Researchers in Europe have published research examining weak, homegrown cryptography used in the Open Smart Grid Protocol.

In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide.

And like its SCADA, industrial control system, and embedded system brethren, it’s rife with security issues.

Two researchers, Phillip Jovanovic of the University of Passau in Germany and Samuel Neves of the University of Coimbra in Portugal, published a paper exposing encryption weaknesses in the protocol.

The paper, “Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol” explains how the authenticated encryption scheme used in the OSGP is open to numerous attacks—the paper posits a handful—that can be pulled off with minimal computational effort. Specifically under fire is a homegrown message authentication code called OMA Digest.

“This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever,” the researchers wrote.

Experts, meanwhile, sounded off against the use of a homespun encryption scheme.

So apparently the smart grid crypto protocols are so broken that researchers have to invent faster attacks… just to challenge themselves. — Matthew Green (@matthew_d_green) May 6, 2015

Adam Crain, security researcher and founder of Automatak who has published research on the DNP3 protocol used in industrial control system communication, said the use of a homegrown digest function is a “big red flag.”

“Protocol designers should stick to known good algorithms or even the ‘NIST-approved’ short list,” Crain said. “In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials.”

By comparison, Crain said he implements DNP3 Secure Authentication, which is an IEEE standard.

“By contrast, they use the NIST-approved digest functions known as HMAC-SHA256 and AES-GMAC which are currently considered ‘strong authentication,'” Crain said. “The No. 1 rule of cryptography is ‘Don’t invent your own.'”

The Open Smart Grid Protocol handles communication for smart grids. It was developed by the Energy Service Network Association (ESNA), and since 2012 is the standard of the European Telecommunications Standards Institute (ETSI), according to the paper.

“The No. 1 rule of cryptography is ‘Don’t invent your own.'”

-Adam Crain

The weaknesses discovered by Jovanovic and Neves enabled them to recover private keys with relative ease: 13 queries to an OMA digest oracle and negligible time complexity in one attack, and another in just four queries and 2^25 time complexity, the paper said.

“A different approach only requires one arbitrary valid plaintext-tag pair, and recovers the key in an average of 144 message verification queries, or one ciphertext-tag pair and 168 ciphertext verification queries,” the researchers wrote.

The researchers said the encryption keys are derived from the key used by the OMA digest,

Because the encryption key is derived from the key used by OMA digest, the researchers said their attacks break the confidentiality and authenticity of OSGP.

“The work at hand is another entry in the long list of examples of flawed authenticated encryption schemes,” the researchers wrote, “and shows once more how easily a determined attacker can break the security of protocols based on weak cryptography.”