A Situation-Aware Scheme for Efﬁcient Device Authentication in Smart Grid-Enabled Home Area Networks

: Home area networks (HANs) are the most vulnerable part of smart grids since they are not directly controlled by utilities. Device authentication is one of most important mechanisms to protect the security of smart grid-enabled HANs (SG-HANs). In this paper, we propose a situation-aware scheme for efﬁcient device authentication in SG-HANs. The proposed scheme utilizes the security risk information assessed by the smart home system with a situational awareness feature. A suitable authentication protocol with adequate security protection and computational and communication complexity is then selected based on the assessed security risk level. A protocol design of the proposed scheme considering two security risk levels is presented in the paper. The security of the design is veriﬁed by using both formal veriﬁcation and informal security analysis. Our performance analysis demonstrates that the proposed scheme is efﬁcient in terms of computational and communication costs.


Introduction
Smart grids offer many valuable benefits compared with traditional power grids. By enabling distributed power generation, distributed power storage, and microgrids in smart grids, more efficient and reliable power supply can be achieved [1]. The power generation of smart grids uses a mix of traditional fuel based power sources and renewable power sources such as wind farm and solar plant, which can significantly reduce the carbon footprint. The study in [2] shows that by 2030, CO 2 emissions can be reduced by 5% when adopting conservative approach to smart grids. The reduction can be nearly 16% if aggressive approach is adopted. The connection of home area networks (HANs) to smart grids enables the automation of home energy use. Smart grids also provide important infrastructure support for increased using of electric vehicles (EVs) through vehicle-to-grid (V2G) networks [3].
On the other hand, the implementation of smart grids faces major challenges in both physical and cyber domains. Since smart grids contain millions of nodes along with a complex control system, how to achieve the collaboration between components and the large-scale deployment of new devices and technologies becomes a crucial challenge [1]. Connecting power grids to cyber networks for advanced monitoring and control exposes the grids to cyber-attacks which can result in catastrophic damages as demonstrated by the 2015 Ukrine Blackout [4].
In this work, we concentrate on the security of smart grid-enabled HANs (SG-HANs), which connects many smart devices (SDs) of a smart home such as smart appliances, renewable energy sources and storage, EVs, etc. to smart grids. HANs are the most vulnerable part of smart grids since utilities have no direct control of this part [5]. Device authentication is one of the most important

Device Authentication in SG-HANs
There are a number of works in the literature on device authentication in SG-HANs. Li proposed a ECC (Elliptic Curve Cryptography) based authenticated key establishment (EAKE) protocol for smart home energy management system in [6]. The EAKE protocol has two phases: a device or a security manager receives private/public key pair from the Certificate Agent (CA) through an out-of-band channel in the first phase; the initial session key is then established between the device and the security manager using the EAKE protocol in the second phase. In Ref. [7], Vaidya et al. also proposed a device authentication protocol for smart energy home area networks based on ECC. Both protocols of [6,7] are expensive for resource-limited devices due to the use of public key cryptography.
In Ref. [8], a secure key agreement protocol was proposed for radio frequency for consumer electronics (RF4CE) ubiquitous smart home systems based on symmetric key cryptography. In the proposed protocol, the initial unique secure information is pre-shared between the devices and manufacturers. The RF4CE-based controller receives the secret information from the manufacturer to authenticate a new device.
Ayday and Rajagopal [5] proposed three different device authentication mechanisms for the SG-HANs that provide (1) authentication between the gateway and the smart meter, (2) authentication between the smart appliances and the HAN, and (3) authentication between the transient devices and the HAN. The design of the three authentication mechanisms is based on symmetric key cryptography with the help of the trust center through the Internet.
Kumar et al. [9] proposed a lightweight and secure scheme for establishing session-key in smart home environments based on symmetric key cryptography. The smart home devices register with the security service provider offline to obtain security parameters including identity, a secret key with key identifier and a short authentication token. They also proposed a secure authentication and key agreement framework for smart home environments in [10] which realizes anonymity and unlinkability. The protocol is lightweight in comparison to other schemes because the design uses less encryption and decryption operations, and the number of exchanged messages is small.
Gaba et al. [11] proposed a robust and lightweight mutual authentication scheme called RLMA for distributed smart environments such as smart homes and smart buildings. The scheme utilizes implicit certificates to achieve simple and efficient mutual authentication and key agreement between smart devices in a smart environment.

