JOURNAL OF LA Scalable Certiﬁcate Revocation Schemes for ...mmahmoud/publications_files/Journals… · JOURNAL OF LATEX CLASS FILES, VOL. –, NO. –, 1 Scalable Certiﬁcate Revocation

JOURNAL OF LATEX CLASS FILES, VOL. –, NO. –, 1

Scalable Certificate Revocation Schemes forSmart Grid AMI Networks Using Bloom Filters

Khaled Rabieh, Mohamed Mahmoud, Kemal Akkaya, and Samet Tonyali

Abstract—Given the scalability of the Advanced Metering Infrastructure (AMI) networks, maintenance and access of certificaterevocation lists (CRLs) pose new challenges. It is inefficient to create one large CRL for all the smart meters (SMs) or create acustomized CRL for each SM since too many CRLs will be required. In order to tackle the scalability of the AMI network, we divide thenetwork into clusters of SMs, but there is a tradeoff between the overhead at the certificate authority (CA) and the overhead at theclusters. We use Bloom filters to reduce the size of the CRLs in order to alleviate this tradeoff by increasing the clusters’ size withacceptable overhead. However, since Bloom filters suffer from false positives, there is a need to handle this problem so that SMs willnot discard important messages due to falsely identifying the certificate of a sender as invalid. To this end, we propose two certificaterevocation schemes that can identify and nullify the false positives. While the first scheme requires contacting the gateway to resolvethem, the second scheme requires the CA additionally distribute the list of certificates that trigger false positives. Using mathematicalmodels, we have demonstrated that the probability of contacting the gateway in the first scheme and the overhead of the secondscheme can be very low by properly designing the Bloom filters. In order to assess the scalability and validate the mathematicalformulas, we have implemented the proposed schemes using Visual C. The results indicate that our schemes are much more scalablethan the conventional CRL and the mathematical and simulation results are almost identical. Moreover, we simulated the distribution ofthe CRLs in a wireless mesh-based AMI network using ns-3 network simulator and assessed its distribution overhead.

Index Terms—Keywords: Certificate revocation; public key cryptography ; smart grid security ; Public key infrastructure; AMI.

F

1 INTRODUCTION

THE Smart Grid (SG) is a revolutionary upgrade to theexisting power grid. It will have complex networks

of intelligent electronic devices, distributed generators, anddispersed loads that require communication networks formanagement and coordination. It aims to enhance the cur-rent grid’s reliability and efficiency [1], [2], [3]. Among themany new applications SG provide, one major application isthe Advanced Metering Infrastructure (AMI) which collectsmart meter data using a two-way communication network.SMs can be connected via a wireless mesh network withone gateway serving as a relay between the meters and theutility company. The AMI network is used to monitor thepower demands over short periods, provide more accuratebilling as well as utilize dynamic pricing to facilitate thereduction of peak demand [4].

The primary security requirements for the AMI com-munications are identity and message authentication, mes-sage integrity, non-repudiation, accountability, and accesscontrol. The public-key cryptography (PKC) is the mostpractical and common cryptosystem that can achieve thesesecurity requirements [5], [6]. In PKC, public and privatekeys are issued for each SM. The public key should be

• K. Rabieh and M. Mahmoud are with the Department of Electrical &Computer Engineering, Tennessee Tech University, Cookeville, TN 38505USA.E-mail: [email protected],[email protected]

• K. Akkaya is with the Department of Electrical & Computer Engineer-ing, Florida International University, Miami, FL 31174 USA.Email:[email protected]

• S. Tonyali is with the Department of Electrical & Computer Engineer-ing, Florida International University, Miami, FL 31174 USA.Email:[email protected]

Manuscript received March 09, 2015; revised —- .

widely known and the private key should be kept secret.The announcement of the public key is usually performedby using a signed document called a public key certificatethat binds the certificate holder’s identity to its public key.The entity that signs the certificate is called the certificateauthority (CA). The CA supports the creation, renewal, andrevocation of the public key certificates. To authenticate amessage, the SM signs the message with its private key anda digital signature algorithm. The verifier of the message’ssignature first verifies the certificate, and then verifies thesignature with the signer’s public key (extracted from thecertificate) and signature verification algorithm.

When a certificate is issued, its lifetime is limited by anexpiration date. After this date, the certificate is consideredexpired and should not be accepted by the SMs. How-ever, there are several strong motivations that necessitaterevoking certificates before the expiry date to secure thenetwork such as private key compromise, excluding mali-cious meters, removal of meters from the network, etc. If thecompromised key is not revoked, the attackers can use it tolaunch attacks under the name of the key’s holder. If a metershows a malicious behavior, the meter’s certificate shouldbe promptly revoked to protect the proper operation of thenetwork. Once this is done, messages from this meter willbe discarded. The certificates of malfunctioned meters thatare removed from service should be revoked to prevent mis-using their keys to launch attacks. Thus, SMs in a wirelessmesh-based AMI network should discard the messages thatare signed with revoked certificates. This requires a check todetermine the certificate revocation status before acceptingthe signatures.

Online certificate status protocols (OCSPs) [7] and Cer-tificate Revocation Lists (CRLs) are widely used approaches


for certificate revocation [8], [9], [10]. In OCSP, an online andinteractive certificate status server stores updated revoca-tion information of the certificates of interest. When a nodeneeds to check the status of a certificate, it sends a querypacket to the server that replies with a response packethaving the status of the certificate. For the CRL approach,the CA has to compose a list of revoked certificates’ serialnumbers and distribute it to the nodes that need to verifythe certificate holders’ signatures. To verify the status ofa certificate, a node should check whether the certificate’sserial number is in the CRL that is stored locally.

In order to use the OCSP in AMI networks, it is costlyto deploy new devices to act as OCSP server, so either thegateways or the CA should be used. It is insecure to allowthe gateways to manage the certificate revocation becausethey are deployed in streets and unattended, and thus lackphysical security. It is also inefficient and unscalable to usethe CA as a certificate status server. The scalability of theAMI network will create a bottleneck at the CA and directconnections between the meters and the CA are required.The main advantages of the CRLs can be summarizedas follows: 1) local verification: certificates can be verifiedlocally without contacting the CA; and 2) scalability: if theoverhead of distributing the CRLs is low, the CRL schemebecomes scalable. Therefore, we believe that CRLs are moreappropriate to the AMI networks if the overhead is reduced.Although public key cryptography is used extensively inthe literature to secure the AMI communications [4], thecertificate revocation in AMI networks has received littleattention in spite of its importance.

The AMI networks have the following special char-acteristics that necessitate novel techniques for certificaterevocation. Limited physical security: the likelihood of com-promising the SMs is high because they are unattended andaccessible by attackers; scalability: the number of meters inAMI network is expected to be very large, and thus thenumber of certificates in the system is large; limited compu-tational power/storage: cost-efficient SMs have limited storageand computational power, and thus it may be inefficient tostore and search long CRLs; and limited bandwidth: the AMInetwork’s bandwidth is limited and it will be overwhelmedin transmitting too much data for different applications, andthus it is not efficient to distribute long CRLs.

It is inefficient to create a customized CRL for eachmeter having the certificates it needs because the numberof different CRLs will be large and too much overhead willbe required to create, sign and distribute them. On the otherhand, given the scalability of the AMI networks, creatingone CRL is inefficient because its size will grow significantlyas time passes and thus becomes a major overhead in termsof distribution, search, and storage. In this paper, in order totackle the scalability of the AMI network, it is divided intoclusters of SMs. However, clustering alone is not enough,but the size of the certificate revocation information needsto be reduced. This is because there is a tradeoff betweenthe computation/communication overhead at the CA andthe communication/storage overhead at the clusters. Thistradeoff can be controlled by the cluster sizes. Specifically,increasing the clusters’ size reduces the number of differentCRLs that should be composed and distributed by the CAbut increases the size of the CRLs which necessitates more

overhead to distribute and store them. Similarly, reducingthe clusters’ size increases the number of different CRLs thatshould be composed and distributed by the CA but decreas-es the size of the CRLs and thus reduces the overhead ofdistributing and storing them.

