among consecutive encryption keys for agent data, i.e, all agent keys form a .... time agent key and digital signature scheme with times- tamp. Section 3 presents ...
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
1
PAPER
Mobile Agents
One-Time Key Generation System for Agent Data Protection Jong-Youl PARK† , Nonmember, Dong-Ik LEE† , Member, Hyung-Hyo LEE† , and Joong-Gil PARK†† , Nonmembers
SUMMARY This paper deals with security issues in a mobile agent system, especially protecting agent data from malicious servers. For this purpose, one-time key generation system, OKGS in short, is proposed. In OKGS, we integrate notions of an oneway hash function and a coupler. A one-way function plays a major role in ensuring confidentiality and integrity of agent data. And the notion of a coupler is used to establish inter-relationship among consecutive encryption keys for agent data, i.e, all agent keys form a unidirectional chain. With these two features of OKGS, therefore, only the agent owner, who creates the agent bearing data, can decrypt and protect all agent data which are gathered in its itinerary. key words: Data integrity, Data confidentiality, One-time Key, One-way hash function, coupler, Mobile Agent
1.
Introduction
Due to the inherent elegant features such as autonomy and mobility, mobile agent technology enables distributed system to overcome several serious defects of remote procedure call, called RPC[1], or other message passing based systems. However its mobility introduces new security problems. The security problems in mobile agent systems can be classified into attacks from malicious servers and attacks from malicious agents. Furthermore the former is classified into agent data protection and agent code protection. In this paper, we concentrate on the security threats from malicious agent servers to protect agent data. 1.1
Mobile Agent System
A mobile agent is a program that can migrate under its own control from one host to another over a heterogeneous network, see Fig.1-b. In contrast, Fig.1a shows traditional Client-Server model. RPC and Client-Server models provide simple and static services, which is predefined. On the other hand, mobile agent model provides active and flexible services due to the inherent autonomy and mobility characteristics. The mobile agent technology introduces many potential advantages in distributed systems such as less network Manuscript received February 31, 2001. Manuscript revised June 5, 2001. † authors are with the Department of Information and Communications, Kwang-Ju Institute of Science and Technology, 1 Oryong-dong, Puk-gu, Kwangju 500-712, Korea †† the author is with the National Security Research Institute, 161 Kajong-dong, Yusong-Gu, Taejon, 305-350, Korea
Fig. 1
Mobile Agent Concept
traffic, more concurrency and more flexible control. Especially, the advent of JavaTM language 1.1 vitalizes the research activities in this area. Despite of its advantages, mobile agent technology, i.e. casting mobile agent code into a network, raises several security problems. Nowadays, security problems are recognized as a major hurdle to put mobile agent technologies in practical use. The new security problems can be categorized as follows; • Protection of a mobile agent from malicious agent servers: Integrity and confidentiality of a mobile agent are critical issues in agent systems. In a practical point of view, however, an agent server can modify, remove and copy mobile agent code and data without restriction, since a mobile agent cannot migrate nor execute without help of the agent server. For example, it is Forced execution and illegal change of the agent data are typical examples. • Protection of an agent server from malicious mobile agents: Since mobile agent migrate from one host to another, some agent can behave as a computer virus or an Internet worm. Namely, consider that an agent, say A, migrates to an agent server, B. A plays his role using B’s CPU and memory. In addition, if A is granted unlimited access right to B’s resources such as file system, system memory and kernel, then A can make B break down using out of memory. Therefore whenever an agent server executes an agent code, the agent code must be appraised[2]. A notable difference between computer virus and an agent’s code is its malice, and hence an agent code must be checked
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
2
by a state appraisal function for the granting some access rights. 1.2
Related Work
Protection of an agent server from malicious agents is very similar to security problems in distributed systems such as user authentication and authorization. In recent researches, many authentication and access control mechanism have been proposed such as Java security model, authorization language for Aglet [6], and passport model for Ara system [4]. Among others, an authentication language is the most advanced mechanism and it defines the security policies by introducing the notion of roles such as manufactures, owner, and authority principals. Security policy is defined as a set of principals, so called composite principals. Composite principals offer a convenient way to combine privileges that must be granted by multiple principals into a single access right [6]. In the protection of an agent, only three models have been proposed such as “Safe Tcl Security model” from Sun Microsystems [8], “Towards Mobile Cryptography” from UC Berkeley [10], and “Time limited