Situational Awareness of Smart Home
Situational awareness is one of the essential features for smart homes [12]. The majority of the existing works for the situational awareness of smart homes are on activity recognition. For example, Wan et al. [13] proposed a dynamic sensor stream segmentation technology which helps the smart home system to categorize multiple sensor streams that belong to the same activity. Sensor correlation calculation and time correlation calculation are applied for the task. In Ref. [14], a data-driven approach based on neural network ensembles was developed for human activity recognition in smart home environments. Various approaches were explored to resolve conflicts between base models used in ensembles. Cicirelli et al. [15] proposed a framework for activity recognition under the cloud-assisted agent-based smart home environment (CASE). By using cloud computing technology, a smart home system can have greater analytic power. The work introduces an innovate approach, which embed activity recognition tasks including data acquisition, feature extraction, activity discovery, and activity recognition into different layers of CASE.
There are only a few works on the situational awareness of the smart home in cyberspace. A framework to measure the security risk of information leakage in IoT-based smart homes was proposed by Park et al. in [16]. The risk assessment is performed using the factor analysis of information risk (FAIR) method. The risk level for cyber situational awareness is obtained through risk grade clustering based on security scenarios.

Situation-Aware Security Schemes
There are a few recent works on developing situation-aware security schemes. Kim et al. [17] proposed DAoT, a dynamic and energy-aware authentication scheme for IoT devices. The scheme selects different key establishment (KE), message authentication code (MAC) and handshake operations to achieve energy efficient device authentication. The work evaluated the energy costs of different KE, MAC and handshake operations.
In Ref. [18], Hjelm and Truedsson investigated situation-aware adaptive cryptography for an IP camera. Situation parameters from WiFi and Bluetooth connections of the IP camera are used to determine the protection level. The cryptographic algorithms for encryption, hash and message authentication are then selected that are most suitable for the protection level. The power consumption, computational time and communication throughput were examined for different cryptographic algorithms.
Gebrie and Abie [19] proposed a risk-based authentication scheme for health care-related IoT authentication in smart homes. The channel characteristics in wireless body area network (WBAN) including Received signal strength indicator (RSSI), channel gain, temporal link signature, and Doppler measurement are used to determine risk level by using a naive Bayes algorithm. The authentication decision is then performed based on the risk level. For example, timeout and re-authentication will be performed if the risk level is determined as abnormal. It should be noted that there are no actual protocols designed in [17][18][19].

System Architecture and Attack Model
In this section, we introduce the system architecture of SG-HANs and the adopted attack model.

System Architecture of SG-HANs
The system architecture of SG-HANs considered in our work is shown in Figure 1, which consists of the infrastructure part and the HAN part. The infrastructure part controlled by utilities consists of smart meters (SMs), neighborhood area network (NAN) gateways, and control center. The HAN part in each house is controlled by the home owner, which consists of a number of SDs and one HAN gateway (HGW). A SD communicates with the HGW using a wireless protocol such as ZigBee or MQTT. In this work, we are interested in the authentication between SDs and HGW in the HAN part, which is helped by the control center. We assume that the smart home system is installed in the HAN with a situational awareness feature. Although the design of situational awareness feature is out of the scope of this work, we envision that the security risk assessment of the smart home system should combine activity recognition in physical domain [13][14][15] and risk analysis in cyber domain [16].

