An Implicit Certificate-Based Lightweight Authentication Scheme for Power Industrial Internet of Things
-
摘要: 随着电力工业互联网的快速发展,电力系统与互联网的深度融合在推动产业智能化升级的同时,也带来了严峻的安全挑战。资源受限的终端使电力设备易遭受恶意攻击,亟需高效安全的身份认证机制以保障系统内的数据安全传输。然而,现有认证方案计算开销较大,且在应对常见攻击时仍存在安全隐患,难以满足电力工业互联网的实际需求。针对这一问题,本文设计了一种安全轻量的身份认证方案。在设备注册阶段引入隐式证书技术,将公钥认证信息嵌入签名中,从而无需显式传输完整的证书信息。相比传统证书,隐式证书更短且验证效率更高,有效降低了传输与验证开销。在此基础上,本文构建了仅依赖哈希、异或及椭圆曲线模乘运算的轻量级认证流程,实现设备间的安全身份认证与会话密钥协商,更适用于资源受限终端。随后,本文通过形式化方法分析了方案安全性,证明其具备安全相互认证、会话密钥保密性与前向安全性,并能有效抵御重放与中间人等典型攻击。最后,通过实验对所提方案与现有先进方案进行了全面对比,结果验证了本文提出的方案具备更低的计算和通信开销。Abstract:
Objective With the rapid advancement of technologies such as the Internet of Things, cloud computing, and edge computing, the Power Industrial Internet of Things (PIIoT) is evolving into a key infrastructure for smart electricity systems. In this architecture, terminal devices continuously collect operational data and transmit it to edge gateways for initial processing before forwarding it to cloud platforms for further intelligent analysis and control. Such integration significantly enhances operational efficiency, reliability, and security in power systems. However, the close coupling between traditional industrial systems and open network environments introduces new cybersecurity threats. Resource-constrained devices in PIIoT are particularly vulnerable to attacks, leading to data leakage, privacy breaches, and even the disruption of power services. Existing identity authentication mechanisms either incur high computational and communication overheads or fail to provide adequate security guarantees, such as forward secrecy or resistance to replay and man-in-the-middle attacks. Therefore, this study aims to design a secure and efficient identity authentication scheme tailored to the PIIoT environment. The proposed work addresses the urgent need for a solution that balances lightweight performance with strong security, especially for power terminals with limited processing capabilities. Methods To address this challenge, a secure and lightweight identity authentication scheme is proposed. Specifically, the scheme introduces implicit certificate technology during the device identity registration phase. This technique embeds public key authentication information into the signature, eliminating the need to transmit the full certificate explicitly during communication. Compared to traditional explicit certificates, implicit certificates feature shorter lengths and more efficient verification, thereby reducing overhead in both transmission and validation processes. Building upon this, a lightweight authentication protocol is constructed, relying only on hash functions, XOR operations, and elliptic curve point multiplications. This enables secure mutual authentication and session key agreement between devices while maintaining suitability for resource-constrained power terminal devices. Furthermore, a formal analysis is conducted to evaluate the security of the proposed scheme. The results demonstrate that it achieves secure mutual authentication, ensures the confidentiality and forward secrecy of session keys, and provides strong resistance against various attacks, including replay and man-in-the-middle attacks. Finally, comprehensive experiments are conducted to compare the proposed scheme with existing advanced authentication protocols. The results confirm that the proposed solution achieves significantly lower computational and communication overhead, making it a practical choice for real-world deployment. Results and Discussions The proposed scheme was evaluated through both simulation and numerical