Blackbox Security” from Mole agent system [9]. • Safe Tcl Security Model [8]: Agent Tcl is an extension of Tcl script language. Safe-Tcl has a safety checking mechanism during its execution. Since its protection mechanism operates in the language level, its security function is very powerful. However this model has difficulty in interoperability with other agent systems because some agents, which are developed by the Safe Tcl, cannot run on the Tcl based agent systems without the extension. • Towards Mobile Cryptography [10]: A host can execute an encrypted function without decrypting. Basically, this approach is based on homomorphic encryption scheme. However it is very hard to find those schemes for building Mobile Encrypted Function. Furthermore those functions only support restricted operation. • Time limited Blackbox Security [9]: All agent servers other than an agent owner execute a scrambled agent which is messed-up in the blackbox of the owner for a limited period. The security depends on the “mess-up” algorithm. Though code mess-up is different from encryption, it takes time to transform messed-up code into readable one. This model also has some disadvantages such as short time period and weakness from parallel attacks. On the other hand, in the point of cryptography, some chaining mechanisms are investigated such as cipher block chaining mode, in short CBC mode, and
ciphers based on a one-way hash function for the purpose of the one-time property[19]. In CBC mode, the current block is XORed with the previous block before it is used. There are some problems due to the structure as follows; • Adding arbitrary data : If the end of a message is not known, an attacker can add some data to the end of the encrypted message without being detected. To detect the end of a given message, padding mechanism is frequently used, since padding mechanism makes the last block a fixed length block by adding some bit string. • Single bit error : If an attacker toggles a single bit, the entire block is decrypted incorrectly. • Birthday attack : Although plaintext patterns are concealed by chaining, very long messages will still have patterns. The birthday paradox predicts that there will be identical blocks after 2m/2 blocks, where m is the block size. For a 64-bit block size, that’s about 34 gigabytes. A message has to be pretty long before this is a problem In addition to this, there are cipher algorithms based on one-way hash function. These make interrelationship between encryption keys like CBC mode. However, the main purpose of a one-way hash function, in this paper, updates the encryption key rather than making the inter-relationship such as Karn, LubyRackoff, and Message Digest Cipher(MDC)[15]. The security of these schemes depend on the security of the used one-way function[15]. During the last decade, M D4, M D5 and SHA − 1 are proposed as one-way hash functions. However, the pseudo-collision for M D4 and M D5 are revealed in 1992 and 1995. Collisions for the full version of M D4 was found in 1995. However, for SHA−1, to find an efficient algorithm to find collision looks almost impossible because little information is known about the design criteria for SHA − 1[18]. Another attack of SHA − 1 hash function is birthday paradox as follow; • The difficulty of producing any message having a given message digest is on the order of 2160 operations, where 160 is the output size of SHA − 1 . • The difficulty of producing two messages having the same message digest, this is referred to ‘collision’, is on the order of 280 operations. In consequence, SHA − 1 appears not to be vulnerable to such attacks[18]. 1.3
Purpose and Organization
In this paper, we concentrate on the protection of mobile agents from servers, more specifically, protecting
PARK et al.: ONE-TIME KEY GENERATION SYSTEM FOR AGENT DATA PROTECTION
3
agent data. We propose a one-time key generation system, in short OKGS, for the confidentiality and integrity of agent data. The paper is organized as follows: Section 2 describes our security model OKGS that consists of onetime agent key and digital signature scheme with timestamp. Section 3 presents an algorithm for one-time agent key, and its function in detail. Section 4 analyzes the security of the proposed model. Finally, conclusion is addressed in Section 5. 2.
One-time Key Generation System
As previously mentioned, security issues in mobile agent systems classified into security for mobile agents and security for agent servers. A security model for agent servers is related to access control and audit trail. Mainly, system security policy is designed in the system design phase, and it works on the criteria of agent state appraisal. On the other hand, a security model for mobile agents, the issue of this paper, can be established by one-time agent key and digital signature. 2.1
One-time Agent Key
