1. Field of the Invention
The present invention is directed generally toward the domain of network security, and in particular toward the use of the electrical distribution grid with a system for establishing the schematic location of nodes on the electrical distribution grid, as a key-courier network and as a means for authenticating the key requestor.
2. Background of the Invention
The electrical grid in the United States and most other areas of the world is historically divided into two networks: the transmission grid and the distribution grid. The transmission grid originates at a generation point, such as a coal-burning or atomic power plant, or a hydroelectric generator at a dam. DC power is generated, converted to high-voltage AC, and transmitted to distribution points, called distribution substations, via a highly controlled and regulated, redundant, and thoroughly instrumented high-voltage network. This high-voltage network has at its edge a collection of distribution substations. Over the last century, as the use of electrical power became more ubiquitous and more essential, and as a complex market in the trading and sharing of electrical power emerged, the technology of the transmission grid largely kept pace with the technological requirements of the market.
The second network, the distribution grid, is the portion of the electrical grid which originates at the distribution substations and has at its edge a collection of residential, commercial, and industrial consumers of energy. In contrast to the transmission grid, the technology of the distribution grid has remained relatively static since the mid-1930s until very recent years. Today, as concern grows over the environmental effects of fossil fuel usage and the depletion of non-renewable energy sources, interest has increased in augmenting the electrical distribution grid with communication instruments. The primary goals of this activity are energy-related—such as energy conservation, resource conservation, cost containment, and continuity of service. However, a side effect of establishing such networks is the ability to transmit information over an existing network, the distribution grid itself, which has special properties that enhance the security and particularly the authenticity and non-repudiability of transmitted messages.
Binary digital encryption has largely superseded all other forms of ciphers as the means of encoding sensitive communications in this digital age. Encryption and decryption algorithms require three components to work: the data itself (in the clear for encryption, or the encrypted string for decryption), a well-known algorithm, and a binary string called a key which must be known in order to drive the algorithm to produce the proper results.
Two major classes of encryption algorithms are in use and well-known in the art. In one class, the same key is used for both encryption and decryption, so that both the data source and the data destination have a copy of the key. These algorithms, typified by the Advanced Encryption Standard (AES), are known as symmetric key or shared secret methods. Such methods, especially AES itself, are favored for embedded or machine-to-machine applications because the algorithms are relatively low-cost in terms of code space and execution time, and because the keys are relatively short (128 to 256 bits at present). Also, if the data payload is carefully chosen, as little as one bit is added to the message length by the encryption process. This added length is called overhead.
Algorithms of the second major class are known as asymmetric key or public key methods. In these schemes, a different key is used to encrypt the data than is used to decrypt the data. The encryption key is publically known, so that anyone can send an encrypted message. The decryption key must be kept private in order to preserve message security. Public key methods are favored for lower-traffic applications such as client-server or web-service applications, where a broadband network and relatively powerful computers are used at both ends of a secure transaction. The keys are longer, the algorithms are more complex, and the overhead is higher than in symmetric key methods. One well-known method of mitigating the computational and data overhead of public key encryption is to use it only for initially authenticating and establishing a secure session, and exchanging a shared secret. Then longer messages can be exchanged using symmetric-key encryption.
The elements of data security include Privacy, Authentication, Integrity, and Non-repudiation (PAIN). Encryption itself provides only the privacy element, in that it ensures that an agency who is merely intercepting signals on a network cannot extract the information encoded in a signal sequence or message. Authentication is the process of ensuring that an agency initiating or responding to a secure transaction is who it claims to be and not a malicious intruder. Integrity refers to the ability to detect tampering with a message in transit, and either prevent it or make it evident. Non-repudiability means the sender cannot deny having sent the message which was received.
Regardless of the encryption method used, the primary security risks in data communications are not associated with “breaking” the encryption but with other elements of PAIN. Primarily, risks arise from the failure of one of these processes:                Authenticating the requestor of a key or a secure transaction        Authenticating the key authority (who may or may not be the agency who receives and decrypts the data)        Distributing keys in a secure manner        Establishing that a message actually originated with the purported sender and not some other party who gained access to the encryption key (including the purported receiver, who may self-generate a message and claim to have received it from the purported sender).        
Well-known means of ensuring full PAIN security involve both the use of a secure encryption algorithm and either a secure “out of band” means of exchanging keys, a trusted third party (TTP) responsible for generating and distributing keys, or both. The simplest example of this is the case of two individuals A and B who wish to exchange private messages over a computer network. They meet face to face and agree on a secret encryption key and an encryption algorithm. They then separate and use their shared secret to exchange private messages. Because the nature of (good) shared secret keys is such that the probability someone else will choose the same secret as A and B is very low, as long as neither party breaks the trust (reveals the secret), the digital conversation between A and B is private and authenticated. A and B could ensure integrity by making further agreements about the organization or contents (such as a hash code) of the messages. This method is never non-repudiable, however, because A could generate a message and claim that it came from B, and the message would be indistinguishable from one actually generated by B.
The best-known method for establishing a fully secure channel, known as the Diffie-Hellman method, is based on the existence of asymmetric-key encryption algorithms and is described in U.S. Pat. No. 4,200,770 to Hellman et al. In this method, A and B each begin with a pair of distinct asymmetric keys. B sends his public key to A, and A sends his public key to B. A and B now each employs his own private key and his correspondent's public key to generate a value called the shared secret, which is in itself a pair of asymmetric keys. The essence of the Diffie-Hellman method is the proof that the two mismatched pairs of public and private keys can, in fact, be used to independently generate the same shared secret. B then generates a symmetric key, using the “public” portion of the shared secret to encrypt it, and sends it to A. A uses the “private” portion of the shared secret to decrypt the symmetric key. Now, A and B can send private communications back and forth efficiently using the symmetric key. The last step is only needed because of the inefficiency of asymmetric keys as a bulk encryption method.
The Diffie-Hellman algorithm is known to be vulnerable to a form of security attack known as man-in-the-middle. In such attacks, the initial exchange of public keys is intercepted by the attacker, who substitutes different public keys for those sent by A and B. If the attacker can intercept both sides of the exchange long enough to learn the symmetric key, then the attacker can pretend to be either member of the secure exchange, and can eavesdrop on the conversation and even alter the information in transit. Public Key Infrastructures (PKIs) have been created to correct this. In a PKI, a trusted third party (TTP) is used by A and B to mediate the generation and exchange of keys. The TTP does this by combining the public keys with information that authenticates the party wishing to exchange information and with the digital signature of the TTP in a tamper-evident manner. Today, many widely used programs such as web browsers are pre-programmed to recognize and honor the format of such certificates and the signatures of widely-known TTPs, more commonly called Certificate Authorities or CAs.
In the year 2011, there were at least 2 documented cases where well-established and trusted CAs were hacked and fraudulent certificates were issued, allowing the fraudulent issuer to steal information. To date, the only remedy for this has been to revoke trust for CAs known to have issued fraudulent certificates. Additionally, some specialized security needs exist where it is insufficient to authenticate the requesting user or device. For example, a physician may be authorized to use a mobile device to access electronic patient records from her home or office, but not from an internet café or other public place. In this situation, it is necessary to authenticate not only that the user of the device is the physician, but that the device is not in a public place where a patient's privacy could be compromised. In the most extreme examples of highly-secured operations, it is undesirable for the requesting user's interface device to be connected to a conventional network at all.