
Title: Review of Authentication Strategies and Trends for Distributed Energy Resources (DERs)

Technical Report · DOI: https://doi.org/10.2172/1481592 · OSTI ID: 1481592
 [1];  [1]
  1. Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)

In this study we review literature on machine-to-machine (M2M) authentication and encryption pertaining to communication with grid-attached power inverters. We regard security recommendations from NIST, constrained device recommendations from CoAP, as well as influences from the existing markets. We will not focus on passwordless or multifactor schemes of user authentication, the handover/roaming authentication of mobile systems, or the group authentication of WiMAX/LTE communications. The de facto standards for authentication and encryption are certificate-based public key cryptography and AES, respectively. While certificate-based public key cryptography is widely adopted, certificate management is seen as an Achilles heel of public key infrastructure (PKI). State-of-the-art authentication system research includes work on certificateless authentication; however, much work in the areas of privacy preservation and efficient or lightweight systems continues to be based on public key methods. We will see efforts such as bilinear pairing, aggregate message authentication codes, one-time signatures, and Merkle trees surface and resurface with improved authentication approaches. Though research continues to produce new encryption schemes, AES prevails as a viable choice, as it can be implemented across a variety of resource-constrained devices. Other lightweight encryption algorithms often employ the same fundamental addition-rotation-xor operations as AES while achieving higher efficiency, but at steep tradeoffs to security. Despite mathematical proofs of the security of cryptographic algorithms, in practice the greatest weaknesses continue to be incurred during implementation. Security researchers will find edge cases and bugs that allow unintentional behavior. In the following sections, accepted methodologies of authentication and encryption are discussed.
Due diligence for securing M2M communications requires consideration during planning, design, implementation and product lifetime, as opposed to a set-it-and-forget-it policy. Best practices can be gleaned from published successes and failures, with no single end-all, be-all detailed solution.

Research Organization: Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
Sponsoring Organization: USDOE National Nuclear Security Administration (NNSA)
DOE Contract Number: AC04-94AL85000; NA0003525
OSTI ID: 1481592
Report Number(s): SAND-2018-11778R; 669294
Country of Publication: United States
Language: English