The confidentiality and integrity of agent data must be kept during its itinerary. However, in a mobile agent system, it is not trivial to guarantee the confidentiality and integrity of agent data since an agent server can easily modify that agent data. As an example, consider two competing airline companies A and B. They do not share a common reservation system. Assume that a mobile agent is programmed by a traveling agency to gather flight information from a number of airline companies. A customer dispatches the agent to the Aairline server where the agent queries flight information. After that, the agent stores the results and migrates to the B-airline server where it queries flight information also. A number of attacks are possible. For instance, the B-airline server is able to corrupt A’s flight schedule, and also can surreptitiously raise its competitor’s fare. In public key-based systems, each airline’s information can be encrypted by public key of the agent owner. In this case, B intentionally can drop A’s information, insert invalid information using the public key of the agent owner, or replace ciphertexts. In order to preserve the integrity of agent data from this kind of attack, we need another mechanism in addition to the public key systems. So, we introduce (OKGS) to counteract against security threats to agent data. The key idea of OKGS is a sequence of interrelated encryption keys for ciphering agent data. In addition, since the relationship among encryption keys is unidirectional, the only one who has the information on the first encryption key can generate the rest, and detect the unauthorized agent data insertion or deletion. Another important characteristic of OKGS is one-time, which will be
Fig. 2
Overview of OKGS
described in detail in Section 3. Overview of OKGS is shown in Fig.2. In the figure, hexahedron is the one-time key generation module which is based on a one-way hash function. When an agent server receives an agent, the agent server checks digital signature of the agent code. Then the agent server generates a new secret key, that is called an agent key, based on a key seed. A key seed is generated using a coupler, Ck−1 in Fig.2, that is provided by the previous server. The agent server encrypts necessary data with the agent key and the encrypted data are stored in working area of the agent. This means that an agent server encrypts its own data. At the same time the agent server also generates a new coupler, Ck , which will be used in the next agent server. The agent migrates to a new server and the new server generates a new agent key by using the coupler provided by the previous server. The notion of a coupler makes it possible to establish inter-relationship between consecutive keys. Those data in working area of the agent is encrypted by this sequence of agent keys. When the mobile agent returns home, each agent key can be reconstructed because the generation of every agent key is based on a one-way hash function and each server’s secret information(R1, R2), which is encrypted by the public key of the home and carried to the home. Thus the home server can decrypt agent data using each agent key used in agent servers from the initial seed value which is given by the home server. 2.2
Digital Signature and Timestamp
In OKGS, digital signature and timestamp also play important roles to ensure integrity of agent code and data. Digital signature in this system is used in two ways; agent code is signed by the home server to guarantee the integrity, and agent data are signed by each agent server over agent’s itinerary to specify the signer and to guarantee the integrity. An agent owner or a home server means an agent server which creates an agent through the paper. Thus agent code is signed
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
4
Fig. 3
One-time Key Generation Module
by the owner when it is generated, and agent data is also signed by an agent server with timestamp when it is attached. These signatures are guarantees of each agent server to verify the creation of random numbers R1k , R2k and a timestamp prevents the replay attack because timestamp is effective at a specific period. This aspect is explained later in subsection 4.4. Furthermore the notion of timestamp can also be used for clone detection and this is explained in Appendix. 3.
A one-time Key Generation Algorithm
One-way hash function, in other words a collision-free hash function or a secure hash function, has a distinctive feature such as computation of y = f (x) is very easy, but computation of the inverse function f −1 (y) = x is computationally infeasible. Hence the asymmetric characteristic of the one-way hash function is frequently used in cryptographic algorithms and distributed systems. Formal definition of one-way hash function is; Definition 1: A hash function h is one-way if, given a message digest z, it is computationally infeasible to find a message x such that h(x)=z. Assume that one has hn (x) that is obtained by applying a one-way hash function h n-times to a message x, then he/she easily can have future value hn+a (x), where a is an arbitary positive natural number. However, he/she cannot get the original message x nor hk (x), 0 < k < n, due to the one-way property from Definition 1. A one-time agent key, which is used in encryption, is based on this one-way property, and it provides a inter-relationship between two consecutive agent keys. Fig.3 briefly shows how to make the interrelationship; R1k and R2k are provided by the current host, and they are encrypted with AS0−pub , the public key of the home server. Further an agent key is created using not only R1k but the coupler Ck−1 . Hence only the home server, AS0 , can have R1k , R2k , and Ck−1 in each host, and reconstruct every agent key. We have some assumption in this paper. The proposed OKGS is based on P KI(Public Key Infrastructure) and several cryptographic functions including a
Fig. 4
One-time Key Generation Algorithm
