



UCA OpenSG Security: Establishing Industry Secure Device Profiles for the Smart Grid

> Rohit Khera, <u>rxkw@pge.com</u> 11/03/2010



- •Establishing Secure Device Profile Process Overview
- •The Need for Smart Grid Secure Device Profiles
- •Why Consider Cryptographic Requirements?
- •Discussion of Hardware Acceleration Options
- •Discussion of Side Channel Attacks
- •Key Provisioning
- •High Level Deliverables
- •Parking Lot Items



### Establishing Secure Device Profiles – Process Overview





## **Introducing Secure Device Profiles**







- M sends A an ephemeral point G\_V = d\_V\*P, and B's public key Q\_V
- M receives A's public key Q\_U and an ephemeral point G\_U = d\_U\*P
- A then computes bitstings Z\_s = k\_U\*Q\_V, and Z\_e = d\_U\*G\_V and shared secret Z = Z\_s || Z\_e
- Through knowledge of A's static private key, M can compute
- $Z_s = k_U^*Q_V$  and  $Z_e = d_V^*G_U$ .
- And compute the common shared secret Z = Z\_s||Z\_e



- Secure algorithms necessary but not sufficient need to address protocol security
- Optionality within specified protocols (eg, IETF, NIST)
- Secure protocols can require additional passes / message exchanges – consider performance / security tradeoffs



## Acceleration for public key cryptography – Sample Applications

#### Modular Multiplication

- Multiple efficient acceleration approaches for modular multiplication in Z/nZ (i) multiply and reduce (ii) interleaving (Karatsuba Ofman, Booth-Barrett, Montgomery method)
- Multiple efficient acceleration approaches for modular multiplication in GF(2<sup>m</sup>) basis dependent / independent

#### Acceleration techniques for ECC



Legend Multiple ASIC / FPGA based approaches w/ desirable throughput/area characteristics

Candidate functions for efficient / cost effective hardware implementation



- Differential Power Analysis utilize statistical correlation to relate specific bits to observed calculation – typically targeting XOR operation between secret keys and temporary data
  - Transition Count Leakage: number of changed bits
  - Hamming Weight Leakage: number of '1' bits being processed
- Timing Attacks targeting bit wise operations and arithmetic operations

## Multiple Mitigation Approaches -

- Constant time algorithms
- Switch gates every clock cycle (regardless of the transmitted data values)



- Symmetric Cryptography
  - Requirements for pairwise symmetric key establishment?
  - Symmetric 'Needham-Schroeder' Protocols eg Kerberos
- Asymmetric Cryptography
  - 802.1AR Secure Device Identity
  - Require RNG capabilities in the device
  - Supports unique key pairs for distinct security associations



- MCUs, chipsets
- Hardware acceleration options
- Hardware based secure key storage & generation options
- Cryptographic primitives, cipher suites & protocols
- Sample cryptographic overhead calculations (hardware dependent)
- Outline of relevant AAA protocols by device category
- Sample power usage analysis
- Key management & provisioning options
- Side channel attack mitigation options
- Cost analysis

Leverage work from existing SDOs



## RTOS'es

# Software / Firmware Integrity, Formal Methods / Static Analysis

Guidelines for a secure supply chain