Scalable Identity and Key Management for Publish-Subscribe Protocols in EDS
Date: March 2, 2018
Abstract: Publish-Subscribe protocols such as the MQ Telemetry Transport (MQTT) protocol and the Advanced Message Queuing Protocol (AMQP) are thought to be scalable, lightweight, one-size-fits-all solutions for the Internet of Things (IoT), including in energy delivery. MQTT was originally designed to make communication between oil pipelines and the control center lightweight over a satellite connection, but it has since been widely adopted in smart grid control to automate distributed grid equipment such as reclosers, smart meters, sensors, and PMUs. These protocols are being adopted rapidly, without much attention being paid to security. Although these protocols support client-side TLS certificates, those certificates are quite often left disabled in favor of performance and availability. Moreover, management and revocation of these certificates present yet another challenging problem.
We propose a key management and communication scheme based on Macaroons for IoT and smart grid applications. It provides an identity ontology for the IoT and smart grid while also providing authentication, confidentiality, and integrity for communications. Furthermore, it enables the reliable revocation of keys. To validate our key management scheme, we built a prototype client for the Firefly RK3288 ARM development board and a prototype key management server for a GNU/Linux server, and we demonstrate that its performance on the client fits within the 4 ms latency limit of smart grid protocols such as IEC61850 GOOSE.
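As an added illustration of the Macaroon primitive the scheme builds on (this is not the paper's own code or protocol), the following Python mints a macaroon for a recloser, attenuates it with topic, action and expiry caveats, and verifies the HMAC chain on the broker side. The root key, identifiers, topics, predicate syntax and the broker-side revocation set are constructed assumptions.

```python
import hmac
import hashlib
def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str, location: str) -> dict:
    # Key server side: the signature starts as HMAC(root_key, identifier).
    return {"location": location, "identifier": identifier, "caveats": [],
            "signature": _hmac(root_key, identifier.encode())}

def add_caveat(m: dict, predicate: str) -> dict:
    # Attenuate: append a caveat and extend the HMAC chain. Any holder can add
    # caveats, but none can be removed, since the prior signature is discarded.
    return {**m, "caveats": m["caveats"] + [predicate],
            "signature": _hmac(m["signature"], predicate.encode())}

def _holds(predicate: str, ctx: dict) -> bool:
    # Evaluate one first-party caveat against the broker's request context.
    key, _, value = predicate.partition(" = ")
    if key == "expires":            # constructed predicate: unix-time limit
        return ctx["now"] <= int(value)
    return ctx.get(key) == value     # e.g. topic, action

def verify(root_key: bytes, m: dict, ctx: dict, revoked: frozenset) -> bool:
    # Broker side: reject revoked identifiers, recompute the chain from the
    # root key, and require every caveat to hold for this request.
    if m["identifier"] in revoked:
        return False
    sig = _hmac(root_key, m["identifier"].encode())
    for caveat in m["caveats"]:
        if not _holds(caveat, ctx):
            return False
        sig = _hmac(sig, caveat.encode())
    return hmac.compare_digest(sig, m["signature"])
# Constructed sample: a macaroon for one recloser, limited to publishing on
# its own topic until a fixed expiry. Key, names and topics are made up.
ROOT_KEY = b"constructed-root-key-shared-by-key-server-and-broker"
TOKEN = add_caveat(add_caveat(add_caveat(
    mint(ROOT_KEY, "recloser-17", "mqtts://broker.example"),
    "topic = grid/feeder3/recloser-17"), "action = publish"), "expires = 1700000000")
def demo() -> dict:
    ok = {"topic": "grid/feeder3/recloser-17", "action": "publish", "now": 1699999000}
    stripped = {**TOKEN, "caveats": TOKEN["caveats"][:1]}   # holder drops caveats
    none = frozenset()
    return {"valid": verify(ROOT_KEY, TOKEN, ok, none),
            "wrong_topic": verify(ROOT_KEY, TOKEN, {**ok, "topic": "grid/feeder3/recloser-18"}, none),
            "expired": verify(ROOT_KEY, TOKEN, {**ok, "now": 1700000001}, none),
            "caveat_stripped": verify(ROOT_KEY, stripped, ok, none),
            "revoked": verify(ROOT_KEY, TOKEN, ok, frozenset({"recloser-17"}))}
```

`demo()` returns True only for the well-formed request; the stripped-caveat case fails because the broker recomputes the chain from the root key rather than trusting the caveat list the client presents.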