one-way hash function and an encryption function. In OKGS, we use DES in encrypting an agent data and SHA − 1[17] as an one-way hash function. In this paper, SHA − 1 is assumed a one-way hash function. If SHA−1 is not considered as a secure hash, SHA−1 can be substituted for RIP EM D − 160 or other one-way hash functions since our one-time agent key algorithm is independent of the adopted hash function. 3.1
Algorithm
The one-time key generation algorithm is depicted in Fig.4. An arbitrary server, ASk , receives a coupler Ck−1 from the previous server, ASk−1 , and generates random numbers R1k and R2k that are secret information of ASk . In case ASk−1 is the home server, AS0 creates a mobile agent and the initial coupler C0 , and then sends them to the next agent server AS1 . Otherwise agent server ASk generates its key seed Sk using Ck−1 , R1k and SHA − 1, and also generates a new DES key based on Sk . then ASk generates Ck , a new coupler for the next agent server, and sends it to the next agent server ASk+1 with the agent data. From now on, we explain the algorithm and design issues step by step. RANDOM NUMBER: R1k (320-bit), R2k (320-bit) In order to generate a one-time agent key, two random numbers R1k and R2k are generated, those are 320-bit. This is used in order to scramble a coupler and to satisfy the secure condition of the one-way function from the birthday attack. Secure condition of a oneway hash function imposes restrictions on size of input and output data; size of an output must be more than 128-bits and that of an input is double of the output size[13]. For the reason of secure condition, R1k and R2k , which are inputs of SHA − 1, is decided on double size(320-bit) of the output(160-bit). And they are
PARK et al.: ONE-TIME KEY GENERATION SYSTEM FOR AGENT DATA PROTECTION
5
this case, if generated key is 64-weak DES key, it must be regenerated. An agent data will be encrypted with this DES key, and the encrypted agent data is denoted as X. X = DES1 (data1 )+DES2 (data2 )+· · ·+DESk (datak ) Encryption: AS0−pub (R1k , R2k , DSAk (X,T imeStamp),T imeStamp)
Fig. 5
DES Key Generation
encrypted using AS0−pub , the public key of the home agent server. Therefore only the home AS0 can decrypt them. RUN: code signature check - DSA0 (code) After receiving agent code, the agent server checks the digital signature for integrity of the agent code. In this paper, since we have already assumed that OKGS is based on PKI, digital signature can be easily implemented with DSA. RUN: Sk = SHA − 1((Ck−1 :Ck−1 )⊕R1k ) Sk is a key seed which is used for DES key generation, and is generated in the agent server that the agent resides. The first step is XOR operation with Ck−1 :Ck−1 and R1k , where Ck−1 :Ck−1 denotes concatenation of two Ck−1 s, and it is a 320-bit long coupler, provided by the previous agent server ASk−1 . If we use Sk = SHA − 1(Ck−1 ) rather than Sk = SHA − 1((Ck−1 :Ck−1 ) ⊕ R1k ), then the agent server ASk−1 that has the knowledge of Ck−1 can easily compute the key seed Sk of the next agent server ASk , thus the confidentiality of the agent data is easily brokken. Note that Ck is generated using Ck−1 which is sent by the previous server ASk−1 . RUN: datak = agent data from ASk datak is the result of agent execution and is encrypted with the agent key DESk , which is generated as follows;
We encrypt R1k , R2k , and DSAk (X, T imeStamp) with AS0−pub . Agent data, i.e. AS0−pub (· · ·), might be modified or be deleted by some agent server. However, when the agent returns to the home server AS0 , the deletion or modification is detected due to the interrelationship among Sk ’s. In addition, digital signature DSAk is possible to replay attack, hence we insert a time stamp, DSAk (X, T imeStamp), to prevent it. Replace Ck = SHA-1((Sk :Sk ) ⊕R2k ) Append DESk (datak ) Append AS0−pub (R1k , R2k , DSAk (X,T imeStamp),T imeStamp) In order to setup inter-relationship between agent keys, a coupler Ck is generated from Sk . However to hide Sk from the next agent server, Sk :Sk is XORed with R2k then the result is hashed. The mobile agent replaces Ck−1 with Ck in the working area. And encrypted data DESk (datak ) and AS0−pub (R1k , R2k , DESk (X, T imeStamp)) are appended to the working area. Finally, the agent is dispatched to the next agent server ASk+1 . Because DESk (datak ) is the same size as datak , additional agent data for data protection is 800-bit† . When a mobile agent completes assigned tasks and returns to the home server AS0 , AS0 decrypts all AS0−pub (R1k , R2k , DESk (X, T imeStamp)) (k = 1 · · ·n) using its private key AS0−pri . Then the home server AS0 can reconstruct all Ck ’s using C0 , R1k ’s, R2k ’s and SHA − 1 as following; S1 = SHA − 1((C0 : C0 ) ⊕ R11 ), C1 = SHA − 1(S1 ⊕ R21 ) S2 = SHA − 1((C1 : C1 ) ⊕ R12 ), C2 = SHA − 1(S2 ⊕ R22 ) . ..
DES key = H(Sk ) ⊕ L(Sk ) ⊕ M (Sk ) where H(Sk ) = Sk1 : Sk2 , L(Sk ) = Sk4 : Sk5 and M (Sk ) = Sk3 : Sk3 , each Ski , i=1,2,...,5, is a 32-bit string, and Sk = Sk1 : Sk2 : Sk3 : Sk4 : Sk5 . Encryption: DESk (datak )
Sk = SHA − 1((Ck−1 : Ck−1 ) ⊕ R1k ), Ck = SHA − 1(Sk ⊕ R2k )
In fact, mobile agent data are encrypted by a new agent key denotes by DESk . We use a symmetric key algorithm DES for fast encryption. As stated above, Sk is 160-bit and DES key is 64-bit. Therefore we make a DES key using XOR operation with high 64bit, low 64-bit, and middle 32-bit as shown Fig.5. In
In consequence, the home server AS0 can have all Sk ’s from S0 to Sn and DES keys from the equation H(Sk ) ⊕ L(Sk ) ⊕ M (Sk ).
