
A Lightweight Anonymous Device Authentication Scheme for Information-Centric Distribution Feeder Microgrid

2021-12-15 08:13:12
Computers, Materials & Continua, 2021, Issue 11

Anhao Xiang and Jun Zheng

Department of Computer Science and Engineering, New Mexico Institute of Mining and Technology, Socorro, 87801, NM, USA

Abstract: Distribution feeder microgrid (DFM), built on existing distribution feeder (DF), is a promising solution for modern microgrid. DFM contains a large number of heterogeneous devices that generate heavy network traffic and require a low data delivery latency. The information-centric networking (ICN) paradigm has shown a great potential to address the communication requirements of smart grid. However, the integration of advanced information and communication technologies with DFM makes it vulnerable to cyber attacks. Adequate authentication of grid devices is essential for preventing unauthorized accesses to the grid network and defending against cyber attacks. In this paper, we propose a new lightweight anonymous device authentication scheme for DFM supported by named data networking (NDN), a representative implementation of ICN. We perform a security analysis to show that the proposed scheme can provide security features such as mutual authentication, session key agreement, defending against various cyber attacks, anonymity, and resilience against device capture attack. The security of the proposed scheme is also formally verified using the popular AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. The computational and communication costs of the proposed scheme are evaluated. Our results demonstrate that the proposed scheme achieves significantly lower computational, communication and energy costs than other state-of-the-art schemes.

Keywords: Mutual authentication; information-centric networking; named data networking; distribution feeder microgrid; smart devices; AVISPA; security

1 Introduction

Smart grids provide a more reliable and efficient power supply than traditional power grids by incorporating advanced information and communication technologies (ICT) [1,2]. Microgrids are a subset of smart grids that achieve grid deployment in small regions. A microgrid acts as a single controlled entity that is formed by a group of interconnected load and demand resources with communication and control capabilities [3]. It has a well-defined electricity boundary with a limited number of connection points to the utility grid such that it can operate in either grid-connected or islanded mode.

Distribution feeder microgrid (DFM) has been proposed as a solution for modern microgrid which is built based on existing distribution feeder (DF) [3,4]. DFM utilizes advanced communication, control, and protection technologies to increase the sustainability, reliability, and resiliency of the grid and support very high penetration of distributed energy resources (DERs) [3,5]. The architecture of DFM is illustrated in Fig. 1, which contains a variety of demand and load entities such as consumer appliances, generators, energy storage, electrical vehicles (EVs), DERs, smart meters, synchrophasor devices, etc. The DFM gateway (DG) serves as the central control and management entity that connects the DFM to the utility grid.

Figure 1: System architecture of DFM

One of the major technical challenges faced by DFM is the communication demand of a large number of heterogeneous devices. A scalable networking and communication architecture is needed that can meet requirements such as low data delivery latency and heavy network traffic [6]. The information-centric networking (ICN) paradigm has been explored recently to address the requirements of smart grid communication [6-9]. Unlike the host-centric IP-based networking architecture, ICN adopts a content-centric communication model with novel features like data caching in network edge, data provenance, inherent multicast support, etc., which make it suitable for smart grid applications. C-DAX (Cyber-secure Data and Control Cloud) is an ICN-based solution proposed for the monitoring and control of smart grids [8]. Tourani et al. [6] proposed an ICN-based smart grid networking architecture called iCenS, which was shown to be effective in serving various types of smart grid traffic. Yu et al. [9] proposed a Content-Centric Networking (CCN) based advanced metering system (CCN-AMI) for smart grids. The CCN-AMI system is comprised of several components such as smart meters and a demand response management system (DRMS), and provides better traffic congestion control, mobility and cyber security. Ravikumar et al. [7] proposed an ICN-based smart grid architecture that consists of a three-level hierarchy for information flow including physical level, aggregation level, and computation level. The hierarchy specifies constituents and the interaction mechanism at each level. The proposed architecture adopts IEC 61850 as underlying communication stack for backward compatibility and adds the Information-Centric Network Protocol (ICNP) layer. Both [7] and [9] conducted a comprehensive performance analysis of the proposed ICN architectures, and the results show a great potential of applying ICN for smart grids.

In this paper, we consider a named data networking (NDN) based architecture to address the communication demand of DFM. NDN is a representative ICN architecture which has been shown as a promising solution for not only smart grid communication [6,7] but also the communication needs of applications of smart cities [10], smart campus [11], smart home [12], and smart healthcare [13]. In addition to communication requirements, another key technical challenge faced by DFM is to ensure the security and privacy of the grid. The integration of advanced ICT technologies in DFM makes it vulnerable to a number of cyber attacks such as man-in-the-middle (MITM) attacks, replay attacks, impersonation attacks, etc. Adequate authentication is essential for preventing unauthorized access to the grid network and defending against cyber attacks. Many authentication and key agreement protocols have been proposed for smart grids based on IP networking architecture. For example, Garg et al. [14] proposed an ECC (Elliptic Curve Cryptography) and FHMQV (Fully Hashed Menezes-Qu-Vanstone) based authentication scheme for smart metering infrastructure (SMI). Kumar et al. [15] proposed another ECC-based authentication scheme for smart grid device and utility center communication. Chen et al. [16] proposed an ECC and bilinear pairing-based authentication scheme for smart grid communication. Zhang et al. [17] proposed a lightweight authentication scheme using symmetric cryptography, hash, and other lightweight operations.

There are some works on authentication protocols designed for ICN-based networking architectures, mainly for supporting various IoT communication scenarios. Similar to IP-based networking architecture, authentication also brings significant security benefits to ICN-based networking architecture [18]. Compagno et al. [18] proposed a secure IoT device onboarding protocol for ICN called OnboardICNg based on symmetric-key cryptography. It was shown in [19] that OnboardICNg incurs significantly lower time and energy overheads compared with the design based on asymmetric-key cryptography. LASeR, a secure IoT device authentication and routing scheme for NDN-based smart cities, was proposed in [20]. The device authentication of LASeR is based on the Pre-Shared Key Extensible Authentication Protocol (EAP-PSK). For ICN-based DFM, the authentication scheme should provide various security features including mutual authentication, session key agreement, defending against various attacks, anonymity, and resilience against device capture attack [15]. In addition, the majority of smart devices in DFM are resource-limited, which requires the authentication scheme to have low computational, communication, and energy costs.

The contributions of this paper are: (1) we propose a lightweight anonymous device authentication scheme for NDN-based DFM; (2) we perform an analysis of security requirements satisfied by the proposed scheme and formally verify its security by using the popular AVISPA (Automated Validation of Internet Security Protocols and Applications) tool [21]; and (3) we conduct a performance comparison of the proposed scheme with existing schemes to demonstrate that the proposed scheme achieves lower computational, communication, and energy costs.

The rest of this paper is organized as follows: Section 2 introduces system models and assumptions adopted in this paper. The proposed device authentication scheme for NDN-based DFM is presented in Section 3. In Section 4, we analyze security requirements satisfied by the proposed scheme followed by a formal security verification with the AVISPA tool. The performance of the proposed scheme in terms of computational, communication, and energy costs is evaluated and compared with other state-of-the-art schemes in Section 5. Finally, the conclusion of this paper is drawn in Section 6.

2 System Models and Assumptions

In this section, we introduce the network model of NDN-based DFM, the threat model, and their assumptions after an overview of NDN.

2.1 NDN Overview

NDN is a new ICN paradigm proposed as a candidate for future internet architecture. NDN assigns a unique name to a chunk of data or a so-called content object. NDN has two types of packets: Interest and Data packets. The Interest packet is issued by a consumer to request the desired data content using the unique name. The network will forward the Interest packet to the provider of the data content. The provider will reply with a Data packet back to the consumer which contains the name and actual content of the data. Interest and Data packets can have other fields besides the name of the data content. In our scheme, we only consider the name field in the Interest packet, and the name, content, and signature fields in the Data packet.

Routing of NDN is done through three data structures maintained by each NDN router: a Pending Interest Table (PIT), a Forwarding Information Base (FIB), and a Content Store (CS). The CS serves as the data cache of an NDN router. When an Interest packet arrives, the router will check if the name of the requested data content matches any record in the CS and serves the data if there is a match. Otherwise, the router will check the PIT to avoid forwarding a duplicated Interest packet. If no PIT entry can be found, the router will use the FIB to determine the appropriate interface to forward the Interest packet. In the meantime, the PIT will also be updated to indicate that the Interest packet is forwarded. The routing of the corresponding Data packet will simply use the reverse path identified in the PIT.

In NDN, a Data packet usually contains the name of the corresponding Interest packet. This duplication will tremendously increase the size of a Data packet when a long name is used for the corresponding Interest packet. This causes a significant problem when transmitting an NDN packet over a low power wireless link such as an IEEE 802.15.4 link due to its limited maximum physical packet size. Solutions relying on fragmentation and reassembly [22] could result in a significant increase in memory storage, processing complexity, and traffic amount. In this paper, we adopt a solution proposed in [23] that replaces a long Interest name with a short 1-byte HopID. The solution extends the PIT with two new columns: $HID_i$ and $HID_o$. For an Interest packet, each hop generates a 1-byte HopID and includes it in the name. The HopID will be stored in the $HID_o$ column, which should be unique within the local PIT and has the same lifetime as the corresponding PIT entry. When an Interest packet arrives at a hop, the HopID will be extracted from the Interest name and stored in the $HID_i$ column of the corresponding PIT entry. A new HopID will then be generated by the hop and stored in the $HID_o$ column of the same PIT entry. The new HopID will be included in the name of the outgoing Interest packet. This process will be performed in each intermediate hop until the Interest is served by the producer. The producer will extract the HopID from the $HID_i$ column and use it as the name of the responded Data packet. Intermediate hops that forward the Data packet will simply extract the HopID and look up the $HID_o$ column of the PIT for a match. If a match is found, the hop will replace the HopID of the Data packet with the HopID from the $HID_i$ column of the matched PIT entry before forwarding the Data packet.
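The HopID swap described above can be traced with a small simulation. This is an added example, not code from the paper or from [23]; the `Node` class, its method names and the sample prefix are assumptions made for illustration.

```python
import secrets

class Node:
    """NDN forwarder whose PIT carries the two extra columns HID_i and HID_o."""

    def __init__(self, label):
        self.label = label
        self.pit = []  # rows: {"prefix", "hid_i", "hid_o"}

    def _fresh_hop_id(self):
        # A HopID is one byte and must be unique among this node's HID_o values.
        used = {row["hid_o"] for row in self.pit}
        if len(used) == 256:
            raise RuntimeError("no free 1-byte HopID in this PIT")
        while True:
            hid = secrets.randbelow(256)
            if hid not in used:
                return hid

    def on_interest(self, prefix, hid_in=None):
        """Store the incoming HopID in HID_i (None at the consumer) and
        put a freshly generated one in HID_o and in the outgoing name."""
        hid_out = self._fresh_hop_id()
        self.pit.append({"prefix": prefix, "hid_i": hid_in, "hid_o": hid_out})
        return prefix, hid_out

    def produce(self, prefix, hid_in, content):
        """Producer side: the Data name is only the HopID taken from HID_i."""
        return hid_in, content

    def on_data(self, hid, content):
        """Match the Data's HopID against HID_o, then swap in HID_i."""
        for row in self.pit:
            if row["hid_o"] == hid:
                self.pit.remove(row)  # HopID lives only as long as the PIT row
                if row["hid_i"] is None:
                    return ("deliver", row["prefix"], content)
                return ("forward", row["hid_i"], content)
        return ("drop", None, None)  # no pending Interest: unsolicited Data


def round_trip(prefix, content, hops=2):
    """Send one Interest consumer -> relays -> producer and return the
    consumer's result plus what happens when the same Data is sent again."""
    consumer, producer = Node("consumer"), Node("producer")
    relays = [Node(f"relay{i}") for i in range(hops)]
    name, hid = consumer.on_interest(prefix)
    for relay in relays:
        name, hid = relay.on_interest(name, hid)
    data_hid, data = producer.produce(name, hid, content)
    first_data = (data_hid, data)
    for relay in reversed(relays):
        action, data_hid, data = relay.on_data(data_hid, data)
        assert action == "forward"
    result = consumer.on_data(data_hid, data)
    # The relay next to the producer has already consumed its PIT row.
    replay = relays[-1].on_data(*first_data)
    return result, replay
```

Because the Data packet carries only the 1-byte HopID, a hop can map it back to the full name only while the PIT row exists, which is why the second copy of the same Data is dropped.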

2.2 Network Model and Assumptions

We consider that all entities of a DFM shown in Fig. 1 are wirelessly connected to form a mesh network topology. The load and demand entities with communication and control capabilities in a DFM are referred to as smart devices. The majority of them have limited computational, memory, and energy resources. Each device has a unique and immutable real identity such as a Silicon-ID number [24]. The deployment of smart devices is done over time. The connection of a DFM to the utility grid is done through the DG, which is considered as resource-unconstrained. A smart device in a DFM may connect to the DG through a multi-hop path with the help of other devices. We also assume that a Trust Authority (TA) exists to serve DFMs of a utility service provider as shown in Fig. 1. The TA provides authentication and authorization services to bootstrap new smart devices into a DFM network.

2.3 Threat Model and Assumptions

The basic adversary model considered for the proposed scheme is the widely used Dolev-Yao (DY) model [25]. According to the model, all entities including smart devices and DG are not trustworthy. The messages between the entities are transferred through an open channel which can be eavesdropped, intercepted, and modified by an adversary. In addition, we assume that an adversary can compromise a session key and session states according to the Canetti and Krawczyk (CK) adversary model [26]. The adversary can also physically capture a device to extract the stored secret credentials by using sophisticated power analysis attacks [27]. Finally, we assume that the TA is a fully trusted entity and can’t be compromised.

Based on the threat model and assumptions, the proposed scheme aims to satisfy security requirements including message integrity, mutual authentication and session key agreement, perfect forward secrecy, anonymity, and resistance to various attacks.

3 Proposed Scheme

The proposed scheme consists of two phases: (1) device registration phase; (2) network discovery and authentication phase. Note that the TA is only involved in the device registration phase. Tab. 1 lists the notations and their descriptions used in this paper.

3.1 Device Registration Phase

Before being deployed in a DFM, a smart device S ($SD_S$) needs to be registered offline at the TA by the owner, who brings the device to the TA’s office to complete the registration through a secure channel [28]. During the registration process, $SD_S$ first sends its real identity $ID_S$ to TA. TA then generates a master secret $k_S$ and two random numbers $r_{TA-DG}$ and $r_{TA-SD_S}$ for $SD_S$. The pseudo-identity of $SD_S$ is then computed as $PID_S = H(ID_S \| k_S)$. TA also computes two secrets $A_S = H(ID_G \| PID_S \| r_{TA-DG})$ and $B_S = H(ID_S \| PID_G \| r_{TA-SD_S})$. Note that $ID_G$ and $PID_G$ are the real identity and pseudo-identity of DG, respectively. Finally, TA sends $PID_S$, $A_S$, and $r_{TA-SD_S}$ to $SD_S$, and then sends $PID_S$, $B_S$, and $r_{TA-DG}$ to DG. The device registration phase is illustrated in Fig. 2.

Table 1: Notations and their descriptions used in this paper

Figure 2: An illustration of device registration phase

3.2 Network Discovery and Authentication Phase

After the registration, $SD_S$ performs the network discovery and authentication phase to join the trusted network of a DFM. The procedure of this phase is illustrated in Fig. 3 and described as follows:

· $SD_S$ generates a random number $r_{SD_S-DG}$ and a HopID $HopID_S$, and then computes $C_1 = E_{A_S}(r_{SD_S-DG})$ and $S_1 = S_{A_S}(PID_S \| r_{SD_S-DG})$. After that, $SD_S$ generates an Interest with the name /Discover/$PID_S$/$C_1$/$S_1$/$HopID_S$. A PIT entry will be created with name prefix /Discover/$PID_S$/$C_1$/$S_1$, and $HopID_S$ is stored in the $HID_o$ column of this entry. This Interest will then be broadcast to all neighbors of $SD_S$.

· Upon receiving the broadcast Interest, a trusted neighbor device N ($SD_N$) can choose to help the network discovery and authentication process of $SD_S$ or not. If $SD_N$ wants to help the process, it will extract $HopID_S$ and $S_1$ from the received Interest. A PIT entry for the received Interest is created with name prefix /Discover/$PID_S$/$C_1$/$S_1$ and the $HID_i$ column set to $HopID_S$. $SD_N$ then generates a new HopID $HopID_N$ and stores it in the $HID_o$ column of the newly created PIT entry. A signature $S_2$ will be computed as $S_2 = S_{SK_{SD_N-DG}}(S_1 \| PID_G \| PID_N)$, where $SK_{SD_N-DG}$ is the session key shared between $SD_N$ and $DG$, and $PID_N$ is the pseudo-identity of $SD_N$. Finally, a new Interest is generated and sent to $DG$ with the name /Auth/$PID_G$/$PID_S$/$C_1$/$PID_N$/$S_2$/$HopID_N$. Note that a mapping from the new Interest name /Auth/$PID_G$/$PID_S$/$C_1$/$PID_N$/$S_2$ to the broadcast Interest name /Discover/$PID_S$/$C_1$/$S_1$ must be established at $SD_N$.

When the new Interest is forwarded through the trusted network of the DFM to $DG$, the HopID part of the Interest name will be replaced by a new HopID generated at each hop. Supposing the hop before $DG$ is a smart device M ($SD_M$) and its generated HopID is $HopID_M$, the name of the Interest received by $DG$ will be /Auth/$PID_G$/$PID_S$/$C_1$/$PID_N$/$S_2$/$HopID_M$. Without loss of generality, we assume that the Interest sent by $SD_N$ will be received by $DG$ directly.

· When $DG$ receives the Interest, a PIT entry with the name prefix /Auth/$PID_G$/$PID_S$/$C_1$/$PID_N$/$S_2$ will be created with the corresponding $HID_i$ set to $HopID_N$. It extracts $PID_S^*$ and $C_1^*$ from the Interest name. Then $A_S^*$ is computed as $A_S^* = H(ID_G \| PID_S^* \| r_{TA-DG})$, which is used to decrypt $C_1^*$ to obtain $r_{SD_S-DG}^* = D_{A_S^*}(C_1^*)$. After that, $DG$ computes $S_1^* = S_{A_S^*}(PID_S^* \| r_{SD_S-DG}^*)$ and $S_2^* = S_{SK_{SD_N-DG}}(S_1^* \| PID_G \| PID_N^*)$. It then checks if $S_2^* = S_2$. If not, the authentication process will be aborted. Otherwise, $SD_S$ is authenticated at $DG$, which will then generate two random numbers $r_{DG-SD_S}$ and $r_{SD_S-SD_N}$. The two random numbers are used to generate the session key between $SD_S$ and $SD_N$ as $SK_{SD_S-SD_N} = H(A_S^* \| B_S \| r_{SD_S-DG}^* \| r_{SD_S-SD_N})$ and the session key between $SD_S$ and $DG$ as $SK_{SD_S-DG} = H(A_S^* \| B_S \| r_{SD_S-DG}^* \| r_{DG-SD_S})$. $DG$ will prepare the Data packet by computing $C_2 = E_{SK_{SD_N-DG}}(SK_{SD_S-SD_N})$, $C_3 = E_{B_S}(r_{DG-SD_S} \| r_{SD_S-SD_N})$, and $S_3 = S_{B_S}(r_{DG-SD_S} \| r_{SD_S-SD_N} \| PID_G \| PID_N)$, which are included as the content. $DG$ will generate a signature for the Data packet as $S_4 = S_{SK_{SD_N-DG}}(C_3 \| S_3 \| SK_{SD_S-SD_N})$. Then $HopID_N$ is retrieved from the $HID_i$ column of the corresponding PIT entry and will be used as the name of the Data packet. The Data packet will be sent back to $SD_N$.

· When $SD_N$ receives the Data packet, it first extracts $HopID_N$ from the name and looks up the $HID_i$ column of the matched PIT entry to find the next hop’s HopID $HopID_S$, which will be used as the name of the new Data packet sent back to $SD_S$. Then $SD_N$ will extract $C_2^*$, $C_3^*$, $S_3^*$ from the content of the received Data and obtain the session key $SK_{SD_S-SD_N}$ by decrypting $C_2^*$ with $SK_{SD_N-DG}$. After that, it generates $S_4^* = S_{SK_{SD_N-DG}}(C_3^* \| S_3^* \| SK_{SD_S-SD_N}^*)$ and verifies if $S_4^* = S_4$. If not, the authentication process will be aborted. Otherwise, $SD_N$ sends a Data packet to $SD_S$ whose content includes $PID_G$, $PID_N$, and $C_3$, with the name $HopID_S$ and the signature $S_3$.

· Upon receiving the Data packet from $SD_N$, $SD_S$ first computes $B_S^* = H(ID_S \| PID_G^* \| r_{TA-SD_S})$ and obtains $r_{DG-SD_S}^*$ and $r_{SD_S-SD_N}^*$ by decrypting $C_3^*$ with $B_S^*$. Then $SD_S$ computes $S_3^* = S_{B_S^*}(r_{DG-SD_S}^* \| r_{SD_S-SD_N}^* \| PID_G^* \| PID_N^*)$ and verifies if $S_3^* = S_3$. If not, the authentication process will be aborted. Otherwise, $SD_S$ authenticates $DG$ as legitimate and computes the two session keys $SK_{SD_S-SD_N} = H(A_S \| B_S^* \| r_{SD_S-DG} \| r_{SD_S-SD_N}^*)$ and $SK_{SD_S-DG} = H(A_S \| B_S^* \| r_{SD_S-DG} \| r_{DG-SD_S}^*)$.

Note that there could be multiple neighboring devices helping the authentication of $SD_S$. For Interest packets received from different neighboring devices, $DG$ will keep using the same $r_{DG-SD_S}$ so that the session key between $SD_S$ and $DG$ remains the same. $DG$ will generate a different $r_{SD_S-SD_N}$ for each neighboring device so that the session keys between $SD_S$ and neighboring devices are different.
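The registration of Section 3.1 and the message flow above can be run end to end as follows. This is an added example, not the authors' implementation: truncated HMAC-SHA256 stands in for AES-CMAC and an XOR pad derived from the key stands in for AES-128 so that it runs on the Python standard library alone, HopID handling is left out, and all function names and sample identities are assumptions.

```python
import hashlib, hmac, os

class AuthAbort(Exception):
    """A signature check failed, so the authentication run is aborted."""

def H(*parts):       # H(a||b||...), 16-byte output as the paper assumes
    return hashlib.sha256(b"".join(parts)).digest()[:16]

def S(key, *parts):  # stand-in for AES-CMAC: truncated HMAC-SHA256
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def E(key, data):    # stand-in for AES-128: XOR with a key-derived pad
    assert len(data) <= 32          # demonstration only, not for deployment
    pad = hashlib.sha256(b"pad" + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

D = E                # XOR is its own inverse

def check(expected, received):
    if not hmac.compare_digest(expected, received):
        raise AuthAbort("signature mismatch")

def flip(blob):      # what an adversary on the open channel might do to a field
    return bytes([blob[0] ^ 1]) + blob[1:]

def ta_register(id_s, id_g, pid_g):
    """Section 3.1: TA derives PID_S, A_S, B_S and gives each side its share."""
    k_s, r_ta_dg, r_ta_sds = os.urandom(16), os.urandom(8), os.urandom(8)
    pid_s = H(id_s, k_s)[:4]        # 4-byte PID, per the paper's size assumption
    a_s, b_s = H(id_g, pid_s, r_ta_dg), H(id_s, pid_g, r_ta_sds)
    device = {"id": id_s, "pid": pid_s, "a": a_s, "r_ta": r_ta_sds}
    dg_record = {"pid": pid_s, "b": b_s, "r_ta": r_ta_dg}
    return device, dg_record

def sds_discover(dev):
    dev["r"] = os.urandom(8)        # r_{SD_S-DG}
    return {"pid_s": dev["pid"], "c1": E(dev["a"], dev["r"]),
            "s1": S(dev["a"], dev["pid"], dev["r"])}

def sdn_forward(disc, pid_g, pid_n, sk_n_dg):
    s2 = S(sk_n_dg, disc["s1"], pid_g, pid_n)
    return {"pid_s": disc["pid_s"], "c1": disc["c1"], "pid_n": pid_n, "s2": s2}

def dg_authenticate(auth, rec, id_g, pid_g, sk_n_dg):
    a_s = H(id_g, auth["pid_s"], rec["r_ta"])           # A_S recomputed at DG
    r = D(a_s, auth["c1"])
    s1 = S(a_s, auth["pid_s"], r)
    check(S(sk_n_dg, s1, pid_g, auth["pid_n"]), auth["s2"])   # S_2* == S_2 ?
    r_dg, r_n = os.urandom(8), os.urandom(8)
    sk_s_n, sk_s_dg = H(a_s, rec["b"], r, r_n), H(a_s, rec["b"], r, r_dg)
    c3 = E(rec["b"], r_dg + r_n)
    s3 = S(rec["b"], r_dg, r_n, pid_g, auth["pid_n"])
    data = {"c2": E(sk_n_dg, sk_s_n), "c3": c3, "s3": s3,
            "s4": S(sk_n_dg, c3, s3, sk_s_n)}
    return data, sk_s_dg

def sdn_relay(data, pid_g, pid_n, sk_n_dg):
    sk_s_n = D(sk_n_dg, data["c2"])
    check(S(sk_n_dg, data["c3"], data["s3"], sk_s_n), data["s4"])  # S_4* == S_4 ?
    return {"pid_g": pid_g, "pid_n": pid_n, "c3": data["c3"], "s3": data["s3"]}, sk_s_n

def sds_finish(dev, data):
    b_s = H(dev["id"], data["pid_g"], dev["r_ta"])      # B_S recomputed at SD_S
    plain = D(b_s, data["c3"])
    r_dg, r_n = plain[:8], plain[8:]
    check(S(b_s, r_dg, r_n, data["pid_g"], data["pid_n"]), data["s3"])  # S_3* == S_3 ?
    return H(dev["a"], b_s, dev["r"], r_n), H(dev["a"], b_s, dev["r"], r_dg)

def run(tamper=None):
    """One full run; `tamper` names the message field modified in transit."""
    id_s, id_g, pid_g, pid_n = b"IDS1", b"IDG1", b"PG01", b"PN01"  # constructed values
    sk_n_dg = os.urandom(16)        # SD_N is already trusted and shares a key with DG
    dev, rec = ta_register(id_s, id_g, pid_g)
    disc = sds_discover(dev)
    if tamper == "c1":              # modified between SD_S and SD_N
        disc["c1"] = flip(disc["c1"])
    auth = sdn_forward(disc, pid_g, pid_n, sk_n_dg)
    data, dg_key = dg_authenticate(auth, rec, id_g, pid_g, sk_n_dg)
    if tamper == "c3":              # modified between DG and SD_N
        data["c3"] = flip(data["c3"])
    fwd, n_key = sdn_relay(data, pid_g, pid_n, sk_n_dg)
    if tamper == "fwd":             # modified between SD_N and SD_S
        fwd["c3"] = flip(fwd["c3"])
    s_n_key, s_dg_key = sds_finish(dev, fwd)
    return {"sds_dg": (s_dg_key, dg_key), "sds_sdn": (s_n_key, n_key)}

def aborts(tamper):
    try:
        run(tamper)
    except AuthAbort:
        return True
    return False
```

Each of the three tampering points is caught by a different party: $DG$ rejects a modified $C_1$ through $S_2$, $SD_N$ rejects a modified $C_3$ through $S_4$, and $SD_S$ rejects it through $S_3$.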

Figure 3: An illustration of network discovery and authentication phase

4 Security Analysis

In this section, we perform an analysis of security requirements satisfied by the proposed scheme and formally verify its security by using the AVISPA tool.

4.1 Informal Security Analysis

Based on the threat model specified in Section 2.3, the proposed scheme can satisfy the following security requirements.

1) Message integrity: The proposed scheme generates a message signature by using the AES-CMAC algorithm to ensure message integrity. Secrets $A_S$, $B_S$ and secure session key $SK_{SD_N-DG}$ are used as keys for the AES-CMAC algorithm. Since an adversary can’t obtain these cryptographic materials from intercepted messages, they can’t forge a legitimate message signature after modifying a message.

2) Mutual authentication and session key agreement: Mutual authentication is performed to verify the legitimacy of participating entities. In the proposed scheme, the mutual authentication between $SD_S$ and $DG$ is achieved by using secrets $A_S$ and $B_S$. $DG$ authenticates $SD_S$ by verifying $S_2^*$ with secret $A_S$ and session key $SK_{SD_N-DG}$. Similarly, $SD_S$ authenticates $DG$ by verifying $S_3^*$ with secret $B_S$.

In the proposed scheme, after performing mutual authentication for a session, a symmetric session key is established between $SD_S$ and $DG$ as $SK_{SD_S-DG} = H(A_S \| B_S \| r_{SD_S-DG} \| r_{DG-SD_S})$, which can be used to encrypt subsequent communication. Similarly, a symmetric session key between $SD_S$ and its neighbor $SD_N$ is established as $SK_{SD_S-SD_N} = H(A_S \| B_S \| r_{SD_S-DG} \| r_{SD_S-SD_N})$, which can be used to support secure communication between neighboring devices.

3) Perfect forward secrecy: Perfect forward secrecy ensures that the compromising of long-term secret information of legitimate entities (smart devices and $DG$) by an adversary should not compromise the session keys established in previous sessions. The proposed scheme generates three random numbers $r_{SD_S-DG}$, $r_{DG-SD_S}$, and $r_{SD_S-SD_N}$ to compute the two session keys $SK_{SD_S-DG}$ and $SK_{SD_S-SD_N}$ in each session. Without knowing the random numbers, the adversary can’t obtain the session keys of previous sessions. Thus, perfect forward secrecy is held by the proposed scheme.

4) Anonymity: Anonymity ensures that the real identity of an entity can’t be revealed by an adversary through intercepted messages. The proposed scheme uses a pseudo-identity for each entity that is computed from the real identity and a master secret generated by the TA. It’s infeasible for an adversary to compute the real identity without the knowledge of the master secret. Thus, anonymity is satisfied by the proposed scheme.

5) Resistance to impersonation attacks: We consider three cases of impersonation attacks for the proposed scheme:

· New device impersonation attack: To impersonate a legitimate new smart device $SD_S$, an adversary needs to generate a valid Interest as the network discovery and authentication request broadcast to neighboring devices. However, the adversary doesn’t have the knowledge of $A_S$ to compute $C_1$ and $S_1$ to generate a valid Interest. Thus, the proposed scheme can resist the new device impersonation attack.

· Neighboring device impersonation attack: To impersonate a legitimate neighboring device, an adversary needs to generate a valid Interest sent to $DG$. However, the adversary doesn’t have the knowledge of $SK_{SD_N-DG}$ to compute $S_2$ to generate a valid Interest. Thus, the proposed scheme can resist the neighboring device impersonation attack.

· DG impersonation attack: To impersonate a legitimate $DG$, an adversary needs to interpret a received Interest and generate a valid Data as the response, which is impossible since the adversary doesn’t have the knowledge of $A_S$ and $B_S$. Thus, it’s infeasible for an adversary to launch the $DG$ impersonation attack.

6) Resistance to replay attacks: An adversary can intercept the transmitted messages and replay them at a later time. In the proposed scheme, the adversary can’t generate the session keys from the intercepted messages. To generate the session keys, the adversary needs to know $A_S$ and $B_S$, and the three random numbers $r_{SD_S-DG}$, $r_{DG-SD_S}$, and $r_{SD_S-SD_N}$, which can’t be obtained from the intercepted messages. Therefore, the proposed scheme can resist replay attacks.

7) Resistance to MITM attacks: An adversary can launch MITM attacks by intercepting the transmitted messages and trying to make two legitimate entities believe that they communicate with each other directly. To make this happen, the adversary has to know $A_S$ and $B_S$, or $SK_{SD_N-DG}$, which are infeasible to obtain from the intercepted messages. Thus, the proposed scheme can resist MITM attacks.

8) Resilience against device capture attack: A smart device deployed in the wild could be physically captured by an adversary. Based on the threat model discussed in Section 2.3, the adversary can obtain the secret credentials for authentication such as $PID_S$, $A_S$, and $B_S$ from a stolen device by using power analysis attacks [27]. Such side-channel attacks are difficult to defend against unless the device is tamper-resistant [29]. However, the computation of the secret credentials such as $A_S$ and $B_S$ involves $ID_S$, a unique and immutable identity, so that they are distinct for all smart devices in the DFM network. Thus, the adversary can’t compute the session keys between $DG$ and other non-compromised devices using the secret credentials of the captured device. Such a security property is called unconditional security against device capture attack [15,24,30-32]. Therefore, the proposed scheme is resilient against device capture attack.

4.2 Formal Security Verification

In this section, we formally verify the security of the proposed scheme by using the AVISPA tool, which is designed for the analysis of large-scale internet security-sensitive protocols [21].

In AVISPA, the protocol actions and security requirements are described with a language called the High-Level Protocol Specification Language (HLPSL). AVISPA generates an intermediate format (IF) file from the input HLPSL file by using the HLPSL2IF translator and passes the intermediate file to an AVISPA backend. The backend will verify the protocol security and generate a security report. AVISPA has four different backends: On-the-fly Model-Checker (OFMC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree Automata-based Protocol Analyzer (TA4SP). Users can choose suitable backends for protocol security verification.

HLPSL is a role-based language that contains two types of roles: basic role and composition role. Figs. 4-6 describe the initial parameters, states, and transitions for the three basic roles ($SD_S$, $SD_N$, and $DG$) involved in the authentication process. The composition roles are specified in Fig. 7. The session role instantiates the parameters of the basic roles. The environment role contains the global variables and specifies the sessions of the protocol. Finally, the security goals of the proposed scheme are also specified in Fig. 7, which test the strength of session keys against various attacks and verify the establishment of mutual authentication. Fig. 8 shows the outputs of the OFMC and CL-AtSe backends, which prove the proposed scheme is safe against both backends.

5 Performance Analysis

In the following sections, we evaluate the communication, computation, and energy costs of the proposed scheme and compare them with those of OnboardICNg [18] and LASeR [20]. OnboardICNg and LASeR adopt similar system architectures as the proposed scheme. Tab. 2 shows the mapping of the entities of OnboardICNg and LASeR to those of the proposed scheme. Since $DG$ is resource-unconstrained, our analysis concentrates on resource-limited smart devices. We assume that there are $n$ neighbor devices helping the authentication process.

5.1 Communication Cost

In this section, we evaluate the communication cost of the proposed scheme during the network discovery and authentication phase in terms of the number of exchanged messages and the number of bytes sent and received by smart devices. We use IEEE 802.15.4 as the underlying link layer, which has a maximum frame size of 127 bytes.

Figure 4: Specification of the $SD_S$ role

Figure 5: Specification of the $SD_N$ role

Figure 6: Specification of the DG role

Since the communication between $SD_S$ and $SD_N$ is untrusted during the authentication process, an 802.15.4 frame exchanged between $SD_S$ and $SD_N$ does not carry the signature, which results in a size of 36 bytes for the header and footer. On the other hand, a frame exchanged within the trusted network of DFM requires the full 52-byte 802.15.4 header and footer. In addition, we consider the 1+0 encoding proposed for NDN packets [33]. Tab. 3 shows the fields and their corresponding sizes for NDN Interest and Data packets, where $S_T$ is the total size of name components TL (1B * number of name components), $S_N$ is the total size of the name values, and $S_C$ is the total size of the content. We assume that ID and PID are 4 bytes, a random number is 8 bytes, and outputs of electric signature, hash, and encryption operations are 16 bytes. Prefixes (/Discover and /Auth) are encoded in 1 byte. Based on the above assumptions, we compare the communication cost of the proposed scheme with those of OnboardICNg and LASeR in Tab. 4. For the two reference schemes, we compute the number of bytes sent and received by smart devices with and without HopID implemented. It can be seen that HopID can significantly reduce the communication overheads of the reference schemes, especially for LASeR, which also has long Interest names. Overall, the results show that the proposed scheme is significantly more lightweight than the two reference schemes in terms of the number of exchanged messages and the number of bytes sent/received by smart devices.

Figure 7: Specification of the Environment and Session role

5.2 Computational Cost

Tab. 5 compares the cryptographic operations performed by the proposed scheme with those of OnboardICNg and LASeR. In the table, $T_H$, $T_E$, $T_D$, $T_M$, and $T_{HM}$ represent execution times of operations of hash, AES-128 encryption and decryption, AES-CMAC, and HMAC, respectively. To measure the computation times of cryptographic operations, we used a Raspberry Pi 3 board as the smart device running OpenSSL C programming language libraries. The measured computation times of AES-128 encryption, AES-128 decryption, SHA-256, AES-CMAC, and HMAC are 4.36 μs, 4.47 μs, 2.69 μs, 5.54 μs, and 10.9 μs, respectively. We then compared the computation time of the proposed scheme with those of OnboardICNg and LASeR. As shown in Tab. 5, both the proposed scheme and LASeR are more computationally efficient than OnboardICNg. The new joining device of the proposed scheme has a lower computational time than that of LASeR when $n$ is less than 18. Note that LASeR does not establish session keys between the new joining device and its neighbor devices.

Figure 8: Outputs of OFMC and CL-AtSe backends

Table 2: Mapping of entities in different schemes

Table 3: NDN Interest (I) and Data (D) packets

5.3 Energy Cost

We estimated the computational energy cost by using the formula $E = V \cdot I \cdot t$, where $V$ is the voltage of the input power, $I$ is the current of the circuit, and $t$ is the computation time. Both $V$ and $I$ were obtained from the Raspberry Pi data sheet [34,35]. We estimated the communication energy cost by using the energy cost of sending and receiving one bit on the Raspberry Pi, which was measured as 0.029 μJ and 0.033 μJ, respectively. Fig. 9 compares the energy costs of a new joining device of the three schemes under different numbers of neighbor devices. Note that the communication costs of OnboardICNg and LASeR in Fig. 9 were estimated with HopID implemented for a fair comparison. The results show that the proposed scheme is more energy-friendly than the two reference schemes.

Table 4: Comparison of communication costs

Table 5: Comparison of computation costs

Figure 9: Comparison of energy costs (dj: OnboardICNg [18], SN2: LASeR [20], $SD_S$: proposed scheme)

6 Conclusion

In this paper, we propose a new lightweight anonymous device authentication scheme for NDN-based DFM. We perform an informal analysis of security requirements satisfied by the proposed scheme. Formal security verification of the proposed scheme is also carried out by using the popular AVISPA tool. We conduct a performance evaluation to compare the computational, communication, and energy costs of the proposed scheme with those of other schemes. The results of our security analysis and performance evaluation reveal that the proposed scheme has lower computational and communication overheads than other state-of-the-art schemes. In future, we plan to develop an efficient group key agreement scheme for smart devices in information-centric DFM. We will also research how to perform secure and reliable access control of smart devices in information-centric DFM.

Funding Statement: This material is based upon work funded by the National Science Foundation EPSCoR Cooperative Agreement OIA-1757207.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
