A General Authentication and Key Agreement Framework for Industrial Control System

Gao Shan; Chen Junjie; Zhang Bingsheng; Ren Kui; Ye Xiaohua; Shen Yongsheng

doi:10.23919/cje.2023.00.192

Article Contents

Article Navigation > Chinese Journal of Electronics > 2022 > Accepted Manuscript

Shan Gao, Junjie Chen, Bingsheng Zhang, et al., “A General Authentication and Key Agreement Framework for Industrial Control System,” Chinese Journal of Electronics, vol. x, no. x, pp. 1–18, xxxx doi: 10.23919/cje.2023.00.192

Citation:

Shan Gao, Junjie Chen, Bingsheng Zhang, et al., “A General Authentication and Key Agreement Framework for Industrial Control System,” Chinese Journal of Electronics, vol. x, no. x, pp. 1–18, xxxx doi: 10.23919/cje.2023.00.192

Citation:

PDF( 11429 KB)

A General Authentication and Key Agreement Framework for Industrial Control System

doi: 10.23919/cje.2023.00.192

Gao Shan^1
,,
Chen Junjie^{1, 2
,
,},
Zhang Bingsheng^1
,,
Ren Kui^{1, 3
,},
Ye Xiaohua^4
,,
Shen Yongsheng^4
,

1.
School of Cyber Science and Technology, Zhejiang University, Hangzhou and 310058, China
2.
Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou and 311200, China
3.
Zhejiang Provincial Key Laboratory of Blockchain and Cyberspace Governancee, Hangzhou and 310058, China
4.
HANG ZHOU CITY BRAIN CO., LTD, Hangzhou and 310024, China

More Information

Author Bio:
Shan Gao Shan Gao received the B.E. degree from the Zhejiang University, Zhejiang, China, in 2003, the M.S. degree from the Sixth Research Institute of CEC, Beijing, China, in 2006. He is currently pursuing the Eng.D degree with the College of Engineers, Zhejiang University, Zhejiang, China. His research interests include industrial information security. (Email: higaoshan@163.com)

Junjie Chen JunJie Chen received the B.E. degree from the Peking University, Beijing, China, in 2020. He is currently pursuing the M.S. degree with the School of Cyber Science and Technology, Zhejiang University, Zhejiang, China. His research interests include industrial information security and data privacy. (Email: 22121095@zju.edu.cn)

Bingsheng Zhang Bingsheng Zhang received the Ph.D. degree from the Worcester Polytechnic Institute. He is currently a Professor and the Associate Dean of the College of Computer Science and Technology, Zhejiang University, where he also directs the Institute of Cyber Science and Technology. Before that, he was the SUNY Empire Innovation Professor of The State University of New York at Buffalo. His current research interests include Data Security, IoT Security, AI Security, and Privacy. He received Guohua Distinguished Scholar Award from ZJU in 2020, IEEE CISTC Technical Recognition Award in 2017, SUNY Chancellor’s Research Excellence Award in 2017, Sigma Xi Research Excellence Award in 2012 and NSF CAREER Award in 2011. Kui has published extensively in peer-reviewed journals and conferences and received the Test-of-time Paper Award from IEEE INFOCOM and many Best Paper Awards from IEEE and ACM including MobiSys’20, ICDCS’20, Globecom’19, ASIACCS’18, ICDCS’17, etc. His h-index is 74, and his total publication citation exceeds 32000 according to Google Scholar. Kui is a Fellow of IEEE, a Distinguished Member of ACM and a Clarivate Highly-Cited Researcher. He is a frequent reviewer for funding agencies internationally and serves on the editorial boards of many IEEE and ACM journals. He currently serves as Chair of SIGSAC of ACM China. (Email: bingsheng@zju.edu.cn)

Kui Ren received the B.E. degree from the Zhejiang University of Technology, Hangzhou, China, in 2007, the M.S. degree from University College London, UK, in 2008, and the Ph.D. degree from the University of Tartu, Estonia, in 2011. He is currently a Professor with the College of Computer Science and Technology, Zhejiang University, Hangzhou, China. Before that, he was program director of Lancaster University's master's degree in cybersecurity and leader of the university's security research group. He specializes in cryptography, verifiable electronic voting (e-voting), and zero-knowledge proofs. In recent years, his research interests include secure computing, collaborative decision-making, and blockchain security. (Email: kuiren@zju.edu.cn)

Xiaohua Ye Xiaohua Ye, graduated from Zhejiang A&F University with a major in computer science. Now she is the CPO of Hangzhou City Brain Co., Ltd. Ye has deeply involved in digtal reform of Zhejiang Province, and participated in the planning and design of the “Zhejiang Government Service Network” and “Zheliban APP”. In 2018, she participated as a volunteer in the exploration and construction of Hangzhou City Brain, and have rich experience in building smart cities and digital governments. In recent years, Ye has led her team to independently research the digital city intensification platform CPaaS, assisting in the construction of digital governments in multiple regions within and outside Zhejiang Province. As a member of the company's digital cockpit technology team, she have helped the team win honors such as the “National Worker Pioneer” and the “First Prize in the Hangzhou City Brain Digital Elite Skills Competition”. (Email: Veraye926@163.com)