The paper aims to alleviate this tradeoff by increasing theclusters’ size with acceptable overhead. Specifically, insteadof distributing deterministic CRLs, we use Bloom filter todistribute shorter probabilistic revocation lists. However,Bloom filters suffer from false positives, where a search maymistakenly indicate that a valid certificate is in the list ofrevoked certificates. This is not acceptable in AMI networksbecause meters may discard important messages such as acommand to disconnect power in case of payment default.False positives can also cause financial losses if a metermisses power pricing information. Different from [11] and[9] that use Bloom filters for certificate revocation in vehic-ular ad hoc networks, we propose two Bloom filter basedrevocation schemes for AMI networks that can enable themeters to identify and nullify the false positives.

The first scheme, called two Bloom filter vectors based(TBFV) scheme, uses the fact that Bloom filters are free offalse negatives, i.e., if a search indicates that a certificate isnot in the list, this is certainly true. Instead of distributingonly one Bloom filter vector for revoked certificates like[9], [11], the scheme distributes two fixed-size and shortvectors: one for revoked certificates and another one forvalid certificates. A certificate is valid if it is not found in therevoked certificate vector. Similarly, a certificate is revoked if it isnot found in the valid certificate vector. If a certificate is foundin the two vectors, this indicates that one of the filters trig-gered false positive. In this case, the meters should contactthe gateway to return the correct certificate status. We usea Merkle tree to enable the gateway to provide efficientevidence for certificate revocation without contacting theCA or trusting the gateway. The tree is constructed by theCA and stored in the gateway. Resolving the false positivesat the gateway level instead of the CA level can improvethe scalability of the scheme. We derive a mathematicalformula to the probability of contacting the gateway as afunction of the two filters’ parameters. We demonstrate thatthis probability can be low by properly designing the Bloomfilters.

In TBFV scheme, the SMs can identify the false positiveslocally and need to contact the gateway to resolve them.In some cases, the AMI network has too much traffic andthe required communications to resolve the false positivemay constitute a burden. Therefore, we propose a secondscheme, called false positive certificate list based (FPCL),that can identify and resolve the false positives locally. Thescheme distributes one Bloom filter vector for the revokedcertificates and the list of valid certificates that can triggerfalse positives. To verify a certificate, a SM first checks ifthe certificate’s serial number is in the list. A certificate isvalid if it is found in the list. If the certificate is not found,a SM checks whether the certificate is in the Bloom filtervector. The certificate is revoked if it is found in the vector,otherwise it is valid. We derive a mathematical formula forthe expected communication overhead of the scheme.

In order to assess the scalability of the proposed schemesand validate the mathematical formulas, we have imple-


CA

NAN #1

Cluster #t

NAN #n

Utility

Smart

Meter

802.11s

link

4G Network

NAN #1

Cluster #1

NAN #n

Gateway

Fig. 1: The considered AMI communication network.

mented them and tested under different scenarios usingVisual C. The results indicate that our schemes are muchmore scalable than the conventional CRL and the math-ematical and simulation results are almost identical. Inaddition to this implementation, we have also incorporatedthe proposed schemes in a real AMI network that is basedon IEEE 802.11s based wireless mesh networks [12]. Wehave used the ns-3 network simulator [13] and simulatedthe revocation information distribution in order to assessthe distribution overhead on the network performance suchas end-to-end delay.

To the best of our knowledge, this is the first work thatemploys Bloom filters for certificate revocation without falsepositives in smart grid AMI communications.

The remainder of the paper is organized as follows. Inthe next section, we discuss the network and threat models.The concepts of Bloom filters and Merkle tree are discussedin section 3. In sections 4 and 5, we present our proposedschemes. Section 6 is dedicated to security analysis and per-formance evaluation. In Section 7, we provide a summary tothe related work. Finally, we conclude the paper in Section8.

2 NETWORK AND THREAT MODELS

The assumed AMI network provides two-way communi-cation between the utility company and the consumers’SMs. The AMI network is divided into clusters and eachcluster has a large number of neighborhood area networks(NANs). Each NAN has SMs and a gateway node (or a leadmeter). The SMs communicate with the gateway using anIEEE 802.11s-based wireless mesh network [12] as shown inFig. 1. The gateway communicates with the utility companyand the CA via a long distance communication (e.g., 4G orWiMax). The gateway can initiate communication sessionsto any SM, and similarly, every SM can initiate commu-nication sessions to the gateway possibly via multi-hop

routes. The gateway and each SM have a unique identity,public/private key pair and certificate. All the SMs knowthe gateway’s identity and public key. They also know theCA’s identity and public key.

The utility company will use the AMI network to collectfine-grained power consumption readings to perform stateestimation to the power grid. The readings’ transmissionrate can be less than 30 seconds for business premises andless than 15 minutes for residential ones [14]. The gatewayrelays some data to the meters, e.g., firmware updates andcryptographic and security data such as keys, renewedcertificates, and revocation information from the CA. Thegateway can also relay commands to the SMs, e.g., if aconsumer defaults on the electricity bill, the utility can senda command to turn off the power [6].

AMI networks can be implemented with multi-hop wire-less mesh topology. In this topology, each meter should actas a router to relay other meters’ packets. After receivinga packet, each meter should verify the sender’s signatureand certificate to ensure that the packet is sent from a legit-imate meter before relaying it. Without this check, externalattackers can simply flood the network with bogus packetsto disrupt the communications. There are applications thatnecessitate the communication of a SM with other SMs, e.g.,in case of collective demand response [15]. Meters may alsoneed to exchange information to optimally decide how toreduce the load.

For the threat model, some attackers attempt to manip-ulate the revocation information to mistakenly add validcertificate or remove revoked ones. This attack is serious inthe sense that the attackers can exclude victim SMs fromthe network. The attackers may attempt to impersonate thegateway or the CA to transmit false revocation information.Attackers can replay valid packets or manipulate them ifthis can help achieve their goals. The gateways and SMs arenot trusted but the CA is trusted.


Fig. 2: Bloom filter concept.

3 PRELIMINARIES

In this section, we explain the concepts of the Bloom filterand Merkle tree which are used in the proposed schemes.

3.1 Bloom FilterThe Bloom filter has been used in computing applicationsfor different purposes [16], [17]. It can reduce the overheadof distributing and searching a set of items. The essentialidea of the Bloom filter is illustrated in Fig. 2. The filter is adata structure (or bit array) that stores a set of elements com-pactly in a bit-vector B = {B1, B2, ..., Bm}with length of mbits [18]. Initially, all the vector’s m bits are zeroes. Each cer-tificate’s serial number (SNi) to be stored should be hashedwithK independent hash functions, {H1(), H2(), ...,HK()}.Each hash function maps a given certificate serial number toa number in the range {0, 1, ..,m− 1} which represents theaddress of a bit location in B. The result of hashing SNi

K times is a sequence of K hash values {n1, n2, ..., nk} ∈{0, 1, ...,m − 1}. To store an element SNi, the bits that arepointed by the addresses resulted from the K hashes shouldbe set.

To check whether a given certificate’s serial number is inthe list of certificates of a Bloom filter vector, the certificate’sserial number is hashed by the K hash functions resultingin K bit locations in the vector. As illustrated in Fig. 3, thecorresponding filter bits are checked: if all the bit locationsare set, the certificate is in the list with some probability,otherwise it is definitely not in the list. It is possible that acertificate’s serial number is not stored in the vector but (bycoincidence) the K bit locations in the vector are all set. Thiscomes from the fact that a bit can be set to one multipletimes when the hashes of different serial numbers pointat the same location. This situation is called false positiveand the probability that this occurs is called false-positiveprobability.

The false-positive probability of a Bloom filter can bedriven as follows. The probability that any particular bitBi has zero is (1 − 1/m)KN , since the location Bi must beavoided by all KN hash values, where N is the numberof elements in the vector. Therefore, the probability that aparticular bit is set Pr(Bi = 1) = 1 − (1 − 1/m)KN . Incase of false positive, each of the K hash values must point

H3(SNi) = n3

Bloom filter bit vector

H1(SNi) = n1

H2(SNi) = n2

HK(SNi) = nK

If all these bits are set, SNi is in the list with some probability, otherwise it is definitely not in the list.

Fig. 3: Check whether SNi is an element in a Bloom filter’sbit vector.

h1,8

h5,8

h7,8

h8h7

h5,6

h6h5

SN6SN5 SN8SN7

h1,4

h3,4

h4h3

h1,2

h2h1

SN2SN1 SN4SN3

Fig. 4: Merkle tree for eight revoked certificates.at a bit location that is set to 1. The probability that thisoccurs is Pr(B1 = 1 and B2 = 1 and . . . and BK = 1)which is (1− (1− 1/m)KN )K . For more information on thecomputations of the Bloom filter, we refer to [19].