.. . Sn = SHA − 1((Cn−1 : Cn−1 ) ⊕ R1n )
†
800-bit = 320-bit(R1) + 320-bit(R2) + 160-bit(digital signature)
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
6
Fig. 7
An Implementation of OKGS
coupler C0 and DSA0 (code) are generated. 3.2
Implementation
Because mobile agent system is based on the cooperation among agent servers and agents, mobile agents interchanges the program control with an agent server. Life-cycle model supports these kinds of operations and we also adopt it to our system[16]. Therefore our agent has 5 states such as “born”, “init”, “running”, “stop”, and “dead”. Mobile agents consist of three components; “agent server”, “agent template”, and “user agent” 3.2.1
• Init state: In this state, agent code is initialized in each server. It verifies the signature of agent code and generates a one-time agent key using Ck−1 . • Running state: “User agent” code and Secure Save() function, which encrypts a given message using an agent key, are executed. • Stop state: Hash Ck using R2k . • Dead state: All agent keys are reconstructed and all cipher blocks are decrypted using the agent keys.
Agent life-cycle and one-time agent key
Mobile agents have 5 chance to get the program counter. Fig.6 depicts these five states and we call it life-cycle. Agent code consist of “user agent” and “agent template”, “agent template” supports basic operations of life-cycle in th system level and “user agent” defines customized operations in each agent server. Therefore, all the components of OKGS are inserted in “agent template”. To store secret information, “user agent” just calls Secure Save() function in “agent template”. Each state of lifecycle and operations of OKGS are explained in the followings; • Born state: In this state, an agent, the initial
3.2.2
Implementation result
Fig.7 shows the implementation result of OKGS. For the sake of simplicity, only two agent servers, TONGKI(home server) and DSL are considered. Left boxes( 1 , 2 , 4 ) and right box( 3 ) in Fig.7 show the execution results in TONGKI and DSL respectively. And the itinerary is TONGKI(AS0 , AS1 ) → DSL(AS2 ) → TONGKI(AS0 ). Initially, TONGKI generates C0 . Then TONGKI and DSL behave as following; • TONGKI (AS0 : Fig.7- 1 ) – Create an agent – Generate C0 • TONGKI (AS1 : Fig.7- 2 )
Fig. 6
Agent Life Cycle
– Generate the random numbers (R1: 106AE· · ·, R2: 229B1· · ·. – Make an agent’s key using S1 (BDFE01F169· · ·). – Encrypt results using the agent’s key (544F4E474B· · ·→9B1409AA48· · ·).
PARK et al.: ONE-TIME KEY GENERATION SYSTEM FOR AGENT DATA PROTECTION
7
Fig. 8
Performance analysis
• DSL (AS2 : Fig.7- 3 ) – Encrypt the execution results using the agent’s key like as TONGKI (4453400000· · ·→ EFA0DCCFAD· · ·). • TONGKI (AS0 : Fig.7- 4 ) – With AS0−pri , AS0 decrypts all random numbers and reconstructs agent’s key after checking the signature DSAk (X, T imeStamp) – In Fig.7, we can see the result of OKGS using the comparison of the saved data and the decrypted data. 3.3
Overhead
In this section, OKGS has been propsed. However, nothing comes free, that is we need to pay additional expenses to implement and enjoy advantages of OKGS. In this subsection overhead in terms of performance and agent size due to the OKGS is investigated. The number of agent servers, the more agent servers the larger agent size, over which a mobile agent migrates, varies from one to five and query size is 1 byte in this experiment. Further our agent system is implemented over our local area network environment that is 100Mbps Ethernet. Each operation in OKGS costs additional expenses in the performance as shown in Fig.8-a, where ETC portion includes migration and class loading. Note here that overhead of digital signature is more than twice comparing to that of RSA. This is caused by digital signature is performed twice in OKGS. Another important point is that the number of agent servers does not affect on each proportion of overhead in a distinctive way. In average, a mobile agent with OKGS increases to 136% in the size and to 124% the in completion time comparing to a mobile agent without OKGS. See [Table 1]. On the other hand, Fig.8-b depicts the trend of agent overhead depending on size of query that is a part of a user agent. Note here that increase of query size implies increase of agent processing time to complete its own function excluding OKGS related computation,
in servers. From Fig.8-b, we know that OKGS overhead decreases according to increase of query size. The experimental results show that if the user agent part or query size gets larger than the size of OKGS and hence agent computation takes more time, performance overhead caused by the OKGS occupies smaller. 4.