Attack Model
The attack model considered in this work is the Dolev-Yao model [20]. In the model, the attacker can eavesdrop, intercept, inject, replay and modify messages exchanged on the open channel. Accordingly the attacker can launch various types of attacks including man-in-the-middle (MITM) attacks, replay attacks and impersonation attacks. Under this attack model, the proposed scheme will achieve security goals of message integrity, mutual authentication and session key establishment, and resistance against various attacks.

Proposed Scheme
In this section, we present a protocol design of the proposed situation-aware device authentication scheme for SG-HANs. Without loss of generality, we assume that the security risk assessed by the smart home system has two levels, low and high. The design can be easily extended to more than two security risk levels. The proposed scheme consists of two phases: device registration phase and device authentication and key agreement phase. Table 1 lists the notations and their descriptions that are used in the paper. Table 1. Notations and their descriptions used in this paper.

Notation
Description We have made the following assumptions for the proposed scheme: (1) SD has a clock which runs on its own battery and its assumed to be syAyday2013nchronized with the HGW's clock. (2) HGW is assumed to be authenticated before SD-HGW authentication takes place.

Device Registration Phase
Before installed in a SG-HAN, each SD needs to be registered offline at the control center. During the registration, the control center assigns an identification number ID A to the registered SD A along with a random number RC A . Furthermore, the control center computes secret S i = H(ID A ||RC A ). Finally, the control center sends ID A and S i to the SD A, and ID A and RC A to the HGW. The device registration phase is illustrated in Figure 2.

Device Authentication and Key Agreement Phase
After the registration, the SD A starts the authentication and key agreement process by sending the message MSG 1 to the HGW. MSG 1 includes an message header HE 1 = 'SD − AUTH and ID A as shown below: Upon receiving MSG 1 , the HGW obtains the current security risk level from the smart home system. The following messages between the SD A and the HGW are generated based on the security risk level.

(a) Low security risk
When the security risk is low, the HGW computes S * i = H(ID * A ||RC A ) and extracts current time stamp T 1 . Then the HGW computes C 1,L = (ID G ||T 1 ) ⊕ S * i and C 2,L = H(HE 2,L ||ID G ||T 1 ||S * i ). HE 2,L = 'HGW − LOW is the header of the message MSG 2,L that the HGW sends to the SD A.
Upon receiving the message MSG 2,L at time stamp T 1 , the device A knows from the message header that the current security risk level is low. The ID of the HGW ID G * and T 1 * can be obtained by computing ID G * ||T 1 If not, the authentication process will be aborted. Otherwise, the SD A generates the secret A i = H(ID G * ||H(ID A ||S i )) and extracts the current time stamp T 2 . Then the SD A computes C 3,L = Finally, the SD A sends MSG 3,L to the HGW: The SD A computes the key SK A = H(T 1 * ||T 2 ||S i ||A i ) which will be used as the shared session key between the device and the HGW.
When the HGW receives MSG 3,L at time stamp and then extracts ID A * and T 2 * by computing . Assume all checks pass, the HGW adds ID A to the trusted list of devices and computes the key . After this step, both the SD A and the HGW have generated the symmetric session key which will be used for future data communication.

(b) High security risk
When the security risk level obtained by the HGW is high, the message exchange between the SD A and the HGW needs higher security strength.
Upon receiving MSG 1 under high security risk, the HGW computes S i * = H(ID * A ||RC A ) and generates a random number R G . Then the HGW extracts current time stamp T 1 and forms MSG 2,H as following: where HE 2,H = 'HGW − H IGH is the message header of MSG 2,H , C 1,H = E S * i (ID G ||T 1 ||R G ) and C 2,H = H(HE 2,H ||ID G ||T 1 ||R G ). Finally, the HGW sends MSG 2,H to the SD A.
Upon receiving the message MSG 2,H at time stamp T 1 , the SD A learns from the message header that the security risk level is high. The SD A then uses S i to decrypt C 1,H * to obtain ID G * , T 1 * and R G * .
Then it checks if The authentication process will be terminated if the check is failed. Otherwise, the SD A generates the secret A i = H(ID G * ||H(ID A ||S i )) and a random number R A . Then the device extracts the current time stamp If all checks pass, the HGW adds ID A to the trusted list of devices and computes the session key

Security Analysis
In this section, we verify the security of the proposed scheme using formal verification and informal security analysis.

