关于PLC英文文献.doc

《关于PLC英文文献.doc》由会员分享，可在线阅读，更多相关《关于PLC英文文献.doc（13页珍藏版）》请在咨信网上搜索。

1、Security in OPERA Specification based PLC SystemsGuiomar Corral, Josep M. Selga, Agustn Zaballos, David Gonzlez-TarragEnginyeria i Arquitectura La Salle-Universitat RamonLlull (URL)Barcelona-Spainjmselga, guiomar, zaballos, dgonzalezsalle.url.eduLuis M. TorresDesign of Systems on Silicon (DS2) SAVal

2、encia, SpainBerthold HaberlerLinz Strom GmbhLinz, Austria Abstract Power Line Communication (PLC) is a broadband telecommunication technology that enables the use of the existing electricity networks for high speed data transmission purposes. European project OPERA (Open PLC European Research Allian

3、ce) is a project whose strategic objective is to push PLC technology in all the different and relevant aspects. Within this framework, security is an important aspect thatshould be taken into account and integrated into thespecifications from the very beginning. The project was scheduled in two phas

4、es with a duration of two years each. Phase1 produced a first PLC specification, including security.Phase2 produced an improved specification which wassubmitted to the IEEE as the OPERA PLC proposal within thecontest organized by WG P1901. The paper presents the studies related to security in the PL

5、C access technology made within this process that led to the second security specification of OPERA. Finally, an analysis of this specification isperformed. Keywords- access technologies; PLC; communications network security; OPERA project.I. INTRODUCTION Power Line Communication (PLC) is a broadban

6、d telecommunication technology able to use the existing electricity networks for data transmission purposes, allowing any user connected to the power grid to benefit from Information Technology based services easily. The strategic objective of project OPERA (Open PLC European Research Alliance) 1 is

7、 to push PLC technology in all the different and relevant aspects (standardization, technology improvement, installation tools and processes, telecom services, dissemination,.) so as to allow the technology to become a competitive alternative to offer broadband accessservice to all European citizens

8、 using the most ubiquitous infrastructure, the electrical grid, which covers not only the last mile but also in-building and in-home spaces. Security has been sometimes neglected when defining standards. In fact, the initial specifications of many existing standards in related areas such as wireless

9、 2 have been shown to have many vulnerabilities that have had to be fixedin further specifications, not without trouble for the market. Unfortunately OPERA is not different. The specification produced in OPERA Phase1 13 presented also several vulnerabilities that have been fixed in OPERA Phase2speci

10、fication 4. The writing of this second specification by OPERA was inscribed in some way in the process created by the IEEE WG P1901 with the intention of producing an IEEE standard for PLC access and in-home networks. In fact, deliverable D27 4 is the proposal submitted by OPERA to the IEEE within t

11、he mentioned process.The presentation of the OPERA Phase2 specification and the related security analysis are the objectives of this paper. The contents of the present paper is organized as follows. Section II introduces the security requirements to be complied by the specification; Section III succ

12、inctly describes the OPERA Phase1 specification; Section IV analyzes the level of compliance of this specification; Section V outlines the basic ideas for creating a new specification; Section VI contains a security analysis of the new specification and, finally, there is a conclusions section.II. S

13、ECURITY REQUIREMENTS The basic objectives of any security specification are to achieve confidentiality, integrity, mutual authentication and availability. These objectives can be threatened by a series of attacks. Confidentiality is interpreted as the privacy of transactions between two nodes from a

14、ll other nodes. It is made possible by the techniques of cryptography. The most relevant known attacks against confidentiality are 5: brute force attack, dictionary attack, eavesdropping attack and precomputationattack. Data integrity refers to ensuring that data has not been altered during the tran

15、smission process. Malicious manipulation and forging of messages are different attacks against data integrity. It can be prevented by the use of Message Integrity Checks (MIC). The function of admission control is to guarantee that network resources are only accessed by authorized devices which are

16、who claim to be. Thus, it contains two aspects, one is authentication of the stations and the other is authorization to access the resources. Normally both functions are combined in a single access protocol. Different attacks against admission control are the following: identityusurpation, replay at

17、tacks, man-in-the-middle attacks, hijack of MAC addresses, session hijacking, masquerading, malicious device and message interception.Availability refers to the prevention from accessing and using the network by some unauthorized party. Attacks to availability are called Denial of Service (DoS) atta