Analysis
In OKGS, while a one-time agent key keeps the confidentiality of agent data, it cannot prevent the illegal change of agent data. However, by checking the digital signature attached to each agent data, OGKS guarantees the integrity of agent data as well. In this section, to verify the security of OKGS, we enumerate the possible security threats to OKGS and evaluate the strength of OKGS. I One-way property I DES key I Agent data 4.1
Threats to one-way property
Because the one-way property of a hash function is our basic assumption, OKGS is vulnerable if this property is broken. Threats to one-way property fall into two categories: One is “breaking the one-way property itself” and the other is “finding collisions in the hash function SHA − 1”. Table 1
the size and completion time of mobile agents
No. 1 2 3 4 5 6 7 8 9 mean overhead
time(ms) original 2298 2145 2084 2105 2157 2238 2231 2287 2124 2168.4 100%
OKGS 2678 2456 2547 2951 2678 2758 2778 2829 2771 2683.6 123.7%
size(byte) original 1836 1859 1868 1897 1907 1985 1987 1998 2001 1924.6 100%
OKGS 2458 2560 2567 2574 2578 2640 2684 2698 2756 2621.3 136.20%
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
8
4.2.1
DES key search
DES key search is a brute force attack to find the right key that can decrypt the message by trying the 256 possible keys. 1 and 2 in the Fig.9 are related with DES key search. Security attacks to guess DES key are as follows; Fig. 9
4.1.1
Attacks Analysis
Break a one-way hash function
Fig.9 depicts the possible security attacks against oneway key generation module in OKGS. In Fig.9, breaking a one-way hash function corresponds to 2 , and the target of this attack is a scramble phase of SHA − 1. In other words, an attacker who has the knowledge of Ck tries to get the input value Sk of the hash function by breaking the one-way property. This attack is summarized as follows; H Attacks of the Sk using the Ck If the attacker finds the Sk , then DES key is revealed consequently, and the confidentiality of agent data is compromised. While this attack is to search the inverse function or the input value of the hash function, that is computationally infeasible due to our assumption that SHA − 1 is one-way hash function. 4.1.2
Find collisions in SHA − 1
The other threat to one-way property is finding collisions in the hash function SHA − 1, which corresponds to 1 in Fig.9. A hash function h is called collision free if, given a message x, it is computationally infeasible to find a message x0 such that x 6= x0 and h(x) = h(x0 ). Attack in Fig.9- 1 can be described as follows; H Finds R10k , R20k whichi they generate the same Ck−1 and Ck as R1k , R2k H Finds R10k which generate the same Sk as R1k (Sk = SHA − 1(Ck−1 : Ck−1 ⊕ R1k ))
H Brute force attack of DES key using DESk (datak ) H Decrypts AS0−pub (R1k , R2k , DSAk (X, T imeStamp), T imeStamp) H Finds Sk by guessing R1k using Ck−1 (Fig.9- 1 ) H Finds Sk using Ck (Fig.9- 2 ) In terms of a brute force attack, it depends on the key size of the encryption algorithm and how often the key is used. But in OKGS, since the 56-bit DES key is generated on the fly and used only once by each agent server, DES keys in OKGS is relatively secure than other systems where the same DES key is used many times. Futher, the attack to decrypt information encrypted with the public key of the home server, AS0−pub , depends on the strength of the public key cryptography algorithm, RSA. Attack to the DES key by guessing the values of R1k (Fig.9- 1 ) needs the 2320 (2.13 × 1096 ) times of computation, which is practically infeasible. Fig.9- 2 attack is equivalent to breaking one-way property attack in 4.1.1. In terms of DES key search attack, the strength of OKGS depends on the weakest cryptography algorithm among the 3 ones used in one-time key generation process; DES, RSA and SHA−1, all those three are secure enough as shown above. 4.2.2
Replacement of DES key
Another security attack to DES key is replacing a legal DES key with a forged one. To do so, an attacker should find a set of random numbers R10k and R20k that preserve the inter-relationship between consecutive keys. This problem is an equivalent to security attack in 4.1.2. Due the one-way property of the hash function, this attack is computationally infeasible 4.3
Threats to agent data
One-way hash function is collision free hash function[13], and finding collisions in the hash function is also computationally infeasible from the definition of collision free hash function and the assumption that SHA − 1 is one-way hash function. Therefore, OKGS is secure from those attacks that try to break the oneway property of the hash function.
As agent data are an important asset in mobile agent system, OKGS should provide appropriate countermeasures to attacks against agent data. Attacks to agent data can be divided into 3 areas: “eavesdropping an agent data”, “unauthorized insertion of agent and route” and “modification of agent data”.
