliant devices. Since only a compliant device candecrypt the cipher text with KM and play the content, its copyrightis well protected. Broadcast encryption has a special property thatrevokes maliciously cracked devices at any time without updating theinitial parameters for each device. Complete process is summarizedin the following blocks:

• Setup: At initialization KDC generates a key pair of publicand private key and assign to each node. Each device (node)shall get a secret ID from KDC most probably at the start ofsite acceptance test.

• Media Key Extraction: Cipher text containing the media key(group key) KM broadcasted from the KDC. Any compliantdevice can extract the media key by using its correspondingdevice key. If a set of device keys is compromised in a waythat threatens the integrity of the system, an updated MKBcan be released that causes a device with the compromised setof device keys to be unable to calculate the correct KM . Inthis way, the compromised device keys are ”revoked” by thenew MKB.

14 0000; 00:1–18DOI: 10.1002/

Media key extraction

Device key:KDi

Media key: KM

MKB

Figure 12. Media Key Extraction

• Authentication: Nodes can verify the authenticity of eachother by using public/private/media keys. There are twophases for authentication: key sharing phase and conformationphase. In key sharing phase both parties will generate randomnumbers and process them with media and private keys togenerate shared secret. The shared key between two devicesmay be verified in the conformation phase.

5.5.1. Comparison and BenefitsExperimental results show that proposed scheme is better than the

original IKE using ECDSA in following respects:

• Communication Cost:IKE protocol using ECDSA andproposed scheme are constructed over a 256 bit elliptic curvegroup. Then the size of a point on the elliptic curve is 512 bits,and the size of an ECDSA signature is 512 bits. IKE initiatorand the responder both use 2560 bits string and proposedprotocol using 1984 bit string. Therefore, the communicationcost of proposed protocol is more efficient than the ECDSAbased IKE protocol.

• Computation Cost: Computation cost is estimated by thenumbers of the scalar multiplication which is a dominantcomputation. The signing of ECDSA includes one scalarmultiplication, and the verification of ECDSA includestwo scalar multiplications. Proposed solution has lessercomputational cost than IKE.The computation at the KDC is little heavier than thecomputation of CA in ECDSA based IKE. But this willnot become a problem for electrical systems in the smartgrid because almost the same revocation has been practicallyadopted by the Blu ray Disc players for a long time.

5.5.2. Open Research Issues and Research DirectionsComputationally secure cryptosystems, no matter whether public

or secret key, will always be at the mercy of mathematical and/orcomputational breakthroughs, which are difficult to predict and mayeven be hidden. Also, steady progress in code breaking allows theadversary to reach back in time and break older, earlier capturedmessages encrypted with weaker keys. Therefore, periodic re-encryption or re-signing sensitive documents is necessary.

Due to the heterogeneous communication architecture ofsmart grids, it is quite challenging to design sophisticated androbust security mechanisms. Which can be easily deployed toprotect communications among different layers of the smart grid-infrastructure. It is not practical to design a universal key-management scheme for the entire smart grid. For encryption, bothsymmetric key encryption and public key encryption are used in

smart grid networks. While symmetric key requires lower computingcapabilities, public key has been proven to be more secure and iseasier to implement. However, due to the variation of computationalcapability of devices across smart grid networks, which rangefrom simple sensors to smart phones and computers, both types ofencryption are used. The choice of which type of encryption to use ina certain part of the network depends on factors such as computationcapability, time contains, and data-criticality.

It is very difficult to design a strong and efficient key managementand authentication mechanism. Hardware based authenticationmechanism such as using PUF (physically unclonable function)devices is a good solution to the security problem. These devicesare inexpensive to manufacture and resistant to spoong attacks.PUF based secret generation mechanism provides strong protectionagainst key leakage as the master key is never stored in memory.As PUF is added as an extra entity to the smart meter , therefore,is not suitable for energy and space constraint M2M devices butenhancement to the efficient hardware design can prove this methodto be most acceptable solution. Also, there is a need of more universalkey design to cater for all types of security attackers than to be usedin authentication only.