comparisons with existing methods. The implementation was conducted on a virtual machine configured with 8 GB RAM, an Intel i7-12700H processor, and Ubuntu 22.04, using the Miracl-Python cryptographic library. The security level was set to 128 bits, employing the ed25519 elliptic curve, SHA-256 as the hash function, and AES-128 for symmetric encryption. Table 1 presents the performance of the underlying cryptographic primitives. As shown inTable 2 , the proposed scheme achieves the lowest computational cost, requiring only three elliptic curve point multiplications on the device side and five on the gateway side. This is substantially lower than traditional certificate-based schemes, which demand up to 14 and 12 such operations, respectively. Compared to other representative schemes, our method further reduces the device-side burden, improving its applicability in resource-constrained environments.Table 3 illustrates that the scheme also minimizes communication overhead, achieving the smallest message size (3456 bits) and requiring only three message exchange rounds, attributed to the use of implicit certificates. As depicted inFig.6 , the authentication phase exhibits the shortest runtime among all evaluated schemes—47.72 ms for devices and 82.88 ms for gateways—demonstrating the scheme’s lightweight nature and practical deployability in real-world Industrial Internet of Things scenarios.Conclusions This paper presents a lightweight and secure identity authentication scheme based on implicit certificates, specifically designed for resource-constrained terminal devices in the Power Industrial Internet of Things. By integrating a low-overhead authentication protocol with efficient certificate handling, the scheme achieves a balanced trade-off between security and performance. The protocol ensures secure mutual authentication, protects the confidentiality of session keys, and satisfies forward secrecy, all while maintaining minimal computational and communication overhead. Security proofs and experimental evaluations verify that the proposed solution outperforms existing methods in both security robustness and resource efficiency. It offers a practical and scalable approach to enhancing the security infrastructure of modern power systems. -
表 1 方案实现功能对比表
方案 [7] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] 本文的方案 A1 √ × × √ √ √ √ √ √ √ √ √ A2 × √ √ √ √ × √ √ × × √ √ A3 × × × × × × √ × × × × √ A4 × × √ × √ √ × √ √ √ × √ A5 √ √ √ √ √ × √ × √ × × √ A6 × √ × √ √ √ × × × √ × √ A7 × × × × × √ × × × × × √ 注:A1 – 安全的相互认证;A2 – 共享密钥的安全生成;A3 – 前向保密性;A4 – 正式的安全性分析;A5 –资源受限设备友好(计算效率);A6 – 资源受限设备友好(通信效率);A7 – 抵御内部攻击者;A8 – 认证类型(SCB – 基于对称密码学的方案,PKCB – 基于公钥密码学的方案)。 
下载: 导出CSV
表 2 计算开销数值对比
方案 电力设备端 边缘网关端 总计 Das等人[24] $ 7\cdot {T}_{ecm}+3\cdot {T}_{eca}+6\cdot {T}_{H} $ $ 7\cdot {T}_{ecm}+3\cdot {T}_{eca}+6\cdot {T}_{H} $ $ 14\cdot {T}_{ecm}+6\cdot {T}_{eca}+12\cdot {T}_{H} $ Li等人 [25] $ 5\cdot {T}_{ecm}+2\cdot {T}_{eca}+6\cdot {T}_{H} $ $ 5\cdot {T}_{ecm}+2\cdot {T}_{eca}+6\cdot {T}_{H} $ $ 10\cdot {T}_{ecm}+4\cdot {T}_{eca}+12\cdot {T}_{H} $ Zhang等人 [26] $ 6\cdot {T}_{ecm}+2\cdot {T}_{eca}+2\cdot {T}_{H} $ $ 6\cdot {T}_{ecm}+2\cdot {T}_{eca}+2\cdot {T}_{H} $ $ 12\cdot {T}_{ecm}+4\cdot {T}_{eca}+4\cdot {T}_{H} $ Liu等人 [27] $ 8\cdot {T}_{ecm}+6\cdot {T}_{eca} $ $ 8\cdot {T}_{ecm}+6\cdot {T}_{eca} $ $ 16\cdot {T}_{ecm}+12\cdot {T}_{eca} $ Wu等人 [17] $ 4\cdot {T}_{ecm}+8\cdot {T}_{H} $ $ 4\cdot {T}_{ecm}+8\cdot {T}_{H} $ $ 8\cdot {T}_{ecm}+16\cdot {T}_{H} $ Wang等人 [18] $ 6\cdot {T}_{ecm}+{T}_{eca}+3\cdot {T}_{H} $ $ 6\cdot {T}_{ecm}+{T}_{eca}+3\cdot {T}_{H} $ $ 12\cdot {T}_{ecm}+2{T}_{eca}+6\cdot {T}_{H} $ 本文方案 $ 3\cdot {T}_{ecm}+{T}_{eca}+{T}_{E}+5\cdot {T}_{H} $ $ 5\cdot {T}_{ecm}+2\cdot {T}_{eca}+{T}_{D}+5\cdot {T}_{H} $ $ 8\cdot {T}_{ecm}+3\cdot {T}_{eca}+{T}_{E}+{T}_{D}+10\cdot {T}_{H} $