4.2
4.3.1
Threats to DES key
Threats to DES key are classified into two groups: “DES key search” and “replacement of DES key”.
Eavesdropping agent data
In order for an attacker to eavesdrop agent data, he/she should know a DES key of an agent server. This means
PARK et al.: ONE-TIME KEY GENERATION SYSTEM FOR AGENT DATA PROTECTION
9
Fig. 10
Fabrication Attacks
the attacker finds the the right DES key in advance. Therefore, this attack is equivalent to DES key search one described in 4.2.1.
Modification of an agent data by an attacker can be done by two ways. One is to modify agent data using the legal DES key, and the other is without knowledge of DES key. The first attack is the same problem that described in 4.1.2 and 4.2.1. The latter attack is detected at home server in agent data verification phase.
as fabricated data. Otherwise the home server immediately realizes that the received data have been inserted by inappropriate servers by checking the digital signature. If timestamp is not incorporated, then the home server has no way to check when the data are generated and inserted. However if a timestamp is incorporated, then the home server is easily able to detect whether the received data are currently valid or invalid. For example, assume that an agent travels every three days over a route as shown in Fig.10b and acquires the price of a ticket. ASk+i (0 ≤ i ≤ m) set $100 at the first and $90 at three days later. If an attacker which is one of the conspiring group knows the previous signature AS0−pub (R1k+i , R2k+i , DSAk+i (..$100..)), then it is possible for the attacker to fabricate the route, to insert the old one instead of new one and to set his/her best price, for example $95. This attack can be considered as a replay attack. If digital signature DSAk+i (..$100..) incorporates with the timestamp as DSAk+i (..$100.., T imeStamp), this kind of replay attacks can be prevented.
4.4
5.
4.3.2
Insertion of fabricated agent data and route
A malicious agent server can insert fabricated data into working area of an agent. Agent server ASk creates m imaginary agent servers as shown in Fig.10-a. While this kind of attack is not detected in agent execution phase, it can be eventually detected at the home server using the non-repudiation property of digital signature. 4.3.3
Modifying the agent data
Threats of collusive attack
A collusive attack means an attack conspired by two or more agent servers together. In Fig.10-b, two malicious servers, ASk−1 and ASk+m+1 , exchange the itinerary of an agent and insert a series of fabricated agent data into an agent’s working area. That is agent data are 0 inserted into the agent by servers from ASk0 to ASk+m instead of those from ASk to ASk+m . If public keys of servers are not uncovered, only old data that were generated by the legal servers in the past can be inserted
Conclusion
In this paper, we propose OKGS to protect agent data from malicious servers. And we also show that OKGS is secure from any kind of attack. In OKGS, we assumed that SHA − 1 is one-way hash function. In the case that SHA − 1 does not satisfy one-way property, we can change it into sufficiently secure one, since OKGS is independent of hash function. The main idea of OKGS is that there is interrelationship among consecutive agent keys through cou-
IEICE TRANS. INF. & SYST., VOL.E83–D, NO.11 NOVEMBER 2000
10
plers. Therefore, in case that some intermediate agent data are tempered or deleted, we can finally detect the modification based on the established inter-relationship among agent keys. Acknowledgements This work was partially supported by KOSEF under contract 98-0102-11-3, BK21 program of the Ministry of Education and ITRC Program of the Ministry of Information and Communications.
workflow systems with time constraints,” In Proc. of International Symposium on Autonomous Decentralized Systems, pp. 370-373, 1999. [17] National Institute of Standards and Technology, “Secure Hash Standard”, FIPS Publication 180-1, 1995. [18] William Stallings, “Secure Hash Algorithm”, in Cryptography and Network Security: principles and practice Second Edition, Prentice-Hall, Inc., pp. 193-197, 1999. [19] Bruce Schneier, “Using One-Way Hash Functions”, in Applied Cryptography Second Edition, John Wiley & Sons, Inc., pp. 351-354, 1996.
