Cryptography and the Smart Grid PPT
-
Upload
josephnuamah -
Category
Documents
-
view
95 -
download
0
Transcript of Cryptography and the Smart Grid PPT
An Introduction to Cryptography as Applied to the Smart GridJacques Benoit, Cooper Power Systems
Western Power Delivery Automation ConferenceSpokane, WashingtonMarch 2011
Agenda
> Introduction> Symmetric Cryptography> Message Integrity and Authentication> The IEC 62351 Standards> DNP3 Secure Authentication> Asymmetric Cryptography> Digital Signatures> Certificates and Certificate Authorities> Transport Layer Security> Conclusion
2
Introduction
> Cryptography is the practice and study of hiding information.> Origins date more than 2000 years ago.> Takes it root in the Greek word kryptos, meaning hidden.> The National Institute of Science and Technology (NIST) plays
a major role in defining cryptographic standards.> NIST published first encryption algorithm for general use in
1974.> Cryptography provides a set of tool to meet information security
requirements: Confidentiality Authentication Integrity Non-repudiation
3
Symmetric Cryptography
4
ALICE BOB
Symmetric Cryptography Standards
> 1977 – Data Encryption Standard (DES) adopted as FIPS 46 federal standard for unclassified data. 56-bit key
> 1999 – FIPS 46-3 standard recommends the use of Triple DES (TDES or 3DES) for increased security. With 2 keys, effective strength of 80 bits With 3 keys, effective strength of 112 bits and approved for
use until 2029> 2001 – FIPS 197 Advanced Encryption Standard (AES)
128, 192, or 256 bit keys 128 bit key is approved for use beyond 2030
5
Message Integrity
6
Message Authentication Code(MAC)
Message Authentication Codes
> Checksums and Cyclic Redundancy Check (CRC) designed to detect common communications errors.
> Fast. But not designed to provide security. Easy to generate two messages with same value.
> Cryptographic hashes are slower, but it is extremely difficult to generate two messages with same hash.
> MD5 (Message-Digest algorithm 5) is widely used and generates a 128 bit digest. It is no longer considered secure.
> SHA-1 replaced MD5 and produces a 160 bit digest. Weaknesses have been identified.
> SHA-2 defines four functions to replace SHA-1: SHA-224, SHA-256, SHA-384 and SHA-512.
> SHA-224 is approved for use until 2029.> SHA-3 is under development.
7
Message Integrity and Authentication
8
Hashed-based Message Authentication Code
(HMAC)
Hash-based Message Authentication Code (HMAC)
> Hash-based Message Authentication Code (HMAC) algorithm uses the key as part of the hashing process.
> HMAC algorithm is designed to be used with any hash function.
> SHA-1 with key greater than 112 bits, but shorter that 128 bits is acceptable until 2030.
> After 2030, key should have more than 128 bits.
9
IEC 62351 Information Security for Power System Control Operations
> IEC 62351 was developed for handling the security of TC-57 protocols including IEC 61850, IEC 60870-5 and it derivatives, such as DNP3 IEC 62351-3 specifies how to secure TCP/IP-
based protocols through the use of Transport Layer Security (TLS).
IEC 62351-5 specifies how to add user and device authentication, and data integrity.
> The DNP3 Secure Authentication extension was designed to meet the requirements of IEC 62351-5
10
DNP3 Secure AuthenticationInitial Handshake
11
DNP3 Secure AuthenticationChallenge-Response
12
Solving the Key Management Challenge:Asymmetric Cryptography
> In symmetric cryptography both parties share a secret key used to encrypt and decrypt messages.
> In asymmetric cryptography, keys come in pairs.> A message encrypted with one key can only be decrypted
using the other key.> One key is known as the public key and can be widely shared. > The other key, known as the private key, is kept in a secure
location. > The sender of a message can use the intended receiver’s
public key to encrypt the message. > Only the intended receiver with the appropriate private key will
then be able to decrypt the message.
13
Asymmetric Cryptography
14
ALICE BOB
Digital Signatures
15
ALICE BOB
Public Key Certificates
16
Approved Asymmetric Algorithms
> Approved algorithms are: Rivest, Shamir and Adleman (RSA) with 2048
bits until 2029, RSA with 3072 bits, for CAs after 2030. Elliptic Curve Cryptography (ECC) with curves P-
224, K-233, or B-233 until 2029 until 2029. ECC with curves P-256, P-384, P-521, K-283, K-
409, K-571, B-283, B-409 and B-571 after 2030.
17
Certificates and the Smart Grid
Certificates are widely used in a variety of protocols and technologies:> ZigBee Smart Energy devices> 802.1x port-based access control for WLANs> Internet Protocol Security (IPsec) protocol suite> Transport Layer Security (TLS) protocol> S/MIME (Secure/Multipurpose Internet Mail
Extensions) and PKCS#7 for secure email and signed software updates
18
Transport Layer Security (TLS)
19
Conclusion
> Cryptography is a hidden component in many of the technologies of the Smart Grid
> It provides confidentiality, authentication and integrity for data exchanges
> NIST has been mandated to recommend standards and a security model for the Smart Grid.
> NIST has submitted five “foundational” family of standards to FERC
> FERC will introduce regulation when there is sufficient consensus
> IEC 62351 is one of the recommended standards
20
Contact Information
Jacques BenoitSenior Analyst Information Security
Cooper Power [email protected]
21