3.2 Merkle TreeFig. 4 shows a Merkle tree for eight revoked certificates withserial numbers {SN1, SN2, .., SN8}. The eight leaf nodesare the hash values of the certificates’ serial numbers, i.e., hi= H(SNi) ∀ i = {1, 2, ..., 8}, where H() is a one-way hashfunction [20]. The internal nodes are derived from their childnodes. For instance, the value of the node h3,4 is H(h3|h4),and the value of the root node is h1,8 = H(h1,4|h5,8), where| means concatenation. Each leaf node has a unique path toh1,8 that is called verification path (VP). Using this path, itcan be verified that a leaf node belongs to the tree.

4 TWO BLOOM FILTER VECTORS BASED SCHEME(TBFV)4.1 Overview of the ApproachThe CA prepares the revocation information for each cluster.It first creates two Bloom filter vectors; one vector is for theserial numbers of the revoked certificates in the cluster andthe second one is for the valid certificates. It also creates


Result of check?

Start

Check if SNi is in revoked certificates bit vector

Result of check?

Check if SNi is in valid certificates bit vector

Yes

NoSNi is valid

SNi is revoked

Ask the gateway

No

Yes

Fig. 5: Verifying a certificate’s status in TBFV.

a Merkle tree for the revoked certificates that can triggerfalse positive in the valid certificates Bloom filter. Similarly,it creates another Merkle tree for the valid certificates thatcan trigger false positive in the revoked certificates Bloomfilter. The CA sends the two tress to the cluster’s gateways.The CA sends to the cluster’s gateways a signed packethaving the two Bloom filter vectors, the roots of the Merkletrees, and the issuance and expiry dates. The CA’s signaturecan guarantee the packet’s integrity and authenticity. Thegateways should distribute this packet to the SMs. Eachmeter should verify the signature and store the vectors andtrees’ roots. The SMs can use the two vectors to verify a cer-tificate’s status and identify the false positives. When a falsepositive is found, the SMs contact the gateway to resolveit. The gateway can send an undeniable evidence for thecertificate status using the Merkle tree without contactingthe CA or trusting the gateway.

4.2 Certificate Verification

In order to verify the status of a certificate, the SMs use thetechnique illustrated in Fig. 5. The technique makes use ofthe fact that Bloom filters are free from false negatives, i.e., ifa certificate is not found in the filter, this is certainly true.The SM first checks whether the certificate’s serial numberis in the revoked certificates’ Bloom filter vector. If the serialnumber is not in the vector, the certificate is certainly valid.Otherwise, the SM checks whether the certificate’s serialnumber is in the valid certificates’ Bloom filter vector. If itis not found, the certificate is certainly revoked. Finally, if thecertificate’s serial number is found in the two vectors, thisindicates that one of the Bloom filters triggered false positiveand the SM should contact the gateway to query about thecertificate status. It is impossible to not find a certificate’snumber in the two vectors because the CA must have addedit to one of them. For the same reason, it is impossible to finda certificate in the two vectors without false positive.

4.3 False Positive Resolution

When a meter inquires about the status of a certificate (i.e.,false positive case), the gateway responds with ”Valid” or”Revoked”, and the verification path of the Merkle tree.For instance, using the Merkle tree shown in Fig. 4, when ameter inquires the gateway about the status of the certificateSN1, the gateway replies with the following verificationpath {SN2, h3,4, h5,8}. The SM can verify the path by firstcomputing h1 = H(SN1), h2 = H(SN2), h1,2 = H(h1|h2),and h1,4 = H(h1,2|h3,4). Then, it makes sure that h1,8 issimilar to H(h1,4|h5,8). This is an undeniable proof thatthe CA has revoked the certificate because the root nodeis signed by the CA and it is infeasible to modify thetree after it is created. It is also infeasible to fabricate theCA’s signature. Since only the efficient hashing operationsare required to verify the certificates, the computationaloverhead is low.

The advantage of using the Merkle tree is that the gate-way can prove the status of a certificate without contactingthe CA or trusting the gateway. Trusting the gateway is notrequired because the tree is constructed by the CA. Anotheradvantage is that it can reduce the computation overheadon the SMs because they need to use the efficient hashingoperations to verify the verification path and one signatureverification during the lifetime of the tree.

4.4 Approach Analysis

Equations 1 and 2 give the false positive probabilities ofthe revoked and valid certificates Bloom filters, respectively.Nr, Kr , and mr are the number of revoked certificates, thenumber of hash functions used to compose the revoked cer-tificates’ Bloom filter, and the bit vector size of the revokedcertificates’ Bloom filter. Similarly, Nv , Kv , and mv are thenumber of valid certificates, the number of hash functionsused to compose the valid certificates’ Bloom filter, and thebit vector size of the valid certificates’ Bloom filter.

FPRr = (1− (1− 1

mr)KrNr )Kr (1)

FPRv = (1− (1− 1

mv)KvNv )Kv (2)

The SMs fail to verify the certificates in case of falsepositive at either the revoked certificates’ filter or the validcertificates’ filter. The certificate verification failure probabil-ity (Pf ) is given in Equation 3. Pf equals to the probabilitythat a certificate is revoked and the valid certificate filtertriggers false positive or the certificate is valid and therevoked certificate filter triggers false positive. It can be seenthat the failure probability can be determined by setting sixparameters: the number of revoked and valid certificates(Nr and Nv), the size of the Bloom vectors (mr and mv),and the number of hash functions (Kr and Kv).

Pf = Pr(the certificate is revoked)× FPRv

+ Pr(the certificate is valid)× FPRr (3)


Fig. 6: The probability of certificate verification failure ver-sus mv at different values of mr in TBFV .

Fig. 6 gives the probability of certificate verificationfailure versus mv at different values of mr in TBFV . In thefigure, we select Kr = Kv = 5, and mr and mv are propor-tional to Nr and Nv , respectively. For example, mr = 8Nr

means that the size of mr in number of bits is 8 timesthe number of revoked certificates, i.e., this corresponds toadding 8 bits for each certificate in Bloom the vector. Wealso assume that the probability that a certificate is revokedis 0.1, and thus the probability that a certificate is valid is0.9. The number of valid certificates (Nv) is 9,000 and thenumber of revoked certificates (Nr) is 1,000.

It can be seen that there is a tradeoff between the revoca-tion information size and the verification failure probability,i.e., the increase of the Bloom filter vectors size reducesthe failure probability but at the cost of increasing therevocation information size. Some values of mr and mv

can keep the verification failure probability low, e.g., theverification failure probability is 0.1, if we select mr = 8Nr

and mv = 1.5Nv , i.e., the revocation information overhead(mr+mv) = 2.6 Kbytes. Selecting good values for the bit vectorscan reduce the failure probability with acceptable overhead. Forexample, the figure shows that the increase of mv from 2Nv

to 3Nv has little impact on the verification failure probabilitybut undoubtedly significantly increases the amount of revo-cation information. Moreover, the same failure probabilitycan be obtained with different pairs of mv and mr , e.g., thefailure probability is 0.1 when mv = 1.5Nv and mr = 8Nr

or mv = 2.5Nv and mr = 6Nr. Obviously, the revocationinformation size in the second case is much more becauseNr << Nv . This necessitates searching for and working atthe minimum revocation information that can achieve thedesired failure probability for the efficient use of the scheme.Fig. 7 gives a large space of mr and mv pairs that can keepthe verification failure probability below 0.1. When usingTBFV scheme, the maximum failure probability should bedetermined first. Then, a search is needed to find the optimalmv and mr pair that can achieve the desirable probability.This is corresponding to the pair that can minimize mv +mr .

Fig. 7: The space of mv and mr pairs that can keep thecertificate verification failure probability less than 0.1.

5 FALSE POSITIVE CERTIFICATES LIST BASEDSCHEME (FPCL)5.1 Approach MotivationTBFV scheme requires fast communications between themeters and the gateway to resolve the false positive cases.In some cases, the AMI network has too much traffic andthe required communications to resolve the false positivemay constitute a burden. It also needs fast communicationsbetween the CA and the gateways to send the Merkle tree.The gateways should also have enough storage space tostore the tree. To address these issues, in this section, wepropose another scheme called False Positive CertificatesList Based scheme (FPCL).