下载: 导出CSV
表 3 通信开销数值对比
方案 通信复杂度 通信总量 (bits) 交互轮次 Das等人[24] $ 6\cdot {L}_{G}+6\cdot {L}_{p}+2\cdot {L}_{ID}+3\cdot {L}_{T} $ 4928 3 Li等人 [25] $ 6\cdot {L}_{G}+4\cdot {L}_{p}+2\cdot {L}_{ID} $ 4224 3 Zhang等人 [26] $ 8\cdot {L}_{G}+3\cdot {L}_{p}+3\cdot {L}_{ID} $ 5056 6 Liu等人 [27] $ 8\cdot {L}_{G}+4\cdot {L}_{p}+4\cdot {L}_{ID} $ 5376 6 Wu等人 [17] $ 2\cdot {L}_{G}+4\cdot {L}_{p}+3\cdot T $ 2240 3 Wang等人 [18] $ 6\cdot {L}_{G}+4\cdot {L}_{p} $ 4096 4 本文方案 $ 5\cdot {L}_{G}+2\cdot {L}_{p}+3\cdot {L}_{ID}+3\cdot {L}_{N} $ 3456 3
下载: 导出CSV
-
[1] LIU Mengxiang, TENG Fei, ZHANG Zhenyong, et al. Enhancing cyber-resiliency of DER-based smart grid: A survey[J]. IEEE Transactions on Smart Grid, 2024, 15(5): 4998–5030. doi: 10.1109/TSG.2024.3373008. [2] DEHGHANPOUR K, WANG Zhaoyu, WANG Jianhui, et al. A survey on state estimation techniques and challenges in smart distribution systems[J]. IEEE Transactions on Smart Grid, 2019, 10(2): 2312–2322. doi: 10.1109/TSG.2018.2870600. [3] SAHANI N, ZHU Ruoxi, CHO J H, et al. Machine learning-based intrusion detection for smart grid computing: A survey[J]. ACM Transactions on Cyber-Physical Systems, 2023, 7(2): 11. doi: 10.1145/3578366. [4] HU Chunqiang, LIU Zewei, LI Ruinian, et al. Smart contract assisted privacy-preserving data aggregation and management scheme for smart grid[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 21(4): 2145–2161. doi: 10.1109/TDSC.2023.3300749. [5] PAGANINI P. Sodinokibi ransomware operators hit electrical energy company light S. A. [EB/OL]. https://securityaffairs.com/105477/cyber-crime/sodinokibi-ransomware-light-s-a.html, 2020. [6] DONG Jingnan, XU Guangxia, MA Chuang, et al. Blockchain-based certificate-free cross-domain authentication mechanism for industrial internet[J]. IEEE Internet of Things Journal, 2024, 11(2): 3316–3330. doi: 10.1109/JIOT.2023.3296506. [7] DAS A K, SHARMA P, CHATTERJEE S, et al. A dynamic password-based user authentication scheme for hierarchical wireless sensor networks[J]. Journal of Network and Computer Applications, 2012, 35(5): 1646–1656. doi: 10.1016/j.jnca.2012.03.011. [8] LEE J Y, LIN Weicheng, and HUANG Yuhung. A lightweight authentication protocol for internet of things[C]. Proceedings of the 2014 International Symposium on Next-Generation Electronics (ISNE), Kwei-Shan Tao-Yuan, China, 2014: 1–2. doi: 10.1109/ISNE.2014.6839375. [9] BRAEKEN A. Symmetric key based 5G AKA authentication protocol satisfying anonymity and unlinkability[J]. Computer Networks, 2020, 181: 107424. doi: 10.1016/j.comnet.2020.107424. [10] GHANI A, MANSOOR K, MEHMOOD S, et al. Security and key management in IoT‐based wireless sensor networks: An authentication protocol using symmetric key[J]. International Journal of Communication Systems, 2019, 32(16): e4139. doi: 10.1002/dac.4139. [11] BADAR H M S, QADRI S, SHAMSHAD S, et al. An identity based authentication protocol for smart grid environment using physical uncloneable function[J]. IEEE Transactions on Smart Grid, 2021, 12(5): 4426–4434. doi: 10.1109/TSG.2021.3072244. [12] ZHANG Yunru, HE Debiao, VIJAYAKUMAR P, et al. SAPFS: An efficient symmetric-key authentication key agreement scheme with perfect forward secrecy for industrial internet of things[J]. IEEE Internet of Things Journal, 2023, 10(11): 9716–9726. doi: 10.1109/JIOT.2023.3234178. [13] ABBASINEZHAD-MOOD D and NIKOOGHADAM M. Design and hardware implementation