LYU9905 Security in Mobile Agent E-Commerce Systems

Slides: 44
Provided by: cseCu


Transcript and Presenter's Notes



1
LYU9905 Security in Mobile Agent E-Commerce Systems
  • Prepared by Wong Ka Ming, Caris
  • Wong Tsz Yeung, Ah Mole
  • Supervisor: LYU Rung Tsong Michael

2
Outline
  • Introduction
  • Project Overview
  • Overview of SIAS - Shopping Information Agent
    System
  • Project Status
  • Security measure in Mobile Agent System & Cryptography
  • Security Attacks and Defenses Scenarios in SIAS
  • Fault Tolerance of our system SIAS
  • Future Planning
  • More security measure in Mobile Agent System & Cryptography
  • Some more security Attacks and Defenses Scenarios
    in SIAS

3
Introduction
  • What is Mobile Agent?
  • A mobile agent is software that can do a job for us autonomously.
  • It assists people and acts on their behalf. Agents function by allowing people to delegate work to them.
  • What is the mobile code paradigm?
  • Consider the applet
  • The code is downloaded from the web server to the client side and run on the client side through the web browser.
  • Such a strategy is called code on demand, which means the code moves between machines passively, when demanded.
  • The mobile agent paradigm is a little different: the code actively moves from one host to another.

4
Introduction (1)
  • What is the advantage of mobile agent?
  • It can communicate with other agents, so it is suitable for systems such as a Stock Broker System.
  • It is mobile and able to travel from one host to another, so it is very suitable for mobile computing, in which the machine cannot always be connected to the network.
  • It reduces the network load and also overcomes network latency.
  • It is autonomous and has control over its own actions, which means it can adapt to changes dynamically.
  • Thus, it is robust and fault-tolerant.

5
Introduction (2)
  • Business Opportunities of mobile agents
  • Extend the lifecycle of existing applications and
    products by providing new capabilities (i.e.
    Internet/Intranet Access, Mobile Computing
    Features, Disconnected Computing Capabilities,
    etc.)
  • Decrease the cost of development, time to market,
    and support for new applications that would be
    developed using client/server architecture in the
    past.
  • New revenue source by providing mobile agent
    enabled solutions without investments in
    expensive and scarce resources (i.e. developers
    with mobile agent experience, non-standard
    development tools).

6
Mobile Agent Products
  • Aglets from IBM
  • Concordia from Mitsubishi
  • Voyager from ObjectSpace

7
Project Overview (1)
  • In the last semester, we developed the SIAS system.
  • SIAS is a web-based e-commerce mobile agent system.
  • It provides users with information about products for sale in an electronic marketplace.
  • It is written in the Java programming language on top of the Concordia API, which is developed by Mitsubishi Electric Research Lab.

8
Project Overview (2)
9
Project Overview (3)
  • What is Concordia?
  • Concordia is a full-featured framework for the
    development and management of network-efficient
    mobile agent applications which extend to any
    device supporting Java.
  • Concordia is written in Java and is portable to
    any platform running Java.
  • A Concordia System, at its simplest, is made up of a Java Virtual Machine (VM), a Concordia Server, and at least one mobile agent on one network node.
  • Usually, the Concordia System will consist of
    multiple machines in a local or wide area
    network, each of which is running Java VMs,
    Concordia Servers, and mobile agents.

10
Project Overview (4)
  • Our current SIAS design
  • Agent - retrieves product information from hosts for users.
  • One Launch Server - a trusted host that is the gateway between the agent system and client programs. It initializes and launches an agent whenever it receives a request from a client, and receives agents back when they finish their trips.
  • 26 Data Base Servers - some of them may be malicious. They receive incoming agents and retrieve information from their own databases.
  • Client - runs in Netscape Communicator 4.7. It is a Java applet that lets users choose products and quantities.

11
Project Status (1)
  • We have implemented SIAS as a sample application of mobile agents, which reduces communication cost and allows delegation of tasks.
  • We studied the problem of malicious hosts in a mobile agent system and addressed these problems in SIAS so as to develop a primitive approach to protecting the agents.
  • We measured the performance overhead of the security measures, saw a trade-off between performance and security for SIAS, and learned that it takes time for a malicious host to attack an agent.

12
Project Status (2)
  • We have scaled up our system from 3 hosts to 26
    hosts
  • We have implemented a fault tolerance mechanism in the system, so that agents can still complete their trips when some host is down.
  • We have continued to think of other security attack scenarios and corresponding solutions (such as encrypting the whole agent).

13
Security in Mobile Agent (1)
  • Security problems of malicious agents against
    hosts
  • Trojan horse attacks by malicious agents
  • This can be effectively solved by
  • strong authentication of the code sources
  • verification of code integrity
  • limiting the access rights of incoming agents to
    local resources of hosts

14
Security in Mobile Agent (2)
  • Security problems of malicious hosts against
    agents
  • When an agent executes on a remote host, the host
    is likely to have access to all the data and code
    carried by the agent
  • If a host is malicious and abuses the code or
    data, the privacy and secrecy of the agent and
    its owner would be at risk

15
Security in Mobile Agent (3)
  • In SIAS, we have chosen a technique called Agent Tampering Detection.
  • Agent Tampering Detection hides from hosts the data possessed by agents and the function to be computed by agents, either by messing up (obfuscating) the code and data of agents or by using cryptographic techniques.

16
Attacks and Defenses on SIAS (1)
  • Scenario 1 - Modification of query products
  • The list of products specified by the user is stored as plain text.
  • A malicious host can easily read the data and change it.
  • Later hosts will respond to such changes and report wrong information.
  • This violates the integrity of queries.

17
Attacks and Defenses on SIAS (2)
  • Scenario 2 - Modification of query quantities
  • Similar to scenario 1
  • This leads later hosts to report wrong information.

18
Attacks and Defenses on SIAS (3)
  • Scenario 3 - Spying out and modification of query
    results
  • Agents carry query results in plain text
  • Malicious hosts can spy out and modify the
    results that the agent has collected from
    previous hosts
  • Such changes can favor the malicious hosts
  • For example, a malicious host raises all the
    prices reported from previous hosts

19
Attacks and Defenses on SIAS (4)
  • Scenario 4 - Modification of itinerary of agent
  • Itinerary of an agent is accessible to hosts
  • Malicious hosts can change the itinerary of an
    agent
  • Agents may go to hosts that are not specified in
    itinerary
  • Agents may skip hosts that are specified in
    itinerary

20
Attacks and Defenses on SIAS (5)
  • Hybrid Attacks
  • Can mix the above 4 attacks

21
Attacks and Defenses on SIAS (6)
  • Solution to Attack Scenarios 1 & 2
  • We introduce a digital signature on the whole list of product IDs, as well as a signature on the list of product quantities.
  • Product ID list -> Product ID list || sigA(Product ID list)
  • Quantity list -> Quantity list || sigA(Quantity list)
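The "list || sigA(list)" defence of scenarios 1 and 2, as an added Python illustration (not the Java SIAS code): the launch server A signs both lists, and any host or the launch server can detect a later modification because the signature no longer verifies. The primes and product values are constructed for the demo; textbook RSA is used only to keep the example self-contained.

```python
# Added illustration of the SIAS "list + sigA(list)" defence using textbook RSA.
# Constructed example, not the SIAS code: the Mersenne primes below are chosen
# only so the example runs; a real deployment needs a properly generated RSA key.
import hashlib

P, Q = (1 << 107) - 1, (1 << 127) - 1   # toy primes, constructed for the demo

def make_keypair(p=P, q=Q, e=65537):
    """Return ((e, n), (d, n)) for the launch server A."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

def encode(items):
    # Canonical byte encoding so signer and verifier hash the same thing.
    return ",".join(str(i) for i in items).encode()

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sk, data):
    d, n = sk
    return pow(digest(data, n), d, n)

def verify(pk, data, sig):
    e, n = pk
    return pow(sig, e, n) == digest(data, n)

def launch_agent(sk_a, product_ids, quantities):
    """A attaches sigA(Product ID list) and sigA(Quantity list) to the agent."""
    return {"ids": list(product_ids), "ids_sig": sign(sk_a, encode(product_ids)),
            "qty": list(quantities), "qty_sig": sign(sk_a, encode(quantities))}

def lists_intact(pk_a, agent):
    """A later host checks both signatures before trusting the query."""
    return (verify(pk_a, encode(agent["ids"]), agent["ids_sig"])
            and verify(pk_a, encode(agent["qty"]), agent["qty_sig"]))

def demo():
    pk_a, sk_a = make_keypair()
    agent = launch_agent(sk_a, [101, 205, 309], [2, 1, 5])   # constructed query
    before = lists_intact(pk_a, agent)
    agent["qty"][0] = 200          # scenario 2: a malicious host changes a quantity
    after = lists_intact(pk_a, agent)
    return before, after

if __name__ == "__main__":
    print(demo())   # (True, False)
```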

22
Attacks and Defenses on SIAS (7)
  • Solution to Attack Scenario 3
  • We introduce RSA encryption algorithm on the
    results obtained from the Data Base server
  • Query result -> DA(Query result || sigH(Query result))

23
Attacks and Defenses on SIAS (8)
  • Solution to Attack Scenario 4
  • The Data Base server will sign the path of the agent to ensure the agent follows the right path.
  • E_HN( E_H(N-1)( ... E_H2( E_H1(Itinerary at Host 1) || Itinerary at Host 2 ) ... || Itinerary at Host N-1 ) || Itinerary at Host N )
  • Each host wraps the value produced by the previous host together with its own itinerary entry, so the chain records the path actually taken.

24
Attacks and Defenses on SIAS (9)
  • Introduce 2 objects to support security measures
  • RSA object and
  • Key Server object

25
Attacks and Defenses on SIAS (10)
  • RSA object is the core of Secure SIAS design
  • It helps to implement a public key infrastructure
    (PKI)
  • It can encrypt a character string to ciphertext,
    and decrypt a ciphertext to a character string

26
Attacks and Defenses on SIAS (11)
  • Key Server object acts as a Certificate Authority
    (CA) of our PKI
  • It accepts public keys from agents and hosts, and
    distribute them
  • It uses RMI in transporting public keys
  • Why RMI rather than an agent?
  • Endless chain of security measures

27
Attacks and Defenses on SIAS (12)
  • A Secure SIAS

28
Agent Encryption (1)
  • For encrypting the agent, we found that our original RSA algorithm cannot encrypt the agent object.
  • Thus, we tried another method.
  • We used a symmetric-key approach.
  • We make use of the Diffie-Hellman Key Exchange for exchanging the symmetric key between two hosts.

29
Agent Encryption (2)
  • Diffie-Hellman Key Exchange
  • It is a key exchange technique that enables two users to exchange a key securely.
  • The key can then be used for subsequent encryption of messages.
  • Its effectiveness depends on the difficulty of computing discrete logarithms.

30
Agent Encryption (3)
  • Under this scheme, there are two publicly known numbers: a prime number n and an integer g that is a primitive root of n.
  • Suppose hosts A and B wish to exchange a key.
  • Host A selects a random integer x < n and computes X = g^x mod n.
  • Similarly, host B independently selects a random integer y < n and computes Y = g^y mod n.
  • Each side keeps its own x or y private and makes X and Y publicly available to the other side.
  • Host A computes the key as K = Y^x mod n and host B computes the key as K = X^y mod n.
  • These two calculations produce the same result, which acts as the symmetric key.

31
Agent Encryption (4)
  • Thus, the two sides have exchanged a secret key.
  • Furthermore, because x and y are private, an opponent only has the following ingredients to work with: g, n, X and Y.
  • Thus, the opponent is forced to take a discrete logarithm to determine the key.
  • For example, to attack the secret key of host B, the opponent must compute y from Y, g and n, which is computationally difficult.

32
Agent Encryption (5)
  • Using the Diffie-Hellman Key Exchange technique, we can use the symmetric key to encrypt the agent.
  • We just use bitwise XOR to encrypt and decrypt the agent.
  • When the agent wants to travel to the next host, it first gets the public key of the next host and generates the symmetric key using the private key of the host it resides on. Then it encrypts itself using the symmetric key.
  • When the agent reaches the destination host, it gets the public key of the previous host and decrypts itself using the secret key of the destination host.
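The exchange of slides 30-32 carried through in Python, as an added example (not the Java SIAS code): both hosts derive the same K, the generator is checked to be a primitive root of n as the scheme requires, and the agent bytes are XOR-encrypted on departure and recovered on arrival. The prime n = 2^31 - 1, g = 7 and the serialized agent are constructed for the demo and are toy-sized.

```python
# Added illustration of the Diffie-Hellman exchange and XOR agent encryption.
# Constructed example, not the SIAS code: N, G and the agent bytes are demo values.
import secrets

N = (1 << 31) - 1   # publicly known prime n (toy size, constructed for the demo)
G = 7               # publicly known g; checked below to be a primitive root of N

def prime_factors(m):
    """Trial-division factorisation; fine for the small n used here."""
    fs, f = set(), 2
    while f * f <= m:
        while m % f == 0:
            fs.add(f)
            m //= f
        f += 1
    if m > 1:
        fs.add(m)
    return fs

def is_primitive_root(g, n):
    """g generates all of Z_n* iff g^((n-1)/q) != 1 for every prime q dividing n-1."""
    return all(pow(g, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))

def make_private():
    return secrets.randbelow(N - 2) + 1        # 1 <= x < n-1, kept secret

def public_value(x):
    return pow(G, x, N)                        # X = g^x mod n

def shared_key(peer_public, own_private):
    return pow(peer_public, own_private, N)    # K = Y^x mod n = X^y mod n

def xor_bytes(data, key_int):
    """Repeating-key XOR with the bytes of K; the same call decrypts."""
    key = key_int.to_bytes((N.bit_length() + 7) // 8, "big")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def demo():
    x, y = make_private(), make_private()      # host A and host B secrets
    X, Y = public_value(x), public_value(y)    # published via the key server
    k_a, k_b = shared_key(Y, x), shared_key(X, y)
    agent = b"SIAS agent state: ids=[101,205] qty=[2,1]"   # constructed stand-in
    ciphertext = xor_bytes(agent, k_a)         # encrypted before leaving host A
    recovered = xor_bytes(ciphertext, k_b)     # decrypted on arrival at host B
    return k_a == k_b, recovered == agent, ciphertext != agent

if __name__ == "__main__":
    print(is_primitive_root(G, N), demo())   # True (True, True, True)
```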

33
Security Analysis on SIAS (1)
  • The security of the additional measures rests mainly on the introduction of a key server that facilitates the use of public key cryptography.
  • Assuming that the key server and the communication channel with it are secure enough, and that the keys are managed properly, prevention of modification of an agent's signed product and quantity lists by a malicious host is supported by the security of the RSA encryption algorithm.

34
Security Analysis on SIAS (2)
  • The time complexity for breaking the RSA
    cryptosystem depends on the length of the key in
    number of bits.
  • The longer the key is, the more secure the system
    would be.
  • In our implementation, we have chosen a key
    length of 128 bits.
  • This would be sufficiently secure for our
    security purpose

35
Security Analysis on SIAS (3)
  • We have tested the time for SIAS to launch a single agent with and without security measures.
  • Round trip times (RTTs) required for an agent to travel around an electronic market with different numbers of hosts, with and without security enforcement, were measured respectively.
  • We will measure the performance overhead of the security measures, such as encrypting the agent, to see the trade-off between performance and security for SIAS.
  • Queries of different sizes (number of products) have been tested.

36
Security Analysis on SIAS (4)
  • Results show that the RTT for an agent to travel in SIAS changes more or less linearly with the number of hosts in the system.
  • This is due to the additional time to travel an
    additional host, and the overhead for each
    additional host is more or less the same.
  • Moreover, the RTT is also linearly increasing as
    the number of products of the query increases.
  • This can be explained by the increases in number
    of database transactions and time to transport an
    agent.

37
Security Analysis on SIAS (5)
  • When security is enforced, the RTT increases in
    general.
  • For the maximum number of hosts of 26, and
    maximum size of query of 90 products, the RTT
    increases by 100 seconds, from 230 seconds to 350
    seconds.
  • This can be explained by the extensive use of the
    RSA algorithm to encrypt and decrypt each item,
    which is time consuming, especially when the key
    is long.
  • Therefore, we see a trade-off between security
    and performance in SIAS.

38
Fault Tolerance (1)
  • Our system highly depends on Concordia API
  • Faults that are introduced by Concordia cannot be
    avoided
  • Fault tolerance features are needed
  • Two Approaches
  • Monitor Program
  • Confirmation of Availability of Connection

39
Fault Tolerance (2)
  • Monitor Program
  • The monitor program continually checks whether all the servers are up.
  • If one of the servers is down, it sends a request to that host to restart the server.
  • It also uses logs to monitor server status.

40
Fault Tolerance (3)
[Diagram: the monitor program observes "a server dies" and "server recovers"]
  • A forever loop is used to check the servers

41
Fault Tolerance (4)
  • Confirmation of Availability of Connection
  • In the Concordia architecture, an agent dies if the connection to the next host does not exist.
  • This introduces data loss.
  • We introduce methods to avoid such loss,
  • using a check similar to ping in UNIX.
  • Before an agent travels to the next host, it pings to confirm the availability of the host.
  • If the next host is down, the agent waits until the monitor program restarts the server.

42
Fault Tolerance (5)
[Sequence diagram, "If server B dies", between Server A and Server B: agent arrives at server A; server B responds; agent travels to server B; agent waits until server B restarts; server B restarts; agent travels to server B; agent arrives at server B]
  • An agent dies only if the server that the agent resides on dies

43
Future Planning
  • We will analyze the security of our new approach
  • We will continue to work on the fault tolerance
    part of SIAS
  • We will think more about security attack and defense scenarios in SIAS