Formal Security Verification
The formal security verification of the proposed scheme was done by using the automated validation feature of the Internet Security Protocols and Applications (AVISPA) tool [21], which is a push-button security analyzer tool designed for large scale internet security-sensitive protocols. AVISPA tool has been widely applied for formal security analysis of authentication protocols [9,10,[22][23][24].
The architecture of AVISPA tool is illustrated in Figure 5. High Level Protocol Specification Language (HLPSL) is used to describe protocol design and specify security goals. AVISPA tool takes a HLPSL file as input and translates the file into intermediate format (IF) by using HLPSL2IF translator. The IF code becomes the input to the backend, where protocol security goals will be verified. Finally, the backend outputs the security report. As shown in Figure 5, the backend of AVISPA tool consists of four components: on-the-fly Model-Checker (OFMC), CL-based Attack Sercher (CL-AtSe), SAT-based Model-Check (SATMC), and Tree Automata-based Protocol Analyzer (TA4SP). Users can choose the backend components according to security requirements of their design. Notice that HLPSL is a role based language. The basic role states initial variables, constants, and transition steps. The composed role instantiate one or more basic roles. Finally, a top level role called environment role, states global constants and a composition of multiple sessions. The security goals of the proposed scheme are specified in Figure 6 as: (1) secrecy_of sessionkey means that the session key generated in the proposed scheme is kept secret between the SD and the HGW; (2) authentication_on gateway_Si means that secret S i will be verified at the SD; (3) authentication_on_device_Ai means that secret A i will be verified at the HGW; (4) authentication_on_device_t2 means that the timestamp T 2 generated by the SD will be agreed between the SD and the HGW; (5) Similarly, authentication_on_gateway_t1 verifies the agreement on timestamp T 1 between the HGW and the SD. The first security goal tests the strength and secrecy of the session key against various attacks such as MITM attack. The second and third security goals together confirm the establishment of mutual authentication, and the last two security goals test the protocol design against replay attacks. By running the HLPSL file through the backend, we test not only the protocol design against various attacks, but also whether the protocol satisfies specific requirements.  Figures 7 and 8 specify the roles of the SD and the HGW for low security risk, respectively. In the SD role, State 0 indicates the beginning of the authentication process. At State 0, the SD starts the authentication process by sending identity ID A to the HGW through the SND() function. On the other side, the HGW receives the device identity ID A at State 0 by using the RCV() function. Upon receiving ID A , the HGW will move to State 1, where secret S i is generated by using the built-in hash function H(), T 1 will be generated as random number by calling new() function. Then the HGW uses built-in xor function to generate the response message. Similarly, after sending ID A to the HGW, the SD will move to State 1 and wait for the response message from the HGW. Both SD and HGW generates the session key at State 2. Similar to low security risk, Figures 9 and 10 specify the SD and HGW roles for high security risk, respectively.     Figure 11 specifies the protocol session role. In this role, we instantiate one instance of each basic role and compose them together to construct the whole protocol session. Channel(dy) declaration means that the intruder has full control over the channel, where dy stands for the Dolev-Yao attack model. Finally, the top-level environment role is defined in Figure 12. This role defines device ID, gateway ID, rc and si as global constants, and a composition of three sessions. Note that the intruder represented as constant i, will have names of all agents as initial knowledge.  The outputs of the OFMC and CL-AtSe backends for P L and P H of the proposed scheme are shown in Figures 13-16. The results show that the proposed scheme is safe in the OFMC and CL-AtSe backends. This means that the proposed scheme successfully meets specified security goals.

