1. Field of Invention
The present invention relates generally to using a portion of an electrical power grid network as an out-of-band or side-channel to enhance the security of various tasks, including, but not limited to, multifactor-authentication schemes, Strong and tamper-proof location binding and certification, securing transactions over a separate network (such as the Internet), tracking the location of electronic devices connected to the electrical grid, and authenticating the location of a person or device communicating with or attached to the separate network as well as to disseminate information via as many paths as possible in case of an emergency
2. Description of the Related Art
Time and again, experience has shown that network security is often an afterthought in designing network communications systems. This is true of the Internet, where the designers and architects of the Internet infrastructure and protocols did not consider that their creation would become the communication backbone of the world, and that it would end up transmitting and distributing nearly all types of communications, including voice, video, and data. As a result, security was not a consideration, until very recently. Today, there is a set of protocols for securing communications made using the Internet, but they are vulnerable.
Similarly, with the rapid growth in technologies and use of computers, those who sold such devices could never have thought that computing would become so ubiquitous and that their products—the personal computers and related operating systems that run them—would gradually become the “base platform” underlying increasingly larger numbers of systems. Consequently, security was never the main consideration in designing either the processors or the operating systems. Consequently, the most vulnerable components in communications networks are often the end-users' computers themselves.
To address these shortcomings, computer users are often forced to subscribe to anti-virus software services or purchase anti-virus software applications to track viruses and other software that act upon their computer systems. Some of the same vendor software used by end-users, however, include root-kits and other malware to, for example, monitor user's violations of license conditions. Thus, other than the most experienced computer and network security experts, most end users cannot be certain that their own computers have not been compromised after they have been in-operation for any period of time (even as short as a week).
Notwithstanding those vulnerabilities, people use their personal computers at their homes or other locations to remotely log into their banks and other personal accounts without a second thought as to security concerns, assuming, incorrectly, that there is “safety in numbers,” and that, in terms of probabilities, they will never be individually targeted by crooks. Their justification is often that their personal communications are not that valuable, and if victims are selected randomly, the chance that they will be attacked is very small.
It is not surprising that a personal computer as well as the communications networks the computer operates on are highly vulnerable to subversion. In fall 2008, it was reported that French President Nicoli Sarkusi's personal bank account was remotely accessed by hackers based in Niger. More recently, it was widely reported that computers owned and operated by the two leading U.S. presidential candidates' campaigns were remotely scanned by computer systems reported to be based in China. It was also reported that the entire sub-networks connecting most of the personal computers in the Dalai Lama's organization, as well as the computers themselves, were compromised by others. More recently, it was reported that unauthorized entities gained access to networks controlling electrical grids and scanned and tested the extent to which access into the network could be achieved. In spring 2009, it was also reported that several sensitive design details of the U.S. Joint Strike Fighter (JSF) aircraft were stolen from computers of one of the U.S. government contractors involved in the JSF development by remote entities. Thus, computer and network security is widely recognized as a pressing issue and in need of better, stronger security mechanisms.
Security experts and cryptologists have designed ever-more sophisticated mechanisms to defend against a “Man-in-the-Middle” (MITM) attack (in a more general sense a “malicious middleware/middle-entities” or simply a “Malicious-Middle” (MM) attack). In the strictest theoretical sense, at least one out-of-band communication is necessary to guard against the aforementioned vulnerabilities and actual attacks. However, increasing the diversity of such communication paths is a good practical way to hedge against the risk of a MitM or MM attack.
Closely related to the security issue is the vital concept of “trust”. Any infrastructure related to computer and network security must be backed up by a hierarchy of trusted entities. In the context of the Internet, this is achieved by creating and maintaining a “certification” infrastructure (which subsumes a PKI or “public-key-infrastructure”). However, it is known that certificate revocation and re-issuing processes have been exploited as vulnerabilities.
Current, state-of-the art security systems, apparata, and methods for securing communications or access to networks or remote computers typically deploy multifactor authentication. That is, such measures do not depend solely on signals transmitted via a single medium such as the Internet. Rather, they also use other independent communication paths to send a portion of the information being communicated (i.e., typically the authentication tokens during the initial phase of establishing a connection).
