Secure Transactions with Mobile Agents in Hostile ... - CiteSeerX

Secure Transactions with Mobile Agents in Hostile Environments

Panayiotis Kotzanikolaou¹, Mike Burmester² and Vassilios Chrissikopoulos¹

¹ University of Piraeus, Department of Informatics, Karaoli & Dimitriou 80, 185 34 Piraeus, Greece, {pkotzani, chris}@unipi.gr
² Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 OEX, UK

Abstract. A major problem of mobile agents is their apparent inability to authenticate transactions in hostile environments. In this paper, we consider a framework for the prevention of agent tampering without compromising the mobility or autonomy of the agent. Our approach uses encrypted functions. We present an RSA implementation which answers affirmatively the open problem on undetachable signatures of Sander and Tschudin.

1 Introduction

Traditional software programs primarily use the Remote Procedure Call (RPC) for remote applications, which is performed in accordance with the client-server architecture. The principle of Remote Programming (RP) forms an alternative to RPC. In the RP approach, the client object, instead of exchanging request and reply messages remotely, is itself transferred to the server and is executed locally. The mobile agent paradigm constitutes a way of implementing Remote Programming. Mobile agents are autonomous software entities that are able to migrate across different execution environments. Mobility and autonomy make permanent connections unnecessary; thus mobile agents are suitable for providing low-bandwidth connections and asynchronous communication [1,2,9,21]. Furthermore, they provide better support for heterogeneous environments.

The characteristics of mobile agents make them ideal for electronic commerce applications in open networks. A mobile agent can search for special products or services and negotiate on behalf of its owner with other entities. Furthermore, mobile agents can be used as selling agents. However, mobile agents are vulnerable to several attacks and in particular to attacks by malicious hosts.

Until quite recently there was a general belief that mobile agent vulnerability could be prevented only with hardware solutions. Chess et al. state [2]: "It is impossible to prevent agent tampering unless trusted (and tamper-resistant) hardware is available… Without such hardware, a malicious [host] can always modify/manipulate the agent". This belief, however, has been shown to be misleading and is referred to as "the Chess paradox" in the literature [15].

Jakobsson and Juels propose executable code (X-cash) which binds the user to a payment transaction [8]. The user links the executable code ω with a so-called negotiable certificate that warrants a restricted purchase. This protocol is practical but not very flexible, in the sense that it requires the issuing of a large number of negotiable certificates for certain purchases. Sander and Tschudin [15] propose the use of encrypted functions. The user encrypts a function s, which is then executed by the host, without the host having access to s. Although the approach is very promising, no secure implementation has been proposed as yet. Our approach is also based on encrypted functions but is provably secure.

Organization of the paper. In Section 2 we review the security issues of mobile agents. In Section 3 we discuss the requirements for secure computations with encrypted functions and review undetachable signatures. In Section 4 we consider a realization of an undetachable RSA signature scheme which allows a mobile agent to conduct a transaction inside a hostile host without being abused. This realization is provably secure and answers affirmatively the open problem of Sander and Tschudin on undetachable signatures [15]. We conclude in Section 5.

2 An Overview of the Security Issues for Mobile Agents

Although the mobile agent paradigm extends the capabilities of traditional ways of remote communication and distributed computing, it also raises new security issues [3]. These are generally divided into two broad areas: i) protecting the host from malicious agents, and ii) protecting the agent from hostile hosts.

Protecting the host from attacks by malicious agents is possible by using effective access control and sandbox mechanisms (e.g. Java's sandbox security component). A more challenging problem is to protect an agent from being abused by a hostile server. During the execution of a mobile agent, the agent is in a very asymmetric relation with regard to the server, since the server must be able to access the agent's code, data and state in order to execute it. It is not clear how private information (such as a secret key) can be used by an agent without revealing it to its executing environment. A hostile host could easily appropriate the secret key when the agent attempts to use it. It is believed that this is a very hard problem to solve [1]. For example, Yi et al. [20] state: "Current consensus is that it is computationally impossible to protect mobile agents from malicious hosts. Instead of tackling the problem from a computational (difficult) point of view, current research is looking at sociological means of enforcing good host behavior".

Research efforts for solving the problem of hostile hosts are broadly divided into two main categories [15,17]:

• Detection of agent tampering. This category includes solutions that aim to detect agent tampering a posteriori, trace the identity of the illegitimate host and prove its misbehavior. Vigna [6] introduced a tracing mechanism, which records the execution of the agent and its interaction with the execution environment. The tracing mechanism will reveal the malicious host. Yi et al. proposed the use of an Agent Service Center [20], which traces the itinerary of the agent. Kotzanikolaou et al. [9] use a multi-agent system that can trace which mobile agents were victims of malicious behavior. These systems may provide partial solutions to particular problems. However, there are cases where a posteriori detection is not sufficient.

• Prevention of agent tampering. The philosophy of this approach is to prevent agent tampering a priori. There are two cases to be considered: passive and active prevention.

Passive prevention mechanisms protect the agents by using organizational or architectural solutions. Farmer et al. [5] propose a scheme where mobile agents are only able to circulate in trusted execution environments. Merwe and Sholms [12] introduce a trade agent system where the agents are implemented with distributed objects that communicate remotely. Some detection mechanisms also use passive prevention techniques, e.g. [9,20]. These approaches either make strong assumptions on the trustworthiness of a host [5], or compromise many of the advantages of mobile agents such as autonomy [9,20] and migration [12].

Active prevention focuses on the development of solutions that provide an agent with protection from attacks of hostile hosts, without compromising the advantages of the mobile agent paradigm. These may use secure hardware devices, e.g. [13,18]. However, their deployment is low, mainly because of the high costs involved. The exploration of active prevention mechanisms that are software-based is a recent field of research. Fig. 1 shows the security issues related to the mobile agent paradigm.

[Figure: taxonomy tree. Security in the mobile agent paradigm: protecting the host; protecting the agent (detection of tampering; prevention of tampering: passive prevention; active prevention: hardware-based mechanisms, software-based mechanisms).]

Fig. 1. Security issues in the mobile agent paradigm

A first approach for software-based active prevention of agent tampering is the use of obfuscation techniques or scrambling and mess-up algorithms, as proposed by Hohl [6]. This approach could be useful on certain occasions where an agent carries time-limited token data. However, the security of this method cannot be proven.

In [11] a method is proposed which allows Alice to send mobile code to an untrusted host (Bob) and have it evaluate an encrypted Boolean function, while maintaining the confidentiality of the function. The security of the scheme is reduced to the security of the McEliece public key cryptosystem. Unfortunately, under this scheme it is not possible for anyone except Alice to decrypt the result, because Alice's private key is involved in the decryption process.

Sander and Tschudin [15] use a technique called Computing with Encrypted Functions (CEF). The host executes an encrypted function $s \circ f$, where $f$ is the encrypting function, without having access to the function $s$. The security of the method relies on the difficulty of decomposing the encrypted function. Because the spirit of mobile agents is to perform computations in a mostly autonomous way, the authors in [15] explore the requirements for deploying non-interactive CEF. A candidate class of functions which can be used for non-interactive CEF consists of the multivariate rational functions. The authors in [15] observe that it would be useful to employ algebraic homomorphic functions in the CEF approach. Unfortunately, so far there are no known provably secure algebraic homomorphic encryption functions [15]. So the problem of prevention of agent tampering in hostile environments remains open.

3 Encrypting a Signature Function

Undetachable signatures were proposed by Sander and Tschudin and are based on non-interactive CEF [15]. Suppose that a Customer wishes to send a mobile Agent to purchase some goods from an electronic shop over the Internet. The Agent can autonomously authenticate the transaction only if it is able to use a signature function $s$ of the Customer. However, the Agent is executed by a potentially hostile Server. To protect the signature function $s$, the Customer encrypts it with a function $f$ to obtain

$$f_{signed} := s \circ f \qquad (1)$$

and gives the pair of functions $(f(\cdot), f_{signed}(\cdot))$ to the Agent, as part of its executable code. On migration the Server executes the pair $(f(\cdot), f_{signed}(\cdot))$ on input $x$ to obtain the undetachable signature pair

$$f(x) = m \quad \text{and} \quad f_{signed}(x) = s(f(x)) = s(m).$$

The pair of functions $(f(\cdot), f_{signed}(\cdot))$ enables the Agent to create signatures of the Customer on messages of the Server, without revealing the signature function $s$ (the secret key of $s$) to the latter. The input $x$ of the Server is linked to the Server's bid. The parameters of function $f$ are such that the output of $f$ includes the Customer's constraints. Thus, $m = f(x)$ links the constraints of the Customer to the bid of the Server. This is certified by $f_{signed}(x) = s(m)$, which employs the signature function $s$ of the Customer. The Server cannot use the pair $(f, f_{signed})$ to sign arbitrary messages, because the function $f$ is linked to the constraints of the Customer. These constraints may include a detailed description of the required product, the maximum acceptable price, time-stamps and other requirements of the Customer.

Requirements for secure undetachable signatures.

• It must be feasible for the Agent to execute the encrypted function (1) (in polynomial time) on the input x of the Server.

• The pair of functions f and s must be such that it is hard to get s by decomposing the encrypted function (1).

In the following section we give an implementation of undetachable signatures with RSA [14] signatures.

4 A Secure Solution for the Sander-Tschudin Open Problem on Undetachable Signatures

For a realization of undetachable signatures, the authors in [15] proposed, among others, the use of birational functions as introduced by Shamir [16]. However, the schemes resulting from these constructions are insecure [15] and subject to the Coppersmith, Stern and Vaudenay attack [4]. The existence of a secure undetachable signature scheme remains an open problem [7,15]. Below we describe a non-interactive CEF undetachable signature scheme which uses exponential functions as encrypting functions instead of birational functions and is provably secure. Our protocol is based on the RSA cryptosystem.
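The composition f_signed = s ∘ f from Section 3, worked through with an exponential encrypting function over RSA, as an added example that is not code from the paper. The concrete choice f(x) = h^x mod n with h a hash of the Customer's constraints, the hash-derived input x, the toy key and all function names are assumptions made here, since the page's own protocol text is cut off.

```python
import hashlib

# Constructed toy RSA key: two Mersenne primes, far too small and too
# structured for real use. All names here are illustrative assumptions.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Customer's secret signing exponent


def digest(text: str) -> int:
    """Hash text to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N


def s(m: int) -> int:
    """Customer's RSA signature function s(m) = m^d mod n (stays with the Customer)."""
    return pow(m, D, N)


def make_agent(constraints: str):
    """Customer side: build the pair (f, f_signed) that the Agent carries.

    f(x) = h^x mod n and f_signed(x) = k^x mod n with k = s(h), so that
    f_signed(x) = (h^d)^x = (h^x)^d = s(f(x)) although d is not in the Agent.
    """
    h = digest(constraints)
    k = s(h)
    f = lambda x: pow(h, x, N)
    f_signed = lambda x: pow(k, x, N)
    return f, f_signed


def server_sign(agent, bid: str):
    """Server side: evaluate the pair on an input x derived from its own bid."""
    f, f_signed = agent
    x = digest(bid)
    return f(x), f_signed(x)          # the undetachable pair (m, s(m))


def verify(constraints: str, bid: str, m: int, z: int) -> bool:
    """Anyone holding (n, e): m must bind constraints to bid, and z must be s(m)."""
    bound = m == pow(digest(constraints), digest(bid), N)
    return bound and pow(z, E, N) == m
```

The Server only ever sees h and k = s(h), which is an ordinary signature on the constraint hash, so the pair it produces verifies only for messages of the form h^x.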

A Protocol for Secure Transactions with Mobile Agents

Setting. We use an RSA setting. Each Customer selects a modulus n which is the product of two large primes p, q and a number e, 1 < e