Informal Security Analysis
In this section, we perform an informal security analysis to show how the proposed scheme achieves different security objectives.

Message Integrity
Both P L and P H of the proposed scheme use one-way hash functions to achieve the message integrity. To tamper the transmitted messages, the attacker needs to learn the secrets S i and A i which can not be obtained through the eavesdropped messages. Thus, the attacker cannot compute a valid hash value for a message, which means that the proposed scheme achieves the message integrity properly.

Mutual Authentication
Mutual authentication is an important property to verify the legitimacy of the SD and HGW to each other. In the proposed scheme, the SD authenticates the HGW by verifying the validity of the value C 2, * using the secret S i . The HGW then authenticates the SD by verifying the validity of the value C 4, * using the secret A i . As the secrets S i and A i cannot be obtained from the eavesdropped messages, the proposed scheme support the mutual authentication between the SD and HGW.

Resistance against MITM Attack
An attacker can launch the MITM attack by relaying and manipulating the messages exchanged between the SD and HGW. In the proposed scheme, the attacker needs to learn the secret S i to manipulate the messages successfully. Since the secret S i cannot be obtained from the previously eavesdropped messages, the propose scheme can resist the MITM attack.

Resistance against Replay Attack
In the replay attack, the attacker can replay previously eavesdropped messages to establish an authenticated session with the targeted entity. The proposed scheme uses the timestamp to verify if a received message is valid or not. Since the replayed message has the old timestamp, it cannot pass the verification. Thus, the proposed scheme can resist the replay attack.

Resistance against Impersonation Attack
An attacker may impersonate a SD by forging the request message MSG 1 with a fake/stolen ID as MSG 1 is in plain text. However, the response message MSG 2, * from the HGW cannot be interpreted by the attacker since the secret S i is unknown to the attacker. Therefore, the attacker cannot continue the authentication process. There is also no way for the attacker to impersonate the HGW by forging the response message since the HGW identity ID G is protected with the secret S i during the transmission. Thus, the proposed scheme can resist the impersonation attack.

Performance Analysis
Since a SD is usually resource limited, the design of authentication scheme should not overwhelm the SD's computational and communication resources. In this section, we perform an analysis of the computational and communication costs of the proposed scheme.

Communication Cost
The communication cost of the proposed scheme is evaluated using the total number of bits sent and received by the SD and the communication energy cost. In the analysis, we assume that message header is 3 bits in length, device ID and HGW ID are 8 bits, timestamp and random number are 32 bits, and outputs of hash and encryption operations are 128 bits. Table 2 compare the proposed scheme with [6,8,9] in terms of total number of exchanged messages. Both P L and P H of the proposed scheme require three messages exchanged between the SD and the HGW, which is comparable to that of [9] and less than those of [6,8]. The communication overheads of P L and P H of the proposed scheme in terms of total number of bits are shown in Table 3, which are calculated using aforementioned parameters. Figure 17 shows the communication overhead of the proposed scheme with different percentages of P L and P H being used. Generally, the higher chance that P L is used, the lower the communication overhead of the proposed scheme. The communication overheads of three existing works [6,8,9] are also plotted in Figure 17. It is obvious that the proposed scheme achieves the lowest communication overhead even only P H is used.
Besides communication overhead, communication energy cost is another important factor when evaluating communication cost. In order to simulate a resource limited SD, we used the TelosB platform which embeds a 16-bit processor running at 8 MHz clock frequency. TelosB also has limited amount of memory: 48 KB of ROM and 10 KB of RAM [25]. To measure the communication energy cost, we obtained the energy costs of sending and receiving one bit of data on TelosB platform as 0.72 µJ and 0.81 µJ from [26]. Then the communication energy costs of P L and P H are obtained as 269.55 µJ and 403.47 µJ (Table 4). Table 5 compares the communication energy cost of the proposed scheme with those of [6,8,9]. We assume that P L and P H have equal chance to be used for the proposed scheme. The results indicate that the proposed scheme is more efficient than other schemes in terms of communication energy cost.  Figure 17. Communication overhead of the proposed scheme compared with those of three existing works [6,8,9].