5.2 OverviewFPCL can identify and resolve the false positives locallywithout contacting the gateway. The CA generates oneBloom filter for the revoked certificates and the list of cer-tificates’ serial numbers that trigger false positives (Cl). TheBloom vector is computed using the technique explainedearlier. To compose the false positive certificates list, the CAhas to check all the valid certificates. For each certificate,it hashes its serial number using the K hash functions.The CA adds the certificate to the list if it is found in theBloom vector, i.e., the corresponding K bits in the filter areset, because the certificate triggers false positive. The CAsigns the Bloom vector and the false positive certificate listand sends them to the gateways to distribute to the SMs.The SMs accept the revocation information if the signatureverification passes.

In order to check a certificate’s revocation status, theSMs should use the procedure illustrated in Fig. 8. The SMfirst checks whether the certificate’s serial number is in thefalse positive certificate list. If it is found, the certificate iscertainly valid. Otherwise, the SM hashes the serial numberwith the K hash functions to determine whether it is inthe revoked Bloom filter. If all the corresponding bits inthe vector are set, the certificate is certainly revoked, else, thecertificate is valid. In this scheme, the Bloom filter is free offalse positive because all the certificates other than the onesin the Cl cannot trigger false positives.


Result of check?

Start

Check if SNi is in the Bloom filter

Result of check?

Check if SNi is in the false positive certificates list

Yes

No

SNi is valid

SNi is validNo

Yes

SNi is revoked

Fig. 8: Verifying certificate revocation status in FPCL.

5.3 Approach AnalysisEquation 4 gives the average revocation information size(Ri) in Bytes that equals to the Bloom filter vector bit size(mr) and the average size of the false positive certificate list(Cl). The average number of certificates in Cl equals to theprobability of false positive of the Bloom filter (FPRr) ×the number of valid certificates (Nv), where FPRr = (1 −(1− 1

mr)KrNr )Kr . The size of each certificate’s serial number

is 6 Bytes like the IP addresses in IPV6. In the evaluationsection, we will compare this derived mathematical formulawith simulation results.

Ri =mr

8+ (1− (1− 1

mr)KrNr )Kr ×Nv × 6 (4)

Equation 4 indicates that the overhead has two compo-nents the Bloom filter size and the size of the Cl. Fig. 9shows how the two components contribute to the overheadas mr increases. In the figure, Nv and Nr are 10,000 and1,000, respectively. It can be seen that the increase of mr de-creases the size of Cl until it becomes negligible comparingto mr. This is because the size of Cl depends on the falsepositive probability and the increase of mr reduces the falsepositive probability, i.e., fewer number of valid certificatescan trigger false positives as mr increases. From Fig. 9, wecan conclude that there should be an optimal mr that canminimize the overhead of this scheme.

Fig. 10 gives the relation between the revocation infor-mation in FPCL and mr size. We select Nv and Nr to be10,000 and 1,000 certificates, respectively. It can be seenthat at small mr , the revocation information size is largebecause the false positive rate is high and thus the size ofCl is very large. The increase of mr decreases the revocationinformation size. This is because the reduction rate in Cl

(due to reducing the false positive rate) is much more thanthe increasing rate in mr . After the revocation informationsize reaches a minimum value, it starts to increase becausethe reduction rate in Cl becomes less than the increase rate

Fig. 9: The increase of mr decreases the size of Cl due toreducing the false positive probability.

Fig. 10: The FPCL scheme should be used at the minimumoverhead.

Fig. 11: The size of the revocation information in FPCL atdifferent numbers of certificates.

of mr , and thus the increase of mr increases the revocationinformation size. Choosing a good value for the Bloom filtervector is important to reduce the revocation informationoverhead comparing to the conventional CRL. From thefigure, the minimum revocation information in FPCL is 1.8KB when the size of mr equals to 1.4 KB. Comparing to theCRL size that is 5.86 KB, it is clear that the overhead in FPCLcan be only 32% of the overhead in CRL, but if the value of mr

is not optimal, the overhead of FPCL can be more than theCRL.

Fig. 11 depicts how the optimum mr changes when Nv


Fig. 12: Comparison between the revocation informationsize of TBFV, FPCL and CRL when Nr = 0.1 Nv .

and Nr increase, i.e., when the AMI network size increases.We select the values 2,000, 4,000, 6,000, 8,000 and 10,000 toNv and Nr equals to 20% of Nv . The figure shows thatmr should increase as Nv and Nr increase because theyincrease the false positive probability which increases theCl and the false positive probability and thus the Cl sizecan be reduced by increasing mr . When the network sizechanges, the CA has to update the Bloom filter size inthe first certificate revocation update to stay operating atthe optimal point. This can be done easily in our schemebecause the revocation information is prepared by the CAand the meters are not involved at all. For example, fromFig. 11, when the number of valid certificates changes from2,000 to 4,000, the CA has to increase the Bloom filter sizefrom 0.45 to 0.95 Kbytes to operate at the optimal point.

Similar to the traditional CRL scheme, a cluster’s revoca-tion information should be updated when certificates in thecluster are revoked. This should not affect the revocationinformation of other clusters. First, the CA should computenew Bloom filters. This computation is efficient because itneeds only hashing operations. Then, in order to reduce thecommunication overhead, the CA does not need to send thenew filters to the meters, but it can only send the locationsof the bits that should change in the current Bloom filter toupdate it.

6 EVALUATIONS

In this section, we evaluate the proposed schemes, TPFVand FPCL, and compare them with the conventional CRLscheme. We conducted simulations using Visual C to ver-ify the mathematical formulas given earlier. NS-3 networksimulator is used to study the impact of the revocation in-formation distribution on the network performance. Finally,we analyze the security of the proposed schemes.

6.1 Overhead Evaluations

1. Communication Overhead

Fig. 12 gives the revocation information size of TBFV,FPCL and CRL at different values of Nr and Nv , where Nr

= 0.1 Nv . For TBFV scheme, we report the minimum revo-cation information that can keep the certificate verificationfailure probability below a given value. For FPCL scheme,

Fig. 13: Comparison between the revocation informationsize of TBFV, FPCL and CRL when Nr = 0.2 Nv .

we report the minimum revocation information. In orderto calculate the minimum revocation information size, weinitialize our experiment by a relatively small Bloom filtersize. Then, the Bloom vector size is increased graduallyand the revocation information size is recalculated until theminimum revocation information size is found. The resultsdemonstrate that the revocation information sizes of ourschemes are less than the CRL size.

When comparing TBFV with FPCL, it can be seen thatFPCL has less revocation information size compared toTBFV with a verification failure probability (Pf ) of 0.1.However, we observe that the revocation information sizeof TBFV is less than FPCL when Pf increases to 0.15, butthe meters need to contact the gateway more in TBFV. Thisis because the reduction of the revocation information sizein TBFV increases the false positives that increase Pf . Forexample, TBFV scheme has revocation information sizesof 2.7 KB and 760 bytes to store 1,000 revoked certificateswhen Pf is 0.1 and 0.15, respectively. On the other hand,FPCL’s revocation information size is 1.8 KB to store thesame number of revoked certificates, but the CRL size isabout 5.9 KB. The increase of the Nr and Nv increases therevocation information in TBFV to obtain the same Pf limit.This is because the increase of Nr and Nv increases thefalse positive which increases Pf . To maintain the samePf , mr and/or mv should increase to reduce the falsepositive probability. Similarly, the increase of the Nv andNr necessitates increasing mr and/or Cl to maintain theminimum revocation information. It can also be seen thatTBFV can decrease the amount of revocation informationwith increasing the verification failure probability but thegateway will be contacted more.

Similarly, we repeat the simulation when Nr = 0.2 Nv .Fig. 13 demonstrates that the revocation information sizesof TBFV and FPCL are still less than the CRL. It can alsobe seen that FPCL has less revocation information size thanTBFV with Pf = 0.1 and 0.15 which is different from theresults given in Fig. 12. FPCL has minimum revocationinformation size when the number of revoked certificatesis large. This indicates that FPCL is more scalable than theother schemes. It is noteworthy to mention that there is noadditional communication overhead needed by FPCL sincefalse positive cases can be resolved locally. Consequently,FPCL is suitable when the communication between the


meters and SMs is not fast or there is high traffic in theAMI network.

