Efficient mutual authentication using Kerberos for resource constraint smart meter in advanced metering infrastructure

Abstract: The continuous development of information communication technology facilitates the conventional grid in transforming into an automated modern system. Internet-of-Things solutions are used along with the evolving services of end-users to the electricity service provider for smart grid applications. In terms of various devices and machine integration, adequate authentication is the key to an accurate source and destination in advanced metering infrastructure (AMI). Various protocols are deployed to lead the identification between two parties, which require high computation time and communicational bit operations for system development. Therefore, Kerberos-based authentication protocols were designed in this study with the assistance of elliptic curve cryptography to manage the mutual authentication between two parties and reduce the time and bit operations. The protocols were evaluated in a widely adopted tool, AVISPA, which builds an understanding of the proposed protocol and ensures mutual authentication without unauthorized knowledge. In addition, upon comparing security and performance assessments to the current schemes, it was found that the protocol in this study required less time and bits to transmit information. Consequently, it effectively provides multiple security features making it suitable for resource constraint smart meters in AMI.


Introduction
The integration of major advances in information communication technologies plays an important role in the smart grid. To illustrate, the energy systems could connect with devices, sensors, and systems utilizing the Internet-of-Things (IoT) technologies to enhance the supply and demand of electricity within the smart grid infrastructure. A traditional grid features a single-way connection mechanism with less data and fewer sensors. With the addition of the smart meter and the development of advanced metering infrastructure (AMI), an architecture for automated two-way communication is present between the smart meter and the utility company. It is a communication system that connects smart meters, electronic devices, and utility systems in a cycle to provide service and response. The AMI collects, distributes, measures, and evaluates the connectivity, touch, and communication capability with a smart grid [1]. On the other hand, the intelligent smart meter is a device with limited resources. As a result of its low processing capabilities, it has limited ability to execute time and bit operations at any moment during data transmission [2].
in the performance segment. In Section 5, the study is concluded with future directions for upcoming research trends.

Related work
In recent years, a significant number of standard cryptanalysis algorithms and authentication protocols have been deployed in AMI. A cryptographic mechanism rests on the principle of encryption, which is designed to ensure the confidentiality and integrity of information [10]. Two types of encryption are used in the smart grid: symmetric and asymmetric. Specifically, symmetric encryption uses one key for encryption on the sender side and the same key for decryption. Asymmetric encryption necessitates the use of two keys, namely, public and private keys, in which one key is used by the sender and the other key is used on the receiver side for decryption. Similarly, authentication is the key to verifying the identity of a user and device to protect the system from unauthorized access. It helps to check whether an object's identity is correct or not. Inadequate authentication due to loss of forward secrecy and anonymity may create a vulnerability through which an attacker accesses private information in the AMI environment [5]. Two types of authentication were examined: some authors produced one-way authentication to demonstrate the identification between user and utility server, and likewise, two-way authentication schemes have been proposed. Authentication together with encryption is an obligatory safety process to protect the privacy and integrity of information in the AMI [11]. Several methods have been presented with the use of the accompanying encryption and authentication techniques. Their benefits and drawbacks are described as follows.
To preserve the identification between two parties and reduce cryptographic computation time and bit overheads, Wu and Zhou [12] proposed a homographic message authentication approach to ensure smart meter and server identification. The main constraint of the proposed technique is that it did not ensure user anonymity at the server end, so this protocol presented only smart meter authentication. Hence, it absolutely decreased the time and bit operations. Then, Nicanfar et al. [13] addressed the issue by using ECC-based symmetric encryption based on a hash function. Although the security goal is desired, the scheme, due to the failure of forward secrecy, is unable to provide mutual authentication from the smart meters to the aggregator point. Another author follows the above direction through shortening the time and bit operations to scalable smart meter stability issues.
To reduce time and bit overheads, Tsai and Lo [14] suggested a new key management scheme using an asymmetric, public key-based technique. For this reason, an extra trusted anchor is needed, and another server is required for public-key verification. In the same year, Ferrag and Ahmim [15] proposed a novel identity-based encryption technique to authenticate the smart meter to the server, but the mechanism fails to consider forward secrecy and incurs high computation overhead for the bilinear pairing operation. To solve the matter, Diovu and Agee [16] proposed lightweight authentication using a message authentication code with the Advanced Encryption Standard during message encryption and RSA for session-key generation to achieve the targeted results and protect against several data attacks. However, the demerit of this technique is that RSA takes large computation time and communication bits for session-key generation. For the cloud distributed system, Tbatou et al. [17] employed Kerberos with ECC encryption for the reliable identification of two entities. The technique required high computation time for the Diffie-Hellman key exchange operation. Similarly, to preserve privacy from the smart meter to the utility server, Saxena and Choi [18] used certificate-less ECC-based cryptography to ensure privacy preservation, forward secrecy, and semantic security in the smart grid. It was found that this system did not control the high computation rate for the low-resource smart meter.
To solve the smart meter computation overhead problem, Wu et al. [7] proposed a lightweight provable key agreement protocol using a trusted authority (TA)-based key generation technique with the assistance of ECC and bilinear pairing. The initialization and registration phases are fully covered by the TA, and in the authentication phase the smart meter and aggregator point compute the session key themselves. This protocol effectively handles security and provides multiple security features. Apart from increasing the computation time, it uses heavy cryptographic time and bit operations for parameter identification during session-key generation. Furthermore, Braeken et al. [9] introduced novel key agreements for secure processing from the smart meter to substations, with methods to ensure identification with decreased time and bit operations between two entities. The protocol used RSA encryption with the MD5 authentication technique. Unfortunately, RSA-based approaches increase time and bit operations on the smart meter side during session-key generation. Alternatively, ECC uses the same level of bit and time operations as RSA and offers the same security benefits [19]. Moreover, as per result analysis, Khan et al. [2] argued that this protocol covers only smart meter authentication. To solve these issues, Chen et al. [20] devised anonymous two-way authentication initiated by the Diffie-Hellman key agreement technique by adopting public key cryptography, which significantly reduced the computation time cost; however, the public key infrastructure (PKI)-based key agreement strategy increased the communication bit operations on the smart meter side. Nevertheless, Sutradhar et al. [21] claimed that the technique requires more time for the verification of parameter identification.
Most of the previous protocols demonstrated that the system faced inadequate authentication due to the failure of anonymity and the loss of forward secrecy. In particular, inefficient authentication is vulnerable to unauthorized access that intercepts the system and creates scope for stealing information during data transmission. In addition, most of the works suffered from high computation time and communication bit operations, which is harmful for the resource constraint smart meters in AMI.

Proposed methodology
According to the analysis, the efficiency (performance) and security problems were attributed to the failure of authentication and encryption and to increased system complexity due to heavy computation time and communication bit overheads. The proposed technique is intended to deliver two-way authentication to overcome the unauthorized access issue. This study aims to achieve the best degree of data protection by improving authentication and using the Kerberos authentication protocol during encrypted data transmission, in which the asymmetric encryption scheme known as ECC is used. In this way, the computation time and communication bits are reduced. In addition, Kerberos-based approaches provide security features in terms of preserving forward secrecy and anonymity to ensure mutual authentication. A three-phase protocol is presented to overcome the existing limitations, with the architecture presented in Figure 1. The list of the symbols used in the proposed protocol is presented in Table 1.

Assumption
This study is based on the following assumptions:
(1) The new Kerberos-designed authentication is applicable for smart meter to aggregator points for transmitting operation.
(2) Initially, the proposed methodology establishes a connection to a Kerberos authentication server, which relies on a secure channel in an AMI.
(3) Efficient authentication techniques allow the main enhancements known as PKTAPP to be approved at the third stage of the Kerberos model.
(4) In the scenario of the smart meter and the aggregator point, the clocks are synchronized.

Initialization phase
The initialization phase generates a public/private key pair with the assistance of an elliptic curve with parameters <p, a, b, G, n, h>. In this curve, p denotes the large prime number of the specific elliptic curve, a refers to the first coefficient of the curve, and b represents the second coefficient of the curve. G is the generator point (base point), where the parameter G denotes (a, b), while n is the prime order of G and h is the cofactor of the group. These parameters are used in the following sections.

Registration phase
The registration phase is the second phase of the authentication protocol. During this phase, the smart meter and the Kerberos authentication server are registered over a secure channel. In the Kerberos model, the paradigm is driven by the AS (authentication server) and the TGS (ticket-granting server) in a secure channel. First, the smart meter takes its identity $ID_{SM}$ and password $PW$, with a time-stamp $T_{SM}$ attached for verification purposes, and requests a service ticket from the Kerberos authentication server for communicating with the aggregator point. Following that, the transmitted credentials are verified by the AS and referred to the ticket-granting server, which issues the smart meter service ticket. A similar process is initiated by the aggregator points for registration with the Kerberos authentication server. The process of registering the smart meter with the Kerberos authentication server is described below and visualized in Table 2.
Process SM to AS: The smart meter initiates $ID_{SM}$ and password $PW$, creates the time-stamp $T_{SM}$, and transmits them to the AS. Given that $PW$ and $ID_{SM}$ are considered the security parameters of SM, SM transmits $C = (ID_{SM} \parallel PW \parallel T_{SM})$.
Process AS to SM: In this stage, the credentials are received from SM. AS ensures that the message was sent only by the smart meter, and then checks whether $ID_{SM} = ID_{SM}$ and $PW = PW$ match the database of AS. This is based on the computation of $T_{AS} - T_{SM} \le$. When the time-stamp check succeeds, the next step is performed. Then, AS stores the smart meter identity $ID_{SM}$ and forwards it to the main server, where it is compared during the mutual authentication phase. Then, the session key between the smart meter and the ticket-granting server is computed as: AS sends the value $AS = (SK_{TGS} \parallel PW_{SM})$ to the SM.
Process SM to TGS: On receiving the data from AS, the smart meter first decrypts the packet with the smart meter $PW$ hash code and then checks the current time-stamp, $T_{SM} = T_{AS} \le$. If these elements match, the credential $SM = SK_{TGS}(T_{SM} \parallel ID_{SM})$ is sent with the assistance of AS, while the session key is sent to the ticket-granting server.
Process TGS to SM: TGS decrypts the message with the assistance of AS, since AS and TGS build a secure channel in the same environment in the Kerberos model. Following that, TGS verifies the current time-stamp $T_{SM} - T_{TGT} \le$ and checks $ID_{SM}$. When a positive result is obtained, a ticket $TGS = TKT_{AG}$ is created and sent to SM. Otherwise, the session is aborted.
If true, go to the next step; otherwise, abort.
Process SM: $T_{TGT} - T_{SM} \le$ is verified. Upon successful verification, the service ticket is obtained from TGS for the data transmission process, while the smart meter dash box saves the $TKT_{AG}$ for the next steps.
At this point, the domain authentication between SM and AS and AG in a secure channel is achieved. The same registration process is performed on the aggregator point when it meets the smart meter, according to all the above processes.

Mutual authentication phase
After the smart meter completes registration with the Kerberos server, mutual authentication is performed during data transmission between the smart meter and the aggregator point. The smart meter collects service tickets from the Kerberos server via the ticket-granting server, in which the ticket is issued during the registration phase. In this phase, a Kerberos extension is added to achieve mutual authentication. Kerberos allows three public-key extensions, namely, PKINIT, PKCROSS, and PKTAPP [17,21], in different scenarios of the Kerberos model. This work follows traditional Kerberos in the registration phase. Following successful registration, PKTAPP from the smart meter to the aggregator server is used for the mutual authentication phase. Furthermore, ECC-based encryption is used to execute the proposed protocol efficiently. The proposed system adopts a time-stamp along with a pseudo-random number, which is used for the freshness of every session key by verifying the exact appended parameter of SM within the aggregator point transmission, making the Kerberos model more robust. The steps of mutual authentication are presented in Table 3.
Step 1: In this step, the smart meter and aggregator point compute the private/public key using the aforementioned parameters from the initialization phase. Subsequently, the smart meter selects a random prime number that generates two elliptic curve groups including a, b of order p and generator point G, with a random private-key value $1 \le d \le n-1$. With a random number $P_{SM} \in Z^*$ and private key $d_{SM}$, the public key is calculated as $Q_{SM} = d_{SM} * G$ for secret key generation. Similar steps are performed by the aggregator point for key generation.
Step 2: After key generation, SM initiates mutual authentication with the aggregator point. SM selects the public key $Q_{AG}$, which it finds in the public directory, and selects $SM = TKT_{SM}$, which was taken from the Kerberos authentication server in the registration phase. The session time comparison generates the time-stamp $T_{SM} \le T_{AG}$ for session-key freshness, and the pseudo-random number $SM = R_{SM} * G_P$ is computed using the corresponding AG in ECC point multiplication. Following that, the appended parameter $SM = (TKT_{SM} \parallel Q_{AG} \parallel T_{SM} \parallel R_{SM})$ is sent to the aggregator point.
Step 3: After receiving the credential from SM, AG first extracts the message by using the private key of $Q_{AG} = d_{AG} * G$, while the time-stamp value $T_{SM} \le T_{AG}$ is checked. When this check is successful, the pseudo-random number is obtained through the AG point of $R_{SM} * G_P$, followed by the storing of the $TKT_{SM}$ of the smart meter for further processing. Subsequently, AG contacts the authentication server, as the smart meter did initially, to collect the $AG = TKT_{SM}$ identity for permission to access transmission with SM. The current time-stamp $T_{AG} \le T_{SM}$ is selected to calculate the session key $AG = SK_{AG} \in SK_{AG} = d_{AG} \times d_{SM} \times G$, followed by the transmission of $AG = (TKT_{SM} \parallel T_{AG} \parallel SK_{AG})$ to the smart meter.
Step 4: Upon receiving the appended value, the smart meter examines the current time-stamp $T_{SM} \le T_{AG}$, which originates from the SM in $G * P$. This is followed by the storing of $TKN_{AG}$ for further processing and the calculation of $SK_{SM} = d_{SM} \times d_{AG} \times G$. If the session key matches, the process continues to the next step. Otherwise, the session does not succeed.
Following the above process, the real message is prepared, which the smart meter sends together with the stored identity of $AG = TKT_{AG}$, the current time-stamp $T_{SM} \le T_{AG}$, and the SM session key. Subsequently, $SM = SK_{SM} \parallel M \parallel TKT_{AG} \parallel T_{SM}$ is sent to the AG.
Step 5: After AG opens the message with the help of $SK_{AG} = SK_{SM}$, $T_{SM} \le T_{AG}$ is compared, and the identity of the received $TKN_{AG}$ is checked. When all credentials are true, Message = Message also ensures that the received message source is real. Otherwise, the session does not succeed because of the changed value.
Step 6: Finally, the aggregator point sends $M4 = ACK\_SM$ to the smart meter.

Results and discussion
In this section, we present a result analysis in terms of security and performance. First, we carry out the security assessment, which covers informal criteria based on the cryptographic parameters employed and a formal evaluation with AVISPA. Second, the efficiency test, known as performance evaluation, reports the computation time and bit expense assessments. The threat model is assumed to be the Dolev-Yao model [10,17], with an attacker having access to systems and being able to intercept traffic between the SMs and the aggregator point. The attacker has the ability to resend captured messages to the SM or AG point, and also has the ability to inject malicious messages into the messages relayed between the two sides. The attacker may also impersonate the SM and the aggregator point in turn.

Security analysis (Informal)
In this section, the informal security of the suggested protocol is examined. This evaluation examines how each parameter is engaged and critically evaluates the security features it supplies (Table 4). In addition, the Dolev-Yao threat model is used in the proposed technique.

Security analysis (Formal)
According to Hasan et al.'s [7,22] protocol, this study was evaluated based on mutual authentication between the smart meter and the aggregator point. This section verifies the proposed protocol by using AVISPA, which is a role-based tool for measuring the security of a cryptographic method. It also automatically considers several elements, such as public key infrastructure, encryption, decryption, signature generation, and hash functions, while symmetric encryption and decryption are handled within the system. In addition to supporting the unlimited simulation of the session key and message basement, it is effective in determining protocol accuracy. AVISPA combines two back-ends, namely, the on-the-fly model-checker and the constraint-logic search engine. For the evaluation by AVISPA, the protocol was coded in the High-Level Protocol Specification Language (HLPSL) and tested by the back-ends. The HLPSL code is illustrated in Figure 2. The results on the goal section indicated that without the involvement of unauthorized parties, the proposed protocol preserved forward secrecy by SK1 through the smart meter and SK2 that was maintained from the aggregator point. While the protocol achieved mutual authentication, the Dolev-Yao model was considered as the intrusion model to confirm the effectiveness of the planned efficient authentication protocol. Based on the results shown in Figure 3, the designed mutual authentication protocol was secure in terms of SK1 and SK2, which are secret, as declared by the goal section. Moreover, the smart meter (SK2) and the aggregator point on the server side (SK1) authenticate themselves. Hence, the proposed scheme is free of unauthorized-access risk. The first segment, "SUMMARY," indicates whether the protocol built was unsafe or safe, or the evaluation was unclear. The second segment presents the "DETAILS," in which the explanation for the outcome of the "SUMMARY" section is highlighted. The remaining three parts, namely, "PROTOCOL," "GOAL," and "BACKEND," represent the name of the protocol, the goal defined during evaluation, and the back-end used in the evaluation, respectively.

During the registration phase, the proposed mechanism first proves domain authentication of the smart meter (SM) to the authentication server (AS) by using the password hash $SM = PW$, which is previously stored in the AS server. The same process with $AG = PW$ confirms domain authentication in the insecure channel. In addition, to mutually transmit their information, the system generates the smart meter $TKN_{SM}$ and $TKN_{AG}$, which are rechecked in the data transmission phase: if $TKN_{SM} = TKN_{AG}$ are the same, the message is exchanged; otherwise, the session is aborted by the Kerberos authentication server. Moreover, $SK_{AG} \in SK_{AG} = d_{AG} \times d_{SM} \times G$ and $SK_{SM} = d_{SM} \times d_{AG} \times G$. If the values match and are equal, then $SK_{AG} = SK_{SM}$, and the two parties are mutually authenticated.

Replay attack
The proposed protocol uses the time-stamp values $T_{AG} \le T_{SM}$ and $T_{SM} \le T_{AG}$; if the value changes, the connection is dropped immediately. In addition, to avoid the attack, every step from SM to AG generates key freshness in $R_{SM} = R_{SM} * G_P$ and $R_{AG} = AG * G_P$; without previous knowledge of the parameter, the adversary σ cannot obtain the pseudo-random number. So, the proposed system is protected from replay attack.

Man in the middle attack
The smart meter sends $SM = TKN_{SM} \parallel Q_{AG} \parallel R_{SM}$, and σ can only get $Q_{SM}$ and $Q_{AG}$, which are the only parameters publicly available in the channel. The $TKN_{SM}$ and $R_{SM}$ values cannot be extracted without knowledge of the previous parameters.

Impersonation attack
This system mutually authenticates by $SK_{AG} = SK_{SM}$, which contains the parameters $TKN_{AG} \parallel R_{AG} = AG * G_P \parallel T_{AG}$, which cannot be obtained without previous knowledge. Only SM and AG keep this information, so this protocol is protected from impersonation attack.

Support anonymity
In computer security and cryptography, forward secrecy is an asset that prevents an attacker who has recorded previous communications from finding the participants' identities. All messages passed between SM and AG are accompanied by the time-stamp value $T_{SM} = T_{AG}$. Because of randomness, a different value is used in each conversation. Initially, $TKN_{SM}$ and $TKN_{AG}$ are obtained from the AS server and used anonymously over the public channel; therefore, they are not understood by any unauthorized party. Thus, the adversary σ cannot get the real identity of the user, so this protocol keeps the identity anonymous.

Forward secrecy
Forward secrecy, also known as perfect forward secrecy, is a key agreement protocol feature that ensures that the session key will not be compromised in the short or long term. The protocol supports forward secrecy because the session key $SK_{AG} = SK_{SM}$ is built from $TKN_{SM} \parallel R_{AG} \parallel T_{AG} \parallel SK_{AG}$ and $TKN_{AG} \parallel R_{SM} \parallel T_{SM} \parallel SK_{SM}$: the time-stamps $T_{AG} \le T_{SM}$ and $T_{SM} \le T_{AG}$ and the pseudo-random number $R_{AG} = R_{SM}$ ensure the freshness of each message session, while the private keys of both sides ($d_{SM}$ and $d_{AG}$) provide confidentiality for both entities. Thus, the adversary has trouble cracking the combination of constantly shifting variables and highly protected private keys.
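
The freshness checks that the replay-attack argument relies on, as an added Python example that is not code from the authors: the receiver accepts a message only if its tag verifies, its time-stamp lies within an acceptance window, and its pseudo-random number has not been seen within that window. The window length, the HMAC tag binding ticket, time-stamp and pseudo-random number, the shared key, and all sample messages are assumptions constructed for this example; the 32-bit time-stamp and 128-bit pseudo-random number sizes follow the article.

```python
import hashlib
import hmac

MAX_SKEW = 5  # seconds; assumed acceptance window (the article's bound is not stated)


def make_tag(key, ticket, t_sm, r_sm):
    """HMAC over ticket || 32-bit time-stamp || 128-bit pseudo-random number."""
    body = ticket + t_sm.to_bytes(4, "big") + r_sm
    return hmac.new(key, body, hashlib.sha256).digest()


class FreshnessGuard:
    """Receiver-side check run by the aggregator point before any further processing."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # pseudo-random number -> time-stamp it arrived with

    def check(self, msg, now):
        expected = make_tag(self.key, msg["ticket"], msg["t_sm"], msg["r_sm"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad tag"
        if abs(now - msg["t_sm"]) > self.max_skew:
            return "reject: stale time-stamp"
        # Values older than the window can be forgotten: the time-stamp check
        # already rejects any message that would reuse them.
        self.seen = {r: t for r, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if msg["r_sm"] in self.seen:
            return "reject: replayed pseudo-random number"
        self.seen[msg["r_sm"]] = msg["t_sm"]
        return "accept"


def demo():
    """Feed one genuine message and three re-sent copies (all constructed) to the guard."""
    key = bytes(range(32))                       # constructed shared key
    guard = FreshnessGuard(key)
    t0 = 1_700_000_000                           # constructed time-stamp
    r_sm = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, 128 bits
    genuine = {"ticket": b"TKT_SM-constructed", "t_sm": t0, "r_sm": r_sm}
    genuine["tag"] = make_tag(key, genuine["ticket"], t0, r_sm)
    rewritten = dict(genuine, t_sm=t0 + 60)      # captured copy with a new time-stamp, old tag
    return [
        guard.check(genuine, now=t0 + 1),        # first delivery
        guard.check(genuine, now=t0 + 2),        # re-sent inside the window
        guard.check(genuine, now=t0 + 60),       # re-sent after the window
        guard.check(rewritten, now=t0 + 60),     # re-sent with a rewritten time-stamp
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last case shows why the time-stamp has to be covered by the tag: without that binding, a rewritten time-stamp would pass the window check.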

Performance of computation time operation
Following the comparison between recent works, the results in Table 5 demonstrate the cost of cryptographic protocol computation time for secret key generation, time of encryption/decryption, pseudo-random number generation, and time-stamp selection for system development. These were measured on a Core i5 3.20 GHz processor with 4 GB RAM, while the operations were implemented in Python version 3.4 with the crypto library for each cryptographic operation. Moreover, the service ticket generation was based on the Kerberos operation used in OpenSSL, which is the renowned open-source application for signature generation, verification, and distribution as a third party. Overall, the results indicated that the approach in this study required a shorter computation time for the session key generation (11.14 ms). Based on Figure 4, the proposed protocol required less computation time compared to the existing techniques.

Table 5 (computation cost per scheme; totals in ms):
(scheme reference missing): $6T_{ME} + 4T_{ESED} + 2T_{HO} + 2T_{HMAC} \cong 23.13$
[25]: $5T_{PM} + T_{B} + 2T_{ME} + 10T_{HO} \cong 18.96$
[9]: $2T_{PA} + 2T_{PM} + 2T_{E/D} + 2T_{PRNG} + 3T_{TS} + 1T_{TKNG} \cong 17.93$
[7]: $4T_{ME} + 4T_{PKED} + 2T_{HMAC} \cong 15.01$
Proposed: $2T_{PA} + 2T_{PM} + 2T_{E/D} + 2T_{PRNG} + 3T_{TS} + 1T_{TKNG} \cong 11.14$

token generation ≅ 3.250 ms are, respectively, total computation expenses is 11.14 ms. Based on

Performance of communication bit operations
The communication costs of the proposed protocol presented in Table 6 were compared to the existing schemes [7,9,23-25]. This comparison was based on the number of messages sent and received by the two parties, including the number of bytes connected with each transmission token. The proposed system carries a 128-bit pseudo-random number, 320 bits for ECC encryption and decryption, and a 32-bit time-stamp, together with the Kerberos ticket for initializing the smart meter to aggregator point session, which consists of 64 bits. The data shown in Figure 5 indicated that the proposed approach consumed fewer bits compared to the previous techniques.
[Figure 4: Comparison of computation time. Axis: computation time (ms).]
Based on Table 6:
• The communication cost of the proposed protocol used three messages, which is 672 bits.
• The communication cost used three messages [23] with 47,416 bits, which is approximately 84.78% increased from the proposed scheme.
• The communication cost used two messages [24] with 4,768 bits, which is approximately 85.90% increased from the proposed scheme.
• The communication cost used two messages [25] with 2,752 bits, which is approximately 75.58% increased from the proposed scheme.
• The communication cost used three messages [9] with 1,280 bits, which is approximately 47.50% increased from the proposed scheme.
• The communication cost used three messages [7] with 1,940 bits, which is approximately 65.36% increased from the proposed scheme.
According to the examination of computation time and communication bit assessment, the proposed scheme requires less time and operations with fewer bits than the prior scheme. According to the results, the smart meter side computation and communication overhead were greatly decreased, allowing both security and performance assessments to be managed equally.

Conclusion
With the rapid integration of data transmission systems based on numerous Internet-connected devices, the AMI is a perfect system in the smart grid. On the other hand, the lightweight operation, protection, reliability, and privacy of smart grids are issues of high importance to governments, businesses, and academics, among others. To overcome the current difficulties caused by inefficient authentication, high computation time, and communication bit overheads in AMI, Kerberos-based authentication with ECC-based cryptography was proposed to address the previously encountered issues. The proposed guidelines ensured a structured analysis, which reflected the techniques used by resource constraint smart meters in AMI. This outcome led to significantly lower computation time and communication bit operation costs in resource-constrained smart meters. Mutual authentication has been proven through the use of the widely adopted tool AVISPA. Moreover, this article has also demonstrated that the proposed protocol is safe from unauthorized access, as evaluated in both formal and informal ways. The current study managed a limited number of devices for validation in the AMI. Meanwhile, the dynamic device transmission for session key generation would be parallel to the applicability for smart meters to an aggregator point. Furthermore, it was confirmed in this study that the message transmission is more reliable in the AMI environment. Finally, it is hoped that the protocols in this study for the AMI could be built in a hierarchical manner to enhance the platform strength and liveliness in smart grid applications.