Distributed Cryptographic Key Management for Mobile ... - CiteSeerX

0 downloads 0 Views 551KB Size Report
A number of solutions are proposed based on cryptographic principles have their own limitations. The cryptographic key generation and distribution mechanism ...
RESEARCH PAPER International Journal of Recent Trends in Engineering, Vol 1, No. 1, May 2009

Distributed Cryptographic Key Management for Mobile Agent Security J.M.Gnanasekar, V.Ramachandran Department of Computer Science and Engineering, Anna University Tiruchirappalli, India Email: [email protected] application domains and work correctly only if certain environment assumptions hold. Some of the protocols proposed (e.g. [6]), only in an informal and incomplete way. This paper focuses on the attacks against mobile agents from malicious hosts. Researchers have proposed security mechanisms for mobile agents, mainly to ensure the confidentiality and integrity of the data carried by the agent. Eavesdropping and alteration are other issue that an agent will faces at the hosts site which are really hard to prevent. The various solution proposals share many common ideas and characteristics. The confidentiality can be obtained by encrypting the data with the help of cryptography system. The integrity is more difficult to achieve, because a hostile execution environment has full control over the agent operations. The major issue in the cryptography system is generation and distribution of cryptography key. In this paper, a novel solution using web services, a distributed computing technology, for the secure key generation and distribution is proposed.

Abstract — The problem of securing data section in a mobile agent from discovery and exploitation by a malicious host is a difficult task. A full scale adaptation of mobile agents becomes true once the security obstacles are overcome. A number of solutions are proposed based on cryptographic principles have their own limitations. The cryptographic key generation and distribution mechanism strongly holds the success of the mobile agent security systems. The agents and hosts are mutually distrusting each other, but they trust the third parties. In this paper, this property is exploited for the secure way of generating and distributing the keys using service oriented architecture. The major security future for mobile agent, the Publicly Verifiable and Forward Integrity (PVFI) and Forward Privacy (FP) are also ensured. Index Terms— Mobile Agent, Data Integrity, Data Authenticity

I. INTRODUCTION Mobile agents are a new model for distributed system programming. This model is capable of migrating, the threads of execution from machine to machine and performing their operations locally. The mobile agents have a set property like reactivity, autonomy, collaborative, inferential capability, temporal continuity, adaptive and mobility. The combination of autonomy and mobility provides mobile agents enormous potential for application in today's Internet-based, distributed computing environment. The Mobile Agent technology is pulling the attention of researchers because it provides an elegant and uniform solution to a wide spectrum of application areas, from network and systems management to mobile computing, from distributed information retrieval to electronic commerce. Mobile agents system must satisfy the basic security features like data confidentiality, non-repudiability, forward privacy, strong forward integrity, publicly verifiable forward integrity, insertion defense truncation defense and itinerary secrecy. However, despite all of the potential benefits of mobile agents, the security issues still hinder their widespread adoption. In a typical Internet application, there is little trust between the originator one who initiates the operation and hosts one who serves for the requests by originator. The major security threats are either threats against the hosts, or threats against the agent. Various protocols are proposed in literature are not resistant to all the kinds of tampering: typically, truncations of the collected data in some cases cannot be detected (e.g. [5]). In certain cases, some of the proposed protocols have been designed specifically for particular

II. RELATED WORKS Always security is a fundamental concern for a mobile agent system. Harrison et al. [1] identify security as a “severe concern” and regard it as the primary obstacle to the adopting of mobile agent systems. The security problem of mobile agent system can be classified into two types as protection of host resources and protection of agents. A host node runs one or more agent server processes, which facilitates the execution of visiting agents. Each agent server has an agent environment component, which acts as the interface between visiting agents and server. The server’s domain database keeps track of agents currently executing on it, and responds to status queries from their requestors. The agent transfer component implements a protocol that allows agents to migrate from server to server. The server maintains a resource registry which is used in setting up safe bindings between resources and agents. A. Basic Agent Security Properties The major security related attributes that an agent must maintain are listed as below. 1. Secrecy of the key: The host’s private key should be protected, while enabling the signing ability of the agent. 2. Verifiability: Verifying a signed order, one can be convinced that both the originator and the receiver agree with the order. 164

© 2009 ACADEMY PUBLISHER

RESEARCH PAPER International Journal of Recent Trends in Engineering, Vol 1, No. 1, May 2009 signature schemes have been proposed to protect mobile agents’ paradigm. Sander et al.[6] proposes a two nondetachable signature schemes are developed using RSA signature scheme and computed with encrypted functions. The undetectable signature scheme allows the mobile agent to sign a message without revealing the secret key. An agent acts as a delegate of its creator application and executes on behalf of its owner. Each agent carries a set of credentials which compose the agent’s identity and public key certificate. The creator may delegate to the agent only a limited set of privileges while working on its behalf. Such access restriction is encoded in the credentials. When a server receives an agent, it uses these credentials to validate the authenticity of the agent, and based on the agent’s identity and delegated rights, it can grant access privileges for its local resources. Volker and Mehrdad [7] proposed a key management and access control mechanism for mobile agents. In their scheme, they construct a mobile agent structure and design a cryptographic key assignment mechanism to control the access of confidential data in a mobile agent. This provides a safe binding between the visiting agent code and the server resources; so that the agent can access the resources it needs but cannot breach system security by accessing the resources it is not authorized to use. However, their scheme is inefficient. It requires a larger agent size and higher computational cost. J.Y.Park et al.[8] announced a new key generation scheme called one time key based system. This system uses, computations to generate a key at each node using information received from previous hosts. Only, the originator is able to decode the information since he had the initial value. The main strength and weakness of this system is that there is an inter-relationship among consecutive agent keys. Therefore, in case that some intermediate agent data or key are get tempered or deleted then the whole system will fail.