Appendix A:
Timestamp - Clone detection[14]
References [1] B.H. Tay and A.L. Ananda, “A Survey of Remote Procedure calls,” Operating Systems Review, vol 24, No.3, pp.6879, July 1990. [2] W. Farmer, J. Guttman, and V. Swarup, “security for mobile agents: Authentication and state appraisal,” the European Symposium on Research in Computer Security(ESORICS), Lecture Notes in Computer Science, September 1996. [3] W. Farmer, J. Guttman, and V. Swarup, “Security for mobile agents: Issues and requirements.” National Information Systems Security Conference, National Institute of Standards and Technology, October 1996. [4] H. Peine, “Security Concepts and Implementation in the Ara Mobile Agent System,” 7th IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, Stanford University, USA, June 1998. [5] J. Baumann, F. Hohl, K. Rothermel, and M. Strasser, “Mole - Concepts of a mobile Agent System,” The World Wide Web Journal, special issue on Software Agents, 1998. [6] G. Karjoth, D. B. Lange, and M. Oshima, “A Security Model for Aglets,” IEEE Internet Computing, Vol. 1, No. 4, pp. 68-77, July - August 1997. [7] R. Gray, “Agent Tcl: A flexible and secure mobile agent system,” In Proceedings of the Fourth Annual Tcl/Tk Workshop, Monterey, Cal., pp. 9-23, July 1996. [8] John K. Ousterhout, Jacob Y. Levy, and Brent B. Welch, “The Safe-Tcl Security Model,” TR-97-60, March 1997. [9] F. Hohl, “Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts,” Mobile Agents and Security, Springer-Verlag, pp. 99-113, 1998. [10] T. Sander and Chr. Tschudin, “Towards Mobile Cryptography,” the 1998 IEEE Symposium on Security and Privacy. [11] Neil M. Haller, “The S/KEY One-Time Password System,” Proceedings of the ISOC Symposium on Network and Distributed System Security, San Diego, CA, February 1994. [12] L.R. Knudsen, X. Lai, and B. Preneel, “Attacks on fast double block length hash functions,” Journal of Cryptology, Vol 11, No. 1, pp. 59-72, Winter 1998. [13] Douglas R. Stinson, “Collision-free Hash Functions”, in Cryptography Theory and Practice, CRC press, pp. 234236, 1995. [14] Jusung Baek, R. S. Ramakrishna and Dong-Ik Lee, “A design of a protocol for detecting an Agent clone in Mobile Agent Systems and its Correctness Proof”. ACM Symposium on Principles of Distributed Computing, ACM press, pp.269, May 1999. [15] Bruce Schneier, “Using One-Way Hash Functions”, in Applied Cryptography Second Edition, John Wiley & Sons, Inc., pp. 351-354, 1996. [16] J-J Yoo and D-I Lee, ”X-MAS: mobile agent platform for
Agent data is signed by an agent server with timestamp when it is attached. Note here that timestamp is used for clone detection as well as for the data integrity. Assume that an agent visit agent servers ‘A’, ‘B’ and ‘C’. Server ‘A’ stamps time, and sends the agent to server ‘B’. Sometimes, server ‘B’ makes multiple identical agents, those are called clone agents. Without timestamp, the owner of the agent does not know which agent server has created clones. However if timestamp is incorporated, timestamps of a clone and the original agent are different. Therefore we know that either ‘B’ or ‘C’ creates clones.
Jong-Youl Park received the B.E. degree in Computer Engineering from Chungnam National University, Republic of Korea in 1996 and the M.S. degree in Information and Communications from Kwang-Ju Institute of Science and Technology in 1999. He is currently a Ph.D candidate. degree at Kwang-Ju Institute of Science and Technology. His research interests include mobile agents, mobile computing, secure protocol, security system, authentication, distributed systems and formal method.
Dong-Ik Lee received the B.E. from Yeungnam University, Republic of Korea, M.E. and Dr. of Eng. from Osaka University, Japan, in 1985, 1989 and 1993, respectively. He was a research associate in the Department of Electronic Engineering of Osaka University from 1990 to 1995. From 1993 through 1994, he was a visiting assistant professor in Coordinated Science Lab. of University of Illinois. He is currently an associate professor in the Department of Information and Communications in Kwang-Ju Institute of Science and Technology from 1995. His research interests include Petri net theory and its applications to concurrent systems, asynchronous circuits design and CAD, and agent systems.
PARK et al.: ONE-TIME KEY GENERATION SYSTEM FOR AGENT DATA PROTECTION
11
Hyung-Hyo Lee received his B.S. in Computer Science from Chonnam National University, Republic of Korea in 1987 and M.S. and Ph.D. in Computer Science from KAIST(Korea Advanced Institute of Science and Technology) and Chonnam National University in 1989 and 2000, respectively. He was a post-doctoral researcher at kwang-Ju Institute of Science and Technology from 200 through 2001. Currently he is a full-time lecturer in Wonkwang Universiy. His research areas are security models, secure operating systems and e-commerce security.
Joong-Gil-Park received the B.E. degree in Computer Engineering from Dong Guk University, Republic of Korea in 1986 and the M.S. degree in Computer Engineering from Sogang University in 1988. He is currently a Ph.D candidate. degree at Chungnam National University and a Senior Member of Engineering Staff in National Security Research Institute. His research interests include secure protocol, security system, authentication, network security and PKI.