Fig. 12 and 13 depict how the schemes scale up in largenetworks. It can be seen that as Nr and Nv increase (inscalable networks), the difference betweens CRL and ourscheme increases. This indicates that our schemes signif-icantly outperform CRL in large networks. For example,when the number of certificates is 10,000 and Nr = 1000,the revocation information sizes of TBFV (Pf ≤ 0.1), TBFV(Pf ≤ 0.15), and FPCL require 46%, 13% and 31% of theCRL size, respectively. Similarly, when the number of cer-tificates is 10,000 and Nr = 2000, the revocation informationsizes of TBFV (Pf ≤ 0.1), TBFV (Pf ≤ 0.15), and FPCLrequire 45.8%, 35% and 26.6% of the CRL size, respectively.

When certificate verification fails in TBFV, the meterhas to send a Certificate Status Inquiry (CSI) packet to thegateway. The gateway replies with Certificate Status Re-sponse (CSR) packet. CSI packet has the serial number of thecertificate, the meter’s identifier, timestamp and signature.The total size of the packet is 72 bytes. The CSR packetshould have the gateway signature, certificate serial number,time stamp, identity of the meter, and the verification path.The size of the CSR packet without the verification path is 73bytes. The size of the verification path is the path length ×the size of the hash tags. For the signature scheme, we usedthe Elliptic Curve Digital Signature Algorithm (ECDSA).This was chosen since its overhead is minimal comparing toother public key cryptosystems. It also uses a short key sizethat is comparable to the current symmetric cryptographicschemes. It is an approved signature algorithm for the USgovernment use [21].

2. Computational Overhead

When a signed message is received, the SM has to checkif the certificate is revoked. The latency of this check shouldbe minimized to expedite message authentication. In CRLscheme, the certificate verification latency equals to the timeto find a certificate’s serial number in the CRL. This timedepends on the location of the serial number in the list andalso the list size. For our schemes, the certificate verificationlatency mainly depends on the computation time of the Khashing operations. This time is fixed and does not dependon the number of revoked certificates. Hash functions arevery efficient in computation.

To evaluate the computational overhead of our schemes,we implemented a Bloom filter, using five hash functionsbased on SHA-1 and a vector of m = 9.77 KB that stores10,000 certificate’s serial numbers. The certificates’ serialnumbers are generated randomly. Each serial number is 6bytes. We used Crypto++5 library [22] to implement theSHA-1. We also used a laptop with an Intel processor at1.6 GHZ and 1 GB RAM to implement the filter. Althoughthe computational power of a meter is less than a laptop, wescale the results with the factor of five to obtain a realisticestimation to the expected overhead.

Our measurement results demonstrate that a certificatecan be added to the Bloom filter in 214 µs. To measure thetime to check whether a certificate is in the filter, we take theaverage to 30,000 certificates checks. Half of the certificates’serial numbers were in the filter and the other half of themwere not in the filter. We compute one hash value and check

0 0 1 1 0Reduced hash value

0 0 1 0 0

1 1 0 00

0 1 0 P P

S1

S2

Sn

0 0 1 0 0 1 1 0 0 0 0 1 0 P PSHA-1 output

S1 S2 Sn

Padding

Fig. 14: Reducing the SHA-1’s output to a desired numberof bits.

its corresponding bit. If it is one, we proceed and computethe next hash value, otherwise the certificate is not in thevector and we quit. The average certificate check time isaround 175.48 µs. This is less than the certificate additiontime because K hashing operations should be performed toadd a certificate, but once a hash value points at a locationthat stores zero, the search ends, so less than K hashes maybe required to search for a certificate in the vector. The ver-ification time of TBFV is more than FPCL because it needstwo Bloom filter search operations but FPCL needs only onesearch operation. For composing the revocation information,TBFV and FPCL nearly take the same time because in bothcases all the valid/revoked certificates should be hashed Ktimes.

3. Merkle Tree

A tree of height ~ has Nr = 2~ leaves and Nr−1 interiornodes. If the tree is big and requires large storage area,the gateway can store only the certificates’ serial numbersand some nodes and computes the rest of the nodes whenrequired. This is proper for our scheme because the tree maynot be used very often during its lifetime. Computing theroot node requires Nr hashing operations to calculate theleaves and 2~−1 hashing operations to compute the interiornodes. Several schemes have been proposed to balancebetween the storage area and the computational overheadof the Merkle tree. For instance, M. Szydlo [23] proposedan algorithm for Merkle tree traversal which requires onlylogarithmic space and time. For a tree with Nr leaves, thealgorithm computes sequential tree leaves and verificationpath in time 2log2(Nr) and space less than 3log2(Nr), wherethe units of computation are hash function evaluations orleaf value computations, and the units of space are thenumber of node values that should be stored. Creatingthe Merkle tree needs efficient hashing operations and onesignature by the CA. The path length equals to log2(Nr),where Nr is the number of revoked certificates. The numberof hashing operations required to verify the path equals tothe path length plus one.

6.2 Mathematical Models VerificationWe have used Visual C to implement the proposed schemes.To implement the Bloom filters, we used SHA-1 hash func-


tion [24] to compute the bit location resulted from hashingthe certificates’ serial numbers. However, SHA-1 produces adigest of 160 bits which is much more than what we need.The Bloom filter’s hash values should have dlog2(mr)eoutput bits, where mr is the number of bits in the Bloomfilter vector. To reduce the SHA-1’s output to the desirednumber of bits, we used the approach illustrated in Fig. 14.We strived to keep the random and unbiased nature of SHA-1. We divide the SHA-1 output to blocks of dlog2(mr)e bits.Padding bits that can be zeros or ones are added if the lastblock is less than dlog2(mr)e bits. Then, we apply exclusiveOR (XOR) bitwise operations to the blocks to calculate thedlog2(mr)e bit hash value. If the SHA-1 output is random (asexpected), the resultant dlog2(mr)e bit hash value should berandom as well because it is computed from it. To derivethe K hash functions that are used in the Bloom filterusing SHA-1, we used the technique used in [19]. K hashfunctions can be driven from SHA-1 by appending a specificrandom value to the input, e.g., H(r1|SNi), H(r2|SNi), .. ,andH(rK |SNi). Each function has a different random valuethat is fixed and known to the meters.

We setup an experiment to compare the certificate veri-fication probability in TBFV with the mathematical formulagiven in Equation 3. We consider two cases where mr =4 Kbytes and 8 Kbytes. The number of valid certificates is9,000 and the number of revoked certificates is 1,000. We firstgenerate the certificates’ serial numbers randomly. Then, weadd the revoked certificates to one Bloom filter and add thevalid certificates to another filter. We count the number oftimes a meter fails to verify the certificates’s status locallyand divide it by the total number of verifications. We runour experiment 20 times and report the average value. Fig.15 gives the certificate verification probability at differentvalues of mv for both the mathematical and simulationresults. The figure demonstrates that the experiment andmathematical results are almost identical.

We also setup an experiment to compare the minimumrevocation information size of FPCL with the mathemati-cal formula given in Equation 4. We consider two caseswhere Nr = 0.1 Nv and Nr = 0.2 Nv . We run our theexperiment 20 times and give the average value. For theexperiment and mathematical equation, we calculate theminimum revocation information by starting with a smallmr and gradually increase it until the minimum revocationinformation is found. Fig. 16 gives the minimum revocationinformation size at different number of valid certificates forboth the mathematical and simulation results. The figuredemonstrates that the experiment and mathematical resultsare almost identical.

6.3 Network Simulation Results

The proposed schemes have been implemented in a morerealistic setting where the underlying communication in-frastructure is assumed to be based on 802.11s-based wire-less mesh networks (WMNs) [25]. The simulations are per-formed under ns-3 which has a built-in implementation of802.11s. We created a scenario where the CA divides theAMI network into clusters of NANs and each NAN is ledby a separate gateway as shown in Fig. 1. Each gatewayis assumed to distribute the revocation information to each

Fig. 15: Comparing the math results with the simulationresults in TBFV scheme.

Fig. 16: Comparing the math results with the simulationresults in FPCL scheme.

of the SMs in its NAN. Each NAN topology is generatedrandomly by using NPART topology generation tool [26].All topologies are connected (i.e., each SM can reach thegateway). We generated 30 different topologies for eachNAN size and got the average of the results for statisticalsignificance.