TABLE I. COMMON NOTATIONS USED FOR MOBILE AGENTS

Π S0 = Sn+1 Si , 1≤ i ≤ n Oi, 1≤ I ≤ n Oi, 1≤ i ≤ n Vi Pi SIGNi(m) ENC(m)

Mobile agent Originator Shops Offer provided by shops Si Signed encapsulated offer of Si Private Key of Si Public Key of Si The signature of m by Si’s private key Encryption of m by Si’s private key

3.Unforgeability: No one except the originator can issue a mobile agent on behalf of himself. 4.Identifiability: Anyone can identify participators of a valid signed order. 5.Nonrepudiation: Once an order is generated by executing the mobile agent on the server side, neither the originator nor the host can repudiate it. That is, neither the customer nor the merchant can correctly modify the signed order to remove his authorization information. 6.Prevention of misuse: The host should not be able to abuse the information in mobile agents for any other illegal purpose. B. Protection of Host Resource A host participating in a mobile agent system runs an agent server process. The host is exposed to various types of attacks, launched by malicious agents. These attacks can be categorized as: damage to host resources, denial of service to other agents etc. In order to prevent these attacks, the agent system needs to be protected by controlling the agent’s access to system resource using security manager, wrapper etc. At the same time, legitimate agents must be given access to the resources they need. Dias et al.[1] proposed a history based security policy mechanism to protect the mobile agent system. This system is based on Resource Based Access Control (RBAC) system. The platform has to maintain a history of visited agents and based on the previous history the access to a list of resources may be granted. Maintaining of such history by an agent server is not an easy task.

D. Service Orienteted Archicture – Web service The Web services philosophy that promotes interoperability across the public Internet. Furthermore, web services involve passing information among multiple vendors in a secure way induces using this technology for carrying key across the servers and hosts. The web server hosts the services as the trusted third party, while the hosts are accessing as per the code carried by the agent. III. NOTATION AND INITIAL ASSUMPTIONS A mobile agent is, a program that can move from host to host during its execution. In this paper, when describing the execution of a mobile agent, in ranges over the visited hosts: S0 denotes the Originator host, i.e. the host that initially creates the agent, whereas S1, S2, . . . , Sn denote the n hosts/shops where the agent is subsequently executed, in order of visit. It is assumed that each mobile agent finally returns back to its originator, where its execution terminates. In this agent execution description, after having visited the nth host Sn, the agent goes to the host Sn+1 which is nothing the originator S0

C. Protection of Agents Many researchers have been focused on the security issues of mobile agents. and proposed few security frameworks like SOMA [2] and Ajanta [3] separately. These frameworks have similar functions to prevent malicious host’s tampering the agent data. These systems are comprises of agent servers, management systems and security policies and restricted themselves with interoperability. Farmer and Swarup proposed an authentication mechanism [4] to guarantee that the mobile agent only executes in a trust environment to prevent attacks. Some 165 © 2009 ACADEMY PUBLISHER

RESEARCH PAPER International Journal of Recent Trends in Engineering, Vol 1, No. 1, May 2009 and forward integrity future. The equations 1, 2 and 3 will illustrates the above concept.

where it terminates. A list of notations is tabulated as in Table-1. A. Object Encryption An encryption technique is implemented using RSA algorithm, is used. The offer by host is represented as an object. The object itself may be protected with the help of encryption technique. The object is converted into a byte array and it is encrypted. The encrypted byte array form of offer only taken by the mobile agent. Generally the encryption is done with the public key of the originator, so the confidentiality of the offer is maintained. B. Publicly Verifiable Chained Digital Signature Kajorth et al. [10] extended Yee’s concept to ensure strong forward integrity, whereby none of the offers in the agent data can be modified without detection by the originator. Each offer in the data set is chained to the next one using the identity of the next host to be visited by the agent. Once the agent returned the originator after visiting the hosts, he only able to decrypts the data. If the chaining relation fails at a particular point, all subsequent offers are rejected. This scheme is extended using digital signature scheme to ensure the publicly verifiability. This scheme is going to sign the static data with the encrypted offer at each stage along with the previously collected offer and the signature at the early stages. This will ensure the publically verifiable and forward integrity property.

Figure 1. Schematic of mobile agent participating in e-commerce application in a secure way

(1)

Oi = SIGNi ( ENCi(Oi ), Hi ).