Physical layer authentication is another area to be researchedfor, in which authentication can be performed on the signal byaltering either the modulation scheme of the physical signal, or bythe characteristics of the signal and transmission channel. Althoughsuch technologies are still prone to errors, they introduce new meansof authentication that can be further developed in order to meet therequirements of the smart grid.

Quantum mechanics offers a solution for the secure keydistribution and is another interesting area to explore. Quantum keydistribution (QKD)is a technology to distribute, or rather generate,secure random keys between two communicating parties usingoptical fiber or free space as a communication channel. The secretkey is transmitted over a quantum, considered as a safe channeland can provide unconditional security. Security is guaranteed bythe Heisenberg uncertainty principle and it encodes each bit ofinformation into an individual quantum object, such as a singlephoton. Single photons cannot be split, copied or amplified withoutintroducing detectable disturbances. Since only the cryptographickey is transmitted, if someone attempts to eavesdrop, no informationleakage can take place.

Emerging M2M networks are heterogeneous and to realize thefull potential of the services available in such networks, how todesign smart grid system to operate efficiently saving energy is achallenging problem. Also security features within M2M domainhave to be built to contain and failure locally given that the futurenetworks become more autonomous and self-operated. Emergingcloud-based systems will also pose challenges to the security of thedata available in multiple locations without proper protection forsmart grid operations.

6. CONCLUSION AND ANALYSIS

Embedded devices in M2M networks infer the sensed data anddeliver this information reliably and securely to the final gateway. Inorder to complete this process, the sensed data, the infrastructure andthe communication protocols should be secured against numerousthreats. Security is a truly global issue spanning through all protocol

0000; 00:1–18 15DOI: 10.1002/

Table VI. Comparison of IKE

IKEv1 IKEv2Authenticationmethods

Pre-Shared KeyDigital SignaturePublic Key Encryp-tionRevised Mode ofPublic key Encryp-tion

Pre-Shared KeyDigital Signature

Enhanced security not supported DoS , Anti-replayfunction’Cookies’ is sup-ported

Rekeying not supported definedBandwidth more reducedSupported platforms none MOBIKE,

EAP,NATReliability moderate more , liveness

check enableComplexity more less more , liveness

check enable

layers and across a network elements. Preventing attacks at a givenlayer essentially eliminates threats at higher layers.

The heterogeneous and distributed nature of M2M networks leadto many security challenges in M2M systems. Security cannotbe offered as an addition after the main engineering work ofthe system, but has to be the part of the design process fromthe very beginning. Securing information requires development ofnew security protocols. Two fundamental needs for any securecommunication are condentiality and authentication. Furthermore, itis important that a security protocol must fulfill needs of integrity andnon-repudiation etc.

Group based communication feature of M2M networks requiresgroup confidentiality, group authentication and key management forgroup of devices, which motivate to develop new authenticationand key management protocols for M2M systems. The mainkey point of group based authentication protocols is to reducesignalling congestion, overhead associated to authentication process.In this paper, a comprehensive survey of group based authenticationprotocols has been presented and their security features, advantagesand limitations has been analyzed. Finally, a comparative analysisof all group based protocols are tabulated. From the tables, onecan summarize as, if we consider symmetric key based mutualauthentication, the choice of LGTH becomes more efficient thanother protocols because it uses MAC and location information inits authentication process and also derives five keys for futurecommunication. On the other hand, if M2M system supports roamingdevices, then the DGB-AKA considers as a best choice because thisprotocol has been designed for dynamic group in which devices canchange their location. However, the LGTH protocol uses minimumnumber of signalling messages in authentication process than otherprotocols. For the large number of M2M device grouping, the LGTHis considered as a best choice for authentication and key agreementprotocol because it needs minimum number of signalling messagefor authentication. Moreover, this protocol is efficient and faster than

others because it uses massage authentication code in authenticationprocess.

