A General Authentication and Key Agreement Framework for Industrial Control System
Abstract
In modern industrial control systems (ICSs), when a user retrieves data stored in a field device such as a smart sensor, two main problems arise: first, the identities of the user and the field device are not verified; second, the user and the field device need to exchange a key to encrypt sensitive data transmitted over the network. We propose a comprehensive authentication and key agreement framework that enables all connected devices in an ICS to mutually authenticate each other and establish a peer-to-peer session key. The framework combines two types of protocols for authentication and session key agreement: the first is an asymmetric cryptographic key agreement protocol based on the Transport Layer Security (TLS) handshake protocol, used for Internet access, while the second is a newly designed lightweight symmetric cryptographic key agreement protocol specifically for field devices. The proposed lightweight protocol imposes a very light computational load and employs only simple operations such as one-way hash functions and exclusive-or (XOR). In comparison to other lightweight protocols, our protocol requires the field device to perform fewer computational operations during the authentication phase. The simulation results obtained using OpenSSL demonstrate that each authentication and key agreement process in the lightweight protocol requires only 0.005 ms. Our lightweight key agreement protocol satisfies several essential security features, including session key secrecy, identity anonymity, untraceability, integrity, forward secrecy, and mutual authentication. It is capable of resisting impersonation, man-in-the-middle, and replay attacks. We have employed the Gong-Needham-Yahalom (GNY) logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to verify the security of our symmetric cryptographic key agreement protocol.