An example of this is the bank account-accessing procedure recently made available to the security-conscious users by some U.S. banks, such as Bank of America. A computer user seeking remote access to their bank account located on a bank server that is equipped with a security-enhanced protocol may be required to do two things. First, the user must follow the normal logon procedures, including confirming that a pre-determined image is displayed in the individual's browser as a minimalist defense against a “phishing” attack, and then enter the user's username/password and whatever else the bank might ask for. Second, in addition, the user may receive from the bank a random alphanumeric/ASCII character string via an alternate/side channel in the form of an SMS/text message sent to the user's mobile phone. The user must copy/enter that string in a password-like dialogue box on the user's computer browser within a certain (fairly short) time period. This random nonce serves as a “one-time authentication token”. This way, even if the user's home computer is compromised and someone is running a keyboard-logger to capture their bank username, password, etc., the random string is different each time and the bank will recognize and deny attempts to reuse old text strings. If the cell phone is also lost/stolen, then gaining access to the user's bank account is possible, but now the attacker's job is harder. The attacker must compromise the user's personal computer and be in possession of the SMS text account or physically steal the user's mobile phone.
To authenticate users of applications accessed over the Internet, strong strategies often require each user to pass multiple independent authentication challenges. Such challenges might involve knowledge of passwords, possession of physical tokens, biometrics, control of second channels, and proofs of physical location. For example, it is believed that Authentify, Inc., sells an authentication service using telephone callback. For many applications, such a strategy meaningfully enhances authentication assurance by forcing the adversary to corrupt multiple independent systems.
As illustrated above, basic security measures must address (1) how to bootstrap the chain of trust among and between communications nodes in a communications network, and (2) how to facilitate and achieve at least one-single out-of-band communication to guarantee that the ensuing communications between nodes are free of the danger of MitM and/or MM attacks.
In general, a diversity of communication paths between communications nodes is the best hedge against malicious subversion attacks that compromise the communication between those nodes. As wireless networks and services continue their explosive growth, it is easy and natural to utilize wireless technologies to deploy out-of-band or side channels for security purposes (as evidenced by the bank-login-procedure mentioned above that uses text-messaging via cell-phones as a side channel). However, while those wireless voice and data networks are continuing to be exploited, very little attention has been focused on using the existing electrical grid as the side channel (or as an additional side channel).
Other multi-factor authentication systems have also been well known for some time. For example, using a clock synchronized with an application server, an RSA SecurID hardware token generates a new one-time password every 60 seconds to be entered by the user. Dongles, such as ID2P Technologies' CFPKey and Yubico's YubiKey, generate cryptographic tokens to be sent by the user's computer to an Internet application. Many Internet applications use email as a simple out-of-band authentication channel: after entering a username and password, the user also enters a use-once randomly generated string sent to the user's email account. The companies Authentify, StrikeForce, and PhoneFactor perform a similar authentication service using telephony as the second channel. A variety of architectural choices are possible. With Authentify, one option is for the application to send the user's telephone number to the Authentify authentication service, which generates a random string and sends it both to the application and via telephone to the user, who then enters the string into the application. These products are vulnerable to a MitM attack carried out on a compromised user computer, and they do not bind a user to a location.
Several location authentication methods have been suggested using global positioning system (GPS), wireless, infrared, timing, or triangulation strategies. In 1998, Dennings and MacDoran proposed using a trusted GPS receiver to sign a location certificate. In 1993, Brands and Chaum described distance bounding protocols based on roundtrip time between prover and verifier, though this approach is vulnerable to collaborative attacks. Kindberg, Zhang, and Shankar offered a different distance-bounding protocol, based on token broadcast, but their approach is subject to a token-forging proxy attack. Capkun and Hubaux combine distance-bounding and triangulation strategies. For additional methods, see Ferreres et al.
Previous device tracking and anti-theft mechanisms have been developed by others. Anti-theft mechanism need to consider two important aspects: preserving confidentiality of stored data and locating stolen mobile device. Present anti-theft solutions provide strong mechanism to preserve the confidentiality of stored data. User authentication is the fundamental mechanism, which prevents unauthorized access to a stolen device. Remote Laptop Security (RLS) allows a user to control access to files on a computer even if it has been lost or stolen. RLS software encrypts all confidential files and access to files is allowed only after successful authentication. The owner of a stolen device can remotely issue data disable command through RLS whenever the stolen device gets connected to a central server through the Internet. Software based on user authentication and RLS scheme can be bypassed by, for example, reinstalling the operating system, and/or using password recovery software because the thief has complete control of the stolen device.