Yongsheng Shen Yongsheng Shen earned a Ph.D. in Transportation Planning and Management from Beijing Jiaotong University, and then furthered his studies as a Postdoctoral Fellow at the College of Computer Science, Twente University. He is currently the CEO of Hangzhou City Brain Co., Ltd.. Before that, he was the Technical Director of Zhejiang Daily Digital Culture Group Co.,Ltd.. He has published 10 high-level academic papers in domestic and foreign journals and academic conferences, including 7 papers as the first author. He has deep research and practical experience in Smart City, Digital Governmence, Smart Transportation and other related fields. The major projects he has spearheaded or participated in include Zhejiang Government Service Network, ‘Zheliban’ APP, Hangzhou City Brain, Wenzhou City Brain, Taizhou City Brain and more than 40 projects of digital reform in Zhejiang Province. In 2021, he led the company's technic team to win the honor of ‘National Worker Pioneer’. Personally, he has been awarded many honorary titles, such as ‘Zhejiang Golden Blue Collar’, ‘Hangzhou May Day Labor Medal’. (Email: sys@cityos.com)
Corresponding author: Junjie Chen; Email: 22121095@zju.edu.cn
Received Date: 2022-03-22
Accepted Date: 2022-03-22

Available Online: 2022-03-22

Abstract

Abstract

In modern Industrial Control Systems (ICSs), when user retrieving the data stored in field device like smart sensor, There are two main problems. Firstly, the identification of user and field device should be verified. Secondly, to protect the privacy of sensitive data transmitted over the network, user and field device should exchange a key to encrypt data. In this study, we propose a comprehensive authentication and key agreement framework that enables all connected devices in an ICS to mutually authenticate each other and establish a peer-to-peer session key. The framework combines two types of protocols for authentication and session key agreement: the first one is an asymmetric cryptographic key agreement protocol based on TLS handshake protocol used for Internet access, while the second one is a newly designed lightweight symmetric cryptographic key agreement protocol specifically for field devices. This proposed lightweight protocol imposes very light computational load and merely employs simple operations like one-way hash function and exclusive-or (XOR) operation. In comparison to other lightweight protocols, our protocol requires the field device to perform fewer computational operations during the authentication phase. The simulation results obtained using OpenSSL demonstrates that each authentication and key agreement process in the lightweight protocol requires only 0.005ms. Additionally, our lightweight key agreement protocol satisfies several essential security features, including session key secrecy, identity anonymity, untraceability, integrity, forward secrecy, and mutual authentication. Furthermore, it is capable of resisting impersonation, Man-in-the-Middle (MitM), and replay attacks. We have employed the GNY logic and AVISPA tool to verify the security of our symmetric cryptographic key agreement protocol.
- Industrial control system,
- Authentication and key agreement framework,
- Lightweight key agreement protocol,
- AVISPA

FullText(HTML)

References(30)

