LYU9905 Security in Mobile Agent ECommerce Systems

Provided by: CSE



1
LYU9905 Security in Mobile Agent E-Commerce
Systems
  • Prepared by Wong Ka Ming, Caris
  • Wong Tsz Yeung, Ah Mole
  • Supervisor LYU Rung Tsong Michael
  • Date 7/12/99

2
Outline
  • Introduction
  • What is Mobile Agent
  • Overview of SIAS - Shopping Information Agent
    System
  • Security in Mobile Agent System & Cryptography
  • Security Attacks and Defenses Scenarios in SIAS
  • Future Work
  • Q & A Session

3
Introduction (1)
  • Mobile software agents have become an important
    aspect of electronic commerce
  • Electronic commerce and information retrieval
    are two prospective directions for application of
    mobile agents
  • Security is a crucial concern for such systems

4
Introduction (2)
  • Discuss mobile agents' properties and capabilities
  • Describe the system we have built for the FYP:
    Shopping Information Agent System (SIAS)
  • Discuss the security problems for the mobile
    agents
  • Particularly, analyze possible security attacks
    by malicious hosts against agents in SIAS
  • Last but not least, our solutions to detect
    these attacks

5
What is Mobile Agent (1)
  • Agent Definition - (User Perspective)
  • An Agent is a program that assists people and
    acts on their behalf. Agents function by allowing
    people to delegate work to them
  • Example: Stock Broker

6
What is Mobile Agent (2)
  • Agent Definition - (System Perspective)
  • An agent is a software object that is
  • situated within an execution environment
  • able to communicate with other agents
  • mobile and able to travel from one host to
    another
  • Autonomous, has control over its own actions

7
What is Mobile Agent (3)
  • Dispatch, Disconnect, and Dispatch model

8
What is Mobile Agent (4)
  • Advantages of mobile agent over Client/Server
    Paradigms
  • Reduce the network load
  • Overcome network latency
  • Execute asynchronously and autonomously
  • Adapt to changes dynamically
  • Robust and fault-tolerant

9
Mobile Agent Products
  • Aglets from IBM
  • Concordia from Mitsubishi
  • Voyager from ObjectSpace

10
Introducing SIAS (1)
  • SIAS - Shopping Information Agent System
  • SIAS is a web-based e-commerce mobile agent
    system
  • It provides users with information of products
    for sale in an electronic marketplace
  • It is written in Java programming language and
    on top of the Concordia API, which is developed
    by Mitsubishi Electric Research Lab

11
Introducing SIAS (2)
  • An electronic market consists of hosts that sell
    products on the network
  • Each seller maintains a database that stores the
    prices and quantities in stock of different
    products available at that host
  • It allows users to specify a set of products and
    quantities

12
Introducing SIAS (3)
  • An agent is created for a user whenever he/she
    has specified a list of products and quantities
  • The agent starts travelling in the network
    according to its itinerary (path), which is
    pre-determined while it is created
  • After the agent has visited all hosts specified
    in its itinerary, it returns to its sender and
    reports the lowest prices and corresponding
    sellers

13
Introducing SIAS (4)
  • Simplified model for SIAS

14
SIAS Details - Implementation (1)
  • Four main objects in the system
  • Agent - retrieves product information from hosts
    for users
  • Launch Server -
  • it is a gateway between agent system and client
    programs.
  • It initializes and launches an agent whenever it
    receives requests from clients.
  • It is also used for receiving agents when an
    agent finishes its trip

15
SIAS Details - Implementation (2)
  • Database Server -
  • it is used for retrieving information from its
    own database.
  • It also receives incoming agents and provides
    execution environments for them until they finish
    executions and leave
  • Client Program -
  • It is a Java Applet which lets users choose
    products and quantities.
  • Each instance of the client program can
    communicate with the Launch Server

16
SIAS Details - Implementation (3)
  • Our current SIAS design
  • One Launch Server - it is a trusted host.
  • Three Data Base Servers - some of them may be
    malicious
  • Client is using Netscape Communicator 4.5

17
SIAS Details - Implementation (4)
Diagram: Launch Server, Data Base Server 1, Data Base Server 2, Data Base Server 3
  • Client request
  • A new agent is created
  • The agent is launched and starts to travel
  • Agent is going to Data Base Server 1
  • Agent arrives at Data Base Server 1
  • Agent retrieves data from database and leaves
  • Agent is going to Data Base Server 2
  • Agent arrives at Data Base Server 2
  • Agent retrieves data from database and leaves
  • Agent is going to Data Base Server 3
  • Agent arrives at Data Base Server 3
  • Agent retrieves data from database and leaves
  • Agent is going back to Launch Server
  • Agent calculates the cheapest purchasing
    combination and it will be destroyed by the
    Launch Server
  • Report results to client

18
SIAS Details - Implementation (5)
  • Technology used in Agent object
  • Agent - it is a Concordia object
  • It enables an object which is a subclass of
    Concordia Agent to dispatch (marshalling) itself
    into the network and retract (unmarshalling) into
    another host

19
SIAS Details - Implementation (6)
  • Technology used in Data Base Server object
  • Data Base Server - the Data Base Server uses an
    object namely Agent Transporter to receive and
    send agents.
  • Agent Transporter is able to control every
    execution of a received agent.
  • The database server used is Oracle 8i. Oracle
    provides a driver for JDBC, which is a Java
    Solution for Database Connectivity

20
SIAS Details - Implementation (7)
  • Technology used in Launch Server object
  • It also uses Agent Transporter to receive and
    send agents
  • It uses RMI (Remote Method Invocation) to
    connect with clients
  • Why RMI but not Agent??
  • Concordia Problem - client needs to install the
    Concordia API in order to send and receive agents
    by web browser
  • Not convenient to use, so choose RMI.

21
SIAS Details - Implementation (8)
  • Technology used in client program
  • It is a Java Applet
  • It uses RMI to connect to Launch Server
  • Can I have a look on it ?? Yes, you can

22
SIAS Details - Implementation (9)
23
Security in Mobile Agent (1)
  • Security problems of malicious agents against
    hosts
  • Trojan horse attacks by malicious agents
  • This can be effectively solved by
  • strong authentication of the code sources
  • verification of code integrity
  • limiting the access rights of incoming agents to
    local resources of hosts

24
Security in Mobile Agent (2)
  • Security problems of malicious hosts against
    agents
  • When an agent executes on a remote host, the
    host is likely to have access to all the data and
    code carried by the agent
  • If a host is malicious and abuses the code or
    data, the privacy and secrecy of the agent and
    its owner would be at risk

25
Security in Mobile Agent (2)
  • Seven types of attacks by malicious hosts
  • Spying out and manipulation of code
  • Spying out and manipulation of data
  • Spying out and manipulation of control flow
  • Incorrect execution of code
  • Masquerading of the host
  • Spying out and manipulation of interaction with
    other agents
  • Returning wrong results of system calls to agents

26
Security in Mobile Agent (3)
  • In SIAS, we have chosen a technique called Agent
    Tampering Detection
  • Agent Tampering Detection: hiding from hosts the
    data possessed by agents and the function to be
    computed by agents by messing up code and data of
    agents, or using cryptographic techniques
  • We will discuss Asymmetric Cryptography &
    Digital Signature

27
Asymmetric Cryptography (1)
  • The main difference between asymmetric &
    traditional cryptography is the introduction of
    public key and private key
  • Public key & private key are generated in pairs
  • The message is then encrypted, transmitted and
    decrypted at the other end, without the need to
    pass around the private key, which would put the
    private key at risk of exposure to the public

28
Asymmetric Cryptography (2)
  • Digital Signature is used to verify the entity
    that has been signed
  • A person who sends a message can append an
    encrypted form of the message, using the sender's
    private key, to the end of the message.
  • The receiver of the message can decrypt the
    appended cipher-text using the sender's public key,
    and verify the integrity of the received message.
  • The appended cipher-text serves as a digital
    signature of the sender for the sent message

29
RSA Algorithm
  • R.L. Rivest, A. Shamir, and L. Adleman proposed
    their well-known RSA encryption algorithm.
  • In the RSA scheme, a message M is encrypted with
    the encryption key e by the function
  • Cipher-text = $E(M, e, N) = M^e \bmod N$
  • Message = $D(C, d, N) = C^d \bmod N$
  • The pair (e,N) is distributed as the public key
    while d is kept private. It can be proved that
    given d and e are carefully selected such that
  • $d \times e \equiv 1 \pmod{(p-1)(q-1)}$
  • and d is relatively prime to (p-1)(q-1), the
    functions D and E are the inverse of each other.

30
RSA An Example
  • Pick $p = 5$, $q = 7$, $z = 24$, $n = 35$
  • Choose $d = 5$, relatively prime to $z$
  • $\equiv 1 \pmod z$: 1, 25, 49, 73, 97, 121, 145...
  • Pick $e = 145 / d = 29$
  • Public key (35, 29), Private key (35, 5)
  • Encrypting message $M = 10$
  • $E(M) = 10^{29} \bmod 35 = 5$
  • VERIFY: Decrypting cipher-text $c = 5$
  • $D(c) = 5^5 \bmod 35 = 3125 \bmod 35 = 10 = M$
  • In practice, much larger primes p, q are used
  • The security provided by RSA relies on the fact
    that it is computationally infeasible to factor a
    large number n to find out p, q, and hence z, e

31
Attacks and Defenses on SIAS (1)
  • Scenario 1 - Modification of query products
  • The list of products specified by user is stored
    as plain text
  • Malicious host can easily spy out the data and
    change it
  • Later hosts will respond to such changes, and
    report wrong information
  • This violates the integrity of queries

32
Attacks and Defenses on SIAS (2)
  • Scenario 2 - Modification of query quantities
  • Similar to scenario 1
  • This leads the later hosts to report wrong
    information

33
Attacks and Defenses on SIAS (3)
  • Scenario 3 - Spying out and modification of
    query results
  • Agents carry query results in plain text
  • Malicious hosts can spy out and modify the
    results that the agent has collected from
    previous hosts
  • Such changes can favor the malicious hosts
  • For example, a malicious host raises all the
    prices reported from previous hosts.

34
Attacks and Defenses on SIAS (4)
  • Scenario 4 - Modification of itinerary of agent
  • Itinerary of an agent is accessible to hosts
  • Malicious hosts can change the itinerary of an
    agent
  • Agents may go to hosts that are not specified in
    itinerary
  • Agents may skip hosts that are specified in
    itinerary

35
Attacks and Defenses on SIAS (5)
  • Hybrid Attacks
  • Can mix the above 4 attacks

36
Attacks and Defenses on SIAS (6)
  • Solution to Attack Scenarios 1 & 2
  • We introduce a digital signature on the whole list
    of product IDs as well as a signature on the
    list of product quantities
  • Product ID list => Product ID list +
    sigA(Product ID list)
  • Quantity list => Quantity list + sigA(Quantity
    list)

37
Attacks and Defenses on SIAS (7)
  • Solution to Attack Scenario 3
  • We introduce RSA encryption algorithm on the
    results obtained from the Data Base server
  • Query result => DA(Query result + sigH(Query
    result))

38
Attacks and Defenses on SIAS (8)
  • Solution to Attack Scenario 4
  • The Data Base server will sign the path of the
    agent to ensure the agent goes the right path
  • EHN(EH(N-1)(... EH2(EH1(Itinerary at Host 1) +
    Itinerary at Host 2) ... + Itinerary at Host N-1) +
    Itinerary at Host N)
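
The itinerary chain of Scenario 4, as an added example that is not part of the original slides or the SIAS code. It assumes hash-then-sign links carried by the agent in place of the nested encryption written above, toy textbook-RSA keys built from Mersenne primes, and constructed host names DB1 to DB3.

```python
import hashlib

# Constructed toy keys: textbook RSA over Mersenne primes, no padding.
# Trivially breakable; shown only to make the chaining logic runnable.
def keygen(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])
def _link_msg(prev_sig, seen):
    return f"{prev_sig}|{','.join(seen)}".encode()

def host_visit(name, priv, chain, seen):
    """Host signs (previous link + itinerary it observed) and appends the link."""
    prev = chain[-1][2] if chain else 0
    return chain + [(name, list(seen), sign(priv, _link_msg(prev, seen)))]

def check_chain(original, pubkeys, chain):
    """Launch Server check: None if the trip matches, else the reason."""
    if [name for name, _, _ in chain] != original:
        return "hosts visited differ from itinerary"
    prev = 0
    for name, seen, sig in chain:
        if not verify(pubkeys[name], _link_msg(prev, seen), sig):
            return f"bad signature at {name}"
        if seen != original:
            return f"itinerary altered before {name}"
        prev = sig
    return None

ITINERARY = ["DB1", "DB2", "DB3"]  # constructed host names
KEYS = {"DB1": keygen(61, 89), "DB2": keygen(107, 127), "DB3": keygen(521, 607)}
PUBS = {h: k[0] for h, k in KEYS.items()}

def trip(tamper_at=None):
    """Agent follows the itinerary it carries; host tamper_at drops the next stop."""
    chain, carried, i = [], list(ITINERARY), 0
    while i < len(carried):
        host = carried[i]
        chain = host_visit(host, KEYS[host][1], chain, carried)
        if host == tamper_at:
            carried = carried[:i + 1] + carried[i + 2:]
        i += 1
    return chain
```

Because each link covers the previous host's signature, a later host cannot rewrite or drop an earlier record without the Launch Server's check failing.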

39
Attacks and Defenses on SIAS (9)
  • Introduce 2 new objects to support security
    measures
  • RSA object and
  • Key Server object

40
Attacks and Defenses on SIAS (10)
  • RSA object is the core of Secure SIAS design
  • It helps to implement a public key
    infrastructure (PKI)
  • It can encrypt a character string to ciphertext,
    and decrypt a ciphertext to a character string

41
Attacks and Defenses on SIAS (11)
  • Key Server object acts as a Certificate
    Authority (CA) of our PKI
  • It accepts public keys from agents and hosts,
    and distributes them
  • It uses RMI in transporting public keys
  • Why not agent but RMI??
  • Endless chain of security measures

42
Attacks and Defenses on SIAS (12)
  • A Secure SIAS

43
Security Analysis on SIAS (1)
  • We have tested the time taken for SIAS to launch
    a single agent before and after the implementation
    of the security mechanisms.
  • Round trip times (RTTs) required for an agent to
    travel around are measured.
  • Queries of different sizes have been tested.

44
Security Analysis on SIAS (2)
  • The RTT increases very slightly
  • The overhead of each additional item is about
    18.9 milliseconds on average.
  • This can be explained by the small change in
    delay of database query with different query
    sizes.

Figure shows SIAS without security measures and
attacks
45
Security Analysis on SIAS (3)
  • The RTT increases very fast and linearly with
    the size of query
  • The overhead of each additional item is about
    245 milliseconds, 13 times the overhead of the
    primary SIAS design
  • This can be explained by the use of RSA
    algorithm
  • It is time consuming to encrypt and decrypt data
    with long keys.
  • Trade-off between performance and security for
    SIAS.

Figure shows SIAS with security measures
implemented
46
Security Analysis on SIAS (4)
  • This graph and the next show SIAS with the
    simulation of malicious hosts' attacks
  • Both show that an agent takes more time to travel
    than in the first figure.
  • This suggests that the RTT may be used as a
    measure for tampering detection

Figure shows SIAS with simulation of attacks
- modification of product IDs
47
Security Analysis on SIAS (5)
Figure shows SIAS with simulation of attacks
- modifying itinerary
48
Summary
  • We studied the technology of autonomous mobile
    agents and discussed the problem of malicious
    hosts in a mobile agent system.
  • We implemented SIAS as a sample application of
    mobile agents, which reduces communication cost
    and allows delegation of tasks.
  • We addressed some security problems of malicious
    hosts in SIAS, and developed a primitive approach
    to protect the agents.
  • We analyzed the security of our approach, and
    believe it is strong enough for domestic purpose.
  • We measured the performance overhead of the
    security measures, saw a trade-off between
    performance and security for SIAS, and learned
    that it takes time for a malicious host to attack
    an agent.

49
Future Work
  • We will implement payment method on SIAS
  • We will scale up the current system
  • We will continue to think of other security
    attack scenarios and corresponding solutions
    (such as multiple malicious hosts)
  • We believe autonomous mobile agents would be an
    important technology in future distributed
    systems.

50
END
THANK YOU!!