Prey, BackStopp, FailSafe, and GadgetTrak provide device tracking software to locate and help in the recovery of stolen devices. In their centralized approach, a client machine periodically contacts a central inventory server through the Internet. The location information of the device is determined based on an IP address. Apart from the Internet, the anti-theft software uses WiFi, GSM as the communication channel. The victim can trace the stolen device using location information reported at the central inventory server. The Internet-based location information is not fine-grained because it provides location at the edge of the router instead of the location of the actual stolen device. In such anti-theft mechanisms, location information can be forged using anonymous proxies, and using Tor. In addition, reinstalling the operating system makes software-based anti-theft solutions inept.
Computrace Lojack provides a BIOS-based anti-theft solution that is an extension to software-based device tracking mechanisms. Instead of a hard-drive, their anti-theft software is installed inside the BIOS. Therefore, removing the BIOS-based anti-theft mechanism is difficult, but not impossible.
Intel Centrino 2 with vPro provides hardware-based anti-theft solutions for laptops. Intel's anti-theft hardware preserves the confidentiality of stored data using Data-at-Rest (DAR) encryption technology. Also, it uses a centralized approach for tracing the location of a stolen device. At scheduled rendezvous, the hardware agent checks in with a monitoring center. On check in, the stolen device receives complete disable commands from the monitoring center, which makes the data and the laptop inaccessible to the thief Intel's approach avoids reliance on the Internet connectivity by employing a hardware-based timer to periodically authenticate the identity of the user. Hardware-based user authentication is harder to bypass.
Moreover, reinstalling the operating system does not make a stolen laptop accessible to a thief, which is a significant advantage of Intel's anti-theft hardware solution.
Lojack, GPS tracking, Enfotrace provide GPS-based anti-theft mechanism. In their solutions, a radio transceiver is secretly installed inside the mobile device. A radio transceiver periodically reports the location of the mobile device to a central inventory server. These anti-theft mechanisms provide security by obscurity. A thief can easily bypass such mechanisms by simply removing the radio transceiver from the mobile device.
It is well known that the electric conductors in the electrical grid can be used for data communications (albeit over small distances and relatively smaller bandwidths). First demonstrated in 1940, communications over power lines are now used in many countries for Automatic Meter Reading (AMR), SCADA system control, and Internet service. Vendors such as Corinex, Cisco systems, Netgear, D-Link and others offer devices that can deliver an Ethernet-protocol network over the existing electric copper/aluminum wires from any residential power socket to any other residential power socket within a home or building using the HomePlug specification. This technology is now very mature, stable and is rapidly becoming widespread as evidenced by the recent incorporation (in 2009) of HomePlug technology as the baseline for a newly emerging IEEE P1901 powerline communication standard.
U.S. Pat. No. 6,831,551, discloses transmitting sensor data from railroad crossings via the power lines utilized to provide power to lamps located at the railroad crossings. It also discloses applications that require a group of loosely coupled transceivers to share a communication line. For example, a disclosed embodiment of the invention utilizes an electronic key where the power line is used to power a lock device as well as exchange user provided authentication code information with an authorization database. Another embodiment utilizes an automobile sensor and control where the sensors communicate with controllers over a battery bus. The patent also discloses residential uses, for example residential security such as infra red sensor monitoring and powering; and residential appliance automation where appliances are turned on or off via commands over the power line.
In the electronic key scenario, the patentee refers to, for example, a garage opener door opener or an electrically operated safe. The authentication code provided by the user is transmitted over the same power lines that power the device itself (i.e., the garage door or the electronic safe door) and is matched against a database. This does not involve using an independent physical path as a side channel as one component of a multifactor authentication scheme. In the automobile scenario, the patent teaches using the battery bus to transport signals within the automobile itself, not to a separate system. In the residential infrared sensor monitoring and powering scenario, and the scenario involving turning residential appliances on/off via commands sent over power lines, these systems appear to rely on the signals transferred via one single method (i.e., Internet only, wireless phone-only, electric-power-lines only).
Several vendors in different localities have been providing end-users with up to 10 Mbps connectivity to the Internet via electric power lines. For example, as indicated in an article published in October 2005, the city of Manassas, Va., began the first wide-scale deployment of Broadband over Power Lines (BPL) service in the U.S., offering 10 Mbits/sec service for under $30 USD per month to its 35,000 city residents, using MainNet BPL. It is therefore not surprising that the electric utilities have the capability to read the individual home-electric meters from their premises (substation/distribution-hub, etc.) and are increasingly deploying such technologies.