References

[1]	R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE Security & Privacy Magazine, vol. 9, no. 3, pp. 49–51, 2011. doi: 10.1109/MSP.2011.67
[2]	T. Tsvetanov and S. Slaria, “The effect of the colonial pipeline shutdown on gasoline prices,” Economics Letters, vol. 209 article no. 110122, 2021. doi: 10.1016/j.econlet.2021.110122
[3]	K. Stouffer, J. Falco, and K. Scarfone, “Guide to industrial control systems (ICS) security,” NIST Special Publication, SP 800-82, 2011.
[4]	A. Esfahani, G. Mantas, R. Matischek, et al., “A lightweight authentication mechanism for M2M communications in industrial IoT environment,” IEEE Internet of Things Journal, vol. 6, no. 1, pp. 288–296, 2019. doi: 10.1109/JIOT.2017.2737630
[5]	E. Lara, L. Aguilar, M. A. Sanchez, et al., “Lightweight authentication protocol for M2M communications of resource-constrained devices in industrial internet of things,” Sensors, vol. 20, no. 2, article no. 501, 2020. doi: 10.3390/s20020501
[6]	M. Nakkar, R. AlTawy, and A. Youssef, “Lightweight authentication and key agreement protocol for edge computing applications,” in Proceedings of the IEEE 7th World Forum on Internet of Things (WF-IoT), New Orleans, LA, USA, pp. 415–420, 2021.
[7]	R. Sarabi Miyanaji, S. Jabbehdari, and N. Modiri, “Continuous lightweight authentication according group priority and key agreement for internet of things,” Transactions on Emerging Telecommunications Technologies, vol. 33, no. 7, article no. e4479, 2022. doi: 10.1002/ett.4479
[8]	S. Panda, S. Mondal, and N. Kumar, “Slap: A secure and lightweight authentication protocol for machine-to-machine communication in industry 4.0,” Computers & Electrical Engineering, vol. 98 article no. 107669, 2022. doi: 10.1016/j.compeleceng.2021.107669
[9]	K. Shahzad, M. Alam, N. Javaid, et al., “SF-LAP: Secure M2M communication in IIoT with a single-factor lightweight authentication protocol,” Journal of Sensors, vol. 2022 article no. 1309402, 2022. doi: 10.1155/2022/1309402
[10]	K. H. M. Wong, Y. Zheng, J. N. Cao, et al., “A dynamic user authentication scheme for wireless sensor networks,” in Proceedings of IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC’06), Taichung, China, pp. 1–8, 2006.
[11]	H. R. Tseng, R. H. Jan, and W. Yang, “An improved dynamic user authentication scheme for wireless sensor networks,” in Proceedings of IEEE GLOBECOM 2007-IEEE Global Telecommunications Conference, Washington, DC, USA, pp. 986–990, 2007.
[12]	M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE transactions on wireless communications, vol. 8, no. 3, pp. 1086–1090, 2009. doi: 10.1109/TWC.2008.080128
[13]	M. K. Khan and K. Alghathbar, “Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010. doi: 10.3390/s100302450
[14]	B. Vaidya, D. Makrakis, and H. T. Mouftah, “Improved two-factor user authentication in wireless sensor networks,” in Proceedings of the IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications, Niagara Falls, ON, Canada, pp. 600–606, 2010.
[15]	T. H. Chen and W. K. Shih, “A robust mutual authentication protocol for wireless sensor networks,” ETRI Journal, vol. 32, no. 5, pp. 704–712, 2010. doi: 10.4218/etrij.10.1510.0134
[16]	H. L. Yeh, T. H. Chen, P. C. Liu, et al., “A secured authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 11, no. 5, pp. 4767–4779, 2011. doi: 10.3390/s110504767
[17]	M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion,” Ad Hoc Networks, vol. 20 pp. 96–112, 2014. doi: 10.1016/j.adhoc.2014.03.009
[18]	C. C. Chang and H. D. Le, “A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366, 2016. doi: 10.1109/TWC.2015.2473165
[19]	R. Amin, S. K. H. Islam, N. Kumar, et al., “An untraceable and anonymous password authentication protocol for heterogeneous wireless sensor networks,” Journal of Network and Computer Applications, vol. 104 pp. 133–144, 2018. doi: 10.1016/j.jnca.2017.12.012
[20]	C. YWang, D. Wang, Y. Tu, et al., “Understanding node capture attacks in user authentication schemes for wireless sensor networks,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 1, pp. 507–523, 2022. doi: 10.1109/TDSC.2020.2974220
[21]	J. Pirayesh, A. Giaretta, M. Conti, et al., “A PLS-HECC-based device authentication and key agreement scheme for smart home networks,” Computer Networks, vol. 216 article no. 109077, 2022. doi: 10.1016/j.comnet.2022.109077
[22]	M. C. Chuang and J. F. Lee, “TEAM: Trust-extended authentication mechanism for vehicular ad hoc networks,” IEEE systems journal, vol. 8, no. 3, pp. 749–758, 2014. doi: 10.1109/JSYST.2012.2231792
[23]	S. Kumari, M. Karuppiah, X. Li, et al., “An enhanced and secure trust-extended authentication mechanism for vehicular ad-hoc networks,” Security and Communication Networks, vol. 9, no. 17, pp. 4255–4271, 2016. doi: 10.1002/sec.1602
[24]	Standard No. GM/T 0003.2-2012:2012, Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves-Part 2: Digital Signature Algorithm, Available at: http://www.gmbz.org.cn/main/viewfile/20180108023346264349.html, 2012-03-21.
[25]	Standard No. GM/T 0003.3-2012:2012, Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves-Part 3: Key Exchange Protocol, Available at: http://www.gmbz.org.cn/main/viewfile/20180108023456003485.html, 2012-03-21.
[26]	M. Abdalla, P. A. Fouque, and D. Pointcheval, “Password-based authenticated key exchange in the three-party setting,” in Proceedings of the 8th International Workshop on Public Key Cryptography, pp. 65–84, 2005. (查阅网上资料,未找到本条文献出版地信息,请确认) . M. Abdalla, P. A. Fouque, and D. Pointcheval, “Password-based authenticated key exchange in the three-party setting,” in Proceedings of the 8th International Workshop on Public Key Cryptography, pp. 65–84, 2005. (查阅网上资料,未找到本条文献出版地信息,请确认).
[27]	S. Chai, H. T. Yin, B. Xing, et al., “Provably secure and lightweight authentication key agreement scheme for smart meters,” IEEE Transactions on Smart Grid, vol. 14, no. 5, pp. 3816–3827, 2023. doi: 10.1109/TSG.2023.3234000
[28]	L. Gong, R. Needham, and R. Yahalom, “Reasoning about belief in cryptographic protocols,” in Proceedings of 1990 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, pp. 234–248, 1990.
[29]	A. Armando, D. Basin, Y. Boichut, et al., “The AVISPA tool for the automated validation of internet security protocols and applications,” in Proceedings of the 17th International Conference on Computer Aided Verification, Edinburgh, Scotland, UK, pp. 281–285, 2005.
[30]	L. Viganò, “Automated security protocol analysis with the AVISPA tool,” Electronic Notes in Theoretical Computer Science, vol. 155 pp. 61–86, 2006. doi: 10.1016/j.entcs.2005.11.052