18、cks. The security requirement demands that the specificationmust be robust against these attacks as well as to any other possible attack.III. SUCCINCT DESCRIPTION OF OPERA PHASE 1 SECURITY SPECIFICATIONOPERA1 Specification 23 is aimed for PLC access networks and defines three types of devices, Head-

19、End (HE), Repeaters (TDR, Time Division Repeaters) and Customer Premises Equipment (CPE). They typically form a multi-hop system like the one depicted in Figure 1.Confidentiality in OPERA1 is achieved by the use of DES6 and 3DES7 encryption systems. The admission control process involves three messa

20、ges: an Access Frame that invites nodes to join the network, a contention Access Reply Frame that is an answer to the Access Frame and arequest to join the network and, finally, an Access Protocol Packet that basically informs about the success or failure of the admission control process. It is, thu

21、s, a 3-wayhandshake.The MAC layer is based on token passing controlled by the HE. The HE organizes and controls the downlink data frame for all data transmission from the HE to the CPEs. It also assigns the access duration for each CPE, which allowsthe uplink transmissions from the CPEs to the HE 28

22、.The data frame structure used in the uplink and downlink transmissions is illustrated in Figure 2 8. Each frame begins with a “token announce” (TA). The TA is broadcasted in the clear over the network to inform the other stations about the upcoming transmission. The TA is followed by a number of bu

23、rsts, each one addressing a specific CPE. Each burst consists of a burst header followed by several OPERA packets (basically similar to Ethernet packets). An interpacket header is inserted to separate two continuous packets or fragments of packets in a burst. The last symbol of the data frame carrie

24、s a “Data Token” (DT).IV. OPERA PHASE 1 SPECIFICATION SECURITY ANALYSISThe most relevant vulnerabilities of OPERA Phase1 specification that have been detected are the following:Vulnerability 1: It uses DES 6 with a 56/64 bit key which has been reported to be breakable. It has even been phased out by

25、 FIPS (Federal Information Processing Standards). Brute force attacks as well as other attacks are feasible.Vulnerability 2: Admission control is only based on MAC addresses. Since these addresses are necessarily sent in the clear over the PLC channel, they can be supplanted. Hijacking and identity

26、usurpation are easy to deploy. Vulnerability 3: There is no mutual authentication. There is no provision to authenticate masters. A malicious masterand man-in-the-middle attacks are possible.Vulnerability 4: The OPERA1 proposal does not contain any security Message Integrity Check (MIC) that could p

27、reserve data against tampering.Vulnerability 5: Channel Estimation MPDUs are never encrypted and include no MIC. Thus they can be manipulated to cause a DoS attack.Vulnerability 6: Another possible data integrity attack is just to change the position of different blocks in the payload. This would be

28、 unnoticed due to the independent ciphering of each block. It is a permutation attack.Vulnerability 7: It uses Diffie-Hellman algorithm without any protection against Man-in-the Middle attack. Although this may seem a big number of vulnerabilities of the OPERA Phase1 specification, the situation is

29、common with other technologies, the most relevant of them being the early IEEE802.11 security specification 1.V. OUTLINE FOR A NEW OPERA SECURITY SPECIFICATIONUpon the view of the previous vulnerabilities it was clear that a new specification was needed and that it should provide stronger encryption

30、, stronger integrity and a new admission control method really securing authentication and authorization.A- Stronger encryption.It can be obtained by the use of AES 9 or 3DES 7 ciphering algorithms. Neither of both has been reported to be cracked until today. For the new security specification the o

31、ption chosen has been AES. The reason is that upon a careful comparison with 3DES it was clear that under many scenarios AES is less costly than 3DES. Another fact is that AES is recommended by IEEE and that it is believed to be more robust than 3DES.AES is a block cipher. To achieve confidentiality

32、 in messages of arbitrary length there are five options 10 called modes of operation. From these possible modes of operation the one chosen was the CTR mode because it can be performed in parallel (CFM and OFM modes do not allow this). Also it avoids some problems from the simpler ECB mode, it is we

33、ll known and trusted (it has been used for more than 20 years) and does not raise Intellectual Property Rights (IPR) concerns as OCB does. B- Stronger integrity.From the variety of mechanisms generating a Message Integrity Check (MIC) the ones that support integrated confidentiality and integrity ar