In order to assess the impact of the data traffic on therevocation information distribution, we assumed that all theSMs are sending their power readings to the gateways at thetime of distributing the revocation information. The SMs aresending their power readings at every 10 seconds which isused by some utilities in the real-life applications of AMI[27]. We assume a transmission range of 120m for each ofthe SMs. The underlying MAC protocol used was 802.11g,and we implemented TCP as transport layer protocol forreliability. The simulations were run for 100 seconds. Theresults are the snapshot at the end of 100th sec.

In our simulations, we tested two different NAN sizes:40 and 80 meters. The size of the cluster is also a parameterwhich is assumed to be 6,000 and 10,000 meters for testingscalability. For any case, we considered two scenarios forthe number of revoked certificates: 10% and 20% of the totalnumber of valid certificates in the network. This means wedistributed a list of 600 & 1,200 revoked certificates for thecluster size of 6,000 meters and 1,000 & 2,000 revoked certifi-cates for the cluster size of 10,000 meters. These revocationslists are distributed by each gateway to all of the membersof their NANs.

We considered the following three performance metrics


TABLE 1: NS3 simulation results.

ApproachesNAN Size: 80 SMs NAN Size: 40 SMs Revocation

informationsize in bytesPDR (%) Delay (sec) Tput (kbps) PDR (%) Delay (sec) Tput (kbps)

Clustersize:6,000SMs

10% cert.revocation

CRL 84.75 3.44 243.92 90.7 0.8 119.2 3600

TBFV PF= 0.1

90.37 2.36 123.33 90.17 0.47 58.98 1672

TBFV PF= 0.15

89.91 1.86 38.27 89.69 0.2 16.82 455

FPCL 88.84 2.29 96.78 90.41 0.36 45.16 1337

20% cert.revocation

CRL 70.67 4.89 445.02 89.52 1.4 229.3 7200

TBFV PF= 0.1

87.64 3.24 224.7 89.87 0.75 107.57 3250

TBFV PF= 0.15

87.28 2.81 182.62 91.32 0.6 88.96 2634

FPCL 89.8 2.47 126.95 90.66 0.46 60.68 1720

Clustersize:10,000SMs

10% cert.revocation

CRL 74.59 4.56 384.09 90.45 1.24 194.98 6000

TBFV PF= 0.1

88.09 3.03 194.05 91.16 0.67 94.35 2787

TBFV PF= 0.15

89.13 1.94 58.9 90.68 0.26 27.28 760

FPCL 90.92 2.42 135.22 90.92 0.47 64.87 1860

20% cert.revocation

CRL 35.06 5.1 525.54 89.75 2.3 382.19 12000

TBFV PF= 0.1

79.06 4.19 348.08 90.18 1.13 175.43 5417

TBFV PF= 0.15

81.4 3.76 287.46 90.73 0.94 143.82 4390

FPCL 87.23 2.99 219.72 90.63 0.71 106.46 3209

to assess the network performance when the revocationinformation is to be distributed:• End-to-end (ETE) Delay: This metric indicates the averagetime it takes for a revocation information packet to reacha SM.

• Packet Delivery Ratio: This metric indicates the ratio ofthe number of all packets sent from the gateway to thenumber of all packets received at the SMs.

• Throughput: This metric indicates the amount of datareceived at the SMs per second. This metric will showhow much data is transmitted in the network and thushint about the bandwidth usage.The results for all the different cases and approaches (i.e.,

TPFV with different probability of failures depicted as TPFVPf , FPCL, and CRL) are shown in Table 1.

As can be seen from these results, the PDR values do notchange much under different approaches when NAN size istaken as 40 SMs. However, when the NAN size is 80 SMsand the cluster size increases, this makes a significant impacton PDR under different approaches. This is mainly due toincreasing size of revocation information. As the size of therevocation information increases beyond a certain size, theTCP protocol needs to apply fragmentation as there is amaximum size a connection can accommodate (e.g., MTUof 1,500 bytes). This in turn creates more fragments for eachpacket that need to be transmitted separately. This results ina congestion in the NAN, and an increase in the number ofdropped packets. For instance, networks with 20% revokedcertificates is affected significantly by this congestion. ThePDR drops almost the half of that of 10% revoked certificates

case. However, we can see that the proposed FPCL approachcan keep up with the increased revocation information sizeand maintains the same level of PDR performance. It alsoprovides the highest PDR compared to others especiallywhen the cluster size is 10,000 SMs.

The most noticeable conclusion out of these results areon the ETE delay performance of the proposed approaches.As the size of the revocation list increases the number offragments created by the TCP protocol increases as well.This results in an increased contention by the SMs to accessthe channel. In addition, as the number of dropped packetsincreases, the number of retransmissions by the gatewayincreases as well. All of these would contribute to theincreased ETE delay for the packets. In all cases, TBFVwith 0.15 verification failure and FPCL show the best ETEdelay performance for 10% and 20% certificate revocationrespectively because the size of revocation lists they use isthe least amongst the others.

Overall we can claim that TBFV Pf = 0.15 and FPCL canbe used to distribute revocation information with the mini-mal impact on the network performance. They significantlyimprove the network performance in terms of ETE delay anPDR compared to the existing CRL method.

6.4 Security AnalysisIt is not secure to allow the nodes to communicate when theupdated revocation information is not available. This meansthat the nodes cannot communicate when the certificaterevocation scheme fails. In addition, if the information ismanipulated, attackers can sabotage the communications,


e.g., by adding valid certificates to the list or removingrevoked ones. In TBFV, the two filter vectors and the rootof the Merkle tree are timestamped and digitally signedby the CA. Modifying or fabricating them is impossiblewithout knowing the CA’s private key. The attackers maytry to change the vectors and/or the Merkle tree root beforerelaying the packet sent from the CA to the victim meters.However, any change in them will fail the CA’s signatureverification. Similarly, the Bloom filter vector and the falsepositive certificate list in FPCL are signed to ensure thesecurity of the distribution of the revocation information.If an attacker uses the certificate of a meter in a differentcluster, the certificate’s serial number will not be found inthe revoked Bloom filter vector in TBFV and the metersmay accept it. Therefore, the CA should include the cluster’sidentifier in the certificates and the meters should verifythe identifier before verifying its revocation. The CA shouldensure that the Bloom filters of a cluster store all the cluster’scertificates.

To thwart replay attacks, the timestamps can be verifiedto ensure the freshness of the packets. To break our schemes,attackers may try to impersonates the gateway or the CAand send fabricated packets to the smart meters. Digitalsignatures are used to secure the communications betweenthe meters and the gateway. The attackers cannot imperson-ate the gateway or the CA because they can not computecorrect signatures. With using secure hash function, Merkletree cannot be manipulated because it is impossible to findtwo different certificate serial numbers that can generate thesame hash value. Since the tree is authenticated by digitallysigning its root, it cannot be modified without invalidatingthe digital signature.

7 RELATED WORK

In [28], Khurana et al. have discussed the main securityissues in SG. The authors have identified public key man-agement as a challenge due to the system scalability andcomplexity. In [6], a protocol is proposed to ensure thatcustomers who default on their payments can be switchedoff remotely. In order to prevent attackers from launch-ing attacks to interrupt the citizens’ electricity supply, thescheme uses public key cryptography to secure the protocolwithout addressing certificate revocation. Metke et al. [29]survey the existing key security technologies for extremelylarge and wide-area communication networks and studytheir applicability for the smart grid. Based on studyingthe security requirements as well as the scale of the smartgrid, the authors strongly believe that the PKC is the mosteffective key management solution for securing the SG.

Existing works on AMI network security such as [4]propose the use of PKC but do not provide any mechanismsfor certificate revocation, although it is a required compo-nent. Different aspects of certificate revocation problem inSG applications were discussed in [30] without providing asolution to AMI networks.

In [31], Wohlmacher et al survey the different revoca-tion methods. Zhao et. al. [32] propose an efficient keymanagement scheme with key revocation in smart gridcommunications. Instead of the large computation cost ofsignature verification needed in PKI communications, the

scheme only requires to perform Media Key Block (MKB)process to extract the shared key. In MKB process, broadcastencryption [33] is used to recover the shared key betweendifferent devices. The authors study the revocation of mali-cious devices’ keys where new keys are computed at the KeyDistribution Center (KDC) and distributed to non-malicioususers. The revoked users will not be able to decipher theshared key without updating the initial parameters of eachdevice. The authors also compare the proposed scheme withthe internet key exchange methodology in PKI to show thesuperiority of their scheme in terms of communication andcomputation cost. In vehicle-2 grid (V2G) communications,Vaidya et al. [34] propose an efficient PKI infrastructureto overcome the traditional X.509 based PKI shortcomings.These shortcomings are the large size of traditional PKIcertificates and long verification time. The proposed infras-tructure is based on elliptic curve cryptography and self-certified public key technique to reduce the size of thecertificate and verification time.