Key Management is the most important part of any securitynetwork and it is believed that, carelessly designed key managementscheme can undermine the strongest ciphers and most sophisticatedalgorithms. Key management schemes are processes of keyorganizational frameworks, distribution, generation, refresh and keystorage policies. It is a well known fact that complexity does notnecessarily mean security because without thorough analysis securitycannot be guaranteed. The objectives of great exibility, optimizedefciency, and still lighter for the network, have motivated manyresearchers to investigate more into this.

Cryptographic key management considers asymmetric keys (e.g.PKI: public key infrastructure) or on symmetric keys (e.g. pre-shared-key/secretkey). Asymmetric key management mechanismstypically use X.509 certificates, however, this solution has a highcomputation and communication cost for the electric device, e.g. asmart meter. By comparison, symmetric key mechanisms are moreefficient, but may assume the existence of a pre-shared key. Inthese schemes care should be taken to protect against ”break oncebreak everywhere”, due to the use of one secret key or a commoncredential across the entire infrastructure. In this symmetric keybased system, after any device is compromised, revoking that deviceand reconstructing a new secret key for other valid devices is the firstto be undertaken by electric power utilities. However, developing anefficient cryptographic key management scheme with key revocationis one of the challenges for smart grid.

Heterogeneous nature of smart grid imposes a compatibility chal-lenge, in which high-level sophisticated computers are exchanginginformation with simple, low-computing, low-power devices. There-fore, an interesting line of research related to M2M in 5G networkspertains to security work spanning across different systems, suchas 3GPP and WiFi systems. Centralized or globally trusted securitymight be the right approach for these types of emerging heterogenousnetwork systems.

16 0000; 00:1–18DOI: 10.1002/

REFERENCES

1. M. Chen, J. Wan, S. Gonzalez, X. Liao, and V. C. Leung, “ASurvey of Recent Developments in Home M2M Networks,”IEEE Communications Surveys and Tutorials, vol. 16, pp. 98– 114, January 2014.

2. C.M.Huang and J.W.Li, “Authentication and Key Agreementprotocol for UMTS with low bandwidth consumption,” IEEEinternatinal conference on advanced information networkingand applications (AINA), pp. 392–397, 2005.

3. 3GPP TS 33.102 V12.1.0, “3G Security:Security Architecture,”October 2014.

4. 3GPP TS 33.401 V11.3.0, “Evolved Universal TerrestrialRadio Access (E-UTRA)and Evolved Universal TerrestrialRadio Access Network (E-UTRAN);Overall description;Stage2,” March 2012.

5. M. H. Ahmadzadegan and T. Fabritius, “A Multi-PurposeTriangular Framework for M2M Communication Security ,”World Congress on Computer Applications and InformationSystems (WCCAIS), pp. 1 – 5, Janauary 2014.

6.7. W. Boubakri, W. Abdallah, and N. Boudriga, “A Chaos-

based Authentication and Key Management Scheme for M2MCommunication ,” IEEE International Conference for InternetTechnology and Secured Transactions, pp. 366–371, 2014.

8. 3GPP TS 36.868 V0.8.0, “Technical Specification GroupServices and System Aspects; Security aspects of Machine-Type Communications ,” May 2012.

9. Y. Zhang, J. Chen, H. Li, W. Zhang, J. Cao, and C. Lai,“Dynamic Group based Authentication Protocol for Machine-Type Communication ,” IEEE conference on IntelligentNetworking and Collaborative Systems (INCos), September2012.

10. 3GPP TR 33.868 V12.1.0, “Technical Specification GroupServices and System Aspects; Study on security aspects ofMachine-Type Communications (MTC) and other mobile dataapplications communications enhancements ,” July 2014.

11. S. Khan and A.-S. K. Pathan, Wireless Networks and SecurityIssues, Challenges and Research Trends. Springer, Berlin.,2013.

12. X. Nie and X. Zhai, “M2M Security Threat and SecurityMechanism Research,” International Conference on ComputerScience and Network Technology, pp. 906 – 909, 2013.

13. M. Dohler and C. A. Haron, Machine to Machine Communica-tion: Arcchitecture, Performance and Applications. 2015.

14. E. N. Barnhart and C. A. Bokath, “Considerations for Machine-to-Machine Communications Architecture and Security Stan-dardization ,” IEEE, 2011.