34、e specially interesting because they use one algorithm for both functions, thing that mayavoid hardware and software costs. So the decision was to use AES for both functions: confidentiality and MIC generation. The chosen method to perform integrated encryption and authentication was CCM (Counter wi

35、th CBCMAC) as defined in RFC 3610 11. CCM combines CTR mode of encryption with the CBC-MAC mode of authentication. CCM has been used and studied for a longtime and has well-understood cryptographic properties. CCM uses the same encryption key for both processes but, in conjunction with other paramet

36、ers, it leads to two separated keys.The chosen values of the M and L parameters of CCM are: M = 8; indicating that the MIC is 8 octets long. L = 2; indicating that the length field is 2 octets.The length of the MIC was chosen to be 64 bits since this is the minimum length recommended by 11. Figure 3

37、: Construction of an Encrypted Burst The previous selections are coincident with those made in standard IEEE802.11i 12 for Wireless LANs. The main difference is that encryption and integrity are not applied over the same message. Encryption is performed over data bursts, which may contain several OP

38、ERA packets, while a MIC is generated for each OPERA packet (see Figure 3). The Burst header is authenticated but not encrypted. The OPERA packet header is authenticated and encrypted. This is done to improve efficiency in the very noisy environments typical to PLC channels. In case of error it is n

39、ot necessary to retransmit the whole burst but only one packet. Another difference with 12 is that the OPERA specification does not support non robust options such as WEP or TKIP. This is possible because OPERA does not have to take into account IEEE802.11 legacy systems.C-Admission controlWith resp

40、ect to admission control, the open possibilities were to define a specific protocol for OPERA or to use an existing standard. If such a standard existed it seems wiser the option to use it. Fortunately this standard exists and isIEEE 802.1X 13, an IEEE standard for port-based Network Access Control

41、in LAN, based on the EAP (Extensible Authentication Protocol) 14, that has beenadapted to be used in other environments such as wireless and which today is part of IEEE802.11i. Due to the adequacy and long time experience of this standard the decision was to make use of it in OPERA.IEEE 802.1X defin

42、es three entities, Supplicant, Authenticator and Authentication Sever (AS) and allows foran authentication dialog after the two opening messages (EAP-Request and EAP-Response) and before the closingmessage (EAP-Success or Failure). The three messages of the three-way handshake of OPERA Phase1 commen

43、ted in Section III have similar functionality to the three EAP messages just mentioned. The approach taken in the new OPERA specification has been to keep the three messagesas defined in OPERA Phase1 for backwards compatibility. The Authenticator is in charge of converting between both formats. The

44、process has been represented in Figure 4. The Authenticator translates messages B and D into the corresponding Radius over EAP messages anddecapsulates/encapsulates messages C, those belonging to the authentication protocol of choice.A much major difference is that the Authenticator in IEEE802.11i i

45、s the Access Point while in OPERA can be the HE but also a Repeater.This creates the difference that in OPERA the communication between the Authenticator, when it is a Repeater, and the Authentication Server (Which can be located at the HE or beyond it) is also transmitted over the PLC channel. This

46、 fact implies the need to send the messages encrypted, protected with a MIC, with the same rules as in the dialog between Supplicant and Authenticator, and encapsulated into OPERA packets. Another difference is that the Supplicant can be a CPE or Repeater. So, a Repeater can be first a Supplicant an

47、d later Authenticator. A smaller difference is that the Access Protocol Packet may convey not only success or failure information but also indication of a failed dialog. The authentication dialog allowed by IEEE802.1X/EAP allows for the use of both shared secrets and certificates. This solves the pr

48、oblem of OPERA1 Phase1 of authenticating only on a MAC address basis.The new specification of OPERA is quite similar to the IEEE 802.11i and it complies with the RSNA (Robust Secure Network Association) defined in it. Nevertheless, the multihop nature of PLC, as shown in Figure 1, is a majordifferen

49、ce with respect to wireless. In fact IEEE802.11i does not take into account the possible existence of repeaters. What the OPERA specification does, is to apply recursively the dialog between Supplicant and Authenticator.A node is first Supplicant and, once admitted into the network, may become Authenticator for another Supplicant. This creates a chain of trust among d