Chan et. al. [35] propose an enhanced PKI mechanismto resist the Denial of Service (DoS) attack in wireless smartgrid communications. In the domain of smart grid, a DoSattack can prevent legitimate smart meters from connectingto a node if an attacker keeps sending fake signatures andcertificates because the signature verification computationcost is high. For this reason, a lightweight signature verifi-cation scheme is proposed for authenticating different smartgrid devices.

Akkaya et. al [36] propose an efficient grouping algorith-m to distribute CRLs in an 802.11s based AMI networks.The grouping algorithm is based on the fact that SMs arecommunicating with the gateway to send/receive utilityinformation. Each SM uses the same route to communicatewith the gateway i.e. communicate with the same group ofSMs for forwarding its packets. Instead of storing a largeCRL in each SM, SMs only keep the CRL of its group tominimize the communication and storage overhead of CRL.

In VANETs, revocation of malicious vehicles is exten-sively studied. In that sense, it is noteworthy to discuss therevocation schemes employed in VANETs. In [37], Raya et al.propose a scheme to isolate misbehaving nodes in VANETsuntil a centralized revocation is issued by the CA. A groupof neighboring nodes perform a voting on the misbehaviorof a specific node. If the accumulation of votes exceeds apredefined threshold, then a warning message is broadcast-ed to the neighboring vehicles to inform them to ignore allthe messages transmitted by the misbehaving nodes. Rayaet al. [11] have investigated certificate revocation problem inVANETs. They argue that low false positive is acceptable formost VANETs’ applications. Unlike VANETs, false positiveswill not be acceptable in AMI networks because meters maymiss important messages such as commands to disconnectpower and power pricing information. In [9], Haas et al. pro-posed a scheme to distribute CRLs quickly even during theincremental deployment of VANETs. They also proposed arevocation scheme for anonymous communications, whereeach vehicle uses several certified pseudonymous insteadof a unique identity to preserve its privacy. The authorsargue that a vehicle can avoid triggering a false positiveby discarding any of its own certificates that will trigger afalse positive before it is ever sent, thus preventing a receiver


from generating a false positive. Obviously, this cannot beapplied to AMI because each meter will use one certificate.Different from [9], [11], our paper studies using Bloom filterfor AMI networks and proposes a novel scheme to mitigatethe false positives.

Papadimitratos et al [38] propose a scheme to distributelarge CRLs efficiently across wide regions in VANETs. In[39], a scheme is proposed to distribute the load of a serverto a set of participating clients. The authors introduce a newclass of graphs that support efficient and fault-tolerant revo-cation. In [40], Wasef et al propose a distributed certificate-service scheme for VANETs. The scheme aims to offer flexi-ble interoperability for certificate service in heterogeneousadministrative authorities and reduce the complexity ofcertificate management. In [41], Wasef et al propose anexpedite message authentication protocol for VANETs. Toauthenticate a message, vehicles should check if the certifi-cate of the sender is included in the CRL. The proposedprotocol replaces the time-consuming CRL checking processby an efficient revocation checking process.

8 CONCLUSION

We have proposed certificate revocation schemes for largescale AMI networks. The network is divided into clustersof SMs, and in order to alleviate the tradeoff between theoverhead at the certificate authority (CA) and the overheadat the clusters, we used Bloom filters to reduce the size ofthe CRLs in order to alleviate this tradeoff by increasingthe clusters’ size with acceptable overhead. To addressthe false positive issue of the Bloom filter, we proposedtwo revocation schemes called TBFV and FPCL to identifyand resolve the false positives. In order to evaluate theperformance of our schemes, mathematical model, VisualC, and ns-3 simulation results have been presented. Theresults have demonstrated that our mathematical results arealmost identical to the simulation results. Our evaluationsdemonstrated that our schemes are much more efficientthan the conventional CRL approach. In most cases, ourschemes require less than 33% of the overhead required inthe CRL approach. Overall we can claim that TBFV Pf = 0.15and FPCL can be used to distribute revocation informationwith the minimal impact on the network performance. Theysignificantly improve the network performance in termsof ETE delay an PDR compared to the conventional CRLmethod.

9 ACKNOWLEDGEMENT

This work is supported in part by US National ScienceFoundation under the grant number 1319087.

REFERENCES

[1] H. Liang, B. Choi, A. Abdrabou, W. Zhuang, and X. Shen, “Decen-tralized economic dispatch in microgrids via heterogeneous wire-less networks,” IEEE J. Selected Areas of Communications, vol. 30,no. 6, pp. 1061–1074, 2012.

[2] H. Farhangi, “The path of the smart grid,” IEEE Power and EnergyMagazine, vol. 8, no. 1, pp. 18–28, January 2010.

[3] N. Saputro, K. Akkaya, and S. Uludag, “A survey of routingprotocols for smart grid communications,” Comput. Netw., vol. 56,no. 11, pp. 2742–2771, Jul. 2012.

[4] A. Beussink, K. Akkaya, I. Senturk, and M. Mahmoud, “Preservingconsumer privacy on ieee 802.11s-based smart grid ami networksusing data obfuscation,” IEEE INFOCOM Workshop on Communi-cations and Control for Smart Energy Systems, Toronto, Canada, April2014.

[5] M. Mahmoud and X. Shen, “Esip: Secure incentive protocol withlimited use of public-key cryptography for multihop wirelessnetworks,” IEEE Transactions on Mobile Computing, vol. 10, no. 7,pp. 997–1010, 2011.

[6] R. Anderson and S. Fuloria, “Who controls the off switch?” inFirst IEEE International Conference on Smart Grid Communications(SmartGridComm), October 2010, pp. 96–101.

[7] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams,“X.509 internet public key infrastructure online certificate sta-tus protocolocsp,” Available: http://www.ietf.org/rfc/rfc2560.txt, June1999.

[8] R. Housley, W. Polk, W. Ford, and D. Solo, “Internet x.509 publickey infrastructure certificate and certificate revocation list (crl)profile,” RFC 3280, IETF, April 2002.

[9] J. Haas, Y.-C. Hu, and K. Laberteaux, “Efficient certificate revo-cation list organization and distribution,” IEEE Journal on SelectedAreas in Communications, vol. 29, no. 3, pp. 595–604, March 2011.

[10] M. Nowatkowski, “Certificate revocation list distribution in vehic-ular ad hoc networks,” PhD thesis, Georgia Institute of Technology,May 2010.

[11] M. Raya, P. Papadimitratos, I. Aad, D. Jungels, and J.-P. Hubaux,“Eviction of misbehaving and faulty nodes in vehicular net-works,” Selected Areas in Communications, IEEE Journal on, vol. 25,no. 8, pp. 1557–1568, Oct 2007.

[12] G. Hiertz, S. Max, R. Zhao, D. Denteneer, and L. Berlemann,“Principles of ieee 802.11s,” in International Conference on ComputerCommunications and Networks (ICCCN’7), August 2007, pp. 1002–1007.

[13] T. R. Henderson, M. Lacage, G. F. Riley, C. Dowell,and J. B. Kopena, “Network simulations with the ns-3 simulator,” SIGCOMM’08 Demos, 2008, code available:http://www.nsnam.org/releases/ns-3.1.tar.bz2.

[14] R. Castellanos and P. Millan, “Design of a wireless communica-tions network for advanced metering infrastructure in a utility incolombia,” in Proc. of IEEE Communications Conference (COLCOM),May 2012, pp. 1–6.

[15] W. Wang, Y. Xu, and M. Khanna, “A survey on thecommunication architectures in smart grid,” Computer Networks,vol. 55, no. 15, pp. 3604 – 3629, 2011. [Online]. Available:http://www.sciencedirect.com/science/article/pii/S138912861100260X

[16] A. Kumar, J. J. Xu, J. Wang, O. Spatschek, and L. E. Li, “Space-codebloom filter for efficient per-flow traffic measurement,” in Proc. ofIEEE INFOCOM, 2004, pp. 1762–1773.