of a security-enhanced elliptic curve cryptography based lightweight authentication scheme for smart grid communications[J]. Future Generation Computer Systems, 2018, 84: 47–57. doi: 10.1016/j.future.2018.02.034. [14] GARG S, KAUR K, KADDOUM G, et al. Secure and lightweight authentication scheme for smart metering infrastructure in smart grid[J]. IEEE Transactions on Industrial Informatics, 2020, 16(5): 3548–3557. doi: 10.1109/TII.2019.2944880. [15] CHAUDHRY S A, NEBHAN J, YAHYA K, et al. A privacy enhanced authentication scheme for securing smart grid infrastructure[J]. IEEE Transactions on Industrial Informatics, 2022, 18(7): 5000–5006. doi: 10.1109/TII.2021.3119685. [16] HU Shunfang, CHEN Yanru, ZHENG Yilong, et al. Provably secure ECC-based authentication and key agreement scheme for advanced metering infrastructure in the smart grid[J]. IEEE Transactions on Industrial Informatics, 2023, 19(4): 5985–5994. doi: 10.1109/TII.2022.3191319. [17] WU Yapeng, GUO Hua, HAN Yiran, et al. A security-enhanced authentication and key agreement protocol in smart grid[J]. IEEE Transactions on Industrial Informatics, 2024, 20(9): 11449–11457. doi: 10.1109/TII.2024.3399915. [18] WANG Zhihao, HUO Ru, and WANG Shuo. A lightweight certificateless group key agreement method without pairing based on blockchain for smart grid[J]. Future Internet, 2022, 14(4): 119. doi: 10.3390/fi14040119. [19] SHAHIDINEJAD A, ABAWAJY J, and HUDA S. Highly-secure yet efficient blockchain-based CRL-free key management protocol for IoT-enabled smart grid environments[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 6738–6750. doi: 10.1109/TIFS.2024.3423724. [20] STINSON D R and STROBL R. Provably secure distributed schnorr signatures and a (t, n) threshold scheme for implicit certificates[C]. Proceedings of the 6th Australasian Conference, ACISP 2001, Sydney, Australia, 2001: 417–434. doi: 10.1007/3-540-47719-5_33. [21] BRAEKEN A, CHIN Jijian, and TAN S Y. ECQV-IBI: Identity-based identification with implicit certification[J]. Journal of Information Security and Applications, 2021, 63: 103027. doi: 10.1016/j.jisa.2021.103027. [22] BLANCHET B. Modeling and verifying security protocols with the applied pi calculus and ProVerif[J]. Foundations and Trends® in Privacy and Security, 2016, 1(1/2): 1–135. doi: 10.1561/3300000004. [23] ZHENG Yue, LIU Wenye, GU Chongyan, et al. PUF-based mutual authentication and key exchange protocol for peer-to-peer IoT applications[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(4): 3299–3316. doi: 10.1109/TDSC.2022.3193570. [24] DAS A K, WAZID M, YANNAM A R, et al. Provably secure ECC-based device access control and key agreement protocol for IoT environment[J]. IEEE Access, 2019, 7: 55382–55397. doi: 10.1109/ACCESS.2019.2912998. [25] LI Sensen, ZHANG Tikui, YU Bin, et al. A provably secure and practical PUF-based end-to-end mutual authentication and key exchange protocol for IoT[J]. IEEE Sensors Journal, 2021, 21(4): 5487–5501. doi: 10.1109/JSEN.2020.3028872. [26] ZHANG Shiwen, YAN Ziwei, LIANG Wei, et al. BCAE: A blockchain-based cross domain authentication scheme for edge computing[J]. IEEE Internet of Things Journal, 2024, 11(13): 24035–24048. doi: 10.1109/JIOT.2024.3387934. [27] LIU Zewei, HU Chunqiang, RUAN Conghao, et al. An enhanced authentication and key agreement protocol for smart grid communication[J]. IEEE Internet of Things Journal, 2024, 11(12): 22413–22428. doi: 10.1109/JIOT.2024.3381379. [28] 方案安全性验证源码: https://github.com/chengqi1223/ALC-BLA. (查阅网上资料,未找到本条文献信息,请确认). -
图(5) / 表(3)
计量
- 文章访问数: 29
- HTML全文浏览量: 12
- PDF下载量: 2
- 被引次数: 0
下载:
