The Open Smart Grid Protocol (OSGP) is currently deployed in various countries in large-scale smart metering projects. The protocol was developed by the OSGP Alliance and published as a standard by the European Telecommunications Standards Institute (ETSI). Researchers from the European Network for Cyber Security (ENCS) have recently identified several security issues in the OSG Protocol, primarily the use of a weak digest function and the way the protocol utilizes the RC4 algorithm for encryption. A straight-forward oracle attack triggers the leakage of key material of the digest function. A paper titled, "Structural Weaknesses in the Open Smart Grid Protocol" by Klaus Kursawe and Christiane Peters with ENCS outlines how an attacker can make use of the simple protocol structure to send maliciously altered messages with valid authentication tags to the meters.
“We identified a number of vulnerabilities in the OSG Protocol, some of which can be used to completely recover the authentication- and encryption keys. The outlined attacks are just examples how to exploit the inherent weaknesses of the digest function and the RC4 stream cipher,†stated Christiane Peters during a meeting of the International Association for Cryptologic Research.
“The OSGP digest function does not adhere to any crypto standard, deviating from any best practice in the design of a secure message authentication code (MAC). The digest function is weak in the sense that each key bit affects only one message byte directly; this property allows the backward computation. In addition to replacing the digest function, adding some randomness to the message text may make it harder for an attacker to guess a plaintext message. Also RC4 should not be used (in this way). If a stream cipher should be used for smart-meter communications, a good choice would be the finalists of the eStream Contest,†Peters continued.
“If it is not an option to change ciphers, at least the recommendation to drop the first 768 bytes of keystream should be followed. However, we believe that the only clean way to resolve the security issues in the OSGP is to completely replace some of the algorithms involved, especially the digest function. Moreover, the standard does not seem to provide entity authentication that is assurance on the source of messages. Broadcasts are 'authenticated' using the weak digest function. This however provides only message authentication and not source authentication as would be done by appending a digital signature.
“Lessons to take away include: A standard such as the OSGP should use state-of-the-art crypto-graphic primitives. Moreover, algorithm agility is crucial as even those cryptographic primitives might expire during the lifetime of those devices. The absence of public-key cryptography to secure broadcasted firmware poses a very high risk. The encryption and message-authentication mechanisms were chosen to be lightweight, but not to be secure. While RC4 is probably friendlier to non-volatile memory it also needs a lengthy initialization to reduce the risk of biases in the key stream.
“Rather than using a stream cipher for encrypting messages averaging 100 bytes a block cipher in authenticated operation mode should be used. Authenticated ciphers such as AES- CCM or AES-GCM provide message authentication in encrypt-then-authenticate fashion and not as done in the OSGP as encrypt-and-authenticate. The usage of an authenticated cipher would also simplify the problem in OSGP with setting up encryption and authentication keys. If AES is not a feasible alternative due to performance or memory restrictions, an alternative would be a modern lightweight cipher such as PRESENT which has been recently included in the ISO/IEC 29192 standard,†Peters concluded.
