Multicast Data Authentication in Gridstat
Punit Agrawal
Washington State University at Pullman, WA 99163, United States
May 6, 2011
Abstract
It is challenging to provide authentication to time-critical multicast data, where low end-to-end delay is of crucial importance. Consequently, it requires not only efficient authentication algorithms to minimize computational cost, but also avoidance of buffering packets so that the data can be processed immediately once it is presented. Desirable properties for a multicast authentication scheme also include small communication overhead, tolerance to packet loss, and resistance against malicious attacks. This paper presents a low-latency multicast data-origin authentication scheme (LLMDO) to provide end-to-end data-origin guarantees for critical infrastructure monitoring systems. Although this scheme should work for all publish-subscribe data-dissemination frameworks which have strict time restrictions, the scheme has been developed with Gridstat in mind and makes heavy use of the existing Gridstat security mechanisms to achieve its objectives. The scheme is able to provide its low-latency guarantees by making use of fast encryption schemes like AES and one-way hash functions. The scheme is a work in progress and is being actively improved upon.
1 Introduction
Multicast authentication is a security primitive that enables each receiver in the multicast group to verify that received data originates from the claimed sender and was not altered on the way. In this paper, we focus on multicast authentication of time-stamped status updates sent from the publisher to interested subscribers. The scheme is motivated by the need for authenticating time-critical multicast data in the power grid, which is one of the largest cyber-physical critical infrastructures and is being transformed today with the design and development of advanced real-time control applications. These applications aim to allow timely control of power flow over physical power networks based on data from monitoring and control devices such as PMUs (Phasor Measurement Units) and relays. One of the goals of such systems is to prevent cascading failures that lead to blackouts [11]. For example, in the NASPI (North American SynchroPhasor Initiative) [6], each PMU senses and multicasts system environment data to control centers at a frequency of 30 samples per second. To provide exact control and in-time abnormality detection, such data often needs to be processed fast with low processing delay (several milliseconds at most). Given the nature of critical decisions based on this data, authentication is essential to prevent adversaries from forcing catastrophic decisions by modifying or forging data. Hence, efficient multicast authentication of time-critical data is crucially important to the power grid as well as other similar critical infrastructures. The nature of time-critical messages implies two basic requirements on the authentication scheme: 1) efficient algorithms to minimize computational cost, and 2) the ability to avoid packet buffering so that the data can be processed instantly upon being available.
Additional desirable properties for multicast authentication are 3) small communication overhead, 4) tolerance to packet loss, and 5) resistance to malicious attacks. In the past decade, researchers proposed multiple approaches to address the multicast authentication problem. However, none of the existing schemes can meet all five requirements simultaneously. The simple method of using public key signatures (like RSA [9]) to sign each message is too computationally expensive to authenticate time-critical messages.
This paper presents a low-latency multicast data-origin authentication scheme (LLMDO) to provide end-to-end data-origin guarantees for critical infrastructure monitoring systems. Although this scheme should work for all publish-subscribe data-dissemination frameworks which have strict time restrictions, the scheme has been developed with Gridstat in mind and makes heavy use of the existing Gridstat security mechanisms to achieve its objectives. The scheme is able to provide its low-latency guarantees by making use of fast encryption schemes like AES and one-way hash functions. The scheme is a work in progress and is being actively improved upon. As of now, this scheme can provide efficient data-origin authentication, but cannot provide non-repudiation. Also, this scheme is vulnerable to cooperative collusion, which will be discussed in the paper. However, this scheme is bandwidth-efficient and computationally efficient for the receivers.
The research contributions of this paper are
1. to give an overview of the current security architecture of Gridstat
2. to propose a low-latency multicast data-origin authentication scheme
3. to integrate the scheme with the Gridstat framework efficiently
This paper is organized as follows: Section 2 gives an overview of the Managed Pub-Sub Model and the Gridstat framework. Section 3 talks about the current security architecture in Gridstat. Section 4 presents the proposed LLMDO scheme and discusses how the scheme can be integrated with the existing Gridstat framework. Section 5 concludes the paper.
2 Managed Publish-Subscribe and GridStat
Managed pub-sub could be considered a compromise between the conventional hierarchical SCADA systems and content-based pub-sub systems. The managed pub-sub model provides a flat, wide-area, asynchronous data bus where information can be inserted and extracted anywhere, but instead of routing the events dynamically based on their content, a hierarchical management plane is added that statically controls the routing based on publication identities. By leveraging static routing, managed pub-sub systems are able to provide the low latencies needed for critical infrastructure monitoring and control, while at the same time providing the convenience of pub-sub systems. The management plane's hierarchy can reflect the geographical and business structure of the critical infrastructure being monitored. The hierarchy provides a place for the cooperating businesses that operate the infrastructure to express and enforce their own policies about resource use and information security.
GridStat [4] is an example of such a managed pub-sub system, as seen in Figure 1. The management hierarchy is made up of quality-of-service (QoS) brokers that operate and configure the data plane's forwarding engines so as to provide QoS guarantees such as maximum latency and delivery reliability. GridStat publications are created when a publisher informs the management plane of its intent to produce a periodic stream of update events at a certain rate. Similarly, subscriptions are created when a subscriber informs the management plane of its need to receive update events from a particular publication at a particular rate, latency, and reliability. The management plane configures data plane mechanisms such as multicast, rate filtering, resource control and redundant paths to meet subscriber requirements. The key mechanism here is multicast: if the paths assigned by the QoS broker to two or more subscribers have any overlap, then the QoS broker will inform the publisher to send the data only once, at the higher rate, along the common path, and the data is then duplicated at the split. Unlike in content-based pub-sub systems, forwarding decisions are made on the basis of the publication identity of each event and subscribers' requirements: access to event contents is not needed. Because of this, end-to-end security mechanisms are possible in managed pub-sub and there is no latency penalty associated with decrypting data at the forwarding engines.
Figure 1: Gridstat, a managed pub-sub system for power grid monitoring and control
GridStat includes middleware components that provide the communication and management interfaces for publishing and subscribing applications.
3 Current Security Architecture Characteristics
The security environment for a wide-area process control system used in the electric power grid is very complex. In the power grid, multiple organizational entities (e.g., utilities, regulators and independent generators) control different portions of the grid, but they have to cooperate to provide highly reliable electric power. Each entity must protect its business-sensitive information from other entities, but it is sometimes the case that sensitive information has to be shared to achieve systemwide operational goals. The GridStat middleware framework [4] was designed to meet the need for flexible, controlled sharing of data streams produced by sensor devices deployed throughout the power grid. The GridStat security architecture is based on two principles. First, data produced by any sensor can be delivered to consuming applications located anywhere else in the grid. For example, an oscillation detection algorithm for the Western North American grid might use synchrophasor data streams from utilities in British Columbia, Arizona, California, Washington and Oregon. Second, owners of data streams are responsible for the integrity of the data and must be able to control access to the data. The GridStat design uses a data plane to provide the flexibility required by the first principle and a management plane to provide the control required by the second principle. In Figure 2, publisher, subscriber and forwarding engine nodes correspond to data plane components while security management service (SMS) nodes correspond to management plane components. Other management plane components, which are not shown, manage routing, resource utilization and other aspects of the data plane.
Figure 2: GridStat security architecture
The authentication problem addressed by Chakravarthy [2] concerns the mutual authentication of adjacent nodes in the SMS hierarchy and the mutual authentication of data plane devices with the leaf SMSs that manage them (Figure 2). Just as the pairwise authentication between Kerberos [8, 7] clients and servers provides the foundation for client-server authentication, the authentication of producers and consumers to their corresponding leaf SMSs is the foundation in GridStat for access control, message authentication, data confidentiality and other security services that are functions of the distributed SMS network. Authenticating data plane devices contributes to the novelty of the problem. These devices are located in substations or remote locations (and even on power poles), which makes them difficult and expensive to service, yet they have lifetimes that extend for decades. The paper proposes an authentication design allowing cryptographic components to be replaced over the long lifetimes of these devices. The authentication protocol makes use of a preloaded key set as key material to perform mutual authentication. The Re-Keying and Re-Moduling Protocols are vital to maintaining the authentication capabilities of process control systems. The Re-Keying Protocol facilitates the move to fresher and stronger keys in a safe manner. The Re-Moduling Protocol facilitates the distribution of new modules and the transitioning to their use in a secure manner. The protocols utilize the preloaded key set both minimally and efficiently.
These are very novel approaches which will be used by the end-to-end multicast authentication scheme proposed in the next section to verify the origin of status updates delivered from the publishers to the subscribers in a time-bounded manner.
4 LLMDA Multicast Authentication
This section describes the actual authentication scheme which will be used to authenticate the origin of status updates. The scheme is shown in Figure 3.
4.1 Initialization
The publisher and subscriber are denoted by $P$ and $S$ respectively. Nodes $N_0$ to $N_n$ are the forwarding engines (F.E.s). Initially, keys are shared between publishers and the edge forwarding engine, between each pair of forwarding engines, and between the edge forwarding engine and the subscribers. This can be provided in the form of a one-time pad during the installation of the F.E., as in the pairwise authentication protocol [2]. The key between the publisher and the edge F.E., and between the edge F.E. and the subscriber, can be set up when the forwarding tables of the corresponding F.E. are being updated. Each F.E. is also provided with a secret $S_i$ which is $l$ bits long. A multicast group consists of a publisher and one or more subscribers whose paths overlap. This means that the publisher sends a single update along the common path and the update is duplicated when the paths diverge. Each multicast group is provided with a unique, freshly generated multicast key $K_g$. When a subscription is accepted, if the path allocated is a unique one, i.e., it does not overlap with any other path, then a new key $K_g$ is generated; otherwise the existing key is provided to the subscriber. Lastly, each subscriber is also provided with $S_c = S_0 + S_1 + \dots + S_n$, where the $+$ operator can be addition modulo $2^l$ ($l$ is the length of each secret) or it can be exclusive-or.
4.2 Authentication Scheme
Whenever a publisher wants to push an update, it first calculates the hash of the message, using a cryptographic hash function. This cryptographic hash function can be a hash algorithm from the Secure Hash Standard [10] or similar. Let $H$ be such a function which outputs a hash of length $l$ bits and $m$ be the status update from the publisher. Then, as shown in Figure 3, the publisher sends to the edge status router $S_0$ the message $M_0 : \{E_{K_{P0}}(S_0 + H(m)), E_{K_g}(m)\}$, where $E$ is an encryption scheme. AES [1] or a similar encryption scheme can be used in this case. Since the edge status router $S_0$ knows the key $K_{P0}$, it can decrypt $M_0$ to get $X_0 : (S_0 + H(m))$. It adds its own secret to $X_0$ to get $X_1 : (S_0 + S_1 + H(m))$ and encrypts this using the key $K_{01}$ which it shares with the next F.E. on the path. It finally sends the message $M_1 : \{E_{K_{01}}(S_0 + S_1 + H(m)), E_{K_g}(m)\}$. Note that the F.E. cannot get the hash of the message $H(m)$ since it does not know the secret $S_0$, neither can it get the message $m$ from $E_{K_g}(m)$ since it does not know the multicast key $K_g$. When the next F.E. receives the message, it adds its own secret $S_1$ to it, and this continues until the message reaches the final F.E. The final F.E. adds its own secret $S_n$ and encrypts the message using the key it shares with the subscriber. The subscriber decrypts this message to get $X_n : (S_0 + S_1 + \dots + S_n + H(m))$ and $E_{K_g}(m)$. Since the subscriber knows the multicast key $K_g$, it decrypts the ciphertext to get the original message $m$. It then calculates the hash of the message, $H(m)$, adds it to $S_c$ and checks whether $X_n = H(m) + S_c$. If it is, then the message was sent by the publisher and it has not been altered in any way, so it accepts the update. If it is not, then it knows that the update was tampered with. The above scheme works in the multicast scenario since each publisher and F.E. is provided with a different shared key for each of its outgoing links.
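The message flow of this section on a single path, as an added Python example that is not code from the paper or from Gridstat. It assumes the reading of $M_0$ in which the publisher holds $S_0$ and the F.E.s hold $S_1$ to $S_n$, takes $+$ as exclusive-or and $H$ as SHA-256, and uses a small Feistel construction as a standard-library stand-in for AES; all function names are hypothetical.

```python
import hashlib, hmac, secrets
from functools import reduce

def H(m):
    return hashlib.sha256(m).digest()            # H with l = 256 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))    # the "+" operator, as exclusive-or

def _f(key, rnd, data, n):
    # Feistel round function: n bytes of SHAKE-256 over key, round index and data
    return hashlib.shake_256(key + bytes([rnd]) + data).digest(n)

def E(key, pt):
    # Assumption: 4-round Feistel permutation standing in for AES (illustration only)
    a, b = pt[:len(pt) // 2], pt[len(pt) // 2:]
    for r in range(4):
        a, b = b, xor(a, _f(key, r, b, len(a)))
    return a + b

def D(key, ct):
    a, b = ct[:len(ct) // 2], ct[len(ct) // 2:]
    for r in reversed(range(4)):
        a, b = xor(b, _f(key, r, a, len(b))), a
    return a + b

def publish(m, s0, k_out, kg):
    # M_0 = {E_KP0(S_0 + H(m)), E_Kg(m)}
    return E(k_out, xor(s0, H(m))), E(kg, m)

def forward(pkt, k_in, s_i, k_out):
    # F.E.: decrypt the l-bit tag, add own secret, re-encrypt; E_Kg(m) passes through
    tag_ct, body_ct = pkt
    return E(k_out, xor(D(k_in, tag_ct), s_i)), body_ct

def verify(pkt, k_in, kg, sc):
    # Subscriber: accept m only if X_n == H(m) + S_c
    tag_ct, body_ct = pkt
    m = D(kg, body_ct)
    return m if hmac.compare_digest(D(k_in, tag_ct), xor(sc, H(m))) else None

def flip(ct):
    return bytes([ct[0] ^ 1]) + ct[1:]           # constructed fault: one flipped bit

def run_path(m, s, links, kg, tamper=None):
    # s[0]: publisher secret, s[1..n]: F.E. secrets; links[i]: key on the link leaving
    # party i. tamper=(hop, "tag" | "body") damages the packet entering F.E. hop.
    pkt = publish(m, s[0], links[0], kg)
    for i in range(1, len(s)):
        if tamper and tamper[0] == i:
            pkt = (flip(pkt[0]), pkt[1]) if tamper[1] == "tag" else (pkt[0], flip(pkt[1]))
        pkt = forward(pkt, links[i - 1], s[i], links[i])
    return verify(pkt, links[-1], kg, reduce(xor, s))

def demo(m=b"pmu=17 seq=42 V=1.02pu angle=-12.4deg"):
    # Constructed sample: publisher + three F.E.s, random keys, made-up PMU update
    s, links = ([secrets.token_bytes(32) for _ in range(4)] for _ in range(2))
    kg = secrets.token_bytes(32)
    return [run_path(m, s, links, kg, t) for t in (None, (2, "tag"), (3, "body"))]
```

`demo()` returns the accepted update followed by `None` for the packet whose tag ciphertext was damaged and `None` for the one whose body ciphertext was damaged.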
4.3 Evaluation
A successful attack is one in which the subscriber accepts as legitimate either a message that did not originate from the publisher $P$ or a message that originated from $P$ and was altered along the path. For an attacker to alter a sent message, he has to change two things: first is the hash of the message and the other is the message itself. So he has to have knowledge of the multicast key $K_g$ and some/all of the individual secrets $S_0, \dots, S_n$. Even in the case of new message injection, the attacker has to know the same two things. Since no F.E. knows the multicast key $K_g$, it is not possible to inject/alter legitimate updates even if one of the F.E.s is compromised. Also, even if one of the subscribers is malicious, it is not possible for it to inject/alter legitimate updates since it does not know the individual secrets $S_0, \dots, S_n$. Note that although each subscriber is provided with $S_c = S_0 + S_1 + \dots + S_n$, it is not possible for it to decode individual keys from $S_c$. This extends to any collusion of multicast group members who can eavesdrop on communication links or insert/alter messages on links. However, as should be clear by now, the scheme is not safe against a collusion of a multicast group member and one of the F.E.s.
From the bandwidth point of view, this scheme is very efficient since the per-message overhead is only one hash value, which is $l$ bits. The scheme is also computationally very efficient for the subscribers since they have to just compute one hash, perform one decryption and do one comparison. Lastly, the scheme does not introduce any additional latency at the F.E. since at each F.E. only one decryption, one sum and one encryption is performed. Also, these encryptions operate over small strings ($l$ bits).
Figure 3: Authentication Scheme
4.4 Integration with Gridstat
The LLMDA scheme makes heavy use of the existing services Gridstat has to provide. The encryption and cryptographic hash modules can be dynamically loaded using the reconfigurable security approach proposed in [Solum et al. 5]. Also, if the encryption/cryptographic hash modules are compromised, then they can be replaced over the air by the leaf QoS broker using the re-moduling protocol as suggested in [Rasika et al. 3]. The F.E.s are provided with one-time key pads, one for each outgoing link they have, and this key pad can be shared with the complementary F.E. at the other end of the link to implement the pairwise shared key structure that is required for the above scheme. In case a key is believed to be compromised, or the key has been used for a large enough time period, both F.E.s can switch to a new key using the re-keying protocol, as shown in [Rasika et al. 3]. This approach can also be used for the secret $S_i$ that needs to be kept at each F.E. and for the multicast key $K_g$ that is allocated to each multicast group.
5 Conclusion
In this paper, a new multicast data origin authentication scheme is proposed to allow the verification of the source of status updates that are received by a subscriber in Gridstat. Although this scheme is specifically designed for Gridstat, it can be ported to other publish-subscribe data dissemination models where multicast data authentication needs to be done. The scheme provides data origin authentication in a low-latency, bandwidth-efficient and computationally efficient manner. The only drawback is that non-repudiation is not provided, which is an interesting aspect to explore for my future work.
6 Acknowledgement
This work is based upon work funded by the TCIPG organization. I would like to thank Dr. Carl Hauser for his inputs and other anonymous reviewers for their invaluable suggestions to improve this paper.
References
[1] Advanced Encryption Standard (AES). Federal Information Processing Standards Publication, November 26, 2001.
[2] Chakravarthy R.; Hauser C.; Bakken D. E. Long-lived Authentication Protocols for Process Control Systems. In: International Journal of Critical Infrastructure Protection. Vol. 3. 3-4. Dec. 2010, pp. 174-181.
[3] Rasika Mudumbai Chakravarthy. Long-lived Authentication Protocols for Critical Infrastructure Process Control Systems. PhD thesis. School of Electrical Engineering and Computer Science, Washington State University, May 2009.
[4] Harald Gjermundrød, David E. Bakken, Carl H. Hauser, and Anjan Bose. Towards More Flexible and Robust Data Delivery for Monitoring and Control of the Electric Power Grid. Tech. rep. School of Electrical Engineering and Computer Science, Washington State University, May 2007.
[5] Carl Hauser, Erik Solum, and David E. Bakken. Modular Over-The-Wire Security in Managed Publish-Subscribe Systems. Tech. rep. School of Electrical Engineering and Computer Science, Washington State University, December 2007.
[6] R. Hasan, R. Bobba, and H. Khurana. Analyzing NASPInet data flows. In: PSCE'06 (2006).
[7] J. Kohl and C. Neuman. The Kerberos Network Authentication Services (v5). In: RFC 1510 (www.ietf.org/rfc/rfc1510.txt) (1993).
[8] C. Neuman and T. Ts'o. Kerberos: An authentication service for computer networks. In: IEEE Communications. Vol. 32(9). 1994, pp. 33-38.
[9] R. L. Rivest, A. Shamir, and L. M. Adleman. Method for obtaining digital signatures and public-key cryptosystems. In: Commun. ACM. Vol. 21. 2. 1978, pp. 120-126.
[10] Secure Hash Standard (SHS). Federal Information Processing Standards Publication, October 2008.
[11] U.S.-Canada Power System Outage Task Force. Final report on the August 14, 2003 blackout in the United States and Canada: Causes and recommendations. Tech. rep. April 2004.