An Introduction to Cryptography as Applied to the Smart Grid

Jacques Benoit, Cooper Power Systems
Western Power Delivery Automation Conference
Spokane, Washington
March 2011
Agenda
> Introduction
> Symmetric Cryptography
> Message Integrity and Authentication
> The IEC 62351 Standards
> DNP3 Secure Authentication
> Asymmetric Cryptography
> Digital Signatures
> Certificates and Certificate Authorities
> Transport Layer Security
> Conclusion
Introduction
> Cryptography is the practice and study of hiding information.
> Origins date back more than 2000 years.
> Takes its root in the Greek word kryptos, meaning hidden.
> The National Institute of Science and Technology (NIST) plays a major role in defining cryptographic standards.
> NIST published first encryption algorithm for general use in 1974.
> Cryptography provides a set of tools to meet information security requirements:
  - Confidentiality
  - Authentication
  - Integrity
  - Non-repudiation
Symmetric Cryptography
[Figure: diagram showing ALICE and BOB]
Symmetric Cryptography Standards
> 1977 – Data Encryption Standard (DES) adopted as FIPS 46 federal standard for unclassified data.
  - 56-bit key
> 1999 – FIPS 46-3 standard recommends the use of Triple DES (TDES or 3DES) for increased security.
  - With 2 keys, effective strength of 80 bits
  - With 3 keys, effective strength of 112 bits and approved for use until 2029
> 2001 – FIPS 197 Advanced Encryption Standard (AES)
  - 128, 192, or 256 bit keys
  - 128 bit key is approved for use beyond 2030
Message Integrity
Message Authentication Code (MAC)
Message Authentication Codes
> Checksums and Cyclic Redundancy Checks (CRC) are designed to detect common communications errors.
> They are fast, but not designed to provide security. It is easy to generate two messages with the same value.
> Cryptographic hashes are slower, but it is extremely difficult to generate two messages with the same hash.
> MD5 (Message-Digest algorithm 5) is widely used and generates a 128 bit digest. It is no longer considered secure.
> SHA-1 replaced MD5 and produces a 160 bit digest. Weaknesses have been identified.
> SHA-2 defines four functions to replace SHA-1: SHA-224, SHA-256, SHA-384 and SHA-512.
> SHA-224 is approved for use until 2029.
> SHA-3 is under development.
Message Integrity and Authentication
Hash-based Message Authentication Code (HMAC)
Hash-based Message Authentication Code (HMAC)
> The Hash-based Message Authentication Code (HMAC) algorithm uses the key as part of the hashing process.
> The HMAC algorithm is designed to be used with any hash function.
> SHA-1 with a key greater than 112 bits, but shorter than 128 bits, is acceptable until 2030.
> After 2030, the key should have more than 128 bits.
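
The contrast drawn on the two preceding slides (a CRC involves no secret, while an HMAC tag can only be produced with the shared key) is shown below as an added example that is not part of the original presentation. The key, the command strings and the function names are constructed for illustration, and the random challenge is a generic nonce construction, not the DNP3 Secure Authentication message format.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample data: key and command strings are illustrative only.
KEY = secrets.token_bytes(32)      # shared secret known to both ends
GENUINE = b"OPEN breaker 12"
ALTERED = b"OPEN breaker 99"


def crc_accepts(msg: bytes, crc: int) -> bool:
    """Receiver-side CRC-32 check: detects line noise, involves no secret."""
    return zlib.crc32(msg) == crc


def hmac_tag(key: bytes, challenge: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256 over the fixed-length challenge followed by the message."""
    return hmac.new(key, challenge + msg, hashlib.sha256).digest()


def hmac_accepts(key: bytes, challenge: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest compares in constant time to avoid a timing side channel.
    return hmac.compare_digest(hmac_tag(key, challenge, msg), tag)


def demo() -> dict:
    results = {}
    # CRC: whoever alters the message can recompute a matching check value.
    results["crc_altered"] = crc_accepts(ALTERED, zlib.crc32(ALTERED))
    # HMAC: the verifier issues a fresh random challenge for each exchange.
    challenge = secrets.token_bytes(16)
    tag = hmac_tag(KEY, challenge, GENUINE)
    results["hmac_genuine"] = hmac_accepts(KEY, challenge, GENUINE, tag)
    # Altered message with the original tag is rejected.
    results["hmac_altered"] = hmac_accepts(KEY, challenge, ALTERED, tag)
    # A tag recomputed without the shared key (random key here) is rejected.
    wrong = hmac_tag(secrets.token_bytes(32), challenge, ALTERED)
    results["hmac_wrong_key"] = hmac_accepts(KEY, challenge, ALTERED, wrong)
    # A valid message and tag replayed against a new challenge is rejected.
    results["hmac_replay"] = hmac_accepts(KEY, secrets.token_bytes(16), GENUINE, tag)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
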
IEC 62351 Information Security for Power System Control Operations
> IEC 62351 was developed for handling the security of TC-57 protocols including IEC 61850, IEC 60870-5 and its derivatives, such as DNP3.
  - IEC 62351-3 specifies how to secure TCP/IP-based protocols through the use of Transport Layer Security (TLS).
  - IEC 62351-5 specifies how to add user and device authentication, and data integrity.
> The DNP3 Secure Authentication extension was designed to meet the requirements of IEC 62351-5.
DNP3 Secure Authentication: Initial Handshake
DNP3 Secure Authentication: Challenge-Response
Solving the Key Management Challenge: Asymmetric Cryptography
> In symmetric cryptography both parties share a secret key used to encrypt and decrypt messages.
> In asymmetric cryptography, keys come in pairs.
> A message encrypted with one key can only be decrypted using the other key.
> One key is known as the public key and can be widely shared.
> The other key, known as the private key, is kept in a secure location.
> The sender of a message can use the intended receiver’s public key to encrypt the message.
> Only the intended receiver with the appropriate private key will then be able to decrypt the message.
Asymmetric Cryptography
[Figure: diagram showing ALICE and BOB]
Digital Signatures
[Figure: diagram showing ALICE and BOB]
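
The key-pair behaviour described on the asymmetric cryptography slides, and its use for digital signatures, is worked through below with textbook RSA as an added example that is not part of the original presentation. The primes, the sample messages and the function names are constructed; the key is deliberately tiny and unpadded so the arithmetic stays visible, and it is not suitable for real use.

```python
import hashlib

# Constructed toy key: two Mersenne primes give a modulus of about 150 bits.
# This is far below the RSA 2048 size listed on the approved-algorithms slide,
# and real RSA also needs padding (OAEP for encryption, PSS for signatures).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # modulus, part of both keys
E = 65537                              # public exponent  -> public key (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent -> private key (D, N)


def encrypt(m: int) -> int:
    """Sender side: uses only the receiver's public key."""
    if not 0 <= m < N:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Receiver side: needs the private exponent."""
    return pow(c, D, N)


def digest_int(msg: bytes) -> int:
    """SHA-256 digest reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Signer applies the private key to the message digest."""
    return pow(digest_int(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Anyone holding the public key can check the signature."""
    return pow(sig, E, N) == digest_int(msg)


if __name__ == "__main__":
    secret = int.from_bytes(b"session-key-0001", "big")   # constructed sample
    c = encrypt(secret)
    print("decrypts correctly:", decrypt(c) == secret)
    sig = sign(b"firmware v1.2")                           # constructed sample
    print("signature valid:", verify(b"firmware v1.2", sig))
    print("altered message valid:", verify(b"firmware v1.3", sig))
```
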
Public Key Certificates
Approved Asymmetric Algorithms
> Approved algorithms are:
  - Rivest, Shamir and Adleman (RSA) with 2048 bits until 2029,
  - RSA with 3072 bits, for CAs after 2030.
  - Elliptic Curve Cryptography (ECC) with curves P-224, K-233, or B-233 until 2029.
  - ECC with curves P-256, P-384, P-521, K-283, K-409, K-571, B-283, B-409 and B-571 after 2030.
Certificates and the Smart Grid
Certificates are widely used in a variety of protocols and technologies:
> ZigBee Smart Energy devices
> 802.1x port-based access control for WLANs
> Internet Protocol Security (IPsec) protocol suite
> Transport Layer Security (TLS) protocol
> S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKCS#7 for secure email and signed software updates
Transport Layer Security (TLS)
Conclusion
> Cryptography is a hidden component in many of the technologies of the Smart Grid.
> It provides confidentiality, authentication and integrity for data exchanges.
> NIST has been mandated to recommend standards and a security model for the Smart Grid.
> NIST has submitted five “foundational” families of standards to FERC.
> FERC will introduce regulation when there is sufficient consensus.
> IEC 62351 is one of the recommended standards.
Contact Information
Jacques Benoit
Senior Analyst Information Security
Cooper Power Systems
Jacques.Benoit@CooperIndustries.com