(2)

Hi = (Oi-1, Si+1 ).

(3)

V. IMPLEMENTATION The proposed system is implemented using JADE[9] version 3.5 and wsig a web service addon for JADE. Jade is java based mobile agent system, which is more users friendly and extends its support for agent and web service interaction also. The application system is designed to retrieve the cost of mobile phone from each host. The originator signs his request and floated across the hosts. The hosts are giving their offer in an encrypted form and this encrypted offer is digitally signed. Finally the host receives the data in a secure way. The agents get the key through the KeyAgent which is deployed as web service. Fig.2 shows the deployment of KeyAgent. The fig.3 shows the deployment of Key Service by the KeyAgent. The service has two operations as senckey and signkey. Once the agent collects the data it automatically encrypted using the key obtained from the senckey service.

IV. SYSTEM ARCHITECTURE The mobile agent is initiated at S0 by originator. The targets i.e. a list of hosts to visit, are also set by the originator. The mobile agent has a code to be executed at the visiting hosts and necessary data needed for a successful execution above code. This data is referred as static data of mobile agent. At each node the agent collects some useful data, i.e. the purpose of visit, is referred as dynamic data. The static data should be authentic and the dynamic data must be confidential. The digital signature scheme ensures the authenticity of the static data. The originator signs the static data before it was floated across the hosts. The host Si who wants to ensure the correctness of the data will simply verify using the digital signature carried by the agent by obtaining the public key of the originator by invoking the web services. The dynamic data must meet the confidentiality property. It is achieved by introducing the encryption technique. The dynamic data is encrypted by the public key of the host originator which is obtained from the web server using web services. In order to ensure the integrity of the dynamic data, it is signed by the private key of the host. As shown in the Figure-1, the agent moves from the originator and visits all the hosts as programmed. During visit of each host, it collects the data encrypt it and append with the existing dynamic data section and it is digitally signed. This will ensure the publicly verifiable

Figure 2. KeyAgent Deployment

166 © 2009 ACADEMY PUBLISHER

Si → Si+1 : Π,{Oj | 0≤ j ≤ i}; 0 ≤ i ≤ n .

RESEARCH PAPER International Journal of Recent Trends in Engineering, Vol 1, No. 1, May 2009 REFERENCES [1] Pedro Dias, Carlos Ribeiro, Paulo Ferreira, "Enforcing History-Based Security Policies in Mobile Agent Systems", Proceedings of the 4th International Workshop on Policies for Distributed Systems and Networks (POLICY’03), 2003 [2] Bellavista, P., Corradi, A., Stefanelli, C., "Protection and Interoperability for Mobile Agents: a Secure and Open Programming Environment," IEICE Transactions on Communications, Special Issue on "Autonomous Decentralized Systems", Vol. E83-B, No. 5, May 2000, pp. 961-972. [3] Tripathi, A., Karnik, N., "A Security Architecture for Mobile Agents in Ajanta,", Proceedings of the International Conference on Distributed Computing Systems, April 2000. [4] Farmer, W., Swarup, W., "Security for Mobile Agents: Authentication and State Appraisal," LNCS-Research in Computer Society, Vol. 1146, Springer Verlag, 1996, pp. 118-130. [5] V. Roth. Empowering mobile software agents, Proc. 6th IEEE Mobile Agents Conference, volume 2535 of Lecture Notes in Computer Science, pages 47–63. Spinger Verlag, October 2002. [6] Sander, T., Tschudin, C.F., "Protecting Mobile Agents Against Malicious Hosts," LNCS-Mobile Agent Security, Vol. 1419, Springer Verlag, 1998, pp. 44-60. [7] Volker, R., Mehradad, J.S., "Access Control and Key Management for Mobile Agents," Computer and Graphics, Vol 22, no 4, 1998, pp. 457-467. [8] Jong-Youl Park, Dong-Ik Lee, Hyung-Hyo Lee, "Data Protection in Mobile Agents: One-Time Key-Based Approach," isads, Fifth International Symposium on Autonomous Decentralized Systems, 2001,pp 411 [9] http://jade.cselt.it lasted visited on December 25, 2008 [10] G. Karjoth, N. Asokan, et al. Protecting the computation results of free-roaming agents. In 2nd International Workshop on Mobile Agents, volume 1477 of Lecture Notes in Computer Science, Springer-Verlag, 1998, pp 195–207.

Figure 3. KeyAgent deployment a GUI view

Figure 4. Originator receives the offer from various hosts

Figure 4. shows the offers collected from various host in a secure way. The originator is the only member able to receive and decode the data as illustrated in the set of equations 1 through 3. This system will ensure the publically verifiable and forward integrity property which is most wanted in mobile agent security system. VI. CONCLUTION This paper proposes application architecture for the security of mobile agent system. The major issue of distributing cryptographic keys is solved using the web services. The web services are used here effectively as the key generation and distribution system. This application may be extended in future to develop new system architecture to ensure the security at the system level itself.

167 © 2009 ACADEMY PUBLISHER