15. E. Barnhart and C. Bokath, “Considerations for Machine-to-Machine Communications Architecture and Security Standard-ization,” IEEE International Conference on Internet MultimediaSystems Architecture and Application (IMSAA), pp. 1–6, 2011.

16. H. Roh and S. Jung, “Session Key Exchange and MutualAuthentication Scheme between Mobile Machines in WLANbased Ad Hoc Networks ,” International Conference onInformation and Communication Technology Convergence(ICTC), pp. 482–483, 2010.

17. C. Hongsong and Z. Dongyan, “Security and Trust Researchin M2M System,” IEEE Vehicular Technology Conference,

pp. 286–290, Janauary 2011.18. H. Yang, V. Oleshchuk, and A. Prinz, “Verifying group

authentication protocols by scyther,” Journal of WirelessMobile Networks, Ubiquitous Computing, and DependableApplications (JoWUA), vol. 7, pp. 3–19, June 2016.

19. C. Tunc and S. Hariri, “Claas: Cybersecurity lab as a service,”Journal of Internet Services and Information Security (JISIS),vol. 5, pp. 41–59, November 2015.

20. H. Nicanfar, P. Jokar, K. Beznosov, and V. C. M. Leung,“Ef?cient Authentication and Key Management Mechanismsfor Smart Grid Communications ,” IEEE System Journal, vol. 8,pp. 629–640, June 2014.

21. D. Choi, S. Hong, and H. kee Choi, “A Group-based SecurityProtocol for machine-type Communication in LTE-Advanced,”INFOCOM, 2014.

22. R. Jiang, C. Lai, J. Luo, X. Wang, and H. Wang, “EAP-Based Group Authentication and Key Agreement Protocolfor machine-Type Communications,” International Journal ofDistributed Sensor Networks, 2013.

23. J. Cao, M. Ma, and H. Li, “A Group-based Authenticationand Key Agreement for MTC in LTE Networks,” Globecom-Communication and Information Security Symposium, 2012.

24. S. L. Inshil Doh, Jiyoung Lim and K. Chae, “Key establishmentand management for Secure Cellular Machine-to-MachineCommunication,” IEEE conference on Inovative Mobile andInternet Services in Ubiquitous Computing (IMIS), 2013.

25. A. O. Yosra Ben Saied and D. Zeghlache, “Energy Efficientin M2M Networks:A Cooperative Key Establishment System,”IEEE conference on ICUMT, October 2011.

26. C. Lai, H. Li, R. Lu, R. Jiang, and X. Shen, “A lightweightGroup authentication Protocol for Machine-Type Communi-cation in LTE Networks.,” Globecom: Communication andInformation System Security Symposium, 2013.

27. H. R. Hussen, G. A. Tizazu, M. Ting, and T. Lee, “SecureAuthentication and Key Eastablishment Scheme for M2MCommunication in the IP-Based Wireless Sensor Network(6LowPAN),” IEEE conference on Ubiquitous and FutureNetworks (ICUFN), 2013.

28. W. Ren, L. Yu, L. Ma, and Y. Ren, “How to Authenticate adevice? Formal Authentication models for M2M Communica-tion defending againt Ghost Compromising Attack,” Interna-tional Journal of Distributed Sensor Networks, 2013.

29. H. V. Ioannis Broustis, Ganapathy S. Sundaram, “GroupAuthentication: A New paradigm for Emerging Application,”Bell Lab Technical Journal, vol. 17, December 2012.

30. G. T. . V12.5.0, “3GPP System Architecture Evolution (SAE);Security Architecture (Rel 12),” September 2012.

31. D. Niyato and L. Xiao, “Machine-to-Machine Communicationsfor Home Energy Management System in Smart Grid,” IEEECommunications Magazine, April 2011.

32. J. Xia and Y. Wang, “Secure Key Distribution for the SmartGrid,” IEEE Transaction on Smart Grid, vol. 3, pp. 1437 – 1443,2012.