The use of the electrical grid poses a variety of challenges, including low network bandwidth, high signal attenuation and interference on low-voltage lines, silent nodes, transformers which obstruct signals, and a hierarchical structure comprising low-, medium-, and high-voltage lines. The REMPLI project proposed a generic architecture for distributed data acquisition and remote control, which can support applications including AMR and SCADA. Broadband services follow a similar approach. Treytl and Novak designed a key management architecture for REMPLI. In these architectures, each home electric meter communicates over power lines with its substation, which communicates with the electrical grid server using a separate private network such as GPRS, 3G, WiMax, WiFi, HFC.
The electrical power generation and distribution methods used today have not changed much since their inception. Power generation is done at a few or strategic locations (such as hydroelectric dams or fossil- or nuclear-fueled plants) that produce all the electricity, and the electrical grid simply distributes it to the end users. In the conventional electrical grid, the electric energy flows in only one direction: from the generation stations to the end-users. Furthermore, no mechanisms for large-scale storage of electricity are known or available. As a result, the amount of electricity produced must match the demand for its consumption. To their credit, the electrical generation utilities, for the most part, have been able to predict the demand (which can vary wildly) and meet it by appropriately “firing” (or bringing into service) as many generators as are needed. If the delicate balancing act of matching of generation with consumption is not continually done, there can be outages in the electrical grid.
The scarcity of resources and/or the need to reduce the impact of human activities on the environment (which is dictated by sustainability) is expected to force electrical producers and consumers to harness solar, wind, tidal, geo-thermal and other forms of energy. However, these sources of energy are inherently “distributed” and un-reliable in nature. They will complicate the process of matching generation with consumption. Moreover, the flow of electric energy will now be bi-directional. In an ideal scenario, the electrical grid itself should continuously sense the current demand for power and be able predict the demand some-time ahead (at least in the immediate future). Of course the sensing devices need to take into account the time of day (how bright is the sunlight), the season (winter/peak-summer or fall/spring) to try and predict the demand. In addition, such sensing devices must also sense the wind(s) and other local conditions in order to assess how much of the required power could be produced “locally”. Smart sensors should then report back to the generation stations the difference (between demand and local supply capacity) so that the utilities can produce only what is needed.
The term “smart” in reference to smart electrical grids refers to such grids that can automatically balance the complex and dynamic factors such as distributed/local production of electricity, centralized large-scale production (using conventional generation-stations), vis-à-vis the total demand. Obviously the electrical grid would have to be smart to perpetually strike the delicate balance between supply and demand.
In the literature, the term “smart” has also been used to indicate grids that are resilient to attacks attempting to subvert their operations. The “security and reliability/availability” attributes that a “smart” grid must possess refer to the security of the grid itself.
Internet developers have been searching for stronger multifactor authentication schemes (which are in turn strengthened by diverse, independent communication paths). At the same time, there has been a misdirected use of the electrical grid's limited powerline communication capabilities. A great deal of “smart/good” electrical grid infrastructure is in place and is improving by the day. However, it is essential to recognize that power-lines were (and will always be) designed to carry electric-power efficiently, not to transmit communication signals. It is therefore futile for electrical utilities to offer broadband-data-connectivity across powerlines in an attempt to compete with cable/phone/connectivity-providers who are deploying optical fibers and other technologies that are specifically developed for high bandwidth/broadband communications. Also, almost all data/transaction servers at banks or other service providers are connected to some electrical grid. Indeed, it is unusual to encounter mobile servers powered by stand-alone power sources disconnected from the rest of the electrical grid.
Power companies can remotely read individual electric meters through powerline communications even today. In many instances, the utilities might not be using powerline communications. In some places they have created dedicated wireless infrastructure wherein the electric meters transmit the readings wirelessly. The other end of the wireless communication link could be static (for example a tower/tall utility pole) or a mobile unit (for example, the wireless communication capabilities of all the electric meters within a certain area could be simultaneously turned on from a utility company's van. All of them could then stream their data to the receiver(s) in the van, thereby obviating the need to make individual trips to read each electric meter). It is very likely that the “smart” grid of the future will require substantial amount of information exchange on a continual basis. Accordingly to be ready for such an eventuality, many utilities are also deploying fiber optic communication links besides the power cables. Such a dedicated infrastructure is not necessary for the present invention.
Accordingly, there exists a need for a system, method and apparata that takes advantages of the existing electrical grid and existing and future smart electrical grid technology for securing and/or authenticating network communications, especially those communications transmitted over the Internet by a person or device confirmed to be at a particular location. There exists a need for a system, method and apparata that offer the potential to dynamically establish additional/alternate physically distinct communication path(s) that can serve as secure side channel(s) to bolster the security of all communications wherein at least one of the end-peers is also connected to an electrical grid.