[17] H. Shi, B. Schmidt, W. Liu, and W. Muller-Wittig, “A parallel algo-rithm for error correction in high-throughput short-read data oncuda-enabled graphics hardware,” Journal of Computational Biology,vol. 17, no. 4, pp. 603–615, 2010.

[18] B. H. Bloom, “Space/time trade-offs in hash coding with allowableerrors,” CACM, vol. 13, no. 7, pp. 422–426, 1970.

[19] L. Fan, P. Cao, J. Almeida, and A. Broder, “Summary cache:a scalable wide-area web cache sharing protocol,” Networking,IEEE/ACM Transactions on, vol. 8, no. 3, pp. 281–293, Jun 2000.

[20] NIST, “Digital hash standard,” Fed. Information Processing StandardsPublication 180-1, April 1995.

[21] ——, “Fips 186-3: Digital signature standard,” 2009.[22] W. Dai, “Crypto++ library 5.6.0,” http://www.cryptopp.com, last re-

trieved 2014.[23] M. Szydlo, “Merkle tree traversal in log space and time,” Advances

in Cryptology - EUROCRYPT - Lecture Notes in Computer Science,vol. 3027, pp. 541–554, 2004.

[24] A. J. Menezes, P. van Oorschot, and S. Vanstone, “Handbook ofapplied cryptography,” CRC Press, 1996.

[25] N. Saputro and K. Akkaya, “On preserving user privacy in smartgrid advanced metering infrastructure applications,” Security andCommunication Networks, vol. 7, no. 1, pp. 206–220, 2014. [Online].Available: http://dx.doi.org/10.1002/sec.706

[26] B. Milic and M. Malek, “Npart-node placement algorithm forrealistic topologies in wireless multihop network simulation,” inProceedings of the 2nd International Conference on Simulation Toolsand Techniques. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2009, p. 9.


[27] “Korean electric power research institute,” 2013. [Online].Available: http://www.kepri.re.kr/

[28] H. Khurana, M. Hadley, N. Lu, and D. Frincke, “Smart-gridsecurity issues,” IEEE Security and Privacy, vol. 8, no. 1, pp. 81–85, 2010.

[29] A. Metke and R. Ekl, “Security technology for smart grid net-works,” IEEE Transactions on Smart Grid, vol. 1, no. 1, pp. 99–107,June 2010.

[30] M. Mahmoud, J. Misic, and X. Shen, “Efficient public-key cer-tificate revocation schemes for smart grid,” Proc. of IEEE GlobalCommunication Conference, Atlanta, GA, USA, December 9-13 2013.

[31] P. Wohlmacher, “Digital certificates: A survey of revocation meth-ods,” in Proc. of the ACM Workshops on Multimedia, Los Angeles,California, USA, 2000, pp. 111–114.

[32] F. Zhao, Y. Hanatani, Y. Komano, B. Smyth, S. Ito, and T. Kam-bayashi, “Secure authenticated key exchange with revocation forsmart grid,” Innovative Smart Grid Technologies (ISGT), pp. 1–8,2012.

[33] D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracingschemes for stateless receivers,” Advances in CryptologyCRYPTO,pp. 41–62, 2001.

[34] B. Vaidya, D. Makrakis, and H. Mouftah, “Effective public keyinfrastructure for vehicle-to-grid network,” Proceedings of the fourthACM international symposium on Development and analysis of intelli-gent vehicular networks and applications, pp. 95–101, 2014.

[35] S. Chan, M. Guizani, C. Chen, and J. Bu, “An enhanced publickey infrastructure to secure smart grid wireless communicationnetworks,” IEEE Network, pp. 11–16, 2014.

[36] K. Akkaya, K. Rabieh, M. Mahmoud, and S. Tonyali, “Customizedcertificate revocation lists for ieee 802.11s-based smart grid aminetworks,” 2014.

[37] M. Raya, D. Jungels, P. Papadimitratos, I. Aad, and J. P. Hubaux,“Certificate revocation in vehicular networks,” Swiss Fed. Inst.Technol., Lausanne, Switzerland, Tech. Rep. LCA-Rep.-2006-006, 2006.

[38] P. Papadimitratos, G. Mezzour, and J. Hubaux, “Certificate revo-cation list distribution in vehicular communication systems,” Proc.5th ACM Int. Workshop Veh. Inter-NETw., pp. 86–87, 2008.

[39] R. Wright, P. Lincoln, and J. Millen, “Efficient fault-tolerant certifi-cate revocation,” Proc. of CCS’00, 2000.

[40] A. Wasef, Y. Jiang, and X. Shen, “Dcs: An efficient distributed-certificate-service scheme for vehicular networks,” Vehicular Tech-nology, IEEE Transactions on, vol. 59, no. 2, pp. 533–549, Feb 2010.

[41] A. Wasef and X. Shen, “Emap: Expedite message authenticationprotocol for vehicular ad hoc networks,” Mobile Computing, IEEETransactions on, vol. 12, no. 1, pp. 78–89, Jan 2013.

Khaled Rabieh received the B.Sc. degree incomputer science from Ain-shams University,Cairo, Egypt, in 2004 and the M.Sc. degreein communications and information technologyfrom Nile University in 2012. He is currentlya research assistant and working toward thePh.D. degree at the Center for ManufacturingResearch, Department of Electrical and Com-puter Engineering, Tennessee Tech University,Cookeville, Tennessee, United states.

Mohamed M. E. A. Mahmoud received PhDdegree from the University of Waterloo in April2011. From May 2011 to May 2012, he workedas a postdoctoral fellow in the Broadband Com-munications Research group - University of Wa-terloo. From August 2012 to July 2013, heworked as a visiting scholar in University of Wa-terloo, and a postdoctoral fellow in Ryerson U-niversity. Currently, Dr Mahmoud is an assistantprofessor in Department Electrical and Comput-er Engineering, Tennessee Tech University, US-

A. The research interests of Dr. Mahmoud include security and privacypreserving schemes for smart grid communication network, mobile adhoc network, sensor network, and delay-tolerant network. Dr. Mahmoudhas received NSERC-PDF award. He won the Best Paper Award fromIEEE International Conference on Communications (ICC’09), Dresden,Germany, 2009. Dr. Mahmoud is the author for more than twenty threepapers published in major IEEE conferences and journals, such asINFOCOM conference and IEEE Transactions on Vehicular Technology,Mobile Computing, and Parallel and Distributed Systems. He serves asan Associate Editor in Springer journal of peer-to-peer networking andapplications. He served as a technical program committee member forseveral IEEE conferences and as a reviewer for several journals andconferences such as IEEE Transactions on Vehicular Technology, IEEETransactions on Parallel and Distributed Systems, and the journal ofPeer-to-Peer Networking.

Dr. Kemal Akkaya is an associate professorin the Department of Electrical and ComputerEngineering at Florida International University.He received his PhD in Computer Science fromUniversity of Maryland Baltimore County in 2005and joined the department of Computer Scienceat Southern Illinois University (SIU) as an as-sistant professor. Dr. Akkaya was an associateprofessor at SIU from 2011 to 2014. He wasalso a visiting professor at The George Washing-ton University in Fall 2013. His current research

interests include security and privacy, energy aware routing, topologycontrol, and quality of service issues in a variety of wireless networkssuch as sensor networks, multimedia sensor networks, smart-grid com-munication networks and vehicular networks. Dr. Akkaya is a memberof IEEE. He is the area editor of Elsevier Ad Hoc Network Journaland serves on the editorial board of IEEE Communication Surveysand Tutorials. He has served as the guest editor for Journal of HighSpeed Networks, Computer Communications Journal, Elsevier Ad HocNetworks Journal and in the TPC of many leading wireless networkingconferences including IEEE ICC, Globecom, LCN and WCNC. He haspublished over 90 papers in peer reviewed journal and conferences. Hehas received “Top Cited” article award from Elsevier in 2010.

Samet Tonyali is currently a Graduate ResearchAssistant in Computer Science Department atSouthern Illinois University Carbondale, USAand pursuing his Ph.D. degree in the same de-partment. He received the B.S. degree and theM.S. degree in Computer Engineering from Mar-mara University, Istanbul, TURKEY in 2011 and2013, respectively.

Documents

JOURNAL OF LA Scalable Certiﬁcate Revocation Schemes for ...mmahmoud/publications_files/Journals… · JOURNAL OF LATEX CLASS FILES, VOL. –, NO. –, 1 Scalable Certiﬁcate Revocation