Scheme Communication Energy Cost (µJ)
Li [6] 483.84 Han et al. [8] 656.64 Kumar et al. [9] 430.22 Proposed Scheme (50% P L + 50% P H ) 336.51 Table 6 compares the computational cost of the proposed scheme with those of [6,8,9]. In the table, 'H' represents the time to execute one hash function. 'XOR' represents the time to perform an exclusive-or operation. 'E' and 'D' represent the times to perform encryption and decryption, respectively. 'MAC' and 'HMAC' represent the times used to compute the message authentication code and the hashed message authentication code, respectively. 't' is the time to perform a point multiplication operation. As shown in Table 6, P L of the proposed scheme requires five hash operations and two XOR operations while P H requires five hash operations, one encryption operation and one decryption operation. Since both P L and P H use five hash operations, a time and memory efficient hash algorithm such as BLAKE2 [27] is recommended for the proposed scheme. In comparison, the scheme proposed in [6] requires two point multiplication operations, one MAC operation, one encryption operation, one decryption operation, and one hash operation. Note that the point multiplication operation has high computational complexity compared with other operations. The scheme proposed in [8] requires seven MAC operations, four encryption operations, four decryption operations, and five hash operations. Finally, two hash operations, one MAC operation, one HMAC operation, one encryption operation and one decryption operation are required for the scheme of [9]. Overall, the proposed scheme is computational efficient and easy to implement compared with other schemes.

Computational Cost
We also analyzed the computational energy cost of the proposed scheme using a similar method of [9]. The energy consumption of a SD (E) is calculated by using the formula E = V × I, where V is the voltage of the new batteries and I is the current of the circuit. Both V and I were retrieved from the TelosB datasheet [25]. The energy costs of executing hash function and encryption algorithm on TelosB platform can be computed based on the work of [28]. To compare with other schemes, we also obtained the energy costs of MAC and HMAC operations and point multiplication operation from [9,26], respectively. Since the time of executing XOR operation is negligible compared with other operations, it was excluded from the evaluation. The computational energy costs of different operations are shown in Table 7. Table 8 compares the total computational energy cost of the proposed scheme (50% P L and 50% P H ) with those of [6,8,9]. The results indicate that the proposed scheme is more efficient than other schemes in terms of computational energy cost.

Conclusions
Situation awareness is the essential feature of a smart home system which can be used to develop various smart applications. In this paper, we propose an efficient device authentication scheme for SG-HANs that can adapt to the security risk information assessed by the smart home system. The scheme selects a suitable authentication protocol based on the assessed security risk level that provides adequate security protection with reduced computational and communication costs. We presents a protocol design of the proposed scheme by considering two security risk levels. A formal security verification using AVISPA tool and an informal security analysis are performed to prove the security of the design. The performance analysis demonstrates that the proposed scheme is efficient for device authentication in SG-HANs in terms of both computational and communication costs. In future, we will research how to use the information collected by the smart home system in both physical and cyber domains to assess the security risk level, which is the key to enable the proposed scheme.
Author Contributions: Conceptualization, J.Z.; methodology, A.X. and J.Z.; formal analysis, A.X. and J.Z.; software, A.X.; writing-original draft preparation, A.X. and J.Z.; writing-review and editing, A.X. and J.Z.; supervision, J.Z.; funding acquisition, J.Z. All authors have read and agreed to the published version of the manuscript.
Funding: This material is based upon work funded by the National Science Foundation EPSCoR Cooperative Agreement OIA-1757207.

Conflicts of Interest:
The authors declare no conflict of interest.