Agent - CSE CUHK

LYU9905
Security in Mobile Agent E-Commerce Systems
Prepared by : Wong Ka Ming, Caris; Wong Tsz Yeung, Ah Mole
Supervisor : LYU Rung Tsong Michael
Date : 7/12/99
Outline
• Introduction
• What is Mobile Agent
• Overview of SIAS - Shopping Information Agent System
• Security in Mobile Agent System & Cryptography
• Security Attacks and Defenses Scenarios in SIAS
• Future Work
• Q & A Session
Introduction (1)
• Mobile software agents have become an important aspect of electronic commerce
• Electronic commerce and information retrieval are two prospective directions for application of mobile agents
• Security is a crucial concern for such systems
Introduction (2)
• Discuss mobile agents properties and capability
• Describe the system we have built for the FYP – Shopping Information Agent System (SIAS)
• Discuss the security problems for the mobile agents
• Particularly, analyze possible security attacks by
malicious hosts against agents in SIAS
• Last but not least, our solutions to detect these attacks
What is Mobile Agent (1)
• Agent Definition - (User Perspective)
• An Agent is a program that assists people and acts on
their behalf. Agents function by allowing people to
delegate work to them
• Example : Stock Broker
What is Mobile Agent (2)
• Agent Definition - (System Perspective)
• An agent is a software object that is
• situated within an execution environment
• able to communicate with other agents
• mobile and able to travel from one host to another
• Autonomous, has control over its own actions
What is Mobile Agent (3)
• Dispatch, Disconnect, and Dispatch model
What is Mobile Agent (4)
• Advantages of mobile agent over Client/Server Paradigms
• Reduce the network load
• Overcome network latency
• Execute asynchronously and autonomously
• Adapt to changes dynamically
• Robust and fault-tolerant
Mobile Agent Products
• Aglets from IBM
• Concordia from Mitsubishi
• Voyager from ObjectSpace
Introducing SIAS (1)
• SIAS - Shopping Information Agent System
• SIAS is a web-based e-commerce mobile agent system
• It provides users with information on products for sale in an electronic marketplace
• It is written in the Java programming language on top of the Concordia API, which is developed by Mitsubishi Electric Research Lab
Introducing SIAS (2)
• An electronic market consists of hosts that sell products on
the network
• Each seller maintains a database that stores the prices and
quantities in stock of different products available at that host
• It allows users to specify a set of products and quantities
Introducing SIAS (3)
• An agent is created for a user whenever he/she has specified a list of products and quantities
• The agent starts travelling in the network according to its itinerary (path), which is pre-determined when it is created
• After the agent has visited all hosts specified in its itinerary, it
returns to its sender and reports the lowest prices and
corresponding sellers
Introducing SIAS (4)
• Simplified model for SIAS
SIAS Details - Implementation (1)
• Four main objects in the system
• Agent - retrieves product information from hosts for users
• Launch Server
• It is a gateway between the agent system and client programs.
• It initializes and launches an agent whenever it receives requests from clients.
• It is also used for receiving agents when an agent finishes its trip
SIAS Details - Implementation (2)
• Database Server
• It is used for retrieving information from its own database.
• It also receives incoming agents and provides execution environments for them until they finish execution and leave
• Client Program
• It is a Java Applet which lets users choose products and quantities.
• Each instance of the client program can communicate with the Launch Server
SIAS Details - Implementation (3)
• Our current SIAS design :
• One Launch Server - it is a trusted host.
• Three Data Base Servers - some of them may be malicious
• Client is using Netscape Communicator 4.5
SIAS Details - Implementation (4)
[Figure: animated walk-through of one agent trip among the Client, the Launch Server and Data Base Servers 1, 2 and 3. Client request; a new agent is created; the agent is launched and starts to travel; the agent arrives at each Data Base Server, retrieves data from the database and leaves; the agent goes back to the Launch Server, calculates the cheapest purchasing combination and is destroyed by the Launch Server; results are reported to the client.]
SIAS Details - Implementation (5)
• Technology used in Agent object
• Agent - it is a Concordia object
• It enables an object which is a subclass of Concordia Agent
to dispatch (marshalling) itself into the network and retract
(unmarshalling) into another host
SIAS Details - Implementation (6)
• Technology used in Data Base Server object
• Data Base Server - the Data Base Server uses an object named Agent Transporter to receive and send agents.
• Agent Transporter is able to control every execution of a
received agent.
• The database server used is Oracle 8i. Oracle provides a
driver for JDBC, which is a Java Solution for Database
Connectivity
SIAS Details - Implementation (7)
• Technology used in Launch Server object
• It also uses Agent Transporter to receive and send agents
• It uses RMI (Remote Method Invocation) to connect with clients
• Why RMI but not Agent??
• Concordia Problem - client needs to install the Concordia
API in order to send and receive agents by web browser
• Not convenient to use, so choose RMI.
SIAS Details - Implementation (8)
• Technology used in client program
• It is a Java Applet
• It uses RMI to connect to Launch Server
• Can I have a look at it?? Yes, you can
SIAS Details - Implementation (9)
Security in Mobile Agent (1)
• Security problems of malicious agents against hosts
• Trojan horse attacks by malicious agents
• This can be effectively solved by
• strong authentication of the code sources
• verification of code integrity
• limiting the access rights of incoming agents to local
resources of hosts
Security in Mobile Agent (2)
• Security problems of malicious hosts against agents
• When an agent executes on a remote host, the host is likely
to have access to all the data and code carried by the agent
• If a host is malicious and abuses the code or data, the privacy
and secrecy of the agent and its owner would be at risk
Security in Mobile Agent (2)
• Seven types of attacks by malicious hosts
• Spying out and manipulation of code
• Spying out and manipulation of data
• Spying out and manipulation of control flow
• Incorrect execution of code
• Masquerading of the host
• Spying out and manipulation of interaction with other agents
• Returning wrong results of system calls to agents
Security in Mobile Agent (3)
• In SIAS, we have chosen a technique called Agent Tampering Detection
• Agent Tampering Detection: hiding from hosts the data possessed by agents and the function to be computed by agents, by messing up the code and data of agents or by using cryptographic techniques
• We will discuss: Asymmetric Cryptography & Digital Signature
Asymmetric Cryptography (1)
• The main difference between asymmetric & traditional cryptography is the introduction of a public key and a private key
• Public key & private key are generated in pairs
• The message is then encrypted, transmitted and decrypted at the other end, without the need to pass around the private key, which would put the private key at risk of exposure to the public
Asymmetric Cryptography (2)
• A digital signature is used to verify the entity that has been signed
• A person who sends a message can append an encrypted form of the message, produced using the sender’s private key, to the end of the message.
• The receiver of the message can decrypt the appended cipher-text using the sender’s public key, and verify the integrity of the received message.
• The appended cipher-text serves as a digital signature of the sender for the sent message
RSA Algorithm






• R.L. Rivest, A. Shamir, and L. Adleman proposed their well-known RSA encryption algorithm.
• In the RSA scheme, a message M is encrypted with the encryption key e by the function:
• Cipher-text = $E(M, e, N) = M^e \bmod N$
• Message = $D(C, d, N) = C^d \bmod N$
• The pair (e, N) is distributed as the public key while d is kept private. It can be proved that, given d and e are carefully selected such that $d \times e \equiv 1 \pmod{(p-1)(q-1)}$ and d is relatively prime to (p-1)(q-1), the functions D and E are the inverse of each other.
RSA: An Example









• Pick p = 5, q = 7, z = 24, n = 35
• Choose d = 5, relatively prime to z
• 1 mod z = 1, 25, 49, 73, 97, 121, 145...
• Pick e = 145 / d = 29
• Public key (35, 29); Private key (35, 5)
• Encrypting message M = 10: $E(M) = 10^{29} \bmod 35 = 5$
• VERIFY: Decrypting cipher-text c = 5: $D(c) = 5^{5} \bmod 35 = 3125 \bmod 35 = 10 = M$
• In practice, much larger primes p, q are used
• The security provided by RSA relies on the fact that it is computationally infeasible to factor a large number n to find out p, q, and hence z, e
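The slide's numbers carried through in code, as an added Python example that is not part of the original presentation: it reproduces the choice of e from the list 1, 25, 49, ..., checks the encryption and signature round trips, and shows that with n = 35 the private exponent can be rebuilt from the public key by factoring. Function names are illustrative, and this is the unpadded textbook scheme exactly as the slides state it.

```python
from math import gcd

def pick_e(d, z):
    """Walk the slide's list 1, 1+z, 1+2z, ... and return the first quotient
    (1 + k*z) / d that is an integer and differs from d itself."""
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    k = 1
    while (1 + k * z) % d or (1 + k * z) // d == d:
        k += 1
    return (1 + k * z) // d

def make_keys(p, q, d):
    """Return (public, private) as (n, e) and (n, d), in the slide's order."""
    n, z = p * q, (p - 1) * (q - 1)
    return (n, pick_e(d, z)), (n, d)

def encrypt(m, public):
    n, e = public
    return pow(m, e, n)

def decrypt(c, private):
    n, d = private
    return pow(c, d, n)

def sign(m, private):
    """Signature slide: the message transformed with the sender's private key."""
    return decrypt(m, private)

def verify(m, signature, public):
    """The receiver applies the public key and compares with the message."""
    return encrypt(signature, public) == m

def recover_d(public):
    """Why n must be large: factor n by trial division, rebuild z, invert e."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    z = (p - 1) * (n // p - 1)
    return pow(e, -1, z)

PUBLIC, PRIVATE = make_keys(5, 7, 5)   # slide values: p = 5, q = 7, d = 5
```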
Attacks and Defenses on SIAS (1)
• Scenario 1 - Modification of query products
• The list of products specified by user is stored as plain text
• Malicious host can easily spy out the data and change it
• Later hosts will respond to such changes, and report wrong information
• This violates the integrity of queries
Attacks and Defenses on SIAS (2)
• Scenario 2 - Modification of query quantities
• Similar to scenario 1
• This leads the later hosts to report wrong information
Attacks and Defenses on SIAS (3)
• Scenario 3 - Spying out and modification of query results
• Agents carry query results in plain text
• Malicious hosts can spy out and modify the results that the
agent has collected from previous hosts
• Such changes can favor the malicious hosts
• For example, a malicious host raises all the prices reported
from previous hosts.
Attacks and Defenses on SIAS (4)
• Scenario 4 - Modification of itinerary of agent
• Itinerary of an agent is accessible to hosts
• Malicious hosts can change the itinerary of an agent
• Agents may go to hosts that are not specified in itinerary
• Agents may skip hosts that are specified in itinerary
Attacks and Defenses on SIAS (5)
• Hybrid Attacks
• Can mix the above 4 attacks
[Figure: Launch Server, Host 1, Malicious Host, Host N]
Attacks and Defenses on SIAS (6)
• Solution to Attack Scenario 1 & 2
• We introduce digital signature on the whole list of product IDs
as well as the signature on the list of product quantities
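• $\{\text{Product ID list}\} \Rightarrow \{\text{Product ID list}\}\ \mathrm{sig}_A(\{\text{Product ID list}\})$
• $\{\text{Quantity list}\} \Rightarrow \{\text{Quantity list}\}\ \mathrm{sig}_A(\{\text{Quantity list}\})$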
Attacks and Defenses on SIAS (7)
• Solution to Attack Scenario 3
• We introduce RSA encryption algorithm on the results
obtained from the Data Base server
• $\{\text{Query result}\} \Rightarrow D_A(\{\text{Query result}\}\ \mathrm{sig}_H(\{\text{Query result}\}))$
Attacks and Defenses on SIAS (8)
• Solution to Attack Scenario 4
• The Data Base server will sign the path of the agent to ensure
the agent goes the right path
• $E_{H_N}(E_{H_{N-1}}(\dots E_{H_2}(E_{H_1}(\text{Itinerary at Host 1})\ \text{Itinerary at Host 2}) \dots \text{Itinerary at Host } N-1)\ \text{Itinerary at Host } N)$
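One way to realise the nested itinerary record and its check at the Launch Server, as an added Python example rather than SIAS code (SIAS itself is written in Java). It assumes each layer E_Hi is a hash-then-sign envelope made with textbook RSA and constructed toy keys; all names (wrap, check_chain, travel, host labels H1 to H3) are hypothetical.

```python
import hashlib, json

E = 65537  # public exponent shared by every toy key (assumption)

def keypair(p, q):
    """Textbook RSA key from two primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(text, key):
    n, d = key
    return pow(digest(text, n), d, n)

def verify(text, sig, n):
    return pow(sig, E, n) == digest(text, n)

def wrap(prev, itinerary, host, key):
    """Layer added at one host: E_Hi(previous layers, itinerary seen at host i)."""
    body = json.dumps({"host": host, "itinerary": itinerary, "prev": prev})
    return {"body": body, "sig": sign(body, key)}

def check_chain(layer, planned, public):
    """Launch Server side: peel the layers from Host N back to Host 1."""
    for host in reversed(planned):
        if layer is None:
            return f"missing layer for {host}"
        body = json.loads(layer["body"])
        if body["host"] != host or not verify(layer["body"], layer["sig"], public[host]):
            return f"bad layer at {host}"
        if body["itinerary"] != planned:
            return f"itinerary altered before {host}"
        layer = body["prev"]
    return "ok" if layer is None else "unexpected extra layer"

# Constructed toy keys built from Mersenne primes; far too small for real use.
KEYS = {"H1": keypair(2**13 - 1, 2**17 - 1),
        "H2": keypair(2**19 - 1, 2**31 - 1),
        "H3": keypair(2**61 - 1, 2**89 - 1)}
PUBLIC = {h: k[0] for h, k in KEYS.items()}   # what a key server would hand out
ROUTE = ["H1", "H2", "H3"]                    # itinerary fixed at launch

def travel(planned, tamper_at=None, new_route=None):
    """Simulate a trip; host `tamper_at` swaps in `new_route` after signing."""
    route, layer, i = list(planned), None, 0
    while i < len(route):
        host = route[i]
        layer = wrap(layer, route, host, KEYS[host])
        if host == tamper_at:
            route = list(new_route)
        i += 1
    return layer
```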
Attacks and Defenses on SIAS (9)
• Introduce 2 new objects to support security measures
• RSA object ; and
• Key Server object
Attacks and Defenses on SIAS (10)
• RSA object is the core of Secure SIAS design
• It helps to implement a public key infrastructure (PKI)
• It can encrypt a character string to ciphertext, and decrypt a
ciphertext to a character string
Attacks and Defenses on SIAS (11)
• Key Server object acts as a Certificate Authority (CA) of our PKI
• It accepts public keys from agents and hosts, and distributes them
• It uses RMI in transporting public keys
• Why not agent but RMI??
• Endless chain of security measures
Attacks and Defenses on SIAS (12)
• A Secure SIAS
[Figure: Client Program (Java Applet); Launch Server (RMI Server); KeyServer (RMI Server); Host One, Host Two, ..., Host N (each a Concordia Agent Transporter)]
Security Analysis on SIAS (1)

• We have tested the time for SIAS to launch a single agent before and after the implementation of the security mechanisms.
• Round trip times (RTTs) required for an agent to travel around are measured.
• Queries of different sizes have been tested.
Security Analysis on SIAS (2)
• The RTT increases very slightly
• The overhead of each additional item is on average about 18.9 milliseconds.
• This can be explained by the small change in delay of database query with different query sizes.
[Figure: Average Agent Travelling Time (milliseconds) against Number of items. Figure shows SIAS without security measures and attacks]
Security Analysis on SIAS (3)
• The RTT increases very fast and linearly with the size of query
• The overhead of each additional item is about 245 milliseconds, 13 times the overhead of the primary SIAS design
• This can be explained by the use of RSA algorithm
• It is time consuming to encrypt and decrypt data with long keys.
• Trade-off between performance and security for SIAS.
[Figure: Average Agent Travelling Time (milliseconds) against Number of items. Figure shows SIAS with security measures implemented]
Security Analysis on SIAS (4)
• This graph and the next show SIAS with the simulation of malicious host’s attacks
• Both show that an agent takes more time to travel than in the first figure.
• This suggests that the RTT may be used as a measure for tampering detection
[Figure: Average Agent Travelling Time (milliseconds) against Number of items. Figure shows SIAS with simulation of attacks: modification of product IDs]
Security Analysis on SIAS (5)
[Figure: Average Agent Travelling Time (milliseconds) against Number of items. Figure shows SIAS with simulation of attacks modifying itinerary]
Summary

We studied the technology of autonomous mobile agents and discussed
the problem of malicious hosts in a mobile agent system.

We implemented SIAS as a sample application of mobile agents,
which reduces communication cost and allows delegation of tasks.

We addressed some security problems of malicious hosts in SIAS, and
developed a primitive approach to protect the agents.

We analyzed the security of our approach, and believe it is strong
enough for domestic purpose.

We measured the performance overhead of the security measures, see a
trade-off between performance and security for SIAS, and learned that
it takes time for a malicious host to attack an agent.
Future Work
• We will implement payment method on SIAS
• We will scale up the current system
• We will continue to think of other security attack scenarios and
corresponding solutions (such as multiple malicious hosts)
• We believe autonomous mobile agents would be an important technology in future distributed systems.
END
THANK YOU!!