33. F. Zhao and Y. Hanatani, “Secure Authenticated Key Exchangewith Revocation for Smart Grid,” IEEE Innovative Smart GridTechnologies (ISGT), pp. 1–8, 2012.

34. V. Aravinthan and V. Namboodiri, “Wireless AMI Applicationand Security for Controlled Home Area Networks,” IEEE Powerand Energy Society General Meeting, pp. 1–8, 2011.

0000; 00:1–18 17DOI: 10.1002/

35. A. R. Mohassel, A. Fung, F. Mohammadi, and K. Raahemifar,“A survey on Advanced Metering Infrastructure, InternationalJournal of Electrical Power and Energy Systems,” IEEEGlobal Telecommunications workshop, vol. 63, pp. 473 – 484,December 2014.

36. J. Wang and V. Leung, “A Survey of Technical Requirementsand Consumer Application Standards for IP-based SmartGrid AMI Network,” International Conference on InformationNetworking, pp. 114–119, 2011.

37. S. Uludag, K.-S. Lui, W. Ren, and K. Nahrstedt, “Practicaland Secure Machine-to-Machine Data Collection Protocol inSmart Grid ,” Workshop on Security and Privacy in Machine-to-Machine Communications, pp. 85–90, 2014.

38. A. Anzalchi and A. Sarwat, “A Survey on Security Assessmentof Metering Infrastructure in Smart Grid System ,” IEEESoutheastcon Conference, pp. 1 – 4, April 2015.

39. Zigbee Alliance, http://www.zigbee.org.40. Wi-Fi Alliance, http://www.wi-fi.org.41. INSTEON, http://www.insteon.net.42. Z-Wave, http://www.z-wave.com.43. H. Nicanfar and P. Jokar, “Smart Grid Authentication and

Key Management for Unicast and Multicast Communications,”IEEE Innovative Smart Grid Technologies Asia (ISGT), pp. 1–8,2011.

44. H. Gharavi and B. Hu, “Multigate Communication Network forSmart Grid,” IEEE Proceedings in General Topics for EngineersCommunications Magazine, vol. 29, p. 10281045, June 2011.

45. X. Long, D. Tipper, and Y. Qian, “An advanced keymanagement scheme for secure smart grid communications,”IEEE Proceedings on Smart Grid Communications, 2013.

46. D. Wu and C. Zhou, “Fault-tolerant and scalable keymanagement for smart grid,” IEEE Transaction on Smart Grid,vol. 2, pp. 371–378, June 2011.

47. J. Naruchitparames and M. H. Gunes, “Secure communicationsin the smart grid,” IEEE Consumer Communication, pp. 1171–1175, January 2011.

48. N. Liu, J. Chen, L. Zhu, J. Zhang, and Y. He, “A keymanagement scheme for secure communications of advancedmetering infrastructure in smart grid,” IEEE Trasactions onIndustrial Electronics, vol. 60, no. 10, 2013.

49. D. Fu and J. Solinas, “IKE and IKEv2 Authentication Using theElliptic Curve Digital Signature Algorithm (ECDSA),” InternetEngineering Task Force, Janauary 2007.

50. Y. Law, G. Kounga, and A. Lo, “AKE: Key managementscheme for wide-area measurement systems in smart grid,”IEEE Communication Magzene, January 2013.

51. X. Long, D. Tipper, and Y. Qian, “An advanced keymanagement scheme for secure smart grid communications,”IEEE Proceedings on Smart Grid Communications, vol. 2,no. 4, 2011.

52. M. Hussain and H.Affifi, “Extending IKEv2 for multi-vendorHome Network Environment,” International Conference onAdvanced Communication Technology ICACT, vol. 1, pp. 63 –68, 2005.

53. A. Yaacob and N. Ahmad, “IKE Authentication using Certifi-cateless Signature,” International Conference on InformationNetworking (ICOIN), pp. 447 – 452, 2011.

18 0000; 00:1–18DOI: 10.1002/

View publication statsView publication stats