Smart Grid consortium rolled its own crypto, which is always, always a bad idea


When you make up your own crypto, it's only secure against people stupider than you, and there are lots of people smarter than the designers of the Open Smart Grid Protocol, who rolled their own (terrible) crypto rather than availing themselves of the numerous, excellent, free public cryptographic protocols.

It's impossible to overstate how stupid it was for them to do this. "Only use well-established public ciphers and don't make up your own" is literally the first rule of good crypto.

And of course, the risk to power infrastructure that's secured with this amateur hour crypto is real, not theoretical. Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol, a paper by Philipp Jovanovic and Samuel Neves, shows that the OSGP's "OMA Digest" function, used to sign messages and updates, is trivial to break: " Since the encryption key is derived from the key used by the OMA digest, our attacks break both confidentiality and authenticity of OSGP."

Which is to say: the whole work product of the consortium is unsafe at any speed. Let this be a lesson to anyone else doing standardization.

“Protocol designers should stick to known good algorithms or even the ‘NIST-approved’ short list,” Crain said. “In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials.”

By comparison, Crain said he implements DNP3 Secure Authentication, which is an IEEE standard.

“By contrast, they use the NIST-approved digest functions known as HMAC-SHA256 and AES-GMAC which are currently considered ‘strong authentication,'” Crain said. “The No. 1 rule of cryptography is ‘Don’t invent your own.'”

The Open Smart Grid Protocol handles communication for smart grids. It was developed by the Energy Service Network Association (ESNA), and since 2012 is the standard of the European Telecommunications Standards Institute (ETSI), according to the paper.

The weaknesses discovered by Jovanovic and Neves enabled them to recover private keys with relative ease: 13 queries to an OMA digest oracle and negligible time complexity in one attack, and another in just four queries and 2^25 time complexity, the paper said.

Weak Homegrown Crypto Dooms Open Smart Grid Protocol [Michael Mimoso/Threat Post]

(Image: Smoking,
Chuck Grimmett, CC-BY-SA
)